chore: reduce build time by converting docker image to build with nix (#9099)

* Add Docker image

* Try building the container in CI

* Uncomment testing lines

* Trim image step

* Hit 'em with a Docker load

* Oopsie!

* Add a tag and push!

* Fix image name 🤦

* Fix sudo

* Fix target name

* Build and push

* Fix login to docker hub

* Revert to Docker push

* Fix PATH

* Fix SHA

* Fix ca certs

* Fix ca certs

* Fix coping files in

* Fix docker init

* Fix Docker group and init

* Add comments to our Nix

* Fix build stage

* Add some more comments

* Remove old dogfood image files

* Tag and push with branch name

* Fix tag passing

* Fix tag passing

* Remove old pull triggers

* Convert gen to use Nix

* Add protobuf to the flake

* Add prettier to the dev shell

* Swap to the faster Nix cache action

* Add the correct yq

* Fix gen

* Add make to the flake

* Update extensions

.github/workflows/ci.yaml

@@ -169,38 +169,14 @@ jobs:
         with:
           fetch-depth: 1
 
-      - name: Setup Node
-        uses: ./.github/actions/setup-node
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v4
 
-      - name: Setup Go
-        uses: ./.github/actions/setup-go
-
-      - name: Setup sqlc
-        uses: ./.github/actions/setup-sqlc
-
-      - name: go install tools
-        run: |
-          go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30
-          go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.33
-          go install golang.org/x/tools/cmd/goimports@latest
-          go install github.com/mikefarah/yq/v4@v4.30.6
-          go install github.com/golang/mock/mockgen@v1.6.0
-
-      - name: Install Protoc
-        run: |
-          # protoc must be in lockstep with our dogfood Dockerfile or the
-          # version in the comments will differ. This is also defined in
-          # security.yaml
-          set -x
-          cd dogfood
-          DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
-          protoc_path=/usr/local/bin/protoc
-          docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path
-          chmod +x $protoc_path
-          protoc --version
+      - name: Run the Magic Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@v2
 
       - name: make gen
-        run: "make --output-sync -j -B gen"
+        run: "nix-shell --command 'make --output-sync -j -B gen'"
 
       - name: Check for unstaged files
         run: ./scripts/check_unstaged.sh

.github/workflows/dogfood.yaml

@@ -5,11 +5,15 @@ on:
     branches:
       - main
     paths:
+      - "flake.nix"
+      - "flake.lock"
       - "dogfood/**"
       - ".github/workflows/dogfood.yaml"
   # Uncomment these lines when testing with CI.
   # pull_request:
   #   paths:
+  #     - "flake.nix"
+  #     - "flake.lock"
   #     - "dogfood/**"
   #     - ".github/workflows/dogfood.yaml"
   workflow_dispatch:
@@ -18,6 +22,9 @@ jobs:
   deploy_image:
     runs-on: buildjet-4vcpu-ubuntu-2204
     steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
       - name: Get branch name
         id: branch-name
         uses: tj-actions/branch-names@v6.5
@@ -30,11 +37,13 @@ jobs:
           tag=${tag//\//--}
           echo "tag=${tag}" >> $GITHUB_OUTPUT
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v4
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+      - name: Run the Magic Nix Cache
+        uses: DeterminateSystems/magic-nix-cache-action@v2
+
+      - run: nix build .#devEnvImage && ./result | docker load
 
       - name: Login to DockerHub
         uses: docker/login-action@v2
@@ -42,15 +51,10 @@ jobs:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_PASSWORD }}
 
-      - name: Build and push
-        uses: docker/build-push-action@v4
-        with:
-          context: "{{defaultContext}}:dogfood"
-          pull: true
-          push: true
-          tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest"
-          cache-from: type=registry,ref=codercom/oss-dogfood:latest
-          cache-to: type=inline
+      - name: Tag and Push
+        run: |
+          docker tag codercom/oss-dogfood:latest codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }}
+          docker push codercom/oss-dogfood -a
 
   deploy_template:
     needs: deploy_image

.gitignore

@@ -61,3 +61,6 @@ site/stats/
 ./scaletest/terraform/.terraform.lock.hcl
 scaletest/terraform/secrets.tfvars
 .terraform.tfstate.*
+
+# Nix
+result

.prettierignore

@@ -64,6 +64,9 @@ site/stats/
 ./scaletest/terraform/.terraform.lock.hcl
 scaletest/terraform/secrets.tfvars
 .terraform.tfstate.*
+
+# Nix
+result
 # .prettierignore.include:
 # Helm templates contain variables that are invalid YAML and can't be formatted
 # by Prettier.

