Nixpkgs Reference Manual

Version 24.11pre-git


Table of Contents

Preface
Using Nixpkgs
Platform Support
Global configuration
Overlays
Overriding
Nixpkgs lib
Functions reference
Module System
Standard environment
The Standard Environment
Meta-attributes
Passthru-attributes
Multiple-output packages
Cross-compilation
Platform Notes
Build helpers
Fetchers
Trivial build helpers
Testers
Development Shell helpers
Special build helpers
Images
Hooks reference
Languages and frameworks
Packages
Development of Nixpkgs
Opening issues
Contributing to Nixpkgs
Quick Start to Adding a Package
Coding conventions
Submitting changes
Vulnerability Roundup
Reviewing contributions
Contributing to Nixpkgs documentation
Interoperability Standards
CycloneDX

List of Examples

1. Map over leaf attributes
2. Map over an leaf attributes defined by a condition
3. lib.versions.splitVersion usage example
4. lib.versions.major usage example
5. lib.versions.minor usage example
6. lib.versions.patch usage example
7. lib.versions.majorMinor usage example
8. lib.versions.pad usage example
9. lib.options.isOption usage example
10. lib.options.mkOption usage example
11. lib.options.mkEnableOption usage example
12. lib.options.mkPackageOption usage example
13. lib.options.getValues usage example
14. lib.options.getFiles usage example
15. lib.options.showOption usage example
16. lib.path.append usage example
17. lib.path.hasPrefix usage example
18. lib.path.removePrefix usage example
19. lib.path.splitRoot usage example
20. lib.path.hasStorePathPrefix usage example
21. lib.path.subpath.isValid usage example
22. lib.path.subpath.join usage example
23. lib.path.subpath.components usage example
24. lib.path.subpath.normalise usage example
25. lib.sources.commitIdFromGitRepo usage example
26. lib.sources.cleanSource usage example
27. lib.sources.cleanSourceWith usage example
28. lib.sources.sourceByRegex usage example
29. lib.sources.sourceFilesBySuffices usage example
30. Create an interdependent package set on top of pkgs
31. Using callPackage from a scope
32. Enable debug symbols for use with GDB
33. Setting and accessing passthru attributes
34. Update source hash with the fake hash method
35. Using fetchurl to download a file
36. Using fetchurl to download a file with multiple possible URLs
37. Manipulating the content downloaded by fetchurl
38. Using fetchzip to output contents directly
39. Using fetchzip to decompress a .rar file
40. Use sparseCheckout to only include some directories:
41. Invocation of runCommandWith
42. Invocation of runCommand
43. Usage 1 of makeDesktopItem
44. Usage 2 of makeDesktopItem
45. Usage 1 of writeTextFile
46. Usage 2 of writeTextFile
47. Usage 3 of writeTextFile
48. Usage of writeText
49. Usage of writeTextDir
50. Usage of writeScript
51. Usage of writeScriptBin
52. Usage of writeShellScript
53. Usage of writeShellScriptBin
54. Check that pkg-config modules are exposed using default values
55. Check that pkg-config modules are exposed using explicit module names
56. Check hyperlinks in the nix documentation
57. Run testers.shellcheck
58. Check a program version using all the default values
59. Check the program version using a specified command and expected version string
60. Check that a build fails, and verify the changes made during build
61. Check that two paths have the same contents
62. Check that two packages produce the same derivation
63. Prevent nix from reusing the output of a fetcher
64. Run a command with network access
65. Run a NixOS test using runNixOSTest
66. Using fakeNss with dockerTools.buildImage
67. Using fakeNss with an override to add extra lines
68. Wrapping an AppImage from GitHub
69. Wrapping an AppImage with extra packages
70. Extracting an AppImage to install extra files
71. Extracting an AppImage to install extra files, using postExtract
72. Building a Docker image
73. Building a Docker image with runAsRoot
74. Building a Docker image with extraCommands
75. Building a Docker image with a creation date set to the current time
76. Building a layered Docker image
77. Streaming a layered Docker image
78. Exploring the layers in an image built with streamLayeredImage
79. Building a layered Docker image with packages directly in config
80. Pulling the nixos/nix Docker image from the default registry
81. Pulling the nixos/nix Docker image from a specific registry
82. Finding the digest and hash values to use for dockerTools.pullImage
83. Exporting a Docker image with dockerTools.exportImage
84. Importing an archive built with dockerTools.exportImage in Docker
85. Exploring output naming with dockerTools.exportImage
86. Using dockerTools.exportImage with a path as fromImage
87. Using dockerTools’s environment helpers with buildImage
88. Using dockerTools’s environment helpers with buildLayeredImage
89. Using dockerTools.shadowSetup with dockerTools.buildImage
90. Using dockerTools.shadowSetup with dockerTools.buildLayeredImage
91. Building a Docker image with buildNixShellImage with the build environment for the hello package
92. Building a Docker image with streamNixShellImage with the build environment for the hello package
93. Adding extra packages to a Docker image built with streamNixShellImage
94. Adding a shellHook to a Docker image built with streamNixShellImage
95. Creating an OCI runtime container that runs bash
96. Building a Portable Service image
97. Specifying symlinks when building a Portable Service image
98. Copying a package and its closure to another machine with mkBinaryCache
99. Navigate Java compiler variants in javaPackages with nix repl
100. List all Python packages in Nixpkgs
101. Ephemeral shell
102. Declarative shell
103. Using pkgs.zlib.override {}
104. Using pkgs.buildEmscriptenPackage {}
105. Overriding the kernel derivation
106. Using pkgs.linuxPackages_custom with a specific source, version, and config file
107. Edit-compile-run loop when developing mellanox drivers
108. Usage of pkgs.substitute
109. Usage of pkgs.substituteAll
110. Usage of pkgs.substituteAllFiles

Preface

Table of Contents

Overview of Nixpkgs

The Nix Packages collection (Nixpkgs) is a set of thousands of packages for the Nix package manager, released under a permissive MIT license. Packages are available for several platforms, and can be used with the Nix package manager on most GNU/Linux distributions as well as NixOS.

This document is the user reference manual for Nixpkgs. It describes entire public interface of Nixpkgs in a concise and orderly manner, and all relevant behaviors, with examples and cross-references.

To discover other kinds of documentation:

Overview of Nixpkgs

Nix expressions describe how to build packages from source and are collected in the nixpkgs repository. Also included in the collection are Nix expressions for NixOS modules. With these expressions the Nix package manager can build binary packages.

Packages, including the Nix packages collection, are distributed through channels. The collection is distributed for users of Nix on non-NixOS distributions through the channel nixpkgs-unstable. Users of NixOS generally use one of the nixos-* channels, e.g. nixos-22.11, which includes all packages and modules for the stable NixOS 22.11. Stable NixOS releases are generally only given security updates. More up to date packages and modules are available via the nixos-unstable channel.

Both nixos-unstable and nixpkgs-unstable follow the master branch of the nixpkgs repository, although both do lag the master branch by generally a couple of days. Updates to a channel are distributed as soon as all tests for that channel pass, e.g. this table shows the status of tests for the nixpkgs-unstable channel.

The tests are conducted by a cluster called Hydra, which also builds binary packages from the Nix expressions in Nixpkgs for x86_64-linux, i686-linux and x86_64-darwin. The binaries are made available via a binary cache.

The current Nix expressions of the channels are available in the nixpkgs repository in branches that correspond to the channel names (e.g. nixos-22.11-small).

Using Nixpkgs

Platform Support

Packages receive varying degrees of support, both in terms of maintainer attention and available computation resources for continuous integration (CI).

Below is the list of the best supported platforms:

  • x86_64-linux: Highest level of support.

  • aarch64-linux: Well supported, with most packages building successfully in CI.

  • aarch64-darwin: Receives better support than x86_64-darwin.

  • x86_64-darwin: Receives some support.

There are many other platforms with varying levels of support. The provisional platform list in Appendix A of RFC046, while not up to date, can be used as guidance.

A more formal definition of the platform support tiers is provided in RFC046, but has not been fully implemented yet.

Global configuration

Nix comes with certain defaults about which packages can and cannot be installed, based on a package’s metadata. By default, Nix will prevent installation if any of the following criteria are true:

  • The package is thought to be broken, and has had its meta.broken set to true.

  • The package isn’t intended to run on the given system, as none of its meta.platforms match the given system.

  • The package’s meta.license is set to a license which is considered to be unfree.

  • The package has known security vulnerabilities but has not or can not be updated for some reason, and a list of issues has been entered in to the package’s meta.knownVulnerabilities.

Each of these criteria can be altered in the Nixpkgs configuration.

Note

All this is checked during evaluation already, and the check includes any package that is evaluated. In particular, all build-time dependencies are checked.

A user’s Nixpkgs configuration is stored in a user-specific configuration file located at ~/.config/nixpkgs/config.nix. For example:

{
  allowUnfree = true;
}

Caution

Unfree software is not tested or built in Nixpkgs continuous integration, and therefore not cached. Most unfree licenses prohibit either executing or distributing the software.

Installing broken packages

There are two ways to try compiling a package which has been marked as broken.

  • For allowing the build of a broken package once, you can use an environment variable for a single invocation of the nix tools:

    $ export NIXPKGS_ALLOW_BROKEN=1
    
  • For permanently allowing broken packages to be built, you may add allowBroken = true; to your user’s configuration file, like this:

    {
      allowBroken = true;
    }
    

Installing packages on unsupported systems

There are also two ways to try compiling a package which has been marked as unsupported for the given system.

  • For allowing the build of an unsupported package once, you can use an environment variable for a single invocation of the nix tools:

    $ export NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM=1
    
  • For permanently allowing unsupported packages to be built, you may add allowUnsupportedSystem = true; to your user’s configuration file, like this:

    {
      allowUnsupportedSystem = true;
    }
    

The difference between a package being unsupported on some system and being broken is admittedly a bit fuzzy. If a program ought to work on a certain platform, but doesn’t, the platform should be included in meta.platforms, but marked as broken with e.g. meta.broken = !hostPlatform.isWindows. Of course, this begs the question of what “ought” means exactly. That is left to the package maintainer.

Installing unfree packages

All users of Nixpkgs are free software users, and many users (and developers) of Nixpkgs want to limit and tightly control their exposure to unfree software. At the same time, many users need (or want) to run some specific pieces of proprietary software. Nixpkgs includes some expressions for unfree software packages. By default unfree software cannot be installed and doesn’t show up in searches.

There are several ways to tweak how Nix handles a package which has been marked as unfree.

  • To temporarily allow all unfree packages, you can use an environment variable for a single invocation of the nix tools:

    $ export NIXPKGS_ALLOW_UNFREE=1
    
  • It is possible to permanently allow individual unfree packages, while still blocking unfree packages by default using the allowUnfreePredicate configuration option in the user configuration file.

    This option is a function which accepts a package as a parameter, and returns a boolean. The following example configuration accepts a package and always returns false:

    {
      allowUnfreePredicate = (pkg: false);
    }
    

    For a more useful example, try the following. This configuration only allows unfree packages named roon-server and visual studio code:

    {
      allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
        "roon-server"
        "vscode"
      ];
    }
    
  • It is also possible to allow and block licenses that are specifically acceptable or not acceptable, using allowlistedLicenses and blocklistedLicenses, respectively.

    The following example configuration allowlists the licenses amd and wtfpl:

    {
      allowlistedLicenses = with lib.licenses; [ amd wtfpl ];
    }
    

    The following example configuration blocklists the gpl3Only and agpl3Only licenses:

    {
      blocklistedLicenses = with lib.licenses; [ agpl3Only gpl3Only ];
    }
    

    Note that allowlistedLicenses only applies to unfree licenses unless allowUnfree is enabled. It is not a generic allowlist for all types of licenses. blocklistedLicenses applies to all licenses.

A complete list of licenses can be found in the file lib/licenses.nix of the nixpkgs tree.

Installing insecure packages

There are several ways to tweak how Nix handles a package which has been marked as insecure.

  • To temporarily allow all insecure packages, you can use an environment variable for a single invocation of the nix tools:

    $ export NIXPKGS_ALLOW_INSECURE=1
    
  • It is possible to permanently allow individual insecure packages, while still blocking other insecure packages by default using the permittedInsecurePackages configuration option in the user configuration file.

    The following example configuration permits the installation of the hypothetically insecure package hello, version 1.2.3:

    {
      permittedInsecurePackages = [
        "hello-1.2.3"
      ];
    }
    
  • It is also possible to create a custom policy around which insecure packages to allow and deny, by overriding the allowInsecurePredicate configuration option.

    The allowInsecurePredicate option is a function which accepts a package and returns a boolean, much like allowUnfreePredicate.

    The following configuration example allows any version of the ovftool package:

    {
      allowInsecurePredicate = pkg: builtins.elem (lib.getName pkg) [
        "ovftool"
      ];
    }
    

    Note that permittedInsecurePackages is only checked if allowInsecurePredicate is not specified.

Modify packages via packageOverrides

You can define a function called packageOverrides in your local ~/.config/nixpkgs/config.nix to override Nix packages. It must be a function that takes pkgs as an argument and returns a modified set of packages.

{
  packageOverrides = pkgs: rec {
    foo = pkgs.foo.override { /* ... */ };
  };
}

config Options Reference

The following attributes can be passed in config.

enableParallelBuildingByDefault

Whether to set enableParallelBuilding to true by default while building nixpkgs packages. Changing the default may cause a mass rebuild.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
allowAliases

Whether to expose old attribute names for compatibility.

The recommended setting is to enable this, as it improves backward compatibility, easing updates.

The only reason to disable aliases is for continuous integration purposes. For instance, Nixpkgs should not depend on aliases in its internal code. Projects that aren’t Nixpkgs should be cautious of instantly removing all usages of aliases, as migrating too soon can break compatibility with the stable Nixpkgs releases.

Type: boolean

Default: true

Declared by:

pkgs/top-level/config.nix
allowBroken

Whether to allow broken packages.

See Installing broken packages in the NixOS manual.

Type: boolean

Default: false || builtins.getEnv "NIXPKGS_ALLOW_BROKEN" == "1"

Declared by:

pkgs/top-level/config.nix
allowUnfree

Whether to allow unfree packages.

See Installing unfree packages in the NixOS manual.

Type: boolean

Default: false || builtins.getEnv "NIXPKGS_ALLOW_UNFREE" == "1"

Declared by:

pkgs/top-level/config.nix
allowUnsupportedSystem

Whether to allow unsupported packages.

See Installing packages on unsupported systems in the NixOS manual.

Type: boolean

Default: false || builtins.getEnv "NIXPKGS_ALLOW_UNSUPPORTED_SYSTEM" == "1"

Declared by:

pkgs/top-level/config.nix
checkMeta

Whether to check that the meta attribute of derivations are correct during evaluation time.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
configurePlatformsByDefault

Whether to set configurePlatforms to ["build" "host"] by default while building nixpkgs packages. Changing the default may cause a mass rebuild.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
contentAddressedByDefault

Whether to set __contentAddressed to true by default while building nixpkgs packages. Changing the default may cause a mass rebuild.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
cudaSupport

Whether to build packages with CUDA support by default while building nixpkgs packages. Changing the default may cause a mass rebuild.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
doCheckByDefault

Whether to run checkPhase by default while building nixpkgs packages. Changing the default may cause a mass rebuild.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
replaceBootstrapFiles

Use the bootstrap files returned instead of the default bootstrap files. The default bootstrap files are passed as an argument. Changing the default may cause a mass rebuild.

Type: function that evaluates to a(n) attribute set of package

Default: lib.id

Example:

prevFiles:
let
  replacements = {
    "sha256-YQlr088HPoVWBU2jpPhpIMyOyoEDZYDw1y60SGGbUM0=" = import <nix/fetchurl.nix> {
      url = "(custom glibc linux x86_64 bootstrap-tools.tar.xz)";
      hash = "(...)";
    };
    "sha256-QrTEnQTBM1Y/qV9odq8irZkQSD9uOMbs2Q5NgCvKCNQ=" = import <nix/fetchurl.nix> {
      url = "(custom glibc linux x86_64 busybox)";
      hash = "(...)";
      executable = true;
    };
  };
in
builtins.mapAttrs (name: prev: replacements.${prev.outputHash} or prev) prevFiles

Declared by:

pkgs/top-level/config.nix
rocmSupport

Whether to build packages with ROCm support by default while building nixpkgs packages. Changing the default may cause a mass rebuild.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
showDerivationWarnings

Which warnings to display for potentially dangerous or deprecated values passed into stdenv.mkDerivation.

A list of warnings can be found in /pkgs/stdenv/generic/check-meta.nix.

This is not a stable interface; warnings may be added, changed or removed without prior notice.

Type: list of value “maintainerless” (singular enum)

Default: [ ]

Declared by:

pkgs/top-level/config.nix
strictDepsByDefault

Whether to set strictDeps to true by default while building nixpkgs packages. Changing the default may cause a mass rebuild.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
structuredAttrsByDefault

Whether to set __structuredAttrs to true by default while building nixpkgs packages. Changing the default may cause a mass rebuild.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix
warnUndeclaredOptions

Whether to warn when config contains an unrecognized attribute.

Type: boolean

Default: false

Declared by:

pkgs/top-level/config.nix

Declarative Package Management

Build an environment

Using packageOverrides, it is possible to manage packages declaratively. This means that we can list all of our desired packages within a declarative Nix expression. For example, to have aspell, bc, ffmpeg, coreutils, gdb, nixUnstable, emscripten, jq, nox, and silver-searcher, we could use the following in ~/.config/nixpkgs/config.nix:

{
  packageOverrides = pkgs: with pkgs; {
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [
        aspell
        bc
        coreutils
        gdb
        ffmpeg
        nixUnstable
        emscripten
        jq
        nox
        silver-searcher
      ];
    };
  };
}

To install it into our environment, you can just run nix-env -iA nixpkgs.myPackages. If you want to load the packages to be built from a working copy of nixpkgs you just run nix-env -f. -iA myPackages. To explore what’s been installed, just look through ~/.nix-profile/. You can see that a lot of stuff has been installed. Some of this stuff is useful some of it isn’t. Let’s tell Nixpkgs to only link the stuff that we want:

{
  packageOverrides = pkgs: with pkgs; {
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [
        aspell
        bc
        coreutils
        gdb
        ffmpeg
        nixUnstable
        emscripten
        jq
        nox
        silver-searcher
      ];
      pathsToLink = [ "/share" "/bin" ];
    };
  };
}

pathsToLink tells Nixpkgs to only link the paths listed which gets rid of the extra stuff in the profile. /bin and /share are good defaults for a user environment, getting rid of the clutter. If you are running on Nix on MacOS, you may want to add another path as well, /Applications, that makes GUI apps available.

Getting documentation

After building that new environment, look through ~/.nix-profile to make sure everything is there that we wanted. Discerning readers will note that some files are missing. Look inside ~/.nix-profile/share/man/man1/ to verify this. There are no man pages for any of the Nix tools! This is because some packages like Nix have multiple outputs for things like documentation (see section 4). Let’s make Nix install those as well.

{
  packageOverrides = pkgs: with pkgs; {
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [
        aspell
        bc
        coreutils
        ffmpeg
        nixUnstable
        emscripten
        jq
        nox
        silver-searcher
      ];
      pathsToLink = [ "/share/man" "/share/doc" "/bin" ];
      extraOutputsToInstall = [ "man" "doc" ];
    };
  };
}

This provides us with some useful documentation for using our packages. However, if we actually want those manpages to be detected by man, we need to set up our environment. This can also be managed within Nix expressions.

{
  packageOverrides = pkgs: with pkgs; rec {
    myProfile = writeText "my-profile" ''
      export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
      export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
    '';
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [
        (runCommand "profile" {} ''
          mkdir -p $out/etc/profile.d
          cp ${myProfile} $out/etc/profile.d/my-profile.sh
        '')
        aspell
        bc
        coreutils
        ffmpeg
        man
        nixUnstable
        emscripten
        jq
        nox
        silver-searcher
      ];
      pathsToLink = [ "/share/man" "/share/doc" "/bin" "/etc" ];
      extraOutputsToInstall = [ "man" "doc" ];
    };
  };
}

For this to work fully, you must also have this script sourced when you are logged in. Try adding something like this to your ~/.profile file:

#!/bin/sh
if [ -d "${HOME}/.nix-profile/etc/profile.d" ]; then
  for i in "${HOME}/.nix-profile/etc/profile.d/"*.sh; do
    if [ -r "$i" ]; then
      . "$i"
    fi
  done
fi

Now just run . "${HOME}/.profile" and you can start loading man pages from your environment.

GNU info setup

Configuring GNU info is a little bit trickier than man pages. To work correctly, info needs a database to be generated. This can be done with some small modifications to our environment scripts.

{
  packageOverrides = pkgs: with pkgs; rec {
    myProfile = writeText "my-profile" ''
      export PATH=$HOME/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/sbin:/bin:/usr/sbin:/usr/bin
      export MANPATH=$HOME/.nix-profile/share/man:/nix/var/nix/profiles/default/share/man:/usr/share/man
      export INFOPATH=$HOME/.nix-profile/share/info:/nix/var/nix/profiles/default/share/info:/usr/share/info
    '';
    myPackages = pkgs.buildEnv {
      name = "my-packages";
      paths = [
        (runCommand "profile" {} ''
          mkdir -p $out/etc/profile.d
          cp ${myProfile} $out/etc/profile.d/my-profile.sh
        '')
        aspell
        bc
        coreutils
        ffmpeg
        man
        nixUnstable
        emscripten
        jq
        nox
        silver-searcher
        texinfoInteractive
      ];
      pathsToLink = [ "/share/man" "/share/doc" "/share/info" "/bin" "/etc" ];
      extraOutputsToInstall = [ "man" "doc" "info" ];
      postBuild = ''
        if [ -x $out/bin/install-info -a -w $out/share/info ]; then
          shopt -s nullglob
          for i in $out/share/info/*.info $out/share/info/*.info.gz; do
              $out/bin/install-info $i $out/share/info/dir
          done
        fi
      '';
    };
  };
}

postBuild tells Nixpkgs to run a command after building the environment. In this case, install-info adds the installed info pages to dir which is GNU info’s default root node. Note that texinfoInteractive is added to the environment to give the install-info command.

Overlays

This chapter describes how to extend and change Nixpkgs using overlays. Overlays are used to add layers in the fixed-point used by Nixpkgs to compose the set of all packages.

Nixpkgs can be configured with a list of overlays, which are applied in order. This means that the order of the overlays can be significant if multiple layers override the same package.

Installing overlays

The list of overlays can be set either explicitly in a Nix expression, or through <nixpkgs-overlays> or user configuration files.

Set overlays in NixOS or Nix expressions

On a NixOS system the value of the nixpkgs.overlays option, if present, is passed to the system Nixpkgs directly as an argument. Note that this does not affect the overlays for non-NixOS operations (e.g. nix-env), which are looked up independently.

The list of overlays can be passed explicitly when importing nixpkgs, for example import <nixpkgs> { overlays = [ overlay1 overlay2 ]; }.

NOTE: DO NOT USE THIS in nixpkgs. Further overlays can be added by calling the pkgs.extend or pkgs.appendOverlays, although it is often preferable to avoid these functions, because they recompute the Nixpkgs fixpoint, which is somewhat expensive to do.

Install overlays via configuration lookup

The list of overlays is determined as follows.

  1. First, if an overlays argument to the Nixpkgs function itself is given, then that is used and no path lookup will be performed.

  2. Otherwise, if the Nix path entry <nixpkgs-overlays> exists, we look for overlays at that path, as described below.

    See the section on NIX_PATH in the Nix manual for more details on how to set a value for <nixpkgs-overlays>.

  3. If one of ~/.config/nixpkgs/overlays.nix and ~/.config/nixpkgs/overlays/ exists, then we look for overlays at that path, as described below. It is an error if both exist.

