Add profiles

`flake.lock`: Update

.gitignore

@@ -5,3 +5,5 @@ dist/
 dist-newstyle/
 cabal.project.local
 
+*.swp
+

CHANGELOG.md

@@ -1,16 +1,40 @@
 # Revision history for Arion
 
-## Next
+## 0.2.1.0 -- 2023-07-26
+
+### Added
+
+* `service.networks` now supports attribute set values with various options, thanks to @pedorich-n.
+* `docker-compose.volumes` can now be specified in multiple modules, thanks to @qaifshaikh.
+* `image.fakeRootCommands` for making modifications to the image that aren't "add a link farm".
+
+### Fixed
+
+* Regular maintenance fixes, including one by olebedev
+
+
+## 0.2.0.0 -- 2022-12-02
+
+### BREAKING
+
+* The `project.name` option is now mandatory for projects that aren't deployed with the NixOS module.
+
+* The NixOS module now sets the default network name to the project name (commonly referred to as `<name>` in the option path).
+  If this is not desired, for instance if you need the projects to be on the same network, set `networks.default.name` in each of them.
+
+* The NixOS module now sets the default project name. You can still set your own value with the `project.name` option.
+  If you did not set one, docker compose heuristically determined the name to be `store`, so you may want to set `project.name = "store"` or prepare to rename the network manually.
 
 ### Removed
 
  - NixOS 20.09 support. Its docker-compose does not support the
    `networks.<name>.name` option, which is important in later versions.
+   A newer, bundled docker compose may work there, but for now the decision
+   is to drop this legacy version.
 
 ### Changed
 
 * Healthcheck-based dependencies in `service.depends_on`.
-* The `project.name` option is now mandatory.
 
 ### Added
 

arion-compose.cabal

@@ -1,7 +1,7 @@
 cabal-version:       2.4
 
 name:                arion-compose
-version: 0.1.3.0
+version: 0.2.1.0
 synopsis:            Run docker-compose with help from Nix/NixOS
 description:         Arion is a tool for building and running applications that consist of multiple docker containers using NixOS modules. It has special support for docker images that are built with Nix, for a smooth development experience and improved performance.
 homepage:            https://github.com/hercules-ci/arion#readme
@@ -30,8 +30,8 @@ source-repository head
   location: https://github.com/hercules-ci/arion
 
 common common
-  build-depends:     base >=4.12.0.0 && <4.17
-                   , aeson
+  build-depends:     base >=4.12.0.0 && <4.99
+                   , aeson >=2
                    , aeson-pretty
                    , async
                    , bytestring

bors.toml

@@ -1,5 +1,5 @@
 status = [
-  "ci/hercules/derivations",
+  "ci/hercules/onPush/default",
   "ci/hercules/evaluation",
 ]
 delete_merged_branches = true

default.nix

@@ -1,6 +1,11 @@
-{ pkgs ? import ./nix {}
+let flake = import ./nix/compat.nix;
+in
+{ pkgs ? import flake.inputs.nixpkgs { }
 , haskellPackages ? pkgs.haskellPackages
 }:
+let
+  pkgsWithArion = pkgs.extend flake.overlays.default;
+in
 {
-  arion = import ./nix/arion.nix { inherit pkgs haskellPackages; };
+  inherit (pkgsWithArion) arion;
 }

docs/antora.yml

@@ -4,3 +4,4 @@ version: 'master'
 nav:
 - modules/ROOT/nav.adoc
 - modules/reference/nav.adoc
+nix: true

docs/flake-module.nix

@@ -0,0 +1,31 @@
+{
+  perSystem = { config, pkgs, lib, ... }: {
+    packages.generated-option-doc-arion =
+      # TODO: use the render pipeline in flake-parts,
+      #       which has support for things like {options}`foo`.
+      let
+        eval = lib.evalModules {
+          modules = import ../src/nix/modules.nix;
+        };
+      in
+      (pkgs.nixosOptionsDoc
+        {
+          options = eval.options;
+        }).optionsCommonMark;
+
+    packages.generated-antora-files =
+      pkgs.runCommand "generated-antora-files"
+        {
+          nativeBuildInputs = [ pkgs.pandoc ];
+          doc_arion = config.packages.generated-option-doc-arion;
+        }
+        # TODO: use the render pipeline in flake-parts,
+        #       which has support for things like {options}`foo`.
+        ''
+          mkdir -p $out/modules/ROOT/partials
+          pandoc --from=markdown --to=asciidoc \
+            < $doc_arion \
+            > $out/modules/ROOT/partials/arion-options.adoc
+        '';
+  };
+}

docs/modules/ROOT/examples/full-nixos/arion-compose.nix

@@ -0,0 +1 @@
+../../../../../examples/full-nixos/arion-compose.nix

docs/modules/ROOT/examples/minimal/arion-compose.nix

@@ -0,0 +1 @@
+../../../../../examples/minimal/arion-compose.nix

docs/modules/ROOT/examples/nixos-unit/arion-compose.nix

@@ -0,0 +1 @@
+../../../../../examples/nixos-unit/arion-compose.nix

docs/modules/ROOT/pages/deployment.adoc

@@ -45,18 +45,21 @@ NOTE: This deployment method does NOT use an `arion-pkgs.nix` file, but reuses
     # Pick one of:
     #  - niv
     ((import ./nix/sources.nix).arion + "/nixos-module.nix")
-    #  - flakes (where arion is a flake input)
+    #  - or flakes (where arion is a flake input)
     arion.nixosModules.arion
-    #  - other
-    arionPath + "/nixos-module.nix")
+    #  - or other: copy commit hash of arion and replace HASH in:
+    (builtins.fetchTarball "https://github.com/hercules-ci/arion/archive/HASH.tar.gz") + "/nixos-module.nix")
   ];
 
   virtualisation.arion = {
     backend = "podman-socket"; # or "docker"
-    projects.example.settings = {
-      # Specify you project here, or import it from a file.
-      # NOTE: This does NOT use ./arion-pkgs.nix, but defaults to NixOS' pkgs.
-      imports = [ ./arion-compose.nix ];
+    projects.example = {
+      serviceName = "example"; # optional systemd service name, defaults to arion-example in this case
+      settings = {
+        # Specify you project here, or import it from a file.
+        # NOTE: This does NOT use ./arion-pkgs.nix, but defaults to NixOS' pkgs.
+        imports = [ ./arion-compose.nix ];
+      };
     };
   };
 }

docs/modules/ROOT/pages/index.adoc

@@ -40,6 +40,7 @@ Arion allows to compose containers with different granularity:
   * <<Docker image from DockerHub>>
 
 Full NixOS is supported on
+
  * docker-compose + podman with docker socket (NixOS >= 21.05)
  * docker-compose + docker, before cgroupsv2 (NixOS < 21.05)
 
@@ -112,14 +113,16 @@ Describe containers using NixOS-style modules. There are a few options:
 
 ==== Minimal: Plain command using nixpkgs
 
-`examples/minimal/arion-compose.nix`:
-
-```nix
+`examples/minimal/arion-compose.nix`
+[,nix]
+----
 { pkgs, ... }:
 {
-  config.services = {
+  project.name = "webapp";
+  services = {
 
     webserver = {
+      image.enableRecommendedContents = true;
       service.useHostStore = true;
       service.command = [ "sh" "-c" ''
                   cd "$$WEB_ROOT"
@@ -129,58 +132,36 @@ Describe containers using NixOS-style modules. There are a few options:
         "8000:8000" # host:container
       ];
       service.environment.WEB_ROOT = "${pkgs.nix.doc}/share/doc/nix/manual";
+      service.stop_signal = "SIGINT";
     };
   };
 }
-```
-
-==== NixOS: run only one systemd service
-
-`examples/nixos-unit/arion-compose.nix`:
-
-```nix
-{
-  services.webserver = { config, pkgs, ... }: {
-
-    nixos.configuration = {config, pkgs, ...}: {
-      boot.isContainer = true;
-      services.nginx.enable = true;
-      services.nginx.virtualHosts.localhost.root = "${pkgs.nix.doc}/share/doc/nix/manual";
-      system.build.run-nginx = pkgs.writeScript "run-nginx" ''
-        #!${pkgs.bash}/bin/bash
-        PATH='${config.systemd.services.nginx.environment.PATH}'
-        echo nginx:x:${toString config.users.users.nginx.uid}:${toString config.users.groups.nginx.gid}:nginx web server user:/var/empty:/bin/sh >>/etc/passwd
-        echo nginx:x:${toString config.users.groups.nginx.gid}:nginx >>/etc/group
-        ${config.systemd.services.nginx.runner}
-      '';
-    };
-    service.command = [ config.nixos.build.run-nginx ];
-    service.useHostStore = true;
-    service.ports = [
-      "8000:80" # host:container
-    ];
-  };
-}
-```
+----
 
 ==== NixOS: run full OS
 
 `examples/full-nixos/arion-compose.nix`:
 