dogfood/Dockerfile

@@ -1,348 +0,0 @@
-FROM rust:slim AS rust-utils
-# Install rust helper programs
-# ENV CARGO_NET_GIT_FETCH_WITH_CLI=true
-ENV CARGO_INSTALL_ROOT=/tmp/
-RUN cargo install exa bat ripgrep typos-cli watchexec-cli
-
-FROM ubuntu:jammy AS go
-
-RUN apt-get update && apt-get install --yes curl gcc
-# Install Go manually, so that we can control the version
-ARG GO_VERSION=1.20.7
-RUN mkdir --parents /usr/local/go
-
-# Boring Go is needed to build FIPS-compliant binaries.
-RUN curl --silent --show-error --location \
-	"https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \
-	-o /usr/local/go.tar.gz
-
-RUN tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1
-
-ENV PATH=$PATH:/usr/local/go/bin
-
-# Install Go utilities.
-ARG GOPATH="/tmp/"
-RUN mkdir --parents "$GOPATH" && \
-	# moq for Go tests.
-	go install github.com/matryer/moq@v0.2.3 && \
-	# swag for Swagger doc generation
-	go install github.com/swaggo/swag/cmd/swag@v1.7.4 && \
-	# go-swagger tool to generate the go coder api client
-	go install github.com/go-swagger/go-swagger/cmd/swagger@v0.28.0 && \
-	# goimports for updating imports
-	go install golang.org/x/tools/cmd/goimports@v0.1.7 && \
-	# protoc-gen-go is needed to build sysbox from source
-	go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30 && \
-	# drpc support for v2
-	go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.33 && \
-	# migrate for migration support for v2
-	go install github.com/golang-migrate/migrate/v4/cmd/migrate@v4.15.1 && \
-	# goreleaser for compiling v2 binaries
-	go install github.com/goreleaser/goreleaser@v1.6.1 && \
-	# Install the latest version of gopls for editors that support
-	# the language server protocol
-	go install golang.org/x/tools/gopls@latest && \
-	# gotestsum makes test output more readable
-	go install gotest.tools/gotestsum@v1.9.0 && \
-	# goveralls collects code coverage metrics from tests
-	# and sends to Coveralls
-	go install github.com/mattn/goveralls@v0.0.11 && \
-	# kind for running Kubernetes-in-Docker, needed for tests
-	go install sigs.k8s.io/kind@v0.10.0 && \
-	# helm-docs generates our Helm README based on a template and the
-	# charts and values files
-	go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.5.0 && \
-	# sqlc for Go code generation
-	go install github.com/sqlc-dev/sqlc/cmd/sqlc@v1.20.0 && \
-	# gcr-cleaner-cli used by CI to prune unused images
-	go install github.com/sethvargo/gcr-cleaner/cmd/gcr-cleaner-cli@v0.5.1 && \
-	# ruleguard for checking custom rules, without needing to run all of
-	# golangci-lint. Check the go.mod in the release of golangci-lint that
-	# we're using for the version of go-critic that it embeds, then check
-	# the version of ruleguard in go-critic for that tag.
-	go install github.com/quasilyte/go-ruleguard/cmd/ruleguard@v0.3.13 && \
-	# go-fuzz for fuzzy testing. they don't publish releases so we rely on latest.
-	go install github.com/dvyukov/go-fuzz/go-fuzz@latest && \
-	go install github.com/dvyukov/go-fuzz/go-fuzz-build@latest && \
-	# go-releaser for building 'fat binaries' that work cross-platform
-	go install github.com/goreleaser/goreleaser@v1.6.1 && \
-	go install mvdan.cc/sh/v3/cmd/shfmt@latest && \
-	# nfpm is used with `make build` to make release packages
-	go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.16.0 && \
-	# yq v4 is used to process yaml files in coder v2. Conflicts with
-	# yq v3 used in v1.
-	go install github.com/mikefarah/yq/v4@v4.30.6 && \
-	mv /tmp/bin/yq /tmp/bin/yq4 && \
-	go install github.com/golang/mock/mockgen@v1.6.0
-
-FROM gcr.io/coder-dev-1/alpine:3.18 as proto
-WORKDIR /tmp
-RUN apk add curl unzip
-RUN curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.3/protoc-23.3-linux-x86_64.zip
-RUN unzip protoc.zip
-
-FROM ubuntu:jammy
-
-SHELL ["/bin/bash", "-c"]
-
-# Updated certificates are necessary to use the teraswitch mirror.
-# This must be ran before copying in configuration since the config replaces
-# the default mirror with teraswitch.
-RUN apt-get update && apt-get install --yes ca-certificates
-
-COPY files /
-
-# Install packages from apt repositories
-ARG DEBIAN_FRONTEND="noninteractive"
-
-RUN apt-get update --quiet && apt-get install --yes \
-	apt-transport-https \
-	apt-utils \
-	bash \
-	bash-completion \
-	bats \
-	bind9-dnsutils \
-	build-essential \
-	ca-certificates \
-	cmake \
-	crypto-policies \
-	curl \
-	fd-find \
-	file \
-	git \
-	gnupg \
-	graphviz \
-	htop \
-	httpie \
-	inetutils-tools \
-	iproute2 \
-	iputils-ping \
-	iputils-tracepath \
-	jq \
-	language-pack-en \
-	less \
-	lsb-release \
-	man \
-	meld \
-	net-tools \
-	openjdk-11-jdk-headless \
-	openssh-server \
-	openssl \
-	libssl-dev \
-	pkg-config \
-	python3 \
-	python3-pip \
-	rsync \
-	shellcheck \
-	strace \
-	sudo \
-	tcptraceroute \
-	termshark \
