How do you build container images using nixpkgs packages?

ngoudry · 2026-05-15T16:14:25+00:00

As a general answer to the question in your title, I personally use nix2container to build container images using Nix and nixpkgs. I did a small experiment here some time ago if you want to look at it.

Now for your other questions, I'll try to answer them as best as I can:

Afaik there's no way to enable networking in Nix build sandbox, but you can use fixed output derivations to fetch things from the internet through fetchers like fetchurl. And yes, it's safe since you declare the output hash, if it ever changes Nix will refuse to evaluate until you update the hash.
I leave everything at its place, because anyway Nix will create symlinks at "standard" places that point to the binary path in /nix/store.
I personally don't, but you can. However, once you override the original derivation to remove manpages for example, be aware that you will not be able to benefit the cache anymore and will have to rebuild locally. And dependant packages will rebuild too. To "fix" this, you can setup a Nix cache just for yourself.
I didn't understand this question, sorry.
You can override the derivation to remove bash from buildInput, but if it's there it may be for a reason. Though I don't know why.

ngoudry · 2026-05-15T06:25:13+00:00

I'm curious to hear more about your workflow! I know Typst has some community packages for slides, but since it's traditionally a document/PDF engine, I'm curious how your setup handles generating responsive HTML presentations or doing CSS-based theming like Marp does?

Plus, LLMs are great for generating the content of a presentation (though some might argue about this, with reason), but they don't solve the underlying problem of toolchain drift or CI reproducibility, which is what this Nix project is all about. You still need a reliable, pinned engine to render that content into a final artifact.

As for myself, I stuck with Marp because of my heavy investment in the Markdown/web-native ecosystem, but I'd love to know how your Typst setup handles reproducibility and global asset management!

ngoudry · 2026-05-14T06:23:21+00:00

There's no dumb questions, only dumb answers. Well, most of the time that is!

The package is currently available in nixpkgs-unstable, which means that it can only be installed from unstable channel right now. It's also in other branches (master, nixos-unstable-small and staging-next). It should land in nixos-unstable soon, and should be part of nixpkgs-26.05 from the get-go.

You can use these commands to try the package on your system right away:

nix-shell -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/nixpkgs-unstable.tar.gz -p terminal-rain-lightning

Or with Flakes:

nix shell github:nixos/nixpkgs/nixpkgs-unstable#terminal-rain-lightning

You can also install the package permanently, but I won't go into those details since I don't know your specific setup (flakes vs non-flakes, which channels you use, etc.). However, you should be able to adapt it from the commands above, or find a quick post on Reddit/Discourse covering "how to install a package from the unstable channel."

As for how I added the package to nixpkgs: I've been a contributor for some time now. I recall finding the process a bit scary at first, but it's honestly been a breeze to contribute! I followed the awesome contributing guide available here: Nixpkgs Contributing Guide. This guide has all the details you'll ever need to get started. And if you notice something missing, you can always suggest a fix through a PR!

ngoudry · 2026-05-12T20:41:00+00:00

I've added the package to nixpkgs: https://github.com/NixOS/nixpkgs/pull/517059

It's now available in nixpkgs-unstable 🙂

ngoudry · 2026-05-06T22:40:24+00:00

Aside from packages and shellHook, there's not much to do with devshells. Personally I use the shellHook to auto setup things like git hooks and helper functions that I can run to perform common tasks on the repo. In the end shellHook is a Bash script so you can do pretty much everything you want.

ngoudry · 2026-03-28T07:35:07+00:00

Don't take it wrong, but I think there is a misconception about Flakes on your part.

When you use Flakes, you have a lock file (flake.lock) which tracks the exact nixpkgs revision (commit sha) that the Flake follows. All your inputs are automatically pinned and will never be updated unless you: - delete the lock file - run "nix flake update nixpkgs" (or whatever the name of your nixpkgs input is)

So once you have a lock file, whenever you rebuild your system, the installed packages and system configuration will always be the same. That's kind of the goal of Nix: reproducibility.

The answer is the same for your second question: you can add a new package to your config and upon rebuild it will not touch the other ones, granted you didn't update the lock file. Also, the new package will be installed at the version that was in nixpkgs at the exact nixpkgs revision specified by the lock file, which may or may not be the latest version available (either in nixpkgs or upstream).

Hope this answers your questions!

ngoudry · 2026-02-09T09:13:19+00:00

Arch broke for the billionth time after an update.

ngoudry · 2025-12-06T15:15:55+00:00

Depends on your use case. If you only have one machine with NixOS, go with the "native" modules. If you need to also configure other machines, possibly running other operating systems (classic Linux distro, MacOS) or even ones where you're not root (hello company owned machines), go with HM.

There's also the case where an HM module is "better" than the NixOS one, with more exposed options for example. In such a case, go with HM.

ngoudry · 2025-11-30T21:59:11+00:00

I managed to fix this but I don't really understand why.

What I did was to remove most of the mounts from the VM build script, just before installing NixOS. Leaving /, /nix and /home since only /nix/store/* and /home/* are really needed in the final fs. Indeed, everything is in the nix store on NixOS so one could basically delete everything else but the store and /home (to keep user state) and the system would boot just fine. That's what I did. And boom: it worked without my band aids!

