NixOS

Nixpkgs Manual

Version 22.11

Table of Contents

1. Preface
I. Using Nixpkgs
2. Global configuration
3. Overlays
4. Overriding
5. Functions reference
II. Standard environment
6. The Standard Environment
7. Meta-attributes
8. Multiple-output packages
9. Cross-compilation
10. Platform Notes
III. Builders
11. Fetchers
12. Trivial builders
13. Testers
14. Special builders
15. Images
16. Hooks reference
17. Languages and frameworks
18. Packages
IV. Contributing to Nixpkgs
19. Quick Start to Adding a Package
20. Coding conventions
21. Submitting changes
22. Vulnerability Roundup
23. Reviewing contributions
24. Contributing to this documentation

List of Figures

21.1. Staging workflow

Chapter 1. Preface

Table of Contents

1.1. Overview of Nixpkgs

The Nix Packages collection (Nixpkgs) is a set of thousands of packages for the Nix package manager, released under a permissive MIT/X11 license. Packages are available for several platforms, and can be used with the Nix package manager on most GNU/Linux distributions as well as NixOS.

This manual primarily describes how to write packages for the Nix Packages collection (Nixpkgs). Thus it’s mainly for packagers and developers who want to add packages to Nixpkgs. If you like to learn more about the Nix package manager and the Nix expression language, then you are kindly referred to the Nix manual. The NixOS distribution is documented in the NixOS manual.

1.1. Overview of Nixpkgs

Nix expressions describe how to build packages from source and are collected in the nixpkgs repository. Also included in the collection are Nix expressions for NixOS modules. With these expressions the Nix package manager can build binary packages.

Packages, including the Nix packages collection, are distributed through channels. The collection is distributed for users of Nix on non-NixOS distributions through the channel nixpkgs. Users of NixOS generally use one of the nixos-* channels, e.g. nixos-19.09, which includes all packages and modules for the stable NixOS 19.09. Stable NixOS releases are generally only given security updates. More up to date packages and modules are available via the nixos-unstable channel.

Both nixos-unstable and nixpkgs follow the master branch of the Nixpkgs repository, although both do lag the master branch by generally a couple of days. Updates to a channel are distributed as soon as all tests for that channel pass, e.g. this table shows the status of tests for the nixpkgs channel.

The tests are conducted by a cluster called Hydra, which also builds binary packages from the Nix expressions in Nixpkgs for x86_64-linux, i686-linux and x86_64-darwin. The binaries are made available via a binary cache.

The current Nix expressions of the channels are available in the nixpkgs repository in branches that correspond to the channel names (e.g. nixos-19.09-small).

Part I. Using Nixpkgs

Table of Contents

2. Global configuration
3. Overlays
4. Overriding
5. Functions reference

Chapter 2. Global configuration

Table of Contents

2.1. Installing broken packages
2.2. Installing packages on unsupported systems
2.3. Installing unfree packages
2.4. Installing insecure packages
2.5. Modify packages via packageOverrides
2.6. config Options Reference
2.7. Declarative Package Management

Nix comes with certain defaults about what packages can and cannot be installed, based on a package’s metadata. By default, Nix will prevent installation if any of the following criteria are true:

  • The package is thought to be broken, and has had its meta.broken set to true.

  • The package isn’t intended to run on the given system, as none of its meta.platforms match the given system.

  • The package’s meta.license is set to a license which is considered to be unfree.

  • The package has known security vulnerabilities but has not or can not be updated for some reason, and a list of issues has been entered in to the package’s meta.knownVulnerabilities.

Note that all this is checked during evaluation already, and the check includes any package that is evaluated. In particular, all build-time dependencies are checked. nix-env -qa will (attempt to) hide any packages that would be refused.

Each of these criteria can be altered in the nixpkgs configuration.

The nixpkgs configuration for a NixOS system is set in the configuration.nix, as in the following example: 

{
  nixpkgs.config = {
    allowUnfree = true;
  };
}

However, this does not allow unfree software for individual users. Their configurations are managed separately.

A user’s nixpkgs configuration is stored in a user-specific configuration file located at ~/.config/nixpkgs/config.nix. For example: 

{
  allowUnfree = true;
}

Note that we are not able to test or build unfree software on Hydra due to policy. Most unfree licenses prohibit us from either executing or distributing the software.

2.1. Installing broken packages

There are two ways to try compiling a package which has been marked as broken.

  • For allowing the build of a broken package once, you can use an environment variable for a single invocation of the nix tools: 

    $ export NIXPKGS_ALLOW_BROKEN=1

  • For permanently allowing broken packages to be built, you may add allowBroken = true; to your user’s configuration file, like this: 

    {
  allowBroken = true;
}

2.2. Installing packages on unsupported systems

There are also two ways to try compiling a package which has been marked as unsupported for the given system.

  • For allowing the build of an unsupported package once, you can use an environment variable for a single invocation of the nix tools: 

    $ export NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1

  • For permanently allowing unsupported packages to be built, you may add allowUnsupportedSystem = true; to your user’s configuration file, like this: 

    {
  allowUnsupportedSystem = true;
}

The difference between a package being unsupported on some system and being broken is admittedly a bit fuzzy. If a program ought to work on a certain platform, but doesn’t, the platform should be included in meta.platforms, but marked as broken with e.g. meta.broken = !hostPlatform.isWindows. Of course, this begs the question of what "ought" means exactly. That is left to the package maintainer.

2.3. Installing unfree packages

All users of Nixpkgs are free software users, and many users (and developers) of Nixpkgs want to limit and tightly control their exposure to unfree software. At the same time, many users need (or want) to run some specific pieces of proprietary software. Nixpkgs includes some expressions for unfree software packages. By default unfree software cannot be installed and doesn’t show up in searches.

There are several ways to tweak how Nix handles a package which has been marked as unfree.

  • To temporarily allow all unfree packages, you can use an environment variable for a single invocation of the nix tools: 

    $ export NIXPKGS_ALLOW_UNFREE=1

  • It is possible to permanently allow individual unfree packages, while still blocking unfree packages by default using the allowUnfreePredicate configuration option in the user configuration file.

    This option is a function which accepts a package as a parameter, and returns a boolean. The following example configuration accepts a package and always returns false: 

    {
  allowUnfreePredicate = (pkg: false);
}

    For a more useful example, try the following. This configuration only allows unfree packages named roon-server and visual studio code: 

    {
  allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
    "roon-server"
    "vscode"
  ];
}

  • It is also possible to allow and block licenses that are specifically acceptable or not acceptable, using allowlistedLicenses and blocklistedLicenses, respectively.

    The following example configuration allowlists the licenses amd and wtfpl: 

    {
  allowlistedLicenses = with lib.licenses; [ amd wtfpl ];
}

    The following example configuration blocklists the gpl3Only and agpl3Only licenses: 

    {
  blocklistedLicenses = with lib.licenses; [ agpl3Only gpl3Only ];
}

    Note that allowlistedLicenses only applies to unfree licenses unless allowUnfree is enabled. It is not a generic allowlist for all types of licenses. blocklistedLicenses applies to all licenses.

A complete list of licenses can be found in the file lib/licenses.nix of the nixpkgs tree.

2.4. Installing insecure packages

There are several ways to tweak how Nix handles a package which has been marked as insecure.

  • To temporarily allow all insecure packages, you can use an environment variable for a single invocation of the nix tools: 

    $ export NIXPKGS_ALLOW_INSECURE=1

  • It is possible to permanently allow individual insecure packages, while still blocking other insecure packages by default using the permittedInsecurePackages configuration option in the user configuration file.

    The following example configuration permits the installation of the hypothetically insecure package hello, version 1.2.3: 

    {
  permittedInsecurePackages = [
    "hello-1.2.3"
  ];
}

  • It is also possible to create a custom policy around which insecure packages to allow and deny, by overriding the allowInsecurePredicate configuration option.

    The allowInsecurePredicate option is a function which accepts a package and returns a boolean, much like allowUnfreePredicate.

    The following configuration example only allows insecure packages with very short names: 

    {
  allowInsecurePredicate = pkg: builtins.stringLength (lib.getName pkg) <= 5;
}

    Note that permittedInsecurePackages is only checked if allowInsecurePredicate is not specified.

2.5. Modify packages via packageOverrides

You can define a function called packageOverrides in your local ~/.config/nixpkgs/config.nix to override Nix packages. It must be a function that takes pkgs as an argument and returns a modified set of packages. 

{
  packageOverrides = pkgs: rec {
    foo = pkgs.foo.override { ... };
  };
}

2.6. config Options Reference

The following attributes can be passed in config.

enableParallelBuildingByDefault

Whether to set enableParallelBuilding to true by default while building nixpkgs packages. Changing the default may cause a mass rebuild.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
allowAliases

Whether to expose old attribute names for compatibility.

The recommended setting is to enable this, as it improves backward compatibity, easing updates.

The only reason to disable aliases is for continuous integration purposes. For instance, Nixpkgs should not depend on aliases in its internal code. Projects that aren't Nixpkgs should be cautious of instantly removing all usages of aliases, as migrating too soon can break compatibility with the stable Nixpkgs releases.

Type: boolean

Default: true

Declared by:

pkgs/top-level/config.nix
allowBroken

Whether to allow broken packages.

See Installing broken packages in the NixOS manual.

Type: boolean

Default: false || builtins.getEnv "NIXPKGS_ALLOW_BROKEN" == "1"

Declared by:

pkgs/top-level/config.nix
allowUnfree

Whether to allow unfree packages.

See Installing unfree packages in the NixOS manual.

Type: boolean

Default: false || builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1"

Declared by:

pkgs/top-level/config.nix
allowUnsupportedSystem

Whether to allow unsupported packages.

See Installing packages on unsupported systems in the NixOS manual.

Type: boolean

Default: false || builtins.getEnv "NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM" == "1"

Declared by:

pkgs/top-level/config.nix
checkMeta

Whether to check that the `meta` attribute of derivations are correct during evaluation time.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
configurePlatformsByDefault

Whether to set configurePlatforms to ["build" "host"] by default while building nixpkgs packages. Changing the default may cause a mass rebuild.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
contentAddressedByDefault

Whether to set __contentAddressed to true by default while building nixpkgs packages. Changing the default may cause a mass rebuild.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
doCheckByDefault

Whether to run checkPhase by default while building nixpkgs packages. Changing the default may cause a mass rebuild.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
showDerivationWarnings

Which warnings to display for potentially dangerous or deprecated values passed into stdenv.mkDerivation.

A list of warnings can be found in /pkgs/stdenv/generic/check-meta.nix.

This is not a stable interface; warnings may be added, changed or removed without prior notice.

Type: list of value "maintainerless" (singular enum)

Default: [ ]

Declared by:

pkgs/top-level/config.nix
strictDepsByDefault

Whether to set strictDeps to true by default while building nixpkgs packages. Changing the default may cause a mass rebuild.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
warnUndeclaredOptions

Whether to warn when config contains an unrecognized attribute.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix

2.7. Declarative Package Management

2.7.1. Build an environment

Using packageOverrides, it is possible to manage packages declaratively. This means that we can list all of our desired packages within a declarative Nix expression. For example, to have aspell, bc, ffmpeg, coreutils, gdb, nixUnstable, emscripten, jq, nox, and silver-searcher, we could use the following in ~/.config/nixpkgs/config.nix: 

{
  packageOverrides = pkgs: with pkgs; {
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [
        aspell
        bc
        coreutils
        gdb
        ffmpeg
        nixUnstable
        emscripten
        jq
        nox
        silver-searcher
      ];
    };
  };
}

To install it into our environment, you can just run nix-env -iA nixpkgs.myPackages. If you want to load the packages to be built from a working copy of nixpkgs you just run nix-env -f. -iA myPackages. To explore what’s been installed, just look through ~/.nix-profile/. You can see that a lot of stuff has been installed. Some of this stuff is useful some of it isn’t. Let’s tell Nixpkgs to only link the stuff that we want: 

{
  packageOverrides = pkgs: with pkgs; {
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [
        aspell
        bc
        coreutils
        gdb
        ffmpeg
        nixUnstable
        emscripten
        jq
        nox
        silver-searcher
      ];
      pathsToLink = [ "/share" "/bin" ];
    };
  };
}

pathsToLink tells Nixpkgs to only link the paths listed which gets rid of the extra stuff in the profile. /bin and /share are good defaults for a user environment, getting rid of the clutter. If you are running on Nix on MacOS, you may want to add another path as well, /Applications, that makes GUI apps available.

2.7.2. Getting documentation

After building that new environment, look through ~/.nix-profile to make sure everything is there that we wanted. Discerning readers will note that some files are missing. Look inside ~/.nix-profile/share/man/man1/ to verify this. There are no man pages for any of the Nix tools! This is because some packages like Nix have multiple outputs for things like documentation (see section 4). Let’s make Nix install those as well. 

{
  packageOverrides = pkgs: with pkgs; {
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [
        aspell
        bc
        coreutils
        ffmpeg
        nixUnstable
        emscripten
        jq
        nox
        silver-searcher
      ];
      pathsToLink = [ "/share/man" "/share/doc" "/bin" ];
      extraOutputsToInstall = [ "man" "doc" ];
    };
  };
}

This provides us with some useful documentation for using our packages. However, if we actually want those manpages to be detected by man, we need to set up our environment. This can also be managed within Nix expressions. 

{
  packageOverrides = pkgs: with pkgs; rec {
    myProfile = writeText "my-profile" ''
      export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
      export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
    '';
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [
        (runCommand "profile" {} ''
          mkdir -p $out/etc/profile.d
          cp ${myProfile} $out/etc/profile.d/my-profile.sh
        '')
        aspell
        bc
        coreutils
        ffmpeg
        man
        nixUnstable
        emscripten
        jq
        nox
        silver-searcher
      ];
      pathsToLink = [ "/share/man" "/share/doc" "/bin" "/etc" ];
      extraOutputsToInstall = [ "man" "doc" ];
    };
  };
}

For this to work fully, you must also have this script sourced when you are logged in. Try adding something like this to your ~/.profile file: 

#!/bin/sh
if [ -d $HOME/.nix-profile/etc/profile.d ]; then
  for i in $HOME/.nix-profile/etc/profile.d/*.sh; do
    if [ -r $i ]; then
      . $i
    fi
  done
fi

Now just run source $HOME/.profile and you can starting loading man pages from your environment.

2.7.3. GNU info setup

Configuring GNU info is a little bit trickier than man pages. To work correctly, info needs a database to be generated. This can be done with some small modifications to our environment scripts. 

{
  packageOverrides = pkgs: with pkgs; rec {
    myProfile = writeText "my-profile" ''
      export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
      export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
      export INFOPATH=$HOME/.nix-profile/share/info:/nix/var/nix/profiles/default/share/info:/usr/share/info
    '';
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [
        (runCommand "profile" {} ''
          mkdir -p $out/etc/profile.d
          cp ${myProfile} $out/etc/profile.d/my-profile.sh
        '')
        aspell
        bc
        coreutils
        ffmpeg
        man
        nixUnstable
        emscripten
        jq
        nox
        silver-searcher
        texinfoInteractive
      ];
      pathsToLink = [ "/share/man" "/share/doc" "/share/info" "/bin" "/etc" ];
      extraOutputsToInstall = [ "man" "doc" "info" ];
      postBuild = ''
        if [ -x $out/bin/install-info -a -w $out/share/info ]; then
          shopt -s nullglob
          for i in $out/share/info/*.info $out/share/info/*.info.gz; do
              $out/bin/install-info $i $out/share/info/dir
          done
        fi
      '';
    };
  };
}

postBuild tells Nixpkgs to run a command after building the environment. In this case, install-info adds the installed info pages to dir which is GNU info’s default root node. Note that texinfoInteractive is added to the environment to give the install-info command.

Chapter 3. Overlays

Table of Contents

3.1. Installing overlays
3.2. Defining overlays
3.3. Using overlays to configure alternatives

This chapter describes how to extend and change Nixpkgs using overlays. Overlays are used to add layers in the fixed-point used by Nixpkgs to compose the set of all packages.

Nixpkgs can be configured with a list of overlays, which are applied in order. This means that the order of the overlays can be significant if multiple layers override the same package.

3.1. Installing overlays

The list of overlays can be set either explicitly in a Nix expression, or through <nixpkgs-overlays> or user configuration files.

3.1.1. Set overlays in NixOS or Nix expressions

On a NixOS system the value of the nixpkgs.overlays option, if present, is passed to the system Nixpkgs directly as an argument. Note that this does not affect the overlays for non-NixOS operations (e.g. nix-env), which are looked up independently.

The list of overlays can be passed explicitly when importing nixpkgs, for example import <nixpkgs> { overlays = [ overlay1 overlay2 ]; }.

NOTE: DO NOT USE THIS in nixpkgs. Further overlays can be added by calling the pkgs.extend or pkgs.appendOverlays, although it is often preferable to avoid these functions, because they recompute the Nixpkgs fixpoint, which is somewhat expensive to do.

3.1.2. Install overlays via configuration lookup

The list of overlays is determined as follows.

  1. First, if an overlays argument to the Nixpkgs function itself is given, then that is used and no path lookup will be performed.

  2. Otherwise, if the Nix path entry <nixpkgs-overlays> exists, we look for overlays at that path, as described below.

    See the section on NIX_PATH in the Nix manual for more details on how to set a value for <nixpkgs-overlays>.

  3. If one of ~/.config/nixpkgs/overlays.nix and ~/.config/nixpkgs/overlays/ exists, then we look for overlays at that path, as described below. It is an error if both exist.

If we are looking for overlays at a path, then there are two cases:

  • If the path is a file, then the file is imported as a Nix expression and used as the list of overlays.

  • If the path is a directory, then we take the content of the directory, order it lexicographically, and attempt to interpret each as an overlay by:

    • Importing the file, if it is a .nix file.

    • Importing a top-level default.nix file, if it is a directory.

Because overlays that are set in NixOS configuration do not affect non-NixOS operations such as nix-env, the overlays.nix option provides a convenient way to use the same overlays for a NixOS system configuration and user configuration: the same file can be used as overlays.nix and imported as the value of nixpkgs.overlays.

3.2. Defining overlays

Overlays are Nix functions which accept two arguments, conventionally called self and super, and return a set of packages. For example, the following is a valid overlay. 

self: super:

{
  boost = super.boost.override {
    python = self.python3;
  };
  rr = super.callPackage ./pkgs/rr {
    stdenv = self.stdenv_32bit;
  };
}

The first argument (self) corresponds to the final package set. You should use this set for the dependencies of all packages specified in your overlay. For example, all the dependencies of rr in the example above come from self, as well as the overridden dependencies used in the boost override.

The second argument (super) corresponds to the result of the evaluation of the previous stages of Nixpkgs. It does not contain any of the packages added by the current overlay, nor any of the following overlays. This set should be used either to refer to packages you wish to override, or to access functions defined in Nixpkgs. For example, the original recipe of boost in the above example, comes from super, as well as the callPackage function.

The value returned by this function should be a set similar to pkgs/top-level/all-packages.nix, containing overridden and/or new packages.

Overlays are similar to other methods for customizing Nixpkgs, in particular the packageOverrides attribute described in Section 2.5, “Modify packages via packageOverrides. Indeed, packageOverrides acts as an overlay with only the super argument. It is therefore appropriate for basic use, but overlays are more powerful and easier to distribute.

3.3. Using overlays to configure alternatives

Certain software packages have different implementations of the same interface. Other distributions have functionality to switch between these. For example, Debian provides DebianAlternatives. Nixpkgs has what we call alternatives, which are configured through overlays.

3.3.1. BLAS/LAPACK

In Nixpkgs, we have multiple implementations of the BLAS/LAPACK numerical linear algebra interfaces. They are:

  • OpenBLAS

    The Nixpkgs attribute is openblas for ILP64 (integer width = 64 bits) and openblasCompat for LP64 (integer width = 32 bits). openblasCompat is the default.

  • LAPACK reference (also provides BLAS and CBLAS)

    The Nixpkgs attribute is lapack-reference.

  • Intel MKL (only works on the x86_64 architecture, unfree)

    The Nixpkgs attribute is mkl.

  • BLIS

    BLIS, available through the attribute blis, is a framework for linear algebra kernels. In addition, it implements the BLAS interface.

  • AMD BLIS/LIBFLAME (optimized for modern AMD x86_64 CPUs)

    The AMD fork of the BLIS library, with attribute amd-blis, extends BLIS with optimizations for modern AMD CPUs. The changes are usually submitted to the upstream BLIS project after some time. However, AMD BLIS typically provides some performance improvements on AMD Zen CPUs. The complementary AMD LIBFLAME library, with attribute amd-libflame, provides a LAPACK implementation.

Introduced in PR #83888, we are able to override the blas and lapack packages to use different implementations, through the blasProvider and lapackProvider argument. This can be used to select a different provider. BLAS providers will have symlinks in $out/lib/libblas.so.3 and $out/lib/libcblas.so.3 to their respective BLAS libraries. Likewise, LAPACK providers will have symlinks in $out/lib/liblapack.so.3 and $out/lib/liblapacke.so.3 to their respective LAPACK libraries. For example, Intel MKL is both a BLAS and LAPACK provider. An overlay can be created to use Intel MKL that looks like: 

self: super:

{
  blas = super.blas.override {
    blasProvider = self.mkl;
  };

  lapack = super.lapack.override {
    lapackProvider = self.mkl;
  };
}

This overlay uses Intel’s MKL library for both BLAS and LAPACK interfaces. Note that the same can be accomplished at runtime using LD_LIBRARY_PATH of libblas.so.3 and liblapack.so.3. For instance: 

$ LD_LIBRARY_PATH=$(nix-build -A mkl)/lib${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH nix-shell -p octave --run octave

Intel MKL requires an openmp implementation when running with multiple processors. By default, mkl will use Intel’s iomp implementation if no other is specified, but this is a runtime-only dependency and binary compatible with the LLVM implementation. To use that one instead, Intel recommends users set it with LD_PRELOAD. Note that mkl is only available on x86_64-linux and x86_64-darwin. Moreover, Hydra is not building and distributing pre-compiled binaries using it.

To override blas and lapack with its reference implementations (i.e. for development purposes), one can use the following overlay: 

self: super:

{
  blas = super.blas.override {
    blasProvider = self.lapack-reference;
  };

  lapack = super.lapack.override {
    lapackProvider = self.lapack-reference;
  };
}

For BLAS/LAPACK switching to work correctly, all packages must depend on blas or lapack. This ensures that only one BLAS/LAPACK library is used at one time. There are two versions of BLAS/LAPACK currently in the wild, LP64 (integer size = 32 bits) and ILP64 (integer size = 64 bits). The attributes blas and lapack are LP64 by default. Their ILP64 version are provided through the attributes blas-ilp64 and lapack-ilp64. Some software needs special flags or patches to work with ILP64. You can check if ILP64 is used in Nixpkgs with blas.isILP64 and lapack.isILP64. Some software does NOT work with ILP64, and derivations need to specify an assertion to prevent this. You can prevent ILP64 from being used with the following: 

{ stdenv, blas, lapack, ... }:

assert (!blas.isILP64) && (!lapack.isILP64);

stdenv.mkDerivation {
  ...
}

3.3.2. Switching the MPI implementation

All programs that are built with MPI support use the generic attribute mpi as an input. At the moment Nixpkgs natively provides two different MPI implementations:

  • Open MPI (default), attribute name openmpi

  • MPICH, attribute name mpich

  • MVAPICH, attribute name mvapich

To provide MPI enabled applications that use MPICH, instead of the default Open MPI, simply use the following overlay: 

self: super:

{
  mpi = self.mpich;
}

Chapter 4. Overriding

Table of Contents

4.1. <pkg>.override
4.2. <pkg>.overrideAttrs
4.3. <pkg>.overrideDerivation
4.4. lib.makeOverridable

Sometimes one wants to override parts of nixpkgs, e.g. derivation attributes, the results of derivations.

These functions are used to make changes to packages, returning only single packages. Overlays, on the other hand, can be used to combine the overridden packages across the entire package set of Nixpkgs.

4.1. <pkg>.override

The function override is usually available for all the derivations in the nixpkgs expression (pkgs).

It is used to override the arguments passed to a function.

Example usages: 

pkgs.foo.override { arg1 = val1; arg2 = val2; ... }

import pkgs.path { overlays = [ (self: super: {
  foo = super.foo.override { barSupport = true ; };
  })]};

mypkg = pkgs.callPackage ./mypkg.nix {
  mydep = pkgs.mydep.override { ... };
  }

In the first example, pkgs.foo is the result of a function call with some default arguments, usually a derivation. Using pkgs.foo.override will call the same function with the given new arguments.

4.2. <pkg>.overrideAttrs

The function overrideAttrs allows overriding the attribute set passed to a stdenv.mkDerivation call, producing a new derivation based on the original one. This function is available on all derivations produced by the stdenv.mkDerivation function, which is most packages in the nixpkgs expression pkgs.

Example usage: 

helloWithDebug = pkgs.hello.overrideAttrs (finalAttrs: previousAttrs: {
  separateDebugInfo = true;
});

In the above example, the separateDebugInfo attribute is overridden to be true, thus building debug info for helloWithDebug, while all other attributes will be retained from the original hello package.

The argument previousAttrs is conventionally used to refer to the attr set originally passed to stdenv.mkDerivation.

The argument finalAttrs refers to the final attributes passed to mkDerivation, plus the finalPackage attribute which is equal to the result of mkDerivation or subsequent overrideAttrs calls.

If only a one-argument function is written, the argument has the meaning of previousAttrs.

4.3. <pkg>.overrideDerivation

The function overrideDerivation creates a new derivation based on an existing one by overriding the original’s attributes with the attribute set produced by the specified function. This function is available on all derivations defined using the makeOverridable function. Most standard derivation-producing functions, such as stdenv.mkDerivation, are defined using this function, which means most packages in the nixpkgs expression, pkgs, have this function.

Example usage: 

mySed = pkgs.gnused.overrideDerivation (oldAttrs: {
  name = "sed-4.2.2-pre";
  src = fetchurl {
    url = ftp://alpha.gnu.org/gnu/sed/sed-4.2.2-pre.tar.bz2;
    sha256 = "11nq06d131y4wmf3drm0yk502d2xc6n5qy82cg88rb9nqd2lj41k";
  };
  patches = [];
});

In the above example, the name, src, and patches of the derivation will be overridden, while all other attributes will be retained from the original derivation.

The argument oldAttrs is used to refer to the attribute set of the original derivation.

4.4. lib.makeOverridable

The function lib.makeOverridable is used to make the result of a function easily customizable. This utility only makes sense for functions that accept an argument set and return an attribute set.

Example usage: 

f = { a, b }: { result = a+b; };
c = lib.makeOverridable f { a = 1; b = 2; };

The variable c is the value of the f function applied with some default arguments. Hence the value of c.result is 3, in this example.

The variable c however also has some additional functions, like c.override which can be used to override the default arguments. In this example the value of (c.override { a = 4; }).result is 6.

Chapter 5. Functions reference

Table of Contents

5.1. Nixpkgs Library Functions
5.2. Generators
5.3. Debugging Nix Expressions
5.4. prefer-remote-fetch overlay
5.5. pkgs.nix-gitignore

The nixpkgs repository has several utility functions to manipulate Nix expressions.

5.1. Nixpkgs Library Functions

Nixpkgs provides a standard library at pkgs.lib, or through import <nixpkgs/lib>.

5.1.1. Assert functions

5.1.1.1. lib.asserts.assertMsg

assertMsg :: Bool -> String -> Bool

Located at lib/asserts.nix:19 in <nixpkgs>.

Print a trace message if pred is false.

Intended to be used to augment asserts with helpful error messages.

pred

Condition under which the msg should not be printed.

msg

Message to print.

Example 5.1. Printing when the predicate is false

assert lib.asserts.assertMsg ("foo" == "bar") "foo is not bar, silly"
stderr> trace: foo is not bar, silly
stderr> assert failed


5.1.1.2. lib.asserts.assertOneOf

assertOneOf :: String -> String -> StringList -> Bool

Located at lib/asserts.nix:36 in <nixpkgs>.

Specialized asserts.assertMsg for checking if val is one of the elements of xs. Useful for checking enums.

name

The name of the variable the user entered val into, for inclusion in the error message.

val

The value of what the user provided, to be compared against the values in xs.

xs

The list of valid values.

Example 5.2. Ensuring a user provided a possible value

let sslLibrary = "bearssl";
in lib.asserts.assertOneOf "sslLibrary" sslLibrary [ "openssl" "libressl" ];
=> false
stderr> trace: sslLibrary must be one of "openssl", "libressl", but is: "bearssl"


5.1.2. Attribute-Set Functions

5.1.2.1. lib.attrset.attrByPath

attrByPath :: [String] -> Any -> AttrSet -> Any

Located at lib/attrsets.nix:24 in <nixpkgs>.

Return an attribute from within nested attribute sets.

attrPath

A list of strings representing the path through the nested attribute set set.

default

Default value if attrPath does not resolve to an existing value.

set

The nested attributeset to select values from.

Example 5.3. Extracting a value from a nested attribute set

let set = { a = { b = 3; }; };
in lib.attrsets.attrByPath [ "a" "b" ] 0 set
=> 3


Example 5.4. No value at the path, instead using the default

lib.attrsets.attrByPath [ "a" "b" ] 0 {}
=> 0


5.1.2.2. lib.attrsets.hasAttrByPath

hasAttrByPath :: [String] -> AttrSet -> Bool

Located at lib/attrsets.nix:42 in <nixpkgs>.

Determine if an attribute exists within a nested attribute set.

attrPath

A list of strings representing the path through the nested attribute set set.

set

The nested attributeset to check.

Example 5.5. A nested value does exist inside a set

lib.attrsets.hasAttrByPath
  [ "a" "b" "c" "d" ]
  { a = { b = { c = { d = 123; }; }; }; }
=> true


5.1.2.3. lib.attrsets.setAttrByPath

setAttrByPath :: [String] -> Any -> AttrSet

Located at lib/attrsets.nix:57 in <nixpkgs>.

Create a new attribute set with value set at the nested attribute location specified in attrPath.

attrPath

A list of strings representing the path through the nested attribute set.

value

The value to set at the location described by attrPath.

Example 5.6. Creating a new nested attribute set

lib.attrsets.setAttrByPath [ "a" "b" ] 3
=> { a = { b = 3; }; }


5.1.2.4. lib.attrsets.getAttrFromPath

getAttrFromPath :: [String] -> AttrSet -> Value

Located at lib/attrsets.nix:76 in <nixpkgs>.

Like Section 5.1.2.1, “lib.attrset.attrByPath except without a default, and it will throw if the value doesn't exist.

attrPath

A list of strings representing the path through the nested attribute set set.

set

The nested attribute set to find the value in.

Example 5.7. Succesfully getting a value from an attribute set

lib.attrsets.getAttrFromPath [ "a" "b" ] { a = { b = 3; }; }
=> 3


Example 5.8. Throwing after failing to get a value from an attribute set

lib.attrsets.getAttrFromPath [ "x" "y" ] { }
=> error: cannot find attribute `x.y'


5.1.2.5. lib.attrsets.attrVals

attrVals :: [String] -> AttrSet -> [Any]

Located at lib/attrsets.nix:203 in <nixpkgs>.

Return the specified attributes from a set. All values must exist.

nameList

The list of attributes to fetch from set. Each attribute name must exist on the attrbitue set.

set

The set to get attribute values from.

Example 5.9. Getting several values from an attribute set

lib.attrsets.attrVals [ "a" "b" "c" ] { a = 1; b = 2; c = 3; }
=> [ 1 2 3 ]


Example 5.10. Getting missing values from an attribute set

lib.attrsets.attrVals [ "d" ] { }
error: attribute 'd' missing


5.1.2.6. lib.attrsets.attrValues

attrValues :: AttrSet -> [Any]

Located at lib/attrsets.nix:213 in <nixpkgs>.

Get all the attribute values from an attribute set.

Provides a backwards-compatible interface of builtins.attrValues for Nix version older than 1.8.

attrs

The attribute set.

Example 5.11. 

lib.attrsets.attrValues { a = 1; b = 2; c = 3; }
=> [ 1 2 3 ]


5.1.2.7. lib.attrsets.catAttrs

catAttrs :: String -> [AttrSet] -> [Any]

Located at lib/attrsets.nix:232 in <nixpkgs>.

Collect each attribute named `attr' from the list of attribute sets, sets. Sets that don't contain the named attribute are ignored.

Provides a backwards-compatible interface of builtins.catAttrs for Nix version older than 1.9.

attr

Attribute name to select from each attribute set in sets.

sets

The list of attribute sets to select attr from.

Example 5.12. Collect an attribute from a list of attribute sets.

Attribute sets which don't have the attribute are ignored. 

catAttrs "a" [{a = 1;} {b = 0;} {a = 2;}]
=> [ 1 2 ]


5.1.2.8. lib.attrsets.filterAttrs

filterAttrs :: (String -> Any -> Bool) -> AttrSet -> AttrSet

Located at lib/attrsets.nix:243 in <nixpkgs>.

Filter an attribute set by removing all attributes for which the given predicate return false.

pred

String -> Any -> Bool

Predicate which returns true to include an attribute, or returns false to exclude it.

name

The attribute's name

value

The attribute's value

Returns true to include the attribute, false to exclude the attribute.

set

The attribute set to filter

Example 5.13. Filtering an attributeset

filterAttrs (n: v: n == "foo") { foo = 1; bar = 2; }
=> { foo = 1; }


5.1.2.9. lib.attrsets.filterAttrsRecursive

filterAttrsRecursive :: (String -> Any -> Bool) -> AttrSet -> AttrSet

Located at lib/attrsets.nix:254 in <nixpkgs>.

Filter an attribute set recursively by removing all attributes for which the given predicate return false.

pred

String -> Any -> Bool

Predicate which returns true to include an attribute, or returns false to exclude it.

name

The attribute's name

value

The attribute's value

Returns true to include the attribute, false to exclude the attribute.

set

The attribute set to filter

Example 5.14. Recursively filtering an attribute set

lib.attrsets.filterAttrsRecursive
  (n: v: v != null)
  {
    levelA = {
      example = "hi";
      levelB = {
        hello = "there";
        this-one-is-present = {
          this-is-excluded = null;
        };
      };
      this-one-is-also-excluded = null;
    };
    also-excluded = null;
  }
=> {
     levelA = {
       example = "hi";
       levelB = {
         hello = "there";
         this-one-is-present = { };
       };
     };
   }


5.1.2.10. lib.attrsets.foldAttrs

foldAttrs :: (Any -> Any -> Any) -> Any -> [AttrSets] -> Any

Located at lib/attrsets.nix:273 in <nixpkgs>.

Apply fold function to values grouped by key.

op

Any -> Any -> Any

Given a value val and a collector col, combine the two.

val

An attribute's value

col

The result of previous op calls with other values and nul.

nul

The null-value, the starting value.

list_of_attrs

A list of attribute sets to fold together by key.

Example 5.15. Combining an attribute of lists in to one attribute set

lib.attrsets.foldAttrs
  (n: a: [n] ++ a) []
  [
    { a = 2; b = 7; }
    { a = 3; }
    { b = 6; }
  ]
=> { a = [ 2 3 ]; b = [ 7 6 ]; }


5.1.2.11. lib.attrsets.collect

collect :: (Any -> Bool) -> AttrSet -> [Any]

Located at lib/attrsets.nix:297 in <nixpkgs>.

Recursively collect sets that verify a given predicate named pred from the set attrs. The recursion stops when pred returns true.

pred

Any -> Bool

Given an attribute's value, determine if recursion should stop.

value

The attribute set value.

attrs

The attribute set to recursively collect.

Example 5.16. Collecting all lists from an attribute set

lib.attrsets.collect isList { a = { b = ["b"]; }; c = [1]; }
=> [["b"] [1]]


Example 5.17. Collecting all attribute-sets which contain the outPath attribute name.

collect (x: x ? outPath)
  { a = { outPath = "a/"; }; b = { outPath = "b/"; }; }
=> [{ outPath = "a/"; } { outPath = "b/"; }]


5.1.2.12. lib.attrsets.nameValuePair

nameValuePair :: String -> Any -> AttrSet

Located at lib/attrsets.nix:331 in <nixpkgs>.

Utility function that creates a {name, value} pair as expected by builtins.listToAttrs.

name

The attribute name.

value

The attribute value.

Example 5.18. Creating a name value pair

nameValuePair "some" 6
=> { name = "some"; value = 6; }


5.1.2.13. lib.attrsets.mapAttrs

Located at lib/attrsets.nix:344 in <nixpkgs>.

Apply a function to each element in an attribute set, creating a new attribute set.

Provides a backwards-compatible interface of builtins.mapAttrs for Nix version older than 2.1.

fn

String -> Any -> Any

Given an attribute's name and value, return a new value.

name

The name of the attribute.

value

The attribute's value.

Example 5.19. Modifying each value of an attribute set

lib.attrsets.mapAttrs
  (name: value: name + "-" + value)
  { x = "foo"; y = "bar"; }
=> { x = "x-foo"; y = "y-bar"; }


5.1.2.14. lib.attrsets.mapAttrs'

mapAttrs' :: (String -> Any -> { name = String; value = Any }) -> AttrSet -> AttrSet

Located at lib/attrsets.nix:358 in <nixpkgs>.

Like mapAttrs, but allows the name of each attribute to be changed in addition to the value. The applied function should return both the new name and value as a nameValuePair.

fn

String -> Any -> { name = String; value = Any }

Given an attribute's name and value, return a new name value pair.

name

The name of the attribute.

value

The attribute's value.

set

The attribute set to map over.

Example 5.20. Change the name and value of each attribute of an attribute set

lib.attrsets.mapAttrs' (name: value: lib.attrsets.nameValuePair ("foo_" + name) ("bar-" + value))
   { x = "a"; y = "b"; }
=> { foo_x = "bar-a"; foo_y = "bar-b"; }


5.1.2.15. lib.attrsets.mapAttrsToList

mapAttrsToList :: (String -> Any -> Any) -> AttrSet -> [Any]

Located at lib/attrsets.nix:374 in <nixpkgs>.

Call fn for each attribute in the given set and return the result in a list.

fn

String -> Any -> Any

Given an attribute's name and value, return a new value.

name

The name of the attribute.

value

The attribute's value.

set

The attribute set to map over.

Example 5.21. Combine attribute values and names in to a list

lib.attrsets.mapAttrsToList (name: value: "${name}=${value}")
   { x = "a"; y = "b"; }
=> [ "x=a" "y=b" ]


5.1.2.16. lib.attrsets.mapAttrsRecursive

mapAttrsRecursive :: ([String] > Any -> Any) -> AttrSet -> AttrSet

Located at lib/attrsets.nix:391 in <nixpkgs>.

Like mapAttrs, except that it recursively applies itself to attribute sets. Also, the first argument of the argument function is a list of the names of the containing attributes.

f

[ String ] -> Any -> Any

Given a list of attribute names and value, return a new value.

name_path

The list of attribute names to this value.

For example, the name_path for the example string in the attribute set { foo = { bar = "example"; }; } is [ "foo" "bar" ].

value

The attribute's value.

set

The attribute set to recursively map over.

Example 5.22. A contrived example of using lib.attrsets.mapAttrsRecursive

mapAttrsRecursive
  (path: value: concatStringsSep "-" (path ++ [value]))
  {
    n = {
      a = "A";
      m = {
        b = "B";
        c = "C";
      };
    };
    d = "D";
  }
=> {
     n = {
       a = "n-a-A";
       m = {
         b = "n-m-b-B";
         c = "n-m-c-C";
       };
     };
     d = "d-D";
   }


5.1.2.17. lib.attrsets.mapAttrsRecursiveCond

mapAttrsRecursiveCond :: (AttrSet -> Bool) -> ([ String ] -> Any -> Any) -> AttrSet -> AttrSet

Located at lib/attrsets.nix:412 in <nixpkgs>.

Like mapAttrsRecursive, but it takes an additional predicate function that tells it whether to recursive into an attribute set. If it returns false, mapAttrsRecursiveCond does not recurse, but does apply the map function. It is returns true, it does recurse, and does not apply the map function.

cond

(AttrSet -> Bool)

Determine if mapAttrsRecursive should recurse deeper in to the attribute set.

attributeset

An attribute set.

f

[ String ] -> Any -> Any

Given a list of attribute names and value, return a new value.

name_path

The list of attribute names to this value.

For example, the name_path for the example string in the attribute set { foo = { bar = "example"; }; } is [ "foo" "bar" ].

value

The attribute's value.

set

The attribute set to recursively map over.

Example 5.23. Only convert attribute values to JSON if the containing attribute set is marked for recursion

lib.attrsets.mapAttrsRecursiveCond
  ({ recurse ? false, ... }: recurse)
  (name: value: builtins.toJSON value)
  {
    dorecur = {
      recurse = true;
      hello = "there";
    };
    dontrecur = {
      converted-to- = "json";
    };
  }
=> {
     dorecur = {
       hello = "\"there\"";
       recurse = "true";
     };
     dontrecur = "{\"converted-to\":\"json\"}";
   }


5.1.2.18. lib.attrsets.genAttrs

genAttrs :: [ String ] -> (String -> Any) -> AttrSet

Located at lib/attrsets.nix:432 in <nixpkgs>.

Generate an attribute set by mapping a function over a list of attribute names.

names

Names of values in the resulting attribute set.

f

String -> Any

Takes the name of the attribute and return the attribute's value.

name

The name of the attribute to generate a value for.

Example 5.24. Generate an attrset based on names only

lib.attrsets.genAttrs [ "foo" "bar" ] (name: "x_${name}")
=> { foo = "x_foo"; bar = "x_bar"; }


5.1.2.19. lib.attrsets.isDerivation

isDerivation :: Any -> Bool

Located at lib/attrsets.nix:446 in <nixpkgs>.

Check whether the argument is a derivation. Any set with { type = "derivation"; } counts as a derivation.

value

The value which is possibly a derivation.

Example 5.25. A package is a derivation

lib.attrsets.isDerivation (import <nixpkgs> {}).ruby
=> true


Example 5.26. Anything else is not a derivation

lib.attrsets.isDerivation "foobar"
=> false


5.1.2.20. lib.attrsets.toDerivation

toDerivation :: Path -> Derivation

Located at lib/attrsets.nix:449 in <nixpkgs>.

Converts a store path to a fake derivation.

path

A store path to convert to a derivation.

5.1.2.21. lib.attrsets.optionalAttrs

optionalAttrs :: Bool -> AttrSet

Located at lib/attrsets.nix:472 in <nixpkgs>.

Conditionally return an attribute set or an empty attribute set.

cond

Condition under which the as attribute set is returned.

as

The attribute set to return if cond is true.

Example 5.27. Return the provided attribute set when cond is true

lib.attrsets.optionalAttrs true { my = "set"; }
=> { my = "set"; }


Example 5.28. Return an empty attribute set when cond is false

lib.attrsets.optionalAttrs false { my = "set"; }
=> { }


5.1.2.22. lib.attrsets.zipAttrsWithNames

zipAttrsWithNames :: [ String ] -> (String -> [ Any ] -> Any) -> [ AttrSet ] -> AttrSet

Located at lib/attrsets.nix:482 in <nixpkgs>.

Merge sets of attributes and use the function f to merge attribute values where the attribute name is in names.

names

A list of attribute names to zip.

f

(String -> [ Any ] -> Any

Accepts an attribute name, all the values, and returns a combined value.

name

The name of the attribute each value came from.

vs

A list of values collected from the list of attribute sets.

sets

A list of attribute sets to zip together.

Example 5.29. Summing a list of attribute sets of numbers

lib.attrsets.zipAttrsWithNames
  [ "a" "b" ]
  (name: vals: "${name} ${toString (builtins.foldl' (a: b: a + b) 0 vals)}")
  [
    { a = 1; b = 1; c = 1; }
    { a = 10; }
    { b = 100; }
    { c = 1000; }
  ]
=> { a = "a 11"; b = "b 101"; }


5.1.2.23. lib.attrsets.zipAttrsWith

zipAttrsWith :: (String -> [ Any ] -> Any) -> [ AttrSet ] -> AttrSet

Located at lib/attrsets.nix:497 in <nixpkgs>.

Merge sets of attributes and use the function f to merge attribute values. Similar to Section 5.1.2.22, “lib.attrsets.zipAttrsWithNames where all key names are passed for names.

f

(String -> [ Any ] -> Any

Accepts an attribute name, all the values, and returns a combined value.

name

The name of the attribute each value came from.

vs

A list of values collected from the list of attribute sets.

sets

A list of attribute sets to zip together.

Example 5.30. Summing a list of attribute sets of numbers

lib.attrsets.zipAttrsWith
  (name: vals: "${name} ${toString (builtins.foldl' (a: b: a + b) 0 vals)}")
  [
    { a = 1; b = 1; c = 1; }
    { a = 10; }
    { b = 100; }
    { c = 1000; }
  ]
=> { a = "a 11"; b = "b 101"; c = "c 1001"; }


5.1.2.24. lib.attrsets.zipAttrs

zipAttrs :: [ AttrSet ] -> AttrSet

Located at lib/attrsets.nix:505 in <nixpkgs>.

Merge sets of attributes and combine each attribute value in to a list. Similar to Section 5.1.2.23, “lib.attrsets.zipAttrsWith where the merge function returns a list of all values.

sets

A list of attribute sets to zip together.

Example 5.31. Combining a list of attribute sets

lib.attrsets.zipAttrs
  [
    { a = 1; b = 1; c = 1; }
    { a = 10; }
    { b = 100; }
    { c = 1000; }
  ]
=> { a = [ 1 10 ]; b = [ 1 100 ]; c = [ 1 1000 ]; }


5.1.2.25. lib.attrsets.recursiveUpdateUntil

recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet

Located at lib/attrsets.nix:535 in <nixpkgs>.

Does the same as the update operator // except that attributes are merged until the given predicate is verified. The predicate should accept 3 arguments which are the path to reach the attribute, a part of the first attribute set and a part of the second attribute set. When the predicate is verified, the value of the first attribute set is replaced by the value of the second attribute set.

pred

[ String ] -> AttrSet -> AttrSet -> Bool

path

The path to the values in the left and right hand sides.

l

The left hand side value.

r

The right hand side value.

lhs

The left hand attribute set of the merge.

rhs

The right hand attribute set of the merge.

Example 5.32. Recursively merging two attribute sets

lib.attrsets.recursiveUpdateUntil (path: l: r: path == ["foo"])
  {
    # first attribute set
    foo.bar = 1;
    foo.baz = 2;
    bar = 3;
  }
  {
    #second attribute set
    foo.bar = 1;
    foo.quz = 2;
    baz = 4;
  }
=> {
  foo.bar = 1; # 'foo.*' from the second set
  foo.quz = 2; #
  bar = 3;     # 'bar' from the first set
  baz = 4;     # 'baz' from the second set
}


5.1.2.26. lib.attrsets.recursiveUpdate

recursiveUpdate :: AttrSet -> AttrSet -> AttrSet

Located at lib/attrsets.nix:566 in <nixpkgs>.

A recursive variant of the update operator //. The recursion stops when one of the attribute values is not an attribute set, in which case the right hand side value takes precedence over the left hand side value.

lhs

The left hand attribute set of the merge.

rhs

The right hand attribute set of the merge.

Example 5.33. Recursively merging two attribute sets

recursiveUpdate
  {
    boot.loader.grub.enable = true;
    boot.loader.grub.device = "/dev/hda";
  }
  {
    boot.loader.grub.device = "";
  }
=> {
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "";
}


5.1.2.27. lib.attrsets.recurseIntoAttrs

recurseIntoAttrs :: AttrSet -> AttrSet

Located at lib/attrsets.nix:636 in <nixpkgs>.

Make various Nix tools consider the contents of the resulting attribute set when looking for what to build, find, etc.

This function only affects a single attribute set; it does not apply itself recursively for nested attribute sets.

attrs

An attribute set to scan for derivations.

Example 5.34. Making Nix look inside an attribute set

{ pkgs ? import <nixpkgs> {} }:
{
  myTools = pkgs.lib.recurseIntoAttrs {
    inherit (pkgs) hello figlet;
  };
}


5.1.2.28. lib.attrsets.cartesianProductOfSets

cartesianProductOfSets :: AttrSet -> [ AttrSet ]

Located at lib/attrsets.nix:316 in <nixpkgs>.

Return the cartesian product of attribute set value combinations.

set

An attribute set with attributes that carry lists of values.

Example 5.35. Creating the cartesian product of a list of attribute values

cartesianProductOfSets { a = [ 1 2 ]; b = [ 10 20 ]; }
=> [
     { a = 1; b = 10; }
     { a = 1; b = 20; }
     { a = 2; b = 10; }
     { a = 2; b = 20; }
   ]


5.1.3. String manipulation functions

5.1.3.1. lib.strings.concatStrings

concatStrings :: [string] -> string

Concatenate a list of strings.

Example 5.36. lib.strings.concatStrings usage example

concatStrings ["foo" "bar"]
=> "foobar"


Located at lib/strings.nix:44 in <nixpkgs>.

5.1.3.2. lib.strings.concatMapStrings

concatMapStrings :: (a -> string) -> [a] -> string

Map a function over a list and concatenate the resulting strings.

f

Function argument

list

Function argument

Example 5.37. lib.strings.concatMapStrings usage example

concatMapStrings (x: "a" + x) ["foo" "bar"]
=> "afooabar"


Located at lib/strings.nix:54 in <nixpkgs>.

5.1.3.3. lib.strings.concatImapStrings

concatImapStrings :: (int -> a -> string) -> [a] -> string

Like `concatMapStrings` except that the f functions also gets the position as a parameter.

f

Function argument

list

Function argument

Example 5.38. lib.strings.concatImapStrings usage example

concatImapStrings (pos: x: "${toString pos}-${x}") ["foo" "bar"]
=> "1-foo2-bar"


Located at lib/strings.nix:65 in <nixpkgs>.

5.1.3.4. lib.strings.intersperse

intersperse :: a -> [a] -> [a]

Place an element between each element of a list

separator

Separator to add between elements

list

Input list

Example 5.39. lib.strings.intersperse usage example

intersperse "/" ["usr" "local" "bin"]
=> ["usr" "/" "local" "/" "bin"].


Located at lib/strings.nix:75 in <nixpkgs>.

5.1.3.5. lib.strings.concatStringsSep

concatStringsSep :: string -> [string] -> string

Concatenate a list of strings with a separator between each element

Example 5.40. lib.strings.concatStringsSep usage example

concatStringsSep "/" ["usr" "local" "bin"]
=> "usr/local/bin"


Located at lib/strings.nix:92 in <nixpkgs>.

5.1.3.6. lib.strings.concatMapStringsSep

concatMapStringsSep :: string -> (a -> string) -> [a] -> string

Maps a function over a list of strings and then concatenates the result with the specified separator interspersed between elements.

sep

Separator to add between elements

f

Function to map over the list

list

List of input strings

Example 5.41. lib.strings.concatMapStringsSep usage example

concatMapStringsSep "-" (x: toUpper x)  ["foo" "bar" "baz"]
=> "FOO-BAR-BAZ"


Located at lib/strings.nix:105 in <nixpkgs>.

5.1.3.7. lib.strings.concatImapStringsSep

concatIMapStringsSep :: string -> (int -> a -> string) -> [a] -> string

Same as `concatMapStringsSep`, but the mapping function additionally receives the position of its argument.

sep

Separator to add between elements

f

Function that receives elements and their positions

list

List of input strings

Example 5.42. lib.strings.concatImapStringsSep usage example

concatImapStringsSep "-" (pos: x: toString (x / pos)) [ 6 6 6 ]
=> "6-3-2"


Located at lib/strings.nix:122 in <nixpkgs>.

5.1.3.8. lib.strings.makeSearchPath

makeSearchPath :: string -> [string] -> string

Construct a Unix-style, colon-separated search path consisting of the given `subDir` appended to each of the given paths.

subDir

Directory name to append

paths

List of base paths

Example 5.43. lib.strings.makeSearchPath usage example

makeSearchPath "bin" ["/root" "/usr" "/usr/local"]
=> "/root/bin:/usr/bin:/usr/local/bin"
makeSearchPath "bin" [""]
=> "/bin"


Located at lib/strings.nix:141 in <nixpkgs>.

5.1.3.9. lib.strings.makeSearchPathOutput

string -> string -> [package] -> string

Construct a Unix-style search path by appending the given `subDir` to the specified `output` of each of the packages. If no output by the given name is found, fallback to `.out` and then to the default.

output

Package output to use

subDir

Directory name to append

pkgs

List of packages

Example 5.44. lib.strings.makeSearchPathOutput usage example

makeSearchPathOutput "dev" "bin" [ pkgs.openssl pkgs.zlib ]
=> "/nix/store/9rz8gxhzf8sw4kf2j2f1grr49w8zx5vj-openssl-1.0.1r-dev/bin:/nix/store/wwh7mhwh269sfjkm6k5665b5kgp7jrk2-zlib-1.2.8/bin"


Located at lib/strings.nix:159 in <nixpkgs>.

5.1.3.10. lib.strings.makeLibraryPath

Construct a library search path (such as RPATH) containing the libraries for a set of packages

Example 5.45. lib.strings.makeLibraryPath usage example

makeLibraryPath [ "/usr" "/usr/local" ]
=> "/usr/lib:/usr/local/lib"
pkgs = import <nixpkgs> { }
makeLibraryPath [ pkgs.openssl pkgs.zlib ]
=> "/nix/store/9rz8gxhzf8sw4kf2j2f1grr49w8zx5vj-openssl-1.0.1r/lib:/nix/store/wwh7mhwh269sfjkm6k5665b5kgp7jrk2-zlib-1.2.8/lib"


Located at lib/strings.nix:177 in <nixpkgs>.

5.1.3.11. lib.strings.makeBinPath

Construct a binary search path (such as $PATH) containing the binaries for a set of packages.

Example 5.46. lib.strings.makeBinPath usage example

makeBinPath ["/root" "/usr" "/usr/local"]
=> "/root/bin:/usr/bin:/usr/local/bin"


Located at lib/strings.nix:186 in <nixpkgs>.

5.1.3.12. lib.strings.normalizePath

normalizePath :: string -> string

Normalize path, removing extranous /s

s

Function argument

Example 5.47. lib.strings.normalizePath usage example

normalizePath "/a//b///c/"
=> "/a/b/c/"


Located at lib/strings.nix:196 in <nixpkgs>.

5.1.3.13. lib.strings.optionalString

optionalString :: bool -> string -> string

Depending on the boolean `cond', return either the given string or the empty string. Useful to concatenate against a bigger string.

cond

Condition

string

String to return if condition is true

Example 5.48. lib.strings.optionalString usage example

optionalString true "some-string"
=> "some-string"
optionalString false "some-string"
=> ""


Located at lib/strings.nix:209 in <nixpkgs>.

5.1.3.14. lib.strings.hasPrefix

hasPrefix :: string -> string -> bool

Determine whether a string has given prefix.

pref

Prefix to check for

str

Input string

Example 5.49. lib.strings.hasPrefix usage example

hasPrefix "foo" "foobar"
=> true
hasPrefix "foo" "barfoo"
=> false


Located at lib/strings.nix:225 in <nixpkgs>.

5.1.3.15. lib.strings.hasSuffix

hasSuffix :: string -> string -> bool

Determine whether a string has given suffix.

suffix

Suffix to check for

content

Input string

Example 5.50. lib.strings.hasSuffix usage example

hasSuffix "foo" "foobar"
=> false
hasSuffix "foo" "barfoo"
=> true


Located at lib/strings.nix:241 in <nixpkgs>.

5.1.3.16. lib.strings.hasInfix

hasInfix :: string -> string -> bool

Determine whether a string contains the given infix

infix

Function argument

content

Function argument

Example 5.51. lib.strings.hasInfix usage example

hasInfix "bc" "abcd"
=> true
hasInfix "ab" "abcd"
=> true
hasInfix "cd" "abcd"
=> true
hasInfix "foo" "abcd"
=> false


Located at lib/strings.nix:266 in <nixpkgs>.

5.1.3.17. lib.strings.stringToCharacters

stringToCharacters :: string -> [string]

Convert a string to a list of characters (i.e. singleton strings). This allows you to, e.g., map a function over each character. However, note that this will likely be horribly inefficient; Nix is not a general purpose programming language. Complex string manipulations should, if appropriate, be done in a derivation. Also note that Nix treats strings as a list of bytes and thus doesn't handle unicode.

s

Function argument

Example 5.52. lib.strings.stringToCharacters usage example

stringToCharacters ""
=> [ ]
stringToCharacters "abc"
=> [ "a" "b" "c" ]
stringToCharacters "💩"
=> [ "�" "�" "�" "�" ]


Located at lib/strings.nix:287 in <nixpkgs>.