-```nix
+[,nix]
+----
 {
-  services.webserver = { pkgs, ... }: {
+  project.name = "full-nixos";
+  services.webserver = { pkgs, lib, ... }: {
     nixos.useSystemd = true;
-    nixos.configuration.boot.tmpOnTmpfs = true;
+    nixos.configuration.boot.tmp.useTmpfs = true;
     nixos.configuration.services.nginx.enable = true;
     nixos.configuration.services.nginx.virtualHosts.localhost.root = "${pkgs.nix.doc}/share/doc/nix/manual";
+    nixos.configuration.services.nscd.enable = false;
+    nixos.configuration.system.nssModules = lib.mkForce [];
+    nixos.configuration.systemd.services.nginx.serviceConfig.AmbientCapabilities = 
+      lib.mkForce [ "CAP_NET_BIND_SERVICE" ];
     service.useHostStore = true;
     service.ports = [
       "8000:80" # host:container
     ];
   };
 }
-```
+----
 
 ==== Docker image from DockerHub
 
@@ -194,6 +175,11 @@ Describe containers using NixOS-style modules. There are a few options:
 }
 ```
 
+==== NixOS: run only one systemd service
+
+Running individual units from NixOS is possible using an experimental script.
+See `examples/nixos-unit/arion-compose.nix`.
+
 === Run
 
 Start containers and watch their logs:

docs/modules/ROOT/pages/options.adoc

@@ -1,5 +1,3 @@
-// To update option descriptions
-//  - use git grep or github search
-//  - or browse through src/nix/modules
+# Arion Options
 
-include::partial$NixOSOptions.adoc[]
+include::partial$arion-options.adoc[]

examples/full-nixos/arion-compose.nix

@@ -2,7 +2,8 @@
   project.name = "full-nixos";
   services.webserver = { pkgs, lib, ... }: {
     nixos.useSystemd = true;
-    nixos.configuration.boot.tmpOnTmpfs = true;
+    nixos.configuration.boot.tmp.useTmpfs = true;
+    nixos.configuration.networking.useDHCP = false;
     nixos.configuration.services.nginx.enable = true;
     nixos.configuration.services.nginx.virtualHosts.localhost.root = "${pkgs.nix.doc}/share/doc/nix/manual";
     nixos.configuration.services.nscd.enable = false;

examples/minimal/arion-compose.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 {
-  config.project.name = "webapp";
-  config.services = {
+  project.name = "webapp";
+  services = {
 
     webserver = {
       image.enableRecommendedContents = true;

examples/nixos-unit/arion-compose.nix

@@ -36,8 +36,8 @@
         echo nginx:x:${toString config.users.groups.nginx.gid}:nginx >>/etc/group
         echo 'nobody:x:65534:65534:Unprivileged account do not use:/var/empty:/run/current-system/sw/bin/nologin' >>/etc/passwd
         echo 'nogroup:x:65534:' >>/etc/group
-        mkdir -p /var/log/nginx /run/nginx/ /var/cache/nginx /var/lib/nginx/{,logs,proxy_temp,client_body_temp,fastcgi_temp,scgi_temp,uwsgi_temp}
-        chown nginx /var/log/nginx /run/nginx/ /var/cache/nginx /var/lib/nginx/{,logs,proxy_temp,client_body_temp,fastcgi_temp,scgi_temp,uwsgi_temp}
+        mkdir -p /var/log/nginx /run/nginx/ /var/cache/nginx /var/lib/nginx/{,logs,proxy_temp,client_body_temp,fastcgi_temp,scgi_temp,uwsgi_temp} /tmp/nginx_client_body
+        chown nginx /var/log/nginx /run/nginx/ /var/cache/nginx /var/lib/nginx/{,logs,proxy_temp,client_body_temp,fastcgi_temp,scgi_temp,uwsgi_temp} /tmp/nginx_client_body
         ${config.systemd.services.nginx.runner}
       '';
     };

examples/traefik/arion-compose.nix

@@ -10,6 +10,17 @@
  */
 { lib, pkgs, ... }: {
   config.project.name = "traefik";
+  config.networks = {
+    traefik-custom = {
+      name = "traefik-custom";
+      ipam = {
+        config = [{
+          subnet = "172.32.0.0/16";
+          gateway = "172.32.0.1";
+        }];
+      };
+    };
+  };
   config.services = {
     traefik = {
       image.command = [
@@ -24,6 +35,7 @@
         stop_signal = "SIGINT";
         ports = [ "80:80" "8080:8080" ];
         volumes = [ "/var/run/docker.sock:/var/run/docker.sock:ro" ];
+        networks = [ "traefik-custom" ];
       };
     };
 
@@ -34,14 +46,17 @@
         ${pkgs.python3}/bin/python -m http.server
       ''}"];
       service.container_name = "simple-service";
-      service.ports = [
-        "8000:8000" # host:container
-      ];
       service.stop_signal = "SIGINT";
       service.labels = {
         "traefik.enable" = "true";
         "traefik.http.routers.nix-docs.rule" = "Host(`nix-docs.localhost`)";
         "traefik.http.routers.nix-docs.entrypoints" = "web";
+        "traefik.http.services.nix-docs.loadBalancer.server.port" = "8000";
+      };
+      service.networks = {
+        traefik-custom = {
+          ipv4_address = "172.32.0.5";
+        };
       };
     };
   };

flake.lock

@@ -1,21 +1,103 @@
 {
   "nodes": {
-    "nixpkgs": {
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1601906239,
-        "narHash": "sha256-P1jBYbYeFswig/0FKbgh+BpVhh9iurD3m0T2ae4gdx8=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "c2bb4af48d26ed091e5674394bacbf8d488c7939",
+        "lastModified": 1722555600,
+        "narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
         "type": "github"
       },
       "original": {
-        "id": "nixpkgs",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "flake-parts_2": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "hercules-ci-effects",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1712014858,
+        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+        "type": "github"
+      },
+      "original": {
+        "id": "flake-parts",
         "type": "indirect"
       }
     },
+    "haskell-flake": {
+      "locked": {
+        "lastModified": 1675296942,
+        "narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=",
+        "owner": "srid",
+        "repo": "haskell-flake",
+        "rev": "c2cafce9d57bfca41794dc3b99c593155006c71e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "srid",
+        "ref": "0.1.0",
+        "repo": "haskell-flake",
+        "type": "github"
+      }
+    },
+    "hercules-ci-effects": {
+      "inputs": {
+        "flake-parts": "flake-parts_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1719226092,
+        "narHash": "sha256-YNkUMcCUCpnULp40g+svYsaH1RbSEj6s4WdZY/SHe38=",
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "rev": "11e4b8dc112e2f485d7c97e1cee77f9958f498f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1722630782,
+        "narHash": "sha256-hMyG9/WlUi0Ho9VkRrrez7SeNlDzLxalm9FwY7n/Noo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d04953086551086b44b6f3c6b7eeb26294f207da",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
+        "flake-parts": "flake-parts",
+        "haskell-flake": "haskell-flake",
+        "hercules-ci-effects": "hercules-ci-effects",
         "nixpkgs": "nixpkgs"
       }
     }

flake.nix

@@ -1,44 +1,98 @@
 {
   description = "Arion - use Docker Compose via Nix";
 
-  outputs = { self, nixpkgs }:
-  let
-    lib = import (nixpkgs + "/lib");
-    systems = [
-      "aarch64-linux"
-      "x86_64-darwin"
-      "x86_64-linux"
-    ];
-    arionFromPkgs = pkgs: import ./nix/arion.nix { inherit pkgs; };
-  in {
-
-    # The overlay is currently the recommended way to integrate arion,
-    # because its arion attribute behaves just like Nixpkgs.
-    overlay = final: prev: {
-      arion = arionFromPkgs final;
-    };
-
-    packages = lib.genAttrs systems (system:
-    let
-      pkgs = nixpkgs.legacyPackages.${system};
-    in
-    {
-      arion = arionFromPkgs pkgs;
-    });
-
-    # Does not include the eval and build functions like you may expect from Nixpkgs.
-    defaultPackage = lib.genAttrs systems (system:
-      self.packages.${system}.arion
-    );
-
-    lib = {
-      eval = import ./src/nix/eval-composition.nix;
-      build = args@{...}:
-        let composition = self.lib.eval args;
-        in composition.config.out.dockerComposeYaml;
-    };
-
-    nixosModules.arion = ./nixos-module.nix;
-
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    haskell-flake.url = "github:srid/haskell-flake/0.1.0";
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
+    hercules-ci-effects.url = "github:hercules-ci/hercules-ci-effects";
+    hercules-ci-effects.inputs.nixpkgs.follows = "nixpkgs";
   };
+
+  outputs = inputs@{ self, flake-parts, ... }:
+    flake-parts.lib.mkFlake { inherit inputs; } ({ config, lib, extendModules, ... }: {
+      imports = [
+        inputs.haskell-flake.flakeModule
+        inputs.hercules-ci-effects.flakeModule
+        inputs.flake-parts.flakeModules.easyOverlay
+        ./docs/flake-module.nix
+        ./tests/flake-module.nix
+      ];
+      systems = inputs.nixpkgs.lib.systems.flakeExposed;
+      perSystem = { config, self', inputs', pkgs, system, final, ... }:
+        let h = pkgs.haskell.lib.compose; in