If we are looking for overlays at a path, then there are two cases:

  • If the path is a file, then the file is imported as a Nix expression and used as the list of overlays.

  • If the path is a directory, then we take the content of the directory, order it lexicographically, and attempt to interpret each as an overlay by:

    • Importing the file, if it is a .nix file.

    • Importing a top-level default.nix file, if it is a directory.

Because overlays that are set in NixOS configuration do not affect non-NixOS operations such as nix-env, the overlays.nix option provides a convenient way to use the same overlays for a NixOS system configuration and user configuration: the same file can be used as overlays.nix and imported as the value of nixpkgs.overlays.

Defining overlays

Overlays are Nix functions which accept two arguments, conventionally called self and super, and return a set of packages. For example, the following is a valid overlay.

self: super:

{
  boost = super.boost.override {
    python = self.python3;
  };
  rr = super.callPackage ./pkgs/rr {
    stdenv = self.stdenv_32bit;
  };
}

The first argument (self) corresponds to the final package set. You should use this set for the dependencies of all packages specified in your overlay. For example, all the dependencies of rr in the example above come from self, as well as the overridden dependencies used in the boost override.

The second argument (super) corresponds to the result of the evaluation of the previous stages of Nixpkgs. It does not contain any of the packages added by the current overlay, nor any of the following overlays. This set should be used either to refer to packages you wish to override, or to access functions defined in Nixpkgs. For example, the original recipe of boost in the above example, comes from super, as well as the callPackage function.

The value returned by this function should be a set similar to pkgs/top-level/all-packages.nix, containing overridden and/or new packages.

Overlays are similar to other methods for customizing Nixpkgs, in particular the packageOverrides attribute described in the section called “Modify packages via packageOverrides. Indeed, packageOverrides acts as an overlay with only the super argument. It is therefore appropriate for basic use, but overlays are more powerful and easier to distribute.

Using overlays to configure alternatives

Certain software packages have different implementations of the same interface. Other distributions have functionality to switch between these. For example, Debian provides DebianAlternatives. Nixpkgs has what we call alternatives, which are configured through overlays.

BLAS/LAPACK

In Nixpkgs, we have multiple implementations of the BLAS/LAPACK numerical linear algebra interfaces. They are:

  • OpenBLAS

    The Nixpkgs attribute is openblas for ILP64 (integer width = 64 bits) and openblasCompat for LP64 (integer width = 32 bits). openblasCompat is the default.

  • LAPACK reference (also provides BLAS and CBLAS)

    The Nixpkgs attribute is lapack-reference.

  • Intel MKL (only works on the x86_64 architecture, unfree)

    The Nixpkgs attribute is mkl.

  • BLIS

    BLIS, available through the attribute blis, is a framework for linear algebra kernels. In addition, it implements the BLAS interface.

  • AMD BLIS/LIBFLAME (optimized for modern AMD x86_64 CPUs)

    The AMD fork of the BLIS library, with attribute amd-blis, extends BLIS with optimizations for modern AMD CPUs. The changes are usually submitted to the upstream BLIS project after some time. However, AMD BLIS typically provides some performance improvements on AMD Zen CPUs. The complementary AMD LIBFLAME library, with attribute amd-libflame, provides a LAPACK implementation.

Introduced in PR #83888, we are able to override the blas and lapack packages to use different implementations, through the blasProvider and lapackProvider argument. This can be used to select a different provider. BLAS providers will have symlinks in $out/lib/libblas.so.3 and $out/lib/libcblas.so.3 to their respective BLAS libraries. Likewise, LAPACK providers will have symlinks in $out/lib/liblapack.so.3 and $out/lib/liblapacke.so.3 to their respective LAPACK libraries. For example, Intel MKL is both a BLAS and LAPACK provider. An overlay can be created to use Intel MKL that looks like:

self: super:

{
  blas = super.blas.override {
    blasProvider = self.mkl;
  };

  lapack = super.lapack.override {
    lapackProvider = self.mkl;
  };
}

This overlay uses Intel’s MKL library for both BLAS and LAPACK interfaces. Note that the same can be accomplished at runtime using LD_LIBRARY_PATH of libblas.so.3 and liblapack.so.3. For instance:

$ LD_LIBRARY_PATH=$(nix-build -A mkl)/lib${LD_LIBRARY_PATH:+:}$LD_LIBRARY_PATH nix-shell -p octave --run octave

Intel MKL requires an openmp implementation when running with multiple processors. By default, mkl will use Intel’s iomp implementation if no other is specified, but this is a runtime-only dependency and binary compatible with the LLVM implementation. To use that one instead, Intel recommends users set it with LD_PRELOAD. Note that mkl is only available on x86_64-linux and x86_64-darwin. Moreover, Hydra is not building and distributing pre-compiled binaries using it.

To override blas and lapack with its reference implementations (i.e. for development purposes), one can use the following overlay:

self: super:

{
  blas = super.blas.override {
    blasProvider = self.lapack-reference;
  };

  lapack = super.lapack.override {
    lapackProvider = self.lapack-reference;
  };
}

For BLAS/LAPACK switching to work correctly, all packages must depend on blas or lapack. This ensures that only one BLAS/LAPACK library is used at one time. There are two versions of BLAS/LAPACK currently in the wild, LP64 (integer size = 32 bits) and ILP64 (integer size = 64 bits). The attributes blas and lapack are LP64 by default. Their ILP64 version are provided through the attributes blas-ilp64 and lapack-ilp64. Some software needs special flags or patches to work with ILP64. You can check if ILP64 is used in Nixpkgs with blas.isILP64 and lapack.isILP64. Some software does NOT work with ILP64, and derivations need to specify an assertion to prevent this. You can prevent ILP64 from being used with the following:

{ stdenv, blas, lapack, ... }:

assert (!blas.isILP64) && (!lapack.isILP64);

stdenv.mkDerivation {
  # ...
}

Switching the MPI implementation

All programs that are built with MPI support use the generic attribute mpi as an input. At the moment Nixpkgs natively provides two different MPI implementations:

  • Open MPI (default), attribute name openmpi

  • MPICH, attribute name mpich

  • MVAPICH, attribute name mvapich

To provide MPI enabled applications that use MPICH, instead of the default Open MPI, use the following overlay:

self: super:

{
  mpi = self.mpich;
}

Overriding

Sometimes one wants to override parts of nixpkgs, e.g. derivation attributes, the results of derivations.

These functions are used to make changes to packages, returning only single packages. Overlays, on the other hand, can be used to combine the overridden packages across the entire package set of Nixpkgs.

<pkg>.override

The function override is usually available for all the derivations in the nixpkgs expression (pkgs).

It is used to override the arguments passed to a function.

Example usages:

pkgs.foo.override { arg1 = val1; arg2 = val2; /* ... */ }

It’s also possible to access the previous arguments.

pkgs.foo.override (previous: { arg1 = previous.arg1; /* ... */ })
import pkgs.path { overlays = [ (self: super: {
  foo = super.foo.override { barSupport = true ; };
  })];}
{
  mypkg = pkgs.callPackage ./mypkg.nix {
    mydep = pkgs.mydep.override { /* ... */ };
  };
}

In the first example, pkgs.foo is the result of a function call with some default arguments, usually a derivation. Using pkgs.foo.override will call the same function with the given new arguments.

Many packages, like the foo example above, provide package options with default values in their arguments, to facilitate overriding. Because it’s not usually feasible to test that packages build with all combinations of options, you might find that a package doesn’t build if you override options to non-default values.

Package maintainers are not expected to fix arbitrary combinations of options. If you find that something doesn’t work, please submit a fix, ideally with a regression test. If you want to ensure that things keep working, consider becoming a maintainer for the package.

<pkg>.overrideAttrs

The function overrideAttrs allows overriding the attribute set passed to a stdenv.mkDerivation call, producing a new derivation based on the original one. This function is available on all derivations produced by the stdenv.mkDerivation function, which is most packages in the nixpkgs expression pkgs.

Example usages:

{
  helloBar = pkgs.hello.overrideAttrs (finalAttrs: previousAttrs: {
    pname = previousAttrs.pname + "-bar";
  });
}

In the above example, “-bar” is appended to the pname attribute, while all other attributes will be retained from the original hello package.

The argument previousAttrs is conventionally used to refer to the attr set originally passed to stdenv.mkDerivation.

The argument finalAttrs refers to the final attributes passed to mkDerivation, plus the finalPackage attribute which is equal to the result of mkDerivation or subsequent overrideAttrs calls.

If only a one-argument function is written, the argument has the meaning of previousAttrs.

Function arguments can be omitted entirely if there is no need to access previousAttrs or finalAttrs.

{
  helloWithDebug = pkgs.hello.overrideAttrs {
    separateDebugInfo = true;
  };
}

In the above example, the separateDebugInfo attribute is overridden to be true, thus building debug info for helloWithDebug.

Note

Note that separateDebugInfo is processed only by the stdenv.mkDerivation function, not the generated, raw Nix derivation. Thus, using overrideDerivation will not work in this case, as it overrides only the attributes of the final derivation. It is for this reason that overrideAttrs should be preferred in (almost) all cases to overrideDerivation, i.e. to allow using stdenv.mkDerivation to process input arguments, as well as the fact that it is easier to use (you can use the same attribute names you see in your Nix code, instead of the ones generated (e.g. buildInputs vs nativeBuildInputs), and it involves less typing).

<pkg>.overrideDerivation

Warning

You should prefer overrideAttrs in almost all cases, see its documentation for the reasons why. overrideDerivation is not deprecated and will continue to work, but is less nice to use and does not have as many abilities as overrideAttrs.

Warning

Do not use this function in Nixpkgs as it evaluates a derivation before modifying it, which breaks package abstraction. In addition, this evaluation-per-function application incurs a performance penalty, which can become a problem if many overrides are used. It is only intended for ad-hoc customisation, such as in ~/.config/nixpkgs/config.nix.

The function overrideDerivation creates a new derivation based on an existing one by overriding the original’s attributes with the attribute set produced by the specified function. This function is available on all derivations defined using the makeOverridable function. Most standard derivation-producing functions, such as stdenv.mkDerivation, are defined using this function, which means most packages in the nixpkgs expression, pkgs, have this function.

Example usage:

{
  mySed = pkgs.gnused.overrideDerivation (oldAttrs: {
    name = "sed-4.2.2-pre";
    src = fetchurl {
      url = "ftp://alpha.gnu.org/gnu/sed/sed-4.2.2-pre.tar.bz2";
      hash = "sha256-MxBJRcM2rYzQYwJ5XKxhXTQByvSg5jZc5cSHEZoB2IY=";
    };
    patches = [];
  });
}

In the above example, the name, src, and patches of the derivation will be overridden, while all other attributes will be retained from the original derivation.

The argument oldAttrs is used to refer to the attribute set of the original derivation.

Note

A package’s attributes are evaluated before being modified by the overrideDerivation function. For example, the name attribute reference in url = "mirror://gnu/hello/${name}.tar.gz"; is filled-in before the overrideDerivation function modifies the attribute set. This means that overriding the name attribute, in this example, will not change the value of the url attribute. Instead, we need to override both the name and url attributes.

lib.makeOverridable

The function lib.makeOverridable is used to make the result of a function easily customizable. This utility only makes sense for functions that accept an argument set and return an attribute set.

Example usage:

{
  f = { a, b }: { result = a+b; };
  c = lib.makeOverridable f { a = 1; b = 2; };
}

The variable c is the value of the f function applied with some default arguments. Hence the value of c.result is 3, in this example.

The variable c however also has some additional functions, like c.override which can be used to override the default arguments. In this example the value of (c.override { a = 4; }).result is 6.

Nixpkgs lib

Functions reference

The nixpkgs repository has several utility functions to manipulate Nix expressions.

Nixpkgs Library Functions

Nixpkgs provides a standard library at pkgs.lib, or through import <nixpkgs/lib>.

lib.asserts: assertion functions

lib.asserts.assertMsg

Throw if pred is false, else return pred. Intended to be used to augment asserts with helpful error messages.

Inputs
pred

Predicate that needs to succeed, otherwise msg is thrown

msg

Message to throw in case pred fails

Type
assertMsg :: Bool -> String -> Bool
Examples
Example 1. lib.asserts.assertMsg usage example
assertMsg false "nope"
stderr> error: nope
assert assertMsg ("foo" == "bar") "foo is not bar, silly"; ""
stderr> error: foo is not bar, silly

Located at lib/asserts.nix:39 in <nixpkgs>.

lib.asserts.assertOneOf

Specialized assertMsg for checking if val is one of the elements of the list xs. Useful for checking enums.

Inputs
name

The name of the variable the user entered val into, for inclusion in the error message

val

The value of what the user provided, to be compared against the values in xs

xs

The list of valid values

Type
assertOneOf :: String -> ComparableVal -> List ComparableVal -> Bool
Examples
Example 2. lib.asserts.assertOneOf usage example
let sslLibrary = "libressl";
in assertOneOf "sslLibrary" sslLibrary [ "openssl" "bearssl" ]
stderr> error: sslLibrary must be one of [
stderr>   "openssl"
stderr>   "bearssl"
stderr> ], but is: "libressl"

Located at lib/asserts.nix:80 in <nixpkgs>.

lib.asserts.assertEachOneOf

Specialized assertMsg for checking if every one of vals is one of the elements of the list xs. Useful for checking lists of supported attributes.

Inputs
name

The name of the variable the user entered val into, for inclusion in the error message

vals

The list of values of what the user provided, to be compared against the values in xs

xs

The list of valid values

Type
assertEachOneOf :: String -> List ComparableVal -> List ComparableVal -> Bool
Examples
Example 3. lib.asserts.assertEachOneOf usage example
let sslLibraries = [ "libressl" "bearssl" ];
in assertEachOneOf "sslLibraries" sslLibraries [ "openssl" "bearssl" ]
stderr> error: each element in sslLibraries must be one of [
stderr>   "openssl"
stderr>   "bearssl"
stderr> ], but is: [
stderr>   "libressl"
stderr>   "bearssl"
stderr> ]

Located at lib/asserts.nix:128 in <nixpkgs>.

lib.attrsets: attribute set functions

Operations on attribute sets.

lib.attrsets.attrByPath

Return an attribute from nested attribute sets.

Nix has an attribute selection operator . or which is sufficient for such queries, as long as the number of attributes is static. For example:

(x.a.b or 6) == attrByPath ["a" "b"] 6 x
# and
(x.${f p}."example.com" or 6) == attrByPath [ (f p) "example.com" ] 6 x
Inputs
attrPath

A list of strings representing the attribute path to return from set

default

Default value if attrPath does not resolve to an existing value

set

The nested attribute set to select values from

Type
attrByPath :: [String] -> Any -> AttrSet -> Any
Examples
Example 4. lib.attrsets.attrByPath usage example
x = { a = { b = 3; }; }
# ["a" "b"] is equivalent to x.a.b
# 6 is a default value to return if the path does not exist in attrset
attrByPath ["a" "b"] 6 x
=> 3
attrByPath ["z" "z"] 6 x
=> 6

Located at lib/attrsets.nix:65 in <nixpkgs>.

lib.attrsets.hasAttrByPath

Return if an attribute from nested attribute set exists.

Nix has a has attribute operator ?, which is sufficient for such queries, as long as the number of attributes is static. For example:

(x?a.b) == hasAttrByPath ["a" "b"] x
# and
(x?${f p}."example.com") == hasAttrByPath [ (f p) "example.com" ] x

Laws:

  1. hasAttrByPath [] x == true
    
Inputs
attrPath

A list of strings representing the attribute path to check from set

e

The nested attribute set to check

Type
hasAttrByPath :: [String] -> AttrSet -> Bool
Examples
Example 5. lib.attrsets.hasAttrByPath usage example
x = { a = { b = 3; }; }
hasAttrByPath ["a" "b"] x
=> true
hasAttrByPath ["z" "z"] x
=> false
hasAttrByPath [] (throw "no need")
=> true

Located at lib/attrsets.nix:133 in <nixpkgs>.

lib.attrsets.longestValidPathPrefix

Return the longest prefix of an attribute path that refers to an existing attribute in a nesting of attribute sets.

Can be used after mapAttrsRecursiveCond to apply a condition, although this will evaluate the predicate function on sibling attributes as well.

Note that the empty attribute path is valid for all values, so this function only throws an exception if any of its inputs does.

Laws:

  1. attrsets.longestValidPathPrefix [] x == []
    
  2. hasAttrByPath (attrsets.longestValidPathPrefix p x) x == true
    
Inputs
attrPath

A list of strings representing the longest possible path that may be returned.

v

The nested attribute set to check.

Type
attrsets.longestValidPathPrefix :: [String] -> Value -> [String]
Examples
Example 6. lib.attrsets.longestValidPathPrefix usage example
x = { a = { b = 3; }; }
attrsets.longestValidPathPrefix ["a" "b" "c"] x
=> ["a" "b"]
attrsets.longestValidPathPrefix ["a"] x
=> ["a"]
attrsets.longestValidPathPrefix ["z" "z"] x
=> []
attrsets.longestValidPathPrefix ["z" "z"] (throw "no need")
=> []

Located at lib/attrsets.nix:202 in <nixpkgs>.

lib.attrsets.setAttrByPath

Create a new attribute set with value set at the nested attribute location specified in attrPath.

Inputs
attrPath

A list of strings representing the attribute path to set

value

The value to set at the location described by attrPath

Type
setAttrByPath :: [String] -> Any -> AttrSet
Examples
Example 7. lib.attrsets.setAttrByPath usage example
setAttrByPath ["a" "b"] 3
=> { a = { b = 3; }; }

Located at lib/attrsets.nix:265 in <nixpkgs>.

lib.attrsets.getAttrFromPath

Like attrByPath, but without a default value. If it doesn’t find the path it will throw an error.

Nix has an attribute selection operator which is sufficient for such queries, as long as the number of attributes is static. For example:

x.a.b == getAttrByPath ["a" "b"] x
# and
x.${f p}."example.com" == getAttrByPath [ (f p) "example.com" ] x
Inputs
attrPath

A list of strings representing the attribute path to get from set

set

The nested attribute set to find the value in.

Type
getAttrFromPath :: [String] -> AttrSet -> Any
Examples
Example 8. lib.attrsets.getAttrFromPath usage example
x = { a = { b = 3; }; }
getAttrFromPath ["a" "b"] x
=> 3
getAttrFromPath ["z" "z"] x
=> error: cannot find attribute `z.z'

Located at lib/attrsets.nix:319 in <nixpkgs>.

lib.attrsets.concatMapAttrs

Map each attribute in the given set and merge them into a new attribute set.

Inputs
f

1. Function argument

v

2. Function argument

Type
concatMapAttrs :: (String -> a -> AttrSet) -> AttrSet -> AttrSet
Examples
Example 9. lib.attrsets.concatMapAttrs usage example
concatMapAttrs
  (name: value: {
    ${name} = value;
    ${name + value} = value;
  })
  { x = "a"; y = "b"; }
=> { x = "a"; xa = "a"; y = "b"; yb = "b"; }

Located at lib/attrsets.nix:360 in <nixpkgs>.

lib.attrsets.updateManyAttrsByPath

Update or set specific paths of an attribute set.

Takes a list of updates to apply and an attribute set to apply them to, and returns the attribute set with the updates applied. Updates are represented as { path = ...; update = ...; } values, where path is a list of strings representing the attribute path that should be updated, and update is a function that takes the old value at that attribute path as an argument and returns the new value it should be.

Properties:

  • Updates to deeper attribute paths are applied before updates to more shallow attribute paths

  • Multiple updates to the same attribute path are applied in the order they appear in the update list

  • If any but the last path element leads into a value that is not an attribute set, an error is thrown

  • If there is an update for an attribute path that doesn’t exist, accessing the argument in the update function causes an error, but intermediate attribute sets are implicitly created as needed

Type
updateManyAttrsByPath :: [{ path :: [String]; update :: (Any -> Any); }] -> AttrSet -> AttrSet
Examples
Example 10. lib.attrsets.updateManyAttrsByPath usage example
updateManyAttrsByPath [
  {
    path = [ "a" "b" ];
    update = old: { d = old.c; };
  }
  {
    path = [ "a" "b" "c" ];
    update = old: old + 1;
  }
  {
    path = [ "x" "y" ];
    update = old: "xy";
  }
] { a.b.c = 0; }
=> { a = { b = { d = 1; }; }; x = { y = "xy"; }; }

Located at lib/attrsets.nix:423 in <nixpkgs>.

lib.attrsets.attrVals

Return the specified attributes from a set.

Inputs
nameList

The list of attributes to fetch from set. Each attribute name must exist on the attrbitue set

set

The set to get attribute values from

Type
attrVals :: [String] -> AttrSet -> [Any]
Examples
Example 11. lib.attrsets.attrVals usage example
attrVals ["a" "b" "c"] as
=> [as.a as.b as.c]

Located at lib/attrsets.nix:513 in <nixpkgs>.

lib.attrsets.attrValues

Return the values of all attributes in the given set, sorted by attribute name.

Type
attrValues :: AttrSet -> [Any]
Examples
Example 12. lib.attrsets.attrValues usage example
attrValues {c = 3; a = 1; b = 2;}
=> [1 2 3]

Located at lib/attrsets.nix:539 in <nixpkgs>.

lib.attrsets.getAttrs

Given a set of attribute names, return the set of the corresponding attributes from the given set.

Inputs
names

A list of attribute names to get out of set

attrs

The set to get the named attributes from

Type
getAttrs :: [String] -> AttrSet -> AttrSet
Examples
Example 13. lib.attrsets.getAttrs usage example
getAttrs [ "a" "b" ] { a = 1; b = 2; c = 3; }
=> { a = 1; b = 2; }

Located at lib/attrsets.nix:574 in <nixpkgs>.

lib.attrsets.catAttrs

Collect each attribute named attr from a list of attribute sets. Sets that don’t contain the named attribute are ignored.

Inputs
attr

The attribute name to get out of the sets.

list

The list of attribute sets to go through

Type
catAttrs :: String -> [AttrSet] -> [Any]
Examples
Example 14. lib.attrsets.catAttrs usage example
catAttrs "a" [{a = 1;} {b = 0;} {a = 2;}]
=> [1 2]

Located at lib/attrsets.nix:609 in <nixpkgs>.

lib.attrsets.filterAttrs

Filter an attribute set by removing all attributes for which the given predicate return false.

Inputs
pred

Predicate taking an attribute name and an attribute value, which returns true to include the attribute, or false to exclude the attribute.

set

The attribute set to filter

Type
filterAttrs :: (String -> Any -> Bool) -> AttrSet -> AttrSet
Examples
Example 15. lib.attrsets.filterAttrs usage example
filterAttrs (n: v: n == "foo") { foo = 1; bar = 2; }
=> { foo = 1; }

Located at lib/attrsets.nix:644 in <nixpkgs>.

lib.attrsets.filterAttrsRecursive

Filter an attribute set recursively by removing all attributes for which the given predicate return false.

Inputs
pred

Predicate taking an attribute name and an attribute value, which returns true to include the attribute, or false to exclude the attribute.

set

The attribute set to filter

Type
filterAttrsRecursive :: (String -> Any -> Bool) -> AttrSet -> AttrSet
Examples
Example 16. lib.attrsets.filterAttrsRecursive usage example
filterAttrsRecursive (n: v: v != null) { foo = { bar = null; }; }
=> { foo = {}; }

Located at lib/attrsets.nix:681 in <nixpkgs>.

lib.attrsets.foldlAttrs

Like lib.lists.foldl' but for attribute sets. Iterates over every name-value pair in the given attribute set. The result of the callback function is often called acc for accumulator. It is passed between callbacks from left to right and the final acc is the return value of foldlAttrs.

Attention:

There is a completely different function lib.foldAttrs which has nothing to do with this function, despite the similar name.

