chore: reduce build time by converting docker image to build with nix (#9099)

* Add Docker image

* Try building the container in CI

* Uncomment testing lines

* Trim image step

* Hit 'em with a Docker load

* Oopsie!

* Add a tag and push!

* Fix image name 🤦

* Fix sudo

* Fix target name

* Build and push

* Fix login to docker hub

* Revert to Docker push

* Fix PATH

* Fix SHA

* Fix ca certs

* Fix ca certs

* Fix copying files in

* Fix docker init

* Fix Docker group and init

* Add comments to our Nix

* Fix build stage

* Add some more comments

* Remove old dogfood image files

* Tag and push with branch name

* Fix tag passing

* Fix tag passing

* Remove old pull triggers

* Convert gen to use Nix

* Add protobuf to the flake

* Add prettier to the dev shell

* Swap to the faster Nix cache action

* Add the correct yq

* Fix gen

* Add make to the flake

* Update extensions
This commit is contained in:
Kyle Carberry
2023-08-17 21:19:36 -05:00
committed by GitHub
parent 5b165d5cb9
commit c0a78533bf
53 changed files with 221 additions and 681 deletions
+5 -29
@@ -169,38 +169,14 @@ jobs:
with: with:
fetch-depth: 1 fetch-depth: 1
- name: Setup Node - name: Install Nix
uses: ./.github/actions/setup-node uses: DeterminateSystems/nix-installer-action@v4
- name: Setup Go - name: Run the Magic Nix Cache
uses: ./.github/actions/setup-go uses: DeterminateSystems/magic-nix-cache-action@v2
- name: Setup sqlc
uses: ./.github/actions/setup-sqlc
- name: go install tools
run: |
go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30
go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.33
go install golang.org/x/tools/cmd/goimports@latest
go install github.com/mikefarah/yq/v4@v4.30.6
go install github.com/golang/mock/mockgen@v1.6.0
- name: Install Protoc
run: |
# protoc must be in lockstep with our dogfood Dockerfile or the
# version in the comments will differ. This is also defined in
# security.yaml
set -x
cd dogfood
DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
protoc_path=/usr/local/bin/protoc
docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path
chmod +x $protoc_path
protoc --version
- name: make gen - name: make gen
run: "make --output-sync -j -B gen" run: "nix-shell --command 'make --output-sync -j -B gen'"
- name: Check for unstaged files - name: Check for unstaged files
run: ./scripts/check_unstaged.sh run: ./scripts/check_unstaged.sh
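Review bot: The two new third-party actions on the `uses:` lines (`DeterminateSystems/nix-installer-action@v4`, `DeterminateSystems/magic-nix-cache-action@v2`) are pinned to mutable major-version tags, whereas the removed `go install tools` step pinned each tool to an exact version; pinning to a full commit SHA with the tag kept in a trailing comment, `uses: DeterminateSystems/nix-installer-action@<commit-sha> # v4`, preserves the reproducibility the old step had, and matters here because this action installs Nix with root privileges on the runner. The same applies to the identical `uses:` lines in the dogfood workflow section. The removed comment also states that the protoc version "is also defined in security.yaml"; if that workflow still builds the `proto` target of the dogfood Dockerfile deleted in this commit it will break, which cannot be confirmed from this page.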
+17 -13
@@ -5,11 +5,15 @@ on:
branches: branches:
- main - main
paths: paths:
- "flake.nix"
- "flake.lock"
- "dogfood/**" - "dogfood/**"
- ".github/workflows/dogfood.yaml" - ".github/workflows/dogfood.yaml"
# Uncomment these lines when testing with CI. # Uncomment these lines when testing with CI.
# pull_request: # pull_request:
# paths: # paths:
# - "flake.nix"
# - "flake.lock"
# - "dogfood/**" # - "dogfood/**"
# - ".github/workflows/dogfood.yaml" # - ".github/workflows/dogfood.yaml"
workflow_dispatch: workflow_dispatch:
@@ -18,6 +22,9 @@ jobs:
deploy_image: deploy_image:
runs-on: buildjet-4vcpu-ubuntu-2204 runs-on: buildjet-4vcpu-ubuntu-2204
steps: steps:
- name: Checkout
uses: actions/checkout@v3
- name: Get branch name - name: Get branch name
id: branch-name id: branch-name
uses: tj-actions/branch-names@v6.5 uses: tj-actions/branch-names@v6.5
@@ -30,11 +37,13 @@ jobs:
tag=${tag//\//--} tag=${tag//\//--}
echo "tag=${tag}" >> $GITHUB_OUTPUT echo "tag=${tag}" >> $GITHUB_OUTPUT
- name: Set up QEMU - name: Install Nix
uses: docker/setup-qemu-action@v2 uses: DeterminateSystems/nix-installer-action@v4
- name: Set up Docker Buildx - name: Run the Magic Nix Cache
uses: docker/setup-buildx-action@v2 uses: DeterminateSystems/magic-nix-cache-action@v2
- run: nix build .#devEnvImage && ./result | docker load
- name: Login to DockerHub - name: Login to DockerHub
uses: docker/login-action@v2 uses: docker/login-action@v2
@@ -42,15 +51,10 @@ jobs:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }} password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Build and push - name: Tag and Push
uses: docker/build-push-action@v4 run: |
with: docker tag codercom/oss-dogfood:latest codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }}
context: "{{defaultContext}}:dogfood" docker push codercom/oss-dogfood -a
pull: true
push: true
tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest"
cache-from: type=registry,ref=codercom/oss-dogfood:latest
cache-to: type=inline
deploy_template: deploy_template:
needs: deploy_image needs: deploy_image
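Review bot: `docker push codercom/oss-dogfood -a` in the new "Tag and Push" step pushes every local tag of that repository, not only `latest` and the branch tag created on the line above; on an ephemeral runner that is the same set, but if the runner is ever reused it would also re-push whatever stale tags are present, so pushing the two tags explicitly, `docker push codercom/oss-dogfood:latest` and `docker push codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }}`, is the safer form. The step `- run: nix build .#devEnvImage && ./result | docker load` is the only step in the job without a `name:`; adding one, e.g. `- name: Build and load image`, keeps the job log consistent with the surrounding steps. The tag step also assumes `nix build` loads an image already tagged `codercom/oss-dogfood:latest`, which the flake section on this page does not show.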
+3
@@ -61,3 +61,6 @@ site/stats/
./scaletest/terraform/.terraform.lock.hcl ./scaletest/terraform/.terraform.lock.hcl
scaletest/terraform/secrets.tfvars scaletest/terraform/secrets.tfvars
.terraform.tfstate.* .terraform.tfstate.*
# Nix
result
+3
@@ -64,6 +64,9 @@ site/stats/
./scaletest/terraform/.terraform.lock.hcl ./scaletest/terraform/.terraform.lock.hcl
scaletest/terraform/secrets.tfvars scaletest/terraform/secrets.tfvars
.terraform.tfstate.* .terraform.tfstate.*
# Nix
result
# .prettierignore.include: # .prettierignore.include:
# Helm templates contain variables that are invalid YAML and can't be formatted # Helm templates contain variables that are invalid YAML and can't be formatted
# by Prettier. # by Prettier.
-348
@@ -1,348 +0,0 @@
FROM rust:slim AS rust-utils
# Install rust helper programs
# ENV CARGO_NET_GIT_FETCH_WITH_CLI=true
ENV CARGO_INSTALL_ROOT=/tmp/
RUN cargo install exa bat ripgrep typos-cli watchexec-cli
FROM ubuntu:jammy AS go
RUN apt-get update && apt-get install --yes curl gcc
# Install Go manually, so that we can control the version
ARG GO_VERSION=1.20.7
RUN mkdir --parents /usr/local/go
# Boring Go is needed to build FIPS-compliant binaries.
RUN curl --silent --show-error --location \
"https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz" \
-o /usr/local/go.tar.gz
RUN tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1
ENV PATH=$PATH:/usr/local/go/bin
# Install Go utilities.
ARG GOPATH="/tmp/"
RUN mkdir --parents "$GOPATH" && \
# moq for Go tests.
go install github.com/matryer/moq@v0.2.3 && \
# swag for Swagger doc generation
go install github.com/swaggo/swag/cmd/swag@v1.7.4 && \
# go-swagger tool to generate the go coder api client
go install github.com/go-swagger/go-swagger/cmd/swagger@v0.28.0 && \
# goimports for updating imports
go install golang.org/x/tools/cmd/goimports@v0.1.7 && \
# protoc-gen-go is needed to build sysbox from source
go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30 && \
# drpc support for v2
go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.33 && \
# migrate for migration support for v2
go install github.com/golang-migrate/migrate/v4/cmd/migrate@v4.15.1 && \
# goreleaser for compiling v2 binaries
go install github.com/goreleaser/goreleaser@v1.6.1 && \
# Install the latest version of gopls for editors that support
# the language server protocol
go install golang.org/x/tools/gopls@latest && \
# gotestsum makes test output more readable
go install gotest.tools/gotestsum@v1.9.0 && \
# goveralls collects code coverage metrics from tests
# and sends to Coveralls
go install github.com/mattn/goveralls@v0.0.11 && \
# kind for running Kubernetes-in-Docker, needed for tests
go install sigs.k8s.io/kind@v0.10.0 && \
# helm-docs generates our Helm README based on a template and the
# charts and values files
go install github.com/norwoodj/helm-docs/cmd/helm-docs@v1.5.0 && \
# sqlc for Go code generation
go install github.com/sqlc-dev/sqlc/cmd/sqlc@v1.20.0 && \
# gcr-cleaner-cli used by CI to prune unused images
go install github.com/sethvargo/gcr-cleaner/cmd/gcr-cleaner-cli@v0.5.1 && \
# ruleguard for checking custom rules, without needing to run all of
# golangci-lint. Check the go.mod in the release of golangci-lint that
# we're using for the version of go-critic that it embeds, then check
# the version of ruleguard in go-critic for that tag.
go install github.com/quasilyte/go-ruleguard/cmd/ruleguard@v0.3.13 && \
# go-fuzz for fuzzy testing. they don't publish releases so we rely on latest.
go install github.com/dvyukov/go-fuzz/go-fuzz@latest && \
go install github.com/dvyukov/go-fuzz/go-fuzz-build@latest && \
# go-releaser for building 'fat binaries' that work cross-platform
go install github.com/goreleaser/goreleaser@v1.6.1 && \
go install mvdan.cc/sh/v3/cmd/shfmt@latest && \
# nfpm is used with `make build` to make release packages
go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.16.0 && \
# yq v4 is used to process yaml files in coder v2. Conflicts with
# yq v3 used in v1.
go install github.com/mikefarah/yq/v4@v4.30.6 && \
mv /tmp/bin/yq /tmp/bin/yq4 && \
go install github.com/golang/mock/mockgen@v1.6.0
FROM gcr.io/coder-dev-1/alpine:3.18 as proto
WORKDIR /tmp
RUN apk add curl unzip
RUN curl -L -o protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v23.3/protoc-23.3-linux-x86_64.zip
RUN unzip protoc.zip
FROM ubuntu:jammy
SHELL ["/bin/bash", "-c"]
# Updated certificates are necessary to use the teraswitch mirror.
# This must be ran before copying in configuration since the config replaces
# the default mirror with teraswitch.
RUN apt-get update && apt-get install --yes ca-certificates
COPY files /
# Install packages from apt repositories
ARG DEBIAN_FRONTEND="noninteractive"
RUN apt-get update --quiet && apt-get install --yes \
apt-transport-https \
apt-utils \
bash \
bash-completion \
bats \
bind9-dnsutils \
build-essential \
ca-certificates \
cmake \
crypto-policies \
curl \
fd-find \
file \
git \
gnupg \
graphviz \
htop \
httpie \
inetutils-tools \
iproute2 \
iputils-ping \
iputils-tracepath \
jq \
language-pack-en \
less \
lsb-release \
man \
meld \
net-tools \
openjdk-11-jdk-headless \
openssh-server \
openssl \
libssl-dev \
pkg-config \
python3 \
python3-pip \
rsync \
shellcheck \
strace \
sudo \
tcptraceroute \
termshark \
traceroute \
vim \
wget \
xauth \
zip \
ncdu \
cargo \
asciinema \
zsh \
ansible \
neovim \
google-cloud-sdk \
google-cloud-sdk-datastore-emulator \
kubectl \
postgresql-13 \
containerd.io \
docker-ce \
docker-ce-cli \
docker-compose-plugin \
packer \
terraform \
fish \
unzip \
zstd \
screen \
gettext-base && \
# Delete package cache to avoid consuming space in layer
apt-get clean && \
# Configure FIPS-compliant policies
update-crypto-policies --set FIPS
# Install the docker buildx component.
RUN DOCKER_BUILDX_VERSION=$(curl -s "https://api.github.com/repos/docker/buildx/releases/latest" | grep '"tag_name":' | sed -E 's/.*"(v[^"]+)".*/\1/') && \
mkdir -p /usr/local/lib/docker/cli-plugins && \
curl -Lo /usr/local/lib/docker/cli-plugins/docker-buildx "https://github.com/docker/buildx/releases/download/${DOCKER_BUILDX_VERSION}/buildx-${DOCKER_BUILDX_VERSION}.linux-amd64" && \
chmod a+x /usr/local/lib/docker/cli-plugins/docker-buildx
# See https://github.com/cli/cli/issues/6175#issuecomment-1235984381 for proof
# the apt repository is unreliable
RUN GH_CLI_VERSION=$(curl -s "https://api.github.com/repos/cli/cli/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/') && \
curl -L https://github.com/cli/cli/releases/download/v${GH_CLI_VERSION}/gh_${GH_CLI_VERSION}_linux_amd64.deb -o gh.deb && \
dpkg -i gh.deb && \
rm gh.deb
# Install Lazygit
# See https://github.com/jesseduffield/lazygit#ubuntu
RUN LAZYGIT_VERSION=$(curl -s "https://api.github.com/repos/jesseduffield/lazygit/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v*([^"]+)".*/\1/') && \
curl -Lo lazygit.tar.gz "https://github.com/jesseduffield/lazygit/releases/latest/download/lazygit_${LAZYGIT_VERSION}_Linux_x86_64.tar.gz" && \
tar xf lazygit.tar.gz -C /usr/local/bin lazygit
# Install frontend utilities
RUN apt-get update && \
# Node.js (from nodesource) and Yarn (from yarnpkg)
curl -fsSL https://deb.nodesource.com/setup_18.x | sudo -E bash - &&\
apt-get install --yes --quiet \
nodejs yarn \
# Install browsers for e2e testing
google-chrome-stable microsoft-edge-beta && \
# Pre-install system dependencies that Playwright needs. npx doesn't work here
# for some reason. See https://github.com/microsoft/playwright-cli/issues/136
npm i -g playwright@1.36.2 pnpm@^8 && playwright install-deps && \
npm cache clean --force
# Ensure PostgreSQL binaries are in the users $PATH.
RUN update-alternatives --install /usr/local/bin/initdb initdb /usr/lib/postgresql/13/bin/initdb 100 && \
update-alternatives --install /usr/local/bin/postgres postgres /usr/lib/postgresql/13/bin/postgres 100
# Create links for injected dependencies
RUN ln --symbolic /var/tmp/coder/coder-cli/coder /usr/local/bin/coder && \
ln --symbolic /var/tmp/coder/code-server/bin/code-server /usr/local/bin/code-server
# Disable the PostgreSQL systemd service.
# Coder uses a custom timescale container to test the database instead.
RUN systemctl disable \
postgresql
# Configure systemd services for CVMs
RUN systemctl enable \
docker \
ssh
# Install tools with published releases, where that is the
# preferred/recommended installation method.
ARG CLOUD_SQL_PROXY_VERSION=2.2.0 \
DIVE_VERSION=0.10.0 \
DOCKER_GCR_VERSION=2.1.8 \
GOLANGCI_LINT_VERSION=1.52.2 \
GRYPE_VERSION=0.61.1 \
HELM_VERSION=3.12.0 \
KUBE_LINTER_VERSION=0.6.3 \
KUBECTX_VERSION=0.9.4 \
STRIPE_VERSION=1.14.5 \
TERRAGRUNT_VERSION=0.45.11 \
TRIVY_VERSION=0.41.0
# cloud_sql_proxy, for connecting to cloudsql instances
# the upstream go.mod prevents this from being installed with go install
RUN curl --silent --show-error --location --output /usr/local/bin/cloud_sql_proxy "https://storage.googleapis.com/cloud-sql-connectors/cloud-sql-proxy/v${CLOUD_SQL_PROXY_VERSION}/cloud-sql-proxy.linux.amd64" && \
chmod a=rx /usr/local/bin/cloud_sql_proxy && \
# dive for scanning image layer utilization metrics in CI
curl --silent --show-error --location "https://github.com/wagoodman/dive/releases/download/v${DIVE_VERSION}/dive_${DIVE_VERSION}_linux_amd64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- dive && \
# docker-credential-gcr is a Docker credential helper for pushing/pulling
# images from Google Container Registry and Artifact Registry
curl --silent --show-error --location "https://github.com/GoogleCloudPlatform/docker-credential-gcr/releases/download/v${DOCKER_GCR_VERSION}/docker-credential-gcr_linux_amd64-${DOCKER_GCR_VERSION}.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- docker-credential-gcr && \
# golangci-lint performs static code analysis for our Go code
curl --silent --show-error --location "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint" && \
# Anchore Grype for scanning container images for security issues
curl --silent --show-error --location "https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- grype && \
# Helm is necessary for deploying Coder
curl --silent --show-error --location "https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- --strip-components=1 linux-amd64/helm && \
# kube-linter for linting Kubernetes objects, including those
# that Helm generates from our charts
curl --silent --show-error --location "https://github.com/stackrox/kube-linter/releases/download/${KUBE_LINTER_VERSION}/kube-linter-linux" --output /usr/local/bin/kube-linter && \
# kubens and kubectx for managing Kubernetes namespaces and contexts
curl --silent --show-error --location "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubectx_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- kubectx && \
curl --silent --show-error --location "https://github.com/ahmetb/kubectx/releases/download/v${KUBECTX_VERSION}/kubens_v${KUBECTX_VERSION}_linux_x86_64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- kubens && \
# stripe for coder.com billing API
curl --silent --show-error --location "https://github.com/stripe/stripe-cli/releases/download/v${STRIPE_VERSION}/stripe_${STRIPE_VERSION}_linux_x86_64.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- stripe && \
# terragrunt for running Terraform and Terragrunt files
curl --silent --show-error --location --output /usr/local/bin/terragrunt "https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64" && \
chmod a=rx /usr/local/bin/terragrunt && \
# AquaSec Trivy for scanning container images for security issues
curl --silent --show-error --location "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz" | \
tar --extract --gzip --directory=/usr/local/bin --file=- trivy
# Add Vercel globally. We can't install it in packages.json, because it
# includes Go files which make golangci-lint unhappy.
RUN yarn global add --prefix=/usr/local \
vercel \
typescript \
typescript-language-server \
prettier && \
yarn cache clean
# We use yq during "make deploy" to manually substitute out fields in
# our helm values.yaml file. See https://github.com/helm/helm/issues/3141
#
# TODO: update to 4.x, we can't do this now because it included breaking
# changes (yq w doesn't work anymore)
# RUN curl --silent --show-error --location "https://github.com/mikefarah/yq/releases/download/v4.9.0/yq_linux_amd64.tar.gz" | \
# tar --extract --gzip --directory=/usr/local/bin --file=- ./yq_linux_amd64 && \
# mv /usr/local/bin/yq_linux_amd64 /usr/local/bin/yq
RUN curl --silent --show-error --location --output /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/download/3.3.0/yq_linux_amd64" && \
chmod a=rx /usr/local/bin/yq
# Install GoLand.
RUN mkdir --parents /usr/local/goland && \
curl --silent --show-error --location "https://download.jetbrains.com/go/goland-2021.2.tar.gz" | \
tar --extract --gzip --directory=/usr/local/goland --file=- --strip-components=1 && \
ln --symbolic /usr/local/goland/bin/goland.sh /usr/local/bin/goland
# Install Antlrv4, needed to generate paramlang lexer/parser
RUN curl --silent --show-error --location --output /usr/local/lib/antlr-4.9.2-complete.jar "https://www.antlr.org/download/antlr-4.9.2-complete.jar"
ENV CLASSPATH="/usr/local/lib/antlr-4.9.2-complete.jar:${PATH}"
# Add coder user and allow use of docker/sudo
RUN useradd coder \
--create-home \
--shell=/bin/bash \
--groups=docker \
--uid=1000 \
--user-group
# Adjust OpenSSH config
RUN echo "PermitUserEnvironment yes" >>/etc/ssh/sshd_config && \
echo "X11Forwarding yes" >>/etc/ssh/sshd_config && \
echo "X11UseLocalhost no" >>/etc/ssh/sshd_config
# We avoid copying the extracted directory since COPY slows to minutes when there
# are a lot of small files.
COPY --from=go /usr/local/go.tar.gz /usr/local/go.tar.gz
RUN mkdir /usr/local/go && \
tar --extract --gzip --directory=/usr/local/go --file=/usr/local/go.tar.gz --strip-components=1
ENV PATH=$PATH:/usr/local/go/bin
RUN update-alternatives --install /usr/local/bin/gofmt gofmt /usr/local/go/bin/gofmt 100
COPY --from=go /tmp/bin /usr/local/bin
COPY --from=rust-utils /tmp/bin /usr/local/bin
COPY --from=proto /tmp/bin /usr/local/bin
COPY --from=proto /tmp/include /usr/local/bin/include
USER coder
# Ensure go bins are in the 'coder' user's path. Note that no go bins are
# installed in this docker file, as they'd be mounted over by the persistent
# home volume.
ENV PATH="/home/coder/go/bin:${PATH}"
# This setting prevents Go from using the public checksum database for
# our module path prefixes. It is required because these are in private
# repositories that require authentication.
#
# For details, see: https://golang.org/ref/mod#private-modules
ENV GOPRIVATE="coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder"
# Increase memory allocation to NodeJS
ENV NODE_OPTIONS="--max-old-space-size=8192"
-10
@@ -1,10 +0,0 @@
.PHONY: docker-build docker-push
branch=$(shell git rev-parse --abbrev-ref HEAD)
build_tag=codercom/oss-dogfood:${branch}
build:
DOCKER_BUILDKIT=1 docker build . -t ${build_tag}
push: build
docker push ${build_tag}
@@ -1,6 +0,0 @@
// Do not install recommended packages by default
APT::Install-Recommends "0";
// Do not install suggested packages by default (this is already
// the Ubuntu default)
APT::Install-Suggests "0";
@@ -1 +0,0 @@
APT::Acquire::Retries "3";
@@ -1,19 +0,0 @@
# Ignore all packages from this repository by default
Package: *
Pin: origin download.docker.com
Pin-Priority: 1
# Docker Community Edition
Package: docker-ce
Pin: origin download.docker.com
Pin-Priority: 500
# Docker command-line tool
Package: docker-ce-cli
Pin: origin download.docker.com
Pin-Priority: 500
# containerd runtime
Package: containerd.io
Pin: origin download.docker.com
Pin-Priority: 500
@@ -1,8 +0,0 @@
# Ignore all packages from this repository by default
Package: *
Pin: origin cli.github.com
Pin-Priority: 1
Package: gh
Pin: origin cli.github.com
Pin-Priority: 500
@@ -1,16 +0,0 @@
# Ignore all packages from this repository by default
Package: *
Pin: origin dl.google.com
Pin-Priority: 1
Package: google-chrome-stable
Pin: origin dl.google.com
Pin-Priority: 500
Package: google-chrome-beta
Pin: origin dl.google.com
Pin-Priority: 500
Package: google-chrome-unstable
Pin: origin dl.google.com
Pin-Priority: 500
@@ -1,19 +0,0 @@
# Ignore all packages from this repository by default
Package: *
Pin: origin packages.cloud.google.com
Pin-Priority: 1
# Google Cloud SDK for gcloud and gsutil CLI tools
Package: google-cloud-sdk
Pin: origin packages.cloud.google.com
Pin-Priority: 500
# Datastore emulator for working with the licensor
Package: google-cloud-sdk-datastore-emulator
Pin: origin packages.cloud.google.com
Pin-Priority: 500
# Kubectl for working with Kubernetes (GKE)
Package: kubectl
Pin: origin packages.cloud.google.com
Pin-Priority: 500
@@ -1,14 +0,0 @@
# Ignore all packages from this repository by default
Package: *
Pin: origin apt.releases.hashicorp.com
Pin-Priority: 1
# Packer for creating virtual machine disk images
Package: packer
Pin: origin apt.releases.hashicorp.com
Pin-Priority: 500
# Terraform for managing infrastructure
Package: terraform
Pin: origin apt.releases.hashicorp.com
Pin-Priority: 500
@@ -1,12 +0,0 @@
# Ignore all packages from this repository by default
Package: *
Pin: origin packages.microsoft.com
Pin-Priority: 1
Package: microsoft-edge-beta
Pin: origin packages.microsoft.com
Pin-Priority: 500
Package: microsoft-edge-dev
Pin: origin packages.microsoft.com
Pin-Priority: 500
@@ -1,9 +0,0 @@
# Ignore all packages from this repository by default
Package: *
Pin: origin deb.nodesource.com
Pin-Priority: 1
# Node.js for building the frontend
Package: nodejs
Pin: origin deb.nodesource.com
Pin-Priority: 500
-19
@@ -1,19 +0,0 @@
# Ignore all packages from this repository by default
Package: *
Pin: origin ppa.launchpad.net
Pin-Priority: 1
# Ansible
Package: ansible-base
Pin: origin ppa.launchpad.net
Pin-Priority: 500
# Neovim
Package: neovim
Pin: origin ppa.launchpad.net
Pin-Priority: 500
# Neovim Runtime
Package: neovim-runtime
Pin: origin ppa.launchpad.net
Pin-Priority: 500
@@ -1,9 +0,0 @@
# Ignore all packages from this repository by default
Package: *
Pin: origin dl.yarnpkg.com
Pin-Priority: 1
# Yarn for managing Node.js packages
Package: yarn
Pin: origin dl.yarnpkg.com
Pin-Priority: 500
-3
@@ -1,3 +0,0 @@
deb https://mirror.pit.teraswitch.com/ubuntu/ jammy main restricted universe
deb https://mirror.pit.teraswitch.com/ubuntu/ jammy-updates main restricted universe
deb https://mirror.pit.teraswitch.com/ubuntu/ jammy-backports main restricted universe
@@ -1 +0,0 @@
deb [signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu jammy stable
@@ -1 +0,0 @@
deb [signed-by=/usr/share/keyrings/google-chrome.gpg] https://dl.google.com/linux/chrome/deb/ stable main
@@ -1 +0,0 @@
deb [signed-by=/usr/share/keyrings/google-cloud.gpg] https://packages.cloud.google.com/apt cloud-sdk main
@@ -1 +0,0 @@
deb [signed-by=/usr/share/keyrings/hashicorp.gpg] https://apt.releases.hashicorp.com jammy main
@@ -1 +0,0 @@
deb [signed-by=/usr/share/keyrings/microsoft.gpg] https://packages.microsoft.com/repos/edge stable main
@@ -1 +0,0 @@
deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_16.x jammy main
@@ -1 +0,0 @@
deb [signed-by=/usr/share/keyrings/postgresql.gpg] https://apt.postgresql.org/pub/repos/apt jammy-pgdg main
@@ -1,2 +0,0 @@
deb [signed-by=/usr/share/keyrings/ansible.gpg] https://ppa.launchpadcontent.net/ansible/ansible/ubuntu focal main
deb [signed-by=/usr/share/keyrings/neovim.gpg] https://ppa.launchpadcontent.net/neovim-ppa/stable/ubuntu focal main
@@ -1 +0,0 @@
deb http://security.ubuntu.com/ubuntu/ jammy-security main restricted universe
@@ -1 +0,0 @@
deb [signed-by=/usr/share/keyrings/yarnpkg.gpg] https://dl.yarnpkg.com/debian/ stable main
-4
@@ -1,4 +0,0 @@
# These settings are required to prevent the postinst script
# from modifying /etc/apt/sources.list.d
repo_add_once="false"
repo_reenable_on_distupgrade="false"
@@ -1,4 +0,0 @@
# These settings are required to prevent the postinst script
# from modifying /etc/apt/sources.list.d
repo_add_once="false"
repo_reenable_on_distupgrade="false"
-3
@@ -1,3 +0,0 @@
{
"registry-mirrors": ["https://mirror.gcr.io"]
}
-1
@@ -1 +0,0 @@
coder ALL=(ALL) NOPASSWD:ALL
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
+1 -3
@@ -266,9 +266,7 @@ data "docker_registry_image" "dogfood" {
resource "docker_image" "dogfood" { resource "docker_image" "dogfood" {
name = "${local.registry_name}@${data.docker_registry_image.dogfood.sha256_digest}" name = "${local.registry_name}@${data.docker_registry_image.dogfood.sha256_digest}"
pull_triggers = [ pull_triggers = [
data.docker_registry_image.dogfood.sha256_digest, data.docker_registry_image.dogfood.sha256_digest
sha1(join("", [for f in fileset(path.module, "files/*") : filesha1(f)])),
filesha1("Dockerfile"),
] ]
keep_locally = true keep_locally = true
} }
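Review bot: After the change `pull_triggers` holds only `data.docker_registry_image.dogfood.sha256_digest`, which is already embedded in `name` two lines above, so the list now looks redundant; if the digest in `name` is enough to force a re-pull with the provider version in use (not visible on this page) the `pull_triggers` block can be dropped, otherwise a comment such as `# Re-pull whenever the registry digest of the dogfood image changes` would explain why the same value appears twice. The removed file-hash triggers had to go because the Dockerfile and `files/` tree are deleted in this commit, which means nothing in this module reacts to `flake.nix` changes any more; that is acceptable only because the image is consumed strictly by digest, as `name` shows.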
-62
@@ -1,62 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
PROJECT_ROOT="$(git rev-parse --show-toplevel)"
curl_flags=(
--silent
--show-error
--location
)
gpg_flags=(
--dearmor
--yes
)
pushd "$PROJECT_ROOT/dogfood/files/usr/share/keyrings"
# Upstream Docker signing key
curl "${curl_flags[@]}" "https://download.docker.com/linux/ubuntu/gpg" |
gpg "${gpg_flags[@]}" --output="docker.gpg"
# Google Cloud signing key
curl "${curl_flags[@]}" "https://packages.cloud.google.com/apt/doc/apt-key.gpg" |
gpg "${gpg_flags[@]}" --output="google-cloud.gpg"
# Google Linux Software repository signing key (Chrome)
curl "${curl_flags[@]}" "https://dl.google.com/linux/linux_signing_key.pub" |
gpg "${gpg_flags[@]}" --output="google-chrome.gpg"
# Microsoft repository signing key (Edge)
curl "${curl_flags[@]}" "https://packages.microsoft.com/keys/microsoft.asc" |
gpg "${gpg_flags[@]}" --output="microsoft.gpg"
# Upstream PostgreSQL signing key
curl "${curl_flags[@]}" "https://www.postgresql.org/media/keys/ACCC4CF8.asc" |
gpg "${gpg_flags[@]}" --output="postgresql.gpg"
# NodeSource signing key
curl "${curl_flags[@]}" "https://deb.nodesource.com/gpgkey/nodesource.gpg.key" |
gpg "${gpg_flags[@]}" --output="nodesource.gpg"
# Yarnpkg signing key
curl "${curl_flags[@]}" "https://dl.yarnpkg.com/debian/pubkey.gpg" |
gpg "${gpg_flags[@]}" --output="yarnpkg.gpg"
# Ansible PPA signing key
curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x6125e2a8c77f2818fb7bd15b93c4a3fd7bb9c367" |
gpg "${gpg_flags[@]}" --output="ansible.gpg"
# Neovim signing key
curl "${curl_flags[@]}" "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x9dbb0be9366964f134855e2255f96fcf8231b6dd" |
gpg "${gpg_flags[@]}" --output="neovim.gpg"
# Hashicorp signing key
curl "${curl_flags[@]}" "https://apt.releases.hashicorp.com/gpg" |
gpg "${gpg_flags[@]}" --output="hashicorp.gpg"
# GitHub CLI signing key
curl "${curl_flags[@]}" "https://cli.github.com/packages/githubcli-archive-keyring.gpg" |
gpg "${gpg_flags[@]}" --output="github-cli.gpg"
popd
+3 -3
@@ -70,11 +70,11 @@
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": { "locked": {
"lastModified": 1690179384, "lastModified": 1692174805,
"narHash": "sha256-+arbgqFTAtoeKtepW9wCnA0njCOyoiDFyl0Q0SBSOtE=", "narHash": "sha256-xmNPFDi/AUMIxwgOH/IVom55Dks34u1g7sFKKebxUm0=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "b12803b6d90e2e583429bb79b859ca53c348b39a", "rev": "caac0eb6bdcad0b32cb2522e03e4002c8975c62e",
"type": "github" "type": "github"
}, },
"original": { "original": {
+177 -41
@@ -11,50 +11,186 @@
flake-utils.lib.eachDefaultSystem (system: flake-utils.lib.eachDefaultSystem (system:
let let
pkgs = nixpkgs.legacyPackages.${system}; pkgs = nixpkgs.legacyPackages.${system};
formatter = pkgs.nixpkgs-fmt;
# Check in https://search.nixos.org/packages to find new packages.
# Use `nix flake update` to update the lock file if packages are out-of-date.
devShellPackages = with pkgs; [
bat
bash
cairo
curl
docker
drpc.defaultPackage.${system}
exa
getopt
git
gnumake
gnused
go_1_20
go-migrate
golangci-lint
gopls
gotestsum
jq
kubernetes-helm
mockgen
nfpm
nix
nodejs
nodePackages.pnpm
nodePackages.prettier
nodePackages.typescript
nodePackages.typescript-language-server
openssh
openssl
pango
pixman
pkg-config
postgresql
protobuf
protoc-gen-go
ripgrep
screen
shellcheck
shfmt
sqlc
strace
terraform
typos
vim
yq-go
zip
zstd
];
# This is the base image for our Docker container used for development.
# Use `nix-prefetch-docker ubuntu --arch amd64 --image-tag lunar` to get this.
baseDevEnvImage = pkgs.dockerTools.pullImage {
imageName = "ubuntu";
imageDigest = "sha256:7a520eeb6c18bc6d32a21bb7edcf673a7830813c169645d51c949cecb62387d0";
sha256 = "ajZzFSG/q7F5wAXfBOPpYBT+aVy8lqAXtBzkmAe2SeE=";
finalImageName = "ubuntu";
finalImageTag = "lunar";
};
# This is an intermediate stage that adds sudo with the setuid bit set.
# Nix doesn't allow setuid binaries in the store, so we have to do this
# in a separate stage.
intermediateDevEnvImage = pkgs.dockerTools.buildImage {
name = "intermediate";
fromImage = baseDevEnvImage;
runAsRoot = ''
#!${pkgs.runtimeShell}
${pkgs.dockerTools.shadowSetup}
userdel ubuntu
groupadd docker
useradd coder \
--create-home \
--shell=/bin/bash \
--uid=1000 \
--user-group \
--groups docker
cp ${pkgs.sudo}/bin/sudo usr/bin/sudo
chmod 4755 usr/bin/sudo
mkdir -p /etc/init.d
'';
};
# Environment variables that live in `/etc/environment` in the container.
# These will also be applied to the container config.
devEnvVars = [
"PATH=${pkgs.lib.makeBinPath devShellPackages}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/home/coder/go/bin"
# This setting prevents Go from using the public checksum database for
# our module path prefixes. It is required because these are in private
# repositories that require authentication.
#
# For details, see: https://golang.org/ref/mod#private-modules
"GOPRIVATE=coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder"
# Increase memory allocation to NodeJS
"NODE_OPTIONS=--max_old_space_size=8192"
"TERM=xterm-256color"
];
# Builds our development environment image with all the tools included.
# Using Nix instead of Docker is **significantly** faster. This _build_
# doesn't really build anything, it just copies pre-built binaries into
# a container and adds them to the $PATH.
#
# To test changes and iterate on this, you can run:
# > nix build .#devEnvImage && ./result | docker load
# This will import the image into your local Docker daemon.
devEnvImage = pkgs.dockerTools.streamLayeredImage {
name = "codercom/oss-dogfood";
tag = "latest";
fromImage = intermediateDevEnvImage;
maxLayers = 64;
contents = [
# Required for `sudo` to persist the proper `PATH`.
(
pkgs.writeTextDir "etc/environment" (pkgs.lib.strings.concatLines devEnvVars)
)
# Allows `coder` to use `sudo` without a password.
(
pkgs.writeTextDir "etc/sudoers" ''
coder ALL=(ALL) NOPASSWD:ALL
''
)
# Also allows `coder` to use `sudo` without a password.
(
pkgs.writeTextDir "etc/pam.d/other" ''
account sufficient pam_unix.so
auth sufficient pam_rootok.so
password requisite pam_unix.so nullok yescrypt
session required pam_unix.so
''
)
# The default Nix config!
(
pkgs.writeTextDir "etc/nix/nix.conf" ''
experimental-features = nix-command flakes
''
)
# This is the debian script for managing Docker with `sudo service docker ...`.
(
pkgs.writeTextFile {
name = "docker";
destination = "/etc/init.d/docker";
executable = true;
text = (builtins.readFile (
pkgs.fetchFromGitHub
{
owner = "moby";
repo = "moby";
rev = "ae737656f9817fbd5afab96aa083754cfb81aab0";
sha256 = "sha256-oS3WplsxhKHCuHwL4/ytsCNJ1N/SZhlUZmzZTf81AoE=";
} + "/contrib/init/sysvinit-debian/docker"
));
}
)
# The Docker script above looks here for the daemon binary location.
# Because we're injecting it with Nix, it's not in the default spot.
(
pkgs.writeTextDir "etc/default/docker" ''
DOCKERD=${pkgs.docker}/bin/dockerd
''
)
# The same as `sudo apt install ca-certificates -y'.
(
pkgs.writeTextDir "etc/ssl/certs/ca-certificates.crt"
(builtins.readFile "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt")
)
];
config = {
Env = devEnvVars;
Entrypoint = [ "/bin/bash" ];
User = "coder";
};
};
in in
{ {
formatter = pkgs.nixpkgs-fmt; packages = {
devShells.default = pkgs.mkShell { devEnvImage = devEnvImage;
buildInputs = with pkgs; [
bash
bat
cairo
drpc.defaultPackage.${system}
exa
getopt
git
go-migrate
go_1_20
golangci-lint
gopls
gotestsum
jq
kubernetes-helm
mockgen
nfpm
nodePackages.pnpm
nodePackages.typescript
nodePackages.typescript-language-server
nodejs
openssh
openssl
pango
pixman
pkg-config
postgresql
protoc-gen-go
ripgrep
screen
shellcheck
shfmt
sqlc
terraform
typos
yq
zip
zstd
];
}; };
defaultPackage = formatter; # or replace it with your desired default package.
devShell = pkgs.mkShell { buildInputs = devShellPackages; };
} }
); );
} }
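Review bot: The comment above the `etc/pam.d/other` entry says it "also allows `coder` to use `sudo` without a password", but `pam_rootok.so` only succeeds when the calling process's real uid is 0, so the passwordless behaviour actually comes from the `NOPASSWD` rule written to `etc/sudoers`; as far as I can tell this PAM file is needed because sudo still runs the account and session phases and fails when no service definition exists. I would reword the comment to `# sudo runs PAM account/session checks even with NOPASSWD; this fallback service definition keeps them working.` so the next reader does not remove the sudoers rule thinking PAM covers it. Because `other` is the fallback for every PAM service that lacks its own file, ending the auth stack with an explicit `auth required pam_deny.so` would make the failure case deliberate rather than implicit. The `devEnvImage` definition and the surrounding `let` block are fully inside this section.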
+2 -2
@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT. // Code generated by protoc-gen-go. DO NOT EDIT.
// versions: // versions:
// protoc-gen-go v1.30.0 // protoc-gen-go v1.31.0
// protoc v4.23.3 // protoc v3.21.12
// source: provisionerd/proto/provisionerd.proto // source: provisionerd/proto/provisionerd.proto
package proto package proto
+1 -1
@@ -1,5 +1,5 @@
// Code generated by protoc-gen-go-drpc. DO NOT EDIT. // Code generated by protoc-gen-go-drpc. DO NOT EDIT.
// protoc-gen-go-drpc version: v0.0.33 // protoc-gen-go-drpc version: (devel)
// source: provisionerd/proto/provisionerd.proto // source: provisionerd/proto/provisionerd.proto
package proto package proto
+2 -2
@@ -1,7 +1,7 @@
// Code generated by protoc-gen-go. DO NOT EDIT. // Code generated by protoc-gen-go. DO NOT EDIT.
// versions: // versions:
// protoc-gen-go v1.30.0 // protoc-gen-go v1.31.0
// protoc v4.23.3 // protoc v3.21.12
// source: provisionersdk/proto/provisioner.proto // source: provisionersdk/proto/provisioner.proto
package proto package proto
+1 -9
@@ -1,5 +1,5 @@
// Code generated by protoc-gen-go-drpc. DO NOT EDIT. // Code generated by protoc-gen-go-drpc. DO NOT EDIT.
// protoc-gen-go-drpc version: v0.0.33 // protoc-gen-go-drpc version: (devel)
// source: provisionersdk/proto/provisioner.proto // source: provisionersdk/proto/provisioner.proto
package proto package proto
@@ -76,10 +76,6 @@ type drpcProvisioner_ParseClient struct {
drpc.Stream drpc.Stream
} }
func (x *drpcProvisioner_ParseClient) GetStream() drpc.Stream {
return x.Stream
}
func (x *drpcProvisioner_ParseClient) Recv() (*Parse_Response, error) { func (x *drpcProvisioner_ParseClient) Recv() (*Parse_Response, error) {
m := new(Parse_Response) m := new(Parse_Response)
if err := x.MsgRecv(m, drpcEncoding_File_provisionersdk_proto_provisioner_proto{}); err != nil { if err := x.MsgRecv(m, drpcEncoding_File_provisionersdk_proto_provisioner_proto{}); err != nil {
@@ -111,10 +107,6 @@ type drpcProvisioner_ProvisionClient struct {
drpc.Stream drpc.Stream
} }
func (x *drpcProvisioner_ProvisionClient) GetStream() drpc.Stream {
return x.Stream
}
func (x *drpcProvisioner_ProvisionClient) Send(m *Provision_Request) error { func (x *drpcProvisioner_ProvisionClient) Send(m *Provision_Request) error {
return x.MsgSend(m, drpcEncoding_File_provisionersdk_proto_provisioner_proto{}) return x.MsgSend(m, drpcEncoding_File_provisionersdk_proto_provisioner_proto{})
} }
+3
@@ -64,6 +64,9 @@ stats/
.././scaletest/terraform/.terraform.lock.hcl .././scaletest/terraform/.terraform.lock.hcl
../scaletest/terraform/secrets.tfvars ../scaletest/terraform/secrets.tfvars
.terraform.tfstate.* .terraform.tfstate.*
# Nix
result
# .prettierignore.include: # .prettierignore.include:
# Helm templates contain variables that are invalid YAML and can't be formatted # Helm templates contain variables that are invalid YAML and can't be formatted
# by Prettier. # by Prettier.
+3
@@ -64,6 +64,9 @@ stats/
.././scaletest/terraform/.terraform.lock.hcl .././scaletest/terraform/.terraform.lock.hcl
../scaletest/terraform/secrets.tfvars ../scaletest/terraform/secrets.tfvars
.terraform.tfstate.* .terraform.tfstate.*
# Nix
result
# .prettierignore.include: # .prettierignore.include:
# Helm templates contain variables that are invalid YAML and can't be formatted # Helm templates contain variables that are invalid YAML and can't be formatted
# by Prettier. # by Prettier.