From 3ca6a8c60eb4515fd80e37f792c1447849274ff0 Mon Sep 17 00:00:00 2001
From: Yueh-Shun Li
Date: Sun, 11 Aug 2024 13:22:02 +0800
Subject: [PATCH 1/8] singularity-tools: add bashInteractive and runScript into layerClosure
---
 pkgs/build-support/singularity-tools/default.nix | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pkgs/build-support/singularity-tools/default.nix b/pkgs/build-support/singularity-tools/default.nix
index ef8ca167b336..86e7ebe8a561 100644
--- a/pkgs/build-support/singularity-tools/default.nix
+++ b/pkgs/build-support/singularity-tools/default.nix
@@ -82,7 +82,13 @@ rec {
 util-linux
 ];
 strictDeps = true;
- layerClosure = writeClosure contents;
+ layerClosure = writeClosure (
+ [
+ bashInteractive
+ runScriptFile
+ ]
+ ++ contents
+ );
 preVM = vmTools.createEmptyImage {
 size = diskSize;
 fullName = "${projectName}-run-disk";
From e8360a61bcc21f523afd6226dc289cfaaf411573 Mon Sep 17 00:00:00 2001
From: Yueh-Shun Li
Date: Sat, 10 Aug 2024 22:34:01 +0800
Subject: [PATCH 2/8] singularity-tools: make extensible
---
 pkgs/build-support/singularity-tools/default.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkgs/build-support/singularity-tools/default.nix b/pkgs/build-support/singularity-tools/default.nix
index 86e7ebe8a561..735cd14cc7a9 100644
--- a/pkgs/build-support/singularity-tools/default.nix
+++ b/pkgs/build-support/singularity-tools/default.nix
@@ -20,7 +20,7 @@ let
 defaultSingularity = singularity;
 in
-rec {
+lib.makeExtensible (final: {
 # TODO(@ShamrockLee): Remove after Nixpkgs 24.11 branch-off.
 shellScript = lib.warn
@@ -147,4 +147,4 @@ rec {
 in
 result;
-}
+})
From a7b54b36c56f343b3bcb4f95f57646de2be4ce62 Mon Sep 17 00:00:00 2001
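Review bot: The new list literal that forces `bashInteractive` and `runScriptFile` into `layerClosure` carries no comment explaining why these two must be in the image independently of `contents`, and because `bashInteractive` is not also appended to `contents`, the later `/bin` symlink loop (which iterates `contents` only, as later patches in this series show) will not expose its `bash` under `/bin` unless the caller lists it themselves. A one-line comment such as `# The runscript and the shell that executes it must always ship in the image, even when contents omits them` above the list would record the intent and make the asymmetry with the `/bin` loop deliberate rather than accidental. The enclosing derivation attribute set starts and ends outside this hunk.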
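Review bot: Wrapping the set in `lib.makeExtensible (final: {` makes `.extend` available, but the diffstat (2 insertions, 2 deletions) shows that no attribute body was rewritten to reach siblings through `final.`, so any attribute that still names a sibling directly — the former `rec` made such references implicit — keeps binding to the original definition and an override applied via `.extend` will not reach those call sites. If such intra-set references exist, they should become `final.<name>`; if none do, a comment above the wrapper stating the invariant, e.g. `# Attributes refer to each other through \`final\` so that overrides via .extend take effect`, would keep it that way. The attribute bodies, including the `shellScript` alias visible here, continue outside the hunk.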
From: Yueh-Shun Li
Date: Sun, 11 Aug 2024 10:25:20 +0800
Subject: [PATCH 3/8] singularity-tools: create VM disk image outside $out
Place the VM disk image in a local directory "disk-image" instead of "$out", so that we don't have to delete it to reserve "$out" for the container image.
---
 pkgs/build-support/singularity-tools/default.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkgs/build-support/singularity-tools/default.nix b/pkgs/build-support/singularity-tools/default.nix
index 735cd14cc7a9..f9b11489275d 100644
--- a/pkgs/build-support/singularity-tools/default.nix
+++ b/pkgs/build-support/singularity-tools/default.nix
@@ -92,11 +92,13 @@ lib.makeExtensible (final: {
 preVM = vmTools.createEmptyImage {
 size = diskSize;
 fullName = "${projectName}-run-disk";
+ # Leaving "$out" for the Singularity/Container image
+ destination = "disk-image";
 };
 inherit memSize;
 }
 ''
- rm -rf $out
+ rmdir "$out"
 mkdir disk
 mkfs -t ext3 -b 4096 /dev/${vmTools.hd}
 mount /dev/${vmTools.hd} disk
From 4be1e115d6e1fbca373abf7bd28b157c445b1db0 Mon Sep 17 00:00:00 2001
From: Yueh-Shun Li
Date: Sun, 11 Aug 2024 10:54:42 +0800
Subject: [PATCH 4/8] singularity-tools: rename the VM mountpoint as "workspace"
---
 pkgs/build-support/singularity-tools/default.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/pkgs/build-support/singularity-tools/default.nix b/pkgs/build-support/singularity-tools/default.nix
index f9b11489275d..eb2c55c33354 100644
--- a/pkgs/build-support/singularity-tools/default.nix
+++ b/pkgs/build-support/singularity-tools/default.nix
@@ -99,11 +99,11 @@ lib.makeExtensible (final: {
 }
 ''
 rmdir "$out"
- mkdir disk
+ mkdir workspace
 mkfs -t ext3 -b 4096 /dev/${vmTools.hd}
- mount /dev/${vmTools.hd} disk
- mkdir -p disk/img
- cd disk/img
+ mount /dev/${vmTools.hd} workspace
+ mkdir -p workspace/img
+ cd workspace/img
 mkdir proc sys dev
 # Run root script
From 7487a6207d6ecebf48e6376157ad6d581693f229 Mon Sep 17 00:00:00 2001
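Review bot: `rmdir "$out"` makes the build depend on `$out` existing and being empty at this point, which is stricter than the `rm -rf $out` it replaces: it will abort if `$out` is not pre-created by the VM harness, or if `createEmptyImage` ever writes anything there despite `destination = "disk-image"`. If that strictness is intended as a guard that nothing has been placed in the image output path yet, say so next to it, e.g. `# $out must still be empty: the VM disk lives in ./disk-image and $out is reserved for the container image built below`; if it is not, `rm -rf "$out"` keeps the previous leniency while still quoting the variable. The `runCommand` body this line sits in continues past the hunk.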
From: Yueh-Shun Li
Date: Sun, 11 Aug 2024 11:06:00 +0800
Subject: [PATCH 5/8] singularity-tools: quote shell variables
---
 pkgs/build-support/singularity-tools/default.nix | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/pkgs/build-support/singularity-tools/default.nix b/pkgs/build-support/singularity-tools/default.nix
index eb2c55c33354..4eed6abae016 100644
--- a/pkgs/build-support/singularity-tools/default.nix
+++ b/pkgs/build-support/singularity-tools/default.nix
@@ -116,14 +116,14 @@ lib.makeExtensible (final: {
 # Build /bin and copy across closure
 mkdir -p bin ./${builtins.storeDir}
- for f in $(cat $layerClosure) ; do
- cp -ar $f ./$f
+ for f in $(cat "$layerClosure") ; do
+ cp -ar "$f" "./$f"
 done
 for c in ${toString contents} ; do
- for f in $c/bin/* ; do
- if [ ! -e bin/$(basename $f) ] ; then
- ln -s $f bin/
+ for f in "$c"/bin/* ; do
+ if [ ! -e "bin/$(basename "$f")" ] ; then
+ ln -s "$f" bin/
 fi
 done
 done
@@ -143,7 +143,7 @@ lib.makeExtensible (final: {
 mkdir -p /var/lib/${projectName}/mnt/session
 echo "root:x:0:0:System administrator:/root:/bin/sh" > /etc/passwd
 echo > /etc/resolv.conf
- TMPDIR=$(pwd -P) ${projectName} build $out ./img
+ TMPDIR="$(pwd -P)" ${projectName} build "$out" ./img
 ''
 );
From 5396a84b1dcf44b4edb32a56172a3aff677f2aae Mon Sep 17 00:00:00 2001
From: Yueh-Shun Li
Date: Sun, 11 Aug 2024 10:58:06 +0800
Subject: [PATCH 6/8] singularity-tools: string-interpolate and and quote members in contents
String-interpolation converts path objects inside `contents` into store paths to ensure they are properly included in the result image. See tests.trivial-builders.references for the necessity of string-interpolation. Quote each string-interpolated content member to accomodates spaces inside.
---
 pkgs/build-support/singularity-tools/default.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
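Review bot: `for f in "$c"/bin/*` still assumes every member of `contents` ships a `bin/` directory: when one does not, and `nullglob` is not in effect in the VM shell, the pattern expands to the literal string `…/bin/*`, `[ ! -e "bin/*" ]` is then true, and `ln -s "$f" bin/` leaves a dangling symlink literally named `*` in the image's `/bin`. The quoting added here does not change that; making `[ -e "$f" ] || continue` the first statement of the inner loop body (or `shopt -s nullglob` before the loop) closes it. This predates the hunk, but the hunk is the one rewriting these lines. The script continues on both sides of the hunk.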
diff --git a/pkgs/build-support/singularity-tools/default.nix b/pkgs/build-support/singularity-tools/default.nix
index 4eed6abae016..12e35720faf6 100644
--- a/pkgs/build-support/singularity-tools/default.nix
+++ b/pkgs/build-support/singularity-tools/default.nix
@@ -120,7 +120,12 @@ lib.makeExtensible (final: {
 cp -ar "$f" "./$f"
 done
- for c in ${toString contents} ; do
+ # TODO(@ShamrockLee):
+ # Once vmTools.runInLinuxVMm works with `__structuredAttrs = true` (#334705),
+ # set __structuredAttrs = true and pass contents as an attribute
+ # so that we could loop with `for c in ''${contents[@]}`
+ # instead of expanding all the paths in contents into the Bash string.
+ for c in ${lib.escapeShellArgs contents} ; do
 for f in "$c"/bin/* ; do
 if [ ! -e "bin/$(basename "$f")" ] ; then
 ln -s "$f" bin/
From c229d14f505e64543cd62ba77898016f1059dc1c Mon Sep 17 00:00:00 2001
From: Yueh-Shun Li
Date: Sun, 11 Aug 2024 11:49:23 +0800
Subject: [PATCH 7/8] singularity-tools: proper line looping with while-read
---
 pkgs/build-support/singularity-tools/default.nix | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/pkgs/build-support/singularity-tools/default.nix b/pkgs/build-support/singularity-tools/default.nix
index 12e35720faf6..66cb4943091a 100644
--- a/pkgs/build-support/singularity-tools/default.nix
+++ b/pkgs/build-support/singularity-tools/default.nix
@@ -116,9 +116,10 @@ lib.makeExtensible (final: {
 # Build /bin and copy across closure
 mkdir -p bin ./${builtins.storeDir}
- for f in $(cat "$layerClosure") ; do
+ # Loop over the line-separated paths in $layerClosure
+ while IFS= read -r f; do
 cp -ar "$f" "./$f"
- done
+ done < "$layerClosure"
 # TODO(@ShamrockLee):
 # Once vmTools.runInLinuxVMm works with `__structuredAttrs = true` (#334705),
From c2eb0aa56e90cffbdcb82a54f3a9b1419e19c88b Mon Sep 17 00:00:00 2001
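Review bot: `lib.escapeShellArgs contents` may not deliver what the commit message promises for bare path objects: `lib.escapeShellArg` applies `toString` to its argument, and `toString` on a path yields the source-tree path without copying it into the store, whereas the `"${…}"` interpolation the message refers to does copy it. If that is still how `escapeShellArg` behaves in this tree, interpolate first, e.g. `for c in ${lib.escapeShellArgs (map (c: "${c}") contents)} ; do`, so that the `/bin` links point into the store rather than at the builder's source path. Separately, the new comment has a typo — `runInLinuxVMm` should read `runInLinuxVM`. The loop body continues outside the hunk.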
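Review bot: `while IFS= read -r f; do … done < "$layerClosure"` silently skips a final line that lacks a trailing newline, because `read` returns non-zero at EOF even when it has filled `f`; if `writeClosure` guarantees a newline-terminated file this is fine, otherwise use `while IFS= read -r f || [ -n "$f" ]; do`. A dropped last entry would leave one store path out of the image and only surface when the container runs, so it is worth being explicit either way; a comment stating the newline assumption on the `# Loop over …` line would do if the guarantee holds. The copy loop sits inside a script that continues on both sides of the hunk.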
From: Yueh-Shun Li
Date: Sun, 11 Aug 2024 11:56:20 +0800
Subject: [PATCH 8/8] singularity-tools: don't preserve store content ownership
Don't preserve store content ownership to prepare for unprivileged-build workflow.
---
 pkgs/build-support/singularity-tools/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkgs/build-support/singularity-tools/default.nix b/pkgs/build-support/singularity-tools/default.nix
index 66cb4943091a..249c3c8c85f1 100644
--- a/pkgs/build-support/singularity-tools/default.nix
+++ b/pkgs/build-support/singularity-tools/default.nix
@@ -118,7 +118,7 @@ lib.makeExtensible (final: {
 mkdir -p bin ./${builtins.storeDir}
 # Loop over the line-separated paths in $layerClosure
 while IFS= read -r f; do
- cp -ar "$f" "./$f"
+ cp -r "$f" "./$f"
 done < "$layerClosure"
 # TODO(@ShamrockLee):
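Review bot: Replacing `cp -ar` with `cp -r` drops more than ownership preservation: `-a` is shorthand for `-dR --preserve=all`, so the copy now also stops preserving timestamps, hard links between files, and any mode bits the umask strips, and whether source symlinks are followed now depends on the `cp` implementation's default for `-R`. Nix normalizes store mtimes and a reproducible image build may depend on them surviving the copy, so the intent stated in the subject is better expressed as `cp -r --no-dereference --preserve=mode,timestamps,links "$f" "./$f"`, which gives up exactly ownership and nothing else. A comment such as `# ownership is deliberately not preserved so the copy works for an unprivileged builder` would record why. The loop sits in a script that continues past the hunk.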