nix-oci

nix-oci is a flake-parts module designed to streamline the management of OCI (Open Container Initiative) repositories using the Nix package manager. By leveraging nix2container as its backend, nix-oci facilitates the declarative creation and handling of container images, ensuring reproducibility and efficiency in containerized environments.

Installation

See the readme.

Options

oci.enableDevShell

Whether to enable the flake development shell.

Type: boolean

Default:

false

oci.enableFlakeOutputs

Whether to automatically expose OCI apps, packages, and checks as flake outputs.

Type: boolean

Default:

true

Example:

false

oci.enabled

Whether to enable the OCI module…

Type: boolean

Default:

false

Example:

true

oci.credentialsLeak

Options for credential leak detection in container images.

Type: submodule

Default:

{ }

oci.credentialsLeak.configPath

Path where global credentials leak check configuration files will be stored.

Type: absolute path

Default:

config.oci.rootPath + "/credentials-leak/"

oci.credentialsLeak.trivy

Configuration for detecting credentials leaks using Trivy.

Type: submodule

Default:

{ }

oci.credentialsLeak.trivy.enabled

Whether to enable credentials leak detection with Trivy.

Type: boolean

Default:

false

Example:

true

oci.cve

Configuration for Common Vulnerabilities and Exposures (CVE) scanning in container images.

Type: submodule

Default:

{ }

oci.cve.configPath

Path where CVE scanner configuration files will be stored.

Type: absolute path

Default:

cfg.oci.rootPath

oci.cve.grype

Configuration for CVE scanning using Grype.

Type: submodule

Default:

{ }

oci.cve.grype.enabled

Whether to enable CVE scanning with Grype.

Type: boolean

Default:

false

Example:

true

oci.cve.grype.config

Configuration for Grype scanner settings.

Type: submodule

Default:

{ }

oci.cve.grype.config.enabled

Whether to enable Grype configuration file generation.

Type: boolean

Default:

false

Example:

true

oci.cve.grype.config.rootPath

Path where Grype configuration files will be stored.

Type: absolute path

Default:

config.oci.cve.configPath + "/grype/"

oci.cve.trivy

Configuration for CVE scanning using Trivy.

Type: submodule

Default:

{ }

oci.cve.trivy.enabled

Whether to enable CVE scanning with Trivy.

Type: boolean

Default:

false

Example:

true

oci.cve.trivy.ignore

Configuration for CVE exclusions in Trivy scans.

Type: submodule

Default:

{ }

oci.cve.trivy.ignore.extra

Additional CVE identifiers to ignore globally in Trivy scans.

Type: list of string

Default:

[ ]

oci.cve.trivy.ignore.fileEnabled

Whether to enable Trivy CVE ignore file generation.

Type: boolean

Default:

false

Example:

true

oci.cve.trivy.ignore.rootPath

Path where Trivy CVE ignore files will be stored.

Type: absolute path

Default:

cfg.oci.cve.configPath

oci.devShellPackage

The package to use for the development shell.

Type: package

oci.fromImageManifestRootPath

The root path to store the pulled OCI image manifest JSON lockfiles.

Type: absolute path

Default:

config.oci.rootPath + "/pulledManifestsLocks/"

oci.registry

The OCI registry to use for pushing and pulling images.

Type: null or string

Default:

null

oci.rootPath

The root path to store the Nix OCI resources.

Type: absolute path

Default:

self + "/oci/"

oci.sbom

Configuration for Software Bill of Materials (SBOM) generation in container images.

Type: submodule

Default:

{ }

oci.sbom.path

Path where SBOM files will be stored.

Type: absolute path

Default:

cfg.oci.rootPath

oci.sbom.syft

Configuration for SBOM generation using Syft.

Type: submodule

Default:

{ }

oci.sbom.syft.enabled

Whether to enable SBOM generation with Syft.

Type: boolean

Default:

false

oci.sbom.syft.config

Configuration settings for Syft SBOM generation.

Type: submodule

Default:

{ }

oci.sbom.syft.config.enabled

Whether to enable Syft configuration file generation.

Type: boolean

Default:

false

oci.sbom.syft.config.rootPath

Path where Syft configuration files will be stored.

Type: absolute path

Default:

cfg.oci.sbom.path

oci.test

Global configuration for container testing tools.

Type: submodule

Default:

{ }

oci.test.containerStructureTest

Configuration for container-structure-test validation tool.

Type: submodule

Default:

{ }

oci.test.containerStructureTest.enabled

Whether to enable container-structure-test globally for all containers.

Type: boolean

Default:

false

oci.test.dgoss

Configuration for dgoss (Docker + goss) testing framework.

Type: submodule

Default:

{ }

oci.test.dgoss.enabled

Whether to enable dgoss testing globally for all containers.

Type: boolean

Default:

false

oci.test.dive

Configuration for Dive container image analysis tool.

Type: submodule

Default:

{ }

oci.test.dive.enabled

Whether to enable Dive analysis globally for all containers.

Type: boolean

Default:

false

perSystem.oci.packages.containerStructureTest

The package to use for container-structure-test.

Type: package

Default:

pkgs.container-structure-test

Example:

pkgs.container-structure-test

perSystem.oci.packages.dgoss

The package to use for dgoss.

Type: package

Default:

pkgs.dgoss

Example:

pkgs.dgoss

perSystem.oci.packages.dive

The package to use for dive.

Type: package

Default:

pkgs.dive

Example:

pkgs.dive

perSystem.oci.packages.grype

The package to use for grype.

Type: package

Default:

pkgs.grype

Example:

pkgs.grype

perSystem.oci.packages.nix2container

The nix2container package.

Type: attribute set

Default:

inputs.nix2container.packages.${system}.nix2container

Example:

inputs.nix2container.packages.${system}.nix2container

perSystem.oci.packages.podman

The package to use for podman.

Type: package

Default:

pkgs.podman

Example:

pkgs.podman

perSystem.oci.packages.regctl

The package to use for regctl (multi-arch manifest tool).

Type: package

Default:

pkgs.regclient

Example:

pkgs.regclient

perSystem.oci.packages.skaffold

The package to use for skaffold.

Type: package

Default:

pkgs.skaffold

Example:

pkgs.skaffold

perSystem.oci.packages.skopeo

The package to use for skopeo.

Type: package

Default:

inputs.nix2container.packages.${system}.skopeo-nix2container

Example:

inputs.nix2container.packages.${system}.skopeo-nix2container

perSystem.oci.packages.syft

The package to use for syft.

Type: package

Default:

pkgs.syft

Example:

pkgs.syft

perSystem.oci.packages.trivy

The package to use for trivy.

Type: package

Default:

pkgs.trivy

Example:

pkgs.trivy

perSystem.oci.containers

Container definitions. Each key is a container name.

Type: attribute set of (submodule)

Default:

{ }

Example:

{ my-app = { package = pkgs.hello; dependencies = [ pkgs.bash ]; }; }

perSystem.oci.debug

Add debug build in output.

Type: submodule

Default:

{ }

perSystem.oci.debug.enabled

Type: boolean

Default:

false

perSystem.oci.debug.packages

Type: list of package

Default:

with pkgs; [ coreutils bash curl ]

perSystem.oci.debug.entrypoint

Debug entrypoint wrapper configuration.

Type: submodule

Default:

{ }

perSystem.oci.debug.entrypoint.enabled

Whether to enable debug entrypoint wrapper.

Type: boolean

Default:

false

perSystem.oci.debug.entrypoint.wrapper

By default the wrapper falls back to running sleep infinity if the entrypoint fails.

Type: package

Default:

pkgs.writeScriptBin "entrypoint" ./debug-entrypoint.sh

perSystem.oci.flake.packages

OCI container packages that can be exposed as flake outputs.

Type: attribute set of package (read only)

Default:

{ }

perSystem.oci.flake.apps

OCI-related apps that can be exposed as flake outputs.

Type: attribute set of (attribute set) (read only)

Default: Apps for security scanning, SBOM generation, validation, and multi-arch builds, derived from oci.containers.

perSystem.oci.flake.checks

OCI-related checks that can be exposed as flake outputs.

Type: attribute set of package (read only)

Default:

{ }

perSystem.oci.perContainer

Per-container module definition.

Multiple modules can contribute to this option. Each contribution is a module that will be evaluated for every container with container-specific context.

The module receives these special arguments:

  • containerName: the attribute name of the container
  • config: the container’s config (for reading within the module)
  • globalConfig: the top-level flake config
  • perSystemConfig: the perSystem config
  • system: the current system
  • pkgs: nixpkgs for current system
  • lib: nixpkgs lib

Type: per-container module

Default:

{ }

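The following flake.nix is an added example, not taken from nix-oci's own documentation or source. It shows how the flake-level oci.* options and the perSystem.oci.* options on this page combine: the module is enabled, the CVE, credential-leak and SBOM scanners (all off by default) are switched on, two containers are defined using the same package/dependencies attributes as the perSystem.oci.containers example above, and a perSystem.oci.perContainer module uses the containerName and pkgs special arguments listed above. Assumptions, which this page does not state: the module export attribute inputs.nix-oci.flakeModules.default and the input URLs are placeholders following the usual flake-parts conventions; the registry hostname and the ignored CVE identifier are constructed placeholders; and the per-container dependencies option is assumed to be a list option that merges contributions, so the perContainer module adds to rather than replaces each container's own list.

```nix
# Added example (not nix-oci's own code). Assumptions are marked inline.
{
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-parts.url = "github:hercules-ci/flake-parts";
    nix2container.url = "github:nlewo/nix2container";
    # Placeholder: take the real source from the readme.
    nix-oci.url = "github:PLACEHOLDER/nix-oci";
  };

  outputs = inputs@{ flake-parts, ... }:
    flake-parts.lib.mkFlake { inherit inputs; } {
      # Assumed attribute name for the flake-parts module export.
      imports = [ inputs.nix-oci.flakeModules.default ];

      systems = [ "x86_64-linux" "aarch64-linux" ];

      # Flake-level options (the oci.* entries on this page).
      oci = {
        enabled = true;
        # Dev shell with the configured scanner/registry tools on PATH.
        enableDevShell = true;
        # Constructed placeholder; default is null (no registry).
        registry = "registry.example.internal";

        # Supply-chain checks, all disabled by default.
        cve.trivy.enabled = true;
        cve.trivy.ignore.fileEnabled = true;
        # Placeholder identifier for a finding that was triaged and accepted.
        cve.trivy.ignore.extra = [ "CVE-YYYY-NNNNN" ];
        credentialsLeak.trivy.enabled = true;
        sbom.syft.enabled = true;

        # Image-quality checks applied globally to every container.
        test.dive.enabled = true;
        test.containerStructureTest.enabled = true;
      };

      perSystem = { pkgs, ... }: {
        # Container definitions; each key is a container name. The
        # package/dependencies attributes follow the example on this page.
        oci.containers = {
          my-app = {
            package = pkgs.hello;
            dependencies = [ pkgs.bash ];
          };
          my-tool = {
            package = pkgs.curl;
            dependencies = [ pkgs.cacert ];
          };
        };

        # Debug build with the sleep-infinity fallback entrypoint, so a
        # container whose entrypoint crashes can still be inspected.
        oci.debug = {
          enabled = true;
          entrypoint.enabled = true;
        };

        # Evaluated once per container with the special arguments listed
        # above. Assumption: `dependencies` is a merging list option, so this
        # adds coreutils to every container and bash only to my-tool.
        oci.perContainer = { containerName, pkgs, lib, ... }: {
          dependencies =
            [ pkgs.coreutils ]
            ++ lib.optionals (containerName == "my-tool") [ pkgs.bash ];
        };
      };
    };
}
```

With oci.enableFlakeOutputs left at its default of true, the container images, the scanner apps and the checks derived from oci.containers are exposed as flake outputs, so `nix flake check` runs the enabled scanners for every container rather than requiring a separate CI step.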