Inputs
f

1. Function argument

init

2. Function argument

set

3. Function argument

Type
foldlAttrs :: ( a -> String -> b -> a ) -> a -> { ... :: b } -> a
Examples
Example 17. lib.attrsets.foldlAttrs usage example
foldlAttrs
  (acc: name: value: {
    sum = acc.sum + value;
    names = acc.names ++ [name];
  })
  { sum = 0; names = []; }
  {
    foo = 1;
    bar = 10;
  }
->
  {
    sum = 11;
    names = ["bar" "foo"];
  }

foldlAttrs
  (throw "function not needed")
  123
  {};
->
  123

foldlAttrs
  (acc: _: _: acc)
  3
  { z = throw "value not needed"; a = throw "value not needed"; };
->
  3

The accumulator doesn't have to be an attrset.
It can be as simple as a number or string.

foldlAttrs
  (acc: _: v: acc * 10 + v)
  1
  { z = 1; a = 2; };
->
  121

Located at lib/attrsets.nix:775 in <nixpkgs>.

lib.attrsets.foldAttrs

Apply fold functions to values grouped by key.

Inputs
op

A function, given a value and a collector combines the two.

nul

The starting value.

list_of_attrs

A list of attribute sets to fold together by key.

Type
foldAttrs :: (Any -> Any -> Any) -> Any -> [AttrSets] -> Any
Examples
Example 18. lib.attrsets.foldAttrs usage example
foldAttrs (item: acc: [item] ++ acc) [] [{ a = 2; } { a = 3; }]
=> { a = [ 2 3 ]; }

Located at lib/attrsets.nix:816 in <nixpkgs>.

lib.attrsets.collect

Recursively collect sets that verify a given predicate named pred from the set attrs. The recursion is stopped when the predicate is verified.

Inputs
pred

Given an attribute’s value, determine if recursion should stop.

attrs

The attribute set to recursively collect.

Type
collect :: (AttrSet -> Bool) -> AttrSet -> [x]
Examples
Example 19. lib.attrsets.collect usage example
collect isList { a = { b = ["b"]; }; c = [1]; }
=> [["b"] [1]]

collect (x: x ? outPath)
   { a = { outPath = "a/"; }; b = { outPath = "b/"; }; }
=> [{ outPath = "a/"; } { outPath = "b/"; }]

Located at lib/attrsets.nix:864 in <nixpkgs>.

lib.attrsets.cartesianProduct

Return the cartesian product of attribute set value combinations.

Inputs
attrsOfLists

Attribute set with attributes that are lists of values

Type
cartesianProduct :: AttrSet -> [AttrSet]
Examples
Example 20. lib.attrsets.cartesianProduct usage example
cartesianProduct { a = [ 1 2 ]; b = [ 10 20 ]; }
=> [
     { a = 1; b = 10; }
     { a = 1; b = 20; }
     { a = 2; b = 10; }
     { a = 2; b = 20; }
   ]

Located at lib/attrsets.nix:906 in <nixpkgs>.

lib.attrsets.mapCartesianProduct

Return the result of function f applied to the cartesian product of attribute set value combinations. Equivalent to using cartesianProduct followed by map.

Inputs
f

A function, given an attribute set, it returns a new value.

attrsOfLists

Attribute set with attributes that are lists of values

Type
mapCartesianProduct :: (AttrSet -> a) -> AttrSet -> [a]
Examples
Example 21. lib.attrsets.mapCartesianProduct usage example
mapCartesianProduct ({a, b}: "${a}-${b}") { a = [ "1" "2" ]; b = [ "3" "4" ]; }
=> [ "1-3" "1-4" "2-3" "2-4" ]

Located at lib/attrsets.nix:947 in <nixpkgs>.

lib.attrsets.nameValuePair

Utility function that creates a {name, value} pair as expected by builtins.listToAttrs.

Inputs
name

Attribute name

value

Attribute value

Type
nameValuePair :: String -> Any -> { name :: String; value :: Any; }
Examples
Example 22. lib.attrsets.nameValuePair usage example
nameValuePair "some" 6
=> { name = "some"; value = 6; }

Located at lib/attrsets.nix:980 in <nixpkgs>.

lib.attrsets.mapAttrs

Apply a function to each element in an attribute set, creating a new attribute set.

Inputs
f

A function that takes an attribute name and its value, and returns the new value for the attribute.

attrset

The attribute set to iterate through.

Type
mapAttrs :: (String -> Any -> Any) -> AttrSet -> AttrSet
Examples
Example 23. lib.attrsets.mapAttrs usage example
mapAttrs (name: value: name + "-" + value)
   { x = "foo"; y = "bar"; }
=> { x = "x-foo"; y = "y-bar"; }

Located at lib/attrsets.nix:1017 in <nixpkgs>.

lib.attrsets.mapAttrs'

Like mapAttrs, but allows the name of each attribute to be changed in addition to the value. The applied function should return both the new name and value as a nameValuePair.

Inputs
f

A function, given an attribute’s name and value, returns a new nameValuePair.

set

Attribute set to map over.

Type
mapAttrs' :: (String -> Any -> { name :: String; value :: Any; }) -> AttrSet -> AttrSet
Examples
Example 24. lib.attrsets.mapAttrs' usage example
mapAttrs' (name: value: nameValuePair ("foo_" + name) ("bar-" + value))
   { x = "a"; y = "b"; }
=> { foo_x = "bar-a"; foo_y = "bar-b"; }

Located at lib/attrsets.nix:1054 in <nixpkgs>.

lib.attrsets.mapAttrsToList

Call a function for each attribute in the given set and return the result in a list.

Inputs
f

A function, given an attribute’s name and value, returns a new value.

attrs

Attribute set to map over.

Type
mapAttrsToList :: (String -> a -> b) -> AttrSet -> [b]
Examples
Example 25. lib.attrsets.mapAttrsToList usage example
mapAttrsToList (name: value: name + value)
   { x = "a"; y = "b"; }
=> [ "xa" "yb" ]

Located at lib/attrsets.nix:1092 in <nixpkgs>.

lib.attrsets.attrsToList

Deconstruct an attrset to a list of name-value pairs as expected by builtins.listToAttrs. Each element of the resulting list is an attribute set with these attributes:

  • name (string): The name of the attribute

  • value (any): The value of the attribute

The following is always true:

builtins.listToAttrs (attrsToList attrs) == attrs

Warning

The opposite is not always true. In general expect that

attrsToList (builtins.listToAttrs list) != list

This is because the listToAttrs removes duplicate names and doesn’t preserve the order of the list.

Inputs
set

The attribute set to deconstruct.

Type
attrsToList :: AttrSet -> [ { name :: String; value :: Any; } ]
Examples
Example 26. lib.attrsets.attrsToList usage example
attrsToList { foo = 1; bar = "asdf"; }
=> [ { name = "bar"; value = "asdf"; } { name = "foo"; value = 1; } ]

Located at lib/attrsets.nix:1140 in <nixpkgs>.

lib.attrsets.mapAttrsRecursive

Like mapAttrs, except that it recursively applies itself to the leaf attributes of a potentially-nested attribute set: the second argument of the function will never be an attrset. Also, the first argument of the mapping function is a list of the attribute names that form the path to the leaf attribute.

For a function that gives you control over what counts as a leaf, see mapAttrsRecursiveCond.

Example 27. Map over leaf attributes
mapAttrsRecursive (path: value: concatStringsSep "-" (path ++ [value]))
  { n = { a = "A"; m = { b = "B"; c = "C"; }; }; d = "D"; }

evaluates to

{ n = { a = "n-a-A"; m = { b = "n-m-b-B"; c = "n-m-c-C"; }; }; d = "d-D"; }

Type
mapAttrsRecursive :: ([String] -> a -> b) -> AttrSet -> AttrSet

Located at lib/attrsets.nix:1168 in <nixpkgs>.

lib.attrsets.mapAttrsRecursiveCond

Like mapAttrsRecursive, but it takes an additional predicate that tells it whether to recurse into an attribute set. If the predicate returns false, mapAttrsRecursiveCond does not recurse, but instead applies the mapping function. If the predicate returns true, it does recurse, and does not apply the mapping function.

Example 28. Map over an leaf attributes defined by a condition

Map derivations to their name attribute. Derivatons are identified as attribute sets that contain { type = "derivation"; }.

mapAttrsRecursiveCond
  (as: !(as ? "type" && as.type == "derivation"))
  (x: x.name)
  attrs

Type
mapAttrsRecursiveCond :: (AttrSet -> Bool) -> ([String] -> a -> b) -> AttrSet -> AttrSet

Located at lib/attrsets.nix:1197 in <nixpkgs>.

lib.attrsets.genAttrs

Generate an attribute set by mapping a function over a list of attribute names.

Inputs
names

Names of values in the resulting attribute set.

f

A function, given the name of the attribute, returns the attribute’s value.

Type
genAttrs :: [ String ] -> (String -> Any) -> AttrSet
Examples
Example 29. lib.attrsets.genAttrs usage example
genAttrs [ "foo" "bar" ] (name: "x_" + name)
=> { foo = "x_foo"; bar = "x_bar"; }

Located at lib/attrsets.nix:1244 in <nixpkgs>.

lib.attrsets.isDerivation

Check whether the argument is a derivation. Any set with { type = "derivation"; } counts as a derivation.

Inputs
value

Value to check.

Type
isDerivation :: Any -> Bool
Examples
Example 30. lib.attrsets.isDerivation usage example
nixpkgs = import <nixpkgs> {}
isDerivation nixpkgs.ruby
=> true
isDerivation "foobar"
=> false

Located at lib/attrsets.nix:1281 in <nixpkgs>.

lib.attrsets.toDerivation

Converts a store path to a fake derivation.

Inputs
path

A store path to convert to a derivation.

Type
toDerivation :: Path -> Derivation

Located at lib/attrsets.nix:1300 in <nixpkgs>.

lib.attrsets.optionalAttrs

If cond is true, return the attribute set as, otherwise an empty attribute set.

Inputs
cond

Condition under which the as attribute set is returned.

as

The attribute set to return if cond is true.

Type
optionalAttrs :: Bool -> AttrSet -> AttrSet
Examples
Example 31. lib.attrsets.optionalAttrs usage example
optionalAttrs (true) { my = "set"; }
=> { my = "set"; }
optionalAttrs (false) { my = "set"; }
=> { }

Located at lib/attrsets.nix:1349 in <nixpkgs>.

lib.attrsets.zipAttrsWithNames

Merge sets of attributes and use the function f to merge attributes values.

Inputs
names

List of attribute names to zip.

f

A function, accepts an attribute name, all the values, and returns a combined value.

sets

List of values from the list of attribute sets.

Type
zipAttrsWithNames :: [ String ] -> (String -> [ Any ] -> Any) -> [ AttrSet ] -> AttrSet
Examples
Example 32. lib.attrsets.zipAttrsWithNames usage example
zipAttrsWithNames ["a"] (name: vs: vs) [{a = "x";} {a = "y"; b = "z";}]
=> { a = ["x" "y"]; }

Located at lib/attrsets.nix:1391 in <nixpkgs>.

lib.attrsets.zipAttrsWith

Merge sets of attributes and use the function f to merge attribute values. Like lib.attrsets.zipAttrsWithNames with all key names are passed for names.

Implementation note: Common names appear multiple times in the list of names, hopefully this does not affect the system because the maximal laziness avoid computing twice the same expression and listToAttrs does not care about duplicated attribute names.

Type
zipAttrsWith :: (String -> [ Any ] -> Any) -> [ AttrSet ] -> AttrSet
Examples
Example 33. lib.attrsets.zipAttrsWith usage example
zipAttrsWith (name: values: values) [{a = "x";} {a = "y"; b = "z";}]
=> { a = ["x" "y"]; b = ["z"]; }

Located at lib/attrsets.nix:1427 in <nixpkgs>.

lib.attrsets.zipAttrs

Merge sets of attributes and combine each attribute value in to a list.

Like lib.attrsets.zipAttrsWith with (name: values: values) as the function.

Type
zipAttrs :: [ AttrSet ] -> AttrSet
Examples
Example 34. lib.attrsets.zipAttrs usage example
zipAttrs [{a = "x";} {a = "y"; b = "z";}]
=> { a = ["x" "y"]; b = ["z"]; }

Located at lib/attrsets.nix:1453 in <nixpkgs>.

lib.attrsets.mergeAttrsList

Merge a list of attribute sets together using the // operator. In case of duplicate attributes, values from later list elements take precedence over earlier ones. The result is the same as foldl mergeAttrs { }, but the performance is better for large inputs. For n list elements, each with an attribute set containing m unique attributes, the complexity of this operation is O(nm log n).

Inputs
list

1. Function argument

Type
mergeAttrsList :: [ Attrs ] -> Attrs
Examples
Example 35. lib.attrsets.mergeAttrsList usage example
mergeAttrsList [ { a = 0; b = 1; } { c = 2; d = 3; } ]
=> { a = 0; b = 1; c = 2; d = 3; }
mergeAttrsList [ { a = 0; } { a = 1; } ]
=> { a = 1; }

Located at lib/attrsets.nix:1487 in <nixpkgs>.

lib.attrsets.recursiveUpdateUntil

Does the same as the update operator ‘//’ except that attributes are merged until the given predicate is verified. The predicate should accept 3 arguments which are the path to reach the attribute, a part of the first attribute set and a part of the second attribute set. When the predicate is satisfied, the value of the first attribute set is replaced by the value of the second attribute set.

Inputs
pred

Predicate, taking the path to the current attribute as a list of strings for attribute names, and the two values at that path from the original arguments.

lhs

Left attribute set of the merge.

rhs

Right attribute set of the merge.

Type
recursiveUpdateUntil :: ( [ String ] -> AttrSet -> AttrSet -> Bool ) -> AttrSet -> AttrSet -> AttrSet
Examples
Example 36. lib.attrsets.recursiveUpdateUntil usage example
recursiveUpdateUntil (path: l: r: path == ["foo"]) {
  # first attribute set
  foo.bar = 1;
  foo.baz = 2;
  bar = 3;
} {
  #second attribute set
  foo.bar = 1;
  foo.quz = 2;
  baz = 4;
}

=> {
  foo.bar = 1; # 'foo.*' from the second set
  foo.quz = 2; #
  bar = 3;     # 'bar' from the first set
  baz = 4;     # 'baz' from the second set
}

Located at lib/attrsets.nix:1565 in <nixpkgs>.

lib.attrsets.recursiveUpdate

A recursive variant of the update operator ‘//’. The recursion stops when one of the attribute values is not an attribute set, in which case the right hand side value takes precedence over the left hand side value.

Inputs
lhs

Left attribute set of the merge.

rhs

Right attribute set of the merge.

Type
recursiveUpdate :: AttrSet -> AttrSet -> AttrSet
Examples
Example 37. lib.attrsets.recursiveUpdate usage example
recursiveUpdate {
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/hda";
} {
  boot.loader.grub.device = "";
}

returns: {
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "";
}

Located at lib/attrsets.nix:1624 in <nixpkgs>.

lib.attrsets.matchAttrs

Recurse into every attribute set of the first argument and check that:

  • Each attribute path also exists in the second argument.

  • If the attribute’s value is not a nested attribute set, it must have the same value in the right argument.

Inputs
pattern

Attribute set structure to match

attrs

Attribute set to check

Type
matchAttrs :: AttrSet -> AttrSet -> Bool
Examples
Example 38. lib.attrsets.matchAttrs usage example
matchAttrs { cpu = {}; } { cpu = { bits = 64; }; }
=> true

Located at lib/attrsets.nix:1663 in <nixpkgs>.

lib.attrsets.overrideExisting

Override only the attributes that are already present in the old set useful for deep-overriding.

Inputs
old

Original attribute set

new

Attribute set with attributes to override in old.

Type
overrideExisting :: AttrSet -> AttrSet -> AttrSet
Examples
Example 39. lib.attrsets.overrideExisting usage example
overrideExisting {} { a = 1; }
=> {}
overrideExisting { b = 2; } { a = 1; }
=> { b = 2; }
overrideExisting { a = 3; b = 2; } { a = 1; }
=> { a = 1; b = 2; }

Located at lib/attrsets.nix:1719 in <nixpkgs>.

lib.attrsets.showAttrPath

Turns a list of strings into a human-readable description of those strings represented as an attribute path. The result of this function is not intended to be machine-readable. Create a new attribute set with value set at the nested attribute location specified in attrPath.

Inputs
path

Attribute path to render to a string

Type
showAttrPath :: [String] -> String
Examples
Example 40. lib.attrsets.showAttrPath usage example
showAttrPath [ "foo" "10" "bar" ]
=> "foo.\"10\".bar"
showAttrPath []
=> "<root attribute path>"

Located at lib/attrsets.nix:1757 in <nixpkgs>.

lib.attrsets.getOutput

Get a package output. If no output is found, fallback to .out and then to the default. The function is idempotent: getOutput "b" (getOutput "a" p) == getOutput "a" p.

Inputs
output

1. Function argument

pkg

2. Function argument

Type
getOutput :: String -> :: Derivation -> Derivation
Examples
Example 41. lib.attrsets.getOutput usage example
"${getOutput "dev" pkgs.openssl}"
=> "/nix/store/9rz8gxhzf8sw4kf2j2f1grr49w8zx5vj-openssl-1.0.1r-dev"

Located at lib/attrsets.nix:1796 in <nixpkgs>.

lib.attrsets.getFirstOutput

Get the first of the outputs provided by the package, or the default. This function is alligned with _overrideFirst() from the multiple-outputs.sh setup hook. Like getOutput, the function is idempotent.

Inputs
outputs

1. Function argument

pkg

2. Function argument

Type
getFirstOutput :: [String] -> Derivation -> Derivation
Examples
Example 42. lib.attrsets.getFirstOutput usage example
"${getFirstOutput [ "include" "dev" ] pkgs.openssl}"
=> "/nix/store/00000000000000000000000000000000-openssl-1.0.1r-dev"

Located at lib/attrsets.nix:1833 in <nixpkgs>.

lib.attrsets.getBin

Get a package’s bin output. If the output does not exist, fallback to .out and then to the default.

Inputs
pkg

The package whose bin output will be retrieved.

Type
getBin :: Derivation -> Derivation
Examples
Example 43. lib.attrsets.getBin usage example
"${getBin pkgs.openssl}"
=> "/nix/store/00000000000000000000000000000000-openssl-1.0.1r"

Located at lib/attrsets.nix:1871 in <nixpkgs>.

lib.attrsets.getLib

Get a package’s lib output. If the output does not exist, fallback to .out and then to the default.

Inputs
pkg

The package whose lib output will be retrieved.

Type
getLib :: Derivation -> Derivation
Examples
Example 44. lib.attrsets.getLib usage example
"${getLib pkgs.openssl}"
=> "/nix/store/9rz8gxhzf8sw4kf2j2f1grr49w8zx5vj-openssl-1.0.1r-lib"

Located at lib/attrsets.nix:1901 in <nixpkgs>.

lib.attrsets.getStatic

Get a package’s static output. If the output does not exist, fallback to .lib, then to .out, and then to the default.

Inputs
pkg

The package whose static output will be retrieved.

Type
getStatic :: Derivation -> Derivation
Examples
Example 45. lib.attrsets.getStatic usage example
"${lib.getStatic pkgs.glibc}"
=> "/nix/store/00000000000000000000000000000000-glibc-2.39-52-static"

Located at lib/attrsets.nix:1930 in <nixpkgs>.

lib.attrsets.getDev

Get a package’s dev output. If the output does not exist, fallback to .out and then to the default.

Inputs
pkg

The package whose dev output will be retrieved.

Type
getDev :: Derivation -> Derivation
Examples
Example 46. lib.attrsets.getDev usage example
"${getDev pkgs.openssl}"
=> "/nix/store/9rz8gxhzf8sw4kf2j2f1grr49w8zx5vj-openssl-1.0.1r-dev"

Located at lib/attrsets.nix:1960 in <nixpkgs>.

lib.attrsets.getInclude

Get a package’s include output. If the output does not exist, fallback to .dev, then to .out, and then to the default.

Inputs
pkg

The package whose include output will be retrieved.

Type
getInclude :: Derivation -> Derivation
Examples
Example 47. lib.attrsets.getInclude usage example
"${getInclude pkgs.openssl}"
=> "/nix/store/00000000000000000000000000000000-openssl-1.0.1r-dev"

Located at lib/attrsets.nix:1989 in <nixpkgs>.

lib.attrsets.getMan

Get a package’s man output. If the output does not exist, fallback to .out and then to the default.

Inputs
pkg

The package whose man output will be retrieved.

Type
getMan :: Derivation -> Derivation
Examples
Example 48. lib.attrsets.getMan usage example
"${getMan pkgs.openssl}"
=> "/nix/store/9rz8gxhzf8sw4kf2j2f1grr49w8zx5vj-openssl-1.0.1r-man"

Located at lib/attrsets.nix:2019 in <nixpkgs>.

lib.attrsets.chooseDevOutputs

Pick the outputs of packages to place in buildInputs

Inputs
pkgs

List of packages.

Type
chooseDevOutputs :: [Derivation] -> [Derivation]

Located at lib/attrsets.nix:2036 in <nixpkgs>.

lib.attrsets.recurseIntoAttrs

Make various Nix tools consider the contents of the resulting attribute set when looking for what to build, find, etc.

This function only affects a single attribute set; it does not apply itself recursively for nested attribute sets.

Inputs
attrs

An attribute set to scan for derivations.

Type
recurseIntoAttrs :: AttrSet -> AttrSet
Examples
Example 49. lib.attrsets.recurseIntoAttrs usage example
{ pkgs ? import <nixpkgs> {} }:
{
  myTools = pkgs.lib.recurseIntoAttrs {
    inherit (pkgs) hello figlet;
  };
}

Located at lib/attrsets.nix:2073 in <nixpkgs>.

lib.attrsets.dontRecurseIntoAttrs

Undo the effect of recurseIntoAttrs.

Inputs
attrs

An attribute set to not scan for derivations.

Type
dontRecurseIntoAttrs :: AttrSet -> AttrSet

Located at lib/attrsets.nix:2093 in <nixpkgs>.

lib.attrsets.unionOfDisjoint

unionOfDisjoint x y is equal to x // y // z where the attrnames in z are the intersection of the attrnames in x and y, and all values assert with an error message. This operator is commutative, unlike (//).

Inputs
x

1. Function argument

y

2. Function argument

Type
unionOfDisjoint :: AttrSet -> AttrSet -> AttrSet

Located at lib/attrsets.nix:2120 in <nixpkgs>.

lib.strings: string manipulation functions

String manipulation functions.

lib.strings.concatStrings

Concatenate a list of strings.

Type
concatStrings :: [string] -> string
Examples
Example 50. lib.strings.concatStrings usage example
concatStrings ["foo" "bar"]
=> "foobar"

Located at lib/strings.nix:64 in <nixpkgs>.

lib.strings.concatMapStrings

Map a function over a list and concatenate the resulting strings.

Inputs
f

1. Function argument

list

2. Function argument

Type
concatMapStrings :: (a -> string) -> [a] -> string
Examples
Example 51. lib.strings.concatMapStrings usage example
concatMapStrings (x: "a" + x) ["foo" "bar"]
=> "afooabar"

Located at lib/strings.nix:95 in <nixpkgs>.

lib.strings.concatImapStrings

Like concatMapStrings except that the f functions also gets the position as a parameter.

Inputs
f

1. Function argument

list

2. Function argument

Type
concatImapStrings :: (int -> a -> string) -> [a] -> string
Examples
Example 52. lib.strings.concatImapStrings usage example
concatImapStrings (pos: x: "${toString pos}-${x}") ["foo" "bar"]
=> "1-foo2-bar"

Located at lib/strings.nix:127 in <nixpkgs>.

lib.strings.intersperse

Place an element between each element of a list

Inputs
separator

Separator to add between elements

list

Input list

Type
intersperse :: a -> [a] -> [a]
Examples
Example 53. lib.strings.intersperse usage example
intersperse "/" ["usr" "local" "bin"]
=> ["usr" "/" "local" "/" "bin"].