+        {
+          overlayAttrs = {
+            inherit (config.packages) arion;
+            arionTestingFlags = {
+              dockerSupportsSystemd = false;
+            };
+          };
+          packages.default = config.packages.arion;
+          packages.overlay-test = final.arion;
+          packages.arion = import ./nix/arion.nix { inherit pkgs; };
+          haskellProjects.haskell-package = {
+            # not autodetected: https://github.com/srid/haskell-flake/issues/49
+            packages.arion-compose.root = ./.;
+
+            overrides =
+              self: super: {
+                arion-compose =
+                  lib.pipe super.arion-compose [
+                    (h.addBuildTools [ pkgs.nix ])
+                    (h.overrideCabal (o: {
+                      src = pkgs.lib.sourceByRegex ./. [
+                        ".*[.]cabal"
+                        "LICENSE"
+                        "src/?.*"
+                        "README.asciidoc"
+                        "CHANGELOG.md"
+                      ];
+                      preCheck = ''
+                        export NIX_LOG_DIR=$TMPDIR
+                        export NIX_STATE_DIR=$TMPDIR
+                        export NIX_PATH=nixpkgs=${pkgs.path}
+                      '';
+                    }))
+                  ];
+              };
+          };
+          devShells.default = config.devShells.haskell-package.overrideAttrs (o: {
+            nativeBuildInputs = o.nativeBuildInputs or [ ] ++ [
+              pkgs.docker-compose
+              pkgs.nixpkgs-fmt
+              config.haskellProjects.haskell-package.haskellPackages.releaser
+            ];
+          });
+        };
+
+      hercules-ci.flake-update = {
+        enable = true;
+        autoMergeMethod = "merge";
+        when = {
+          hour = [ 2 ];
+          dayOfMonth = [ 5 ];
+        };
+      };
+
+      herculesCI.ciSystems = [
+        # "aarch64-darwin"
+        # "aarch64-linux"
+        "x86_64-darwin"
+        "x86_64-linux"
+      ];
+
+      flake = {
+        debug = { inherit inputs config lib; };
+
+        lib = {
+          eval = import ./src/nix/eval-composition.nix;
+          build = args@{ ... }:
+            let composition = self.lib.eval args;
+            in composition.config.out.dockerComposeYaml;
+        };
+        nixosModules.arion = ./nixos-module.nix;
+      };
+    });
 }

nix/ci.nix

@@ -1,46 +0,0 @@
-let
-  sources = import ./sources.nix;
-  lib = import (sources."nixos-unstable" + "/lib");
-  inherit (import (sources."project.nix" + "/lib/dimension.nix") { inherit lib; }) dimension;
-in
-
-dimension "Nixpkgs version" {
-    "nixos-22_05" = {
-      nixpkgsSource = "nixos-22.05";
-      enableDoc = true;
-    };
-    "nixos-unstable" = {
-      nixpkgsSource = "nixos-unstable";
-      isReferenceNixpkgs = true; # match ./default.nix
-      enableDoc = true;
-    };
-  } (
-    _name: { nixpkgsSource, isReferenceNixpkgs ? false, enableDoc ? true,
-             dockerSupportsSystemd ? false, nixosHasPodmanDockerSocket ? true }:
-
-
-      dimension "System" {
-        "x86_64-linux" = { isReferenceTarget = isReferenceNixpkgs; };
-        "x86_64-darwin" = { enableNixOSTests = false; };
-      } (
-        system: { isReferenceTarget ? false, enableNixOSTests ? true }:
-          let
-            pkgs = import ./. {
-              inherit system dockerSupportsSystemd nixosHasPodmanDockerSocket;
-              nixpkgsSrc = sources.${nixpkgsSource};
-            };
-          in
-          {
-            inherit (pkgs) arion;
-          } // lib.optionalAttrs enableNixOSTests {
-            inherit (pkgs) tests;
-          } // lib.optionalAttrs enableDoc {
-            inherit (pkgs) 
-              # FIXME: nixpkgs antora packaging is broken
-              # doc
-              doc-options doc-options-check;
-          } // lib.optionalAttrs isReferenceTarget {
-            inherit (pkgs.arion-project.haskellPkgs) arion-compose-checked;
-          }
-      )
-  )

nix/compat.nix

@@ -0,0 +1,10 @@
+(import
+  (
+    let lock = builtins.fromJSON (builtins.readFile ./flake.lock); in
+    fetchTarball {
+      url = "https://github.com/edolstra/flake-compat/archive/009399224d5e398d03b22badca40a37ac85412a1.tar.gz";
+      sha256 = "sha256:0xcr9fibnapa12ywzcnlf54wrmbqqb96fmmv8043zhsycws7bpqy";
+    }
+  )
+  { src = ../.; }
+).defaultNix

nix/default.nix

@@ -1,23 +0,0 @@
-{ sources ? import ./sources.nix
-, nixpkgsName ? "nixos-unstable" # match ./ci.nix isReferenceNixpkgs
-, nixpkgsSrc ? sources.${nixpkgsName}
-, system ? builtins.currentSystem
-, dockerSupportsSystemd ? false
-, nixosHasPodmanDockerSocket ? true
-, ...
-}:
-
-import nixpkgsSrc ({
-  # Makes the config pure as well. See <nixpkgs>/top-level/impure.nix:
-  config = {
-  };
-  overlays = [
-    (_: _: {
-      arionTestingFlags = {
-        inherit dockerSupportsSystemd nixosHasPodmanDockerSocket;
-      };
-    })
-    (import ./overlay.nix)
-  ];
-  inherit system;
-})

nix/haskell-overlay.nix

@@ -1,16 +0,0 @@
-self: super: hself: hsuper:
-{
-  arion-compose = import ./haskell-arion-compose.nix { pkgs = self; haskellPackages = hself; };
-  arion-compose-checked =
-              let pkg = /* super.haskell.lib.buildStrictly  currently broken in nixos-unstable */ hself.arion-compose;
-                  checked = super.haskell.lib.overrideCabal pkg (o: {
-                    postConfigure = ''${o.postConfigure or ""}
-                      if ! ${hsuper.cabal-install}/bin/cabal check;
-                      then
-                        echo 1>&2 ERROR: cabal file is invalid. Above warnings were errors.
-                        exit 1
-                      fi
-                    '';
-                  });
-              in checked;
-}

nix/overlay.nix

@@ -1,60 +0,0 @@
-self: super:
-let
-  inherit (self.arion-project) haskellPkgs;
-  inherit (super) lib;
-
-  sources = import ./sources.nix;
-
-  fakeRepo = src: super.runCommand "source" { inherit src; nativeBuildInputs = [super.git]; } ''
-    cp -r --no-preserve=mode $src $out
-    git init
-    cp -r .git $out
-  '';
-
-in
-{
-
-  inherit (import ./.. { pkgs = self; }) arion;
-  tests = super.callPackage ../tests {};
-
-  doc-options = import ../docs/options.nix {};
-  doc-options-check = self.runCommand "doc-options-check" {} ''
-    if diff --color -u ${../docs/modules/ROOT/partials/NixOSOptions.adoc} ${self.doc-options}; then
-      touch $out
-    else
-      echo 1>&2 "The doc options have changed and need to be added."
-      echo 1>&2 "Please run ./update-options in the root of your arion clone."
-      exit 1
-    fi
-  '';
-  doc = self.stdenv.mkDerivation { 
-    name = "arion-documentation"; 
-    nativeBuildInputs = [super.antora];
-    src = fakeRepo ../.;
-    HOME = ".";
-    buildPhase = "antora antora-playbook";
-    installPhase = ''
-      mkdir $out
-      mv public/* $out/
-    '';
-  };
-
-  arion-project = super.recurseIntoAttrs {
-    haskellPkgs = super.haskellPackages.extend (import ./haskell-overlay.nix self super);
-    shell = haskellPkgs.shellFor {
-      packages = p: [p.arion-compose];
-      nativeBuildInputs = [
-        haskellPkgs.cabal-install
-        haskellPkgs.ghcid
-        haskellPkgs.haskell-language-server
-        super.docker-compose
-        self.niv
-        self.nixpkgs-fmt
-        self.releaser
-      ];
-    };
-  };
-
-  inherit (import (sources.niv) {}) niv;
-  releaser = self.haskellPackages.callCabal2nix "releaser" sources.releaser {};
-}

nix/sources.json

@@ -1,63 +0,0 @@
-{
-    "niv": {
-        "branch": "master",
-        "description": "Easy dependency management for Nix projects",
-        "homepage": "https://github.com/nmattia/niv",
-        "owner": "nmattia",
-        "repo": "niv",
-        "rev": "fad2a6cbfb2e7cdebb7cb0ad2f5cc91e2c9bc06b",
-        "sha256": "0mghc1j0rd15spdjx81bayjqr0khc062cs25y5dcfzlxk4ynyc6m",
-        "type": "tarball",
-        "url": "https://github.com/nmattia/niv/archive/fad2a6cbfb2e7cdebb7cb0ad2f5cc91e2c9bc06b.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
-    },
-    "nixos-22.05": {
-        "branch": "nixos-22.05",
-        "description": "Nix Packages collection",
-        "homepage": null,
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "a634c8f6c1fbf9b9730e01764999666f3436f10a",
-        "sha256": "1d40v43x972li5fg7jadxkj341li41mf2cl6vv7xi6j80rkq45q4",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/a634c8f6c1fbf9b9730e01764999666f3436f10a.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
-    },
-    "nixos-unstable": {
-        "branch": "lib-modules-allow-disable-_modules.args-docs-internal",