5.1.3.18. lib.strings.stringAsChars

stringAsChars :: (string -> string) -> string -> string

Manipulate a string character by character and replace them by strings before concatenating the results.

f

Function to map over each individual character

s

Input string

Example 5.53. lib.strings.stringAsChars usage example

stringAsChars (x: if x == "a" then "i" else x) "nax"
=> "nix"


Located at lib/strings.nix:299 in <nixpkgs>.

5.1.3.19. lib.strings.charToInt

charToInt :: string -> int

Convert char to ascii value, must be in printable range

Example 5.54. lib.strings.charToInt usage example

charToInt "A"
=> 65
charToInt "("
=> 40


Located at lib/strings.nix:318 in <nixpkgs>.

5.1.3.20. lib.strings.escape

escape :: [string] -> string -> string

Escape occurrence of the elements of `list` in `string` by prefixing it with a backslash.

list

Function argument

Example 5.55. lib.strings.escape usage example

escape ["(" ")"] "(foo)"
=> "\\(foo\\)"


Located at lib/strings.nix:331 in <nixpkgs>.

5.1.3.21. lib.strings.escapeC

escapeC = [string] -> string -> string

Escape occurence of the element of `list` in `string` by converting to its ASCII value and prefixing it with \\x. Only works for printable ascii characters.

list

Function argument

Example 5.56. lib.strings.escapeC usage example

escapeC [" "] "foo bar"
=> "foo\\x20bar"


Located at lib/strings.nix:344 in <nixpkgs>.

5.1.3.22. lib.strings.escapeShellArg

escapeShellArg :: string -> string

Quote string to be used safely within the Bourne shell.

arg

Function argument

Example 5.57. lib.strings.escapeShellArg usage example

escapeShellArg "esc'ape\nme"
=> "'esc'\\''ape\nme'"


Located at lib/strings.nix:354 in <nixpkgs>.

5.1.3.23. lib.strings.escapeShellArgs

escapeShellArgs :: [string] -> string

Quote all arguments to be safely passed to the Bourne shell.

Example 5.58. lib.strings.escapeShellArgs usage example

escapeShellArgs ["one" "two three" "four'five"]
=> "'one' 'two three' 'four'\\''five'"


Located at lib/strings.nix:364 in <nixpkgs>.

5.1.3.24. lib.strings.isValidPosixName

string -> bool

Test whether the given name is a valid POSIX shell variable name.

name

Function argument

Example 5.59. lib.strings.isValidPosixName usage example

isValidPosixName "foo_bar000"
=> true
isValidPosixName "0-bad.jpg"
=> false


Located at lib/strings.nix:376 in <nixpkgs>.

5.1.3.25. lib.strings.toShellVar

string -> (string | listOf string | attrsOf string) -> string

Translate a Nix value into a shell variable declaration, with proper escaping.

The value can be a string (mapped to a regular variable), a list of strings (mapped to a Bash-style array) or an attribute set of strings (mapped to a Bash-style associative array). Note that "string" includes string-coercible values like paths or derivations.

Strings are translated into POSIX sh-compatible code; lists and attribute sets assume a shell that understands Bash syntax (e.g. Bash or ZSH).

name

Function argument

value

Function argument

Example 5.60. lib.strings.toShellVar usage example

''
${toShellVar "foo" "some string"}
[[ "$foo" == "some string" ]]
''


Located at lib/strings.nix:396 in <nixpkgs>.

5.1.3.26. lib.strings.toShellVars

attrsOf (string | listOf string | attrsOf string) -> string

Translate an attribute set into corresponding shell variable declarations using `toShellVar`.

vars

Function argument

Example 5.61. lib.strings.toShellVars usage example

let
foo = "value";
bar = foo;
in ''
${toShellVars { inherit foo bar; }}
[[ "$foo" == "$bar" ]]
''


Located at lib/strings.nix:424 in <nixpkgs>.

5.1.3.27. lib.strings.escapeNixString

string -> string

Turn a string into a Nix expression representing that string

s

Function argument

Example 5.62. lib.strings.escapeNixString usage example

escapeNixString "hello\${}\n"
=> "\"hello\\\${}\\n\""


Located at lib/strings.nix:434 in <nixpkgs>.

5.1.3.28. lib.strings.escapeRegex

string -> string

Turn a string into an exact regular expression

Example 5.63. lib.strings.escapeRegex usage example

escapeRegex "[^a-z]*"
=> "\\[\\^a-z]\\*"


Located at lib/strings.nix:444 in <nixpkgs>.

5.1.3.29. lib.strings.escapeNixIdentifier

string -> string

Quotes a string if it can't be used as an identifier directly.

s

Function argument

Example 5.64. lib.strings.escapeNixIdentifier usage example

escapeNixIdentifier "hello"
=> "hello"
escapeNixIdentifier "0abc"
=> "\"0abc\""


Located at lib/strings.nix:456 in <nixpkgs>.

5.1.3.30. lib.strings.escapeXML

string -> string

Escapes a string such that it is safe to include verbatim in an XML document.

Example 5.65. lib.strings.escapeXML usage example

escapeXML ''"test" 'test' < & >''
=> "&quot;test&quot; &apos;test&apos; &lt; &amp; &gt;"


Located at lib/strings.nix:470 in <nixpkgs>.

5.1.3.31. lib.strings.toLower

toLower :: string -> string

Converts an ASCII string to lower-case.

Example 5.66. lib.strings.toLower usage example

toLower "HOME"
=> "home"


Located at lib/strings.nix:500 in <nixpkgs>.

5.1.3.32. lib.strings.toUpper

toUpper :: string -> string

Converts an ASCII string to upper-case.

Example 5.67. lib.strings.toUpper usage example

toUpper "home"
=> "HOME"


Located at lib/strings.nix:510 in <nixpkgs>.

5.1.3.33. lib.strings.addContextFrom

Appends string context from another string. This is an implementation detail of Nix.

Strings in Nix carry an invisible `context` which is a list of strings representing store paths. If the string is later used in a derivation attribute, the derivation will properly populate the inputDrvs and inputSrcs.

a

Function argument

b

Function argument

Example 5.68. lib.strings.addContextFrom usage example

pkgs = import <nixpkgs> { };
addContextFrom pkgs.coreutils "bar"
=> "bar"


Located at lib/strings.nix:525 in <nixpkgs>.

5.1.3.34. lib.strings.splitString

Cut a string with a separator and produces a list of strings which were separated by this separator.

_sep

Function argument

_s

Function argument

Example 5.69. lib.strings.splitString usage example

splitString "." "foo.bar.baz"
=> [ "foo" "bar" "baz" ]
splitString "/" "/usr/local/bin"
=> [ "" "usr" "local" "bin" ]


Located at lib/strings.nix:536 in <nixpkgs>.

5.1.3.35. lib.strings.removePrefix

string -> string -> string

Return a string without the specified prefix, if the prefix matches.

prefix

Prefix to remove if it matches

str

Input string

Example 5.70. lib.strings.removePrefix usage example

removePrefix "foo." "foo.bar.baz"
=> "bar.baz"
removePrefix "xxx" "foo.bar.baz"
=> "foo.bar.baz"


Located at lib/strings.nix:554 in <nixpkgs>.

5.1.3.36. lib.strings.removeSuffix

string -> string -> string

Return a string without the specified suffix, if the suffix matches.

suffix

Suffix to remove if it matches

str

Input string

Example 5.71. lib.strings.removeSuffix usage example

removeSuffix "front" "homefront"
=> "home"
removeSuffix "xxx" "homefront"
=> "homefront"


Located at lib/strings.nix:578 in <nixpkgs>.

5.1.3.37. lib.strings.versionOlder

Return true if string v1 denotes a version older than v2.

v1

Function argument

v2

Function argument

Example 5.72. lib.strings.versionOlder usage example

versionOlder "1.1" "1.2"
=> true
versionOlder "1.1" "1.1"
=> false


Located at lib/strings.nix:600 in <nixpkgs>.

5.1.3.38. lib.strings.versionAtLeast

Return true if string v1 denotes a version equal to or newer than v2.

v1

Function argument

v2

Function argument

Example 5.73. lib.strings.versionAtLeast usage example

versionAtLeast "1.1" "1.0"
=> true
versionAtLeast "1.1" "1.1"
=> true
versionAtLeast "1.1" "1.2"
=> false


Located at lib/strings.nix:612 in <nixpkgs>.

5.1.3.39. lib.strings.getName

This function takes an argument that's either a derivation or a derivation's "name" attribute and extracts the name part from that argument.

x

Function argument

Example 5.74. lib.strings.getName usage example

getName "youtube-dl-2016.01.01"
=> "youtube-dl"
getName pkgs.youtube-dl
=> "youtube-dl"


Located at lib/strings.nix:624 in <nixpkgs>.

5.1.3.40. lib.strings.getVersion

This function takes an argument that's either a derivation or a derivation's "name" attribute and extracts the version part from that argument.

x

Function argument

Example 5.75. lib.strings.getVersion usage example

getVersion "youtube-dl-2016.01.01"
=> "2016.01.01"
getVersion pkgs.youtube-dl
=> "2016.01.01"


Located at lib/strings.nix:641 in <nixpkgs>.

5.1.3.41. lib.strings.nameFromURL

Extract name with version from URL. Ask for separator which is supposed to start extension.

url

Function argument

sep

Function argument

Example 5.76. lib.strings.nameFromURL usage example

nameFromURL "https://nixos.org/releases/nix/nix-1.7/nix-1.7-x86_64-linux.tar.bz2" "-"
=> "nix"
nameFromURL "https://nixos.org/releases/nix/nix-1.7/nix-1.7-x86_64-linux.tar.bz2" "_"
=> "nix-1.7-x86"


Located at lib/strings.nix:657 in <nixpkgs>.

5.1.3.42. lib.strings.enableFeature

Create an --{enable,disable}-<feat> string that can be passed to standard GNU Autoconf scripts.

enable

Function argument

feat

Function argument

Example 5.77. lib.strings.enableFeature usage example

enableFeature true "shared"
=> "--enable-shared"
enableFeature false "shared"
=> "--disable-shared"


Located at lib/strings.nix:673 in <nixpkgs>.

5.1.3.43. lib.strings.enableFeatureAs

Create an --{enable-<feat>=<value>,disable-<feat>} string that can be passed to standard GNU Autoconf scripts.

enable

Function argument

feat

Function argument

value

Function argument

Example 5.78. lib.strings.enableFeatureAs usage example

enableFeatureAs true "shared" "foo"
=> "--enable-shared=foo"
enableFeatureAs false "shared" (throw "ignored")
=> "--disable-shared"


Located at lib/strings.nix:686 in <nixpkgs>.

5.1.3.44. lib.strings.withFeature

Create an --{with,without}-<feat> string that can be passed to standard GNU Autoconf scripts.

with_

Function argument

feat

Function argument

Example 5.79. lib.strings.withFeature usage example

withFeature true "shared"
=> "--with-shared"
withFeature false "shared"
=> "--without-shared"


Located at lib/strings.nix:697 in <nixpkgs>.

5.1.3.45. lib.strings.withFeatureAs

Create an --{with-<feat>=<value>,without-<feat>} string that can be passed to standard GNU Autoconf scripts.

with_

Function argument

feat

Function argument

value

Function argument

Example 5.80. lib.strings.withFeatureAs usage example

withFeatureAs true "shared" "foo"
=> "--with-shared=foo"
withFeatureAs false "shared" (throw "ignored")
=> "--without-shared"


Located at lib/strings.nix:710 in <nixpkgs>.

5.1.3.46. lib.strings.fixedWidthString

fixedWidthString :: int -> string -> string -> string

Create a fixed width string with additional prefix to match required width.

This function will fail if the input string is longer than the requested length.

width

Function argument

filler

Function argument

str

Function argument

Example 5.81. lib.strings.fixedWidthString usage example

fixedWidthString 5 "0" (toString 15)
=> "00015"


Located at lib/strings.nix:724 in <nixpkgs>.

5.1.3.47. lib.strings.fixedWidthNumber

Format a number adding leading zeroes up to fixed width.

width

Function argument

n

Function argument

Example 5.82. lib.strings.fixedWidthNumber usage example

fixedWidthNumber 5 15
=> "00015"


Located at lib/strings.nix:741 in <nixpkgs>.

5.1.3.48. lib.strings.floatToString

Convert a float to a string, but emit a warning when precision is lost during the conversion

float

Function argument

Example 5.83. lib.strings.floatToString usage example

floatToString 0.000001
=> "0.000001"
floatToString 0.0000001
=> trace: warning: Imprecise conversion from float to string 0.000000
"0.000000"


Located at lib/strings.nix:753 in <nixpkgs>.

5.1.3.49. lib.strings.isCoercibleToString

Check whether a value can be coerced to a string

x

Function argument

Located at lib/strings.nix:760 in <nixpkgs>.

5.1.3.50. lib.strings.isStorePath

Check whether a value is a store path.

x

Function argument

Example 5.84. lib.strings.isStorePath usage example

isStorePath "/nix/store/d945ibfx9x185xf04b890y4f9g3cbb63-python-2.7.11/bin/python"
=> false
isStorePath "/nix/store/d945ibfx9x185xf04b890y4f9g3cbb63-python-2.7.11"
=> true
isStorePath pkgs.python
=> true
isStorePath [] || isStorePath 42 || isStorePath {} || …
=> false


Located at lib/strings.nix:778 in <nixpkgs>.

5.1.3.51. lib.strings.toInt

string -> int

Parse a string as an int. Does not support parsing of integers with preceding zero due to ambiguity between zero-padded and octal numbers. See toIntBase10.

str

Function argument

Example 5.85. lib.strings.toInt usage example


toInt "1337"
=> 1337

toInt "-4"
=> -4

toInt " 123 "
=> 123

toInt "00024"
=> error: Ambiguity in interpretation of 00024 between octal and zero padded integer.

toInt "3.14"
=> error: floating point JSON numbers are not supported


Located at lib/strings.nix:808 in <nixpkgs>.

5.1.3.52. lib.strings.toIntBase10

string -> int

Parse a string as a base 10 int. This supports parsing of zero-padded integers.

str

Function argument

Example 5.86. lib.strings.toIntBase10 usage example

toIntBase10 "1337"
=> 1337

toIntBase10 "-4"
=> -4

toIntBase10 " 123 "
=> 123

toIntBase10 "00024"
=> 24

toIntBase10 "3.14"
=> error: floating point JSON numbers are not supported


Located at lib/strings.nix:859 in <nixpkgs>.

5.1.3.53. lib.strings.readPathsFromFile

Read a list of paths from `file`, relative to the `rootPath`. Lines beginning with `#` are treated as comments and ignored. Whitespace is significant.

NOTE: This function is not performant and should be avoided.

Example 5.87. lib.strings.readPathsFromFile usage example

readPathsFromFile /prefix
./pkgs/development/libraries/qt-5/5.4/qtbase/series
=> [ "/prefix/dlopen-resolv.patch" "/prefix/tzdir.patch"
"/prefix/dlopen-libXcursor.patch" "/prefix/dlopen-openssl.patch"
"/prefix/dlopen-dbus.patch" "/prefix/xdg-config-dirs.patch"
"/prefix/nix-profiles-library-paths.patch"
"/prefix/compose-search-path.patch" ]


Located at lib/strings.nix:902 in <nixpkgs>.

5.1.3.54. lib.strings.fileContents

fileContents :: path -> string

Read the contents of a file removing the trailing \n

file

Function argument

Example 5.88. lib.strings.fileContents usage example

$ echo "1.0" > ./version

fileContents ./version
=> "1.0"


Located at lib/strings.nix:922 in <nixpkgs>.

5.1.3.55. lib.strings.sanitizeDerivationName

sanitizeDerivationName :: String -> String

Creates a valid derivation name from a potentially invalid one.

Example 5.89. lib.strings.sanitizeDerivationName usage example

sanitizeDerivationName "../hello.bar # foo"
=> "-hello.bar-foo"
sanitizeDerivationName ""
=> "unknown"
sanitizeDerivationName pkgs.hello
=> "-nix-store-2g75chlbpxlrqn15zlby2dfh8hr9qwbk-hello-2.10"


Located at lib/strings.nix:937 in <nixpkgs>.

5.1.3.56. lib.strings.levenshtein

levenshtein :: string -> string -> int

Computes the Levenshtein distance between two strings. Complexity O(n*m) where n and m are the lengths of the strings. Algorithm adjusted from https://stackoverflow.com/a/9750974/6605742

a

Function argument

b

Function argument

Example 5.90. lib.strings.levenshtein usage example

levenshtein "foo" "foo"
=> 0
levenshtein "book" "hook"
=> 1
levenshtein "hello" "Heyo"
=> 3


Located at lib/strings.nix:976 in <nixpkgs>.

5.1.3.57. lib.strings.commonPrefixLength

Returns the length of the prefix common to both strings.

a

Function argument

b

Function argument

Located at lib/strings.nix:997 in <nixpkgs>.

5.1.3.58. lib.strings.commonSuffixLength

Returns the length of the suffix common to both strings.

a

Function argument

b

Function argument

Located at lib/strings.nix:1005 in <nixpkgs>.

5.1.3.59. lib.strings.levenshteinAtMost

levenshteinAtMost :: int -> string -> string -> bool

Returns whether the levenshtein distance between two strings is at most some value Complexity is O(min(n,m)) for k <= 2 and O(n*m) otherwise

Example 5.91. lib.strings.levenshteinAtMost usage example

levenshteinAtMost 0 "foo" "foo"
=> true
levenshteinAtMost 1 "foo" "boa"
=> false
levenshteinAtMost 2 "foo" "boa"
=> true
levenshteinAtMost 2 "This is a sentence" "this is a sentense."
=> false
levenshteinAtMost 3 "This is a sentence" "this is a sentense."
=> true


Located at lib/strings.nix:1029 in <nixpkgs>.

5.1.4. Miscellaneous functions

5.1.4.1. lib.trivial.id

id :: a -> a

The identity function For when you need a function that does “nothing”.

x

The value to return

Located at lib/trivial.nix:12 in <nixpkgs>.

5.1.4.2. lib.trivial.const

const :: a -> b -> a

The constant function

Ignores the second argument. If called with only one argument, constructs a function that always returns a static value.

x

Value to return

y

Value to ignore

Example 5.92. lib.trivial.const usage example

let f = const 5; in f 10
=> 5


Located at lib/trivial.nix:26 in <nixpkgs>.

5.1.4.3. lib.trivial.pipe

pipe :: a -> [<functions>] -> <return type of last function>

Pipes a value through a list of functions, left to right.

val

Function argument

functions

Function argument

Example 5.93. lib.trivial.pipe usage example

pipe 2 [
(x: x + 2)  # 2 + 2 = 4
(x: x * 2)  # 4 * 2 = 8
]
=> 8

# ideal to do text transformations
pipe [ "a/b" "a/c" ] [

# create the cp command
(map (file: ''cp "${src}/${file}" $out\n''))

# concatenate all commands into one string
lib.concatStrings

# make that string into a nix derivation
(pkgs.runCommand "copy-to-out" {})

]
=> <drv which copies all files to $out>

The output type of each function has to be the input type
of the next function, and the last function returns the
final value.


Located at lib/trivial.nix:61 in <nixpkgs>.

5.1.4.4. lib.trivial.concat

concat :: [a] -> [a] -> [a]

Concatenate two lists

x

Function argument

y

Function argument

Example 5.94. lib.trivial.concat usage example

concat [ 1 2 ] [ 3 4 ]
=> [ 1 2 3 4 ]


Located at lib/trivial.nix:80 in <nixpkgs>.

5.1.4.5. lib.trivial.or

boolean “or”

x

Function argument

y

Function argument

Located at lib/trivial.nix:83 in <nixpkgs>.

5.1.4.6. lib.trivial.and

boolean “and”

x

Function argument

y

Function argument

Located at lib/trivial.nix:86 in <nixpkgs>.

5.1.4.7. lib.trivial.bitAnd

bitwise “and”

Located at lib/trivial.nix:89 in <nixpkgs>.

5.1.4.8. lib.trivial.bitOr

bitwise “or”

Located at lib/trivial.nix:94 in <nixpkgs>.

5.1.4.9. lib.trivial.bitXor

bitwise “xor”

Located at lib/trivial.nix:99 in <nixpkgs>.

5.1.4.10. lib.trivial.bitNot

bitwise “not”

Located at lib/trivial.nix:104 in <nixpkgs>.

5.1.4.11. lib.trivial.boolToString

boolToString :: bool -> string

Convert a boolean to a string.

This function uses the strings "true" and "false" to represent boolean values. Calling `toString` on a bool instead returns "1" and "" (sic!).

b

Function argument

Located at lib/trivial.nix:114 in <nixpkgs>.

5.1.4.12. lib.trivial.mergeAttrs

Merge two attribute sets shallowly, right side trumps left

mergeAttrs :: attrs -> attrs -> attrs

x

Left attribute set

y

Right attribute set (higher precedence for equal keys)

Example 5.95. lib.trivial.mergeAttrs usage example

mergeAttrs { a = 1; b = 2; } { b = 3; c = 4; }
=> { a = 1; b = 3; c = 4; }


Located at lib/trivial.nix:124 in <nixpkgs>.

5.1.4.13. lib.trivial.flip

flip :: (a -> b -> c) -> (b -> a -> c)

Flip the order of the arguments of a binary function.

f

Function argument

a

Function argument

b

Function argument

Example 5.96. lib.trivial.flip usage example

flip concat [1] [2]
=> [ 2 1 ]


Located at lib/trivial.nix:138 in <nixpkgs>.

5.1.4.14. lib.trivial.mapNullable

Apply function if the supplied argument is non-null.

f

Function to call

a

Argument to check for null before passing it to `f`

Example 5.97. lib.trivial.mapNullable usage example

mapNullable (x: x+1) null
=> null
mapNullable (x: x+1) 22
=> 23


Located at lib/trivial.nix:148 in <nixpkgs>.

5.1.4.15. lib.trivial.version

Returns the current full nixpkgs version number.

Located at lib/trivial.nix:164 in <nixpkgs>.

5.1.4.16. lib.trivial.release

Returns the current nixpkgs release number as string.

Located at lib/trivial.nix:167 in <nixpkgs>.

5.1.4.17. lib.trivial.oldestSupportedRelease

The latest release that is supported, at the time of release branch-off, if applicable.

Ideally, out-of-tree modules should be able to evaluate cleanly with all supported Nixpkgs versions (master, release and old release until EOL). So if possible, deprecation warnings should take effect only when all out-of-tree expressions/libs/modules can upgrade to the new way without losing support for supported Nixpkgs versions.

This release number allows deprecation warnings to be implemented such that they take effect as soon as the oldest release reaches end of life.

Located at lib/trivial.nix:180 in <nixpkgs>.

5.1.4.18. lib.trivial.isInOldestRelease

Whether a feature is supported in all supported releases (at the time of release branch-off, if applicable). See `oldestSupportedRelease`.

release

Release number of feature introduction as an integer, e.g. 2111 for 21.11. Set it to the upcoming release, matching the nixpkgs/.version file.

Located at lib/trivial.nix:186 in <nixpkgs>.

5.1.4.19. lib.trivial.codeName

Returns the current nixpkgs release code name.

On each release the first letter is bumped and a new animal is chosen starting with that new letter.

Located at lib/trivial.nix:198 in <nixpkgs>.

5.1.4.20. lib.trivial.versionSuffix

Returns the current nixpkgs version suffix as string.

Located at lib/trivial.nix:201 in <nixpkgs>.

5.1.4.21. lib.trivial.revisionWithDefault

revisionWithDefault :: string -> string

Attempts to return the the current revision of nixpkgs and returns the supplied default value otherwise.

default

Default value to return if revision can not be determined

Located at lib/trivial.nix:212 in <nixpkgs>.

5.1.4.22. lib.trivial.inNixShell

inNixShell :: bool

Determine whether the function is being called from inside a Nix shell.

Located at lib/trivial.nix:230 in <nixpkgs>.

5.1.4.23. lib.trivial.inPureEvalMode

inPureEvalMode :: bool

Determine whether the function is being called from inside pure-eval mode by seeing whether `builtins` contains `currentSystem`. If not, we must be in pure-eval mode.

Located at lib/trivial.nix:238 in <nixpkgs>.

5.1.4.24. lib.trivial.min

Return minimum of two numbers.

x

Function argument

y

Function argument

Located at lib/trivial.nix:243 in <nixpkgs>.

5.1.4.25. lib.trivial.max

Return maximum of two numbers.

x

Function argument

y

Function argument

Located at lib/trivial.nix:246 in <nixpkgs>.

5.1.4.26. lib.trivial.mod

Integer modulus

base

Function argument

int

Function argument

Example 5.98. lib.trivial.mod usage example

mod 11 10
=> 1
mod 1 10
=> 1


Located at lib/trivial.nix:256 in <nixpkgs>.

5.1.4.27. lib.trivial.compare

C-style comparisons

a < b, compare a b => -1 a == b, compare a b => 0 a > b, compare a b => 1

a

Function argument

b

Function argument

Located at lib/trivial.nix:267 in <nixpkgs>.

5.1.4.28. lib.trivial.splitByAndCompare

(a -> bool) -> (a -> a -> int) -> (a -> a -> int) -> (a -> a -> int)

Split type into two subtypes by predicate `p`, take all elements of the first subtype to be less than all the elements of the second subtype, compare elements of a single subtype with `yes` and `no` respectively.

p

Predicate

yes

Comparison function if predicate holds for both values

no

Comparison function if predicate holds for neither value

a

First value to compare

b

Second value to compare

Example 5.99. lib.trivial.splitByAndCompare usage example

let cmp = splitByAndCompare (hasPrefix "foo") compare compare; in

cmp "a" "z" => -1
cmp "fooa" "fooz" => -1

cmp "f" "a" => 1
cmp "fooa" "a" => -1
# while
compare "fooa" "a" => 1


Located at lib/trivial.nix:292 in <nixpkgs>.

5.1.4.29. lib.trivial.importJSON

Reads a JSON file.

Type :: path -> any

path

Function argument

Located at lib/trivial.nix:312 in <nixpkgs>.

5.1.4.30. lib.trivial.importTOML

Reads a TOML file.

Type :: path -> any

path

Function argument

Located at lib/trivial.nix:319 in <nixpkgs>.

5.1.4.31. lib.trivial.warn

string -> a -> a

Print a warning before returning the second argument. This function behaves like `builtins.trace`, but requires a string message and formats it as a warning, including the `warning: ` prefix.

To get a call stack trace and abort evaluation, set the environment variable `NIX_ABORT_ON_WARN=true` and set the Nix options `--option pure-eval false --show-trace`

Located at lib/trivial.nix:347 in <nixpkgs>.

5.1.4.32. lib.trivial.warnIf

bool -> string -> a -> a

Like warn, but only warn when the first argument is `true`.

cond

Function argument

msg

Function argument

Located at lib/trivial.nix:357 in <nixpkgs>.

5.1.4.33. lib.trivial.warnIfNot

bool -> string -> a -> a

Like warnIf, but negated (warn if the first argument is `false`).

cond

Function argument

msg

Function argument

Located at lib/trivial.nix:364 in <nixpkgs>.

5.1.4.34. lib.trivial.throwIfNot

bool -> string -> a -> a

Like the `assert b; e` expression, but with a custom error message and without the semicolon.

If true, return the identity function, `r: r`.

If false, throw the error message.

Calls can be juxtaposed using function application, as `(r: r) a = a`, so `(r: r) (r: r) a = a`, and so forth.

cond

Function argument

msg

Function argument

Example 5.100. lib.trivial.throwIfNot usage example


throwIfNot (lib.isList overlays) "The overlays argument to nixpkgs must be a list."
lib.foldr (x: throwIfNot (lib.isFunction x) "All overlays passed to nixpkgs must be functions.") (r: r) overlays
pkgs


Located at lib/trivial.nix:386 in <nixpkgs>.

5.1.4.35. lib.trivial.throwIf

bool -> string -> a -> a

Like throwIfNot, but negated (throw if the first argument is `true`).

cond

Function argument

msg

Function argument

Located at lib/trivial.nix:393 in <nixpkgs>.

5.1.4.36. lib.trivial.checkListOfEnum

String -> List ComparableVal -> List ComparableVal -> a -> a

Check if the elements in a list are valid values from a enum, returning the identity function, or throwing an error message otherwise.

msg

Function argument

valid

Function argument

given

Function argument

Example 5.101. lib.trivial.checkListOfEnum usage example

let colorVariants = ["bright" "dark" "black"]
in checkListOfEnum "color variants" [ "standard" "light" "dark" ] colorVariants;
=>
error: color variants: bright, black unexpected; valid ones: standard, light, dark


Located at lib/trivial.nix:405 in <nixpkgs>.

5.1.4.37. lib.trivial.setFunctionArgs

Add metadata about expected function arguments to a function. The metadata should match the format given by builtins.functionArgs, i.e. a set from expected argument to a bool representing whether that argument has a default or not. setFunctionArgs : (a → b) → Map String Bool → (a → b)

This function is necessary because you can't dynamically create a function of the { a, b ? foo, ... }: format, but some facilities like callPackage expect to be able to query expected arguments.

f

Function argument

args

Function argument

Located at lib/trivial.nix:428 in <nixpkgs>.

5.1.4.38. lib.trivial.functionArgs

Extract the expected function arguments from a function. This works both with nix-native { a, b ? foo, ... }: style functions and functions with args set with 'setFunctionArgs'. It has the same return type and semantics as builtins.functionArgs. setFunctionArgs : (a → b) → Map String Bool.

f

Function argument

Located at lib/trivial.nix:440 in <nixpkgs>.

5.1.4.39. lib.trivial.isFunction

Check whether something is a function or something annotated with function args.

f

Function argument

Located at lib/trivial.nix:448 in <nixpkgs>.

5.1.4.40. lib.trivial.toFunction

Turns any non-callable values into constant functions. Returns callable values as is.

v

Any value

Example 5.102. lib.trivial.toFunction usage example


nix-repl> lib.toFunction 1 2
1

nix-repl> lib.toFunction (x: x + 1) 2
3


Located at lib/trivial.nix:463 in <nixpkgs>.

5.1.4.41. lib.trivial.toHexString

Convert the given positive integer to a string of its hexadecimal representation. For example:

toHexString 0 => "0"

toHexString 16 => "10"

toHexString 250 => "FA"

i

Function argument

Located at lib/trivial.nix:479 in <nixpkgs>.

5.1.4.42. lib.trivial.toBaseDigits

`toBaseDigits base i` converts the positive integer i to a list of its digits in the given base. For example:

toBaseDigits 10 123 => [ 1 2 3 ]

toBaseDigits 2 6 => [ 1 1 0 ]

toBaseDigits 16 250 => [ 15 10 ]

base

Function argument

i

Function argument

Located at lib/trivial.nix:505 in <nixpkgs>.

5.1.5. List manipulation functions

5.1.5.1. lib.lists.singleton

singleton :: a -> [a]

Create a list consisting of a single element. `singleton x` is sometimes more convenient with respect to indentation than `[x]` when x spans multiple lines.

x

Function argument

Example 5.103. lib.lists.singleton usage example

singleton "foo"
=> [ "foo" ]


Located at lib/lists.nix:23 in <nixpkgs>.

5.1.5.2. lib.lists.forEach

forEach :: [a] -> (a -> b) -> [b]

Apply the function to each element in the list. Same as `map`, but arguments flipped.

xs

Function argument

f

Function argument

Example 5.104. lib.lists.forEach usage example

forEach [ 1 2 ] (x:
toString x
)
=> [ "1" "2" ]


Located at lib/lists.nix:36 in <nixpkgs>.

5.1.5.3. lib.lists.foldr

foldr :: (a -> b -> b) -> b -> [a] -> b

“right fold” a binary function `op` between successive elements of `list` with `nul` as the starting value, i.e., `foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul))`.

op

Function argument

nul

Function argument

list

Function argument

Example 5.105. lib.lists.foldr usage example

concat = foldr (a: b: a + b) "z"
concat [ "a" "b" "c" ]
=> "abcz"
# different types
strange = foldr (int: str: toString (int + 1) + str) "a"
strange [ 1 2 3 4 ]
=> "2345a"


Located at lib/lists.nix:53 in <nixpkgs>.

5.1.5.4. lib.lists.fold

`fold` is an alias of `foldr` for historic reasons

Located at lib/lists.nix:64 in <nixpkgs>.

5.1.5.5. lib.lists.foldl

foldl :: (b -> a -> b) -> b -> [a] -> b

“left fold”, like `foldr`, but from the left: `foldl op nul [x_1 x_2 ... x_n] == op (... (op (op nul x_1) x_2) ... x_n)`.

op

Function argument

nul

Function argument

list

Function argument

Example 5.106. lib.lists.foldl usage example

lconcat = foldl (a: b: a + b) "z"
lconcat [ "a" "b" "c" ]
=> "zabc"
# different types
lstrange = foldl (str: int: str + toString (int + 1)) "a"
lstrange [ 1 2 3 4 ]
=> "a2345"


Located at lib/lists.nix:81 in <nixpkgs>.

5.1.5.6. lib.lists.foldl'

foldl' :: (b -> a -> b) -> b -> [a] -> b

Strict version of `foldl`.

The difference is that evaluation is forced upon access. Usually used with small whole results (in contrast with lazily-generated list or large lists where only a part is consumed.)

Located at lib/lists.nix:97 in <nixpkgs>.

5.1.5.7. lib.lists.imap0

imap0 :: (int -> a -> b) -> [a] -> [b]

Map with index starting from 0

f

Function argument

list

Function argument

Example 5.107. lib.lists.imap0 usage example

imap0 (i: v: "${v}-${toString i}") ["a" "b"]
=> [ "a-0" "b-1" ]


Located at lib/lists.nix:107 in <nixpkgs>.

5.1.5.8. lib.lists.imap1

imap1 :: (int -> a -> b) -> [a] -> [b]

Map with index starting from 1

f

Function argument

list

Function argument

Example 5.108. lib.lists.imap1 usage example

imap1 (i: v: "${v}-${toString i}") ["a" "b"]
=> [ "a-1" "b-2" ]


Located at lib/lists.nix:117 in <nixpkgs>.

5.1.5.9. lib.lists.concatMap

concatMap :: (a -> [b]) -> [a] -> [b]

Map and concatenate the result.

Example 5.109. lib.lists.concatMap usage example

concatMap (x: [x] ++ ["z"]) ["a" "b"]
=> [ "a" "z" "b" "z" ]


Located at lib/lists.nix:127 in <nixpkgs>.

5.1.5.10. lib.lists.flatten

Flatten the argument into a single list; that is, nested lists are spliced into the top-level lists.

x

Function argument

Example 5.110. lib.lists.flatten usage example

flatten [1 [2 [3] 4] 5]
=> [1 2 3 4 5]
flatten 1
=> [1]


Located at lib/lists.nix:138 in <nixpkgs>.

5.1.5.11. lib.lists.remove

remove :: a -> [a] -> [a]

Remove elements equal to 'e' from a list. Useful for buildInputs.

e

Element to remove from the list

Example 5.111. lib.lists.remove usage example

remove 3 [ 1 3 4 3 ]
=> [ 1 4 ]


Located at lib/lists.nix:151 in <nixpkgs>.

5.1.5.12. lib.lists.findSingle

findSingle :: (a -> bool) -> a -> a -> [a] -> a

Find the sole element in the list matching the specified predicate, returns `default` if no such element exists, or `multiple` if there are multiple matching elements.

pred

Predicate

default

Default value to return if element was not found.

multiple

Default value to return if more than one element was found

list

Input list

Example 5.112. lib.lists.findSingle usage example

findSingle (x: x == 3) "none" "multiple" [ 1 3 3 ]
=> "multiple"
findSingle (x: x == 3) "none" "multiple" [ 1 3 ]
=> 3
findSingle (x: x == 3) "none" "multiple" [ 1 9 ]
=> "none"


Located at lib/lists.nix:169 in <nixpkgs>.

5.1.5.13. lib.lists.findFirst

findFirst :: (a -> bool) -> a -> [a] -> a

Find the first element in the list matching the specified predicate or return `default` if no such element exists.

pred

Predicate

default

Default value to return

list

Input list

Example 5.113. lib.lists.findFirst usage example

findFirst (x: x > 3) 7 [ 1 6 4 ]
=> 6
findFirst (x: x > 9) 7 [ 1 6 4 ]
=> 7


Located at lib/lists.nix:194 in <nixpkgs>.

5.1.5.14. lib.lists.any

any :: (a -> bool) -> [a] -> bool

Return true if function `pred` returns true for at least one element of `list`.

Example 5.114. lib.lists.any usage example

any isString [ 1 "a" { } ]
=> true
any isString [ 1 { } ]
=> false


Located at lib/lists.nix:215 in <nixpkgs>.

5.1.5.15. lib.lists.all

all :: (a -> bool) -> [a] -> bool

Return true if function `pred` returns true for all elements of `list`.

Example 5.115. lib.lists.all usage example

all (x: x < 3) [ 1 2 ]
=> true
all (x: x < 3) [ 1 2 3 ]
=> false


Located at lib/lists.nix:228 in <nixpkgs>.

5.1.5.16. lib.lists.count

count :: (a -> bool) -> [a] -> int

Count how many elements of `list` match the supplied predicate function.

pred

Predicate

Example 5.116. lib.lists.count usage example

count (x: x == 3) [ 3 2 3 4 6 ]
=> 2


Located at lib/lists.nix:239 in <nixpkgs>.

5.1.5.17. lib.lists.optional

optional :: bool -> a -> [a]

Return a singleton list or an empty list, depending on a boolean value. Useful when building lists with optional elements (e.g. `++ optional (system == "i686-linux") firefox').

cond

Function argument

elem

Function argument

Example 5.117. lib.lists.optional usage example

optional true "foo"
=> [ "foo" ]
optional false "foo"
=> [ ]


Located at lib/lists.nix:255 in <nixpkgs>.

5.1.5.18. lib.lists.optionals

optionals :: bool -> [a] -> [a]

Return a list or an empty list, depending on a boolean value.

cond

Condition

elems

List to return if condition is true

Example 5.118. lib.lists.optionals usage example

optionals true [ 2 3 ]
=> [ 2 3 ]
optionals false [ 2 3 ]
=> [ ]


Located at lib/lists.nix:267 in <nixpkgs>.

5.1.5.19. lib.lists.toList

If argument is a list, return it; else, wrap it in a singleton list. If you're using this, you should almost certainly reconsider if there isn't a more "well-typed" approach.

x

Function argument

Example 5.119. lib.lists.toList usage example

toList [ 1 2 ]
=> [ 1 2 ]
toList "hi"
=> [ "hi "]


Located at lib/lists.nix:284 in <nixpkgs>.

5.1.5.20. lib.lists.range

range :: int -> int -> [int]

Return a list of integers from `first' up to and including `last'.

first

First integer in the range

last

Last integer in the range

Example 5.120. lib.lists.range usage example

range 2 4
=> [ 2 3 4 ]
range 3 2
=> [ ]


Located at lib/lists.nix:296 in <nixpkgs>.

5.1.5.21. lib.lists.partition

(a -> bool) -> [a] -> { right :: [a], wrong :: [a] }

Splits the elements of a list in two lists, `right` and `wrong`, depending on the evaluation of a predicate.

Example 5.121. lib.lists.partition usage example

partition (x: x > 2) [ 5 1 2 3 4 ]
=> { right = [ 5 3 4 ]; wrong = [ 1 2 ]; }


Located at lib/lists.nix:315 in <nixpkgs>.

5.1.5.22. lib.lists.groupBy'

Splits the elements of a list into many lists, using the return value of a predicate. Predicate should return a string which becomes keys of attrset `groupBy' returns.

`groupBy'` allows to customise the combining function and initial value

op

Function argument

nul

Function argument

pred

Function argument

lst

Function argument

Example 5.122. lib.lists.groupBy' usage example

groupBy (x: boolToString (x > 2)) [ 5 1 2 3 4 ]
=> { true = [ 5 3 4 ]; false = [ 1 2 ]; }
groupBy (x: x.name) [ {name = "icewm"; script = "icewm &";}
{name = "xfce";  script = "xfce4-session &";}
{name = "icewm"; script = "icewmbg &";}
{name = "mate";  script = "gnome-session &";}
]
=> { icewm = [ { name = "icewm"; script = "icewm &"; }
{ name = "icewm"; script = "icewmbg &"; } ];
mate  = [ { name = "mate";  script = "gnome-session &"; } ];
xfce  = [ { name = "xfce";  script = "xfce4-session &"; } ];
}

groupBy' builtins.add 0 (x: boolToString (x > 2)) [ 5 1 2 3 4 ]
=> { true = 12; false = 3; }


Located at lib/lists.nix:344 in <nixpkgs>.

5.1.5.23. lib.lists.zipListsWith

zipListsWith :: (a -> b -> c) -> [a] -> [b] -> [c]

Merges two lists of the same size together. If the sizes aren't the same the merging stops at the shortest. How both lists are merged is defined by the first argument.

f

Function to zip elements of both lists

fst

First list

snd

Second list

Example 5.123. lib.lists.zipListsWith usage example

zipListsWith (a: b: a + b) ["h" "l"] ["e" "o"]
=> ["he" "lo"]


Located at lib/lists.nix:364 in <nixpkgs>.

5.1.5.24. lib.lists.zipLists

zipLists :: [a] -> [b] -> [{ fst :: a, snd :: b}]

Merges two lists of the same size together. If the sizes aren't the same the merging stops at the shortest.

Example 5.124. lib.lists.zipLists usage example

zipLists [ 1 2 ] [ "a" "b" ]
=> [ { fst = 1; snd = "a"; } { fst = 2; snd = "b"; } ]


Located at lib/lists.nix:383 in <nixpkgs>.

5.1.5.25. lib.lists.reverseList

reverseList :: [a] -> [a]

Reverse the order of the elements of a list.

xs

Function argument

Example 5.125. lib.lists.reverseList usage example


reverseList [ "b" "o" "j" ]
=> [ "j" "o" "b" ]


Located at lib/lists.nix:394 in <nixpkgs>.

5.1.5.26. lib.lists.listDfs

Depth-First Search (DFS) for lists `list != []`.

`before a b == true` means that `b` depends on `a` (there's an edge from `b` to `a`).

stopOnCycles

Function argument

before

Function argument

list

Function argument

Example 5.126. lib.lists.listDfs usage example

listDfs true hasPrefix [ "/home/user" "other" "/" "/home" ]
== { minimal = "/";                  # minimal element
visited = [ "/home/user" ];     # seen elements (in reverse order)
rest    = [ "/home" "other" ];  # everything else
}

listDfs true hasPrefix [ "/home/user" "other" "/" "/home" "/" ]
== { cycle   = "/";                  # cycle encountered at this element
loops   = [ "/" ];              # and continues to these elements
visited = [ "/" "/home/user" ]; # elements leading to the cycle (in reverse order)
rest    = [ "/home" "other" ];  # everything else


Located at lib/lists.nix:416 in <nixpkgs>.

5.1.5.27. lib.lists.toposort

Sort a list based on a partial ordering using DFS. This implementation is O(N^2), if your ordering is linear, use `sort` instead.

`before a b == true` means that `b` should be after `a` in the result.

before

Function argument

list

Function argument

Example 5.127. lib.lists.toposort usage example


toposort hasPrefix [ "/home/user" "other" "/" "/home" ]
== { result = [ "/" "/home" "/home/user" "other" ]; }

toposort hasPrefix [ "/home/user" "other" "/" "/home" "/" ]
== { cycle = [ "/home/user" "/" "/" ]; # path leading to a cycle
loops = [ "/" ]; }                # loops back to these elements

toposort hasPrefix [ "other" "/home/user" "/home" "/" ]
== { result = [ "other" "/" "/home" "/home/user" ]; }

toposort (a: b: a < b) [ 3 2 1 ] == { result = [ 1 2 3 ]; }


Located at lib/lists.nix:455 in <nixpkgs>.

5.1.5.28. lib.lists.sort

Sort a list based on a comparator function which compares two elements and returns true if the first argument is strictly below the second argument. The returned list is sorted in an increasing order. The implementation does a quick-sort.

Example 5.128. lib.lists.sort usage example

sort (a: b: a < b) [ 5 3 7 ]
=> [ 3 5 7 ]


Located at lib/lists.nix:483 in <nixpkgs>.

5.1.5.29. lib.lists.compareLists

Compare two lists element-by-element.

cmp

Function argument

a

Function argument

b

Function argument

Example 5.129. lib.lists.compareLists usage example

compareLists compare [] []
=> 0
compareLists compare [] [ "a" ]
=> -1
compareLists compare [ "a" ] []
=> 1
compareLists compare [ "a" "b" ] [ "a" "c" ]
=> -1


Located at lib/lists.nix:512 in <nixpkgs>.

5.1.5.30. lib.lists.naturalSort

Sort list using "Natural sorting". Numeric portions of strings are sorted in numeric order.

lst

Function argument

Example 5.130. lib.lists.naturalSort usage example

naturalSort ["disk11" "disk8" "disk100" "disk9"]
=> ["disk8" "disk9" "disk11" "disk100"]
naturalSort ["10.46.133.149" "10.5.16.62" "10.54.16.25"]
=> ["10.5.16.62" "10.46.133.149" "10.54.16.25"]
naturalSort ["v0.2" "v0.15" "v0.0.9"]
=> [ "v0.0.9" "v0.2" "v0.15" ]


Located at lib/lists.nix:535 in <nixpkgs>.

5.1.5.31. lib.lists.take

take :: int -> [a] -> [a]

Return the first (at most) N elements of a list.

count

Number of elements to take

Example 5.131. lib.lists.take usage example

take 2 [ "a" "b" "c" "d" ]
=> [ "a" "b" ]
take 2 [ ]
=> [ ]


Located at lib/lists.nix:553 in <nixpkgs>.

5.1.5.32. lib.lists.drop

drop :: int -> [a] -> [a]

Remove the first (at most) N elements of a list.

count

Number of elements to drop

list

Input list

Example 5.132. lib.lists.drop usage example

drop 2 [ "a" "b" "c" "d" ]
=> [ "c" "d" ]
drop 2 [ ]
=> [ ]


Located at lib/lists.nix:567 in <nixpkgs>.

5.1.5.33. lib.lists.sublist

sublist :: int -> int -> [a] -> [a]

Return a list consisting of at most `count` elements of `list`, starting at index `start`.

start

Index at which to start the sublist

count

Number of elements to take

list

Input list

Example 5.133. lib.lists.sublist usage example

sublist 1 3 [ "a" "b" "c" "d" "e" ]
=> [ "b" "c" "d" ]
sublist 1 3 [ ]
=> [ ]


Located at lib/lists.nix:584 in <nixpkgs>.

5.1.5.34. lib.lists.last

last :: [a] -> a

Return the last element of a list.

This function throws an error if the list is empty.

list

Function argument

Example 5.134. lib.lists.last usage example

last [ 1 2 3 ]
=> 3


Located at lib/lists.nix:608 in <nixpkgs>.

5.1.5.35. lib.lists.init

init :: [a] -> [a]

Return all elements but the last.

This function throws an error if the list is empty.

list

Function argument

Example 5.135. lib.lists.init usage example

init [ 1 2 3 ]
=> [ 1 2 ]


Located at lib/lists.nix:622 in <nixpkgs>.

5.1.5.36. lib.lists.crossLists

Return the image of the cross product of some lists by a function.

Example 5.136. lib.lists.crossLists usage example

crossLists (x:y: "${toString x}${toString y}") [[1 2] [3 4]]
=> [ "13" "14" "23" "24" ]


Located at lib/lists.nix:633 in <nixpkgs>.

5.1.5.37. lib.lists.unique

unique :: [a] -> [a]

Remove duplicate elements from the list. O(n^2) complexity.

Example 5.137. lib.lists.unique usage example

unique [ 3 2 3 4 ]
=> [ 3 2 4 ]


Located at lib/lists.nix:646 in <nixpkgs>.

5.1.5.38. lib.lists.intersectLists

Intersects list 'e' and another list. O(nm) complexity.

e

Function argument

Example 5.138. lib.lists.intersectLists usage example

intersectLists [ 1 2 3 ] [ 6 3 2 ]
=> [ 3 2 ]


Located at lib/lists.nix:654 in <nixpkgs>.

5.1.5.39. lib.lists.subtractLists

Subtracts list 'e' from another list. O(nm) complexity.

e

Function argument

Example 5.139. lib.lists.subtractLists usage example

subtractLists [ 3 2 ] [ 1 2 3 4 5 3 ]
=> [ 1 4 5 ]


Located at lib/lists.nix:662 in <nixpkgs>.

5.1.5.40. lib.lists.mutuallyExclusive

Test if two lists have no common element. It should be slightly more efficient than (intersectLists a b == [])

a

Function argument

b

Function argument

Located at lib/lists.nix:667 in <nixpkgs>.

5.1.6. Debugging functions

5.1.6.1. lib.debug.traceIf

traceIf :: bool -> string -> a -> a

Conditionally trace the supplied message, based on a predicate.

pred

Predicate to check

msg

Message that should be traced

x

Value to return

Example 5.140. lib.debug.traceIf usage example

traceIf true "hello" 3
trace: hello
=> 3


Located at lib/debug.nix:51 in <nixpkgs>.

5.1.6.2. lib.debug.traceValFn

traceValFn :: (a -> b) -> a -> a

Trace the supplied value after applying a function to it, and return the original value.

f

Function to apply

x

Value to trace and return

Example 5.141. lib.debug.traceValFn usage example

traceValFn (v: "mystring ${v}") "foo"
trace: mystring foo
=> "foo"


Located at lib/debug.nix:69 in <nixpkgs>.

5.1.6.3. lib.debug.traceVal

traceVal :: a -> a

Trace the supplied value and return it.

Example 5.142. lib.debug.traceVal usage example

traceVal 42
# trace: 42
=> 42


Located at lib/debug.nix:84 in <nixpkgs>.

5.1.6.4. lib.debug.traceSeq

traceSeq :: a -> b -> b

`builtins.trace`, but the value is `builtins.deepSeq`ed first.

x

The value to trace

y

The value to return

Example 5.143. lib.debug.traceSeq usage example

trace { a.b.c = 3; } null
trace: { a = <CODE>; }
=> null
traceSeq { a.b.c = 3; } null
trace: { a = { b = { c = 3; }; }; }
=> null


Located at lib/debug.nix:98 in <nixpkgs>.

5.1.6.5. lib.debug.traceSeqN

Like `traceSeq`, but only evaluate down to depth n. This is very useful because lots of `traceSeq` usages lead to an infinite recursion.

depth

Function argument

x

Function argument

y

Function argument

Example 5.144. lib.debug.traceSeqN usage example

traceSeqN 2 { a.b.c = 3; } null
trace: { a = { b = {…}; }; }
=> null


Located at lib/debug.nix:113 in <nixpkgs>.

5.1.6.6. lib.debug.traceValSeqFn

A combination of `traceVal` and `traceSeq` that applies a provided function to the value to be traced after `deepSeq`ing it.

f

Function to apply

v

Value to trace

Located at lib/debug.nix:130 in <nixpkgs>.

5.1.6.7. lib.debug.traceValSeq

A combination of `traceVal` and `traceSeq`.

Located at lib/debug.nix:137 in <nixpkgs>.

5.1.6.8. lib.debug.traceValSeqNFn

A combination of `traceVal` and `traceSeqN` that applies a provided function to the value to be traced.

f

Function to apply

depth

Function argument

v

Value to trace

Located at lib/debug.nix:141 in <nixpkgs>.

5.1.6.9. lib.debug.traceValSeqN

A combination of `traceVal` and `traceSeqN`.

Located at lib/debug.nix:149 in <nixpkgs>.

5.1.6.10. lib.debug.traceFnSeqN

Trace the input and output of a function `f` named `name`, both down to `depth`.

This is useful for adding around a function call, to see the before/after of values as they are transformed.

depth

Function argument

name

Function argument

f

Function argument

v

Function argument

Example 5.145. lib.debug.traceFnSeqN usage example

traceFnSeqN 2 "id" (x: x) { a.b.c = 3; }
trace: { fn = "id"; from = { a.b = {…}; }; to = { a.b = {…}; }; }
=> { a.b.c = 3; }


Located at lib/debug.nix:162 in <nixpkgs>.

5.1.6.11. lib.debug.runTests

Evaluate a set of tests. A test is an attribute set `{expr, expected}`, denoting an expression and its expected result. The result is a list of failed tests, each represented as `{name, expected, actual}`, denoting the attribute name of the failing test and its expected and actual results.

Used for regression testing of the functions in lib; see tests.nix for an example. Only tests having names starting with "test" are run.

Add attr { tests = ["testName"]; } to run these tests only.

tests

Tests to run

Located at lib/debug.nix:188 in <nixpkgs>.

5.1.6.12. lib.debug.testAllTrue

Create a test assuming that list elements are `true`.

expr

Function argument

Example 5.146. lib.debug.testAllTrue usage example

{ testX = allTrue [ true ]; }


Located at lib/debug.nix:204 in <nixpkgs>.

5.1.7. NixOS / nixpkgs option handling

5.1.7.1. lib.options.isOption

isOption :: a -> bool

Returns true when the given argument is an option

Example 5.147. lib.options.isOption usage example

isOption 1             // => false
isOption (mkOption {}) // => true


Located at lib/options.nix:50 in <nixpkgs>.

5.1.7.2. lib.options.mkOption

Creates an Option attribute set. mkOption accepts an attribute set with the following keys:

All keys default to `null` when not given.

pattern

Structured function argument

default

Default value used when no definition is given in the configuration.

defaultText

Textual representation of the default, for the manual.

example

Example value used in the manual.

description

String describing the option.

relatedPackages

Related packages used in the manual (see `genRelatedPackages` in ../nixos/lib/make-options-doc/default.nix).

type

Option type, providing type-checking and value merging.

apply

Function that converts the option value to something else.

internal

Whether the option is for NixOS developers only.

visible

Whether the option shows up in the manual. Default: true. Use false to hide the option and any sub-options from submodules. Use "shallow" to hide only sub-options.

readOnly

Whether the option can be set only once

Example 5.148. lib.options.mkOption usage example

mkOption { }  // => { _type = "option"; }
mkOption { default = "foo"; } // => { _type = "option"; default = "foo"; }


Located at lib/options.nix:60 in <nixpkgs>.

5.1.7.3. lib.options.mkEnableOption

Creates an Option attribute set for a boolean value option i.e an option to be toggled on or off:

name

Name for the created option

Example 5.149. lib.options.mkEnableOption usage example

mkEnableOption "foo"
=> { _type = "option"; default = false; description = "Whether to enable foo."; example = true; type = { ... }; }


Located at lib/options.nix:92 in <nixpkgs>.

5.1.7.4. lib.options.mkPackageOption

mkPackageOption :: pkgs -> string -> { default :: [string], example :: null | string | [string] } -> optionThe package is specified as a list of strings representing its attribute path in nixpkgs.Because of this, you need to pass nixpkgs itself as the first argument.The second argument is the name of the option, used in the description "The <name> package to use.".You can also pass an example value, either a literal string or a package's attribute path.You can omit the default path if the name of the option is also attribute path in nixpkgs.

Creates an Option attribute set for an option that specifies the package a module should use for some purpose.

pkgs

Package set (a specific version of nixpkgs)

name

Name for the package, shown in option description

pattern

Structured function argument

default

Function argument

example

Function argument

Example 5.150. lib.options.mkPackageOption usage example

mkPackageOption pkgs "hello" { }
=> { _type = "option"; default = «derivation /nix/store/3r2vg51hlxj3cx5vscp0vkv60bqxkaq0-hello-2.10.drv»; defaultText = { ... }; description = "The hello package to use."; type = { ... }; }


mkPackageOption pkgs "GHC" {
default = [ "ghc" ];
example = "pkgs.haskell.packages.ghc92.ghc.withPackages (hkgs: [ hkgs.primes ])";
}
=> { _type = "option"; default = «derivation /nix/store/jxx55cxsjrf8kyh3fp2ya17q99w7541r-ghc-8.10.7.drv»; defaultText = { ... }; description = "The GHC package to use."; example = { ... }; type = { ... }; }


Located at lib/options.nix:130 in <nixpkgs>.

