by moredhel 3214 days ago
As a sibling mentions, Nix has support for building Docker images. The syntax is declarative by default but does allow for an escape hatch, if required, to run custom commands[1].

The support is decent and has a couple of interesting properties.

The first is bringing all of the stateful code (`apt update` etc.) out of the image. It is not necessary for it to be there in the first place. Because the packages are updated outside the container, and because of the way Nix caching works, we don't need to worry about security fixes being missed because of Docker caching.

Another benefit is declaratively building the image. This gives us a guarantee that we will get the same image on two machines. They are currently working towards reproducible builds, meaning we will get to a point where two builds will produce _exactly_ the same Docker image.

I agree with all that you're saying; Dockerfiles seem to be artificially constrained and a poor interface for building images.

[1] https://nixos.org/nixpkgs/manual/#sec-pkgs-dockerTools
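A minimal `dockerTools.buildImage` expression illustrating the two properties the comment describes (image contents resolved declaratively from a Nix package set, with `runAsRoot` as the escape hatch for imperative steps). This is an example added here, not code from the comment above or from the nixpkgs manual; the image name, the packages included, the `app` user and the `/data` directory are assumptions chosen for illustration.

```nix
# docker.nix  (added example; not from the comment or nixpkgs docs)
#
# Build and load:
#   nix-build docker.nix && docker load < result
#
# `<nixpkgs>` comes from NIX_PATH here for brevity. For the reproducibility
# the comment talks about, replace it with a pinned checkout, e.g.
# `import (fetchTarball { url = ...; sha256 = ...; }) {}`, so that every
# package version is fixed by the expression rather than by "whatever the
# mirror serves today" as with `apt update` inside a Dockerfile.
{ pkgs ? import <nixpkgs> {} }:

pkgs.dockerTools.buildImage {
  name = "nix-hello";   # assumed image name
  tag  = "latest";

  # Declarative contents: each entry is a Nix store path whose version is
  # determined by the package set above, not by a command run at build time.
  # (Older nixpkgs releases call this attribute `contents` instead.)
  copyToRoot = pkgs.buildEnv {
    name = "image-root";
    paths = [ pkgs.hello pkgs.coreutils pkgs.bashInteractive ];
    pathsToLink = [ "/bin" ];
  };

  # Escape hatch: a script run as root inside a build VM. Used here only for
  # filesystem state that has no declarative equivalent (user/group accounts,
  # a writable data directory), not for installing packages.
  runAsRoot = ''
    #!${pkgs.runtimeShell}
    ${pkgs.dockerTools.shadowSetup}
    groupadd -r app
    useradd -r -g app -d /var/empty -s /bin/false app
    mkdir -p /data
    chown app:app /data
  '';

  # Image configuration that would otherwise be Dockerfile directives.
  # Running as an unprivileged user is an assumption of this example.
  config = {
    Cmd        = [ "/bin/hello" ];
    User       = "app";
    WorkingDir = "/data";
    Env        = [ "PATH=/bin" ];
  };
}
```

With `nix-build`, the resulting `result` symlink points at a tarball that `docker load` imports. Rebuilding with the same pinned nixpkgs yields the same store paths, so a security fix arrives by bumping the pin and rebuilding, rather than by hoping a cached `RUN apt-get update` layer is invalidated.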