-        "description": "A read-only mirror of NixOS/nixpkgs tracking the released channels. Send issues and PRs to",
-        "homepage": "https://github.com/NixOS/nixpkgs",
-        "owner": "hercules-ci",
-        "repo": "nixpkgs",
-        "rev": "14aa201b658f43546b00153bb2ada7206ba8dd26",
-        "sha256": "0xn43gdn3rfys1d8ni3y6x7vxyc263qsbhfsjwc5x7pcd3dfrcjw",
-        "type": "tarball",
-        "url": "https://github.com/hercules-ci/nixpkgs/archive/14aa201b658f43546b00153bb2ada7206ba8dd26.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz",
-        "version": ""
-    },
-    "project.nix": {
-        "branch": "master",
-        "description": "A configuration manager for your projects",
-        "homepage": null,
-        "owner": "hercules-ci",
-        "repo": "project.nix",
-        "rev": "2e598501e7fda6993d2a1a281aa296b26d01e10c",
-        "sha256": "1rkzpzxpg69px6qwchdlg4xf5irv0snrzk2l6vrs9rsx48gqax9j",
-        "type": "tarball",
-        "url": "https://github.com/hercules-ci/project.nix/archive/2e598501e7fda6993d2a1a281aa296b26d01e10c.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
-    },
-    "releaser": {
-        "branch": "master",
-        "description": "Automation of Haskell package release process.",
-        "homepage": null,
-        "owner": "domenkozar",
-        "repo": "releaser",
-        "rev": "52a2bb0b2ce0bc15d4e7b11d8761a28d82c0c083",
-        "sha256": "178lv0a0qxd8six0rm83j7wjwlsad1hysdrk4mb38fagbb8csagb",
-        "type": "tarball",
-        "url": "https://github.com/domenkozar/releaser/archive/52a2bb0b2ce0bc15d4e7b11d8761a28d82c0c083.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
-    }
-}

nix/sources.nix

@@ -1,171 +0,0 @@
-# This file has been generated by Niv.
-
-let
-
-  #
-  # The fetchers. fetch_<type> fetches specs of type <type>.
-  #
-
-  fetch_file = pkgs: name: spec:
-    let
-      name' = sanitizeName name + "-src";
-    in
-      if spec.builtin or true then
-        builtins_fetchurl { inherit (spec) url sha256; name = name'; }
-      else
-        pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
-
-  fetch_tarball = pkgs: name: spec:
-    let
-      name' = sanitizeName name + "-src";
-    in
-      if spec.builtin or true then
-        builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
-      else
-        pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
-
-  fetch_git = name: spec:
-    let
-      ref =
-        if spec ? ref then spec.ref else
-          if spec ? branch then "refs/heads/${spec.branch}" else
-            if spec ? tag then "refs/tags/${spec.tag}" else
-              abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!";
-    in
-      builtins.fetchGit { url = spec.repo; inherit (spec) rev; inherit ref; };
-
-  fetch_local = spec: spec.path;
-
-  fetch_builtin-tarball = name: throw
-    ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
-        $ niv modify ${name} -a type=tarball -a builtin=true'';
-
-  fetch_builtin-url = name: throw
-    ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
-        $ niv modify ${name} -a type=file -a builtin=true'';
-
-  #
-  # Various helpers
-  #
-
-  # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
-  sanitizeName = name:
-    (
-      concatMapStrings (s: if builtins.isList s then "-" else s)
-        (
-          builtins.split "[^[:alnum:]+._?=-]+"
-            ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
-        )
-    );
-
-  # The set of packages used when specs are fetched using non-builtins.
-  mkPkgs = sources: system:
-    let
-      sourcesNixpkgs =
-        import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
-      hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
-      hasThisAsNixpkgsPath = <nixpkgs> == ./.;
-    in
-      if builtins.hasAttr "nixpkgs" sources
-      then sourcesNixpkgs
-      else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
-        import <nixpkgs> {}
-      else
-        abort
-          ''
-            Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
-            add a package called "nixpkgs" to your sources.json.
-          '';
-
-  # The actual fetching function.
-  fetch = pkgs: name: spec:
-
-    if ! builtins.hasAttr "type" spec then
-      abort "ERROR: niv spec ${name} does not have a 'type' attribute"
-    else if spec.type == "file" then fetch_file pkgs name spec
-    else if spec.type == "tarball" then fetch_tarball pkgs name spec
-    else if spec.type == "git" then fetch_git name spec
-    else if spec.type == "local" then fetch_local spec
-    else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
-    else if spec.type == "builtin-url" then fetch_builtin-url name
-    else
-      abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
-
-  # If the environment variable NIV_OVERRIDE_${name} is set, then use
-  # the path directly as opposed to the fetched source.
-  replace = name: drv:
-    let
-      saneName = stringAsChars (c: if isNull (builtins.match "[a-zA-Z0-9]" c) then "_" else c) name;
-      ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
-    in
-      if ersatz == "" then drv else ersatz;
-
-  # Ports of functions for older nix versions
-
-  # a Nix version of mapAttrs if the built-in doesn't exist
-  mapAttrs = builtins.mapAttrs or (
-    f: set: with builtins;
-    listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
-  );
-
-  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
-  range = first: last: if first > last then [] else builtins.genList (n: first + n) (last - first + 1);
-
-  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
-  stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
-
-  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
-  stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
-  concatMapStrings = f: list: concatStrings (map f list);
-  concatStrings = builtins.concatStringsSep "";
-
-  # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
-  optionalAttrs = cond: as: if cond then as else {};
-
-  # fetchTarball version that is compatible between all the versions of Nix
-  builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
-    let
-      inherit (builtins) lessThan nixVersion fetchTarball;
-    in
-      if lessThan nixVersion "1.12" then
-        fetchTarball ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
-      else
-        fetchTarball attrs;
-
-  # fetchurl version that is compatible between all the versions of Nix
-  builtins_fetchurl = { url, name ? null, sha256 }@attrs:
-    let
-      inherit (builtins) lessThan nixVersion fetchurl;
-    in
-      if lessThan nixVersion "1.12" then
-        fetchurl ({ inherit url; } // (optionalAttrs (!isNull name) { inherit name; }))
-      else
-        fetchurl attrs;
-
-  # Create the final "sources" from the config
-  mkSources = config:
-    mapAttrs (
-      name: spec:
-        if builtins.hasAttr "outPath" spec
-        then abort
-          "The values in sources.json should not have an 'outPath' attribute"
-        else
-          spec // { outPath = replace name (fetch config.pkgs name spec); }
-    ) config.sources;
-
-  # The "config" used by the fetchers
-  mkConfig =
-    { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
-    , sources ? if isNull sourcesFile then {} else builtins.fromJSON (builtins.readFile sourcesFile)
-    , system ? builtins.currentSystem
-    , pkgs ? mkPkgs sources system
-    }: rec {
-      # The sources, i.e. the attribute set of spec name to spec
-      inherit sources;
-
-      # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
-      inherit pkgs;
-    };
-
-in
-mkSources (mkConfig {}) // { __functor = _: settings: mkSources (mkConfig settings); }

nixos-module.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, options, pkgs, ... }:
 let
   inherit (lib)
     attrValues
@@ -26,9 +26,14 @@ let
         visible = "shallow";
       };
       _systemd = mkOption { internal = true; };
+      serviceName = mkOption {
+        description = "The name of the Arion project's systemd service";
+        type = types.str;
+        default = "arion-${name}";
+      };
     };
     config = {
-      _systemd.services."arion-${name}" = {
+      _systemd.services.${config.serviceName} = {
         wantedBy = [ "multi-user.target" ];
         after = [ "sockets.target" ];
 
@@ -46,7 +51,7 @@ let
   };
 
   arionSettingsType = name:
-    (cfg.package.eval { modules = [ { project.name = lib.mkDefault name; } ]; }).type or (
+    (cfg.package.eval { modules = [{ project.name = lib.mkDefault name; }]; }).type or (
       throw "lib.evalModules did not produce a type. Please upgrade Nixpkgs to nixos-unstable or >=nixos-21.11"
