feat(persist-nix-var): add per-project /nix/var persistence feature

ckagerer · ckagerer · commit f4167de71b1c · 2026-05-16T13:23:24.000+02:00
Without persisting /nix/var, Nix loses its SQLite database on every
rebuild and re-downloads store paths that are already present in the
shared /nix/store volume. Per-project volume avoids SQLite contention
when multiple devcontainers share the store simultaneously.
diff --git a/src/persist-nix-store/README.md b/src/persist-nix-store/README.md
@@ -1,7 +1,7 @@
 # Persist Nix store (persist-nix-store)
 
-Mounts a named Docker volume at `/nix/store` so the Nix package store survives container rebuilds
-without re-downloading packages.
+Mounts a shared named Docker volume at `/nix/store` so the Nix package store survives container
+rebuilds without re-downloading packages.
 
 ## Example Usage
 
@@ -11,27 +11,33 @@ without re-downloading packages.
 }
 ```
 
-Combine with the [chezmoi](../chezmoi/) feature and `defer_scripts: true` to skip Nix downloads on
-every rebuild:
+Combine with [persist-nix-var](../persist-nix-var/) so Nix also retains its database across
+rebuilds and recognises already-present store paths. Add the [chezmoi](../chezmoi/) feature with
+`defer_scripts: true` to run Nix installation at post-create time (when the volumes are mounted):
 
