Move builds for flake projects into a separate nix file

Author: sd234678

.last-exported-commit

@@ -1 +1 @@
-Last exported commit from parent repo: aed9d9e083b67949c214d3cba60c1615b082f9ce
+Last exported commit from parent repo: eb9d769ca6f914295b4bf09dcc82bc388a7f9305

nix-bootstrap.cabal

@@ -5,7 +5,7 @@ cabal-version: 2.0
 -- see: https://github.com/sol/hpack
 
 name:           nix-bootstrap
-version:        1.3.0.4
+version:        1.3.1.0
 author:         gchquser
 maintainer:     [email protected]
 copyright:      Crown Copyright
@@ -24,6 +24,7 @@ library
       Bootstrap.Cli
       Bootstrap.Data.Bootstrappable
       Bootstrap.Data.Bootstrappable.BootstrapState
+      Bootstrap.Data.Bootstrappable.BuildNix
       Bootstrap.Data.Bootstrappable.DefaultNix
       Bootstrap.Data.Bootstrappable.DevContainer
       Bootstrap.Data.Bootstrappable.Envrc
@@ -147,6 +148,7 @@ test-suite nix-bootstrap-test
   main-is: Spec.hs
   other-modules:
       Bootstrap.Data.Bootstrappable.BootstrapStateSpec
+      Bootstrap.Data.Bootstrappable.BuildNixSpec
       Bootstrap.Data.Bootstrappable.DefaultNixSpec
       Bootstrap.Data.Bootstrappable.DevContainerSpec
       Bootstrap.Data.Bootstrappable.EnvrcSpec

package.yaml

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 name: nix-bootstrap
-version: 1.3.0.4
+version: 1.3.1.0
 author: gchquser
 maintainer: [email protected]
 copyright: Crown Copyright

src/Bootstrap.hs

@@ -15,6 +15,7 @@ import Bootstrap.Cli
 import Bootstrap.Data.Bootstrappable
   ( Bootstrappable (bootstrapName),
   )
+import Bootstrap.Data.Bootstrappable.BuildNix (buildNixFor)
 import Bootstrap.Data.Bootstrappable.DefaultNix (defaultNixFor)
 import Bootstrap.Data.Bootstrappable.DevContainer
   ( devContainerDockerComposeFor,
@@ -395,6 +396,7 @@ makeBuildPlan MakeBuildPlanArgs {..} = do
             if unPreCommitHooksConfig mbpPreCommitHooksConfig
               then Just $ nixPreCommitHookConfigFor mbpRunConfig mbpProjectType
               else Nothing
+          buildNix = buildNixFor mbpRunConfig mbpProjectName mbpProjectType
       goModfile <-
         case mbpProjectType of
           Go (SetUpGoBuild True) ->
@@ -411,7 +413,8 @@ makeBuildPlan MakeBuildPlanArgs {..} = do
               ~: Envrc mbpPreCommitHooksConfig (rcUseFlakes mbpRunConfig)
               ~: gitignoreFor mbpRunConfig mbpProjectType mbpPreCommitHooksConfig
               ~: initialReadme
-              ~: flakeNixFor mbpRunConfig mbpProjectName mbpProjectType mbpPreCommitHooksConfig nixPreCommitHookConfig
+              ~: buildNix
+              ~: flakeNixFor mbpRunConfig mbpProjectName mbpProjectType mbpPreCommitHooksConfig nixPreCommitHookConfig buildNix
               ~: ( if rcUseFlakes mbpRunConfig
                      then Nothing
                      else Just $ nixShellFor mbpRunConfig mbpProjectType mbpPreCommitHooksConfig nixPreCommitHookConfig

src/Bootstrap/Data/Bootstrappable.hs

@@ -64,8 +64,15 @@ bootstrapContentNix a = do
             <$> writeExprFormatted expr
         Left (i1 :| iRest) ->
           pure . Left $
-            "Nix expression is incorrectly scoped; it references the out of scope identifiers "
-              <> toString (foldr (\i acc -> unIdentifier i <> ", " <> acc) ("and " <> unIdentifier i1) iRest)
+            "Nix expression is incorrectly scoped; it references the out of scope "
+              <> ( if null iRest
+                     then "identifier " <> toString (unIdentifier i1)
+                     else
+                       "identifiers "
+                         <> toString
+                           ( foldr (\i acc -> unIdentifier i <> ", " <> acc) ("and " <> unIdentifier i1) iRest
+                           )
+                 )
               <> ". This is a bug in nix-bootstrap; please "
               <> "contact the nix-bootstrap team to report it."
 

