implement the secret-list command

Change-Id: I5e1570940fedf52bb560fd824270e201757004ed

1 files changed, 59 insertions, 5 deletions

diff --git a/flake.nix b/flake.nix
index c101218..1666ae6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,17 +14,72 @@
       ref = "nixos-25.05";
     };
 
+    # Crane is a library used to manage Rust builds from nix.
+    #
+    # It doesn't take any inputs itself (the mkLib call, below, uses
+    # dependency injection, which removes that need), so we don't have to set
+    # up any "follows" relations.
     crane = {
       type = "github";
       owner = "ipetkov";
       repo = "crane";
     };
+
+    # The Rust overlay is a nix "overlay" which provides different versions of
+    # the Rust compiler toolchain. We need a feature from the nightly versions
+    # of the Rust compiler, so we can't use the stable builds that nixpkgs
+    # provides. There are quite a few projects out there that package Rust
+    # toolchains for nix, but this one interacts well with Crane, so it's the
+    # one we use.
+    #
+    # This one does take nixpkgs as a flake input, so we set up the "follows"
+    # relation to avoid having two distinct versions of nixpkgs in use, which
+    # would be expensive at best and cause version-skew errors at worst.
+    rust-overlay = {
+      type = "github";
+      owner = "oxalica";
+      repo = "rust-overlay";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
-  outputs = { self, nixpkgs, crane }:
+  outputs = { self, nixpkgs, crane, rust-overlay }:
   let supportedSystems = [ "aarch64-linux" "x86_64-linux" ];
       forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
-      nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; });
+
+      nixpkgsFor = forAllSystems (system: import nixpkgs {
+        inherit system;
+
+        # We apply the Rust overlay to the entire package set, but it will
+        # use a stable version of Rust for most packages, except where we
+        # explicitly override that behavior.
+        #
+        # This may result in increased build times since the upstream cache of
+        # pre-built nix packages is less likely to have things. Unfortunately,
+        # there's not a convenient or concise way to use an overlay
+        # selectively; this is one reason to not use overlays when more modern
+        # styles of nix architecture are available. There just isn't a way to
+        # avoid that with our requirements right now.
+        #
+        # Hopefully, we can remove the overlay (but keep Crane) when the
+        # nightly features we use have all reached stable status. Please try
+        # hard to avoid adding dependencies on new nightly-only Rust features.
+        overlays = [ (import rust-overlay) ];
+      });
+
+      # Since we rely on a Rust nightly feature (see the features annotation
+      # at the top of main.rs), we need to invoke Crane with a nightly version
+      # of the Rust compiler. There are many possible ways to achieve that,
+      # most with roughly the same result.
+      #
+      # One thing to note is that, by using Crane's overrideToolchain feature
+      # here, we make sure we're only using nightly Rust for our own package.
+      # Using it for the entire distro would be easy to do by accident, and
+      # would be terrible for build times and upgrade reliability.
+      toolchainFor = pkgs: pkgs.rust-bin.selectLatestNightlyWith
+                               (toolchain: toolchain.default);
+      craneLibFor = pkgs: (crane.mkLib pkgs).overrideToolchain toolchainFor;
+
   in {
     nixosModules.default = { ... }: {
       imports = [
@@ -36,7 +91,7 @@
     };
 
     packages = forAllSystems (system: let pkgs = nixpkgsFor.${system}; in {
-      default = (crane.mkLib pkgs).buildPackage {
+      default = (craneLibFor pkgs).buildPackage {
         src = ./.;
       };
     });
@@ -44,8 +99,7 @@
     devShells = forAllSystems (system: let pkgs = nixpkgsFor.${system}; in {
       default = pkgs.mkShell {
         nativeBuildInputs = with pkgs; [
-          cargo
-          rustc
+          (toolchainFor pkgs)
         ];
       };
     });