5.1.7.5. lib.options.mkPackageOptionMD

Like mkPackageOption, but emit an mdDoc description instead of DocBook.

args

Function argument

name

Function argument

extra

Function argument

Located at lib/options.nix:148 in <nixpkgs>.

5.1.7.6. lib.options.mkSinkUndeclaredOptions

This option accepts anything, but it does not produce any result.

This is useful for sharing a module across different module sets without having to implement similar features as long as the values of the options are not accessed.

attrs

Function argument

Located at lib/options.nix:157 in <nixpkgs>.

5.1.7.7. lib.options.mergeEqualOption

"Merge" option definitions by checking that they all have the same value.

loc

Function argument

defs

Function argument

Located at lib/options.nix:190 in <nixpkgs>.

5.1.7.8. lib.options.getValues

getValues :: [ { value :: a } ] -> [a]

Extracts values of all "value" keys of the given list.

Example 5.151. lib.options.getValues usage example

getValues [ { value = 1; } { value = 2; } ] // => [ 1 2 ]
getValues [ ]                               // => [ ]


Located at lib/options.nix:210 in <nixpkgs>.

5.1.7.9. lib.options.getFiles

getFiles :: [ { file :: a } ] -> [a]

Extracts values of all "file" keys of the given list

Example 5.152. lib.options.getFiles usage example

getFiles [ { file = "file1"; } { file = "file2"; } ] // => [ "file1" "file2" ]
getFiles [ ]                                         // => [ ]


Located at lib/options.nix:220 in <nixpkgs>.

5.1.7.10. lib.options.scrubOptionValue

This function recursively removes all derivation attributes from `x` except for the `name` attribute.

This is to make the generation of `options.xml` much more efficient: the XML representation of derivations is very large (on the order of megabytes) and is not actually used by the manual generator.

x

Function argument

Located at lib/options.nix:265 in <nixpkgs>.

5.1.7.11. lib.options.literalExpression

For use in the `defaultText` and `example` option attributes. Causes the given string to be rendered verbatim in the documentation as Nix code. This is necessary for complex values, e.g. functions, or values that depend on other values or packages.

text

Function argument

Located at lib/options.nix:278 in <nixpkgs>.

5.1.7.12. lib.options.literalDocBook

For use in the `defaultText` and `example` option attributes. Causes the given DocBook text to be inserted verbatim in the documentation, for when a `literalExpression` would be too hard to read.

text

Function argument

Located at lib/options.nix:289 in <nixpkgs>.

5.1.7.13. lib.options.mdDoc

Transition marker for documentation that's already migrated to markdown syntax.

text

Function argument

Located at lib/options.nix:299 in <nixpkgs>.

5.1.7.14. lib.options.literalMD

For use in the `defaultText` and `example` option attributes. Causes the given MD text to be inserted verbatim in the documentation, for when a `literalExpression` would be too hard to read.

text

Function argument

Located at lib/options.nix:307 in <nixpkgs>.

5.1.7.15. lib.options.showOption

Convert an option, described as a list of the option parts in to a safe, human readable version.

parts

Function argument

Example 5.153. lib.options.showOption usage example

(showOption ["foo" "bar" "baz"]) == "foo.bar.baz"
(showOption ["foo" "bar.baz" "tux"]) == "foo.bar.baz.tux"

Placeholders will not be quoted as they are not actual values:
(showOption ["foo" "*" "bar"]) == "foo.*.bar"
(showOption ["foo" "<name>" "bar"]) == "foo.<name>.bar"

Unlike attributes, options can also start with numbers:
(showOption ["windowManager" "2bwm" "enable"]) == "windowManager.2bwm.enable"


Located at lib/options.nix:327 in <nixpkgs>.

5.1.8. Filesystem functions

5.1.8.1. lib.filesystem.haskellPathsInDir

Path -> Map String Path

A map of all haskell packages defined in the given path, identified by having a cabal file with the same name as the directory itself.

root

The directory within to search

Located at lib/filesystem.nix:18 in <nixpkgs>.

5.1.8.2. lib.filesystem.locateDominatingFile

RegExp -> Path -> Nullable { path : Path; matches : [ MatchResults ]; }

Find the first directory containing a file matching 'pattern' upward from a given 'file'. Returns 'null' if no directories contain a file matching 'pattern'.

pattern

The pattern to search for

file

The file to start searching upward from

Located at lib/filesystem.nix:41 in <nixpkgs>.

5.1.8.3. lib.filesystem.listFilesRecursive

Path -> [ Path ]

Given a directory, return a flattened list of all files within it recursively.

dir

The path to recursively list

Located at lib/filesystem.nix:69 in <nixpkgs>.

5.1.9. Source filtering functions

5.1.9.1. lib.sources.pathType

Returns the type of a path: regular (for file), symlink, or directory.

path

Function argument

Located at lib/sources.nix:274 in <nixpkgs>.

5.1.9.2. lib.sources.pathIsDirectory

Returns true if the path exists and is a directory, false otherwise.

path

Function argument

Located at lib/sources.nix:274 in <nixpkgs>.

5.1.9.3. lib.sources.pathIsRegularFile

Returns true if the path exists and is a regular file, false otherwise.

path

Function argument

Located at lib/sources.nix:274 in <nixpkgs>.

5.1.9.4. lib.sources.cleanSourceFilter

A basic filter for `cleanSourceWith` that removes directories of version control system, backup files (*~) and some generated files.

name

Function argument

type

Function argument

Located at lib/sources.nix:274 in <nixpkgs>.

5.1.9.5. lib.sources.cleanSource

Filters a source tree removing version control files and directories using cleanSourceFilter.

src

Function argument

Example 5.154. lib.sources.cleanSource usage example

cleanSource ./.


Located at lib/sources.nix:274 in <nixpkgs>.

5.1.9.6. lib.sources.cleanSourceWith

Like `builtins.filterSource`, except it will compose with itself, allowing you to chain multiple calls together without any intermediate copies being put in the nix store.

pattern

Structured function argument

src

A path or cleanSourceWith result to filter and/or rename.

filter

Optional with default value: constant true (include everything)

name

Optional name to use as part of the store path.

Example 5.155. lib.sources.cleanSourceWith usage example

lib.cleanSourceWith {
filter = f;
src = lib.cleanSourceWith {
filter = g;
src = ./.;
};
}
# Succeeds!

builtins.filterSource f (builtins.filterSource g ./.)
# Fails!


Located at lib/sources.nix:274 in <nixpkgs>.

5.1.9.7. lib.sources.trace

sources.trace :: sourceLike -> Source

Add logging to a source, for troubleshooting the filtering behavior.

src

Source to debug. The returned source will behave like this source, but also log its filter invocations.

Located at lib/sources.nix:274 in <nixpkgs>.

5.1.9.8. lib.sources.sourceByRegex

Filter sources by a list of regular expressions.

src

Function argument

regexes

Function argument

Example 5.156. lib.sources.sourceByRegex usage example

src = sourceByRegex ./my-subproject [".*\.py$" "^database.sql$"]


Located at lib/sources.nix:274 in <nixpkgs>.

5.1.9.9. lib.sources.sourceFilesBySuffices

sourceLike -> [String] -> Source

Get all files ending with the specified suffices from the given source directory or its descendants, omitting files that do not match any suffix. The result of the example below will include files like `./dir/module.c` and `./dir/subdir/doc.xml` if present.

src

Path or source containing the files to be returned

exts

A list of file suffix strings

Example 5.157. lib.sources.sourceFilesBySuffices usage example

sourceFilesBySuffices ./. [ ".xml" ".c" ]


Located at lib/sources.nix:274 in <nixpkgs>.

5.1.9.10. lib.sources.commitIdFromGitRepo

Get the commit id of a git repo.

path

Function argument

Example 5.158. lib.sources.commitIdFromGitRepo usage example

commitIdFromGitRepo <nixpkgs/.git>


Located at lib/sources.nix:274 in <nixpkgs>.

5.2. Generators

Generators are functions that create file formats from nix data structures, e. g. for configuration files. There are generators available for: INI, JSON and YAML

All generators follow a similar call interface: generatorName configFunctions data, where configFunctions is an attrset of user-defined functions that format nested parts of the content. They each have common defaults, so often they do not need to be set manually. An example is mkSectionName ? (name: libStr.escape [ "[" "]" ] name) from the INI generator. It receives the name of a section and sanitizes it. The default mkSectionName escapes [ and ] with a backslash.

Generators can be fine-tuned to produce exactly the file format required by your application/service. One example is an INI-file format which uses : as separator, the strings "yes"/"no" as boolean values and requires all string values to be quoted: 

with lib;
let
  customToINI = generators.toINI {
    # specifies how to format a key/value pair
    mkKeyValue = generators.mkKeyValueDefault {
      # specifies the generated string for a subset of nix values
      mkValueString = v:
             if v == true then ''"yes"''
        else if v == false then ''"no"''
        else if isString v then ''"${v}"''
        # and delegats all other values to the default generator
        else generators.mkValueStringDefault {} v;
    } ":";
  };

# the INI file can now be given as plain old nix values
in customToINI {
  main = {
    pushinfo = true;
    autopush = false;
    host = "localhost";
    port = 42;
  };
  mergetool = {
    merge = "diff3";
  };
}

This will produce the following INI file as nix string: 

[main]
autopush:"no"
host:"localhost"
port:42
pushinfo:"yes"
str\:ange:"very::strange"

[mergetool]
merge:"diff3"

Detailed documentation for each generator can be found in lib/generators.nix.

5.3. Debugging Nix Expressions

Nix is a unityped, dynamic language, this means every value can potentially appear anywhere. Since it is also non-strict, evaluation order and what ultimately is evaluated might surprise you. Therefore it is important to be able to debug nix expressions.

In the lib/debug.nix file you will find a number of functions that help (pretty-)printing values while evaluation is running. You can even specify how deep these values should be printed recursively, and transform them on the fly. Please consult the docstrings in lib/debug.nix for usage information.

5.4. prefer-remote-fetch overlay

prefer-remote-fetch is an overlay that download sources on remote builder. This is useful when the evaluating machine has a slow upload while the builder can fetch faster directly from the source. To use it, put the following snippet as a new overlay: 

self: super:
  (super.prefer-remote-fetch self super)

A full configuration example for that sets the overlay up for your own account, could look like this 

$ mkdir ~/.config/nixpkgs/overlays/
$ cat > ~/.config/nixpkgs/overlays/prefer-remote-fetch.nix <<EOF
  self: super: super.prefer-remote-fetch self super
EOF

5.5. pkgs.nix-gitignore

pkgs.nix-gitignore is a function that acts similarly to builtins.filterSource but also allows filtering with the help of the gitignore format.

5.5.1. Usage

pkgs.nix-gitignore exports a number of functions, but you'll most likely need either gitignoreSource or gitignoreSourcePure. As their first argument, they both accept either 1. a file with gitignore lines or 2. a string with gitignore lines, or 3. a list of either of the two. They will be concatenated into a single big string. 

{ pkgs ? import <nixpkgs> {} }:

 nix-gitignore.gitignoreSource [] ./source
     # Simplest version

 nix-gitignore.gitignoreSource "supplemental-ignores\n" ./source
     # This one reads the ./source/.gitignore and concats the auxiliary ignores

 nix-gitignore.gitignoreSourcePure "ignore-this\nignore-that\n" ./source
     # Use this string as gitignore, don't read ./source/.gitignore.

 nix-gitignore.gitignoreSourcePure ["ignore-this\nignore-that\n", ~/.gitignore] ./source
     # It also accepts a list (of strings and paths) that will be concatenated
     # once the paths are turned to strings via readFile.

These functions are derived from the Filter functions by setting the first filter argument to (_: _: true): 

gitignoreSourcePure = gitignoreFilterSourcePure (_: _: true);
gitignoreSource = gitignoreFilterSource (_: _: true);

Those filter functions accept the same arguments the builtins.filterSource function would pass to its filters, thus fn: gitignoreFilterSourcePure fn "" should be extensionally equivalent to filterSource. The file is blacklisted if it's blacklisted by either your filter or the gitignoreFilter.

If you want to make your own filter from scratch, you may use 

gitignoreFilter = ign: root: filterPattern (gitignoreToPatterns ign) root;

5.5.2. gitignore files in subdirectories

If you wish to use a filter that would search for .gitignore files in subdirectories, just like git does by default, use this function: 

gitignoreFilterRecursiveSource = filter: patterns: root:
# OR
gitignoreRecursiveSource = gitignoreFilterSourcePure (_: _: true);

Part II. Standard environment

Table of Contents

6. The Standard Environment
7. Meta-attributes
8. Multiple-output packages
9. Cross-compilation
10. Platform Notes

Chapter 6. The Standard Environment

Table of Contents

6.1. Using stdenv
6.2. Tools provided by stdenv
6.3. Specifying dependencies
6.4. Attributes
6.5. Phases
6.6. Shell functions and utilities
6.7. Package setup hooks
6.8. Purity in Nixpkgs
6.9. Hardening in Nixpkgs

The standard build environment in the Nix Packages collection provides an environment for building Unix packages that does a lot of common build tasks automatically. In fact, for Unix packages that use the standard ./configure; make; make install build interface, you don’t need to write a build script at all; the standard environment does everything automatically. If stdenv doesn’t do what you need automatically, you can easily customise or override the various build phases.

6.1. Using stdenv

To build a package with the standard environment, you use the function stdenv.mkDerivation, instead of the primitive built-in function derivation, e.g. 

stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  src = fetchurl {
    url = "http://example.org/libfoo-1.2.3.tar.bz2";
    sha256 = "0x2g1jqygyr5wiwg4ma1nd7w4ydpy82z9gkcv8vh2v8dn3y58v5m";
  };
}

(stdenv needs to be in scope, so if you write this in a separate Nix expression from pkgs/all-packages.nix, you need to pass it as a function argument.) Specifying a name and a src is the absolute minimum Nix requires. For convenience, you can also use pname and version attributes and mkDerivation will automatically set name to "${pname}-${version}" by default. Since RFC 0035, this is preferred for packages in Nixpkgs, as it allows us to reuse the version easily: 

stdenv.mkDerivation rec {
  pname = "libfoo";
  version = "1.2.3";
  src = fetchurl {
    url = "http://example.org/libfoo-source-${version}.tar.bz2";
    sha256 = "0x2g1jqygyr5wiwg4ma1nd7w4ydpy82z9gkcv8vh2v8dn3y58v5m";
  };
}

Many packages have dependencies that are not provided in the standard environment. It’s usually sufficient to specify those dependencies in the buildInputs attribute: 

stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  ...
  buildInputs = [libbar perl ncurses];
}

This attribute ensures that the bin subdirectories of these packages appear in the PATH environment variable during the build, that their include subdirectories are searched by the C compiler, and so on. (See Section 6.7, “Package setup hooks” for details.)

Often it is necessary to override or modify some aspect of the build. To make this easier, the standard environment breaks the package build into a number of phases, all of which can be overridden or modified individually: unpacking the sources, applying patches, configuring, building, and installing. (There are some others; see Section 6.5, “Phases”.) For instance, a package that doesn’t supply a makefile but instead has to be compiled manually could be handled like this: 

stdenv.mkDerivation {
  name = "fnord-4.5";
  ...
  buildPhase = ''
    gcc foo.c -o foo
  '';
  installPhase = ''
    mkdir -p $out/bin
    cp foo $out/bin
  '';
}

(Note the use of ''-style string literals, which are very convenient for large multi-line script fragments because they don’t need escaping of " and \, and because indentation is intelligently removed.)

There are many other attributes to customise the build. These are listed in Section 6.4, “Attributes”.

While the standard environment provides a generic builder, you can still supply your own build script: 

stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  ...
  builder = ./builder.sh;
}

where the builder can do anything it wants, but typically starts with 

source $stdenv/setup

to let stdenv set up the environment (e.g. by resetting PATH and populating it from build inputs). If you want, you can still use stdenv’s generic builder: 

source $stdenv/setup

buildPhase() {
  echo "... this is my custom build phase ..."
  gcc foo.c -o foo
}

installPhase() {
  mkdir -p $out/bin
  cp foo $out/bin
}

genericBuild

6.2. Tools provided by stdenv

The standard environment provides the following packages:

  • The GNU C Compiler, configured with C and C++ support.

  • GNU coreutils (contains a few dozen standard Unix commands).

  • GNU findutils (contains find).

  • GNU diffutils (contains diff, cmp).

  • GNU sed.

  • GNU grep.

  • GNU awk.

  • GNU tar.

  • gzip, bzip2 and xz.

  • GNU Make.

  • Bash. This is the shell used for all builders in the Nix Packages collection. Not using /bin/sh removes a large source of portability problems.

  • The patch command.

On Linux, stdenv also includes the patchelf utility.

6.3. Specifying dependencies

As described in the Nix manual, almost any *.drv store path in a derivation’s attribute set will induce a dependency on that derivation. mkDerivation, however, takes a few attributes intended to include all the dependencies of a package. This is done both for structure and consistency, but also so that certain other setup can take place. For example, certain dependencies need their bin directories added to the PATH. That is built-in, but other setup is done via a pluggable mechanism that works in conjunction with these dependency attributes. See Section 6.7, “Package setup hooks” for details.

Dependencies can be broken down along three axes: their host and target platforms relative to the new derivation’s, and whether they are propagated. The platform distinctions are motivated by cross compilation; see Chapter 9, Cross-compilation for exactly what each platform means. [1] But even if one is not cross compiling, the platforms imply whether or not the dependency is needed at run-time or build-time, a concept that makes perfect sense outside of cross compilation. By default, the run-time/build-time distinction is just a hint for mental clarity, but with strictDeps set it is mostly enforced even in the native case.

The extension of PATH with dependencies, alluded to above, proceeds according to the relative platforms alone. The process is carried out only for dependencies whose host platform matches the new derivation’s build platform i.e. dependencies which run on the platform where the new derivation will be built. [2] For each dependency <dep> of those dependencies, dep/bin, if present, is added to the PATH environment variable.

A dependency is said to be propagated when some of its other-transitive (non-immediate) downstream dependencies also need it as an immediate dependency. [3]

It is important to note that dependencies are not necessarily propagated as the same sort of dependency that they were before, but rather as the corresponding sort so that the platform rules still line up. To determine the exact rules for dependency propagation, we start by assigning to each dependency a couple of ternary numbers (-1 for build, 0 for host, and 1 for target) representing its dependency type, which captures how its host and target platforms are each offset from the depending derivation’s host and target platforms. The following table summarize the different combinations that can be obtained:

host → target attribute name offset
build --> build depsBuildBuild -1, -1
build --> host nativeBuildInputs -1, 0
build --> target depsBuildTarget -1, 1
host --> host depsHostHost 0, 0
host --> target buildInputs 0, 1
target --> target depsTargetTarget 1, 1

Algorithmically, we traverse propagated inputs, accumulating every propagated dependency’s propagated dependencies and adjusting them to account for the “shift in perspective” described by the current dependency’s platform offsets. This results is sort of a transitive closure of the dependency relation, with the offsets being approximately summed when two dependency links are combined. We also prune transitive dependencies whose combined offsets go out-of-bounds, which can be viewed as a filter over that transitive closure removing dependencies that are blatantly absurd.

We can define the process precisely with Natural Deduction using the inference rules. This probably seems a bit obtuse, but so is the bash code that actually implements it! [4] They’re confusing in very different ways so… hopefully if something doesn’t make sense in one presentation, it will in the other! 

let mapOffset(h, t, i) = i + (if i <= 0 then h else t - 1)

propagated-dep(h0, t0, A, B)
propagated-dep(h1, t1, B, C)
h0 + h1 in {-1, 0, 1}
h0 + t1 in {-1, 0, 1}
-------------------------------------- Transitive property
propagated-dep(mapOffset(h0, t0, h1),
               mapOffset(h0, t0, t1),
               A, C)

let mapOffset(h, t, i) = i + (if i <= 0 then h else t - 1)

dep(h0, _, A, B)
propagated-dep(h1, t1, B, C)
h0 + h1 in {-1, 0, 1}
h0 + t1 in {-1, 0, -1}
----------------------------- Take immediate dependencies' propagated dependencies
propagated-dep(mapOffset(h0, t0, h1),
               mapOffset(h0, t0, t1),
               A, C)

propagated-dep(h, t, A, B)
----------------------------- Propagated dependencies count as dependencies
dep(h, t, A, B)

Some explanation of this monstrosity is in order. In the common case, the target offset of a dependency is the successor to the target offset: t = h + 1. That means that: 

let f(h, t, i) = i + (if i <= 0 then h else t - 1)
let f(h, h + 1, i) = i + (if i <= 0 then h else (h + 1) - 1)
let f(h, h + 1, i) = i + (if i <= 0 then h else h)
let f(h, h + 1, i) = i + h

This is where “sum-like” comes in from above: We can just sum all of the host offsets to get the host offset of the transitive dependency. The target offset is the transitive dependency is simply the host offset + 1, just as it was with the dependencies composed to make this transitive one; it can be ignored as it doesn’t add any new information.

Because of the bounds checks, the uncommon cases are h = t and h + 2 = t. In the former case, the motivation for mapOffset is that since its host and target platforms are the same, no transitive dependency of it should be able to “discover” an offset greater than its reduced target offsets. mapOffset effectively “squashes” all its transitive dependencies’ offsets so that none will ever be greater than the target offset of the original h = t package. In the other case, h + 1 is skipped over between the host and target offsets. Instead of squashing the offsets, we need to “rip” them apart so no transitive dependencies’ offset is that one.

Overall, the unifying theme here is that propagation shouldn’t be introducing transitive dependencies involving platforms the depending package is unaware of. [One can imagine the dependending package asking for dependencies with the platforms it knows about; other platforms it doesn’t know how to ask for. The platform description in that scenario is a kind of unforagable capability.] The offset bounds checking and definition of mapOffset together ensure that this is the case. Discovering a new offset is discovering a new platform, and since those platforms weren’t in the derivation “spec” of the needing package, they cannot be relevant. From a capability perspective, we can imagine that the host and target platforms of a package are the capabilities a package requires, and the depending package must provide the capability to the dependency.

6.3.1. Variables specifying dependencies

6.3.1.1. depsBuildBuild

A list of dependencies whose host and target platforms are the new derivation’s build platform. These are programs and libraries used at build time that produce programs and libraries also used at build time. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it in nativeBuildInputs instead. The most common use of this buildPackages.stdenv.cc, the default C compiler for this role. That example crops up more than one might think in old commonly used C libraries.

Since these packages are able to be run at build-time, they are always added to the PATH, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future.

6.3.1.2. nativeBuildInputs

A list of dependencies whose host platform is the new derivation’s build platform, and target platform is the new derivation’s host platform. These are programs and libraries used at build-time that, if they are a compiler or similar tool, produce code to run at run-time—i.e. tools used to build the new derivation. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it here, rather than in depsBuildBuild or depsBuildTarget. This could be called depsBuildHost but nativeBuildInputs is used for historical continuity.

Since these packages are able to be run at build-time, they are added to the PATH, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future.

6.3.1.3. depsBuildTarget

A list of dependencies whose host platform is the new derivation’s build platform, and target platform is the new derivation’s target platform. These are programs used at build time that produce code to run with code produced by the depending package. Most commonly, these are tools used to build the runtime or standard library that the currently-being-built compiler will inject into any code it compiles. In many cases, the currently-being-built-compiler is itself employed for that task, but when that compiler won’t run (i.e. its build and host platform differ) this is not possible. Other times, the compiler relies on some other tool, like binutils, that is always built separately so that the dependency is unconditional.

This is a somewhat confusing concept to wrap one’s head around, and for good reason. As the only dependency type where the platform offsets, -1 and 1, are not adjacent integers, it requires thinking of a bootstrapping stage two away from the current one. It and its use-case go hand in hand and are both considered poor form: try to not need this sort of dependency, and try to avoid building standard libraries and runtimes in the same derivation as the compiler produces code using them. Instead strive to build those like a normal library, using the newly-built compiler just as a normal library would. In short, do not use this attribute unless you are packaging a compiler and are sure it is needed.

Since these packages are able to run at build time, they are added to the PATH, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future.

6.3.1.4. depsHostHost

A list of dependencies whose host and target platforms match the new derivation’s host platform. In practice, this would usually be tools used by compilers for macros or a metaprogramming system, or libraries used by the macros or metaprogramming code itself. It’s always preferable to use a depsBuildBuild dependency in the derivation being built over a depsHostHost on the tool doing the building for this purpose.

6.3.1.5. buildInputs

A list of dependencies whose host platform and target platform match the new derivation’s. This would be called depsHostTarget but for historical continuity. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it here, rather than in depsBuildBuild.

These are often programs and libraries used by the new derivation at run-time, but that isn’t always the case. For example, the machine code in a statically-linked library is only used at run-time, but the derivation containing the library is only needed at build-time. Even in the dynamic case, the library may also be needed at build-time to appease the linker.

6.3.1.6. depsTargetTarget

A list of dependencies whose host platform matches the new derivation’s target platform. These are packages that run on the target platform, e.g. the standard library or run-time deps of standard library that a compiler insists on knowing about. It’s poor form in almost all cases for a package to depend on another from a future stage [future stage corresponding to positive offset]. Do not use this attribute unless you are packaging a compiler and are sure it is needed.

6.3.1.7. depsBuildBuildPropagated

The propagated equivalent of depsBuildBuild. This perhaps never ought to be used, but it is included for consistency [see below for the others].

6.3.1.8. propagatedNativeBuildInputs

The propagated equivalent of nativeBuildInputs. This would be called depsBuildHostPropagated but for historical continuity. For example, if package Y has propagatedNativeBuildInputs = [X], and package Z has buildInputs = [Y], then package Z will be built as if it included package X in its nativeBuildInputs. If instead, package Z has nativeBuildInputs = [Y], then Z will be built as if it included X in the depsBuildBuild of package Z, because of the sum of the two -1 host offsets.

6.3.1.9. depsBuildTargetPropagated

The propagated equivalent of depsBuildTarget. This is prefixed for the same reason of alerting potential users.

6.3.1.10. depsHostHostPropagated

The propagated equivalent of depsHostHost.

6.3.1.11. propagatedBuildInputs

The propagated equivalent of buildInputs. This would be called depsHostTargetPropagated but for historical continuity.

6.3.1.12. depsTargetTargetPropagated

The propagated equivalent of depsTargetTarget. This is prefixed for the same reason of alerting potential users.

6.4. Attributes

6.4.1. Variables affecting stdenv initialisation

6.4.1.1. NIX_DEBUG

A natural number indicating how much information to log. If set to 1 or higher, stdenv will print moderate debugging information during the build. In particular, the gcc and ld wrapper scripts will print out the complete command line passed to the wrapped tools. If set to 6 or higher, the stdenv setup script will be run with set -x tracing. If set to 7 or higher, the gcc and ld wrapper scripts will also be run with set -x tracing.

6.4.2. Attributes affecting build properties

6.4.2.1. enableParallelBuilding

If set to true, stdenv will pass specific flags to make and other build tools to enable parallel building with up to build-cores workers.

Unless set to false, some build systems with good support for parallel building including cmake, meson, and qmake will set it to true.

6.4.3. Special variables

6.4.3.1. passthru

This is an attribute set which can be filled with arbitrary values. For example: 

passthru = {
  foo = "bar";
  baz = {
    value1 = 4;
    value2 = 5;
  };
}

Values inside it are not passed to the builder, so you can change them without triggering a rebuild. However, they can be accessed outside of a derivation directly, as if they were set inside a derivation itself, e.g. hello.baz.value1. We don’t specify any usage or schema of passthru - it is meant for values that would be useful outside the derivation in other parts of a Nix expression (e.g. in other derivations). An example would be to convey some specific dependency of your derivation which contains a program with plugins support. Later, others who make derivations with plugins can use passed-through dependency to ensure that their plugin would be binary-compatible with built program.

6.4.3.2. passthru.updateScript

A script to be run by maintainers/scripts/update.nix when the package is matched. It needs to be an executable file, either on the file system: 

passthru.updateScript = ./update.sh;

or inside the expression itself: 

passthru.updateScript = writeScript "update-zoom-us" ''
  #!/usr/bin/env nix-shell
  #!nix-shell -i bash -p curl pcre common-updater-scripts

  set -eu -o pipefail

  version="$(curl -sI https://zoom.us/client/latest/zoom_x86_64.tar.xz | grep -Fi 'Location:' | pcregrep -o1 '/(([0-9]\.?)+)/')"
  update-source-version zoom-us "$version"
'';

The attribute can also contain a list, a script followed by arguments to be passed to it: 

passthru.updateScript = [ ../../update.sh pname "--requested-release=unstable" ];

The script will be run with the UPDATE_NIX_NAME, UPDATE_NIX_PNAME, UPDATE_NIX_OLD_VERSION and UPDATE_NIX_ATTR_PATH environment variables set respectively to the name, pname, old version and attribute path of the package it is supposed to update.

For information about how to run the updates, execute nix-shell maintainers/scripts/update.nix.

6.4.4. Recursive attributes in mkDerivation

If you pass a function to mkDerivation, it will receive as its argument the final arguments, including the overrides when reinvoked via overrideAttrs. For example: 

mkDerivation (finalAttrs: {
  pname = "hello";
  withFeature = true;
  configureFlags =
    lib.optionals finalAttrs.withFeature ["--with-feature"];
})

Note that this does not use the rec keyword to reuse withFeature in configureFlags. The rec keyword works at the syntax level and is unaware of overriding.

Instead, the definition references finalAttrs, allowing users to change withFeature consistently with overrideAttrs.

finalAttrs also contains the attribute finalPackage, which includes the output paths, etc.

Let’s look at a more elaborate example to understand the differences between various bindings: 

# `pkg` is the _original_ definition (for illustration purposes)
let pkg =
  mkDerivation (finalAttrs: {
    # ...

    # An example attribute
    packages = [];

    # `passthru.tests` is a commonly defined attribute.
    passthru.tests.simple = f finalAttrs.finalPackage;

    # An example of an attribute containing a function
    passthru.appendPackages = packages':
      finalAttrs.finalPackage.overrideAttrs (newSelf: super: {
        packages = super.packages ++ packages';
      });

    # For illustration purposes; referenced as
    # `(pkg.overrideAttrs(x)).finalAttrs` etc in the text below.
    passthru.finalAttrs = finalAttrs;
    passthru.original = pkg;
  });
in pkg

Unlike the pkg binding in the above example, the finalAttrs parameter always references the final attributes. For instance (pkg.overrideAttrs(x)).finalAttrs.finalPackage is identical to pkg.overrideAttrs(x), whereas (pkg.overrideAttrs(x)).original is the same as the original pkg.

See also the section about passthru.tests.

6.5. Phases

stdenv.mkDerivation sets the Nix derivation’s builder to a script that loads the stdenv setup.sh bash library and calls genericBuild. Most packaging functions rely on this default builder.

This generic command invokes a number of phases. Package builds are split into phases to make it easier to override specific parts of the build (e.g., unpacking the sources or installing the binaries).

Each phase can be overridden in its entirety either by setting the environment variable namePhase to a string containing some shell commands to be executed, or by redefining the shell function namePhase. The former is convenient to override a phase from the derivation, while the latter is convenient from a build script. However, typically one only wants to add some commands to a phase, e.g. by defining postInstall or preFixup, as skipping some of the default actions may have unexpected consequences. The default script for each phase is defined in the file pkgs/stdenv/generic/setup.sh.

When overriding a phase, for example installPhase, it is important to start with runHook preInstall and end it with runHook postInstall, otherwise preInstall and postInstall will not be run. Even if you don’t use them directly, it is good practice to do so anyways for downstream users who would want to add a postInstall by overriding your derivation.

While inside an interactive nix-shell, if you wanted to run all phases in the order they would be run in an actual build, you can invoke genericBuild yourself.

6.5.1. Controlling phases

There are a number of variables that control what phases are executed and in what order:

6.5.1.1. Variables affecting phase control

6.5.1.1.1. phases

Specifies the phases. You can change the order in which phases are executed, or add new phases, by setting this variable. If it’s not set, the default value is used, which is $prePhases unpackPhase patchPhase $preConfigurePhases configurePhase $preBuildPhases buildPhase checkPhase $preInstallPhases installPhase fixupPhase installCheckPhase $preDistPhases distPhase $postPhases.

It is discouraged to set this variable, as it is easy to miss some important functionality hidden in some of the less obviously needed phases (like fixupPhase which patches the shebang of scripts). Usually, if you just want to add a few phases, it’s more convenient to set one of the variables below (such as preInstallPhases).

6.5.1.1.2. prePhases

Additional phases executed before any of the default phases.

6.5.1.1.3. preConfigurePhases

Additional phases executed just before the configure phase.

6.5.1.1.4. preBuildPhases

Additional phases executed just before the build phase.

6.5.1.1.5. preInstallPhases

Additional phases executed just before the install phase.

6.5.1.1.6. preFixupPhases

Additional phases executed just before the fixup phase.

6.5.1.1.7. preDistPhases

Additional phases executed just before the distribution phase.

6.5.1.1.8. postPhases

Additional phases executed after any of the default phases.

6.5.2. The unpack phase

The unpack phase is responsible for unpacking the source code of the package. The default implementation of unpackPhase unpacks the source files listed in the src environment variable to the current directory. It supports the following files by default:

6.5.2.1. Tar files

These can optionally be compressed using gzip (.tar.gz, .tgz or .tar.Z), bzip2 (.tar.bz2, .tbz2 or .tbz) or xz (.tar.xz, .tar.lzma or .txz).

6.5.2.2. Zip files

Zip files are unpacked using unzip. However, unzip is not in the standard environment, so you should add it to nativeBuildInputs yourself.

6.5.2.3. Directories in the Nix store

These are simply copied to the current directory. The hash part of the file name is stripped, e.g. /nix/store/1wydxgby13cz...-my-sources would be copied to my-sources.

Additional file types can be supported by setting the unpackCmd variable (see below).

6.5.2.4. Variables controlling the unpack phase

6.5.2.4.1. srcs / src

The list of source files or directories to be unpacked or copied. One of these must be set. Note that if you use srcs, you should also set sourceRoot or setSourceRoot.

6.5.2.4.2. sourceRoot

After running unpackPhase, the generic builder changes the current directory to the directory created by unpacking the sources. If there are multiple source directories, you should set sourceRoot to the name of the intended directory. Set sourceRoot = "."; if you use srcs and control the unpack phase yourself.

By default the sourceRoot is set to "source". If you want to point to a sub-directory inside your project, you therefore need to set sourceRoot = "source/my-sub-directory".

6.5.2.4.3. setSourceRoot

Alternatively to setting sourceRoot, you can set setSourceRoot to a shell command to be evaluated by the unpack phase after the sources have been unpacked. This command must set sourceRoot.

6.5.2.4.4. preUnpack

Hook executed at the start of the unpack phase.

6.5.2.4.5. postUnpack

Hook executed at the end of the unpack phase.

6.5.2.4.6. dontUnpack

Set to true to skip the unpack phase.

6.5.2.4.7. dontMakeSourcesWritable

If set to 1, the unpacked sources are not made writable. By default, they are made writable to prevent problems with read-only sources. For example, copied store directories would be read-only without this.

6.5.2.4.8. unpackCmd

The unpack phase evaluates the string $unpackCmd for any unrecognised file. The path to the current source file is contained in the curSrc variable.

6.5.3. The patch phase

The patch phase applies the list of patches defined in the patches variable.

6.5.3.1. Variables controlling the patch phase

6.5.3.1.1. dontPatch

Set to true to skip the patch phase.

6.5.3.1.2. patches

The list of patches. They must be in the format accepted by the patch command, and may optionally be compressed using gzip (.gz), bzip2 (.bz2) or xz (.xz).

6.5.3.1.3. patchFlags

Flags to be passed to patch. If not set, the argument -p1 is used, which causes the leading directory component to be stripped from the file names in each patch.

6.5.3.1.4. prePatch

Hook executed at the start of the patch phase.

6.5.3.1.5. postPatch

Hook executed at the end of the patch phase.

6.5.4. The configure phase

The configure phase prepares the source tree for building. The default configurePhase runs ./configure (typically an Autoconf-generated script) if it exists.

6.5.4.1. Variables controlling the configure phase

6.5.4.1.1. configureScript

The name of the configure script. It defaults to ./configure if it exists; otherwise, the configure phase is skipped. This can actually be a command (like perl ./Configure.pl).

6.5.4.1.2. configureFlags

A list of strings passed as additional arguments to the configure script.

6.5.4.1.3. dontConfigure

Set to true to skip the configure phase.

6.5.4.1.4. configureFlagsArray

A shell array containing additional arguments passed to the configure script. You must use this instead of configureFlags if the arguments contain spaces.

6.5.4.1.5. dontAddPrefix

By default, the flag --prefix=$prefix is added to the configure flags. If this is undesirable, set this variable to true.

6.5.4.1.6. prefix

The prefix under which the package must be installed, passed via the --prefix option to the configure script. It defaults to $out.

6.5.4.1.7. prefixKey

The key to use when specifying the prefix. By default, this is set to --prefix= as that is used by the majority of packages.

6.5.4.1.8. dontAddStaticConfigureFlags

By default, when building statically, stdenv will try to add build system appropriate configure flags to try to enable static builds.

If this is undesirable, set this variable to true.

6.5.4.1.9. dontAddDisableDepTrack

By default, the flag --disable-dependency-tracking is added to the configure flags to speed up Automake-based builds. If this is undesirable, set this variable to true.

6.5.4.1.10. dontFixLibtool

By default, the configure phase applies some special hackery to all files called ltmain.sh before running the configure script in order to improve the purity of Libtool-based packages [5] . If this is undesirable, set this variable to true.

6.5.4.1.11. dontDisableStatic

By default, when the configure script has --enable-static, the option --disable-static is added to the configure flags.

If this is undesirable, set this variable to true. It is automatically set to true when building statically, for example through pkgsStatic.

6.5.4.1.12. configurePlatforms

By default, when cross compiling, the configure script has --build=... and --host=... passed. Packages can instead pass [ "build" "host" "target" ] or a subset to control exactly which platform flags are passed. Compilers and other tools can use this to also pass the target platform. [6]

6.5.4.1.13. preConfigure

Hook executed at the start of the configure phase.

6.5.4.1.14. postConfigure

Hook executed at the end of the configure phase.

6.5.5. The build phase

The build phase is responsible for actually building the package (e.g. compiling it). The default buildPhase simply calls make if a file named Makefile, makefile or GNUmakefile exists in the current directory (or the makefile is explicitly set); otherwise it does nothing.

6.5.5.1. Variables controlling the build phase

6.5.5.1.1. dontBuild

Set to true to skip the build phase.

6.5.5.1.2. makefile

The file name of the Makefile.

6.5.5.1.3. makeFlags

A list of strings passed as additional flags to make. These flags are also used by the default install and check phase. For setting make flags specific to the build phase, use buildFlags (see below). 

makeFlags = [ "PREFIX=$(out)" ];
6.5.5.1.4. makeFlagsArray

A shell array containing additional arguments passed to make. You must use this instead of makeFlags if the arguments contain spaces, e.g. 

preBuild = ''
  makeFlagsArray+=(CFLAGS="-O0 -g" LDFLAGS="-lfoo -lbar")
'';

Note that shell arrays cannot be passed through environment variables, so you cannot set makeFlagsArray in a derivation attribute (because those are passed through environment variables): you have to define them in shell code.

6.5.5.1.5. buildFlags / buildFlagsArray

A list of strings passed as additional flags to make. Like makeFlags and makeFlagsArray, but only used by the build phase.

6.5.5.1.6. preBuild

Hook executed at the start of the build phase.

6.5.5.1.7. postBuild

Hook executed at the end of the build phase.

You can set flags for make through the makeFlags variable.

Before and after running make, the hooks preBuild and postBuild are called, respectively.

6.5.6. The check phase

The check phase checks whether the package was built correctly by running its test suite. The default checkPhase calls make check, but only if the doCheck variable is enabled.

6.5.6.1. Variables controlling the check phase

6.5.6.1.1. doCheck

Controls whether the check phase is executed. By default it is skipped, but if doCheck is set to true, the check phase is usually executed. Thus you should set 

doCheck = true;

in the derivation to enable checks. The exception is cross compilation. Cross compiled builds never run tests, no matter how doCheck is set, as the newly-built program won’t run on the platform used to build it.

6.5.6.1.2. makeFlags / makeFlagsArray / makefile

See the build phase for details.

6.5.6.1.3. checkTarget

The make target that runs the tests. Defaults to check.

6.5.6.1.4. checkFlags / checkFlagsArray

A list of strings passed as additional flags to make. Like makeFlags and makeFlagsArray, but only used by the check phase.

6.5.6.1.5. checkInputs

A list of dependencies used by the phase. This gets included in nativeBuildInputs when doCheck is set.

6.5.6.1.6. preCheck

Hook executed at the start of the check phase.

6.5.6.1.7. postCheck

Hook executed at the end of the check phase.

6.5.7. The install phase

The install phase is responsible for installing the package in the Nix store under out. The default installPhase creates the directory $out and calls make install.

6.5.7.1. Variables controlling the install phase

6.5.7.1.1. dontInstall

Set to true to skip the install phase.

6.5.7.1.2. makeFlags / makeFlagsArray / makefile

See the build phase for details.

6.5.7.1.3. installTargets

The make targets that perform the installation. Defaults to install. Example: 

installTargets = "install-bin install-doc";
6.5.7.1.4. installFlags / installFlagsArray

A list of strings passed as additional flags to make. Like makeFlags and makeFlagsArray, but only used by the install phase.

6.5.7.1.5. preInstall

Hook executed at the start of the install phase.

6.5.7.1.6. postInstall

Hook executed at the end of the install phase.

6.5.8. The fixup phase

The fixup phase performs (Nix-specific) post-processing actions on the files installed under $out by the install phase. The default fixupPhase does the following:

  • It moves the man/, doc/ and info/ subdirectories of $out to share/.

  • It strips libraries and executables of debug information.

  • On Linux, it applies the patchelf command to ELF executables and libraries to remove unused directories from the RPATH in order to prevent unnecessary runtime dependencies.

  • It rewrites the interpreter paths of shell scripts to paths found in PATH. E.g., /usr/bin/perl will be rewritten to /nix/store/some-perl/bin/perl found in PATH. See Section 6.7.4, “patch-shebangs.sh for details.

6.5.8.1. Variables controlling the fixup phase

6.5.8.1.1. dontFixup

Set to true to skip the fixup phase.

6.5.8.1.2. dontStrip

If set, libraries and executables are not stripped. By default, they are.

6.5.8.1.3. dontStripHost

Like dontStrip, but only affects the strip command targetting the package’s host platform. Useful when supporting cross compilation, but otherwise feel free to ignore.

6.5.8.1.4. dontStripTarget

Like dontStrip, but only affects the strip command targetting the packages’ target platform. Useful when supporting cross compilation, but otherwise feel free to ignore.

6.5.8.1.5. dontMoveSbin

If set, files in $out/sbin are not moved to $out/bin. By default, they are.

6.5.8.1.6. stripAllList

List of directories to search for libraries and executables from which all symbols should be stripped. By default, it’s empty. Stripping all symbols is risky, since it may remove not just debug symbols but also ELF information necessary for normal execution.

6.5.8.1.7. stripAllListTarget

Like stripAllList, but only applies to packages’ target platform. By default, it’s empty. Useful when supporting cross compilation.

6.5.8.1.8. stripAllFlags

Flags passed to the strip command applied to the files in the directories listed in stripAllList. Defaults to -s (i.e. --strip-all).

6.5.8.1.9. stripDebugList

List of directories to search for libraries and executables from which only debugging-related symbols should be stripped. It defaults to lib lib32 lib64 libexec bin sbin.

6.5.8.1.10. stripDebugListTarget

Like stripDebugList, but only applies to packages’ target platform. By default, it’s empty. Useful when supporting cross compilation.

6.5.8.1.11. stripDebugFlags

Flags passed to the strip command applied to the files in the directories listed in stripDebugList. Defaults to -S (i.e. --strip-debug).

6.5.8.1.12. dontPatchELF

If set, the patchelf command is not used to remove unnecessary RPATH entries. Only applies to Linux.

6.5.8.1.13. dontPatchShebangs

If set, scripts starting with #! do not have their interpreter paths rewritten to paths in the Nix store. See Section 6.7.4, “patch-shebangs.sh on how patching shebangs works.

6.5.8.1.14. dontPruneLibtoolFiles

If set, libtool .la files associated with shared libraries won’t have their dependency_libs field cleared.

6.5.8.1.15. forceShare

The list of directories that must be moved from $out to $out/share. Defaults to man doc info.

6.5.8.1.16. setupHook

A package can export a setup hook by setting this variable. The setup hook, if defined, is copied to $out/nix-support/setup-hook. Environment variables are then substituted in it using substituteAll.

6.5.8.1.17. preFixup

Hook executed at the start of the fixup phase.

6.5.8.1.18. postFixup

Hook executed at the end of the fixup phase.

6.5.8.1.19. separateDebugInfo

If set to true, the standard environment will enable debug information in C/C++ builds. After installation, the debug information will be separated from the executables and stored in the output named debug. (This output is enabled automatically; you don’t need to set the outputs attribute explicitly.) To be precise, the debug information is stored in debug/lib/debug/.build-id/XX/YYYY…, where <XXYYYY…> is the <build ID> of the binary — a SHA-1 hash of the contents of the binary. Debuggers like GDB use the build ID to look up the separated debug information.

For example, with GDB, you can add 

set debug-file-directory ~/.nix-profile/lib/debug

to ~/.gdbinit. GDB will then be able to find debug information installed via nix-env -i.

6.5.9. The installCheck phase

The installCheck phase checks whether the package was installed correctly by running its test suite against the installed directories. The default installCheck calls make installcheck.

It is often better to add tests that are not part of the source distribution to passthru.tests (see Section 7.1.12, “tests). This avoids adding overhead to every build and enables us to run them independently.

6.5.9.1. Variables controlling the installCheck phase

6.5.9.1.1. doInstallCheck

Controls whether the installCheck phase is executed. By default it is skipped, but if doInstallCheck is set to true, the installCheck phase is usually executed. Thus you should set 

doInstallCheck = true;

in the derivation to enable install checks. The exception is cross compilation. Cross compiled builds never run tests, no matter how doInstallCheck is set, as the newly-built program won’t run on the platform used to build it.

6.5.9.1.2. installCheckTarget

The make target that runs the install tests. Defaults to installcheck.

6.5.9.1.3. installCheckFlags / installCheckFlagsArray

A list of strings passed as additional flags to make. Like makeFlags and makeFlagsArray, but only used by the installCheck phase.

6.5.9.1.4. installCheckInputs

A list of dependencies used by the phase. This gets included in nativeBuildInputs when doInstallCheck is set.

6.5.9.1.5. preInstallCheck

Hook executed at the start of the installCheck phase.

6.5.9.1.6. postInstallCheck

Hook executed at the end of the installCheck phase.

6.5.10. The distribution phase

The distribution phase is intended to produce a source distribution of the package. The default distPhase first calls make dist, then it copies the resulting source tarballs to $out/tarballs/. This phase is only executed if the attribute doDist is set.

6.5.10.1. Variables controlling the distribution phase

6.5.10.1.1. distTarget

The make target that produces the distribution. Defaults to dist.

6.5.10.1.2. distFlags / distFlagsArray

Additional flags passed to make.

6.5.10.1.3. tarballs

The names of the source distribution files to be copied to $out/tarballs/. It can contain shell wildcards. The default is *.tar.gz.

6.5.10.1.4. dontCopyDist

If set, no files are copied to $out/tarballs/.

6.5.10.1.5. preDist

Hook executed at the start of the distribution phase.

6.5.10.1.6. postDist

Hook executed at the end of the distribution phase.

6.6. Shell functions and utilities

The standard environment provides a number of useful functions.

6.6.1. makeWrapper <executable> <wrapperfile> <args>

Constructs a wrapper for a program with various possible arguments. It is defined as part of 2 setup-hooks named makeWrapper and makeBinaryWrapper that implement the same bash functions. Hence, to use it you have to add makeWrapper to your nativeBuildInputs. Here’s an example usage: 

# adds `FOOBAR=baz` to `$out/bin/foo`’s environment
makeWrapper $out/bin/foo $wrapperfile --set FOOBAR baz

# Prefixes the binary paths of `hello` and `git`
# and suffixes the binary path of `xdg-utils`.
# Be advised that paths often should be patched in directly
# (via string replacements or in `configurePhase`).
makeWrapper $out/bin/foo $wrapperfile \
  --prefix PATH : ${lib.makeBinPath [ hello git ]} \
  --suffix PATH : ${lib.makeBinPath [ xdg-utils ]}

Packages may expect or require other utilities to be available at runtime. makeWrapper can be used to add packages to a PATH environment variable local to a wrapper.

Use --prefix to explicitly set dependencies in PATH.

If dependencies should be resolved at runtime, use --suffix to append fallback values to PATH.

There’s many more kinds of arguments, they are documented in nixpkgs/pkgs/build-support/setup-hooks/make-wrapper.sh for the makeWrapper implementation and in nixpkgs/pkgs/build-support/setup-hooks/make-binary-wrapper/make-binary-wrapper.sh for the makeBinaryWrapper implementation.

wrapProgram is a convenience function you probably want to use most of the time, implemented by both makeWrapper and makeBinaryWrapper.

Using the makeBinaryWrapper implementation is usually preferred, as it creates a tiny compiled wrapper executable, that can be used as a shebang interpreter. This is needed mostly on Darwin, where shebangs cannot point to scripts, due to a limitation with the execve-syscall. Compiled wrappers generated by makeBinaryWrapper can be inspected with less <path-to-wrapper> - by scrolling past the binary data you should be able to see the shell command that generated the executable and there see the environment variables that were injected into the wrapper.

6.6.2. remove-references-to -t <storepath> [ -t <storepath> … ] <file> …

Removes the references of the specified files to the specified store files. This is done without changing the size of the file by replacing the hash by eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee, and should work on compiled executables. This is meant to be used to remove the dependency of the output on inputs that are known to be unnecessary at runtime. Of course, reckless usage will break the patched programs. To use this, add removeReferencesTo to nativeBuildInputs.

As remove-references-to is an actual executable and not a shell function, it can be used with find. Example removing all references to the compiler in the output: 

postInstall = ''
  find "$out" -type f -exec remove-references-to -t ${stdenv.cc} '{}' +
'';

6.6.3. substitute <infile> <outfile> <subs>

Performs string substitution on the contents of <infile>, writing the result to <outfile>. The substitutions in <subs> are of the following form:

6.6.3.1. --replace <s1> <s2>

Replace every occurrence of the string <s1> by <s2>.

6.6.3.2. --subst-var <varName>

Replace every occurrence of @varName@ by the contents of the environment variable <varName>. This is useful for generating files from templates, using @...@ in the template as placeholders.

6.6.3.3. --subst-var-by <varName> <s>

Replace every occurrence of @varName@ by the string <s>.

Example: 

substitute ./foo.in ./foo.out \
    --replace /usr/bin/bar $bar/bin/bar \
    --replace "a string containing spaces" "some other text" \
    --subst-var someVar

6.6.4. substituteInPlace <multiple files> <subs>

Like substitute, but performs the substitutions in place on the files passed.

6.6.5. substituteAll <infile> <outfile>

Replaces every occurrence of @varName@, where <varName> is any environment variable, in <infile>, writing the result to <outfile>. For instance, if <infile> has the contents 

#! @bash@/bin/sh
PATH=@coreutils@/bin
echo @foo@

and the environment contains bash=/nix/store/bmwp0q28cf21...-bash-3.2-p39 and coreutils=/nix/store/68afga4khv0w...-coreutils-6.12, but does not contain the variable foo, then the output will be 

#! /nix/store/bmwp0q28cf21...-bash-3.2-p39/bin/sh
PATH=/nix/store/68afga4khv0w...-coreutils-6.12/bin
echo @foo@

That is, no substitution is performed for undefined variables.

Environment variables that start with an uppercase letter or an underscore are filtered out, to prevent global variables (like HOME) or private variables (like __ETC_PROFILE_DONE) from accidentally getting substituted. The variables also have to be valid bash names, as defined in the bash manpage (alphanumeric or _, must not start with a number).

6.6.6. substituteAllInPlace <file>

Like substituteAll, but performs the substitutions in place on the file <file>.

6.6.7. stripHash <path>

Strips the directory and hash part of a store path, outputting the name part to stdout. For example: 

# prints coreutils-8.24
stripHash "/nix/store/9s9r019176g7cvn2nvcw41gsp862y6b4-coreutils-8.24"

If you wish to store the result in another variable, then the following idiom may be useful: 

name="/nix/store/9s9r019176g7cvn2nvcw41gsp862y6b4-coreutils-8.24"
someVar=$(stripHash $name)

6.6.8. wrapProgram <executable> <makeWrapperArgs>

Convenience function for makeWrapper that replaces <\executable\> with a wrapper that executes the original program. It takes all the same arguments as makeWrapper, except for --inherit-argv0 (used by the makeBinaryWrapper implementation) and --argv0 (used by both makeWrapper and makeBinaryWrapper wrapper implementations).

If you will apply it multiple times, it will overwrite the wrapper file and you will end up with double wrapping, which should be avoided.

6.7. Package setup hooks

Nix itself considers a build-time dependency as merely something that should previously be built and accessible at build time—packages themselves are on their own to perform any additional setup. In most cases, that is fine, and the downstream derivation can deal with its own dependencies. But for a few common tasks, that would result in almost every package doing the same sort of setup work—depending not on the package itself, but entirely on which dependencies were used.

In order to alleviate this burden, the setup hook mechanism was written, where any package can include a shell script that [by convention rather than enforcement by Nix], any downstream reverse-dependency will source as part of its build process. That allows the downstream dependency to merely specify its dependencies, and lets those dependencies effectively initialize themselves. No boilerplate mirroring the list of dependencies is needed.

The setup hook mechanism is a bit of a sledgehammer though: a powerful feature with a broad and indiscriminate area of effect. The combination of its power and implicit use may be expedient, but isn’t without costs. Nix itself is unchanged, but the spirit of added dependencies being effect-free is violated even if the letter isn’t. For example, if a derivation path is mentioned more than once, Nix itself doesn’t care and simply makes sure the dependency derivation is already built just the same—depending is just needing something to exist, and needing is idempotent. However, a dependency specified twice will have its setup hook run twice, and that could easily change the build environment (though a well-written setup hook will therefore strive to be idempotent so this is in fact not observable). More broadly, setup hooks are anti-modular in that multiple dependencies, whether the same or different, should not interfere and yet their setup hooks may well do so.

The most typical use of the setup hook is actually to add other hooks which are then run (i.e. after all the setup hooks) on each dependency. For example, the C compiler wrapper’s setup hook feeds itself flags for each dependency that contains relevant libraries and headers. This is done by defining a bash function, and appending its name to one of envBuildBuildHooks, envBuildHostHooks, envBuildTargetHooks, envHostHostHooks, envHostTargetHooks, or envTargetTargetHooks. These 6 bash variables correspond to the 6 sorts of dependencies by platform (there’s 12 total but we ignore the propagated/non-propagated axis).

Packages adding a hook should not hard code a specific hook, but rather choose a variable relative to how they are included. Returning to the C compiler wrapper example, if the wrapper itself is an n dependency, then it only wants to accumulate flags from n + 1 dependencies, as only those ones match the compiler’s target platform. The hostOffset variable is defined with the current dependency’s host offset targetOffset with its target offset, before its setup hook is sourced. Additionally, since most environment hooks don’t care about the target platform, that means the setup hook can append to the right bash array by doing something like 

addEnvHooks "$hostOffset" myBashFunction

The existence of setups hooks has long been documented and packages inside Nixpkgs are free to use this mechanism. Other packages, however, should not rely on these mechanisms not changing between Nixpkgs versions. Because of the existing issues with this system, there’s little benefit from mandating it be stable for any period of time.

First, let’s cover some setup hooks that are part of Nixpkgs default stdenv. This means that they are run for every package built using stdenv.mkDerivation or when using a custom builder that has source $stdenv/setup. Some of these are platform specific, so they may run on Linux but not Darwin or vice-versa.

6.7.1. move-docs.sh

This setup hook moves any installed documentation to the /share subdirectory directory. This includes the man, doc and info directories. This is needed for legacy programs that do not know how to use the share subdirectory.

6.7.2. compress-man-pages.sh

This setup hook compresses any man pages that have been installed. The compression is done using the gzip program. This helps to reduce the installed size of packages.