src/Bootstrap/Data/Bootstrappable/BuildNix.hs

@@ -0,0 +1,43 @@
+{-# LANGUAGE QuasiQuotes #-}
+
+-- |
+-- Copyright : (c) Crown Copyright GCHQ
+-- Description : The code for build.nix
+module Bootstrap.Data.Bootstrappable.BuildNix (BuildNix, buildNixFor) where
+
+import Bootstrap.Cli (RunConfig (RunConfig, rcUseFlakes))
+import Bootstrap.Data.Bootstrappable
+  ( Bootstrappable (bootstrapContent, bootstrapName, bootstrapReason),
+    bootstrapContentNix,
+  )
+import Bootstrap.Data.Bootstrappable.DefaultNix
+  ( DefaultNix (defaultNixInBlockExpr),
+    defaultNixFor,
+  )
+import Bootstrap.Data.ProjectName (ProjectName)
+import Bootstrap.Data.ProjectType (ProjectType)
+import Bootstrap.Nix.Expr (Expr (EFunc), IsNixExpr (toNixExpr), nixargs)
+
+-- | A separate nix file defining reproducible builds for flake projects,
+-- to save it all being kept in flake.nix
+newtype BuildNix = BuildNix {unBuildNix :: Expr}
+  deriving stock (Eq, Show)
+
+instance Bootstrappable BuildNix where
+  bootstrapName = const "nix/build.nix"
+  bootstrapReason = const "This configures your reproducible project builds."
+  bootstrapContent = bootstrapContentNix
+
+instance IsNixExpr BuildNix where
+  toNixExpr = EFunc [nixargs|{ nixpkgs }:|] . unBuildNix
+
+-- | Gives a `BuildNix` (or `Nothing`) as appropriate for the project details
+-- given.
+buildNixFor :: RunConfig -> ProjectName -> ProjectType -> Maybe BuildNix
+buildNixFor RunConfig {rcUseFlakes} flakeNixProjectName flakeNixProjectType =
+  let buildExpr =
+        defaultNixInBlockExpr
+          <$> defaultNixFor flakeNixProjectName flakeNixProjectType
+   in if rcUseFlakes
+        then BuildNix <$> buildExpr
+        else Nothing

src/Bootstrap/Data/Bootstrappable/FlakeNix.hs

@@ -13,7 +13,7 @@ import Bootstrap.Data.Bootstrappable
       ),
     bootstrapContentNix,
   )
-import Bootstrap.Data.Bootstrappable.DefaultNix (DefaultNix (defaultNixInBlockExpr), defaultNixFor)
+import Bootstrap.Data.Bootstrappable.BuildNix (BuildNix)
 import Bootstrap.Data.Bootstrappable.NixPreCommitHookConfig (NixPreCommitHookConfig)
 import Bootstrap.Data.Bootstrappable.NixShell (NixShell (NixShell, nixShellBuildInputs, nixShellHooksRequireNixpkgs), nixShellFor)
 import Bootstrap.Data.PreCommitHook
@@ -26,7 +26,7 @@ import Bootstrap.Nix.Expr
     Expr (EGrouping, ELetIn, ELit, ESet),
     FunctionArgs (FASet),
     IsNixExpr (toNixExpr),
-    Literal (LString),
+    Literal (LPath, LString),
     nix,
     nixargs,
     nixbinding,
@@ -53,16 +53,15 @@ data FlakeNix = FlakeNix
     flakeNixProjectName :: ProjectName,
     flakeNixProjectType :: ProjectType,
     flakeNixBuildInputs :: [Expr],
-    flakeNixBuildExpr :: Maybe Expr,
+    flakeNixBuildNix :: Maybe BuildNix,
     -- | Used to determine whether to pass the nixpkgs argument to the pre-commit-hooks config
     flakeNixHooksRequireNixpkgs :: Bool
   }
 
