feat: nix flake packaging #583
Walkthrough: This PR adds a Nix flake (flake.nix) that builds the fnox Rust package using crane, exposing packages, an app, and a dev shell, and updates .gitignore to exclude the Nix build output directory "result".
Greptile Summary: This PR adds Nix flake packaging for fnox using crane for Rust builds, exposing a default package, app, and dev shell across all default systems.
Confidence Score: 3/5
The flake will fail to build on both Linux and macOS due to missing build-time dependencies and should not be merged as-is. Two build-breaking gaps exist in flake.nix: aws-lc-sys (pulled in by both jsonwebtoken and rustls with their aws_lc_rs features) requires cmake and go at compile time, which are absent from nativeBuildInputs; and apple-native-keyring-store with the keychain feature requires the macOS Security and CoreFoundation frameworks, which are absent from buildInputs for Darwin.
Important files changed: flake.nix — the nativeBuildInputs and Darwin buildInputs sections need the additions described in the inline comments.
Reviews (1): Last reviewed commit: "feat: flake-utils"
| nativeBuildInputs = with pkgs; [ | ||
| perl | ||
| pkg-config | ||
| ]; |
The project pulls in aws-lc-sys transitively (via jsonwebtoken with features = ["aws_lc_rs"] and rustls with features = ["aws-lc-rs"] in Cargo.toml). aws-lc-sys unconditionally invokes CMake to compile the bundled C library, so the Nix build will fail with "CMake not found" unless cmake (and typically go for the FIPS bootstrap) is added to nativeBuildInputs.
| nativeBuildInputs = with pkgs; [ | |
| perl | |
| pkg-config | |
| ]; | |
| nativeBuildInputs = with pkgs; [ | |
| cmake | |
| go | |
| perl | |
| pkg-config | |
| ]; |
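Review bot: `go` in the suggested nativeBuildInputs is only justified for the FIPS variant; the comment above itself ties it to "the FIPS bootstrap", and the Cargo.toml features it quotes (`aws_lc_rs` / `aws-lc-rs`) select the non-FIPS aws-lc-sys, for which `cmake` is the missing tool. Unless the lock file actually contains aws-lc-fips-sys, drop `go` so the build closure stays minimal and keep `cmake`, which is the addition that fixes the "CMake not found" failure.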
| buildInputs = | ||
| with pkgs; | ||
| [ ] | ||
| ++ lib.optionals stdenv.isLinux [ | ||
| dbus | ||
| udev | ||
| ]; |
apple-native-keyring-store with the keychain feature (present in Cargo.toml) links against the macOS Security framework at compile time. Without the framework in buildInputs for Darwin, the macOS build will fail with an unresolved linker error. darwin.apple_sdk.frameworks.Security (and typically darwin.apple_sdk.frameworks.CoreFoundation) should be added.
| buildInputs = | |
| with pkgs; | |
| [ ] | |
| ++ lib.optionals stdenv.isLinux [ | |
| dbus | |
| udev | |
| ]; | |
| buildInputs = | |
| with pkgs; | |
| [ ] | |
| ++ lib.optionals stdenv.isLinux [ | |
| dbus | |
| udev | |
| ] | |
| ++ lib.optionals stdenv.isDarwin [ | |
| darwin.apple_sdk.frameworks.CoreFoundation | |
| darwin.apple_sdk.frameworks.Security | |
| ]; |
Current nixpkgs Darwin stdenv includes the default SDK/framework paths already so this shouldn’t be needed. Adding these SDK framework inputs manually breaks the build.
You're right — on Darwin, nixpkgs' stdenv already includes the SDK and default framework search paths, so explicitly adding darwin.apple_sdk.frameworks.Security is not only unnecessary but can cause linker conflicts. My comment was incorrect here.
Shall I remember this as a rule: "Do not suggest adding darwin.apple_sdk.frameworks.* to buildInputs in nixpkgs flakes, as the Darwin stdenv already includes default SDK/framework paths and manual additions can break the build"?
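Both Greptile findings above come down to which `-sys` crates are in the dependency graph and what they need at compile time. As an added check that is not part of the PR or of either bot's output, the script below scans a Cargo.lock for the crates named in this thread and reports the Nix inputs they imply; the crate-to-input mapping is an assumption taken from the comments above (cmake for aws-lc-sys, Go only for the FIPS variant, pkg-config plus dbus for libdbus-sys), and the lock file is constructed.

```shell
#!/bin/sh
# Added example (not from the PR): map -sys crates found in a Cargo.lock to the
# Nix nativeBuildInputs/buildInputs they need at compile time.
# Mappings are assumptions taken from the review thread:
#   aws-lc-sys       -> cmake            (bundled C library built via CMake)
#   aws-lc-fips-sys  -> cmake, go        (FIPS bootstrap also needs Go)
#   libdbus-sys      -> pkg-config, dbus (Linux keyring backend)

# List the crate names recorded in a Cargo.lock, one per line, deduplicated.
lock_crates() {
  sed -n 's/^name = "\(.*\)"$/\1/p' "$1" | sort -u
}

# Print the Nix inputs implied by the crates in the lock file, deduplicated.
required_nix_inputs() {
  lock_crates "$1" | while read -r crate; do
    case "$crate" in
      aws-lc-sys)      echo cmake ;;
      aws-lc-fips-sys) echo cmake; echo go ;;
      libdbus-sys)     echo pkg-config; echo dbus ;;
    esac
  done | sort -u
}

# Constructed sample lock file (placeholder versions); the entries mirror the
# crates named in the review, with jsonwebtoken as a crate that needs nothing.
SAMPLE_LOCK=$(mktemp)
trap 'rm -f "$SAMPLE_LOCK"' EXIT
cat > "$SAMPLE_LOCK" <<'EOF'
[[package]]
name = "aws-lc-sys"
version = "0.0.0"

[[package]]
name = "jsonwebtoken"
version = "0.0.0"

[[package]]
name = "libdbus-sys"
version = "0.0.0"
EOF

# Prints: cmake, dbus, pkg-config (one per line) for the sample above.
required_nix_inputs "$SAMPLE_LOCK"
```

Run it against the real Cargo.lock to compare the output with the flake's nativeBuildInputs before the list is edited by hand.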
Actionable comments posted: 1
| devShells.default = pkgs.mkShell { | ||
| packages = with pkgs; [ | ||
| cargo | ||
| clippy | ||
| rustfmt | ||
| ]; | ||
| }; |
Add the package inputs to the dev shell
nix develop only exposes cargo, clippy, and rustfmt, so it still misses rustc and the package’s native build inputs. Add inputsFrom = [ fnox ]; and rustc so the shell can build the crate locally.
🔧 Proposed fix
devShells.default = pkgs.mkShell {
+ inputsFrom = [ fnox ];
packages = with pkgs; [
+ rustc
cargo
clippy
rustfmt
];
};
📝 Committable suggestion
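Review bot: `inputsFrom = [ fnox ];` relies on the package derivation being bound as `fnox` in scope where `devShells.default` is defined, and none of the flake.nix excerpts on this page show that binding; if the package is only reachable as an attribute of `packages`, bind it in the surrounding `let` (or reference that attribute) before this line, otherwise `nix develop` fails at evaluation with an undefined-variable error. Adding `rustc` next to `cargo` is correct, since the shell otherwise has no compiler for a local `cargo build`.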
| devShells.default = pkgs.mkShell { | |
| packages = with pkgs; [ | |
| cargo | |
| clippy | |
| rustfmt | |
| ]; | |
| }; | |
| devShells.default = pkgs.mkShell { | |
| inputsFrom = [ fnox ]; | |
| packages = with pkgs; [ | |
| rustc | |
| cargo | |
| clippy | |
| rustfmt | |
| ]; | |
| }; |
Adds Nix flake support for fnox.
User guide:
Add to your Nix flakes setup, in flake.nix:
Run without installing using the nix CLI: