From e53cb5b1967500fbef2cff9fa940bebc468c859e Mon Sep 17 00:00:00 2001 From: Sergey Kuznetsov Date: Thu, 5 Feb 2026 12:36:54 +0000 Subject: [PATCH 1/9] Add nix installation --- docker/debian/Dockerfile | 9 +++++++++ docker/rhel/Dockerfile | 10 ++++++++++ docker/ubuntu/Dockerfile | 9 +++++++++ 3 files changed, 28 insertions(+) diff --git a/docker/debian/Dockerfile b/docker/debian/Dockerfile index 644f6dc..23de258 100644 --- a/docker/debian/Dockerfile +++ b/docker/debian/Dockerfile @@ -46,6 +46,7 @@ pkgs+=(binutils-gold) # Required build tool. pkgs+=(curl) # Dependency for tools requiring downloading data. pkgs+=(dpkg-dev) # Required packaging tool. pkgs+=(debhelper) # Required packaging tool. +pkgs+=(xz-utils) # Required to install nix pkgs+=(file) # Required packaging tool. pkgs+=(git) # Required build tool. pkgs+=(gpg) # Dependency for tools requiring signing or encrypting/decrypting. @@ -191,6 +192,14 @@ rm -rf ccache-${CCACHE_VERSION} ccache --version EOF +# Install nix +RUN < Date: Thu, 5 Feb 2026 13:53:24 +0000 Subject: [PATCH 2/9] Sort packages --- docker/debian/Dockerfile | 4 ++-- docker/rhel/Dockerfile | 4 ++-- docker/ubuntu/Dockerfile | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docker/debian/Dockerfile b/docker/debian/Dockerfile index 23de258..90aaa82 100644 --- a/docker/debian/Dockerfile +++ b/docker/debian/Dockerfile @@ -46,7 +46,6 @@ pkgs+=(binutils-gold) # Required build tool. pkgs+=(curl) # Dependency for tools requiring downloading data. pkgs+=(dpkg-dev) # Required packaging tool. pkgs+=(debhelper) # Required packaging tool. -pkgs+=(xz-utils) # Required to install nix pkgs+=(file) # Required packaging tool. pkgs+=(git) # Required build tool. pkgs+=(gpg) # Dependency for tools requiring signing or encrypting/decrypting. 
@@ -61,6 +60,7 @@ pkgs+=(python3-pip) # Package manager for Python applications. pkgs+=(unzip) # Dependency for tools requiring unzipping files. pkgs+=(vim) # Text editor. pkgs+=(wget) # Required build tool. +pkgs+=(xz-utils) # Required to install nix apt-get update apt-get install -y --no-install-recommends "${pkgs[@]}" apt-get clean @@ -194,7 +194,7 @@ EOF # Install nix RUN < Date: Thu, 5 Feb 2026 14:10:58 +0000 Subject: [PATCH 3/9] Fix nix sourcing issue --- docker/debian/Dockerfile | 8 ++++++-- docker/rhel/Dockerfile | 8 ++++++-- docker/ubuntu/Dockerfile | 8 ++++++-- 3 files changed, 18 insertions(+), 6 deletions(-) diff --git a/docker/debian/Dockerfile b/docker/debian/Dockerfile index 90aaa82..9fa4910 100644 --- a/docker/debian/Dockerfile +++ b/docker/debian/Dockerfile @@ -196,8 +196,11 @@ EOF RUN < Date: Thu, 5 Feb 2026 14:25:41 +0000 Subject: [PATCH 4/9] Fix build --- docker/debian/Dockerfile | 21 ++++++++++++++++++++- docker/rhel/Dockerfile | 8 ++++++++ docker/ubuntu/Dockerfile | 40 +++++++++++++++++++++++++++++++++++++++- 3 files changed, 67 insertions(+), 2 deletions(-) diff --git a/docker/debian/Dockerfile b/docker/debian/Dockerfile index 9fa4910..0b0865f 100644 --- a/docker/debian/Dockerfile +++ b/docker/debian/Dockerfile @@ -203,6 +203,12 @@ sh <(curl --proto '=https' --tlsv1.2 -L https://nixos.org/nix/install) --daemon nix --version EOF +# Add nix to PATH and set NIX environment variables so nix is available in all +# shells including non-interactive shells (e.g., GitHub Actions). +ENV PATH="/nix/var/nix/profiles/default/bin:${PATH}" +ENV NIX_PROFILES="/nix/var/nix/profiles/default" +ENV NIX_SSL_CERT_FILE="/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" + # Set the Conan home directory, so the users of this image can find the default # profile. ENV HOME=/root 
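Review bot: The added `ENV PATH="/nix/var/nix/profiles/default/bin:${PATH}"` puts the nix default profile ahead of the distro directories, so any binary that ends up in that profile shadows the toolchain this image installs from apt. That profile is populated by the installer shown in the hunk header, which is fetched from `https://nixos.org/nix/install` at build time with no version pin or checksum, so the Dockerfile does not fix what it contains. If shadowing is not intended, append instead: `ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"`. Independently of that, consider downloading a versioned installer to a file and comparing it against a recorded SHA-256 before running it. The same three ENV lines are added to docker/rhel/Dockerfile and docker/ubuntu/Dockerfile in this commit.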
@@ -255,8 +261,16 @@ curl --no-progress-meter https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --dear printf "%s\n%s\n" \ "deb [signed-by=/etc/apt/keyrings/llvm.gpg] https://apt.llvm.org/${DEBIAN_VERSION}/ llvm-toolchain-${DEBIAN_VERSION}-${CLANG_VERSION} main" \ | tee /etc/apt/sources.list.d/llvm.list +# As of 2026-02-01, Debian Trixie rejects GPG keys using SHA1 signatures as insecure. +# The LLVM apt repository (apt.llvm.org) GPG key still uses SHA1, causing signature +# verification to fail. We configure apt to allow weak signatures and use +# --allow-unauthenticated for this trusted repository until LLVM updates their signing key. +printf "%s\n" \ + "Acquire::AllowInsecureRepositories \"true\";" \ + "Acquire::AllowWeakRepositories \"true\";" \ + | tee /etc/apt/apt.conf.d/99llvm-allow-weak apt-get update -apt-get install -t llvm-toolchain-${DEBIAN_VERSION}-${CLANG_VERSION} -y --no-install-recommends \ +apt-get install -t llvm-toolchain-${DEBIAN_VERSION}-${CLANG_VERSION} -y --no-install-recommends --allow-unauthenticated \ clang-${CLANG_VERSION} \ libclang-rt-${CLANG_VERSION}-dev \ llvm-${CLANG_VERSION} @@ -352,3 +366,8 @@ cd .. rm -rf test EOF + + + + + diff --git a/docker/rhel/Dockerfile b/docker/rhel/Dockerfile index 5c5e4be..e202cd1 100644 --- a/docker/rhel/Dockerfile +++ b/docker/rhel/Dockerfile @@ -319,6 +319,12 @@ sh <(curl --proto '=https' --tlsv1.2 -L https://nixos.org/nix/install) --daemon nix --version EOF +# Add nix to PATH and set NIX environment variables so nix is available in all +# shells including non-interactive shells (e.g., GitHub Actions). +ENV PATH="/nix/var/nix/profiles/default/bin:${PATH}" +ENV NIX_PROFILES="/nix/var/nix/profiles/default" +ENV NIX_SSL_CERT_FILE="/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" + # Set the Conan home directory, so the users of this image can find the default # profile. ENV HOME=/root @@ -354,3 +360,5 @@ cd .. rm -rf test EOF + + 
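Review bot: The file written to `/etc/apt/apt.conf.d/99llvm-allow-weak` stays in the image and sets `Acquire::AllowInsecureRepositories` and `Acquire::AllowWeakRepositories` for every apt source, not only apt.llvm.org. This affects every later `apt-get` in the build and in containers derived from the image. The added `--allow-unauthenticated` also lets the clang packages install without a verified signature, which leaves the `signed-by=/etc/apt/keyrings/llvm.gpg` entry without effect for this step. If the workaround is needed, confine it to the two commands, for example `apt-get -o Acquire::AllowWeakRepositories=true update`, or end the step with `rm /etc/apt/apt.conf.d/99llvm-allow-weak`. The comment should also state the condition under which the workaround gets removed. The enclosing RUN heredoc starts and ends outside the hunk.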
diff --git a/docker/ubuntu/Dockerfile b/docker/ubuntu/Dockerfile index ab78a7b..6cc09f8 100644 --- a/docker/ubuntu/Dockerfile +++ b/docker/ubuntu/Dockerfile @@ -176,6 +176,12 @@ sh <(curl --proto '=https' --tlsv1.2 -L https://nixos.org/nix/install) --daemon nix --version EOF +# Add nix to PATH and set NIX environment variables so nix is available in all +# shells including non-interactive shells (e.g., GitHub Actions). +ENV PATH="/nix/var/nix/profiles/default/bin:${PATH}" +ENV NIX_PROFILES="/nix/var/nix/profiles/default" +ENV NIX_SSL_CERT_FILE="/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" + # Set the Conan home directory, so the users of this image can find the default # profile. ENV HOME=/root @@ -221,8 +227,15 @@ ARG UBUNTU_VERSION # Install Clang. Some build dependencies require GCC to be also available. ARG CLANG_VERSION RUN < Date: Thu, 5 Feb 2026 16:52:55 +0000 Subject: [PATCH 5/9] Fix reviw comments --- docker/debian/Dockerfile | 6 ------ docker/rhel/Dockerfile | 3 --- 2 files changed, 9 deletions(-) diff --git a/docker/debian/Dockerfile b/docker/debian/Dockerfile index 0b0865f..9bd9ae6 100644 --- a/docker/debian/Dockerfile +++ b/docker/debian/Dockerfile @@ -365,9 +365,3 @@ cd test && ./run.sh clang cd .. rm -rf test EOF - - - - - - diff --git a/docker/rhel/Dockerfile b/docker/rhel/Dockerfile index e202cd1..ee8764e 100644 --- a/docker/rhel/Dockerfile +++ b/docker/rhel/Dockerfile @@ -359,6 +359,3 @@ cd test && ./run.sh clang cd .. rm -rf test EOF - - - From 0859beaf6bbd73c4ae36c6257750d3960eae07b7 Mon Sep 17 00:00:00 2001 From: Sergey Kuznetsov Date: Thu, 5 Feb 2026 17:03:50 +0000 Subject: [PATCH 6/9] Check nix after creating env variables --- docker/debian/Dockerfile | 13 ++++--------- docker/rhel/Dockerfile | 13 ++++--------- docker/ubuntu/Dockerfile | 35 ++++++++--------------------------- 3 files changed, 16 insertions(+), 45 deletions(-) diff --git a/docker/debian/Dockerfile b/docker/debian/Dockerfile index 9bd9ae6..714e745 100644 
--- a/docker/debian/Dockerfile +++ b/docker/debian/Dockerfile @@ -193,15 +193,7 @@ ccache --version EOF # Install nix -RUN < Date: Thu, 5 Feb 2026 17:21:11 +0000 Subject: [PATCH 7/9] Update docker/ubuntu/Dockerfile --- docker/ubuntu/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/ubuntu/Dockerfile b/docker/ubuntu/Dockerfile index 0774136..375f693 100644 --- a/docker/ubuntu/Dockerfile +++ b/docker/ubuntu/Dockerfile @@ -228,7 +228,7 @@ RUN < Date: Thu, 5 Feb 2026 17:21:42 +0000 Subject: [PATCH 8/9] Update docker/ubuntu/Dockerfile --- docker/ubuntu/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/ubuntu/Dockerfile b/docker/ubuntu/Dockerfile index 375f693..6950c05 100644 --- a/docker/ubuntu/Dockerfile +++ b/docker/ubuntu/Dockerfile @@ -228,7 +228,7 @@ RUN < Date: Fri, 6 Feb 2026 10:56:24 +0000 Subject: [PATCH 9/9] Move nix installation --- docker/debian/Dockerfile | 22 ++++++++++------------ docker/rhel/Dockerfile | 22 ++++++++++------------ docker/ubuntu/Dockerfile | 34 ++++++++++------------------------ 3 files changed, 30 insertions(+), 48 deletions(-) diff --git a/docker/debian/Dockerfile b/docker/debian/Dockerfile index 714e745..e2158d0 100644 --- a/docker/debian/Dockerfile +++ b/docker/debian/Dockerfile @@ -97,6 +97,15 @@ ENV RUSTUP_HOME="/opt/rust/.rustup" RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain=${RUST_VERSION} ENV PATH="$CARGO_HOME/bin:$PATH" +# Install nix +RUN sh <(curl --proto '=https' --tlsv1.2 -L https://nixos.org/nix/install) --daemon --yes + +# Add nix to PATH and set NIX environment variables so nix is available in all +# shells including non-interactive shells (e.g., GitHub Actions). +ENV PATH="/nix/var/nix/profiles/default/bin:${PATH}" +ENV NIX_PROFILES="/nix/var/nix/profiles/default" +ENV NIX_SSL_CERT_FILE="/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" + # Print versions. RUN <