{ description = "The Determinate Nix Installer"; inputs = { nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1.0.tar.gz"; fenix = { url = "https://flakehub.com/f/nix-community/fenix/0.1.1584.tar.gz"; inputs.nixpkgs.follows = "nixpkgs"; }; naersk = { url = "github:nix-community/naersk"; inputs.nixpkgs.follows = "nixpkgs"; }; nix = { url = "https://flakehub.com/f/DeterminateSystems/nix/=2.23.3.tar.gz"; # Omitting `inputs.nixpkgs.follows = "nixpkgs";` on purpose }; determinate = { url = "https://flakehub.com/f/DeterminateSystems/determinate/0.1.tar.gz"; # We set the overrides below so the flake.lock has many fewer nodes. # # The `determinate` input is used to access the builds of `determinate-nixd`. # Below, we access the `packages` outputs, which download static builds of `determinate-nixd` and makes them executable. # The way we consume the determinate flake means the `nix` and `nixpkgs` inputs are not meaningfully used. # This means `follows` won't cause surprisingly extensive rebuilds, just trivial `chmod +x` rebuilds. inputs.nixpkgs.follows = "nixpkgs"; inputs.nix.follows = "nix"; }; flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.0.0.tar.gz"; }; outputs = { self , nixpkgs , fenix , naersk , nix , determinate , ... } @ inputs: let supportedSystems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ]; systemsSupportedByDeterminateNixd = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ]; forAllSystems = f: nixpkgs.lib.genAttrs supportedSystems (system: (forSystem system f)); forSystem = system: f: f rec { inherit system; pkgs = import nixpkgs { inherit system; overlays = [ self.overlays.default ]; }; lib = pkgs.lib; }; fenixToolchain = system: with fenix.packages.${system}; combine ([ stable.clippy stable.rustc stable.cargo stable.rustfmt stable.rust-src ] ++ nixpkgs.lib.optionals (system == "x86_64-linux") [ targets.x86_64-unknown-linux-musl.stable.rust-std ] ++ nixpkgs.lib.optionals (system == "aarch64-linux") [ targets.aarch64-unknown-linux-musl.stable.rust-std ]); nixTarballs = forAllSystems ({ system, ... }: inputs.nix.tarballs_direct.${system} or "${inputs.nix.checks."${system}".binaryTarball}/nix-${inputs.nix.packages."${system}".default.version}-${system}.tar.xz"); optionalPathToDeterminateNixd = system: if builtins.elem system systemsSupportedByDeterminateNixd then "${inputs.determinate.packages.${system}.default}/bin/determinate-nixd" else null; in { overlays.default = final: prev: let toolchain = fenixToolchain final.stdenv.system; naerskLib = final.callPackage naersk { cargo = toolchain; rustc = toolchain; }; sharedAttrs = { pname = "nix-installer"; version = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.version; src = builtins.path { name = "nix-installer-source"; path = self; filter = (path: type: baseNameOf path != "nix" && baseNameOf path != ".github"); }; nativeBuildInputs = with final; [ ]; buildInputs = with final; [ ] ++ lib.optionals (final.stdenv.isDarwin) (with final.darwin.apple_sdk.frameworks; [ SystemConfiguration ]); copyBins = true; copyDocsToSeparateOutput = true; doCheck = true; doDoc = true; doDocFail = true; RUSTFLAGS = "--cfg tokio_unstable"; cargoTestOptions = f: f ++ [ "--all" ]; NIX_INSTALLER_TARBALL_PATH = nixTarballs.