From e6bb5f684c5cd2f6e45cc86e28d79bea7532c317 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Fri, 12 Sep 2025 14:00:07 +0200 Subject: [PATCH 01/14] Initailize flake --- flake.lock | 61 ++++++++++++++++++++++++++++++++++++++++ flake.nix | 30 ++++++++++++++++++++ nix/default.nix | 13 +++++---- nix/manual-overrides.nix | 3 ++ 4 files changed, 101 insertions(+), 6 deletions(-) create mode 100644 flake.lock create mode 100644 flake.nix diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000000..752670170d --- /dev/null +++ b/flake.lock @@ -0,0 +1,61 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1757487488, + "narHash": "sha256-zwE/e7CuPJUWKdvvTCB7iunV4E/+G0lKfv4kk/5Izdg=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "ab0f3607a6c7486ea22229b92ed2d355f1482ee0", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000000..1ea47884e5 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,30 @@ +{ + description = "A very basic flake"; + + inputs = { + self.submodules = true; + nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; + flake-utils.url = "github:numtide/flake-utils"; + }; + + outputs = {nixpkgs, flake-utils, ...}: + flake-utils.lib.eachDefaultSystem (system: + let pkgs = import nixpkgs { + inherit system; + overlays = [ + (import ./nix/overlay.nix) + (import ./nix/overlay-docs.nix) + ]; + }; + wireServerPkgs = import ./nix { inherit pkgs; }; + in { + # profileEnv wireServer docs docsEnv mls-test-cli nginz; + packages = { + inherit (wireServerPkgs) pkgs profileEnv wireServer docs docsEnv mls-test-cli nginz; + }; + devShells = { + default = wireServerPkgs.wireServer.devEnv; + }; + } + ); +} diff --git a/nix/default.nix b/nix/default.nix index 4d731d0573..76017ec596 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -1,17 +1,18 @@ -let - sources = import ./sources.nix; +{ + sources ? import ./sources.nix, - pkgs = import sources.nixpkgs { + pkgs ? import sources.nixpkgs { config.allowUnfree = true; overlays = [ # All wire-server specific packages (import ./overlay.nix) (import ./overlay-docs.nix) ]; - }; - - pkgs_24_11 = import sources.nixpkgs_24_11 { }; + }, + pkgs_24_11 ? import sources.nixpkgs_24_11 { } +}: +let profileEnv = pkgs.writeTextFile { name = "profile-env"; destination = "/.profile"; diff --git a/nix/manual-overrides.nix b/nix/manual-overrides.nix index 764b1b268e..ea0449d530 100644 --- a/nix/manual-overrides.nix +++ b/nix/manual-overrides.nix @@ -8,6 +8,9 @@ hself: hsuper: { # FUTUREWORK: investigate whether all of these tests need to fail # ---------------- + # tests don't work, but only in a flake + saml2-web-sso = hlib.dontCheck hsuper.saml2-web-sso; + # test suite doesn't compile and needs network access bloodhound = hlib.dontCheck hsuper.bloodhound; From a4eca10430256214b47d8b930a2de87d3d29ffec Mon Sep 17 00:00:00 2001 
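Review bot: The `packages` output in the new flake.nix inherits `pkgs` and `wireServer`, which are attribute sets rather than derivations, so `nix flake check` and `nix flake show` are likely to reject `packages.SYSTEM.pkgs`. Sets that are only addressed by attribute path (`.#wireServer.devEnv`, `.#pkgs.direnv`) fit `legacyPackages` better, e.g. `legacyPackages = { inherit (wireServerPkgs) pkgs wireServer; };`, leaving `packages` for real derivations. The `import nixpkgs { … }` call also drops the `config.allowUnfree = true;` that the default in nix/default.nix carried; if any dependency is unfree this changes what evaluates, so either restore it or note in a comment that the omission is intentional. `description = "A very basic flake";` is still the template text.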
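Review bot: The new `saml2-web-sso = hlib.dontCheck hsuper.saml2-web-sso;` override in nix/manual-overrides.nix switches off the test suite of the SAML SSO library, and the only justification given is "tests don't work, but only in a flake". Since the rest of this series appears to move every build onto the flake, the practical effect is that this authentication code is no longer tested in any Nix build, and the comment gives a reader nothing to act on. I would record the failure and a follow-up in the comment, for example `# FUTUREWORK: saml2-web-sso tests fail under the flake build (reason not yet understood); re-enable, or run them via cabal in CI, so SSO changes stay covered`. The enclosing overrides set starts and ends outside the hunk.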
From: Akshay Mankar Date: Fri, 12 Sep 2025 17:14:39 +0200 Subject: [PATCH 02/14] Remove niv stuff --- nix/default.nix | 15 +--- nix/sources.json | 26 ------- nix/sources.nix | 198 ----------------------------------------------- treefmt.toml | 3 - 4 files changed, 1 insertion(+), 241 deletions(-) delete mode 100644 nix/sources.json delete mode 100644 nix/sources.nix diff --git a/nix/default.nix b/nix/default.nix index 76017ec596..e2bc9153ed 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -1,17 +1,4 @@ -{ - sources ? import ./sources.nix, - - pkgs ? import sources.nixpkgs { - config.allowUnfree = true; - overlays = [ - # All wire-server specific packages - (import ./overlay.nix) - (import ./overlay-docs.nix) - ]; - }, - - pkgs_24_11 ? import sources.nixpkgs_24_11 { } -}: +{pkgs, pkgs_24_11}: let profileEnv = pkgs.writeTextFile { name = "profile-env"; diff --git a/nix/sources.json b/nix/sources.json deleted file mode 100644 index 60c5cfb6df..0000000000 --- a/nix/sources.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "nixpkgs": { - "branch": "nixpkgs-unstable", - "description": "Nix Packages collection", - "homepage": "https://github.com/NixOS/nixpkgs", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "09b8fda8959d761445f12b55f380d90375a1d6bb", - "sha256": "0333ri3rmkwlsyvbf8916psydq5i2xq0cj6iis9d6f4ghr19vbva", - "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/09b8fda8959d761445f12b55f380d90375a1d6bb.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - }, - "nixpkgs_24_11": { - "branch": "nixos-24.11", - "description": "Nix Packages collection & NixOS", - "homepage": "", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", - "sha256": "1s2gr5rcyqvpr58vxdcb095mdhblij9bfzaximrva2243aal3dgx", - "type": "tarball", - "url": "https://github.com/nixos/nixpkgs/archive/50ab793786d9de88ee30ec4e4c24fb4236fc2674.tar.gz", - "url_template": "https://github.com///archive/.tar.gz" - } -} 
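Review bot: After this hunk nix/default.nix requires both `pkgs` and `pkgs_24_11` with no defaults, but flake.nix from the previous patch still calls `import ./nix { inherit pkgs; }`, so evaluation fails on the missing argument until PATCH 04 changes the call to `inherit pkgs pkgs_24_11`. That leaves patches 02 and 03 unbuildable for `git bisect`. Moving the flake.nix change that supplies `pkgs_24_11` into this patch (or reordering it before the niv removal) would keep every commit in the series evaluable.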
diff --git a/nix/sources.nix b/nix/sources.nix deleted file mode 100644 index fe3dadf7eb..0000000000 --- a/nix/sources.nix +++ /dev/null 
@@ -1,198 +0,0 @@ -# This file has been generated by Niv. - -let - - # - # The fetchers. fetch_ fetches specs of type . - # - - fetch_file = pkgs: name: spec: - let - name' = sanitizeName name + "-src"; - in - if spec.builtin or true then - builtins_fetchurl { inherit (spec) url sha256; name = name'; } - else - pkgs.fetchurl { inherit (spec) url sha256; name = name'; }; - - fetch_tarball = pkgs: name: spec: - let - name' = sanitizeName name + "-src"; - in - if spec.builtin or true then - builtins_fetchTarball { name = name'; inherit (spec) url sha256; } - else - pkgs.fetchzip { name = name'; inherit (spec) url sha256; }; - - fetch_git = name: spec: - let - ref = - spec.ref or ( - if spec ? branch then "refs/heads/${spec.branch}" else - if spec ? tag then "refs/tags/${spec.tag}" else - abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!" - ); - submodules = spec.submodules or false; - submoduleArg = - let - nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0; - emptyArgWithWarning = - if submodules - then - builtins.trace - ( - "The niv input \"${name}\" uses submodules " - + "but your nix's (${builtins.nixVersion}) builtins.fetchGit " - + "does not support them" - ) - { } - else { }; - in - if nixSupportsSubmodules - then { inherit submodules; } - else emptyArgWithWarning; - in - builtins.fetchGit - ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg); - - fetch_local = spec: spec.path; - - fetch_builtin-tarball = name: throw - ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`. - $ niv modify ${name} -a type=tarball -a builtin=true''; - - fetch_builtin-url = name: throw - ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`. 
- $ niv modify ${name} -a type=file -a builtin=true''; - - # - # Various helpers - # - - # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695 - sanitizeName = name: - ( - concatMapStrings (s: if builtins.isList s then "-" else s) - ( - builtins.split "[^[:alnum:]+._?=-]+" - ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name) - ) - ); - - # The set of packages used when specs are fetched using non-builtins. - mkPkgs = sources: system: - let - sourcesNixpkgs = - import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; }; - hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath; - hasThisAsNixpkgsPath = == ./.; - in - if builtins.hasAttr "nixpkgs" sources - then sourcesNixpkgs - else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then - import { } - else - abort - '' - Please specify either (through -I or NIX_PATH=nixpkgs=...) or - add a package called "nixpkgs" to your sources.json. - ''; - - # The actual fetching function. - fetch = pkgs: name: spec: - - if ! builtins.hasAttr "type" spec then - abort "ERROR: niv spec ${name} does not have a 'type' attribute" - else if spec.type == "file" then fetch_file pkgs name spec - else if spec.type == "tarball" then fetch_tarball pkgs name spec - else if spec.type == "git" then fetch_git name spec - else if spec.type == "local" then fetch_local spec - else if spec.type == "builtin-tarball" then fetch_builtin-tarball name - else if spec.type == "builtin-url" then fetch_builtin-url name - else - abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}"; - - # If the environment variable NIV_OVERRIDE_${name} is set, then use - # the path directly as opposed to the fetched source. 
- replace = name: drv: - let - saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name; - ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}"; - in - if ersatz == "" then drv else - # this turns the string into an actual Nix path (for both absolute and - # relative paths) - if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}"; - - # Ports of functions for older nix versions - - # a Nix version of mapAttrs if the built-in doesn't exist - mapAttrs = builtins.mapAttrs or ( - f: set: with builtins; - listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)) - ); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295 - range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257 - stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1)); - - # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269 - stringAsChars = f: s: concatStrings (map f (stringToCharacters s)); - concatMapStrings = f: list: concatStrings (map f list); - concatStrings = builtins.concatStringsSep ""; - - # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331 - optionalAttrs = cond: as: if cond then as else { }; - - # fetchTarball version that is compatible between all the versions of Nix - builtins_fetchTarball = { url, name ? 
null, sha256 }@attrs: - let - inherit (builtins) lessThan nixVersion fetchTarball; - in - if lessThan nixVersion "1.12" then - fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; })) - else - fetchTarball attrs; - - # fetchurl version that is compatible between all the versions of Nix - builtins_fetchurl = { url, name ? null, sha256 }@attrs: - let - inherit (builtins) lessThan nixVersion fetchurl; - in - if lessThan nixVersion "1.12" then - fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; })) - else - fetchurl attrs; - - # Create the final "sources" from the config - mkSources = config: - mapAttrs - ( - name: spec: - if builtins.hasAttr "outPath" spec - then - abort - "The values in sources.json should not have an 'outPath' attribute" - else - spec // { outPath = replace name (fetch config.pkgs name spec); } - ) - config.sources; - - # The "config" used by the fetchers - mkConfig = - { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null - , sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile) - , system ? builtins.currentSystem - , pkgs ? mkPkgs sources system - }: rec { - # The sources, i.e. the attribute set of spec name to spec - inherit sources; - - # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers - inherit pkgs; - }; - -in -mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); } diff --git a/treefmt.toml b/treefmt.toml index 847bdbb793..fd38436758 100644 --- a/treefmt.toml +++ b/treefmt.toml @@ -1,9 +1,6 @@ [formatter.nix] command = "nixpkgs-fmt" includes = ["*.nix"] -excludes = [ - "nix/sources.nix" # managed by niv. -] [formatter.cabal-fmt] command = "cabal-fmt" From dd4ece55e635c5deeb07d15d774432b180b91b55 Mon Sep 17 00:00:00 2001 
From: Akshay Mankar Date: Sat, 13 Sep 2025 10:51:50 +0200 Subject: [PATCH 03/14] Format --- flake.nix | 22 ++++++++++++---------- nix/default.nix | 2 +- 2 files changed, 13 insertions(+), 11 deletions(-) diff --git a/flake.nix b/flake.nix index 1ea47884e5..d8e6110d61 100644 --- a/flake.nix +++ b/flake.nix @@ -7,17 +7,19 @@ flake-utils.url = "github:numtide/flake-utils"; }; - outputs = {nixpkgs, flake-utils, ...}: + outputs = { nixpkgs, flake-utils, ... }: flake-utils.lib.eachDefaultSystem (system: - let pkgs = import nixpkgs { - inherit system; - overlays = [ - (import ./nix/overlay.nix) - (import ./nix/overlay-docs.nix) - ]; - }; - wireServerPkgs = import ./nix { inherit pkgs; }; - in { + let + pkgs = import nixpkgs { + inherit system; + overlays = [ + (import ./nix/overlay.nix) + (import ./nix/overlay-docs.nix) + ]; + }; + wireServerPkgs = import ./nix { inherit pkgs; }; + in + { # profileEnv wireServer docs docsEnv mls-test-cli nginz; packages = { inherit (wireServerPkgs) pkgs profileEnv wireServer docs docsEnv mls-test-cli nginz; diff --git a/nix/default.nix b/nix/default.nix index e2bc9153ed..136a89ef5f 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -1,4 +1,4 @@ -{pkgs, pkgs_24_11}: +{ pkgs, pkgs_24_11 }: let profileEnv = pkgs.writeTextFile { name = "profile-env"; From 81294c44f6bffa42b070f3c6c1c5c5c6c6f9e51d Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Tue, 6 Jan 2026 15:02:32 +0100 Subject: [PATCH 04/14] flake: Add nixpkgs 24.11 for cabal 3.12 --- flake.lock | 19 ++++++++++++++++++- flake.nix | 8 ++++++-- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 752670170d..425c982750 100644 --- a/flake.lock +++ b/flake.lock 
@@ -34,10 +34,27 @@ "type": "github" } }, + "nixpkgs_24_11": { + "locked": { + "lastModified": 1751274312, + "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { "flake-utils": "flake-utils", - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "nixpkgs_24_11": "nixpkgs_24_11" } }, "systems": { diff --git a/flake.nix b/flake.nix index d8e6110d61..26aa47001b 100644 --- a/flake.nix +++ b/flake.nix @@ -4,10 +4,11 @@ inputs = { self.submodules = true; nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; + nixpkgs_24_11.url = "github:nixos/nixpkgs?ref=nixos-24.11"; flake-utils.url = "github:numtide/flake-utils"; }; - outputs = { nixpkgs, flake-utils, ... }: + outputs = { nixpkgs, nixpkgs_24_11, flake-utils, ... }: flake-utils.lib.eachDefaultSystem (system: let pkgs = import nixpkgs { @@ -17,7 +18,10 @@ (import ./nix/overlay-docs.nix) ]; }; - wireServerPkgs = import ./nix { inherit pkgs; }; + pkgs_24_11 = import nixpkgs_24_11 { + inherit system; + }; + wireServerPkgs = import ./nix { inherit pkgs pkgs_24_11; }; in { # profileEnv wireServer docs docsEnv mls-test-cli nginz; From 05094edaf9af4bfb87528191c84032b24014ef24 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Tue, 6 Jan 2026 15:25:25 +0100 Subject: [PATCH 05/14] flake: Keep the same rev for nixpkgs, so other problems can be tackled later --- flake.lock | 8 ++++---- flake.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index 425c982750..e960a7b710 100644 --- a/flake.lock +++ b/flake.lock 
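Review bot: The new input `nixpkgs_24_11.url = "github:nixos/nixpkgs?ref=nixos-24.11";` in flake.nix tracks a release branch that, as far as I know, stopped receiving updates in mid-2025, so whatever is taken from `pkgs_24_11` will not get security fixes. The subject says it is there for cabal 3.12; a comment on the input would make that scope explicit and discourage pulling runtime dependencies from it, e.g. `# EOL channel, kept only for cabal 3.12 (build tool); do not use for anything shipped in images`. What nix/default.nix actually does with `pkgs_24_11` is outside this hunk, so please confirm that nothing from it ends up in the container images.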
@@ -20,17 +20,17 @@ }, "nixpkgs": { "locked": { - "lastModified": 1757487488, - "narHash": "sha256-zwE/e7CuPJUWKdvvTCB7iunV4E/+G0lKfv4kk/5Izdg=", + "lastModified": 1765772535, + "narHash": "sha256-aq+dQoaPONOSjtFIBnAXseDm9TUhIbe215TPmkfMYww=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ab0f3607a6c7486ea22229b92ed2d355f1482ee0", + "rev": "09b8fda8959d761445f12b55f380d90375a1d6bb", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-unstable", "repo": "nixpkgs", + "rev": "09b8fda8959d761445f12b55f380d90375a1d6bb", "type": "github" } }, diff --git a/flake.nix b/flake.nix index 26aa47001b..285c4beab8 100644 --- a/flake.nix +++ b/flake.nix @@ -3,7 +3,7 @@ inputs = { self.submodules = true; - nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable"; + nixpkgs.url = "github:nixos/nixpkgs?rev=09b8fda8959d761445f12b55f380d90375a1d6bb"; nixpkgs_24_11.url = "github:nixos/nixpkgs?ref=nixos-24.11"; flake-utils.url = "github:numtide/flake-utils"; }; From d403b2c87d91ebfafe7a88453cdf6d3d201afbd8 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Tue, 6 Jan 2026 15:39:29 +0100 Subject: [PATCH 06/14] Use the flake in all scripts --- .envrc | 4 ++-- Makefile | 4 ++-- docs/src/developer/developer/building.md | 12 ++++++------ hack/bin/kind-upload-image.sh | 17 ++++++----------- hack/bin/kind-upload-images.sh | 17 ++++++----------- hack/bin/nix-hls.sh | 2 +- hack/bin/upload-image.sh | 8 ++++---- hack/bin/upload-images.sh | 13 ++++++------- nix/haskell-pins.nix | 2 +- 9 files changed, 34 insertions(+), 45 deletions(-) diff --git a/.envrc b/.envrc index 675fb0829f..ccf83c95b4 100644 --- a/.envrc +++ b/.envrc @@ -15,7 +15,7 @@ store_paths=$(echo "$nix_files" ./services/nginz/third_party/nginx-zauth-module/ layout_dir=$(direnv_layout_dir) env_dir=./.env -export NIX_CONFIG='extra-experimental-features = nix-command' +export NIX_CONFIG='extra-experimental-features = nix-command flakes' [[ -d "$layout_dir" ]] || mkdir -p "$layout_dir" 
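Review bot: Hard-coding `?rev=09b8fda8959d761445f12b55f380d90375a1d6bb` in `nixpkgs.url` in flake.nix means `nix flake update` can no longer advance nixpkgs, so security updates for everything built from it now require hand-editing this URL. The subject says the pin is temporary, but nothing in the file does. Either keep `?ref=nixos-unstable` in flake.nix and hold the old revision only in flake.lock (for instance with `nix flake lock --override-input`), or add a comment next to the URL such as `# TODO: temporary pin to the former niv revision; return to ?ref=nixos-unstable once the upgrade fallout is handled`.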
@@ -27,7 +27,7 @@ if [[ ! -d "$env_dir" || ! -f "$layout_dir/nix-rebuild" || "$store_paths" != $(< fi fi echo "🔧 Building environment" - $bcmd build -f nix wireServer.devEnv -Lv --out-link ./.env --fallback + $bcmd build '.#wireServer.devEnv' -Lv --out-link ./.env --fallback echo "$store_paths" >"$layout_dir/nix-rebuild" fi diff --git a/Makefile b/Makefile index 10cb677a95..8b37bb940d 100644 --- a/Makefile +++ b/Makefile @@ -303,7 +303,7 @@ treefmt-check: .PHONY: build-image-% build-image-%: - nix-build ./nix -A wireServer.imagesNoDocs.$(*) && \ + nix build '.#wireServer.imagesNoDocs.$(*)' && \ ./result | docker load | tee /tmp/imageName-$(*) && \ imageName=$$(grep quay.io /tmp/imageName-$(*) | awk '{print $$3}') && \ echo 'You can run your image locally using' && \ @@ -665,7 +665,7 @@ helm-template-%: clean-charts charts-integration ./hack/bin/helm-template.sh $(*) sbom.json: - nix -Lv build -f nix wireServer.bomDependencies && \ + nix -Lv build '.#wireServer.bomDependencies' && \ nix run 'github:wireapp/tom-bombadil#create-sbom' -- --root-package-name "wire-server" # Ask the security team for the `DEPENDENCY_TRACK_API_KEY` (if you need it) diff --git a/docs/src/developer/developer/building.md b/docs/src/developer/developer/building.md index dd9ecc2ee8..6b754e073b 100644 --- a/docs/src/developer/developer/building.md +++ b/docs/src/developer/developer/building.md 
@@ -99,24 +99,24 @@ you may build each individual service by running ```bash nix build -Lv \ - --experimental-features 'nix-command' \ - -f ./nix wireServer. + --experimental-features 'nix-command flakes' \ + '.#wireServer.' ``` you may build all the libraries that exist locally or are in the closure of `wire-server` by running ```bash nix build -Lv \ - --experimental-features 'nix-command' \ - -f ./nix wireServer.haskellPackages. + --experimental-features 'nix-command flakes' \ + '.#wireServer.haskellPackages.' ``` you may build all the images that would be deployed by running ```bash nix build -Lv \ - --experimental-features 'nix-command' \ - -f ./nix wireServer.allImages + --experimental-features 'nix-command flakes' \ + '.#wireServer.allImages' ``` > ℹ️ Info diff --git a/hack/bin/kind-upload-image.sh b/hack/bin/kind-upload-image.sh index 61b24c7937..b3c460f00a 100755 --- a/hack/bin/kind-upload-image.sh +++ b/hack/bin/kind-upload-image.sh @@ -1,20 +1,15 @@ #!/usr/bin/env bash -# This script builds all the images in wireServer.images attribute of -# $ROOT_DIR/nix/default.nix and uploads them to the docker registry using the -# repository name specified in the image derivation and tag specified by -# environment variable "$DOCKER_TAG". -# -# If $DOCKER_USER and $DOCKER_PASSWORD are provided, the script will use them to -# upload the images. -# -# This script is intended to be run by CI/CD pipelines. +# This script builds all the images in wireServer.images attribute of the flake +# and loads them into the docker daemon of kind using the repository name +# specified in the image derivation and tag specified by environment variable +# "$DOCKER_TAG". set -euo pipefail set -x -# nix attribute under wireServer from "$ROOT_DIR/nix" containing all the images +# nix attribute under wireServer containing all the images readonly IMAGE_ATTR=${1:?$usage} SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) 
@@ -24,7 +19,7 @@ readonly SCRIPT_DIR ROOT_DIR tmp_link_store=$(mktemp -d) image_stream_file="$tmp_link_store/image-stream" -nix -v --show-trace -L build -f "$ROOT_DIR/nix" "$IMAGE_ATTR" -o "$image_stream_file" +nix -v --show-trace -L build -f "$ROOT_DIR#$IMAGE_ATTR" -o "$image_stream_file" image_file="$tmp_link_store/image" image_file_tagged="$tmp_link_store/image-tagged" "$image_stream_file" > "$image_file" diff --git a/hack/bin/kind-upload-images.sh b/hack/bin/kind-upload-images.sh index b1fea5cf98..d785930d81 100755 --- a/hack/bin/kind-upload-images.sh +++ b/hack/bin/kind-upload-images.sh @@ -1,20 +1,15 @@ #!/usr/bin/env bash -# This script builds all the images in wireServer.images attribute of -# $ROOT_DIR/nix/default.nix and uploads them to the docker registry using the -# repository name specified in the image derivation and tag specified by -# environment variable "$DOCKER_TAG". -# -# If $DOCKER_USER and $DOCKER_PASSWORD are provided, the script will use them to -# upload the images. -# -# This script is intended to be run by CI/CD pipelines. +# This script builds all the images in wireServer.images attribute of the flake +# and loads into the docker daemon of kind using the repository name specified +# in the image derivation and tag specified by environment variable +# "$DOCKER_TAG". set -euo pipefail set -x -# nix attribute under wireServer from "$ROOT_DIR/nix" containing all the images +# nix attribute under wireServer containing all the images readonly IMAGES_ATTR="imagesUnoptimizedNoDocs" SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) 
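Review bot: The rewritten build line in kind-upload-image.sh keeps the `-f` flag in front of the flake reference (`nix … build -f "$ROOT_DIR#$IMAGE_ATTR"`); `-f` takes a file path, so the whole `path#attr` string is consumed as a file name and no installable is left, and the command should fail. Drop the flag: `nix -v --show-trace -L build "$ROOT_DIR#$IMAGE_ATTR" -o "$image_stream_file"`. The same leftover `-f` is in the kind-upload-images.sh and upload-image.sh hunks and in the second build line of upload-images.sh in this patch; only the last one is corrected later in the visible part of the series (PATCH 08).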
@@ -23,7 +18,7 @@ readonly SCRIPT_DIR ROOT_DIR tmp_link_store=$(mktemp -d) image_list_file="$tmp_link_store/image-list" -nix -v --show-trace -L build -f "$ROOT_DIR/nix" wireServer.imagesList -o "$image_list_file" +nix -v --show-trace -L build -f "$ROOT_DIR#wireServer.imagesList" -o "$image_list_file" xargs -I {} -P 10 "$SCRIPT_DIR/kind-upload-image.sh" "wireServer.$IMAGES_ATTR.{}" < "$image_list_file" diff --git a/hack/bin/nix-hls.sh b/hack/bin/nix-hls.sh index 5b66546ee5..827ad240b2 100755 --- a/hack/bin/nix-hls.sh +++ b/hack/bin/nix-hls.sh @@ -5,7 +5,7 @@ set -euo pipefail DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )" TOP_LEVEL="$(cd "$DIR/../.." && pwd)" -direnv="$(nix-build --no-out-link "$TOP_LEVEL/nix" -A pkgs.direnv)/bin/direnv" +direnv="$(nix build --no-link --print-out-paths "$TOP_LEVEL#pkgs.direnv")/bin/direnv" # shellcheck disable=SC2016 maxMemory=$("$direnv" exec "$TOP_LEVEL" bash -c 'echo "$HLS_MAX_MEMORY"') diff --git a/hack/bin/upload-image.sh b/hack/bin/upload-image.sh index a070b8661b..5050d81fba 100755 --- a/hack/bin/upload-image.sh +++ b/hack/bin/upload-image.sh @@ -1,9 +1,9 @@ #!/usr/bin/env bash # This script builds an from the attribute provided at $1, which must be present -# in $ROOT_DIR/nix/default.nix, and uploads it to the docker registry using the -# repository name specified in the image derivation and tag specified by -# environment variable "$DOCKER_TAG". +# in the flake, and uploads it to the docker registry using the repository name +# specified in the image derivation and tag specified by environment variable +# "$DOCKER_TAG". # # If $DOCKER_USER and $DOCKER_PASSWORD are provided, the script will use them to # upload the images. 
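Review bot: Replacing `nix-build` with `nix build … "$TOP_LEVEL#pkgs.direnv"` in nix-hls.sh makes the script depend on the `nix-command` and `flakes` experimental features being enabled in the caller's own Nix configuration, because this line runs before direnv has loaded the `NIX_CONFIG` export from .envrc. On a machine without them the script fails before the language server starts. Passing the features explicitly keeps it self-contained: `direnv="$(nix --extra-experimental-features 'nix-command flakes' build --no-link --print-out-paths "$TOP_LEVEL#pkgs.direnv")/bin/direnv"`.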
@@ -64,7 +64,7 @@ tmp_link_store=$(mktemp -d) # images should have a few common layers. More information: # https://nixos.org/manual/nixpkgs/unstable/#ssec-pkgs-dockerTools-streamLayeredImage image_stream_file="$tmp_link_store/image_stream" -nix -v --show-trace -L build -f "$ROOT_DIR/nix" "$IMAGE_ATTR" -o "$image_stream_file" +nix -v --show-trace -L build -f "$ROOT_DIR#$IMAGE_ATTR" -o "$image_stream_file" image_file="$tmp_link_store/image" "$image_stream_file" >"$image_file" repo=$(skopeo list-tags "docker-archive://$image_file" | jq -r '.Tags[0] | split(":") | .[0]') diff --git a/hack/bin/upload-images.sh b/hack/bin/upload-images.sh index 89c0b721c7..e95ffc6ded 100755 --- a/hack/bin/upload-images.sh +++ b/hack/bin/upload-images.sh @@ -1,9 +1,8 @@ #!/usr/bin/env bash -# This script builds all the images in wireServer.images attribute of -# $ROOT_DIR/nix/default.nix and uploads them to the docker registry using the -# repository name specified in the image derivation and tag specified by -# environment variable "$DOCKER_TAG". +# This script builds all the images in wireServer.images attribute of the flake +# and uploads them to the docker registry using the repository name specified in +# the image derivation and tag specified by environment variable "$DOCKER_TAG". # # If $DOCKER_USER and $DOCKER_PASSWORD are provided, the script will use them to # upload the images. @@ -14,7 +13,7 @@ set -euo pipefail readonly usage="USAGE: $0 " -# nix attribute under wireServer from "$ROOT_DIR/nix" containing all the images +# nix attribute under wireServer containing all the images readonly IMAGES_ATTR=${1:?$usage} SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) 
@@ -23,10 +22,10 @@ readonly SCRIPT_DIR ROOT_DIR tmp_link_store=$(mktemp -d) image_list_file="$tmp_link_store/image-list" -nix -v --show-trace -L build -f "$ROOT_DIR/nix" wireServer.imagesList -o "$image_list_file" --fallback +nix -v --show-trace -L build "$ROOT_DIR#wireServer.imagesList" -o "$image_list_file" --fallback # Build everything first so we can benefit the most from having many cores. -nix -v --show-trace -L build -f "$ROOT_DIR/nix" "wireServer.$IMAGES_ATTR" --no-link --fallback +nix -v --show-trace -L build -f "$ROOT_DIR#wireServer.$IMAGES_ATTR" --no-link --fallback xargs -I {} -P 10 "$SCRIPT_DIR/upload-image.sh" "wireServer.$IMAGES_ATTR.{}" < "$image_list_file" diff --git a/nix/haskell-pins.nix b/nix/haskell-pins.nix index 273ba19bb3..31e8123822 100644 --- a/nix/haskell-pins.nix +++ b/nix/haskell-pins.nix @@ -25,7 +25,7 @@ # }; # }; # -# 3. Run 'nix build -f ./nix wireServer.haskellPackagesUnoptimizedNoDocs.'. +# 3. Run 'nix build '.#wireServer.haskellPackagesUnoptimizedNoDocs.'. # This should produce an error saying expected sha and the actual sha. Replace the empty string in 'sha256' with the actual # sha. From 9714ca0313d0c385f2846e1412cfe5cb1cf8b935 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Wed, 7 Jan 2026 10:16:40 +0100 Subject: [PATCH 07/14] ciImage: Enable flakes --- nix/wire-server.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/wire-server.nix b/nix/wire-server.nix index d360bff24c..65099ca023 100644 --- a/nix/wire-server.nix +++ b/nix/wire-server.nix @@ -451,7 +451,7 @@ let bundleNixpkgs = false; extraPkgs = commonTools ++ [ pkgs.cachix ]; nixConf = { - experimental-features = "nix-command"; + experimental-features = "nix-command flakes"; }; }; From ce180180378e466450a74b3b34cf1bd7d59c1676 Mon Sep 17 00:00:00 2001 
From: Akshay Mankar Date: Wed, 7 Jan 2026 11:05:03 +0100 Subject: [PATCH 08/14] nix: Expose explicit derivation that allows building all images at once --- hack/bin/upload-images.sh | 2 +- nix/wire-server.nix | 81 ++++++++++++++++++++++----------------- 2 files changed, 46 insertions(+), 37 deletions(-) diff --git a/hack/bin/upload-images.sh b/hack/bin/upload-images.sh index e95ffc6ded..fd0e30288b 100755 --- a/hack/bin/upload-images.sh +++ b/hack/bin/upload-images.sh @@ -25,7 +25,7 @@ image_list_file="$tmp_link_store/image-list" nix -v --show-trace -L build "$ROOT_DIR#wireServer.imagesList" -o "$image_list_file" --fallback # Build everything first so we can benefit the most from having many cores. -nix -v --show-trace -L build -f "$ROOT_DIR#wireServer.$IMAGES_ATTR" --no-link --fallback +nix -v --show-trace -L build "$ROOT_DIR#wireServer.$IMAGES_ATTR.all" --no-link --fallback xargs -I {} -P 10 "$SCRIPT_DIR/upload-image.sh" "wireServer.$IMAGES_ATTR.{}" < "$image_list_file" diff --git a/nix/wire-server.nix b/nix/wire-server.nix index 65099ca023..2fa2cc8228 100644 --- a/nix/wire-server.nix +++ b/nix/wire-server.nix 
@@ -325,43 +325,52 @@ let ]; images = localMods@{ enableOptimization, enableDocs, enableTests }: - let exes = staticExecs localMods; + let + exes = staticExecs localMods; + allImages = attrsets.mapAttrs + (execName: drv: + pkgs.dockerTools.streamLayeredImage { + name = "quay.io/wire/${execName}"; + maxLayers = 10; + contents = [ + pkgs.cacert + pkgs.iana-etc + pkgs.dumb-init + pkgs.dockerTools.fakeNss + pkgs.dockerTools.usrBinEnv + drv + tmpDir + ] ++ debugUtils ++ pkgs.lib.optionals (builtins.hasAttr execName (extraContents exes)) (builtins.getAttr execName (extraContents exes)); + # Any mkdir running in this step won't actually make it to the image, + # hence we use the tmpDir derivation in the contents + fakeRootCommands = '' + chmod 1777 tmp + chmod 1777 var/tmp + ''; + config = { + Entrypoint = [ "${pkgs.dumb-init}/bin/dumb-init" "--" "${drv}/bin/${execName}" ]; + Env = [ + "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" + "LOCALE_ARCHIVE=${pkgs.glibcLocales}/lib/locale/locale-archive" + "LANG=en_GB.UTF-8" + # Use stable conventions for tracing http in opentelemetry + # https://opentelemetry.io/blog/2023/http-conventions-declared-stable/#migration-plan + "OTEL_SEMCONV_STABILITY_OPT_IN=http" + ]; + User = "65534"; + }; + } + ) + exes; in - attrsets.mapAttrs - (execName: drv: - pkgs.dockerTools.streamLayeredImage { - name = "quay.io/wire/${execName}"; - maxLayers = 10; - contents = [ - pkgs.cacert - pkgs.iana-etc - pkgs.dumb-init - pkgs.dockerTools.fakeNss - pkgs.dockerTools.usrBinEnv - drv - tmpDir - ] ++ debugUtils ++ pkgs.lib.optionals (builtins.hasAttr execName (extraContents exes)) (builtins.getAttr execName (extraContents exes)); - # Any mkdir running in this step won't actually make it to the image, - # hence we use the tmpDir derivation in the contents - fakeRootCommands = '' - chmod 1777 tmp - chmod 1777 var/tmp - ''; - config = { - Entrypoint = [ "${pkgs.dumb-init}/bin/dumb-init" "--" "${drv}/bin/${execName}" ]; - Env = [ - 
"SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" - "LOCALE_ARCHIVE=${pkgs.glibcLocales}/lib/locale/locale-archive" - "LANG=en_GB.UTF-8" - # Use stable conventions for tracing http in opentelemetry - # https://opentelemetry.io/blog/2023/http-conventions-declared-stable/#migration-plan - "OTEL_SEMCONV_STABILITY_OPT_IN=http" - ]; - User = "65534"; - }; - } - ) - exes; + allImages + // { + all = pkgs.linkFarm "all-images" (attrsets.mapAttrsToList + (name: path: + { inherit name path; } + ) + allImages); + }; localModsEnableAll = { enableOptimization = true; From fbe26d66aeec066e26904803eaf4583e062efe29 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Wed, 7 Jan 2026 11:21:28 +0100 Subject: [PATCH 09/14] nix: Use flake inputs to pin haskell dependencies --- flake.lock | 326 ++++++++++++++++++++++++++++++++++++++++++- flake.nix | 91 +++++++++++- nix/default.nix | 4 +- nix/haskell-pins.nix | 157 +++++---------------- nix/wire-server.nix | 5 +- 5 files changed, 454 insertions(+), 129 deletions(-) diff --git a/flake.lock b/flake.lock index e960a7b710..f83143d9ca 100644 --- a/flake.lock +++ b/flake.lock 
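Review bot: The `images` function in nix/wire-server.nix now returns `allImages // { all = pkgs.linkFarm … }`, so the attribute set that used to hold exactly one entry per executable also carries a non-image `all` entry. Any consumer that maps over `images` or its attribute names would treat `all` as an image (how `imagesList` is produced is not visible here), and an executable that happened to be named `all` would be silently shadowed by the `//` merge. A comment on the new attribute would help, e.g. `# 'all' is a linkFarm of every image for one-shot builds, not an image itself; exclude it when iterating`, or expose the linkFarm next to `images` rather than inside it. The enclosing `let` block starts outside the hunk.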
@@ -1,5 +1,90 @@ { "nodes": { + "amazonka": { + "flake": false, + "locked": { + "lastModified": 1759730860, + "narHash": "sha256-cCRhHH/IgM7tPy8rXHTSRec1zxohO8NWxSVZEG1OjQw=", + "owner": "brendanhay", + "repo": "amazonka", + "rev": "a7d699be1076e2aad05a1930ca3937ffea954ad8", + "type": "github" + }, + "original": { + "owner": "brendanhay", + "repo": "amazonka", + "rev": "a7d699be1076e2aad05a1930ca3937ffea954ad8", + "type": "github" + } + }, + "bloodhound": { + "flake": false, + "locked": { + "lastModified": 1739958389, + "narHash": "sha256-E3co9FGZP135T3RocX4vbUELbbgGbYddD8CcVNUzHu8=", + "owner": "wireapp", + "repo": "bloodhound", + "rev": "dac0f1384b335ce35dc026bf8154e574b1a15d62", + "type": "github" + }, + "original": { + "owner": "wireapp", + "repo": "bloodhound", + "rev": "dac0f1384b335ce35dc026bf8154e574b1a15d62", + "type": "github" + } + }, + "cql": { + "flake": false, + "locked": { + "lastModified": 1693567589, + "narHash": "sha256-2MYwZKiTdwgjJdLNvECi7gtcIo+3H4z1nYzen5x0lgU=", + "owner": "wireapp", + "repo": "cql", + "rev": "abbd2739969d17a909800f282d10d42a254c4e3b", + "type": "github" + }, + "original": { + "owner": "wireapp", + "repo": "cql", + "rev": "abbd2739969d17a909800f282d10d42a254c4e3b", + "type": "github" + } + }, + "cql-io": { + "flake": false, + "locked": { + "lastModified": 1661159563, + "narHash": "sha256-DMRWUq4yorG5QFw2ZyF/DWnRjfnzGupx0njTiOyLzPI=", + "owner": "wireapp", + "repo": "cql-io", + "rev": "c2b6aa995b5817ed7c78c53f72d5aa586ef87c36", + "type": "github" + }, + "original": { + "owner": "wireapp", + "repo": "cql-io", + "rev": "c2b6aa995b5817ed7c78c53f72d5aa586ef87c36", + "type": "github" + } + }, + "cryptobox-haskell": { + "flake": false, + "locked": { + "lastModified": 1469104927, + "narHash": "sha256-9mMVgmMB1NWCPm/3inLeF4Ouiju0uIb/92UENoP88TU=", + "owner": "wireapp", + "repo": "cryptobox-haskell", + "rev": "7546a1a25635ef65183e3d44c1052285e8401608", + "type": "github" + }, + "original": { + "owner": "wireapp", + "repo": 
"cryptobox-haskell", + "rev": "7546a1a25635ef65183e3d44c1052285e8401608", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" 
@@ -18,6 +103,91 @@ "type": "github" } }, + "hedis": { + "flake": false, + "locked": { + "lastModified": 1748594228, + "narHash": "sha256-BwcqQZf2GaEn2i6o9bVl+jiu/CjShYlHCmO81bYfc8Y=", + "owner": "wireapp", + "repo": "hedis", + "rev": "00d7fbf5f19b812b9e64e12be8860c4741be8558", + "type": "github" + }, + "original": { + "owner": "wireapp", + "repo": "hedis", + "rev": "00d7fbf5f19b812b9e64e12be8860c4741be8558", + "type": "github" + } + }, + "hsaml2": { + "flake": false, + "locked": { + "lastModified": 1717163391, + "narHash": "sha256-gufEAC7fFqafG8dXkGIOSfAcVv+ZWkawmBgUV+Ics2s=", + "owner": "dylex", + "repo": "hsaml2", + "rev": "874627ad22e69afe4d9a797e39633ffb30697c78", + "type": "github" + }, + "original": { + "owner": "dylex", + "repo": "hsaml2", + "rev": "874627ad22e69afe4d9a797e39633ffb30697c78", + "type": "github" + } + }, + "hspec-wai": { + "flake": false, + "locked": { + "lastModified": 1699866697, + "narHash": "sha256-Nc5POjA+mJt7Vi3drczEivGsv9PXeVOCSwp21lLmz58=", + "owner": "wireapp", + "repo": "hspec-wai", + "rev": "08176f07fa893922e2e78dcaf996c33d79d23ce2", + "type": "github" + }, + "original": { + "owner": "wireapp", + "repo": "hspec-wai", + "rev": "08176f07fa893922e2e78dcaf996c33d79d23ce2", + "type": "github" + } + }, + "http-client": { + "flake": false, + "locked": { + "lastModified": 1706706086, + "narHash": "sha256-z47GlT+tHsSlRX4ApSGQIpOpaZiBeqr72/tWuvzw8tc=", + "owner": "wireapp", + "repo": "http-client", + "rev": "37494bb9a89dd52f97a8dc582746c6ff52943934", + "type": "github" + }, + "original": { + "owner": "wireapp", + "repo": "http-client", + "rev": "37494bb9a89dd52f97a8dc582746c6ff52943934", + "type": "github" + } + }, + "http2": { + "flake": false, + "locked": { + "lastModified": 1765325653, + "narHash": "sha256-eyjFtB28JCcvItZ5R8CT2F5GL62c49oQ49AN8/4HSYw=", + "owner": "wireapp", + "repo": "http2", + "rev": "ca606d86ed304fa780f7a60d11244019c62a10e0", + "type": "github" + }, + "original": { + "owner": "wireapp", + "repo": "http2", + "rev": 
"ca606d86ed304fa780f7a60d11244019c62a10e0", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1765772535, @@ -50,11 +220,63 @@ "type": "github" } }, + "postie": { + "flake": false, + "locked": { + "lastModified": 1725958101, + "narHash": "sha256-nNivtyBpr4DFsbaXxlCznX+MYtzNshU7vfVpnhMh52c=", + "owner": "alexbiehl", + "repo": "postie", + "rev": "13404b8cb7164cd9010c9be6cda5423194dd0c06", + "type": "github" + }, + "original": { + "owner": "alexbiehl", + "repo": "postie", + "rev": "13404b8cb7164cd9010c9be6cda5423194dd0c06", + "type": "github" + } + }, "root": { "inputs": { + "amazonka": "amazonka", + "bloodhound": "bloodhound", + "cql": "cql", + "cql-io": "cql-io", + "cryptobox-haskell": "cryptobox-haskell", "flake-utils": "flake-utils", + "hedis": "hedis", + "hsaml2": "hsaml2", + "hspec-wai": "hspec-wai", + "http-client": "http-client", + "http2": "http2", "nixpkgs": "nixpkgs", - "nixpkgs_24_11": "nixpkgs_24_11" + "nixpkgs_24_11": "nixpkgs_24_11", + "postie": "postie", + "servant-openapi3": "servant-openapi3", + "tasty": "tasty", + "tasty-ant-xml": "tasty-ant-xml", + "text-icu-translit": "text-icu-translit", + "tinylog": "tinylog", + "wai-predicates": "wai-predicates", + "warp": "warp" + } + }, + "servant-openapi3": { + "flake": false, + "locked": { + "lastModified": 1716983629, + "narHash": "sha256-iKMWd+qm8hHhKepa13VWXDPCpTMXxoOwWyoCk4lLlIY=", + "owner": "wireapp", + "repo": "servant-openapi3", + "rev": "0db0095040df2c469a48f5b8724595f82afbad0c", + "type": "github" + }, + "original": { + "owner": "wireapp", + "repo": "servant-openapi3", + "rev": "0db0095040df2c469a48f5b8724595f82afbad0c", + "type": "github" } }, "systems": { 
@@ -71,6 +293,108 @@ "repo": "default", "type": "github" } + }, + "tasty": { + "flake": false, + "locked": { + "lastModified": 1705586441, + "narHash": "sha256-oACehxazeKgRr993gASRbQMf74heh5g0B+70ceAg17I=", + "owner": "wireapp", + "repo": "tasty", + "rev": "97df5c1db305b626ffa0b80055361b7b28e69cec", + "type": "github" + }, + "original": { + "owner": "wireapp", + "repo": "tasty", + "rev": "97df5c1db305b626ffa0b80055361b7b28e69cec", + "type": "github" + } + }, + "tasty-ant-xml": { + "flake": false, + "locked": { + "lastModified": 1746711397, + "narHash": "sha256-Aj/iTVECsCGq4f+32FXWyYj/iLH5e4Gm4hYRmewnJJM=", + "owner": "wireapp", + "repo": "tasty-ant-xml", + "rev": "11c53e976e2e941f25a33e8768669eb576d19ea8", + "type": "github" + }, + "original": { + "owner": "wireapp", + "repo": "tasty-ant-xml", + "rev": "11c53e976e2e941f25a33e8768669eb576d19ea8", + "type": "github" + } + }, + "text-icu-translit": { + "flake": false, + "locked": { + "lastModified": 1698840062, + "narHash": "sha256-E35PVxi/4iJFfWts3td52KKZKQt4dj9KFP3SvWG77Cc=", + "owner": "wireapp", + "repo": "text-icu-translit", + "rev": "317bbd27ea5ae4e7f93836ee9ca664f9bde7c583", + "type": "github" + }, + "original": { + "owner": "wireapp", + "repo": "text-icu-translit", + "rev": "317bbd27ea5ae4e7f93836ee9ca664f9bde7c583", + "type": "github" + } + }, + "tinylog": { + "flake": false, + "locked": { + "lastModified": 1674551828, + "narHash": "sha256-htEIJY+LmIMACVZrflU60+X42/g14NxUyFM7VJs4E6w=", + "owner": "wireapp", + "repo": "tinylog", + "rev": "9609104263e8cd2a631417c1c3ef23e090de0d09", + "type": "github" + }, + "original": { + "owner": "wireapp", + "repo": "tinylog", + "rev": "9609104263e8cd2a631417c1c3ef23e090de0d09", + "type": "github" + } + }, + "wai-predicates": { + "flake": false, + "locked": { + "lastModified": 1674147808, + "narHash": "sha256-x2XSv2+/+DG9FXN8hfUWGNIO7V4iBhlzYz19WWKaLKQ=", + "owner": "wireapp", + "repo": "wai-predicates", + "rev": "ff95282a982ab45cced70656475eaf2cefaa26ea", + "type": "github" 
+ }, + "original": { + "owner": "wireapp", + "repo": "wai-predicates", + "rev": "ff95282a982ab45cced70656475eaf2cefaa26ea", + "type": "github" + } + }, + "warp": { + "flake": false, + "locked": { + "lastModified": 1766622245, + "narHash": "sha256-7rgZUimPJY+0yVN717pZ2Ep01+XB0z8C/+L9D3Qz9/k=", + "owner": "yesodweb", + "repo": "wai", + "rev": "ef34334b160c74b62435ccc21f5b458f73506b2f", + "type": "github" + }, + "original": { + "owner": "yesodweb", + "repo": "wai", + "rev": "ef34334b160c74b62435ccc21f5b458f73506b2f", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 285c4beab8..d8cb52f9fa 100644 --- a/flake.nix +++ b/flake.nix 
@@ -6,9 +6,96 @@ nixpkgs.url = "github:nixos/nixpkgs?rev=09b8fda8959d761445f12b55f380d90375a1d6bb"; nixpkgs_24_11.url = "github:nixos/nixpkgs?ref=nixos-24.11"; flake-utils.url = "github:numtide/flake-utils"; + + cryptobox-haskell = { + url = "github:wireapp/cryptobox-haskell?rev=7546a1a25635ef65183e3d44c1052285e8401608"; + flake = false; + }; + bloodhound = { + url = "github:wireapp/bloodhound?rev=dac0f1384b335ce35dc026bf8154e574b1a15d62"; + flake = false; + }; + hsaml2 = { + url = "github:dylex/hsaml2?rev=874627ad22e69afe4d9a797e39633ffb30697c78"; + flake = false; + }; + hedis = { + url = "github:wireapp/hedis?rev=00d7fbf5f19b812b9e64e12be8860c4741be8558"; + flake = false; + }; + + http-client = { + url = "github:wireapp/http-client?rev=37494bb9a89dd52f97a8dc582746c6ff52943934"; + flake = false; + }; + + hspec-wai = { + url = "github:wireapp/hspec-wai?rev=08176f07fa893922e2e78dcaf996c33d79d23ce2"; + flake = false; + }; + + cql = { + url = "github:wireapp/cql?rev=abbd2739969d17a909800f282d10d42a254c4e3b"; + flake = false; + }; + + cql-io = { + url = "github:wireapp/cql-io?rev=c2b6aa995b5817ed7c78c53f72d5aa586ef87c36"; + flake = false; + }; + + wai-predicates = { + url = "github:wireapp/wai-predicates?rev=ff95282a982ab45cced70656475eaf2cefaa26ea"; + flake = false; + }; + + tasty = { + url = "github:wireapp/tasty?rev=97df5c1db305b626ffa0b80055361b7b28e69cec"; + flake = false; + }; + + servant-openapi3 = { + url = "github:wireapp/servant-openapi3?rev=0db0095040df2c469a48f5b8724595f82afbad0c"; + flake = false; + }; + + postie = { + url = "github:alexbiehl/postie?rev=13404b8cb7164cd9010c9be6cda5423194dd0c06"; + flake = false; + }; + + tinylog = { + url = "github:wireapp/tinylog?rev=9609104263e8cd2a631417c1c3ef23e090de0d09"; + flake = false; + }; + + tasty-ant-xml = { + url = "github:wireapp/tasty-ant-xml?rev=11c53e976e2e941f25a33e8768669eb576d19ea8"; + flake = false; + }; + + text-icu-translit = { + url = 
"github:wireapp/text-icu-translit?rev=317bbd27ea5ae4e7f93836ee9ca664f9bde7c583"; + flake = false; + }; + + warp = { + url = "github:yesodweb/wai?rev=ef34334b160c74b62435ccc21f5b458f73506b2f"; + flake = false; + }; + + http2 = { + url = "github:wireapp/http2?rev=ca606d86ed304fa780f7a60d11244019c62a10e0"; + flake = false; + }; + + amazonka = { + url = "github:brendanhay/amazonka?rev=a7d699be1076e2aad05a1930ca3937ffea954ad8"; + flake = false; + }; }; - outputs = { nixpkgs, nixpkgs_24_11, flake-utils, ... }: + outputs = inputs@{ nixpkgs, nixpkgs_24_11, flake-utils, ... }: flake-utils.lib.eachDefaultSystem (system: let pkgs = import nixpkgs { @@ -21,7 +108,7 @@ pkgs_24_11 = import nixpkgs_24_11 { inherit system; }; - wireServerPkgs = import ./nix { inherit pkgs pkgs_24_11; }; + wireServerPkgs = import ./nix { inherit pkgs pkgs_24_11 inputs; }; in { # profileEnv wireServer docs docsEnv mls-test-cli nginz; diff --git a/nix/default.nix b/nix/default.nix index 136a89ef5f..159199845c 100644 --- a/nix/default.nix +++ b/nix/default.nix @@ -1,4 +1,4 @@ -{ pkgs, pkgs_24_11 }: +{ pkgs, pkgs_24_11, inputs }: let profileEnv = pkgs.writeTextFile { name = "profile-env"; @@ -10,7 +10,7 @@ let ''; }; - wireServer = import ./wire-server.nix pkgs pkgs_24_11; + wireServer = import ./wire-server.nix pkgs pkgs_24_11 inputs; nginz = pkgs.callPackage ./nginz.nix { }; # packages necessary to build wire-server docs diff --git a/nix/haskell-pins.nix b/nix/haskell-pins.nix index 31e8123822..6ab81735d8 100644 --- a/nix/haskell-pins.nix +++ b/nix/haskell-pins.nix 
@@ -1,23 +1,20 @@ # How to add a git pin: # -# 1. If your target git repository has only package with the cabal file at the +# 1. Add the target git repo to the inputs section of flake.nix like this: +# = { +# url = "github:/?rev="; +# flake = false; +# }; +# 2. If your target git repository has only package with the cabal file at the # root, add it like this under 'gitPins': # = { -# src = fetchgit { -# url = ""; -# rev = ""; -# sha256 = ""; -# }; +# src = inputs.; # }; # -# 2. If your target git repsitory has many packages, add it like this under 'gitPins': +# 3. If your target git repsitory has many packages, add it like this under 'gitPins': # # = { -# src = fetchgit { -# url = ""; -# rev = ""; -# sha256 = ""; -# }; +# src = inputs.; # packages = { # = ""; # = ""; 
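Review bot: The rewritten "How to add a git pin" steps stop at editing flake.nix and never mention flake.lock, although after this change the content hash that `fetchgit` used to check exists only there, as `narHash`. A reader following the steps can end up with a working local build and an uncommitted or unreviewed lock entry. I would add a step after the flake.nix one, `# 2. Run 'nix flake lock' and commit the new flake.lock entry; its rev and narHash are what pin the source`, and renumber the rest. The same header also still has the typos "has only package" and "repsitory".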
@@ -25,38 +22,30 @@ # }; # }; # -# 3. Run 'nix build '.#wireServer.haskellPackagesUnoptimizedNoDocs.'. -# This should produce an error saying expected sha and the actual sha. Replace the empty string in 'sha256' with the actual -# sha. -# # How to update a git pin: # # 1. Determine the new commit ID/SHA of the git repository that you want to pin -# and update the 'rev' field of the pin under 'gitPins'. -# -# 2. Update 'sha256' field under `fetchgit` to be an empty string. (This step is optional: -# since the sha256 has changed, the error will be the same if you remove it or if you leave the -# old value in place.) -# -# 3. Run step 3. from how to add a git pin. +# and update the 'rev' param in the URL in the inputs section of the flake.nix. # # How to add a hackage pin: # # 1. Add your package like this, under 'hackagePins': # = { # version = ""; -# sha256 = "sha256-gD9b9AXpLkpPSAeg8oPBU7tsHtSNQjxIZKBo+7+r3+c="; +# sha256 = ""; # }; # -# 2. Run step 3. from how to add a git pin. +# 2. Run 'nix build '.#wireServer.haskellPackagesUnoptimizedNoDocs.'. +# This should produce an error saying expected sha and the actual sha. Replace the empty string in 'sha256' with the actual +# sha. # # How to update a hackage pin: # # 1. Update version number. # 2. Make the 'sha256' blank string. -# 3. Run step 3. from how to add a git pin. -{ lib, fetchgit, pkgs }: hself: hsuper: +# 3. Run step 2. from how to add a hackage pin. +{ lib, inputs }: hself: hsuper: let gitPins = { # ---------------- @@ -64,11 +53,7 @@ let # ---------------- cryptobox-haskell = { - src = fetchgit { - url = "https://github.com/wireapp/cryptobox-haskell"; - rev = "7546a1a25635ef65183e3d44c1052285e8401608"; - hash = "sha256-9mMVgmMB1NWCPm/3inLeF4Ouiju0uIb/92UENoP88TU="; - }; + src = inputs.cryptobox-haskell; }; # -------------------- 
@@ -76,40 +61,24 @@ let # -------------------- bloodhound = { - src = fetchgit { - url = "https://github.com/wireapp/bloodhound"; - rev = "dac0f1384b335ce35dc026bf8154e574b1a15d62"; - hash = "sha256-E3co9FGZP135T3RocX4vbUELbbgGbYddD8CcVNUzHu8="; - }; + src = inputs.bloodhound; }; # Merged PR https://github.com/dylex/hsaml2/pull/20 hsaml2 = { - src = fetchgit { - url = "https://github.com/dylex/hsaml2"; - rev = "874627ad22e69afe4d9a797e39633ffb30697c78"; - hash = "sha256-gufEAC7fFqafG8dXkGIOSfAcVv+ZWkawmBgUV+Ics2s="; - }; + src = inputs.hsaml2; }; # PR: https://github.com/informatikr/hedis/pull/224 # PR: https://github.com/informatikr/hedis/pull/226 # PR: https://github.com/informatikr/hedis/pull/227 hedis = { - src = fetchgit { - url = "https://github.com/wireapp/hedis"; - rev = "00d7fbf5f19b812b9e64e12be8860c4741be8558"; - sha256 = "sha256-BwcqQZf2GaEn2i6o9bVl+jiu/CjShYlHCmO81bYfc8Y="; - }; + src = inputs.hedis; }; # Our fork because we need to a few special things http-client = { - src = fetchgit { - url = "https://github.com/wireapp/http-client"; - rev = "37494bb9a89dd52f97a8dc582746c6ff52943934"; - hash = "sha256-z47GlT+tHsSlRX4ApSGQIpOpaZiBeqr72/tWuvzw8tc="; - }; + src = inputs.http-client; packages = { "http-client" = "http-client"; "http-client-tls" = "http-client-tls"; 
@@ -120,50 +89,30 @@ let # PR: https://github.com/hspec/hspec-wai/pull/49 hspec-wai = { - src = fetchgit { - url = "https://github.com/wireapp/hspec-wai"; - rev = "08176f07fa893922e2e78dcaf996c33d79d23ce2"; - hash = "sha256-Nc5POjA+mJt7Vi3drczEivGsv9PXeVOCSwp21lLmz58="; - }; + src = inputs.hspec-wai; }; # PR: https://gitlab.com/twittner/cql/-/merge_requests/11 cql = { - src = fetchgit { - url = "https://github.com/wireapp/cql"; - rev = "abbd2739969d17a909800f282d10d42a254c4e3b"; - hash = "sha256-2MYwZKiTdwgjJdLNvECi7gtcIo+3H4z1nYzen5x0lgU="; - }; + src = inputs.cql; }; # PR: https://gitlab.com/twittner/cql-io/-/merge_requests/20 cql-io = { - src = fetchgit { - url = "https://github.com/wireapp/cql-io"; - rev = "c2b6aa995b5817ed7c78c53f72d5aa586ef87c36"; - hash = "sha256-DMRWUq4yorG5QFw2ZyF/DWnRjfnzGupx0njTiOyLzPI="; - }; + src = inputs.cql-io; }; # missing upstream PR, this will get removed when completing # servantification # - # this is currently still used/needed in the proxy service + # this is currently still used/needed in the proxy service wai-predicates = { - src = fetchgit { - url = "https://github.com/wireapp/wai-predicates"; - rev = "ff95282a982ab45cced70656475eaf2cefaa26ea"; - hash = "sha256-x2XSv2+/+DG9FXN8hfUWGNIO7V4iBhlzYz19WWKaLKQ="; - }; + src = inputs.wai-predicates; }; # PR: https://github.com/UnkindPartition/tasty/pull/351 tasty = { - src = fetchgit { - url = "https://github.com/wireapp/tasty"; - rev = "97df5c1db305b626ffa0b80055361b7b28e69cec"; - hash = "sha256-oACehxazeKgRr993gASRbQMf74heh5g0B+70ceAg17I="; - }; + src = inputs.tasty; packages = { tasty-hunit = "hunit"; }; 
@@ -172,65 +121,35 @@ let # sets the required flag for HTTP request bodies. # PR: https://github.com/biocad/servant-openapi3/pull/49 servant-openapi3 = { - src = fetchgit { - url = "https://github.com/wireapp/servant-openapi3"; - rev = "0db0095040df2c469a48f5b8724595f82afbad0c"; - hash = "sha256-iKMWd+qm8hHhKepa13VWXDPCpTMXxoOwWyoCk4lLlIY="; - }; + src = inputs.servant-openapi3; }; # we need HEAD, the latest release is too old postie = { - src = fetchgit { - url = "https://github.com/alexbiehl/postie"; - rev = "13404b8cb7164cd9010c9be6cda5423194dd0c06"; - hash = "sha256-nNivtyBpr4DFsbaXxlCznX+MYtzNshU7vfVpnhMh52c="; - }; + src = inputs.postie; }; tinylog = { - src = fetchgit { - url = "https://github.com/wireapp/tinylog.git"; - rev = "9609104263e8cd2a631417c1c3ef23e090de0d09"; - hash = "sha256-htEIJY+LmIMACVZrflU60+X42/g14NxUyFM7VJs4E6w="; - }; + src = inputs.tinylog; }; # PR: https://github.com/ocharles/tasty-ant-xml/pull/32 tasty-ant-xml = { - src = fetchgit { - url = "https://github.com/wireapp/tasty-ant-xml"; - rev = "11c53e976e2e941f25a33e8768669eb576d19ea8"; - hash = "sha256-Aj/iTVECsCGq4f+32FXWyYj/iLH5e4Gm4hYRmewnJJM="; - }; + src = inputs.tasty-ant-xml; }; text-icu-translit = { - src = pkgs.fetchFromGitHub { - owner = "wireapp"; - repo = "text-icu-translit"; - rev = "317bbd27ea5ae4e7f93836ee9ca664f9bde7c583"; - hash = "sha256-E35PVxi/4iJFfWts3td52KKZKQt4dj9KFP3SvWG77Cc="; - }; + src = inputs.text-icu-translit; }; # open PR https://github.com/yesodweb/wai/pull/958 for sending connection: close when closing connection warp = { + src = inputs.warp; packages.warp = "warp"; - src = pkgs.fetchFromGitHub { - owner = "yesodweb"; - repo = "wai"; - rev = "ef34334b160c74b62435ccc21f5b458f73506b2f"; - hash = "sha256-7rgZUimPJY+0yVN717pZ2Ep01+XB0z8C/+L9D3Qz9/k="; - }; }; http2 = { - src = fetchgit { - url = "https://github.com/wireapp/http2"; - rev = "ca606d86ed304fa780f7a60d11244019c62a10e0"; - hash = "sha256-eyjFtB28JCcvItZ5R8CT2F5GL62c49oQ49AN8/4HSYw="; - }; + src = 
inputs.http2; }; @@ -245,11 +164,7 @@ let # Can't currently be removed because amazonka-dynamodb-attributevalue # does not exist on hackage amazonka = { - src = fetchgit { - url = "https://github.com/brendanhay/amazonka"; - rev = "a7d699be1076e2aad05a1930ca3937ffea954ad8"; - hash = "sha256-cCRhHH/IgM7tPy8rXHTSRec1zxohO8NWxSVZEG1OjQw="; - }; + src = inputs.amazonka; packages = { amazonka = "lib/amazonka"; amazonka-core = "lib/amazonka-core"; diff --git a/nix/wire-server.nix b/nix/wire-server.nix index 2fa2cc8228..a9d2f09fe2 100644 --- a/nix/wire-server.nix +++ b/nix/wire-server.nix @@ -44,6 +44,7 @@ # with nixpkgs' dockerTools to make derivations for docker images that we need. pkgs: pkgs_24_11: +inputs: let inherit (pkgs) lib; hlib = pkgs.haskell.lib; @@ -95,9 +96,7 @@ let inherit (lib) attrsets; pinnedPackages = import ./haskell-pins.nix { - inherit pkgs; - inherit (pkgs) fetchgit; - inherit lib; + inherit lib inputs; }; localPackages = { enableOptimization, enableDocs, enableTests }: hsuper: hself: From f5f804d8bbcaed0cc7b80adfc1c3fc35385b42e7 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Wed, 7 Jan 2026 11:22:45 +0100 Subject: [PATCH 10/14] changelog --- changelog.d/5-internal/flake | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/5-internal/flake diff --git a/changelog.d/5-internal/flake b/changelog.d/5-internal/flake new file mode 100644 index 0000000000..aaba7fcf9f --- /dev/null +++ b/changelog.d/5-internal/flake @@ -0,0 +1 @@ +Use nix flakes instead of niv and manually pinned git dependencies \ No newline at end of file From 1d409d5dc1f676659bbde6d1f4ec79c3b1f7b161 Mon Sep 17 00:00:00 2001 
From: Akshay Mankar Date: Wed, 7 Jan 2026 12:21:26 +0100 Subject: [PATCH 11/14] flake.nix: Use branch names instead of revs for haskell pins Also use published versions of warp and http2, they already contain the changes that were pinned --- flake.lock | 92 ++++++++++++++------------------------------ flake.nix | 40 ++++++++----------- nix/haskell-pins.nix | 20 +++++----- 3 files changed, 52 insertions(+), 100 deletions(-) diff --git a/flake.lock b/flake.lock index f83143d9ca..19154d022b 100644 --- a/flake.lock +++ b/flake.lock @@ -29,8 +29,8 @@ }, "original": { "owner": "wireapp", + "ref": "wire-fork", "repo": "bloodhound", - "rev": "dac0f1384b335ce35dc026bf8154e574b1a15d62", "type": "github" } }, @@ -46,8 +46,8 @@ }, "original": { "owner": "wireapp", + "ref": "develop", "repo": "cql", - "rev": "abbd2739969d17a909800f282d10d42a254c4e3b", "type": "github" } }, @@ -63,25 +63,25 @@ }, "original": { "owner": "wireapp", + "ref": "control-conn", "repo": "cql-io", - "rev": "c2b6aa995b5817ed7c78c53f72d5aa586ef87c36", "type": "github" } }, "cryptobox-haskell": { "flake": false, "locked": { - "lastModified": 1469104927, - "narHash": "sha256-9mMVgmMB1NWCPm/3inLeF4Ouiju0uIb/92UENoP88TU=", + "lastModified": 1728557781, + "narHash": "sha256-LROqEzzvKiJ7YoF8SdKUkEgGXKBRW6Wdtd4EBY3LYOk=", "owner": "wireapp", "repo": "cryptobox-haskell", - "rev": "7546a1a25635ef65183e3d44c1052285e8401608", + "rev": "05560b2cfae13aac54414952638dadd62204f361", "type": "github" }, "original": { "owner": "wireapp", + "ref": "master", "repo": "cryptobox-haskell", - "rev": "7546a1a25635ef65183e3d44c1052285e8401608", "type": "github" } }, @@ -115,8 +115,8 @@ }, "original": { "owner": "wireapp", + "ref": "wire-changes", "repo": "hedis", - "rev": "00d7fbf5f19b812b9e64e12be8860c4741be8558", "type": "github" } }, @@ -132,8 +132,8 @@ }, "original": { "owner": "dylex", + "ref": "main", "repo": "hsaml2", - "rev": "874627ad22e69afe4d9a797e39633ffb30697c78", "type": "github" } }, 
@@ -149,8 +149,8 @@ }, "original": { "owner": "wireapp", + "ref": "body-contains", "repo": "hspec-wai", - "rev": "08176f07fa893922e2e78dcaf996c33d79d23ce2", "type": "github" } }, @@ -166,25 +166,8 @@ }, "original": { "owner": "wireapp", + "ref": "master", "repo": "http-client", - "rev": "37494bb9a89dd52f97a8dc582746c6ff52943934", - "type": "github" - } - }, - "http2": { - "flake": false, - "locked": { - "lastModified": 1765325653, - "narHash": "sha256-eyjFtB28JCcvItZ5R8CT2F5GL62c49oQ49AN8/4HSYw=", - "owner": "wireapp", - "repo": "http2", - "rev": "ca606d86ed304fa780f7a60d11244019c62a10e0", - "type": "github" - }, - "original": { - "owner": "wireapp", - "repo": "http2", - "rev": "ca606d86ed304fa780f7a60d11244019c62a10e0", "type": "github" } }, @@ -223,17 +206,17 @@ "postie": { "flake": false, "locked": { - "lastModified": 1725958101, - "narHash": "sha256-nNivtyBpr4DFsbaXxlCznX+MYtzNshU7vfVpnhMh52c=", + "lastModified": 1755365380, + "narHash": "sha256-gSWoV2EuqxTiVJgG5DBvpR2GmccAD/tRdGVxoNw8+Rw=", "owner": "alexbiehl", "repo": "postie", - "rev": "13404b8cb7164cd9010c9be6cda5423194dd0c06", + "rev": "769dde424327c6b83079d79130a3d476967a9790", "type": "github" }, "original": { "owner": "alexbiehl", + "ref": "master", "repo": "postie", - "rev": "13404b8cb7164cd9010c9be6cda5423194dd0c06", "type": "github" } }, @@ -249,7 +232,6 @@ "hsaml2": "hsaml2", "hspec-wai": "hspec-wai", "http-client": "http-client", - "http2": "http2", "nixpkgs": "nixpkgs", "nixpkgs_24_11": "nixpkgs_24_11", "postie": "postie", @@ -258,8 +240,7 @@ "tasty-ant-xml": "tasty-ant-xml", "text-icu-translit": "text-icu-translit", "tinylog": "tinylog", - "wai-predicates": "wai-predicates", - "warp": "warp" + "wai-predicates": "wai-predicates" } }, "servant-openapi3": { @@ -274,8 +255,8 @@ }, "original": { "owner": "wireapp", + "ref": "required-request-bodies", "repo": "servant-openapi3", - "rev": "0db0095040df2c469a48f5b8724595f82afbad0c", "type": "github" } }, 
@@ -306,8 +287,8 @@ }, "original": { "owner": "wireapp", + "ref": "mangoiv/full-stacktrace-rebased", "repo": "tasty", - "rev": "97df5c1db305b626ffa0b80055361b7b28e69cec", "type": "github" } }, @@ -323,25 +304,25 @@ }, "original": { "owner": "wireapp", + "ref": "drop-console-formatting_rebased", "repo": "tasty-ant-xml", - "rev": "11c53e976e2e941f25a33e8768669eb576d19ea8", "type": "github" } }, "text-icu-translit": { "flake": false, "locked": { - "lastModified": 1698840062, - "narHash": "sha256-E35PVxi/4iJFfWts3td52KKZKQt4dj9KFP3SvWG77Cc=", + "lastModified": 1732177438, + "narHash": "sha256-wOZMz0yv29WgQyUuJ8fDejR11GopAUWkeh3nV0zlrow=", "owner": "wireapp", "repo": "text-icu-translit", - "rev": "317bbd27ea5ae4e7f93836ee9ca664f9bde7c583", + "rev": "2392d8d1500cd16e12aede1e0a3863ad3c1a7e37", "type": "github" }, "original": { "owner": "wireapp", + "ref": "master", "repo": "text-icu-translit", - "rev": "317bbd27ea5ae4e7f93836ee9ca664f9bde7c583", "type": "github" } }, 
@@ -357,42 +338,25 @@ }, "original": { "owner": "wireapp", + "ref": "wire-fork", "repo": "tinylog", - "rev": "9609104263e8cd2a631417c1c3ef23e090de0d09", "type": "github" } }, "wai-predicates": { "flake": false, "locked": { - "lastModified": 1674147808, - "narHash": "sha256-x2XSv2+/+DG9FXN8hfUWGNIO7V4iBhlzYz19WWKaLKQ=", + "lastModified": 1732803463, + "narHash": "sha256-+v3nGZhW/pIki2/ax4sMLeR2F6Ikh7V1/JbGJnZC3Pc=", "owner": "wireapp", "repo": "wai-predicates", - "rev": "ff95282a982ab45cced70656475eaf2cefaa26ea", + "rev": "35b0ac568b5e197b21acc12699ed09ee89c1d994", "type": "github" }, "original": { "owner": "wireapp", + "ref": "develop", "repo": "wai-predicates", - "rev": "ff95282a982ab45cced70656475eaf2cefaa26ea", - "type": "github" - } - }, - "warp": { - "flake": false, - "locked": { - "lastModified": 1766622245, - "narHash": "sha256-7rgZUimPJY+0yVN717pZ2Ep01+XB0z8C/+L9D3Qz9/k=", - "owner": "yesodweb", - "repo": "wai", - "rev": "ef34334b160c74b62435ccc21f5b458f73506b2f", - "type": "github" - }, - "original": { - "owner": "yesodweb", - "repo": "wai", - "rev": "ef34334b160c74b62435ccc21f5b458f73506b2f", "type": "github" } } diff --git a/flake.nix b/flake.nix index d8cb52f9fa..6eb24cb166 100644 --- a/flake.nix +++ b/flake.nix 
@@ -8,84 +8,74 @@ flake-utils.url = "github:numtide/flake-utils"; cryptobox-haskell = { - url = "github:wireapp/cryptobox-haskell?rev=7546a1a25635ef65183e3d44c1052285e8401608"; + url = "github:wireapp/cryptobox-haskell?ref=master"; flake = false; }; bloodhound = { - url = "github:wireapp/bloodhound?rev=dac0f1384b335ce35dc026bf8154e574b1a15d62"; + url = "github:wireapp/bloodhound?ref=wire-fork"; flake = false; }; hsaml2 = { - url = "github:dylex/hsaml2?rev=874627ad22e69afe4d9a797e39633ffb30697c78"; + url = "github:dylex/hsaml2?ref=main"; flake = false; }; hedis = { - url = "github:wireapp/hedis?rev=00d7fbf5f19b812b9e64e12be8860c4741be8558"; + url = "github:wireapp/hedis?ref=wire-changes"; flake = false; }; http-client = { - url = "github:wireapp/http-client?rev=37494bb9a89dd52f97a8dc582746c6ff52943934"; + url = "github:wireapp/http-client?ref=master"; flake = false; }; hspec-wai = { - url = "github:wireapp/hspec-wai?rev=08176f07fa893922e2e78dcaf996c33d79d23ce2"; + url = "github:wireapp/hspec-wai?ref=body-contains"; flake = false; }; cql = { - url = "github:wireapp/cql?rev=abbd2739969d17a909800f282d10d42a254c4e3b"; + url = "github:wireapp/cql?ref=develop"; flake = false; }; cql-io = { - url = "github:wireapp/cql-io?rev=c2b6aa995b5817ed7c78c53f72d5aa586ef87c36"; + url = "github:wireapp/cql-io?ref=control-conn"; flake = false; }; wai-predicates = { - url = "github:wireapp/wai-predicates?rev=ff95282a982ab45cced70656475eaf2cefaa26ea"; + url = "github:wireapp/wai-predicates?ref=develop"; flake = false; }; tasty = { - url = "github:wireapp/tasty?rev=97df5c1db305b626ffa0b80055361b7b28e69cec"; + url = "github:wireapp/tasty?ref=mangoiv/full-stacktrace-rebased"; flake = false; }; servant-openapi3 = { - url = "github:wireapp/servant-openapi3?rev=0db0095040df2c469a48f5b8724595f82afbad0c"; + url = "github:wireapp/servant-openapi3?ref=required-request-bodies"; flake = false; }; postie = { - url = "github:alexbiehl/postie?rev=13404b8cb7164cd9010c9be6cda5423194dd0c06"; + url = 
"github:alexbiehl/postie?ref=master"; flake = false; }; tinylog = { - url = "github:wireapp/tinylog?rev=9609104263e8cd2a631417c1c3ef23e090de0d09"; + url = "github:wireapp/tinylog?ref=wire-fork"; flake = false; }; tasty-ant-xml = { - url = "github:wireapp/tasty-ant-xml?rev=11c53e976e2e941f25a33e8768669eb576d19ea8"; + url = "github:wireapp/tasty-ant-xml?ref=drop-console-formatting_rebased"; flake = false; }; text-icu-translit = { - url = "github:wireapp/text-icu-translit?rev=317bbd27ea5ae4e7f93836ee9ca664f9bde7c583"; - flake = false; - }; - - warp = { - url = "github:yesodweb/wai?rev=ef34334b160c74b62435ccc21f5b458f73506b2f"; - flake = false; - }; - - http2 = { - url = "github:wireapp/http2?rev=ca606d86ed304fa780f7a60d11244019c62a10e0"; + url = "github:wireapp/text-icu-translit?ref=master"; flake = false; }; diff --git a/nix/haskell-pins.nix b/nix/haskell-pins.nix index 6ab81735d8..5481009262 100644 --- a/nix/haskell-pins.nix +++ b/nix/haskell-pins.nix @@ -142,17 +142,6 @@ let src = inputs.text-icu-translit; }; - # open PR https://github.com/yesodweb/wai/pull/958 for sending connection: close when closing connection - warp = { - src = inputs.warp; - packages.warp = "warp"; - }; - - http2 = { - src = inputs.http2; - }; - - # Our fork of 2.0.0. This release hasn't been updated for a while and Nix # is bad in coping with Hackage patched revisions and overriding # ghc-options. So, we have our fork to gain GHC 9.8 compatibility. @@ -213,6 +202,15 @@ let version = "0.3.3.1"; sha256 = "sha256-jgSTBBDcxRQ0tjs0wTyvEpEAkGA7npJKjdXDT81VpT4="; }; + + warp = { + version = "3.4.12"; + sha256 = "sha256-Y9xQ1wBbBtSZ4qw3yTGSYX27qi2uFRDJVtAdmQqRnFQ="; + }; + http2 = { + version = "5.4.0"; + sha256 = "sha256-PeEWVd61bQ8G7LvfLeXklzXqNJFaAjE2ecRMWJZESPE="; + }; }; # Name -> Source -> Maybe Subpath -> Drv mkGitDrv = name: src: subpath: From 2f02eea0ebdfb3e1417c76cb14315b28f1ce7325 Mon Sep 17 00:00:00 2001 
From: Akshay Mankar Date: Wed, 7 Jan 2026 14:25:57 +0100 Subject: [PATCH 12/14] hack: Call nix build without `-f` --- hack/bin/kind-upload-image.sh | 2 +- hack/bin/kind-upload-images.sh | 2 +- hack/bin/upload-image.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hack/bin/kind-upload-image.sh b/hack/bin/kind-upload-image.sh index b3c460f00a..d376765f0c 100755 --- a/hack/bin/kind-upload-image.sh +++ b/hack/bin/kind-upload-image.sh @@ -19,7 +19,7 @@ readonly SCRIPT_DIR ROOT_DIR tmp_link_store=$(mktemp -d) image_stream_file="$tmp_link_store/image-stream" -nix -v --show-trace -L build -f "$ROOT_DIR#$IMAGE_ATTR" -o "$image_stream_file" +nix -v --show-trace -L build "$ROOT_DIR#$IMAGE_ATTR" -o "$image_stream_file" image_file="$tmp_link_store/image" image_file_tagged="$tmp_link_store/image-tagged" "$image_stream_file" > "$image_file" diff --git a/hack/bin/kind-upload-images.sh b/hack/bin/kind-upload-images.sh index d785930d81..cf97a44b83 100755 --- a/hack/bin/kind-upload-images.sh +++ b/hack/bin/kind-upload-images.sh @@ -18,7 +18,7 @@ readonly SCRIPT_DIR ROOT_DIR tmp_link_store=$(mktemp -d) image_list_file="$tmp_link_store/image-list" -nix -v --show-trace -L build -f "$ROOT_DIR#wireServer.imagesList" -o "$image_list_file" +nix -v --show-trace -L build "$ROOT_DIR#wireServer.imagesList" -o "$image_list_file" xargs -I {} -P 10 "$SCRIPT_DIR/kind-upload-image.sh" "wireServer.$IMAGES_ATTR.{}" < "$image_list_file" diff --git a/hack/bin/upload-image.sh b/hack/bin/upload-image.sh index 5050d81fba..f916bd5a66 100755 --- a/hack/bin/upload-image.sh +++ b/hack/bin/upload-image.sh 
@@ -64,7 +64,7 @@ tmp_link_store=$(mktemp -d) # images should have a few common layers. More information: # https://nixos.org/manual/nixpkgs/unstable/#ssec-pkgs-dockerTools-streamLayeredImage image_stream_file="$tmp_link_store/image_stream" -nix -v --show-trace -L build -f "$ROOT_DIR#$IMAGE_ATTR" -o "$image_stream_file" +nix -v --show-trace -L build "$ROOT_DIR#$IMAGE_ATTR" -o "$image_stream_file" image_file="$tmp_link_store/image" "$image_stream_file" >"$image_file" repo=$(skopeo list-tags "docker-archive://$image_file" | jq -r '.Tags[0] | split(":") | .[0]') From 7d548f969d0eba75040afc177d0598e476631f8a Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Wed, 7 Jan 2026 14:33:01 +0100 Subject: [PATCH 13/14] nix: Only show real images in wireServer.imageList this removes the extraneous 'all' from the list --- nix/wire-server.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/wire-server.nix b/nix/wire-server.nix index a9d2f09fe2..742f63544d 100644 --- a/nix/wire-server.nix +++ b/nix/wire-server.nix @@ -389,7 +389,7 @@ let imagesList = pkgs.writeTextFile { name = "imagesList"; - text = "${lib.concatStringsSep "\n" (builtins.attrNames (images localModsEnableAll))}"; + text = "${lib.concatStringsSep "\n" (builtins.attrNames (staticExecs localModsEnableAll))}"; }; wireServerPackages = (builtins.attrNames (localPackages localModsEnableAll { } { })); From 4f15fbfc0d93bcc6952aa62dcd80ef1d3bf20a57 Mon Sep 17 00:00:00 2001 From: Akshay Mankar Date: Wed, 7 Jan 2026 14:55:00 +0100 Subject: [PATCH 14/14] hack: Remove the need to build wireServer.imageList the images.all derivation builds a nice link farm which can be used instead. --- Makefile | 5 ++++- hack/bin/upload-image.sh | 12 +++--------- hack/bin/upload-images.sh | 13 ++++++------- 3 files changed, 13 insertions(+), 17 deletions(-) diff --git a/Makefile b/Makefile index 8b37bb940d..46a53473d9 100644 --- a/Makefile +++ b/Makefile 
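Review bot: In the nix/wire-server.nix hunk, `imagesList` is now built from the attribute names of `staticExecs`, but its consumer still treats each name as an attribute of the images set. hack/bin/kind-upload-images.sh expands every line to `wireServer.$IMAGES_ATTR.{}`, and nothing in the hunk ties the two key sets together. If `staticExecs` ever gains a name that `images` lacks, the upload would presumably fail at build time; in the opposite case an image would be skipped silently. Deriving the list from `images` and dropping only the aggregate keeps them in step: `text = "${lib.concatStringsSep "\n" (builtins.attrNames (builtins.removeAttrs (images localModsEnableAll) [ "all" ]))}";`. The definitions of `images` and `staticExecs` are outside the hunk, so please confirm that `all` is the only extra key.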
@@ -319,8 +319,11 @@ upload-images: upload-images-dev: ./hack/bin/upload-images.sh imagesUnoptimizedNoDocs +HOOGLE_IMAGE_DIR := $(shell mktemp -d -t wire-server-hoogle-image.XXXXXX) + upload-hoogle-image: - ./hack/bin/upload-image.sh wireServer.hoogleImage + nix -v --show-trace -L build ".#wireServer.hoogleImage" --out-link $(HOOGLE_IMAGE_DIR)/image --fallback + ./hack/bin/upload-image.sh $(HOOGLE_IMAGE_DIR)/image ################################# ## cassandra / postgres management diff --git a/hack/bin/upload-image.sh b/hack/bin/upload-image.sh index f916bd5a66..080c18d8dc 100755 --- a/hack/bin/upload-image.sh +++ b/hack/bin/upload-image.sh @@ -14,12 +14,8 @@ set -euo pipefail readonly DOCKER_TAG=${DOCKER_TAG:?"Please set the DOCKER_TAG env variable"} -readonly usage="USAGE: $0 " -readonly IMAGE_ATTR=${1:?$usage} - -SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) -ROOT_DIR=$(cd -- "$SCRIPT_DIR/../../" &>/dev/null && pwd) -readonly SCRIPT_DIR ROOT_DIR +readonly usage="USAGE: $0 " +readonly IMAGE_STREAM_FILE=${1:?$usage} credsArgs="" if [[ "${DOCKER_USER+x}" != "" ]]; then @@ -63,10 +59,8 @@ tmp_link_store=$(mktemp -d) # product of other store paths which should already be cached and a lot of our # images should have a few common layers. More information: # https://nixos.org/manual/nixpkgs/unstable/#ssec-pkgs-dockerTools-streamLayeredImage -image_stream_file="$tmp_link_store/image_stream" -nix -v --show-trace -L build "$ROOT_DIR#$IMAGE_ATTR" -o "$image_stream_file" image_file="$tmp_link_store/image" -"$image_stream_file" >"$image_file" +"$IMAGE_STREAM_FILE" >"$image_file" repo=$(skopeo list-tags "docker-archive://$image_file" | jq -r '.Tags[0] | split(":") | .[0]') printf "*** Uploading $image_file to %s:%s\n" "$repo" "$DOCKER_TAG" # shellcheck disable=SC2086 diff --git a/hack/bin/upload-images.sh b/hack/bin/upload-images.sh index fd0e30288b..9ccf1ad187 100755 --- a/hack/bin/upload-images.sh +++ b/hack/bin/upload-images.sh 
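Review bot: `HOOGLE_IMAGE_DIR := $(shell mktemp -d -t wire-server-hoogle-image.XXXXXX)` is expanded when the Makefile is parsed, so every `make` invocation creates a temporary directory, whatever the target, and nothing removes it. Switching to a lazy `=` would not help, because the two references in the recipe would then get two different directories. I would create the directory inside the `upload-hoogle-image` recipe instead, as one shell command chain: `tmp=$$(mktemp -d -t wire-server-hoogle-image.XXXXXX) && nix -v --show-trace -L build ".#wireServer.hoogleImage" --out-link "$$tmp/image" --fallback && ./hack/bin/upload-image.sh "$$tmp/image"`. Quoting the path also guards against a `TMPDIR` that contains spaces.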
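Review bot: hack/bin/upload-image.sh now executes its first argument directly (`"$IMAGE_STREAM_FILE" >"$image_file"` in hunk `@@ -63,10 +59,8 @@`) without checking what the path is. Callers that still pass an attribute name, as the old interface expected, would fail with a bare "command not found", or run an unrelated file of that name if one exists in the working directory. I would add a guard right after the `readonly IMAGE_STREAM_FILE=...` line in hunk `@@ -14,12 +14,8 @@`: `[[ -f "$IMAGE_STREAM_FILE" && -x "$IMAGE_STREAM_FILE" ]] || { echo "$usage" >&2; exit 1; }`. The usage string as shown reads `"USAGE: $0 "` with no argument name; if that is not a rendering artefact, it should name the expected stream-file path. The script's header comment is outside both hunks and may still describe the old attribute argument.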
@@ -20,14 +20,13 @@ SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd) ROOT_DIR=$(cd -- "$SCRIPT_DIR/../../" &>/dev/null && pwd) readonly SCRIPT_DIR ROOT_DIR -tmp_link_store=$(mktemp -d) -image_list_file="$tmp_link_store/image-list" -nix -v --show-trace -L build "$ROOT_DIR#wireServer.imagesList" -o "$image_list_file" --fallback - # Build everything first so we can benefit the most from having many cores. -nix -v --show-trace -L build "$ROOT_DIR#wireServer.$IMAGES_ATTR.all" --no-link --fallback +result=$(mktemp -d -t stream-images.XXXXXX) +nix -v --show-trace -L build "$ROOT_DIR#wireServer.$IMAGES_ATTR.all" --out-link "$result/images" --fallback -xargs -I {} -P 10 "$SCRIPT_DIR/upload-image.sh" "wireServer.$IMAGES_ATTR.{}" < "$image_list_file" +find "$result/images/" -type l -print0 | xargs -0 -I {} -P 10 "$SCRIPT_DIR/upload-image.sh" {} printf '*** Uploading image %s\n' nginz -"$SCRIPT_DIR/upload-image.sh" nginz +nginz_image=$(mktemp -d -t stream-nginz-image.XXXXXX) +nix -v --show-trace -L build "$ROOT_DIR#nginz" --out-link "$nginz_image/image" --fallback +"$SCRIPT_DIR/upload-image.sh" "$nginz_image/image"
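Review bot: The new `find "$result/images/" -type l -print0 | xargs -0 ...` pipeline succeeds without uploading anything when `find` matches nothing, because `xargs -I` does not run the command on empty input. That would happen if the `all` link farm were empty or held regular files rather than symlinks; the script would then go on to upload nginz and exit 0, so a release job would look green with no service images pushed. I would collect the matches first and fail when the list is empty, as in the excerpt below (`mapfile -d` needs bash 4.4 or later). The start of the script, including its `set` options, is outside the hunk.

```shell
# … unchanged: nix build of "$ROOT_DIR#wireServer.$IMAGES_ATTR.all" into "$result/images" …
mapfile -d '' -t stream_files < <(find "$result/images/" -type l -print0)
if (( ${#stream_files[@]} == 0 )); then
    echo "*** No image stream files found under $result/images" >&2
    exit 1
fi
printf '%s\0' "${stream_files[@]}" | xargs -0 -I {} -P 10 "$SCRIPT_DIR/upload-image.sh" {}
# … unchanged: nginz build and upload …
```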