 instance Bootstrappable FlakeNix where
   bootstrapName = const "flake.nix"
-  bootstrapReason FlakeNix {flakeNixPreCommitHooksConfig, flakeNixBuildExpr} =
+  bootstrapReason FlakeNix {flakeNixPreCommitHooksConfig} =
     "This configures what tools are available in your development environment"
-      <> maybe "" (const ", configures reproducible builds,") flakeNixBuildExpr
       <> if unPreCommitHooksConfig flakeNixPreCommitHooksConfig
         then " and links in the pre-commit hooks."
         else "."
@@ -74,18 +73,17 @@ flakeNixFor ::
   ProjectType ->
   PreCommitHooksConfig ->
   Maybe NixPreCommitHookConfig ->
+  Maybe BuildNix ->
   Maybe FlakeNix
 flakeNixFor
   rc@RunConfig {rcUseFlakes}
   flakeNixProjectName
   flakeNixProjectType
   flakeNixPreCommitHooksConfig
-  nixPreCommitHookConfig =
+  nixPreCommitHookConfig
+  flakeNixBuildNix =
     let NixShell {nixShellBuildInputs, nixShellHooksRequireNixpkgs} =
           nixShellFor rc flakeNixProjectType flakeNixPreCommitHooksConfig nixPreCommitHookConfig
-        flakeNixBuildExpr =
-          defaultNixInBlockExpr
-            <$> defaultNixFor flakeNixProjectName flakeNixProjectType
      in if rcUseFlakes
           then
             Just
@@ -158,10 +156,14 @@ instance IsNixExpr FlakeNix where
                                            bisProjectType = flakeNixProjectType
                                          }
                                  ]
-                              <> case flakeNixBuildExpr of
-                                Just buildExpr ->
+                              <> case flakeNixBuildNix of
+                                Just buildNix ->
                                   [ [nixbinding|defaultPackage = self.packages.${system}.default;|],
-                                    [nixproperty|packages.default|] |= buildExpr
+                                    [nixproperty|packages.default|]
+                                      |= ( [nix|import|]
+                                             |* ELit (LPath . toText $ bootstrapName buildNix)
+                                             |* [nix|{ inherit nixpkgs; }|]
+                                         )
                                   ]
                                     <> (if usingHooks then runChecksDerivation else [])
                                 Nothing -> if usingHooks then runChecksDerivation else []

