{"id":24998449,"url":"https://github.com/cameronraysmith/nixpod","last_synced_at":"2026-03-05T22:11:48.719Z","repository":{"id":192975892,"uuid":"687843307","full_name":"cameronraysmith/nixpod","owner":"cameronraysmith","description":"⎈ containerized multiuser nix 🏘 ❄️","archived":false,"fork":false,"pushed_at":"2026-02-28T05:42:59.000Z","size":668,"stargazers_count":14,"open_issues_count":13,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-02-28T11:42:42.809Z","etag":null,"topics":["container-image","containerd","containers","devcontainer","devpod","dotfiles","home-manager","k8s","kubernetes","nix","nix-flake","oci","oci-image"],"latest_commit_sha":null,"homepage":"","language":"Nix","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cameronraysmith.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":".github/CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":".github/SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-09-06T05:58:57.000Z","updated_at":"2025-10-13T13:25:53.000Z","dependencies_parsed_at":"2023-09-06T07:41:54.971Z","dependency_job_id":"3f9f9bda-b759-4a48-99be-516c2558d936","html_url":"https://github.com/cameronraysmith/nixpod","commit_stats":null,"previous_names":["cameronraysmith/dotfiles","cameronraysmith/nixpod"],"tags_count":40,"template":false,"template_full_name":null,"purl":"pkg:github/cameronraysmith/nixpod","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cameronraysmith%2Fnixpod","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cameronraysmith%2Fnixpod/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cameronraysmith%2Fnixpod/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cameronraysmith%2Fnixpod/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cameronraysmith","download_url":"https://codeload.github.com/cameronraysmith/nixpod/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cameronraysmith%2Fnixpod/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30152187,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-05T21:15:50.531Z","status":"ssl_error","status_checked_at":"2026-03-05T21:15:11.173Z","response_time":93,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["container-image","containerd","containers","devcontainer","devpod","dotfiles","home-manager","k8s","kubernetes","nix","nix-flake","oci","oci-image"],"created_at":"2025-02-04T17:58:10.865Z","updated_at":"2026-03-05T22:11:48.711Z","avatar_url":"https://github.com/cameronraysmith.png","language":"Nix","readme":"\u003cdiv align=\"center\"\u003e\n\n# nixpod\n\n\u003ca href=\"https://nix.dev/concepts/flakes\" target=\"_blank\"\u003e\n\t\u003cimg alt=\"Nix Flakes Ready\" src=\"https://img.shields.io/static/v1?logo=nixos\u0026logoColor=d8dee9\u0026label=Nix%20Flakes\u0026labelColor=5e81ac\u0026message=In%20Containers\u0026color=d8dee9\u0026style=for-the-badge\"\u003e\n\u003c/a\u003e\n\n[![CI][ci-badge]][ci-link]\n\n**containerized nix + home-manager development environments**\n\n\u003c/div\u003e\n\n---\n\n## What this provides\n\nContainerized multi-user Nix development environments for platforms where NixOS cannot be used directly.\nFour container variants ship prebuilt multi-arch images (x86_64, aarch64) to `ghcr.io`, each with the Nix daemon, s6-overlay process supervision, and home-manager user configuration.\n\n| Variant | Purpose | User | Port |\n|---------|---------|------|------|\n| **nixpod** | General development | root (uid 0) | -- |\n| **ghanix** | GitHub Actions runners | runner (uid 1001) | -- |\n| **codenix** | code-server IDE | jovyan (uid 1000) | 8888 |\n| **jupnix** | JupyterLab | jovyan (uid 1000) | 8888 |\n\n\u003cdetails\u003e\n\u003csummary\u003eVariant details\u003c/summary\u003e\n\nThe *nixpod* container is the base variant with home-manager activated for root, intended for general-purpose development and debugging including scenarios like Kubernetes ephemeral containers.\n\nThe *ghanix* container is configured for GitHub Actions self-hosted runners with the runner user and includes the atuin daemon service.\n\nThe *codenix* container runs code-server on port 8888 with the jovyan user, includes VS Code extension installation and home-manager activation via s6 init scripts, and the atuin daemon.\n\nThe *jupnix* container runs JupyterLab on port 8888 with the jovyan user and includes the atuin daemon and home-manager activation.\n\nAll variants share a common base image built by `modules/containers/build-image.nix` with four ordered layers (base utilities, Nix daemon, s6-overlay, Nix configuration) plus a variant-specific customization layer.\n\n\u003c/details\u003e\n\n## Quick start\n\nPull and run a prebuilt image:\n\n```bash\ndocker pull ghcr.io/cameronraysmith/nixpod:latest\ndocker run -it --rm ghcr.io/cameronraysmith/nixpod:latest\n```\n\nBuild from source and load into the local Docker daemon:\n\n```bash\nnix run .#load-nixpod\n```\n\nThis uses skopeo with the nix2container transport to copy the image directly, without producing a full tarball.\nOn macOS, the loader automatically targets the corresponding Linux architecture.\n\nEnter the development shell:\n\n```bash\nnix develop\n```\n\n## Build commands\n\n```bash\nnix build                    # build default home-manager activation package\nnix build .#nixpod           # build nixpod container (nix2container JSON manifest)\nnix build .#codenix          # build code-server container\nnix build .#ghanix           # build GitHub Actions runner container\nnix build .#jupnix           # build JupyterLab container\nnix run .#load-nixpod        # load nixpod into Docker daemon via skopeo\nnix fmt                      # format nix files via treefmt (nixfmt)\nnix flake check              # validate flake, run nix-unit tests and pre-commit checks\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eJustfile recipes\u003c/summary\u003e\n\nThe justfile provides grouped convenience commands.\nRun `just` to see all available recipes or `just -n \u003crecipe\u003e` for a dry run.\n\n**Nix operations:** `just build`, `just check`, `just lint`, `just io`, `just update`, `just clean`\n\n**Container lifecycle:** `just container-build`, `just container-load`, `just container-run`, `just container-push`, `just container-push-all`, `just container-build-all`\n\n**CI helpers:** `just gh-ci-run`, `just gh-workflow-status`, `just gh-watch`, `just gh-logs`, `just gh-rerun`, `just gh-cancel`\n\n**Secrets management:** `just show-secrets`, `just edit-secrets`, `just scan-secrets`, `just export-secrets`, `just validate-secrets`, and additional sops utilities\n\n**Release management:** `just test-release`, `just preview-version`, `just release`\n\n**Devpod operations:** `just pod`, `just devpod`, `just provider`\n\n\u003c/details\u003e\n\n## Flake outputs\n\n\u003cdetails\u003e\n\u003csummary\u003eOutput summary\u003c/summary\u003e\n\n**packages** (per system: aarch64-darwin, aarch64-linux, x86_64-darwin, x86_64-linux)\n\n- `default` -- home-manager activation package\n- `load-nixpod`, `load-ghanix`, `load-codenix`, `load-jupnix` -- scripts that load images into Docker\n- `push-nixpod`, `push-ghanix`, `push-codenix`, `push-jupnix` -- push arch-qualified images to ghcr.io\n\n*Linux-only packages* (aarch64-linux, x86_64-linux):\n\n- `nixpod`, `ghanix`, `codenix`, `jupnix` -- nix2container JSON image manifests\n- `container` -- alias for nixpod\n- `nixpod-users` -- system user identity derivation (passwd, group, shadow, PAM)\n- `s6-overlay-layer` -- s6-overlay filesystem layout\n\n**apps** (per system)\n\n- `load-nixpod`, `load-ghanix`, `load-codenix`, `load-jupnix` -- container loader apps\n- `push-nixpod`, `push-ghanix`, `push-codenix`, `push-jupnix` -- per-arch image push apps\n- `nixpodManifest`, `ghanixManifest`, `codenixManifest`, `jupnixManifest` -- multi-arch manifest assembly\n\n**devShells**\n\n- `default` -- development shell with build and operations tooling\n\n**checks**\n\n- `nix-unit` -- 12 evaluation-time tests for flake structure and container invariants\n- `pre-commit` -- git-hooks.nix pre-commit checks\n- `treefmt` -- treefmt formatting validation\n\n**formatter** -- treefmt (nixfmt)\n\n**homeModules** -- `default` home-manager module (atuin, git, neovim, starship, terminal, zsh with catppuccin theming)\n\n**legacyPackages** -- `homeConfigurations` (root, jovyan, runner) and `containerMatrix` for CI matrix discovery\n\n\u003c/details\u003e\n\n## Development\n\nEnter the development shell with `nix develop` or via direnv if configured.\nThe shell provides:\n\n- **build and CI:** just, act, nix-output-monitor, ratchet\n- **secrets:** age, sops, ssh-to-age, gitleaks\n- **release:** bun, nodejs (for semantic-release)\n- **pre-commit hooks:** treefmt (nixfmt) and gitleaks secret scanning via git-hooks.nix\n\nFormat all Nix files with `nix fmt`.\nValidate the flake and run pre-commit checks with `nix flake check`.\n\n## Architecture\n\nThe project is built on Nix Flakes with flake-parts for modular output composition.\nThe flake uses import-tree to auto-discover flake-parts modules from the `modules/` directory, eliminating manual import lists.\nContainer images are constructed with nix2container's `buildImage` and `buildLayer` for deferred tar creation and efficient layer management.\ns6-overlay provides process supervision within containers.\nHome-manager user configurations use deferred module composition via the `flake.modules.homeManager.*` namespace.\nMulti-arch publishing uses a decoupled push/manifest model: skopeo pushes per-arch images via the nix2container transport, then crane assembles multi-platform manifest lists.\n\n\n## Acknowledgements\n\n- [nix2container](https://github.com/nlewo/nix2container) -- deferred tar creation for container images\n- [s6-overlay](https://github.com/just-containers/s6-overlay) -- process supervision in containers\n- [flake-parts](https://github.com/hercules-ci/flake-parts) -- modular flake output composition\n- [import-tree](https://github.com/vic/import-tree) -- auto-discovery of flake-parts modules\n- [home-manager](https://github.com/nix-community/home-manager) -- declarative user environment configuration\n- [nix-unit](https://github.com/nix-community/nix-unit) -- evaluation-time unit testing for Nix expressions\n- [crane](https://github.com/google/go-containerregistry/tree/main/cmd/crane) -- multi-arch manifest assembly\n- [catppuccin](https://github.com/catppuccin/nix) -- theming for terminal and editor configuration\n- [nix-snapshotter](https://github.com/pdtpartners/nix-snapshotter) -- CRI-layer container integration\n- [vanixiets](https://github.com/cameronraysmith/vanixiets) -- reference nix-darwin and home-manager patterns\n\n[ci-badge]: https://github.com/cameronraysmith/nixpod/actions/workflows/ci.yaml/badge.svg\n[ci-link]: https://github.com/cameronraysmith/nixpod/actions/workflows/ci.yaml\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcameronraysmith%2Fnixpod","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcameronraysmith%2Fnixpod","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcameronraysmith%2Fnixpod/lists"}