docker: use callPackage, parametrise the image build#13354

Merged: Mic92 merged 3 commits into NixOS:master from drupol:push-sopslzmmlqxu on Jun 13, 2025

drupol (Contributor) commented Jun 12, 2025

Motivation

At work, I needed to prepare a custom Nix Docker image to support our internal setup, which relies on a private GitLab instance secured with custom SSL certificates. My initial intention was to reuse the official docker.nix recipe and simply inject the custom certificates. Unfortunately, this was not straightforward, as the set of packages included in the image is not exposed as configurable parameters. It may be possible to override them in a more advanced way, but I have not found a clean solution yet.

To work around this, I copied the docker.nix file into our project and modified it so that the packages injected into the final Docker image are now passed as parameters. This gives me full control over the contents of the image, including the ability to add our custom certificates and tools.

This PR implements the changes that I made in my own docker.nix; I guess it will be useful for some others.

If this PR gets merged, then I'll update my project, remove the duplicated docker.nix file and use something similar to:

{
  inputs,
  ...
}:
let
  # The path must be a quoted string for the interpolation to parse.
  myImage = callPackage "${inputs.nix}/docker.nix" {
    cacert = cacert.override { /* ... */ };
  };
in
  myImage

The old image size is:

❯ nix path-info -Sh ./result.old
/nix/store/npdf6xk88whw7jpmzyfxmzmcj3n2hy04-docker-image-tarball-2.30.0pre20250611_371fcf9       206.6 MiB

The new image size is:

❯ nix path-info -Sh ./result.new 
/nix/store/6fh0030cyh50jhmaxz9f50z3cx92q3kc-docker-image-tarball-2.30.0pre20250612_053cf5c       134.2 MiB
❯

There's a size gain of around 17%.


@drupol drupol force-pushed the push-sopslzmmlqxu branch 2 times, most recently from 053cf5c to 585b3e5 Compare June 12, 2025 17:28
@drupol drupol force-pushed the push-sopslzmmlqxu branch from 585b3e5 to 6eb4ee6 Compare June 12, 2025 17:51
@drupol drupol marked this pull request as ready for review June 12, 2025 18:06
@drupol drupol requested a review from edolstra as a code owner June 12, 2025 18:06
@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/nix-official-docker-image-with-custom-ssl-certificate/65527/3

@Mic92 Mic92 merged commit 918ac6b into NixOS:master Jun 13, 2025
13 checks passed
@drupol drupol deleted the push-sopslzmmlqxu branch June 13, 2025 05:17
drupol (Contributor, Author) commented Jun 13, 2025

Thanks!

Labels

backports ignored Seen but not applied

4 participants