${final.stdenv.system}; DETERMINATE_NIXD_BINARY_PATH = optionalPathToDeterminateNixd final.stdenv.system; override = { preBuild ? "", ... }: { preBuild = preBuild + '' # logRun "cargo clippy --all-targets --all-features -- -D warnings" ''; }; postInstall = '' cp nix-installer.sh $out/bin/nix-installer.sh ''; }; in rec { # NOTE(cole-h): fixes build -- nixpkgs updated libsepol to 3.7 but didn't update # checkpolicy to 3.7, checkpolicy links against libsepol, and libsepol 3.7 changed # something in the API so checkpolicy 3.6 failed to build against libsepol 3.7 # Can be removed once https://github.com/NixOS/nixpkgs/pull/335146 merges. checkpolicy = prev.checkpolicy.overrideAttrs ({ ... }: rec { version = "3.7"; src = final.fetchurl { url = "https://github.com/SELinuxProject/selinux/releases/download/${version}/checkpolicy-${version}.tar.gz"; sha256 = "sha256-/T4ZJUd9SZRtERaThmGvRMH4bw1oFGb9nwLqoGACoH8="; }; }); # NOTE(cole-h): Got hit by the Rust 1.80 x time incompatibility issue: # https://github.com/NixOS/nixpkgs/issues/332957 # Can be removed once https://github.com/NixOS/nixpkgs/pull/335152 merges. cargo-outdated = final.callPackage ./nix/cargo-outdated.nix { inherit (final.darwin.apple_sdk.frameworks) CoreFoundation CoreServices Security SystemConfiguration; }; nix-installer = naerskLib.buildPackage sharedAttrs; } // nixpkgs.lib.optionalAttrs (prev.stdenv.system == "x86_64-linux") rec { default = nix-installer-static; nix-installer-static = naerskLib.buildPackage (sharedAttrs // { CARGO_BUILD_TARGET = "x86_64-unknown-linux-musl"; }); } // nixpkgs.lib.optionalAttrs (prev.stdenv.system == "aarch64-linux") rec { default = nix-installer-static; nix-installer-static = naerskLib.buildPackage (sharedAttrs // { CARGO_BUILD_TARGET = "aarch64-unknown-linux-musl"; }); }; devShells = forAllSystems ({ system, pkgs, ... }: let toolchain = fenixToolchain system; check = import ./nix/check.nix { inherit pkgs toolchain; }; in { default = pkgs.mkShell { name = "nix-install-shell"; RUST_SRC_PATH = "${toolchain}/lib/rustlib/src/rust/library"; NIX_INSTALLER_TARBALL_PATH = nixTarballs.${system}; DETERMINATE_NIXD_BINARY_PATH = optionalPathToDeterminateNixd system; nativeBuildInputs = with pkgs; [ ]; buildInputs = with pkgs; [ toolchain shellcheck rust-analyzer cargo-outdated cacert # cargo-audit # NOTE(cole-h): build currently broken because of time dependency and Rust 1.80 cargo-watch nixpkgs-fmt check.check-rustfmt check.check-spelling check.check-nixpkgs-fmt check.check-editorconfig check.check-semver check.check-clippy ] ++ lib.optionals (pkgs.stdenv.isDarwin) (with pkgs; [ libiconv darwin.apple_sdk.frameworks.Security darwin.apple_sdk.frameworks.SystemConfiguration ]) ++ lib.optionals (pkgs.stdenv.isLinux) (with pkgs; [ checkpolicy semodule-utils /* users are expected to have a system docker, too */ ]); }; }); checks = forAllSystems ({ system, pkgs, ... }: let toolchain = fenixToolchain system; check = import ./nix/check.nix { inherit pkgs toolchain; }; in { check-rustfmt = pkgs.runCommand "check-rustfmt" { buildInputs = [ check.check-rustfmt ]; } '' cd ${./.} check-rustfmt touch $out ''; check-spelling = pkgs.runCommand "check-spelling" { buildInputs = [ check.check-spelling ]; } '' cd ${./.} check-spelling touch $out ''; check-nixpkgs-fmt = pkgs.runCommand "check-nixpkgs-fmt" { buildInputs = [ check.check-nixpkgs-fmt ]; } '' cd ${./.} check-nixpkgs-fmt touch $out ''; check-editorconfig = pkgs.runCommand "check-editorconfig" { buildInputs = [ pkgs.git check.check-editorconfig ]; } '' cd ${./.} check-editorconfig touch $out ''; }); packages = forAllSystems ({ system, pkgs, ... }: { inherit (pkgs) nix-installer; } // nixpkgs.lib.optionalAttrs (system == "x86_64-linux") { inherit (pkgs) nix-installer-static; default = pkgs.nix-installer-static; } // nixpkgs.lib.optionalAttrs (system == "aarch64-linux") { inherit (pkgs) nix-installer-static; default = pkgs.nix-installer-static; } // nixpkgs.lib.optionalAttrs (pkgs.stdenv.isDarwin) { default = pkgs.nix-installer; }); hydraJobs = { vm-test = import ./nix/tests/vm-test { inherit forSystem; inherit (nixpkgs) lib; binaryTarball = nix.tarballs_indirect; }; container-test = import ./nix/tests/container-test { inherit forSystem; binaryTarball = nix.tarballs_indirect; }; }; }; }