Located at lib/strings.nix:158 in <nixpkgs>.

lib.strings.concatStringsSep

Concatenate a list of strings with a separator between each element

Inputs
sep

Separator to add between elements

list

List of input strings

Type
concatStringsSep :: string -> [string] -> string
Examples
Example 54. lib.strings.concatStringsSep usage example
concatStringsSep "/" ["usr" "local" "bin"]
=> "usr/local/bin"

Located at lib/strings.nix:193 in <nixpkgs>.

lib.strings.concatMapStringsSep

Maps a function over a list of strings and then concatenates the result with the specified separator interspersed between elements.

Inputs
sep

Separator to add between elements

f

Function to map over the list

list

List of input strings

Type
concatMapStringsSep :: string -> (a -> string) -> [a] -> string
Examples
Example 55. lib.strings.concatMapStringsSep usage example
concatMapStringsSep "-" (x: toUpper x)  ["foo" "bar" "baz"]
=> "FOO-BAR-BAZ"

Located at lib/strings.nix:229 in <nixpkgs>.

lib.strings.concatImapStringsSep

Same as concatMapStringsSep, but the mapping function additionally receives the position of its argument.

Inputs
sep

Separator to add between elements

f

Function that receives elements and their positions

list

List of input strings

Type
concatIMapStringsSep :: string -> (int -> a -> string) -> [a] -> string
Examples
Example 56. lib.strings.concatImapStringsSep usage example
concatImapStringsSep "-" (pos: x: toString (x / pos)) [ 6 6 6 ]
=> "6-3-2"

Located at lib/strings.nix:267 in <nixpkgs>.

lib.strings.concatLines

Concatenate a list of strings, adding a newline at the end of each one. Defined as concatMapStrings (s: s + "\n").

Inputs
list

List of strings. Any element that is not a string will be implicitly converted to a string.

Type
concatLines :: [string] -> string
Examples
Example 57. lib.strings.concatLines usage example
concatLines [ "foo" "bar" ]
=> "foo\nbar\n"

Located at lib/strings.nix:298 in <nixpkgs>.

lib.strings.replicate

Repeat a string n times, and concatenate the parts into a new string.

Inputs
n

1. Function argument

s

2. Function argument

Type
replicate :: int -> string -> string
Examples
Example 58. lib.strings.replicate usage example
replicate 3 "v"
=> "vvv"
replicate 5 "hello"
=> "hellohellohellohellohello"

Located at lib/strings.nix:332 in <nixpkgs>.

lib.strings.trim

Remove leading and trailing whitespace from a string s.

Whitespace is defined as any of the following characters: " ", “\t” “\r” “\n”

Inputs
s

The string to trim

Type
trim :: string -> string
Examples
Example 59. lib.strings.trim usage example
trim "   hello, world!   "
=> "hello, world!"

Located at lib/strings.nix:362 in <nixpkgs>.

lib.strings.trimWith

Remove leading and/or trailing whitespace from a string s.

To remove both leading and trailing whitespace, you can also use trim

Whitespace is defined as any of the following characters: " ", “\t” “\r” “\n”

Inputs
config (Attribute set)
start

Whether to trim leading whitespace (false by default)

end

Whether to trim trailing whitespace (false by default)

s

The string to trim

Type
trimWith :: { start :: Bool; end :: Bool } -> String -> String
Examples
Example 60. lib.strings.trimWith usage example
trimWith { start = true; } "   hello, world!   "}
=> "hello, world!   "

trimWith { end = true; } "   hello, world!   "}
=> "   hello, world!"

Located at lib/strings.nix:406 in <nixpkgs>.

lib.strings.makeSearchPath

Construct a Unix-style, colon-separated search path consisting of the given subDir appended to each of the given paths.

Inputs
subDir

Directory name to append

paths

List of base paths

Type
makeSearchPath :: string -> [string] -> string
Examples
Example 61. lib.strings.makeSearchPath usage example
makeSearchPath "bin" ["/root" "/usr" "/usr/local"]
=> "/root/bin:/usr/bin:/usr/local/bin"
makeSearchPath "bin" [""]
=> "/bin"

Located at lib/strings.nix:467 in <nixpkgs>.

lib.strings.makeSearchPathOutput

Construct a Unix-style search path by appending the given subDir to the specified output of each of the packages.

If no output by the given name is found, fallback to .out and then to the default.

Inputs
output

Package output to use

subDir

Directory name to append

pkgs

List of packages

Type
makeSearchPathOutput :: string -> string -> [package] -> string
Examples
Example 62. lib.strings.makeSearchPathOutput usage example
makeSearchPathOutput "dev" "bin" [ pkgs.openssl pkgs.zlib ]
=> "/nix/store/9rz8gxhzf8sw4kf2j2f1grr49w8zx5vj-openssl-1.0.1r-dev/bin:/nix/store/wwh7mhwh269sfjkm6k5665b5kgp7jrk2-zlib-1.2.8/bin"

Located at lib/strings.nix:508 in <nixpkgs>.

lib.strings.makeLibraryPath

Construct a library search path (such as RPATH) containing the libraries for a set of packages

Inputs
packages

List of packages

Type
makeLibraryPath :: [package] -> string
Examples
Example 63. lib.strings.makeLibraryPath usage example
makeLibraryPath [ "/usr" "/usr/local" ]
=> "/usr/lib:/usr/local/lib"
pkgs = import <nixpkgs> { }
makeLibraryPath [ pkgs.openssl pkgs.zlib ]
=> "/nix/store/9rz8gxhzf8sw4kf2j2f1grr49w8zx5vj-openssl-1.0.1r/lib:/nix/store/wwh7mhwh269sfjkm6k5665b5kgp7jrk2-zlib-1.2.8/lib"

Located at lib/strings.nix:542 in <nixpkgs>.

lib.strings.makeIncludePath

Construct an include search path (such as C_INCLUDE_PATH) containing the header files for a set of packages or paths.

Inputs
packages

List of packages

Type
makeIncludePath :: [package] -> string
Examples
Example 64. lib.strings.makeIncludePath usage example
makeIncludePath [ "/usr" "/usr/local" ]
=> "/usr/include:/usr/local/include"
pkgs = import <nixpkgs> { }
makeIncludePath [ pkgs.openssl pkgs.zlib ]
=> "/nix/store/9rz8gxhzf8sw4kf2j2f1grr49w8zx5vj-openssl-1.0.1r-dev/include:/nix/store/wwh7mhwh269sfjkm6k5665b5kgp7jrk2-zlib-1.2.8-dev/include"

Located at lib/strings.nix:573 in <nixpkgs>.

lib.strings.makeBinPath

Construct a binary search path (such as $PATH) containing the binaries for a set of packages.

Inputs
packages

List of packages

Type
makeBinPath :: [package] -> string
Examples
Example 65. lib.strings.makeBinPath usage example
makeBinPath ["/root" "/usr" "/usr/local"]
=> "/root/bin:/usr/bin:/usr/local/bin"

Located at lib/strings.nix:601 in <nixpkgs>.

lib.strings.normalizePath

Normalize path, removing extraneous /s

Inputs
s

1. Function argument

Type
normalizePath :: string -> string
Examples
Example 66. lib.strings.normalizePath usage example
normalizePath "/a//b///c/"
=> "/a/b/c/"

Located at lib/strings.nix:629 in <nixpkgs>.

lib.strings.optionalString

Depending on the boolean `cond’, return either the given string or the empty string. Useful to concatenate against a bigger string.

Inputs
cond

Condition

string

String to return if condition is true

Type
optionalString :: bool -> string -> string
Examples
Example 67. lib.strings.optionalString usage example
optionalString true "some-string"
=> "some-string"
optionalString false "some-string"
=> ""

Located at lib/strings.nix:676 in <nixpkgs>.

lib.strings.hasPrefix

Determine whether a string has given prefix.

Inputs
pref

Prefix to check for

str

Input string

Type
hasPrefix :: string -> string -> bool
Examples
Example 68. lib.strings.hasPrefix usage example
hasPrefix "foo" "foobar"
=> true
hasPrefix "foo" "barfoo"
=> false

Located at lib/strings.nix:711 in <nixpkgs>.

lib.strings.hasSuffix

Determine whether a string has given suffix.

Inputs
suffix

Suffix to check for

content

Input string

Type
hasSuffix :: string -> string -> bool
Examples
Example 69. lib.strings.hasSuffix usage example
hasSuffix "foo" "foobar"
=> false
hasSuffix "foo" "barfoo"
=> true

Located at lib/strings.nix:757 in <nixpkgs>.

lib.strings.hasInfix

Determine whether a string contains the given infix

Inputs
infix

1. Function argument

content

2. Function argument

Type
hasInfix :: string -> string -> bool
Examples
Example 70. lib.strings.hasInfix usage example
hasInfix "bc" "abcd"
=> true
hasInfix "ab" "abcd"
=> true
hasInfix "cd" "abcd"
=> true
hasInfix "foo" "abcd"
=> false

Located at lib/strings.nix:813 in <nixpkgs>.

lib.strings.stringToCharacters

Convert a string s to a list of characters (i.e. singleton strings). This allows you to, e.g., map a function over each character. However, note that this will likely be horribly inefficient; Nix is not a general purpose programming language. Complex string manipulations should, if appropriate, be done in a derivation. Also note that Nix treats strings as a list of bytes and thus doesn’t handle unicode.

Inputs
s

1. Function argument

Type
stringToCharacters :: string -> [string]
Examples
Example 71. lib.strings.stringToCharacters usage example
stringToCharacters ""
=> [ ]
stringToCharacters "abc"
=> [ "a" "b" "c" ]
stringToCharacters "🦄"
=> [ "�" "�" "�" "�" ]

Located at lib/strings.nix:861 in <nixpkgs>.

lib.strings.stringAsChars

Manipulate a string character by character and replace them by strings before concatenating the results.

Inputs
f

Function to map over each individual character

s

Input string

Type
stringAsChars :: (string -> string) -> string -> string
Examples
Example 72. lib.strings.stringAsChars usage example
stringAsChars (x: if x == "a" then "i" else x) "nax"
=> "nix"

Located at lib/strings.nix:894 in <nixpkgs>.

lib.strings.charToInt

Convert char to ascii value, must be in printable range

Inputs
c

1. Function argument

Type
charToInt :: string -> int
Examples
Example 73. lib.strings.charToInt usage example
charToInt "A"
=> 65
charToInt "("
=> 40

Located at lib/strings.nix:930 in <nixpkgs>.

lib.strings.escape

Escape occurrence of the elements of list in string by prefixing it with a backslash.

Inputs
list

1. Function argument

string

2. Function argument

Type
escape :: [string] -> string -> string
Examples
Example 74. lib.strings.escape usage example
escape ["(" ")"] "(foo)"
=> "\\(foo\\)"

Located at lib/strings.nix:962 in <nixpkgs>.

lib.strings.escapeC

Escape occurrence of the element of list in string by converting to its ASCII value and prefixing it with \x. Only works for printable ascii characters.

Inputs
list

1. Function argument

string

2. Function argument

Type
escapeC = [string] -> string -> string
Examples
Example 75. lib.strings.escapeC usage example
escapeC [" "] "foo bar"
=> "foo\\x20bar"

Located at lib/strings.nix:995 in <nixpkgs>.

lib.strings.escapeURL

Escape the string so it can be safely placed inside a URL query.

Inputs
string

1. Function argument

Type
escapeURL :: string -> string
Examples
Example 76. lib.strings.escapeURL usage example
escapeURL "foo/bar baz"
=> "foo%2Fbar%20baz"

Located at lib/strings.nix:1023 in <nixpkgs>.

lib.strings.escapeShellArg

Quote string to be used safely within the Bourne shell if it has any special characters.

Inputs
string

1. Function argument

Type
escapeShellArg :: string -> string
Examples
Example 77. lib.strings.escapeShellArg usage example
escapeShellArg "esc'ape\nme"
=> "'esc'\\''ape\nme'"

Located at lib/strings.nix:1056 in <nixpkgs>.

lib.strings.escapeShellArgs

Quote all arguments that have special characters to be safely passed to the Bourne shell.

Inputs
args

1. Function argument

Type
escapeShellArgs :: [string] -> string
Examples
Example 78. lib.strings.escapeShellArgs usage example
escapeShellArgs ["one" "two three" "four'five"]
=> "one 'two three' 'four'\\''five'"

Located at lib/strings.nix:1090 in <nixpkgs>.

lib.strings.isValidPosixName

Test whether the given name is a valid POSIX shell variable name.

Inputs
name

1. Function argument

Type
string -> bool
Examples
Example 79. lib.strings.isValidPosixName usage example
isValidPosixName "foo_bar000"
=> true
isValidPosixName "0-bad.jpg"
=> false

Located at lib/strings.nix:1120 in <nixpkgs>.

lib.strings.toShellVar

Translate a Nix value into a shell variable declaration, with proper escaping.

The value can be a string (mapped to a regular variable), a list of strings (mapped to a Bash-style array) or an attribute set of strings (mapped to a Bash-style associative array). Note that “string” includes string-coercible values like paths or derivations.

Strings are translated into POSIX sh-compatible code; lists and attribute sets assume a shell that understands Bash syntax (e.g. Bash or ZSH).

Inputs
name

1. Function argument

value

2. Function argument

Type
string -> ( string | [string] | { ${name} :: string; } ) -> string
Examples
Example 80. lib.strings.toShellVar usage example
''
  ${toShellVar "foo" "some string"}
  [[ "$foo" == "some string" ]]
''

Located at lib/strings.nix:1161 in <nixpkgs>.

lib.strings.toShellVars

Translate an attribute set vars into corresponding shell variable declarations using toShellVar.

Inputs
vars

1. Function argument

Type
toShellVars :: {
  ${name} :: string | [ string ] | { ${key} :: string; };
} -> string
Examples
Example 81. lib.strings.toShellVars usage example
let
  foo = "value";
  bar = foo;
in ''
  ${toShellVars { inherit foo bar; }}
  [[ "$foo" == "$bar" ]]
''

Located at lib/strings.nix:1209 in <nixpkgs>.

lib.strings.escapeNixString

Turn a string s into a Nix expression representing that string

Inputs
s

1. Function argument

Type
escapeNixString :: string -> string
Examples
Example 82. lib.strings.escapeNixString usage example
escapeNixString "hello\${}\n"
=> "\"hello\\\${}\\n\""

Located at lib/strings.nix:1236 in <nixpkgs>.

lib.strings.escapeRegex

Turn a string s into an exact regular expression

Inputs
s

1. Function argument

Type
escapeRegex :: string -> string
Examples
Example 83. lib.strings.escapeRegex usage example
escapeRegex "[^a-z]*"
=> "\\[\\^a-z]\\*"

Located at lib/strings.nix:1263 in <nixpkgs>.

lib.strings.escapeNixIdentifier

Quotes a string s if it can’t be used as an identifier directly.

Inputs
s

1. Function argument

Type
escapeNixIdentifier :: string -> string
Examples
Example 84. lib.strings.escapeNixIdentifier usage example
escapeNixIdentifier "hello"
=> "hello"
escapeNixIdentifier "0abc"
=> "\"0abc\""

Located at lib/strings.nix:1293 in <nixpkgs>.

lib.strings.escapeXML

Escapes a string s such that it is safe to include verbatim in an XML document.

Inputs
s

1. Function argument

Type
escapeXML :: string -> string
Examples
Example 85. lib.strings.escapeXML usage example
escapeXML ''"test" 'test' < & >''
=> "&quot;test&quot; &apos;test&apos; &lt; &amp; &gt;"

Located at lib/strings.nix:1324 in <nixpkgs>.

lib.strings.toLower

Converts an ASCII string s to lower-case.

Inputs
s

The string to convert to lower-case.

Type
toLower :: string -> string
Examples
Example 86. lib.strings.toLower usage example
toLower "HOME"
=> "home"

Located at lib/strings.nix:1360 in <nixpkgs>.

lib.strings.toUpper

Converts an ASCII string s to upper-case.

Inputs
s

The string to convert to upper-case.

Type
toUpper :: string -> string
Examples
Example 87. lib.strings.toUpper usage example
toUpper "home"
=> "HOME"

Located at lib/strings.nix:1388 in <nixpkgs>.

lib.strings.addContextFrom

Appends string context from string like object src to target.

Warning

This is an implementation detail of Nix and should be used carefully.

Strings in Nix carry an invisible context which is a list of strings representing store paths. If the string is later used in a derivation attribute, the derivation will properly populate the inputDrvs and inputSrcs.

Inputs
src

The string to take the context from. If the argument is not a string, it will be implicitly converted to a string.

target

The string to append the context to. If the argument is not a string, it will be implicitly converted to a string.

Type
addContextFrom :: string -> string -> string
Examples
Example 88. lib.strings.addContextFrom usage example
pkgs = import <nixpkgs> { };
addContextFrom pkgs.coreutils "bar"
=> "bar"

The context can be displayed using the toString function:

nix-repl> builtins.getContext (lib.strings.addContextFrom pkgs.coreutils "bar")
{
  "/nix/store/m1s1d2dk2dqqlw3j90jl3cjy2cykbdxz-coreutils-9.5.drv" = { ... };
}

Located at lib/strings.nix:1441 in <nixpkgs>.

lib.strings.splitString

Cut a string with a separator and produces a list of strings which were separated by this separator.

Inputs
sep

1. Function argument

s

2. Function argument

Type
splitString :: string -> string -> [string]
Examples
Example 89. lib.strings.splitString usage example
splitString "." "foo.bar.baz"
=> [ "foo" "bar" "baz" ]
splitString "/" "/usr/local/bin"
=> [ "" "usr" "local" "bin" ]

Located at lib/strings.nix:1474 in <nixpkgs>.

lib.strings.removePrefix

Return a string without the specified prefix, if the prefix matches.

Inputs
prefix

Prefix to remove if it matches

str

Input string

Type
removePrefix :: string -> string -> string
Examples
Example 90. lib.strings.removePrefix usage example
removePrefix "foo." "foo.bar.baz"
=> "bar.baz"
removePrefix "xxx" "foo.bar.baz"
=> "foo.bar.baz"

Located at lib/strings.nix:1511 in <nixpkgs>.

lib.strings.removeSuffix

Return a string without the specified suffix, if the suffix matches.

Inputs
suffix

Suffix to remove if it matches

str

Input string

Type
removeSuffix :: string -> string -> string
Examples
Example 91. lib.strings.removeSuffix usage example
removeSuffix "front" "homefront"
=> "home"
removeSuffix "xxx" "homefront"
=> "homefront"

Located at lib/strings.nix:1563 in <nixpkgs>.

lib.strings.versionOlder

Return true if string v1 denotes a version older than v2.

Inputs
v1

1. Function argument

v2

2. Function argument

Type
versionOlder :: String -> String -> Bool
Examples
Example 92. lib.strings.versionOlder usage example
versionOlder "1.1" "1.2"
=> true
versionOlder "1.1" "1.1"
=> false

Located at lib/strings.nix:1615 in <nixpkgs>.

lib.strings.versionAtLeast

Return true if string v1 denotes a version equal to or newer than v2.

Inputs
v1

1. Function argument

v2

2. Function argument

Type
versionAtLeast :: String -> String -> Bool
Examples
Example 93. lib.strings.versionAtLeast usage example
versionAtLeast "1.1" "1.0"
=> true
versionAtLeast "1.1" "1.1"
=> true
versionAtLeast "1.1" "1.2"
=> false

Located at lib/strings.nix:1650 in <nixpkgs>.

lib.strings.getName

This function takes an argument x that’s either a derivation or a derivation’s “name” attribute and extracts the name part from that argument.

Inputs
x

1. Function argument

Type
getName :: String | Derivation -> String
Examples
Example 94. lib.strings.getName usage example
getName "youtube-dl-2016.01.01"
=> "youtube-dl"
getName pkgs.youtube-dl
=> "youtube-dl"

Located at lib/strings.nix:1682 in <nixpkgs>.

lib.strings.getVersion

This function takes an argument x that’s either a derivation or a derivation’s “name” attribute and extracts the version part from that argument.

Inputs
x

1. Function argument

Type
getVersion :: String | Derivation -> String
Examples
Example 95. lib.strings.getVersion usage example
getVersion "youtube-dl-2016.01.01"
=> "2016.01.01"
getVersion pkgs.youtube-dl
=> "2016.01.01"

Located at lib/strings.nix:1719 in <nixpkgs>.

lib.strings.nameFromURL

Extract name and version from a URL as shown in the examples.

Separator sep is used to determine the end of the extension.

Inputs
url

1. Function argument

sep

2. Function argument

Type
nameFromURL :: String -> String
Examples
Example 96. lib.strings.nameFromURL usage example
nameFromURL "https://nixos.org/releases/nix/nix-1.7/nix-1.7-x86_64-linux.tar.bz2" "-"
=> "nix"
nameFromURL "https://nixos.org/releases/nix/nix-1.7/nix-1.7-x86_64-linux.tar.bz2" "_"
=> "nix-1.7-x86"

Located at lib/strings.nix:1759 in <nixpkgs>.

lib.strings.cmakeOptionType

Create a "-D<feature>:<type>=<value>" string that can be passed to typical CMake invocations.

Inputs
feature

The feature to be set

type

The type of the feature to be set, as described in https://cmake.org/cmake/help/latest/command/set.html the possible values (case insensitive) are: BOOL FILEPATH PATH STRING INTERNAL

value

The desired value

Type
cmakeOptionType :: string -> string -> string -> string
Examples
Example 97. lib.strings.cmakeOptionType usage example
cmakeOptionType "string" "ENGINE" "sdl2"
=> "-DENGINE:STRING=sdl2"

Located at lib/strings.nix:1801 in <nixpkgs>.

lib.strings.cmakeBool

Create a -D<condition>={TRUE,FALSE} string that can be passed to typical CMake invocations.

Inputs
condition

The condition to be made true or false

flag

The controlling flag of the condition

Type
cmakeBool :: string -> bool -> string
Examples
Example 98. lib.strings.cmakeBool usage example
cmakeBool "ENABLE_STATIC_LIBS" false
=> "-DENABLESTATIC_LIBS:BOOL=FALSE"

Located at lib/strings.nix:1839 in <nixpkgs>.

lib.strings.cmakeFeature

Create a -D<feature>:STRING=<value> string that can be passed to typical CMake invocations. This is the most typical usage, so it deserves a special case.

Inputs
feature

The feature to be set

value

The desired value

Type
cmakeFeature :: string -> string -> string
Examples
Example 99. lib.strings.cmakeFeature usage example
cmakeFeature "MODULES" "badblock"
=> "-DMODULES:STRING=badblock"

Located at lib/strings.nix:1876 in <nixpkgs>.

lib.strings.mesonOption

Create a -D<feature>=<value> string that can be passed to typical Meson invocations.

Inputs
feature

The feature to be set

value

The desired value

Type
mesonOption :: string -> string -> string
Examples
Example 100. lib.strings.mesonOption usage example
mesonOption "engine" "opengl"
=> "-Dengine=opengl"

Located at lib/strings.nix:1911 in <nixpkgs>.

lib.strings.mesonBool

Create a -D<condition>={true,false} string that can be passed to typical Meson invocations.

Inputs
condition

The condition to be made true or false

flag

The controlling flag of the condition

Type
mesonBool :: string -> bool -> string
Examples
Example 101. lib.strings.mesonBool usage example
mesonBool "hardened" true
=> "-Dhardened=true"
mesonBool "static" false
=> "-Dstatic=false"

Located at lib/strings.nix:1948 in <nixpkgs>.

lib.strings.mesonEnable

Create a -D<feature>={enabled,disabled} string that can be passed to typical Meson invocations.

