From 72cddc5bd92860313fd4e482cc50a890a71ee235 Mon Sep 17 00:00:00 2001
From: samrose
Date: Thu, 22 Feb 2024 13:57:53 -0500
Subject: [PATCH] Sam/nix2container (#45)

* feat: nix2container

* WIP stash

* feat: refactor docker image build to use nix2container for image builds

---
 .gitignore | 1 +
 docker/init.sh.in | 7 ++-
 flake.lock | 70 ++++++++++++++++++++++++-
 flake.nix | 128 +++++++++++++++++++++++++++++++++++-----------
 4 files changed, 171 insertions(+), 35 deletions(-)

diff --git a/.gitignore b/.gitignore
index eaa0768..78db5c1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@
 result*
 # shell history
 .history
+container.sh
diff --git a/docker/init.sh.in b/docker/init.sh.in
index a0e6199..360d440 100644
--- a/docker/init.sh.in
+++ b/docker/init.sh.in
@@ -1,6 +1,5 @@
 #!/bin/bash
 # shellcheck shell=bash
-
-sudo -u postgres /bin/initdb --locale=C -D /data
-sudo -u postgres ln -s /etc/postgresql.conf /data/postgresql.conf
-sudo -u postgres /bin/postgres -p @PGSQL_DEFAULT_PORT@ -D /data
+/bin/initdb --locale=C -D /data/postgresql
+ln -s /etc/postgresql.conf /data/postgresql/postgresql.conf
+/bin/postgres -p @PGSQL_DEFAULT_PORT@ -D /data/postgresql
diff --git a/flake.lock b/flake.lock
index cde2012..a5e030a 100644
--- a/flake.lock
+++ b/flake.lock
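Review bot: `/bin/postgres` on the last added line is started as a child of bash, so the container's PID 1 is the shell and the SIGTERM from a `docker stop` is not delivered to the server, which is then killed after the grace period instead of shutting down cleanly; `exec /bin/postgres -p @PGSQL_DEFAULT_PORT@ -D /data/postgresql` fixes that. Dropping `sudo -u postgres` also means the script no longer picks its own user and now depends on the image config running it as the non-root postgres user (initdb refuses to run as root); presumably the nix2container config in flake.nix does this, but it is not visible in this patch, so a one-line comment stating that assumption at the top of the script would help the next reader. The whole script is within the hunk.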
@@ -18,7 +18,59 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nix2container": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1703410130, + "narHash": "sha256-qbJQ8DtdKzFK0fZck7kX64QWkS/3tKefxGjyI+SAQa4=", + "owner": "nlewo", + "repo": "nix2container", + "rev": "6aa8491e73843ac8bf714a3904a45900f356ea44", + "type": "github" + }, + "original": { + "owner": "nlewo", + "repo": "nix2container", + "type": "github" + } + }, "nixpkgs": { + "locked": { + "lastModified": 1697269602, + "narHash": "sha256-dSzV7Ud+JH4DPVD9od53EgDrxUVQOcSj4KGjggCDVJI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9cb540e9c1910d74a7e10736277f6eb9dff51c81", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1696261572, "narHash": "sha256-s8TtSYJ1LBpuITXjbPLUPyxzAKw35LhETcajJjCS5f0=", @@ -37,7 +89,8 @@ "root": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs" + "nix2container": "nix2container", + "nixpkgs": "nixpkgs_2" } }, "systems": { @@ -54,6 +107,21 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 6d3c5e0..27e6f95 100644 --- a/flake.nix +++ b/flake.nix 
@@ -4,6 +4,7 @@
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
 flake-utils.url = "github:numtide/flake-utils";
+ nix2container.url = "github:nlewo/nix2container";
 };
 nixConfig = {
@@ -16,7 +17,7 @@
 ];
 };
- outputs = { self, nixpkgs, flake-utils }: let
+ outputs = { self, nixpkgs, flake-utils, nix2container }: let
 gitRev = "vcs=${self.shortRev or "dirty"}+${builtins.substring 0 8 (self.lastModifiedDate or self.lastModified or "19700101")}";
 ourSystems = with flake-utils.lib; [
@@ -26,6 +27,7 @@
 let
 pgsqlDefaultPort = "5435";
 pgsqlSuperuser = "postgres";
+ nix2img = nix2container.packages.${system}.nix2container;
 # The 'pkgs' variable holds all the upstream packages in nixpkgs, which
 # we can use to build our own images; it is the common name to refer to
@@ -177,8 +179,9 @@
 };
 # Make a Docker Image from a given PostgreSQL version and binary package.
- makePostgresDocker = version: binPackage:
- let
+ # updated to use https://github.com/nlewo/nix2container (samrose)
+ makePostgresDocker = version: binPackage:
+ let
 initScript = pkgs.runCommand "docker-init.sh" {} ''
 mkdir -p $out/bin
 substitute ${./docker/init.sh.in} $out/bin/init.sh \
@@ -194,37 +197,102 @@
 --subst-var-by PGSODIUM_GETKEY_SCRIPT "${./tests/util/pgsodium_getkey.sh}"
 '';
- in pkgs.dockerTools.buildImage {
- name = "postgresql-${version}";
- tag = "latest";
-
- runAsRoot = ''
- #!${pkgs.runtimeShell}
- ${pkgs.dockerTools.shadowSetup}
- groupadd -r postgres
- useradd -r -g postgres postgres
- mkdir -p /data /run/postgresql
- chown postgres:postgres /data /run/postgresql
- '';
+ l = pkgs.lib // builtins;
+
+ user = "postgres";
+ group = "postgres";
+ uid = "1001";
+ gid = "1001";
+
+ mkUser = pkgs.runCommand "mkUser" { } ''
+ mkdir -p $out/etc/pam.d
+
+ echo "${user}:x:${uid}:${gid}::" > $out/etc/passwd
+ echo "${user}:!x:::::::" > $out/etc/shadow
+
+ echo "${group}:x:${gid}:" > $out/etc/group
+ echo "${group}:x::" > $out/etc/gshadow
+
+ cat > $out/etc/pam.d/other <
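Review bot: The new `nix2container.url` input brings its own `nixpkgs` and `flake-utils`, which is why the flake.lock in this patch now carries a second nixpkgs revision (`nixpkgs_2`) plus `flake-utils_2` and `systems_2` alongside the root's pins; two nixpkgs trees means two sets of package versions to track for advisories and to bump on updates. Adding `nix2container.inputs.nixpkgs.follows = "nixpkgs";` and `nix2container.inputs.flake-utils.follows = "flake-utils";` next to the url line dedupes them. If nix2container is known to need its own nixpkgs pin, a comment on the input saying so would stop the next person from "fixing" it.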
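Review bot: The added comment `# updated to use https://github.com/nlewo/nix2container (samrose)` in the `@@ -177,8 +179,9 @@` hunk records a change and an author rather than describing the code; that belongs in the commit message, and it sits next to an existing description line it partly duplicates. Fold the pointer into that line, e.g. `# Make a Docker image from a given PostgreSQL version and binary package, built with nix2container (https://github.com/nlewo/nix2container).`, and drop the attribution. The `makePostgresDocker`/`let` lines removed and re-added in this hunk appear to differ only in indentation; the function's body continues in the next hunk and past the end of this chunk.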