6.7.3. strip.sh

This runs the strip command on installed binaries and libraries. This removes unnecessary information like debug symbols when they are not needed. This also helps to reduce the installed size of packages.

6.7.4. patch-shebangs.sh

This setup hook patches installed scripts to add Nix store paths to their shebang interpreter as found in the build environment. The shebang line tells a Unix-like operating system which interpreter to use to execute the script’s contents.

6.7.4.1. Invocation

Multiple paths can be specified. 

patchShebangs [--build | --host] PATH...
6.7.4.1.1. Flags
--build

Look up commands available at build time

--host

Look up commands available at run time

6.7.4.1.2. Examples
patchShebangs --host /nix/store/<hash>-hello-1.0/bin

patchShebangs --build configure

#!/bin/sh will be rewritten to #!/nix/store/<hash>-some-bash/bin/sh.

#!/usr/bin/env gets special treatment: #!/usr/bin/env python is rewritten to /nix/store/<hash>/bin/python.

Interpreter paths that point to a valid Nix store location are not changed.

This mechanism ensures that the interpreter for a given script is always found and is exactly the one specified by the build.

It can be disabled by setting dontPatchShebangs: 

stdenv.mkDerivation {
  # ...
  dontPatchShebangs = true;
  # ...
}

The file patch-shebangs.sh defines the patchShebangs function. It is used to implement patchShebangsAuto, the setup hook that is registered to run during the fixup phase by default.

If you need to run patchShebangs at build time, it must be called explicitly within one of the build phases.

6.7.5. audit-tmpdir.sh

This verifies that no references are left from the install binaries to the directory used to build those binaries. This ensures that the binaries do not need things outside the Nix store. This is currently supported in Linux only.

6.7.6. multiple-outputs.sh

This setup hook adds configure flags that tell packages to install files into any one of the proper outputs listed in outputs. This behavior can be turned off by setting setOutputFlags to false in the derivation environment. See Chapter 8, Multiple-output packages for more information.

6.7.7. move-sbin.sh

This setup hook moves any binaries installed in the sbin/ subdirectory into bin/. In addition, a link is provided from sbin/ to bin/ for compatibility.

6.7.8. move-lib64.sh

This setup hook moves any libraries installed in the lib64/ subdirectory into lib/. In addition, a link is provided from lib64/ to lib/ for compatibility.

6.7.9. move-systemd-user-units.sh

This setup hook moves any systemd user units installed in the lib/ subdirectory into share/. In addition, a link is provided from share/ to lib/ for compatibility. This is needed for systemd to find user services when installed into the user profile.

This hook only runs when compiling for Linux.

6.7.10. set-source-date-epoch-to-latest.sh

This sets SOURCE_DATE_EPOCH to the modification time of the most recent file.

6.7.11. Bintools Wrapper and hook

The Bintools Wrapper wraps the binary utilities for a bunch of miscellaneous purposes. These are GNU Binutils when targeting Linux, and a mix of cctools and GNU binutils for Darwin. [The “Bintools” name is supposed to be a compromise between “Binutils” and “cctools” not denoting any specific implementation.] Specifically, the underlying bintools package, and a C standard library (glibc or Darwin’s libSystem, just for the dynamic loader) are all fed in, and dependency finding, hardening (see below), and purity checks for each are handled by the Bintools Wrapper. Packages typically depend on CC Wrapper, which in turn (at run time) depends on the Bintools Wrapper.

The Bintools Wrapper was only just recently split off from CC Wrapper, so the division of labor is still being worked out. For example, it shouldn’t care about the C standard library, but just take a derivation with the dynamic loader (which happens to be the glibc on linux). Dependency finding however is a task both wrappers will continue to need to share, and probably the most important to understand. It is currently accomplished by collecting directories of host-platform dependencies (i.e. buildInputs and nativeBuildInputs) in environment variables. The Bintools Wrapper’s setup hook causes any lib and lib64 subdirectories to be added to NIX_LDFLAGS. Since the CC Wrapper and the Bintools Wrapper use the same strategy, most of the Bintools Wrapper code is sparsely commented and refers to the CC Wrapper. But the CC Wrapper’s code, by contrast, has quite lengthy comments. The Bintools Wrapper merely cites those, rather than repeating them, to avoid falling out of sync.

A final task of the setup hook is defining a number of standard environment variables to tell build systems which executables fulfill which purpose. They are defined to just be the base name of the tools, under the assumption that the Bintools Wrapper’s binaries will be on the path. Firstly, this helps poorly-written packages, e.g. ones that look for just gcc when CC isn’t defined yet clang is to be used. Secondly, this helps packages not get confused when cross-compiling, in which case multiple Bintools Wrappers may simultaneously be in use. [7] BUILD_- and TARGET_-prefixed versions of the normal environment variable are defined for additional Bintools Wrappers, properly disambiguating them.

A problem with this final task is that the Bintools Wrapper is honest and defines LD as ld. Most packages, however, firstly use the C compiler for linking, secondly use LD anyways, defining it as the C compiler, and thirdly, only so define LD when it is undefined as a fallback. This triple-threat means Bintools Wrapper will break those packages, as LD is already defined as the actual linker which the package won’t override yet doesn’t want to use. The workaround is to define, just for the problematic package, LD as the C compiler. A good way to do this would be preConfigure = "LD=$CC".

6.7.12. CC Wrapper and hook

The CC Wrapper wraps a C toolchain for a bunch of miscellaneous purposes. Specifically, a C compiler (GCC or Clang), wrapped binary tools, and a C standard library (glibc or Darwin’s libSystem, just for the dynamic loader) are all fed in, and dependency finding, hardening (see below), and purity checks for each are handled by the CC Wrapper. Packages typically depend on the CC Wrapper, which in turn (at run-time) depends on the Bintools Wrapper.

Dependency finding is undoubtedly the main task of the CC Wrapper. This works just like the Bintools Wrapper, except that any include subdirectory of any relevant dependency is added to NIX_CFLAGS_COMPILE. The setup hook itself contains elaborate comments describing the exact mechanism by which this is accomplished.

Similarly, the CC Wrapper follows the Bintools Wrapper in defining standard environment variables with the names of the tools it wraps, for the same reasons described above. Importantly, while it includes a cc symlink to the c compiler for portability, the CC will be defined using the compiler’s “real name” (i.e. gcc or clang). This helps lousy build systems that inspect on the name of the compiler rather than run it.

Here are some more packages that provide a setup hook. Since the list of hooks is extensible, this is not an exhaustive list. The mechanism is only to be used as a last resort, so it might cover most uses.

6.7.13. Other hooks

Many other packages provide hooks, that are not part of stdenv. You can find these in the Hooks Reference.

6.7.14. Compiler and Linker wrapper hooks

If the file ${cc}/nix-support/cc-wrapper-hook exists, it will be run at the end of the compiler wrapper. If the file ${binutils}/nix-support/post-link-hook exists, it will be run at the end of the linker wrapper. These hooks allow a user to inject code into the wrappers. As an example, these hooks can be used to extract extraBefore, params and extraAfter which store all the command line arguments passed to the compiler and linker respectively.

6.8. Purity in Nixpkgs

Measures taken to prevent dependencies on packages outside the store, and what you can do to prevent them.

GCC doesn’t search in locations such as /usr/include. In fact, attempts to add such directories through the -I flag are filtered out. Likewise, the linker (from GNU binutils) doesn’t search in standard locations such as /usr/lib. Programs built on Linux are linked against a GNU C Library that likewise doesn’t search in the default system locations.

6.9. Hardening in Nixpkgs

There are flags available to harden packages at compile or link-time. These can be toggled using the stdenv.mkDerivation parameters hardeningDisable and hardeningEnable.

Both parameters take a list of flags as strings. The special "all" flag can be passed to hardeningDisable to turn off all hardening. These flags can also be used as environment variables for testing or development purposes.

For more in-depth information on these hardening flags and hardening in general, refer to the Debian Wiki, Ubuntu Wiki, Gentoo Wiki, and the Arch Wiki.

6.9.1. Hardening flags enabled by default

The following flags are enabled by default and might require disabling with hardeningDisable if the program to package is incompatible.

6.9.1.1. format

Adds the -Wformat -Wformat-security -Werror=format-security compiler options. At present, this warns about calls to printf and scanf functions where the format string is not a string literal and there are no format arguments, as in printf(foo);. This may be a security hole if the format string came from untrusted input and contains %n.

This needs to be turned off or fixed for errors similar to: 

/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security]
         printf(help_message);
                            ^
cc1plus: some warnings being treated as errors

6.9.1.2. stackprotector

Adds the -fstack-protector-strong --param ssp-buffer-size=4 compiler options. This adds safety checks against stack overwrites rendering many potential code injection attacks into aborting situations. In the best case this turns code injection vulnerabilities into denial of service or into non-issues (depending on the application).

This needs to be turned off or fixed for errors similar to: 

bin/blib.a(bios_console.o): In function `bios_handle_cup':
/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail'

6.9.1.3. fortify

Adds the -O2 -D_FORTIFY_SOURCE=2 compiler options. During code generation the compiler knows a great deal of information about buffer sizes (where possible), and attempts to replace insecure unlimited length buffer function calls with length-limited ones. This is especially useful for old, crufty code. Additionally, format strings in writable memory that contain %n are blocked. If an application depends on such a format string, it will need to be worked around.

Additionally, some warnings are enabled which might trigger build failures if compiler warnings are treated as errors in the package build. In this case, set NIX_CFLAGS_COMPILE to -Wno-error=warning-type.

This needs to be turned off or fixed for errors similar to: 

malloc.c:404:15: error: return type is an incomplete type
malloc.c:410:19: error: storage size of 'ms' isn't known

strdup.h:22:1: error: expected identifier or '(' before '__extension__'

strsep.c:65:23: error: register name not specified for 'delim'

installwatch.c:3751:5: error: conflicting types for '__open_2'

fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments

6.9.1.4. pic

Adds the -fPIC compiler options. This options adds support for position independent code in shared libraries and thus making ASLR possible.

Most notably, the Linux kernel, kernel modules and other code not running in an operating system environment like boot loaders won’t build with PIC enabled. The compiler will is most cases complain that PIC is not supported for a specific build.

This needs to be turned off or fixed for assembler errors similar to: 

ccbLfRgg.s: Assembler messages:
ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF'

6.9.1.5. strictoverflow

Signed integer overflow is undefined behaviour according to the C standard. If it happens, it is an error in the program as it should check for overflow before it can happen, not afterwards. GCC provides built-in functions to perform arithmetic with overflow checking, which are correct and faster than any custom implementation. As a workaround, the option -fno-strict-overflow makes gcc behave as if signed integer overflows were defined.

This flag should not trigger any build or runtime errors.

6.9.1.6. relro

Adds the -z relro linker option. During program load, several ELF memory sections need to be written to by the linker, but can be turned read-only before turning over control to the program. This prevents some GOT (and .dtors) overwrite attacks, but at least the part of the GOT used by the dynamic linker (.got.plt) is still vulnerable.

This flag can break dynamic shared object loading. For instance, the module systems of Xorg and OpenCV are incompatible with this flag. In almost all cases the bindnow flag must also be disabled and incompatible programs typically fail with similar errors at runtime.

6.9.1.7. bindnow

Adds the -z bindnow linker option. During program load, all dynamic symbols are resolved, allowing for the complete GOT to be marked read-only (due to relro). This prevents GOT overwrite attacks. For very large applications, this can incur some performance loss during initial load while symbols are resolved, but this shouldn’t be an issue for daemons.

This flag can break dynamic shared object loading. For instance, the module systems of Xorg and PHP are incompatible with this flag. Programs incompatible with this flag often fail at runtime due to missing symbols, like: 

intel_drv.so: undefined symbol: vgaHWFreeHWRec

6.9.2. Hardening flags disabled by default

The following flags are disabled by default and should be enabled with hardeningEnable for packages that take untrusted input like network services.

6.9.2.1. pie

This flag is disabled by default for normal glibc based NixOS package builds, but enabled by default for musl based package builds.

Adds the -fPIE compiler and -pie linker options. Position Independent Executables are needed to take advantage of Address Space Layout Randomization, supported by modern kernel versions. While ASLR can already be enforced for data areas in the stack and heap (brk and mmap), the code areas must be compiled as position-independent. Shared libraries already do this with the pic flag, so they gain ASLR automatically, but binary .text regions need to be build with pie to gain ASLR. When this happens, ROP attacks are much harder since there are no static locations to bounce off of during a memory corruption attack.

Static libraries need to be compiled with -fPIE so that executables can link them in with the -pie linker option. If the libraries lack -fPIE, you will get the error recompile with -fPIE.



[1] The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always specified as interfaces, not concrete implementation.

[2] Currently, this means for native builds all dependencies are put on the PATH. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only the depsBuild* and nativeBuildInputs would be added to the PATH.

[3] Nix itself already takes a package’s transitive dependencies into account, but this propagation ensures nixpkgs-specific infrastructure like setup hooks also are run as if it were a propagated dependency.

[4] The findInputs function, currently residing in pkgs/stdenv/generic/setup.sh, implements the propagation logic.

[5] It clears the sys_lib_*search_path variables in the Libtool script to prevent Libtool from using libraries in /usr/lib and such.

[6] Eventually these will be passed building natively as well, to improve determinism: build-time guessing, as is done today, is a risk of impurity.

[7] Each wrapper targets a single platform, so if binaries for multiple platforms are needed, the underlying binaries must be wrapped multiple times. As this is a property of the wrapper itself, the multiple wrappings are needed whether or not the same underlying binaries can target multiple platforms.

Chapter 7. Meta-attributes

Table of Contents

7.1. Standard meta-attributes
7.2. Licenses
7.3. Source provenance

Nix packages can declare meta-attributes that contain information about a package such as a description, its homepage, its license, and so on. For instance, the GNU Hello package has a meta declaration like this: 

meta = with lib; {
  description = "A program that produces a familiar, friendly greeting";
  longDescription = ''
    GNU Hello is a program that prints "Hello, world!" when you run it.
    It is fully customizable.
  '';
  homepage = "https://www.gnu.org/software/hello/manual/";
  license = licenses.gpl3Plus;
  maintainers = [ maintainers.eelco ];
  platforms = platforms.all;
};

Meta-attributes are not passed to the builder of the package. Thus, a change to a meta-attribute doesn’t trigger a recompilation of the package. The value of a meta-attribute must be a string.

The meta-attributes of a package can be queried from the command-line using nix-env: 

$ nix-env -qa hello --json
{
    "hello": {
        "meta": {
            "description": "A program that produces a familiar, friendly greeting",
            "homepage": "https://www.gnu.org/software/hello/manual/",
            "license": {
                "fullName": "GNU General Public License version 3 or later",
                "shortName": "GPLv3+",
                "url": "http://www.fsf.org/licensing/licenses/gpl.html"
            },
            "longDescription": "GNU Hello is a program that prints \"Hello, world!\" when you run it.\nIt is fully customizable.\n",
            "maintainers": [
                "Ludovic Court\u00e8s <ludo@gnu.org>"
            ],
            "platforms": [
                "i686-linux",
                "x86_64-linux",
                "armv5tel-linux",
                "armv7l-linux",
                "mips32-linux",
                "x86_64-darwin",
                "i686-cygwin",
                "i686-freebsd13",
                "x86_64-freebsd13",
                "i686-openbsd",
                "x86_64-openbsd"
            ],
            "position": "/home/user/dev/nixpkgs/pkgs/applications/misc/hello/default.nix:14"
        },
        "name": "hello-2.9",
        "system": "x86_64-linux"
    }
}

nix-env knows about the description field specifically: 

$ nix-env -qa hello --description
hello-2.3  A program that produces a familiar, friendly greeting

7.1. Standard meta-attributes

It is expected that each meta-attribute is one of the following:

7.1.1. description

A short (one-line) description of the package. This is shown by nix-env -q --description and also on the Nixpkgs release pages.

Don’t include a period at the end. Don’t include newline characters. Capitalise the first character. For brevity, don’t repeat the name of package — just describe what it does.

Wrong: "libpng is a library that allows you to decode PNG images."

Right: "A library for decoding PNG images"

7.1.2. longDescription

An arbitrarily long description of the package in CommonMark Markdown.

7.1.3. branch

Release branch. Used to specify that a package is not going to receive updates that are not in this branch; for example, Linux kernel 3.0 is supposed to be updated to 3.0.X, not 3.1.

7.1.4. homepage

The package’s homepage. Example: https://www.gnu.org/software/hello/manual/

7.1.5. downloadPage

The page where a link to the current version can be found. Example: https://ftp.gnu.org/gnu/hello/

7.1.6. changelog

A link or a list of links to the location of Changelog for a package. A link may use expansion to refer to the correct changelog version. Example: "https://git.savannah.gnu.org/cgit/hello.git/plain/NEWS?h=v${version}"

7.1.7. license

The license, or licenses, for the package. One from the attribute set defined in nixpkgs/lib/licenses.nix. At this moment using both a list of licenses and a single license is valid. If the license field is in the form of a list representation, then it means that parts of the package are licensed differently. Each license should preferably be referenced by their attribute. The non-list attribute value can also be a space delimited string representation of the contained attribute shortNames or spdxIds. The following are all valid examples:

  • Single license referenced by attribute (preferred) lib.licenses.gpl3Only.

  • Single license referenced by its attribute shortName (frowned upon) "gpl3Only".

  • Single license referenced by its attribute spdxId (frowned upon) "GPL-3.0-only".

  • Multiple licenses referenced by attribute (preferred) with lib.licenses; [ asl20 free ofl ].

  • Multiple licenses referenced as a space delimited string of attribute shortNames (frowned upon) "asl20 free ofl".

For details, see Licenses.

7.1.8. maintainers

A list of the maintainers of this Nix expression. Maintainers are defined in nixpkgs/maintainers/maintainer-list.nix. There is no restriction to becoming a maintainer, just add yourself to that list in a separate commit titled “maintainers: add alice”, and reference maintainers with maintainers = with lib.maintainers; [ alice bob ].

7.1.9. mainProgram

The name of the main binary for the package. This effects the binary nix run executes and falls back to the name of the package. Example: "rg"

7.1.10. priority

The priority of the package, used by nix-env to resolve file name conflicts between packages. See the Nix manual page for nix-env for details. Example: "10" (a low-priority package).

7.1.11. platforms

The list of Nix platform types on which the package is supported. Hydra builds packages according to the platform specified. If no platform is specified, the package does not have prebuilt binaries. An example is: 

meta.platforms = lib.platforms.linux;

Attribute Set lib.platforms defines various common lists of platforms types.

7.1.12. tests

An attribute set with tests as values. A test is a derivation that builds when the test passes and fails to build otherwise.

You can run these tests with: 

$ cd path/to/nixpkgs
$ nix-build -A your-package.tests

7.1.12.1. Package tests

Tests that are part of the source package are often executed in the installCheckPhase.

Prefer passthru.tests for tests that are introduced in nixpkgs because:

  • passthru.tests tests the real package, independently from the environment in which it was built

  • we can run passthru.tests independently

  • installCheckPhase adds overhead to each build

For more on how to write and run package tests, see Section 20.7, “Package tests”.

7.1.12.2. NixOS tests

The NixOS tests are available as nixosTests in parameters of derivations. For instance, the OpenSMTPD derivation includes lines similar to: 

{ /* ... */, nixosTests }:
{
  # ...
  passthru.tests = {
    basic-functionality-and-dovecot-integration = nixosTests.opensmtpd;
  };
}

NixOS tests run in a VM, so they are slower than regular package tests. For more information see NixOS module tests.

Alternatively, you can specify other derivations as tests. You can make use of the optional parameter to inject the correct package without relying on non-local definitions, even in the presence of overrideAttrs. Here that’s finalAttrs.finalPackage, but you could choose a different name if finalAttrs already exists in your scope.

(mypkg.overrideAttrs f).passthru.tests will be as expected, as long as the definition of tests does not rely on the original mypkg or overrides it in all places. 

# my-package/default.nix
{ stdenv, callPackage }:
stdenv.mkDerivation (finalAttrs: {
  # ...
  passthru.tests.example = callPackage ./example.nix { my-package = finalAttrs.finalPackage; };
})

# my-package/example.nix
{ runCommand, lib, my-package, ... }:
runCommand "my-package-test" {
  nativeBuildInputs = [ my-package ];
  src = lib.sources.sourcesByRegex ./. [ ".*.in" ".*.expected" ];
} ''
  my-package --help
  my-package <example.in >example.actual
  diff -U3 --color=auto example.expected example.actual
  mkdir $out
''

7.1.13. timeout

A timeout (in seconds) for building the derivation. If the derivation takes longer than this time to build, it can fail due to breaking the timeout. However, all computers do not have the same computing power, hence some builders may decide to apply a multiplicative factor to this value. When filling this value in, try to keep it approximately consistent with other values already present in nixpkgs.

meta attributes are not stored in the instantiated derivation. Therefore, this setting may be lost when the package is used as a dependency. To be effective, it must be presented directly to an evaluation process that handles the meta.timeout attribute.

7.1.14. hydraPlatforms

The list of Nix platform types for which the Hydra instance at hydra.nixos.org will build the package. (Hydra is the Nix-based continuous build system.) It defaults to the value of meta.platforms. Thus, the only reason to set meta.hydraPlatforms is if you want hydra.nixos.org to build the package on a subset of meta.platforms, or not at all, e.g. 

meta.platforms = lib.platforms.linux;
meta.hydraPlatforms = [];

7.1.15. broken

If set to true, the package is marked as broken, meaning that it won’t show up in nix-env -qa, and cannot be built or installed. Such packages should be removed from Nixpkgs eventually unless they are fixed.

7.2. Licenses

The meta.license attribute should preferably contain a value from lib.licenses defined in nixpkgs/lib/licenses.nix, or in-place license description of the same format if the license is unlikely to be useful in another expression.

Although it’s typically better to indicate the specific license, a few generic options are available:

7.2.1. lib.licenses.free, "free"

Catch-all for free software licenses not listed above.

7.2.2. lib.licenses.unfreeRedistributable, "unfree-redistributable"

Unfree package that can be redistributed in binary form. That is, it’s legal to redistribute the output of the derivation. This means that the package can be included in the Nixpkgs channel.

Sometimes proprietary software can only be redistributed unmodified. Make sure the builder doesn’t actually modify the original binaries; otherwise we’re breaking the license. For instance, the NVIDIA X11 drivers can be redistributed unmodified, but our builder applies patchelf to make them work. Thus, its license is "unfree" and it cannot be included in the Nixpkgs channel.

7.2.3. lib.licenses.unfree, "unfree"

Unfree package that cannot be redistributed. You can build it yourself, but you cannot redistribute the output of the derivation. Thus it cannot be included in the Nixpkgs channel.

7.2.4. lib.licenses.unfreeRedistributableFirmware, "unfree-redistributable-firmware"

This package supplies unfree, redistributable firmware. This is a separate value from unfree-redistributable because not everybody cares whether firmware is free.

7.3. Source provenance

The value of a package’s meta.sourceProvenance attribute specifies the provenance of the package’s derivation outputs.

If a package contains elements that are not built from the original source by a nixpkgs derivation, the meta.sourceProvenance attribute should be a list containing one or more value from lib.sourceTypes defined in nixpkgs/lib/source-types.nix.

Adding this information helps users who have needs related to build transparency and supply-chain security to gain some visibility into their installed software or set policy to allow or disallow installation based on source provenance.

The presence of a particular sourceType in a package’s meta.sourceProvenance list indicates that the package contains some components falling into that category, though the absence of that sourceType does not guarantee the absence of that category of sourceType in the package’s contents. A package with no meta.sourceProvenance set implies it has no known sourceTypes other than fromSource.

The meaning of the meta.sourceProvenance attribute does not depend on the value of the meta.license attribute.

7.3.1. lib.sourceTypes.fromSource

Package elements which are produced by a nixpkgs derivation which builds them from source code.

7.3.2. lib.sourceTypes.binaryNativeCode

Native code to be executed on the target system’s CPU, built by a third party. This includes packages which wrap a downloaded AppImage or Debian package.

7.3.3. lib.sourceTypes.binaryFirmware

Code to be executed on a peripheral device or embedded controller, built by a third party.

7.3.4. lib.sourceTypes.binaryBytecode

Code to run on a VM interpreter or JIT compiled into bytecode by a third party. This includes packages which download Java .jar files from another source.

Chapter 8. Multiple-output packages

Table of Contents

8.1. Introduction
8.2. Installing a split package
8.3. Using a split package
8.4. Writing a split derivation

8.1. Introduction

The Nix language allows a derivation to produce multiple outputs, which is similar to what is utilized by other Linux distribution packaging systems. The outputs reside in separate Nix store paths, so they can be mostly handled independently of each other, including passing to build inputs, garbage collection or binary substitution. The exception is that building from source always produces all the outputs.

The main motivation is to save disk space by reducing runtime closure sizes; consequently also sizes of substituted binaries get reduced. Splitting can be used to have more granular runtime dependencies, for example the typical reduction is to split away development-only files, as those are typically not needed during runtime. As a result, closure sizes of many packages can get reduced to a half or even much less.

A number of attributes can be used to work with a derivation with multiple outputs. The attribute outputs is a list of strings, which are the names of the outputs. For each of these names, an identically named attribute is created, corresponding to that output. The attribute meta.outputsToInstall is used to determine the default set of outputs to install when using the derivation name unqualified.

8.2. Installing a split package

When installing a package with multiple outputs, the package’s meta.outputsToInstall attribute determines which outputs are actually installed. meta.outputsToInstall is a list whose default installs binaries and the associated man pages. The following sections describe ways to install different outputs.

8.2.1. Selecting outputs to install via NixOS

NixOS provides two ways to select the outputs to install for packages listed in environment.systemPackages:

  • The configuration option environment.extraOutputsToInstall is appended to each package’s meta.outputsToInstall attribute to determine the outputs to install. It can for example be used to install info documentation or debug symbols for all packages.

  • The outputs can be listed as packages in environment.systemPackages. For example, the "out" and "info" outputs for the coreutils package can be installed by including coreutils and coreutils.info in environment.systemPackages.

8.2.2. Selecting outputs to install via nix-env

nix-env lacks an easy way to select the outputs to install. When installing a package, nix-env always installs the outputs listed in meta.outputsToInstall, even when the user explicitly selects an output.

The only recourse to select an output with nix-env is to override the package’s meta.outputsToInstall, using the functions described in Chapter 4, Overriding. For example, the following overlay adds the "info" output for the coreutils package: 

self: super:
{
  coreutils = super.coreutils.overrideAttrs (oldAttrs: {
    meta = oldAttrs.meta // { outputsToInstall = oldAttrs.meta.outputsToInstall or [ "out" ] ++ [ "info" ]; };
  });
}

8.3. Using a split package

In the Nix language the individual outputs can be reached explicitly as attributes, e.g. coreutils.info, but the typical case is just using packages as build inputs.

When a multiple-output derivation gets into a build input of another derivation, the dev output is added if it exists, otherwise the first output is added. In addition to that, propagatedBuildOutputs of that package which by default contain $outputBin and $outputLib are also added. (See Section 8.4.2, “File type groups”.)

In some cases it may be desirable to combine different outputs under a single store path. A function symlinkJoin can be used to do this. (Note that it may negate some closure size benefits of using a multiple-output package.)

8.4. Writing a split derivation

Here you find how to write a derivation that produces multiple outputs.

In nixpkgs there is a framework supporting multiple-output derivations. It tries to cover most cases by default behavior. You can find the source separated in <nixpkgs/pkgs/build-support/setup-hooks/multiple-outputs.sh>; it’s relatively well-readable. The whole machinery is triggered by defining the outputs attribute to contain the list of desired output names (strings). 

outputs = [ "bin" "dev" "out" "doc" ];

Often such a single line is enough. For each output an equally named environment variable is passed to the builder and contains the path in nix store for that output. Typically you also want to have the main out output, as it catches any files that didn’t get elsewhere.

8.4.1. “Binaries first”

A commonly adopted convention in nixpkgs is that executables provided by the package are contained within its first output. This convention allows the dependent packages to reference the executables provided by packages in a uniform manner. For instance, provided with the knowledge that the perl package contains a perl executable it can be referenced as ${pkgs.perl}/bin/perl within a Nix derivation that needs to execute a Perl script.

The glibc package is a deliberate single exception to the “binaries first” convention. The glibc has libs as its first output allowing the libraries provided by glibc to be referenced directly (e.g. ${glibc}/lib/ld-linux-x86-64.so.2). The executables provided by glibc can be accessed via its bin attribute (e.g. ${lib.getBin stdenv.cc.libc}/bin/ldd).

The reason for why glibc deviates from the convention is because referencing a library provided by glibc is a very common operation among Nix packages. For instance, third-party executables packaged by Nix are typically patched and relinked with the relevant version of glibc libraries from Nix packages (please see the documentation on patchelf for more details).

8.4.2. File type groups

The support code currently recognizes some particular kinds of outputs and either instructs the build system of the package to put files into their desired outputs or it moves the files during the fixup phase. Each group of file types has an outputFoo variable specifying the output name where they should go. If that variable isn’t defined by the derivation writer, it is guessed – a default output name is defined, falling back to other possibilities if the output isn’t defined.

8.4.2.1. $outputDev

is for development-only files. These include C(++) headers (include/), pkg-config (lib/pkgconfig/), cmake (lib/cmake/) and aclocal files (share/aclocal/). They go to dev or out by default.

8.4.2.2. $outputBin

is meant for user-facing binaries, typically residing in bin/. They go to bin or out by default.

8.4.2.3. $outputLib

is meant for libraries, typically residing in lib/ and libexec/. They go to lib or out by default.

8.4.2.4. $outputDoc

is for user documentation, typically residing in share/doc/. It goes to doc or out by default.

8.4.2.5. $outputDevdoc

is for developer documentation. Currently we count gtk-doc and devhelp books, typically residing in share/gtk-doc/ and share/devhelp/, in there. It goes to devdoc or is removed (!) by default. This is because e.g. gtk-doc tends to be rather large and completely unused by nixpkgs users.

8.4.2.6. $outputMan

is for man pages (except for section 3), typically residing in share/man/man[0-9]/. They go to man or $outputBin by default.

8.4.2.7. $outputDevman

is for section 3 man pages, typically residing in share/man/man[0-9]/. They go to devman or $outputMan by default.

8.4.2.8. $outputInfo

is for info pages, typically residing in share/info/. They go to info or $outputBin by default.

8.4.3. Common caveats

  • Some configure scripts don’t like some of the parameters passed by default by the framework, e.g. --docdir=/foo/bar. You can disable this by setting setOutputFlags = false;.

  • The outputs of a single derivation can retain references to each other, but note that circular references are not allowed. (And each strongly-connected component would act as a single output anyway.)

  • Most of split packages contain their core functionality in libraries. These libraries tend to refer to various kind of data that typically gets into out, e.g. locale strings, so there is often no advantage in separating the libraries into lib, as keeping them in out is easier.

  • Some packages have hidden assumptions on install paths, which complicates splitting.

Chapter 9. Cross-compilation

Table of Contents

9.1. Introduction
9.2. Packaging in a cross-friendly manner
9.3. Cross-building packages
9.4. Cross-compilation infrastructure

9.1. Introduction

Cross-compilation means compiling a program on one machine for another type of machine. For example, a typical use of cross-compilation is to compile programs for embedded devices. These devices often don’t have the computing power and memory to compile their own programs. One might think that cross-compilation is a fairly niche concern. However, there are significant advantages to rigorously distinguishing between build-time and run-time environments! Significant, because the benefits apply even when one is developing and deploying on the same machine. Nixpkgs is increasingly adopting the opinion that packages should be written with cross-compilation in mind, and Nixpkgs should evaluate in a similar way (by minimizing cross-compilation-specific special cases) whether or not one is cross-compiling.

This chapter will be organized in three parts. First, it will describe the basics of how to package software in a way that supports cross-compilation. Second, it will describe how to use Nixpkgs when cross-compiling. Third, it will describe the internal infrastructure supporting cross-compilation.

9.2. Packaging in a cross-friendly manner

9.2.1. Platform parameters

Nixpkgs follows the conventions of GNU autoconf. We distinguish between 3 types of platforms when building a derivation: build, host, and target. In summary, build is the platform on which a package is being built, host is the platform on which it will run. The third attribute, target, is relevant only for certain specific compilers and build tools.

In Nixpkgs, these three platforms are defined as attribute sets under the names buildPlatform, hostPlatform, and targetPlatform. They are always defined as attributes in the standard environment. That means one can access them like: 

{ stdenv, fooDep, barDep, ... }: ...stdenv.buildPlatform...
buildPlatform

The build platform is the platform on which a package is built. Once someone has a built package, or pre-built binary package, the build platform should not matter and can be ignored.

hostPlatform

The host platform is the platform on which a package will be run. This is the simplest platform to understand, but also the one with the worst name.

targetPlatform

The target platform attribute is, unlike the other two attributes, not actually fundamental to the process of building software. Instead, it is only relevant for compatibility with building certain specific compilers and build tools. It can be safely ignored for all other packages.

The build process of certain compilers is written in such a way that the compiler resulting from a single build can itself only produce binaries for a single platform. The task of specifying this single target platform is thus pushed to build time of the compiler. The root cause of this is that the compiler (which will be run on the host) and the standard library/runtime (which will be run on the target) are built by a single build process.

There is no fundamental need to think about a single target ahead of time like this. If the tool supports modular or pluggable backends, both the need to specify the target at build time and the constraint of having only a single target disappear. An example of such a tool is LLVM.

Although the existence of a target platform is arguably a historical mistake, it is a common one: examples of tools that suffer from it are GCC, Binutils, GHC and Autoconf. Nixpkgs tries to avoid sharing in the mistake where possible. Still, because the concept of a target platform is so ingrained, it is best to support it as is.

The exact schema these fields follow is a bit ill-defined due to a long and convoluted evolution, but this is slowly being cleaned up. You can see examples of ones used in practice in lib.systems.examples; note how they are not all very consistent. For now, here are few fields can count on them containing:

system

This is a two-component shorthand for the platform. Examples of this would be x86_64-darwin and i686-linux; see lib.systems.doubles for more. The first component corresponds to the CPU architecture of the platform and the second to the operating system of the platform ([cpu]-[os]). This format has built-in support in Nix, such as the builtins.currentSystem impure string.

config

This is a 3- or 4- component shorthand for the platform. Examples of this would be x86_64-unknown-linux-gnu and aarch64-apple-darwin14. This is a standard format called the LLVM target triple, as they are pioneered by LLVM. In the 4-part form, this corresponds to [cpu]-[vendor]-[os]-[abi]. This format is strictly more informative than the Nix host double, as the previous format could analogously be termed. This needs a better name than config!

parsed

This is a Nix representation of a parsed LLVM target triple with white-listed components. This can be specified directly, or actually parsed from the config. See lib.systems.parse for the exact representation.

libc

This is a string identifying the standard C library used. Valid identifiers include glibc for GNU libc, libSystem for Darwin’s Libsystem, and uclibc for µClibc. It should probably be refactored to use the module system, like parse.

is*

These predicates are defined in lib.systems.inspect, and slapped onto every platform. They are superior to the ones in stdenv as they force the user to be explicit about which platform they are inspecting. Please use these instead of those.

platform

This is, quite frankly, a dumping ground of ad-hoc settings (it’s an attribute set). See lib.systems.platforms for examples—there’s hopefully one in there that will work verbatim for each platform that is working. Please help us triage these flags and give them better homes!

9.2.2. Theory of dependency categorization

In this section we explore the relationship between both runtime and build-time dependencies and the 3 Autoconf platforms.

A run time dependency between two packages requires that their host platforms match. This is directly implied by the meaning of host platform and runtime dependency: The package dependency exists while both packages are running on a single host platform.

A build time dependency, however, has a shift in platforms between the depending package and the depended-on package. build time dependency means that to build the depending package we need to be able to run the depended-on’s package. The depending package’s build platform is therefore equal to the depended-on package’s host platform.

If both the dependency and depending packages aren’t compilers or other machine-code-producing tools, we’re done. And indeed buildInputs and nativeBuildInputs have covered these simpler cases for many years. But if the dependency does produce machine code, we might need to worry about its target platform too. In principle, that target platform might be any of the depending package’s build, host, or target platforms, but we prohibit dependencies from a later platform to an earlier platform to limit confusion because we’ve never seen a legitimate use for them.

Finally, if the depending package is a compiler or other machine-code-producing tool, it might need dependencies that run at emit time. This is for compilers that (regrettably) insist on being built together with their source languages’ standard libraries. Assuming build != host != target, a run-time dependency of the standard library cannot be run at the compiler’s build time or run time, but only at the run time of code emitted by the compiler.

Putting this all together, that means that we have dependency types of the form X→ E, which means that the dependency executes on X and emits code for E; each of X and E can be build, host, or target, and E can be * to indicate that the dependency is not a compiler-like package.

Dependency types describe the relationships that a package has with each of its transitive dependencies. You could think of attaching one or more dependency types to each of the formal parameters at the top of a package’s .nix file, as well as to all of their formal parameters, and so on. Triples like (foo, bar, baz), on the other hand, are a property of an instantiated derivation – you could would attach a triple (mips-linux, mips-linux, sparc-solaris) to a .drv file in /nix/store.

Only nine dependency types matter in practice:

9.2.2.1. Possible dependency types

Dependency type Dependency’s host platform Dependency’s target platform
build → * build (none)
build → build build build
build → host build host
build → target build target
host → * host (none)
host → host host host
host → target host target
target → * target (none)
target → target target target

Let’s use g++ as an example to make this table clearer. g++ is a C++ compiler written in C. Suppose we are building g++ with a (build, host, target) platform triple of (foo, bar, baz). This means we are using a foo-machine to build a copy of g++ which will run on a bar-machine and emit binaries for the baz-machine.

  • g++ links against the host platform’s glibc C library, which is a host→ * dependency with a triple of (bar, bar, *). Since it is a library, not a compiler, it has no target.

  • Since g++ is written in C, the gcc compiler used to compile it is a build→ host dependency of g++ with a triple of (foo, foo, bar). This compiler runs on the build platform and emits code for the host platform.

  • gcc links against the build platform’s glibc C library, which is a build→ * dependency with a triple of (foo, foo, *). Since it is a library, not a compiler, it has no target.

  • This gcc is itself compiled by an earlier copy of gcc. This earlier copy of gcc is a build→ build dependency of g++ with a triple of (foo, foo, foo). This early gcc runs on the build platform and emits code for the build platform.

  • g++ is bundled with libgcc, which includes a collection of target-machine routines for exception handling and software floating point emulation. libgcc would be a target→ * dependency with triple (foo, baz, *), because it consists of machine code which gets linked against the output of the compiler that we are building. It is a library, not a compiler, so it has no target of its own.

  • libgcc is written in C and compiled with gcc. The gcc that compiles it will be a build→ target dependency with triple (foo, foo, baz). It gets compiled and run at g++-build-time (on platform foo), but must emit code for the baz-platform.

  • g++ allows inline assembler code, so it depends on access to a copy of the gas assembler. This would be a host→ target dependency with triple (foo, bar, baz).

  • g++ (and gcc) include a library libgccjit.so, which wrap the compiler in a library to create a just-in-time compiler. In nixpkgs, this library is in the libgccjit package; if C++ required that programs have access to a JIT, g++ would need to add a target→ target dependency for libgccjit with triple (foo, baz, baz). This would ensure that the compiler ships with a copy of libgccjit which both executes on and generates code for the baz-platform.

  • If g++ itself linked against libgccjit.so (for example, to allow compile-time-evaluated C++ expressions), then the libgccjit package used to provide this functionality would be a host→ host dependency of g++: it is code which runs on the host and emits code for execution on the host.

9.2.3. Cross packaging cookbook

Some frequently encountered problems when packaging for cross-compilation should be answered here. Ideally, the information above is exhaustive, so this section cannot provide any new information, but it is ludicrous and cruel to expect everyone to spend effort working through the interaction of many features just to figure out the same answer to the same common problem. Feel free to add to this list!

9.2.3.1. My package fails to find a binutils command (cc/ar/ld etc.)

Many packages assume that an unprefixed binutils (cc/ar/ld etc.) is available, but Nix doesn’t provide one. It only provides a prefixed one, just as it only does for all the other binutils programs. It may be necessary to patch the package to fix the build system to use a prefix. For instance, instead of cc, use ${stdenv.cc.targetPrefix}cc. 

makeFlags = [ "CC=${stdenv.cc.targetPrefix}cc" ];

9.2.3.2. How do I avoid compiling a GCC cross-compiler from source?

On less powerful machines, it can be inconvenient to cross-compile a package only to find out that GCC has to be compiled from source, which could take up to several hours. Nixpkgs maintains a limited cross-related jobset on Hydra, which tests cross-compilation to various platforms from build platforms x86_64-darwin, x86_64-linux, and aarch64-linux. See pkgs/top-level/release-cross.nix for the full list of target platforms and packages. For instance, the following invocation fetches the pre-built cross-compiled GCC for armv6l-unknown-linux-gnueabihf and builds GNU Hello from source. 

$ nix-build '<nixpkgs>' -A pkgsCross.raspberryPi.hello

9.2.3.3. What if my package’s build system needs to build a C program to be run under the build environment?

Add the following to your mkDerivation invocation. 

depsBuildBuild = [ buildPackages.stdenv.cc ];

9.2.3.4. My package’s testsuite needs to run host platform code.

Add the following to your mkDerivation invocation. 

doCheck = stdenv.hostPlatform == stdenv.buildPlatform;

9.2.3.5. Package using Meson needs to run binaries for the host platform during build.

Add mesonEmulatorHook to nativeBuildInputs conditionally on if the target binaries can be executed.

e.g. 

nativeBuildInputs = [
  meson
] ++ lib.optionals (!stdenv.buildPlatform.canExecute stdenv.hostPlatform) [
  mesonEmulatorHook
];

Example of an error which this fixes.

[Errno 8] Exec format error: './gdk3-scan'

9.3. Cross-building packages

Nixpkgs can be instantiated with localSystem alone, in which case there is no cross-compiling and everything is built by and for that system, or also with crossSystem, in which case packages run on the latter, but all building happens on the former. Both parameters take the same schema as the 3 (build, host, and target) platforms defined in the previous section. As mentioned above, lib.systems.examples has some platforms which are used as arguments for these parameters in practice. You can use them programmatically, or on the command line: 

$ nix-build '<nixpkgs>' --arg crossSystem '(import <nixpkgs/lib>).systems.examples.fooBarBaz' -A whatever

While one is free to pass both parameters in full, there’s a lot of logic to fill in missing fields. As discussed in the previous section, only one of system, config, and parsed is needed to infer the other two. Additionally, libc will be inferred from parse. Finally, localSystem.system is also impurely inferred based on the platform evaluation occurs. This means it is often not necessary to pass localSystem at all, as in the command-line example in the previous paragraph.

One would think that localSystem and crossSystem overlap horribly with the three *Platforms (buildPlatform, hostPlatform, and targetPlatform; see stage.nix or the manual). Actually, those identifiers are purposefully not used here to draw a subtle but important distinction: While the granularity of having 3 platforms is necessary to properly build packages, it is overkill for specifying the user’s intent when making a build plan or package set. A simple build vs deploy dichotomy is adequate: the sliding window principle described in the previous section shows how to interpolate between the these two end points to get the 3 platform triple for each bootstrapping stage. That means for any package a given package set, even those not bound on the top level but only reachable via dependencies or buildPackages, the three platforms will be defined as one of localSystem or crossSystem, with the former replacing the latter as one traverses build-time dependencies. A last simple difference is that crossSystem should be null when one doesn’t want to cross-compile, while the *Platforms are always non-null. localSystem is always non-null.

9.4. Cross-compilation infrastructure

9.4.1. Implementation of dependencies

The categories of dependencies developed in Section 9.2.2, “Theory of dependency categorization” are specified as lists of derivations given to mkDerivation, as documented in Section 6.3, “Specifying dependencies”. In short, each list of dependencies for host → target is called deps<host><target> (where host, and target values are either build, host, or target), with exceptions for backwards compatibility that depsBuildHost is instead called nativeBuildInputs and depsHostTarget is instead called buildInputs. Nixpkgs is now structured so that each deps<host><target> is automatically taken from pkgs<host><target>. (These pkgs<host><target>s are quite new, so there is no special case for nativeBuildInputs and buildInputs.) For example, pkgsBuildHost.gcc should be used at build-time, while pkgsHostTarget.gcc should be used at run-time.

Now, for most of Nixpkgs’s history, there were no pkgs<host><target> attributes, and most packages have not been refactored to use it explicitly. Prior to those, there were just buildPackages, pkgs, and targetPackages. Those are now redefined as aliases to pkgsBuildHost, pkgsHostTarget, and pkgsTargetTarget. It is acceptable, even recommended, to use them for libraries to show that the host platform is irrelevant.

But before that, there was just pkgs, even though both buildInputs and nativeBuildInputs existed. [Cross barely worked, and those were implemented with some hacks on mkDerivation to override dependencies.] What this means is the vast majority of packages do not use any explicit package set to populate their dependencies, just using whatever callPackage gives them even if they do correctly sort their dependencies into the multiple lists described above. And indeed, asking that users both sort their dependencies, and take them from the right attribute set, is both too onerous and redundant, so the recommended approach (for now) is to continue just categorizing by list and not using an explicit package set.

To make this work, we splice together the six pkgsFooBar package sets and have callPackage actually take its arguments from that. This is currently implemented in pkgs/top-level/splice.nix. mkDerivation then, for each dependency attribute, pulls the right derivation out from the splice. This splicing can be skipped when not cross-compiling as the package sets are the same, but still is a bit slow for cross-compiling. We’d like to do something better, but haven’t come up with anything yet.

9.4.2. Bootstrapping

Each of the package sets described above come from a single bootstrapping stage. While pkgs/top-level/default.nix, coordinates the composition of stages at a high level, pkgs/top-level/stage.nix ties the knot (creates the fixed point) of each stage. The package sets are defined per-stage however, so they can be thought of as edges between stages (the nodes) in a graph. Compositions like pkgsBuildTarget.targetPackages can be thought of as paths to this graph.

While there are many package sets, and thus many edges, the stages can also be arranged in a linear chain. In other words, many of the edges are redundant as far as connectivity is concerned. This hinges on the type of bootstrapping we do. Currently for cross it is:

  1. (native, native, native)

  2. (native, native, foreign)

  3. (native, foreign, foreign)

In each stage, pkgsBuildHost refers to the previous stage, pkgsBuildBuild refers to the one before that, and pkgsHostTarget refers to the current one, and pkgsTargetTarget refers to the next one. When there is no previous or next stage, they instead refer to the current stage. Note how all the invariants regarding the mapping between dependency and depending packages’ build host and target platforms are preserved. pkgsBuildTarget and pkgsHostHost are more complex in that the stage fitting the requirements isn’t always a fixed chain of prevs and nexts away (modulo the saturating self-references at the ends). We just special case each instead. All the primary edges are implemented is in pkgs/stdenv/booter.nix, and secondarily aliases in pkgs/top-level/stage.nix.

If one looks at the 3 platform triples, one can see that they overlap such that one could put them together into a chain like: 

(native, native, native, foreign, foreign)

If one imagines the saturating self references at the end being replaced with infinite stages, and then overlays those platform triples, one ends up with the infinite tuple: 

(native..., native, native, native, foreign, foreign, foreign...)

One can then imagine any sequence of platforms such that there are bootstrap stages with their 3 platforms determined by sliding a window that is the 3 tuple through the sequence. This was the original model for bootstrapping. Without a target platform (assume a better world where all compilers are multi-target and all standard libraries are built in their own derivation), this is sufficient. Conversely if one wishes to cross compile faster, with a Canadian Cross bootstrapping stage where build != host != target, more bootstrapping stages are needed since no sliding window provides the pesky pkgsBuildTarget package set since it skips the Canadian cross stage’s host.

Chapter 10. Platform Notes

Table of Contents

10.1. Darwin (macOS)

10.1. Darwin (macOS)

Some common issues when packaging software for Darwin:

  • The Darwin stdenv uses clang instead of gcc. When referring to the compiler $CC or cc will work in both cases. Some builds hardcode gcc/g++ in their build scripts, that can usually be fixed with using something like makeFlags = [ "CC=cc" ]; or by patching the build scripts. 

    stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  # ...
  buildPhase = ''
    $CC -o hello hello.c
  '';
}

  • On Darwin, libraries are linked using absolute paths, libraries are resolved by their install_name at link time. Sometimes packages won’t set this correctly causing the library lookups to fail at runtime. This can be fixed by adding extra linker flags or by running install_name_tool -id during the fixupPhase. 

    stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  # ...
  makeFlags = lib.optional stdenv.isDarwin "LDFLAGS=-Wl,-install_name,$(out)/lib/libfoo.dylib";
}

  • Even if the libraries are linked using absolute paths and resolved via their install_name correctly, tests can sometimes fail to run binaries. This happens because the checkPhase runs before the libraries are installed.

    This can usually be solved by running the tests after the installPhase or alternatively by using DYLD_LIBRARY_PATH. More information about this variable can be found in the dyld(1) manpage. 

    dyld: Library not loaded: /nix/store/7hnmbscpayxzxrixrgxvvlifzlxdsdir-jq-1.5-lib/lib/libjq.1.dylib
Referenced from: /private/tmp/nix-build-jq-1.5.drv-0/jq-1.5/tests/../jq
Reason: image not found
./tests/jqtest: line 5: 75779 Abort trap: 6

    stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  # ...
  doInstallCheck = true;
  installCheckTarget = "check";
}

  • Some packages assume xcode is available and use xcrun to resolve build tools like clang, etc. This causes errors like xcode-select: error: no developer tools were found at '/Applications/Xcode.app' while the build doesn’t actually depend on xcode. 

    stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  # ...
  prePatch = ''
    substituteInPlace Makefile \
        --replace '/usr/bin/xcrun clang' clang
  '';
}

    The package xcbuild can be used to build projects that really depend on Xcode. However, this replacement is not 100% compatible with Xcode and can occasionally cause issues.

  • x86_64-darwin uses the 10.12 SDK by default, but some software is not compatible with that version of the SDK. In that case, the 11.0 SDK used by aarch64-darwin is available for use on x86_64-darwin. To use it, reference apple_sdk_11_0 instead of apple_sdk in your derivation and use pkgs.darwin.apple_sdk_11_0.callPackage instead of pkgs.callPackage. On Linux, this will have the same effect as pkgs.callPackage, so you can use pkgs.darwin.apple_sdk_11_0.callPackage regardless of platform.

Part III. Builders

Table of Contents

11. Fetchers
12. Trivial builders
13. Testers
14. Special builders
15. Images
16. Hooks reference
17. Languages and frameworks
18. Packages

Chapter 11. Fetchers

Table of Contents

11.1. Caveats
11.2. fetchurl and fetchzip
11.3. fetchpatch
11.4. fetchsvn
11.5. fetchgit
11.6. fetchfossil
11.7. fetchcvs
11.8. fetchhg
11.9. fetchFromGitea
11.10. fetchFromGitHub
11.11. fetchFromGitLab
11.12. fetchFromGitiles
11.13. fetchFromBitbucket
11.14. fetchFromSavannah
11.15. fetchFromRepoOrCz
11.16. fetchFromSourcehut

Building software with Nix often requires downloading source code and other files from the internet. nixpkgs provides fetchers for different protocols and services. Fetchers are functions that simplify downloading files.

11.1. Caveats

Fetchers create fixed output derivations from downloaded files. Nix can reuse the downloaded files via the hash of the resulting derivation.

The fact that the hash belongs to the Nix derivation output and not the file itself can lead to confusion. For example, consider the following fetcher: 

fetchurl {
  url = "http://www.example.org/hello-1.0.tar.gz";
  sha256 = "0v6r3wwnsk5pdjr188nip3pjgn1jrn5pc5ajpcfy6had6b3v4dwm";
};

A common mistake is to update a fetcher’s URL, or a version parameter, without updating the hash. 

fetchurl {
  url = "http://www.example.org/hello-1.1.tar.gz";
  sha256 = "0v6r3wwnsk5pdjr188nip3pjgn1jrn5pc5ajpcfy6had6b3v4dwm";
};

This will reuse the old contents. Remember to invalidate the hash argument, in this case by setting the sha256 attribute to an empty string. 

fetchurl {
  url = "http://www.example.org/hello-1.1.tar.gz";
  sha256 = "";
};

Use the resulting error message to determine the correct hash. 

error: hash mismatch in fixed-output derivation '/path/to/my.drv':
         specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
            got:    sha256-RApQUm78dswhBLC/rfU9y0u6pSAzHceIJqgmetRD24E=

A similar problem arises while testing changes to a fetcher’s implementation. If the output of the derivation already exists in the Nix store, test failures can go undetected. The invalidateFetcherByDrvHash function helps prevent reusing cached derivations.

11.2. fetchurl and fetchzip

Two basic fetchers are fetchurl and fetchzip. Both of these have two required arguments, a URL and a hash. The hash is typically sha256, although many more hash algorithms are supported. Nixpkgs contributors are currently recommended to use sha256. This hash will be used by Nix to identify your source. A typical usage of fetchurl is provided below. 

{ stdenv, fetchurl }:

stdenv.mkDerivation {
  name = "hello";
  src = fetchurl {
    url = "http://www.example.org/hello.tar.gz";
    sha256 = "1111111111111111111111111111111111111111111111111111";
  };
}

The main difference between fetchurl and fetchzip is in how they store the contents. fetchurl will store the unaltered contents of the URL within the Nix store. fetchzip on the other hand, will decompress the archive for you, making files and directories directly accessible in the future. fetchzip can only be used with archives. Despite the name, fetchzip is not limited to .zip files and can also be used with any tarball.

11.3. fetchpatch

fetchpatch works very similarly to fetchurl with the same arguments expected. It expects patch files as a source and performs normalization on them before computing the checksum. For example, it will remove comments or other unstable parts that are sometimes added by version control systems and can change over time.

  • relative: Similar to using git-diff’s --relative flag, only keep changes inside the specified directory, making paths relative to it.

  • stripLen: Remove the first stripLen components of pathnames in the patch.

  • extraPrefix: Prefix pathnames by this string.

  • excludes: Exclude files matching these patterns (applies after the above arguments).

  • includes: Include only files matching these patterns (applies after the above arguments).

  • revert: Revert the patch.

Note that because the checksum is computed after applying these effects, using or modifying these arguments will have no effect unless the sha256 argument is changed as well.

Most other fetchers return a directory rather than a single file.

11.4. fetchsvn

Used with Subversion. Expects url to a Subversion directory, rev, and sha256.

11.5. fetchgit

Used with Git. Expects url to a Git repo, rev, and sha256. rev in this case can be full the git commit id (SHA1 hash) or a tag name like refs/tags/v1.0.

Additionally, the following optional arguments can be given: fetchSubmodules = true makes fetchgit also fetch the submodules of a repository. If deepClone is set to true, the entire repository is cloned as opposing to just creating a shallow clone. deepClone = true also implies leaveDotGit = true which means that the .git directory of the clone won’t be removed after checkout.

If only parts of the repository are needed, sparseCheckout can be used. This will prevent git from fetching unnecessary blobs from server, see git sparse-checkout for more information: 

{ stdenv, fetchgit }:

stdenv.mkDerivation {
  name = "hello";
  src = fetchgit {
    url = "https://...";
    sparseCheckout = [
      "directory/to/be/included"
      "another/directory"
    ];
    sha256 = "0000000000000000000000000000000000000000000000000000";
  };
}

11.6. fetchfossil

Used with Fossil. Expects url to a Fossil archive, rev, and sha256.

11.7. fetchcvs

Used with CVS. Expects cvsRoot, tag, and sha256.

11.8. fetchhg

Used with Mercurial. Expects url, rev, and sha256.

A number of fetcher functions wrap part of fetchurl and fetchzip. They are mainly convenience functions intended for commonly used destinations of source code in Nixpkgs. These wrapper fetchers are listed below.

11.9. fetchFromGitea

fetchFromGitea expects five arguments. domain is the gitea server name. owner is a string corresponding to the Gitea user or organization that controls this repository. repo corresponds to the name of the software repository. These are located at the top of every Gitea HTML page as owner/repo. rev corresponds to the Git commit hash or tag (e.g v1.0) that will be downloaded from Git. Finally, sha256 corresponds to the hash of the extracted directory. Again, other hash algorithms are also available but sha256 is currently preferred.