Inputs
feature

The feature to be enabled or disabled

flag

The controlling flag

Type
mesonEnable :: string -> bool -> string
Examples
Example 102. lib.strings.mesonEnable usage example
mesonEnable "docs" true
=> "-Ddocs=enabled"
mesonEnable "savage" false
=> "-Dsavage=disabled"

Located at lib/strings.nix:1985 in <nixpkgs>.

lib.strings.enableFeature

Create an --{enable,disable}-<feature> string that can be passed to standard GNU Autoconf scripts.

Inputs
flag

1. Function argument

feature

2. Function argument

Type
enableFeature :: bool -> string -> string
Examples
Example 103. lib.strings.enableFeature usage example
enableFeature true "shared"
=> "--enable-shared"
enableFeature false "shared"
=> "--disable-shared"

Located at lib/strings.nix:2022 in <nixpkgs>.

lib.strings.enableFeatureAs

Create an --{enable-<feature>=<value>,disable-<feature>} string that can be passed to standard GNU Autoconf scripts.

Inputs
flag

1. Function argument

feature

2. Function argument

value

3. Function argument

Type
enableFeatureAs :: bool -> string -> string -> string
Examples
Example 104. lib.strings.enableFeatureAs usage example
enableFeatureAs true "shared" "foo"
=> "--enable-shared=foo"
enableFeatureAs false "shared" (throw "ignored")
=> "--disable-shared"

Located at lib/strings.nix:2062 in <nixpkgs>.

lib.strings.withFeature

Create an --{with,without}-<feature> string that can be passed to standard GNU Autoconf scripts.

Inputs
flag

1. Function argument

feature

2. Function argument

Type
withFeature :: bool -> string -> string
Examples
Example 105. lib.strings.withFeature usage example
withFeature true "shared"
=> "--with-shared"
withFeature false "shared"
=> "--without-shared"

Located at lib/strings.nix:2098 in <nixpkgs>.

lib.strings.withFeatureAs

Create an --{with-<feature>=<value>,without-<feature>} string that can be passed to standard GNU Autoconf scripts.

Inputs
flag

1. Function argument

feature

2. Function argument

value

3. Function argument

Type
withFeatureAs :: bool -> string -> string -> string
Examples
Example 106. lib.strings.withFeatureAs usage example
withFeatureAs true "shared" "foo"
=> "--with-shared=foo"
withFeatureAs false "shared" (throw "ignored")
=> "--without-shared"

Located at lib/strings.nix:2138 in <nixpkgs>.

lib.strings.fixedWidthString

Create a fixed width string with additional prefix to match required width.

This function will fail if the input string is longer than the requested length.

Inputs
width

1. Function argument

filler

2. Function argument

str

3. Function argument

Type
fixedWidthString :: int -> string -> string -> string
Examples
Example 107. lib.strings.fixedWidthString usage example
fixedWidthString 5 "0" (toString 15)
=> "00015"

Located at lib/strings.nix:2177 in <nixpkgs>.

lib.strings.fixedWidthNumber

Format a number adding leading zeroes up to fixed width.

Inputs
width

1. Function argument

n

2. Function argument

Type
fixedWidthNumber :: int -> int -> string
Examples
Example 108. lib.strings.fixedWidthNumber usage example
fixedWidthNumber 5 15
=> "00015"

Located at lib/strings.nix:2217 in <nixpkgs>.

lib.strings.floatToString

Convert a float to a string, but emit a warning when precision is lost during the conversion

Inputs
float

1. Function argument

Type
floatToString :: float -> string
Examples
Example 109. lib.strings.floatToString usage example
floatToString 0.000001
=> "0.000001"
floatToString 0.0000001
=> trace: warning: Imprecise conversion from float to string 0.000000
   "0.000000"

Located at lib/strings.nix:2250 in <nixpkgs>.

lib.strings.isCoercibleToString

Check whether a value val can be coerced to a string.

Warning

Soft-deprecated function. While the original implementation is available as isConvertibleWithToString, consider using isStringLike instead, if suitable.

Inputs
val

1. Function argument

Type
isCoercibleToString :: a -> bool

Located at lib/strings.nix:2275 in <nixpkgs>.

lib.strings.isConvertibleWithToString

Check whether a list or other value x can be passed to toString.

Many types of value are coercible to string this way, including int, float, null, bool, list of similarly coercible values.

Inputs
val

1. Function argument

Type
isConvertibleWithToString :: a -> bool

Located at lib/strings.nix:2296 in <nixpkgs>.

lib.strings.isStringLike

Check whether a value can be coerced to a string. The value must be a string, path, or attribute set.

String-like values can be used without explicit conversion in string interpolations and in most functions that expect a string.

Inputs
x

1. Function argument

Type
isStringLike :: a -> bool

Located at lib/strings.nix:2322 in <nixpkgs>.

lib.strings.isStorePath

Check whether a value x is a store path.

Inputs
x

1. Function argument

Type
isStorePath :: a -> bool
Examples
Example 110. lib.strings.isStorePath usage example
isStorePath "/nix/store/d945ibfx9x185xf04b890y4f9g3cbb63-python-2.7.11/bin/python"
=> false
isStorePath "/nix/store/d945ibfx9x185xf04b890y4f9g3cbb63-python-2.7.11"
=> true
isStorePath pkgs.python
=> true
isStorePath [] || isStorePath 42 || isStorePath {} || …
=> false

Located at lib/strings.nix:2360 in <nixpkgs>.

lib.strings.toInt

Parse a string as an int. Does not support parsing of integers with preceding zero due to ambiguity between zero-padded and octal numbers. See toIntBase10.

Inputs
str

A string to be interpreted as an int.

Type
toInt :: string -> int
Examples
Example 111. lib.strings.toInt usage example
toInt "1337"
=> 1337

toInt "-4"
=> -4

toInt " 123 "
=> 123

toInt "00024"
=> error: Ambiguity in interpretation of 00024 between octal and zero padded integer.

toInt "3.14"
=> error: floating point JSON numbers are not supported

Located at lib/strings.nix:2406 in <nixpkgs>.

lib.strings.toIntBase10

Parse a string as a base 10 int. This supports parsing of zero-padded integers.

Inputs
str

A string to be interpreted as an int.

Type
toIntBase10 :: string -> int
Examples
Example 112. lib.strings.toIntBase10 usage example
toIntBase10 "1337"
=> 1337

toIntBase10 "-4"
=> -4

toIntBase10 " 123 "
=> 123

toIntBase10 "00024"
=> 24

toIntBase10 "3.14"
=> error: floating point JSON numbers are not supported

Located at lib/strings.nix:2476 in <nixpkgs>.

lib.strings.readPathsFromFile

Read a list of paths from file, relative to the rootPath. Lines beginning with # are treated as comments and ignored. Whitespace is significant.

Warning

This function is deprecated and should be avoided.

Note

This function is not performant and should be avoided.

Inputs
rootPath

1. Function argument

file

2. Function argument

Type
readPathsFromFile :: string -> string -> [string]
Examples
Example 113. lib.strings.readPathsFromFile usage example
readPathsFromFile /prefix
  ./pkgs/development/libraries/qt-5/5.4/qtbase/series
=> [ "/prefix/dlopen-resolv.patch" "/prefix/tzdir.patch"
     "/prefix/dlopen-libXcursor.patch" "/prefix/dlopen-openssl.patch"
     "/prefix/dlopen-dbus.patch" "/prefix/xdg-config-dirs.patch"
     "/prefix/nix-profiles-library-paths.patch"
     "/prefix/compose-search-path.patch" ]

Located at lib/strings.nix:2552 in <nixpkgs>.

lib.strings.fileContents

Read the contents of a file removing the trailing \n

Inputs
file

1. Function argument

Type
fileContents :: path -> string
Examples
Example 114. lib.strings.fileContents usage example
$ echo "1.0" > ./version

fileContents ./version
=> "1.0"

Located at lib/strings.nix:2590 in <nixpkgs>.

lib.strings.sanitizeDerivationName

Creates a valid derivation name from a potentially invalid one.

Inputs
string

1. Function argument

Type
sanitizeDerivationName :: String -> String
Examples
Example 115. lib.strings.sanitizeDerivationName usage example
sanitizeDerivationName "../hello.bar # foo"
=> "-hello.bar-foo"
sanitizeDerivationName ""
=> "unknown"
sanitizeDerivationName pkgs.hello
=> "-nix-store-2g75chlbpxlrqn15zlby2dfh8hr9qwbk-hello-2.10"

Located at lib/strings.nix:2622 in <nixpkgs>.

lib.strings.levenshtein

Computes the Levenshtein distance between two strings a and b.

Complexity O(n*m) where n and m are the lengths of the strings. Algorithm adjusted from https://stackoverflow.com/a/9750974/6605742

Inputs
a

1. Function argument

b

2. Function argument

Type
levenshtein :: string -> string -> int
Examples
Example 116. lib.strings.levenshtein usage example
levenshtein "foo" "foo"
=> 0
levenshtein "book" "hook"
=> 1
levenshtein "hello" "Heyo"
=> 3

Located at lib/strings.nix:2683 in <nixpkgs>.

lib.strings.commonPrefixLength

Returns the length of the prefix that appears in both strings a and b.

Inputs
a

1. Function argument

b

2. Function argument

Type
commonPrefixLength :: string -> string -> int

Located at lib/strings.nix:2720 in <nixpkgs>.

lib.strings.commonSuffixLength

Returns the length of the suffix common to both strings a and b.

Inputs
a

1. Function argument

b

2. Function argument

Type
commonSuffixLength :: string -> string -> int

Located at lib/strings.nix:2744 in <nixpkgs>.

lib.strings.levenshteinAtMost

Returns whether the levenshtein distance between two strings a and b is at most some value k.

Complexity is O(min(n,m)) for k <= 2 and O(n*m) otherwise

Inputs
k

Distance threshold

a

String a

b

String b

Type
levenshteinAtMost :: int -> string -> string -> bool
Examples
Example 117. lib.strings.levenshteinAtMost usage example
levenshteinAtMost 0 "foo" "foo"
=> true
levenshteinAtMost 1 "foo" "boa"
=> false
levenshteinAtMost 2 "foo" "boa"
=> true
levenshteinAtMost 2 "This is a sentence" "this is a sentense."
=> false
levenshteinAtMost 3 "This is a sentence" "this is a sentense."
=> true

Located at lib/strings.nix:2791 in <nixpkgs>.

lib.versions: version string functions

lib.versions.splitVersion

Break a version string into its component parts.

Example 118. lib.versions.splitVersion usage example
splitVersion "1.2.3"
=> ["1" "2" "3"]

Located at lib/versions.nix:13 in <nixpkgs>.

lib.versions.major

Get the major version string from a string.

v

Function argument

Example 119. lib.versions.major usage example
major "1.2.3"
=> "1"

Located at lib/versions.nix:22 in <nixpkgs>.

lib.versions.minor

Get the minor version string from a string.

v

Function argument

Example 120. lib.versions.minor usage example
minor "1.2.3"
=> "2"

Located at lib/versions.nix:31 in <nixpkgs>.

lib.versions.patch

Get the patch version string from a string.

v

Function argument

Example 121. lib.versions.patch usage example
patch "1.2.3"
=> "3"

Located at lib/versions.nix:40 in <nixpkgs>.

lib.versions.majorMinor

Get string of the first two parts (major and minor) of a version string.

v

Function argument

Example 122. lib.versions.majorMinor usage example
majorMinor "1.2.3"
=> "1.2"

Located at lib/versions.nix:50 in <nixpkgs>.

lib.versions.pad

Pad a version string with zeros to match the given number of components.

n

Function argument

version

Function argument

Example 123. lib.versions.pad usage example
pad 3 "1.2"
=> "1.2.0"
pad 3 "1.3-rc1"
=> "1.3.0-rc1"
pad 3 "1.2.3.4"
=> "1.2.3"

Located at lib/versions.nix:63 in <nixpkgs>.

lib.trivial: miscellaneous functions

lib.trivial.id

The identity function For when you need a function that does “nothing”.

Inputs
x

The value to return

Type
id :: a -> a

Located at lib/trivial.nix:39 in <nixpkgs>.

lib.trivial.const

The constant function

Ignores the second argument. If called with only one argument, constructs a function that always returns a static value.

Inputs
x

Value to return

y

Value to ignore

Type
const :: a -> b -> a
Examples
Example 124. lib.trivial.const usage example
let f = const 5; in f 10
=> 5

Located at lib/trivial.nix:75 in <nixpkgs>.

lib.trivial.pipe

Pipes a value through a list of functions, left to right.

Inputs
value

Value to start piping.

fns

List of functions to apply sequentially.

Type
pipe :: a -> [<functions>] -> <return type of last function>
Examples
Example 125. lib.trivial.pipe usage example
pipe 2 [
    (x: x + 2)  # 2 + 2 = 4
    (x: x * 2)  # 4 * 2 = 8
  ]
=> 8

# ideal to do text transformations
pipe [ "a/b" "a/c" ] [

  # create the cp command
  (map (file: ''cp "${src}/${file}" $out\n''))

  # concatenate all commands into one string
  lib.concatStrings

  # make that string into a nix derivation
  (pkgs.runCommand "copy-to-out" {})

]
=> <drv which copies all files to $out>

The output type of each function has to be the input type
of the next function, and the last function returns the
final value.

Located at lib/trivial.nix:131 in <nixpkgs>.

lib.trivial.concat

Concatenate two lists

Inputs
x

1. Function argument

y

2. Function argument

Type
concat :: [a] -> [a] -> [a]
Examples
Example 126. lib.trivial.concat usage example
concat [ 1 2 ] [ 3 4 ]
=> [ 1 2 3 4 ]

Located at lib/trivial.nix:171 in <nixpkgs>.

lib.trivial.or

boolean “or”

Inputs
x

1. Function argument

y

2. Function argument

Located at lib/trivial.nix:187 in <nixpkgs>.

lib.trivial.and

boolean “and”

Inputs
x

1. Function argument

y

2. Function argument

Located at lib/trivial.nix:203 in <nixpkgs>.

lib.trivial.xor

boolean “exclusive or”

Inputs
x

1. Function argument

y

2. Function argument

Located at lib/trivial.nix:221 in <nixpkgs>.

lib.trivial.bitNot

bitwise “not”

Located at lib/trivial.nix:226 in <nixpkgs>.

lib.trivial.boolToString

Convert a boolean to a string.

This function uses the strings “true” and “false” to represent boolean values. Calling toString on a bool instead returns “1” and “” (sic!).

Inputs
b

1. Function argument

Type
boolToString :: bool -> string

Located at lib/trivial.nix:248 in <nixpkgs>.

lib.trivial.mergeAttrs

Merge two attribute sets shallowly, right side trumps left

mergeAttrs :: attrs -> attrs -> attrs

Inputs
x

Left attribute set

y

Right attribute set (higher precedence for equal keys)

Examples
Example 127. lib.trivial.mergeAttrs usage example
mergeAttrs { a = 1; b = 2; } { b = 3; c = 4; }
=> { a = 1; b = 3; c = 4; }

Located at lib/trivial.nix:278 in <nixpkgs>.

lib.trivial.flip

Flip the order of the arguments of a binary function.

Inputs
f

1. Function argument

a

2. Function argument

b

3. Function argument

Type
flip :: (a -> b -> c) -> (b -> a -> c)
Examples
Example 128. lib.trivial.flip usage example
flip concat [1] [2]
=> [ 2 1 ]

Located at lib/trivial.nix:317 in <nixpkgs>.

lib.trivial.mapNullable

Apply function if the supplied argument is non-null.

Inputs
f

Function to call

a

Argument to check for null before passing it to f

Examples
Example 129. lib.trivial.mapNullable usage example
mapNullable (x: x+1) null
=> null
mapNullable (x: x+1) 22
=> 23

Located at lib/trivial.nix:347 in <nixpkgs>.

lib.trivial.version

Returns the current full nixpkgs version number.

Located at lib/trivial.nix:363 in <nixpkgs>.

lib.trivial.release

Returns the current nixpkgs release number as string.

Located at lib/trivial.nix:368 in <nixpkgs>.

lib.trivial.oldestSupportedRelease

The latest release that is supported, at the time of release branch-off, if applicable.

Ideally, out-of-tree modules should be able to evaluate cleanly with all supported Nixpkgs versions (master, release and old release until EOL). So if possible, deprecation warnings should take effect only when all out-of-tree expressions/libs/modules can upgrade to the new way without losing support for supported Nixpkgs versions.

This release number allows deprecation warnings to be implemented such that they take effect as soon as the oldest release reaches end of life.

Located at lib/trivial.nix:383 in <nixpkgs>.

lib.trivial.isInOldestRelease

Whether a feature is supported in all supported releases (at the time of release branch-off, if applicable). See oldestSupportedRelease.

Inputs
release

Release number of feature introduction as an integer, e.g. 2111 for 21.11. Set it to the upcoming release, matching the nixpkgs/.version file.

Located at lib/trivial.nix:399 in <nixpkgs>.

lib.trivial.oldestSupportedReleaseIsAtLeast

Alias for isInOldestRelease introduced in 24.11. Use isInOldestRelease in expressions outside of Nixpkgs for greater compatibility.

Located at lib/trivial.nix:408 in <nixpkgs>.

lib.trivial.codeName

Returns the current nixpkgs release code name.

On each release the first letter is bumped and a new animal is chosen starting with that new letter.

Located at lib/trivial.nix:418 in <nixpkgs>.

lib.trivial.versionSuffix

Returns the current nixpkgs version suffix as string.

Located at lib/trivial.nix:423 in <nixpkgs>.

lib.trivial.revisionWithDefault

Attempts to return the the current revision of nixpkgs and returns the supplied default value otherwise.

Inputs
default

Default value to return if revision can not be determined

Type
revisionWithDefault :: string -> string

Located at lib/trivial.nix:446 in <nixpkgs>.

lib.trivial.inNixShell

Determine whether the function is being called from inside a Nix shell.

Type
inNixShell :: bool

Located at lib/trivial.nix:468 in <nixpkgs>.

lib.trivial.inPureEvalMode

Determine whether the function is being called from inside pure-eval mode by seeing whether builtins contains currentSystem. If not, we must be in pure-eval mode.

Type
inPureEvalMode :: bool

Located at lib/trivial.nix:481 in <nixpkgs>.

lib.trivial.min

Return minimum of two numbers.

Inputs
x

1. Function argument

y

2. Function argument

Located at lib/trivial.nix:499 in <nixpkgs>.

lib.trivial.max

Return maximum of two numbers.

Inputs
x

1. Function argument

y

2. Function argument

Located at lib/trivial.nix:515 in <nixpkgs>.

lib.trivial.mod

Integer modulus

Inputs
base

1. Function argument

int

2. Function argument

Examples
Example 130. lib.trivial.mod usage example
mod 11 10
=> 1
mod 1 10
=> 1

Located at lib/trivial.nix:545 in <nixpkgs>.

lib.trivial.compare

C-style comparisons

a < b, compare a b => -1 a == b, compare a b => 0 a > b, compare a b => 1

Inputs
a

1. Function argument

b

2. Function argument

Located at lib/trivial.nix:568 in <nixpkgs>.

lib.trivial.splitByAndCompare

Split type into two subtypes by predicate p, take all elements of the first subtype to be less than all the elements of the second subtype, compare elements of a single subtype with yes and no respectively.

Inputs
p

Predicate

yes

Comparison function if predicate holds for both values

no

Comparison function if predicate holds for neither value

a

First value to compare

b

Second value to compare

Type
(a -> bool) -> (a -> a -> int) -> (a -> a -> int) -> (a -> a -> int)
Examples
Example 131. lib.trivial.splitByAndCompare usage example
let cmp = splitByAndCompare (hasPrefix "foo") compare compare; in

cmp "a" "z" => -1
cmp "fooa" "fooz" => -1

cmp "f" "a" => 1
cmp "fooa" "a" => -1
# while
compare "fooa" "a" => 1

Located at lib/trivial.nix:628 in <nixpkgs>.

lib.trivial.importJSON

Reads a JSON file.

Examples
Example 132. lib.trivial.importJSON usage example

example.json

{
  "title": "Example JSON",
  "hello": {
    "world": "foo",
    "bar": {
      "foobar": true
    }
  }
}
importJSON ./example.json
=> {
  title = "Example JSON";
  hello = {
    world = "foo";
    bar = {
      foobar = true;
    };
  };
}

Inputs
path

1. Function argument

Type
importJSON :: path -> any

Located at lib/trivial.nix:682 in <nixpkgs>.

lib.trivial.importTOML

Reads a TOML file.

Examples
Example 133. lib.trivial.importTOML usage example

example.toml

title = "TOML Example"

[hello]
world = "foo"

[hello.bar]
foobar = true
importTOML ./example.toml
=> {
  title = "TOML Example";
  hello = {
    world = "foo";
    bar = {
      foobar = true;
    };
  };
}

Inputs
path

1. Function argument

Type
importTOML :: path -> any

Located at lib/trivial.nix:730 in <nixpkgs>.

lib.trivial.warn

warn message value

Print a warning before returning the second argument.

See builtins.warn (Nix >= 2.23). On older versions, the Nix 2.23 behavior is emulated with builtins.trace, including the NIX_ABORT_ON_WARN behavior, but not the nix.conf setting or command line option.

Inputs
message (String)

Warning message to print before evaluating value.

value (any value)

Value to return as-is.

Type
String -> a -> a

Located at lib/trivial.nix:758 in <nixpkgs>.

lib.trivial.warnIf

warnIf condition message value

Like warn, but only warn when the first argument is true.

Inputs
condition (Boolean)

true to trigger the warning before continuing with value.

message (String)

Warning message to print before evaluating

value (any value)

Value to return as-is.

Type
Bool -> String -> a -> a

Located at lib/trivial.nix:798 in <nixpkgs>.

lib.trivial.warnIfNot

warnIfNot condition message value

Like warnIf, but negated: warn if the first argument is false.

Inputs
condition

false to trigger the warning before continuing with val.

message

Warning message to print before evaluating value.

value

Value to return as-is.

Type
Boolean -> String -> a -> a

Located at lib/trivial.nix:826 in <nixpkgs>.

lib.trivial.throwIfNot

Like the assert b; e expression, but with a custom error message and without the semicolon.

If true, return the identity function, r: r.

If false, throw the error message.

Calls can be juxtaposed using function application, as (r: r) a = a, so (r: r) (r: r) a = a, and so forth.

Inputs
cond

1. Function argument

msg

2. Function argument

Type
bool -> string -> a -> a
Examples
Example 134. lib.trivial.throwIfNot usage example
throwIfNot (lib.isList overlays) "The overlays argument to nixpkgs must be a list."
lib.foldr (x: throwIfNot (lib.isFunction x) "All overlays passed to nixpkgs must be functions.") (r: r) overlays
pkgs

Located at lib/trivial.nix:868 in <nixpkgs>.

lib.trivial.throwIf

Like throwIfNot, but negated (throw if the first argument is true).

Inputs
cond

1. Function argument

msg

2. Function argument

Type
bool -> string -> a -> a

Located at lib/trivial.nix:890 in <nixpkgs>.

lib.trivial.checkListOfEnum

Check if the elements in a list are valid values from a enum, returning the identity function, or throwing an error message otherwise.

Inputs
msg

1. Function argument

valid

2. Function argument

given

3. Function argument

Type
String -> List ComparableVal -> List ComparableVal -> a -> a
Examples
Example 135. lib.trivial.checkListOfEnum usage example
let colorVariants = ["bright" "dark" "black"]
in checkListOfEnum "color variants" [ "standard" "light" "dark" ] colorVariants;
=>
error: color variants: bright, black unexpected; valid ones: standard, light, dark

Located at lib/trivial.nix:929 in <nixpkgs>.

lib.trivial.setFunctionArgs

Add metadata about expected function arguments to a function. The metadata should match the format given by builtins.functionArgs, i.e. a set from expected argument to a bool representing whether that argument has a default or not. setFunctionArgs : (a → b) → Map String Bool → (a → b)

This function is necessary because you can’t dynamically create a function of the { a, b ? foo, … }: format, but some facilities like callPackage expect to be able to query expected arguments.

