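{
  description = "Nix-based oci images for actions";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs =
    {
      self,
      nixpkgs,
      nixpkgs-unstable,
      flake-utils,
    }:
    flake-utils.lib.eachDefaultSystem (
      system:
      let
        # Tools copied into the root of every runner image. `pkgs` is the
        # nixpkgs set the image is built from (stable or unstable, selected
        # per image in `packages` below).
        # NOTE(review): `docker`/`podman` inside the image only do useful work
        # when the host hands the container a socket or extra privileges;
        # `sudo` ships without an /etc/sudoers here, and the image's only
        # login account is root (see the passwd file below) — confirm both
        # are actually needed by the workflows this runner serves.
        imagePackages =
          pkgs: with pkgs; [
            bashInteractive
            cacert
            coreutils
            curl
            docker
            podman
            findutils
            gawk
            gitFull
            gnugrep
            gnutar
            gzip
            jq
            nodejs
            openssl
            openssh
            rsync
            sudo
            wget
            xz
            makeWrapper
            bats
            shellcheck
            reuse
            lix
            sops
            nvd
          ];

        # Build one runner image.
        #   name  - last path component of the image name
        #   tag   - image tag
        #   pkgs' - flake input (a nixpkgs checkout) to instantiate for `system`
        containerLambda =
          name: tag: pkgs':
          let
            pkgs = import pkgs' { inherit system; };

            # A newline-joined text file placed at `destination` inside the
            # image root. No trailing newline is written (concatStringsSep
            # semantics), same as the original inline definitions.
            etcFile =
              fileName: destination: lines:
              pkgs.writeTextFile {
                name = fileName;
                inherit destination;
                text = builtins.concatStringsSep "\n" lines;
              };

            # root is the only account with a shell; the nixbld users are the
            # build-user pool lix/nix expects. Every password field is `x` and
            # no /etc/shadow is shipped, so none of these entries carries a
            # usable password.
            passwd = etcFile "passwd" "/etc/passwd" [
              "root:x:0:0:System administrator:/root:/bin/bash"
              "nixbld1:x:30001:30000:Nix build user 1:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld2:x:30002:30000:Nix build user 2:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld3:x:30003:30000:Nix build user 3:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld4:x:30004:30000:Nix build user 4:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld5:x:30005:30000:Nix build user 5:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld6:x:30006:30000:Nix build user 6:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld7:x:30007:30000:Nix build user 7:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld8:x:30008:30000:Nix build user 8:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld9:x:30009:30000:Nix build user 9:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld10:x:30010:30000:Nix build user 10:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld11:x:30011:30000:Nix build user 11:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld12:x:30012:30000:Nix build user 12:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld13:x:30013:30000:Nix build user 13:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld14:x:30014:30000:Nix build user 14:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld15:x:30015:30000:Nix build user 15:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld16:x:30016:30000:Nix build user 16:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld17:x:30017:30000:Nix build user 17:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld18:x:30018:30000:Nix build user 18:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld19:x:30019:30000:Nix build user 19:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld20:x:30020:30000:Nix build user 20:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld21:x:30021:30000:Nix build user 21:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld22:x:30022:30000:Nix build user 22:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld23:x:30023:30000:Nix build user 23:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld24:x:30024:30000:Nix build user 24:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld25:x:30025:30000:Nix build user 25:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld26:x:30026:30000:Nix build user 26:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld27:x:30027:30000:Nix build user 27:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld28:x:30028:30000:Nix build user 28:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld29:x:30029:30000:Nix build user 29:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld30:x:30030:30000:Nix build user 30:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld31:x:30031:30000:Nix build user 31:/var/empty:/run/current-system/sw/bin/nologin"
              "nixbld32:x:30032:30000:Nix build user 32:/var/empty:/run/current-system/sw/bin/nologin"
              "nobody:x:65534:65534:Unprivileged account (don't use!):/var/empty:/run/current-system/sw/bin/nologin"
            ];

            # Matching group database; `nixbld` (gid 30000) lists all 32 build users.
            group = etcFile "group" "/etc/group" [
              "root:x:0:"
              "wheel:x:1:"
              "kmem:x:2:"
              "tty:x:3:"
              "messagebus:x:4:"
              "disk:x:6:"
              "audio:x:17:"
              "floppy:x:18:"
              "uucp:x:19:"
              "lp:x:20:"
              "cdrom:x:24:"
              "tape:x:25:"
              "video:x:26:"
              "dialout:x:27:"
              "utmp:x:29:"
              "adm:x:55:"
              "keys:x:96:"
              "users:x:100:"
              "input:x:174:"
              "nixbld:x:30000:nixbld1,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld2,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld3,nixbld30,nixbld31,nixbld32,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9"
              "nogroup:x:65534:"
            ];

            # NOTE(review): the `mymachines`/`systemd`/`myhostname` NSS modules
            # are referenced but no package providing them is in `imagePackages`;
            # presumably glibc skips the missing modules and falls through to
            # `files`/`dns` — confirm name resolution inside the image.
            nsswitch = etcFile "nsswitch.conf" "/etc/nsswitch.conf" [
              "passwd: files mymachines systemd"
              "group: files mymachines systemd"
              "shadow: files"
              "hosts: files mymachines dns myhostname"
              "networks: files"
              "ethers: files"
              "services: files"
              "protocols: files"
              "rpc: files"
            ];

            # Nix daemon-less configuration used by lix inside the container.
            # NOTE(review): `accept-flake-config = true` applies any `nixConfig`
            # (extra substituters, trusted keys, ...) declared by a flake the
            # runner evaluates, without a prompt. That is only appropriate when
            # every repository this runner builds is trusted; where untrusted
            # workflows run, drop the line so that only the substituters and
            # keys pinned below are honoured.
            nixConf = etcFile "nix.conf" "/etc/nix/nix.conf" [
              "accept-flake-config = true"
              "experimental-features = nix-command flakes"
              "substituters = https://cache.nixos.org"
              "trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
            ];
          in
          pkgs.dockerTools.buildImageWithNixDb {
            name = "git.flyinggecko.org/oci-images/nixos-runner/${name}";
            inherit tag;

            copyToRoot = imagePackages pkgs ++ [
              passwd
              group
              nsswitch
              nixConf
            ];

            # Shell snippet run in the image root after `copyToRoot` is laid out.
            extraCommands = builtins.concatStringsSep "\n" [
              # /usr/bin/env: /usr/bin is a symlink to /bin so `#!/usr/bin/env` works
              "mkdir usr"
              "ln -s ../bin usr/bin"
              # world-writable, sticky /tmp
              "mkdir -m 1777 tmp"
              # root needs a home
              "mkdir -vp root"
            ];

            config = {
              Cmd = [ "/bin/bash" ];
              Env = [
                "LANG=en_GB.UTF-8"
                "ENV=/etc/profile.d/nix.sh"
                "BASH_ENV=/etc/profile.d/nix.sh"
                "NIX_BUILD_SHELL=/bin/bash"
                # ./fake_nixpkgs is a directory in this repository; the path
                # interpolation copies it into the store and the image.
                "NIX_PATH=nixpkgs=${./fake_nixpkgs}"
                "PAGER=cat"
                # /usr/bin is the symlink created in `extraCommands`
                "PATH=/usr/bin:/bin"
                # CA bundle for curl/git/nix; lix also honours SSL_CERT_FILE
                "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
                "USER=root"
              ];
            };
          };
      in
      {
        packages = {
          nixos-2411 = containerLambda "nixos" "24.11" nixpkgs;
          nixos-unstable = containerLambda "nixos" "unstable" nixpkgs-unstable;
        };
      }
    );
}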