Rootless Nix Dev Container for Visual Code hackers
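// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
// https://github.com/microsoft/vscode-dev-containers/tree/v0.194.0/containers/alpine
{
  "name": "Alpine Nix",
  "build": {
    "dockerfile": "Dockerfile",
    "args": {
      // Update ALPINE_VERSION to pick an Alpine version: 3.11, 3.12, 3.13, 3.14
      "ALPINE_VERSION": "3.14",
      // Update NIX_VERSION and NIX_SHA256 together to change Nix versions, see https://nixos.org/download.html for the
      // latest version.
      "NIX_VERSION": "2.3.15",
      // See https://releases.nixos.org/?prefix=nix/nix-${NIX_VERSION} to find this hash. It is the SHA-256 of the
      // x86_64-linux tarball the Dockerfile downloads; the image build fails if the download does not match it.
      "NIX_SHA256": "aae346f0ee447efa042c38e320aee0368e3c6c7fa331d76f708bbe8539f694fa"
    }
  },
  // Set *default* container specific settings.json values on container create.
  "settings": {},
  // Add the IDs of extensions you want installed when the container is created.
  // Note that some extensions may not work in Alpine Linux. See https://aka.ms/vscode-remote/linux.
  "extensions": [],
  // Use 'forwardPorts' to make a list of ports inside the container available locally.
  // "forwardPorts": [],
  // Use 'postCreateCommand' to run commands after the container is created.
  // "postCreateCommand": "uname -a",
  // Uncomment when using a ptrace-based debugger like C++, Go, and Rust
  // (add the flags to the "runArgs" list below rather than repeating the key, which JSON does not allow):
  // "runArgs": [ "--cap-add=SYS_PTRACE", "--security-opt", "seccomp=unconfined" ],
  // Rootless podman setup: https://opensource.com/article/21/7/vs-code-remote-containers-podman
  // The ",Z" bind option relabels the workspace for SELinux, and "--userns=keep-id" keeps the host user's
  // uid/gid inside the container, so files written to /workspace stay owned by the host user.
  "workspaceMount": "source=${localWorkspaceFolder},target=/workspace,type=bind,Z",
  "workspaceFolder": "/workspace",
  "runArgs": [
    "--userns=keep-id"
  ],
  "containerUser": "vscode"
}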
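# syntax=docker/dockerfile:1
# Rootless Nix dev container: Microsoft's Alpine devcontainer base plus a single-user Nix install.
# See here for base image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.194.0/containers/alpine/.devcontainer/base.Dockerfile
#
# Build args (defaults match .devcontainer/devcontainer.json):
#   ALPINE_VERSION  Alpine release used in the base image tag.
#   NIX_VERSION     Nix release to install.
#   NIX_SYSTEM      Nix system name of the release tarball to fetch (NIX_SHA256 must match it).
#   NIX_SHA256      Expected SHA-256 of that tarball; a mismatch fails the build.
#   USERNAME        Unprivileged user that owns /nix and is the image's final USER.
ARG ALPINE_VERSION="3.14"
# NOTE(review): "0-alpine-<ver>" is a floating tag that follows upstream rebuilds; pin a
# digest (image:tag@sha256:<digest>) when reproducible builds matter.
FROM mcr.microsoft.com/vscode/devcontainers/base:0-alpine-${ALPINE_VERSION}
USER root

# Lock the root account: Alpine images used to ship root with an empty password (CVE-2019-5021).
# https://nvd.nist.gov/vuln/detail/CVE-2019-5021
RUN sed -i -e 's/^root::/root:!:/' /etc/shadow

# --no-cache fetches the package index for this step only, so no index or package cache is
# left under /var/cache/apk (replaces the separate apk update / rm -rf pair). bash and xz are
# needed to run the Nix installer and unpack its tarball; the rest are shell conveniences.
# NOTE(review): package versions are unpinned (hadolint DL3018); pin them if rebuilds must be reproducible.
RUN apk upgrade --no-cache \
    && apk add --no-cache \
        bash \
        curl \
        openssl \
        sudo \
        xz

# See here for how to integrate Nix into Alpine: https://github.com/redoracle/nixos/blob/master/Dockerfile
ARG NIX_VERSION="2.3.15"
# Nix system of the release tarball; the default NIX_SHA256 below is for the x86_64-linux build.
ARG NIX_SYSTEM="x86_64-linux"
ARG NIX_SHA256="aae346f0ee447efa042c38e320aee0368e3c6c7fa331d76f708bbe8539f694fa"
WORKDIR /
# Download, verify and unpack in ONE layer: the checksum is checked before anything from the
# archive is used, and a failed check leaves no cached layer holding the unverified file.
# tar reads the .xz directly instead of an unchecked `cat | xz | tar` pipeline.
RUN wget "https://releases.nixos.org/nix/nix-${NIX_VERSION}/nix-${NIX_VERSION}-${NIX_SYSTEM}.tar.xz" -O nix.tar.xz \
    && echo "${NIX_SHA256}  nix.tar.xz" | sha256sum -c \
    && tar -xpJf nix.tar.xz \
    && mv nix-*-linux nix-release \
    && rm nix.tar.xz

ARG USERNAME=vscode
# Nix expects the nixbld group and build users even for a single-user install.
# sandbox = false: the Nix build sandbox needs privileges a rootless dev container presumably
# does not have (see --userns=keep-id in devcontainer.json) — confirm before enabling it.
# /nix and /etc/nix are handed to USERNAME so the installer and later nix commands run
# unprivileged; this also lets that user edit nix.conf, which is acceptable here only because
# the same user is given sudo above.
RUN addgroup -g 30000 -S nixbld \
    && for i in $(seq 1 30); do \
         adduser -S -D -h /var/empty -g "Nix build user $i" -u $((30000 + i)) -G nixbld "nixbld$i"; \
       done \
    && mkdir -m 0755 /etc/nix \
    && echo 'sandbox = false' > /etc/nix/nix.conf \
    && mkdir -m 0755 /nix \
    && chown -R "${USERNAME}" /nix /etc/nix

# Single-user install, run as the unprivileged owner of /nix.
USER ${USERNAME}
RUN USER="${USERNAME}" sh nix-release/install

# Back to root only to drop the unpacked release and expose the user's nix.sh to login shells.
USER root
RUN rm -r /nix-release \
    && ln -s "/nix/var/nix/profiles/per-user/${USERNAME}/profile/etc/profile.d/nix.sh" /etc/profile.d/

# The final USER is the unprivileged developer account, not root.
USER ${USERNAME}
# Shrink the store: drop old generations, hard-link duplicate files, then verify store contents.
RUN . "$HOME/.nix-profile/etc/profile.d/nix.sh" \
    && "$HOME/.nix-profile/bin/nix-collect-garbage" --delete-old \
    && "$HOME/.nix-profile/bin/nix-store" --optimise \
    && "$HOME/.nix-profile/bin/nix-store" --verify --check-contents

# $HOME below is expanded by the *builder* from ENV variables it knows (declared here or
# inherited from the base image), not per user at runtime; if HOME is unset at build time
# that PATH entry collapses to /.nix-profile/bin — confirm against the base image. The
# per-user profile path that follows covers the same binaries either way.
# NOTE(review): the ONBUILD copy re-applies these in derived images; whether ${USERNAME}
# still resolves there depends on the downstream build declaring the same ARG — confirm.
ONBUILD ENV \
    ENV=/etc/profile \
    USER=${USERNAME} \
    PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/per-user/${USERNAME}/profile/bin:/nix/var/nix/profiles/per-user/${USERNAME}/profile/sbin:/bin:/sbin:/usr/bin:/usr/sbin \
    NIX_PATH=/nix/var/nix/profiles/per-user/${USERNAME}/channels
# Same values for this image; ${USERNAME} (default "vscode") replaces the previously hard-coded
# user so a non-default USERNAME build arg no longer points PATH and NIX_PATH at the wrong profile.
ENV \
    ENV=/etc/profile \
    USER=${USERNAME} \
    PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/per-user/${USERNAME}/profile/bin:/nix/var/nix/profiles/per-user/${USERNAME}/profile/sbin:/bin:/sbin:/usr/bin:/usr/sbin \
    NIX_PATH=/nix/var/nix/profiles/per-user/${USERNAME}/channels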
Basically, just enough Nix on top of Microsoft's Alpine image to get to `nix-shell`, since many of my projects have a `shell.nix` that defines their dev environments.