1 files changed, 23 insertions, 2 deletions

diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
index 75e279afdc37..584beb3d89b8 100644
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@@ -32,7 +32,28 @@ rec {
     inherit pkgs buildImage pullImage shadowSetup buildImageWithNixDb;
   };
 
-  pullImage = callPackage ./pull.nix {};
+  pullImage =
+    let
+      fixName = name: builtins.replaceStrings ["/" ":"] ["-" "-"] name;
+    in {
+      imageName,
+      # To find the digest of an image, you can use skopeo:
+      # skopeo inspect docker://docker.io/nixos/nix:1.11 | jq -r '.Digest'
+      # sha256:20d9485b25ecfd89204e843a962c1bd70e9cc6858d65d7f5fadc340246e2116b
+      imageDigest,
+      sha256,
+      # This used to set a tag to the pulled image
+      finalImageTag ? "latest",
+      name ? (fixName "docker-image-${imageName}-${finalImageTag}.tar") }:
+      runCommand name {
+        impureEnvVars=pkgs.stdenv.lib.fetchers.proxyImpureEnvVars;
+        outputHashMode="flat";
+        outputHashAlgo="sha256";
+        outputHash=sha256;
+      }
+      ''
+        ${pkgs.skopeo}/bin/skopeo copy docker://${imageName}@${imageDigest} docker-archive://$out:${imageName}:${finalImageTag}
+      '';
 
   # We need to sum layer.tar, not a directory, hence tarsum instead of nix-hash.
   # And we cannot untar it, because then we cannot preserve permissions ecc.
@@ -560,7 +581,7 @@ rec {
         chmod -R a-w image
 
         echo "Cooking the image..."
-        tar -C image --hard-dereference --sort=name --mtime="@$SOURCE_DATE_EPOCH" --owner=0 --group=0 --xform s:'./':: -c . | pigz -nT > $out
+        tar -C image --hard-dereference --sort=name --mtime="@$SOURCE_DATE_EPOCH" --owner=0 --group=0 --xform s:'^./':: -c . | pigz -nT > $out
 
         echo "Finished."
       '';