Add support for Nix flakes and haskell.nix #1570
Conversation
|
Suddenly I'm getting this error. Fresh checkout of |
|
@enobayram I'm seeing this error when I run |
|
@jwiegley Ugh, that's ugly. Luckily, I'm getting the same error on Linux, so I should be able to fix it soon. |
|
This also moves us away from haskell4nix (nixpkgs' haskell infrastructure) and over to haskell.nix, so two-in-one. I don't have a problem with that, but I was not expecting that based on the PR title. |
jwiegley
changed the title
|
Title updated. It didn't make sense to move to flakes without haskell.nix. |
|
@enobayram Everything looks good on my end. |
default.nix
Outdated
| , ... | ||
| }: | ||
| let chainweb-node = pkgs.haskell-nix.project' { | ||
| src = ./.; |
There was a problem hiding this comment.
Looks like this gets rid of nix-gitignore.
Flake input:
nix-gitignore.url = github:hercules-ci/gitignore.nix";
There was a problem hiding this comment.
Arguably we would want a shared src attribute between both appearances in default.nix, so they have consistent ignores.
There was a problem hiding this comment.
Thanks for pointing out this issue @chessai! I think using hercules-ci/gitignore.nix is a good suggestion, but AFAIK, that only filters out the files that are ignored by git, but it will accept new files that are neither ignored nor tracked by git. I think it's a reasonable thing that it does, but unfortunately that behavior is not the same as how Nix flakes behave. A Nix flake will first be copied to the Nix store and it will get built there. While the Nix flake gets copied, only files that are tracked by git will be copied, but if there are any changes they will be copied with those changes.
Instead of going forward with hercules-ci/gitignore.nix, I've decided to keep default.nix compatible with flake.nix by using src = self.outPath. Here's a demonstration of how this makes default.nix equivalent to flake.nix:
$ nix build --print-out-paths
/nix/store/8q1h87dpbv595ik2r5sw6rz29v836qq0-chainweb-exe-chainweb-node-2.18.1
$ nix-build
/nix/store/8q1h87dpbv595ik2r5sw6rz29v836qq0-chainweb-exe-chainweb-node-2.18.1
$ touch somenewfile
$ nix-build
/nix/store/8q1h87dpbv595ik2r5sw6rz29v836qq0-chainweb-exe-chainweb-node-2.18.1
$ nix build --print-out-paths
/nix/store/8q1h87dpbv595ik2r5sw6rz29v836qq0-chainweb-exe-chainweb-node-2.18.1
$ echo changing tracked file >> README.md
$ nix build --print-out-paths
warning: Git tree '.../chainweb-node' is dirty
/nix/store/rlxyjmwqalljkzg088dzwy0kd8bbaqnl-chainweb-exe-chainweb-node-2.18.1
$ nix-build
warning: Git tree '.../chainweb-node' is dirty
/nix/store/rlxyjmwqalljkzg088dzwy0kd8bbaqnl-chainweb-exe-chainweb-node-2.18.1
There was a problem hiding this comment.
Arguably we would want a shared
srcattribute between both appearances indefault.nix, so they have consistent ignores.
Seems like this comment isn't applicable anymore with my latest changes.
|
This currently runs into input-output-hk/haskell.nix#1367. There are workarounds described there. |
|
I will close and reopen the PR for debugging the new github action |
|
Are we sure that anybody is using the current |
|
Upon John's advice, I've just pushed a few commits that rename the new |
|
Are we good to go here? |
There was a problem hiding this comment.
Does this PR replace the previous nix infrastructure? If that's the case, would it be possible to delete the old files?
If the old files are still required, would it be possible to bundle those in a single subdirectory. I don't know which files are actually needed and which ones are just left overs from old setups. In particular, I am not aware that anybody ever used a nix generated docker file for chain web-node -- but I may just not be know about it.
