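{
  description = "OCI image for cargoxx-pkgs CI jobs: nix + tea + git + jq";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs { inherit system; };

        # Single-user nix config — same defaults used by the cargoxx
        # distribution wrapper. Avoids the multi-user nixbld group
        # requirement; sandbox disabled because the runner container
        # itself doesn't usually have user-namespace support.
        #
        # NOTE(review): `accept-flake-config = true` makes nix apply the
        # `nixConfig` attribute of any flake it evaluates without asking,
        # including extra `substituters` / `trusted-public-keys` declared
        # by that flake — i.e. the flake being built picks where binaries
        # come from. That is acceptable only if every flake this job
        # evaluates is trusted; for PR- or third-party-supplied flakes,
        # drop it and allow-list substituters here instead.
        # `sandbox = false` likewise means builds can reach the network
        # and the container filesystem, so build outputs are not
        # reproducibility-checked by nix.
        nixConfig = ''
          experimental-features = nix-command flakes
          build-users-group =
          sandbox = false
          accept-flake-config = true
        '';
      in
      {
        packages.default = pkgs.dockerTools.buildLayeredImage {
          name = "cargoxx-runner-job";
          tag = "latest";

          contents = with pkgs; [
            bashInteractive
            coreutils
            findutils
            gawk
            gnugrep
            gnused
            gnutar
            gzip
            xz
            nix
            git
            curl
            jq
            tea
            nodejs_20 # JS-based actions/checkout@v4 etc. need `node` on PATH
            cacert
            iana-etc
          ];

          # Skeleton filesystem layout: sticky /tmp, a minimal /etc/passwd
          # and /etc/group so uid 0 resolves, writable nix state dirs under
          # /nix/var, and /etc/nix/nix.conf rendered from `nixConfig`.
          # The CA bundle itself is supplied by `cacert` in `contents`;
          # only the *_CERT_FILE env vars below point at it.
          # Heredocs are single-quoted ('EOF'), so nothing in them is
          # shell-expanded; `${nixConfig}` is substituted by nix at eval time.
          extraCommands = ''
            mkdir -p tmp etc/nix nix/var/{nix,log/nix} root
            chmod 1777 tmp
            cat > etc/passwd <<'EOF'
            root:x:0:0:root:/root:/bin/bash
            nobody:x:65534:65534:nobody:/var/empty:/bin/false
            EOF
            cat > etc/group <<'EOF'
            root:x:0:
            nobody:x:65534:
            EOF
            cat > etc/nix/nix.conf <<'EOF'
            ${nixConfig}
            EOF
          '';

          # Runtime config. No `User` is set, so jobs run as uid 0 inside
          # the container; the same settings are exported via NIX_CONFIG
          # so nix picks them up even if a job overrides HOME/XDG dirs.
          # NOTE(review): if the runner bind-mounts a workspace owned by
          # a non-root uid, git's ownership check (safe.directory) will
          # refuse to operate on it — confirm with the runner setup rather
          # than disabling the check image-wide.
          config = {
            Env = [
              "PATH=/bin:/usr/bin"
              "NIX_CONFIG=${nixConfig}"
              "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
              "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
              "HOME=/root"
              "USER=root"
            ];
            Cmd = [ "/bin/bash" ];
            WorkingDir = "/root";
          };
        };

        # `nix run .#load-image` builds the image and pipes it into the
        # local Docker daemon — no registry needed for single-host
        # deployments. Talks to whatever daemon the docker CLI is
        # configured for (DOCKER_HOST / default socket).
        apps.load-image = {
          type = "app";
          program = toString (pkgs.writeShellScript "load-image" ''
            set -euo pipefail
            img=$(nix build --no-link --print-out-paths .#default)
            echo "loading $img into docker…"
            ${pkgs.docker}/bin/docker load < "$img"
          '');
        };
      });
}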