From d15feffcdb262f5e4686297e156319591895a945 Mon Sep 17 00:00:00 2001 From: Irene Knapp Date: Wed, 17 Dec 2025 15:16:20 -0800 Subject: implement the secret-list command Change-Id: I5e1570940fedf52bb560fd824270e201757004ed --- flake.nix | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 59 insertions(+), 5 deletions(-) (limited to 'flake.nix') diff --git a/flake.nix b/flake.nix index c101218..1666ae6 100644 --- a/flake.nix +++ b/flake.nix @@ -14,17 +14,72 @@ ref = "nixos-25.05"; }; + # Crane is a library used to manage Rust builds from nix. + # + # It doesn't take any inputs itself (the mkLib call, below, uses + # dependency injection, which removes that need), so we don't have to set + # up any "follows" relations. crane = { type = "github"; owner = "ipetkov"; repo = "crane"; }; + + # The Rust overlay is a nix "overlay" which provides different versions of + # the Rust compiler toolchain. We need a feature from the nightly versions + # of the Rust compiler, so we can't use the stable builds that nixpkgs + # provides. There are quite a few projects out there that package Rust + # toolchains for nix, but this one interacts well with Crane, so it's the + # one we use. + # + # This one does take nixpkgs as a flake input, so we set up the "follows" + # relation to avoid having two distinct versions of nixpkgs in use, which + # would be expensive at best and cause version-skew errors at worst. + rust-overlay = { + type = "github"; + owner = "oxalica"; + repo = "rust-overlay"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = { self, nixpkgs, crane }: + outputs = { self, nixpkgs, crane, rust-overlay }: let supportedSystems = [ "aarch64-linux" "x86_64-linux" ]; forAllSystems = nixpkgs.lib.genAttrs supportedSystems; - nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; }); + + nixpkgsFor = forAllSystems (system: import nixpkgs { + inherit system; + + # We apply the Rust overlay to the entire package set, but it will + # use a stable version of Rust for most packages, except where we + # explicitly override that behavior. + # + # This may result in increased build times since the upstream cache of + # pre-built nix packages is less likely to have things. Unfortunately, + # there's not a convenient or concise way to use an overlay + # selectively; this is one reason to not use overlays when more modern + # styles of nix architecture are available. There just isn't a way to + # avoid that with our requirements right now. + # + # Hopefully, we can remove the overlay (but keep Crane) when the + # nightly features we use have all reached stable status. Please try + # hard to avoid adding dependencies on new nightly-only Rust features. + overlays = [ (import rust-overlay) ]; + }); + + # Since we rely on a Rust nightly feature (see the features annotation + # at the top of main.rs), we need to invoke Crane with a nightly version + # of the Rust compiler. There are many possible ways to achieve that, + # most with roughly the same result. + # + # One thing to note is that, by using Crane's overrideToolchain feature + # here, we make sure we're only using nightly Rust for our own package. + # Using it for the entire distro would be easy to do by accident, and + # would be terrible for build times and upgrade reliability. + toolchainFor = pkgs: pkgs.rust-bin.selectLatestNightlyWith + (toolchain: toolchain.default); + craneLibFor = pkgs: (crane.mkLib pkgs).overrideToolchain toolchainFor; + in { nixosModules.default = { ... }: { imports = [ @@ -36,7 +91,7 @@ }; packages = forAllSystems (system: let pkgs = nixpkgsFor.${system}; in { - default = (crane.mkLib pkgs).buildPackage { + default = (craneLibFor pkgs).buildPackage { src = ./.; }; }); @@ -44,8 +99,7 @@ devShells = forAllSystems (system: let pkgs = nixpkgsFor.${system}; in { default = pkgs.mkShell { nativeBuildInputs = with pkgs; [ - cargo - rustc + (toolchainFor pkgs) ]; }; }); -- cgit 1.4.1