feat: use nix to build images

this should result in smaller images, as well as safer updates

.github/dependabot.yml

@@ -0,0 +1,8 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    commit-message:
+      prefix: "deps(actions)"

.github/workflows/docker.yaml

@@ -0,0 +1,87 @@
+name: Publish Docker Image
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+jobs:
+  build:
+    name: Build image
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        arch: [x86_64, aarch64]
+
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: DeterminateSystems/nix-installer-action@v9
+
+      - name: Setup Nix cache
+        uses: DeterminateSystems/magic-nix-cache-action@v2
+
+      - name: Build Docker image
+        id: build
+        run: |
+          nix build -L .#container-${{ matrix.arch }}
+          [ ! -L result ] && exit 1
+          echo "path=$(realpath result)" >> "$GITHUB_OUTPUT"
+
+      - name: Upload image
+        uses: actions/upload-artifact@v4
+        with:
+          name: container-${{ matrix.arch }}
+          path: ${{ steps.build.outputs.path }}
+          if-no-files-found: error
+          retention-days: 12
+
+  push:
+    name: Push image
+    runs-on: ubuntu-latest
+    needs: build
+
+    permissions:
+      contents: read
+      packages: write
+
+    if: github.event_name == 'push'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Download images
+        uses: actions/download-artifact@v4
+        with:
+          path: images
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_TOKEN }}
+
+      - name: Push to registry
+        env:
+          TAG: docker.io/getchoo/packwiz-serve:latest
+        run: |
+          set -euo pipefail
+
+          architectures=("x86_64" "aarch64")
+          for arch in "${architectures[@]}"; do
+            docker load < images/container-"$arch"/*.tar.gz
+            docker tag packwiz-serve:latest-"$arch" ${{ env.TAG }}-"$arch"
+            docker push ${{ env.TAG }}-"$arch"
+          done
+
+          docker manifest create ${{ env.TAG }} \
+            --amend ${{ env.TAG }}-x86_64 \
+            --amend ${{ env.TAG }}-aarch64
+
+          docker manifest push ${{ env.TAG }}

.gitignore

@@ -0,0 +1,4 @@
+# nix build artifacts
+result*
+repl-result-out*
+

container.nix

@@ -0,0 +1,51 @@
+{
+  lib,
+  pkgs,
+  system,
+  ...
+}: arch: let
+  crossPkgs =
+    {
+      "x86_64-linux" = {
+        "x86_64" = pkgs.pkgsStatic;
+        "aarch64" = pkgs.pkgsCross.aarch64-multiplatform.pkgsStatic;
+      };
+
+      "aarch64-linux" = {
+        "x86_64" = pkgs.pkgsCross.musl64;
+        "aarch64" = pkgs.pkgsStatic;
+      };
+    }
+    .${system}
+    .${arch};
+
+  packwiz = crossPkgs.packwiz.overrideAttrs (oldAttrs: {
+    ldflags = [
+      "-linkmode external"
+      "-extldflags '-static -L${crossPkgs.musl}/lib'"
+      "-s -w -X github.com/packwiz/packwiz.version=${oldAttrs.version}"
+    ];
+
+    postInstall = "";
+
+    CGO_ENABLED = 0;
+  });
+in
+  pkgs.dockerTools.buildLayeredImage {
+    name = "packwiz-serve";
+    tag = "latest-${arch}";
+
+    contents = [packwiz];
+
+    config = {
+      Cmd = ["/bin/packwiz" "serve"];
+      Env = [
+        "HOME=/home" # why exactly does packwiz need a home dir? :shrug:
+      ];
+      WorkingDir = "/data";
+      Volumes = {"/data" = {};};
+      ExposedPorts = {"8080" = {};};
+    };
+
+    architecture = crossPkgs.go.GOARCH;
+  }

flake.nix

@@ -0,0 +1,34 @@
+{
+  description = "a docker image to serve packwiz modpacks";
+
+  inputs.nixpkgs.url = "nixpkgs/nixpkgs-unstable";
+
+  outputs = {
+    self,
+    nixpkgs,
+    ...
+  }: let
+    systems = [
+      "x86_64-linux"
+      "aarch64-linux"
+    ];
+
+    forAllSystems = fn: nixpkgs.lib.genAttrs systems (sys: fn nixpkgs.legacyPackages.${sys});
+  in {
+    formatter = forAllSystems (pkgs: pkgs.alejandra);
+
+    packages = forAllSystems ({
+      pkgs,
+      system,
+      ...
+    }: let
+      containerFor = import ./container.nix pkgs;
+      arch = pkgs.stdenv.hostPlatform.uname.processor;
+    in {
+      container-x86_64 = containerFor "x86_64";
+      container-aarch64 = containerFor "aarch64";
+
+      default = self.packages.${system}."container-${arch}";
+    });
+  };
+}