-	traceroute \
-	vim \
-	wget \
-	xauth \
-	zip \
-	ncdu \
-	cargo \
-	asciinema \
-	zsh \
-	ansible \
-	neovim \
-	google-cloud-sdk \
-	google-cloud-sdk-datastore-emulator \
-	kubectl \
-	postgresql-13 \
-	containerd.io \
-	docker-ce \
-	docker-ce-cli \
-	docker-compose-plugin \
-	packer \
-	terraform \
-	fish \
-	unzip \
-	zstd \
-	screen \
-	gettext-base && \
-	# Delete package cache to avoid consuming space in layer
-	apt-get clean && \
-	# Configure FIPS-compliant policies
-	update-crypto-policies --set FIPS
-
-# Install the docker buildx component.
-RUN DOCKER_BUILDX_VERSION=$(curl -s "https://api.github.com/repos/docker/buildx/releases/latest" | grep '"tag_name":' |  sed -E 's/.*"(v[^"]+)".*/\1/') && \
-	mkdir -p /usr/local/lib/docker/cli-plugins && \
-	curl -Lo /usr/local/lib/docker/cli-plugins/docker-buildx "https://github.com/docker/buildx/releases/download/${DOCKER_BUILDX_VERSION}/buildx-${DOCKER_BUILDX_VERSION}.linux-amd64" && \
-	chmod a+x /usr/local/lib/docker/cli-plugins/docker-buildx
-
-# See https://github.com/cli/cli/issues/6175#issuecomment-1235984381 for proof
-# the apt repository is unreliable
-RUN GH_CLI_VERSION=$(curl -s "https://api.github.com/repos/cli/cli/releases/latest" | grep '"tag_name":' |  sed -E 's/.*"v([^"]+)".*/\1/') && \
-	curl -L https://github.com/cli/cli/releases/download/v${GH_CLI_VERSION}/gh_${GH_CLI_VERSION}_linux_amd64.deb -o gh.deb && \
-	dpkg -i gh.deb && \
-	rm gh.deb
-
-# Install Lazygit
-# See https://github.com/jesseduffield/lazygit#ubuntu
-RUN LAZYGIT_VERSION=$(curl -s "https://api.github.com/repos/jesseduffield/lazygit/releases/latest" | grep '"tag_name":' |  sed -E 's/.*"v*([^"]+)".*/\1/') && \
-	curl -Lo lazygit.tar.gz "https://github.com/jesseduffield/lazygit/releases/latest/download/lazygit_${LAZYGIT_VERSION}_Linux_x86_64.tar.gz" && \
-	tar xf lazygit.tar.gz -C /usr/local/bin lazygit
-
-# Install frontend utilities
-RUN apt-get update && \
-	# Node.js (from nodesource) and Yarn (from yarnpkg)
-	curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash - &&\
-	apt-get install --yes --quiet \
-	nodejs yarn \
-	# Install browsers for e2e testing
-	google-chrome-stable microsoft-edge-beta && \
-	# Pre-install system dependencies that Playwright needs. npx doesn't work here
-	# for some reason. See https://github.com/microsoft/playwright-cli/issues/136
-	npm i -g playwright@1.36.2 pnpm@^8 && playwright install-deps && \
-	npm cache clean --force
-
-# Ensure PostgreSQL binaries are in the users $PATH.
-RUN update-alternatives --install /usr/local/bin/initdb initdb /usr/lib/postgresql/13/bin/initdb 100 && \
-	update-alternatives --install /usr/local/bin/postgres postgres /usr/lib/postgresql/13/bin/postgres 100
-
-# Create links for injected dependencies
-RUN ln --symbolic /var/tmp/coder/coder-cli/coder /usr/local/bin/coder && \
-	ln --symbolic /var/tmp/coder/code-server/bin/code-server /usr/local/bin/code-server
-
-# Disable the PostgreSQL systemd service.
-# Coder uses a custom timescale container to test the database instead.
-RUN systemctl disable \
-	postgresql
-
-# Configure systemd services for CVMs
-RUN systemctl enable \
-	docker \
-	ssh
-
-# Install tools with published releases, where that is the
-# preferred/recommended installation method.
-ARG CLOUD_SQL_PROXY_VERSION=2.2.0 \
-	DIVE_VERSION=0.10.0 \
-	DOCKER_GCR_VERSION=2.1.8 \
-	GOLANGCI_LINT_VERSION=1.52.2 \
-	GRYPE_VERSION=0.61.1 \
-	HELM_VERSION=3.12.0 \
-	KUBE_LINTER_VERSION=0.6.3 \
-	KUBECTX_VERSION=0.9.4 \
-	STRIPE_VERSION=1.14.5 \
-	TERRAGRUNT_VERSION=0.45.11 \
-	TRIVY_VERSION=0.41.0
-
-# cloud_sql_proxy, for connecting to cloudsql instances
-# the upstream go.mod prevents this from being installed with go install
-RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_proxy "https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v${CLOUD_SQL_PROXY_VERSION}/cloud-sql-proxy.linux.amd64" && \
-	chmod a=rx /usr/local/bin/cloud_sql_proxy && \
-	# dive for scanning image layer utilization metrics in CI
-	curl --silent --show-error --location "https://github.com/wagoodman/dive/releases/download/v${DIVE_VERSION}/dive_${DIVE_VERSION}_linux_amd64.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- dive && \
-	# docker-credential-gcr is a Docker credential helper for pushing/pulling
-	# images from Google Container Registry and Artifact Registry
-	curl --silent --show-error --location "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${DOCKER_GCR_VERSION}/docker-credential-gcr_linux_amd64-${DOCKER_GCR_VERSION}.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- docker-credential-gcr && \
-	# golangci-lint performs static code analysis for our Go code
-	curl --silent --show-error --location "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint" && \
-	# Anchore Grype for scanning container images for security issues