Inputs
f

1. Function argument

args

2. Function argument

Located at lib/trivial.nix:964 in <nixpkgs>.

lib.trivial.functionArgs

Extract the expected function arguments from a function. This works both with nix-native { a, b ? foo, … }: style functions and functions with args set with ‘setFunctionArgs’. It has the same return type and semantics as builtins.functionArgs. setFunctionArgs : (a → b) → Map String Bool.

Inputs
f

1. Function argument

Located at lib/trivial.nix:984 in <nixpkgs>.

lib.trivial.isFunction

Check whether something is a function or something annotated with function args.

Inputs
f

1. Function argument

Located at lib/trivial.nix:1000 in <nixpkgs>.

lib.trivial.mirrorFunctionArgs

mirrorFunctionArgs f g creates a new function g' with the same behavior as g (g' x == g x) but its function arguments mirroring f (lib.functionArgs g' == lib.functionArgs f).

Inputs
f

Function to provide the argument metadata

g

Function to set the argument metadata to

Type
mirrorFunctionArgs :: (a -> b) -> (a -> c) -> (a -> c)
Examples
Example 136. lib.trivial.mirrorFunctionArgs usage example
addab = {a, b}: a + b
addab { a = 2; b = 4; }
=> 6
lib.functionArgs addab
=> { a = false; b = false; }
addab1 = attrs: addab attrs + 1
addab1 { a = 2; b = 4; }
=> 7
lib.functionArgs addab1
=> { }
addab1' = lib.mirrorFunctionArgs addab addab1
addab1' { a = 2; b = 4; }
=> 7
lib.functionArgs addab1'
=> { a = false; b = false; }

Located at lib/trivial.nix:1048 in <nixpkgs>.

lib.trivial.toFunction

Turns any non-callable values into constant functions. Returns callable values as is.

Inputs
v

Any value

Examples
Example 137. lib.trivial.toFunction usage example
nix-repl> lib.toFunction 1 2
1

nix-repl> lib.toFunction (x: x + 1) 2
3

Located at lib/trivial.nix:1082 in <nixpkgs>.

lib.trivial.fromHexString

Convert a hexadecimal string to it’s integer representation.

Type
fromHexString :: String -> [ String ]
Examples
fromHexString "FF"
=> 255

fromHexString (builtins.hashString "sha256" "test")
=> 9223372036854775807

Located at lib/trivial.nix:1107 in <nixpkgs>.

lib.trivial.toHexString

Convert the given positive integer to a string of its hexadecimal representation. For example:

toHexString 0 => “0”

toHexString 16 => “10”

toHexString 250 => “FA”

Located at lib/trivial.nix:1124 in <nixpkgs>.

lib.trivial.toBaseDigits

toBaseDigits base i converts the positive integer i to a list of its digits in the given base. For example:

toBaseDigits 10 123 => [ 1 2 3 ]

toBaseDigits 2 6 => [ 1 1 0 ]

toBaseDigits 16 250 => [ 15 10 ]

Inputs
base

1. Function argument

i

2. Function argument

Located at lib/trivial.nix:1160 in <nixpkgs>.

lib.fixedPoints: explicit recursion functions

lib.fixedPoints.fix

fix f computes the fixed point of the given function f. In other words, the return value is x in x = f x.

f must be a lazy function. This means that x must be a value that can be partially evaluated, such as an attribute set, a list, or a function. This way, f can use one part of x to compute another part.

Relation to syntactic recursion

This section explains fix by refactoring from syntactic recursion to a call of fix instead.

For context, Nix lets you define attributes in terms of other attributes syntactically using the rec { } syntax.

nix-repl> rec {
  foo = "foo";
  bar = "bar";
  foobar = foo + bar;
}
{ bar = "bar"; foo = "foo"; foobar = "foobar"; }

This is convenient when constructing a value to pass to a function for example, but an equivalent effect can be achieved with the let binding syntax:

nix-repl> let self = {
  foo = "foo";
  bar = "bar";
  foobar = self.foo + self.bar;
}; in self
{ bar = "bar"; foo = "foo"; foobar = "foobar"; }

But in general you can get more reuse out of let bindings by refactoring them to a function.

nix-repl> f = self: {
  foo = "foo";
  bar = "bar";
  foobar = self.foo + self.bar;
}

This is where fix comes in, it contains the syntactic recursion that’s not in f anymore.

nix-repl> fix = f:
  let self = f self; in self;

By applying fix we get the final result.

nix-repl> fix f
{ bar = "bar"; foo = "foo"; foobar = "foobar"; }

Such a refactored f using fix is not useful by itself. See extends for an example use case. There self is also often called final.

Inputs
f

1. Function argument

Type
fix :: (a -> a) -> a
Examples
Example 138. lib.fixedPoints.fix usage example
fix (self: { foo = "foo"; bar = "bar"; foobar = self.foo + self.bar; })
=> { bar = "bar"; foo = "foo"; foobar = "foobar"; }

fix (self: [ 1 2 (elemAt self 0 + elemAt self 1) ])
=> [ 1 2 3 ]

Located at lib/fixed-points.nix:92 in <nixpkgs>.

lib.fixedPoints.fix'

A variant of fix that records the original recursive attribute set in the result, in an attribute named __unfix__.

This is useful in combination with the extends function to implement deep overriding.

Inputs
f

1. Function argument

Located at lib/fixed-points.nix:112 in <nixpkgs>.

lib.fixedPoints.converge

Return the fixpoint that f converges to when called iteratively, starting with the input x.

nix-repl> converge (x: x / 2) 16
0
Inputs
f

1. Function argument

x

2. Function argument

Type
(a -> a) -> a -> a

Located at lib/fixed-points.nix:146 in <nixpkgs>.

lib.fixedPoints.extends

Extend a function using an overlay.

Overlays allow modifying and extending fixed-point functions, specifically ones returning attribute sets. A fixed-point function is a function which is intended to be evaluated by passing the result of itself as the argument. This is possible due to Nix’s lazy evaluation.

A fixed-point function returning an attribute set has the form

final: {
  # attributes
}

where final refers to the lazily evaluated attribute set returned by the fixed-point function.

An overlay to such a fixed-point function has the form

final: prev: {
  # attributes
}

where prev refers to the result of the original function to final, and final is the result of the composition of the overlay and the original function.

Applying an overlay is done with extends:

let
  f = final: {
    # attributes
  };
  overlay = final: prev: {
    # attributes
  };
in extends overlay f;

To get the value of final, use lib.fix:

let
  f = final: {
    # attributes
  };
  overlay = final: prev: {
    # attributes
  };
  g = extends overlay f;
in fix g

Note

The argument to the given fixed-point function after applying an overlay will not refer to its own return value, but rather to the value after evaluating the overlay function.

The given fixed-point function is called with a separate argument than if it was evaluated with lib.fix.

Example 139. Extend a fixed-point function with an overlay

Define a fixed-point function f that expects its own output as the argument final:

f = final: {
  # Constant value a
  a = 1;

  # b depends on the final value of a, available as final.a
  b = final.a + 2;
}

Evaluate this using lib.fix to get the final result:

fix f
=> { a = 1; b = 3; }

An overlay represents a modification or extension of such a fixed-point function. Here’s an example of an overlay:

overlay = final: prev: {
  # Modify the previous value of a, available as prev.a
  a = prev.a + 10;

  # Extend the attribute set with c, letting it depend on the final values of a and b
  c = final.a + final.b;
}

Use extends overlay f to apply the overlay to the fixed-point function f. This produces a new fixed-point function g with the combined behavior of f and overlay:

g = extends overlay f

The result is a function, so we can’t print it directly, but it’s the same as:

g' = final: {
  # The constant from f, but changed with the overlay
  a = 1 + 10;

  # Unchanged from f
  b = final.a + 2;

  # Extended in the overlay
  c = final.a + final.b;
}

Evaluate this using lib.fix again to get the final result:

fix g
=> { a = 11; b = 13; c = 24; }

Inputs
overlay

The overlay to apply to the fixed-point function

f

The fixed-point function

Type
extends :: (Attrs -> Attrs -> Attrs) # The overlay to apply to the fixed-point function
        -> (Attrs -> Attrs) # A fixed-point function
        -> (Attrs -> Attrs) # The resulting fixed-point function
Examples
Example 140. lib.fixedPoints.extends usage example
f = final: { a = 1; b = final.a + 2; }

fix f
=> { a = 1; b = 3; }

fix (extends (final: prev: { a = prev.a + 10; }) f)
=> { a = 11; b = 13; }

fix (extends (final: prev: { b = final.a + 5; }) f)
=> { a = 1; b = 6; }

fix (extends (final: prev: { c = final.a + final.b; }) f)
=> { a = 1; b = 3; c = 4; }

Located at lib/fixed-points.nix:319 in <nixpkgs>.

lib.fixedPoints.composeExtensions

Compose two overlay functions and return a single overlay function that combines them. For more details see: composeManyExtensions.

Located at lib/fixed-points.nix:334 in <nixpkgs>.

lib.fixedPoints.composeManyExtensions

Composes a list of overlays and returns a single overlay function that combines them.

Note

The result is produced by using the update operator //. This means nested values of previous overlays are not merged recursively. In other words, previously defined attributes are replaced, ignoring the previous value, unless referenced by the overlay; for example final: prev: { foo = final.foo + 1; }.

Inputs
extensions

A list of overlay functions

Note

The order of the overlays in the list is important.

Each overlay function takes two arguments, by convention final and prev, and returns an attribute set.

  • final is the result of the fixed-point function, with all overlays applied.

  • prev is the result of the previous overlay function(s).

Type
# Pseudo code
let
  #               final      prev
  #                 ↓          ↓
  OverlayFn = { ... } -> { ... } -> { ... };
in
  composeManyExtensions :: ListOf OverlayFn -> OverlayFn
Examples
Example 141. lib.fixedPoints.composeManyExtensions usage example
let
  # The "original function" that is extended by the overlays.
  # Note that it doesn't have prev: as argument since no overlay function precedes it.
  original = final: { a = 1; };

  # Each overlay function has 'final' and 'prev' as arguments.
  overlayA = final: prev: { b = final.c; c = 3; };
  overlayB = final: prev: { c = 10; x = prev.c or 5; };

  extensions = composeManyExtensions [ overlayA overlayB ];

  # Caluculate the fixed point of all composed overlays.
  fixedpoint = lib.fix (lib.extends extensions original );

in fixedpoint
=>
{
  a = 1;
  b = 10;
  c = 10;
  x = 3;
}

Located at lib/fixed-points.nix:406 in <nixpkgs>.

lib.fixedPoints.makeExtensible

Create an overridable, recursive attribute set. For example:

nix-repl> obj = makeExtensible (final: { })

nix-repl> obj
{ __unfix__ = «lambda»; extend = «lambda»; }

nix-repl> obj = obj.extend (final: prev: { foo = "foo"; })

nix-repl> obj
{ __unfix__ = «lambda»; extend = «lambda»; foo = "foo"; }

nix-repl> obj = obj.extend (final: prev: { foo = prev.foo + " + "; bar = "bar"; foobar = final.foo + final.bar; })

nix-repl> obj
{ __unfix__ = «lambda»; bar = "bar"; extend = «lambda»; foo = "foo + "; foobar = "foo + bar"; }

Located at lib/fixed-points.nix:428 in <nixpkgs>.

lib.fixedPoints.makeExtensibleWithCustomName

Same as makeExtensible but the name of the extending attribute is customized.

Inputs
extenderName

1. Function argument

rattrs

2. Function argument

Located at lib/fixed-points.nix:444 in <nixpkgs>.

lib.fixedPoints.toExtension

Convert to an extending function (overlay).

toExtension is the toFunction for extending functions (a.k.a. extensions or overlays). It converts a non-function or a single-argument function to an extending function, while returning a two-argument function as-is.

That is, it takes a value of the shape x, prev: x, or final: prev: x, and returns final: prev: x, assuming x is not a function.

This function takes care of the input to stdenv.mkDerivation’s overrideAttrs function. It bridges the gap between <pkg>.overrideAttrs before and after the overlay-style support.

Inputs
f

The function or value to convert to an extending function.

Type
toExtension ::
  b' -> Any -> Any -> b'
or
toExtension ::
  (a -> b') -> Any -> a -> b'
or
toExtension ::
  (a -> a -> b) -> a -> a -> b
where b' = ! Callable

Set a = b = b' = AttrSet & ! Callable to make toExtension return an extending function.
Examples
Example 142. lib.fixedPoints.toExtension usage example
fix (final: { a = 0; c = final.a; })
=> { a = 0; c = 0; };

fix (extends (toExtension { a = 1; b = 2; }) (final: { a = 0; c = final.a; }))
=> { a = 1; b = 2; c = 1; };

fix (extends (toExtension (prev: { a = 1; b = prev.a; })) (final: { a = 0; c = final.a; }))
=> { a = 1; b = 0; c = 1; };

fix (extends (toExtension (final: prev: { a = 1; b = prev.a; c = final.a + 1 })) (final: { a = 0; c = final.a; }))
=> { a = 1; b = 0; c = 2; };

Located at lib/fixed-points.nix:509 in <nixpkgs>.

lib.lists: list manipulation functions

General list operations.

lib.lists.singleton

Create a list consisting of a single element. singleton x is sometimes more convenient with respect to indentation than [x] when x spans multiple lines.

Inputs
x

1. Function argument

Type
singleton :: a -> [a]
Examples
Example 143. lib.lists.singleton usage example
singleton "foo"
=> [ "foo" ]

Located at lib/lists.nix:42 in <nixpkgs>.

lib.lists.forEach

Apply the function to each element in the list. Same as map, but arguments flipped.

Inputs
xs

1. Function argument

f

2. Function argument

Type
forEach :: [a] -> (a -> b) -> [b]
Examples
Example 144. lib.lists.forEach usage example
forEach [ 1 2 ] (x:
  toString x
)
=> [ "1" "2" ]

Located at lib/lists.nix:77 in <nixpkgs>.

lib.lists.foldr

“right fold” a binary function op between successive elements of list with nul as the starting value, i.e., foldr op nul [x_1 x_2 ... x_n] == op x_1 (op x_2 ... (op x_n nul)).

Inputs
op

1. Function argument

nul

2. Function argument

list

3. Function argument

Type
foldr :: (a -> b -> b) -> b -> [a] -> b
Examples
Example 145. lib.lists.foldr usage example
concat = foldr (a: b: a + b) "z"
concat [ "a" "b" "c" ]
=> "abcz"
# different types
strange = foldr (int: str: toString (int + 1) + str) "a"
strange [ 1 2 3 4 ]
=> "2345a"

Located at lib/lists.nix:121 in <nixpkgs>.

lib.lists.fold

fold is an alias of foldr for historic reasons

Located at lib/lists.nix:134 in <nixpkgs>.

lib.lists.foldl

“left fold”, like foldr, but from the left:

foldl op nul [x_1 x_2 ... x_n] == op (... (op (op nul x_1) x_2) ... x_n).

Inputs
op

1. Function argument

nul

2. Function argument

list

3. Function argument

Type
foldl :: (b -> a -> b) -> b -> [a] -> b
Examples
Example 146. lib.lists.foldl usage example
lconcat = foldl (a: b: a + b) "z"
lconcat [ "a" "b" "c" ]
=> "zabc"
# different types
lstrange = foldl (str: int: str + toString (int + 1)) "a"
lstrange [ 1 2 3 4 ]
=> "a2345"

Located at lib/lists.nix:178 in <nixpkgs>.

lib.lists.foldl'

Reduce a list by applying a binary operator from left to right, starting with an initial accumulator.

Before each application of the operator, the accumulator value is evaluated. This behavior makes this function stricter than foldl.

Unlike builtins.foldl', the initial accumulator argument is evaluated before the first iteration.

A call like

foldl' op acc₀ [ x₀ x₁ x₂ ... xₙ₋₁ xₙ ]

is (denotationally) equivalent to the following, but with the added benefit that foldl' itself will never overflow the stack.

let
  acc₁   = builtins.seq acc₀   (op acc₀   x₀  );
  acc₂   = builtins.seq acc₁   (op acc₁   x₁  );
  acc₃   = builtins.seq acc₂   (op acc₂   x₂  );
  ...
  accₙ   = builtins.seq accₙ₋₁ (op accₙ₋₁ xₙ₋₁);
  accₙ₊₁ = builtins.seq accₙ   (op accₙ   xₙ  );
in
accₙ₊₁

# Or ignoring builtins.seq
op (op (... (op (op (op acc₀ x₀) x₁) x₂) ...) xₙ₋₁) xₙ
Inputs
op

The binary operation to run, where the two arguments are:

  1. acc: The current accumulator value: Either the initial one for the first iteration, or the result of the previous iteration

  2. x: The corresponding list element for this iteration

acc

The initial accumulator value.

The accumulator value is evaluated in any case before the first iteration starts.

To avoid evaluation even before the list argument is given an eta expansion can be used:

list: lib.foldl' op acc list
list

The list to fold

Type
foldl' :: (acc -> x -> acc) -> acc -> [x] -> acc
Examples
Example 147. lib.lists.foldl' usage example
foldl' (acc: x: acc + x) 0 [1 2 3]
=> 6

Located at lib/lists.nix:262 in <nixpkgs>.

lib.lists.imap0

Map with index starting from 0

Inputs
f

1. Function argument

list

2. Function argument

Type
imap0 :: (int -> a -> b) -> [a] -> [b]
Examples
Example 148. lib.lists.imap0 usage example
imap0 (i: v: "${v}-${toString i}") ["a" "b"]
=> [ "a-0" "b-1" ]

Located at lib/lists.nix:301 in <nixpkgs>.

lib.lists.imap1

Map with index starting from 1

Inputs
f

1. Function argument

list

2. Function argument

Type
imap1 :: (int -> a -> b) -> [a] -> [b]
Examples
Example 149. lib.lists.imap1 usage example
imap1 (i: v: "${v}-${toString i}") ["a" "b"]
=> [ "a-1" "b-2" ]

Located at lib/lists.nix:334 in <nixpkgs>.

lib.lists.ifilter0

Filter a list for elements that satisfy a predicate function. The predicate function is called with both the index and value for each element. It must return true/false to include/exclude a given element in the result. This function is strict in the result of the predicate function for each element. This function has O(n) complexity.

Also see builtins.filter (available as lib.lists.filter), which can be used instead when the index isn’t needed.

Inputs
ipred

The predicate function, it takes two arguments:

    1. (int): the index of the element.

    1. (a): the value of the element.

It must return true/false to include/exclude a given element from the result.

list

The list to filter using the predicate.

Type
ifilter0 :: (int -> a -> bool) -> [a] -> [a]
Examples
Example 150. lib.lists.ifilter0 usage example
ifilter0 (i: v: i == 0 || v > 2) [ 1 2 3 ]
=> [ 1 3 ]

Located at lib/lists.nix:375 in <nixpkgs>.

lib.lists.concatMap

Map and concatenate the result.

Type
concatMap :: (a -> [b]) -> [a] -> [b]
Examples
Example 151. lib.lists.concatMap usage example
concatMap (x: [x] ++ ["z"]) ["a" "b"]
=> [ "a" "z" "b" "z" ]

Located at lib/lists.nix:404 in <nixpkgs>.

lib.lists.flatten

Flatten the argument into a single list; that is, nested lists are spliced into the top-level lists.

Inputs
x

1. Function argument

Examples
Example 152. lib.lists.flatten usage example
flatten [1 [2 [3] 4] 5]
=> [1 2 3 4 5]
flatten 1
=> [1]

Located at lib/lists.nix:431 in <nixpkgs>.

lib.lists.remove

Remove elements equal to ‘e’ from a list. Useful for buildInputs.

Inputs
e

Element to remove from list

list

The list

Type
remove :: a -> [a] -> [a]
Examples
Example 153. lib.lists.remove usage example
remove 3 [ 1 3 4 3 ]
=> [ 1 4 ]

Located at lib/lists.nix:467 in <nixpkgs>.

lib.lists.findSingle

Find the sole element in the list matching the specified predicate.

Returns default if no such element exists, or multiple if there are multiple matching elements.

Inputs
pred

Predicate

default

Default value to return if element was not found.

multiple

Default value to return if more than one element was found

list

Input list

Type
findSingle :: (a -> bool) -> a -> a -> [a] -> a
Examples
Example 154. lib.lists.findSingle usage example
findSingle (x: x == 3) "none" "multiple" [ 1 3 3 ]
=> "multiple"
findSingle (x: x == 3) "none" "multiple" [ 1 3 ]
=> 3
findSingle (x: x == 3) "none" "multiple" [ 1 9 ]
=> "none"

Located at lib/lists.nix:517 in <nixpkgs>.

lib.lists.findFirstIndex

Find the first index in the list matching the specified predicate or return default if no such element exists.

Inputs
pred

Predicate

default

Default value to return

list

Input list

Type
findFirstIndex :: (a -> Bool) -> b -> [a] -> (Int | b)
Examples
Example 155. lib.lists.findFirstIndex usage example
findFirstIndex (x: x > 3) null [ 0 6 4 ]
=> 1
findFirstIndex (x: x > 9) null [ 0 6 4 ]
=> null

Located at lib/lists.nix:564 in <nixpkgs>.

lib.lists.findFirst

Find the first element in the list matching the specified predicate or return default if no such element exists.

Inputs
pred

Predicate

default

Default value to return

list

Input list

Type
findFirst :: (a -> bool) -> a -> [a] -> a
Examples
Example 156. lib.lists.findFirst usage example
findFirst (x: x > 3) 7 [ 1 6 4 ]
=> 6
findFirst (x: x > 9) 7 [ 1 6 4 ]
=> 7

Located at lib/lists.nix:638 in <nixpkgs>.

lib.lists.any

Return true if function pred returns true for at least one element of list.

Inputs
pred

Predicate

list

Input list

Type
any :: (a -> bool) -> [a] -> bool
Examples
Example 157. lib.lists.any usage example
any isString [ 1 "a" { } ]
=> true
any isString [ 1 { } ]
=> false

Located at lib/lists.nix:683 in <nixpkgs>.

lib.lists.all

Return true if function pred returns true for all elements of list.

Inputs
pred

Predicate

list

Input list

Type
all :: (a -> bool) -> [a] -> bool
Examples
Example 158. lib.lists.all usage example
all (x: x < 3) [ 1 2 ]
=> true
all (x: x < 3) [ 1 2 3 ]
=> false

Located at lib/lists.nix:718 in <nixpkgs>.

lib.lists.count

Count how many elements of list match the supplied predicate function.

Inputs
pred

Predicate

Type
count :: (a -> bool) -> [a] -> int
Examples
Example 159. lib.lists.count usage example
count (x: x == 3) [ 3 2 3 4 6 ]
=> 2

Located at lib/lists.nix:747 in <nixpkgs>.

lib.lists.optional

Return a singleton list or an empty list, depending on a boolean value. Useful when building lists with optional elements (e.g. ++ optional (system == "i686-linux") firefox).

Inputs
cond

1. Function argument

elem

2. Function argument

Type
optional :: bool -> a -> [a]
Examples
Example 160. lib.lists.optional usage example
optional true "foo"
=> [ "foo" ]
optional false "foo"
=> [ ]

Located at lib/lists.nix:784 in <nixpkgs>.

lib.lists.optionals

Return a list or an empty list, depending on a boolean value.