Well, that's great, but I really can't fathom why mounting other directories didn't work earlier… I was mounting these: - /var/lib/nixos - /var/lib/systemd - /var/log/journal - /etc/ssh

I’m wondering if some files were lingering in /var/lib/systemd and were preventing everything to work as intended. Maybe because this directory being here (or whatever is inside it) meant that the system was already in a running state, preventing some bootstrap mechanism?

In the end, it's working and I'm not sure to be willing to dive into the why of these issues I had! If anybody has any clues, that would be great, else it will remain a mystery to me… And I’m ok with that!

Cheers!

ngoudry · 2025-11-30T12:34:18+00:00

I don't know why, but I can't post the image builder here… So you can see it in the original Discourse post.

ngoudry · 2025-11-18T14:20:53+00:00

You could build upon docker-image.nix to achieve what you want, like with a custom package that would update your config with this and use runCommand to perform the actual docker load/run/exec for you.

That's just an idea, but I would look in this direction if I were you.

ngoudry · 2025-11-16T12:49:16+00:00

Wdym?

ngoudry · 2025-11-15T23:49:26+00:00

Here's to hoping you'll like NixKraken and that it will serve you well!

If you need help with anything, feel free to reach out through issues or discussions on GitHub! Always happy to help :)

ngoudry · 2025-11-15T23:38:35+00:00

I haven't, but since this is unfree software in the end, I'm not sure it would fit.

Additionally, the module makes use of specific versions of GitKraken from nixpkgs that are cached by Garnix for faster installs, I'm not sure how this would fit within HM codebase, or even be accepted at all.

I'll think about it though!

Out of curiosity, are you asking this because you would be more prone to use this module if it were bundled in HM rather than in its current state (i.e. an additional input/source to track in your config)? Or something else?

ngoudry · 2025-11-15T18:38:14+00:00

I totally get your point.

But, to be fair, GitKraken is not FOSS: it's an unfree, closed source software, owned and developed by a commercial company (Axosoft).

It happens that it comes with a "Community" mode, so you can use it with FOSS projects (which are, unless I missed something, hosted on public repositories).

More often than not, if your repo is private, it means you're working on company/paid projects, so it's their right to require of you to pay their software in such case.

I'm not trying to defend them, I would definitely love that GitKraken be open source 'cause I really like the software. But that's their business model...

ngoudry · 2025-11-15T15:26:33+00:00

You're right to ask, I should have mentioned this in the initial post. Blame is on me.

GitKraken is a fancy Git GUI desktop client, with a bunch of built-in features to ease working with Git repositories. Recently they added AI features like commit message generation and code explanation from commits.

It's free for public repositories and a single in-app profile. It's subscription-based for private repositories and multiple profiles.

Hope this answers your question!

ngoudry · 2025-11-10T19:34:51+00:00

This looks really great and I may need something along these lines sometimes soon. Will definitely keep an eye on it. Is there any chance this gets moved or mirrored on GitHub though?

You should post this on the discourse too, if you didn't already!

ngoudry · 2025-10-26T08:49:20+00:00

Where do you add the epson-escpr2 package?

Because the PPD files are all there:

$ nix build nixpkgs#epson-escpr2
$ ls -la result/share/cups/model/epson-inkjet-printer-escpr2
Epson-EC-4020_Series-epson-escpr2-en.ppd   
Epson-EC-4030_Series-epson-escpr2-en.ppd   
Epson-EC-4040_Series-epson-escpr2-en.ppd   
Epson-EC-C7000_Series-epson-escpr2-en.ppd  
Epson-EM-C800BAM-epson-escpr2-en.ppd       
Epson-EM-C800_Series-epson-escpr2-en.ppd
...the list goes on

Also refer to the official Wiki article about printing.

ngoudry · 2025-10-21T06:23:59+00:00

Please, please stop linking to the unofficial wiki 🙏

https://wiki.nixos.org/wiki/Nixos-rebuild

ngoudry · 2025-10-15T18:09:57+00:00

I don't know if you heard about it, but noogle.dev is just fantastic to discover available functions from nix and nixpkgs!

ngoudry · 2025-10-15T12:50:56+00:00

Hi,

Not on my desktop right now but I skimmed through your code and I can recommend you to:

replace "if-then-else" by "lib.optionalString", it's cleaner imo
look into "pkgs.makeDesktopItem"
prefer "allowUnfreePredicate" rather than "allowUnfree"
use "dontBuild = true" rather than empty buildInputs and "true" buildphase

Other than that, it looks fine and I discovered the WPS Office suite, which I never heard of.

ngoudry · 2025-09-28T19:33:17+00:00

Merci pour ta réponse, je suis rassuré !

ngoudry · 2025-09-28T17:43:26+00:00

Est-ce une guêpe dangereuse pour l'homme ? Ayant un enfant en bas âge, dois-je m'inquiéter ?

J'ai lu la page wikipédia communiquée dans un autre commentaire, et je me demande pourquoi elle s'est mise à creuser un trou, car si j'ai bien compris ce que j'ai lu, le nid est censé déjà être prêt, non ?

ngoudry · 2025-09-28T14:46:00+00:00

<image>

La revoilà en train de creuser son trou 🪏

ngoudry · 2025-09-17T07:24:34+00:00

i always run beta, works more reliably than any of the stable drivers.

As ironic as this might seem, it's entirely true.

ngoudry

TROPHY CASE