-	curl --silent --show-error --location "https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- grype && \
-	# Helm is necessary for deploying Coder
-	curl --silent --show-error --location "https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 linux-amd64/helm && \
-	# kube-linter for linting Kubernetes objects, including those
-	# that Helm generates from our charts
-	curl --silent --show-error --location "https://github.com/stackrox/kube-linter/releases/download/${KUBE_LINTER_VERSION}/kube-linter-linux" --output /usr/local/bin/kube-linter && \
-	# kubens and kubectx for managing Kubernetes namespaces and contexts
-	curl --silent --show-error --location "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubectx_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- kubectx && \
-	curl --silent --show-error --location "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubens_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- kubens && \
-	# stripe for coder.com billing API
-	curl --silent --show-error --location "https://github.com/stripe/stripe-cli/releases/download/v${STRIPE_VERSION}/stripe_${STRIPE_VERSION}_linux_x86_64.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- stripe && \
-	# terragrunt for running Terraform and Terragrunt files
-	curl --silent --show-error --location --output /usr/local/bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64" && \
-	chmod a=rx /usr/local/bin/terragrunt && \
-	# AquaSec Trivy for scanning container images for security issues
-	curl --silent --show-error --location "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/bin --file=- trivy
-
-# Add Vercel globally. We can't install it in packages.json, because it
-# includes Go files which make golangci-lint unhappy.
-RUN yarn global add --prefix=/usr/local \
-	vercel \
-	typescript \
-	typescript-language-server \
-	prettier && \
-	yarn cache clean
-
-# We use yq during "make deploy" to manually substitute out fields in
-# our helm values.yaml file. See https://github.com/helm/helm/issues/3141
-#
-# TODO: update to 4.x, we can't do this now because it included breaking
-# changes (yq w doesn't work anymore)
-# RUN curl --silent --show-error --location "https://github.com/mikefarah/yq/releases/download/v4.9.0/yq_linux_amd64.tar.gz" | \
-#       tar --extract --gzip --directory=/usr/local/bin --file=- ./yq_linux_amd64 && \
-#     mv /usr/local/bin/yq_linux_amd64 /usr/local/bin/yq
-
-RUN curl --silent --show-error --location --output /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/3.3.0/yq_linux_amd64" && \
-	chmod a=rx /usr/local/bin/yq
-
-# Install GoLand.
-RUN mkdir --parents /usr/local/goland && \
-	curl --silent --show-error --location "https://download.jetbrains.com/go/goland-2021.2.tar.gz" | \
-	tar --extract --gzip --directory=/usr/local/goland --file=- --strip-components=1 && \
-	ln --symbolic /usr/local/goland/bin/goland.sh /usr/local/bin/goland
-
-# Install Antlrv4, needed to generate paramlang lexer/parser
-RUN curl --silent --show-error --location --output /usr/local/lib/antlr-4.9.2-complete.jar "https://www.antlr.org/download/antlr-4.9.2-complete.jar"
-ENV CLASSPATH="/usr/local/lib/antlr-4.9.2-complete.jar:${PATH}"
-
-# Add coder user and allow use of docker/sudo
-RUN useradd coder \
-	--create-home \
-	--shell=/bin/bash \
-	--groups=docker \
-	--uid=1000 \
-	--user-group
-
-# Adjust OpenSSH config
-RUN echo "PermitUserEnvironment yes" >>/etc/ssh/sshd_config && \
-	echo "X11Forwarding yes" >>/etc/ssh/sshd_config && \
-	echo "X11UseLocalhost no" >>/etc/ssh/sshd_config
-
-# We avoid copying the extracted directory since COPY slows to minutes when there
-# are a lot of small files.
-COPY --from=go /usr/local/go.tar.gz /usr/local/go.tar.gz
-RUN mkdir /usr/local/go && \
-	tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1
-
-ENV PATH=$PATH:/usr/local/go/bin
-
-RUN update-alternatives --install /usr/local/bin/gofmt gofmt /usr/local/go/bin/gofmt 100
-
-COPY --from=go /tmp/bin /usr/local/bin
-COPY --from=rust-utils /tmp/bin /usr/local/bin
-COPY --from=proto /tmp/bin /usr/local/bin
-COPY --from=proto /tmp/include /usr/local/bin/include
-
-USER coder
-
-# Ensure go bins are in the 'coder' user's path. Note that no go bins are
-# installed in this docker file, as they'd be mounted over by the persistent
-# home volume.
-ENV PATH="/home/coder/go/bin:${PATH}"
-
-# This setting prevents Go from using the public checksum database for
-# our module path prefixes. It is required because these are in private
-# repositories that require authentication.
-#
-# For details, see: https://golang.org/ref/mod#private-modules
-ENV GOPRIVATE="coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder"
-
-# Increase memory allocation to NodeJS
-ENV NODE_OPTIONS="--max-old-space-size=8192"

