veprbl · veprbl · Sep 11, 2022
diff --git a/.github/workflows/docker-deploy.yml b/.github/workflows/docker-deploy.yml
@@ -0,0 +1,51 @@
+name: Docker deployment
+
+on:
+  push:
+    branches:
+      - master
+      - 'pr/docker'
+
+permissions:
+  packages: write
+
+jobs:
+  build-container:
+    name: Build Docker container
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2.4.0
+
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v2
+      with:
+        registry: ghcr.io
+        username: '${{ github.actor }}'
+        password: '${{ secrets.GITHUB_TOKEN }}'
+
+    - uses: cachix/install-nix-action@v22
+      with:
+        nix_path: nixpkgs=channel:nixpkgs-22.05-darwin
+        extra_nix_config: |
+          access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
+
+    - uses: cachix/cachix-action@v12
+      with:
+        name: epic-eic
+        signingKey: '${{ secrets.CACHIX_SIGNING_KEY }}'
+        skipPush: true
+
+    - name: Build Docker image
+      run: |
+        nix build .#dockerImage --keep-going --print-build-logs --no-write-lock-file -o docker-image
+
+    - name: Load Docker image
+      run: |
+        docker load -i docker-image | tee docker_load
+        grep "Loaded image: " docker_load
+
+    - name: Push to the Container Registry
+      run: |
+        DOCKER_IMAGE=$(cut -d " " -f 3 docker_load)
+        docker image tag $DOCKER_IMAGE ghcr.io/${{ github.repository }}:latest
+        docker image push ghcr.io/${{ github.repository }}:latest
diff --git a/README.md b/README.md
@@ -51,3 +51,12 @@ git clone https://github.com/veprbl/epic-nix.git
 cd epic-nix
 nix develop
 ```
+
+Singularity
+-----------
+
+A pre-built container can be entered like so:
+
+```shell
+singularity shell docker://ghcr.io/veprbl/epic-nix
+```
diff --git a/docker.nix b/docker.nix
@@ -1,8 +1,83 @@
-{ pkgs, providedPackageList, self, system }:
-
-{
-  dockerImage = pkgs.dockerTools.buildLayeredImage {
-    name = "eic-nix";
-    contents = map (name: self.packages.${system}.${name}) providedPackageList;
-  };
-}
+{ self
+, epic_pkgs
+, pkgs
+}:
+
+let
+
+  packages =
+    (builtins.attrValues
+      (pkgs.lib.filterAttrs
+        (name: value: (name != "fun4all") && (pkgs.lib.isDerivation value))
+        epic_pkgs));
+
+  extra_packages = with pkgs; [
+    # Development
+    cmake
+    gitFull
+    nix
+    stdenv.cc
+
+    # Utilities
+    bash
+    cacert
+    cachix
+    coreutils
+    curl
+    emacs
+    entr
+    gawk
+    gnugrep
+    gnused
+    jq
+    less
+    perl
+    procps
+    rsync
+    silver-searcher
+    vim
+    which
+    wget
+    zsh
+
+    # Libraries
+    python3
+    python3Packages.awkward
+    python3Packages.dask
+    python3Packages.distributed
+    python3Packages.hepmc3
+    python3Packages.matplotlib
+    python3Packages.pyarrow
+    python3Packages.scikit-learn
+    python3Packages.pytorch
+    python3Packages.uproot
+    root
+
+    # Continuous Integration
+    github-runner
+  ];
+
+  container_env = pkgs.runCommandNoCC "container-env" {
+    buildInputs = packages ++ extra_packages;
+  } ''
+    mkdir -p "$out/.singularity.d/env"
+    declare -p | grep -vE "^declare -[ai-]" | grep -vE "^declare -. (PWD|OLDPWD|HOME|TMP|TEMP)" > "$out/.singularity.d/env/99-epic-nix.sh"
+    cat > "$out/.singularity.d/env/99-epic-nix-config.sh" <<EOF
+    unset NIX_STORE_DIR
+    unset NIX_CONF_DIR
+    unset NIX_STATE_DIR
+    EOF
+    mkdir -p "$out/etc/nix"
+    cat > "$out/etc/nix/nix.conf" <<EOF
+    experimental-features = flakes nix-command
+    substituters = https://cache.nixos.org https://epic-eic.cachix.org
+    trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= epic-eic.cachix.org-1:9Mu7fnayGYtapkzXm+7ZhPP5w7bJxtSv9C+BJTWon/o=
+    EOF
+  '';
+
+in
+
+  pkgs.dockerTools.buildLayeredImage {
+    name = "epic-nix";
+    contents = packages ++ extra_packages ++ [ container_env ];
+  }
diff --git a/flake.nix b/flake.nix
@@ -37,9 +37,14 @@
 
             is_broken = pkg: (pkg.meta or {}).broken or false;
             select_unbroken = lib.filterAttrs (name: pkg: !(is_broken pkg));
+
+            epic_pkgs =
+              lib.filterAttrs (name: lib.isDerivation)
+              (select_unbroken (lib.getAttrs providedPackageList pkgs));
+
+            dockerImage = pkgs.callPackage ./docker.nix { inherit epic_pkgs self; };
           in
-            lib.filterAttrs (name: lib.isDerivation)
-            (select_unbroken (lib.getAttrs providedPackageList pkgs)));
+            epic_pkgs // (lib.optionalAttrs pkgs.stdenv.isLinux { inherit dockerImage; }));
 
       checks = self.packages;
 
@@ -51,7 +56,7 @@
           {
             default = pkgs.mkShell rec {
               buildInputs =
-                builtins.attrValues self.packages.${system} ++
+                builtins.filter lib.isDerivation (builtins.attrValues self.packages.${system}) ++
                 (with self.packages.${system}; [
                   geant4.data.G4EMLOW
                   geant4.data.G4ENSDFSTATE