From 9887294d9b06460c537ec9616a7a68b0c0d7677a Mon Sep 17 00:00:00 2001
From: Michael Francis
Date: Thu, 7 May 2026 12:51:45 -0400
Subject: [PATCH 1/4] WIP, debug image
---
.github/workflows/debug-image.yml | 73 +++++
debug-image/flake.lock | 489 ++++++++++++++++++++++++++++++
debug-image/flake.nix | 199 ++++++++++++
home-manager/flake.lock | 12 +-
home-manager/home.nix | 11 +-
zsh/zshrc.nix | 2 +
6 files changed, 777 insertions(+), 9 deletions(-)
create mode 100644 .github/workflows/debug-image.yml
create mode 100644 debug-image/flake.lock
create mode 100644 debug-image/flake.nix
diff --git a/.github/workflows/debug-image.yml b/.github/workflows/debug-image.yml
new file mode 100644
index 0000000..b36454c
--- /dev/null
+++ b/.github/workflows/debug-image.yml
@@ -0,0 +1,73 @@
+name: debug-image
+
+on:
+ push:
+ branches: [master]
+ paths:
+ - "debug-image/**"
+ - "home-manager/**"
+ - "zsh/**"
+ - "tmux/**"
+ - "vim/**"
+ - ".github/workflows/debug-image.yml"
+ pull_request:
+ paths:
+ - "debug-image/**"
+ - "home-manager/**"
+ - "zsh/**"
+ - "tmux/**"
+ - "vim/**"
+ - ".github/workflows/debug-image.yml"
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ packages: write
+
+jobs:
+ build-and-push:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Install Nix
+ uses: DeterminateSystems/nix-installer-action@main
+ with:
+ extra-conf: |
+ experimental-features = nix-command flakes
+ accept-flake-config = true
+
+ - name: Magic Nix Cache
+ uses: DeterminateSystems/magic-nix-cache-action@main
+
+ - name: Resolve image name (ghcr requires lowercase)
+ id: image
+ env:
+ OWNER: ${{ github.repository_owner }}
+ run: |
+ owner_lc="${OWNER,,}"
+ echo "ref=ghcr.io/${owner_lc}/debug-image" >> "$GITHUB_OUTPUT"
+
+ - name: Build image
+ working-directory: debug-image
+ run: nix build .#debug-image --print-build-logs
+
+ - name: Log in to ghcr
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Push sha-tagged image to ghcr
+ working-directory: debug-image
+ run: |
+ nix run .#debug-image.copyTo -- \
+ "docker://${{ steps.image.outputs.ref }}:${{ github.sha }}"
+
+ - name: Push :latest tag (master only)
+ if: github.event_name == 'push' && github.ref == 'refs/heads/master'
+ working-directory: debug-image
+ run: |
+ nix run .#debug-image.copyTo -- \
+ "docker://${{ steps.image.outputs.ref }}:latest"
diff --git a/debug-image/flake.lock b/debug-image/flake.lock
new file mode 100644
index 0000000..97fbdbd
--- /dev/null
+++ b/debug-image/flake.lock
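Review bot: `uses: DeterminateSystems/nix-installer-action@main` and `uses: DeterminateSystems/magic-nix-cache-action@main` track a mutable branch inside a job that holds `packages: write` and logs into ghcr with `secrets.GITHUB_TOKEN`, so whatever those branches resolve to at run time executes with push rights to the registry; pin both to a full commit SHA with the version in a trailing comment, e.g. `uses: DeterminateSystems/nix-installer-action@<commit-sha-placeholder> # <version-placeholder>`, and consider the same for `actions/checkout@v4` and `docker/login-action@v3`. The login step and the 'Push sha-tagged image to ghcr' step carry no `if:` guard, so `pull_request` runs also publish a `:<sha>` tag, and PRs from forks will fail at `docker/login-action` because their `GITHUB_TOKEN` is read-only; `if: github.event_name != 'pull_request'` on both steps keeps PR runs build-only. `accept-flake-config = true` in `extra-conf` also deserves a comment: the `debug-image/flake.nix` in this series declares no `nixConfig`, so the setting is inert today, but it would let a later flake-level `substituters`/`trusted-public-keys` change take effect in CI without anyone being prompted.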
@@ -0,0 +1,489 @@ +{ + "nodes": { + "atuinPkg": { + "inputs": { + "fenix": "fenix", + "flake-compat": "flake-compat", + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1723635448, + "narHash": "sha256-DitGGbiTNxU/5DP1BmAE68AeyWiyjRVStlUXPMhQqIU=", + "owner": "atuinsh", + "repo": "atuin", + "rev": "72a562a38e15e12b39381d435f6977eb938783b0", + "type": "github" + }, + "original": { + "owner": "atuinsh", + "repo": "atuin", + "type": "github" + } + }, + "fenix": { + "inputs": { + "nixpkgs": [ + "home-manager-config", + "atuinPkg", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1723530607, + "narHash": "sha256-FaXZZLLDW1D+pj7UgrIslDS8XjMMG3Pus5gAvUYWQS0=", + "owner": "nix-community", + "repo": "fenix", + "rev": "296d44c440302980824c5f3b67e477cf0522e0c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "fenix", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": 
"b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "inputs": { + "systems": "systems_4" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1758463745, + "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "release-25.05", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager-config": { + "inputs": { + "atuinPkg": "atuinPkg", + "flake-utils": "flake-utils_3", + "home-manager": "home-manager", + "nilPkg": "nilPkg", + "nix-index-database": "nix-index-database", + "nixpkgs": [ + "nixpkgs" + ], + "nvimConfig": "nvimConfig", + "tmuxConf": "tmuxConf", + "vim-oceanic-next": "vim-oceanic-next", + "vim-quantum": "vim-quantum", + "zshConf": "zshConf" + }, + "locked": { + "path": "../home-manager", + "type": "path" + }, + "original": { + "path": "../home-manager", + "type": "path" + }, + "parent": [] + }, + "nilPkg": { + "inputs": { + "flake-utils": "flake-utils_4", + "nixpkgs": 
"nixpkgs_3", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1723948777, + "narHash": "sha256-rX14joTzvRUiCfmCT0LUMV3Mxi79VJANcKB/kkh7Qys=", + "owner": "oxalica", + "repo": "nil", + "rev": "4f3081d1f10bb61f197b780e67f426e53f818691", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "nil", + "type": "github" + } + }, + "nix-index-database": { + "inputs": { + "nixpkgs": [ + "home-manager-config", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1732519917, + "narHash": "sha256-AGXhwHdJV0q/WNgqwrR2zriubLr785b02FphaBtyt1Q=", + "owner": "nix-community", + "repo": "nix-index-database", + "rev": "f4a5ca5771ba9ca31ad24a62c8d511a405303436", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nix-index-database", + "type": "github" + } + }, + "nix2container": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1775487831, + "narHash": "sha256-2lguQpLPQaxpQCJjXhmEEAfabwsAhkP29Z7fgLzHARA=", + "owner": "nlewo", + "repo": "nix2container", + "rev": "76be9608a7f4d6c985d28b0e7be903ae2547df3e", + "type": "github" + }, + "original": { + "owner": "nlewo", + "repo": "nix2container", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1723541349, + "narHash": "sha256-LrmeqqHdPgAJsVKIJja8jGgRG/CA2y6SGT2TjX5Do68=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4877ea239f4d02410c3516101faf35a81af0c30e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1753345091, + "narHash": "sha256-CdX2Rtvp5I8HGu9swBmYuq+ILwRxpXdJwlpg8jvN4tU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3ff0e34b1383648053bba8ed03f201d3466f90c9", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1722730825, + 
"narHash": "sha256-X6U+w8qFBuGPCYrZzc9mpN34aRjQ8604MonpBUkj908=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "f3834de3782b82bfc666abf664f946d0e7d1f116", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1767313136, + "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nvimConfig": { + "flake": false, + "locked": { + "path": "../vim/.vimrc", + "type": "path" + }, + "original": { + "path": "../vim/.vimrc", + "type": "path" + }, + "parent": [ + "home-manager-config" + ] + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "home-manager-config": "home-manager-config", + "nix2container": "nix2container", + "nixpkgs": "nixpkgs_4" + } + }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1723473250, + "narHash": "sha256-Ls0e6R4FmGUFXZlUcm6ZQaVNJ4Yj/nua4SSctXIopao=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "32a86cb1dad2b208e8f36f1bb50c2e4806b0371f", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "home-manager-config", + "nilPkg", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1722824458, + "narHash": "sha256-2k3/geD5Yh8JT1nrGaRycje5kB0DkvQA/OUZoel1bIU=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "a8a937c304e62a5098c6276c9cdf65c19a43b1a5", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": 
"sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "tmuxConf": { + "flake": false, + "locked": { + "path": "../tmux/tmux.nix", + "type": "path" + }, + "original": { + "path": "../tmux/tmux.nix", + "type": "path" + }, + "parent": [ + "home-manager-config" + ] + }, + "vim-oceanic-next": { + "flake": false, + "locked": { + "lastModified": 1682948609, + "narHash": "sha256-f5isbjoGMsLlzWkxQAU2an4lwEiIPuXKAZGyezZlv/M=", + "owner": "mhartington", + "repo": "oceanic-next", + "rev": "09833f72d5ba23de2e8bcae18f479f326f5f677a", + "type": "github" + }, + "original": { + "owner": "mhartington", + "repo": "oceanic-next", + "type": "github" + } + }, + "vim-quantum": { + "flake": false, + "locked": { + "lastModified": 1521851603, + "narHash": 
"sha256-8lFaCrjjKRlO3RObIamhlQNr/WHMgUynZonM5KQnVfI=", + "owner": "tyrannicaltoucan", + "repo": "vim-quantum", + "rev": "78c435ba226f465e243b7c728b87ad13d37e9cd6", + "type": "github" + }, + "original": { + "owner": "tyrannicaltoucan", + "repo": "vim-quantum", + "type": "github" + } + }, + "zshConf": { + "flake": false, + "locked": { + "path": "../zsh/zshrc.nix", + "type": "path" + }, + "original": { + "path": "../zsh/zshrc.nix", + "type": "path" + }, + "parent": [ + "home-manager-config" + ] + } + }, + "root": "root", + "version": 7 +} diff --git a/debug-image/flake.nix b/debug-image/flake.nix new file mode 100644 index 0000000..8f7f823 --- /dev/null +++ b/debug-image/flake.nix 
@@ -0,0 +1,199 @@
+{
+ description = "Debugging container image with edude03's home-manager environment";
+
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+ flake-utils.url = "github:numtide/flake-utils";
+
+ nix2container = {
+ url = "github:nlewo/nix2container";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+
+ home-manager-config = {
+ url = "path:../home-manager";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ outputs = {
+ self,
+ nixpkgs,
+ flake-utils,
+ nix2container,
+ home-manager-config,
+ ...
+ }:
+ flake-utils.lib.eachDefaultSystem (system: let
+ pkgs = nixpkgs.legacyPackages.${system};
+
+ # Container images target Linux. On Darwin hosts, evaluate against the
+ # equivalent Linux pkgs and rely on a remote/linux-builder to actually build.
+ imageSystem =
+ if system == "aarch64-darwin"
+ then "aarch64-linux"
+ else if system == "x86_64-darwin"
+ then "x86_64-linux"
+ else system;
+
+ pkgsLinux = nixpkgs.legacyPackages.${imageSystem};
+ n2c = nix2container.packages.${system}.nix2container;
+
+ username = "edude03";
+ uid = 1000;
+ gid = 1000;
+
+ homeConfig = home-manager-config.packages.${imageSystem}.homeConfigurations.${username};
+ hmActivation = homeConfig.activationPackage;
+
+ passwd = pkgsLinux.writeText "passwd" ''
+ root:x:0:0:root:/root:${pkgsLinux.bashInteractive}/bin/bash
+ ${username}:x:${toString uid}:${toString gid}:${username}:/home/${username}:${pkgsLinux.bashInteractive}/bin/bash
+ nobody:x:65534:65534:Nobody:/:/bin/false
+ '';
+
+ groupFile = pkgsLinux.writeText "group" ''
+ root:x:0:
+ ${username}:x:${toString gid}:
+ nobody:x:65534:
+ '';
+
+ nixConf = pkgsLinux.writeText "nix.conf" ''
+ experimental-features = nix-command flakes
+ sandbox = false
+ build-users-group =
+ substituters = https://cache.nixos.org/
+ trusted-users = root ${username}
+ '';
+
+ debugTools = with pkgsLinux; [
+ # Shell + core
+ bashInteractive
+ coreutils-full
+ gnugrep
+ gnused
+ gawk
+ findutils
+ gnutar
+ gzip
+ bzip2
+ xz
+ unzip
+ less
+ which
+ file
+
+ # Network debugging
+ curl
+ wget
+ netcat-openbsd
+ socat
+ bind.dnsutils
+ iputils
+ iproute2
+ mtr
+ tcpdump
+
+ # Process / syscall debugging
+ strace
+ ltrace
+ lsof
+ procps
+ psmisc
+
+ # Data wrangling
+ jq
+ yq-go
+ ripgrep
+ fd
+
+ # Crypto / transport
+ openssl
+ openssh
+ cacert
+
+ # Nix toolchain
+ nix
+ git
+
+ # Tiny-utility fallback (nslookup, vi, etc.)
+ busybox
+ ];
+
+ imageRoot = pkgsLinux.symlinkJoin {
+ name = "debug-image-root";
+ paths = [
+ (pkgsLinux.buildEnv {
+ name = "debug-image-env";
+ paths = debugTools ++ [homeConfig.config.home.path];
+ pathsToLink = ["/bin" "/sbin" "/lib" "/share" "/etc" "/include"];
+ ignoreCollisions = true;
+ })
+ ];
+ postBuild = ''
+ mkdir -p \
+ $out/home/${username} \
+ $out/etc/nix \
+ $out/usr/bin \
+ $out/tmp \
+ $out/var/tmp \
+ $out/var/empty \
+ $out/run \
+ $out/root
+
+ # Materialize home-manager's generated home tree.
+ cp -a ${hmActivation}/home-files/. $out/home/${username}/
+
+ # Convenience symlink so $HOME/.nix-profile/bin works.
+ ln -s ${homeConfig.config.home.path} $out/home/${username}/.nix-profile
+
+ install -m 0644 ${passwd} $out/etc/passwd
+ install -m 0644 ${groupFile} $out/etc/group
+ install -m 0644 ${nixConf} $out/etc/nix/nix.conf
+
+ # Compatibility shims many scripts assume.
+ ln -sf /bin/env $out/usr/bin/env
+ [ -e $out/bin/sh ] || ln -sf ${pkgsLinux.bashInteractive}/bin/bash $out/bin/sh
+
+ chmod 1777 $out/tmp $out/var/tmp
+ '';
+ };
+ in {
+ packages.debug-image = n2c.buildImage {
+ name = "debug-image";
+ tag = "latest";
+
+ copyToRoot = [imageRoot];
+
+ perms = [
+ {
+ path = imageRoot;
+ regex = "/home/${username}";
+ mode = "0755";
+ uid = uid;
+ gid = gid;
+ uname = username;
+ gname = username;
+ }
+ ];
+
+ config = {
+ User = "root";
+ WorkingDir = "/home/${username}";
+ Cmd = ["${pkgsLinux.bashInteractive}/bin/bash" "-l"];
+ Env = [
+ "USER=${username}"
+ "HOME=/home/${username}"
+ "PATH=/home/${username}/.nix-profile/bin:/bin:/sbin"
+ "SHELL=${pkgsLinux.bashInteractive}/bin/bash"
+ "TERM=xterm-256color"
+ "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
+ "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
+ "NIX_PATH=nixpkgs=${nixpkgs}"
+ ];
+ };
+ };
+
+ packages.default = self.packages.${system}.debug-image;
+ });
+}
diff --git a/home-manager/flake.lock b/home-manager/flake.lock
index afb84a0..e8ad509 100644
--- a/home-manager/flake.lock
+++ b/home-manager/flake.lock
@@ -118,11 +118,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1756679287, - "narHash": "sha256-Xd1vOeY9ccDf5VtVK12yM0FS6qqvfUop8UQlxEB+gTQ=", + "lastModified": 1758463745, + "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=", "owner": "nix-community", "repo": "home-manager", - "rev": "07fc025fe10487dd80f2ec694f1cd790e752d0e8", + "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3", "type": "github" }, "original": {
@@ -190,11 +190,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1756886854, - "narHash": "sha256-6tooT142NLcFjt24Gi4B0G1pgWLvfw7y93sYEfSHlLI=", + "lastModified": 1753345091, + "narHash": "sha256-CdX2Rtvp5I8HGu9swBmYuq+ILwRxpXdJwlpg8jvN4tU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "0e6684e6c5755325f801bda1751a8a4038145d7d", + "rev": "3ff0e34b1383648053bba8ed03f201d3466f90c9", "type": "github" }, "original": {
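Review bot: The generated `nix.conf` turns off both of Nix's isolation controls at once — `sandbox = false` and `trusted-users = root ${username}` — without recording why; a trusted user can override any daemon setting, including `substituters` and `trusted-public-keys`, and import unsigned store paths, so if this is deliberate for a throwaway debug image, say so above `nixConf`, e.g. `# Debug-only: no build sandbox and ${username} is a trusted nix user; never reuse this nix.conf where built artifacts are trusted.`. `ignoreCollisions = true` on the `buildEnv` also hides that `busybox` and `coreutils-full` both provide many of the same `/bin` names, so which implementation a tool resolves to depends on buildEnv's precedence rules rather than on anything stated here; a one-line comment naming the intended winner, or wrapping `busybox` in `lib.lowPrio`, would make it explicit. The `home-manager/flake.lock` hunks sharing this line are lockfile updates and need nothing.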
diff --git a/home-manager/home.nix b/home-manager/home.nix
index ecd4031..1f22daa 100644
--- a/home-manager/home.nix
+++ b/home-manager/home.nix
@@ -13,11 +13,10 @@ enable = true; enableZshIntegration = true; package = atuin; - daemon.enable = true; + daemon.enable = pkgs.stdenv.isLinux; settings = { enter_accept = false; }; - }; home.packages = with pkgs; [
@@ -51,6 +50,7 @@ # Nix tools alejandra nil + nixd # Kubernetes tooling kubectx
@@ -63,6 +63,11 @@ programs.fzf = {enable = true;}; + programs.zoxide = { + enable = true; + enableZshIntegration = true; + }; + programs.git = { enable = true; userName = "Michael Francis";
@@ -83,7 +88,7 @@ }; }; - home.file.".tmux.conf" = { text = tmuxConfig; }; + home.file.".tmux.conf" = {text = tmuxConfig;}; home.file.".hushlogin" = {text = "";};
diff --git a/zsh/zshrc.nix b/zsh/zshrc.nix
index 640891e..f0e2bf1 100644
--- a/zsh/zshrc.nix
+++ b/zsh/zshrc.nix
@@ -103,6 +103,8 @@ in { compinit -C; fi; + source ${pkgs.zsh-fzf-tab}/share/fzf-tab/fzf-tab.plugin.zsh + # Ensure nvim is used as editor export EDITOR=nvim
From f46c4c0399e30b645d28eb88b8c8dbb673d593be Mon Sep 17 00:00:00 2001
From: Michael Francis
Date: Thu, 7 May 2026 13:31:57 -0400
Subject: [PATCH 2/4] fix read oonly path?
---
debug-image/flake.nix | 3 +++
1 file changed, 3 insertions(+)
diff --git a/debug-image/flake.nix b/debug-image/flake.nix
index 8f7f823..3912204 100644
--- a/debug-image/flake.nix
+++ b/debug-image/flake.nix
@@ -143,6 +143,9 @@ # Materialize home-manager's generated home tree. cp -a ${hmActivation}/home-files/. $out/home/${username}/ + # cp -a inherits read-only modes from the /nix/store source, so make + # the home root (and any subdirs) writable enough to add files. + find $out/home/${username} -type d -exec chmod u+w {} + # Convenience symlink so $HOME/.nix-profile/bin works. ln -s ${homeConfig.config.home.path} $out/home/${username}/.nix-profile
From 1ef101cdfe5d01801e77e686f566464474528896 Mon Sep 17 00:00:00 2001
From: Michael Francis
Date: Thu, 7 May 2026 13:48:50 -0400
Subject: [PATCH 3/4] dont use nixpkgs spokeo
---
debug-image/flake.lock | 21 +++++++++++++++++----
debug-image/flake.nix | 8 ++++----
2 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/debug-image/flake.lock b/debug-image/flake.lock
index 97fbdbd..936eddb 100644
--- a/debug-image/flake.lock
+++ b/debug-image/flake.lock
@@ -220,9 +220,7 @@ }, "nix2container": { "inputs": { - "nixpkgs": [ - "nixpkgs" - ] + "nixpkgs": "nixpkgs_4" }, "locked": { "lastModified": 1775487831,
@@ -287,6 +285,21 @@ } }, "nixpkgs_4": { + "locked": { + "lastModified": 1767028467, + "narHash": "sha256-7G+2aXClSMaTY1ogpX14CAxjRsvyVzpE0GRwL71WO7g=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1cabc318c11299f07ca53e3cb719854682fe6eb3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { "locked": { "lastModified": 1767313136, "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=",
@@ -321,7 +334,7 @@ "flake-utils": "flake-utils", "home-manager-config": "home-manager-config", "nix2container": "nix2container", - "nixpkgs": "nixpkgs_4" + "nixpkgs": "nixpkgs_5" } }, "rust-analyzer-src": {
diff --git a/debug-image/flake.nix b/debug-image/flake.nix
index 3912204..a9d0437 100644
--- a/debug-image/flake.nix
+++ b/debug-image/flake.nix
@@ -5,10 +5,10 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; flake-utils.url = "github:numtide/flake-utils"; - nix2container = { - url = "github:nlewo/nix2container"; - inputs.nixpkgs.follows = "nixpkgs"; - }; + # nix2container ships a patched skopeo; keep its own pinned nixpkgs so the + # patch matches the skopeo version it was tested against. Skopeo is only + # used at push time, never in the runtime image. + nix2container.url = "github:nlewo/nix2container"; home-manager-config = { url = "path:../home-manager";
From 44a37f19f4d8c83512567d420109d11bf19f012c Mon Sep 17 00:00:00 2001
From: Michael Francis
Date: Thu, 7 May 2026 15:08:21 -0400
Subject: [PATCH 4/4] fix perms, switch to zsh
---
debug-image/flake.nix | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/debug-image/flake.nix b/debug-image/flake.nix
index a9d0437..4d09100 100644
--- a/debug-image/flake.nix
+++ b/debug-image/flake.nix
@@ -43,12 +43,23 @@ uid = 1000; gid = 1000; - homeConfig = home-manager-config.packages.${imageSystem}.homeConfigurations.${username}; + baseHomeConfig = home-manager-config.packages.${imageSystem}.homeConfigurations.${username}; + # No systemd in the container, so the atuin user service has nothing to + # start it; disabling daemon mode keeps atuin working in non-daemon mode. + homeConfig = baseHomeConfig.extendModules { + modules = [ + ({lib, ...}: { + # home.nix sets this to true on Linux; override unconditionally for + # the container since there's no systemd to start the daemon. + programs.atuin.daemon.enable = lib.mkForce false; + }) + ]; + }; hmActivation = homeConfig.activationPackage; passwd = pkgsLinux.writeText "passwd" '' root:x:0:0:root:/root:${pkgsLinux.bashInteractive}/bin/bash - ${username}:x:${toString uid}:${toString gid}:${username}:/home/${username}:${pkgsLinux.bashInteractive}/bin/bash + ${username}:x:${toString uid}:${toString gid}:${username}:/home/${username}:${pkgsLinux.zsh}/bin/zsh + nobody:x:65534:65534:Nobody:/:/bin/false + '';
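Review bot: The reason for forcing `programs.atuin.daemon.enable` off is stated twice in this hunk — the two-line comment above `homeConfig = baseHomeConfig.extendModules {` and the two-line comment inside the inline module both say there is no systemd to start the daemon; keeping only the inner one, next to the `lib.mkForce false` it explains, reads better. The `${username}` passwd entry now points at `${pkgsLinux.zsh}/bin/zsh` while `root` keeps `${pkgsLinux.bashInteractive}/bin/bash`; if that asymmetry is intentional, a short comment on the `passwd` string would save the next reader the question. The enclosing `let` block starts and ends outside the hunk.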
@@ -181,14 +192,17 @@
 ];
 
 config = {
- User = "root";
+ # Run as edude03 so $HOME is owned by the running user and home-manager
+ # config actually loads. Use `docker exec -u 0` for privileged debugging
+ # (tcpdump on host pids, etc.).
+ User = "${toString uid}:${toString gid}";
 WorkingDir = "/home/${username}";
- Cmd = ["${pkgsLinux.bashInteractive}/bin/bash" "-l"];
+ Cmd = ["${pkgsLinux.zsh}/bin/zsh" "-l"];
 Env = [
 "USER=${username}"
 "HOME=/home/${username}"
 "PATH=/home/${username}/.nix-profile/bin:/bin:/sbin"
- "SHELL=${pkgsLinux.bashInteractive}/bin/bash"
+ "SHELL=${pkgsLinux.zsh}/bin/zsh"
 "TERM=xterm-256color"
 "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
 "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
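Review bot: Switching `User` to `${toString uid}:${toString gid}` is the right default for the image, but it changes what the bundled `nix` CLI can do and the new comment does not mention it: with no daemon in the container, a non-root `nix` runs in single-user mode and needs `/nix/store` and `/nix/var/nix` writable by that uid, and as far as the visible flake.nix shows nothing creates or chowns those paths (the only `perms` entry covers `/home/${username}`), so store-writing commands such as `nix build` will likely fail for the default user while still working via `docker exec -u 0`. Extending the comment above `User` with something like `# nix operations that write to /nix/store also need root here (docker exec -u 0).` records that limitation where the next reader will look. The `config` attribute set and the surrounding `buildImage` call continue outside the hunk.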