Inputs
cond

Condition

elems

List to return if condition is true

Type
optionals :: bool -> [a] -> [a]
Examples
Example 161. lib.lists.optionals usage example
optionals true [ 2 3 ]
=> [ 2 3 ]
optionals false [ 2 3 ]
=> [ ]

Located at lib/lists.nix:818 in <nixpkgs>.

lib.lists.toList

If argument is a list, return it; else, wrap it in a singleton list. If you’re using this, you should almost certainly reconsider if there isn’t a more “well-typed” approach.

Inputs
x

1. Function argument

Examples
Example 162. lib.lists.toList usage example
toList [ 1 2 ]
=> [ 1 2 ]
toList "hi"
=> [ "hi "]

Located at lib/lists.nix:847 in <nixpkgs>.

lib.lists.range

Return a list of integers from first up to and including last.

Inputs
first

First integer in the range

last

Last integer in the range

Type
range :: int -> int -> [int]
Examples
Example 163. lib.lists.range usage example
range 2 4
=> [ 2 3 4 ]
range 3 2
=> [ ]

Located at lib/lists.nix:881 in <nixpkgs>.

lib.lists.replicate

Return a list with n copies of an element.

Inputs
n

1. Function argument

elem

2. Function argument

Type
replicate :: int -> a -> [a]
Examples
Example 164. lib.lists.replicate usage example
replicate 3 "a"
=> [ "a" "a" "a" ]
replicate 2 true
=> [ true true ]

Located at lib/lists.nix:921 in <nixpkgs>.

lib.lists.partition

Splits the elements of a list in two lists, right and wrong, depending on the evaluation of a predicate.

Inputs
pred

Predicate

list

Input list

Type
(a -> bool) -> [a] -> { right :: [a]; wrong :: [a]; }
Examples
Example 165. lib.lists.partition usage example
partition (x: x > 2) [ 5 1 2 3 4 ]
=> { right = [ 5 3 4 ]; wrong = [ 1 2 ]; }

Located at lib/lists.nix:954 in <nixpkgs>.

lib.lists.groupBy'

Splits the elements of a list into many lists, using the return value of a predicate. Predicate should return a string which becomes keys of attrset groupBy returns. groupBy' allows to customise the combining function and initial value

Inputs
op

1. Function argument

nul

2. Function argument

pred

3. Function argument

lst

4. Function argument

Examples
Example 166. lib.lists.groupBy' usage example
groupBy (x: boolToString (x > 2)) [ 5 1 2 3 4 ]
=> { true = [ 5 3 4 ]; false = [ 1 2 ]; }
groupBy (x: x.name) [ {name = "icewm"; script = "icewm &";}
                      {name = "xfce";  script = "xfce4-session &";}
                      {name = "icewm"; script = "icewmbg &";}
                      {name = "mate";  script = "gnome-session &";}
                    ]
=> { icewm = [ { name = "icewm"; script = "icewm &"; }
               { name = "icewm"; script = "icewmbg &"; } ];
     mate  = [ { name = "mate";  script = "gnome-session &"; } ];
     xfce  = [ { name = "xfce";  script = "xfce4-session &"; } ];
   }

groupBy' builtins.add 0 (x: boolToString (x > 2)) [ 5 1 2 3 4 ]
=> { true = 12; false = 3; }

Located at lib/lists.nix:1004 in <nixpkgs>.

lib.lists.zipListsWith

Merges two lists of the same size together. If the sizes aren’t the same the merging stops at the shortest. How both lists are merged is defined by the first argument.

Inputs
f

Function to zip elements of both lists

fst

First list

snd

Second list

Type
zipListsWith :: (a -> b -> c) -> [a] -> [b] -> [c]
Examples
Example 167. lib.lists.zipListsWith usage example
zipListsWith (a: b: a + b) ["h" "l"] ["e" "o"]
=> ["he" "lo"]

Located at lib/lists.nix:1050 in <nixpkgs>.

lib.lists.zipLists

Merges two lists of the same size together. If the sizes aren’t the same the merging stops at the shortest.

Inputs
fst

First list

snd

Second list

Type
zipLists :: [a] -> [b] -> [{ fst :: a; snd :: b; }]
Examples
Example 168. lib.lists.zipLists usage example
zipLists [ 1 2 ] [ "a" "b" ]
=> [ { fst = 1; snd = "a"; } { fst = 2; snd = "b"; } ]

Located at lib/lists.nix:1088 in <nixpkgs>.

lib.lists.reverseList

Reverse the order of the elements of a list.

Inputs
xs

1. Function argument

Type
reverseList :: [a] -> [a]
Examples
Example 169. lib.lists.reverseList usage example
reverseList [ "b" "o" "j" ]
=> [ "j" "o" "b" ]

Located at lib/lists.nix:1116 in <nixpkgs>.

lib.lists.listDfs

Depth-First Search (DFS) for lists list != [].

before a b == true means that b depends on a (there’s an edge from b to a).

Inputs
stopOnCycles

1. Function argument

before

2. Function argument

list

3. Function argument

Examples
Example 170. lib.lists.listDfs usage example
listDfs true hasPrefix [ "/home/user" "other" "/" "/home" ]
  == { minimal = "/";                  # minimal element
       visited = [ "/home/user" ];     # seen elements (in reverse order)
       rest    = [ "/home" "other" ];  # everything else
     }

listDfs true hasPrefix [ "/home/user" "other" "/" "/home" "/" ]
  == { cycle   = "/";                  # cycle encountered at this element
       loops   = [ "/" ];              # and continues to these elements
       visited = [ "/" "/home/user" ]; # elements leading to the cycle (in reverse order)
       rest    = [ "/home" "other" ];  # everything else

Located at lib/lists.nix:1161 in <nixpkgs>.

lib.lists.toposort

Sort a list based on a partial ordering using DFS. This implementation is O(N^2), if your ordering is linear, use sort instead.

before a b == true means that b should be after a in the result.

Inputs
before

1. Function argument

list

2. Function argument

Examples
Example 171. lib.lists.toposort usage example
toposort hasPrefix [ "/home/user" "other" "/" "/home" ]
  == { result = [ "/" "/home" "/home/user" "other" ]; }

toposort hasPrefix [ "/home/user" "other" "/" "/home" "/" ]
  == { cycle = [ "/home/user" "/" "/" ]; # path leading to a cycle
       loops = [ "/" ]; }                # loops back to these elements

toposort hasPrefix [ "other" "/home/user" "/home" "/" ]
  == { result = [ "other" "/" "/home" "/home/user" ]; }

toposort (a: b: a < b) [ 3 2 1 ] == { result = [ 1 2 3 ]; }

Located at lib/lists.nix:1218 in <nixpkgs>.

lib.lists.sort

Sort a list based on a comparator function which compares two elements and returns true if the first argument is strictly below the second argument. The returned list is sorted in an increasing order. The implementation does a quick-sort.

See also sortOn, which applies the default comparison on a function-derived property, and may be more efficient.

Inputs
comparator

1. Function argument

list

2. Function argument

Type
sort :: (a -> a -> Bool) -> [a] -> [a]
Examples
Example 172. lib.lists.sort usage example
sort (p: q: p < q) [ 5 3 7 ]
=> [ 3 5 7 ]

Located at lib/lists.nix:1273 in <nixpkgs>.

lib.lists.sortOn

Sort a list based on the default comparison of a derived property b.

The items are returned in b-increasing order.

Performance:

The passed function f is only evaluated once per item, unlike an unprepared sort using f p < f q.

Laws:

sortOn f == sort (p: q: f p < f q)
Inputs
f

1. Function argument

list

2. Function argument

Type
sortOn :: (a -> b) -> [a] -> [a], for comparable b
Examples
Example 173. lib.lists.sortOn usage example
sortOn stringLength [ "aa" "b" "cccc" ]
=> [ "b" "aa" "cccc" ]

Located at lib/lists.nix:1319 in <nixpkgs>.

lib.lists.compareLists

Compare two lists element-by-element.

Inputs
cmp

1. Function argument

a

2. Function argument

b

3. Function argument

Examples
Example 174. lib.lists.compareLists usage example
compareLists compare [] []
=> 0
compareLists compare [] [ "a" ]
=> -1
compareLists compare [ "a" ] []
=> 1
compareLists compare [ "a" "b" ] [ "a" "c" ]
=> -1

Located at lib/lists.nix:1367 in <nixpkgs>.

lib.lists.naturalSort

Sort list using “Natural sorting”. Numeric portions of strings are sorted in numeric order.

Inputs
lst

1. Function argument

Examples
Example 175. lib.lists.naturalSort usage example
naturalSort ["disk11" "disk8" "disk100" "disk9"]
=> ["disk8" "disk9" "disk11" "disk100"]
naturalSort ["10.46.133.149" "10.5.16.62" "10.54.16.25"]
=> ["10.5.16.62" "10.46.133.149" "10.54.16.25"]
naturalSort ["v0.2" "v0.15" "v0.0.9"]
=> [ "v0.0.9" "v0.2" "v0.15" ]

Located at lib/lists.nix:1406 in <nixpkgs>.

lib.lists.take

Return the first (at most) N elements of a list.

Inputs
count

Number of elements to take

list

Input list

Type
take :: int -> [a] -> [a]
Examples
Example 176. lib.lists.take usage example
take 2 [ "a" "b" "c" "d" ]
=> [ "a" "b" ]
take 2 [ ]
=> [ ]

Located at lib/lists.nix:1447 in <nixpkgs>.

lib.lists.drop

Remove the first (at most) N elements of a list.

Inputs
count

Number of elements to drop

list

Input list

Type
drop :: int -> [a] -> [a]
Examples
Example 177. lib.lists.drop usage example
drop 2 [ "a" "b" "c" "d" ]
=> [ "c" "d" ]
drop 2 [ ]
=> [ ]

Located at lib/lists.nix:1483 in <nixpkgs>.

lib.lists.hasPrefix

Whether the first list is a prefix of the second list.

Inputs
list1

1. Function argument

list2

2. Function argument

Type
hasPrefix :: [a] -> [a] -> bool
Examples
Example 178. lib.lists.hasPrefix usage example
hasPrefix [ 1 2 ] [ 1 2 3 4 ]
=> true
hasPrefix [ 0 1 ] [ 1 2 3 4 ]
=> false

Located at lib/lists.nix:1520 in <nixpkgs>.

lib.lists.removePrefix

Remove the first list as a prefix from the second list. Error if the first list isn’t a prefix of the second list.

Inputs
list1

1. Function argument

list2

2. Function argument

Type
removePrefix :: [a] -> [a] -> [a]
Examples
Example 179. lib.lists.removePrefix usage example
removePrefix [ 1 2 ] [ 1 2 3 4 ]
=> [ 3 4 ]
removePrefix [ 0 1 ] [ 1 2 3 4 ]
=> <error>

Located at lib/lists.nix:1558 in <nixpkgs>.

lib.lists.sublist

Return a list consisting of at most count elements of list, starting at index start.

Inputs
start

Index at which to start the sublist

count

Number of elements to take

list

Input list

Type
sublist :: int -> int -> [a] -> [a]
Examples
Example 180. lib.lists.sublist usage example
sublist 1 3 [ "a" "b" "c" "d" "e" ]
=> [ "b" "c" "d" ]
sublist 1 3 [ ]
=> [ ]

Located at lib/lists.nix:1603 in <nixpkgs>.

lib.lists.commonPrefix

The common prefix of two lists.

Inputs
list1

1. Function argument

list2

2. Function argument

Type
commonPrefix :: [a] -> [a] -> [a]
Examples
Example 181. lib.lists.commonPrefix usage example
commonPrefix [ 1 2 3 4 5 6 ] [ 1 2 4 8 ]
=> [ 1 2 ]
commonPrefix [ 1 2 3 ] [ 1 2 3 4 5 ]
=> [ 1 2 3 ]
commonPrefix [ 1 2 3 ] [ 4 5 6 ]
=> [ ]

Located at lib/lists.nix:1649 in <nixpkgs>.

lib.lists.last

Return the last element of a list.

This function throws an error if the list is empty.

Inputs
list

1. Function argument

Type
last :: [a] -> a
Examples
Example 182. lib.lists.last usage example
last [ 1 2 3 ]
=> 3

Located at lib/lists.nix:1692 in <nixpkgs>.

lib.lists.init

Return all elements but the last.

This function throws an error if the list is empty.

Inputs
list

1. Function argument

Type
init :: [a] -> [a]
Examples
Example 183. lib.lists.init usage example
init [ 1 2 3 ]
=> [ 1 2 ]

Located at lib/lists.nix:1725 in <nixpkgs>.

lib.lists.crossLists

Return the image of the cross product of some lists by a function.

Examples
Example 184. lib.lists.crossLists usage example
crossLists (x: y: "${toString x}${toString y}") [[1 2] [3 4]]
=> [ "13" "14" "23" "24" ]

The following function call is equivalent to the one deprecated above:

mapCartesianProduct (x: "${toString x.a}${toString x.b}") { a = [1 2]; b = [3 4]; }
=> [ "13" "14" "23" "24" ]

Located at lib/lists.nix:1751 in <nixpkgs>.

lib.lists.unique

Remove duplicate elements from the list. O(n^2) complexity.

Inputs
list

Input list

Type
unique :: [a] -> [a]
Examples
Example 185. lib.lists.unique usage example
unique [ 3 2 3 4 ]
=> [ 3 2 4 ]

Located at lib/lists.nix:1793 in <nixpkgs>.

lib.lists.allUnique

Check if list contains only unique elements. O(n^2) complexity.

Inputs
list

1. Function argument

Type
allUnique :: [a] -> bool
Examples
Example 186. lib.lists.allUnique usage example
allUnique [ 3 2 3 4 ]
=> false
allUnique [ 3 2 4 1 ]
=> true

Located at lib/lists.nix:1824 in <nixpkgs>.

lib.lists.intersectLists

Intersects list ‘list1’ and another list (list2).

O(nm) complexity.

Inputs
list1

First list

list2

Second list

Examples
Example 187. lib.lists.intersectLists usage example
intersectLists [ 1 2 3 ] [ 6 3 2 ]
=> [ 3 2 ]

Located at lib/lists.nix:1854 in <nixpkgs>.

lib.lists.subtractLists

Subtracts list ‘e’ from another list (list2).

O(nm) complexity.

Inputs
e

First list

list2

Second list

Examples
Example 188. lib.lists.subtractLists usage example
subtractLists [ 3 2 ] [ 1 2 3 4 5 3 ]
=> [ 1 4 5 ]

Located at lib/lists.nix:1883 in <nixpkgs>.

lib.lists.mutuallyExclusive

Test if two lists have no common element. It should be slightly more efficient than (intersectLists a b == [])

Inputs
a

1. Function argument

b

2. Function argument

Located at lib/lists.nix:1899 in <nixpkgs>.

lib.debug: debugging functions

Collection of functions useful for debugging broken nix expressions.

  • trace-like functions take two values, print the first to stderr and return the second.

  • traceVal-like functions take one argument which both printed and returned.

  • traceSeq-like functions fully evaluate their traced value before printing (not just to “weak head normal form” like trace does by default).

  • Functions that end in -Fn take an additional function as their first argument, which is applied to the traced value before it is printed.

lib.debug.traceIf

Conditionally trace the supplied message, based on a predicate.

Inputs
pred

Predicate to check

msg

Message that should be traced

x

Value to return

Type
traceIf :: bool -> string -> a -> a
Examples
Example 189. lib.debug.traceIf usage example
traceIf true "hello" 3
trace: hello
=> 3

Located at lib/debug.nix:72 in <nixpkgs>.

lib.debug.traceValFn

Trace the supplied value after applying a function to it, and return the original value.

Inputs
f

Function to apply

x

Value to trace and return

Type
traceValFn :: (a -> b) -> a -> a
Examples
Example 190. lib.debug.traceValFn usage example
traceValFn (v: "mystring ${v}") "foo"
trace: mystring foo
=> "foo"

Located at lib/debug.nix:108 in <nixpkgs>.

lib.debug.traceVal

Trace the supplied value and return it.

Inputs
x

Value to trace and return

Type
traceVal :: a -> a
Examples
Example 191. lib.debug.traceVal usage example
traceVal 42
# trace: 42
=> 42

Located at lib/debug.nix:137 in <nixpkgs>.

lib.debug.traceSeq

builtins.trace, but the value is builtins.deepSeqed first.

Inputs
x

The value to trace

y

The value to return

Type
traceSeq :: a -> b -> b
Examples
Example 192. lib.debug.traceSeq usage example
trace { a.b.c = 3; } null
trace: { a = <CODE>; }
=> null
traceSeq { a.b.c = 3; } null
trace: { a = { b = { c = 3; }; }; }
=> null

Located at lib/debug.nix:173 in <nixpkgs>.

lib.debug.traceSeqN

Like traceSeq, but only evaluate down to depth n. This is very useful because lots of traceSeq usages lead to an infinite recursion.

Inputs
depth

1. Function argument

x

2. Function argument

y

3. Function argument

Type
traceSeqN :: Int -> a -> b -> b
Examples
Example 193. lib.debug.traceSeqN usage example
traceSeqN 2 { a.b.c = 3; } null
trace: { a = { b = {…}; }; }
=> null

Located at lib/debug.nix:212 in <nixpkgs>.

lib.debug.traceValSeqFn

A combination of traceVal and traceSeq that applies a provided function to the value to be traced after deepSeqing it.

Inputs
f

Function to apply

v

Value to trace

Located at lib/debug.nix:255 in <nixpkgs>.

lib.debug.traceValSeq

A combination of traceVal and traceSeq.

Inputs
v

Value to trace

Located at lib/debug.nix:266 in <nixpkgs>.

lib.debug.traceValSeqNFn

A combination of traceVal and traceSeqN that applies a provided function to the value to be traced.

Inputs
f

Function to apply

depth

2. Function argument

v

Value to trace

Located at lib/debug.nix:286 in <nixpkgs>.

lib.debug.traceValSeqN

A combination of traceVal and traceSeqN.

Inputs
depth

1. Function argument

v

Value to trace

Located at lib/debug.nix:303 in <nixpkgs>.

lib.debug.traceFnSeqN

Trace the input and output of a function f named name, both down to depth.

This is useful for adding around a function call, to see the before/after of values as they are transformed.

Inputs
depth

1. Function argument

name

2. Function argument

f

3. Function argument

v

4. Function argument

Examples
Example 194. lib.debug.traceFnSeqN usage example
traceFnSeqN 2 "id" (x: x) { a.b.c = 3; }
trace: { fn = "id"; from = { a.b = {…}; }; to = { a.b = {…}; }; }
=> { a.b.c = 3; }

Located at lib/debug.nix:342 in <nixpkgs>.

lib.debug.runTests

Evaluates a set of tests.

A test is an attribute set {expr, expected}, denoting an expression and its expected result.

The result is a list of failed tests, each represented as {name, expected, result},

  • expected

    • What was passed as expected

  • result

    • The actual result of the test

Used for regression testing of the functions in lib; see tests.nix for more examples.

Important: Only attributes that start with test are executed.

  • If you want to run only a subset of the tests add the attribute tests = ["testName"];

Inputs
tests

Tests to run

Type
runTests :: {
  tests = [ String ];
  ${testName} :: {
    expr :: a;
    expected :: a;
  };
}
->
[
  {
    name :: String;
    expected :: a;
    result :: a;
  }
]
Examples
Example 195. lib.debug.runTests usage example
runTests {
  testAndOk = {
    expr = lib.and true false;
    expected = false;
  };
  testAndFail = {
    expr = lib.and true false;
    expected = true;
  };
}
->
[
  {
    name = "testAndFail";
    expected = true;
    result = false;
  }
]

Located at lib/debug.nix:429 in <nixpkgs>.

lib.debug.testAllTrue

Create a test assuming that list elements are true.

Inputs
expr

1. Function argument

Examples
Example 196. lib.debug.testAllTrue usage example
{ testX = allTrue [ true ]; }

Located at lib/debug.nix:476 in <nixpkgs>.

lib.options: NixOS / nixpkgs option handling

Nixpkgs/NixOS option handling.

lib.options.isOption

Type: isOption :: a -> bool

Returns true when the given argument is an option

Example 197. lib.options.isOption usage example
isOption 1             // => false
isOption (mkOption {}) // => true

Located at lib/options.nix:56 in <nixpkgs>.

lib.options.mkOption

Creates an Option attribute set. mkOption accepts an attribute set with the following keys:

All keys default to null when not given.

structured function argument
default

Default value used when no definition is given in the configuration.

defaultText

Textual representation of the default, for the manual.

example

Example value used in the manual.

description

String describing the option.

relatedPackages

Related packages used in the manual (see genRelatedPackages in …/nixos/lib/make-options-doc/default.nix).

type

Option type, providing type-checking and value merging.

apply

Function that converts the option value to something else.

internal

Whether the option is for NixOS developers only.

visible

Whether the option shows up in the manual. Default: true. Use false to hide the option and any sub-options from submodules. Use “shallow” to hide only sub-options.

readOnly

Whether the option can be set only once

Example 198. lib.options.mkOption usage example
mkOption { }  // => { _type = "option"; }
mkOption { default = "foo"; } // => { _type = "option"; default = "foo"; }

Located at lib/options.nix:66 in <nixpkgs>.

lib.options.mkEnableOption

Creates an Option attribute set for a boolean value option i.e an option to be toggled on or off:

name

Name for the created option

Example 199. lib.options.mkEnableOption usage example
mkEnableOption "foo"
=> { _type = "option"; default = false; description = "Whether to enable foo."; example = true; type = { ... }; }

Located at lib/options.nix:98 in <nixpkgs>.

lib.options.mkPackageOption

Type: mkPackageOption :: pkgs -> (string|[string]) -> { nullable? :: bool, default? :: string|[string], example? :: null|string|[string], extraDescription? :: string, pkgsText? :: string } -> option

Creates an Option attribute set for an option that specifies the package a module should use for some purpose.

The package is specified in the third argument under default as a list of strings representing its attribute path in nixpkgs (or another package set). Because of this, you need to pass nixpkgs itself (usually pkgs in a module; alternatively to nixpkgs itself, another package set) as the first argument.

If you pass another package set you should set the pkgsText option. This option is used to display the expression for the package set. It is "pkgs" by default. If your expression is complex you should parenthesize it, as the pkgsText argument is usually immediately followed by an attribute lookup (.).

The second argument may be either a string or a list of strings. It provides the display name of the package in the description of the generated option (using only the last element if the passed value is a list) and serves as the fallback value for the default argument.

To include extra information in the description, pass extraDescription to append arbitrary text to the generated description.

You can also pass an example value, either a literal string or an attribute path.

The default argument can be omitted if the provided name is an attribute of pkgs (if name is a string) or a valid attribute path in pkgs (if name is a list). You can also set default to just a string in which case it is interpreted as an attribute name (a singleton attribute path, if you will).

If you wish to explicitly provide no default, pass null as default.

