nix-docker
Docker images for the Nix package manager
This repository contains nix expressions to build a minimal docker image for the nix package manager. The current official docker image for nix is based on alpine, this image that is build from scratch and looks a lot more like nixos.
-
nix, bash and coreutils are installed in a system profile that is linked to
/run/current-system/sw
, the only global paths are/bin/sh
and/usr/bin/env
-
it's easy to build a new custom baseimage using a specific version of nixpkgs, this makes it a lot easier to create an image with a custom version of nix or nixpkgs.
-
the lnl7/nix:ssh image can be used to setup an image that can be used as a remote builder, this allows you to build expressions for
x86_64-linux
on other platforms (ex. building a new baseimage on a darwin machine)
Base Images
All the images are based on the latest baseimage, previous versions are available in my repository https://hub.docker.com/r/lnl7/nix/tags.
lnl7/nix:2020-09-11
(2.3.7)lnl7/nix:2020-06-07
(2.3.6)lnl7/nix:2020-03-07
(2.3.3)lnl7/nix:2019-03-01
(2.2)lnl7/nix:2018-09-21
(2.1.2)lnl7/nix:2018-07-17
(2.0.4)lnl7/nix:2018-04-17
(2.0)lnl7/nix:2018-03-13-patch1
lnl7/nix:2018-01-13
(1.11.16)lnl7/nix:2017-10-07
(1.11.15)lnl7/nix:2017-06-17
(1.11.10)lnl7/nix:2017-06-09
(1.11.9)lnl7/nix:2017-01-21
(1.11.6)lnl7/nix:124f25b
(1.11.4)lnl7/nix:ea9d390
(1.11.2)lnl7/nix:272cf5c
Default Image
The default image is intended for interactive use and includes some common and useful packages:
docker run --rm -it lnl7/nix nix repl '<nixpkgs>'
nix-repl>
Building an Image
FROM lnl7/nix:2.3.7
RUN nix-env -iA \
nixpkgs.curl \
nixpkgs.jq
Building a new Base Image
nix-shell -A env --run './result/bin/run-docker-build'
The src
can also can be overridden to use a custom nixpkgs for the image.
nix-shell -A env --argstr src ./srcs/2018-03-13.nix
remote builder
Running as adocker run --restart always --name nix-docker -d -p 3022:22 lnl7/nix:ssh
If you have not setup a remote builder before you can follow these steps.
Configure SSH
An insecure rsa key is provided in the repo, the following assumes you are using it. Optional instructions for generating a fresh key are provided at the end.
Single User Mode
Copy the rsa key to your ssh folder
chmod 600 ssh/insecure_rsa
cp ssh/insecure_rsa ~/.ssh/docker_rsa
Add an entry for the container in your ~/.ssh/config
Host nix-docker
User root
HostName 127.0.0.1
Port 3022
IdentityFile ~/.ssh/docker_rsa
Multi User Mode (Nix Daemon)
Copy the insecure rsa key to /etc/nix
sudo mkdir -p /etc/nix
chmod 600 ssh/insecure_rsa
sudo cp ssh/insecure_rsa /etc/nix/docker_rsa
Add an ssh entry to /var/root/.ssh/config if you are using nix daemon
Host nix-docker
User root
HostName 127.0.0.1
Port 3022
IdentityFile /etc/nix/docker_rsa
Optional: setup your own ssh key, instead of using the insecure key.
ssh-keygen -t rsa -b 2048 -N "" -f docker_rsa
docker cp docker_rsa.pub nix-docker:/root/.ssh/authorized_keys
Then copy the key to either /etc/nix
or ~/.ssh
depending on if you are running nix in single or multi user mode.
Create a signing keypair
openssl genrsa -out /etc/nix/signing-key.sec 2048
openssl rsa -in /etc/nix/signing-key.sec -pubout > /etc/nix/signing-key.pub
chmod 600 /etc/nix/signing-key.sec
ssh nix-docker mkdir -p /etc/nix
docker cp /etc/nix/signing-key.sec nix-docker:/etc/nix/signing-key.sec
Setup the container as a remote builder
sudo cp ssh/remote-build-env /etc/nix/
sudo cp ssh/machines /etc/nix/
Build a linux derivation
nix-build -E 'with import <nixpkgs> { system = "x86_64-linux"; }; hello.overrideAttrs (drv: { REBUILD = builtins.currentTime; })'