dogfood/Makefile

@@ -1,10 +0,0 @@
-.PHONY: docker-build docker-push
-
-branch=$(shell git rev-parse --abbrev-ref HEAD)
-build_tag=codercom/oss-dogfood:${branch}
-
-build:
-	DOCKER_BUILDKIT=1 docker build . -t ${build_tag}
-
-push: build
-	docker push ${build_tag}

dogfood/files/etc/apt/apt.conf.d/80-no-recommends

@@ -1,6 +0,0 @@
-// Do not install recommended packages by default
-APT::Install-Recommends "0";
-
-// Do not install suggested packages by default (this is already
-// the Ubuntu default)
-APT::Install-Suggests "0";

dogfood/files/etc/apt/apt.conf.d/80-retries

@@ -1 +0,0 @@
-APT::Acquire::Retries "3";

dogfood/files/etc/apt/preferences.d/docker

@@ -1,19 +0,0 @@
-# Ignore all packages from this repository by default
-Package: *
-Pin: origin download.docker.com
-Pin-Priority: 1
-
-# Docker Community Edition
-Package: docker-ce
-Pin: origin download.docker.com
-Pin-Priority: 500
-
-# Docker command-line tool
-Package: docker-ce-cli
-Pin: origin download.docker.com
-Pin-Priority: 500
-
-# containerd runtime
-Package: containerd.io
-Pin: origin download.docker.com
-Pin-Priority: 500

dogfood/files/etc/apt/preferences.d/github-cli

@@ -1,8 +0,0 @@
-# Ignore all packages from this repository by default
-Package: *
-Pin: origin cli.github.com
-Pin-Priority: 1
-
-Package: gh
-Pin: origin cli.github.com
-Pin-Priority: 500

dogfood/files/etc/apt/preferences.d/google-chrome

@@ -1,16 +0,0 @@
-# Ignore all packages from this repository by default
-Package: *
-Pin: origin dl.google.com
-Pin-Priority: 1
-
-Package: google-chrome-stable
-Pin: origin dl.google.com
-Pin-Priority: 500
-
-Package: google-chrome-beta
-Pin: origin dl.google.com
-Pin-Priority: 500
-
-Package: google-chrome-unstable
-Pin: origin dl.google.com
-Pin-Priority: 500

dogfood/files/etc/apt/preferences.d/google-cloud

@@ -1,19 +0,0 @@
-# Ignore all packages from this repository by default
-Package: *
-Pin: origin packages.cloud.google.com
-Pin-Priority: 1
-
-# Google Cloud SDK for gcloud and gsutil CLI tools
-Package: google-cloud-sdk
-Pin: origin packages.cloud.google.com
-Pin-Priority: 500
-
-# Datastore emulator for working with the licensor
-Package: google-cloud-sdk-datastore-emulator
-Pin: origin packages.cloud.google.com
-Pin-Priority: 500
-
-# Kubectl for working with Kubernetes (GKE)
-Package: kubectl
-Pin: origin packages.cloud.google.com
-Pin-Priority: 500

dogfood/files/etc/apt/preferences.d/hashicorp

@@ -1,14 +0,0 @@
-# Ignore all packages from this repository by default
-Package: *
-Pin: origin apt.releases.hashicorp.com
-Pin-Priority: 1
-
-# Packer for creating virtual machine disk images
-Package: packer
-Pin: origin apt.releases.hashicorp.com
-Pin-Priority: 500
-
-# Terraform for managing infrastructure
-Package: terraform
-Pin: origin apt.releases.hashicorp.com
-Pin-Priority: 500

dogfood/files/etc/apt/preferences.d/microsoft-edge

@@ -1,12 +0,0 @@
-# Ignore all packages from this repository by default
-Package: *
-Pin: origin packages.microsoft.com
-Pin-Priority: 1
-
-Package: microsoft-edge-beta
-Pin: origin packages.microsoft.com
-Pin-Priority: 500
-
-Package: microsoft-edge-dev
-Pin: origin packages.microsoft.com
-Pin-Priority: 500

dogfood/files/etc/apt/preferences.d/nodesource

@@ -1,9 +0,0 @@
-# Ignore all packages from this repository by default
-Package: *
-Pin: origin deb.nodesource.com
-Pin-Priority: 1
-
-# Node.js for building the frontend
-Package: nodejs
-Pin: origin deb.nodesource.com
-Pin-Priority: 500

dogfood/files/etc/apt/preferences.d/ppa

@@ -1,19 +0,0 @@
-# Ignore all packages from this repository by default
-Package: *
-Pin: origin ppa.launchpad.net
-Pin-Priority: 1
-
-# Ansible
-Package: ansible-base
-Pin: origin ppa.launchpad.net
-Pin-Priority: 500
-
-# Neovim
-Package: neovim
-Pin: origin ppa.launchpad.net
-Pin-Priority: 500
-
-# Neovim Runtime
-Package: neovim-runtime
-Pin: origin ppa.launchpad.net
-Pin-Priority: 500

dogfood/files/etc/apt/preferences.d/yarnpkg

@@ -1,9 +0,0 @@
-# Ignore all packages from this repository by default
-Package: *
-Pin: origin dl.yarnpkg.com
-Pin-Priority: 1
-
-# Yarn for managing Node.js packages
-Package: yarn
-Pin: origin dl.yarnpkg.com
-Pin-Priority: 500

dogfood/files/etc/apt/sources.list

@@ -1,3 +0,0 @@
-deb https://mirror.pit.teraswitch.com/ubuntu/ jammy main restricted universe
-deb https://mirror.pit.teraswitch.com/ubuntu/ jammy-updates main restricted universe
-deb https://mirror.pit.teraswitch.com/ubuntu/ jammy-backports main restricted universe

dogfood/files/etc/apt/sources.list.d/docker.list

@@ -1 +0,0 @@
-deb [signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu jammy stable

dogfood/files/etc/apt/sources.list.d/google-chrome.list

@@ -1 +0,0 @@
-deb [signed-by=/usr/share/keyrings/google-chrome.gpg] https://dl.google.com/linux/chrome/deb/ stable main

dogfood/files/etc/apt/sources.list.d/google-cloud.list

@@ -1 +0,0 @@
-deb [signed-by=/usr/share/keyrings/google-cloud.gpg] https://packages.cloud.google.com/apt cloud-sdk main

dogfood/files/etc/apt/sources.list.d/hashicorp.list

@@ -1 +0,0 @@
-deb [signed-by=/usr/share/keyrings/hashicorp.gpg] https://apt.releases.hashicorp.com jammy main

