From e72a0ad8c338be5573a295db62748bc88d7ea4a4 Mon Sep 17 00:00:00 2001
From: h0nIg <h0nIg@users.noreply.github.com>
Date: Thu, 5 Jun 2025 23:28:47 +0200
Subject: [PATCH 1/4] docker: add docu references & remove duplicate code

---
 docker.nix | 27 +++++++++++----------------
 1 file changed, 11 insertions(+), 16 deletions(-)

diff --git a/docker.nix b/docker.nix
index c418a9e62..c6905b246 100644
--- a/docker.nix
+++ b/docker.nix
@@ -147,23 +147,11 @@ let
     "${k}:x:${toString gid}:${lib.concatStringsSep "," members}";
   groupContents = (lib.concatStringsSep "\n" (lib.attrValues (lib.mapAttrs groupToGroup groups)));
 
-  defaultNixConf = {
-    sandbox = "false";
-    build-users-group = "nixbld";
-    trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
-  };
-
   nixConfContents =
-    (lib.concatStringsSep "\n" (
-      lib.mapAttrsToList (
-        n: v:
-        let
-          vStr = if builtins.isList v then lib.concatStringsSep " " v else v;
-        in
-        "${n} = ${vStr}"
-      ) (defaultNixConf // nixConf)
-    ))
-    + "\n";
+    pkgs.dockerTools.nixConf
+    {
+      build-users-group = "nixbld";
+    };
 
   userHome = if uid == 0 then "/root" else "/home/${uname}";
 
@@ -181,6 +169,8 @@ let
         name = "root-profile-env";
         paths = defaultPkgs;
       };
+      # doc/manual/source/command-ref/files/manifest.nix.md
+      # may get replaced by pkgs.buildEnv once manifest.json can get written
       manifest = pkgs.buildPackages.runCommand "manifest.nix" { } ''
         cat > $out <<EOF
         [
@@ -246,6 +236,7 @@ let
           set -x
           mkdir -p $out/etc
 
+          # may get replaced by pkgs.dockerTools.caCertificates
           mkdir -p $out/etc/ssl/certs
           ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs
 
@@ -273,17 +264,21 @@ let
           mkdir -p $out${userHome}
           mkdir -p $out/nix/var/nix/profiles/per-user/${uname}
 
+          # see doc/manual/source/command-ref/files/profiles.md
           ln -s ${profile} $out/nix/var/nix/profiles/default-1-link
           ln -s /nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default
           ln -s /nix/var/nix/profiles/default $out${userHome}/.nix-profile
 
+          # see doc/manual/source/command-ref/files/channels.md
           ln -s ${channel} $out/nix/var/nix/profiles/per-user/${uname}/channels-1-link
           ln -s /nix/var/nix/profiles/per-user/${uname}/channels-1-link $out/nix/var/nix/profiles/per-user/${uname}/channels
 
+          # see doc/manual/source/command-ref/files/default-nix-expression.md
           mkdir -p $out${userHome}/.nix-defexpr
           ln -s /nix/var/nix/profiles/per-user/${uname}/channels $out${userHome}/.nix-defexpr/channels
           echo "${channelURL} ${channelName}" > $out${userHome}/.nix-channels
 
+          # may get replaced by pkgs.dockerTools.binSh & pkgs.dockerTools.usrBinEnv
           mkdir -p $out/bin $out/usr/bin
           ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
           ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh

From 2caccbed11ed5a517ed3fee86f1da3cdbff60211 Mon Sep 17 00:00:00 2001
From: h0nIg <h0nIg@users.noreply.github.com>
Date: Fri, 6 Jun 2025 23:54:15 +0200
Subject: [PATCH 2/4] docker: shrink code - use buildenv.manifest

---
 docker.nix | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/docker.nix b/docker.nix
index c6905b246..1401dc6c7 100644
--- a/docker.nix
+++ b/docker.nix
@@ -165,12 +165,7 @@ let
           echo "[]" > $out/manifest.nix
         fi
       '';
-      rootEnv = pkgs.buildPackages.buildEnv {
-        name = "root-profile-env";
-        paths = defaultPkgs;
-      };
       # doc/manual/source/command-ref/files/manifest.nix.md
-      # may get replaced by pkgs.buildEnv once manifest.json can get written
       manifest = pkgs.buildPackages.runCommand "manifest.nix" { } ''
         cat > $out <<EOF
         [
@@ -200,11 +195,15 @@ let
         ]
         EOF
       '';
-      profile = pkgs.buildPackages.runCommand "user-environment" { } ''
-        mkdir $out
-        cp -a ${rootEnv}/* $out/
-        ln -s ${manifest} $out/manifest.nix
-      '';
+      profile = pkgs.buildPackages.buildEnv {
+        name = "root-profile-env";
+        paths = defaultPkgs;
+
+        postBuild = ''
+          mv $out/manifest $out/manifest.nix
+        '';
+        inherit manifest;
+      };
       flake-registry-path =
         if (flake-registry == null) then
           null

From 8fbc27af46e49265691ca664e5705b043639c7ca Mon Sep 17 00:00:00 2001
From: h0nIg <h0nIg@users.noreply.github.com>
Date: Thu, 26 Jun 2025 23:33:27 +0200
Subject: [PATCH 3/4] enhancements

---
 docker.nix | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/docker.nix b/docker.nix
index 825ffff4f..fff9672b2 100644
--- a/docker.nix
+++ b/docker.nix
@@ -176,11 +176,17 @@ let
     "${k}:x:${toString gid}:${lib.concatStringsSep "," members}";
   groupContents = (lib.concatStringsSep "\n" (lib.attrValues (lib.mapAttrs groupToGroup groups)));
 
-  nixConfContents =
-    pkgs.dockerTools.nixConf
-    {
-      build-users-group = "nixbld";
-    };
+  toConf = with pkgs.lib.generators; toKeyValue {
+    mkKeyValue = mkKeyValueDefault {
+      mkValueString = v: if lib.isList v then lib.concatStringsSep " " v else mkValueStringDefault { } v;
+    } " = ";
+  };
+
+  nixConfContents = toConf {
+    sandbox = false;
+    build-users-group = "nixbld";
+    trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ];
+  };
 
   userHome = if uid == 0 then "/root" else "/home/${uname}";
 

From ba12adc0f92396297b6c825690f3a3dfa8a9fbd5 Mon Sep 17 00:00:00 2001
From: h0nIg <h0nIg@users.noreply.github.com>
Date: Thu, 26 Jun 2025 23:37:39 +0200
Subject: [PATCH 4/4] format

---
 docker.nix | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/docker.nix b/docker.nix
index fff9672b2..c6e8e478e 100644
--- a/docker.nix
+++ b/docker.nix
@@ -176,11 +176,13 @@ let
     "${k}:x:${toString gid}:${lib.concatStringsSep "," members}";
   groupContents = (lib.concatStringsSep "\n" (lib.attrValues (lib.mapAttrs groupToGroup groups)));
 
-  toConf = with pkgs.lib.generators; toKeyValue {
-    mkKeyValue = mkKeyValueDefault {
-      mkValueString = v: if lib.isList v then lib.concatStringsSep " " v else mkValueStringDefault { } v;
-    } " = ";
-  };
+  toConf =
+    with pkgs.lib.generators;
+    toKeyValue {
+      mkKeyValue = mkKeyValueDefault {
+        mkValueString = v: if lib.isList v then lib.concatStringsSep " " v else mkValueStringDefault { } v;
+      } " = ";
+    };
 
   nixConfContents = toConf {
     sandbox = false;