Merge pull request #11799 from obsidiansystems/flake-nixpkgs-cleanup

Clean up packaging a bit

packaging/binary-tarball.nix

@@ -0,0 +1,84 @@
+{ runCommand
+, system
+, buildPackages
+, cacert
+, nix
+}:
+
+let
+
+  installerClosureInfo = buildPackages.closureInfo {
+    rootPaths = [ nix cacert ];
+  };
+
+  inherit (nix) version;
+
+  env = {
+    #nativeBuildInputs = lib.optional (system != "aarch64-linux") shellcheck;
+    meta.description = "Distribution-independent Nix bootstrap binaries for ${system}";
+  };
+
+in
+
+runCommand "nix-binary-tarball-${version}" env ''
+  cp ${installerClosureInfo}/registration $TMPDIR/reginfo
+  cp ${../scripts/create-darwin-volume.sh} $TMPDIR/create-darwin-volume.sh
+  substitute ${../scripts/install-nix-from-tarball.sh} $TMPDIR/install \
+    --subst-var-by nix ${nix} \
+    --subst-var-by cacert ${cacert}
+
+  substitute ${../scripts/install-darwin-multi-user.sh} $TMPDIR/install-darwin-multi-user.sh \
+    --subst-var-by nix ${nix} \
+    --subst-var-by cacert ${cacert}
+  substitute ${../scripts/install-systemd-multi-user.sh} $TMPDIR/install-systemd-multi-user.sh \
+    --subst-var-by nix ${nix} \
+    --subst-var-by cacert ${cacert}
+  substitute ${../scripts/install-multi-user.sh} $TMPDIR/install-multi-user \
+    --subst-var-by nix ${nix} \
+    --subst-var-by cacert ${cacert}
+
+  if type -p shellcheck; then
+    # SC1090: Don't worry about not being able to find
+    #         $nix/etc/profile.d/nix.sh
+    shellcheck --exclude SC1090 $TMPDIR/install
+    shellcheck $TMPDIR/create-darwin-volume.sh
+    shellcheck $TMPDIR/install-darwin-multi-user.sh
+    shellcheck $TMPDIR/install-systemd-multi-user.sh
+
+    # SC1091: Don't panic about not being able to source
+    #         /etc/profile
+    # SC2002: Ignore "useless cat" "error", when loading
+    #         .reginfo, as the cat is a much cleaner
+    #         implementation, even though it is "useless"
+    # SC2116: Allow ROOT_HOME=$(echo ~root) for resolving
+    #         root's home directory
+    shellcheck --external-sources \
+      --exclude SC1091,SC2002,SC2116 $TMPDIR/install-multi-user
+  fi
+
+  chmod +x $TMPDIR/install
+  chmod +x $TMPDIR/create-darwin-volume.sh
+  chmod +x $TMPDIR/install-darwin-multi-user.sh
+  chmod +x $TMPDIR/install-systemd-multi-user.sh
+  chmod +x $TMPDIR/install-multi-user
+  dir=nix-${version}-${system}
+  fn=$out/$dir.tar.xz
+  mkdir -p $out/nix-support
+  echo "file binary-dist $fn" >> $out/nix-support/hydra-build-products
+  tar cfJ $fn \
+    --owner=0 --group=0 --mode=u+rw,uga+r \
+    --mtime='1970-01-01' \
+    --absolute-names \
+    --hard-dereference \
+    --transform "s,$TMPDIR/install,$dir/install," \
+    --transform "s,$TMPDIR/create-darwin-volume.sh,$dir/create-darwin-volume.sh," \
+    --transform "s,$TMPDIR/reginfo,$dir/.reginfo," \
+    --transform "s,$NIX_STORE,$dir/store,S" \
+    $TMPDIR/install \
+    $TMPDIR/create-darwin-volume.sh \
+    $TMPDIR/install-darwin-multi-user.sh \
+    $TMPDIR/install-systemd-multi-user.sh \
+    $TMPDIR/install-multi-user \
+    $TMPDIR/reginfo \
+    $(cat ${installerClosureInfo}/store-paths)
+''

packaging/hydra.nix

@@ -1,5 +1,4 @@
 { inputs
-, binaryTarball
 , forAllCrossSystems
 , forAllSystems
 , lib
@@ -12,7 +11,7 @@ let
   inherit (inputs) nixpkgs nixpkgs-regression;
 
   installScriptFor = tarballs:
-    nixpkgsFor.x86_64-linux.native.callPackage ../scripts/installer.nix {
+    nixpkgsFor.x86_64-linux.native.callPackage ./installer {
       inherit tarballs;
     };
 