     );
 
@@ -64,7 +69,7 @@ in
       };
       package = mkOption {
         type = types.package;
-        
+
         default = (import ./. { inherit pkgs; }).arion;
         description = ''
           Arion package to use. This will provide <literal>arion</literal>
@@ -97,7 +102,10 @@ in
         virtualisation.docker.enable = false;
         virtualisation.podman.enable = true;
         virtualisation.podman.dockerSocket.enable = true;
-        virtualisation.podman.defaultNetwork.dnsname.enable = true;
+        virtualisation.podman.defaultNetwork = 
+          if options?virtualisation.podman.defaultNetwork.settings
+          then { settings.dns_enabled = true; } # since 2023-01 https://github.com/NixOS/nixpkgs/pull/199965
+          else { dnsname.enable = true; }; # compat <2023
 
         virtualisation.arion.docker.client.package = pkgs.docker-client;
       })

run-arion-via-nix

@@ -3,4 +3,4 @@
 # For manual testing of a hacked arion built via Nix.
 # Works when called from outside the project directory.
 
-exec nix run -f "$(dirname ${BASH_SOURCE[0]})" arion -c arion "$@"
+exec nix run -f "$(dirname ${BASH_SOURCE[0]})" arion "$@"

shell.nix

@@ -1 +1 @@
-args@{...}: (import ./nix args).arion-project.shell
+(builtins.getFlake ("git+file://" + toString ./.)).devShells.${builtins.currentSystem}.default

src/haskell/lib/Arion/Services.hs

@@ -1,6 +1,7 @@
 {-# LANGUAGE DeriveGeneric #-}
 {-# LANGUAGE DeriveAnyClass #-}
 {-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE CPP #-}
 module Arion.Services
   ( getDefaultExec
   ) where
@@ -9,15 +10,28 @@ import Prelude()
 import Protolude hiding (to)
 
 import qualified Data.Aeson as Aeson
+#if MIN_VERSION_lens_aeson(1,2,0)
+import qualified Data.Aeson.Key as AK
+#endif
 import           Arion.Aeson (decodeFile)
 
 import Control.Lens
 import Data.Aeson.Lens
 
+#if MIN_VERSION_lens_aeson(1,2,0)
+type Key = AK.Key
+mkKey :: Text -> Key
+mkKey = AK.fromText
+#else
+type Key = Text
+mkKey :: Text -> Key
+mkKey = identity
+#endif
+
 -- | Subject to change
 getDefaultExec :: FilePath -> Text -> IO [Text]
 getDefaultExec fp service = do
 
   v <- decodeFile fp
 
-  pure ((v :: Aeson.Value) ^.. key "x-arion" . key "serviceInfo" . key service . key "defaultExec" . _Array . traverse . _String)
+  pure ((v :: Aeson.Value) ^.. key "x-arion" . key "serviceInfo" . key (mkKey service) . key "defaultExec" . _Array . traverse . _String)

src/haskell/test/Arion/NixSpec.hs

@@ -13,19 +13,34 @@ import qualified Data.Text                     as T
 import qualified Data.Text.IO                  as T
 
 spec :: Spec
-spec = describe "evaluateComposition" $ it "matches an example" $ do
-  x <- Arion.Nix.evaluateComposition EvaluationArgs
-    { evalUid      = 123
-    , evalModules  = NEL.fromList
-                       ["src/haskell/testdata/Arion/NixSpec/arion-compose.nix"]
-    , evalPkgs     = "import <nixpkgs> { system = \"x86_64-linux\"; }"
-    , evalWorkDir  = Nothing
-    , evalMode     = ReadOnly
-    , evalUserArgs = ["--show-trace"]
-    }
-  let actual = pretty x
-  expected <- T.readFile "src/haskell/testdata/Arion/NixSpec/arion-compose.json"
-  censorPaths actual `shouldBe` censorPaths expected
+spec = describe "evaluateComposition" $ do
+  it "matches an example" $ do
+    x <- Arion.Nix.evaluateComposition EvaluationArgs
+      { evalUid      = 123
+      , evalModules  = NEL.fromList
+                         ["src/haskell/testdata/Arion/NixSpec/arion-compose.nix"]
+      , evalPkgs     = "import <nixpkgs> { system = \"x86_64-linux\"; }"
+      , evalWorkDir  = Nothing
+      , evalMode     = ReadOnly
+      , evalUserArgs = ["--show-trace"]
+      }
+    let actual = pretty x
+    expected <- T.readFile "src/haskell/testdata/Arion/NixSpec/arion-compose.json"
+    censorPaths actual `shouldBe` censorPaths expected
+
+  it "matches an build.context example" $ do
+    x <- Arion.Nix.evaluateComposition EvaluationArgs
+      { evalUid      = 1234
+      , evalModules  = NEL.fromList
+                         ["src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix"]
+      , evalPkgs     = "import <nixpkgs> { system = \"x86_64-linux\"; }"
+      , evalWorkDir  = Nothing
+      , evalMode     = ReadOnly
+      , evalUserArgs = ["--show-trace"]
+      }
+    let actual = pretty x
+    expected <- T.readFile "src/haskell/testdata/Arion/NixSpec/arion-context-compose.json"
+    censorPaths actual `shouldBe` censorPaths expected
 
 censorPaths :: Text -> Text
 censorPaths = censorImages . censorStorePaths

src/haskell/test/Spec.hs

@@ -9,3 +9,4 @@ import qualified Arion.NixSpec
 spec :: Spec
 spec = do
   describe "Arion.Nix" Arion.NixSpec.spec
+

src/haskell/testdata/Arion/NixSpec/arion-compose.json

@@ -33,6 +33,7 @@
         }
     },
     "version": "3.4",
+    "volumes": {},
     "x-arion": {
         "images": [
             {

src/haskell/testdata/Arion/NixSpec/arion-compose.nix

@@ -2,7 +2,7 @@
   project.name = "unit-test-data";
   services.webserver = { pkgs, ... }: {
     nixos.useSystemd = true;
-    nixos.configuration.boot.tmpOnTmpfs = true;
+    nixos.configuration.boot.tmp.useTmpfs = true;
     nixos.configuration.services.nginx.enable = true;
     nixos.configuration.services.nginx.virtualHosts.localhost.root = "${pkgs.nix.doc}/share/doc/nix/manual";
     service.useHostStore = true;

src/haskell/testdata/Arion/NixSpec/arion-context-compose.json

@@ -0,0 +1,41 @@
+{
+    "networks": {
+        "default": {
+            "name": "unit-test-data"
+        }
+    },
+    "services": {
+        "webserver": {
+            "build": {
+                "context": "<STOREPATH>"
+            },
+            "environment": {},
+            "ports": [
+                "8080:80"
+            ],
+            "sysctls": {},
+            "volumes": []
+        }
+    },
+    "version": "3.4",
+    "volumes": {},
+    "x-arion": {
+        "images": [
+            {
+                "imageExe": "<STOREPATH>",
+                "imageName": "localhost/webserver",
+                "imageTag": "<HASH>"
+            }
+        ],
+        "project": {
+            "name": "unit-test-data"
+        },
+        "serviceInfo": {
+            "webserver": {
+                "defaultExec": [
+                    "/bin/sh"
+                ]
+            }
+        }
+    }
+}

src/haskell/testdata/Arion/NixSpec/arion-context-compose.nix

@@ -0,0 +1,9 @@
+{
+  project.name = "unit-test-data";
+  services.webserver.service = {
+    build.context = "${./build-context}";
+    ports = [
+      "8080:80"
+    ];
+  };
+}

src/haskell/testdata/Arion/NixSpec/build-context/Dockerfile

@@ -0,0 +1,4 @@
+FROM nginx
+
+RUN echo this is a dockerfile to be built
+

src/nix/lib.nix

@@ -1,16 +1,21 @@
 { lib }:
 let
 
-  link = url: text:
-    ''link:${url}[${text}]'';
+  link = url: text: ''[${text}](${url})'';
 
-  dockerComposeRef = fragment:
-    ''See ${link "https://docs.docker.com/compose/compose-file/#${fragment}" "Docker Compose#${fragment}"}'';
+  composeSpecRev = "55b450aee50799a2f33cc99e1d714518babe305e";
+
+  serviceRef = fragment:
+    ''See ${link "https://github.com/compose-spec/compose-spec/blob/${composeSpecRev}/05-services.md#${fragment}" "Compose Spec Services #${fragment}"}'';
+
+  networkRef = fragment:
+    ''See ${link "https://github.com/compose-spec/compose-spec/blob/${composeSpecRev}/06-networks.md#${fragment}" "Compose Spec Networks #${fragment}"}'';
 
 in
 {
   inherit
-    dockerComposeRef
     link
+    networkRef
+    serviceRef
     ;
 }

src/nix/modules/composition/composition.nix

@@ -3,7 +3,7 @@ let
   inherit (lib) types mkOption;
 
   link = url: text:
-    ''link:${url}[${text}]'';
+    ''[${text}](${url})'';
 
 in
 {

src/nix/modules/composition/docker-compose.nix

@@ -63,6 +63,11 @@ in
       type = lib.types.attrsOf (lib.types.submodule service);
       description = "An attribute set of service configurations. A service specifies how to run an image as a container.";
     };
+    docker-compose.volumes = lib.mkOption {
+      type = lib.types.attrsOf lib.types.unspecified;
+      description = "A attribute set of volume configurations.";
+      default = {};
+    };
   };
   config = {
     out.dockerComposeYaml = pkgs.writeText "docker-compose.yaml" config.out.dockerComposeYamlText;
@@ -73,6 +78,7 @@ in
       version = "3.4";
       services = lib.mapAttrs (k: c: c.out.service) config.services;
       x-arion = config.docker-compose.extended;
+      volumes = config.docker-compose.volumes;
     };
   };
 }

src/nix/modules/composition/host-environment.nix

@@ -23,9 +23,9 @@
