feat(dogfood): install nix package manager (#5308)

ghuntley · deansheather · mafredri · web-flow · commit bfc8a1094b9c · 2023-01-26T16:39:30.000+02:00
Co-authored-by: Dean Sheather &lt;dean@deansheather.com&gt;
Co-authored-by: Mathias Fredriksson &lt;mafredri@gmail.com&gt;
Co-authored-by: Kyle Carberry &lt;kyle@carberry.com&gt;
diff --git a/dogfood/Dockerfile b/dogfood/Dockerfile
@@ -316,7 +316,24 @@ COPY --from=go /tmp/bin /usr/local/bin
 COPY --from=rust-utils /tmp/bin /usr/local/bin
 COPY --from=proto /tmp/bin /usr/local/bin
 
-USER coder
+# Configure Nix without sandboxing
+# - https://github.com/NixOS/nix/issues/2636#issuecomment-455302745
+# - https://nixos.org/manual/nix/stable/installation/multi-user.html#setting-up-the-build-users
+RUN addgroup --system nixbld \
+	&& adduser coder nixbld \
+	&& for i in $(seq 1 30); do useradd -ms /bin/bash nixbld$i &&  adduser nixbld$i nixbld; done \
+	&& mkdir -m 0755 /nix && chown coder:coder /nix \
+	&& mkdir -p /etc/nix && echo 'sandbox = false' > /etc/nix/nix.conf
+
+# Install Nix
+ARG NIX_VERSION=2.3.15
+RUN cd /opt \
+	&& curl --silent --show-error --location \
+	"https://releases.nixos.org/nix/nix-${NIX_VERSION}/nix-${NIX_VERSION}-x86_64-linux.tar.xz" \
+	-o "nix-${NIX_VERSION}-x86_64-linux.tar.xz" \
+	&& tar -xf "nix-${NIX_VERSION}-x86_64-linux.tar.xz" \
+	&& ln -s "nix-${NIX_VERSION}-x86_64-linux" nix \
+	&& rm -rf "nix-${NIX_VERSION}-x86_64-linux.tar.xz"
 
 # Ensure go bins are in the 'coder' user's path. Note that no go bins are
 # installed in this docker file, as they'd be mounted over by the persistent
@@ -332,3 +349,5 @@ ENV GOPRIVATE="coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder"
 
 # Increase memory allocation to NodeJS
 ENV NODE_OPTIONS="--max-old-space-size=8192"
+
+USER coder
diff --git a/dogfood/main.tf b/dogfood/main.tf
@@ -63,10 +63,19 @@ resource "coder_agent" "dev" {
   startup_script = <<EOF
     #!/bin/sh
     set -x
+
     # install and start code-server
     curl -fsSL https://code-server.dev/install.sh | sh -s -- --version 4.8.3
     code-server --auth none --port 13337 &
+
     sudo service docker start
+
+    # Install Nix into our bash profile so `nix-shell`, `nix-build, and `nix` are available
+    bash /opt/nix/install --no-daemon
+    if ! grep -q '. ~/.nix-profile/etc/profile.d/nix.sh' ~/.bashrc; then
+      echo '. ~/.nix-profile/etc/profile.d/nix.sh' >> ~/.bashrc
+    fi
+
     DOTFILES_URI=${var.dotfiles_uri}
     rm -f ~/.personalize.log
     if [ -n "$DOTFILES_URI" ]; then
@@ -123,6 +132,33 @@ resource "docker_volume" "home_volume" {
   }
 }
 
+resource "docker_volume" "nix_volume" {
+  name = "coder-${data.coder_workspace.me.id}-nix"
+  # Protect the volume from being deleted due to changes in attributes.
+  lifecycle {
+    ignore_changes = all
+  }
+  # Add labels in Docker to keep track of orphan resources.
+  labels {
+    label = "coder.owner"
+    value = data.coder_workspace.me.owner
+  }
+  labels {
+    label = "coder.owner_id"
+    value = data.coder_workspace.me.owner_id
+  }
+  labels {
+    label = "coder.workspace_id"
+    value = data.coder_workspace.me.id
+  }
+  # This field becomes outdated if the workspace is renamed but can
+  # be useful for debugging or cleaning out dangling volumes.
+  labels {
+    label = "coder.workspace_name_at_creation"
+    value = data.coder_workspace.me.name
+  }
+}
+
 resource "coder_metadata" "home_info" {
   resource_id = docker_volume.home_volume.id
   item {
@@ -174,6 +210,11 @@ resource "docker_container" "workspace" {
     volume_name    = docker_volume.home_volume.name
     read_only      = false
   }
+  volumes {
+    container_path = "/nix"
+    volume_name    = docker_volume.nix_volume.name
+    read_only      = false
+  }
   # Add labels in Docker to keep track of orphan resources.
   labels {
     label = "coder.owner"
