third_party/nix: make nix-env reusable
Change-Id: I19ffb94d0822044ad19b8454f91d2186209d3510
Reviewed-on: https://review.monogon.dev/c/monogon/+/2184
Tested-by: Jenkins CI
Reviewed-by: Serge Bazanski <serge@monogon.tech>
diff --git a/shell.nix b/shell.nix
index 2ae043c..3963630 100644
--- a/shell.nix
+++ b/shell.nix
@@ -1,94 +1,6 @@
-{ command ? "bash --noprofile --norc" }:
# If you're on NixOS, use me! `nix-shell --pure`.
-with import (fetchTarball {
- # nixpkgs 23.05 as of 2023/07/19
- url = "https://github.com/NixOS/nixpkgs/archive/2fadc2426928c844054cd28fabe231ff26a70715.tar.gz";
- sha256 = "sha256:06hpcqhaaqvd5gjcz2ps9lz6q2sf5fwgl5rwllpyl9x4g5g95ahv";
-}) {};
+{ sources ? import third_party/nix/sources.nix }:
let
- wrapper = pkgs.writeScript "wrapper.sh"
- ''
- # Fancy colorful PS1 to make people notice easily they're in the Monogon Nix shell.
- PS1='\[\033]0;\u/monogon:\w\007\]'
- if type -P dircolors >/dev/null ; then
- PS1+='\[\033[01;35m\]\u/monogon\[\033[01;36m\] \w \$\[\033[00m\] '
- fi
- export PS1
-
- # Use Nix-provided cert store.
- export NIX_SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt"
- export SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt"
-
- # Let some downstream machinery know we're on NixOS. This is used mostly to
- # work around Bazel/NixOS interactions.
- export MONOGON_NIXOS=yep
-
- # Convince rules_go to use /bin/bash and not a NixOS store bash which has
- # no idea how to resolve other things in the nix store once PATH is
- # stripped by (host_)action_env.
- export BAZEL_SH=/bin/bash
-
- # Allow passing a custom command via env since nix-shell doesn't support
- # this yet: https://github.com/NixOS/nix/issues/534
- if [ ! -n "$COMMAND" ]; then
- COMMAND="bash --noprofile --norc"
- fi
- exec $COMMAND
- '';
+ pkgs = import sources.nixpkgs {};
in
-(pkgs.buildFHSUserEnv {
- name = "monogon-nix";
- targetPkgs = pkgs: with pkgs; [
- git
- buildifier
- (stdenv.mkDerivation {
- name = "bazel";
- src = builtins.fetchurl {
- url = https://github.com/bazelbuild/bazel/releases/download/5.4.0/bazel-5.4.0-linux-x86_64;
- sha256 = "1w58m1brwjfwsv48fmd66inry67m4vgb3bwvwmamhdv099v183jg";
- };
- unpackPhase = ''
- true
- '';
- buildPhase = ''
- mkdir -p $out/bin
- cp $src $out/bin/.bazel-inner
- chmod +x $out/bin/.bazel-inner
-
- cat > $out/bin/bazel <<EOF
- #!/usr/bin/bash
- export BAZEL_REAL=$out/bin/.bazel-inner
- function get_workspace_root() {
- workspace_dir="\''${PWD}"
- while [[ "\''${workspace_dir}" != / ]]; do
- if [[ -e "\''${workspace_dir}/WORKSPACE" || -e "\''${workspace_dir}/WORKSPACE.bazel" ]]; then
- readonly workspace_dir
- return
- fi
- workspace_dir="$(dirname "\''${workspace_dir}")"
- done
- readonly workspace_dir=""
- }
-
- get_workspace_root
- readonly wrapper="\''${workspace_dir}/tools/bazel"
- if [ -f "\''${wrapper}" ]; then
- exec -a "\$0" "\''${wrapper}" "\$@"
- fi
- exec -a "\$0" "\''${BAZEL_REAL}" "\$@"
- EOF
- chmod +x $out/bin/bazel
- '';
- dontStrip = true;
- })
- zlib
- curl
- gcc
- binutils
- openjdk11
- patch
- python3
- ];
- runScript = wrapper;
-}).env
-
+(import third_party/nix/env.nix { inherit pkgs; }).env
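Review bot: The nixpkgs pin that the removed inline `fetchTarball` enforced can now be bypassed from the environment, and nothing in shell.nix says so. `pkgs = import sources.nixpkgs {};` goes through `replace` in third_party/nix/sources.nix, which returns the path named by `NIV_OVERRIDE_nixpkgs` instead of the sha256-checked tarball whenever that variable is non-empty at evaluation time. `nix-shell --pure` cleans the environment of the resulting shell but, as far as I can tell, not what `builtins.getEnv` sees during evaluation, so CI jobs should make sure the variable is unset. I would add a comment above the `let`, e.g. `# sources.nix honours NIV_OVERRIDE_<name>; keep it unset wherever the pinned nixpkgs must be used.` This hunk also moves the pin from 2fadc2426928c844054cd28fabe231ff26a70715 to the rev recorded in sources.json, which the commit message does not mention.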
diff --git a/third_party/nix/env.nix b/third_party/nix/env.nix
new file mode 100644
index 0000000..473e0fd
--- /dev/null
+++ b/third_party/nix/env.nix
@@ -0,0 +1,92 @@
+{ pkgs, extraConf ? "" }: with pkgs;
+let
+ wrapper = pkgs.writeScript "wrapper.sh"
+ ''
+ # Fancy colorful PS1 to make people notice easily they're in the Monogon Nix shell.
+ PS1='\[\033]0;\u/monogon:\w\007\]'
+ if type -P dircolors >/dev/null ; then
+ PS1+='\[\033[01;35m\]\u/monogon\[\033[01;36m\] \w \$\[\033[00m\] '
+ fi
+ export PS1
+
+ # Use Nix-provided cert store.
+ export NIX_SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt"
+ export SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt"
+
+ # Let some downstream machinery know we're on NixOS. This is used mostly to
+ # work around Bazel/NixOS interactions.
+ export MONOGON_NIXOS=yep
+
+ # Convince rules_go to use /bin/bash and not a NixOS store bash which has
+ # no idea how to resolve other things in the nix store once PATH is
+ # stripped by (host_)action_env.
+ export BAZEL_SH=/bin/bash
+
+ ${extraConf}
+
+ # Allow passing a custom command via env since nix-shell doesn't support
+ # this yet: https://github.com/NixOS/nix/issues/534
+ if [ ! -n "$COMMAND" ]; then
+ COMMAND="bash --noprofile --norc"
+ fi
+ exec $COMMAND
+ '';
+in
+(pkgs.buildFHSUserEnv {
+ name = "monogon-nix";
+ targetPkgs = pkgs: with pkgs; [
+ git
+ buildifier
+ (stdenv.mkDerivation {
+ name = "bazel";
+ src = builtins.fetchurl {
+ url = https://github.com/bazelbuild/bazel/releases/download/5.4.0/bazel-5.4.0-linux-x86_64;
+ sha256 = "1w58m1brwjfwsv48fmd66inry67m4vgb3bwvwmamhdv099v183jg";
+ };
+ unpackPhase = ''
+ true
+ '';
+ buildPhase = ''
+ mkdir -p $out/bin
+ cp $src $out/bin/.bazel-inner
+ chmod +x $out/bin/.bazel-inner
+
+ cat > $out/bin/bazel <<EOF
+ #!/usr/bin/bash
+ export BAZEL_REAL=$out/bin/.bazel-inner
+ function get_workspace_root() {
+ workspace_dir="\''${PWD}"
+ while [[ "\''${workspace_dir}" != / ]]; do
+ if [[ -e "\''${workspace_dir}/WORKSPACE" || -e "\''${workspace_dir}/WORKSPACE.bazel" ]]; then
+ readonly workspace_dir
+ return
+ fi
+ workspace_dir="$(dirname "\''${workspace_dir}")"
+ done
+ readonly workspace_dir=""
+ }
+
+ get_workspace_root
+ readonly wrapper="\''${workspace_dir}/tools/bazel"
+ if [ -f "\''${wrapper}" ]; then
+ exec -a "\$0" "\''${wrapper}" "\$@"
+ fi
+ exec -a "\$0" "\''${BAZEL_REAL}" "\$@"
+ EOF
+ chmod +x $out/bin/bazel
+ '';
+ dontStrip = true;
+ })
+ zlib
+ curl
+ gcc
+ binutils
+ openjdk11
+ patch
+ python3
+ busybox
+ niv
+ google-cloud-sdk
+ ];
+ runScript = wrapper;
+})
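Review bot: `extraConf` in the function header is undocumented, yet `${extraConf}` is pasted verbatim into wrapper.sh and runs as shell in every session just before `exec $COMMAND`. A header comment should state that contract, e.g. `# extraConf: shell snippet appended verbatim to wrapper.sh; pass only trusted, static text.` Nothing escapes or validates the string, so a caller that assembles it from paths or other variables should quote those parts with `lib.escapeShellArg`. The same hunk also adds `busybox`, `niv` and `google-cloud-sdk` to `targetPkgs`, which goes beyond the move the title describes and deserves a line in the commit message.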
diff --git a/third_party/nix/sources.json b/third_party/nix/sources.json
new file mode 100644
index 0000000..0e9dd95
--- /dev/null
+++ b/third_party/nix/sources.json
@@ -0,0 +1,14 @@
+{
+ "nixpkgs": {
+ "branch": "release-23.05",
+ "description": "Nix Packages collection",
+ "homepage": null,
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "b9fc1843e64c11665ef440d02ecb6b3980a62756",
+ "sha256": "0krzc81cn1vfblhljw9wgx1wkfwlifh9dy3z3c64yhkh3xy6pfji",
+ "type": "tarball",
+ "url": "https://github.com/NixOS/nixpkgs/archive/b9fc1843e64c11665ef440d02ecb6b3980a62756.tar.gz",
+ "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
+ }
+}
diff --git a/third_party/nix/sources.nix b/third_party/nix/sources.nix
new file mode 100644
index 0000000..fe3dadf
--- /dev/null
+++ b/third_party/nix/sources.nix
@@ -0,0 +1,198 @@
+# This file has been generated by Niv.
+
+let
+
+ #
+ # The fetchers. fetch_<type> fetches specs of type <type>.
+ #
+
+ fetch_file = pkgs: name: spec:
+ let
+ name' = sanitizeName name + "-src";
+ in
+ if spec.builtin or true then
+ builtins_fetchurl { inherit (spec) url sha256; name = name'; }
+ else
+ pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
+
+ fetch_tarball = pkgs: name: spec:
+ let
+ name' = sanitizeName name + "-src";
+ in
+ if spec.builtin or true then
+ builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
+ else
+ pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
+
+ fetch_git = name: spec:
+ let
+ ref =
+ spec.ref or (
+ if spec ? branch then "refs/heads/${spec.branch}" else
+ if spec ? tag then "refs/tags/${spec.tag}" else
+ abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"
+ );
+ submodules = spec.submodules or false;
+ submoduleArg =
+ let
+ nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
+ emptyArgWithWarning =
+ if submodules
+ then
+ builtins.trace
+ (
+ "The niv input \"${name}\" uses submodules "
+ + "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
+ + "does not support them"
+ )
+ { }
+ else { };
+ in
+ if nixSupportsSubmodules
+ then { inherit submodules; }
+ else emptyArgWithWarning;
+ in
+ builtins.fetchGit
+ ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
+
+ fetch_local = spec: spec.path;
+
+ fetch_builtin-tarball = name: throw
+ ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
+ $ niv modify ${name} -a type=tarball -a builtin=true'';
+
+ fetch_builtin-url = name: throw
+ ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
+ $ niv modify ${name} -a type=file -a builtin=true'';
+
+ #
+ # Various helpers
+ #
+
+ # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
+ sanitizeName = name:
+ (
+ concatMapStrings (s: if builtins.isList s then "-" else s)
+ (
+ builtins.split "[^[:alnum:]+._?=-]+"
+ ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
+ )
+ );
+
+ # The set of packages used when specs are fetched using non-builtins.
+ mkPkgs = sources: system:
+ let
+ sourcesNixpkgs =
+ import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
+ hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
+ hasThisAsNixpkgsPath = <nixpkgs> == ./.;
+ in
+ if builtins.hasAttr "nixpkgs" sources
+ then sourcesNixpkgs
+ else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
+ import <nixpkgs> { }
+ else
+ abort
+ ''
+ Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
+ add a package called "nixpkgs" to your sources.json.
+ '';
+
+ # The actual fetching function.
+ fetch = pkgs: name: spec:
+
+ if ! builtins.hasAttr "type" spec then
+ abort "ERROR: niv spec ${name} does not have a 'type' attribute"
+ else if spec.type == "file" then fetch_file pkgs name spec
+ else if spec.type == "tarball" then fetch_tarball pkgs name spec
+ else if spec.type == "git" then fetch_git name spec
+ else if spec.type == "local" then fetch_local spec
+ else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
+ else if spec.type == "builtin-url" then fetch_builtin-url name
+ else
+ abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
+
+ # If the environment variable NIV_OVERRIDE_${name} is set, then use
+ # the path directly as opposed to the fetched source.
+ replace = name: drv:
+ let
+ saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
+ ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
+ in
+ if ersatz == "" then drv else
+ # this turns the string into an actual Nix path (for both absolute and
+ # relative paths)
+ if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
+
+ # Ports of functions for older nix versions
+
+ # a Nix version of mapAttrs if the built-in doesn't exist
+ mapAttrs = builtins.mapAttrs or (
+ f: set: with builtins;
+ listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
+ );
+
+ # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
+ range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
+
+ # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
+ stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
+
+ # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
+ stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
+ concatMapStrings = f: list: concatStrings (map f list);
+ concatStrings = builtins.concatStringsSep "";
+
+ # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
+ optionalAttrs = cond: as: if cond then as else { };
+
+ # fetchTarball version that is compatible between all the versions of Nix
+ builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
+ let
+ inherit (builtins) lessThan nixVersion fetchTarball;
+ in
+ if lessThan nixVersion "1.12" then
+ fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
+ else
+ fetchTarball attrs;
+
+ # fetchurl version that is compatible between all the versions of Nix
+ builtins_fetchurl = { url, name ? null, sha256 }@attrs:
+ let
+ inherit (builtins) lessThan nixVersion fetchurl;
+ in
+ if lessThan nixVersion "1.12" then
+ fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
+ else
+ fetchurl attrs;
+
+ # Create the final "sources" from the config
+ mkSources = config:
+ mapAttrs
+ (
+ name: spec:
+ if builtins.hasAttr "outPath" spec
+ then
+ abort
+ "The values in sources.json should not have an 'outPath' attribute"
+ else
+ spec // { outPath = replace name (fetch config.pkgs name spec); }
+ )
+ config.sources;
+
+ # The "config" used by the fetchers
+ mkConfig =
+ { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
+ , sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile)
+ , system ? builtins.currentSystem
+ , pkgs ? mkPkgs sources system
+ }: rec {
+ # The sources, i.e. the attribute set of spec name to spec
+ inherit sources;
+
+ # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
+ inherit pkgs;
+ };
+
+in
+mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); }