Jan 30, 2025 · Jan 29, 2025
diff --git a/dogfood/contents/nix.hash b/dogfood/contents/nix.hash
 91e81c240fcf9f72e4c67497b68ba247a3f901147b61736072eb234e03db87b5  flake.nix
 b43d86368a0d2713d646d57e964dc2ac49744f5e11b6395fabed2d49596c1615  flake.lock
 f41c80bd08bfef063a9cfe907d0ea1f377974ebe011751f64008a3a07a6b152a  flake.nix
 32c441011f1f3054a688c036a85eac5e4c3dbef0f8cfa4ab85acd82da577dc35  flake.lock
diff --git a/flake.nix b/flake.nix
          drpc.defaultPackage.${system}
          formatter
          fzf
 gcc
 gcc13
          gdk
          getopt
          gh
            name = "coder-${osArch}";
            # Updated with ./scripts/update-flake.sh`.
            # This should be updated whenever go.mod changes!
            vendorHash = "sha256-hJBNmHz9ZJLS/QTu8w8y1w/Yi45aSoaSeZ//ysllp6c=";
            vendorHash = "sha256-QjqF+QZ5JKMnqkpNh6ZjrJU2QcSqiT4Dip1KoicwLYc=";
            proxyVendor = true;
            src = ./.;
            nativeBuildInputs = with pkgs; [
        devShells = {
          default = pkgs.mkShell {
            buildInputs = devShellPackages;
            shellHook = ''
              export PLAYWRIGHT_BROWSERS_PATH=${pkgs.playwright-driver.browsers}
              export PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS=true
            '';

            PLAYWRIGHT_BROWSERS_PATH = pkgs.playwright-driver.browsers;
            PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS = true;

            LOCALE_ARCHIVE =
              with pkgs;
            aarch64-windows = buildFat "windows_arm64.exe";
          }
          // (pkgs.lib.optionalAttrs pkgs.stdenv.isLinux {
            dev_image = docker.buildNixShellImage {
            dev_image = docker.buildNixShellImagerec{
              name = "codercom/oss-dogfood-nix";
              tag = "latest-${system}";

              # (ThomasK33): Workaround for images with too many layers (>64 layers) causing sysbox
              # to have issues on dogfood envs.
              maxLayers = 32;

              uname = "coder";
              homeDirectory = "/home/${uname}";

              drv = devShells.default.overrideAttrs (oldAttrs: {
                # (ThomasK33): Workaround for images with too many layers (>64 layers) causing sysbox
                # to have issues on dogfood envs.
                buildInputs =
                  oldAttrs.buildInputs
                  ++ (with pkgs; [
                    nix
                  (with pkgs; [
                    busybox
                    coreutils
                  ]);
                    nix
                    curl.bin # Ensure the actual curl binary is included in the PATH
                    glibc.bin # Ensure the glibc binaries are included in the PATH
                    binutils # ld and strings
                    filebrowser # Ensure that we're not redownloading filebrowser on each launch
                  ])
                  ++ oldAttrs.buildInputs;
              });
            };
          });
diff --git a/nix/docker.nix b/nix/docker.nix
  storeDir ? builtins.storeDir,
  pigz,
  zstd,
  stdenv,
  glibc,
 }:
 let
  inherit (lib)
      command ? null,
      run ? null,
      maxLayers ? 100,
      uname ? "nixbld",
    }:
    assert lib.assertMsg (!(drv.drvAttrs.__structuredAttrs or false))
      "streamNixShellImage: Does not work with the derivation ${drv.name} because it uses __structuredAttrs";
        exec ${lib.escapeShellArg (valueToString drv.drvAttrs.builder)} ${lib.escapeShellArgs (map valueToString drv.drvAttrs.args)}
      '';

      staticPath = "${dirOf shell}:${lib.makeBinPath [ builder ]}";
      staticPath = "${dirOf shell}:${
        lib.makeBinPath (
          lib.flatten [
            builder
            drv.buildInputs
          ]
        )
      }";

      # https://github.com/NixOS/nix/blob/2.8.0/src/nix-build/nix-build.cc#L493-L526
      rcfile = writeText "nix-shell-rc" ''
        ''}
      '';

      nixConfFile = writeText "nix-conf" ''
        experimental-features = nix-command flakes
      '';

      etcNixConf = runCommand "etcd-nix-conf" { } ''
        mkdir -p $out/etc/nix/
        ln -s ${nixConfFile} $out/etc/nix/nix.conf
      '';

      # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/globals.hh#L464-L465
      sandboxBuildDir = "/build";

          # TODO: Make configurable?
          NIX_BUILD_CORES = "1";

          # Make sure we get the libraries for C and C++ in.
          LD_LIBRARY_PATH = lib.makeLibraryPath [ stdenv.cc.cc ];
        }
        // drvEnv
        // {
          TMPDIR = sandboxBuildDir;
          TEMPDIR = sandboxBuildDir;
          TMP = sandboxBuildDir;
          TEMP =sandboxBuildDir;
          TEMP ="/tmp";

          # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1015-L1019
          PWD =sandboxBuildDir;
          PWD =homeDirectory;

          # https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1071-L1074
          # We don't set it here because the output here isn't handled in any special way
      contents = [
        binSh
        usrBinEnv
        etcNixConf
        (fakeNss.override {
          # Allows programs to look up the build user's home directory
          # https://github.com/NixOS/nix/blob/ffe155abd36366a870482625543f9bf924a58281/src/libstore/build/local-derivation-goal.cc#L906-L910
          # Slightly differs however: We use the passed-in homeDirectory instead of sandboxBuildDir.
          # We're doing this because it's arguably a bug in Nix that sandboxBuildDir is used here: https://github.com/NixOS/nix/issues/6379
          extraPasswdLines = [
            "nixbld:x:${toString uid}:${toString gid}:Build user:${homeDirectory}:/noshell"
            "${toString uname}:x:${toString uid}:${toString gid}:Build user:${homeDirectory}:${lib.escapeShellArg shell}"
          ];
          extraGroupLines = [
            "nixbld:!:${toString gid}:"
            "${toString uname}:!:${toString gid}:"
          ];
        })
      ];
        # Gives the user control over the build directory
        mkdir -p .${sandboxBuildDir}
        chown -R ${toString uid}:${toString gid} .${sandboxBuildDir}

        mkdir -p .${homeDirectory}
        chown -R ${toString uid}:${toString gid} .${homeDirectory}

        mkdir -p ./tmp
        chown -R ${toString uid}:${toString gid} ./tmp

        mkdir -p ./etc/skel
        chown -R ${toString uid}:${toString gid} ./etc/skel

        # Create traditional /lib or /lib64 as needed.
        # For aarch64 (arm64):
        if [ -e "${glibc}/lib/ld-linux-aarch64.so.1" ]; then
          mkdir -p ./lib
          ln -s "${glibc}/lib/ld-linux-aarch64.so.1" ./lib/ld-linux-aarch64.so.1
        fi

        # For x86_64:
        if [ -e "${glibc}/lib64/ld-linux-x86-64.so.2" ]; then
          mkdir -p ./lib64
          ln -s "${glibc}/lib64/ld-linux-x86-64.so.2" ./lib64/ld-linux-x86-64.so.2
        fi
      '';

      # Run this image as the given uid/gid
            shell
            rcfile
          ];
      config.WorkingDir =sandboxBuildDir;
      config.WorkingDir =homeDirectory;
      config.Env = lib.mapAttrsToList (name: value: "${name}=${value}") envVars;
    };
 in
 {
  inherit streamNixShellImage;

  # This function streams a docker image that behaves like a nix-shell for a derivation
  # Docs: doc/build-helpers/images/dockertools.section.md
Original file line number	Diff line number	Diff line change
		@@ -1,2 +1,2 @@
		91e81c240fcf9f72e4c67497b68ba247a3f901147b61736072eb234e03db87b5 flake.nix
		b43d86368a0d2713d646d57e964dc2ac49744f5e11b6395fabed2d49596c1615 flake.lock
		f41c80bd08bfef063a9cfe907d0ea1f377974ebe011751f64008a3a07a6b152a flake.nix
		32c441011f1f3054a688c036a85eac5e4c3dbef0f8cfa4ab85acd82da577dc35 flake.lock
Original file line number	Diff line number	Diff line change
Expand Up		@@ -85,7 +85,7 @@
		drpc.defaultPackage.${system}
		formatter
		fzf
		gcc
		gcc13
		gdk
		getopt
		gh
Expand DownExpand Up		@@ -174,7 +174,7 @@
		name = "coder-${osArch}";
		# Updated with ./scripts/update-flake.sh`.
		# This should be updated whenever go.mod changes!
		vendorHash = "sha256-hJBNmHz9ZJLS/QTu8w8y1w/Yi45aSoaSeZ//ysllp6c=";
		vendorHash = "sha256-QjqF+QZ5JKMnqkpNh6ZjrJU2QcSqiT4Dip1KoicwLYc=";
		proxyVendor = true;
		src = ./.;
		nativeBuildInputs = with pkgs; [
Expand DownExpand Up		@@ -212,10 +212,9 @@
		devShells = {
		default = pkgs.mkShell {
		buildInputs = devShellPackages;
		shellHook = ''
		export PLAYWRIGHT_BROWSERS_PATH=${pkgs.playwright-driver.browsers}
		export PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS=true
		'';

		PLAYWRIGHT_BROWSERS_PATH = pkgs.playwright-driver.browsers;
		PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS = true;

		LOCALE_ARCHIVE =
		with pkgs;
Expand All		@@ -239,21 +238,29 @@
		aarch64-windows = buildFat "windows_arm64.exe";
		}
		// (pkgs.lib.optionalAttrs pkgs.stdenv.isLinux {
		dev_image = docker.buildNixShellImage {
		dev_image = docker.buildNixShellImagerec{
		name = "codercom/oss-dogfood-nix";
		tag = "latest-${system}";

		# (ThomasK33): Workaround for images with too many layers (>64 layers) causing sysbox
		# to have issues on dogfood envs.
		maxLayers = 32;

		uname = "coder";
		homeDirectory = "/home/${uname}";

		drv = devShells.default.overrideAttrs (oldAttrs: {
		# (ThomasK33): Workaround for images with too many layers (>64 layers) causing sysbox
		# to have issues on dogfood envs.
		buildInputs =
		oldAttrs.buildInputs
		++ (with pkgs; [
		nix
		(with pkgs; [
		busybox
		coreutils
		]);
		nix
		curl.bin # Ensure the actual curl binary is included in the PATH
		glibc.bin # Ensure the glibc binaries are included in the PATH
		binutils # ld and strings
		filebrowser # Ensure that we're not redownloading filebrowser on each launch
		])
		++ oldAttrs.buildInputs;
		});
		};
		});
Expand Down
Original file line number	Diff line number	Diff line change
Expand Up		@@ -17,6 +17,8 @@
		storeDir ? builtins.storeDir,
		pigz,
		zstd,
		stdenv,
		glibc,
		}:
		let
		inherit (lib)
Expand DownExpand Up		@@ -70,6 +72,7 @@ let
		command ? null,
		run ? null,
		maxLayers ? 100,
		uname ? "nixbld",
		}:
		assert lib.assertMsg (!(drv.drvAttrs.__structuredAttrs or false))
		"streamNixShellImage: Does not work with the derivation ${drv.name} because it uses __structuredAttrs";
Expand All		@@ -83,7 +86,14 @@ let
		exec ${lib.escapeShellArg (valueToString drv.drvAttrs.builder)} ${lib.escapeShellArgs (map valueToString drv.drvAttrs.args)}
		'';

		staticPath = "${dirOf shell}:${lib.makeBinPath [ builder ]}";
		staticPath = "${dirOf shell}:${
		lib.makeBinPath (
		lib.flatten [
		builder
		drv.buildInputs
		]
		)
		}";