11.10. fetchFromGitHub

fetchFromGitHub expects four arguments. owner is a string corresponding to the GitHub user or organization that controls this repository. repo corresponds to the name of the software repository. These are located at the top of every GitHub HTML page as owner/repo. rev corresponds to the Git commit hash or tag (e.g v1.0) that will be downloaded from Git. Finally, sha256 corresponds to the hash of the extracted directory. Again, other hash algorithms are also available, but sha256 is currently preferred.

fetchFromGitHub uses fetchzip to download the source archive generated by GitHub for the specified revision. If leaveDotGit, deepClone or fetchSubmodules are set to true, fetchFromGitHub will use fetchgit instead. Refer to its section for documentation of these options.

11.11. fetchFromGitLab

This is used with GitLab repositories. The arguments expected are very similar to fetchFromGitHub above.

11.12. fetchFromGitiles

This is used with Gitiles repositories. The arguments expected are similar to fetchgit.

11.13. fetchFromBitbucket

This is used with BitBucket repositories. The arguments expected are very similar to fetchFromGitHub above.

11.14. fetchFromSavannah

This is used with Savannah repositories. The arguments expected are very similar to fetchFromGitHub above.

11.15. fetchFromRepoOrCz

This is used with repo.or.cz repositories. The arguments expected are very similar to fetchFromGitHub above.

11.16. fetchFromSourcehut

This is used with sourcehut repositories. Similar to fetchFromGitHub above, it expects owner, repo, rev and sha256, but don’t forget the tilde (~) in front of the username! Expected arguments also include vc (git (default) or hg), domain and fetchSubmodules.

If fetchSubmodules is true, fetchFromSourcehut uses fetchgit or fetchhg with fetchSubmodules or fetchSubrepos set to true, respectively. Otherwise, the fetcher uses fetchzip.

Chapter 12. Trivial builders

Table of Contents

12.1. runCommand
12.2. runCommandCC
12.3. runCommandLocal
12.4. writeTextFile, writeText, writeTextDir, writeScript, writeScriptBin
12.5. concatTextFile, concatText, concatScript
12.6. writeShellApplication
12.7. symlinkJoin
12.8. writeReferencesToFile
12.9. writeDirectReferencesToFile

Nixpkgs provides a couple of functions that help with building derivations. The most important one, stdenv.mkDerivation, has already been documented above. The following functions wrap stdenv.mkDerivation, making it easier to use in certain cases.

12.1. runCommand

This takes three arguments, name, env, and buildCommand. name is just the name that Nix will append to the store path in the same way that stdenv.mkDerivation uses its name attribute. env is an attribute set specifying environment variables that will be set for this derivation. These attributes are then passed to the wrapped stdenv.mkDerivation. buildCommand specifies the commands that will be run to create this derivation. Note that you will need to create $out for Nix to register the command as successful.

An example of using runCommand is provided below. 

(import <nixpkgs> {}).runCommand "my-example" {} ''
  echo My example command is running

  mkdir $out

  echo I can write data to the Nix store > $out/message

  echo I can also run basic commands like:

  echo ls
  ls

  echo whoami
  whoami

  echo date
  date
''

12.2. runCommandCC

This works just like runCommand. The only difference is that it also provides a C compiler in buildCommand’s environment. To minimize your dependencies, you should only use this if you are sure you will need a C compiler as part of running your command.

12.3. runCommandLocal

Variant of runCommand that forces the derivation to be built locally, it is not substituted. This is intended for very cheap commands (<1s execution time). It saves on the network round-trip and can speed up a build.

12.4. writeTextFile, writeText, writeTextDir, writeScript, writeScriptBin

These functions write text to the Nix store. This is useful for creating scripts from Nix expressions. writeTextFile takes an attribute set and expects two arguments, name and text. name corresponds to the name used in the Nix store path. text will be the contents of the file. You can also set executable to true to make this file have the executable bit set.

Many more commands wrap writeTextFile including writeText, writeTextDir, writeScript, and writeScriptBin. These are convenience functions over writeTextFile.

Here are a few examples: 

# Writes my-file to /nix/store/<store path>
writeTextFile {
  name = "my-file";
  text = ''
    Contents of File
  '';
}
# See also the `writeText` helper function below.

# Writes executable my-file to /nix/store/<store path>/bin/my-file
writeTextFile {
  name = "my-file";
  text = ''
    Contents of File
  '';
  executable = true;
  destination = "/bin/my-file";
}
# Writes contents of file to /nix/store/<store path>
writeText "my-file"
  ''
  Contents of File
  '';
# Writes contents of file to /nix/store/<store path>/share/my-file
writeTextDir "share/my-file"
  ''
  Contents of File
  '';
# Writes my-file to /nix/store/<store path> and makes executable
writeScript "my-file"
  ''
  Contents of File
  '';
# Writes my-file to /nix/store/<store path>/bin/my-file and makes executable.
writeScriptBin "my-file"
  ''
  Contents of File
  '';
# Writes my-file to /nix/store/<store path> and makes executable.
writeShellScript "my-file"
  ''
  Contents of File
  '';
# Writes my-file to /nix/store/<store path>/bin/my-file and makes executable.
writeShellScriptBin "my-file"
  ''
  Contents of File
  '';

12.5. concatTextFile, concatText, concatScript

These functions concatenate files to the Nix store in a single file. This is useful for configuration files structured in lines of text. concatTextFile takes an attribute set and expects two arguments, name and files. name corresponds to the name used in the Nix store path. files will be the files to be concatenated. You can also set executable to true to make this file have the executable bit set. concatText andconcatScript are simple wrappers over concatTextFile.

Here are a few examples: 


# Writes my-file to /nix/store/<store path>
concatTextFile {
  name = "my-file";
  files = [ drv1 "${drv2}/path/to/file" ];
}
# See also the `concatText` helper function below.

# Writes executable my-file to /nix/store/<store path>/bin/my-file
concatTextFile {
  name = "my-file";
  files = [ drv1 "${drv2}/path/to/file" ];
  executable = true;
  destination = "/bin/my-file";
}
# Writes contents of files to /nix/store/<store path>
concatText "my-file" [ file1 file2 ]

# Writes contents of files to /nix/store/<store path>
concatScript "my-file" [ file1 file2 ]

12.6. writeShellApplication

This can be used to easily produce a shell script that has some dependencies (runtimeInputs). It automatically sets the PATH of the script to contain all of the listed inputs, sets some sanity shellopts (errexit, nounset, pipefail), and checks the resulting script with shellcheck.

For example, look at the following code: 

writeShellApplication {
  name = "show-nixos-org";

  runtimeInputs = [ curl w3m ];

  text = ''
    curl -s 'https://nixos.org' | w3m -dump -T text/html
  '';
}

Unlike with normal writeShellScriptBin, there is no need to manually write out ${curl}/bin/curl, setting the PATH was handled by writeShellApplication. Moreover, the script is being checked with shellcheck for more strict validation.

12.7. symlinkJoin

This can be used to put many derivations into the same directory structure. It works by creating a new derivation and adding symlinks to each of the paths listed. It expects two arguments, name, and paths. name is the name used in the Nix store path for the created derivation. paths is a list of paths that will be symlinked. These paths can be to Nix store derivations or any other subdirectory contained within. Here is an example: 

# adds symlinks of hello and stack to current build and prints "links added"
symlinkJoin { name = "myexample"; paths = [ pkgs.hello pkgs.stack ]; postBuild = "echo links added"; }

This creates a derivation with a directory structure like the following: 

/nix/store/sglsr5g079a5235hy29da3mq3hv8sjmm-myexample
|-- bin
|   |-- hello -> /nix/store/qy93dp4a3rqyn2mz63fbxjg228hffwyw-hello-2.10/bin/hello
|   `-- stack -> /nix/store/6lzdpxshx78281vy056lbk553ijsdr44-stack-2.1.3.1/bin/stack
`-- share
    |-- bash-completion
    |   `-- completions
    |       `-- stack -> /nix/store/6lzdpxshx78281vy056lbk553ijsdr44-stack-2.1.3.1/share/bash-completion/completions/stack
    |-- fish
    |   `-- vendor_completions.d
    |       `-- stack.fish -> /nix/store/6lzdpxshx78281vy056lbk553ijsdr44-stack-2.1.3.1/share/fish/vendor_completions.d/stack.fish
...

12.8. writeReferencesToFile

Writes the closure of transitive dependencies to a file.

This produces the equivalent of nix-store -q --requisites.

For example, 

writeReferencesToFile (writeScriptBin "hi" ''${hello}/bin/hello'')

produces an output path /nix/store/<hash>-runtime-deps containing 

/nix/store/<hash>-hello-2.10
/nix/store/<hash>-hi
/nix/store/<hash>-libidn2-2.3.0
/nix/store/<hash>-libunistring-0.9.10
/nix/store/<hash>-glibc-2.32-40

You can see that this includes hi, the original input path, hello, which is a direct reference, but also the other paths that are indirectly required to run hello.

12.9. writeDirectReferencesToFile

Writes the set of references to the output file, that is, their immediate dependencies.

This produces the equivalent of nix-store -q --references.

For example, 

writeDirectReferencesToFile (writeScriptBin "hi" ''${hello}/bin/hello'')

produces an output path /nix/store/<hash>-runtime-references containing 

/nix/store/<hash>-hello-2.10

but none of hello’s dependencies because those are not referenced directly by hi’s output.

Chapter 13. Testers

Table of Contents

13.1. testVersion
13.2. testBuildFailure
13.3. testEqualContents
13.4. testEqualDerivation
13.5. invalidateFetcherByDrvHash
13.6. nixosTest

This chapter describes several testing builders which are available in the testers namespace.

13.1. testVersion

Checks the command output contains the specified version

Although simplistic, this test assures that the main program can run. While there’s no substitute for a real test case, it does catch dynamic linking errors and such. It also provides some protection against accidentally building the wrong version, for example when using an old hash in a fixed-output derivation.

Examples: 

passthru.tests.version = testers.testVersion { package = hello; };

passthru.tests.version = testers.testVersion {
  package = seaweedfs;
  command = "weed version";
};

passthru.tests.version = testers.testVersion {
  package = key;
  command = "KeY --help";
  # Wrong '2.5' version in the code. Drop on next version.
  version = "2.5";
};

passthru.tests.version = testers.testVersion {
  package = ghr;
  # The output needs to contain the 'version' string without any prefix or suffix.
  version = "v${version}";
};

13.2. testBuildFailure

Make sure that a build does not succeed. This is useful for testing testers.

This returns a derivation with an override on the builder, with the following effects:

  • Fail the build when the original builder succeeds

  • Move $out to $out/result, if it exists (assuming out is the default output)

  • Save the build log to $out/testBuildFailure.log (same)

Example: 

runCommand "example" {
  failed = testers.testBuildFailure (runCommand "fail" {} ''
    echo ok-ish >$out
    echo failing though
    exit 3
  '');
} ''
  grep -F 'ok-ish' $failed/result
  grep -F 'failing though' $failed/testBuildFailure.log
  [[ 3 = $(cat $failed/testBuildFailure.exit) ]]
  touch $out
'';

While testBuildFailure is designed to keep changes to the original builder’s environment to a minimum, some small changes are inevitable.

  • The file $TMPDIR/testBuildFailure.log is present. It should not be deleted.

  • stdout and stderr are a pipe instead of a tty. This could be improved.

  • One or two extra processes are present in the sandbox during the original builder’s execution.

  • The derivation and output hashes are different, but not unusual.

  • The derivation includes a dependency on buildPackages.bash and expect-failure.sh, which is built to include a transitive dependency on buildPackages.coreutils and possibly more. These are not added to PATH or any other environment variable, so they should be hard to observe.

13.3. testEqualContents

Check that two paths have the same contents.

Example: 

testers.testEqualContents {
  assertion = "sed -e performs replacement";
  expected = writeText "expected" ''
    foo baz baz
  '';
  actual = runCommand "actual" {
    # not really necessary for a package that's in stdenv
    nativeBuildInputs = [ gnused ];
    base = writeText "base" ''
      foo bar baz
    '';
  } ''
    sed -e 's/bar/baz/g' $base >$out
  '';
}

13.4. testEqualDerivation

Checks that two packages produce the exact same build instructions.

This can be used to make sure that a certain difference of configuration, such as the presence of an overlay does not cause a cache miss.

When the derivations are equal, the return value is an empty file. Otherwise, the build log explains the difference via nix-diff.

Example: 

testers.testEqualDerivation
  "The hello package must stay the same when enabling checks."
  hello
  (hello.overrideAttrs(o: { doCheck = true; }))

13.5. invalidateFetcherByDrvHash

Use the derivation hash to invalidate the output via name, for testing.

Type: (a@{ name, ... } -> Derivation) -> a -> Derivation

Normally, fixed output derivations can and should be cached by their output hash only, but for testing we want to re-fetch everytime the fetcher changes.

Changes to the fetcher become apparent in the drvPath, which is a hash of how to fetch, rather than a fixed store path. By inserting this hash into the name, we can make sure to re-run the fetcher every time the fetcher changes.

This relies on the assumption that Nix isn’t clever enough to reuse its database of local store contents to optimize fetching.

You might notice that the salted name derives from the normal invocation, not the final derivation. invalidateFetcherByDrvHash has to invoke the fetcher function twice: once to get a derivation hash, and again to produce the final fixed output derivation.

Example: 

tests.fetchgit = testers.invalidateFetcherByDrvHash fetchgit {
  name = "nix-source";
  url = "https://github.com/NixOS/nix";
  rev = "9d9dbe6ed05854e03811c361a3380e09183f4f4a";
  sha256 = "sha256-7DszvbCNTjpzGRmpIVAWXk20P0/XTrWZ79KSOGLrUWY=";
};

13.6. nixosTest

Run a NixOS VM network test using this evaluation of Nixpkgs.

NOTE: This function is primarily for external use. NixOS itself uses make-test-python.nix directly. Packages defined in Nixpkgs reuse NixOS tests via nixosTests, plural.

It is mostly equivalent to the function import ./make-test-python.nix from the NixOS manual, except that the current application of Nixpkgs (pkgs) will be used, instead of letting NixOS invoke Nixpkgs anew.

If a test machine needs to set NixOS options under nixpkgs, it must set only the nixpkgs.pkgs option.

13.6.1. Parameter

A NixOS VM test network, or path to it. Example: 

{
  name = "my-test";
  nodes = {
    machine1 = { lib, pkgs, nodes, ... }: {
      environment.systemPackages = [ pkgs.hello ];
      services.foo.enable = true;
    };
    # machine2 = ...;
  };
  testScript = ''
    start_all()
    machine1.wait_for_unit("foo.service")
    machine1.succeed("hello | foo-send")
  '';
}

13.6.2. Result

A derivation that runs the VM test.

Notable attributes:

  • nodes: the evaluated NixOS configurations. Useful for debugging and exploring the configuration.

  • driverInteractive: a script that launches an interactive Python session in the context of the testScript.

Chapter 14. Special builders

Table of Contents

14.1. buildFHSUserEnv
14.2. pkgs.mkShell
14.3. darwin.builder

This chapter describes several special builders.

14.1. buildFHSUserEnv

buildFHSUserEnv provides a way to build and run FHS-compatible lightweight sandboxes. It creates an isolated root with bound /nix/store, so its footprint in terms of disk space needed is quite small. This allows one to run software which is hard or unfeasible to patch for NixOS – 3rd-party source trees with FHS assumptions, games distributed as tarballs, software with integrity checking and/or external self-updated binaries. It uses Linux namespaces feature to create temporary lightweight environments which are destroyed after all child processes exit, without root user rights requirement. Accepted arguments are:

  • name Environment name.

  • targetPkgs Packages to be installed for the main host’s architecture (i.e. x86_64 on x86_64 installations). Along with libraries binaries are also installed.

  • multiPkgs Packages to be installed for all architectures supported by a host (i.e. i686 and x86_64 on x86_64 installations). Only libraries are installed by default.

  • extraBuildCommands Additional commands to be executed for finalizing the directory structure.

  • extraBuildCommandsMulti Like extraBuildCommands, but executed only on multilib architectures.

  • extraOutputsToInstall Additional derivation outputs to be linked for both target and multi-architecture packages.

  • extraInstallCommands Additional commands to be executed for finalizing the derivation with runner script.

  • runScript A command that would be executed inside the sandbox and passed all the command line arguments. It defaults to bash.

  • profile Optional script for /etc/profile within the sandbox.

One can create a simple environment using a shell.nix like that: 

{ pkgs ? import <nixpkgs> {} }:

(pkgs.buildFHSUserEnv {
  name = "simple-x11-env";
  targetPkgs = pkgs: (with pkgs;
    [ udev
      alsa-lib
    ]) ++ (with pkgs.xorg;
    [ libX11
      libXcursor
      libXrandr
    ]);
  multiPkgs = pkgs: (with pkgs;
    [ udev
      alsa-lib
    ]);
  runScript = "bash";
}).env

Running nix-shell would then drop you into a shell with these libraries and binaries available. You can use this to run closed-source applications which expect FHS structure without hassles: simply change runScript to the application path, e.g. ./bin/start.sh – relative paths are supported.

Additionally, the FHS builder links all relocated gsettings-schemas (the glib setup-hook moves them to share/gsettings-schemas/${name}/glib-2.0/schemas) to their standard FHS location. This means you don’t need to wrap binaries with wrapGAppsHook.

14.2. pkgs.mkShell

pkgs.mkShell is a specialized stdenv.mkDerivation that removes some repetition when using it with nix-shell (or nix develop).

14.2.1. Usage

Here is a common usage example: 

{ pkgs ? import <nixpkgs> {} }:
pkgs.mkShell {
  packages = [ pkgs.gnumake ];

  inputsFrom = [ pkgs.hello pkgs.gnutar ];

  shellHook = ''
    export DEBUG=1
  '';
}

14.2.2. Attributes

  • name (default: nix-shell). Set the name of the derivation.

  • packages (default: []). Add executable packages to the nix-shell environment.

  • inputsFrom (default: []). Add build dependencies of the listed derivations to the nix-shell environment.

  • shellHook (default: ""). Bash statements that are executed by nix-shell.

… all the attributes of stdenv.mkDerivation.

14.2.3. Building the shell

This derivation output will contain a text file that contains a reference to all the build inputs. This is useful in CI where we want to make sure that every derivation, and its dependencies, build properly. Or when creating a GC root so that the build dependencies don’t get garbage-collected.

14.3. darwin.builder

darwin.builder provides a way to bootstrap a Linux builder on a macOS machine.

This requires macOS version 12.4 or later.

This also requires that port 22 on your machine is free (since Nix does not permit specifying a non-default SSH port for builders).

You will also need to be a trusted user for your Nix installation. In other words, your /etc/nix/nix.conf should have something like: 

extra-trusted-users = <your username goes here>

To launch the builder, run the following flake: 

$ nix run nixpkgs#darwin.builder

That will prompt you to enter your sudo password: 

+ sudo --reset-timestamp /nix/store/…-install-credentials.sh ./keys
Password:

… so that it can install a private key used to ssh into the build server. After that the script will launch the virtual machine: 

<<< Welcome to NixOS 22.11.20220901.1bd8d11 (aarch64) - ttyAMA0 >>>

Run 'nixos-help' for the NixOS manual.

nixos login:

Note: When you need to stop the VM, type Ctrl-a + c to open the qemu prompt and then type quit followed by Enter

To delegate builds to the remote builder, add the following options to your nix.conf file: 

# - Replace ${ARCH} with either aarch64 or x86_64 to match your host machine
# - Replace ${MAX_JOBS} with the maximum number of builds (pick 4 if you're not sure)
builders = ssh-ng://builder@localhost ${ARCH}-linux /etc/nix/builder_ed25519 ${MAX_JOBS} - - - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo='

# Not strictly necessary, but this will reduce your disk utilization
builders-use-substitutes = true

… and then restart your Nix daemon to apply the change: 

$ sudo launchctl kickstart -k system/org.nixos.nix-daemon

Chapter 15. Images

Table of Contents

15.1. pkgs.appimageTools
15.2. pkgs.dockerTools
15.3. pkgs.ociTools
15.4. pkgs.snapTools
15.5. pkgs.portableService

This chapter describes tools for creating various types of images.

15.1. pkgs.appimageTools

pkgs.appimageTools is a set of functions for extracting and wrapping AppImage files. They are meant to be used if traditional packaging from source is infeasible, or it would take too long. To quickly run an AppImage file, pkgs.appimage-run can be used as well.

15.1.1. AppImage formats

There are different formats for AppImages, see the specification for details.

  • Type 1 images are ISO 9660 files that are also ELF executables.

  • Type 2 images are ELF executables with an appended filesystem.

They can be told apart with file -k: 

$ file -k type1.AppImage
type1.AppImage: ELF 64-bit LSB executable, x86-64, version 1 (SYSV) ISO 9660 CD-ROM filesystem data 'AppImage' (Lepton 3.x), scale 0-0,
spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 0.000000, dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=d629f6099d2344ad82818172add1d38c5e11bc6d, stripped\012- data

$ file -k type2.AppImage
type2.AppImage: ELF 64-bit LSB executable, x86-64, version 1 (SYSV) (Lepton 3.x), scale 232-60668, spot sensor temperature -4.187500, color scheme 15, show scale bar, calibration: offset -0.000000, slope 0.000000 (Lepton 2.x), scale 4111-45000, spot sensor temperature 412442.250000, color scheme 3, minimum point enabled, calibration: offset -75402534979642766821519867692934234112.000000, slope 5815371847733706829839455140374904832.000000, dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=79dcc4e55a61c293c5e19edbd8d65b202842579f, stripped\012- data

Note how the type 1 AppImage is described as an ISO 9660 CD-ROM filesystem, and the type 2 AppImage is not.

15.1.2. Wrapping

Depending on the type of AppImage you’re wrapping, you’ll have to use wrapType1 or wrapType2. 

appimageTools.wrapType2 { # or wrapType1
  name = "patchwork";
  src = fetchurl {
    url = "https://github.com/ssbc/patchwork/releases/download/v3.11.4/Patchwork-3.11.4-linux-x86_64.AppImage";
    sha256 = "1blsprpkvm0ws9b96gb36f0rbf8f5jgmw4x6dsb1kswr4ysf591s";
  };
  extraPkgs = pkgs: with pkgs; [ ];
}

  • name specifies the name of the resulting image.

  • src specifies the AppImage file to extract.

  • extraPkgs allows you to pass a function to include additional packages inside the FHS environment your AppImage is going to run in. There are a few ways to learn which dependencies an application needs:

    • Looking through the extracted AppImage files, reading its scripts and running patchelf and ldd on its executables. This can also be done in appimage-run, by setting APPIMAGE_DEBUG_EXEC=bash.

    • Running strace -vfefile on the wrapped executable, looking for libraries that can’t be found.

15.2. pkgs.dockerTools

pkgs.dockerTools is a set of functions for creating and manipulating Docker images according to the Docker Image Specification v1.2.0. Docker itself is not used to perform any of the operations done by these functions.

15.2.1. buildImage

This function is analogous to the docker build command, in that it can be used to build a Docker-compatible repository tarball containing a single image with one or multiple layers. As such, the result is suitable for being loaded in Docker with docker load.

The parameters of buildImage with relative example values are described below: 

buildImage {
  name = "redis";
  tag = "latest";

  fromImage = someBaseImage;
  fromImageName = null;
  fromImageTag = "latest";

  copyToRoot = pkgs.buildEnv {
    name = "image-root";
    paths = [ pkgs.redis ];
    pathsToLink = [ "/bin" ];
  };

  runAsRoot = ''
    #!${pkgs.runtimeShell}
    mkdir -p /data
  '';

  config = {
    Cmd = [ "/bin/redis-server" ];
    WorkingDir = "/data";
    Volumes = { "/data" = { }; };
  };

  diskSize = 1024;
  buildVMMemorySize = 512;
}

The above example will build a Docker image redis/latest from the given base image. Loading and running this image in Docker results in redis-server being started automatically.

  • name specifies the name of the resulting image. This is the only required argument for buildImage.

  • tag specifies the tag of the resulting image. By default it’s null, which indicates that the nix output hash will be used as tag.

  • fromImage is the repository tarball containing the base image. It must be a valid Docker image, such as exported by docker save. By default it’s null, which can be seen as equivalent to FROM scratch of a Dockerfile.

  • fromImageName can be used to further specify the base image within the repository, in case it contains multiple images. By default it’s null, in which case buildImage will peek the first image available in the repository.

  • fromImageTag can be used to further specify the tag of the base image within the repository, in case an image contains multiple tags. By default it’s null, in which case buildImage will peek the first tag available for the base image.

  • copyToRoot is a derivation that will be copied in the new layer of the resulting image. This can be similarly seen as ADD contents/ / in a Dockerfile. By default it’s null.

  • runAsRoot is a bash script that will run as root in an environment that overlays the existing layers of the base image with the new resulting layer, including the previously copied contents derivation. This can be similarly seen as RUN ... in a Dockerfile.

NOTE: Using this parameter requires the kvm device to be available.

  • config is used to specify the configuration of the containers that will be started off the built image in Docker. The available options are listed in the Docker Image Specification v1.2.0.

  • diskSize is used to specify the disk size of the VM used to build the image in megabytes. By default it’s 1024 MiB.

  • buildVMMemorySize is used to specify the memory size of the VM to build the image in megabytes. By default it’s 512 MiB.

After the new layer has been created, its closure (to which contents, config and runAsRoot contribute) will be copied in the layer itself. Only new dependencies that are not already in the existing layers will be copied.

At the end of the process, only one new single layer will be produced and added to the resulting image.

The resulting repository will only list the single image image/tag. In the case of the buildImage example, it would be redis/latest.

It is possible to inspect the arguments with which an image was built using its buildArgs attribute.

NOTE: If you see errors similar to getProtocolByName: does not exist (no such protocol name: tcp) you may need to add pkgs.iana-etc to contents.

NOTE: If you see errors similar to Error_Protocol ("certificate has unknown CA",True,UnknownCa) you may need to add pkgs.cacert to contents.

By default buildImage will use a static date of one second past the UNIX Epoch. This allows buildImage to produce binary reproducible images. When listing images with docker images, the newly created images will be listed like this: 

$ docker images
REPOSITORY   TAG      IMAGE ID       CREATED        SIZE
hello        latest   08c791c7846e   48 years ago   25.2MB

You can break binary reproducibility but have a sorted, meaningful CREATED column by setting created to now. 

pkgs.dockerTools.buildImage {
  name = "hello";
  tag = "latest";
  created = "now";
  copyToRoot = pkgs.buildEnv {
    name = "image-root";
    paths = [ pkgs.hello ];
    pathsToLink = [ "/bin" ];
  };

  config.Cmd = [ "/bin/hello" ];
}

Now the Docker CLI will display a reasonable date and sort the images as expected: 

$ docker images
REPOSITORY   TAG      IMAGE ID       CREATED              SIZE
hello        latest   de2bf4786de6   About a minute ago   25.2MB

However, the produced images will not be binary reproducible.

15.2.2. buildLayeredImage

Create a Docker image with many of the store paths being on their own layer to improve sharing between images. The image is realized into the Nix store as a gzipped tarball. Depending on the intended usage, many users might prefer to use streamLayeredImage instead, which this function uses internally.

name

The name of the resulting image.

tag optional

Tag of the generated image.

Default: the output path’s hash

fromImage optional

The repository tarball containing the base image. It must be a valid Docker image, such as one exported by docker save.

Default: null, which can be seen as equivalent to FROM scratch of a Dockerfile.

contents optional

Top-level paths in the container. Either a single derivation, or a list of derivations.

Default: []

config optional

Run-time configuration of the container. A full list of the options are available at in the Docker Image Specification v1.2.0.

Default: {}

created optional

Date and time the layers were created. Follows the same now exception supported by buildImage.

Default: 1970-01-01T00:00:01Z

maxLayers optional

Maximum number of layers to create.

Default: 100

Maximum: 125

extraCommands optional

Shell commands to run while building the final layer, without access to most of the layer contents. Changes to this layer are on top of all the other layers, so can create additional directories and files.

fakeRootCommands optional

Shell commands to run while creating the archive for the final layer in a fakeroot environment. Unlike extraCommands, you can run chown to change the owners of the files in the archive, changing fakeroot’s state instead of the real filesystem. The latter would require privileges that the build user does not have. Static binaries do not interact with the fakeroot environment. By default all files in the archive will be owned by root.

enableFakechroot optional

Whether to run in fakeRootCommands in fakechroot, making programs behave as though / is the root of the image being created, while files in the Nix store are available as usual. This allows scripts that perform installation in / to work as expected. Considering that fakechroot is implemented via the same mechanism as fakeroot, the same caveats apply.

Default: false

15.2.2.1. Behavior of contents in the final image

Each path directly listed in contents will have a symlink in the root of the image.

For example: 

pkgs.dockerTools.buildLayeredImage {
  name = "hello";
  contents = [ pkgs.hello ];
}

will create symlinks for all the paths in the hello package: 

/bin/hello -> /nix/store/h1zb1padqbbb7jicsvkmrym3r6snphxg-hello-2.10/bin/hello
/share/info/hello.info -> /nix/store/h1zb1padqbbb7jicsvkmrym3r6snphxg-hello-2.10/share/info/hello.info
/share/locale/bg/LC_MESSAGES/hello.mo -> /nix/store/h1zb1padqbbb7jicsvkmrym3r6snphxg-hello-2.10/share/locale/bg/LC_MESSAGES/hello.mo

15.2.2.2. Automatic inclusion of config references

The closure of config is automatically included in the closure of the final image.

This allows you to make very simple Docker images with very little code. This container will start up and run hello: 

pkgs.dockerTools.buildLayeredImage {
  name = "hello";
  config.Cmd = [ "${pkgs.hello}/bin/hello" ];
}

15.2.2.3. Adjusting maxLayers

Increasing the maxLayers increases the number of layers which have a chance to be shared between different images.

Modern Docker installations support up to 128 layers, but older versions support as few as 42.

If the produced image will not be extended by other Docker builds, it is safe to set maxLayers to 128. However, it will be impossible to extend the image further.

The first (maxLayers-2) most popular paths will have their own individual layers, then layer #maxLayers-1 will contain all the remaining unpopular paths, and finally layer #maxLayers will contain the Image configuration.

Docker’s Layers are not inherently ordered, they are content-addressable and are not explicitly layered until they are composed in to an Image.

15.2.3. streamLayeredImage

Builds a script which, when run, will stream an uncompressed tarball of a Docker image to stdout. The arguments to this function are as for buildLayeredImage. This method of constructing an image does not realize the image into the Nix store, so it saves on IO and disk/cache space, particularly with large images.

The image produced by running the output script can be piped directly into docker load, to load it into the local docker daemon: 

$(nix-build) | docker load

Alternatively, the image be piped via gzip into skopeo, e.g., to copy it into a registry: 

$(nix-build) | gzip --fast | skopeo copy docker-archive:/dev/stdin docker://some_docker_registry/myimage:tag

15.2.4. pullImage

This function is analogous to the docker pull command, in that it can be used to pull a Docker image from a Docker registry. By default Docker Hub is used to pull images.

Its parameters are described in the example below: 

pullImage {
  imageName = "nixos/nix";
  imageDigest =
    "sha256:20d9485b25ecfd89204e843a962c1bd70e9cc6858d65d7f5fadc340246e2116b";
  finalImageName = "nix";
  finalImageTag = "1.11";
  sha256 = "0mqjy3zq2v6rrhizgb9nvhczl87lcfphq9601wcprdika2jz7qh8";
  os = "linux";
  arch = "x86_64";
}

  • imageName specifies the name of the image to be downloaded, which can also include the registry namespace (e.g. nixos). This argument is required.

  • imageDigest specifies the digest of the image to be downloaded. This argument is required.

  • finalImageName, if specified, this is the name of the image to be created. Note it is never used to fetch the image since we prefer to rely on the immutable digest ID. By default it’s equal to imageName.

  • finalImageTag, if specified, this is the tag of the image to be created. Note it is never used to fetch the image since we prefer to rely on the immutable digest ID. By default it’s latest.

  • sha256 is the checksum of the whole fetched image. This argument is required.

  • os, if specified, is the operating system of the fetched image. By default it’s linux.

  • arch, if specified, is the cpu architecture of the fetched image. By default it’s x86_64.

nix-prefetch-docker command can be used to get required image parameters: 

$ nix run nixpkgs.nix-prefetch-docker -c nix-prefetch-docker --image-name mysql --image-tag 5

Since a given imageName may transparently refer to a manifest list of images which support multiple architectures and/or operating systems, you can supply the --os and --arch arguments to specify exactly which image you want. By default it will match the OS and architecture of the host the command is run on. 

$ nix-prefetch-docker --image-name mysql --image-tag 5 --arch x86_64 --os linux

Desired image name and tag can be set using --final-image-name and --final-image-tag arguments: 

$ nix-prefetch-docker --image-name mysql --image-tag 5 --final-image-name eu.gcr.io/my-project/mysql --final-image-tag prod

15.2.5. exportImage

This function is analogous to the docker export command, in that it can be used to flatten a Docker image that contains multiple layers. It is in fact the result of the merge of all the layers of the image. As such, the result is suitable for being imported in Docker with docker import.

NOTE: Using this function requires the kvm device to be available.

The parameters of exportImage are the following: 

exportImage {
  fromImage = someLayeredImage;
  fromImageName = null;
  fromImageTag = null;

  name = someLayeredImage.name;
}

The parameters relative to the base image have the same synopsis as described in buildImage, except that fromImage is the only required argument in this case.

The name argument is the name of the derivation output, which defaults to fromImage.name.

15.2.6. Environment Helpers

Some packages expect certain files to be available globally. When building an image from scratch (i.e. without fromImage), these files are missing. pkgs.dockerTools provides some helpers to set up an environment with the necessary files. You can include them in copyToRoot like this: 

buildImage {
  name = "environment-example";
  copyToRoot = with pkgs.dockerTools; [
    usrBinEnv
    binSh
    caCertificates
    fakeNss
  ];
}

15.2.6.1. usrBinEnv

This provides the env utility at /usr/bin/env.

15.2.6.2. binSh

This provides bashInteractive at /bin/sh.

15.2.6.3. caCertificates

This sets up /etc/ssl/certs/ca-certificates.crt.

15.2.6.4. fakeNss

Provides /etc/passwd and /etc/group that contain root and nobody. Useful when packaging binaries that insist on using nss to look up username/groups (like nginx).

15.2.6.5. shadowSetup

This constant string is a helper for setting up the base files for managing users and groups, only if such files don’t exist already. It is suitable for being used in a buildImage runAsRoot script for cases like in the example below: 

buildImage {
  name = "shadow-basic";

  runAsRoot = ''
    #!${pkgs.runtimeShell}
    ${pkgs.dockerTools.shadowSetup}
    groupadd -r redis
    useradd -r -g redis redis
    mkdir /data
    chown redis:redis /data
  '';
}

Creating base files like /etc/passwd or /etc/login.defs is necessary for shadow-utils to manipulate users and groups.

15.2.7. fakeNss

If your primary goal is providing a basic skeleton for user lookups to work, and/or a lesser privileged user, adding pkgs.fakeNss to the container image root might be the better choice than a custom script running useradd and friends.

It provides a /etc/passwd and /etc/group, containing root and nobody users and groups.

It also provides a /etc/nsswitch.conf, configuring NSS host resolution to first check /etc/hosts, before checking DNS, as the default in the absence of a config file (dns [!UNAVAIL=return] files) is quite unexpected.

You can pair it with binSh, which provides bin/sh as a symlink to bashInteractive (as /bin/sh is configured as a shell). 

buildImage {
  name = "shadow-basic";

  copyToRoot = pkgs.buildEnv {
    name = "image-root";
    paths = [ binSh pkgs.fakeNss ];
    pathsToLink = [ "/bin" "/etc" "/var" ];
  };
}

15.3. pkgs.ociTools

pkgs.ociTools is a set of functions for creating containers according to the OCI container specification v1.0.0. Beyond that, it makes no assumptions about the container runner you choose to use to run the created container.

15.3.1. buildContainer

This function creates a simple OCI container that runs a single command inside of it. An OCI container consists of a config.json and a rootfs directory. The nix store of the container will contain all referenced dependencies of the given command.

The parameters of buildContainer with an example value are described below: 

buildContainer {
  args = [
    (with pkgs;
      writeScript "run.sh" ''
        #!${bash}/bin/bash
        exec ${bash}/bin/bash
      '').outPath
  ];

  mounts = {
    "/data" = {
      type = "none";
      source = "/var/lib/mydata";
      options = [ "bind" ];
    };
  };

  readonly = false;
}

  • args specifies a set of arguments to run inside the container. This is the only required argument for buildContainer. All referenced packages inside the derivation will be made available inside the container.

  • mounts specifies additional mount points chosen by the user. By default only a minimal set of necessary filesystems are mounted into the container (e.g procfs, cgroupfs)

  • readonly makes the container's rootfs read-only if it is set to true. The default value is false false.

15.4. pkgs.snapTools

pkgs.snapTools is a set of functions for creating Snapcraft images. Snap and Snapcraft is not used to perform these operations.

15.4.1. The makeSnap Function

makeSnap takes a single named argument, meta. This argument mirrors the upstream snap.yaml format exactly.

The base should not be specified, as makeSnap will force set it.

Currently, makeSnap does not support creating GUI stubs.

15.4.2. Build a Hello World Snap

The following expression packages GNU Hello as a Snapcraft snap. 

let
  inherit (import <nixpkgs> { }) snapTools hello;
in snapTools.makeSnap {
  meta = {
    name = "hello";
    summary = hello.meta.description;
    description = hello.meta.longDescription;
    architectures = [ "amd64" ];
    confinement = "strict";
    apps.hello.command = "${hello}/bin/hello";
  };
}

nix-build this expression and install it with snap install ./result --dangerous. hello will now be the Snapcraft version of the package.

15.4.3. Build a Graphical Snap

Graphical programs require many more integrations with the host. This example uses Firefox as an example because it is one of the most complicated programs we could package. 

let
  inherit (import <nixpkgs> { }) snapTools firefox;
in snapTools.makeSnap {
  meta = {
    name = "nix-example-firefox";
    summary = firefox.meta.description;
    architectures = [ "amd64" ];
    apps.nix-example-firefox = {
      command = "${firefox}/bin/firefox";
      plugs = [
        "pulseaudio"
        "camera"
        "browser-support"
        "avahi-observe"
        "cups-control"
        "desktop"
        "desktop-legacy"
        "gsettings"
        "home"
        "network"
        "mount-observe"
        "removable-media"
        "x11"
      ];
    };
    confinement = "strict";
  };
}

nix-build this expression and install it with snap install ./result --dangerous. nix-example-firefox will now be the Snapcraft version of the Firefox package.

The specific meaning behind plugs can be looked up in the Snapcraft interface documentation.

15.5. pkgs.portableService

pkgs.portableService is a function to create portable service images, as read-only, immutable, squashfs archives.

systemd supports a concept of Portable Services. Portable Services are a delivery method for system services that uses two specific features of container management:

  • Applications are bundled. I.e. multiple services, their binaries and all their dependencies are packaged in an image, and are run directly from it.

  • Stricter default security policies, i.e. sandboxing of applications.

This allows using Nix to build images which can be run on many recent Linux distributions.

The primary tool for interacting with Portable Services is portablectl, and they are managed by the systemd-portabled system service.

A very simple example of using portableService is described below: 

pkgs.portableService {
  pname = "demo";
  version = "1.0";
  units = [ demo-service demo-socket ];
}

The above example will build an squashfs archive image in result/$pname_$version.raw. The image will contain the file system structure as required by the portable service specification, and a subset of the Nix store with all the dependencies of the two derivations in the units list. units must be a list of derivations, and their names must be prefixed with the service name ("demo" in this case). Otherwise systemd-portabled will ignore them.

Some other options available are:

  • description, homepage

    Are added to the /etc/os-release in the image and are shown by the portable services tooling. Default to empty values, not added to os-release.

  • symlinks

    A list of attribute sets {object, symlink}. Symlinks will be created in the root filesystem of the image to objects in the Nix store. Defaults to an empty list.

  • contents

    A list of additional derivations to be included in the image Nix store, as-is. Defaults to an empty list.

  • squashfsTools

    Defaults to pkgs.squashfsTools, allows you to override the package that provides mksquashfs.

  • squash-compression, squash-block-size

    Options to mksquashfs. Default to "xz -Xdict-size 100%" and "1M" respectively.

A typical usage of symlinks would be: 

  symlinks = [
    { object = "${pkgs.cacert}/etc/ssl"; symlink = "/etc/ssl"; }
    { object = "${pkgs.bash}/bin/bash"; symlink = "/bin/sh"; }
    { object = "${pkgs.php}/bin/php"; symlink = "/usr/bin/php"; }
  ];

to create these symlinks for legacy applications that assume them existing globally.

Once the image is created, and deployed on a host in /var/lib/portables/, you can attach the image and run the service. As root run: 

portablectl attach demo_1.0.raw
systemctl enable --now demo.socket
systemctl enable --now demo.service

Chapter 16. Hooks reference

Table of Contents

16.1. Autoconf
16.2. Automake
16.3. autoPatchelfHook
16.4. breakpointHook
16.5. cmake
16.6. gdk-pixbuf
16.7. GHC
16.8. GNOME platform
16.9. installShellFiles
16.10. libiconv, libintl
16.11. libxml2
16.12. Meson
16.13. ninja
16.14. patchRcPath hooks
16.15. Perl
16.16. pkg-config
16.17. postgresqlTestHook
16.18. Python
16.19. Qt 4
16.20. scons
16.21. teTeX / TeX Live
16.22. unzip
16.23. validatePkgConfig
16.24. wafHook
16.25. xcbuildHook

Nixpkgs has several hook packages that augment the stdenv phases.

The stdenv built-in hooks are documented in Section 6.7, “Package setup hooks”.

16.1. Autoconf

The autoreconfHook derivation adds autoreconfPhase, which runs autoreconf, libtoolize and automake, essentially preparing the configure script in autotools-based builds. Most autotools-based packages come with the configure script pre-generated, but this hook is necessary for a few packages and when you need to patch the package’s configure scripts.

16.2. Automake

Adds the share/aclocal subdirectory of each build input to the ACLOCAL_PATH environment variable.

16.3. autoPatchelfHook

This is a special setup hook which helps in packaging proprietary software in that it automatically tries to find missing shared library dependencies of ELF files based on the given buildInputs and nativeBuildInputs.

You can also specify a runtimeDependencies variable which lists dependencies to be unconditionally added to rpath of all executables. This is useful for programs that use dlopen 3 to load libraries at runtime.

In certain situations you may want to run the main command (autoPatchelf) of the setup hook on a file or a set of directories instead of unconditionally patching all outputs. This can be done by setting the dontAutoPatchelf environment variable to a non-empty value.

By default autoPatchelf will fail as soon as any ELF file requires a dependency which cannot be resolved via the given build inputs. In some situations you might prefer to just leave missing dependencies unpatched and continue to patch the rest. This can be achieved by setting the autoPatchelfIgnoreMissingDeps environment variable to a non-empty value. autoPatchelfIgnoreMissingDeps can be set to a list like autoPatchelfIgnoreMissingDeps = [ "libcuda.so.1" "libcudart.so.1" ]; or to simply [ "*" ] to ignore all missing dependencies.

The autoPatchelf command also recognizes a --no-recurse command line flag, which prevents it from recursing into subdirectories.

16.4. breakpointHook

This hook will make a build pause instead of stopping when a failure happens. It prevents nix from cleaning up the build environment immediately and allows the user to attach to a build environment using the cntr command. Upon build error it will print instructions on how to use cntr, which can be used to enter the environment for debugging. Installing cntr and running the command will provide shell access to the build sandbox of failed build. At /var/lib/cntr the sandboxed filesystem is mounted. All commands and files of the system are still accessible within the shell. To execute commands from the sandbox use the cntr exec subcommand. cntr is only supported on Linux-based platforms. To use it first add cntr to your environment.systemPackages on NixOS or alternatively to the root user on non-NixOS systems. Then in the package that is supposed to be inspected, add breakpointHook to nativeBuildInputs. 

nativeBuildInputs = [ breakpointHook ];

When a build failure happens there will be an instruction printed that shows how to attach with cntr to the build sandbox.

16.5. cmake

Overrides the default configure phase to run the CMake command. By default, we use the Make generator of CMake. In addition, dependencies are added automatically to CMAKE_PREFIX_PATH so that packages are correctly detected by CMake. Some additional flags are passed in to give similar behavior to configure-based packages. You can disable this hook’s behavior by setting configurePhase to a custom value, or by setting dontUseCmakeConfigure. cmakeFlags controls flags passed only to CMake. By default, parallel building is enabled as CMake supports parallel building almost everywhere. When Ninja is also in use, CMake will detect that and use the ninja generator.

16.6. gdk-pixbuf

Exports GDK_PIXBUF_MODULE_FILE environment variable to the builder. Add librsvg package to buildInputs to get svg support. See also the setup hook description in GNOME platform docs.

16.7. GHC

Creates a temporary package database and registers every Haskell build input in it (TODO: how?).

16.8. GNOME platform

Hooks related to GNOME platform and related libraries like GLib, GTK and GStreamer are described in Section 17.12, “GNOME”.

16.9. installShellFiles

This hook helps with installing manpages and shell completion files. It exposes 2 shell functions installManPage and installShellCompletion that can be used from your postInstall hook.

The installManPage function takes one or more paths to manpages to install. The manpages must have a section suffix, and may optionally be compressed (with .gz suffix). This function will place them into the correct directory.

The installShellCompletion function takes one or more paths to shell completion files. By default it will autodetect the shell type from the completion file extension, but you may also specify it by passing one of --bash, --fish, or --zsh. These flags apply to all paths listed after them (up until another shell flag is given). Each path may also have a custom installation name provided by providing a flag --name NAME before the path. If this flag is not provided, zsh completions will be renamed automatically such that foobar.zsh becomes _foobar. A root name may be provided for all paths using the flag --cmd NAME; this synthesizes the appropriate name depending on the shell (e.g. --cmd foo will synthesize the name foo.bash for bash and _foo for zsh). The path may also be a fifo or named fd (such as produced by <(cmd)), in which case the shell and name must be provided. 

nativeBuildInputs = [ installShellFiles ];
postInstall = ''
  installManPage doc/foobar.1 doc/barfoo.3
  # explicit behavior
  installShellCompletion --bash --name foobar.bash share/completions.bash
  installShellCompletion --fish --name foobar.fish share/completions.fish
  installShellCompletion --zsh --name _foobar share/completions.zsh
  # implicit behavior
  installShellCompletion share/completions/foobar.{bash,fish,zsh}
  # using named fd
  installShellCompletion --cmd foobar \
    --bash <($out/bin/foobar --bash-completion) \
    --fish <($out/bin/foobar --fish-completion) \
    --zsh <($out/bin/foobar --zsh-completion)
'';

16.10. libiconv, libintl

A few libraries automatically add to NIX_LDFLAGS their library, making their symbols automatically available to the linker. This includes libiconv and libintl (gettext). This is done to provide compatibility between GNU Linux, where libiconv and libintl are bundled in, and other systems where that might not be the case. Sometimes, this behavior is not desired. To disable this behavior, set dontAddExtraLibs.

16.11. libxml2

Adds every file named catalog.xml found under the xml/dtd and xml/xsl subdirectories of each build input to the XML_CATALOG_FILES environment variable.

16.12. Meson

Overrides the configure phase to run meson to generate Ninja files. To run these files, you should accompany Meson with ninja. By default, enableParallelBuilding is enabled as Meson supports parallel building almost everywhere.

16.12.1. Variables controlling Meson

16.12.1.1. mesonFlags

Controls the flags passed to meson.

16.12.1.2. mesonBuildType

Which --buildtype to pass to Meson. We default to plain.

16.12.1.3. mesonAutoFeatures

What value to set -Dauto_features= to. We default to enabled.

16.12.1.4. mesonWrapMode

What value to set -Dwrap_mode= to. We default to nodownload as we disallow network access.

16.12.1.5. dontUseMesonConfigure

Disables using Meson’s configurePhase.

16.13. ninja

Overrides the build, install, and check phase to run ninja instead of make. You can disable this behavior with the dontUseNinjaBuild, dontUseNinjaInstall, and dontUseNinjaCheck, respectively. Parallel building is enabled by default in Ninja.

16.14. patchRcPath hooks

These hooks provide shell-specific utilities (with the same name as the hook) to patch shell scripts meant to be sourced by software users.

The typical usage is to patch initialisation or rc scripts inside $out/bin or $out/etc. Such scripts, when being sourced, would insert the binary locations of certain commands into PATH, modify other environment variables or run a series of start-up commands. When shipped from the upstream, they sometimes use commands that might not be available in the environment they are getting sourced in.

The compatible shells for each hook are:

  • patchRcPathBash: Bash, ksh, zsh and other shells supporting the Bash-like parameter expansions.

  • patchRcPathCsh: Csh scripts, such as those targeting tcsh.

  • patchRcPathFish: Fish scripts.

  • patchRcPathPosix: POSIX-conformant shells supporting the limited parameter expansions specified by the POSIX standard. Current implementation uses the parameter expansion ${foo-} only.

For each supported shell, it modifies the script with a PATH prefix that is later removed when the script ends. It allows nested patching, which guarantees that a patched script may source another patched script.

Syntax to apply the utility to a script: 

patchRcPath<shell> <file> <PATH-prefix>

Example usage:

Given a package foo containing an init script this-foo.fish that depends on coreutils, man and which, patch the init script for users to source without having the above dependencies in their PATH: 

{ lib, stdenv, patchRcPathFish}:
stdenv.mkDerivation {

  # ...

  nativeBuildInputs = [
    patchRcPathFish
  ];

  postFixup = ''
    patchRcPathFish $out/bin/this-foo.fish ${lib.makeBinPath [ coreutils man which ]}
  '';
}

16.15. Perl

Adds the lib/site_perl subdirectory of each build input to the PERL5LIB environment variable. For instance, if buildInputs contains Perl, then the lib/site_perl subdirectory of each input is added to the PERL5LIB environment variable.

16.16. pkg-config

Adds the lib/pkgconfig and share/pkgconfig subdirectories of each build input to the PKG_CONFIG_PATH environment variable.

16.17. postgresqlTestHook

This hook starts a PostgreSQL server during the checkPhase. Example: 

{ stdenv, postgresql, postgresqlTestHook }:
stdenv.mkDerivation {

  # ...

  checkInputs = [
    postgresql
    postgresqlTestHook
  ];
}

If you use a custom checkPhase, remember to add the runHook calls: 

  checkPhase ''
    runHook preCheck

    # ... your tests

    runHook postCheck
  ''

16.17.1. Variables

The hook logic will read a number of variables and set them to a default value if unset or empty.

Exported variables:

  • PGDATA: location of server files.

  • PGHOST: location of UNIX domain socket directory; the default host in a connection string.

  • PGUSER: user to create / log in with, default: test_user.

  • PGDATABASE: database name, default: test_db.

Bash-only variables:

  • postgresqlTestUserOptions: SQL options to use when creating the $PGUSER role, default: "LOGIN". Example: "LOGIN SUPERUSER"

  • postgresqlTestSetupSQL: SQL commands to run as database administrator after startup, default: statements that create $PGUSER and $PGDATABASE.

  • postgresqlTestSetupCommands: bash commands to run after database start, defaults to running $postgresqlTestSetupSQL as database administrator.

  • postgresqlEnableTCP: set to 1 to enable TCP listening. Flaky; not recommended.

  • postgresqlStartCommands: defaults to pg_ctl start.

16.17.2. TCP and the Nix sandbox

postgresqlEnableTCP relies on network sandboxing, which is not available on macOS and some custom Nix installations, resulting in flaky tests. For this reason, it is disabled by default.

The preferred solution is to make the test suite use a UNIX domain socket connection. This is the default behavior when no host connection parameter is provided. Some test suites hardcode a value for host though, so a patch may be required. If you can upstream the patch, you can make host default to the PGHOST environment variable when set. Otherwise, you can patch it locally to omit the host connection string parameter altogether.

16.18. Python

Adds the lib/${python.libPrefix}/site-packages subdirectory of each build input to the PYTHONPATH environment variable.

16.19. Qt 4

Sets the QTDIR environment variable to Qt’s path.

16.20. scons

Overrides the build, install, and check phases. This uses the scons build system as a replacement for make. scons does not provide a configure phase, so everything is managed at build and install time.

16.21. teTeX / TeX Live

Adds the share/texmf-nix subdirectory of each build input to the TEXINPUTS environment variable.

16.22. unzip

This setup hook will allow you to unzip .zip files specified in $src. There are many similar packages like unrar, undmg, etc.

16.23. validatePkgConfig

The validatePkgConfig hook validates all pkg-config (.pc) files in a package. This helps catching some common errors in pkg-config files, such as undefined variables.

16.24. wafHook

Overrides the configure, build, and install phases. This will run the “waf” script used by many projects. If wafPath (default ./waf) doesn’t exist, it will copy the version of waf available in Nixpkgs. wafFlags can be used to pass flags to the waf script.

16.25. xcbuildHook

Overrides the build and install phases to run the xcbuild command. This hook is needed when a project only comes with build files for the XCode build system. You can disable this behavior by setting buildPhase and configurePhase to a custom value. xcbuildFlags controls flags passed only to xcbuild.

Chapter 17. Languages and frameworks

Table of Contents

17.1. Agda
17.2. Android
17.3. BEAM Languages (Erlang, Elixir & LFE)
17.4. Bower
17.5. CHICKEN
17.6. Coq and coq packages
17.7. Crystal
17.8. CUDA
17.9. Dhall
17.10. Dotnet
17.11. Emscripten
17.12. GNOME
17.13. Go
17.14. Haskell
17.15. Hy
17.16. Idris
17.17. iOS
17.18. Java
17.19. Javascript
17.20. User’s Guide to Lua Infrastructure
17.21. Maven
17.22. Nim
17.23. OCaml
17.24. Octave
17.25. Perl
17.26. PHP
17.27. Python
17.28. Qt
17.29. R
17.30. Ruby
17.31. Rust
17.32. TeX Live
17.33. Titanium
17.34. Vim

The standard build environment makes it easy to build typical Autotools-based packages with very little code. Any other kind of package can be accomodated by overriding the appropriate phases of stdenv. However, there are specialised functions in Nixpkgs to easily build packages for other programming languages, such as Perl or Haskell. These are described in this chapter.

17.1. Agda

17.1.1. How to use Agda

Agda is available as the agda package.

The agda package installs an Agda-wrapper, which calls agda with --library-file set to a generated library-file within the nix store, this means your library-file in $HOME/.agda/libraries will be ignored. By default the agda package installs Agda with no libraries, i.e. the generated library-file is empty. To use Agda with libraries, the agda.withPackages function can be used. This function either takes:

  • A list of packages,

  • or a function which returns a list of packages when given the agdaPackages attribute set,

  • or an attribute set containing a list of packages and a GHC derivation for compilation (see below).

  • or an attribute set containing a function which returns a list of packages when given the agdaPackages attribute set and a GHC derivation for compilation (see below).

For example, suppose we wanted a version of Agda which has access to the standard library. This can be obtained with the expressions: 

agda.withPackages [ agdaPackages.standard-library ]

or 

agda.withPackages (p: [ p.standard-library ])

or can be called as in the Compiling Agda section.

If you want to use a different version of a library (for instance a development version) override the src attribute of the package to point to your local repository 

agda.withPackages (p: [
  (p.standard-library.overrideAttrs (oldAttrs: {
    version = "local version";
    src = /path/to/local/repo/agda-stdlib;
  }))
])

You can also reference a GitHub repository 

agda.withPackages (p: [
  (p.standard-library.overrideAttrs (oldAttrs: {
    version = "1.5";
    src =  fetchFromGitHub {
      repo = "agda-stdlib";
      owner = "agda";
      rev = "v1.5";
      sha256 = "16fcb7ssj6kj687a042afaa2gq48rc8abihpm14k684ncihb2k4w";
    };
  }))
])

If you want to use a library not added to Nixpkgs, you can add a dependency to a local library by calling agdaPackages.mkDerivation. 

agda.withPackages (p: [
  (p.mkDerivation {
    pname = "your-agda-lib";
    version = "1.0.0";
    src = /path/to/your-agda-lib;
  })
])

Again you can reference GitHub 

agda.withPackages (p: [
  (p.mkDerivation {
    pname = "your-agda-lib";
    version = "1.0.0";
    src = fetchFromGitHub {
      repo = "repo";
      owner = "owner";
      version = "...";
      rev = "...";
      sha256 = "...";
    };
  })
])

See Building Agda Packages for more information on mkDerivation.

