containers · giuseppe · Mar 25, 2026 · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -15,7 +15,7 @@ jobs:
       - uses: actions/cache@v5
         with:
           path: .cache
-          key: nix-v1-2.24.9-${{ hashFiles('nix/nixpkgs.json') }}
+          key: nix-v2-${{ hashFiles('flake.lock') }}
 
       - run: sudo apt-get update
 
@@ -25,7 +25,7 @@ jobs:
           set -ex
           sudo mkdir -p .cache
           sudo mv .cache /nix
-          if [[ -z $(ls -A /nix) ]]; then sudo docker run --rm --privileged -v /:/mnt nixos/nix:2.24.9 cp -rfT /nix /mnt/nix; fi
+          if [[ -z $(ls -A /nix) ]]; then sudo docker run --rm --privileged -v /:/mnt nixos/nix:2.34.2 cp -rfT /nix /mnt/nix; fi
           sudo RUNTIME=docker SKIP_CHECKS=1 SKIP_GPG=1 build-aux/release.sh
           sudo mv /nix .cache
           sudo chown -Rf $(whoami) .cache

diff --git a/build-aux/release.sh b/build-aux/release.sh
@@ -5,7 +5,7 @@ set -xeuo pipefail
 SKIP_GPG=${SKIP_GPG:-}
 SKIP_CHECKS=${SKIP_CHECKS:-}
 
-NIX_IMAGE=${NIX_IMAGE:-nixos/nix:2.24.9}
+NIX_IMAGE=${NIX_IMAGE:-nixos/nix:2.34.2}
 
 test -e Makefile && make distclean
 
@@ -48,7 +48,7 @@ BUILD_CMD=(
 	-w "${PWD}"
 	"${NIX_IMAGE}"
 	nix
-	--extra-experimental-features nix-command
+	--extra-experimental-features "nix-command flakes"
 	--print-build-logs
 	--option cores "$(nproc)"
 	--option max-jobs "$(nproc)"
@@ -57,13 +57,17 @@ BUILD_CMD=(
 )
 
 mkdir -p /nix
+if [ ! -d /nix/store ] || ! "${RUNTIME:-podman}" run --init --rm -v /nix:/nix "${NIX_IMAGE}" nix --version >/dev/null 2>&1; then
+    "${RUNTIME:-podman}" run --init --rm -v /nix:/host-nix "${NIX_IMAGE}" \
+        sh -c 'rm -rf /host-nix/*; cp -a /nix/. /host-nix/'
+fi
 
 for ARCH in amd64 arm64 ppc64le riscv64 s390x; do
-    "${BUILD_CMD[@]}" --file nix/default-${ARCH}.nix
+    "${BUILD_CMD[@]}" "path:.#crun-static-${ARCH}"
     cp ./result/bin/crun "$OUTDIR/crun-$VERSION-linux-${ARCH}"
     rm -rf result
 
-    "${BUILD_CMD[@]}" --file nix/default-${ARCH}.nix --arg enableSystemd false
+    "${BUILD_CMD[@]}" "path:.#crun-static-${ARCH}-disable-systemd"
     cp ./result/bin/crun "$OUTDIR/crun-$VERSION-linux-${ARCH}-disable-systemd"
     rm -rf result
 done

diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -0,0 +1,136 @@
+{
+  description = "crun - a fast and low-memory footprint OCI Container Runtime";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+  };
+
+  outputs = { self, nixpkgs }:
+    let
+      archConfigs = {
+        amd64 = {
+          system = "x86_64-linux";
+          crossSystem = null;
+          enableCriu = true;
+        };
+        arm64 = {
+          system = "x86_64-linux";
+          crossSystem.config = "aarch64-unknown-linux-gnu";
+          enableCriu = false;
+        };
+        ppc64le = {
+          system = "x86_64-linux";
+          crossSystem.config = "powerpc64le-unknown-linux-gnu";
+          enableCriu = false;
+        };
+        riscv64 = {
+          system = "x86_64-linux";
+          crossSystem.config = "riscv64-unknown-linux-gnu";
+          enableCriu = false;
+        };
+        s390x = {
+          system = "x86_64-linux";
+          crossSystem.config = "s390x-unknown-linux-musl";
+          enableCriu = false;
+        };
+      };
+
+      mkCrunPackage = arch: { system, crossSystem, enableCriu }: enableSystemd:
+        let
+          # https://github.com/madler/zlib/issues/1200
+          # Only patch target-platform zlib so native build tools stay cached.
+          zlibOverlay = final: prev: {
+            zlib = if final.stdenv.hostPlatform.isS390x
+              then prev.zlib.overrideAttrs (old: {
+                postPatch = (old.postPatch or "") + ''
+                  substituteInPlace configure --replace-fail \
+                    '/^ZINCOUT *=/s#=.*#=$ZINCOUT#' \
+                    '/^ZINCOUT *=/s#=.*#=$ZINCOUT#
+/^VGFMAFLAG *=/s#=.*#=$VGFMAFLAG#'
+                  substituteInPlace contrib/crc32vx/crc32_vx.c --replace-fail \
+                    'HWCAP_S390_VX' 'HWCAP_S390_VXRS'
+                '';
+              })
+              else prev.zlib;
+          };
+          needsZlibFix = crossSystem != null
+            && crossSystem ? config
+            && builtins.match ".*s390x.*" crossSystem.config != null;
+          overlays = if needsZlibFix then [ zlibOverlay ] else [];
+          pkgsArgs = { inherit system overlays; }
+            // (if crossSystem != null then { inherit crossSystem; } else {});
+          pkgs = import nixpkgs pkgsArgs;
+          static = import ./nix/static.nix;
+
+          # Build static variants locally — these don't pollute the global package set
+          staticLibcap = (static pkgs.libcap).overrideAttrs (x: {
+            postInstall = ''
+              mkdir -p "$doc/share/doc/${x.pname}-${x.version}"
+              cp License "$doc/share/doc/${x.pname}-${x.version}/"
+              mkdir -p "$pam/lib/security"
+              mv "$lib"/lib/security "$pam/lib"
+            '';
+          });
+          staticLibseccomp = static pkgs.libseccomp;
+          staticYajl = pkgs.yajl.overrideAttrs (x: {
+            cmakeFlags = (x.cmakeFlags or []) ++ [ "-DBUILD_SHARED_LIBS=OFF" ];
+          });
+          staticSystemd = (static pkgs.systemdMinimal).overrideAttrs (x: {
+            outputs = [ "out" "dev" ];
+            mesonFlags = x.mesonFlags ++ [
+              "-Dbpf-compiler=gcc"
+              "-Dbpf-framework=false"
+              "-Dglib=false"
+              "-Dstatic-libsystemd=true"
+            ];
+            # TODO: remove when https://github.com/systemd/systemd/issues/30448
+            # got resolved or fixed in nixpkgs.
+            preConfigure = ''
+              export NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -Wno-error=format-overflow"
+            '';
+          });
+          staticCriu = let
+            staticProtobufc = pkgs.protobufc.overrideAttrs (x: {
+              configureFlags = (x.configureFlags or []) ++ [ "--enable-static" ];
+            });
+            staticLibnl = pkgs.libnl.overrideAttrs (x: {
+              configureFlags = (x.configureFlags or []) ++ [ "--enable-static" ];
+            });
+            staticLibnet = pkgs.libnet.overrideAttrs (x: {
+              configureFlags = (x.configureFlags or []) ++ [ "--enable-static" ];
+            });
+          in (static pkgs.criu).overrideAttrs (x: {
+            buildInputs = (x.buildInputs or []) ++ [
+              pkgs.protobuf
+              staticProtobufc
+              staticLibnl
+              staticLibnet
+            ];
+            NIX_LDFLAGS = "${x.NIX_LDFLAGS or ""} -lprotobuf-c";
+            buildPhase = ''
+              make lib
+            '';
+          });
+        in
+          pkgs.callPackage ./nix/derivation.nix {
+            inherit enableCriu enableSystemd;
+            libcap = staticLibcap;
+            libseccomp = staticLibseccomp;
+            yajl = staticYajl;
+            libsystemd = staticSystemd;
+            criu = staticCriu;
+          };
+
+      # Generate packages for all architectures and variants
+      packages = builtins.foldl' (acc: arch:
+        let cfg = archConfigs.${arch}; in
+        acc // {
+          "crun-static-${arch}" = mkCrunPackage arch cfg true;
+          "crun-static-${arch}-disable-systemd" = mkCrunPackage arch cfg false;
+        }
+      ) {} (builtins.attrNames archConfigs);
+
+    in {
+      packages.x86_64-linux = packages;
+    };
+}
diff --git a/nix/default-amd64.nix b/nix/default-amd64.nix
diff --git a/nix/default-arm64.nix b/nix/default-arm64.nix
diff --git a/nix/default-ppc64le.nix b/nix/default-ppc64le.nix
diff --git a/nix/default-riscv64.nix b/nix/default-riscv64.nix
diff --git a/nix/default-s390x.nix b/nix/default-s390x.nix
diff --git a/nix/default.nix b/nix/default.nix
diff --git a/nix/derivation.nix b/nix/derivation.nix
@@ -2,6 +2,11 @@
 , pkgs
 , enableCriu
 , enableSystemd
+, libcap
+, libseccomp
+, libsystemd
+, yajl
+, criu
 }:
 with pkgs; stdenv.mkDerivation {
   name = "crun";
@@ -32,17 +37,30 @@ with pkgs; stdenv.mkDerivation {
       yajl
     ] ++ lib.optionals enableCriu [ criu ];
   configureFlags = [ "--enable-static" ] ++ lib.optional (!enableSystemd) [ "--disable-systemd" ];
-  prePatch = ''
+  prePatch = let
+    staticLibs =
+      lib.optional enableCriu "${criu}/lib/libcriu.a"
+      ++ (if stdenv.hostPlatform.isMusl
+          then map (l: "${musl}/lib/${l}") [ "libc.a" "libpthread.a" "librt.a" ]
+          else map (l: "${glibc.static}/lib/${l}") [ "libc.a" "libpthread.a" "librt.a" ])
+      ++ [
+        "${lib.getLib libcap}/lib/libcap.a"
+        "${lib.getLib libseccomp}/lib/libseccomp.a"
+      ]
+      ++ lib.optional enableSystemd "${lib.getLib libsystemd}/lib/libsystemd.a"
+      ++ [ "${yajl}/lib/libyajl.a" ];
+  in ''
     export CFLAGS='-static -pthread -DSTATIC'
     export LDFLAGS='-s -w -static-libgcc -static'
     export EXTRA_LDFLAGS='-s -w -linkmode external -extldflags "-static -lm"'
     export CRUN_LDFLAGS='-all-static'
-    export LIBS='${lib.optionalString enableCriu "${criu}/lib/libcriu.a"} ${if stdenv.hostPlatform.isMusl then "${musl}/lib/libc.a ${musl}/lib/libpthread.a ${musl}/lib/librt.a" else "${glibc.static}/lib/libc.a ${glibc.static}/lib/libpthread.a ${glibc.static}/lib/librt.a"} ${lib.getLib libcap}/lib/libcap.a ${lib.getLib libseccomp}/lib/libseccomp.a ${lib.optionalString enableSystemd "${lib.getLib libsystemd}/lib/libsystemd.a"} ${yajl}/lib/libyajl.a'
+    export LIBS='${lib.concatStringsSep " " staticLibs}'
   '';
   buildPhase = ''
     patchShebangs .
+    printf '/* autogenerated.  */\n#ifndef GIT_VERSION\n# define GIT_VERSION "unknown"\n#endif\n' > git-version.h
     make -C libocispec libocispec.la
-    make git-version.h crun
+    make crun
   '';
   installPhase = ''
     install -Dm755 crun $out/bin/crun

diff --git a/nix/nixpkgs.json b/nix/nixpkgs.json
diff --git a/nix/nixpkgs.nix b/nix/nixpkgs.nix