@@ -62,7 +61,7 @@ in
     [ "i686-linux" ];
 
   buildStatic = forAllPackages (pkgName:
-    lib.genAttrs linux64BitSystems (system: nixpkgsFor.${system}.static.nixComponents.${pkgName}));
+    lib.genAttrs linux64BitSystems (system: nixpkgsFor.${system}.native.pkgsStatic.nixComponents.${pkgName}));
 
   buildCross = forAllPackages (pkgName:
     # Hack to avoid non-evaling package
@@ -99,13 +98,12 @@ in
   # Binary tarball for various platforms, containing a Nix store
   # with the closure of 'nix' package, and the second half of
   # the installation script.
-  binaryTarball = forAllSystems (system: binaryTarball nixpkgsFor.${system}.native.nix nixpkgsFor.${system}.native);
+  binaryTarball = forAllSystems (system:
+    nixpkgsFor.${system}.native.callPackage ./binary-tarball.nix {});
 
   binaryTarballCross = lib.genAttrs [ "x86_64-linux" ] (system:
     forAllCrossSystems (crossSystem:
-      binaryTarball
-        nixpkgsFor.${system}.cross.${crossSystem}.nix
-        nixpkgsFor.${system}.cross.${crossSystem}));
+      nixpkgsFor.${system}.cross.${crossSystem}.callPackage ./binary-tarball.nix {}));
 
   # The first half of the installation script. This is uploaded
   # to https://nixos.org/nix/install. It downloads the binary
@@ -124,7 +122,7 @@ in
     self.hydraJobs.binaryTarballCross."x86_64-linux"."riscv64-unknown-linux-gnu"
   ];
 
-  installerScriptForGHA = forAllSystems (system: nixpkgsFor.${system}.native.callPackage ../scripts/installer.nix {
+  installerScriptForGHA = forAllSystems (system: nixpkgsFor.${system}.native.callPackage ./installer {
     tarballs = [ self.hydraJobs.binaryTarball.${system} ];
   });
 
@@ -147,7 +145,10 @@ in
   external-api-docs = nixpkgsFor.x86_64-linux.native.nixComponents.nix-external-api-docs;
 
   # System tests.
-  tests = import ../tests/nixos { inherit lib nixpkgs nixpkgsFor self; } // {
+  tests = import ../tests/nixos {
+    inherit lib nixpkgs nixpkgsFor;
+    inherit (self.inputs) nixpkgs-23-11;
+  } // {
 
     # Make sure that nix-env still produces the exact same result
     # on a particular version of Nixpkgs.

packaging/installer/default.nix

@@ -0,0 +1,36 @@
+{ lib
+, runCommand
+, nix
+, tarballs
+}:
+
+runCommand "installer-script" {
+  buildInputs = [ nix ];
+} ''
+  mkdir -p $out/nix-support
+
+  # Converts /nix/store/50p3qk8k...-nix-2.4pre20201102_550e11f/bin/nix to 50p3qk8k.../bin/nix.
+  tarballPath() {
+    # Remove the store prefix
+    local path=''${1#${builtins.storeDir}/}
+    # Get the path relative to the derivation root
+    local rest=''${path#*/}
+    # Get the derivation hash
+    local drvHash=''${path%%-*}
+    echo "$drvHash/$rest"
+  }
+
+  substitute ${./install.in} $out/install \
+    ${lib.concatMapStrings
+      (tarball: let
+          inherit (tarball.stdenv.hostPlatform) system;
+        in '' \
+        --replace '@tarballHash_${system}@' $(nix --experimental-features nix-command hash-file --base16 --type sha256 ${tarball}/*.tar.xz) \
+        --replace '@tarballPath_${system}@' $(tarballPath ${tarball}/*.tar.xz) \
+        ''
+      )
+      tarballs
+    } --replace '@nixVersion@' ${nix.version}
+
+  echo "file installer $out/install" >> $out/nix-support/hydra-build-products
+''