dogfood/files/etc/apt/sources.list.d/microsoft-edge.list

@@ -1 +0,0 @@
-deb [signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/edge stable main

dogfood/files/etc/apt/sources.list.d/nodesource.list

@@ -1 +0,0 @@
-deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_16.x jammy main

dogfood/files/etc/apt/sources.list.d/postgresql.list

@@ -1 +0,0 @@
-deb [signed-by=/usr/share/keyrings/postgresql.gpg] https://apt.postgresql.org/pub/repos/apt jammy-pgdg main

dogfood/files/etc/apt/sources.list.d/ppa.list

@@ -1,2 +0,0 @@
-deb [signed-by=/usr/share/keyrings/ansible.gpg] https://ppa.launchpadcontent.net/ansible/ansible/ubuntu focal main
-deb [signed-by=/usr/share/keyrings/neovim.gpg] https://ppa.launchpadcontent.net/neovim-ppa/stable/ubuntu focal main

dogfood/files/etc/apt/sources.list.d/security.list

@@ -1 +0,0 @@
-deb http://security.ubuntu.com/ubuntu/ jammy-security main restricted universe

dogfood/files/etc/apt/sources.list.d/yarnpkg.list

@@ -1 +0,0 @@
-deb [signed-by=/usr/share/keyrings/yarnpkg.gpg] https://dl.yarnpkg.com/debian/ stable main

dogfood/files/etc/default/google-chrome

@@ -1,4 +0,0 @@
-# These settings are required to prevent the postinst script
-# from modifying /etc/apt/sources.list.d
-repo_add_once="false"
-repo_reenable_on_distupgrade="false"

dogfood/files/etc/default/microsoft-edge-beta

@@ -1,4 +0,0 @@
-# These settings are required to prevent the postinst script
-# from modifying /etc/apt/sources.list.d
-repo_add_once="false"
-repo_reenable_on_distupgrade="false"

dogfood/files/etc/docker/daemon.json

@@ -1,3 +0,0 @@
-{
-  "registry-mirrors": ["https://mirror.gcr.io"]
-}

dogfood/files/etc/sudoers.d/nopasswd

@@ -1 +0,0 @@
-coder ALL=(ALL) NOPASSWD:ALL

dogfood/main.tf

@@ -266,9 +266,7 @@ data "docker_registry_image" "dogfood" {
 resource "docker_image" "dogfood" {
   name = "${local.registry_name}@${data.docker_registry_image.dogfood.sha256_digest}"
   pull_triggers = [
-    data.docker_registry_image.dogfood.sha256_digest,
-    sha1(join("", [for f in fileset(path.module, "files/*") : filesha1(f)])),
-    filesha1("Dockerfile"),
+    data.docker_registry_image.dogfood.sha256_digest
   ]
   keep_locally = true
 }

dogfood/update-keys.sh

@@ -1,62 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-PROJECT_ROOT="$(git rev-parse --show-toplevel)"
-
-curl_flags=(
-	--silent
-	--show-error
-	--location
-)
-
-gpg_flags=(
-	--dearmor
-	--yes
-)
-
-pushd "$PROJECT_ROOT/dogfood/files/usr/share/keyrings"
-# Upstream Docker signing key
-curl "${curl_flags[@]}" "https://download.docker.com/linux/ubuntu/gpg" |
-	gpg "${gpg_flags[@]}" --output="docker.gpg"
-
-# Google Cloud signing key
-curl "${curl_flags[@]}" "https://packages.cloud.google.com/apt/doc/apt-key.gpg" |
-	gpg "${gpg_flags[@]}" --output="google-cloud.gpg"
-
-# Google Linux Software repository signing key (Chrome)
-curl "${curl_flags[@]}" "https://dl.google.com/linux/linux_signing_key.pub" |
-	gpg "${gpg_flags[@]}" --output="google-chrome.gpg"
-
-# Microsoft repository signing key (Edge)
-curl "${curl_flags[@]}" "https://packages.microsoft.com/keys/microsoft.asc" |
-	gpg "${gpg_flags[@]}" --output="microsoft.gpg"
-
-# Upstream PostgreSQL signing key
-curl "${curl_flags[@]}" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" |
-	gpg "${gpg_flags[@]}" --output="postgresql.gpg"
-
-# NodeSource signing key
-curl "${curl_flags[@]}" "https://deb.nodesource.com/gpgkey/nodesource.gpg.key" |
-	gpg "${gpg_flags[@]}" --output="nodesource.gpg"
-
-# Yarnpkg signing key
-curl "${curl_flags[@]}" "https://dl.yarnpkg.com/debian/pubkey.gpg" |
-	gpg "${gpg_flags[@]}" --output="yarnpkg.gpg"
-
-# Ansible PPA signing key
-curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x6125e2a8c77f2818fb7bd15b93c4a3fd7bb9c367" |
-	gpg "${gpg_flags[@]}" --output="ansible.gpg"
-
-# Neovim signing key
-curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x9dbb0be9366964f134855e2255f96fcf8231b6dd" |
-	gpg "${gpg_flags[@]}" --output="neovim.gpg"
-
-# Hashicorp signing key
-curl "${curl_flags[@]}" "https://apt.releases.hashicorp.com/gpg" |
-	gpg "${gpg_flags[@]}" --output="hashicorp.gpg"
-
-# GitHub CLI signing key
-curl "${curl_flags[@]}" "https://cli.github.com/packages/githubcli-archive-keyring.gpg" |
-	gpg "${gpg_flags[@]}" --output="github-cli.gpg"
-popd

