use nix based container

.dockerignore

@@ -0,0 +1,2 @@
+./result
+./target

docker/Dockerfile

@@ -1,21 +1,37 @@
-### alternative tag is e.g. '1.72.0'
-ARG RUST_VSN='stable'
+# based on https://mitchellh.com/writing/nix-with-dockerfiles
 
-##### Build
-FROM docker.io/clux/muslrust:${RUST_VSN} as builder
+# Nix builder
+FROM nixos/nix:latest AS builder
 
-COPY / ./
-RUN cargo build --release
+# Copy our source and setup our working dir.
+COPY . /tmp/build
+WORKDIR /tmp/build
 
-RUN mkdir -p /rootfs/etc/fpush \
- && mv $(find target/ -name fpush -type f -executable) /rootfs/fpush \
- && touch /rootfs/etc/fpush/settings.json
+RUN nix-channel --update
 
-##### Runtime
-FROM gcr.io/distroless/static-debian12:nonroot AS prod
+# Build our Nix environment
+RUN nix \
+    --extra-experimental-features "nix-command flakes" \
+    --option filter-syscalls false \
+    build
 
-COPY --from=builder /rootfs /
+# Copy the Nix store closure into a directory. The Nix store closure is the
+# entire set of Nix store values that we need for our build.
+RUN mkdir /tmp/nix-store-closure
+RUN mkdir /tmp/app
+RUN cp -R $(nix-store -qR result/) /tmp/nix-store-closure \
+    && ln -s $(readlink -f result)/ /tmp/app/fpush
+
+# Final image is based on scratch. We copy a bunch of Nix dependencies
+# but they're fully self-contained so we don't need Nix anymore.
+FROM scratch
+
+WORKDIR /app
+
+# Copy /nix/store
+COPY --from=builder /tmp/nix-store-closure /nix/store
+COPY --from=builder /tmp/app /app
 
 ENV RUST_LOG=info
 
-ENTRYPOINT ["/fpush","/etc/fpush/settings.json"]
+ENTRYPOINT ["/app/fpush/bin/fpush", "/etc/fpush/settings.json"]

docker/README.md

@@ -5,7 +5,7 @@ This folder holds an example Dockerfile.
 To build the image, run the following command from the root of this repository:
 
 ```bash
-docker build -t localhost/fpush:latest -f docker/Dockerfile .
+docker buildx build -t localhost/fpush:latest -f docker/Dockerfile .
 ```
 
 Run the image with:

flake.nix

@@ -2,21 +2,17 @@
   description = "Scalable push server for XMPP";
 
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
+    crane.url = "github:ipetkov/crane";
+    crane.inputs.nixpkgs.follows = "nixpkgs";
     flake-utils.url = "github:numtide/flake-utils";
-    crane = {
-      url = "github:ipetkov/crane";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
   };
 
   outputs = { self, nixpkgs, flake-utils, crane }:
     flake-utils.lib.eachDefaultSystem (system:
       let
-        pkgs = import nixpkgs {
-          inherit system;
-        };
-        craneLib = crane.lib.${system};
+        pkgs = nixpkgs.legacyPackages.${system};
+        craneLib = crane.mkLib pkgs;
 
         commonArgs = {
           src = craneLib.cleanCargoSource ./.;
@@ -36,21 +32,19 @@
           cargoExtraArgs = "--all-features";
          } // commonArgs);
 
-        devShells = {
-          default = pkgs.mkShell {
-
-            buildInputs = [ ] ++ commonArgs.buildInputs;
-            nativeBuildInputs = builtins.attrValues
-              {
-                inherit (pkgs) cargo rustc nixpkgs-fmt shellcheck rnix-lsp;
-              } ++ [
-              # This is required to prevent a mangled bash shell in nix develop
-              # see: https://discourse.nixos.org/t/interactive-bash-with-nix-develop-flake/15486
-              (pkgs.hiPrio pkgs.bashInteractive)
-
-            ] ++ commonArgs.nativeBuildInputs;
-          };
-        };
+         devShells = {
+           default = pkgs.mkShell {
+             buildInputs = [ ] ++ commonArgs.buildInputs;
+             nativeBuildInputs = builtins.attrValues
+               {
+                 inherit (pkgs) cargo rustc fmt cargo-udeps cargo-outdated cargo-audit;
+               } ++ [
+               # This is required to prevent a mangled bash shell in nix develop
+               # see: https://discourse.nixos.org/t/interactive-bash-with-nix-develop-flake/15486
+               (pkgs.hiPrio pkgs.bashInteractive)
+             ] ++ commonArgs.nativeBuildInputs;
+           };
+         };
       }
     );
 }