{ depot, lib, ... }: let inherit (depot) pkgs; mercurial = (pkgs.mercurial.overridePythonAttrs (origAttrs: { propagatedBuildInputs = [pkgs.python3Packages.hg-evolve]; })); updateNixpkgs = pkgs.runCommand "update_nixpkgs" { buildInputs = with pkgs; [ makeWrapper ]; } '' mkdir -p $out/bin cp ${./update_nixpkgs.sh} $out/bin/update_nixpkgs chmod +x $out/bin/update_nixpkgs patchShebangs --host $out/bin wrapProgram $out/bin/update_nixpkgs \ --prefix PATH : ${pkgs.lib.makeBinPath (with pkgs; [ bashInteractive mercurial openssh coreutils copybara git gnused ])} ''; in pkgs.dockerTools.buildImage { name = "update_nixpkgs"; config = { Cmd = [ "${updateNixpkgs}/bin/update_nixpkgs" ]; Env = [ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" "USER=root" ]; }; contents = [ pkgs.cacert updateNixpkgs (pkgs.runCommand "update_nixpkgs_content" {} '' mkdir $out $out/root $out/root/.ssh $out/etc $out/tmp chmod 700 $out/root $out/root/.ssh chmod 1777 $out/tmp cat <$out/etc/passwd root:x:0:0:System administrator:/root:/run/current-system/sw/bin/bash EOF cat <$out/root/.ssh/config Host hg Hostname hg.lukegb.com User hg StrictHostKeyChecking no IdentityFile /secrets/ssh_id EOF cat <$out/root/.hgrc [extensions] histedit = rebase = strip = remotenames = amend = evolve = topic = purge = share = EOF '') ]; }