 ```json
 "features": {
     "ghcr.io/ckagerer/devcontainer-features/chezmoi:1": {
         "dotfiles_repo": "your-user/dotfiles",
         "defer_scripts": true
     },
-    "ghcr.io/ckagerer/devcontainer-features/persist-nix-store:1": {}
+    "ghcr.io/ckagerer/devcontainer-features/persist-nix-store:1": {},
+    "ghcr.io/ckagerer/devcontainer-features/persist-nix-var:1": {}
 }
 ```
 
 ## How It Works
 
 The volume is mounted at `/nix/store` — not at `/nix`. This is intentional:
 
-- `/nix/store` is content-addressable and designed for concurrent read access. Multiple devcontainers
-  can share the same volume safely, even when open simultaneously.
-- `/nix/var` (the Nix SQLite database, profiles, and GC roots) stays inside each container's own
-  writable layer. Sharing it would cause database corruption under concurrent writes.
+- `/nix/store` is content-addressable and safe for concurrent reads. Multiple devcontainers
+  can share the same volume simultaneously without conflicts.
+- `/nix/var` (the Nix SQLite database, profiles, and GC roots) is handled separately by
+  [persist-nix-var](../persist-nix-var/), which uses a per-project volume to avoid SQLite
+  write contention between concurrent containers.
+
+Without `persist-nix-var`, Nix loses its database on every rebuild and re-downloads packages
+that are already present in the store.
 
 During build, `install.sh` pre-creates `/nix/store` with the remote user's ownership. Docker seeds
 an empty named volume from the image layer on first mount, so the directory is writable by the Nix
diff --git a/src/persist-nix-var/README.md b/src/persist-nix-var/README.md
@@ -0,0 +1,50 @@
+# Persist Nix var (persist-nix-var)
+
+Mounts a per-project named Docker volume at `/nix/var` so the Nix SQLite database,
+user profiles, and GC roots survive container rebuilds.
+
+Without this feature, Nix loses its database on every rebuild and re-downloads packages
+that are already present in `/nix/store` — even when used together with
+[persist-nix-store](../persist-nix-store/).
+
+## Example Usage
+
+```json
+"features": {
+    "ghcr.io/ckagerer/devcontainer-features/persist-nix-store:1": {},
+    "ghcr.io/ckagerer/devcontainer-features/persist-nix-var:1": {}
+}
+```
+
+Combine with the [chezmoi](../chezmoi/) feature and `defer_scripts: true` to fully skip
+Nix downloads on rebuilds:
+
+```json
+"features": {
+    "ghcr.io/ckagerer/devcontainer-features/chezmoi:1": {
+        "dotfiles_repo": "your-user/dotfiles",
+        "defer_scripts": true
+    },
+    "ghcr.io/ckagerer/devcontainer-features/persist-nix-store:1": {},
+    "ghcr.io/ckagerer/devcontainer-features/persist-nix-var:1": {}
+}
+```
+
+## How It Works
+
+The volume is mounted at `/nix/var` — not at `/nix`. This is intentional:
+
+- `/nix/var` contains the Nix SQLite database (`db/`), per-user profiles (`profiles/`),
+  and GC roots (`gcroots/`). Persisting it ensures Nix recognises store paths that are
+  already present in `/nix/store` and skips redundant downloads.
+- The volume is **per-project** (named with `${localWorkspaceFolderBasename}` and
+  `${devcontainerId}`), so concurrent devcontainers each have their own isolated database.
+  This avoids SQLite write contention and profile conflicts that would occur with a shared
+  `/nix/var`.
+
+## Volume Name
+
+The volume is named `devcontainer-<project>-persist-nix-var-<id>` and is scoped to each
+devcontainer. Combined with the shared `devcontainer-nix-store` volume from
+[persist-nix-store](../persist-nix-store/), packages are downloaded once and registered
+once per project — surviving all subsequent rebuilds.
diff --git a/src/persist-nix-var/devcontainer-feature.json b/src/persist-nix-var/devcontainer-feature.json
@@ -0,0 +1,19 @@
+{
+    "name": "persist-nix-var",
+    "id": "persist-nix-var",
+    "version": "1.0.0",
+    "description": "Mounts a per-project named volume at /nix/var to persist the Nix database, profiles, and GC roots across devcontainer rebuilds. Use together with persist-nix-store so the Nix daemon recognises already-downloaded store paths and skips redundant downloads.",
+    "documentationURL": "https://github.com/ckagerer/devcontainer-features/tree/main/src/persist-nix-var",
+    "options": {},
+    "installsAfter": [
+        "ghcr.io/devcontainers/features/common-utils",
+        "ghcr.io/ckagerer/devcontainer-features/persist-nix-store"
+    ],
+    "mounts": [
+        {
+            "source": "devcontainer-${localWorkspaceFolderBasename}-persist-nix-var-${devcontainerId}",
+            "target": "/nix/var",
+            "type": "volume"
+        }
+    ]
+}
diff --git a/src/persist-nix-var/install.sh b/src/persist-nix-var/install.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# (C) Copyright 2026 Christian Kagerer
+# Purpose: Pre-create /nix/var with correct ownership so Docker seeds the
+# per-project named volume from the image layer on first mount.
+#
+# The volume is mounted at /nix/var (not /nix) so each project keeps its own
+# Nix SQLite database, profiles, and GC roots — avoiding lock contention when
+# multiple devcontainers share the same /nix/store volume simultaneously.
+
+set -o errexit -o nounset -o pipefail
+
+mkdir -p /nix/var
+chown "${_REMOTE_USER}:$(id -gn "${_REMOTE_USER}")" /nix /nix/var
+chmod 755 /nix /nix/var
+
+echo "Done"
diff --git a/test/persist-nix-var/non_root_user.sh b/test/persist-nix-var/non_root_user.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+# Tests that /nix/var is owned and writable by the non-root remote user.
+
+set -e
+
+# shellcheck source=/dev/null
+source dev-container-features-test-lib
+
+check "/nix/var directory exists" test -d /nix/var
+check "/nix/var is writable by the current user" test -w /nix/var
+# shellcheck disable=SC2016
+check "/nix/var permissions are 755" sh -c '[ "$(stat -c "%a" /nix/var)" = "755" ]'
+# shellcheck disable=SC2016
+check "/nix/var is owned by the current user" sh -c '[ "$(stat -c "%U" /nix/var)" = "$(id -un)" ]'
+# shellcheck disable=SC2016
+check "/nix is owned by the current user" sh -c '[ "$(stat -c "%U" /nix)" = "$(id -un)" ]'
+
+reportResults
diff --git a/test/persist-nix-var/scenarios.json b/test/persist-nix-var/scenarios.json
@@ -0,0 +1,16 @@
+{
+    "non_root_user": {
+        "image": "ubuntu:jammy",
+        "features": {
+            "ghcr.io/devcontainers/features/common-utils:1": {
+                "installZsh": false,
+                "installOhMyZsh": false,
+                "upgradePackages": false,
+                "username": "octocat"
+            },
+            "persist-nix-store": {},
+            "persist-nix-var": {}
+        },
+        "remoteUser": "octocat"
+    }
+}
diff --git a/test/persist-nix-var/test.sh b/test/persist-nix-var/test.sh
@@ -0,0 +1,32 @@
+#!/bin/bash
+
+# This test file will be executed against an auto-generated devcontainer.json that
+# includes the 'persist-nix-var' Feature with no options.
+#
+# For more information, see: https://github.com/devcontainers/cli/blob/main/docs/features/test.md
+#
+# These scripts are run as 'root' by default. Although that can be changed
+# with the '--remote-user' flag.
+#
+# This test can be run with the following command:
+#
+#    devcontainer features test    \
+#               --features persist-nix-var   \
+#               --remote-user root \
+#               --skip-scenarios   \
+#               --base-image mcr.microsoft.com/devcontainers/base:ubuntu \
+#               /path/to/this/repo
+
+set -e
+
+# shellcheck source=/dev/null
+source dev-container-features-test-lib
+
+check "/nix/var directory exists" test -d /nix/var
+check "/nix/var is writable" test -w /nix/var
+# shellcheck disable=SC2016
+check "/nix/var permissions are 755" sh -c '[ "$(stat -c "%a" /nix/var)" = "755" ]'
+# shellcheck disable=SC2016
+check "/nix permissions are 755" sh -c '[ "$(stat -c "%a" /nix)" = "755" ]'
+
+reportResults