packaging/installer/install.in

@@ -0,0 +1,124 @@
+#!/bin/sh
+
+# This script installs the Nix package manager on your system by
+# downloading a binary distribution and running its installer script
+# (which in turn creates and populates /nix).
+
+{ # Prevent execution if this script was only partially downloaded
+oops() {
+    echo "$0:" "$@" >&2
+    exit 1
+}
+
+umask 0022
+
+tmpDir="$(mktemp -d -t nix-binary-tarball-unpack.XXXXXXXXXX || \
+          oops "Can't create temporary directory for downloading the Nix binary tarball")"
+cleanup() {
+    rm -rf "$tmpDir"
+}
+trap cleanup EXIT INT QUIT TERM
+
+require_util() {
+    command -v "$1" > /dev/null 2>&1 ||
+        oops "you do not have '$1' installed, which I need to $2"
+}
+
+case "$(uname -s).$(uname -m)" in
+    Linux.x86_64)
+        hash=@tarballHash_x86_64-linux@
+        path=@tarballPath_x86_64-linux@
+        system=x86_64-linux
+        ;;
+    Linux.i?86)
+        hash=@tarballHash_i686-linux@
+        path=@tarballPath_i686-linux@
+        system=i686-linux
+        ;;
+    Linux.aarch64)
+        hash=@tarballHash_aarch64-linux@
+        path=@tarballPath_aarch64-linux@
+        system=aarch64-linux
+        ;;
+    Linux.armv6l)
+        hash=@tarballHash_armv6l-linux@
+        path=@tarballPath_armv6l-linux@
+        system=armv6l-linux
+        ;;
+    Linux.armv7l)
+        hash=@tarballHash_armv7l-linux@
+        path=@tarballPath_armv7l-linux@
+        system=armv7l-linux
+        ;;
+    Linux.riscv64)
+        hash=@tarballHash_riscv64-linux@
+        path=@tarballPath_riscv64-linux@
+        system=riscv64-linux
+        ;;
+    Darwin.x86_64)
+        hash=@tarballHash_x86_64-darwin@
+        path=@tarballPath_x86_64-darwin@
+        system=x86_64-darwin
+        ;;
+    Darwin.arm64|Darwin.aarch64)
+        hash=@tarballHash_aarch64-darwin@
+        path=@tarballPath_aarch64-darwin@
+        system=aarch64-darwin
+        ;;
+    *) oops "sorry, there is no binary distribution of Nix for your platform";;
+esac
+
+# Use this command-line option to fetch the tarballs using nar-serve or Cachix
+if [ "${1:-}" = "--tarball-url-prefix" ]; then
+    if [ -z "${2:-}" ]; then
+        oops "missing argument for --tarball-url-prefix"
+    fi
+    url=${2}/${path}
+    shift 2
+else
+    url=https://releases.nixos.org/nix/nix-@nixVersion@/nix-@nixVersion@-$system.tar.xz
+fi
+
+tarball=$tmpDir/nix-@nixVersion@-$system.tar.xz
+
+require_util tar "unpack the binary tarball"
+if [ "$(uname -s)" != "Darwin" ]; then
+    require_util xz "unpack the binary tarball"
+fi
+
+if command -v curl > /dev/null 2>&1; then
+    fetch() { curl --fail -L "$1" -o "$2"; }
+elif command -v wget > /dev/null 2>&1; then
+    fetch() { wget "$1" -O "$2"; }
+else
+    oops "you don't have wget or curl installed, which I need to download the binary tarball"
+fi
+
+echo "downloading Nix @nixVersion@ binary tarball for $system from '$url' to '$tmpDir'..."
+fetch "$url" "$tarball" || oops "failed to download '$url'"
+
+if command -v sha256sum > /dev/null 2>&1; then
+    hash2="$(sha256sum -b "$tarball" | cut -c1-64)"
+elif command -v shasum > /dev/null 2>&1; then
+    hash2="$(shasum -a 256 -b "$tarball" | cut -c1-64)"
+elif command -v openssl > /dev/null 2>&1; then
+    hash2="$(openssl dgst -r -sha256 "$tarball" | cut -c1-64)"
+else
+    oops "cannot verify the SHA-256 hash of '$url'; you need one of 'shasum', 'sha256sum', or 'openssl'"
+fi
+
+if [ "$hash" != "$hash2" ]; then
+    oops "SHA-256 hash mismatch in '$url'; expected $hash, got $hash2"
+fi
+
+unpack=$tmpDir/unpack
+mkdir -p "$unpack"
+tar -xJf "$tarball" -C "$unpack" || oops "failed to unpack '$url'"
+
+script=$(echo "$unpack"/*/install)
+
+[ -e "$script" ] || oops "installation script is missing from the binary tarball!"
+export INVOKED_FROM_INSTALL_IN=1
+"$script" "$@"
+
+} # End of wrapping