Agda will not by default use these libraries. To tell Agda to use a library we have some options:

  • Call agda with the library flag: 

    $ agda -l standard-library -i . MyFile.agda

  • Write a my-library.agda-lib file for the project you are working on which may look like: 

    name: my-library
include: .
depend: standard-library

  • Create the file ~/.agda/defaults and add any libraries you want to use by default.

More information can be found in the official Agda documentation on library management.

17.1.2. Compiling Agda

Agda modules can be compiled using the GHC backend with the --compile flag. A version of ghc with ieee754 is made available to the Agda program via the --with-compiler flag. This can be overridden by a different version of ghc as follows: 

agda.withPackages {
  pkgs = [ ... ];
  ghc = haskell.compiler.ghcHEAD;
}

17.1.3. Writing Agda packages

To write a nix derivation for an Agda library, first check that the library has a *.agda-lib file.

A derivation can then be written using agdaPackages.mkDerivation. This has similar arguments to stdenv.mkDerivation with the following additions:

  • everythingFile can be used to specify the location of the Everything.agda file, defaulting to ./Everything.agda. If this file does not exist then either it should be patched in or the buildPhase should be overridden (see below).

  • libraryName should be the name that appears in the *.agda-lib file, defaulting to pname.

  • libraryFile should be the file name of the *.agda-lib file, defaulting to ${libraryName}.agda-lib.

Here is an example default.nix 

{ nixpkgs ?  <nixpkgs> }:
with (import nixpkgs {});
agdaPackages.mkDerivation {
  version = "1.0";
  pname = "my-agda-lib";
  src = ./.;
  buildInputs = [
    agdaPackages.standard-library
  ];
}

17.1.3.1. Building Agda packages

The default build phase for agdaPackages.mkDerivation simply runs agda on the Everything.agda file. If something else is needed to build the package (e.g. make) then the buildPhase should be overridden. Additionally, a preBuild or configurePhase can be used if there are steps that need to be done prior to checking the Everything.agda file. agda and the Agda libraries contained in buildInputs are made available during the build phase.

17.1.3.2. Installing Agda packages

The default install phase copies Agda source files, Agda interface files (*.agdai) and *.agda-lib files to the output directory. This can be overridden.

By default, Agda sources are files ending on .agda, or literate Agda files ending on .lagda, .lagda.tex, .lagda.org, .lagda.md, .lagda.rst. The list of recognised Agda source extensions can be extended by setting the extraExtensions config variable.

17.1.4. Maintaining the Agda package set on Nixpkgs

We are aiming at providing all common Agda libraries as packages on nixpkgs, and keeping them up to date. Contributions and maintenance help is always appreciated, but the maintenance effort is typically low since the Agda ecosystem is quite small.

The nixpkgs Agda package set tries to take up a role similar to that of Stackage in the Haskell world. It is a curated set of libraries that:

  1. Always work together.

  2. Are as up-to-date as possible.

While the Haskell ecosystem is huge, and Stackage is highly automatised, the Agda package set is small and can (still) be maintained by hand.

17.1.4.1. Adding Agda packages to Nixpkgs

To add an Agda package to nixpkgs, the derivation should be written to pkgs/development/libraries/agda/${library-name}/ and an entry should be added to pkgs/top-level/agda-packages.nix. Here it is called in a scope with access to all other Agda libraries, so the top line of the default.nix can look like: 

{ mkDerivation, standard-library, fetchFromGitHub }:

Note that the derivation function is called with mkDerivation set to agdaPackages.mkDerivation, therefore you could use a similar set as in your default.nix from Writing Agda Packages with agdaPackages.mkDerivation replaced with mkDerivation.

Here is an example skeleton derivation for iowa-stdlib: 

mkDerivation {
  version = "1.5.0";
  pname = "iowa-stdlib";

  src = ...

  libraryFile = "";
  libraryName = "IAL-1.3";

  buildPhase = ''
    patchShebangs find-deps.sh
    make
  '';
}

This library has a file called .agda-lib, and so we give an empty string to libraryFile as nothing precedes .agda-lib in the filename. This file contains name: IAL-1.3, and so we let libraryName = "IAL-1.3". This library does not use an Everything.agda file and instead has a Makefile, so there is no need to set everythingFile and we set a custom buildPhase.

When writing an Agda package it is essential to make sure that no .agda-lib file gets added to the store as a single file (for example by using writeText). This causes Agda to think that the nix store is a Agda library and it will attempt to write to it whenever it typechecks something. See https://github.com/agda/agda/issues/4613.

In the pull request adding this library, you can test whether it builds correctly by writing in a comment: 

@ofborg build agdaPackages.iowa-stdlib

17.1.4.2. Maintaining Agda packages

As mentioned before, the aim is to have a compatible, and up-to-date package set. These two conditions sometimes exclude each other: For example, if we update agdaPackages.standard-library because there was an upstream release, this will typically break many reverse dependencies, i.e. downstream Agda libraries that depend on the standard library. In nixpkgs we are typically among the first to notice this, since we have build tests in place to check this.

In a pull request updating e.g. the standard library, you should write the following comment: 

@ofborg build agdaPackages.standard-library.passthru.tests

This will build all reverse dependencies of the standard library, for example agdaPackages.agda-categories, or agdaPackages.generic.

In some cases it is useful to build all Agda packages. This can be done with the following Github comment: 

@ofborg build agda.passthru.tests.allPackages

Sometimes, the builds of the reverse dependencies fail because they have not yet been updated and released. You should drop the maintainers a quick issue notifying them of the breakage, citing the build error (which you can get from the ofborg logs). If you are motivated, you might even send a pull request that fixes it. Usually, the maintainers will answer within a week or two with a new release. Bumping the version of that reverse dependency should be a further commit on your PR.

In the rare case that a new release is not to be expected within an acceptable time, simply mark the broken package as broken by setting meta.broken = true;. This will exclude it from the build test. It can be added later when it is fixed, and does not hinder the advancement of the whole package set in the meantime.

17.2. Android

The Android build environment provides three major features and a number of supporting features.

17.2.1. Deploying an Android SDK installation with plugins

The first use case is deploying the SDK with a desired set of plugins or subsets of an SDK. 

with import <nixpkgs> {};

let
  androidComposition = androidenv.composeAndroidPackages {
    toolsVersion = "26.1.1";
    platformToolsVersion = "30.0.5";
    buildToolsVersions = [ "30.0.3" ];
    includeEmulator = false;
    emulatorVersion = "30.3.4";
    platformVersions = [ "28" "29" "30" ];
    includeSources = false;
    includeSystemImages = false;
    systemImageTypes = [ "google_apis_playstore" ];
    abiVersions = [ "armeabi-v7a" "arm64-v8a" ];
    cmakeVersions = [ "3.10.2" ];
    includeNDK = true;
    ndkVersions = ["22.0.7026061"];
    useGoogleAPIs = false;
    useGoogleTVAddOns = false;
    includeExtras = [
      "extras;google;gcm"
    ];
  };
in
androidComposition.androidsdk

The above function invocation states that we want an Android SDK with the above specified plugin versions. By default, most plugins are disabled. Notable exceptions are the tools, platform-tools and build-tools sub packages.

The following parameters are supported:

  • toolsVersion, specifies the version of the tools package to use

  • platformsToolsVersion specifies the version of the platform-tools plugin

  • buildToolsVersions specifies the versions of the build-tools plugins to use.

  • includeEmulator specifies whether to deploy the emulator package (false by default). When enabled, the version of the emulator to deploy can be specified by setting the emulatorVersion parameter.

  • cmakeVersions specifies which CMake versions should be deployed.

  • includeNDK specifies that the Android NDK bundle should be included. Defaults to: false.

  • ndkVersions specifies the NDK versions that we want to use. These are linked under the ndk directory of the SDK root, and the first is linked under the ndk-bundle directory.

  • ndkVersion is equivalent to specifying one entry in ndkVersions, and ndkVersions overrides this parameter if provided.

  • includeExtras is an array of identifier strings referring to arbitrary add-on packages that should be installed.

  • platformVersions specifies which platform SDK versions should be included.

For each platform version that has been specified, we can apply the following options:

  • includeSystemImages specifies whether a system image for each platform SDK should be included.

  • includeSources specifies whether the sources for each SDK version should be included.

  • useGoogleAPIs specifies that for each selected platform version the Google API should be included.

  • useGoogleTVAddOns specifies that for each selected platform version the Google TV add-on should be included.

For each requested system image we can specify the following options:

  • systemImageTypes specifies what kind of system images should be included. Defaults to: default.

  • abiVersions specifies what kind of ABI version of each system image should be included. Defaults to: armeabi-v7a.

Most of the function arguments have reasonable default settings.

You can specify license names:

  • extraLicenses is a list of license names. You can get these names from repo.json or querypackages.sh licenses. The SDK license (android-sdk-license) is accepted for you if you set accept_license to true. If you are doing something like working with preview SDKs, you will want to add android-sdk-preview-license or whichever license applies here.

Additionally, you can override the repositories that composeAndroidPackages will pull from:

  • repoJson specifies a path to a generated repo.json file. You can generate this by running generate.sh, which in turn will call into mkrepo.rb.

  • repoXmls is an attribute set containing paths to repo XML files. If specified, it takes priority over repoJson, and will trigger a local build writing out a repo.json to the Nix store based on the given repository XMLs. 

repoXmls = {
  packages = [ ./xml/repository2-1.xml ];
  images = [
    ./xml/android-sys-img2-1.xml
    ./xml/android-tv-sys-img2-1.xml
    ./xml/android-wear-sys-img2-1.xml
    ./xml/android-wear-cn-sys-img2-1.xml
    ./xml/google_apis-sys-img2-1.xml
    ./xml/google_apis_playstore-sys-img2-1.xml
  ];
  addons = [ ./xml/addon2-1.xml ];
};

When building the above expression with: 

$ nix-build

The Android SDK gets deployed with all desired plugin versions.

We can also deploy subsets of the Android SDK. For example, to only the platform-tools package, you can evaluate the following expression: 

with import <nixpkgs> {};

let
  androidComposition = androidenv.composeAndroidPackages {
    # ...
  };
in
androidComposition.platform-tools

17.2.2. Using predefined Android package compositions

In addition to composing an Android package set manually, it is also possible to use a predefined composition that contains all basic packages for a specific Android version, such as version 9.0 (API-level 28).

The following Nix expression can be used to deploy the entire SDK with all basic plugins: 

with import <nixpkgs> {};

androidenv.androidPkgs_9_0.androidsdk

It is also possible to use one plugin only: 

with import <nixpkgs> {};

androidenv.androidPkgs_9_0.platform-tools

17.2.3. Building an Android application

In addition to the SDK, it is also possible to build an Ant-based Android project and automatically deploy all the Android plugins that a project requires. 

with import <nixpkgs> {};

androidenv.buildApp {
  name = "MyAndroidApp";
  src = ./myappsources;
  release = true;

  # If release is set to true, you need to specify the following parameters
  keyStore = ./keystore;
  keyAlias = "myfirstapp";
  keyStorePassword = "mykeystore";
  keyAliasPassword = "myfirstapp";

  # Any Android SDK parameters that install all the relevant plugins that a
  # build requires
  platformVersions = [ "24" ];

  # When we include the NDK, then ndk-build is invoked before Ant gets invoked
  includeNDK = true;
}

Aside from the app-specific build parameters (name, src, release and keystore parameters), the buildApp {} function supports all the function parameters that the SDK composition function (the function shown in the previous section) supports.

This build function is particularly useful when it is desired to use Hydra: the Nix-based continuous integration solution to build Android apps. An Android APK gets exposed as a build product and can be installed on any Android device with a web browser by navigating to the build result page.

17.2.4. Spawning emulator instances

For testing purposes, it can also be quite convenient to automatically generate scripts that spawn emulator instances with all desired configuration settings.

An emulator spawn script can be configured by invoking the emulateApp {} function: 

with import <nixpkgs> {};

androidenv.emulateApp {
  name = "emulate-MyAndroidApp";
  platformVersion = "28";
  abiVersion = "x86"; # armeabi-v7a, mips, x86_64
  systemImageType = "google_apis_playstore";
}

Additional flags may be applied to the Android SDK’s emulator through the runtime environment variable $NIX_ANDROID_EMULATOR_FLAGS.

It is also possible to specify an APK to deploy inside the emulator and the package and activity names to launch it: 

with import <nixpkgs> {};

androidenv.emulateApp {
  name = "emulate-MyAndroidApp";
  platformVersion = "24";
  abiVersion = "armeabi-v7a"; # mips, x86, x86_64
  systemImageType = "default";
  app = ./MyApp.apk;
  package = "MyApp";
  activity = "MainActivity";
}

In addition to prebuilt APKs, you can also bind the APK parameter to a buildApp {} function invocation shown in the previous example.

17.2.5. Notes on environment variables in Android projects

  • ANDROID_SDK_ROOT should point to the Android SDK. In your Nix expressions, this should be ${androidComposition.androidsdk}/libexec/android-sdk. Note that ANDROID_HOME is deprecated, but if you rely on tools that need it, you can export it too.

  • ANDROID_NDK_ROOT should point to the Android NDK, if you’re doing NDK development. In your Nix expressions, this should be ${ANDROID_SDK_ROOT}/ndk-bundle.

If you are running the Android Gradle plugin, you need to export GRADLE_OPTS to override aapt2 to point to the aapt2 binary in the Nix store as well, or use a FHS environment so the packaged aapt2 can run. If you don’t want to use a FHS environment, something like this should work: 

let
  buildToolsVersion = "30.0.3";

  # Use buildToolsVersion when you define androidComposition
  androidComposition = <...>;
in
pkgs.mkShell rec {
  ANDROID_SDK_ROOT = "${androidComposition.androidsdk}/libexec/android-sdk";
  ANDROID_NDK_ROOT = "${ANDROID_SDK_ROOT}/ndk-bundle";

  # Use the same buildToolsVersion here
  GRADLE_OPTS = "-Dorg.gradle.project.android.aapt2FromMavenOverride=${ANDROID_SDK_ROOT}/build-tools/${buildToolsVersion}/aapt2";
}

If you are using cmake, you need to add it to PATH in a shell hook or FHS env profile. The path is suffixed with a build number, but properly prefixed with the version. So, something like this should suffice: 

let
  cmakeVersion = "3.10.2";

  # Use cmakeVersion when you define androidComposition
  androidComposition = <...>;
in
pkgs.mkShell rec {
  ANDROID_SDK_ROOT = "${androidComposition.androidsdk}/libexec/android-sdk";
  ANDROID_NDK_ROOT = "${ANDROID_SDK_ROOT}/ndk-bundle";

  # Use the same cmakeVersion here
  shellHook = ''
    export PATH="$(echo "$ANDROID_SDK_ROOT/cmake/${cmakeVersion}".*/bin):$PATH"
  '';
}

Note that running Android Studio with ANDROID_SDK_ROOT set will automatically write a local.properties file with sdk.dir set to $ANDROID_SDK_ROOT if one does not already exist. If you are using the NDK as well, you may have to add ndk.dir to this file.

An example shell.nix that does all this for you is provided in examples/shell.nix. This shell.nix includes a shell hook that overwrites local.properties with the correct sdk.dir and ndk.dir values. This will ensure that the SDK and NDK directories will both be correct when you run Android Studio inside nix-shell.

17.2.6. Notes on improving build.gradle compatibility

Ensure that your buildToolsVersion and ndkVersion match what is declared in androidenv. If you are using cmake, make sure its declared version is correct too.

Otherwise, you may get cryptic errors from aapt2 and the Android Gradle plugin warning that it cannot install the build tools because the SDK directory is not writeable. 

android {
    buildToolsVersion "30.0.3"
    ndkVersion = "22.0.7026061"
    externalNativeBuild {
        cmake {
            version "3.10.2"
        }
    }
}

17.2.7. Querying the available versions of each plugin

repo.json provides all the options in one file now.

A shell script in the pkgs/development/mobile/androidenv/ subdirectory can be used to retrieve all possible options: 

./querypackages.sh packages

The above command-line instruction queries all package versions in repo.json.

17.2.8. Updating the generated expressions

repo.json is generated from XML files that the Android Studio package manager uses. To update the expressions run the generate.sh script that is stored in the pkgs/development/mobile/androidenv/ subdirectory: 

./generate.sh

17.3. BEAM Languages (Erlang, Elixir & LFE)

17.3.1. Introduction

In this document and related Nix expressions, we use the term, BEAM, to describe the environment. BEAM is the name of the Erlang Virtual Machine and, as far as we’re concerned, from a packaging perspective, all languages that run on the BEAM are interchangeable. That which varies, like the build system, is transparent to users of any given BEAM package, so we make no distinction.

17.3.2. Available versions and deprecations schedule

17.3.2.1. Elixir

nixpkgs follows the official elixir deprecation schedule and keeps the last 5 released versions of Elixir available.

17.3.3. Structure

All BEAM-related expressions are available via the top-level beam attribute, which includes:

  • interpreters: a set of compilers running on the BEAM, including multiple Erlang/OTP versions (beam.interpreters.erlangR22, etc), Elixir (beam.interpreters.elixir) and LFE (Lisp Flavoured Erlang) (beam.interpreters.lfe).

  • packages: a set of package builders (Mix and rebar3), each compiled with a specific Erlang/OTP version, e.g. beam.packages.erlang22.

The default Erlang compiler, defined by beam.interpreters.erlang, is aliased as erlang. The default BEAM package set is defined by beam.packages.erlang and aliased at the top level as beamPackages.

To create a package builder built with a custom Erlang version, use the lambda, beam.packagesWith, which accepts an Erlang/OTP derivation and produces a package builder similar to beam.packages.erlang.

Many Erlang/OTP distributions available in beam.interpreters have versions with ODBC and/or Java enabled or without wx (no observer support). For example, there’s beam.interpreters.erlangR22_odbc_javac, which corresponds to beam.interpreters.erlangR22 and beam.interpreters.erlangR22_nox, which corresponds to beam.interpreters.erlangR22.

17.3.4. Build Tools

17.3.4.1. Rebar3

We provide a version of Rebar3, under rebar3. We also provide a helper to fetch Rebar3 dependencies from a lockfile under fetchRebar3Deps.

We also provide a version on Rebar3 with plugins included, under rebar3WithPlugins. This package is a function which takes two arguments: plugins, a list of nix derivations to include as plugins (loaded only when specified in rebar.config), and globalPlugins, which should always be loaded by rebar3. Example: rebar3WithPlugins { globalPlugins = [beamPackages.pc]; }.

When adding a new plugin it is important that the packageName attribute is the same as the atom used by rebar3 to refer to the plugin.

17.3.4.2. Mix & Erlang.mk

Erlang.mk works exactly as expected. There is a bootstrap process that needs to be run, which is supported by the buildErlangMk derivation.

For Elixir applications use mixRelease to make a release. See examples for more details.

There is also a buildMix helper, whose behavior is closer to that of buildErlangMk and buildRebar3. The primary difference is that mixRelease makes a release, while buildMix only builds the package, making it useful for libraries and other dependencies.

17.3.5. How to Install BEAM Packages

BEAM builders are not registered at the top level, simply because they are not relevant to the vast majority of Nix users. To install any of those builders into your profile, refer to them by their attribute path beamPackages.rebar3: 

$ nix-env -f "<nixpkgs>" -iA beamPackages.rebar3

17.3.6. Packaging BEAM Applications

17.3.6.1. Erlang Applications

17.3.6.1.1. Rebar3 Packages

The Nix function, buildRebar3, defined in beam.packages.erlang.buildRebar3 and aliased at the top level, can be used to build a derivation that understands how to build a Rebar3 project.

If a package needs to compile native code via Rebar3’s port compilation mechanism, add compilePort = true; to the derivation.

17.3.6.1.2. Erlang.mk Packages

Erlang.mk functions similarly to Rebar3, except we use buildErlangMk instead of buildRebar3.

17.3.6.1.3. Mix Packages

mixRelease is used to make a release in the mix sense. Dependencies will need to be fetched with fetchMixDeps and passed to it.

17.3.6.1.4. mixRelease - Elixir Phoenix example

there are 3 steps, frontend dependencies (javascript), backend dependencies (elixir) and the final derivation that puts both of those together

17.3.6.1.4.1. mixRelease - Frontend dependencies (javascript)

For phoenix projects, inside of nixpkgs you can either use yarn2nix (mkYarnModule) or node2nix. An example with yarn2nix can be found here. An example with node2nix will follow. To package something outside of nixpkgs, you have alternatives like npmlock2nix or nix-npm-buildpackage

17.3.6.1.4.2. mixRelease - backend dependencies (mix)

There are 2 ways to package backend dependencies. With mix2nix and with a fixed-output-derivation (FOD).

mix2nix

mix2nix is a cli tool available in nixpkgs. it will generate a nix expression from a mix.lock file. It is quite standard in the 2nix tool series.

Note that currently mix2nix can’t handle git dependencies inside the mix.lock file. If you have git dependencies, you can either add them manually (see example) or use the FOD method.

The advantage of using mix2nix is that nix will know your whole dependency graph. On a dependency update, this won’t trigger a full rebuild and download of all the dependencies, where FOD will do so.

Practical steps:

  • run mix2nix > mix_deps.nix in the upstream repo.

  • pass mixNixDeps = with pkgs; import ./mix_deps.nix { inherit lib beamPackages; }; as an argument to mixRelease.

If there are git depencencies.

  • You’ll need to fix the version artificially in mix.exs and regenerate the mix.lock with fixed version (on upstream). This will enable you to run mix2nix > mix_deps.nix.

  • From the mix_deps.nix file, remove the dependencies that had git versions and pass them as an override to the import function. 

  mixNixDeps = import ./mix.nix {
    inherit beamPackages lib;
    overrides = (final: prev: {
      # mix2nix does not support git dependencies yet,
      # so we need to add them manually
      prometheus_ex = beamPackages.buildMix rec {
        name = "prometheus_ex";
        version = "3.0.5";

        # Change the argument src with the git src that you actually need
        src = fetchFromGitLab {
          domain = "git.pleroma.social";
          group = "pleroma";
          owner = "elixir-libraries";
          repo = "prometheus.ex";
          rev = "a4e9beb3c1c479d14b352fd9d6dd7b1f6d7deee5";
          sha256 = "1v0q4bi7sb253i8q016l7gwlv5562wk5zy3l2sa446csvsacnpjk";
        };
        # you can re-use the same beamDeps argument as generated
        beamDeps = with final; [ prometheus ];
      };
  });
};

You will need to run the build process once to fix the sha256 to correspond to your new git src.

FOD

A fixed output derivation will download mix dependencies from the internet. To ensure reproducibility, a hash will be supplied. Note that mix is relatively reproducible. An FOD generating a different hash on each run hasn’t been observed (as opposed to npm where the chances are relatively high). See elixir_ls for a usage example of FOD.

Practical steps

  • start with the following argument to mixRelease 

  mixFodDeps = fetchMixDeps {
    pname = "mix-deps-${pname}";
    inherit src version;
    sha256 = lib.fakeSha256;
  };

The first build will complain about the sha256 value, you can replace with the suggested value after that.

Note that if after you’ve replaced the value, nix suggests another sha256, then mix is not fetching the dependencies reproducibly. An FOD will not work in that case and you will have to use mix2nix.

17.3.6.1.4.3. mixRelease - example

Here is how your default.nix file would look for a phoenix project. 

with import <nixpkgs> { };

let
  # beam.interpreters.erlangR23 is available if you need a particular version
  packages = beam.packagesWith beam.interpreters.erlang;

  pname = "your_project";
  version = "0.0.1";

  src = builtins.fetchgit {
    url = "ssh://git@github.com/your_id/your_repo";
    rev = "replace_with_your_commit";
  };

  # if using mix2nix you can use the mixNixDeps attribute
  mixFodDeps = packages.fetchMixDeps {
    pname = "mix-deps-${pname}";
    inherit src version;
    # nix will complain and tell you the right value to replace this with
    sha256 = lib.fakeSha256;
    # if you have build time environment variables add them here
    MY_ENV_VAR="my_value";
  };

  nodeDependencies = (pkgs.callPackage ./assets/default.nix { }).shell.nodeDependencies;

in packages.mixRelease {
  inherit src pname version mixFodDeps;
  # if you have build time environment variables add them here
  MY_ENV_VAR="my_value";

  postBuild = ''
    ln -sf ${nodeDependencies}/lib/node_modules assets/node_modules
    npm run deploy --prefix ./assets

    # for external task you need a workaround for the no deps check flag
    # https://github.com/phoenixframework/phoenix/issues/2690
    mix do deps.loadpaths --no-deps-check, phx.digest
    mix phx.digest --no-deps-check
  '';
}

Setup will require the following steps:

  • Move your secrets to runtime environment variables. For more information refer to the runtime.exs docs. On a fresh Phoenix build that would mean that both DATABASE_URL and SECRET_KEY need to be moved to runtime.exs.

  • cd assets and nix-shell -p node2nix --run node2nix --development will generate a Nix expression containing your frontend dependencies

  • commit and push those changes

  • you can now nix-build .

  • To run the release, set the RELEASE_TMP environment variable to a directory that your program has write access to. It will be used to store the BEAM settings.

17.3.6.1.5. Example of creating a service for an Elixir - Phoenix project

In order to create a service with your release, you could add a service.nix in your project with the following 

{config, pkgs, lib, ...}:

let
  release = pkgs.callPackage ./default.nix;
  release_name = "app";
  working_directory = "/home/app";
in
{
  systemd.services.${release_name} = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" "postgresql.service" ];
    # note that if you are connecting to a postgres instance on a different host
    # postgresql.service should not be included in the requires.
    requires = [ "network-online.target" "postgresql.service" ];
    description = "my app";
    environment = {
      # RELEASE_TMP is used to write the state of the
      # VM configuration when the system is running
      # it needs to be a writable directory
      RELEASE_TMP = working_directory;
      # can be generated in an elixir console with
      # Base.encode32(:crypto.strong_rand_bytes(32))
      RELEASE_COOKIE = "my_cookie";
      MY_VAR = "my_var";
    };
    serviceConfig = {
      Type = "exec";
      DynamicUser = true;
      WorkingDirectory = working_directory;
      # Implied by DynamicUser, but just to emphasize due to RELEASE_TMP
      PrivateTmp = true;
      ExecStart = ''
        ${release}/bin/${release_name} start
      '';
      ExecStop = ''
        ${release}/bin/${release_name} stop
      '';
      ExecReload = ''
        ${release}/bin/${release_name} restart
      '';
      Restart = "on-failure";
      RestartSec = 5;
      StartLimitBurst = 3;
      StartLimitInterval = 10;
    };
    # disksup requires bash
    path = [ pkgs.bash ];
  };

  # in case you have migration scripts or you want to use a remote shell
  environment.systemPackages = [ release ];
}

17.3.7. How to Develop

17.3.7.1. Creating a Shell

Usually, we need to create a shell.nix file and do our development inside of the environment specified therein. Just install your version of Erlang and any other interpreters, and then use your normal build tools. As an example with Elixir: 

{ pkgs ? import <nixpkgs> {} }:

with pkgs;
let
  elixir = beam.packages.erlangR24.elixir_1_12;
in
mkShell {
  buildInputs = [ elixir ];
}

17.3.7.2. Using an overlay

If you need to use an overlay to change some attributes of a derivation, e.g. if you need a bugfix from a version that is not yet available in nixpkgs, you can override attributes such as version (and the corresponding sha256) and then use this overlay in your development environment:

17.3.7.2.1. shell.nix
let
  elixir_1_13_1_overlay = (self: super: {
      elixir_1_13 = super.elixir_1_13.override {
        version = "1.13.1";
        sha256 = "0z0b1w2vvw4vsnb99779c2jgn9bgslg7b1pmd9vlbv02nza9qj5p";
      };
    });
  pkgs = import <nixpkgs> { overlays = [ elixir_1_13_1_overlay ]; };
in
with pkgs;
mkShell {
  buildInputs = [
    elixir_1_13
  ];
}
17.3.7.2.2. Elixir - Phoenix project

Here is an example shell.nix. 

with import <nixpkgs> { };

let
  # define packages to install
  basePackages = [
    git
    # replace with beam.packages.erlang.elixir_1_13 if you need
    beam.packages.erlang.elixir
    nodejs
    postgresql_14
    # only used for frontend dependencies
    # you are free to use yarn2nix as well
    nodePackages.node2nix
    # formatting js file
    nodePackages.prettier
  ];

  inputs = basePackages ++ lib.optionals stdenv.isLinux [ inotify-tools ]
    ++ lib.optionals stdenv.isDarwin
    (with darwin.apple_sdk.frameworks; [ CoreFoundation CoreServices ]);

  # define shell startup command
  hooks = ''
    # this allows mix to work on the local directory
    mkdir -p .nix-mix .nix-hex
    export MIX_HOME=$PWD/.nix-mix
    export HEX_HOME=$PWD/.nix-mix
    # make hex from Nixpkgs available
    # `mix local.hex` will install hex into MIX_HOME and should take precedence
    export MIX_PATH="${beam.packages.erlang.hex}/lib/erlang/lib/hex/ebin"
    export PATH=$MIX_HOME/bin:$HEX_HOME/bin:$PATH
    export LANG=C.UTF-8
    # keep your shell history in iex
    export ERL_AFLAGS="-kernel shell_history enabled"

    # postges related
    # keep all your db data in a folder inside the project
    export PGDATA="$PWD/db"

    # phoenix related env vars
    export POOL_SIZE=15
    export DB_URL="postgresql://postgres:postgres@localhost:5432/db"
    export PORT=4000
    export MIX_ENV=dev
    # add your project env vars here, word readable in the nix store.
    export ENV_VAR="your_env_var"
  '';

in mkShell {
  buildInputs = inputs;
  shellHook = hooks;
}

Initializing the project will require the following steps:

  • create the db directory initdb ./db (inside your mix project folder)

  • create the postgres user createuser postgres -ds

  • create the db createdb db

  • start the postgres instance pg_ctl -l "$PGDATA/server.log" start

  • add the /db folder to your .gitignore

  • you can start your phoenix server and get a shell with iex -S mix phx.server

17.4. Bower

Bower is a package manager for web site front-end components. Bower packages (comprising of build artefacts and sometimes sources) are stored in git repositories, typically on Github. The package registry is run by the Bower team with package metadata coming from the bower.json file within each package.

The end result of running Bower is a bower_components directory which can be included in the web app’s build process.

Bower can be run interactively, by installing nodePackages.bower. More interestingly, the Bower components can be declared in a Nix derivation, with the help of nodePackages.bower2nix.

17.4.1. bower2nix usage

Suppose you have a bower.json with the following contents:

17.4.1.1. Example bower.json

  "name": "my-web-app",
  "dependencies": {
    "angular": "~1.5.0",
    "bootstrap": "~3.3.6"
  }

Running bower2nix will produce something like the following output: 

{ fetchbower, buildEnv }:
buildEnv { name = "bower-env"; ignoreCollisions = true; paths = [
  (fetchbower "angular" "1.5.3" "~1.5.0" "1749xb0firxdra4rzadm4q9x90v6pzkbd7xmcyjk6qfza09ykk9y")
  (fetchbower "bootstrap" "3.3.6" "~3.3.6" "1vvqlpbfcy0k5pncfjaiskj3y6scwifxygfqnw393sjfxiviwmbv")
  (fetchbower "jquery" "2.2.2" "1.9.1 - 2" "10sp5h98sqwk90y4k6hbdviwqzvzwqf47r3r51pakch5ii2y7js1")
];

Using the bower2nix command line arguments, the output can be redirected to a file. A name like bower-packages.nix would be fine.

The resulting derivation is a union of all the downloaded Bower packages (and their dependencies). To use it, they still need to be linked together by Bower, which is where buildBowerComponents is useful.

17.4.2. buildBowerComponents function

The function is implemented in pkgs/development/bower-modules/generic/default.nix.

17.4.2.1. Example buildBowerComponents

      bowerComponents = buildBowerComponents {
        name = "my-web-app";
        generated = ./bower-packages.nix; 1
        src = myWebApp; 2
      };

In buildBowerComponents example the following arguments are of special significance to the function:

1

generated specifies the file which was created by bower2nix.

2

src is your project's sources. It needs to contain a bower.json file.

buildBowerComponents will run Bower to link together the output of bower2nix, resulting in a bower_components directory which can be used.

Here is an example of a web frontend build process using gulp. You might use grunt, or anything else.

17.4.2.2. Example build script (gulpfile.js)

var gulp = require('gulp');

gulp.task('default', [], function () {
  gulp.start('build');
});

gulp.task('build', [], function () {
  console.log("Just a dummy gulp build");
  gulp
    .src(["./bower_components/**/*"])
    .pipe(gulp.dest("./gulpdist/"));
});

17.4.2.3. Example Full example — default.nix

      { myWebApp ? { outPath = ./.; name = "myWebApp"; }
      , pkgs ? import <nixpkgs> {}
      }:

      pkgs.stdenv.mkDerivation {
        name = "my-web-app-frontend";
        src = myWebApp;

        buildInputs = [ pkgs.nodePackages.gulp ];

        bowerComponents = pkgs.buildBowerComponents { 1
          name = "my-web-app";
          generated = ./bower-packages.nix;
          src = myWebApp;
        };

        buildPhase = ''
          cp --reflink=auto --no-preserve=mode -R $bowerComponents/bower_components . 2
          export HOME=$PWD 3
          ${pkgs.nodePackages.gulp}/bin/gulp build 4
        '';

        installPhase = "mv gulpdist $out";
      }

A few notes about Full example — default.nix:

1

The result of buildBowerComponents is an input to the frontend build.

2

Whether to symlink or copy the bower_components directory depends on the build tool in use. In this case a copy is used to avoid gulp silliness with permissions.

3

gulp requires HOME to refer to a writeable directory.

4

The actual build command. Other tools could be used.

17.4.3. Troubleshooting

17.4.3.1. ENOCACHE errors from buildBowerComponents

This means that Bower was looking for a package version which doesn’t exist in the generated bower-packages.nix.

If bower.json has been updated, then run bower2nix again.

It could also be a bug in bower2nix or fetchbower. If possible, try reformulating the version specification in bower.json.

17.5. CHICKEN

CHICKEN is a R⁵RS-compliant Scheme compiler. It includes an interactive mode and a custom package format, eggs.

17.5.1. Using Eggs

Eggs described in nixpkgs are available inside the chickenPackages.chickenEggs attrset. Including an egg as a build input is done in the typical Nix fashion. For example, to include support for SRFI 189 in a derivation, one might write: 

  buildInputs = [
    chicken
    chickenPackages.chickenEggs.srfi-189
  ];

Both chicken and its eggs have a setup hook which configures the environment variables CHICKEN_INCLUDE_PATH and CHICKEN_REPOSITORY_PATH.

17.5.2. Updating Eggs

nixpkgs only knows about a subset of all published eggs. It uses egg2nix to generate a package set from a list of eggs to include.

The package set is regenerated by running the following shell commands: 

$ nix-shell -p chickenPackages.egg2nix
$ cd pkgs/development/compilers/chicken/5/
$ egg2nix eggs.scm > eggs.nix

17.5.3. Adding Eggs

When we run egg2nix, we obtain one collection of eggs with mutually-compatible versions. This means that when we add new eggs, we may need to update existing eggs. To keep those separate, follow the procedure for updating eggs before including more eggs.

To include more eggs, edit pkgs/development/compilers/chicken/5/eggs.scm. The first section of this file lists eggs which are required by egg2nix itself; all other eggs go into the second section. After editing, follow the procedure for updating eggs.

17.6. Coq and coq packages

17.6.1. Coq derivation: coq

The Coq derivation is overridable through the coq.override overrides, where overrides is an attribute set which contains the arguments to override. We recommend overriding either of the following

  • version (optional, defaults to the latest version of Coq selected for nixpkgs, see pkgs/top-level/coq-packages to witness this choice), which follows the conventions explained in the coqPackages section below,

  • customOCamlPackages (optional, defaults to null, which lets Coq choose a version automatically), which can be set to any of the ocaml packages attribute of ocaml-ng (such as ocaml-ng.ocamlPackages_4_10 which is the default for Coq 8.11 for example).

  • coq-version (optional, defaults to the short version e.g. 8.10), is a version number of the form x.y that indicates which Coq’s version build behavior to mimic when using a source which is not a release. E.g. coq.override { version = "d370a9d1328a4e1cdb9d02ee032f605a9d94ec7a"; coq-version = "8.10"; }.

The associated package set can be optained using mkCoqPackages coq, where coq is the derivation to use.

17.6.2. Coq packages attribute sets: coqPackages

The recommended way of defining a derivation for a Coq library, is to use the coqPackages.mkCoqDerivation function, which is essentially a specialization of mkDerivation taking into account most of the specifics of Coq libraries. The following attributes are supported:

  • pname (required) is the name of the package,

  • version (optional, defaults to null), is the version to fetch and build, this attribute is interpreted in several ways depending on its type and pattern:

    • if it is a known released version string, i.e. from the release attribute below, the according release is picked, and the version attribute of the resulting derivation is set to this release string,

    • if it is a majorMinor "x.y" prefix of a known released version (as defined above), then the latest "x.y.z" known released version is selected (for the ordering given by versionAtLeast),

    • if it is a path or a string representing an absolute path (i.e. starting with "/"), the provided path is selected as a source, and the version attribute of the resulting derivation is set to "dev",

    • if it is a string of the form owner:branch then it tries to download the branch of owner owner for a project of the same name using the same vcs, and the version attribute of the resulting derivation is set to "dev", additionally if the owner is not provided (i.e. if the owner: prefix is missing), it defaults to the original owner of the package (see below),

    • if it is a string of the form "#N", and the domain is github, then it tries to download the current head of the pull request #N from github,

  • defaultVersion (optional). Coq libraries may be compatible with some specific versions of Coq only. The defaultVersion attribute is used when no version is provided (or if version = null) to select the version of the library to use by default, depending on the context. This selection will mainly depend on a coq version number but also possibly on other packages versions (e.g. mathcomp). If its value ends up to be null, the package is marked for removal in end-user coqPackages attribute set.

  • release (optional, defaults to {}), lists all the known releases of the library and for each of them provides an attribute set with at least a sha256 attribute (you may put the empty string "" in order to automatically insert a fake sha256, this will trigger an error which will allow you to find the correct sha256), each attribute set of the list of releases also takes optional overloading arguments for the fetcher as below (i.e.domain, owner, repo, rev assuming the default fetcher is used) and optional overrides for the result of the fetcher (i.e. version and src).

  • fetcher (optional, defaults to a generic fetching mechanism supporting github or gitlab based infrastructures), is a function that takes at least an owner, a repo, a rev, and a sha256 and returns an attribute set with a version and src.

  • repo (optional, defaults to the value of pname),

  • owner (optional, defaults to "coq-community").

  • domain (optional, defaults to "github.com"), domains including the strings "github" or "gitlab" in their names are automatically supported, otherwise, one must change the fetcher argument to support them (cf pkgs/development/coq-modules/heq/default.nix for an example),

  • releaseRev (optional, defaults to (v: v)), provides a default mapping from release names to revision hashes/branch names/tags,

  • displayVersion (optional), provides a way to alter the computation of name from pname, by explaining how to display version numbers,

  • namePrefix (optional, defaults to [ "coq" ]), provides a way to alter the computation of name from pname, by explaining which dependencies must occur in name,

  • nativeBuildInputs (optional), is a list of executables that are required to build the current derivation, in addition to the default ones (namely which, dune and ocaml depending on whether useDune, useDuneifVersion and mlPlugin are set).

  • extraNativeBuildInputs (optional, deprecated), an additional list of derivation to add to nativeBuildInputs,

  • overrideNativeBuildInputs (optional) replaces the default list of derivation to which nativeBuildInputs and extraNativeBuildInputs adds extra elements,

  • buildInputs (optional), is a list of libraries and dependencies that are required to build and run the current derivation, in addition to the default one [ coq ],

  • extraBuildInputs (optional, deprecated), an additional list of derivation to add to buildInputs,

  • overrideBuildInputs (optional) replaces the default list of derivation to which buildInputs and extraBuildInputs adds extras elements,

  • propagatedBuildInputs (optional) is passed as is to mkDerivation, we recommend to use this for Coq libraries and Coq plugin dependencies, as this makes sure the paths of the compiled libraries and plugins will always be added to the build environements of subsequent derivation, which is necessary for Coq packages to work correctly,

  • mlPlugin (optional, defaults to false). Some extensions (plugins) might require OCaml and sometimes other OCaml packages. Standard dependencies can be added by setting the current option to true. For a finer grain control, the coq.ocamlPackages attribute can be used in nativeBuildInputs, buildInputs, and propagatedBuildInputs to depend on the same package set Coq was built against.

  • useDuneifVersion (optional, default to (x: false) uses Dune to build the package if the provided predicate evaluates to true on the version, e.g. useDuneifVersion = versions.isGe "1.1" will use dune if the version of the package is greater or equal to "1.1",

  • useDune (optional, defaults to false) uses Dune to build the package if set to true, the presence of this attribute overrides the behavior of the previous one.

  • opam-name (optional, defaults to concatenating with a dash separator the components of namePrefix and pname), name of the Dune package to build.

  • enableParallelBuilding (optional, defaults to true), since it is activated by default, we provide a way to disable it.

  • extraInstallFlags (optional), allows to extend installFlags which initializes the variable COQMF_COQLIB so as to install in the proper subdirectory. Indeed Coq libraries should be installed in $(out)/lib/coq/${coq.coq-version}/user-contrib/. Such directories are automatically added to the $COQPATH environment variable by the hook defined in the Coq derivation.

  • setCOQBIN (optional, defaults to true), by default, the environment variable $COQBIN is set to the current Coq’s binary, but one can disable this behavior by setting it to false,

  • useMelquiondRemake (optional, default to null) is an attribute set, which, if given, overloads the preConfigurePhases, configureFlags, buildPhase, and installPhase attributes of the derivation for a specific use in libraries using remake as set up by Guillaume Melquiond for flocq, gappalib, interval, and coquelicot (see the corresponding derivation for concrete examples of use of this option). For backward compatibility, the attribute useMelquiondRemake.logpath must be set to the logical root of the library (otherwise, one can pass useMelquiondRemake = {} to activate this without backward compatibility).

  • dropAttrs, keepAttrs, dropDerivationAttrs are all optional and allow to tune which attribute is added or removed from the final call to mkDerivation.

It also takes other standard mkDerivation attributes, they are added as such, except for meta which extends an automatically computed meta (where the platform is the same as coq and the homepage is automatically computed).

Here is a simple package example. It is a pure Coq library, thus it depends on Coq. It builds on the Mathematical Components library, thus it also takes some mathcomp derivations as extraBuildInputs. 

{ lib, mkCoqDerivation, version ? null
, coq, mathcomp, mathcomp-finmap, mathcomp-bigenough }:
with lib; mkCoqDerivation {
  /* namePrefix leads to e.g. `name = coq8.11-mathcomp1.11-multinomials-1.5.2` */
  namePrefix = [ "coq" "mathcomp" ];
  pname = "multinomials";
  owner = "math-comp";
  inherit version;
  defaultVersion =  with versions; switch [ coq.version mathcomp.version ] [
      { cases = [ (range "8.7" "8.12")  "1.11.0" ];             out = "1.5.2"; }
      { cases = [ (range "8.7" "8.11")  (range "1.8" "1.10") ]; out = "1.5.0"; }
      { cases = [ (range "8.7" "8.10")  (range "1.8" "1.10") ]; out = "1.4"; }
      { cases = [ "8.6"                 (range "1.6" "1.7") ];  out = "1.1"; }
    ] null;
  release = {
    "1.5.2".sha256 = "15aspf3jfykp1xgsxf8knqkxv8aav2p39c2fyirw7pwsfbsv2c4s";
    "1.5.1".sha256 = "13nlfm2wqripaq671gakz5mn4r0xwm0646araxv0nh455p9ndjs3";
    "1.5.0".sha256 = "064rvc0x5g7y1a0nip6ic91vzmq52alf6in2bc2dmss6dmzv90hw";
    "1.5.0".rev    = "1.5";
    "1.4".sha256   = "0vnkirs8iqsv8s59yx1fvg1nkwnzydl42z3scya1xp1b48qkgn0p";
    "1.3".sha256   = "0l3vi5n094nx3qmy66hsv867fnqm196r8v605kpk24gl0aa57wh4";
    "1.2".sha256   = "1mh1w339dslgv4f810xr1b8v2w7rpx6fgk9pz96q0fyq49fw2xcq";
    "1.1".sha256   = "1q8alsm89wkc0lhcvxlyn0pd8rbl2nnxg81zyrabpz610qqjqc3s";
    "1.0".sha256   = "1qmbxp1h81cy3imh627pznmng0kvv37k4hrwi2faa101s6bcx55m";
  };

  propagatedBuildInputs =
    [ mathcomp.ssreflect mathcomp.algebra mathcomp-finmap mathcomp-bigenough ];

  meta = {
    description = "A Coq/SSReflect Library for Monoidal Rings and Multinomials";
    license = licenses.cecill-c;
  };
}

17.6.3. Three ways of overriding Coq packages

There are three distinct ways of changing a Coq package by overriding one of its values: .override, overrideCoqDerivation, and .overrideAttrs. This section explains what sort of values can be overridden with each of these methods.

17.6.3.1. .override

.override lets you change arguments to a Coq derivation. In the case of the multinomials package above, .override would let you override arguments like mkCoqDerivation, version, coq, mathcomp, mathcom-finmap, etc.

For example, assuming you have a special mathcomp dependency you want to use, here is how you could override the mathcomp dependency: 

multinomials.override {
  mathcomp = my-special-mathcomp;
}

In Nixpkgs, all Coq derivations take a version argument. This can be overridden in order to easily use a different version: 

coqPackages.multinomials.override {
  version = "1.5.1";
}

Refer to Section 17.6.2, “Coq packages attribute sets: coqPackages for all the different formats that you can potentially pass to version, as well as the restrictions.

17.6.3.2. overrideCoqDerivation

The overrideCoqDerivation function lets you easily change arguments to mkCoqDerivation. These arguments are described in Section 17.6.2, “Coq packages attribute sets: coqPackages.

For example, here is how you could locally add a new release of the multinomials library, and set the defaultVersion to use this release: 

coqPackages.lib.overrideCoqDerivation
  {
    defaultVersion = "2.0";
    release."2.0".sha256 = "1lq8x86vd3vqqh2yq6hvyagpnhfq5wmk5pg2z0xq7b7dbbbhyfkk";
  }
  coqPackages.multinomials

17.6.3.3. .overrideAttrs

.overrideAttrs lets you override arguments to the underlying stdenv.mkDerivation call. Internally, mkCoqDerivation uses stdenv.mkDerivation to create derivations for Coq libraries. You can override arguments to stdenv.mkDerivation with .overrideAttrs.

For instance, here is how you could add some code to be performed in the derivation after installation is complete: 

coqPackages.multinomials.overrideAttrs (oldAttrs: {
  postInstall = oldAttrs.postInstall or "" + ''
    echo "you can do anything you want here"
  '';
})

17.7. Crystal

17.7.1. Building a Crystal package

This section uses Mint as an example for how to build a Crystal package.

If the Crystal project has any dependencies, the first step is to get a shards.nix file encoding those. Get a copy of the project and go to its root directory such that its shard.lock file is in the current directory. Executable projects should usually commit the shard.lock file, but sometimes that’s not the case, which means you need to generate it yourself. With an existing shard.lock file, crystal2nix can be run. 

$ git clone https://github.com/mint-lang/mint
$ cd mint
$ git checkout 0.5.0
$ if [ ! -f shard.lock ]; then nix-shell -p shards --run "shards lock"; fi
$ nix-shell -p crystal2nix --run crystal2nix

This should have generated a shards.nix file.

Next create a Nix file for your derivation and use pkgs.crystal.buildCrystalPackage as follows: 

with import <nixpkgs> {};
crystal.buildCrystalPackage rec {
  pname = "mint";
  version = "0.5.0";

  src = fetchFromGitHub {
    owner = "mint-lang";
    repo = "mint";
    rev = version;
    sha256 = "0vxbx38c390rd2ysvbwgh89v2232sh5rbsp3nk9wzb70jybpslvl";
  };

  # Insert the path to your shards.nix file here
  shardsFile = ./shards.nix;

  ...
}

This won’t build anything yet, because we haven’t told it what files build. We can specify a mapping from binary names to source files with the crystalBinaries attribute. The project’s compilation instructions should show this. For Mint, the binary is called mint, which is compiled from the source file src/mint.cr, so we’ll specify this as follows: 

  crystalBinaries.mint.src = "src/mint.cr";

  # ...

Additionally you can override the default crystal build options (which are currently --release --progress --no-debug --verbose) with 

  crystalBinaries.mint.options = [ "--release" "--verbose" ];

Depending on the project, you might need additional steps to get it to compile successfully. In Mint’s case, we need to link against openssl, so in the end the Nix file looks as follows: 

with import <nixpkgs> {};
crystal.buildCrystalPackage rec {
  version = "0.5.0";
  pname = "mint";
  src = fetchFromGitHub {
    owner = "mint-lang";
    repo = "mint";
    rev = version;
    sha256 = "0vxbx38c390rd2ysvbwgh89v2232sh5rbsp3nk9wzb70jybpslvl";
  };

  shardsFile = ./shards.nix;
  crystalBinaries.mint.src = "src/mint.cr";

  buildInputs = [ openssl ];
}

17.8. CUDA

CUDA-only packages are stored in the cudaPackages packages set. This set includes the cudatoolkit, portions of the toolkit in separate derivations, cudnn, cutensor and nccl.

A package set is available for each CUDA version, so for example cudaPackages_11_6. Within each set is a matching version of the above listed packages. Additionally, other versions of the packages that are packaged and compatible are available as well. For example, there can be a cudaPackages.cudnn_8_3_2 package.

To use one or more CUDA packages in an expression, give the expression a cudaPackages parameter, and in case CUDA is optional 

cudaSupport ? false
cudaPackages ? {}

When using callPackage, you can choose to pass in a different variant, e.g. when a different version of the toolkit suffices 

mypkg = callPackage { cudaPackages = cudaPackages_11_5; }

If another version of say cudnn or cutensor is needed, you can override the package set to make it the default. This guarantees you get a consistent package set. 

mypkg = let
  cudaPackages = cudaPackages_11_5.overrideScope' (final: prev {
    cudnn = prev.cudnn_8_3_2;
  }});
in callPackage { inherit cudaPackages; };

17.9. Dhall

The Nixpkgs support for Dhall assumes some familiarity with Dhall’s language support for importing Dhall expressions, which is documented here:

17.9.1. Remote imports

Nixpkgs bypasses Dhall’s support for remote imports using Dhall’s semantic integrity checks. Specifically, any Dhall import can be protected by an integrity check like: 

https://prelude.dhall-lang.org/v20.1.0/package.dhall
  sha256:26b0ef498663d269e4dc6a82b0ee289ec565d683ef4c00d0ebdd25333a5a3c98

… and if the import is cached then the interpreter will load the import from cache instead of fetching the URL.

Nixpkgs uses this trick to add all of a Dhall expression’s dependencies into the cache so that the Dhall interpreter never needs to resolve any remote URLs. In fact, Nixpkgs uses a Dhall interpreter with remote imports disabled when packaging Dhall expressions to enforce that the interpreter never resolves a remote import. This means that Nixpkgs only supports building Dhall expressions if all of their remote imports are protected by semantic integrity checks.

Instead of remote imports, Nixpkgs uses Nix to fetch remote Dhall code. For example, the Prelude Dhall package uses pkgs.fetchFromGitHub to fetch the dhall-lang repository containing the Prelude. Relying exclusively on Nix to fetch Dhall code ensures that Dhall packages built using Nix remain pure and also behave well when built within a sandbox.

17.9.2. Packaging a Dhall expression from scratch

We can illustrate how Nixpkgs integrates Dhall by beginning from the following trivial Dhall expression with one dependency (the Prelude): 

-- ./true.dhall

let Prelude = https://prelude.dhall-lang.org/v20.1.0/package.dhall

in  Prelude.Bool.not False

As written, this expression cannot be built using Nixpkgs because the expression does not protect the Prelude import with a semantic integrity check, so the first step is to freeze the expression using dhall freeze, like this: 

$ dhall freeze --inplace ./true.dhall

… which gives us: 

-- ./true.dhall

let Prelude =
      https://prelude.dhall-lang.org/v20.1.0/package.dhall
        sha256:26b0ef498663d269e4dc6a82b0ee289ec565d683ef4c00d0ebdd25333a5a3c98

in  Prelude.Bool.not False

To package that expression, we create a ./true.nix file containing the following specification for the Dhall package: 

# ./true.nix

{ buildDhallPackage, Prelude }:

buildDhallPackage {
  name = "true";
  code = ./true.dhall;
  dependencies = [ Prelude ];
  source = true;
}

… and we complete the build by incorporating that Dhall package into the pkgs.dhallPackages hierarchy using an overlay, like this: 

# ./example.nix

let
  nixpkgs = builtins.fetchTarball {
    url    = "https://github.com/NixOS/nixpkgs/archive/94b2848559b12a8ed1fe433084686b2a81123c99.tar.gz";
    sha256 = "1pbl4c2dsaz2lximgd31m96jwbps6apn3anx8cvvhk1gl9rkg107";
  };

  dhallOverlay = self: super: {
    true = self.callPackage ./true.nix { };
  };

  overlay = self: super: {
    dhallPackages = super.dhallPackages.override (old: {
      overrides =
        self.lib.composeExtensions (old.overrides or (_: _: {})) dhallOverlay;
    });
  };

  pkgs = import nixpkgs { config = {}; overlays = [ overlay ]; };

in
  pkgs

… which we can then build using this command: 

$ nix build --file ./example.nix dhallPackages.true

17.9.3. Contents of a Dhall package

The above package produces the following directory tree: 

$ tree -a ./result
result
├── .cache
│   └── dhall
│       └── 122027abdeddfe8503496adeb623466caa47da5f63abd2bc6fa19f6cfcb73ecfed70
├── binary.dhall
└── source.dhall

… where:

  • source.dhall contains the result of interpreting our Dhall package: 

    $ cat ./result/source.dhall
True

  • The .cache subdirectory contains one binary cache product encoding the same result as source.dhall: 

    $ dhall decode < ./result/.cache/dhall/122027abdeddfe8503496adeb623466caa47da5f63abd2bc6fa19f6cfcb73ecfed70
True

  • binary.dhall contains a Dhall expression which handles fetching and decoding the same cache product: 

    $ cat ./result/binary.dhall
missing sha256:27abdeddfe8503496adeb623466caa47da5f63abd2bc6fa19f6cfcb73ecfed70
$ cp -r ./result/.cache .cache

$ chmod -R u+w .cache

$ XDG_CACHE_HOME=.cache dhall --file ./result/binary.dhall
True

The source.dhall file is only present for packages that specify source = true;. By default, Dhall packages omit the source.dhall in order to conserve disk space when they are used exclusively as dependencies. For example, if we build the Prelude package it will only contain the binary encoding of the expression: 

$ nix build --file ./example.nix dhallPackages.Prelude

$ tree -a result
result
├── .cache
│   └── dhall
│       └── 122026b0ef498663d269e4dc6a82b0ee289ec565d683ef4c00d0ebdd25333a5a3c98
└── binary.dhall

2 directories, 2 files

Typically, you only specify source = true; for the top-level Dhall expression of interest (such as our example true.nix Dhall package). However, if you wish to specify source = true for all Dhall packages, then you can amend the Dhall overlay like this: 

  dhallOverrides = self: super: {
    # Enable source for all Dhall packages
    buildDhallPackage =
      args: super.buildDhallPackage (args // { source = true; });

    true = self.callPackage ./true.nix { };
  };

… and now the Prelude will contain the fully decoded result of interpreting the Prelude: 

$ nix build --file ./example.nix dhallPackages.Prelude

$ tree -a result
result
├── .cache
│   └── dhall
│       └── 122026b0ef498663d269e4dc6a82b0ee289ec565d683ef4c00d0ebdd25333a5a3c98
├── binary.dhall
└── source.dhall

$ cat ./result/source.dhall
{ Bool =
  { and =
      \(_ : List Bool) ->
        List/fold Bool _ Bool (\(_ : Bool) -> \(_ : Bool) -> _@1 && _) True
  , build = \(_ : Type -> _ -> _@1 -> _@2) -> _ Bool True False
  , even =
      \(_ : List Bool) ->
        List/fold Bool _ Bool (\(_ : Bool) -> \(_ : Bool) -> _@1 == _) True
  , fold =
      \(_ : Bool) ->
…

17.9.4. Packaging functions

We already saw an example of using buildDhallPackage to create a Dhall package from a single file, but most Dhall packages consist of more than one file and there are two derived utilities that you may find more useful when packaging multiple files:

  • buildDhallDirectoryPackage - build a Dhall package from a local directory

  • buildDhallGitHubPackage - build a Dhall package from a GitHub repository

The buildDhallPackage is the lowest-level function and accepts the following arguments:

  • name: The name of the derivation

  • dependencies: Dhall dependencies to build and cache ahead of time

  • code: The top-level expression to build for this package

    Note that the code field accepts an arbitrary Dhall expression. You’re not limited to just a file.

