nix: validate checksums

[viceice]

• use releases instead of hydra, should work for v2+
• use 0 for patch from v2.5+
• sha256
• https://releases.nixos.org/?prefix=nix/

[sandydoo]

I tried porting the installer to typescript yesterday and I few things came up that I thought were worth relaying here:

1. https://releases.nixos.org/?prefix=nix/ uses javascript to list an S3 bucket. We could list the bucket directly instead (https://nix-releases.s3.amazonaws.com/?delimiter=/&prefix=nix/) and parse the XML to fetch the latest version.

2. Unlike the static build on Hydra, the releases are not statically compiled. I imagine the binary is linked to the store paths that ship with the release tar.

3. We could run the install script that ships with the tarball to set this all up. Unfortunately, it doesn't support being run as root. It needs another user and access to sudo.

   We might be able to get it to work as root though. It's a pretty short script. Or, if a fully working installation isn't necessary, we can manually replicate the required steps.

   There is an alternative installer https://github.com/DeterminateSystems/nix-installer. It's far more robust, supports specifying the exact version of Nix to install, and officially supports docker containers. However, it's important to note that it is unofficial and is maintained by third-party company.

[viceice]

I'm thinking about building our own static nix build. do you know an easy way to build this with an docker image?

[sandydoo]

I suppose the easiest way would be to use the nixos/nix container, checkout the nix repo by tag, and run nix build .#nix-static.

[viceice]

• https://github.com/containerbase/nix-prebuild

[viceice]

@sandydoo after #3087 is merged it should be easier to port to typescript 🤗