         stored at an alternate location without altering the format of
         store paths.
 
-        For example: instead of mounting the host's /nix/store as the
-        container's /nix/store, this will mount /mnt/foo/nix/store
-        as the container's /nix/store.
+        For example: instead of mounting the host's `/nix/store` as the
+        container's `/nix/store`, this will mount `/mnt/foo/nix/store`
+        as the container's `/nix/store`.
       '';
     };
 

src/nix/modules/composition/images.nix

@@ -36,7 +36,7 @@ in
     build.imagesToLoad = lib.mkOption {
       type = listOf unspecified;
       internal = true;
-      description = "List of dockerTools image derivations.";
+      description = "List of `dockerTools` image derivations.";
     };
   };
   config = {

src/nix/modules/composition/networks.nix

@@ -7,7 +7,7 @@ let
     types
     ;
   inherit (import ../../lib.nix { inherit lib; })
-    dockerComposeRef
+    link
     ;
 in
 {
@@ -19,7 +19,7 @@ in
         ];
       });
       description = ''
-        ${dockerComposeRef "networks-top-level-element"}
+        See ${link "https://docs.docker.com/compose/compose-file/06-networks/" "Docker Compose Networks"}
       '';
     };
     enableDefaultNetwork = mkOption {

src/nix/modules/networks/network.nix

@@ -7,7 +7,7 @@ let
     types
     ;
   inherit (import ../../lib.nix { inherit lib; })
-    dockerComposeRef
+    networkRef
     ;
 in
 {
@@ -15,21 +15,21 @@ in
     driver = mkOption {
       description = ''
         `"none"`, `"host"`, or a platform-specific value.
-        ${dockerComposeRef "driver"}
+        ${networkRef "driver"}
       '';
       type = types.str;
     };
 
     driver_opts = mkOption {
       description = ''
-        ${dockerComposeRef "driver_opts"}
+        ${networkRef "driver_opts"}
       '';
       type = types.lazyAttrsOf types.raw or types.unspecified;
     };
 
     attachable = mkOption {
       description = ''
-        ${dockerComposeRef "attachable"}
+        ${networkRef "attachable"}
       '';
       type = types.bool;
       example = true;
@@ -39,7 +39,7 @@ in
       description = ''
         Whether we've entered the 21st century yet.
         
-        ${dockerComposeRef "enable_ipv6"}
+        ${networkRef "enable_ipv6"}
       '';
       type = types.bool;
     };
@@ -49,7 +49,7 @@ in
       description = ''
         Manage IP addresses.
 
-        ${dockerComposeRef "ipam"}
+        ${networkRef "ipam"}
       '';
       type = types.raw or types.unspecified;
     };
@@ -58,7 +58,7 @@ in
       description = ''
         Achieves "external isolation".
 
-        ${dockerComposeRef "internal"}
+        ${networkRef "internal"}
       '';
       defaultText = false;
       type = types.bool;
@@ -68,7 +68,7 @@ in
       description = ''
         Metadata.
 
-        ${dockerComposeRef "labels"}
+        ${networkRef "labels"}
       '';
       # no list support, because less expressive wrt overriding
       type = types.attrsOf types.str;
@@ -79,7 +79,7 @@ in
         When `true`, don't create or destroy the network, but assume that it
         exists.
 
-        ${dockerComposeRef "external"}
+        ${networkRef "external"}
       '';
       type = types.bool;
     };
@@ -92,7 +92,7 @@ in
 
         Note the `default` network's default `name` is set to `project.name` by Arion.
 
-        ${dockerComposeRef "name"}
+        ${networkRef "name"}
       '';
       type = types.str;
     };

src/nix/modules/service/docker-compose-service.nix

@@ -12,15 +12,9 @@ let
 
   inherit (import ../../lib.nix { inherit lib; })
     link
-    dockerComposeRef
+    serviceRef
     ;
 
-  dockerComposeKitchenSink = ''
-    Analogous to the `docker run` counterpart.
-
-    ${dockerComposeRef "domainname-hostname-ipc-mac_address-privileged-read_only-shm_size-stdin_open-tty-user-working_dir"}
-  '';
-
   cap_add = lib.attrNames (lib.filterAttrs (name: value: value == true) config.service.capabilities);
   cap_drop = lib.attrNames (lib.filterAttrs (name: value: value == false) config.service.capabilities);
 
@@ -56,12 +50,12 @@ in
     service.volumes = mkOption {
       type = listOf types.unspecified;
       default = [];
-      description = dockerComposeRef "volumes";
+      description = serviceRef "volumes";
     };
     service.tmpfs = mkOption {
       type = listOf types.str;
       default = [];
-      description = dockerComposeRef "tmpfs";
+      description = serviceRef "tmpfs";
     };
     service.build.context = mkOption {
       type = nullOr str;
@@ -69,44 +63,65 @@ in
       description = ''
         Locates a Dockerfile to use for creating an image to use in this service.
 
-        ${dockerComposeRef "context"}
+        https://docs.docker.com/compose/compose-file/build/#context
+      '';
+    };
+    service.build.dockerfile = mkOption {
+      type = nullOr str;
+      default = null;
+      description = ''
+        Sets an alternate Dockerfile. A relative path is resolved from the build context.
+        https://docs.docker.com/compose/compose-file/build/#dockerfile
+      '';
+    };
+    service.build.target = mkOption {
+      type = nullOr str;
+      default = null;
+      description = ''
+        Defines the stage to build as defined inside a multi-stage Dockerfile.
+        https://docs.docker.com/compose/compose-file/build/#target
       '';
     };
     service.hostname = mkOption {
       type = nullOr str;
       default = null;
-      description = dockerComposeKitchenSink;
+      description = ''
+        ${serviceRef "hostname"}
+      '';
     };
     service.tty = mkOption {
       type = nullOr bool;
       default = null;
-      description = dockerComposeKitchenSink;
+      description = ''
+        ${serviceRef "tty"}
+      '';
     };
     service.environment = mkOption {
       type = attrsOf (either str int);
       default = {};
-      description = dockerComposeRef "environment";
+      description = serviceRef "environment";
     };
     service.image = mkOption {
-      type = str;
-      description = dockerComposeRef "image";
+      type = nullOr str;
+      default = null;
+      description = serviceRef "image";
     };
     service.command = mkOption {
       type = nullOr types.unspecified;
       default = null;
-      description = dockerComposeRef "command";
+      description = serviceRef "command";
     };
     service.container_name = mkOption {
       type = nullOr types.str;
       default = null;
-      description = dockerComposeRef "container_name";
+      description = serviceRef "container_name";
     };
     service.depends_on =
       let conditionsModule = {
             options = {
               condition = mkOption {
                 type = enum ["service_started" "service_healthy" "service_completed_successfully"];
-                description = dockerComposeRef "depends_on";
+                description = serviceRef "depends_on";
                 default = "service_started";
               };
             };
@@ -114,9 +129,10 @@ in
        in mkOption {
          type = either (listOf str) (attrsOf (submodule conditionsModule));
          default = [];
-         description = dockerComposeRef "depends_on";
+         description = serviceRef "depends_on";
        };
     service.healthcheck = mkOption {
+      description = serviceRef "healthcheck";
       type = submodule ({ config, options, ...}: {
         options = {
           _out = mkOption {
@@ -129,30 +145,30 @@ in
             type = nullOr (listOf str);
             default = null;
             example = [ "CMD" "pg_isready" ];
-            description = dockerComposeRef "healthcheck";
+            description = serviceRef "healthcheck";
           };
           interval = mkOption {
             type = str;
             default = "30s";
             example = "1m";
-            description = dockerComposeRef "healthcheck";
+            description = serviceRef "healthcheck";
           };
           timeout = mkOption {
             type = str;
             default = "30s";
             example = "10s";
-            description = dockerComposeRef "healthcheck";
+            description = serviceRef "healthcheck";
           };
           start_period = mkOption {
             type = str;
             default = "0s";
             example = "30s";
-            description = dockerComposeRef "healthcheck";
+            description = serviceRef "healthcheck";
           };
           retries = mkOption {
             type = int;
             default = 3;
-            description = dockerComposeRef "healthcheck";
+            description = serviceRef "healthcheck";
           };
         };
       });
