From fbbdaa840a3842478d2a9c72389fe074a92ad223 Mon Sep 17 00:00:00 2001
From: Brian Ketelsen
Date: Fri, 17 Mar 2023 08:23:59 -0400
Subject: [PATCH 1/4] feat: add nix
---
Containerfile | 45 +++++++++++++++++++
etc/nix/nix.conf | 1 +
etc/profile.d/nix-app-icons.sh | 1 +
etc/systemd/system/mkdir-rootfs@.service | 12 +++++
.../system/nix-daemon.service.d/override.conf | 2 +
etc/systemd/system/nix.mount | 14 ++++++
6 files changed, 75 insertions(+)
create mode 100644 etc/nix/nix.conf
create mode 100644 etc/profile.d/nix-app-icons.sh
create mode 100644 etc/systemd/system/mkdir-rootfs@.service
create mode 100644 etc/systemd/system/nix-daemon.service.d/override.conf
create mode 100644 etc/systemd/system/nix.mount
diff --git a/Containerfile b/Containerfile
index f01f8c23089..12d9a1b49e1 100644
--- a/Containerfile
+++ b/Containerfile
@@ -47,3 +47,48 @@ COPY --from=cgr.dev/chainguard/cosign:latest /usr/bin/cosign /usr/bin/cosign
 RUN curl -Lo ./kind "https://kind.sigs.k8s.io/dl/v0.17.0/kind-$(uname)-amd64"
 RUN chmod +x ./kind
 RUN mv ./kind /usr/bin/kind
+
+RUN semanage fcontext -a -t etc_t '/nix/store/[^/]+/etc(/.*)?'
+RUN semanage fcontext -a -t lib_t '/nix/store/[^/]+/lib(/.*)?'
+RUN semanage fcontext -a -t systemd_unit_file_t '/nix/store/[^/]+/lib/systemd/system(/.*)?'
+RUN semanage fcontext -a -t man_t '/nix/store/[^/]+/man(/.*)?'
+RUN semanage fcontext -a -t bin_t '/nix/store/[^/]+/s?bin(/.*)?'
+RUN semanage fcontext -a -t usr_t '/nix/store/[^/]+/share(/.*)?'
+RUN semanage fcontext -a -t var_run_t '/nix/var/nix/daemon-socket(/.*)?'
+RUN semanage fcontext -a -t usr_t '/nix/var/nix/profiles(/per-user/[^/]+)?/[^/]+'
+
+RUN mkdir /var/lib/nix
+
+RUN semanage fcontext -a -t etc_t '/var/lib/nix/store/[^/]+/etc(/.*)?'
+RUN semanage fcontext -a -t lib_t '/var/lib/nix/store/[^/]+/lib(/.*)?'
+RUN semanage fcontext -a -t systemd_unit_file_t '/var/lib/nix/store/[^/]+/lib/systemd/system(/.*)?'
+RUN semanage fcontext -a -t man_t '/var/lib/nix/store/[^/]+/man(/.*)?'
+RUN semanage fcontext -a -t bin_t '/var/lib/nix/store/[^/]+/s?bin(/.*)?'
+RUN semanage fcontext -a -t usr_t '/var/lib/nix/store/[^/]+/share(/.*)?'
+RUN semanage fcontext -a -t var_run_t '/var/lib/nix/var/nix/daemon-socket(/.*)?'
+RUN semanage fcontext -a -t usr_t '/var/lib/nix/var/nix/profiles(/per-user/[^/]+)?/[^/]+'
+
+# Ensure systemd picks up the newly created units
+RUN systemctl daemon-reload
+# Enable the nix mount on boot.
+RUN systemctl enable nix.mount
+# Mount the nix mount now.
+RUN systemctl start nix.mount
+# R = recurse, F = full context (not just target)
+RUN restorecon -RF /nix
+
+RUN setenforce Permissive
+
+RUN sh <(curl -L https://nixos.org/nix/install) --daemon
+
+# Remove the linked services
+sudo rm -f /etc/systemd/system/nix-daemon.{service,socket}
+# Manually copy the services.
+sudo cp /var/lib/nix/var/nix/profiles/default/lib/systemd/system/nix-daemon.{service,socket} /etc/systemd/system/# R = recurse, F = full context (not just target)
+RUN restorecon -RF /nix
+# Ensure systemd picks up the newly created units
+RUN systemctl daemon-reload
+# Start (and enable) the nix-daemon socket
+RUN systemctl enable --now nix-daemon.socket
+
+RUN setenforce Enforcing
\ No newline at end of file
diff --git a/etc/nix/nix.conf b/etc/nix/nix.conf
new file mode 100644
index 00000000000..2c4e83fe7ed
--- /dev/null
+++ b/etc/nix/nix.conf
@@ -0,0 +1 @@
+experimental-features = nix-command flakes
\ No newline at end of file
diff --git a/etc/profile.d/nix-app-icons.sh b/etc/profile.d/nix-app-icons.sh
new file mode 100644
index 00000000000..ba684ac67b3
--- /dev/null
+++ b/etc/profile.d/nix-app-icons.sh
@@ -0,0 +1 @@
+XDG_DATA_DIRS="$HOME/.nix-profile/share:/nix/var/nix/profiles/default/share:$XDG_DATA_DIRS"
\ No newline at end of file
diff --git a/etc/systemd/system/mkdir-rootfs@.service b/etc/systemd/system/mkdir-rootfs@.service
new file mode 100644
index 00000000000..3321c2dae46
--- /dev/null
+++ b/etc/systemd/system/mkdir-rootfs@.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Enable mount points in / for ostree
+ConditionPathExists=!%f
+DefaultDependencies=no
+Requires=local-fs-pre.target
+After=local-fs-pre.target
+
+[Service]
+Type=oneshot
+ExecStartPre=chattr -i /
+ExecStart=mkdir -p '%f'
+ExecStopPost=chattr +i /
\ No newline at end of file
diff --git a/etc/systemd/system/nix-daemon.service.d/override.conf b/etc/systemd/system/nix-daemon.service.d/override.conf
new file mode 100644
index 00000000000..882f2262555
--- /dev/null
+++ b/etc/systemd/system/nix-daemon.service.d/override.conf
@@ -0,0 +1,2 @@
+[Service]
+Environment="NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
\ No newline at end of file
diff --git a/etc/systemd/system/nix.mount b/etc/systemd/system/nix.mount
new file mode 100644
index 00000000000..0f6b783c5d0
--- /dev/null
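Review bot: The `sudo rm -f …` and `sudo cp …` lines in the added block carry no Dockerfile instruction, so the build should reject them as unknown instructions, and the `# R = recurse, F = full context (not just target)` text fused onto the end of the `sudo cp` line is part of that line rather than a comment; they should read `RUN rm -f /etc/systemd/system/nix-daemon.{service,socket}` and `RUN cp /var/lib/nix/var/nix/profiles/default/lib/systemd/system/nix-daemon.{service,socket} /etc/systemd/system/`, with the comment moved onto its own line before the second `RUN restorecon -RF /nix`. `RUN sh <(curl -L https://nixos.org/nix/install) --daemon` relies on bash process substitution (and the `{service,socket}` lines on bash brace expansion), which the default `/bin/sh -c` RUN shell only provides if the base image's `/bin/sh` is bash, and it executes an unpinned installer fetched at build time without `-f` or any checksum, so an HTTP error body or an altered download is still run; fetch it to a file with `curl -fsSL -o /tmp/nix-install https://nixos.org/nix/install`, verify it with `sha256sum -c` against a hash recorded in the repository, and pin the installer release rather than the moving URL. The `systemctl enable`/`start`, `restorecon -RF /nix` and `setenforce` steps presumably run inside a build container with no systemd instance or SELinux enforcement to act on, so at image-build time they are likely to fail or do nothing; patch 3/4 in this series moves them into a runtime script, which is the better home for them.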
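Review bot: The single line added in etc/profile.d/nix-app-icons.sh is a plain assignment, so unless XDG_DATA_DIRS is already exported by the login environment the new value stays a shell variable and desktop applications launched from that session never see it; write `export XDG_DATA_DIRS="$HOME/.nix-profile/share:/nix/var/nix/profiles/default/share:${XDG_DATA_DIRS:-/usr/local/share:/usr/share}"`. The `${…:-…}` default also matters when the variable was unset: the current line then produces a set, non-empty value ending in `:`, which drops the XDG default data directories from the search path instead of adding the nix entries to them.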
+++ b/etc/systemd/system/nix.mount
@@ -0,0 +1,14 @@
+[Unit]
+Description=Nix Package Manager
+DefaultDependencies=no
+After=mkdir-rootfs@nix.service
+Wants=mkdir-rootfs@nix.service
+Before=sockets.target
+After=ostree-remount.service
+BindsTo=var.mount
+
+[Mount]
+What=/var/lib/nix
+Where=/nix
+Options=bind
+Type=none
\ No newline at end of file
From a4b985f47fb731ea14fc02079920b11eb17ee6a8 Mon Sep 17 00:00:00 2001
From: Brian Ketelsen
Date: Fri, 17 Mar 2023 08:30:55 -0400
Subject: [PATCH 2/4] mkdir -p
---
Containerfile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Containerfile b/Containerfile
index 12d9a1b49e1..29db59e4d9f 100644
--- a/Containerfile
+++ b/Containerfile
@@ -57,7 +57,7 @@ RUN semanage fcontext -a -t usr_t '/nix/store/[^/]+/share(/.*)?'
 RUN semanage fcontext -a -t var_run_t '/nix/var/nix/daemon-socket(/.*)?'
 RUN semanage fcontext -a -t usr_t '/nix/var/nix/profiles(/per-user/[^/]+)?/[^/]+'
 
-RUN mkdir /var/lib/nix
+RUN mkdir -p /var/lib/nix
 
 RUN semanage fcontext -a -t etc_t '/var/lib/nix/store/[^/]+/etc(/.*)?'
 RUN semanage fcontext -a -t lib_t '/var/lib/nix/store/[^/]+/lib(/.*)?'
From 50e4ee2f1d42cebd5efaa04f4274b59a9bcf5141 Mon Sep 17 00:00:00 2001
From: Brian Ketelsen
Date: Fri, 17 Mar 2023 08:49:47 -0400
Subject: [PATCH 3/4] step away from container installer
---
Containerfile | 47 +--------
etc/systemd/system/mkdir-rootfs@.service | 12 ---
.../system/nix-daemon.service.d/override.conf | 2 -
etc/systemd/system/nix.mount | 14 ---
usr/bin/nix-install | 93 +++++++++++++++++++
5 files changed, 94 insertions(+), 74 deletions(-)
delete mode 100644 etc/systemd/system/mkdir-rootfs@.service
delete mode 100644 etc/systemd/system/nix-daemon.service.d/override.conf
delete mode 100644 etc/systemd/system/nix.mount
create mode 100755 usr/bin/nix-install
diff --git a/Containerfile b/Containerfile
index 29db59e4d9f..1cc1e03fd29 100644
--- a/Containerfile
+++ b/Containerfile
@@ -46,49 +46,4 @@ COPY --from=cgr.dev/chainguard/cosign:latest /usr/bin/cosign /usr/bin/cosign
 
 RUN curl -Lo ./kind "https://kind.sigs.k8s.io/dl/v0.17.0/kind-$(uname)-amd64"
 RUN chmod +x ./kind
-RUN mv ./kind /usr/bin/kind
-
-RUN semanage fcontext -a -t etc_t '/nix/store/[^/]+/etc(/.*)?'
-RUN semanage fcontext -a -t lib_t '/nix/store/[^/]+/lib(/.*)?'
-RUN semanage fcontext -a -t systemd_unit_file_t '/nix/store/[^/]+/lib/systemd/system(/.*)?'
-RUN semanage fcontext -a -t man_t '/nix/store/[^/]+/man(/.*)?'
-RUN semanage fcontext -a -t bin_t '/nix/store/[^/]+/s?bin(/.*)?'
-RUN semanage fcontext -a -t usr_t '/nix/store/[^/]+/share(/.*)?'
-RUN semanage fcontext -a -t var_run_t '/nix/var/nix/daemon-socket(/.*)?'
-RUN semanage fcontext -a -t usr_t '/nix/var/nix/profiles(/per-user/[^/]+)?/[^/]+'
-
-RUN mkdir -p /var/lib/nix
-
-RUN semanage fcontext -a -t etc_t '/var/lib/nix/store/[^/]+/etc(/.*)?'
-RUN semanage fcontext -a -t lib_t '/var/lib/nix/store/[^/]+/lib(/.*)?'
-RUN semanage fcontext -a -t systemd_unit_file_t '/var/lib/nix/store/[^/]+/lib/systemd/system(/.*)?'
-RUN semanage fcontext -a -t man_t '/var/lib/nix/store/[^/]+/man(/.*)?'
-RUN semanage fcontext -a -t bin_t '/var/lib/nix/store/[^/]+/s?bin(/.*)?'
-RUN semanage fcontext -a -t usr_t '/var/lib/nix/store/[^/]+/share(/.*)?'
-RUN semanage fcontext -a -t var_run_t '/var/lib/nix/var/nix/daemon-socket(/.*)?'
-RUN semanage fcontext -a -t usr_t '/var/lib/nix/var/nix/profiles(/per-user/[^/]+)?/[^/]+'
-
-# Ensure systemd picks up the newly created units
-RUN systemctl daemon-reload
-# Enable the nix mount on boot.
-RUN systemctl enable nix.mount
-# Mount the nix mount now.
-RUN systemctl start nix.mount
-# R = recurse, F = full context (not just target)
-RUN restorecon -RF /nix
-
-RUN setenforce Permissive
-
-RUN sh <(curl -L https://nixos.org/nix/install) --daemon
-
-# Remove the linked services
-sudo rm -f /etc/systemd/system/nix-daemon.{service,socket}
-# Manually copy the services.
-sudo cp /var/lib/nix/var/nix/profiles/default/lib/systemd/system/nix-daemon.{service,socket} /etc/systemd/system/# R = recurse, F = full context (not just target)
-RUN restorecon -RF /nix
-# Ensure systemd picks up the newly created units
-RUN systemctl daemon-reload
-# Start (and enable) the nix-daemon socket
-RUN systemctl enable --now nix-daemon.socket
-
-RUN setenforce Enforcing
\ No newline at end of file
+RUN mv ./kind /usr/bin/kind
\ No newline at end of file
diff --git a/etc/systemd/system/mkdir-rootfs@.service b/etc/systemd/system/mkdir-rootfs@.service
deleted file mode 100644
index 3321c2dae46..00000000000
--- a/etc/systemd/system/mkdir-rootfs@.service
+++ /dev/null
@@ -1,12 +0,0 @@
-[Unit]
-Description=Enable mount points in / for ostree
-ConditionPathExists=!%f
-DefaultDependencies=no
-Requires=local-fs-pre.target
-After=local-fs-pre.target
-
-[Service]
-Type=oneshot
-ExecStartPre=chattr -i /
-ExecStart=mkdir -p '%f'
-ExecStopPost=chattr +i /
\ No newline at end of file
diff --git a/etc/systemd/system/nix-daemon.service.d/override.conf b/etc/systemd/system/nix-daemon.service.d/override.conf
deleted file mode 100644
index 882f2262555..00000000000
--- a/etc/systemd/system/nix-daemon.service.d/override.conf
+++ /dev/null
@@ -1,2 +0,0 @@
-[Service]
-Environment="NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
\ No newline at end of file
diff --git a/etc/systemd/system/nix.mount b/etc/systemd/system/nix.mount
deleted file mode 100644
index 0f6b783c5d0..00000000000
--- a/etc/systemd/system/nix.mount
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=Nix Package Manager
-DefaultDependencies=no
-After=mkdir-rootfs@nix.service
-Wants=mkdir-rootfs@nix.service
-Before=sockets.target
-After=ostree-remount.service
-BindsTo=var.mount
-
-[Mount]
-What=/var/lib/nix
-Where=/nix
-Options=bind
-Type=none
\ No newline at end of file
diff --git a/usr/bin/nix-install b/usr/bin/nix-install
new file mode 100755
index 00000000000..a5c21af61fd
--- /dev/null
+++ b/usr/bin/nix-install
@@ -0,0 +1,93 @@
+#!/bin/bash
+sudo sleep 2
+echo "Adding selinux content to /nix"
+sudo semanage fcontext -a -t etc_t '/nix/store/[^/]+/etc(/.*)?' ; sudo semanage fcontext -a -t lib_t '/nix/store/[^/]+/lib(/.*)?' ; sudo semanage fcontext -a -t systemd_unit_file_t '/nix/store/[^/]+/lib/systemd/system(/.*)?' ; sudo semanage fcontext -a -t man_t '/nix/store/[^/]+/man(/.*)?' ; sudo semanage fcontext -a -t bin_t '/nix/store/[^/]+/s?bin(/.*)?' ; sudo semanage fcontext -a -t usr_t '/nix/store/[^/]+/share(/.*)?' ; sudo semanage fcontext -a -t var_run_t '/nix/var/nix/daemon-socket(/.*)?' ; sudo semanage fcontext -a -t usr_t '/nix/var/nix/profiles(/per-user/[^/]+)?/[^/]+'
+sleep 1
+sudo mkdir /var/lib/nix
+sleep 1
+echo "adding selinux content to /var/lib/nix"
+sudo semanage fcontext -a -t etc_t '/var/lib/nix/store/[^/]+/etc(/.*)?' ; sudo semanage fcontext -a -t lib_t '/var/lib/nix/store/[^/]+/lib(/.*)?' ; sudo semanage fcontext -a -t systemd_unit_file_t '/var/lib/nix/store/[^/]+/lib/systemd/system(/.*)?' ; sudo semanage fcontext -a -t man_t '/var/lib/nix/store/[^/]+/man(/.*)?' ; sudo semanage fcontext -a -t bin_t '/var/lib/nix/store/[^/]+/s?bin(/.*)?' ; sudo semanage fcontext -a -t usr_t '/var/lib/nix/store/[^/]+/share(/.*)?' ; sudo semanage fcontext -a -t var_run_t '/var/lib/nix/var/nix/daemon-socket(/.*)?' ; sudo semanage fcontext -a -t usr_t '/var/lib/nix/var/nix/profiles(/per-user/[^/]+)?/[^/]+'
+echo "Creating service files"
+sleep 1
+echo "creating SSL cert file"
+
+sudo tee /etc/systemd/system/nix-daemon.service.d/override.conf <
Date: Fri, 17 Mar 2023 08:51:51 -0400
Subject: [PATCH 4/4] justfile
---
etc/justfile | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/etc/justfile b/etc/justfile
index 6e56ab8739f..0865f3d19db 100644
--- a/etc/justfile
+++ b/etc/justfile
@@ -22,7 +22,10 @@ distrobox-opensuse:
 distrobox-ubuntu:
 echo 'Creating Ubuntu distrobox ...'
 distrobox create --image quay.io/toolbx-images/ubuntu-toolbox:22.04 -n ubuntu -Y
-
+
+nix-me-up:
+ echo 'Setting phasers to kill. Installing nix.'
+ /usr/bin/nix-install
 update:
 rpm-ostree update
 flatpak update -y
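Review bot: The new `nix-me-up` recipe is not separated from the following `update:` recipe by a blank line, unlike the other recipes visible in this hunk, so the two read as one block; add an empty line after `/usr/bin/nix-install`. The recipe simply hands off to `/usr/bin/nix-install`, so any failure handling lives in that script rather than here, which is worth stating in a one-line comment above the recipe, e.g. `# Runs the privileged nix installer script; see usr/bin/nix-install`.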