Skip to content

Add Nix flake for devenv.sh / NixOS integration #23

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
mickamy merged 2 commits into from
Mar 2, 2026
Merged

Add Nix flake for devenv.sh / NixOS integration #23

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f69b96e
Initial plan
Copilot Mar 2, 2026
5368987
feat: add Nix package support via flake.nix and goreleaser nix publisher
Copilot Mar 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 15 additions & 0 deletions .goreleaser.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -48,5 +48,20 @@ brews:
name: homebrew-tap
token: "{{ .Env.TAP_GITHUB_TOKEN }}"

nix:
# Publishes a Nix derivation that installs pre-built binaries to
# the mickamy/nur-packages repository on each release.
# Prerequisites:
# 1. Create the mickamy/nur-packages repository (NUR-compatible layout).
# 2. Add "install nix" step to the release workflow so nix-hash is available.
- name: sql-tap
homepage: https://github.com/mickamy/sql-tap
description: Watch SQL traffic in real-time with a TUI
license: mit
repository:
owner: mickamy
name: nur-packages
token: "{{ .Env.TAP_GITHUB_TOKEN }}"
Comment on lines +57 to +64
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The nix: publisher section in .goreleaser.yaml is missing the install stanza. Looking at the brews: block above (lines 43-45), the Homebrew tap explicitly installs both sql-tap and sql-tapd binaries. Without an install field, the goreleaser Nix publisher will default to only installing the binary that matches the package name (sql-tap), meaning the sql-tapd daemon binary will not be installed via the NUR package. Consider adding an explicit install field to ensure sql-tapd is also installed alongside sql-tap.

Copilot uses AI. Check for mistakes.

Comment on lines +51 to +65
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The release workflow (.github/workflows/release.yml) does not include a "install nix" step, but the .goreleaser.yaml nix: publisher section's inline comment says "Add 'install nix' step to the release workflow so nix-hash is available" as a prerequisite. Without Nix installed in the release runner, the goreleaser Nix publisher will fail on release. The PR description also calls this out but it was not implemented. This will cause releases to fail once this is merged unless the workflow is updated before a release is triggered.

Copilot uses AI. Check for mistakes.
changelog:
sort: asc
29 changes: 29 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,35 @@ cd sql-tap
make install
```

### Nix

**Using the flake directly**

```bash
nix profile install github:mickamy/sql-tap
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The README's Nix installation instruction uses nix profile install github:mickamy/sql-tap, but this command will only install the sql-tap TUI client. The sql-tapd proxy daemon is equally required to use the tool (as shown throughout the README's Quick Start section). Users will likely be confused when they install via Nix and find sql-tapd is missing. Consider documenting how to also get sql-tapd when installing via the flake, or making mainProgram in the flake encompass both binaries.

Suggested change
nix profile install github:mickamy/sql-tap
# Install both the TUI client (sql-tap) and the proxy daemon (sql-tapd)
nix profile install github:mickamy/sql-tap#sql-tap github:mickamy/sql-tap#sql-tapd

Copilot uses AI. Check for mistakes.
```

**In a `devenv.sh` project**

Add `sql-tap` as a flake input in `devenv.yaml`:

```yaml
inputs:
sql-tap:
url: github:mickamy/sql-tap
```

Then reference it in `devenv.nix`:

```nix
{ inputs, pkgs, ... }:
{
packages = [
inputs.sql-tap.packages.${pkgs.system}.default
];
}
```

### Docker

**PostgreSQL**
Expand Down
58 changes: 58 additions & 0 deletions flake.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
{
description = "Real-time SQL traffic viewer — proxy daemon + TUI / Web client";

inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
flake-utils.url = "github:numtide/flake-utils";
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The flake-utils input is referenced as github:numtide/flake-utils without any commit pinning, and there is currently no flake.lock in the repository. This means every Nix evaluation or build will fetch and execute a moving target from a third-party repository, giving it the ability to influence or replace the built sql-tap binaries. To mitigate this supply‑chain risk, generate and commit a flake.lock (e.g., via nix flake update) so that flake-utils (and nixpkgs) are locked to immutable revisions, and keep that lock file updated via regular, explicit dependency bumps.

Copilot uses AI. Check for mistakes.
};

outputs =
{ self
, nixpkgs
, flake-utils
}:
flake-utils.lib.eachDefaultSystem (system:
let
pkgs = nixpkgs.legacyPackages.${system};
version = self.shortRev or self.dirtyShortRev or "dev";
in
{
packages = {
sql-tap = pkgs.buildGoModule {
pname = "sql-tap";
inherit version;
src = pkgs.lib.cleanSource self;
subPackages = [ "." "cmd/sql-tapd" ];

# When go.mod or go.sum changes, update this hash by running:
# nix build 2>&1 | grep "got:" | awk '{print $2}'
# and replacing pkgs.lib.fakeHash below with the output.
vendorHash = pkgs.lib.fakeHash;
Comment on lines +29 to +30
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The vendorHash is set to pkgs.lib.fakeHash which will cause every nix build invocation to fail with an intentional hash mismatch error. This is a placeholder value that must be replaced with the actual vendor hash before the flake can be used by anyone. As-is, running nix profile install github:mickamy/sql-tap (as documented in the README) will always fail for end users.

The hash must be computed once (e.g., by temporarily setting vendorHash = null; or running nix build and reading the "got:" line), and then the real SRI hash must be committed in place of pkgs.lib.fakeHash. Publishing a flake with a fake hash as the committed value makes the flake non-functional for all users until this is fixed.

Suggested change
# and replacing pkgs.lib.fakeHash below with the output.
vendorHash = pkgs.lib.fakeHash;
# and replacing this null value below with the output.
vendorHash = null;

Copilot uses AI. Check for mistakes.

ldflags = [
"-s"
"-w"
"-X main.version=${version}"
];
Comment on lines +25 to +36
Copy link

Copilot AI Mar 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The subPackages = [ "." "cmd/sql-tapd" ] builds both the sql-tap (TUI client) and sql-tapd (proxy daemon) binaries in a single derivation. However, the ldflags only inject the version into main.version for one package at a time — the -X main.version=… flag only applies to the main package being built. Since there are two separate main packages (one at the root and one at cmd/sql-tapd), only one of them will receive the correct version injection. The sql-tapd binary at cmd/sql-tapd/main.go also declares var version = "dev" and this ldflag will only update one of the two main packages. You should split these into two separate buildGoModule derivations with their own ldflags, or verify that buildGoModule correctly propagates -X main.version to all subPackages.

Copilot uses AI. Check for mistakes.

meta = with pkgs.lib; {
description = "Watch SQL traffic in real-time with a TUI";
longDescription = ''
sql-tap sits between your application and your database
(PostgreSQL, MySQL, or TiDB), capturing every query and
displaying it in an interactive terminal UI. Inspect queries,
view transactions, and run EXPLAIN — all without changing your
application code.
'';
homepage = "https://github.com/mickamy/sql-tap";
license = licenses.mit;
maintainers = [ ];
mainProgram = "sql-tap";
platforms = platforms.unix;
};
};
default = self.packages.${system}.sql-tap;
};
}
);
}