flake.lock

@@ -70,11 +70,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1690179384,
-        "narHash": "sha256-+arbgqFTAtoeKtepW9wCnA0njCOyoiDFyl0Q0SBSOtE=",
+        "lastModified": 1692174805,
+        "narHash": "sha256-xmNPFDi/AUMIxwgOH/IVom55Dks34u1g7sFKKebxUm0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b12803b6d90e2e583429bb79b859ca53c348b39a",
+        "rev": "caac0eb6bdcad0b32cb2522e03e4002c8975c62e",
         "type": "github"
       },
       "original": {

flake.nix

@@ -11,50 +11,186 @@
     flake-utils.lib.eachDefaultSystem (system:
       let
         pkgs = nixpkgs.legacyPackages.${system};
+        formatter = pkgs.nixpkgs-fmt;
+        # Check in https://search.nixos.org/packages to find new packages.
+        # Use `nix flake update` to update the lock file if packages are out-of-date.
+        devShellPackages = with pkgs; [
+          bat
+          bash
+          cairo
+          curl
+          docker
+          drpc.defaultPackage.${system}
+          exa
+          getopt
+          git
+          gnumake
+          gnused
+          go_1_20
+          go-migrate
+          golangci-lint
+          gopls
+          gotestsum
+          jq
+          kubernetes-helm
+          mockgen
+          nfpm
+          nix
+          nodejs
+          nodePackages.pnpm
+          nodePackages.prettier
+          nodePackages.typescript
+          nodePackages.typescript-language-server
+          openssh
+          openssl
+          pango
+          pixman
+          pkg-config
+          postgresql
+          protobuf
+          protoc-gen-go
+          ripgrep
+          screen
+          shellcheck
+          shfmt
+          sqlc
+          strace
+          terraform
+          typos
+          vim
+          yq-go
+          zip
+          zstd
+        ];
+
+        # This is the base image for our Docker container used for development.
+        # Use `nix-prefetch-docker ubuntu --arch amd64 --image-tag lunar` to get this.
+        baseDevEnvImage = pkgs.dockerTools.pullImage {
+          imageName = "ubuntu";
+          imageDigest = "sha256:7a520eeb6c18bc6d32a21bb7edcf673a7830813c169645d51c949cecb62387d0";
+          sha256 = "ajZzFSG/q7F5wAXfBOPpYBT+aVy8lqAXtBzkmAe2SeE=";
+          finalImageName = "ubuntu";
+          finalImageTag = "lunar";
+        };
+        # This is an intermediate stage that adds sudo with the setuid bit set.
+        # Nix doesn't allow setuid binaries in the store, so we have to do this
+        # in a separate stage. 
+        intermediateDevEnvImage = pkgs.dockerTools.buildImage {
+          name = "intermediate";
+          fromImage = baseDevEnvImage;
+          runAsRoot = ''
+            #!${pkgs.runtimeShell}
+            ${pkgs.dockerTools.shadowSetup}
+            userdel ubuntu
+            groupadd docker
+            useradd coder \
+              --create-home \
+              --shell=/bin/bash \
+              --uid=1000 \
+              --user-group \
+              --groups docker
+            cp ${pkgs.sudo}/bin/sudo usr/bin/sudo
+            chmod 4755 usr/bin/sudo
+            mkdir -p /etc/init.d
+          '';
+        };
+        # Environment variables that live in `/etc/environment` in the container.
+        # These will also be applied to the container config.
+        devEnvVars = [
+          "PATH=${pkgs.lib.makeBinPath devShellPackages}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/coder/go/bin"
+          # This setting prevents Go from using the public checksum database for
+          # our module path prefixes. It is required because these are in private
+          # repositories that require authentication.
+          #
+          # For details, see: https://golang.org/ref/mod#private-modules
+          "GOPRIVATE=coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder"
+          # Increase memory allocation to NodeJS
+          "NODE_OPTIONS=--max_old_space_size=8192"
+          "TERM=xterm-256color"
+        ];
+        # Builds our development environment image with all the tools included.
+        # Using Nix instead of Docker is **significantly** faster. This _build_
+        # doesn't really build anything, it just copies pre-built binaries into
+        # a container and adds them to the $PATH.
+        # 
+        # To test changes and iterate on this, you can run:
+        # > nix build .#devEnvImage && ./result | docker load
+        # This will import the image into your local Docker daemon.
+        devEnvImage = pkgs.dockerTools.streamLayeredImage {
+          name = "codercom/oss-dogfood";
+          tag = "latest";
+          fromImage = intermediateDevEnvImage;
+          maxLayers = 64;
+          contents = [
+            # Required for `sudo` to persist the proper `PATH`.
+            (
+              pkgs.writeTextDir "etc/environment" (pkgs.lib.strings.concatLines devEnvVars)
+            )
+            # Allows `coder` to use `sudo` without a password.
+            (
+              pkgs.writeTextDir "etc/sudoers" ''
+                coder ALL=(ALL) NOPASSWD:ALL
+              ''
+            )
+            # Also allows `coder` to use `sudo` without a password.
+            (
+              pkgs.writeTextDir "etc/pam.d/other" ''
+                account sufficient pam_unix.so
+                auth sufficient pam_rootok.so
+                password requisite pam_unix.so nullok yescrypt
+                session required pam_unix.so
+              ''
+            )
+            # The default Nix config!
+            (
+              pkgs.writeTextDir "etc/nix/nix.conf" ''
+                experimental-features = nix-command flakes
+              ''
+            )
+            # This is the debian script for managing Docker with `sudo service docker ...`.
+            (
+              pkgs.writeTextFile {
+                name = "docker";
+                destination = "/etc/init.d/docker";
+                executable = true;
+                text = (builtins.readFile (
+                  pkgs.fetchFromGitHub
+                    {
+                      owner = "moby";
+                      repo = "moby";
+                      rev = "ae737656f9817fbd5afab96aa083754cfb81aab0";
+                      sha256 = "sha256-oS3WplsxhKHCuHwL4/ytsCNJ1N/SZhlUZmzZTf81AoE=";
+                    } + "/contrib/init/sysvinit-debian/docker"
+                ));
+              }
+            )
+            # The Docker script above looks here for the daemon binary location.
+            # Because we're injecting it with Nix, it's not in the default spot.
+            (
+              pkgs.writeTextDir "etc/default/docker" ''
+                DOCKERD=${pkgs.docker}/bin/dockerd
+              ''
+            )
+            # The same as `sudo apt install ca-certificates -y'.
+            (
+              pkgs.writeTextDir "etc/ssl/certs/ca-certificates.crt"
+                (builtins.readFile "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt")
+            )
+          ];
+
+          config = {
+            Env = devEnvVars;
+            Entrypoint = [ "/bin/bash" ];
+            User = "coder";
+          };
+        };
       in
       {
-        formatter = pkgs.nixpkgs-fmt;
-        devShells.default = pkgs.mkShell {
-          buildInputs = with pkgs; [
-            bash
-            bat
-            cairo
-            drpc.defaultPackage.${system}
-            exa
-            getopt
-            git
-            go-migrate
-            go_1_20
-            golangci-lint
-            gopls
-            gotestsum
-            jq
-            kubernetes-helm
-            mockgen
-            nfpm
-            nodePackages.pnpm
-            nodePackages.typescript
-            nodePackages.typescript-language-server
-            nodejs
-            openssh
-            openssl
-            pango
-            pixman
-            pkg-config
-            postgresql
-            protoc-gen-go
-            ripgrep
-            screen
-            shellcheck
-            shfmt
-            sqlc
-            terraform
-            typos
-            yq
-            zip
-            zstd
-          ];
+        packages = {
+          devEnvImage = devEnvImage;
         };
+        defaultPackage = formatter; # or replace it with your desired default package.
+        devShell = pkgs.mkShell { buildInputs = devShellPackages; };
       }
     );
 }

provisionerd/proto/provisionerd.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.30.0
-// 	protoc        v4.23.3
+// 	protoc-gen-go v1.31.0
+// 	protoc        v3.21.12
 // source: provisionerd/proto/provisionerd.proto
 
 package proto

provisionerd/proto/provisionerd_drpc.pb.go

@@ -1,5 +1,5 @@
 // Code generated by protoc-gen-go-drpc. DO NOT EDIT.
-// protoc-gen-go-drpc version: v0.0.33
+// protoc-gen-go-drpc version: (devel)
 // source: provisionerd/proto/provisionerd.proto
 
 package proto

provisionersdk/proto/provisioner.pb.go

@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.30.0
-// 	protoc        v4.23.3
+// 	protoc-gen-go v1.31.0
+// 	protoc        v3.21.12
 // source: provisionersdk/proto/provisioner.proto
 
 package proto

provisionersdk/proto/provisioner_drpc.pb.go

@@ -1,5 +1,5 @@
 // Code generated by protoc-gen-go-drpc. DO NOT EDIT.
-// protoc-gen-go-drpc version: v0.0.33
+// protoc-gen-go-drpc version: (devel)
 // source: provisionersdk/proto/provisioner.proto
 
 package proto
@@ -76,10 +76,6 @@ type drpcProvisioner_ParseClient struct {
 	drpc.Stream
 }
 
-func (x *drpcProvisioner_ParseClient) GetStream() drpc.Stream {
-	return x.Stream
-}
-
 func (x *drpcProvisioner_ParseClient) Recv() (*Parse_Response, error) {
 	m := new(Parse_Response)
 	if err := x.MsgRecv(m, drpcEncoding_File_provisionersdk_proto_provisioner_proto{}); err != nil {
@@ -111,10 +107,6 @@ type drpcProvisioner_ProvisionClient struct {
 	drpc.Stream
 }
 
-func (x *drpcProvisioner_ProvisionClient) GetStream() drpc.Stream {
-	return x.Stream
-}
-
 func (x *drpcProvisioner_ProvisionClient) Send(m *Provision_Request) error {
 	return x.MsgSend(m, drpcEncoding_File_provisionersdk_proto_provisioner_proto{})
 }

site/.eslintignore

@@ -64,6 +64,9 @@ stats/
 .././scaletest/terraform/.terraform.lock.hcl
 ../scaletest/terraform/secrets.tfvars
 .terraform.tfstate.*
+
+# Nix
+result
 # .prettierignore.include:
 # Helm templates contain variables that are invalid YAML and can't be formatted
 # by Prettier.

site/.prettierignore

@@ -64,6 +64,9 @@ stats/
 .././scaletest/terraform/.terraform.lock.hcl
 ../scaletest/terraform/secrets.tfvars
 .terraform.tfstate.*
+
+# Nix
+result
 # .prettierignore.include:
 # Helm templates contain variables that are invalid YAML and can't be formatted
 # by Prettier.