		# https://github.com/NixOS/nix/blob/2.8.0/src/nix-build/nix-build.cc#L493-L526
		rcfile = writeText "nix-shell-rc" ''
Expand All		@@ -109,6 +119,15 @@ let
		''}
		'';

		nixConfFile = writeText "nix-conf" ''
		experimental-features = nix-command flakes
		'';

		etcNixConf = runCommand "etcd-nix-conf" { } ''
		mkdir -p $out/etc/nix/
		ln -s ${nixConfFile} $out/etc/nix/nix.conf
		'';

		# https://github.com/NixOS/nix/blob/2.8.0/src/libstore/globals.hh#L464-L465
		sandboxBuildDir = "/build";

Expand DownExpand Up		@@ -142,6 +161,8 @@ let
		# TODO: Make configurable?
		NIX_BUILD_CORES = "1";

		# Make sure we get the libraries for C and C++ in.
		LD_LIBRARY_PATH = lib.makeLibraryPath [ stdenv.cc.cc ];
		}
		// drvEnv
		// {
Expand All		@@ -153,10 +174,10 @@ let
		TMPDIR = sandboxBuildDir;
		TEMPDIR = sandboxBuildDir;
		TMP = sandboxBuildDir;
		TEMP =sandboxBuildDir;
		TEMP ="/tmp";

		# https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1015-L1019
		PWD =sandboxBuildDir;
		PWD =homeDirectory;

		# https://github.com/NixOS/nix/blob/2.8.0/src/libstore/build/local-derivation-goal.cc#L1071-L1074
		# We don't set it here because the output here isn't handled in any special way
Expand All		@@ -172,16 +193,17 @@ let
		contents = [
		binSh
		usrBinEnv
		etcNixConf
		(fakeNss.override {
		# Allows programs to look up the build user's home directory
		# https://github.com/NixOS/nix/blob/ffe155abd36366a870482625543f9bf924a58281/src/libstore/build/local-derivation-goal.cc#L906-L910
		# Slightly differs however: We use the passed-in homeDirectory instead of sandboxBuildDir.
		# We're doing this because it's arguably a bug in Nix that sandboxBuildDir is used here: https://github.com/NixOS/nix/issues/6379
		extraPasswdLines = [
		"nixbld:x:${toString uid}:${toString gid}:Build user:${homeDirectory}:/noshell"
		"${toString uname}:x:${toString uid}:${toString gid}:Build user:${homeDirectory}:${lib.escapeShellArg shell}"
		];
		extraGroupLines = [
		"nixbld:!:${toString gid}:"
		"${toString uname}:!:${toString gid}:"
		];
		})
		];
Expand All		@@ -197,6 +219,28 @@ let
		# Gives the user control over the build directory
		mkdir -p .${sandboxBuildDir}
		chown -R ${toString uid}:${toString gid} .${sandboxBuildDir}

		mkdir -p .${homeDirectory}
		chown -R ${toString uid}:${toString gid} .${homeDirectory}

		mkdir -p ./tmp
		chown -R ${toString uid}:${toString gid} ./tmp

		mkdir -p ./etc/skel
		chown -R ${toString uid}:${toString gid} ./etc/skel

		# Create traditional /lib or /lib64 as needed.
		# For aarch64 (arm64):
		if [ -e "${glibc}/lib/ld-linux-aarch64.so.1" ]; then
		mkdir -p ./lib
		ln -s "${glibc}/lib/ld-linux-aarch64.so.1" ./lib/ld-linux-aarch64.so.1
		fi

		# For x86_64:
		if [ -e "${glibc}/lib64/ld-linux-x86-64.so.2" ]; then
		mkdir -p ./lib64
		ln -s "${glibc}/lib64/ld-linux-x86-64.so.2" ./lib64/ld-linux-x86-64.so.2
		fi
		'';

		# Run this image as the given uid/gid
Expand All		@@ -215,11 +259,12 @@ let
		shell
		rcfile
		];
		config.WorkingDir =sandboxBuildDir;
		config.WorkingDir =homeDirectory;
		config.Env = lib.mapAttrsToList (name: value: "${name}=${value}") envVars;
		};
		in
		{
		inherit streamNixShellImage;

		# This function streams a docker image that behaves like a nix-shell for a derivation
		# Docs: doc/build-helpers/images/dockertools.section.md
Expand Down