WIP: Nix container images

default.nix

@@ -1,9 +1,14 @@
 { nixpkgs ? <nixpkgs> }:
+let
+  sources = import ./nix/sources.nix;
+  nix-container-images = sources."nix-container-images";
+in
 import nixpkgs {
   # docker images run on Linux
   system = "x86_64-linux";
   config = {};
   overlays = [
+    (import "${nix-container-images}/overlay.nix")
     (import ./overlay.nix)
   ];
 }

images/nix/default.nix

@@ -1,56 +1,27 @@
-{ dockerTools
-, bash
-, cacert
-, coreutils
-, curl
-, gitMinimal
-, gnutar
-, gzip
-, iana-etc
-, nix
-, xz
-}:
+{ path, lib, nix }:
 let
-  image = dockerTools.buildImageWithNixDb {
-    inherit (nix) name;
-
-    contents = [
-      ./root
-      coreutils
-      # add /bin/sh
-      bash
-      nix
-
-      # runtime dependencies of nix
-      cacert
-      gitMinimal
-      gnutar
-      gzip
-      xz
-
-      # for haskell binaries
-      iana-etc
-    ];
-
-    extraCommands = ''
-      # for /usr/bin/env
-      mkdir usr
-      ln -s ../bin usr/bin
+  channel =
+    builtins.replaceStrings
+      ["\n"]
+      [""]
+      "nixos-${builtins.readFile "${path}/.version"}";
+in
+  lib.makeImage {
+    image = {
+      name = "nix";
+      tag = "latest";
 
-      # make sure /tmp exists
-      mkdir -m 0777 tmp
-    '';
+      run = ''
+        chmod u+w root
+        echo 'https://nixos.org/channels/${channel} nixpkgs' > root/.nix-channels
+      '';
 
-    config = {
-      Cmd = [ "/bin/bash" ];
-      Env = [
-        "ENV=/etc/profile.d/nix.sh"
-        "NIX_PATH=nixpkgs=channel:nixpkgs-unstable"
-        "PAGER=cat"
-        "PATH=/usr/bin:/bin"
-        "SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"
-      ];
+      interactive = true;
     };
-  };
-in
-  image // { meta = nix.meta // image.meta; }
+    environment.systemPackages = [ nix ];
+    nix = {
+      enable = true;
+      useSandbox = false;
+      package = nix;
+    };
+  }

nix/sources.json

@@ -0,0 +1,13 @@
+{
+    "nix-container-images": {
+        "url": "https://github.com/cloudwatt/nix-container-images/archive/cf1dbb827946b22a36d0eeb64a0e062d5e7cba53.tar.gz",
+        "owner": "cloudwatt",
+        "branch": "master",
+        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz",
+        "repo": "nix-container-images",
+        "type": "tarball",
+        "sha256": "0svfqzp91qrx82w5wy0ax8vx54mqa1hgipbb1jbd96wqxhbxwgsl",
+        "description": "Write container images as NixOS machines",
+        "rev": "cf1dbb827946b22a36d0eeb64a0e062d5e7cba53"
+    }
+}

nix/sources.nix

@@ -0,0 +1,67 @@
+# This file has been generated by Niv.
+
+# A record, from name to path, of the third-party packages
+with rec
+{
+  pkgs =
+    if hasNixpkgsPath
+    then
+        if hasThisAsNixpkgsPath
+        then import (builtins_fetchTarball { inherit (sources_nixpkgs) url sha256; }) {}
+        else import <nixpkgs> {}
+    else
+        import (builtins_fetchTarball { inherit (sources_nixpkgs) url sha256; }) {};
+
+  sources_nixpkgs =
+    if builtins.hasAttr "nixpkgs" sources
+    then sources.nixpkgs
+    else abort
+    ''
+        Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
+        add a package called "nixpkgs" to your sources.json.
+    '';
+
+  builtins_fetchTarball =
+      # fetchTarball version that is compatible between all the versions of
+      # Nix
+      { url, sha256 }@attrs:
+      let
+        inherit (builtins) lessThan nixVersion fetchTarball;
+      in
+        if lessThan nixVersion "1.12" then
+          fetchTarball { inherit url; }
+        else
+          fetchTarball attrs;
+
+  hasNixpkgsPath = (builtins.tryEval <nixpkgs>).success;
+  hasThisAsNixpkgsPath =
+    (builtins.tryEval <nixpkgs>).success && <nixpkgs> == ./.;
+
+  sources = builtins.fromJSON (builtins.readFile ./sources.json);
+
+  mapAttrs = builtins.mapAttrs or
+    (f: set: with builtins;
+      listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)));
+
+  getFetcher = spec:
+    let fetcherName =
+      if builtins.hasAttr "type" spec
+      then builtins.getAttr "type" spec
+      else "tarball";
+    in builtins.getAttr fetcherName {
+      "tarball" = pkgs.fetchzip;
+      "file" = pkgs.fetchurl;
+    };
+};
+# NOTE: spec must _not_ have an "outPath" attribute
+mapAttrs (_: spec:
+  if builtins.hasAttr "outPath" spec
+  then abort
+    "The values in sources.json should not have an 'outPath' attribute"
+  else
+    if builtins.hasAttr "url" spec && builtins.hasAttr "sha256" spec
+    then
+      spec //
+      { outPath = getFetcher spec { inherit (spec) url sha256; } ; }
+    else spec
+  ) sources