  • source: Set to true to include the decoded result as source.dhall in the build product, at the expense of requiring more disk space

  • documentationRoot: Set to the root directory of the package if you want dhall-docs to generate documentation underneath the docs subdirectory of the build product

The buildDhallDirectoryPackage is a higher-level function implemented in terms of buildDhallPackage that accepts the following arguments:

  • name: Same as buildDhallPackage

  • dependencies: Same as buildDhallPackage

  • source: Same as buildDhallPackage

  • src: The directory containing Dhall code that you want to turn into a Dhall package

  • file: The top-level file (package.dhall by default) that is the entrypoint to the rest of the package

  • document: Set to true to generate documentation for the package

The buildDhallGitHubPackage is another higher-level function implemented in terms of buildDhallPackage that accepts the following arguments:

  • name: Same as buildDhallPackage

  • dependencies: Same as buildDhallPackage

  • source: Same as buildDhallPackage

  • owner: The owner of the repository

  • repo: The repository name

  • rev: The desired revision (or branch, or tag)

  • directory: The subdirectory of the Git repository to package (if a directory other than the root of the repository)

  • file: The top-level file (${directory}/package.dhall by default) that is the entrypoint to the rest of the package

  • document: Set to true to generate documentation for the package

Additionally, buildDhallGitHubPackage accepts the same arguments as fetchFromGitHub, such as sha256 or fetchSubmodules.

17.9.5. dhall-to-nixpkgs

You can use the dhall-to-nixpkgs command-line utility to automate packaging Dhall code. For example: 

$ nix-env --install --attr haskellPackages.dhall-nixpkgs

$ nix-env --install --attr nix-prefetch-git  # Used by dhall-to-nixpkgs

$ dhall-to-nixpkgs github https://github.com/Gabriel439/dhall-semver.git
{ buildDhallGitHubPackage, Prelude }:
  buildDhallGitHubPackage {
    name = "dhall-semver";
    githubBase = "github.com";
    owner = "Gabriel439";
    repo = "dhall-semver";
    rev = "2d44ae605302ce5dc6c657a1216887fbb96392a4";
    fetchSubmodules = false;
    sha256 = "0y8shvp8srzbjjpmnsvz9c12ciihnx1szs0yzyi9ashmrjvd0jcz";
    directory = "";
    file = "package.dhall";
    source = false;
    document = false;
    dependencies = [ (Prelude.overridePackage { file = "package.dhall"; }) ];
    }

The utility takes care of automatically detecting remote imports and converting them to package dependencies. You can also use the utility on local Dhall directories, too: 

$ dhall-to-nixpkgs directory ~/proj/dhall-semver
{ buildDhallDirectoryPackage, Prelude }:
  buildDhallDirectoryPackage {
    name = "proj";
    src = ~/proj/dhall-semver;
    file = "package.dhall";
    source = false;
    document = false;
    dependencies = [ (Prelude.overridePackage { file = "package.dhall"; }) ];
    }

17.9.5.1. Remote imports as fixed-output derivations

dhall-to-nixpkgs has the ability to fetch and build remote imports as fixed-output derivations by using their Dhall integrity check. This is sometimes easier than manually packaging all remote imports.

This can be used like the following: 

$ dhall-to-nixpkgs directory --fixed-output-derivations ~/proj/dhall-semver
{ buildDhallDirectoryPackage, buildDhallUrl }:
  buildDhallDirectoryPackage {
    name = "proj";
    src = ~/proj/dhall-semver;
    file = "package.dhall";
    source = false;
    document = false;
    dependencies = [
      (buildDhallUrl {
        url = "https://prelude.dhall-lang.org/v17.0.0/package.dhall";
        hash = "sha256-ENs8kZwl6QRoM9+Jeo/+JwHcOQ+giT2VjDQwUkvlpD4=";
        dhallHash = "sha256:10db3c919c25e9046833df897a8ffe2701dc390fa0893d958c3430524be5a43e";
        })
      ];
    }

Here, dhall-semver’s Prelude dependency is fetched and built with the buildDhallUrl helper function, instead of being passed in as a function argument.

17.9.6. Overriding dependency versions

Suppose that we change our true.dhall example expression to depend on an older version of the Prelude (19.0.0): 

-- ./true.dhall

let Prelude =
      https://prelude.dhall-lang.org/v19.0.0/package.dhall
        sha256:eb693342eb769f782174157eba9b5924cf8ac6793897fc36a31ccbd6f56dafe2

in  Prelude.Bool.not False

If we try to rebuild that expression the build will fail: 

$ nix build --file ./example.nix dhallPackages.true
builder for '/nix/store/0f1hla7ff1wiaqyk1r2ky4wnhnw114fi-true.drv' failed with exit code 1; last 10 log lines:

  Dhall was compiled without the 'with-http' flag.

  The requested URL was: https://prelude.dhall-lang.org/v19.0.0/package.dhall


  4│       https://prelude.dhall-lang.org/v19.0.0/package.dhall
  5│         sha256:eb693342eb769f782174157eba9b5924cf8ac6793897fc36a31ccbd6f56dafe2

  /nix/store/rsab4y99h14912h4zplqx2iizr5n4rc2-true.dhall:4:7
[1 built (1 failed), 0.0 MiB DL]
error: build of '/nix/store/0f1hla7ff1wiaqyk1r2ky4wnhnw114fi-true.drv' failed

… because the default Prelude selected by Nixpkgs revision 94b2848559b12a8ed1fe433084686b2a81123c99is is version 20.1.0, which doesn’t have the same integrity check as version 19.0.0. This means that version 19.0.0 is not cached and the interpreter is not allowed to fall back to importing the URL.

However, we can override the default Prelude version by using dhall-to-nixpkgs to create a Dhall package for our desired Prelude: 

$ dhall-to-nixpkgs github https://github.com/dhall-lang/dhall-lang.git \
    --name Prelude \
    --directory Prelude \
    --rev v19.0.0 \
    > Prelude.nix

… and then referencing that package in our Dhall overlay, by either overriding the Prelude globally for all packages, like this: 

  dhallOverrides = self: super: {
    true = self.callPackage ./true.nix { };

    Prelude = self.callPackage ./Prelude.nix { };
  };

… or selectively overriding the Prelude dependency for just the true package, like this: 

  dhallOverrides = self: super: {
    true = self.callPackage ./true.nix {
      Prelude = self.callPackage ./Prelude.nix { };
    };
  };

17.9.7. Overrides

You can override any of the arguments to buildDhallGitHubPackage or buildDhallDirectoryPackage using the overridePackage attribute of a package. For example, suppose we wanted to selectively enable source = true just for the Prelude. We can do that like this: 

  dhallOverrides = self: super: {
    Prelude = super.Prelude.overridePackage { source = true; };

    …
  };

17.10. Dotnet

17.10.1. Local Development Workflow

For local development, it’s recommended to use nix-shell to create a dotnet environment: 

# shell.nix
with import <nixpkgs> {};

mkShell {
  name = "dotnet-env";
  packages = [
    dotnet-sdk_3
  ];
}

17.10.1.1. Using many sdks in a workflow

It’s very likely that more than one sdk will be needed on a given project. Dotnet provides several different frameworks (E.g dotnetcore, aspnetcore, etc.) as well as many versions for a given framework. Normally, dotnet is able to fetch a framework and install it relative to the executable. However, this would mean writing to the nix store in nixpkgs, which is read-only. To support the many-sdk use case, one can compose an environment using dotnetCorePackages.combinePackages: 

with import <nixpkgs> {};

mkShell {
  name = "dotnet-env";
  packages = [
    (with dotnetCorePackages; combinePackages [
      sdk_3_1
      sdk_5_0
    ])
  ];
}

This will produce a dotnet installation that has the dotnet 3.1, 3.0, and 2.1 sdk. The first sdk listed will have it’s cli utility present in the resulting environment. Example info output: 

$ dotnet --info
.NET Core SDK (reflecting any global.json):
 Version:   3.1.101
 Commit:    b377529961

...

.NET Core SDKs installed:
  2.1.803 [/nix/store/iiv98i2jdi226dgh4jzkkj2ww7f8jgpd-dotnet-core-combined/sdk]
  3.0.102 [/nix/store/iiv98i2jdi226dgh4jzkkj2ww7f8jgpd-dotnet-core-combined/sdk]
  3.1.101 [/nix/store/iiv98i2jdi226dgh4jzkkj2ww7f8jgpd-dotnet-core-combined/sdk]

.NET Core runtimes installed:
  Microsoft.AspNetCore.All 2.1.15 [/nix/store/iiv98i2jdi226dgh4jzkkj2ww7f8jgpd-dotnet-core-combined/shared/Microsoft.AspNetCore.All]
  Microsoft.AspNetCore.App 2.1.15 [/nix/store/iiv98i2jdi226dgh4jzkkj2ww7f8jgpd-dotnet-core-combined/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.0.2 [/nix/store/iiv98i2jdi226dgh4jzkkj2ww7f8jgpd-dotnet-core-combined/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 3.1.1 [/nix/store/iiv98i2jdi226dgh4jzkkj2ww7f8jgpd-dotnet-core-combined/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 2.1.15 [/nix/store/iiv98i2jdi226dgh4jzkkj2ww7f8jgpd-dotnet-core-combined/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.0.2 [/nix/store/iiv98i2jdi226dgh4jzkkj2ww7f8jgpd-dotnet-core-combined/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 3.1.1 [/nix/store/iiv98i2jdi226dgh4jzkkj2ww7f8jgpd-dotnet-core-combined/shared/Microsoft.NETCore.App]

17.10.2. dotnet-sdk vs dotnetCorePackages.sdk

The dotnetCorePackages.sdk_X_Y is preferred over the old dotnet-sdk as both major and minor version are very important for a dotnet environment. If a given minor version isn’t present (or was changed), then this will likely break your ability to build a project.

17.10.3. dotnetCorePackages.sdk vs dotnetCorePackages.runtime vs dotnetCorePackages.aspnetcore

The dotnetCorePackages.sdk contains both a runtime and the full sdk of a given version. The runtime and aspnetcore packages are meant to serve as minimal runtimes to deploy alongside already built applications.

17.10.4. Packaging a Dotnet Application

To package Dotnet applications, you can use buildDotnetModule. This has similar arguments to stdenv.mkDerivation, with the following additions:

  • projectFile is used for specifying the dotnet project file, relative to the source root. These usually have .sln or .csproj file extensions. This can be a list of multiple projects as well. Most of the time dotnet can figure this location out by itself, so this should only be set if necessary.

  • nugetDeps takes either a path to a deps.nix file, or a derivation. The deps.nix file can be generated using the script attached to passthru.fetch-deps. This file can also be generated manually using nuget-to-nix tool, which is available in nixpkgs. If the argument is a derivation, it will be used directly and assume it has the same output as mkNugetDeps.

  • packNupkg is used to pack project as a nupkg, and installs it to $out/share. If set to true, the derivation can be used as a dependency for another dotnet project by adding it to projectReferences.

  • projectReferences can be used to resolve ProjectReference project items. Referenced projects can be packed with buildDotnetModule by setting the packNupkg = true attribute and passing a list of derivations to projectReferences. Since we are sharing referenced projects as NuGets they must be added to csproj/fsproj files as PackageReference as well. For example, your project has a local dependency: 

    <ProjectReference Include="../foo/bar.fsproj" />

To enable discovery through projectReferences you would need to add: 

    <ProjectReference Include="../foo/bar.fsproj" />
    <PackageReference Include="bar" Version="*" Condition=" '$(ContinuousIntegrationBuild)'=='true' "/>

  • executables is used to specify which executables get wrapped to $out/bin, relative to $out/lib/$pname. If this is unset, all executables generated will get installed. If you do not want to install any, set this to []. This gets done in the preFixup phase.

  • runtimeDeps is used to wrap libraries into LD_LIBRARY_PATH. This is how dotnet usually handles runtime dependencies.

  • buildType is used to change the type of build. Possible values are Release, Debug, etc. By default, this is set to Release.

  • selfContainedBuild allows to enable the self-contained build flag. By default, it is set to false and generated applications have a dependency on the selected dotnet runtime. If enabled, the dotnet runtime is bundled into the executable and the built app has no dependency on Dotnet.

  • dotnet-sdk is useful in cases where you need to change what dotnet SDK is being used.

  • dotnet-runtime is useful in cases where you need to change what dotnet runtime is being used. This can be either a regular dotnet runtime, or an aspnetcore.

  • dotnet-test-sdk is useful in cases where unit tests expect a different dotnet SDK. By default, this is set to the dotnet-sdk attribute.

  • testProjectFile is useful in cases where the regular project file does not contain the unit tests. It gets restored and build, but not installed. You may need to regenerate your nuget lockfile after setting this.

  • disabledTests is used to disable running specific unit tests. This gets passed as: dotnet test --filter "FullyQualifiedName!={}", to ensure compatibility with all unit test frameworks.

  • dotnetRestoreFlags can be used to pass flags to dotnet restore.

  • dotnetBuildFlags can be used to pass flags to dotnet build.

  • dotnetTestFlags can be used to pass flags to dotnet test. Used only if doCheck is set to true.

  • dotnetInstallFlags can be used to pass flags to dotnet install.

  • dotnetPackFlags can be used to pass flags to dotnet pack. Used only if packNupkg is set to true.

  • dotnetFlags can be used to pass flags to all of the above phases.

When packaging a new application, you need to fetch its dependencies. You can run nix-build -A package.fetch-deps to generate a script that will build a lockfile for you. After running the script you should have the location of the generated lockfile printed to the console, which can be copied to a stable directory. Then set nugetDeps = ./deps.nix and you’re ready to build the derivation.

Here is an example default.nix, using some of the previously discussed arguments: 

{ lib, buildDotnetModule, dotnetCorePackages, ffmpeg }:

let
  referencedProject = import ../../bar { ... };
in buildDotnetModule rec {
  pname = "someDotnetApplication";
  version = "0.1";

  src = ./.;

  projectFile = "src/project.sln";
  nugetDeps = ./deps.nix; # File generated with `nix-build -A package.passthru.fetch-deps`.

  projectReferences = [ referencedProject ]; # `referencedProject` must contain `nupkg` in the folder structure.

  dotnet-sdk = dotnetCorePackages.sdk_3_1;
  dotnet-runtime = dotnetCorePackages.net_5_0;
  dotnetFlags = [ "--runtime linux-x64" ];

  executables = [ "foo" ]; # This wraps "$out/lib/$pname/foo" to `$out/bin/foo`.
  executables = []; # Don't install any executables.

  packNupkg = true; # This packs the project as "foo-0.1.nupkg" at `$out/share`.

  runtimeDeps = [ ffmpeg ]; # This will wrap ffmpeg's library path into `LD_LIBRARY_PATH`.
}

17.11. Emscripten

Emscripten: An LLVM-to-JavaScript Compiler

This section of the manual covers how to use emscripten in nixpkgs.

Minimal requirements:

  • nix

  • nixpkgs

Modes of use of emscripten:

  • Imperative usage (on the command line):

    If you want to work with emcc, emconfigure and emmake as you are used to from Ubuntu and similar distributions you can use these commands:

    • nix-env -f "<nixpkgs>" -iA emscripten

    • nix-shell -p emscripten

  • Declarative usage:

    This mode is far more power full since this makes use of nix for dependency management of emscripten libraries and targets by using the mkDerivation which is implemented by pkgs.emscriptenStdenv and pkgs.buildEmscriptenPackage. The source for the packages is in pkgs/top-level/emscripten-packages.nix and the abstraction behind it in pkgs/development/em-modules/generic/default.nix. From the root of the nixpkgs repository:

    • build and install all packages:

      • nix-env -iA emscriptenPackages

    • dev-shell for zlib implementation hacking:

      • nix-shell -A emscriptenPackages.zlib

17.11.1. Imperative usage

A few things to note:

  • export EMCC_DEBUG=2 is nice for debugging

  • ~/.emscripten, the build artifact cache sometimes creates issues and needs to be removed from time to time

17.11.2. Declarative usage

Let’s see two different examples from pkgs/top-level/emscripten-packages.nix:

  • pkgs.zlib.override

  • pkgs.buildEmscriptenPackage

Both are interesting concepts.

A special requirement of the pkgs.buildEmscriptenPackage is the doCheck = true is a default meaning that each emscriptenPackage requires a checkPhase implemented.

  • Use export EMCC_DEBUG=2 from within a emscriptenPackage’s phase to get more detailed debug output what is going wrong.

  • ~/.emscripten cache is requiring us to set HOME=$TMPDIR in individual phases. This makes compilation slower but also makes it more deterministic.

17.11.2.1. Usage 1: pkgs.zlib.override

This example uses zlib from nixpkgs but instead of compiling C to ELF it compiles C to JS since we were using pkgs.zlib.override and changed stdenv to pkgs.emscriptenStdenv. A few adaptions and hacks were set in place to make it working. One advantage is that when pkgs.zlib is updated, it will automatically update this package as well. However, this can also be the downside…

See the zlib example: 

zlib = (pkgs.zlib.override {
  stdenv = pkgs.emscriptenStdenv;
}).overrideDerivation
(old: rec {
  buildInputs = old.buildInputs ++ [ pkg-config ];
  # we need to reset this setting!
  NIX_CFLAGS_COMPILE="";
  configurePhase = ''
    # FIXME: Some tests require writing at $HOME
    HOME=$TMPDIR
    runHook preConfigure

    #export EMCC_DEBUG=2
    emconfigure ./configure --prefix=$out --shared

    runHook postConfigure
  '';
  dontStrip = true;
  outputs = [ "out" ];
  buildPhase = ''
    emmake make
  '';
  installPhase = ''
    emmake make install
  '';
  checkPhase = ''
    echo "================= testing zlib using node ================="

    echo "Compiling a custom test"
    set -x
    emcc -O2 -s EMULATE_FUNCTION_POINTER_CASTS=1 test/example.c -DZ_SOLO \
    libz.so.${old.version} -I . -o example.js

    echo "Using node to execute the test"
    ${pkgs.nodejs}/bin/node ./example.js

    set +x
    if [ $? -ne 0 ]; then
      echo "test failed for some reason"
      exit 1;
    else
      echo "it seems to work! very good."
    fi
    echo "================= /testing zlib using node ================="
  '';

  postPatch = pkgs.lib.optionalString pkgs.stdenv.isDarwin ''
    substituteInPlace configure \
      --replace '/usr/bin/libtool' 'ar' \
      --replace 'AR="libtool"' 'AR="ar"' \
      --replace 'ARFLAGS="-o"' 'ARFLAGS="-r"'
  '';
});

17.11.2.2. Usage 2: pkgs.buildEmscriptenPackage

This xmlmirror example features a emscriptenPackage which is defined completely from this context and no pkgs.zlib.override is used. 

xmlmirror = pkgs.buildEmscriptenPackage rec {
  name = "xmlmirror";

  buildInputs = [ pkg-config autoconf automake libtool gnumake libxml2 nodejs openjdk json_c ];
  nativeBuildInputs = [ pkg-config zlib ];

  src = pkgs.fetchgit {
    url = "https://gitlab.com/odfplugfest/xmlmirror.git";
    rev = "4fd7e86f7c9526b8f4c1733e5c8b45175860a8fd";
    sha256 = "1jasdqnbdnb83wbcnyrp32f36w3xwhwp0wq8lwwmhqagxrij1r4b";
  };

  configurePhase = ''
    rm -f fastXmlLint.js*
    # a fix for ERROR:root:For asm.js, TOTAL_MEMORY must be a multiple of 16MB, was 234217728
    # https://gitlab.com/odfplugfest/xmlmirror/issues/8
    sed -e "s/TOTAL_MEMORY=234217728/TOTAL_MEMORY=268435456/g" -i Makefile.emEnv
    # https://github.com/kripken/emscripten/issues/6344
    # https://gitlab.com/odfplugfest/xmlmirror/issues/9
    sed -e "s/\$(JSONC_LDFLAGS) \$(ZLIB_LDFLAGS) \$(LIBXML20_LDFLAGS)/\$(JSONC_LDFLAGS) \$(LIBXML20_LDFLAGS) \$(ZLIB_LDFLAGS) /g" -i Makefile.emEnv
    # https://gitlab.com/odfplugfest/xmlmirror/issues/11
    sed -e "s/-o fastXmlLint.js/-s EXTRA_EXPORTED_RUNTIME_METHODS='[\"ccall\", \"cwrap\"]' -o fastXmlLint.js/g" -i Makefile.emEnv
  '';

  buildPhase = ''
    HOME=$TMPDIR
    make -f Makefile.emEnv
  '';

  outputs = [ "out" "doc" ];

  installPhase = ''
    mkdir -p $out/share
    mkdir -p $doc/share/${name}

    cp Demo* $out/share
    cp -R codemirror-5.12 $out/share
    cp fastXmlLint.js* $out/share
    cp *.xsd $out/share
    cp *.js $out/share
    cp *.xhtml $out/share
    cp *.html $out/share
    cp *.json $out/share
    cp *.rng $out/share
    cp README.md $doc/share/${name}
  '';
  checkPhase = ''

  '';
};

17.11.2.3. Declarative debugging

Use nix-shell -I nixpkgs=/some/dir/nixpkgs -A emscriptenPackages.libz and from there you can go trough the individual steps. This makes it easy to build a good unit test or list the files of the project.

  1. nix-shell -I nixpkgs=/some/dir/nixpkgs -A emscriptenPackages.libz

  2. cd /tmp/

  3. unpackPhase

  4. cd libz-1.2.3

  5. configurePhase

  6. buildPhase

  7. … happy hacking…

17.11.3. Summary

Using this toolchain makes it easy to leverage nix from NixOS, MacOSX or even Windows (WSL+ubuntu+nix). This toolchain is reproducible, behaves like the rest of the packages from nixpkgs and contains a set of well working examples to learn and adapt from.

If in trouble, ask the maintainers.

17.12. GNOME

17.12.1. Packaging GNOME applications

Programs in the GNOME universe are written in various languages but they all use GObject-based libraries like GLib, GTK or GStreamer. These libraries are often modular, relying on looking into certain directories to find their modules. However, due to Nix’s specific file system organization, this will fail without our intervention. Fortunately, the libraries usually allow overriding the directories through environment variables, either natively or thanks to a patch in nixpkgs. Wrapping the executables to ensure correct paths are available to the application constitutes a significant part of packaging a modern desktop application. In this section, we will describe various modules needed by such applications, environment variables needed to make the modules load, and finally a script that will do the work for us.

17.12.1.1. Settings

GSettings API is often used for storing settings. GSettings schemas are required, to know the type and other metadata of the stored values. GLib looks for glib-2.0/schemas/gschemas.compiled files inside the directories of XDG_DATA_DIRS.

On Linux, GSettings API is implemented using dconf backend. You will need to add dconf GIO module to GIO_EXTRA_MODULES variable, otherwise the memory backend will be used and the saved settings will not be persistent.

Last you will need the dconf database D-Bus service itself. You can enable it using programs.dconf.enable.

Some applications will also require gsettings-desktop-schemas for things like reading proxy configuration or user interface customization. This dependency is often not mentioned by upstream, you should grep for org.gnome.desktop and org.gnome.system to see if the schemas are needed.

17.12.1.2. GIO modules

GLib’s GIO library supports several extension points. Notably, they allow:

  • implementing settings backends (already mentioned)

  • adding TLS support

  • proxy settings

  • virtual file systems

The modules are typically installed to lib/gio/modules/ directory of a package and you need to add them to GIO_EXTRA_MODULES if you need any of those features.

In particular, we recommend:

  • adding dconf.lib for any software on Linux that reads GSettings (even transitivily through e.g. GTK’s file manager)

  • adding glib-networking for any software that accesses network using GIO or libsoup – glib-networking contains a module that implements TLS support and loads system-wide proxy settings

To allow software to use various virtual file systems, gvfs package can be also added. But that is usually an optional feature so we typically use gvfs from the system (e.g. installed globally using NixOS module).

17.12.1.3. GdkPixbuf loaders

GTK applications typically use GdkPixbuf to load images. But gdk-pixbuf package only supports basic bitmap formats like JPEG, PNG or TIFF, requiring to use third-party loader modules for other formats. This is especially painful since GTK itself includes SVG icons, which cannot be rendered without a loader provided by librsvg.

Unlike other libraries mentioned in this section, GdkPixbuf only supports a single value in its controlling environment variable GDK_PIXBUF_MODULE_FILE. It is supposed to point to a cache file containing information about the available loaders. Each loader package will contain a lib/gdk-pixbuf-2.0/2.10.0/loaders.cache file describing the default loaders in gdk-pixbuf package plus the loader contained in the package itself. If you want to use multiple third-party loaders, you will need to create your own cache file manually. Fortunately, this is pretty rare as not many loaders exist.

gdk-pixbuf contains a setup hook that sets GDK_PIXBUF_MODULE_FILE from dependencies but as mentioned in further section, it is pretty limited. Loaders should propagate this setup hook.

17.12.1.4. Icons

When an application uses icons, an icon theme should be available in XDG_DATA_DIRS during runtime. The package for the default, icon-less hicolor-icon-theme (should be propagated by every icon theme) contains a setup hook that will pick up icon themes from buildInputs and add their datadirs to XDG_ICON_DIRS environment variable (this is Nixpkgs specific, not actually a XDG standard variable). Unfortunately, relying on that would mean every user has to download the theme included in the package expression no matter their preference. For that reason, we leave the installation of icon theme on the user. If you use one of the desktop environments, you probably already have an icon theme installed.

In the rare case you need to use icons from dependencies (e.g. when an app forces an icon theme), you can use the following to pick them up: 

  buildInputs = [
    pantheon.elementary-icon-theme
  ];
  preFixup = ''
    gappsWrapperArgs+=(
      # The icon theme is hardcoded.
      --prefix XDG_DATA_DIRS : "$XDG_ICON_DIRS"
    )
  '';

To avoid costly file system access when locating icons, GTK, as well as Qt, can rely on icon-theme.cache files from the themes’ top-level directories. These files are generated using gtk-update-icon-cache, which is expected to be run whenever an icon is added or removed to an icon theme (typically an application icon into hicolor theme) and some programs do indeed run this after icon installation. However, since packages are installed into their own prefix by Nix, this would lead to conflicts. For that reason, gtk3 provides a setup hook that will clean the file from installation. Since most applications only ship their own icon that will be loaded on start-up, it should not affect them too much. On the other hand, icon themes are much larger and more widely used so we need to cache them. Because we recommend installing icon themes globally, we will generate the cache files from all packages in a profile using a NixOS module. You can enable the cache generation using gtk.iconCache.enable option if your desktop environment does not already do that.

17.12.1.5. Packaging icon themes

Icon themes may inherit from other icon themes. The inheritance is specified using the Inherits key in the index.theme file distributed with the icon theme. According to the icon theme specification, icons not provided by the theme are looked for in its parent icon themes. Therefore the parent themes should be installed as dependencies for a more complete experience regarding the icon sets used.

The package hicolor-icon-theme provides a setup hook which makes symbolic links for the parent themes into the directory share/icons of the current theme directory in the nix store, making sure they can be found at runtime. For that to work the packages providing parent icon themes should be listed as propagated build dependencies, together with hicolor-icon-theme.

Also make sure that icon-theme.cache is installed for each theme provided by the package, and set dontDropIconThemeCache to true so that the cache file is not removed by the gtk3 setup hook.

17.12.1.6. GTK Themes

Previously, a GTK theme needed to be in XDG_DATA_DIRS. This is no longer necessary for most programs since GTK incorporated Adwaita theme. Some programs (for example, those designed for elementary HIG) might require a special theme like pantheon.elementary-gtk-theme.

17.12.1.7. GObject introspection typelibs

GObject introspection allows applications to use C libraries in other languages easily. It does this through typelib files searched in GI_TYPELIB_PATH.

17.12.1.8. Various plug-ins

If your application uses GStreamer or Grilo, you should set GST_PLUGIN_SYSTEM_PATH_1_0 and GRL_PLUGIN_PATH, respectively.

17.12.2. Onto wrapGAppsHook

Given the requirements above, the package expression would become messy quickly: 

preFixup = ''
  for f in $(find $out/bin/ $out/libexec/ -type f -executable); do
    wrapProgram "$f" \
      --prefix GIO_EXTRA_MODULES : "${getLib dconf}/lib/gio/modules" \
      --prefix XDG_DATA_DIRS : "$out/share" \
      --prefix XDG_DATA_DIRS : "$out/share/gsettings-schemas/${name}" \
      --prefix XDG_DATA_DIRS : "${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}" \
      --prefix XDG_DATA_DIRS : "${hicolor-icon-theme}/share" \
      --prefix GI_TYPELIB_PATH : "${lib.makeSearchPath "lib/girepository-1.0" [ pango json-glib ]}"
  done
'';

Fortunately, there is wrapGAppsHook. It works in conjunction with other setup hooks that populate environment variables, and it will then wrap all executables in bin and libexec directories using said variables.

For convenience, it also adds dconf.lib for a GIO module implementing a GSettings backend using dconf, gtk3 for GSettings schemas, and librsvg for GdkPixbuf loader to the closure. There is also wrapGAppsHook4, which replaces GTK 3 with GTK 4. And in case you are packaging a program without a graphical interface, you might want to use wrapGAppsNoGuiHook, which runs the same script as wrapGAppsHook but does not bring gtk3 and librsvg into the closure.

  • wrapGAppsHook itself will add the package’s share directory to XDG_DATA_DIRS.

  • glib setup hook will populate GSETTINGS_SCHEMAS_PATH and then wrapGAppsHook will prepend it to XDG_DATA_DIRS.

  • gdk-pixbuf setup hook will populate GDK_PIXBUF_MODULE_FILE with the path to biggest loaders.cache file from the dependencies containing GdkPixbuf loaders. This works fine when there are only two packages containing loaders (gdk-pixbuf and e.g. librsvg) – it will choose the second one, reasonably expecting that it will be bigger since it describes extra loader in addition to the default ones. But when there are more than two loader packages, this logic will break. One possible solution would be constructing a custom cache file for each package containing a program like services/x11/gdk-pixbuf.nix NixOS module does. wrapGAppsHook copies the GDK_PIXBUF_MODULE_FILE environment variable into the produced wrapper.

  • One of gtk3’s setup hooks will remove icon-theme.cache files from package’s icon theme directories to avoid conflicts. Icon theme packages should prevent this with dontDropIconThemeCache = true;.

  • dconf.lib is a dependency of wrapGAppsHook, which then also adds it to the GIO_EXTRA_MODULES variable.

  • hicolor-icon-theme’s setup hook will add icon themes to XDG_ICON_DIRS.

  • gobject-introspection setup hook populates GI_TYPELIB_PATH variable with lib/girepository-1.0 directories of dependencies, which is then added to wrapper by wrapGAppsHook. It also adds share directories of dependencies to XDG_DATA_DIRS, which is intended to promote GIR files but it also pollutes the closures of packages using wrapGAppsHook.

  • Setup hooks of gst_all_1.gstreamer and grilo will populate the GST_PLUGIN_SYSTEM_PATH_1_0 and GRL_PLUGIN_PATH variables, respectively, which will then be added to the wrapper by wrapGAppsHook.

You can also pass additional arguments to makeWrapper using gappsWrapperArgs in preFixup hook: 

preFixup = ''
  gappsWrapperArgs+=(
    # Thumbnailers
    --prefix XDG_DATA_DIRS : "${gdk-pixbuf}/share"
    --prefix XDG_DATA_DIRS : "${librsvg}/share"
    --prefix XDG_DATA_DIRS : "${shared-mime-info}/share"
  )
'';

17.12.3. Updating GNOME packages

Most GNOME package offer updateScript, it is therefore possible to update to latest source tarball by running nix-shell maintainers/scripts/update.nix --argstr package gnome.nautilus or even en masse with nix-shell maintainers/scripts/update.nix --argstr path gnome. Read the package’s NEWS file to see what changed.

17.12.4. Frequently encountered issues

17.12.4.1. GLib-GIO-ERROR **: 06:04:50.903: No GSettings schemas are installed on the system

There are no schemas available in XDG_DATA_DIRS. Temporarily add a random package containing schemas like gsettings-desktop-schemas to buildInputs. glib and wrapGAppsHook setup hooks will take care of making the schemas available to application and you will see the actual missing schemas with the next error. Or you can try looking through the source code for the actual schemas used.

17.12.4.2. GLib-GIO-ERROR **: 06:04:50.903: Settings schema ‘org.gnome.foo’ is not installed

Package is missing some GSettings schemas. You can find out the package containing the schema with nix-locate org.gnome.foo.gschema.xml and let the hooks handle the wrapping as above.

17.12.4.3. When using wrapGAppsHook with special derivers you can end up with double wrapped binaries.

This is because derivers like python.pkgs.buildPythonApplication or qt5.mkDerivation have setup-hooks automatically added that produce wrappers with makeWrapper. The simplest way to workaround that is to disable the wrapGAppsHook automatic wrapping with dontWrapGApps = true; and pass the arguments it intended to pass to makeWrapper to another.

In the case of a Python application it could look like: 

python3.pkgs.buildPythonApplication {
  pname = "gnome-music";
  version = "3.32.2";

  nativeBuildInputs = [
    wrapGAppsHook
    gobject-introspection
    ...
  ];

  dontWrapGApps = true;

  # Arguments to be passed to `makeWrapper`, only used by buildPython*
  preFixup = ''
    makeWrapperArgs+=("''${gappsWrapperArgs[@]}")
  '';
}

And for a QT app like: 

mkDerivation {
  pname = "calibre";
  version = "3.47.0";

  nativeBuildInputs = [
    wrapGAppsHook
    qmake
    ...
  ];

  dontWrapGApps = true;

  # Arguments to be passed to `makeWrapper`, only used by qt5’s mkDerivation
  preFixup = ''
    qtWrapperArgs+=("''${gappsWrapperArgs[@]}")
  '';
}

17.12.4.4. I am packaging a project that cannot be wrapped, like a library or GNOME Shell extension.

You can rely on applications depending on the library setting the necessary environment variables but that is often easy to miss. Instead we recommend to patch the paths in the source code whenever possible. Here are some examples:

17.12.4.5. I need to wrap a binary outside bin and libexec directories.

You can manually trigger the wrapping with wrapGApp in preFixup phase. It takes a path to a program as a first argument; the remaining arguments are passed directly to wrapProgram function.

17.13. Go

17.13.1. Go modules

The function buildGoModule builds Go programs managed with Go modules. It builds a Go Modules through a two phase build:

  • An intermediate fetcher derivation. This derivation will be used to fetch all of the dependencies of the Go module.

  • A final derivation will use the output of the intermediate derivation to build the binaries and produce the final output.

17.13.1.1. Example for buildGoModule

In the following is an example expression using buildGoModule, the following arguments are of special significance to the function:

  • vendorHash: is the hash of the output of the intermediate fetcher derivation. vendorHash can also take null as an input. When null is used as a value, rather than fetching the dependencies and vendoring them, we use the vendoring included within the source repo. If you’d like to not have to update this field on dependency changes, run go mod vendor in your source repo and set vendorHash = null;

  • proxyVendor: Fetches (go mod download) and proxies the vendor directory. This is useful if your code depends on c code and go mod tidy does not include the needed sources to build or if any dependency has case-insensitive conflicts which will produce platform dependant vendorHash checksums. 

pet = buildGoModule rec {
  pname = "pet";
  version = "0.3.4";

  src = fetchFromGitHub {
    owner = "knqyf263";
    repo = "pet";
    rev = "v${version}";
    sha256 = "0m2fzpqxk7hrbxsgqplkg7h2p7gv6s1miymv3gvw0cz039skag0s";
  };

  vendorHash = "sha256-ciBIR+a1oaYH+H1PcC8cD8ncfJczk1IiJ8iYNM+R6aA=";

  meta = with lib; {
    description = "Simple command-line snippet manager, written in Go";
    homepage = "https://github.com/knqyf263/pet";
    license = licenses.mit;
    maintainers = with maintainers; [ kalbasit ];
  };
}

17.13.2. buildGoPackage (legacy)

The function buildGoPackage builds legacy Go programs, not supporting Go modules.

17.13.2.1. Example for buildGoPackage

In the following is an example expression using buildGoPackage, the following arguments are of special significance to the function:

  • goPackagePath specifies the package’s canonical Go import path.

  • goDeps is where the Go dependencies of a Go program are listed as a list of package source identified by Go import path. It could be imported as a separate deps.nix file for readability. The dependency data structure is described below. 

deis = buildGoPackage rec {
  pname = "deis";
  version = "1.13.0";

  goPackagePath = "github.com/deis/deis";

  src = fetchFromGitHub {
    owner = "deis";
    repo = "deis";
    rev = "v${version}";
    sha256 = "1qv9lxqx7m18029lj8cw3k7jngvxs4iciwrypdy0gd2nnghc68sw";
  };

  goDeps = ./deps.nix;
}

The goDeps attribute can be imported from a separate nix file that defines which Go libraries are needed and should be included in GOPATH for buildPhase: 

# deps.nix
[ # goDeps is a list of Go dependencies.
  {
    # goPackagePath specifies Go package import path.
    goPackagePath = "gopkg.in/yaml.v2";
    fetch = {
      # `fetch type` that needs to be used to get package source.
      # If `git` is used there should be `url`, `rev` and `sha256` defined next to it.
      type = "git";
      url = "https://gopkg.in/yaml.v2";
      rev = "a83829b6f1293c91addabc89d0571c246397bbf4";
      sha256 = "1m4dsmk90sbi17571h6pld44zxz7jc4lrnl4f27dpd1l8g5xvjhh";
    };
  }
  {
    goPackagePath = "github.com/docopt/docopt-go";
    fetch = {
      type = "git";
      url = "https://github.com/docopt/docopt-go";
      rev = "784ddc588536785e7299f7272f39101f7faccc3f";
      sha256 = "0wwz48jl9fvl1iknvn9dqr4gfy1qs03gxaikrxxp9gry6773v3sj";
    };
  }
]

To extract dependency information from a Go package in automated way use go2nix. It can produce complete derivation and goDeps file for Go programs.

You may use Go packages installed into the active Nix profiles by adding the following to your ~/.bashrc: 

for p in $NIX_PROFILES; do
    GOPATH="$p/share/go:$GOPATH"
done

17.13.3. Attributes used by the builders

Both buildGoModule and buildGoPackage can be tweaked to behave slightly differently, if the following attributes are used:

17.13.3.1. ldflags

Arguments to pass to the Go linker tool via the -ldflags argument of go build. The most common use case for this argument is to make the resulting executable aware of its own version. For example: 

  ldflags = [
    "-s" "-w"
    "-X main.Version=${version}"
    "-X main.Commit=${version}"
  ];

17.13.3.2. tags

Arguments to pass to the Go via the -tags argument of go build. For example: 

  tags = [
    "production"
    "sqlite"
  ];

  tags = [ "production" ] ++ lib.optionals withSqlite [ "sqlite" ];

17.13.3.3. deleteVendor

Removes the pre-existing vendor directory. This should only be used if the dependencies included in the vendor folder are broken or incomplete.

17.13.3.4. subPackages

Specified as a string or list of strings. Limits the builder from building child packages that have not been listed. If subPackages is not specified, all child packages will be built.

17.13.3.5. excludedPackages

Specified as a string or list of strings. Causes the builder to skip building child packages that match any of the provided values. If excludedPackages is not specified, all child packages will be built.

17.14. Haskell

The documentation for the Haskell infrastructure is published at https://haskell4nix.readthedocs.io/. The source code for that site lives in the doc/ sub-directory of the cabal2nix Git repository and changes can be submitted there.

17.15. Hy

17.15.1. Installation

17.15.1.1. Installation without packages

You can install hy via nix-env or by adding it to configuration.nix by reffering to it as a hy attribute. This kind of installation adds hy to your environment and it succesfully works with python3.

17.15.1.2. Installation with packages

Creating hy derivation with custom python packages is really simple and similar to the way that python does it. Attribute hy provides function withPackages that creates custom hy derivation with specified packages.

For example if you want to create shell with matplotlib and numpy, you can do it like so: 

$ nix-shell -p "hy.withPackages (ps: with ps; [ numpy matplotlib ])"

Or if you want to extend your configuration.nix: 

{ # ...

  environment.systemPackages = with pkgs; [
    (hy.withPackages (py-packages: with py-packages; [ numpy matplotlib ]))
  ];
}

17.16. Idris

17.16.1. Installing Idris

The easiest way to get a working idris version is to install the idris attribute: 

$ nix-env -f "<nixpkgs>" -iA idris

This however only provides the prelude and base libraries. To install idris with additional libraries, you can use the idrisPackages.with-packages function, e.g. in an overlay in ~/.config/nixpkgs/overlays/my-idris.nix: 

self: super: {
  myIdris = with self.idrisPackages; with-packages [ contrib pruviloj ];
}

And then: 

$ # On NixOS
$ nix-env -iA nixos.myIdris
$ # On non-NixOS
$ nix-env -iA nixpkgs.myIdris

To see all available Idris packages: 

$ # On NixOS
$ nix-env -qaPA nixos.idrisPackages
$ # On non-NixOS
$ nix-env -qaPA nixpkgs.idrisPackages

Similarly, entering a nix-shell: 

$ nix-shell -p 'idrisPackages.with-packages (with idrisPackages; [ contrib pruviloj ])'

17.16.2. Starting Idris with library support

To have access to these libraries in idris, call it with an argument -p <library name> for each library: 

$ nix-shell -p 'idrisPackages.with-packages (with idrisPackages; [ contrib pruviloj ])'
[nix-shell:~]$ idris -p contrib -p pruviloj

A listing of all available packages the Idris binary has access to is available via --listlibs: 

$ idris --listlibs
00prelude-idx.ibc
pruviloj
base
contrib
prelude
00pruviloj-idx.ibc
00base-idx.ibc
00contrib-idx.ibc

17.16.3. Building an Idris project with Nix

As an example of how a Nix expression for an Idris package can be created, here is the one for idrisPackages.yaml: 

{ lib
, build-idris-package
, fetchFromGitHub
, contrib
, lightyear
}:
build-idris-package  {
  name = "yaml";
  version = "2018-01-25";

  # This is the .ipkg file that should be built, defaults to the package name
  # In this case it should build `Yaml.ipkg` instead of `yaml.ipkg`
  # This is only necessary because the yaml packages ipkg file is
  # different from its package name here.
  ipkgName = "Yaml";
  # Idris dependencies to provide for the build
  idrisDeps = [ contrib lightyear ];

  src = fetchFromGitHub {
    owner = "Heather";
    repo = "Idris.Yaml";
    rev = "5afa51ffc839844862b8316faba3bafa15656db4";
    sha256 = "1g4pi0swmg214kndj85hj50ccmckni7piprsxfdzdfhg87s0avw7";
  };

  meta = with lib; {
    description = "Idris YAML lib";
    homepage = "https://github.com/Heather/Idris.Yaml";
    license = licenses.mit;
    maintainers = [ maintainers.brainrape ];
  };
}

Assuming this file is saved as yaml.nix, it’s buildable using 

$ nix-build -E '(import <nixpkgs> {}).idrisPackages.callPackage ./yaml.nix {}'

Or it’s possible to use 

with import <nixpkgs> {};

{
  yaml = idrisPackages.callPackage ./yaml.nix {};
}

in another file (say default.nix) to be able to build it with 

$ nix-build -A yaml

17.16.4. Passing options to idris commands

The build-idris-package function provides also optional input values to set additional options for the used idris commands.

Specifically, you can set idrisBuildOptions, idrisTestOptions, idrisInstallOptions and idrisDocOptions to provide additional options to the idris command respectively when building, testing, installing and generating docs for your package.

For example you could set 

build-idris-package {
  idrisBuildOptions = [ "--log" "1" "--verbose" ]

  ...
}

to require verbose output during idris build phase.

17.17. iOS

This component is basically a wrapper/workaround that makes it possible to expose an Xcode installation as a Nix package by means of symlinking to the relevant executables on the host system.

Since Xcode can’t be packaged with Nix, nor we can publish it as a Nix package (because of its license) this is basically the only integration strategy making it possible to do iOS application builds that integrate with other components of the Nix ecosystem

The primary objective of this project is to use the Nix expression language to specify how iOS apps can be built from source code, and to automatically spawn iOS simulator instances for testing.

This component also makes it possible to use Hydra, the Nix-based continuous integration server to regularly build iOS apps and to do wireless ad-hoc installations of enterprise IPAs on iOS devices through Hydra.

The Xcode build environment implements a number of features.

17.17.1. Deploying a proxy component wrapper exposing Xcode

The first use case is deploying a Nix package that provides symlinks to the Xcode installation on the host system. This package can be used as a build input to any build function implemented in the Nix expression language that requires Xcode. 

let
  pkgs = import <nixpkgs> {};

  xcodeenv = import ./xcodeenv {
    inherit (pkgs) stdenv;
  };
in
xcodeenv.composeXcodeWrapper {
  version = "9.2";
  xcodeBaseDir = "/Applications/Xcode.app";
}

By deploying the above expression with nix-build and inspecting its content you will notice that several Xcode-related executables are exposed as a Nix package: 

$ ls result/bin
lrwxr-xr-x  1 sander  staff  94  1 jan  1970 Simulator -> /Applications/Xcode.app/Contents/Developer/Applications/Simulator.app/Contents/MacOS/Simulator
lrwxr-xr-x  1 sander  staff  17  1 jan  1970 codesign -> /usr/bin/codesign
lrwxr-xr-x  1 sander  staff  17  1 jan  1970 security -> /usr/bin/security
lrwxr-xr-x  1 sander  staff  21  1 jan  1970 xcode-select -> /usr/bin/xcode-select
lrwxr-xr-x  1 sander  staff  61  1 jan  1970 xcodebuild -> /Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild
lrwxr-xr-x  1 sander  staff  14  1 jan  1970 xcrun -> /usr/bin/xcrun

17.17.2. Building an iOS application

We can build an iOS app executable for the simulator, or an IPA/xcarchive file for release purposes, e.g. ad-hoc, enterprise or store installations, by executing the xcodeenv.buildApp {} function: 

let
  pkgs = import <nixpkgs> {};

  xcodeenv = import ./xcodeenv {
    inherit (pkgs) stdenv;
  };
in
xcodeenv.buildApp {
  name = "MyApp";
  src = ./myappsources;
  sdkVersion = "11.2";

  target = null; # Corresponds to the name of the app by default
  configuration = null; # Release for release builds, Debug for debug builds
  scheme = null; # -scheme will correspond to the app name by default
  sdk = null; # null will set it to 'iphonesimulator` for simulator builds or `iphoneos` to real builds
  xcodeFlags = "";

  release = true;
  certificateFile = ./mycertificate.p12;
  certificatePassword = "secret";
  provisioningProfile = ./myprovisioning.profile;
  signMethod = "ad-hoc"; # 'enterprise' or 'store'
  generateIPA = true;
  generateXCArchive = false;

  enableWirelessDistribution = true;
  installURL = "/installipa.php";
  bundleId = "mycompany.myapp";
  appVersion = "1.0";

  # Supports all xcodewrapper parameters as well
  xcodeBaseDir = "/Applications/Xcode.app";
}

The above function takes a variety of parameters:

  • The name and src parameters are mandatory and specify the name of the app and the location where the source code resides

  • sdkVersion specifies which version of the iOS SDK to use.

It also possile to adjust the xcodebuild parameters. This is only needed in rare circumstances. In most cases the default values should suffice:

  • Specifies which xcodebuild target to build. By default it takes the target that has the same name as the app.

  • The configuration parameter can be overridden if desired. By default, it will do a debug build for the simulator and a release build for real devices.

  • The scheme parameter specifies which -scheme parameter to propagate to xcodebuild. By default, it corresponds to the app name.

  • The sdk parameter specifies which SDK to use. By default, it picks iphonesimulator for simulator builds and iphoneos for release builds.

  • The xcodeFlags parameter specifies arbitrary command line parameters that should be propagated to xcodebuild.

By default, builds are carried out for the iOS simulator. To do release builds (builds for real iOS devices), you must set the release parameter to true. In addition, you need to set the following parameters:

  • certificateFile refers to a P12 certificate file.

  • certificatePassword specifies the password of the P12 certificate.

  • provisioningProfile refers to the provision profile needed to sign the app

  • signMethod should refer to ad-hoc for signing the app with an ad-hoc certificate, enterprise for enterprise certificates and app-store for App store certificates.

  • generateIPA specifies that we want to produce an IPA file (this is probably what you want)

  • generateXCArchive specifies thet we want to produce an xcarchive file.

When building IPA files on Hydra and when it is desired to allow iOS devices to install IPAs by browsing to the Hydra build products page, you can enable the enableWirelessDistribution parameter.

When enabled, you need to configure the following options:

  • The installURL parameter refers to the URL of a PHP script that composes the itms-services:// URL allowing iOS devices to install the IPA file.

  • bundleId refers to the bundle ID value of the app

  • appVersion refers to the app’s version number

To use wireless adhoc distributions, you must also install the corresponding PHP script on a web server (see section: Installing the PHP script for wireless ad hoc installations from Hydra for more information).

In addition to the build parameters, you can also specify any parameters that the xcodeenv.composeXcodeWrapper {} function takes. For example, the xcodeBaseDir parameter can be overridden to refer to a different Xcode version.

17.17.3. Spawning simulator instances

In addition to building iOS apps, we can also automatically spawn simulator instances: 

let
  pkgs = import <nixpkgs> {};

  xcodeenv = import ./xcodeenv {
    inherit (pkgs) stdenv;
  };
in
xcode.simulateApp {
  name = "simulate";

  # Supports all xcodewrapper parameters as well
  xcodeBaseDir = "/Applications/Xcode.app";
}

The above expression produces a script that starts the simulator from the provided Xcode installation. The script can be started as follows: 

./result/bin/run-test-simulator

By default, the script will show an overview of UDID for all available simulator instances and asks you to pick one. You can also provide a UDID as a command-line parameter to launch an instance automatically: 

./result/bin/run-test-simulator 5C93129D-CF39-4B1A-955F-15180C3BD4B8

You can also extend the simulator script to automatically deploy and launch an app in the requested simulator instance: 

let
  pkgs = import <nixpkgs> {};

  xcodeenv = import ./xcodeenv {
    inherit (pkgs) stdenv;
  };
in
xcode.simulateApp {
  name = "simulate";
  bundleId = "mycompany.myapp";
  app = xcode.buildApp {
    # ...
  };

  # Supports all xcodewrapper parameters as well
  xcodeBaseDir = "/Applications/Xcode.app";
}

By providing the result of an xcode.buildApp {} function and configuring the app bundle id, the app gets deployed automatically and started.

17.17.4. Troubleshooting

In some rare cases, it may happen that after a failure, changes are not picked up. Most likely, this is caused by a derived data cache that Xcode maintains. To wipe it you can run: 

$ rm -rf ~/Library/Developer/Xcode/DerivedData

17.18. Java

Ant-based Java packages are typically built from source as follows: 

stdenv.mkDerivation {
  name = "...";
  src = fetchurl { ... };

  nativeBuildInputs = [ jdk ant ];

  buildPhase = "ant";
}

Note that jdk is an alias for the OpenJDK (self-built where available, or pre-built via Zulu). Platforms with OpenJDK not (yet) in Nixpkgs (Aarch32, Aarch64) point to the (unfree) oraclejdk.

JAR files that are intended to be used by other packages should be installed in $out/share/java. JDKs have a stdenv setup hook that add any JARs in the share/java directories of the build inputs to the CLASSPATH environment variable. For instance, if the package libfoo installs a JAR named foo.jar in its share/java directory, and another package declares the attribute 

buildInputs = [ libfoo ];
nativeBuildInputs = [ jdk ];

then CLASSPATH will be set to /nix/store/...-libfoo/share/java/foo.jar.

Private JARs should be installed in a location like $out/share/package-name.

If your Java package provides a program, you need to generate a wrapper script to run it using a JRE. You can use makeWrapper for this: 

nativeBuildInputs = [ makeWrapper ];

installPhase = ''
  mkdir -p $out/bin
  makeWrapper ${jre}/bin/java $out/bin/foo \
    --add-flags "-cp $out/share/java/foo.jar org.foo.Main"
'';

Since the introduction of the Java Platform Module System in Java 9, Java distributions typically no longer ship with a general-purpose JRE: instead, they allow generating a JRE with only the modules required for your application(s). Because we can’t predict what modules will be needed on a general-purpose system, the default jre package is the full JDK. When building a minimal system/image, you can override the modules parameter on jre_minimal to build a JRE with only the modules relevant for you: 

let
  my_jre = pkgs.jre_minimal.override {
    modules = [
      # The modules used by 'something' and 'other' combined:
      "java.base"
      "java.logging"
    ];
  };
  something = (pkgs.something.override { jre = my_jre; });
  other = (pkgs.other.override { jre = my_jre; });
in
  ...

You can also specify what JDK your JRE should be based on, for example selecting a headless build to avoid including a link to GTK+: 

my_jre = pkgs.jre_minimal.override {
  jdk = jdk11_headless;
};

Note all JDKs passthru home, so if your application requires environment variables like JAVA_HOME being set, that can be done in a generic fashion with the --set argument of makeWrapper: 

--set JAVA_HOME ${jdk.home}

It is possible to use a different Java compiler than javac from the OpenJDK. For instance, to use the GNU Java Compiler: 

nativeBuildInputs = [ gcj ant ];

Here, Ant will automatically use gij (the GNU Java Runtime) instead of the OpenJRE.

17.19. Javascript

17.19.1. Introduction

This contains instructions on how to package javascript applications.

The various tools available will be listed in the tools-overview. Some general principles for packaging will follow. Finally some tool specific instructions will be given.

17.19.2. Getting unstuck / finding code examples

If you find you are lacking inspiration for packing javascript applications, the links below might prove useful. Searching online for prior art can be helpful if you are running into solved problems.

17.19.2.1. Github

17.19.2.2. Gitlab

17.19.3. Tools overview

17.19.4. General principles

The following principles are given in order of importance with potential exceptions.

17.19.4.1. Try to use the same node version used upstream

It is often not documented which node version is used upstream, but if it is, try to use the same version when packaging.

This can be a problem if upstream is using the latest and greatest and you are trying to use an earlier version of node. Some cryptic errors regarding V8 may appear.

17.19.4.2. Try to respect the package manager originally used by upstream (and use the upstream lock file)

A lock file (package-lock.json, yarn.lock…) is supposed to make reproducible installations of node_modules for each tool.

Guidelines of package managers, recommend to commit those lock files to the repos. If a particular lock file is present, it is a strong indication of which package manager is used upstream.

It’s better to try to use a Nix tool that understand the lock file. Using a different tool might give you hard to understand error because different packages have been installed. An example of problems that could arise can be found here. Upstream use NPM, but this is an attempt to package it with yarn2nix (that uses yarn.lock).

Using a different tool forces to commit a lock file to the repository. Those files are fairly large, so when packaging for nixpkgs, this approach does not scale well.

Exceptions to this rule are:

  • When you encounter one of the bugs from a Nix tool. In each of the tool specific instructions, known problems will be detailed. If you have a problem with a particular tool, then it’s best to try another tool, even if this means you will have to recreate a lock file and commit it to nixpkgs. In general yarn2nix has less known problems and so a simple search in nixpkgs will reveal many yarn.lock files committed.

  • Some lock files contain particular version of a package that has been pulled off NPM for some reason. In that case, you can recreate upstream lock (by removing the original and npm install, yarn, …) and commit this to nixpkgs.

  • The only tool that supports workspaces (a feature of NPM that helps manage sub-directories with different package.json from a single top level package.json) is yarn2nix. If upstream has workspaces you should try yarn2nix.

