Document pinning nixpkgs in manual #27994

Closed
puffnfresh opened this issue Aug 6, 2017 · 16 comments

@puffnfresh
Contributor

I've heard from both @nuttycom and @cocreature that nixpkgs' documentation doesn't describe how to ensure reproducible derivations by pinning the version of nixpkgs.

My knowledge is that this is probably the best way to pin:

import ((import <nixpkgs> { }).fetchFromGitHub {
  owner = "NixOS";
  repo = "nixpkgs";
  rev = "32bcda741a9f58d376ad1f1de0b051571cddc3d2";
  sha256 = "1gcnx2b5jmfyhjhd3d7jgr1wrqyidxczj34d37hxmv4yx7x2722y";
}) { config = { }; }

@vyp
Member

vyp commented Aug 7, 2017

Would you know how that compares to setting nix.nixPath?

@ocharles
Contributor

ocharles commented Aug 7, 2017

I think the solution in the issue description is the best way. I don't see any need to use fetchTarball.

@vyp
Member

vyp commented Aug 7, 2017

For reference, and if it helps anyone, my source for setting nix.nixPath and managing it with the git method is: http://anderspapitto.com/posts/2015-11-01-nixos-with-local-nixpkgs-checkout.html

Except that has a typo on the line (the fourth "):

  nix.nixPath = [ "/etc/nixos" "nixos-config"=/etc/nixos/configuration.nix" ];

Should be something like the following instead:

  nix.nixPath = [ "nixpkgs=/etc/nixos" "nixos-config=/etc/nixos/configuration.nix" ];

And also I think it should be git fetch --all instead of just git fetch each time (so that all remotes are fetched).

@puffnfresh
Contributor Author

I think ideally there'd be a fetchNixpkgs function.

@domenkozar
Member

@ocharles fetchFromGitHub uses IFD, which then doesn't display all packages to be built upfront. So you first need to build pkgs.fetchFromGitHub using the current NIX_PATH and then you can import further on with the new set.

fetchTarball is a builtin, but it has a drawback that you can't use it with Hydra and need to pass it as an input (that's why I usually accept a pkgs input that is fetchTarball by default).

@FRidh
Member

FRidh commented Aug 7, 2017

So that would have been the fetchNixpkgs @LnL7 had proposed (#26802), but that's IFD as @domenkozar pointed out. The proper solution is to use fetchTarball from Nix 1.12 which uses a hash (NixOS/nix#1382).

@ocharles
Contributor

ocharles commented Aug 7, 2017

@domenkozar I don't entirely understand your comment. Yes, it uses IFD and that results in multiple phases, but beyond that I haven't seen any problems. It's not like a command has to be run multiple times. What is the main problem?

@copumpkin
Member

copumpkin commented Aug 7, 2017

I use that pattern all the time at work. I even proposed something to make it a bit smoother, but it didn't really go anywhere: #22058

I also don't use fetchTarball since I want to be able to lock the version and treat it as a fixed-output derivation that I can cache somewhere, and no released version of Nix has that functionality for fetchTarball yet.

Edit: to elaborate, I want to be able to cache the exact nixpkgs tarball with a known output hash because many of my machines can't hit github.com, so fetchTarball's attempts to hit the internet directly won't work.

@domenkozar
Member

domenkozar commented Aug 8, 2017

@ocharles if Nix needs to download anything before evaluating pkgs.fetchFromGitHub it won't print the full build plan, etc. It's the best we have now until Nix 11.12 is released, where builtins.fetchTarball accepts a hash so it doesn't redownload the tarball, but all of that happens at evaluation time eagerly.

@adelbertc
Contributor

Just tried @puffnfresh's implementation today, seems to work. Only issue was an ergonomic one: I wasn't sure how to get the sha256, so I used nix-prefetch-git as suggested here to fetch the revision and get the hash, and then copy/pasted the output. A bit tedious, not sure if there's a better way.

@vyp
Member

vyp commented Aug 10, 2017

@adelbertc For GitHub, nix-prefetch-url --unpack https://github.com/<owner>/<repo>/archive/<rev>.tar.gz >> file.nix, not sure if there's a better way.

@domenkozar
Member

Relevant: #21732

@domenkozar
Member

@puffnfresh
Contributor Author

I think that's fair enough, although it still seems to be an IFD under 1.11

@CMCDragonkai
Member

Can the documentation be updated to show how to pin the same nixpkgs to both the configuration.nix and the nix.nixPath = [ "nixpkgs=??" ]; ?

I currently have something like:

{ config, ... }:
  let pkgs = import ./nixpkgs { config.allowUnfree = true; }; in
  {
    nix.nixPath = [ "nixpkgs=/etc/nixos/nixpkgs" ];
  }

But if instead I was using https://github.com/nixos/nixpkgs/archive/ca2ba44cab47767c8127d1c8633e2b581644eb8f.tar.gz, then how to get this used in the nix.nixPath "nixpkgs=??"?
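
Added example, not written by any participant in this thread: the pin from the opening post expressed with builtins.fetchTarball plus a sha256 (the form the thread describes for Nix 1.12), reused for both the module's package set and nix.nixPath. It assumes the fetchFromGitHub hash from the opening post also matches the unpacked GitHub archive of the same revision; `nixpkgsSrc` and the `pkgs.hello` entry are illustrative names.

```nix
# configuration.nix fragment (added example, not from the thread).
{ config, ... }:
let
  # Revision and hash copied from the opening post of this issue.
  rev = "32bcda741a9f58d376ad1f1de0b051571cddc3d2";

  # Assumption: this is the hash of the unpacked tree, which is what both
  # fetchFromGitHub and builtins.fetchTarball check. To pin a different
  # revision, recompute it with the command quoted in the thread:
  #   nix-prefetch-url --unpack https://github.com/<owner>/<repo>/archive/<rev>.tar.gz
  sha256 = "1gcnx2b5jmfyhjhd3d7jgr1wrqyidxczj34d37hxmv4yx7x2722y";

  # Fetched by the evaluator itself, so nothing has to be built with the
  # ambient <nixpkgs> first. With sha256 set, a tarball whose unpacked
  # content does not match is rejected and evaluation fails; once the
  # matching path is in the store it is not downloaded again.
  nixpkgsSrc = builtins.fetchTarball {
    url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
    inherit sha256;
  };

  # Package set taken from the pinned source, never from NIX_PATH.
  pkgs = import nixpkgsSrc { config.allowUnfree = true; };
in
{
  # nixpkgsSrc evaluates to a /nix/store path, so <nixpkgs> in nix-shell,
  # nix-build and nix-env on this machine resolves to the same pinned tree.
  nix.nixPath = [
    "nixpkgs=${nixpkgsSrc}"
    "nixos-config=/etc/nixos/configuration.nix"
  ];

  # Illustrative use of the pinned set.
  environment.systemPackages = [ pkgs.hello ];
}
```

Leaving out sha256 makes fetchTarball accept whatever the URL currently serves, so the pin then rests only on the revision in the URL.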
