diff --git a/flake.lock b/flake.lock
index 51a04c6c..1f87b9b6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -10,11 +10,11 @@
 "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1751403276,
- "narHash": "sha256-V0EPQNsQko1a8OqIWc2lLviLnMpR1m08Ej00z5RVTfs=",
+ "lastModified": 1738524606,
+ "narHash": "sha256-hPYEJ4juK3ph7kbjbvv7PlU1D9pAkkhl+pwx8fZY53U=",
 "owner": "zhaofengli",
 "repo": "attic",
- "rev": "896ad88fa57ad5dbcd267c0ac51f1b71ccfcb4dd",
+ "rev": "ff8a897d1f4408ebbf4d45fa9049c06b3e1e3f4e",
 "type": "github"
 },
 "original": {
@@ -32,11 +32,11 @@
 "nixpkgs": "nixpkgs_4"
 },
 "locked": {
- "lastModified": 1748883665,
- "narHash": "sha256-R0W7uAg+BLoHjMRMQ8+oiSbTq8nkGz5RDpQ+ZfxxP3A=",
+ "lastModified": 1737621947,
+ "narHash": "sha256-8HFvG7fvIFbgtaYAY2628Tb89fA55nPm2jSiNs0/Cws=",
 "owner": "cachix",
 "repo": "cachix",
- "rev": "f707778d902af4d62d8dd92c269f8e70de09acbe",
+ "rev": "f65a3cd5e339c223471e64c051434616e18cc4f5",
 "type": "github"
 },
 "original": {
@@ -63,11 +63,11 @@
 "nixpkgs": "nixpkgs_2"
 },
 "locked": {
- "lastModified": 1744206633,
- "narHash": "sha256-pb5aYkE8FOoa4n123slgHiOf1UbNSnKe5pEZC+xXD5g=",
+ "lastModified": 1728672398,
+ "narHash": "sha256-KxuGSoVUFnQLB2ZcYODW7AVPAh9JqRlD5BrfsC/Q4qs=",
 "owner": "cachix",
 "repo": "cachix",
- "rev": "8a60090640b96f9df95d1ab99e5763a586be1404",
+ "rev": "aac51f698309fd0f381149214b7eee213c66ef0a",
 "type": "github"
 },
 "original": {
@@ -77,6 +77,23 @@
 "type": "github"
 }
 },
+ "complement": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1741891349,
+ "narHash": "sha256-YvrzOWcX7DH1drp5SGa+E/fc7wN3hqFtPbqPjZpOu1Q=",
+ "owner": "girlbossceo",
+ "repo": "complement",
+ "rev": "e587b3df569cba411aeac7c20b6366d03c143745",
+ "type": "github"
+ },
+ "original": {
+ "owner": "girlbossceo",
+ "ref": "main",
+ "repo": "complement",
+ "type": "github"
+ }
+ },
 "crane": {
 "inputs": {
 "nixpkgs": [
@@ -100,11 +117,11 @@
 },
 "crane_2": {
 "locked": {
- "lastModified": 1750266157,
- "narHash": "sha256-tL42YoNg9y30u7zAqtoGDNdTyXTi8EALDeCB13FtbQA=",
+ "lastModified": 1739936662,
+ "narHash": "sha256-x4syUjNUuRblR07nDPeLDP7DpphaBVbUaSoeZkFbGSk=",
 "owner": "ipetkov",
 "repo": "crane",
- "rev": "e37c943371b73ed87faf33f7583860f81f1d5a48",
+ "rev": "19de14aaeb869287647d9461cbd389187d8ecdb7",
 "type": "github"
 },
 "original": {
@@ -132,11 +149,11 @@
 ]
 },
 "locked": {
- "lastModified": 1748273445,
- "narHash": "sha256-5V0dzpNgQM0CHDsMzh+ludYeu1S+Y+IMjbaskSSdFh0=",
+ "lastModified": 1733323168,
+ "narHash": "sha256-d5DwB4MZvlaQpN6OQ4SLYxb5jA4UH5EtV5t5WOtjLPU=",
 "owner": "cachix",
 "repo": "devenv",
- "rev": "668a50d8b7bdb19a0131f53c9f6c25c9071e1ffb",
+ "rev": "efa9010b8b1cfd5dd3c7ed1e172a470c3b84a064",
 "type": "github"
 },
 "original": {
@@ -153,11 +170,11 @@
 "rust-analyzer-src": "rust-analyzer-src"
 },
 "locked": {
- "lastModified": 1751525020,
- "narHash": "sha256-oDO6lCYS5Bf4jUITChj9XV7k3TP38DE0Ckz5n5ORCME=",
+ "lastModified": 1740724364,
+ "narHash": "sha256-D1jLIueJx1dPrP09ZZwTrPf4cubV+TsFMYbpYYTVj6A=",
 "owner": "nix-community",
 "repo": "fenix",
- "rev": "a1a5f92f47787e7df9f30e5e5ac13e679215aa1e",
+ "rev": "edf7d9e431cda8782e729253835f178a356d3aab",
 "type": "github"
 },
 "original": {
@@ -186,11 +203,11 @@
 "flake-compat_2": {
 "flake": false,
 "locked": {
- "lastModified": 1747046372,
- "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+ "lastModified": 1733328505,
+ "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
 "owner": "edolstra",
 "repo": "flake-compat",
- "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+ "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
 "type": "github"
 },
 "original": {
@@ -202,11 +219,11 @@
 "flake-compat_3": {
 "flake": false,
 "locked": {
- "lastModified": 1747046372,
- "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+ "lastModified": 1733328505,
+ "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
 "owner": "edolstra",
 "repo": "flake-compat",
- "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+ "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
 "type": "github"
 },
 "original": {
@@ -289,14 +306,15 @@
 "nixpkgs": [
 "cachix",
 "nixpkgs"
- ]
+ ],
+ "nixpkgs-stable": "nixpkgs-stable_2"
 },
 "locked": {
- "lastModified": 1747372754,
- "narHash": "sha256-2Y53NGIX2vxfie1rOW0Qb86vjRZ7ngizoo+bnXU9D9k=",
+ "lastModified": 1733318908,
+ "narHash": "sha256-SVQVsbafSM1dJ4fpgyBqLZ+Lft+jcQuMtEL3lQWx2Sk=",
 "owner": "cachix",
 "repo": "git-hooks.nix",
- "rev": "80479b6ec16fefd9c1db3ea13aeb038c60530f46",
+ "rev": "6f4e2a2112050951a314d2733a994fbab94864c6",
 "type": "github"
 },
 "original": {
@@ -343,6 +361,23 @@
 "type": "github"
 }
 },
+ "liburing": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1740613216,
+ "narHash": "sha256-NpPOBqNND3Qe9IwqYs0mJLGTmIx7e6FgUEBAnJ+1ZLA=",
+ "owner": "axboe",
+ "repo": "liburing",
+ "rev": "e1003e496e66f9b0ae06674869795edf772d5500",
+ "type": "github"
+ },
+ "original": {
+ "owner": "axboe",
+ "ref": "master",
+ "repo": "liburing",
+ "type": "github"
+ }
+ },
 "nix": {
 "inputs": {
 "flake-compat": [
@@ -366,11 +401,11 @@
 ]
 },
 "locked": {
- "lastModified": 1745930071,
- "narHash": "sha256-bYyjarS3qSNqxfgc89IoVz8cAFDkF9yPE63EJr+h50s=",
+ "lastModified": 1727438425,
+ "narHash": "sha256-X8ES7I1cfNhR9oKp06F6ir4Np70WGZU5sfCOuNBEwMg=",
 "owner": "domenkozar",
 "repo": "nix",
- "rev": "b455edf3505f1bf0172b39a735caef94687d0d9c",
+ "rev": "f6c5ae4c1b2e411e6b1e6a8181cc84363d6a7546",
 "type": "github"
 },
 "original": {
@@ -449,13 +484,29 @@
 "type": "github"
 }
 },
- "nixpkgs_2": {
+ "nixpkgs-stable_2": {
 "locked": {
- "lastModified": 1733212471,
- "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=",
+ "lastModified": 1730741070,
+ "narHash": "sha256-edm8WG19kWozJ/GqyYx2VjW99EdhjKwbY3ZwdlPAAlo=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776",
+ "rev": "d063c1dd113c91ab27959ba540c0d9753409edf3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-24.05",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1730531603,
+ "narHash": "sha256-Dqg6si5CqIzm87sp57j5nTaeBbWhHFaVyG7V6L8k3lY=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "7ffd9ae656aec493492b44d0ddfb28e79a1ea25d",
 "type": "github"
 },
 "original": {
@@ -483,11 +534,11 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1748190013,
- "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=",
+ "lastModified": 1733212471,
+ "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "62b852f6c6742134ade1abdd2a21685fd617a291",
+ "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776",
 "type": "github"
 },
 "original": {
@@ -499,11 +550,11 @@
 },
 "nixpkgs_5": {
 "locked": {
- "lastModified": 1751498133,
- "narHash": "sha256-QWJ+NQbMU+NcU2xiyo7SNox1fAuwksGlQhpzBl76g1I=",
+ "lastModified": 1740547748,
+ "narHash": "sha256-Ly2fBL1LscV+KyCqPRufUBuiw+zmWrlJzpWOWbahplg=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "d55716bb59b91ae9d1ced4b1ccdea7a442ecbfdb",
+ "rev": "3a05eebede89661660945da1f151959900903b6a",
 "type": "github"
 },
 "original": {
@@ -518,26 +569,28 @@
 "locked": {
 "lastModified": 1741308171,
 "narHash": "sha256-YdBvdQ75UJg5ffwNjxizpviCVwVDJnBkM8ZtGIduMgY=",
- "ref": "v9.11.1",
+ "owner": "girlbossceo",
+ "repo": "rocksdb",
 "rev": "3ce04794bcfbbb0d2e6f81ae35fc4acf688b6986",
- "revCount": 13177,
- "type": "git",
- "url": "https://forgejo.ellis.link/continuwuation/rocksdb"
+ "type": "github"
 },
 "original": {
+ "owner": "girlbossceo",
 "ref": "v9.11.1",
- "type": "git",
- "url": "https://forgejo.ellis.link/continuwuation/rocksdb"
+ "repo": "rocksdb",
+ "type": "github"
 }
 },
 "root": {
 "inputs": {
 "attic": "attic",
 "cachix": "cachix",
+ "complement": "complement",
 "crane": "crane_2",
 "fenix": "fenix",
 "flake-compat": "flake-compat_3",
 "flake-utils": "flake-utils",
+ "liburing": "liburing",
 "nix-filter": "nix-filter",
 "nixpkgs": "nixpkgs_5",
 "rocksdb": "rocksdb"
@@ -546,11 +599,11 @@
 "rust-analyzer-src": {
 "flake": false,
 "locked": {
- "lastModified": 1751433876,
- "narHash": "sha256-IsdwOcvLLDDlkFNwhdD5BZy20okIQL01+UQ7Kxbqh8s=",
+ "lastModified": 1740691488,
+ "narHash": "sha256-Fs6vBrByuiOf2WO77qeMDMTXcTGzrIMqLBv+lNeywwM=",
 "owner": "rust-lang",
 "repo": "rust-analyzer",
- "rev": "11d45c881389dae90b0da5a94cde52c79d0fc7ef",
+ "rev": "fe3eda77d3a7ce212388bda7b6cec8bffcc077e5",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 564cd479..52fdc10b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,344 +2,577 @@ inputs = { attic.url = "github:zhaofengli/attic?ref=main"; cachix.url = "github:cachix/cachix?ref=master"; - crane = { - url = "github:ipetkov/crane?ref=master"; - }; - fenix = { - url = "github:nix-community/fenix?ref=main"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - flake-compat = { - url = "github:edolstra/flake-compat?ref=master"; - flake = false; - }; + complement = { url = "github:girlbossceo/complement?ref=main"; flake = false; }; + crane = { url = "github:ipetkov/crane?ref=master"; }; + fenix = { url = "github:nix-community/fenix?ref=main"; inputs.nixpkgs.follows = "nixpkgs"; }; + flake-compat = { url = "github:edolstra/flake-compat?ref=master"; flake = false; }; flake-utils.url = "github:numtide/flake-utils?ref=main"; nix-filter.url = "github:numtide/nix-filter?ref=main"; nixpkgs.url = "github:NixOS/nixpkgs?ref=nixpkgs-unstable"; - rocksdb = { - url = "git+https://forgejo.ellis.link/continuwuation/rocksdb?ref=v9.11.1"; - flake = false; - }; + rocksdb = { url = "github:girlbossceo/rocksdb?ref=v9.11.1"; flake = false; }; + liburing = { url = "github:axboe/liburing?ref=master"; flake = false; }; }; - outputs = - inputs: - inputs.flake-utils.lib.eachDefaultSystem ( - system: - let - pkgsHost = import inputs.nixpkgs { + outputs = inputs: + inputs.flake-utils.lib.eachDefaultSystem (system: + let + pkgsHost = import inputs.nixpkgs{ + inherit system; + }; + pkgsHostStatic = pkgsHost.pkgsStatic; + + # The Rust toolchain to use + toolchain = inputs.fenix.packages.${system}.fromToolchainFile { + file = ./rust-toolchain.toml; + + # See also `rust-toolchain.toml` + sha256 = "sha256-KUm16pHj+cRedf8vxs/Hd2YWxpOrWZ7UOrwhILdSJBU="; + }; + + mkScope = pkgs: pkgs.lib.makeScope pkgs.newScope (self: { + inherit pkgs; + book = self.callPackage ./nix/pkgs/book {}; + complement = self.callPackage ./nix/pkgs/complement {}; + craneLib = ((inputs.crane.mkLib pkgs).overrideToolchain (_: toolchain)); + inherit inputs; + main = self.callPackage ./nix/pkgs/main {}; 
+ oci-image = self.callPackage ./nix/pkgs/oci-image {}; + tini = pkgs.tini.overrideAttrs { + # newer clang/gcc is unhappy with tini-static: + patches = [ (pkgs.fetchpatch { + url = "https://patch-diff.githubusercontent.com/raw/krallin/tini/pull/224.patch"; + hash = "sha256-4bTfAhRyIT71VALhHY13hUgbjLEUyvgkIJMt3w9ag3k="; + }) + ]; + }; + liburing = pkgs.liburing.overrideAttrs { + # Tests weren't building + outputs = [ "out" "dev" "man" ]; + buildFlags = [ "library" ]; + src = inputs.liburing; + }; + rocksdb = (pkgs.rocksdb.override { + liburing = self.liburing; + }).overrideAttrs (old: { + src = inputs.rocksdb; + version = pkgs.lib.removePrefix + "v" + (builtins.fromJSON (builtins.readFile ./flake.lock)) + .nodes.rocksdb.original.ref; + # we have this already at https://github.com/girlbossceo/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155 + # unsetting this so i don't have to revert it and make this nix exclusive + patches = []; + cmakeFlags = pkgs.lib.subtractLists + [ + # no real reason to have snappy or zlib, no one uses this + "-DWITH_SNAPPY=1" + "-DZLIB=1" + "-DWITH_ZLIB=1" + # we dont need to use ldb or sst_dump (core_tools) + "-DWITH_CORE_TOOLS=1" + # we dont need to build rocksdb tests + "-DWITH_TESTS=1" + # we use rust-rocksdb via C interface and dont need C++ RTTI + "-DUSE_RTTI=1" + # this doesn't exist in RocksDB, and USE_SSE is deprecated for + # PORTABLE=$(march) + "-DFORCE_SSE42=1" + # PORTABLE will get set in main/default.nix + "-DPORTABLE=1" + ] + old.cmakeFlags + ++ [ + # no real reason to have snappy, no one uses this + "-DWITH_SNAPPY=0" + "-DZLIB=0" + "-DWITH_ZLIB=0" + # we dont need to use ldb or sst_dump (core_tools) + "-DWITH_CORE_TOOLS=0" + # we dont need trace tools + "-DWITH_TRACE_TOOLS=0" + # we dont need to build rocksdb tests + "-DWITH_TESTS=0" + # we use rust-rocksdb via C interface and dont need C++ RTTI + "-DUSE_RTTI=0" + ]; + + # outputs has "tools" which we dont need or use + outputs = [ "out" ]; + + # preInstall hooks has 
stuff for messing with ldb/sst_dump which we dont need or use + preInstall = ""; + }); + }); + + scopeHost = mkScope pkgsHost; + scopeHostStatic = mkScope pkgsHostStatic; + scopeCrossLinux = mkScope pkgsHost.pkgsLinux.pkgsStatic; + mkCrossScope = crossSystem: + let pkgsCrossStatic = (import inputs.nixpkgs { inherit system; + crossSystem = { + config = crossSystem; + }; + }).pkgsStatic; + in + mkScope pkgsCrossStatic; + + mkDevShell = scope: scope.pkgs.mkShell { + env = scope.main.env // { + # Rust Analyzer needs to be able to find the path to default crate + # sources, and it can read this environment variable to do so. The + # `rust-src` component is required in order for this to work. + RUST_SRC_PATH = "${toolchain}/lib/rustlib/src/rust/library"; + + # Convenient way to access a pinned version of Complement's source + # code. + COMPLEMENT_SRC = inputs.complement.outPath; + + # Needed for Complement: + CGO_CFLAGS = "-Wl,--no-gc-sections"; + CGO_LDFLAGS = "-Wl,--no-gc-sections"; }; - # The Rust toolchain to use - toolchain = inputs.fenix.packages.${system}.fromToolchainFile { - file = ./rust-toolchain.toml; + # Development tools + packages = [ + # Always use nightly rustfmt because most of its options are unstable + # + # This needs to come before `toolchain` in this list, otherwise + # `$PATH` will have stable rustfmt instead. 
+ inputs.fenix.packages.${system}.latest.rustfmt - # See also `rust-toolchain.toml` - sha256 = "sha256-KUm16pHj+cRedf8vxs/Hd2YWxpOrWZ7UOrwhILdSJBU="; - }; + toolchain + ] + ++ (with pkgsHost.pkgs; [ + # Required by hardened-malloc.rs dep + binutils - mkScope = - pkgs: - pkgs.lib.makeScope pkgs.newScope (self: { - inherit pkgs inputs; - craneLib = (inputs.crane.mkLib pkgs).overrideToolchain (_: toolchain); - main = self.callPackage ./nix/pkgs/main { }; - liburing = pkgs.liburing.overrideAttrs { - # Tests weren't building - outputs = [ - "out" - "dev" - "man" - ]; - buildFlags = [ "library" ]; - }; - rocksdb = - (pkgs.rocksdb_9_10.override { - # Override the liburing input for the build with our own so - # we have it built with the library flag - inherit (self) liburing; - }).overrideAttrs - (old: { - src = inputs.rocksdb; - version = "v9.11.1"; - cmakeFlags = - pkgs.lib.subtractLists [ - # No real reason to have snappy or zlib, no one uses this - "-DWITH_SNAPPY=1" - "-DZLIB=1" - "-DWITH_ZLIB=1" - # We don't need to use ldb or sst_dump (core_tools) - "-DWITH_CORE_TOOLS=1" - # We don't need to build rocksdb tests - "-DWITH_TESTS=1" - # We use rust-rocksdb via C interface and don't need C++ RTTI - "-DUSE_RTTI=1" - # This doesn't exist in RocksDB, and USE_SSE is deprecated for - # PORTABLE=$(march) - "-DFORCE_SSE42=1" - # PORTABLE will get set in main/default.nix - "-DPORTABLE=1" - ] old.cmakeFlags - ++ [ - # No real reason to have snappy, no one uses this - "-DWITH_SNAPPY=0" - "-DZLIB=0" - "-DWITH_ZLIB=0" - # We don't need to use ldb or sst_dump (core_tools) - "-DWITH_CORE_TOOLS=0" - # We don't need trace tools - "-DWITH_TRACE_TOOLS=0" - # We don't need to build rocksdb tests - "-DWITH_TESTS=0" - # We use rust-rocksdb via C interface and don't need C++ RTTI - "-DUSE_RTTI=0" - ]; + cargo-audit + cargo-auditable - # outputs has "tools" which we don't need or use - outputs = [ "out" ]; + # Needed for producing Debian packages + cargo-deb - # preInstall hooks has stuff for 
messing with ldb/sst_dump which we don't need or use - preInstall = ""; + # Needed for CI to check validity of produced Debian packages (dpkg-deb) + dpkg - # We have this already at https://forgejo.ellis.link/continuwuation/rocksdb/commit/a935c0273e1ba44eacf88ce3685a9b9831486155 - # Unsetting this so we don't have to revert it and make this nix exclusive - patches = [ ]; + engage - postPatch = '' - # Fix gcc-13 build failures due to missing and - # includes, fixed upstream since 8.x - sed -e '1i #include ' -i db/compaction/compaction_iteration_stats.h - sed -e '1i #include ' -i table/block_based/data_block_hash_index.h - sed -e '1i #include ' -i util/string_util.h - sed -e '1i #include ' -i include/rocksdb/utilities/checkpoint.h - ''; - }); - }); + # Needed for Complement + go - scopeHost = mkScope pkgsHost; - mkCrossScope = - crossSystem: - let - pkgsCrossStatic = - (import inputs.nixpkgs { - inherit system; - crossSystem = { - config = crossSystem; - }; - }).pkgsStatic; - in - mkScope pkgsCrossStatic; + # Needed for our script for Complement + jq + gotestfmt - in - { - packages = - { - default = scopeHost.main.override { - disable_features = [ - # Don't include experimental features + # Needed for finding broken markdown links + lychee + + # Needed for linting markdown files + markdownlint-cli + + # Useful for editing the book locally + mdbook + + # used for rust caching in CI to speed it up + sccache + ] + # liburing is Linux-exclusive + ++ lib.optional stdenv.hostPlatform.isLinux liburing + ++ lib.optional stdenv.hostPlatform.isLinux numactl) + ++ scope.main.buildInputs + ++ scope.main.propagatedBuildInputs + ++ scope.main.nativeBuildInputs; + }; + in + { + packages = { + default = scopeHost.main.override { + disable_features = [ + # dont include experimental features "experimental" # jemalloc profiling/stats features are expensive and shouldn't # be expected on non-debug builds. 
"jemalloc_prof" "jemalloc_stats" - # This is non-functional on nix for some reason + # this is non-functional on nix for some reason "hardened_malloc" # conduwuit_mods is a development-only hot reload feature "conduwuit_mods" - ]; - }; - default-debug = scopeHost.main.override { - profile = "dev"; - # Debug build users expect full logs - disable_release_max_log_level = true; - disable_features = [ - # Don't include experimental features - "experimental" - # This is non-functional on nix for some reason - "hardened_malloc" - # conduwuit_mods is a development-only hot reload feature - "conduwuit_mods" - ]; - }; - # Just a test profile used for things like CI and complement - default-test = scopeHost.main.override { - profile = "test"; - disable_release_max_log_level = true; - disable_features = [ - # Don't include experimental features + ]; + }; + default-debug = scopeHost.main.override { + profile = "dev"; + # debug build users expect full logs + disable_release_max_log_level = true; + disable_features = [ + # dont include experimental features "experimental" # this is non-functional on nix for some reason "hardened_malloc" # conduwuit_mods is a development-only hot reload feature "conduwuit_mods" - ]; - }; - all-features = scopeHost.main.override { - all_features = true; - disable_features = [ - # Don't include experimental features + ]; + }; + # just a test profile used for things like CI and complement + default-test = scopeHost.main.override { + profile = "test"; + disable_release_max_log_level = true; + disable_features = [ + # dont include experimental features + "experimental" + # this is non-functional on nix for some reason + "hardened_malloc" + # conduwuit_mods is a development-only hot reload feature + "conduwuit_mods" + ]; + }; + all-features = scopeHost.main.override { + all_features = true; + disable_features = [ + # dont include experimental features "experimental" # jemalloc profiling/stats features are expensive and shouldn't # be expected on 
non-debug builds. "jemalloc_prof" "jemalloc_stats" - # This is non-functional on nix for some reason + # this is non-functional on nix for some reason "hardened_malloc" # conduwuit_mods is a development-only hot reload feature "conduwuit_mods" - ]; - }; - all-features-debug = scopeHost.main.override { - profile = "dev"; - all_features = true; - # Debug build users expect full logs - disable_release_max_log_level = true; - disable_features = [ - # Don't include experimental features + ]; + }; + all-features-debug = scopeHost.main.override { + profile = "dev"; + all_features = true; + # debug build users expect full logs + disable_release_max_log_level = true; + disable_features = [ + # dont include experimental features "experimental" - # This is non-functional on nix for some reason + # this is non-functional on nix for some reason "hardened_malloc" # conduwuit_mods is a development-only hot reload feature "conduwuit_mods" - ]; - }; - hmalloc = scopeHost.main.override { features = [ "hardened_malloc" ]; }; - } - // builtins.listToAttrs ( - builtins.concatLists ( - builtins.map - ( - crossSystem: - let - binaryName = "static-${crossSystem}"; - scopeCrossStatic = mkCrossScope crossSystem; - in - [ - # An output for a statically-linked binary - { - name = binaryName; - value = scopeCrossStatic.main; - } + ]; + }; + hmalloc = scopeHost.main.override { features = ["hardened_malloc"]; }; - # An output for a statically-linked binary with x86_64 haswell - # target optimisations - { - name = "${binaryName}-x86_64-haswell-optimised"; - value = scopeCrossStatic.main.override { - x86_64_haswell_target_optimised = - if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false; - }; - } + oci-image = scopeHost.oci-image; + oci-image-all-features = scopeHost.oci-image.override { + main = scopeHost.main.override { + all_features = true; + disable_features = [ + # dont include experimental features + "experimental" + # jemalloc profiling/stats 
features are expensive and shouldn't + # be expected on non-debug builds. + "jemalloc_prof" + "jemalloc_stats" + # this is non-functional on nix for some reason + "hardened_malloc" + # conduwuit_mods is a development-only hot reload feature + "conduwuit_mods" + ]; + }; + }; + oci-image-all-features-debug = scopeHost.oci-image.override { + main = scopeHost.main.override { + profile = "dev"; + all_features = true; + # debug build users expect full logs + disable_release_max_log_level = true; + disable_features = [ + # dont include experimental features + "experimental" + # this is non-functional on nix for some reason + "hardened_malloc" + # conduwuit_mods is a development-only hot reload feature + "conduwuit_mods" + ]; + }; + }; + oci-image-hmalloc = scopeHost.oci-image.override { + main = scopeHost.main.override { + features = ["hardened_malloc"]; + }; + }; - # An output for a statically-linked unstripped debug ("dev") binary - { - name = "${binaryName}-debug"; - value = scopeCrossStatic.main.override { - profile = "dev"; - # debug build users expect full logs - disable_release_max_log_level = true; - }; - } + book = scopeHost.book; - # An output for a statically-linked unstripped debug binary with the - # "test" profile (for CI usage only) - { - name = "${binaryName}-test"; - value = scopeCrossStatic.main.override { - profile = "test"; - disable_release_max_log_level = true; - disable_features = [ - # dont include experimental features - "experimental" - # this is non-functional on nix for some reason - "hardened_malloc" - # conduwuit_mods is a development-only hot reload feature - "conduwuit_mods" - ]; - }; - } - - # An output for a statically-linked binary with `--all-features` - { - name = "${binaryName}-all-features"; - value = scopeCrossStatic.main.override { - all_features = true; - disable_features = [ - # dont include experimental features - "experimental" - # jemalloc profiling/stats features are expensive and shouldn't - # be expected on non-debug 
builds. - "jemalloc_prof" - "jemalloc_stats" - # this is non-functional on nix for some reason - "hardened_malloc" - # conduwuit_mods is a development-only hot reload feature - "conduwuit_mods" - ]; - }; - } - - # An output for a statically-linked binary with `--all-features` and with x86_64 haswell - # target optimisations - { - name = "${binaryName}-all-features-x86_64-haswell-optimised"; - value = scopeCrossStatic.main.override { - all_features = true; - disable_features = [ - # dont include experimental features - "experimental" - # jemalloc profiling/stats features are expensive and shouldn't - # be expected on non-debug builds. - "jemalloc_prof" - "jemalloc_stats" - # this is non-functional on nix for some reason - "hardened_malloc" - # conduwuit_mods is a development-only hot reload feature - "conduwuit_mods" - ]; - x86_64_haswell_target_optimised = - if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false; - }; - } - - # An output for a statically-linked unstripped debug ("dev") binary with `--all-features` - { - name = "${binaryName}-all-features-debug"; - value = scopeCrossStatic.main.override { - profile = "dev"; - all_features = true; - # debug build users expect full logs - disable_release_max_log_level = true; - disable_features = [ - # dont include experimental features - "experimental" - # this is non-functional on nix for some reason - "hardened_malloc" - # conduwuit_mods is a development-only hot reload feature - "conduwuit_mods" - ]; - }; - } - - # An output for a statically-linked binary with hardened_malloc - { - name = "${binaryName}-hmalloc"; - value = scopeCrossStatic.main.override { - features = [ "hardened_malloc" ]; - }; - } - ] - ) - [ - #"x86_64-apple-darwin" - #"aarch64-apple-darwin" - "x86_64-linux-gnu" - "x86_64-linux-musl" - "aarch64-linux-musl" - ] - ) - ); + complement = scopeHost.complement; + static-complement = scopeHostStatic.complement; + # macOS containers don't exist, so the 
complement images must be forced to linux + linux-complement = (mkCrossScope "${pkgsHost.hostPlatform.qemuArch}-linux-musl").complement; } - ); + // + builtins.listToAttrs + (builtins.concatLists + (builtins.map + (crossSystem: + let + binaryName = "static-${crossSystem}"; + scopeCrossStatic = mkCrossScope crossSystem; + in + [ + # An output for a statically-linked binary + { + name = binaryName; + value = scopeCrossStatic.main; + } + + # An output for a statically-linked binary with x86_64 haswell + # target optimisations + { + name = "${binaryName}-x86_64-haswell-optimised"; + value = scopeCrossStatic.main.override { + x86_64_haswell_target_optimised = (if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false); + }; + } + + # An output for a statically-linked unstripped debug ("dev") binary + { + name = "${binaryName}-debug"; + value = scopeCrossStatic.main.override { + profile = "dev"; + # debug build users expect full logs + disable_release_max_log_level = true; + }; + } + + # An output for a statically-linked unstripped debug binary with the + # "test" profile (for CI usage only) + { + name = "${binaryName}-test"; + value = scopeCrossStatic.main.override { + profile = "test"; + disable_release_max_log_level = true; + disable_features = [ + # dont include experimental features + "experimental" + # this is non-functional on nix for some reason + "hardened_malloc" + # conduwuit_mods is a development-only hot reload feature + "conduwuit_mods" + ]; + }; + } + + # An output for a statically-linked binary with `--all-features` + { + name = "${binaryName}-all-features"; + value = scopeCrossStatic.main.override { + all_features = true; + disable_features = [ + # dont include experimental features + "experimental" + # jemalloc profiling/stats features are expensive and shouldn't + # be expected on non-debug builds. 
+ "jemalloc_prof" + "jemalloc_stats" + # this is non-functional on nix for some reason + "hardened_malloc" + # conduwuit_mods is a development-only hot reload feature + "conduwuit_mods" + ]; + }; + } + + # An output for a statically-linked binary with `--all-features` and with x86_64 haswell + # target optimisations + { + name = "${binaryName}-all-features-x86_64-haswell-optimised"; + value = scopeCrossStatic.main.override { + all_features = true; + disable_features = [ + # dont include experimental features + "experimental" + # jemalloc profiling/stats features are expensive and shouldn't + # be expected on non-debug builds. + "jemalloc_prof" + "jemalloc_stats" + # this is non-functional on nix for some reason + "hardened_malloc" + # conduwuit_mods is a development-only hot reload feature + "conduwuit_mods" + ]; + x86_64_haswell_target_optimised = (if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false); + }; + } + + # An output for a statically-linked unstripped debug ("dev") binary with `--all-features` + { + name = "${binaryName}-all-features-debug"; + value = scopeCrossStatic.main.override { + profile = "dev"; + all_features = true; + # debug build users expect full logs + disable_release_max_log_level = true; + disable_features = [ + # dont include experimental features + "experimental" + # this is non-functional on nix for some reason + "hardened_malloc" + # conduwuit_mods is a development-only hot reload feature + "conduwuit_mods" + ]; + }; + } + + # An output for a statically-linked binary with hardened_malloc + { + name = "${binaryName}-hmalloc"; + value = scopeCrossStatic.main.override { + features = ["hardened_malloc"]; + }; + } + + # An output for an OCI image based on that binary + { + name = "oci-image-${crossSystem}"; + value = scopeCrossStatic.oci-image; + } + + # An output for an OCI image based on that binary with x86_64 haswell + # target optimisations + { + name = 
"oci-image-${crossSystem}-x86_64-haswell-optimised"; + value = scopeCrossStatic.oci-image.override { + main = scopeCrossStatic.main.override { + x86_64_haswell_target_optimised = (if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false); + }; + }; + } + + # An output for an OCI image based on that unstripped debug ("dev") binary + { + name = "oci-image-${crossSystem}-debug"; + value = scopeCrossStatic.oci-image.override { + main = scopeCrossStatic.main.override { + profile = "dev"; + # debug build users expect full logs + disable_release_max_log_level = true; + }; + }; + } + + # An output for an OCI image based on that binary with `--all-features` + { + name = "oci-image-${crossSystem}-all-features"; + value = scopeCrossStatic.oci-image.override { + main = scopeCrossStatic.main.override { + all_features = true; + disable_features = [ + # dont include experimental features + "experimental" + # jemalloc profiling/stats features are expensive and shouldn't + # be expected on non-debug builds. + "jemalloc_prof" + "jemalloc_stats" + # this is non-functional on nix for some reason + "hardened_malloc" + # conduwuit_mods is a development-only hot reload feature + "conduwuit_mods" + ]; + }; + }; + } + + # An output for an OCI image based on that binary with `--all-features` and with x86_64 haswell + # target optimisations + { + name = "oci-image-${crossSystem}-all-features-x86_64-haswell-optimised"; + value = scopeCrossStatic.oci-image.override { + main = scopeCrossStatic.main.override { + all_features = true; + disable_features = [ + # dont include experimental features + "experimental" + # jemalloc profiling/stats features are expensive and shouldn't + # be expected on non-debug builds. 
+ "jemalloc_prof" + "jemalloc_stats" + # this is non-functional on nix for some reason + "hardened_malloc" + # conduwuit_mods is a development-only hot reload feature + "conduwuit_mods" + ]; + x86_64_haswell_target_optimised = (if (crossSystem == "x86_64-linux-gnu" || crossSystem == "x86_64-linux-musl") then true else false); + }; + }; + } + + # An output for an OCI image based on that unstripped debug ("dev") binary with `--all-features` + { + name = "oci-image-${crossSystem}-all-features-debug"; + value = scopeCrossStatic.oci-image.override { + main = scopeCrossStatic.main.override { + profile = "dev"; + all_features = true; + # debug build users expect full logs + disable_release_max_log_level = true; + disable_features = [ + # dont include experimental features + "experimental" + # this is non-functional on nix for some reason + "hardened_malloc" + # conduwuit_mods is a development-only hot reload feature + "conduwuit_mods" + ]; + }; + }; + } + + # An output for an OCI image based on that binary with hardened_malloc + { + name = "oci-image-${crossSystem}-hmalloc"; + value = scopeCrossStatic.oci-image.override { + main = scopeCrossStatic.main.override { + features = ["hardened_malloc"]; + }; + }; + } + + # An output for a complement OCI image for the specified platform + { + name = "complement-${crossSystem}"; + value = scopeCrossStatic.complement; + } + ] + ) + [ + #"x86_64-apple-darwin" + #"aarch64-apple-darwin" + "x86_64-linux-gnu" + "x86_64-linux-musl" + "aarch64-linux-musl" + ] + ) + ); + + devShells.default = mkDevShell scopeHostStatic; + devShells.all-features = mkDevShell + (scopeHostStatic.overrideScope (final: prev: { + main = prev.main.override { + all_features = true; + disable_features = [ + # dont include experimental features + "experimental" + # jemalloc profiling/stats features are expensive and shouldn't + # be expected on non-debug builds. 
+ "jemalloc_prof" + "jemalloc_stats" + # this is non-functional on nix for some reason + "hardened_malloc" + # conduwuit_mods is a development-only hot reload feature + "conduwuit_mods" + ]; + }; + })); + devShells.no-features = mkDevShell + (scopeHostStatic.overrideScope (final: prev: { + main = prev.main.override { default_features = false; }; + })); + devShells.dynamic = mkDevShell scopeHost; + }); } diff --git a/nix/pkgs/book/default.nix b/nix/pkgs/book/default.nix new file mode 100644 index 00000000..3995ab79 --- /dev/null +++ b/nix/pkgs/book/default.nix @@ -0,0 +1,36 @@ +{ inputs + +# Dependencies +, main +, mdbook +, stdenv +}: + +stdenv.mkDerivation { + inherit (main) pname version; + + src = inputs.nix-filter { + root = inputs.self; + include = [ + "book.toml" + "conduwuit-example.toml" + "CODE_OF_CONDUCT.md" + "CONTRIBUTING.md" + "README.md" + "development.md" + "debian/conduwuit.service" + "debian/README.md" + "arch/conduwuit.service" + "docs" + "theme" + ]; + }; + + nativeBuildInputs = [ + mdbook + ]; + + buildPhase = '' + mdbook build -d $out + ''; +} diff --git a/nix/pkgs/complement/certificate.crt b/nix/pkgs/complement/certificate.crt new file mode 100644 index 00000000..5dd4fdea --- /dev/null +++ b/nix/pkgs/complement/certificate.crt 
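Review bot: `liburing = { url = "github:axboe/liburing?ref=master"; flake = false; };` in `inputs` (consumed as `src = inputs.liburing;` by the `liburing` override inside `mkScope`) replaces the nixpkgs-packaged liburing release with whatever upstream `master` holds at lock time, so a routine `nix flake update` can pull unreleased code into a library that is then statically linked into rocksdb and every `static-*` / `oci-image-*` output; the `rev`/`narHash` in flake.lock keeps one checkout reproducible but gives a reviewer no release to audit against. Consider pinning to a tag, `liburing = { url = "github:axboe/liburing?ref=<LIBURING_RELEASE_TAG>"; flake = false; };`, or adding a comment on that line stating why `master` is required; the `rocksdb` input has the same shape (`ref=v9.11.1` on a fork is a movable tag, so the lock's `rev` is the real trust anchor and deserves a comment next to `patches = [];`). Separately, the `disable_features = [ ... ]` list is now copied into roughly a dozen outputs (`default`, `all-features`, the `oci-image-*` variants, every `static-*` variant and the `devShells.all-features` override), which makes the intentional difference between the release lists (which add `jemalloc_prof`/`jemalloc_stats`) and the dev/test lists hard to audit; hoisting both lists into the `let` next to `toolchain`, assuming `main` does not care about list order, removes the duplication as sketched below. The hunk covers the whole `inputs`/`outputs` body; only the file's opening brace lies outside it.
```nix
# Feature sets disabled in every build.  Kept in one place so the
# per-output `disable_features` copies cannot drift apart.
disabledFeaturesDev = [
  # dont include experimental features
  "experimental"
  # this is non-functional on nix for some reason
  "hardened_malloc"
  # conduwuit_mods is a development-only hot reload feature
  "conduwuit_mods"
];
# jemalloc profiling/stats features are expensive and shouldn't
# be expected on non-debug builds.
disabledFeaturesRelease = disabledFeaturesDev ++ [ "jemalloc_prof" "jemalloc_stats" ];
# … unchanged: mkScope, scopeHost, mkCrossScope, mkDevShell …
default = scopeHost.main.override {
  disable_features = disabledFeaturesRelease;
};
# … unchanged: remaining outputs use disabledFeaturesRelease / disabledFeaturesDev the same way …
```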
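Review bot: `buildPhase = '' mdbook build -d $out '';` in nix/pkgs/book/default.nix replaces the stdenv phase without `runHook preBuild` / `runHook postBuild`, so any `preBuild`/`postBuild` a caller sets via `overrideAttrs` is silently dropped; the nixpkgs convention is `buildPhase = '' runHook preBuild; mdbook build -d $out; runHook postBuild '';` with one command per line. The derivation also takes `inherit (main) pname version;`, so the book's store path and `nix build` result carry the server binary's name; `pname = "${main.pname}-book";` would make build artefacts self-describing. The allowlist-style `include` passed to `inputs.nix-filter` is the right shape, since only the listed documentation paths can reach the build sandbox.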
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDfzCCAmegAwIBAgIUcrZdSPmCh33Evys/U6mTPpShqdcwDQYJKoZIhvcNAQEL
+BQAwPzELMAkGA1UEBhMCNjkxCzAJBgNVBAgMAjQyMRUwEwYDVQQKDAx3b29mZXJz
+IGluYy4xDDAKBgNVBAMMA2hzMTAgFw0yNTAzMTMxMjU4NTFaGA8yMDUyMDcyODEy
+NTg1MVowPzELMAkGA1UEBhMCNjkxCzAJBgNVBAgMAjQyMRUwEwYDVQQKDAx3b29m
+ZXJzIGluYy4xDDAKBgNVBAMMA2hzMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+AQoCggEBANL+h2ZmK/FqN5uLJPtIy6Feqcyb6EX7MQBEtxuJ56bTAbjHuCLZLpYt
+/wOWJ91drHqZ7Xd5iTisGdMu8YS803HSnHkzngf4VXKhVrdzW2YDrpZRxmOhtp88
+awOHmP7mqlJyBbCOQw8aDVrT0KmEIWzA7g+nFRQ5Ff85MaP+sQrHGKZbo61q8HBp
+L0XuaqNckruUKtxnEqrm5xx5sYyYKg7rrSFE5JMFoWKB1FNWJxyWT42BhGtnJZsK
+K5c+NDSOU4TatxoN6mpNSBpCz/a11PiQHMEfqRk6JA4g3911dqPTfZBevUdBh8gl
+8maIzqeZGhvyeKTmull1Y0781yyuj98CAwEAAaNxMG8wCQYDVR0TBAIwADALBgNV
+HQ8EBAMCBPAwNgYDVR0RBC8wLYIRKi5kb2NrZXIuaW50ZXJuYWyCA2hzMYIDaHMy
+ggNoczOCA2hzNIcEfwAAATAdBgNVHQ4EFgQUr4VYrmW1d+vjBTJewvy7fJYhLDYw
+DQYJKoZIhvcNAQELBQADggEBADkYqkjNYxjWX8hUUAmFHNdCwzT1CpYe/5qzLiyJ
+irDSdMlC5g6QqMUSrpu7nZxo1lRe1dXGroFVfWpoDxyCjSQhplQZgtYqtyLfOIx+
+HQ7cPE/tUU/KsTGc0aL61cETB6u8fj+rQKUGdfbSlm0Rpu4v0gC8RnDj06X/hZ7e
+VkWU+dOBzxlqHuLlwFFtVDgCyyTatIROx5V+GpMHrVqBPO7HcHhwqZ30k2kMM8J3
+y1CWaliQM85jqtSZV+yUHKQV8EksSowCFJuguf+Ahz0i0/koaI3i8m4MRN/1j13d
+jbTaX5a11Ynm3A27jioZdtMRty6AJ88oCp18jxVzqTxNNO4=
+-----END CERTIFICATE-----
diff --git a/nix/pkgs/complement/config.toml b/nix/pkgs/complement/config.toml
new file mode 100644
index 00000000..7f4ecef7
--- /dev/null
+++ b/nix/pkgs/complement/config.toml
@@ -0,0 +1,50 @@
+[global]
+address = "0.0.0.0"
+allow_device_name_federation = true
+allow_guest_registration = true
+allow_public_room_directory_over_federation = true
+allow_public_room_directory_without_auth = true
+allow_registration = true
+database_path = "/database"
+log = "trace,h2=debug,hyper=debug"
+port = [8008, 8448]
+trusted_servers = []
+only_query_trusted_key_servers = false
+query_trusted_key_servers_first = false
+query_trusted_key_servers_first_on_join = false
+yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true
+ip_range_denylist = []
+url_preview_domain_contains_allowlist = ["*"]
+url_preview_domain_explicit_denylist = ["*"]
+media_compat_file_link = false
+media_startup_check = true
+prune_missing_media = true
+log_colors = true
+admin_room_notices = false
+allow_check_for_updates = false
+intentionally_unknown_config_option_for_testing = true
+rocksdb_log_level = "info"
+rocksdb_max_log_files = 1
+rocksdb_recovery_mode = 0
+rocksdb_paranoid_file_checks = true
+log_guest_registrations = false
+allow_legacy_media = true
+startup_netburst = true
+startup_netburst_keep = -1
+
+allow_invalid_tls_certificates_yes_i_know_what_the_fuck_i_am_doing_with_this_and_i_know_this_is_insecure = true
+
+# valgrind makes things so slow
+dns_timeout = 60
+dns_attempts = 20
+request_conn_timeout = 60
+request_timeout = 120
+well_known_conn_timeout = 60
+well_known_timeout = 60
+federation_idle_timeout = 300
+sender_timeout = 300
+sender_idle_timeout = 300
+sender_retry_backoff_limit = 300
+
+[global.tls]
+dual_protocol = true
diff --git a/nix/pkgs/complement/default.nix b/nix/pkgs/complement/default.nix
new file mode 100644
index 00000000..1295cb03
--- /dev/null
+++ b/nix/pkgs/complement/default.nix
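Review bot: Nothing in this file says it is the Complement harness configuration, yet it turns on open registration (`allow_registration = true` plus the `yes_i_am_very_very_sure_…` acknowledgement), `allow_guest_registration = true`, binds `address = "0.0.0.0"`, and accepts invalid TLS certificates via the `allow_invalid_tls_certificates_…_insecure = true` knob; a header such as `# Complement test-harness config: open registration, guest access and acceptance of invalid TLS certificates are deliberate for the isolated test network and must not be copied into a real deployment.` would keep it from being picked up as a template. `url_preview_domain_contains_allowlist = ["*"]` directly followed by `url_preview_domain_explicit_denylist = ["*"]` reads as contradictory; since the complement build in this same diff disables the `url_preview` feature, both lines are presumably dead and could be dropped or commented as such. `log = "trace,h2=debug,hyper=debug"` will presumably put request-level detail into the CI logs, which is acceptable here but worth the same one-line note.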
@@ -0,0 +1,89 @@
+# Dependencies
+{ bashInteractive
+, buildEnv
+, coreutils
+, dockerTools
+, lib
+, main
+, stdenv
+, tini
+, writeShellScriptBin
+}:
+
+let
+ main' = main.override {
+ profile = "test";
+ all_features = true;
+ disable_release_max_log_level = true;
+ disable_features = [
+ # console/CLI stuff isn't used or relevant for complement
+ "console"
+ "tokio_console"
+ # sentry telemetry isn't useful for complement, disabled by default anyways
+ "sentry_telemetry"
+ "perf_measurements"
+ # this is non-functional on nix for some reason
+ "hardened_malloc"
+ # dont include experimental features
+ "experimental"
+ # compression isn't needed for complement
+ "brotli_compression"
+ "gzip_compression"
+ "zstd_compression"
+ # complement doesn't need hot reloading
+ "conduwuit_mods"
+ # complement doesn't have URL preview media tests
+ "url_preview"
+ ];
+ };
+
+ start = writeShellScriptBin "start" ''
+ set -euxo pipefail
+
+ ${lib.getExe' coreutils "env"} \
+ CONDUWUIT_SERVER_NAME="$SERVER_NAME" \
+ ${lib.getExe main'}
+ '';
+in
+
+dockerTools.buildImage {
+ name = "complement-conduwuit";
+ tag = "main";
+
+ copyToRoot = buildEnv {
+ name = "root";
+ pathsToLink = [
+ "/bin"
+ ];
+ paths = [
+ bashInteractive
+ coreutils
+ main'
+ start
+ ];
+ };
+
+ config = {
+ Cmd = [
+ "${lib.getExe start}"
+ ];
+
+ Entrypoint = if !stdenv.hostPlatform.isDarwin
+ # Use the `tini` init system so that signals (e.g. ctrl+c/SIGINT)
+ # are handled as expected
+ then [ "${lib.getExe' tini "tini"}" "--" ]
+ else [];
+
+ Env = [
+ "CONTINUWUITY_TLS__KEY=${./private_key.key}"
+ "CONTINUWUITY_TLS__CERTS=${./certificate.crt}"
+ "CONTINUWUITY_CONFIG=${./config.toml}"
+ "RUST_BACKTRACE=full"
+ ];
+
+ ExposedPorts = {
+ "8008/tcp" = {};
+ "8448/tcp" = {};
+ };
+ };
+}
diff --git a/nix/pkgs/complement/private_key.key b/nix/pkgs/complement/private_key.key
new file mode 100644
index 00000000..5b9d4d4f
--- /dev/null
+++ b/nix/pkgs/complement/private_key.key
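Review bot: The `start` script exports `CONDUWUIT_SERVER_NAME="$SERVER_NAME"` while the image `Env` uses the `CONTINUWUITY_TLS__KEY` / `CONTINUWUITY_TLS__CERTS` / `CONTINUWUITY_CONFIG` prefix; unless the server reads both prefixes (not visible here), one of the two sets is silently ignored — either the server name or the TLS/config paths — so the image should settle on one prefix, e.g. `CONTINUWUITY_SERVER_NAME="$SERVER_NAME" \`. `set -euxo pipefail` also echoes that env line into the container log, which is acceptable for a test image but deserves a short comment. Referencing `${./private_key.key}` copies the key into the world-readable Nix store and bakes it into the image; that is only acceptable because this is a self-signed test fixture for the Complement network, and a comment above `Env` saying exactly that would stop the pattern being reused for a production image.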
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDS/odmZivxajeb
+iyT7SMuhXqnMm+hF+zEARLcbieem0wG4x7gi2S6WLf8DlifdXax6me13eYk4rBnT
+LvGEvNNx0px5M54H+FVyoVa3c1tmA66WUcZjobafPGsDh5j+5qpScgWwjkMPGg1a
+09CphCFswO4PpxUUORX/OTGj/rEKxximW6OtavBwaS9F7mqjXJK7lCrcZxKq5ucc
+ebGMmCoO660hROSTBaFigdRTVicclk+NgYRrZyWbCiuXPjQ0jlOE2rcaDepqTUga
+Qs/2tdT4kBzBH6kZOiQOIN/ddXaj032QXr1HQYfIJfJmiM6nmRob8nik5rpZdWNO
+/Ncsro/fAgMBAAECggEAITCCkfv+a5I+vwvrPE/eIDso0JOxvNhfg+BLQVy3AMnu
+WmeoMmshZeREWgcTrEGg8QQnk4Sdrjl8MnkO6sddJ2luza3t7OkGX+q7Hk5aETkB
+DIo+f8ufU3sIhlydF3OnVSK0fGpUaBq8AQ6Soyeyrk3G5NVufmjgae5QPbDBnqUb
+piOGyfcwagL4JtCbZsMk8AT7vQSynLm6zaWsVzWNd71jummLqtVV063K95J9PqVN
+D8meEcP3WR5kQrvf+mgy9RVgWLRtVWN8OLZfJ9yrnl4Efj62elrldUj4jaCFezGQ
+8f0W+d8jjt038qhmEdymw2MWQ+X/b0R79lJar1Up8QKBgQD1DtHxauhl+JUoI3y+
+3eboqXl7YPJt1/GTnChb4b6D1Z1hvLsOKUa7hjGEfruYGbsWXBCRMICdfzp+iWcq
+/lEOp7/YU9OaW4lQMoG4sXMoBWd9uLgg0E+aH6VDJOBvxsfafqM4ufmtspzwEm90
+FU1cq6oImomFnPChSq4X+3+YpwKBgQDcalaK9llCcscWA8HAP8WVVNTjCOqiDp9q
+td61E9IO/FIB/gW5y+JkaFRrA2CN1zY3s3K92uveLTNYTArecWlDcPNNFDuaYu2M
+Roz4bC104HGh+zztJ0iPVzELL81Lgg6wHhLONN+eVi4gTftJxzJFXybyb+xVT25A
+91ynKXB+CQKBgQC+Ub43MoI+/6pHvBfb3FbDByvz6D0flgBmVXb6tP3TQYmzKHJV
+8zSd2wCGGC71V7Z3DRVIzVR1/SOetnPLbivhp+JUzfWfAcxI3pDksdvvjxLrDxTh
+VycbWcxtsywjY0w/ou581eLVRcygnpC0pP6qJCAwAmUfwd0YRvmiYo6cLQKBgHIW
+UIlJDdaJFmdctnLOD3VGHZMOUHRlYTqYvJe5lKbRD5mcZFZRI/OY1Ok3LEj+tj+K
+kL+YizHK76KqaY3N4hBYbHbfHCLDRfWvptQHGlg+vFJ9eoG+LZ6UIPyLV5XX0cZz
+KoS1dXG9Zc6uznzXsDucDsq6B/f4TzctUjXsCyARAoGAOKb4HtuNyYAW0jUlujR7
+IMHwUesOGlhSXqFtP9aTvk6qJgvV0+3CKcWEb4y02g+uYftP8BLNbJbIt9qOqLYh
+tOVyzCoamAi8araAhjA0w4dXvqDCDK7k/gZFkojmKQtRijoxTHnWcDc3vAjYCgaM
+9MVtdgSkuh2gwkD/mMoAJXM=
+-----END PRIVATE KEY-----
diff --git a/nix/pkgs/complement/signing_request.csr b/nix/pkgs/complement/signing_request.csr
new file mode 100644
index 00000000..e2aa658e
--- /dev/null
+++ b/nix/pkgs/complement/signing_request.csr
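Review bot: This commits an RSA private key to the repository; it is only usable with the self-signed certificate for the Complement test network (the SANs in `v3.ext` are `*.docker.internal`, `hs1`–`hs4` and `127.0.0.1`), so the practical risk is reuse rather than compromise, but nothing in the tree says so and secret scanners will flag the file. A short `nix/pkgs/complement/README.md` (or a comment in `default.nix`) stating that the key/certificate pair is a test fixture, that `signing_request.csr` and `v3.ext` are presumably the inputs it was generated from, and that it must never be mounted outside the Complement image would make the intent auditable and give a scanner allowlist entry its justification. Decoding the validity fields of `certificate.crt` by hand appears to give an expiry in 2052, i.e. a multi-decade test certificate — fine for a fixture, but one more reason to document it. Generating the pair at image build time from `v3.ext` would avoid keeping any private key in git at all.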
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIChDCCAWwCAQAwPzELMAkGA1UEBhMCNjkxCzAJBgNVBAgMAjQyMRUwEwYDVQQK
+DAx3b29mZXJzIGluYy4xDDAKBgNVBAMMA2hzMTCCASIwDQYJKoZIhvcNAQEBBQAD
+ggEPADCCAQoCggEBANL+h2ZmK/FqN5uLJPtIy6Feqcyb6EX7MQBEtxuJ56bTAbjH
+uCLZLpYt/wOWJ91drHqZ7Xd5iTisGdMu8YS803HSnHkzngf4VXKhVrdzW2YDrpZR
+xmOhtp88awOHmP7mqlJyBbCOQw8aDVrT0KmEIWzA7g+nFRQ5Ff85MaP+sQrHGKZb
+o61q8HBpL0XuaqNckruUKtxnEqrm5xx5sYyYKg7rrSFE5JMFoWKB1FNWJxyWT42B
+hGtnJZsKK5c+NDSOU4TatxoN6mpNSBpCz/a11PiQHMEfqRk6JA4g3911dqPTfZBe
+vUdBh8gl8maIzqeZGhvyeKTmull1Y0781yyuj98CAwEAAaAAMA0GCSqGSIb3DQEB
+CwUAA4IBAQDR/gjfxN0IID1MidyhZB4qpdWn3m6qZnEQqoTyHHdWalbfNXcALC79
+ffS+Smx40N5hEPvqy6euR89N5YuYvt8Hs+j7aWNBn7Wus5Favixcm2JcfCTJn2R3
+r8FefuSs2xGkoyGsPFFcXE13SP/9zrZiwvOgSIuTdz/Pbh6GtEx7aV4DqHJsrXnb
+XuPxpQleoBqKvQgSlmaEBsJg13TQB+Fl2foBVUtqAFDQiv+RIuircf0yesMCKJaK
+MPH4Oo+r3pR8lI8ewfJPreRhCoV+XrGYMubaakz003TJ1xlOW8M+N9a6eFyMVh76
+U1nY/KP8Ua6Lgaj9PRz7JCRzNoshZID/
+-----END CERTIFICATE REQUEST-----
diff --git a/nix/pkgs/complement/v3.ext b/nix/pkgs/complement/v3.ext
new file mode 100644
index 00000000..0deaa48a
--- /dev/null
+++ b/nix/pkgs/complement/v3.ext
@@ -0,0 +1,12 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]
+DNS.1 = *.docker.internal
+DNS.2 = hs1
+DNS.3 = hs2
+DNS.4 = hs3
+DNS.5 = hs4
+IP.1 = 127.0.0.1
diff --git a/nix/pkgs/main/cross-compilation-env.nix b/nix/pkgs/main/cross-compilation-env.nix
index 3e993bba..0f326c92 100644
--- a/nix/pkgs/main/cross-compilation-env.nix
+++ b/nix/pkgs/main/cross-compilation-env.nix
@@ -4,47 +4,51 @@ , stdenv }: -lib.optionalAttrs stdenv.hostPlatform.isStatic - { - ROCKSDB_STATIC = ""; - } +lib.optionalAttrs stdenv.hostPlatform.isStatic { + ROCKSDB_STATIC = ""; +} // { CARGO_BUILD_RUSTFLAGS = lib.concatStringsSep " " - (lib.optionals - stdenv.hostPlatform.isStatic - [ "-C" "relocation-model=static" ] - ++ lib.optionals - (stdenv.buildPlatform.config != stdenv.hostPlatform.config) - [ - "-l" - "c" + ([] + # This disables PIE for static builds, which isn't great in terms + # of security. Unfortunately, my hand is forced because nixpkgs' + # `libstdc++.a` is built without `-fPIE`, which precludes us from + # leaving PIE enabled. + ++ lib.optionals + stdenv.hostPlatform.isStatic + [ "-C" "relocation-model=static" ] + ++ lib.optionals + (stdenv.buildPlatform.config != stdenv.hostPlatform.config) + [ + "-l" + "c" - "-l" - "stdc++" + "-l" + "stdc++" - "-L" - "${stdenv.cc.cc.lib}/${stdenv.hostPlatform.config}/lib" - ] + "-L" + "${stdenv.cc.cc.lib}/${stdenv.hostPlatform.config}/lib" + ] ); } - # What follows is stolen from [here][0]. Its purpose is to properly - # configure compilers and linkers for various stages of the build, and - # even covers the case of build scripts that need native code compiled and - # run on the build platform (I think). - # - # [0]: https://github.com/NixOS/nixpkgs/blob/nixpkgs-unstable/pkgs/build-support/rust/lib/default.nix#L48-L68 - // +# What follows is stolen from [here][0]. Its purpose is to properly +# configure compilers and linkers for various stages of the build, and +# even covers the case of build scripts that need native code compiled and +# run on the build platform (I think). 
+# +# [0]: https://github.com/NixOS/nixpkgs/blob/nixpkgs-unstable/pkgs/build-support/rust/lib/default.nix#L48-L68 +// ( let inherit (rust.lib) envVars; in lib.optionalAttrs (stdenv.targetPlatform.rust.rustcTarget - != stdenv.hostPlatform.rust.rustcTarget) + != stdenv.hostPlatform.rust.rustcTarget) ( let inherit (stdenv.targetPlatform.rust) cargoEnvVarTarget; diff --git a/nix/pkgs/main/default.nix b/nix/pkgs/main/default.nix index 01fb8e40..f2fffec0 100644 --- a/nix/pkgs/main/default.nix +++ b/nix/pkgs/main/default.nix 
@@ -12,146 +12,144 @@ , rust-jemalloc-sys , stdenv - # Options (keep sorted) +# Options (keep sorted) , all_features ? false , default_features ? true - # default list of disabled features +# default list of disabled features , disable_features ? [ - # dont include experimental features - "experimental" - # jemalloc profiling/stats features are expensive and shouldn't - # be expected on non-debug builds. - "jemalloc_prof" - "jemalloc_stats" - # this is non-functional on nix for some reason - "hardened_malloc" - # conduwuit_mods is a development-only hot reload feature - "conduwuit_mods" - ] + # dont include experimental features + "experimental" + # jemalloc profiling/stats features are expensive and shouldn't + # be expected on non-debug builds. + "jemalloc_prof" + "jemalloc_stats" + # this is non-functional on nix for some reason + "hardened_malloc" + # conduwuit_mods is a development-only hot reload feature + "conduwuit_mods" +] , disable_release_max_log_level ? false -, features ? [ ] +, features ? [] , profile ? "release" - # rocksdb compiled with -march=haswell and target-cpu=haswell rustflag - # haswell is pretty much any x86 cpu made in the last 12 years, and - # supports modern CPU extensions that rocksdb can make use of. - # disable if trying to make a portable x86_64 build for very old hardware +# rocksdb compiled with -march=haswell and target-cpu=haswell rustflag +# haswell is pretty much any x86 cpu made in the last 12 years, and +# supports modern CPU extensions that rocksdb can make use of. +# disable if trying to make a portable x86_64 build for very old hardware , x86_64_haswell_target_optimised ? false }: let - # We perform default-feature unification in nix, because some of the dependencies - # on the nix side depend on feature values. 
- crateFeatures = path: - let manifest = lib.importTOML "${path}/Cargo.toml"; in - lib.remove "default" (lib.attrNames manifest.features); - crateDefaultFeatures = path: - (lib.importTOML "${path}/Cargo.toml").features.default; - allDefaultFeatures = crateDefaultFeatures "${inputs.self}/src/main"; - allFeatures = crateFeatures "${inputs.self}/src/main"; - features' = lib.unique - (features ++ - lib.optionals default_features allDefaultFeatures ++ - lib.optionals all_features allFeatures); - disable_features' = disable_features ++ lib.optionals disable_release_max_log_level [ "release_max_log_level" ]; - features'' = lib.subtractLists disable_features' features'; +# We perform default-feature unification in nix, because some of the dependencies +# on the nix side depend on feature values. +crateFeatures = path: + let manifest = lib.importTOML "${path}/Cargo.toml"; in + lib.remove "default" (lib.attrNames manifest.features); +crateDefaultFeatures = path: + (lib.importTOML "${path}/Cargo.toml").features.default; +allDefaultFeatures = crateDefaultFeatures "${inputs.self}/src/main"; +allFeatures = crateFeatures "${inputs.self}/src/main"; +features' = lib.unique + (features ++ + lib.optionals default_features allDefaultFeatures ++ + lib.optionals all_features allFeatures); +disable_features' = disable_features ++ lib.optionals disable_release_max_log_level ["release_max_log_level"]; +features'' = lib.subtractLists disable_features' features'; - featureEnabled = feature: builtins.elem feature features''; +featureEnabled = feature : builtins.elem feature features''; - enableLiburing = featureEnabled "io_uring" && !stdenv.hostPlatform.isDarwin; +enableLiburing = featureEnabled "io_uring" && !stdenv.hostPlatform.isDarwin; - # This derivation will set the JEMALLOC_OVERRIDE variable, causing the - # tikv-jemalloc-sys crate to use the nixpkgs jemalloc instead of building it's - # own. 
In order for this to work, we need to set flags on the build that match - # whatever flags tikv-jemalloc-sys was going to use. These are dependent on - # which features we enable in tikv-jemalloc-sys. - rust-jemalloc-sys' = (rust-jemalloc-sys.override { - # tikv-jemalloc-sys/unprefixed_malloc_on_supported_platforms feature - unprefixed = true; - }).overrideAttrs (old: { - configureFlags = old.configureFlags ++ - # we dont need docs - [ "--disable-doc" ] ++ - # we dont need cxx/C++ integration - [ "--disable-cxx" ] ++ - # tikv-jemalloc-sys/profiling feature - lib.optional (featureEnabled "jemalloc_prof") "--enable-prof" ++ - # tikv-jemalloc-sys/stats feature - (if (featureEnabled "jemalloc_stats") then [ "--enable-stats" ] else [ "--disable-stats" ]); +# This derivation will set the JEMALLOC_OVERRIDE variable, causing the +# tikv-jemalloc-sys crate to use the nixpkgs jemalloc instead of building it's +# own. In order for this to work, we need to set flags on the build that match +# whatever flags tikv-jemalloc-sys was going to use. These are dependent on +# which features we enable in tikv-jemalloc-sys. +rust-jemalloc-sys' = (rust-jemalloc-sys.override { + # tikv-jemalloc-sys/unprefixed_malloc_on_supported_platforms feature + unprefixed = true; +}).overrideAttrs (old: { + configureFlags = old.configureFlags ++ + # we dont need docs + [ "--disable-doc" ] ++ + # we dont need cxx/C++ integration + [ "--disable-cxx" ] ++ + # tikv-jemalloc-sys/profiling feature + lib.optional (featureEnabled "jemalloc_prof") "--enable-prof" ++ + # tikv-jemalloc-sys/stats feature + (if (featureEnabled "jemalloc_stats") then [ "--enable-stats" ] else [ "--disable-stats" ]); +}); + +buildDepsOnlyEnv = + let + rocksdb' = (rocksdb.override { + jemalloc = lib.optional (featureEnabled "jemalloc") rust-jemalloc-sys'; + # rocksdb fails to build with prefixed jemalloc, which is required on + # darwin due to [1]. In this case, fall back to building rocksdb with + # libc malloc. 
This should not cause conflicts, because all of the + # jemalloc symbols are prefixed. + # + # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17 + enableJemalloc = featureEnabled "jemalloc" && !stdenv.hostPlatform.isDarwin; + + # for some reason enableLiburing in nixpkgs rocksdb is default true + # which breaks Darwin entirely + enableLiburing = enableLiburing; + }).overrideAttrs (old: { + enableLiburing = enableLiburing; + cmakeFlags = (if x86_64_haswell_target_optimised then (lib.subtractLists [ + # dont make a portable build if x86_64_haswell_target_optimised is enabled + "-DPORTABLE=1" + ] old.cmakeFlags + ++ [ "-DPORTABLE=haswell" ]) else ([ "-DPORTABLE=1" ]) + ) + ++ old.cmakeFlags; + + # outputs has "tools" which we dont need or use + outputs = [ "out" ]; + + # preInstall hooks has stuff for messing with ldb/sst_dump which we dont need or use + preInstall = ""; + }); + in + { + # https://crane.dev/faq/rebuilds-bindgen.html + NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa"; + + CARGO_PROFILE = profile; + ROCKSDB_INCLUDE_DIR = "${rocksdb'}/include"; + ROCKSDB_LIB_DIR = "${rocksdb'}/lib"; + } + // + (import ./cross-compilation-env.nix { + # Keep sorted + inherit + lib + pkgsBuildHost + rust + stdenv; }); - buildDepsOnlyEnv = - let - rocksdb' = (rocksdb.override { - jemalloc = lib.optional (featureEnabled "jemalloc") rust-jemalloc-sys'; - # rocksdb fails to build with prefixed jemalloc, which is required on - # darwin due to [1]. In this case, fall back to building rocksdb with - # libc malloc. This should not cause conflicts, because all of the - # jemalloc symbols are prefixed. 
- # - # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17 - enableJemalloc = featureEnabled "jemalloc" && !stdenv.hostPlatform.isDarwin; - - # for some reason enableLiburing in nixpkgs rocksdb is default true - # which breaks Darwin entirely - inherit enableLiburing; - }).overrideAttrs (old: { - inherit enableLiburing; - cmakeFlags = (if x86_64_haswell_target_optimised then - (lib.subtractLists [ - # dont make a portable build if x86_64_haswell_target_optimised is enabled - "-DPORTABLE=1" - ] - old.cmakeFlags - ++ [ "-DPORTABLE=haswell" ]) else [ "-DPORTABLE=1" ] - ) - ++ old.cmakeFlags; - - # outputs has "tools" which we dont need or use - outputs = [ "out" ]; - - # preInstall hooks has stuff for messing with ldb/sst_dump which we dont need or use - preInstall = ""; - }); - in - { - # https://crane.dev/faq/rebuilds-bindgen.html - NIX_OUTPATH_USED_AS_RANDOM_SEED = "aaaaaaaaaa"; - - CARGO_PROFILE = profile; - ROCKSDB_INCLUDE_DIR = "${rocksdb'}/include"; - ROCKSDB_LIB_DIR = "${rocksdb'}/lib"; - } - // - (import ./cross-compilation-env.nix { - # Keep sorted - inherit - lib - pkgsBuildHost - rust - stdenv; - }); - - buildPackageEnv = { - GIT_COMMIT_HASH = inputs.self.rev or inputs.self.dirtyRev or ""; - GIT_COMMIT_HASH_SHORT = inputs.self.shortRev or inputs.self.dirtyShortRev or ""; - } // buildDepsOnlyEnv // { - # Only needed in static stdenv because these are transitive dependencies of rocksdb - CARGO_BUILD_RUSTFLAGS = buildDepsOnlyEnv.CARGO_BUILD_RUSTFLAGS - + lib.optionalString (enableLiburing && stdenv.hostPlatform.isStatic) +buildPackageEnv = { + GIT_COMMIT_HASH = inputs.self.rev or inputs.self.dirtyRev or ""; + GIT_COMMIT_HASH_SHORT = inputs.self.shortRev or inputs.self.dirtyShortRev or ""; +} // buildDepsOnlyEnv // { + # Only needed in static stdenv because these are transitive dependencies of rocksdb + CARGO_BUILD_RUSTFLAGS = buildDepsOnlyEnv.CARGO_BUILD_RUSTFLAGS + + lib.optionalString 
(enableLiburing && stdenv.hostPlatform.isStatic) " -L${lib.getLib liburing}/lib -luring" - + lib.optionalString x86_64_haswell_target_optimised + + lib.optionalString x86_64_haswell_target_optimised " -Ctarget-cpu=haswell"; - }; +}; - commonAttrs = { - inherit - (craneLib.crateNameFromCargoToml { - cargoToml = "${inputs.self}/Cargo.toml"; - }) - pname - version; +commonAttrs = { + inherit + (craneLib.crateNameFromCargoToml { + cargoToml = "${inputs.self}/Cargo.toml"; + }) + pname + version; src = let filter = inputs.nix-filter.lib; in filter { root = inputs.self; @@ -169,22 +167,22 @@ let cargoExtraArgs = "--no-default-features --locked " + lib.optionalString - (features'' != [ ]) - "--features " + (builtins.concatStringsSep "," features''); + (features'' != []) + "--features " + (builtins.concatStringsSep "," features''); dontStrip = profile == "dev" || profile == "test"; dontPatchELF = profile == "dev" || profile == "test"; buildInputs = lib.optional (featureEnabled "jemalloc") rust-jemalloc-sys' - # needed to build Rust applications on macOS - ++ lib.optionals stdenv.hostPlatform.isDarwin [ - # https://github.com/NixOS/nixpkgs/issues/206242 - # ld: library not found for -liconv - libiconv - # https://stackoverflow.com/questions/69869574/properly-adding-darwin-apple-sdk-to-a-nix-shell - # https://discourse.nixos.org/t/compile-a-rust-binary-on-macos-dbcrossbar/8612 - pkgsBuildHost.darwin.apple_sdk.frameworks.Security - ]; + # needed to build Rust applications on macOS + ++ lib.optionals stdenv.hostPlatform.isDarwin [ + # https://github.com/NixOS/nixpkgs/issues/206242 + # ld: library not found for -liconv + libiconv + # https://stackoverflow.com/questions/69869574/properly-adding-darwin-apple-sdk-to-a-nix-shell + # https://discourse.nixos.org/t/compile-a-rust-binary-on-macos-dbcrossbar/8612 + pkgsBuildHost.darwin.apple_sdk.frameworks.Security + ]; nativeBuildInputs = [ # bindgen needs the build platform's libclang. Apparently due to "splicing 
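Review bot: `featureEnabled = feature : builtins.elem feature features'';` puts a space before the colon, unlike `crateFeatures = path:` and `crateDefaultFeatures = path:` a few lines earlier in the same hunk; `featureEnabled = feature: builtins.elem feature features'';` keeps the lambda style uniform. In the `rocksdb'` override, the two `inherit enableLiburing;` lines have become `enableLiburing = enableLiburing;`, which is equivalent but longer, and `inherit` is still the idiom the hunk uses elsewhere (`inherit lib pkgsBuildHost rust stdenv;`). The `let` block this hunk reindents continues into the next hunk.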
@@ -197,11 +195,11 @@ let # differing values for `NIX_CFLAGS_COMPILE`, which contributes to spurious # rebuilds of bindgen and its depedents. jq - ]; - }; + ]; + }; in -craneLib.buildPackage (commonAttrs // { +craneLib.buildPackage ( commonAttrs // { cargoArtifacts = craneLib.buildDepsOnly (commonAttrs // { env = buildDepsOnlyEnv; }); @@ -210,8 +208,8 @@ craneLib.buildPackage (commonAttrs // { cargoExtraArgs = "--no-default-features --locked " + lib.optionalString - (features'' != [ ]) - "--features " + (builtins.concatStringsSep "," features''); + (features'' != []) + "--features " + (builtins.concatStringsSep "," features''); env = buildPackageEnv; diff --git a/nix/pkgs/oci-image/default.nix b/nix/pkgs/oci-image/default.nix new file mode 100644 index 00000000..953407ef --- /dev/null +++ b/nix/pkgs/oci-image/default.nix 
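Review bot: `craneLib.buildPackage ( commonAttrs // {` introduces a space after the opening parenthesis that nothing else in the file uses — `craneLib.buildDepsOnly (commonAttrs // {` two lines below keeps the usual form — so `craneLib.buildPackage (commonAttrs // {` would match. The `cargoExtraArgs` expression in the `@@ -210` hunk is a verbatim copy of the one in `commonAttrs` from the `@@ -169` hunk; since `commonAttrs` is merged in with `//`, the second copy changes nothing and could be dropped unless it is kept deliberately as a reminder that `buildDepsOnly` and `buildPackage` must agree. This note covers the `@@ -197` and `@@ -210` hunks, which share this line.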
@@ -0,0 +1,46 @@
+{ inputs
+
+# Dependencies
+, dockerTools
+, lib
+, main
+, stdenv
+, tini
+}:
+
+dockerTools.buildLayeredImage {
+ name = main.pname;
+ tag = "main";
+ created = "@${toString inputs.self.lastModified}";
+ contents = [
+ dockerTools.caCertificates
+ main
+ ];
+ config = {
+ Entrypoint = if !stdenv.hostPlatform.isDarwin
+ # Use the `tini` init system so that signals (e.g. ctrl+c/SIGINT)
+ # are handled as expected
+ then [ "${lib.getExe' tini "tini"}" "--" ]
+ else [];
+ Cmd = [
+ "${lib.getExe main}"
+ ];
+ Env = [
+ "RUST_BACKTRACE=full"
+ ];
+ Labels = {
+ "org.opencontainers.image.authors" = "June Clementine Strawberry and Jason Volk
+ ";
+ "org.opencontainers.image.created" ="@${toString inputs.self.lastModified}";
+ "org.opencontainers.image.description" = "a very cool Matrix chat homeserver written in Rust";
+ "org.opencontainers.image.documentation" = "https://continuwuity.org/";
+ "org.opencontainers.image.licenses" = "Apache-2.0";
+ "org.opencontainers.image.revision" = inputs.self.rev or inputs.self.dirtyRev or "";
+ "org.opencontainers.image.source" = "https://forgejo.ellis.link/continuwuation/continuwuity";
+ "org.opencontainers.image.title" = main.pname;
+ "org.opencontainers.image.url" = "https://continuwuity.org/";
+ "org.opencontainers.image.vendor" = "continuwuation";
+ "org.opencontainers.image.version" = main.version;
+ };
+ };
+}
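Review bot: The `org.opencontainers.image.authors` label value is split across two source lines (`"June Clementine Strawberry and Jason Volk` followed by `";`), so the label is emitted with an embedded newline, which looks unintended; `"org.opencontainers.image.authors" = "June Clementine Strawberry and Jason Volk";` on one line fixes it. `"org.opencontainers.image.created" ="@…"` is also missing the space after `=` that every other label has. The image config sets no `User`, so the server runs as root inside the container unless the operator overrides it; if the data directory is made writable for an unprivileged uid, a numeric `User = "1000:1000";` in `config` would drop that privilege without needing an `/etc/passwd` in the image, though that is a deployment decision rather than a defect in this hunk. The function is complete within this hunk.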