autobrr: init at 1.36.0 #287593
autobrr: init at 1.36.0 #287593
Conversation
dotlambda
changed the title
This comment was marked as duplicate.
This comment was marked as duplicate.
Sorry, something went wrong.
|
I think I've addressed all remaining concerns. @ambroisie please let me know if I've missed anything from your original review. |
There was a problem hiding this comment.
There should be a settings option to create config.toml. See NixOS/rfcs#42.
| DynamicUser = true; | ||
| StateDirectory = "autobrr"; | ||
| StateDirectoryMode = "0700"; | ||
| ExecStart = "${pkgs.autobrr}/bin/autobrr --config '${WorkingDirectory}'"; |
There was a problem hiding this comment.
| ExecStart = "${pkgs.autobrr}/bin/autobrr --config '${WorkingDirectory}'"; | |
| ExecStart = "${lib.getExe pkgs.autobrr} --config '${WorkingDirectory}'"; |
|
|
||
| vendorHash = "sha256-SkwSKFEZAmjVnaSowIbrdH667vB5WqNrPuRs/Yh6BLc="; | ||
|
|
||
| preBuild = "cp -r ${autobrr-web}/* web/dist"; |
There was a problem hiding this comment.
| preBuild = "cp -r ${autobrr-web}/* web/dist"; | |
| preBuild = '' | |
| cp -r ${autobrr-web}/* web/dist | |
| ''; |
| DynamicUser = true; | ||
| StateDirectory = "autobrr"; | ||
| StateDirectoryMode = "0700"; | ||
| ExecStart = "${pkgs.autobrr}/bin/autobrr --config '${WorkingDirectory}'"; |
There was a problem hiding this comment.
Where is WorkingDirectory defined?
There was a problem hiding this comment.
And please use lib.getExe:
| ExecStart = "${pkgs.autobrr}/bin/autobrr --config '${WorkingDirectory}'"; | |
| ExecStart = "${lib.getExe pkgs.autobrr} --config '${WorkingDirectory}'"; |
| autobrr-web = stdenvNoCC.mkDerivation { | ||
| pname = "${pname}-web"; | ||
| inherit src version; | ||
|
|
||
| nativeBuildInputs = [ | ||
| nodePackages.pnpm | ||
| cacert | ||
| ]; | ||
|
|
||
| buildPhase = '' | ||
| runHook preBuild | ||
|
|
||
| export HOME=$(mktemp -d) | ||
| pnpm --dir web install | ||
| pnpm --dir web run build | ||
|
|
||
| mv web/dist $out | ||
|
|
||
| runHook postBuild | ||
| ''; | ||
|
|
||
| dontInstall = true; | ||
|
|
||
| outputHashMode = "recursive"; | ||
| outputHash = "sha256-IOrW26Nq+9PYWlzUSpPBfkv3jzs5VlfF0JVFaUCDMmw="; | ||
| }; |
There was a problem hiding this comment.
So at least we're not using an FOD to store the pnpm dependencies. But I still worry that the output is not bit-for-bit reproducible.
My recommendation is to:
- Try to use
pnpm-exportand usebuildNpmPackageormkYarnPackage. - If
pnpm-exportdoesn't work, just generate a lock file manually.
In either case, this would mean vendoring the lock file to the repository.
There was a problem hiding this comment.
I believe this derivation should be bit-for-bit reproducible. Different versions of pnpm might have different store or cache formats, but each module in node_modules will be consistent with its hash in pnpm-lock.yaml. dist just contains the final bundle created by Vite. Why would that change because the dependencies are grabbed with a different package manager?
There was a problem hiding this comment.
What makes you believe the output of pnpm --dir web run build is reproducible? Do TypeScript and Vite claim to be reproducible?
There was a problem hiding this comment.
error: build of '/nix/store/cfcl0gpb9p5nnphw25g9mc6hifjpf3wl-autobrr-web-1.36.0.drv' on 'ssh://nix@willard' failed: hash mismatch in fixed-output derivation '/nix/store/cfcl0gpb9p5nnphw25g9mc6hifjpf3wl-autobrr-web-1.36.0.drv':
specified: sha256-IOrW26Nq+9PYWlzUSpPBfkv3jzs5VlfF0JVFaUCDMmw=
got: sha256-SkwSKFEZAmjVnaSowIbrdH667vB5WqNrPuRs/Yh6BLc=
There was a problem hiding this comment.
pnpm --dir web run build just runs tsc && vite build, as specified in package.json. Neither of these claim to be reproducible build tools (I don't think), but I believe that buildNpmPackage or mkYarnPackage would execute those commands in the same way. Please correct me if I'm wrong.
There was a problem hiding this comment.
May I ask if you did anything to cause the hash mismatch? Or did you just try to build it on your machine
There was a problem hiding this comment.
The latter.
Neither of these claim to be reproducible build tools (I don't think), but I believe that
buildNpmPackageormkYarnPackagewould execute those commands in the same way.
Yes but those aren't used in FODs.
|
|
||
| vendorHash = "sha256-SkwSKFEZAmjVnaSowIbrdH667vB5WqNrPuRs/Yh6BLc="; | ||
|
|
||
| preBuild = "cp -r ${autobrr-web}/* web/dist"; |
There was a problem hiding this comment.
For easy diffs, I'd use a multi-line string:
| preBuild = "cp -r ${autobrr-web}/* web/dist"; | |
| preBuild = '' | |
| cp -r ${autobrr-web}/* web/dist | |
| ''; |
| @@ -0,0 +1,70 @@ | |||
| { config, pkgs, lib, ... }: | |||
|
|
|||
| with lib; | |||
| openFirewall = mkOption { | ||
| type = types.bool; | ||
| default = false; | ||
| description = lib.mdDoc "Open ports in the firewall for the Autobrr web interface."; |
There was a problem hiding this comment.
|
We just released v1.38.0 so might be a good idea to bump the version in this pr 😄 |
Description of changes
Reopening #283389. Closes #224560.
Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.