@@ -164,14 +180,14 @@ in
         See ${link "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"
         "`docker run --device` documentation"}
 
-        ${dockerComposeRef "devices"}
+        ${serviceRef "devices"}
       '';
     };
     service.dns = mkOption {
       type = listOf str;
       default = [];
       example = [ "8.8.8.8" "8.8.4.4" ];
-      description = dockerComposeRef "dns";
+      description = serviceRef "dns";
     };
     service.labels = mkOption {
       type = attrsOf str;
@@ -182,47 +198,58 @@ in
         "traefik.http.routers.my-service.rule" = "Host(`my-service.localhost`)";
         "traefik.http.routers.my-service.entrypoints" = "web";
       };
-      description = dockerComposeRef "labels";
+      description = serviceRef "labels";
     };
     service.links = mkOption {
       type = listOf str;
       default = [];
-      description = dockerComposeRef "links";
+      description = serviceRef "links";
     };
     service.external_links = mkOption {
       type = listOf str;
       default = [];
-      description = dockerComposeRef "external_links";
+      description = serviceRef "external_links";
+    };
+    service.profiles = mkOption {
+      type = listOf str;
+      default = [];
+      description = serviceRef "profiles";
     };
     service.extra_hosts = mkOption {
       type = listOf str;
       default = [];
-      description = dockerComposeRef "extra_hosts";
+      description = serviceRef "extra_hosts";
     };
     service.working_dir = mkOption {
       type = nullOr str;
       default = null;
-      description = dockerComposeKitchenSink;
+      description = ''
+        ${serviceRef "working_dir"}
+      '';
     };
     service.privileged = mkOption {
       type = nullOr bool;
       default = null;
-      description = dockerComposeKitchenSink;
+      description = ''
+        ${serviceRef "privileged"}
+      '';
     };
     service.entrypoint = mkOption {
       type = nullOr str;
       default = null;
-      description = dockerComposeRef "entrypoint";
+      description = serviceRef "entrypoint";
     };
     service.restart = mkOption {
       type = nullOr str;
       default = null;
-      description = dockerComposeRef "restart";
+      description = serviceRef "restart";
     };
     service.user = mkOption {
       type = nullOr str;
       default = null;
-      description = dockerComposeKitchenSink;
+      description = ''
+        ${serviceRef "user"}
+      '';
     };
     service.ports = mkOption {
       type = listOf types.unspecified;
@@ -230,38 +257,76 @@ in
       description = ''
         Expose ports on host. "host:container" or structured.
 
-        ${dockerComposeRef "ports"}
+        ${serviceRef "ports"}
       '';
     };
     service.expose = mkOption {
       type = listOf str;
       default = [];
-      description = dockerComposeRef "expose";
+      description = serviceRef "expose";
     };
     service.env_file = mkOption {
       type = listOf str;
       default = [];
-      description = dockerComposeRef "env_file";
+      description = serviceRef "env_file";
     };
     service.network_mode = mkOption {
       type = nullOr str;
       default = null;
-      description = dockerComposeRef "network_mode";
-    };
-    service.networks = mkOption {
-      type = nullOr (listOf types.str);
-      default = null;
-      description = dockerComposeRef "networks";
+      description = serviceRef "network_mode";
     };
+    service.networks =
+      let
+        networksModule = submodule ({ config, options, ...}: {
+          options = {
+            _out = mkOption {
+              internal = true;
+              readOnly = true;
+              default = lib.mapAttrs (k: opt: opt.value) (lib.filterAttrs (_: opt: opt.isDefined) { inherit (options) aliases ipv4_address ipv6_address link_local_ips priority; });
+            };
+            aliases = mkOption {
+              type = listOf str;
+              description = serviceRef "aliases";
+              default = [ ];
+            };
+            ipv4_address = mkOption {
+              type = str;
+              description = serviceRef "ipv4_address-ipv6_address";
+            };
+            ipv6_address = mkOption {
+              type = str;
+              description = serviceRef "ipv4_address-ipv6_address";
+            };
+            link_local_ips = mkOption {
+              type = listOf str;
+              description = serviceRef "link_local_ips";
+            };
+            priority = mkOption {
+              type = int;
+              description = serviceRef "priority";
+            };
+          };
+        });
+      in
+      mkOption {
+        type = either (listOf str) (attrsOf networksModule);
+        default = [];
+        description = serviceRef "networks";
+      };
     service.stop_signal = mkOption {
       type = nullOr str;
       default = null;
-      description = dockerComposeRef "stop_signal";
+      description = serviceRef "stop_signal";
+    };
+    service.stop_grace_period = mkOption {
+      type = nullOr str;
+      default = null;
+      description = serviceRef "stop_grace_period";
     };
     service.sysctls = mkOption {
       type = attrsOf (either str int);
       default = {};
-      description = dockerComposeRef "sysctls";
+      description = serviceRef "sysctls";
     };
     service.capabilities = mkOption {
       type = attrsOf (nullOr bool);
@@ -272,13 +337,15 @@ in
 
         Setting a capability to `true` means that it will be
         "added". Setting it to `false` means that it will be "dropped".
-        ${dockerComposeRef "cap_add-cap_drop"}
 
         Omitted and `null` capabilities will therefore be set
         according to Docker's ${
           link "https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities"
                "default list of capabilities."
         }
+
+        ${serviceRef "cap_add"}
+        ${serviceRef "cap_drop"}
       '';
     };
   };
@@ -288,10 +355,11 @@ in
       volumes
       environment
       sysctls
-      image
       ;
-  } // lib.optionalAttrs (config.service.build.context != null) {
-    inherit (config.service) build;
+  } // lib.optionalAttrs (config.service.image != null) {
+    inherit (config.service) image;
+  } // lib.optionalAttrs (config.service.build.context != null ) {
+    build = lib.filterAttrs (n: v: v != null)  config.service.build;
   } // lib.optionalAttrs (cap_add != []) {
     inherit cap_add;
   } // lib.optionalAttrs (cap_drop != []) {
@@ -330,12 +398,16 @@ in
     inherit (config.service) privileged;
   } // lib.optionalAttrs (config.service.network_mode != null) {
     inherit (config.service) network_mode;
-  } // lib.optionalAttrs (config.service.networks != null) {
-    inherit (config.service) networks;
+  } // lib.optionalAttrs (config.service.networks != [] && config.service.networks != {}) {
+    networks =
+      if (builtins.isAttrs config.service.networks) then builtins.mapAttrs (_: v: v._out) config.service.networks
+      else config.service.networks;
   } // lib.optionalAttrs (config.service.restart != null) {
     inherit (config.service) restart;
   } // lib.optionalAttrs (config.service.stop_signal != null) {
     inherit (config.service) stop_signal;
+  } // lib.optionalAttrs (config.service.stop_grace_period != null) {
+    inherit (config.service) stop_grace_period;
   } // lib.optionalAttrs (config.service.tmpfs != []) {
     inherit (config.service) tmpfs;
   } // lib.optionalAttrs (config.service.tty != null) {
@@ -344,5 +416,7 @@ in
     inherit (config.service) working_dir;
   } // lib.optionalAttrs (config.service.user != null) {
     inherit (config.service) user;
+  } // lib.optionalAttrs (config.service.profiles != []) {
+    inherit (config.service) profiles;
   };
 }

src/nix/modules/service/extended-info.nix

@@ -12,7 +12,7 @@ in
       type = attrsOf unspecified;
       description = ''
         Information about a service to include in the Docker Compose file,
-        but that will not be used by the `docker-compose`> command
+        but that will not be used by the `docker-compose` command
         itself.
 
         It will be inserted in `x-arion.serviceInfo.<service.name>`.

src/nix/modules/service/host-store.nix

@@ -20,7 +20,7 @@ in
     service.hostStoreAsReadOnly = mkOption {
       type = types.bool;
       default = true;
-      description = "Adds a ':ro' (read-only) access mode to the host nix store bind mount.";
+      description = "Adds a `:ro` (read-only) access mode to the host nix store bind mount.";
     };
     service.useHostNixDaemon = mkOption {
       type = types.bool;

