base nix on ubuntu, no nix-shell for prod image, prod-image 1.47GB

Earthfile

@@ -2,11 +2,19 @@
 
 VERSION 0.8
 
+nix:
+  FROM ubuntu:24.04
+  RUN apt-get update && apt-get install -y curl \
+   && curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux \
+    --extra-conf "sandbox = false" \
+    --init none \
+    --no-confirm \
+   && apt remove --auto-remove -y curl
+  ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
+
 nix-dev-shell:
   ARG --required DEVSHELL
-  FROM nixos/nix:2.20.4
-  # enable flakes
-  RUN echo "extra-experimental-features = nix-command flakes" >> /etc/nix/nix.conf
+  FROM +nix
   # replace /bin/sh with a script that sources `/root/sh_env` for every RUN command.
   # we use this to execute all `RUN`-commands in our nix dev shell.
   # we need to explicitly delete `/bin/sh` first, because it's a symlink to `/bin/busybox`,
@@ -21,9 +29,20 @@ nix-dev-shell:
   WORKDIR /app
   COPY flake.nix flake.lock .
   # build our dev-shell, creating a gcroot, so it won't be garbage collected by nix.
-  RUN nix build --out-link /root/flake-devShell-gcroot ".#devShells.$ARCH-linux.$DEVSHELL"
-  # set up our `/root/sh_env` file to source our flake env, will be used by ALL `RUN`-commands!
-  RUN nix print-dev-env ".#$DEVSHELL" >> /root/sh_env
+  # Then set up our `/root/sh_env` file to source our flake env, will be used by ALL `RUN`-commands!
+  RUN nix build --out-link /root/flake-devShell-gcroot ".#devShells.$ARCH-linux.$DEVSHELL" \
+   && nix print-dev-env ".#$DEVSHELL" >> /root/sh_env \
+   && nix-collect-garbage
+
+nix-packages:
+  ARG --required PACKAGES
+  FROM +nix
+  WORKDIR /app
+  COPY flake.nix flake.lock .
+  RUN nix profile install --impure ".#$PACKAGES" \
+   && nix-collect-garbage \
+   && rm -rf /root/.cache
+  # RUN nix store optimise # hard linking can save ~40M
 
 
 globalbrain-node-package:
@@ -72,7 +91,7 @@ app-deploy-litefs:
    SAVE ARTIFACT /usr/local/bin/litefs
 
 docker-image:
-  FROM +nix-dev-shell --DEVSHELL='production'
+  FROM +nix-packages --PACKAGES='production'
 
   WORKDIR /app
 
@@ -105,16 +124,16 @@ docker-image:
   ENV INTERNAL_PORT="8080"
   ENV PORT="8081"
 
-  RUN nix-collect-garbage
-  RUN du -sh /* \
-   && find /app -mindepth 1 -maxdepth 1 -type d -print0 | xargs -0 du -sh | sort -hr | head -20 \
-   && find /nix/store -mindepth 1 -maxdepth 1 -type d -print0 | xargs -0 du -sh | sort -hr | head -20 \
-   && find /app/node_modules -mindepth 1 -maxdepth 1 -type d -print0 | xargs -0 du -sh | sort -hr | head -20
+  RUN find / \( -type f -o -type d \) -mindepth 1 -maxdepth 1 -print0 | xargs -0 du -sh | sort -hr | head -20 \
+   && find /nix/store \( -type f -o -type d \) -mindepth 1 -maxdepth 1 -print0 | xargs -0 du -sh | sort -hr | head -20 \
+   && find /app \( -type f -o -type d \) -mindepth 1 -maxdepth 1 -print0 | xargs -0 du -sh | sort -hr | head -20 \
+   && find /app/node_modules \( -type f -o -type d \) -mindepth 1 -maxdepth 1 -print0 | xargs -0 du -sh | sort -hr | head -20 \
+   && find /root \( -type f -o -type d \) -mindepth 1 -maxdepth 1 -print0 | xargs -0 du -sh | sort -hr | head -20
 
   # starting the application is defined in litefs.yml
   # test locally without litefs:
   # docker run -e SESSION_SECRET -e INTERNAL_COMMAND_TOKEN -e HONEYPOT_SECRET sha256:xyzxyz /bin/sh startup.sh
-  CMD ["/bin/sh", "-c", "/usr/local/bin/litefs mount"]
+  CMD ["/usr/local/bin/litefs", "mount"]
   SAVE IMAGE jabble:latest
 
 docker-image-e2e-test:
@@ -129,8 +148,7 @@ docker-image-e2e-test:
   WORKDIR /app
   COPY flake.nix flake.lock .
   RUN nix develop ".#e2e" --command echo warmed up
-  COPY --dir e2e playwright.config.ts ./
-  COPY docker-compose.yml ./
+  COPY --dir e2e playwright.config.ts docker-compose.yml ./
   WITH DOCKER --load jabble:latest=+docker-image
     RUN docker image ls \
      && (docker-compose up &) \

docker-compose.yml

@@ -8,6 +8,6 @@ services:
       - SESSION_SECRET=super-duper-s3cret
       - HONEYPOT_SECRET=super-duper-s3cret
       - INTERNAL_COMMAND_TOKEN=some-made-up-token
-    command: /bin/sh startup.sh
+    command: ./startup.sh
     init: true # make ctrl+c work
     restart: no

flake.nix

@@ -62,12 +62,14 @@
               export PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS=true
             '';
           };
-          production = pkgs.mkShellNoCC {
-            buildInputs = with pkgs; [
+        };
+        packages = {
+          production = pkgs.buildEnv {
+            name = "production";
+            paths = with pkgs; [
               nodejs_20
               sqlite-interactive
               fuse3 # for litefs
-              busybox # for swap tools
             ];
           };
         };

fly.toml

@@ -13,7 +13,7 @@ source = "data"
 destination = "/data"
 
 [deploy]
-release_command = "/bin/sh -c 'node ./other/sentry-create-release'"
+release_command = "node ./other/sentry-create-release"
 
 [[services]]
 internal_port = 8_080

justfile

@@ -67,7 +67,7 @@ download-prod-db:
   rm -f "$APP_DATABASE_PATH"
   rm -f "$APP_DATABASE_PATH"-shm
   rm -f "$APP_DATABASE_PATH"-wal
-  flyctl ssh console -C "/bin/sh -c \"sqlite3 /litefs/data/sqlite.db '.backup /data/backup.db'\""
+  flyctl ssh console -C "sqlite3 /litefs/data/sqlite.db '.backup /data/backup.db'"
   flyctl ssh sftp get /data/backup.db "$APP_DATABASE_PATH" || true
 
 # build the docker container

other/litefs.yml

@@ -29,5 +29,5 @@ lease:
     key: 'litefs/${FLY_APP_NAME}'
 
 exec:
-  - cmd: /bin/sh -c "node ./other/setup-swap.js"
-  - cmd: /bin/sh startup.sh
+  - cmd: node ./other/setup-swap.js
+  - cmd: ./startup.sh

other/recent-sessions.sh

@@ -1,3 +1,3 @@
-#!/bin/sh
+#!/usr/bin/env bash
 
 sqlite3 -column $APP_DATABASE_PATH $'select username, datetime(session.createdAt/1000, \'unixepoch\') as login_time_utc from session join user on userId = user.id order by session.createdAt desc limit 10;'