From 0f373b4ee242026cd67b1cd174c27c7e5af39b02 Mon Sep 17 00:00:00 2001
From: Spencer Heywood
Date: Wed, 20 Nov 2024 14:19:03 -0700
Subject: [PATCH] working static nix target

---
 nix/Dockerfile | 27 ++++++++++++++++++---------
 nix/README.md | 27 ++++++++++++++++++++++++---
 nix/build.sh | 22 ++++++++++++++++++++++
 nix/nix.conf | 3 +++
 4 files changed, 67 insertions(+), 12 deletions(-)
 create mode 100755 nix/build.sh

diff --git a/nix/Dockerfile b/nix/Dockerfile
index b4346e3..bad4783 100644
--- a/nix/Dockerfile
+++ b/nix/Dockerfile
@@ -1,21 +1,33 @@
 FROM alpine:latest AS base
 LABEL maintainer=heywoodlh
-RUN apk add --no-cache curl bash \
- && curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --init none --no-confirm --extra-conf "filter-syscalls = false"
+RUN apk add --no-cache curl bash xz sudo shadow \
+ && curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux \
+ --extra-conf "sandbox = false" \
+ --init none \
+ --no-confirm \
+ --extra-conf='filter-syscalls = false'
+
+COPY nix.conf /etc/nix/nix.conf
 ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
 VOLUME /nix
 # Target for building the static nix binaries
-FROM base AS static-builder
-RUN nix build -o /opt/nix nixpkgs#nixStatic
+FROM base AS static-fetcher
+
+# Hydra Nix project: https://hydra.nixos.org/project/nix
+# Example 2.24 version job list URL: https://hydra.nixos.org/jobset/nix/maintenance-2.24#tabs-jobs
+RUN curl -L https://hydra.nixos.org/job/nix/maintenance-$(nix --version | awk '{print $3}' | cut -d'.' -f1-2)/buildStatic.nix.$(arch)-linux/latest/download-by-type/file/binary-dist -o /opt/nix \
+ && chmod +x /opt/nix
 # static target
 FROM alpine:latest AS static
-COPY --from=static-builder /opt/nix /opt/nix
-ENV PATH="${PATH}:/opt/nix/bin"
+COPY --from=static-fetcher /opt/nix /usr/bin/nix
+COPY --from=base /etc/nix/nix.conf /etc/nix/nix.conf
+
+RUN apk add --no-cache curl bash
 # Testing targets
 FROM base AS test
@@ -23,6 +35,3 @@ RUN nix run nixpkgs#hello
 FROM static AS static-test
 RUN nix run nixpkgs#hello
-
-# Default target
-FROM base
diff --git a/nix/README.md b/nix/README.md
index 1a0fe24..23d7226 100644
--- a/nix/README.md
+++ b/nix/README.md
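Review bot: The static-binary download on the new `RUN curl -L https://hydra.nixos.org/job/nix/...` line is neither verified nor made to fail on HTTP errors, so a 404 page or an interposed response would be `chmod +x`'d in the same layer and shipped as `/usr/bin/nix` in the `static` stage; the installer line just above already uses `--proto '=https' --tlsv1.2 -sSf`, so at minimum reuse those flags: `RUN curl --proto '=https' --tlsv1.2 -fsSL https://hydra.nixos.org/job/nix/maintenance-$(nix --version | awk '{print $3}' | cut -d'.' -f1-2)/buildStatic.nix.$(arch)-linux/latest/download-by-type/file/binary-dist -o /opt/nix \`. Pinning the expected digest (for example a build `ARG NIX_STATIC_SHA256` checked with `sha256sum -c` before the `chmod`) would also make the image reproducible instead of tracking whatever the Hydra `latest` job resolves to at build time. Separately, `--extra-conf "sandbox = false"` disables Nix build isolation for every build run from the `base` stage and the reason is not stated; a comment such as `# sandbox = false: <reason the build sandbox cannot be used in this container>` would help the next reader. `FROM alpine:latest` on both stages is pre-existing but remains unpinned.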
@@ -1,4 +1,25 @@
-If any issues are encountered with this Docker image (or help desired) please file an issue on Github: https://github.com/heywoodlh/dockerfiles/issues
-For ideas on usage, look at my Fish functions in my .dotfiles: https://github.com/heywoodlh/.dotfiles/tree/master/config/fish/functions
+Alpine Linux Nix image with Flakes enabled by default.
 
-Feel free to ask for any help and I will try to respond as quick and as kindly as I can but I make no guarantee that I will provide support.
+Dockerfile and build resources are here: https://github.com/heywoodlh/dockerfiles/tree/master/nix
+
+GitHub Action to build this on a recurring basis: https://github.com/heywoodlh/actions/blob/master/.github/workflows/nix-buildx.yml
+
+## Usage
+
+```
+docker run -it --rm docker.io/heywoodlh/nix:latest nix run nixpkgs#hello
+```
+
+There is also a static Nix image with the `static` tag:
+
+```
+docker run -it --rm docker.io/heywoodlh/nix:static nix run nixpkgs#hello
+```
+
+The `static` image can be used as a base to redistribute the static Nix binary for other Linux systems, as well:
+
+```
+mkdir -p /tmp/nix-bin
+docker run -it --rm -v /tmp/nix-bin:/tmp/nix-bin docker.io/heywoodlh/nix:static cp /usr/bin/nix /tmp/nix-bin/nix
+/tmp/nix-bin/nix --version
+```
diff --git a/nix/build.sh b/nix/build.sh
new file mode 100755
index 0000000..3e3a862
--- /dev/null
+++ b/nix/build.sh
@@ -0,0 +1,22 @@
+#!/usr/bin/env bash
+# Script to test out multi-arch container build
+# docker buildx behaves differently from docker build (i.e. in GitHub Actions)
+
+arch_target=("amd64" "arm64")
+root_dir=$(pwd)
+date_tag=$(date +%Y_%m_snapshot)
+
+# Create multiarch builder
+docker buildx ls | grep -q multiarch || docker buildx create --name multiarch --driver docker-container --use &>/dev/null
+
+set -ex
+# Default target
+docker build --tag nix-test:latest --target=test .
+export nix_version="$(docker run -i --rm nix-test nix --version | awk '{print $3}')"
+docker buildx build --tag docker.io/heywoodlh/nix:"${nix_version}" --tag docker.io/heywoodlh/nix:latest --platform linux/amd64,linux/arm64 --target=base .
+
+# Static target
+docker build --tag nix-test:static --target=static-test .
+export nix_static_version="$(docker run -i --rm nix-test:static nix --version | awk '{print $3}')"
+docker buildx build --tag docker.io/heywoodlh/nix:static-"${nix_static_version}" --tag docker.io/heywoodlh/nix:static --platform linux/amd64,linux/arm64 --target=static .
+
diff --git a/nix/nix.conf b/nix/nix.conf
index f526839..b9bb22c 100644
--- a/nix/nix.conf
+++ b/nix/nix.conf
@@ -1,2 +1,5 @@
+trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
+trusted-substituters = https://cache.nixos.org
+trusted-users = root @wheel @nix
 extra-experimental-features = nix-command flakes
 build-users-group =
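Review bot: `export nix_version="$(docker run -i --rm nix-test nix --version | awk '{print $3}')"` masks the exit status of the command substitution (ShellCheck SC2155), so if the freshly built test image fails to run, `set -e` does not stop the script and the following `docker buildx build` is invoked with an empty version in its `--tag`; the same applies to `nix_static_version`. Split each into `nix_version="$(docker run -i --rm nix-test nix --version | awk '{print $3}')"` followed by `export nix_version`. `set -ex` is only enabled after the builder-creation line, whose failure is also hidden by `&>/dev/null`, so moving `set -euo pipefail` to the top of the script would cover it and the `grep -q` pipe. `arch_target`, `root_dir` and `date_tag` are assigned but never used in the file as added, so they should be removed or wired into the build commands.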
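Review bot: `trusted-users = root @wheel @nix` grants every member of the `wheel` and `nix` groups trusted-user status on the Nix daemon, which allows them to set arbitrary substituters and signing keys and is therefore effectively root-equivalent for the store; with `build-users-group =` left empty the image appears to be a single-user (daemon-less) install, in which case the setting may be unused, so it is worth confirming and either dropping it or adding a comment stating why those groups need it. Note also that `trusted-substituters` only lists caches that unprivileged users are permitted to enable; it does not itself add `https://cache.nixos.org` to `substituters`, so if the intent is to select the cache, `substituters = https://cache.nixos.org` is the line that does that (Nix's default already includes it, so the added line is more likely redundant than wrong).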