17.19.4.3. Try to use upstream package.json

Exceptions to this rule are:

  • Sometimes the upstream repo assumes some dependencies be installed globally. In that case you can add them manually to the upstream package.json (yarn add xxx or npm install xxx, …). Dependencies that are installed locally can be executed with npx for CLI tools. (e.g. npx postcss ..., this is how you can call those dependencies in the phases).

  • Sometimes there is a version conflict between some dependency requirements. In that case you can fix a version by removing the ^.

  • Sometimes the script defined in the package.json does not work as is. Some scripts for example use CLI tools that might not be available, or cd in directory with a different package.json (for workspaces notably). In that case, it’s perfectly fine to look at what the particular script is doing and break this down in the phases. In the build script you can see build:* calling in turns several other build scripts like build:ui or build:server. If one of those fails, you can try to separate those into, 

    yarn build:ui
yarn build:server
# OR
npm run build:ui
npm run build:server

    when you need to override a package.json. It’s nice to use the one from the upstream source and do some explicit override. Here is an example: 

    patchedPackageJSON = final.runCommand "package.json" { } ''
  ${jq}/bin/jq '.version = "0.4.0" |
    .devDependencies."@jsdoc/cli" = "^0.2.5"
    ${sonar-src}/package.json > $out
'';

    You will still need to commit the modified version of the lock files, but at least the overrides are explicit for everyone to see.

17.19.4.4. Using node_modules directly

Each tool has an abstraction to just build the node_modules (dependencies) directory. You can always use the stdenv.mkDerivation with the node_modules to build the package (symlink the node_modules directory and then use the package build command). The node_modules abstraction can be also used to build some web framework frontends. For an example of this see how plausible is built. mkYarnModules to make the derivation containing node_modules. Then when building the frontend you can just symlink the node_modules directory.

17.19.5. Javascript packages inside nixpkgs

The pkgs/development/node-packages folder contains a generated collection of NPM packages that can be installed with the Nix package manager.

As a rule of thumb, the package set should only provide end user software packages, such as command-line utilities. Libraries should only be added to the package set if there is a non-NPM package that requires it.

When it is desired to use NPM libraries in a development project, use the node2nix generator directly on the package.json configuration file of the project.

The package set provides support for the official stable Node.js versions. The latest stable LTS release in nodePackages, as well as the latest stable current release in nodePackages_latest.

If your package uses native addons, you need to examine what kind of native build system it uses. Here are some examples:

  • node-gyp

  • node-gyp-builder

  • node-pre-gyp

After you have identified the correct system, you need to override your package expression while adding in build system as a build input. For example, dat requires node-gyp-build, so we override its expression in pkgs/development/node-packages/overrides.nix: 

    dat = prev.dat.override (oldAttrs: {
      buildInputs = [ final.node-gyp-build pkgs.libtool pkgs.autoconf pkgs.automake ];
      meta = oldAttrs.meta // { broken = since "12"; };
    });

17.19.5.1. Adding and Updating Javascript packages in nixpkgs

To add a package from NPM to nixpkgs:

  1. Modify pkgs/development/node-packages/node-packages.json to add, update or remove package entries to have it included in nodePackages and nodePackages_latest.

  2. Run the script: 

    ./pkgs/development/node-packages/generate.sh

  3. Build your new package to test your changes: 

    nix-build -A nodePackages.<new-or-updated-package>

    To build against the latest stable Current Node.js version (e.g. 18.x): 

    nix-build -A nodePackages_latest.<new-or-updated-package>

    If the package doesn’t build, you may need to add an override as explained above.

  4. If the package’s name doesn’t match any of the executables it provides, add an entry in pkgs/development/node-packages/main-programs.nix. This will be the case for all scoped packages, e.g., @angular/cli.

  5. Add and commit all modified and generated files.

For more information about the generation process, consult the README.md file of the node2nix tool.

To update NPM packages in nixpkgs, run the same generate.sh script: 

./pkgs/development/node-packages/generate.sh
17.19.5.1.1. Git protocol error

Some packages may have Git dependencies from GitHub specified with git://. GitHub has disabled unecrypted Git connections, so you may see the following error when running the generate script: 

The unauthenticated git protocol on port 9418 is no longer supported

Use the following Git configuration to resolve the issue: 

git config --global url."https://github.com/".insteadOf git://github.com/

17.19.6. Tool specific instructions

17.19.6.1. buildNpmPackage

buildNpmPackage allows you to package npm-based projects in Nixpkgs without the use of an auto-generated dependencies file (as used in node2nix). It works by utilizing npm’s cache functionality – creating a reproducible cache that contains the dependencies of a project, and pointing npm to it. 

{ lib, buildNpmPackage, fetchFromGitHub }:

buildNpmPackage rec {
  pname = "flood";
  version = "4.7.0";

  src = fetchFromGitHub {
    owner = "jesec";
    repo = pname;
    rev = "v${version}";
    hash = "sha256-BR+ZGkBBfd0dSQqAvujsbgsEPFYw/ThrylxUbOksYxM=";
  };

  npmDepsHash = "sha256-tuEfyePwlOy2/mOPdXbqJskO6IowvAP4DWg8xSZwbJw=";

  # The prepack script runs the build script, which we'd rather do in the build phase.
  npmPackFlags = [ "--ignore-scripts" ];

  NODE_OPTIONS = "--openssl-legacy-provider";

  meta = with lib; {
    description = "A modern web UI for various torrent clients with a Node.js backend and React frontend";
    homepage = "https://flood.js.org";
    license = licenses.gpl3Only;
    maintainers = with maintainers; [ winter ];
  };
}
17.19.6.1.1. Arguments

  • npmDepsHash: The output hash of the dependencies for this project. Can be calculated in advance with prefetch-npm-deps.

  • makeCacheWritable: Whether to make the cache writable prior to installing dependencies. Don’t set this unless npm tries to write to the cache directory, as it can slow down the build.

  • npmBuildScript: The script to run to build the project. Defaults to "build".

  • npmFlags: Flags to pass to all npm commands.

  • npmInstallFlags: Flags to pass to npm ci and npm prune.

  • npmBuildFlags: Flags to pass to npm run ${npmBuildScript}.

  • npmPackFlags: Flags to pass to npm pack.

17.19.6.1.2. prefetch-npm-deps

prefetch-npm-deps can calculate the hash of the dependencies of an npm project ahead of time. 

$ ls
package.json package-lock.json index.js
$ prefetch-npm-deps package-lock.json
...
sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=

17.19.6.2. node2nix

17.19.6.2.1. Preparation

You will need to generate a Nix expression for the dependencies. Don’t forget the -l package-lock.json if there is a lock file. Most probably you will need the --development to include the devDependencies

So the command will most likely be: 

node2nix --development -l package-lock.json

See node2nix docs for more info.

17.19.6.2.2. Pitfalls

  • If upstream package.json does not have a version attribute, node2nix will crash. You will need to add it like shown in the package.json section.

  • node2nix has some bugs related to working with lock files from NPM distributed with nodejs-16_x.

  • node2nix does not like missing packages from NPM. If you see something like Cannot resolve version: vue-loader-v16@undefined then you might want to try another tool. The package might have been pulled off of NPM.

17.19.6.3. yarn2nix

17.19.6.3.1. Preparation

You will need at least a yarn.lock file. If upstream does not have one you need to generate it and reference it in your package definition.

If the downloaded files contain the package.json and yarn.lock files they can be used like this: 

offlineCache = fetchYarnDeps {
  yarnLock = src + "/yarn.lock";
  sha256 = "....";
};
17.19.6.3.2. mkYarnPackage

mkYarnPackage will by default try to generate a binary. For package only generating static assets (Svelte, Vue, React, WebPack, …), you will need to explicitly override the build step with your instructions.

It’s important to use the --offline flag. For example if you script is "build": "something" in package.json use: 

buildPhase = ''
  export HOME=$(mktemp -d)
  yarn --offline build
'';

The dist phase is also trying to build a binary, the only way to override it is with: 

distPhase = "true";

The configure phase can sometimes fail because it makes many assumptions which may not always apply. One common override is: 

configurePhase = ''
  ln -s $node_modules node_modules
'';

or if you need a writeable node_modules directory: 

configurePhase = ''
  cp -r $node_modules node_modules
  chmod +w node_modules
'';
17.19.6.3.3. mkYarnModules

This will generate a derivation including the node_modules directory. If you have to build a derivation for an integrated web framework (rails, phoenix..), this is probably the easiest way.

17.19.6.3.4. Overriding dependency behavior

In the mkYarnPackage record the property pkgConfig can be used to override packages when you encounter problems building.

For instance, say your package is throwing errors when trying to invoke node-sass: 

ENOENT: no such file or directory, scandir '/build/source/node_modules/node-sass/vendor'

To fix this we will specify different versions of build inputs to use, as well as some post install steps to get the software built the way we want: 

mkYarnPackage rec {
  pkgConfig = {
    node-sass = {
      buildInputs = with final;[ python libsass pkg-config ];
      postInstall = ''
        LIBSASS_EXT=auto yarn --offline run build
        rm build/config.gypi
      '';
    };
  };
}
17.19.6.3.5. Pitfalls

  • If version is missing from upstream package.json, yarn will silently install nothing. In that case, you will need to override package.json as shown in the package.json section

  • Having trouble with node-gyp? Try adding these lines to the yarnPreBuild steps: 

    yarnPreBuild = ''
  mkdir -p $HOME/.node-gyp/${nodejs.version}
  echo 9 > $HOME/.node-gyp/${nodejs.version}/installVersion
  ln -sfv ${nodejs}/include $HOME/.node-gyp/${nodejs.version}
  export npm_config_nodedir=${nodejs}
'';

17.19.7. Outside of nixpkgs

There are some other options available that can’t be used inside nixpkgs. Those other options are written in Nix. Importing them in nixpkgs will require moving the source code into nixpkgs. Using Import From Derivation is not allowed in Hydra at present. If you are packaging something outside nixpkgs, those can be considered

17.19.7.1. npmlock2nix

npmlock2nix aims at building node_modules without code generation. It hasn’t reached v1 yet, the API might be subject to change.

17.19.7.1.1. Pitfalls

There are some problems with npm v7.

17.19.7.2. nix-npm-buildpackage

nix-npm-buildpackage aims at building node_modules without code generation. It hasn’t reached v1 yet, the API might change. It supports both package-lock.json and yarn.lock.

17.19.7.2.1. Pitfalls

There are some problems with npm v7.

17.20. User’s Guide to Lua Infrastructure

17.20.1. Using Lua

17.20.1.1. Overview of Lua

Several versions of the Lua interpreter are available: luajit, lua 5.1, 5.2, 5.3. The attribute lua refers to the default interpreter, it is also possible to refer to specific versions, e.g. lua5_2 refers to Lua 5.2.

Lua libraries are in separate sets, with one set per interpreter version.

The interpreters have several common attributes. One of these attributes is pkgs, which is a package set of Lua libraries for this specific interpreter. E.g., the busted package corresponding to the default interpreter is lua.pkgs.busted, and the lua 5.2 version is lua5_2.pkgs.busted. The main package set contains aliases to these package sets, e.g. luaPackages refers to lua5_1.pkgs and lua52Packages to lua5_2.pkgs.

17.20.1.2. Installing Lua and packages

17.20.1.2.1. Lua environment defined in separate .nix file

Create a file, e.g. build.nix, with the following expression 

with import <nixpkgs> {};

lua5_2.withPackages (ps: with ps; [ busted luafilesystem ])

and install it in your profile with 

nix-env -if build.nix

Now you can use the Lua interpreter, as well as the extra packages (busted, luafilesystem) that you added to the environment.

17.20.1.2.2. Lua environment defined in ~/.config/nixpkgs/config.nix

If you prefer to, you could also add the environment as a package override to the Nixpkgs set, e.g. using config.nix, 

{ # ...

  packageOverrides = pkgs: with pkgs; {
    myLuaEnv = lua5_2.withPackages (ps: with ps; [ busted luafilesystem ]);
  };
}

and install it in your profile with 

nix-env -iA nixpkgs.myLuaEnv

The environment is installed by referring to the attribute, and considering the nixpkgs channel was used.

17.20.1.2.3. Lua environment defined in /etc/nixos/configuration.nix

For the sake of completeness, here’s another example how to install the environment system-wide. 

{ # ...

  environment.systemPackages = with pkgs; [
    (lua.withPackages(ps: with ps; [ busted luafilesystem ]))
  ];
}

17.20.1.3. How to override a Lua package using overlays?

Use the following overlay template: 

final: prev:
{

  lua = prev.lua.override {
    packageOverrides = luaself: luaprev: {

      luarocks-nix = luaprev.luarocks-nix.overrideAttrs(oa: {
        pname = "luarocks-nix";
        src = /home/my_luarocks/repository;
      });
  };

  luaPackages = lua.pkgs;
}

17.20.1.4. Temporary Lua environment with nix-shell

There are two methods for loading a shell with Lua packages. The first and recommended method is to create an environment with lua.buildEnv or lua.withPackages and load that. E.g. 

$ nix-shell -p 'lua.withPackages(ps: with ps; [ busted luafilesystem ])'

opens a shell from which you can launch the interpreter 

[nix-shell:~] lua

The other method, which is not recommended, does not create an environment and requires you to list the packages directly, 

$ nix-shell -p lua.pkgs.busted lua.pkgs.luafilesystem

Again, it is possible to launch the interpreter from the shell. The Lua interpreter has the attribute pkgs which contains all Lua libraries for that specific interpreter.

17.20.2. Developing with Lua

Now that you know how to get a working Lua environment with Nix, it is time to go forward and start actually developing with Lua. There are two ways to package lua software, either it is on luarocks and most of it can be taken care of by the luarocks2nix converter or the packaging has to be done manually. Let’s present the luarocks way first and the manual one in a second time.

17.20.2.1. Packaging a library on luarocks

Luarocks.org is the main repository of lua packages. The site proposes two types of packages, the rockspec and the src.rock (equivalent of a rockspec but with the source). These packages can have different build types such as cmake, builtin etc .

Luarocks-based packages are generated in pkgs/development/lua-modules/generated-packages.nix from the whitelist maintainers/scripts/luarocks-packages.csv and updated by running maintainers/scripts/update-luarocks-packages.

luarocks2nix is a tool capable of generating nix derivations from both rockspec and src.rock (and favors the src.rock). The automation only goes so far though and some packages need to be customized. These customizations go in pkgs/development/lua-modules/overrides.nix. For instance if the rockspec defines external_dependencies, these need to be manually added to the overrides.nix.

You can try converting luarocks packages to nix packages with the command nix-shell -p luarocks-nix and then luarocks nix PKG_NAME.

17.20.2.1.1. Packaging a library manually

You can develop your package as you usually would, just don’t forget to wrap it within a toLuaModule call, for instance 

mynewlib = toLuaModule ( stdenv.mkDerivation { ... });

There is also the buildLuaPackage function that can be used when lua modules are not packaged for luarocks. You can see a few examples at pkgs/top-level/lua-packages.nix.

17.20.3. Lua Reference

17.20.3.1. Lua interpreters

Versions 5.1, 5.2, 5.3 and 5.4 of the lua interpreter are available as respectively lua5_1, lua5_2, lua5_3 and lua5_4. Luajit is available too. The Nix expressions for the interpreters can be found in pkgs/development/interpreters/lua-5.

17.20.3.1.1. Attributes on lua interpreters packages

Each interpreter has the following attributes:

  • interpreter. Alias for ${pkgs.lua}/bin/lua.

  • buildEnv. Function to build lua interpreter environments with extra packages bundled together. See section lua.buildEnv function for usage and documentation.

  • withPackages. Simpler interface to buildEnv.

  • pkgs. Set of Lua packages for that specific interpreter. The package set can be modified by overriding the interpreter and passing packageOverrides.

17.20.3.1.2. buildLuarocksPackage function

The buildLuarocksPackage function is implemented in pkgs/development/interpreters/lua-5/build-lua-package.nix The following is an example: 

luaposix = buildLuarocksPackage {
  pname = "luaposix";
  version = "34.0.4-1";

  src = fetchurl {
    url    = "https://raw.githubusercontent.com/rocks-moonscript-org/moonrocks-mirror/master/luaposix-34.0.4-1.src.rock";
    sha256 = "0yrm5cn2iyd0zjd4liyj27srphvy0gjrjx572swar6zqr4dwjqp2";
  };
  disabled = (luaOlder "5.1") || (luaAtLeast "5.4");
  propagatedBuildInputs = [ bit32 lua std_normalize ];

  meta = with lib; {
    homepage = "https://github.com/luaposix/luaposix/";
    description = "Lua bindings for POSIX";
    maintainers = with maintainers; [ vyp lblasc ];
    license.fullName = "MIT/X11";
  };
};

The buildLuarocksPackage delegates most tasks to luarocks:

  • it adds luarocks as an unpacker for src.rock files (zip files really).

  • configurePhase writes a temporary luarocks configuration file which location is exported via the environment variable LUAROCKS_CONFIG.

  • the buildPhase does nothing.

  • installPhase calls luarocks make --deps-mode=none --tree $out to build and install the package

  • In the postFixup phase, the wrapLuaPrograms bash function is called to wrap all programs in the $out/bin/* directory to include $PATH environment variable and add dependent libraries to script’s LUA_PATH and LUA_CPATH.

By default meta.platforms is set to the same value as the interpreter unless overridden otherwise.

17.20.3.1.3. buildLuaApplication function

The buildLuaApplication function is practically the same as buildLuaPackage. The difference is that buildLuaPackage by default prefixes the names of the packages with the version of the interpreter. Because with an application we’re not interested in multiple version the prefix is dropped.

17.20.3.1.4. lua.withPackages function

The lua.withPackages takes a function as an argument that is passed the set of lua packages and returns the list of packages to be included in the environment. Using the withPackages function, the previous example for the luafilesystem environment can be written like this: 

with import <nixpkgs> {};

lua.withPackages (ps: [ps.luafilesystem])

withPackages passes the correct package set for the specific interpreter version as an argument to the function. In the above example, ps equals luaPackages. But you can also easily switch to using lua5_2: 

with import <nixpkgs> {};

lua5_2.withPackages (ps: [ps.lua])

Now, ps is set to lua52Packages, matching the version of the interpreter.

17.20.3.2. Possible Todos

  • export/use version specific variables such as LUA_PATH_5_2/LUAROCKS_CONFIG_5_2

  • let luarocks check for dependencies via exporting the different rocktrees in temporary config

17.20.3.3. Lua Contributing guidelines

Following rules should be respected:

  • Make sure libraries build for all Lua interpreters.

  • Commit names of Lua libraries should reflect that they are Lua libraries, so write for example luaPackages.luafilesystem: 1.11 -> 1.12.

17.21. Maven

Maven is a well-known build tool for the Java ecosystem however it has some challenges when integrating into the Nix build system.

The following provides a list of common patterns with how to package a Maven project (or any JVM language that can export to Maven) as a Nix package.

For the purposes of this example let’s consider a very basic Maven project with the following pom.xml with a single dependency on emoji-java. 

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>io.github.fzakaria</groupId>
  <artifactId>maven-demo</artifactId>
  <version>1.0</version>
  <packaging>jar</packaging>
  <name>NixOS Maven Demo</name>

  <dependencies>
    <dependency>
        <groupId>com.vdurmont</groupId>
        <artifactId>emoji-java</artifactId>
        <version>5.1.1</version>
      </dependency>
  </dependencies>
</project>

Our main class file will be very simple: 

import com.vdurmont.emoji.EmojiParser;

public class Main {
  public static void main(String[] args) {
    String str = "NixOS :grinning: is super cool :smiley:!";
    String result = EmojiParser.parseToUnicode(str);
    System.out.println(result);
  }
}

You find this demo project at https://github.com/fzakaria/nixos-maven-example

17.21.1. Solving for dependencies

17.21.1.1. buildMaven with NixOS/mvn2nix-maven-plugin

⚠️ Although buildMaven is the blessed way within nixpkgs, as of 2020, it hasn’t seen much activity in quite a while.

buildMaven is an alternative method that tries to follow similar patterns of other programming languages by generating a lock file. It relies on the maven plugin mvn2nix-maven-plugin.

First you generate a project-info.json file using the maven plugin.

This should be executed in the project’s source repository or be told which pom.xml to execute with. 

# run this step within the project's source repository
❯ mvn org.nixos.mvn2nix:mvn2nix-maven-plugin:mvn2nix

❯ cat project-info.json | jq | head
{
  "project": {
    "artifactId": "maven-demo",
    "groupId": "org.nixos",
    "version": "1.0",
    "classifier": "",
    "extension": "jar",
    "dependencies": [
      {
        "artifactId": "maven-resources-plugin",

This file is then given to the buildMaven function, and it returns 2 attributes.

repo: A Maven repository that is a symlink farm of all the dependencies found in the project-info.json

build: A simple derivation that runs through mvn compile & mvn package to build the JAR. You may use this as inspiration for more complicated derivations.

Here is an example of building the Maven repository 

{ pkgs ? import <nixpkgs> { } }:
with pkgs;
(buildMaven ./project-info.json).repo

The benefit over the double invocation as we will see below, is that the /nix/store entry is a linkFarm of every package, so that changes to your dependency set doesn’t involve downloading everything from scratch. 

❯ tree $(nix-build --no-out-link build-maven-repository.nix) | head
/nix/store/g87va52nkc8jzbmi1aqdcf2f109r4dvn-maven-repository
├── antlr
│   └── antlr
│       └── 2.7.2
│           ├── antlr-2.7.2.jar -> /nix/store/d027c8f2cnmj5yrynpbq2s6wmc9cb559-antlr-2.7.2.jar
│           └── antlr-2.7.2.pom -> /nix/store/mv42fc5gizl8h5g5vpywz1nfiynmzgp2-antlr-2.7.2.pom
├── avalon-framework
│   └── avalon-framework
│       └── 4.1.3
│           ├── avalon-framework-4.1.3.jar -> /nix/store/iv5fp3955w3nq28ff9xfz86wvxbiw6n9-avalon-framework-4.1.3.jar

17.21.1.2. Double Invocation

⚠️ This pattern is the simplest but may cause unnecessary rebuilds due to the output hash changing.

The double invocation is a simple way to get around the problem that nix-build may be sandboxed and have no Internet connectivity.

It treats the entire Maven repository as a single source to be downloaded, relying on Maven’s dependency resolution to satisfy the output hash. This is similar to fetchers like fetchgit, except it has to run a Maven build to determine what to download.

The first step will be to build the Maven project as a fixed-output derivation in order to collect the Maven repository – below is an example.

Traditionally the Maven repository is at ~/.m2/repository. We will override this to be the $out directory. 

{ lib, stdenv, maven }:
stdenv.mkDerivation {
  name = "maven-repository";
  buildInputs = [ maven ];
  src = ./.; # or fetchFromGitHub, cleanSourceWith, etc
  buildPhase = ''
    mvn package -Dmaven.repo.local=$out
  '';

  # keep only *.{pom,jar,sha1,nbm} and delete all ephemeral files with lastModified timestamps inside
  installPhase = ''
    find $out -type f \
      -name \*.lastUpdated -or \
      -name resolver-status.properties -or \
      -name _remote.repositories \
      -delete
  '';

  # don't do any fixup
  dontFixup = true;
  outputHashAlgo = "sha256";
  outputHashMode = "recursive";
  # replace this with the correct SHA256
  outputHash = lib.fakeSha256;
}

The build will fail, and tell you the expected outputHash to place. When you’ve set the hash, the build will return with a /nix/store entry whose contents are the full Maven repository.

Some additional files are deleted that would cause the output hash to change potentially on subsequent runs. 

❯ tree $(nix-build --no-out-link double-invocation-repository.nix) | head
/nix/store/8kicxzp98j68xyi9gl6jda67hp3c54fq-maven-repository
├── backport-util-concurrent
│   └── backport-util-concurrent
│       └── 3.1
│           ├── backport-util-concurrent-3.1.pom
│           └── backport-util-concurrent-3.1.pom.sha1
├── classworlds
│   └── classworlds
│       ├── 1.1
│       │   ├── classworlds-1.1.jar

If your package uses SNAPSHOT dependencies or version ranges; there is a strong likelihood that over-time your output hash will change since the resolved dependencies may change. Hence this method is less recommended then using buildMaven.

17.21.2. Building a JAR

Regardless of which strategy is chosen above, the step to build the derivation is the same. 

{ stdenv, maven, callPackage }:
# pick a repository derivation, here we will use buildMaven
let repository = callPackage ./build-maven-repository.nix { };
in stdenv.mkDerivation rec {
  pname = "maven-demo";
  version = "1.0";

  src = builtins.fetchTarball "https://github.com/fzakaria/nixos-maven-example/archive/main.tar.gz";
  buildInputs = [ maven ];

  buildPhase = ''
    echo "Using repository ${repository}"
    mvn --offline -Dmaven.repo.local=${repository} package;
  '';

  installPhase = ''
    install -Dm644 target/${pname}-${version}.jar $out/share/java
  '';
}

We place the library in $out/share/java since JDK package has a stdenv setup hook that adds any JARs in the share/java directories of the build inputs to the CLASSPATH environment. 

❯ tree $(nix-build --no-out-link build-jar.nix)
/nix/store/7jw3xdfagkc2vw8wrsdv68qpsnrxgvky-maven-demo-1.0
└── share
    └── java
        └── maven-demo-1.0.jar

2 directories, 1 file

17.21.3. Runnable JAR

The previous example builds a jar file but that’s not a file one can run.

You need to use it with java -jar $out/share/java/output.jar and make sure to provide the required dependencies on the classpath.

The following explains how to use makeWrapper in order to make the derivation produce an executable that will run the JAR file you created.

We will use the same repository we built above (either double invocation or buildMaven) to setup a CLASSPATH for our JAR.

The following two methods are more suited to Nix then building an UberJar which may be the more traditional approach.

17.21.3.1. CLASSPATH

This is ideal if you are providing a derivation for nixpkgs and don’t want to patch the project’s pom.xml.

We will read the Maven repository and flatten it to a single list. This list will then be concatenated with the CLASSPATH separator to create the full classpath.

We make sure to provide this classpath to the makeWrapper. 

{ stdenv, maven, callPackage, makeWrapper, jre }:
let
  repository = callPackage ./build-maven-repository.nix { };
in stdenv.mkDerivation rec {
  pname = "maven-demo";
  version = "1.0";

  src = builtins.fetchTarball
    "https://github.com/fzakaria/nixos-maven-example/archive/main.tar.gz";
  nativeBuildInputs = [ makeWrapper ];
  buildInputs = [ maven ];

  buildPhase = ''
    echo "Using repository ${repository}"
    mvn --offline -Dmaven.repo.local=${repository} package;
  '';

  installPhase = ''
    mkdir -p $out/bin

    classpath=$(find ${repository} -name "*.jar" -printf ':%h/%f');
    install -Dm644 target/${pname}-${version}.jar $out/share/java
    # create a wrapper that will automatically set the classpath
    # this should be the paths from the dependency derivation
    makeWrapper ${jre}/bin/java $out/bin/${pname} \
          --add-flags "-classpath $out/share/java/${pname}-${version}.jar:''${classpath#:}" \
          --add-flags "Main"
  '';
}

17.21.3.2. MANIFEST file via Maven Plugin

This is ideal if you are the project owner and want to change your pom.xml to set the CLASSPATH within it.

Augment the pom.xml to create a JAR with the following manifest: 

<build>
  <plugins>
    <plugin>
        <artifactId>maven-jar-plugin</artifactId>
        <configuration>
            <archive>
                <manifest>
                    <addClasspath>true</addClasspath>
                    <classpathPrefix>../../repository/</classpathPrefix>
                    <classpathLayoutType>repository</classpathLayoutType>
                    <mainClass>Main</mainClass>
                </manifest>
                <manifestEntries>
                    <Class-Path>.</Class-Path>
                </manifestEntries>
            </archive>
        </configuration>
    </plugin>
  </plugins>
</build>

The above plugin instructs the JAR to look for the necessary dependencies in the lib/ relative folder. The layout of the folder is also in the maven repository style. 

❯ unzip -q -c $(nix-build --no-out-link runnable-jar.nix)/share/java/maven-demo-1.0.jar META-INF/MANIFEST.MF

Manifest-Version: 1.0
Archiver-Version: Plexus Archiver
Built-By: nixbld
Class-Path: . ../../repository/com/vdurmont/emoji-java/5.1.1/emoji-jav
 a-5.1.1.jar ../../repository/org/json/json/20170516/json-20170516.jar
Created-By: Apache Maven 3.6.3
Build-Jdk: 1.8.0_265
Main-Class: Main

We will modify the derivation above to add a symlink to our repository so that it’s accessible to our JAR during the installPhase. 

{ stdenv, maven, callPackage, makeWrapper, jre }:
# pick a repository derivation, here we will use buildMaven
let repository = callPackage ./build-maven-repository.nix { };
in stdenv.mkDerivation rec {
  pname = "maven-demo";
  version = "1.0";

  src = builtins.fetchTarball
    "https://github.com/fzakaria/nixos-maven-example/archive/main.tar.gz";
  nativeBuildInputs = [ makeWrapper ];
  buildInputs = [ maven ];

  buildPhase = ''
    echo "Using repository ${repository}"
    mvn --offline -Dmaven.repo.local=${repository} package;
  '';

  installPhase = ''
    mkdir -p $out/bin

    # create a symbolic link for the repository directory
    ln -s ${repository} $out/repository

    install -Dm644 target/${pname}-${version}.jar $out/share/java
    # create a wrapper that will automatically set the classpath
    # this should be the paths from the dependency derivation
    makeWrapper ${jre}/bin/java $out/bin/${pname} \
          --add-flags "-jar $out/share/java/${pname}-${version}.jar"
  '';
}

Our script produces a dependency on jre rather than jdk to restrict the runtime closure necessary to run the application.

This will give you an executable shell-script that launches your JAR with all the dependencies available. 

❯ tree $(nix-build --no-out-link runnable-jar.nix)
/nix/store/8d4c3ibw8ynsn01ibhyqmc1zhzz75s26-maven-demo-1.0
├── bin
│   └── maven-demo
├── repository -> /nix/store/g87va52nkc8jzbmi1aqdcf2f109r4dvn-maven-repository
└── share
    └── java
        └── maven-demo-1.0.jar

❯ $(nix-build --no-out-link --option tarball-ttl 1 runnable-jar.nix)/bin/maven-demo
NixOS 😀 is super cool 😃!

17.22. Nim

17.22.1. Overview

The Nim compiler, a builder function, and some packaged libraries are available in Nixpkgs. Until now each compiler release has been effectively backwards compatible so only the latest version is available.

17.22.2. Nim program packages in Nixpkgs

Nim programs can be built using nimPackages.buildNimPackage. In the case of packages not containing exported library code the attribute nimBinOnly should be set to true.

The following example shows a Nim program that depends only on Nim libraries: 

{ lib, nimPackages, fetchurl }:

nimPackages.buildNimPackage rec {
  pname = "hottext";
  version = "1.4";

  nimBinOnly = true;

  src = fetchurl {
    url = "https://git.sr.ht/~ehmry/hottext/archive/v${version}.tar.gz";
    sha256 = "sha256-hIUofi81zowSMbt1lUsxCnVzfJGN3FEiTtN8CEFpwzY=";
  };

  buildInputs = with nimPackages; [
    bumpy
    chroma
    flatty
    nimsimd
    pixie
    sdl2
    typography
    vmath
    zippy
  ];
}

17.22.3. Nim library packages in Nixpkgs

Nim libraries can also be built using nimPackages.buildNimPackage, but often the product of a fetcher is sufficient to satisfy a dependency. The fetchgit, fetchFromGitHub, and fetchNimble functions yield an output that can be discovered during the configurePhase of buildNimPackage.

Nim library packages are listed in pkgs/top-level/nim-packages.nix and implemented at pkgs/development/nim-packages.

The following example shows a Nim library that propagates a dependency on a non-Nim package: 

{ lib, buildNimPackage, fetchNimble, SDL2 }:

buildNimPackage rec {
  pname = "sdl2";
  version = "2.0.4";
  src = fetchNimble {
    inherit pname version;
    hash = "sha256-Vtcj8goI4zZPQs2TbFoBFlcR5UqDtOldaXSH/+/xULk=";
  };
  propagatedBuildInputs = [ SDL2 ];
}

17.22.4. buildNimPackage parameters

All parameters from stdenv.mkDerivation function are still supported. The following are specific to buildNimPackage:

  • nimBinOnly ? false: If true then build only the programs listed in the Nimble file in the packages sources.

  • nimbleFile: Specify the Nimble file location of the package being built rather than discover the file at build-time.

  • nimRelease ? true: Build the package in release mode.

  • nimDefines ? []: A list of Nim defines. Key-value tuples are not supported.

  • nimFlags ? []: A list of command line arguments to pass to the Nim compiler. Use this to specify defines with arguments in the form of -d:${name}=${value}.

  • nimDoc ? false`: Build and install HTML documentation.

  • buildInputs ? []: The packages listed here will be searched for *.nimble files which are used to populate the Nim library path. Otherwise the standard behavior is in effect.

17.23. OCaml

17.23.1. User guide

OCaml libraries are available in attribute sets of the form ocaml-ng.ocamlPackages_X_XX where X is to be replaced with the desired compiler version. For example, ocamlgraph compiled with OCaml 4.12 can be found in ocaml-ng.ocamlPackages_4_12.ocamlgraph. The compiler itself is also located in this set, under the name ocaml.

If you don’t care about the exact compiler version, ocamlPackages is a top-level alias pointing to a recent version of OCaml.

OCaml applications are usually available top-level, and not inside ocamlPackages. Notable exceptions are build tools that must be built with the same compiler version as the compiler you intend to use like dune or ocaml-lsp.

To open a shell able to build a typical OCaml project, put the dependencies in buildInputs and add ocamlPackages.ocaml and ocamlPackages.findlib to nativeBuildInputs at least. For example: 

let
 pkgs = import <nixpkgs> {};
 # choose the ocaml version you want to use
 ocamlPackages = pkgs.ocaml-ng.ocamlPackages_4_12;
in
pkgs.mkShell {
  # build tools
  nativeBuildInputs = with ocamlPackages; [ ocaml findlib dune_2 ocaml-lsp ];
  # dependencies
  buildInputs = with ocamlPackages; [ ocamlgraph ];
}

17.23.2. Packaging guide

OCaml libraries should be installed in $(out)/lib/ocaml/${ocaml.version}/site-lib/. Such directories are automatically added to the $OCAMLPATH environment variable when building another package that depends on them or when opening a nix-shell.

Given that most of the OCaml ecosystem is now built with dune, nixpkgs includes a convenience build support function called buildDunePackage that will build an OCaml package using dune, OCaml and findlib and any additional dependencies provided as buildInputs or propagatedBuildInputs.

Here is a simple package example.

  • It defines an (optional) attribute minimalOCamlVersion (see note below) that will be used to throw a descriptive evaluation error if building with an older OCaml is attempted.

  • It uses the fetchFromGitHub fetcher to get its source.

  • duneVersion = "2" ensures that Dune version 2 is used for the build (this is the default; valid values are "1", "2", and "3"); note that there is also a legacy useDune2 boolean attribute: set to false it corresponds to duneVersion = "1"; set to true it corresponds to duneVersion = "2". If both arguments (duneVersion and useDune2) are given, the second one (useDune2) is silently ignored.

  • It sets the optional doCheck attribute such that tests will be run with dune runtest -p angstrom after the build (dune build -p angstrom) is complete, but only if the Ocaml version is at at least "4.05".

  • It uses the package ocaml-syntax-shims as a build input, alcotest and ppx_let as check inputs (because they are needed to run the tests), and bigstringaf and result as propagated build inputs (thus they will also be available to libraries depending on this library).

  • The library will be installed using the angstrom.install file that dune generates. 

{ lib,
  fetchFromGitHub,
  buildDunePackage,
  ocaml,
  ocaml-syntax-shims,
  alcotest,
  result,
  bigstringaf,
  ppx_let }:

buildDunePackage rec {
  pname = "angstrom";
  version = "0.15.0";
  duneVersion = "2";

  minimalOCamlVersion = "4.04";

  src = fetchFromGitHub {
    owner  = "inhabitedtype";
    repo   = pname;
    rev    = version;
    sha256 = "1hmrkdcdlkwy7rxhngf3cv3sa61cznnd9p5lmqhx20664gx2ibrh";
  };

  checkInputs = [ alcotest ppx_let ];
  buildInputs = [ ocaml-syntax-shims ];
  propagatedBuildInputs = [ bigstringaf result ];
  doCheck = lib.versionAtLeast ocaml.version "4.05";

  meta = {
    homepage = "https://github.com/inhabitedtype/angstrom";
    description = "OCaml parser combinators built for speed and memory efficiency";
    license = lib.licenses.bsd3;
    maintainers = with lib.maintainers; [ sternenseemann ];
  };

Here is a second example, this time using a source archive generated with dune-release. It is a good idea to use this archive when it is available as it will usually contain substituted variables such as a %%VERSION%% field. This library does not depend on any other OCaml library and no tests are run after building it. 

{ lib, fetchurl, buildDunePackage }:

buildDunePackage rec {
  pname = "wtf8";
  version = "1.0.2";

  useDune2 = true;

  minimalOCamlVersion = "4.02";

  src = fetchurl {
    url = "https://github.com/flowtype/ocaml-${pname}/releases/download/v${version}/${pname}-v${version}.tbz";
    sha256 = "09ygcxxd5warkdzz17rgpidrd0pg14cy2svvnvy1hna080lzg7vp";
  };

  meta = with lib; {
    homepage = "https://github.com/flowtype/ocaml-wtf8";
    description = "WTF-8 is a superset of UTF-8 that allows unpaired surrogates.";
    license = licenses.mit;
    maintainers = [ maintainers.eqyiel ];
  };
}

Note about minimalOCamlVersion. A deprecated version of this argument was spelled minimumOCamlVersion; setting the old attribute wrongly modifies the derivation hash and is therefore inappropriate. As a technical dept, currently packaged libraries may still use the old spelling: maintainers are invited to fix this when updating packages. Massive renaming is strongly discouraged as it would be challenging to review, difficult to test, and will cause unnecessary rebuild.

17.24. Octave

17.24.1. Introduction

Octave is a modular scientific programming language and environment. A majority of the packages supported by Octave from their website are packaged in nixpkgs.

17.24.2. Structure

All Octave add-on packages are available in two ways:

  1. Under the top-level Octave attribute, octave.pkgs.

  2. As a top-level attribute, octavePackages.

17.24.3. Packaging Octave Packages

Nixpkgs provides a function buildOctavePackage, a generic package builder function for any Octave package that complies with the Octave’s current packaging format.

All Octave packages are defined in pkgs/top-level/octave-packages.nix rather than pkgs/all-packages.nix. Each package is defined in their own file in the pkgs/development/octave-modules directory. Octave packages are made available through all-packages.nix through both the attribute octavePackages and octave.pkgs. You can test building an Octave package as follows: 

$ nix-build -A octavePackages.symbolic

To install it into your user profile, run this command from the root of the repository: 

$ nix-env -f. -iA octavePackages.symbolic

You can build Octave with packages by using the withPackages passed-through function. 

$ nix-shell -p 'octave.withPackages (ps: with ps; [ symbolic ])'

This will also work in a shell.nix file. 

{ pkgs ? import <nixpkgs> { }}:

pkgs.mkShell {
  nativeBuildInputs = with pkgs; [
    (octave.withPackages (opkgs: with opkgs; [ symbolic ]))
  ];
}

17.24.3.1. buildOctavePackage Steps

The buildOctavePackage does several things to make sure things work properly.

  1. Sets the environment variable OCTAVE_HISTFILE to /dev/null during package compilation so that the commands run through the Octave interpreter directly are not logged.

  2. Skips the configuration step, because the packages are stored as gzipped tarballs, which Octave itself handles directly.

  3. Change the hierarchy of the tarball so that only a single directory is at the top-most level of the tarball.

  4. Use Octave itself to run the pkg build command, which unzips the tarball, extracts the necessary files written in Octave, and compiles any code written in C++ or Fortran, and places the fully compiled artifact in $out.

buildOctavePackage is built on top of stdenv in a standard way, allowing most things to be customized.

17.24.3.2. Handling Dependencies

In Octave packages, there are four sets of dependencies that can be specified:

nativeBuildInputs

Just like other packages, nativeBuildInputs is intended for architecture-dependent build-time-only dependencies.

buildInputs

Like other packages, buildInputs is intended for architecture-independent build-time-only dependencies.

propagatedBuildInputs

Similar to other packages, propagatedBuildInputs is intended for packages that are required for both building and running of the package. See Symbolic for how this works and why it is needed.

requiredOctavePackages

This is a special dependency that ensures the specified Octave packages are dependent on others, and are made available simultaneously when loading them in Octave.

17.24.3.3. Installing Octave Packages

By default, the buildOctavePackage function does not install the requested package into Octave for use. The function will only build the requested package. This is due to Octave maintaining an text-based database about which packages are installed where. To this end, when all the requested packages have been built, the Octave package and all its add-on packages are put together into an environment, similar to Python.

  1. First, all the Octave binaries are wrapped with the environment variable OCTAVE_SITE_INITFILE set to a file in $out, which is required for Octave to be able to find the non-standard package database location.

  2. Because of the way buildEnv works, all tarballs that are present (which should be all Octave packages to install) should be removed.

  3. The path down to the default install location of Octave packages is recreated so that Nix-operated Octave can install the packages.

  4. Install the packages into the $out environment while writing package entries to the database file. This database file is unique for each different (according to Nix) environment invocation.

  5. Rewrite the Octave-wide startup file to read from the list of packages installed in that particular environment.

  6. Wrap any programs that are required by the Octave packages so that they work with all the paths defined within the environment.

17.25. Perl

17.25.1. Running Perl programs on the shell

When executing a Perl script, it is possible you get an error such as ./myscript.pl: bad interpreter: /usr/bin/perl: no such file or directory. This happens when the script expects Perl to be installed at /usr/bin/perl, which is not the case when using Perl from nixpkgs. You can fix the script by changing the first line to: 

#!/usr/bin/env perl

to take the Perl installation from the PATH environment variable, or invoke Perl directly with: 

$ perl ./myscript.pl

When the script is using a Perl library that is not installed globally, you might get an error such as Can't locate DB_File.pm in @INC (you may need to install the DB_File module). In that case, you can use nix-shell to start an ad-hoc shell with that library installed, for instance: 

$ nix-shell -p perl perlPackages.DBFile --run ./myscript.pl

If you are always using the script in places where nix-shell is available, you can embed the nix-shell invocation in the shebang like this: 

#!/usr/bin/env nix-shell
#! nix-shell -i perl -p perl perlPackages.DBFile

17.25.2. Packaging Perl programs

Nixpkgs provides a function buildPerlPackage, a generic package builder function for any Perl package that has a standard Makefile.PL. It’s implemented in pkgs/development/perl-modules/generic.

Perl packages from CPAN are defined in pkgs/top-level/perl-packages.nix rather than pkgs/all-packages.nix. Most Perl packages are so straight-forward to build that they are defined here directly, rather than having a separate function for each package called from perl-packages.nix. However, more complicated packages should be put in a separate file, typically in pkgs/development/perl-modules. Here is an example of the former: 

ClassC3 = buildPerlPackage rec {
  pname = "Class-C3";
  version = "0.21";
  src = fetchurl {
    url = "mirror://cpan/authors/id/F/FL/FLORA/${pname}-${version}.tar.gz";
    sha256 = "1bl8z095y4js66pwxnm7s853pi9czala4sqc743fdlnk27kq94gz";
  };
};

Note the use of mirror://cpan/, and the pname and version in the URL definition to ensure that the pname attribute is consistent with the source that we’re actually downloading. Perl packages are made available in all-packages.nix through the variable perlPackages. For instance, if you have a package that needs ClassC3, you would typically write 

foo = import ../path/to/foo.nix {
  inherit stdenv fetchurl ...;
  inherit (perlPackages) ClassC3;
};

in all-packages.nix. You can test building a Perl package as follows: 

$ nix-build -A perlPackages.ClassC3

To install it with nix-env instead: nix-env -f. -iA perlPackages.ClassC3.

So what does buildPerlPackage do? It does the following:

  1. In the configure phase, it calls perl Makefile.PL to generate a Makefile. You can set the variable makeMakerFlags to pass flags to Makefile.PL

  2. It adds the contents of the PERL5LIB environment variable to #! .../bin/perl line of Perl scripts as -Idir flags. This ensures that a script can find its dependencies. (This can cause this shebang line to become too long for Darwin to handle; see the note below.)

  3. In the fixup phase, it writes the propagated build inputs (propagatedBuildInputs) to the file $out/nix-support/propagated-user-env-packages. nix-env recursively installs all packages listed in this file when you install a package that has it. This ensures that a Perl package can find its dependencies.

buildPerlPackage is built on top of stdenv, so everything can be customised in the usual way. For instance, the BerkeleyDB module has a preConfigure hook to generate a configuration file used by Makefile.PL: 

{ buildPerlPackage, fetchurl, db }:

buildPerlPackage rec {
  pname = "BerkeleyDB";
  version = "0.36";

  src = fetchurl {
    url = "mirror://cpan/authors/id/P/PM/PMQS/${pname}-${version}.tar.gz";
    sha256 = "07xf50riarb60l1h6m2dqmql8q5dij619712fsgw7ach04d8g3z1";
  };

  preConfigure = ''
    echo "LIB = ${db.out}/lib" > config.in
    echo "INCLUDE = ${db.dev}/include" >> config.in
  '';
}

Dependencies on other Perl packages can be specified in the buildInputs and propagatedBuildInputs attributes. If something is exclusively a build-time dependency, use buildInputs; if it’s (also) a runtime dependency, use propagatedBuildInputs. For instance, this builds a Perl module that has runtime dependencies on a bunch of other modules: 

ClassC3Componentised = buildPerlPackage rec {
  pname = "Class-C3-Componentised";
  version = "1.0004";
  src = fetchurl {
    url = "mirror://cpan/authors/id/A/AS/ASH/${pname}-${version}.tar.gz";
    sha256 = "0xql73jkcdbq4q9m0b0rnca6nrlvf5hyzy8is0crdk65bynvs8q1";
  };
  propagatedBuildInputs = [
    ClassC3 ClassInspector TestException MROCompat
  ];
};

On Darwin, if a script has too many -Idir flags in its first line (its “shebang line”), it will not run. This can be worked around by calling the shortenPerlShebang function from the postInstall phase: 

{ lib, stdenv, buildPerlPackage, fetchurl, shortenPerlShebang }:

ImageExifTool = buildPerlPackage {
  pname = "Image-ExifTool";
  version = "11.50";

  src = fetchurl {
    url = "https://www.sno.phy.queensu.ca/~phil/exiftool/${pname}-${version}.tar.gz";
    sha256 = "0d8v48y94z8maxkmw1rv7v9m0jg2dc8xbp581njb6yhr7abwqdv3";
  };

  buildInputs = lib.optional stdenv.isDarwin shortenPerlShebang;
  postInstall = lib.optionalString stdenv.isDarwin ''
    shortenPerlShebang $out/bin/exiftool
  '';
};

This will remove the -I flags from the shebang line, rewrite them in the use lib form, and put them on the next line instead. This function can be given any number of Perl scripts as arguments; it will modify them in-place.

17.25.2.1. Generation from CPAN

Nix expressions for Perl packages can be generated (almost) automatically from CPAN. This is done by the program nix-generate-from-cpan, which can be installed as follows: 

$ nix-env -f "<nixpkgs>" -iA nix-generate-from-cpan

Substitute <nixpkgs> by the path of a nixpkgs clone to use the latest version.

This program takes a Perl module name, looks it up on CPAN, fetches and unpacks the corresponding package, and prints a Nix expression on standard output. For example: 

$ nix-generate-from-cpan XML::Simple
  XMLSimple = buildPerlPackage rec {
    pname = "XML-Simple";
    version = "2.22";
    src = fetchurl {
      url = "mirror://cpan/authors/id/G/GR/GRANTM/XML-Simple-2.22.tar.gz";
      sha256 = "b9450ef22ea9644ae5d6ada086dc4300fa105be050a2030ebd4efd28c198eb49";
    };
    propagatedBuildInputs = [ XMLNamespaceSupport XMLSAX XMLSAXExpat ];
    meta = {
      description = "An API for simple XML files";
      license = with lib.licenses; [ artistic1 gpl1Plus ];
    };
  };

The output can be pasted into pkgs/top-level/perl-packages.nix or wherever else you need it.

17.25.2.2. Cross-compiling modules

Nixpkgs has experimental support for cross-compiling Perl modules. In many cases, it will just work out of the box, even for modules with native extensions. Sometimes, however, the Makefile.PL for a module may (indirectly) import a native module. In that case, you will need to make a stub for that module that will satisfy the Makefile.PL and install it into lib/perl5/site_perl/cross_perl/${perl.version}. See the postInstall for DBI for an example.

17.26. PHP

17.26.1. User Guide

17.26.1.1. Overview

Several versions of PHP are available on Nix, each of which having a wide variety of extensions and libraries available.

The different versions of PHP that nixpkgs provides are located under attributes named based on major and minor version number; e.g., php81 is PHP 8.1.

Only versions of PHP that are supported by upstream for the entirety of a given NixOS release will be included in that release of NixOS. See PHP Supported Versions.

The attribute php refers to the version of PHP considered most stable and thoroughly tested in nixpkgs for any given release of NixOS - not necessarily the latest major release from upstream.

All available PHP attributes are wrappers around their respective binary PHP package and provide commonly used extensions this way. The real PHP 7.4 package, i.e. the unwrapped one, is available as php81.unwrapped; see the next section for more details.

Interactive tools built on PHP are put in php.packages; composer is for example available at php.packages.composer.

Most extensions that come with PHP, as well as some popular third-party ones, are available in php.extensions; for example, the opcache extension shipped with PHP is available at php.extensions.opcache and the third-party ImageMagick extension at php.extensions.imagick.

17.26.1.2. Installing PHP with extensions

A PHP package with specific extensions enabled can be built using php.withExtensions. This is a function which accepts an anonymous function as its only argument; the function should accept two named parameters: enabled - a list of currently enabled extensions and all - the set of all extensions, and return a list of wanted extensions. For example, a PHP package with all default extensions and ImageMagick enabled: 

php.withExtensions ({ enabled, all }:
  enabled ++ [ all.imagick ])

To exclude some, but not all, of the default extensions, you can filter the enabled list like this: 

php.withExtensions ({ enabled, all }:
  (lib.filter (e: e != php.extensions.opcache) enabled)
  ++ [ all.imagick ])

To build your list of extensions from the ground up, you can simply ignore enabled: 

php.withExtensions ({ all, ... }: with all; [ imagick opcache ])

php.withExtensions provides extensions by wrapping a minimal php base package, providing a php.ini file listing all extensions to be loaded. You can access this package through the php.unwrapped attribute; useful if you, for example, need access to the dev output. The generated php.ini file can be accessed through the php.phpIni attribute.

If you want a PHP build with extra configuration in the php.ini file, you can use php.buildEnv. This function takes two named and optional parameters: extensions and extraConfig. extensions takes an extension specification equivalent to that of php.withExtensions, extraConfig a string of additional php.ini configuration parameters. For example, a PHP package with the opcache and ImageMagick extensions enabled, and memory_limit set to 256M: 

php.buildEnv {
  extensions = { all, ... }: with all; [ imagick opcache ];
  extraConfig = "memory_limit=256M";
}
17.26.1.2.1. Example setup for phpfpm

You can use the previous examples in a phpfpm pool called foo as follows: 

let
  myPhp = php.withExtensions ({ all, ... }: with all; [ imagick opcache ]);
in {
  services.phpfpm.pools."foo".phpPackage = myPhp;
};

let
  myPhp = php.buildEnv {
    extensions = { all, ... }: with all; [ imagick opcache ];
    extraConfig = "memory_limit=256M";
  };
in {
  services.phpfpm.pools."foo".phpPackage = myPhp;
};
17.26.1.2.2. Example usage with nix-shell

This brings up a temporary environment that contains a PHP interpreter with the extensions imagick and opcache enabled: 

nix-shell -p 'php.withExtensions ({ all, ... }: with all; [ imagick opcache ])'

17.26.1.3. Installing PHP packages with extensions

All interactive tools use the PHP package you get them from, so all packages at php.packages.* use the php package with its default extensions. Sometimes this default set of extensions isn’t enough and you may want to extend it. A common case of this is the composer package: a project may depend on certain extensions and composer won’t work with that project unless those extensions are loaded.

Example of building composer with additional extensions: 

(php.withExtensions ({ all, enabled }:
  enabled ++ (with all; [ imagick redis ]))
).packages.composer

17.26.1.4. Overriding PHP packages

php-packages.nix form a scope, allowing us to override the packages defined within. For example, to apply a patch to a mysqlnd extension, you can simply pass an overlay-style function to php’s packageOverrides argument: 

php.override {
  packageOverrides = final: prev: {
    extensions = prev.extensions // {
      mysqlnd = prev.extensions.mysqlnd.overrideAttrs (attrs: {
        patches = attrs.patches or [] ++ [
          …
        ];
      });
    };
  };
}

17.27. Python

17.27.1. User Guide

17.27.1.1. Using Python

17.27.1.1.1. Overview

Several versions of the Python interpreter are available on Nix, as well as a high amount of packages. The attribute python3 refers to the default interpreter, which is currently CPython 3.10. The attribute python refers to CPython 2.7 for backwards-compatibility. It is also possible to refer to specific versions, e.g. python39 refers to CPython 3.9, and pypy refers to the default PyPy interpreter.

Python is used a lot, and in different ways. This affects also how it is packaged. In the case of Python on Nix, an important distinction is made between whether the package is considered primarily an application, or whether it should be used as a library, i.e., of primary interest are the modules in site-packages that should be importable.

In the Nixpkgs tree Python applications can be found throughout, depending on what they do, and are called from the main package set. Python libraries, however, are in separate sets, with one set per interpreter version.

The interpreters have several common attributes. One of these attributes is pkgs, which is a package set of Python libraries for this specific interpreter. E.g., the toolz package corresponding to the default interpreter is python.pkgs.toolz, and the CPython 3.9 version is python39.pkgs.toolz. The main package set contains aliases to these package sets, e.g. pythonPackages refers to python.pkgs and python39Packages to python39.pkgs.

17.27.1.1.2. Installing Python and packages

The Nix and NixOS manuals explain how packages are generally installed. In the case of Python and Nix, it is important to make a distinction between whether the package is considered an application or a library.

Applications on Nix are typically installed into your user profile imperatively using nix-env -i, and on NixOS declaratively by adding the package name to environment.systemPackages in /etc/nixos/configuration.nix. Dependencies such as libraries are automatically installed and should not be installed explicitly.

The same goes for Python applications. Python applications can be installed in your profile, and will be wrapped to find their exact library dependencies, without impacting other applications or polluting your user environment.

But Python libraries you would like to use for development cannot be installed, at least not individually, because they won’t be able to find each other resulting in import errors. Instead, it is possible to create an environment with python.buildEnv or python.withPackages where the interpreter and other executables are wrapped to be able to find each other and all of the modules.

In the following examples we will start by creating a simple, ad-hoc environment with a nix-shell that has numpy and toolz in Python 3.9; then we will create a re-usable environment in a single-file Python script; then we will create a full Python environment for development with this same environment.

Philosphically, this should be familiar to users who are used to a venv style of development: individual projects create their own Python environments without impacting the global environment or each other.

17.27.1.1.3. Ad-hoc temporary Python environment with nix-shell

The simplest way to start playing with the way nix wraps and sets up Python environments is with nix-shell at the cmdline. These environments create a temporary shell session with a Python and a precise list of packages (plus their runtime dependencies), with no other Python packages in the Python interpreter’s scope.

To create a Python 3.9 session with numpy and toolz available, run: 

$ nix-shell -p 'python39.withPackages(ps: with ps; [ numpy toolz ])'

By default nix-shell will start a bash session with this interpreter in our PATH, so if we then run: 

[nix-shell:~/src/nixpkgs]$ python3
Python 3.9.12 (main, Mar 23 2022, 21:36:19)
[GCC 11.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import numpy; import toolz

Note that no other modules are in scope, even if they were imperatively installed into our user environment as a dependency of a Python application: 

>>> import requests
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ModuleNotFoundError: No module named 'requests'

We can add as many additional modules onto the nix-shell as we need, a