test/Bootstrap/Data/Bootstrappable/BuildNixSpec.hs

@@ -0,0 +1,131 @@
+{-# LANGUAGE QuasiQuotes #-}
+{-# OPTIONS_GHC -Wno-missing-import-lists #-}
+
+-- | Copyright : (c) Crown Copyright GCHQ
+module Bootstrap.Data.Bootstrappable.BuildNixSpec (spec) where
+
+import Bootstrap.Data.Bootstrappable (Bootstrappable (bootstrapContent))
+import Bootstrap.Data.Bootstrappable.BuildNix (buildNixFor)
+import Bootstrap.Data.ProjectName (ProjectName, mkProjectName)
+import Bootstrap.Data.ProjectType
+  ( ArtefactId (ArtefactId),
+    InstallLombok (InstallLombok),
+    InstallMinishift (InstallMinishift),
+    JavaOptions (JavaOptions),
+    ProjectType (Go, Java),
+    SetUpGoBuild (SetUpGoBuild),
+    SetUpJavaBuild (SetUpJavaBuild),
+  )
+import qualified Relude.Unsafe as Unsafe
+import Test.Hspec (Spec, describe, it)
+import Test.Hspec.Expectations.Pretty (shouldBe)
+import Test.Util.RunConfig (rcDefault, rcWithFlakes)
+import Text.RawString.QQ (r)
+
+spec :: Spec
+spec = describe "build.nix rendering" do
+  it "renders nothing for a non-flake project" do
+    buildNixFor rcDefault projectName (Go $ SetUpGoBuild True)
+      `shouldBe` Nothing
+  it "renders correctly for a Go project" do
+    case buildNixFor rcWithFlakes projectName (Go $ SetUpGoBuild True) of
+      Just buildNix ->
+        bootstrapContent buildNix
+          >>= ( `shouldBe`
+                  Right
+                    [r|{nixpkgs}:
+nixpkgs.buildGoModule {
+  pname = "test-project";
+  version = "0.1.0";
+  src = ./.;
+  vendorSha256 = null;
+  # Swap out the line above for the one below once you start adding dependencies.
+  # After your dependencies change, builds will fail until you update the hash below.
+  # When the build fails, it will tell you what the expected hash is.
+  # vendorSha256 = "sha256-00000000000000000000000000000000000000000000";
+}
+|]
+              )
+      Nothing -> fail "Gave nothing for a project which should've had a build.nix generated."
+
+  it "renders correctly for a Java project" do
+    case buildNixFor
+      rcWithFlakes
+      projectName
+      ( Java $
+          JavaOptions
+            (InstallMinishift True)
+            (InstallLombok True)
+            (SetUpJavaBuild $ ArtefactId "testId")
+      ) of
+      Just buildNix ->
+        bootstrapContent buildNix
+          >>= ( `shouldBe`
+                  Right
+                    [r|{nixpkgs}: let
+  projectName = "test-project";
+  artefactId = "testId";
+  repository = nixpkgs.stdenv.mkDerivation {
+    name = "${projectName}-repository";
+    buildInputs = [nixpkgs.maven];
+    src = ./.;
+    buildPhase = "mvn package -Dmaven.repo.local=$out";
+    # keep only *.{pom,jar,sha1,nbm} and delete all ephemeral files with lastModified timestamps inside
+    installPhase = ''
+      find $out -type f \
+          -name \*.lastUpdated -or \
+          -name resolver-status.properties -or \
+          -name _remote.repositories \
+          -delete
+    '';
+    dontFixup = true;
+    outputHashAlgo = "sha256";
+    outputHashMode = "recursive";
+    # This hash will need updating when changing your dependencies; the correct
+    # hash will be displayed when the build fails if so.
+    outputHash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
+  };
+  builtJar = nixpkgs.stdenv.mkDerivation rec {
+    pname = projectName;
+    version = "0.0.1-SNAPSHOT";
+    src = ./.;
+    buildInputs = [nixpkgs.maven];
+    buildPhase = ''
+      echo "Using repository ${repository}"
+      mvn --offline -Dmaven.repo.local=${repository} package;
+    '';
+    installPhase = ''
+      install -Dm644 target/${artefactId}-${version}.jar $out/${projectName}
+    '';
+  };
+  fromImage = nixpkgs.dockerTools.pullImage {
+    imageName = "eclipse-temurin";
+    imageDigest = "sha256:4cc7dfdfb7837f35c3820bcfbc5f666521364e2198960322848ab7d3e2ca3e88";
+    finalImageName = "eclipse-temurin";
+    finalImageTag = "17.0.4.1_1-jre";
+    sha256 = "sha256-OIib6PQJc1xX+Xu2xtaFEo/jZtxypkg8Y9RFMcJf39w=";
+  };
+in
+  nixpkgs.dockerTools.buildLayeredImage {
+    inherit fromImage;
+    name = projectName;
+    enableFakechroot = true;
+    fakeRootCommands = ''
+      cp ${builtJar}/${projectName} /${projectName}
+      chown root:root /${projectName}
+      chmod 774 /${projectName}
+    '';
+    config = {
+      Entrypoint = [
+        "/bin/sh"
+        "-c"
+        "java $JAVA_OPTS -jar /${projectName}"
+      ];
+    };
+  }
+|]
+              )
+      Nothing -> fail "Gave nothing for a project which should've had a build.nix generated."
+
+projectName :: ProjectName
+projectName = Unsafe.fromJust (mkProjectName "test-project")