src/nix/modules/service/image.nix

@@ -30,6 +30,7 @@ let
         {
           name = null; tag = null; contents = null; config = null;
           created = null; extraCommands = null; maxLayers = null;
+          fakeRootCommands = null;
         }
         args;
       acceptedArgs = functionArgs dockerTools.streamLayeredImage;
@@ -67,6 +68,8 @@ let
           ln -s $i nix/var/nix/gcroots/docker/$(basename $i)
         done;
       '';
+
+    fakeRootCommands = config.image.fakeRootCommands;
   };
 
   priorityIsDefault = option: option.highestPrio >= (lib.mkDefault true).priority;
@@ -76,18 +79,18 @@ in
     build.image = mkOption {
       type = nullOr package;
       description = ''
-        Docker image derivation to be `docker load`ed.
+        Docker image derivation to be `docker load`-ed.
       '';
       internal = true;
     };
     build.imageName = mkOption {
       type = str;
-      description = "Derived from build.image";
+      description = "Derived from `build.image`";
       internal = true;
     };
     build.imageTag = mkOption {
       type = str;
-      description = "Derived from build.image";
+      description = "Derived from `build.image`";
       internal = true;
     };
     image.nixBuild = mkOption {
@@ -120,13 +123,22 @@ in
          Top level paths in the container.
       '';
     };
+    image.fakeRootCommands = mkOption {
+      type = types.lines;
+      default = "";
+      description = ''
+        Commands that build the root of the container in the current working directory.
+
+        See [`dockerTools.buildLayeredImage`](https://nixos.org/manual/nixpkgs/stable/#ssec-pkgs-dockerTools-buildLayeredImage).
+      '';
+    };
     image.includeStorePaths = mkOption {
       type = bool;
       default = true;
       internal = true;
       description = ''
         Include all referenced store paths. You generally want this in your
-        image, unless you load store paths via some other means, like useHostStore = true;
+        image, unless you load store paths via some other means, like `useHostStore = true`;
       '';
     };
     image.rawConfig = mkOption {
@@ -140,8 +152,8 @@ in
         Please use the specific `image` options instead.
 
         Run-time configuration of the container. A full list of the
-        options is available in the https://github.com/moby/moby/blob/master/image/spec/v1.2.md#image-json-field-descriptions[Docker Image Specification
-        v1.2.0].
+        options is available in the [Docker Image Specification
+        v1.2.0](https://github.com/moby/moby/blob/master/image/spec/v1.2.md#image-json-field-descriptions).
       '';
     };
     image.command = mkOption {
@@ -151,17 +163,19 @@ in
       '';
     };
   };
-  config = {
-    build.image = builtImage;
-    build.imageName = config.build.image.imageName;
-    build.imageTag =
-                 if config.build.image.imageTag != ""
-                 then config.build.image.imageTag
-                 else lib.head (lib.strings.splitString "-" (baseNameOf config.build.image.outPath));
-
-    service.image = lib.mkDefault "${config.build.imageName}:${config.build.imageTag}";
-    image.rawConfig.Cmd = config.image.command;
-
-    image.nixBuild = lib.mkDefault (priorityIsDefault options.service.image);
-  };
+  config = lib.mkMerge [{
+      build.image = builtImage;
+      build.imageName = config.build.image.imageName;
+      build.imageTag =
+                   if config.build.image.imageTag != ""
+                   then config.build.image.imageTag
+                   else lib.head (lib.strings.splitString "-" (baseNameOf config.build.image.outPath));
+      image.rawConfig.Cmd = config.image.command;
+      image.nixBuild = lib.mkDefault (priorityIsDefault options.service.image);
+    }
+    ( lib.mkIf (config.service.build.context == null)
+    {
+      service.image = lib.mkDefault "${config.build.imageName}:${config.build.imageTag}";
+    })
+  ];
 }

src/nix/modules/service/nixos-init.nix

@@ -39,7 +39,7 @@ in
     service.tmpfs = [
       "/run"          # noexec is fine because exes should be symlinked from elsewhere anyway
       "/run/wrappers" # noexec breaks this intentionally
-    ] ++ lib.optional (config.nixos.evaluatedConfig.boot.tmpOnTmpfs) "/tmp:exec,mode=777";
+    ] ++ lib.optional (config.nixos.evaluatedConfig.boot.tmp.useTmpfs) "/tmp:exec,mode=777";
 
     service.stop_signal = "SIGRTMIN+3";
     service.tty = true;

tests/arion-test/default.nix

@@ -1,4 +1,4 @@
-{ usePodman ? false, pkgs, lib, ... }:
+{ usePodman ? false, pkgs, lib ? pkgs.lib, ... }:
 
 let
   # To make some prebuilt derivations available in the vm
@@ -29,17 +29,9 @@ in
       enable = true;
       dockerSocket.enable = true;
     };
-    
-    # no caches, because no internet
-    nix.binaryCaches = lib.mkForce [];
 
-    # FIXME: Sandbox seems broken with current version of NixOS test
-    #        w/ writable store. Error:
-    #        machine# error: linking '/nix/store/7r8z2zvhwda85pgpdn5hzzz6hs1njklc-stdenv-linux.drv.chroot/nix/store/6v3y7s4q4wd16hsw393gjpxvcf9159bv-patch-shebangs.sh' to '/nix/store/6v3y7s4q4wd16hsw393gjpxvcf9159bv-patch-shebangs.sh': Operation not permitted
-    #
-    #        There should be no reason why arion can't run without
-    #        sandboxing, so please re-enable.
-    nix.useSandbox = false;
+    # no caches, because no internet
+    nix.settings.substituters = lib.mkForce [];
 
     virtualisation.writableStore = true;
     # Switch to virtualisation.additionalPaths when dropping all NixOS <= 21.05.
@@ -53,7 +45,7 @@ in
       pkgs.stdenv
     ];
 
-    virtualisation.memorySize = 1024;
+    virtualisation.memorySize = 2048;
     virtualisation.diskSize = 8000;
   };
   testScript = ''

tests/default.nix

@@ -1,46 +0,0 @@
-{ pkgs ? import ../pkgs.nix, arionTestingFlags ? {} }:
-let
-  inherit (pkgs) nixosTest recurseIntoAttrs arion lib;
-
-  hasEvalModulesType = (lib.evalModules { modules = [ {} ]; })?type;
-
-in
-
-recurseIntoAttrs {
-
-  test = nixosTest ./arion-test;
-
-  nixosModuleWithDocker =
-    lib.optionalAttrs
-      hasEvalModulesType
-      (
-        import ./nixos-virtualization-arion-test/test.nix pkgs {
-          virtualisation.arion.backend = "docker";
-        }
-      );
-
-  nixosModuleWithPodman =
-    lib.optionalAttrs
-      (hasEvalModulesType && arionTestingFlags.nixosHasPodmanDockerSocket)
-      (
-        import ./nixos-virtualization-arion-test/test.nix pkgs {
-          virtualisation.arion.backend = "podman-socket";
-        }
-      );
-
-  testWithPodman =
-    if arionTestingFlags.nixosHasPodmanDockerSocket
-    then nixosTest (import ./arion-test { usePodman = true; inherit pkgs lib; })
-    else {};
-
-  testBuild = arion.build {
-
-    # To be more accurately, you can do
-    #   pkgs = import ../examples/minimal/arion-pkgs.nix;
-    # but this is quite efficient:
-    inherit pkgs;
-
-    modules = [ ../examples/minimal/arion-compose.nix ];
-  };
-
-}

tests/flake-module.nix

@@ -0,0 +1,36 @@
+{
+  perSystem = { pkgs, final, ... }:
+    let
+      inherit (final) nixosTest arion lib;
+    in
+    {
+      checks = lib.optionalAttrs pkgs.stdenv.isLinux {
+        test = nixosTest ./arion-test;
+
+        nixosModuleWithDocker =
+          import ./nixos-virtualization-arion-test/test.nix final {
+            virtualisation.arion.backend = "docker";
+          };
+
+        # Currently broken; kafka can't reach zookeeper
+        # nixosModuleWithPodman =
+        #   import ./nixos-virtualization-arion-test/test.nix final {
+        #     virtualisation.arion.backend = "podman-socket";
+        #   };
+
+        testWithPodman =
+          nixosTest (import ./arion-test { usePodman = true; pkgs = final; });
+
+        testBuild = arion.build {
+
+          # To be more accurate, we could do
+          #   pkgs = import ../examples/minimal/arion-pkgs.nix;
+          # But let's avoid re-evaluating Nixpkgs
+          pkgs = final;
+
+          modules = [ ../examples/minimal/arion-compose.nix ];
+        };
+
+      };
+    };
+}

tests/nixos-virtualization-arion-test/test.nix

@@ -4,7 +4,7 @@ pkgs.nixosTest {
   name = "test-basic-arion-kafka";
   nodes = {
     machine = { ... }: {
-      virtualisation.memorySize = 3000;
+      virtualisation.memorySize = 4096;
       virtualisation.diskSize = 10000;
       imports = [
         ../../nixos-module.nix

update-options

@@ -1,9 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash
-
-set -eu -o pipefail
-
-cd "$(dirname ${BASH_SOURCE[0]})"
-
-doc_options="$(nix-build nix -A doc-options)"
-cat "$doc_options" >docs/modules/ROOT/partials/NixOSOptions.adoc