(Ideally, all nix files would go into a ./nix subdirectory, to make it easier to identify which files belong to it. But not sure if that's possible.)
| @@ -55,26 +55,31 @@ source-repository-package | |||
| type: git | |||
| location: https://github.com/kadena-io/pact.git | |||
| tag: 842fbc4256b3cbbde337dbeaa393b649a26f1574 | |||
| --sha256: sha256-jD4Y2NOSYT0EQHs5BRSVvu8asfvRwt5XLDuZwbcG4mk= | |||
There was a problem hiding this comment.
How are those pins determined when updating the source tag for a package? Is that somewhere documented?
In the past we would just wait for the zeus nix build to fail and copy and paste from the failure message? That wasn't ideal (because of the extra CI roundtrip) but worked. Will that method still work?
There was a problem hiding this comment.
Is there any mechanism that guarantees that the source version represented by the --sha value matches the sources of the source tag?
In the past (with the old nix infra) we ran into issues where nix pins didn't exactly match the sources of the respective Hackage version and there was no easy way to detected that.
There was a problem hiding this comment.
The command to determine the sha locally is:
nix-prefetch-git --url https://github.com/kadena-io/pact.git --rev <SHA>
There was a problem hiding this comment.
Could you add that as a comment to the cabal.project file? So when people update that file they find that info?
There was a problem hiding this comment.
Could we include an action in the CI workflow that runs that command to double checks that the nix --sha actually matches the source tag?
(You may take a look at cabal CI workflows; there are examples for actions that check that the git tree is still clean after performing some action or test.)
There was a problem hiding this comment.
@larskuhtz Earlier today, I've added a step to check the hashes during the github action build, but then later I realized that the check was redundant, because it doesn't seem to be possible to start the build with a wrong sha256 anyway. I've tried multiple ways to fool it, like changing the source-repository-package commit hash without updating the sha256, but the nix build step always failed quickly, telling the correct sha256. As an example, check out this run: https://github.com/kadena-io/chainweb-node/actions/runs/4831581150/jobs/8609217888
The build took 2 minutes to fail and the error message tells you how you need to update the hash:
error: hash mismatch in fixed-output derivation '/nix/store/h9wwd3i3g0shagpc50i5kkms0mbbm5lc-pact-baac04e.drv':
specified: sha256-jD4Y2NOSYT0EQHs5BRSVvu8asfvRwt5XLDuZwbcG4mk=
got: sha256-PmvS1kNvnOErMpfQPhGp4oOxuZLa34MEXt/Q1p09EKI=
In the past (with the old nix infra) we ran into issues where nix pins didn't exactly match the sources of the respective Hackage version and there was no easy way to detected that.
I can imagine how the old nix infra running on Zeus could perform misleading builds, picking the old source folder from the nix store due to the outdated hash, but I don't think that kind of inconsistency is possible with this new setup.
That's why I've removed the separate cabal.project checks.
There was a problem hiding this comment.
Admittedly, the error message you get from the Nix build is not ideal because it doesn't tell you what exactly you need to do. So if somebody encounters this message out of the blue, it could be frustrating to try to debug it.
There was a problem hiding this comment.
We could add a hint about how to read this error to the comment that describes how to compute the sha.
|
@larskuhtz This is intended to replace the previous infrastructure, yes. I'd like to remove the old files soon, but I will do that after giving this new stuff some time to settle in and get plugged into CI. |
Because that's what nix-prefetch-git produces
Otherwise the check happens too late.
To avoid downloading the devShell if the environment hasn't changed
So that we can build it without evaluating the flake first.
This reverts commit eb31863.
This reverts commit e170492.
This reverts commit 2666565.
This reverts commit 9a2cd1c.
This PR adds a
flake.nixthat useshaskell.nixto Nixify thechainweb-nodepackage using the Haskell dependency versions from thecabal.project.freezefile. This PR retains the old Nix infrastructure but it's planned to be removed in a subsequent PR.