If you want users to be able to set no package, pass nullable = true. In this mode a default = null will not be interpreted as no default and is interpreted literally.

pkgs

Package set (an instantiation of nixpkgs such as pkgs in modules or another package set)

name

Name for the package, shown in option description

structured function argument
nullable

Whether the package can be null, for example to disable installing a package altogether (defaults to false)

default

The attribute path where the default package is located (may be omitted, in which case it is copied from name)

example

A string or an attribute path to use as an example (may be omitted)

extraDescription

Additional text to include in the option description (may be omitted)

pkgsText

Representation of the package set passed as pkgs (defaults to "pkgs")

Example 200. lib.options.mkPackageOption usage example
mkPackageOption pkgs "hello" { }
=> { ...; default = pkgs.hello; defaultText = literalExpression "pkgs.hello"; description = "The hello package to use."; type = package; }


mkPackageOption pkgs "GHC" {
  default = [ "ghc" ];
  example = "pkgs.haskell.packages.ghc92.ghc.withPackages (hkgs: [ hkgs.primes ])";
}
=> { ...; default = pkgs.ghc; defaultText = literalExpression "pkgs.ghc"; description = "The GHC package to use."; example = literalExpression "pkgs.haskell.packages.ghc92.ghc.withPackages (hkgs: [ hkgs.primes ])"; type = package; }


mkPackageOption pkgs [ "python3Packages" "pytorch" ] {
  extraDescription = "This is an example and doesn't actually do anything.";
}
=> { ...; default = pkgs.python3Packages.pytorch; defaultText = literalExpression "pkgs.python3Packages.pytorch"; description = "The pytorch package to use. This is an example and doesn't actually do anything."; type = package; }


mkPackageOption pkgs "nushell" {
  nullable = true;
}
=> { ...; default = pkgs.nushell; defaultText = literalExpression "pkgs.nushell"; description = "The nushell package to use."; type = nullOr package; }


mkPackageOption pkgs "coreutils" {
  default = null;
}
=> { ...; description = "The coreutils package to use."; type = package; }


mkPackageOption pkgs "dbus" {
  nullable = true;
  default = null;
}
=> { ...; default = null; description = "The dbus package to use."; type = nullOr package; }


mkPackageOption pkgs.javaPackages "OpenJFX" {
  default = "openjfx20";
  pkgsText = "pkgs.javaPackages";
}
=> { ...; default = pkgs.javaPackages.openjfx20; defaultText = literalExpression "pkgs.javaPackages.openjfx20"; description = "The OpenJFX package to use."; type = package; }

Located at lib/options.nix:185 in <nixpkgs>.

lib.options.mkPackageOptionMD

Deprecated alias of mkPackageOption, to be removed in 25.05. Previously used to create options with markdown documentation, which is no longer required.

Located at lib/options.nix:226 in <nixpkgs>.

lib.options.mkSinkUndeclaredOptions

This option accepts anything, but it does not produce any result.

This is useful for sharing a module across different module sets without having to implement similar features as long as the values of the options are not accessed.

attrs

Function argument

Located at lib/options.nix:233 in <nixpkgs>.

lib.options.mergeOneOption

Require a single definition.

WARNING: Does not perform nested checks, as this does not run the merge function!

Located at lib/options.nix:262 in <nixpkgs>.

lib.options.mergeUniqueOption

Require a single definition.

NOTE: When the type is not checked completely by check, pass a merge function for further checking (of sub-attributes, etc).

structured function argument
message

Function argument

merge

WARNING: the default merge function assumes that the definition is a valid (option) value. You MUST pass a merge function if the return value needs to be - type checked beyond what .check does (which should be very litte; only on the value head; not attribute values, etc) - if you want attribute values to be checked, or list items - if you want coercedTo-like behavior to work

loc

Function argument

defs

Function argument

Located at lib/options.nix:269 in <nixpkgs>.

lib.options.mergeEqualOption

“Merge” option definitions by checking that they all have the same value.

loc

Function argument

defs

Function argument

Located at lib/options.nix:284 in <nixpkgs>.

lib.options.getValues

Type: getValues :: [ { value :: a; } ] -> [a]

Extracts values of all “value” keys of the given list.

Example 201. lib.options.getValues usage example
getValues [ { value = 1; } { value = 2; } ] // => [ 1 2 ]
getValues [ ]                               // => [ ]

Located at lib/options.nix:304 in <nixpkgs>.

lib.options.getFiles

Type: getFiles :: [ { file :: a; } ] -> [a]

Extracts values of all “file” keys of the given list

Example 202. lib.options.getFiles usage example
getFiles [ { file = "file1"; } { file = "file2"; } ] // => [ "file1" "file2" ]
getFiles [ ]                                         // => [ ]

Located at lib/options.nix:314 in <nixpkgs>.

lib.options.scrubOptionValue

This function recursively removes all derivation attributes from x except for the name attribute.

This is to make the generation of options.xml much more efficient: the XML representation of derivations is very large (on the order of megabytes) and is not actually used by the manual generator.

This function was made obsolete by renderOptionValue and is kept for compatibility with out-of-tree code.

x

Function argument

Located at lib/options.nix:372 in <nixpkgs>.

lib.options.renderOptionValue

Ensures that the given option value (default or example) is a _typed string by rendering Nix values to literalExpressions.

v

Function argument

Located at lib/options.nix:383 in <nixpkgs>.

lib.options.literalExpression

For use in the defaultText and example option attributes. Causes the given string to be rendered verbatim in the documentation as Nix code. This is necessary for complex values, e.g. functions, or values that depend on other values or packages.

text

Function argument

Located at lib/options.nix:396 in <nixpkgs>.

lib.options.literalMD

For use in the defaultText and example option attributes. Causes the given MD text to be inserted verbatim in the documentation, for when a literalExpression would be too hard to read.

text

Function argument

Located at lib/options.nix:406 in <nixpkgs>.

lib.options.showOption

Convert an option, described as a list of the option parts to a human-readable version.

parts

Function argument

Example 203. lib.options.showOption usage example
(showOption ["foo" "bar" "baz"]) == "foo.bar.baz"
  (showOption ["foo" "bar.baz" "tux"]) == "foo.\"bar.baz\".tux"
  (showOption ["windowManager" "2bwm" "enable"]) == "windowManager.\"2bwm\".enable"

Placeholders will not be quoted as they are not actual values:
  (showOption ["foo" "*" "bar"]) == "foo.*.bar"
  (showOption ["foo" "<name>" "bar"]) == "foo.<name>.bar"

Located at lib/options.nix:424 in <nixpkgs>.

lib.path: path functions

lib.path.append

Type: append :: Path -> String -> Path

Append a subpath string to a path.

Like path + ("/" + string) but safer, because it errors instead of returning potentially surprising results. More specifically, it checks that the first argument is a path value type, and that the second argument is a valid subpath string.

Laws:

  • Not influenced by subpath normalisation:

    append p s == append p (subpath.normalise s)
    
path

The absolute path to append to

subpath

The subpath string to append

Example 204. lib.path.append usage example
append /foo "bar/baz"
=> /foo/bar/baz

# subpaths don't need to be normalised
append /foo "./bar//baz/./"
=> /foo/bar/baz

# can append to root directory
append /. "foo/bar"
=> /foo/bar

# first argument needs to be a path value type
append "/foo" "bar"
=> <error>

# second argument needs to be a valid subpath string
append /foo /bar
=> <error>
append /foo ""
=> <error>
append /foo "/bar"
=> <error>
append /foo "../bar"
=> <error>

Located at lib/path/default.nix:210 in <nixpkgs>.

lib.path.hasPrefix

Type: hasPrefix :: Path -> Path -> Bool

Whether the first path is a component-wise prefix of the second path.

Laws:

path1

Function argument

Example 205. lib.path.hasPrefix usage example
hasPrefix /foo /foo/bar
=> true
hasPrefix /foo /foo
=> true
hasPrefix /foo/bar /foo
=> false
hasPrefix /. /foo
=> true

Located at lib/path/default.nix:244 in <nixpkgs>.

lib.path.removePrefix

Type: removePrefix :: Path -> Path -> String

Remove the first path as a component-wise prefix from the second path. The result is a normalised subpath string.

Laws:

path1

Function argument

Example 206. lib.path.removePrefix usage example
removePrefix /foo /foo/bar/baz
=> "./bar/baz"
removePrefix /foo /foo
=> "./."
removePrefix /foo/bar /foo
=> <error>
removePrefix /. /foo
=> "./foo"

Located at lib/path/default.nix:287 in <nixpkgs>.

lib.path.splitRoot

Type: splitRoot :: Path -> { root :: Path, subpath :: String }

Split the filesystem root from a path. The result is an attribute set with these attributes:

  • root: The filesystem root of the path, meaning that this directory has no parent directory.

  • subpath: The normalised subpath string that when appended to root returns the original path.

Laws:

  • Appending the root and subpath gives the original path:

    p ==
      append
        (splitRoot p).root
        (splitRoot p).subpath
    
  • Trying to get the parent directory of root using readDir returns root itself:

    dirOf (splitRoot p).root == (splitRoot p).root
    
path

The path to split the root off of

Example 207. lib.path.splitRoot usage example
splitRoot /foo/bar
=> { root = /.; subpath = "./foo/bar"; }

splitRoot /.
=> { root = /.; subpath = "./."; }

# Nix neutralises `..` path components for all path values automatically
splitRoot /foo/../bar
=> { root = /.; subpath = "./bar"; }

splitRoot "/foo/bar"
=> <error>

Located at lib/path/default.nix:348 in <nixpkgs>.

lib.path.hasStorePathPrefix

Type: hasStorePathPrefix :: Path -> Bool

Whether a path has a store path as a prefix.

Note

As with all functions of this lib.path library, it does not work on paths in strings, which is how you’d typically get store paths.

Instead, this function only handles path values themselves, which occur when Nix files in the store use relative path expressions.

path

Function argument

Example 208. lib.path.hasStorePathPrefix usage example
# Subpaths of derivation outputs have a store path as a prefix
hasStorePathPrefix /nix/store/nvl9ic0pj1fpyln3zaqrf4cclbqdfn1j-foo/bar/baz
=> true

# The store directory itself is not a store path
hasStorePathPrefix /nix/store
=> false

# Derivation outputs are store paths themselves
hasStorePathPrefix /nix/store/nvl9ic0pj1fpyln3zaqrf4cclbqdfn1j-foo
=> true

# Paths outside the Nix store don't have a store path prefix
hasStorePathPrefix /home/user
=> false

# Not all paths under the Nix store are store paths
hasStorePathPrefix /nix/store/.links/10gg8k3rmbw8p7gszarbk7qyd9jwxhcfq9i6s5i0qikx8alkk4hq
=> false

# Store derivations are also store paths themselves
hasStorePathPrefix /nix/store/nvl9ic0pj1fpyln3zaqrf4cclbqdfn1j-foo.drv
=> true

Located at lib/path/default.nix:402 in <nixpkgs>.

lib.path.subpath.isValid

Type: subpath.isValid :: String -> Bool

Whether a value is a valid subpath string.

A subpath string points to a specific file or directory within an absolute base directory. It is a stricter form of a relative path that excludes .. components, since those could escape the base directory.

  • The value is a string.

  • The string is not empty.

  • The string doesn’t start with a /.

  • The string doesn’t contain any .. path components.

value

The value to check

Example 209. lib.path.subpath.isValid usage example
# Not a string
subpath.isValid null
=> false

# Empty string
subpath.isValid ""
=> false

# Absolute path
subpath.isValid "/foo"
=> false

# Contains a `..` path component
subpath.isValid "../foo"
=> false

# Valid subpath
subpath.isValid "foo/bar"
=> true

# Doesn't need to be normalised
subpath.isValid "./foo//bar/"
=> true

Located at lib/path/default.nix:459 in <nixpkgs>.

lib.path.subpath.join

Type: subpath.join :: [ String ] -> String

Join subpath strings together using /, returning a normalised subpath string.

Like concatStringsSep "/" but safer, specifically:

  • All elements must be valid subpath strings.

  • The result gets normalised.

  • The edge case of an empty list gets properly handled by returning the neutral subpath "./.".

Laws:

  • Associativity:

    subpath.join [ x (subpath.join [ y z ]) ] == subpath.join [ (subpath.join [ x y ]) z ]
    
  • Identity - "./." is the neutral element for normalised paths:

    subpath.join [ ] == "./."
    subpath.join [ (subpath.normalise p) "./." ] == subpath.normalise p
    subpath.join [ "./." (subpath.normalise p) ] == subpath.normalise p
    
  • Normalisation - the result is normalised:

    subpath.join ps == subpath.normalise (subpath.join ps)
    
  • For non-empty lists, the implementation is equivalent to normalising the result of concatStringsSep "/". Note that the above laws can be derived from this one:

    ps != [] -> subpath.join ps == subpath.normalise (concatStringsSep "/" ps)
    
subpaths

The list of subpaths to join together

Example 210. lib.path.subpath.join usage example
subpath.join [ "foo" "bar/baz" ]
=> "./foo/bar/baz"

# normalise the result
subpath.join [ "./foo" "." "bar//./baz/" ]
=> "./foo/bar/baz"

# passing an empty list results in the current directory
subpath.join [ ]
=> "./."

# elements must be valid subpath strings
subpath.join [ /foo ]
=> <error>
subpath.join [ "" ]
=> <error>
subpath.join [ "/foo" ]
=> <error>
subpath.join [ "../foo" ]
=> <error>

Located at lib/path/default.nix:520 in <nixpkgs>.

lib.path.subpath.components

Type: subpath.components :: String -> [ String ]

Split a subpath into its path component strings. Throw an error if the subpath isn’t valid. Note that the returned path components are also valid subpath strings, though they are intentionally not normalised.

Laws:

  • Splitting a subpath into components and joining the components gives the same subpath but normalised:

    subpath.join (subpath.components s) == subpath.normalise s
    
subpath

The subpath string to split into components

Example 211. lib.path.subpath.components usage example
subpath.components "."
=> [ ]

subpath.components "./foo//bar/./baz/"
=> [ "foo" "bar" "baz" ]

subpath.components "/foo"
=> <error>

Located at lib/path/default.nix:564 in <nixpkgs>.

lib.path.subpath.normalise

Type: subpath.normalise :: String -> String

Normalise a subpath. Throw an error if the subpath isn’t valid.

  • Limit repeating / to a single one.

  • Remove redundant . components.

  • Remove trailing / and /..

  • Add leading ./.

Laws:

  • Idempotency - normalising multiple times gives the same result:

    subpath.normalise (subpath.normalise p) == subpath.normalise p
    
  • Uniqueness - there’s only a single normalisation for the paths that lead to the same file system node:

    subpath.normalise p != subpath.normalise q -> $(realpath ${p}) != $(realpath ${q})
    
  • Don’t change the result when appended to a Nix path value:

    append base p == append base (subpath.normalise p)
    
  • Don’t change the path according to realpath:

    $(realpath ${p}) == $(realpath ${subpath.normalise p})
    
  • Only error on invalid subpaths:

    builtins.tryEval (subpath.normalise p)).success == subpath.isValid p
    
subpath

The subpath string to normalise

Example 212. lib.path.subpath.normalise usage example
# limit repeating `/` to a single one
subpath.normalise "foo//bar"
=> "./foo/bar"

# remove redundant `.` components
subpath.normalise "foo/./bar"
=> "./foo/bar"

# add leading `./`
subpath.normalise "foo/bar"
=> "./foo/bar"

# remove trailing `/`
subpath.normalise "foo/bar/"
=> "./foo/bar"

# remove trailing `/.`
subpath.normalise "foo/bar/."
=> "./foo/bar"

# Return the current directory as `./.`
subpath.normalise "."
=> "./."

# error on `..` path components
subpath.normalise "foo/../bar"
=> <error>

# error on empty string
subpath.normalise ""
=> <error>

# error on absolute path
subpath.normalise "/foo"
=> <error>

Located at lib/path/default.nix:645 in <nixpkgs>.

lib.filesystem: filesystem functions

Functions for querying information about the filesystem without copying any files to the Nix store.

lib.filesystem.pathType

The type of a path. The path needs to exist and be accessible. The result is either “directory” for a directory, “regular” for a regular file, “symlink” for a symlink, or “unknown” for anything else.

Inputs
path

The path to query

Type
pathType :: Path -> String
Examples
Example 213. lib.filesystem.pathType usage example
pathType /.
=> "directory"

pathType /some/file.nix
=> "regular"

Located at lib/filesystem.nix:62 in <nixpkgs>.

lib.filesystem.pathIsDirectory

Whether a path exists and is a directory.

Inputs
path

1. Function argument

Type
pathIsDirectory :: Path -> Bool
Examples
Example 214. lib.filesystem.pathIsDirectory usage example
pathIsDirectory /.
=> true

pathIsDirectory /this/does/not/exist
=> false

pathIsDirectory /some/file.nix
=> false

Located at lib/filesystem.nix:111 in <nixpkgs>.

lib.filesystem.pathIsRegularFile

Whether a path exists and is a regular file, meaning not a symlink or any other special file type.

Inputs
path

1. Function argument

Type
pathIsRegularFile :: Path -> Bool
Examples
Example 215. lib.filesystem.pathIsRegularFile usage example
pathIsRegularFile /.
=> false

pathIsRegularFile /this/does/not/exist
=> false

pathIsRegularFile /some/file.nix
=> true

Located at lib/filesystem.nix:147 in <nixpkgs>.

lib.filesystem.haskellPathsInDir

A map of all haskell packages defined in the given path, identified by having a cabal file with the same name as the directory itself.

Inputs
root

The directory within to search

Type
Path -> Map String Path

Located at lib/filesystem.nix:168 in <nixpkgs>.

lib.filesystem.locateDominatingFile

Find the first directory containing a file matching ‘pattern’ upward from a given ‘file’. Returns ‘null’ if no directories contain a file matching ‘pattern’.

Inputs
pattern

The pattern to search for

file

The file to start searching upward from

Type
RegExp -> Path -> Nullable { path : Path; matches : [ MatchResults ]; }

Located at lib/filesystem.nix:205 in <nixpkgs>.

lib.filesystem.listFilesRecursive

Given a directory, return a flattened list of all files within it recursively.

Inputs
dir

The path to recursively list

Type
Path -> [ Path ]

Located at lib/filesystem.nix:242 in <nixpkgs>.

lib.filesystem.packagesFromDirectoryRecursive

Transform a directory tree containing package files suitable for callPackage into a matching nested attribute set of derivations.

For a directory tree like this:

my-packages
├── a.nix
├── b.nix
├── c
│  ├── my-extra-feature.patch
│  ├── package.nix
│  └── support-definitions.nix
└── my-namespace
   ├── d.nix
   ├── e.nix
   └── f
      └── package.nix

packagesFromDirectoryRecursive will produce an attribute set like this:

# packagesFromDirectoryRecursive {
#   callPackage = pkgs.callPackage;
#   directory = ./my-packages;
# }
{
  a = pkgs.callPackage ./my-packages/a.nix { };
  b = pkgs.callPackage ./my-packages/b.nix { };
  c = pkgs.callPackage ./my-packages/c/package.nix { };
  my-namespace = {
    d = pkgs.callPackage ./my-packages/my-namespace/d.nix { };
    e = pkgs.callPackage ./my-packages/my-namespace/e.nix { };
    f = pkgs.callPackage ./my-packages/my-namespace/f/package.nix { };
  };
}

In particular:

  • If the input directory contains a package.nix file, then callPackage <directory>/package.nix { } is returned.

  • Otherwise, the input directory’s contents are listed and transformed into an attribute set.

    • If a file name has the .nix extension, it is turned into attribute where:

      • The attribute name is the file name without the .nix extension

      • The attribute value is callPackage <file path> { }

    • Other files are ignored.

    • Directories are turned into an attribute where:

      • The attribute name is the name of the directory

      • The attribute value is the result of calling packagesFromDirectoryRecursive { ... } on the directory.

      As a result, directories with no .nix files (including empty directories) will be transformed into empty attribute sets.

Inputs
Structured function argument

Attribute set containing the following attributes. Additional attributes are ignored.

callPackage

pkgs.callPackage

Type: Path -> AttrSet -> a

directory

The directory to read package files from

Type: Path

Type
packagesFromDirectoryRecursive :: AttrSet -> AttrSet
Examples
Example 216. lib.filesystem.packagesFromDirectoryRecursive usage example
packagesFromDirectoryRecursive {
  inherit (pkgs) callPackage;
  directory = ./my-packages;
}
=> { ... }

lib.makeScope pkgs.newScope (
  self: packagesFromDirectoryRecursive {
    callPackage = self.callPackage;
    directory = ./my-packages;
  }
)
=> { ... }

Located at lib/filesystem.nix:357 in <nixpkgs>.

lib.fileset: file set functions

The lib.fileset library allows you to work with file sets. A file set is a (mathematical) set of local files that can be added to the Nix store for use in Nix derivations. File sets are easy and safe to use, providing obvious and composable semantics with good error messages to prevent mistakes.

Overview

Basics:

Combinators:

Filtering:

Utilities:

If you need more file set functions, see this issue to request it.

Implicit coercion from paths to file sets

All functions accepting file sets as arguments can also accept paths as arguments. Such path arguments are implicitly coerced to file sets containing all files under that path:

  • A path to a file turns into a file set containing that single file.

  • A path to a directory turns into a file set containing all files recursively in that directory.

If the path points to a non-existent location, an error is thrown.

Note

Just like in Git, file sets cannot represent empty directories. Because of this, a path to a directory that contains no files (recursively) will turn into a file set containing no files.

Note

File set coercion does not add any of the files under the coerced paths to the store. Only the toSource function adds files to the Nix store, and only those files contained in the fileset argument. This is in contrast to using paths in string interpolation, which does add the entire referenced path to the store.

Example

Assume we are in a local directory with a file hierarchy like this:

├─ a/
│  ├─ x (file)
│  └─ b/
│     └─ y (file)
└─ c/
   └─ d/

Here’s a listing of which files get included when different path expressions get coerced to file sets:

  • ./. as a file set contains both a/x and a/b/y (c/ does not contain any files and is therefore omitted).

  • ./a as a file set contains both a/x and a/b/y.

  • ./a/x as a file set contains only a/x.

  • ./a/b as a file set contains only a/b/y.

  • ./c as a file set is empty, since neither c nor c/d contain any files.

lib.fileset.maybeMissing

Create a file set from a path that may or may not exist:

  • If the path does exist, the path is coerced to a file set.

  • If the path does not exist, a file set containing no files is returned.

Inputs
path

1. Function argument

Type
maybeMissing :: Path -> FileSet
Examples
Example 217. lib.fileset.maybeMissing usage example
# All files in the current directory, but excluding main.o if it exists
difference ./. (maybeMissing ./main.o)

Located at lib/fileset/default.nix:188 in <nixpkgs>.

lib.fileset.trace

Incrementally evaluate and trace a file set in a pretty way. This function is only intended for debugging purposes. The exact tracing format is unspecified and may change.

This function takes a final argument to return. In comparison, traceVal returns the given file set argument.

This variant is useful for tracing file sets in the Nix repl.

Inputs
fileset

The file set to trace.

This argument can also be a path, which gets implicitly coerced to a file set.

val

The value to return.

Type
trace :: FileSet -> Any -> Any
Examples
Example 218. lib.fileset.trace usage example
trace (unions [ ./Makefile ./src ./tests/run.sh ]) null
=>
trace: /home/user/src/myProject
trace: - Makefile (regular)
trace: - src (all files in directory)
trace: - tests
trace:   - run.sh (regular)
null

Located at lib/fileset/default.nix:247 in <nixpkgs>.

lib.fileset.traceVal

Incrementally evaluate and trace a file set in a pretty way. This function is only intended for debugging purposes. The exact tracing format is unspecified and may change.

This function returns the given file set. In comparison, trace takes another argument to return.

This variant is useful for tracing file sets passed as arguments to other functions.

Inputs
fileset

The file set to trace and return.

This argument can also be a path, which gets implicitly coerced to a file set.

Type
traceVal :: FileSet -> FileSet
Examples
Example 219. lib.fileset.traceVal usage example
toSource {
  root = ./.;
  fileset = traceVal (unions [
    ./Makefile
    ./src
    ./tests/run.sh
  ]);
}
=>
trace: /home/user/src/myProject
trace: - Makefile (regular)
trace: - src (all files in directory)
trace: - tests
trace:   - run.sh (regular)
"/nix/store/...-source"

Located at lib/fileset/default.nix:305 in <nixpkgs>.

lib.fileset.toSource

Add the local files contained in fileset to the store as a single store path rooted at root.

The result is the store path as a string-like value, making it usable e.g. as the src of a derivation, or in string interpolation:

stdenv.mkDerivation {
  src = lib.fileset.toSource { ... };
  # ...
}

The name of the store path is always source.

Inputs

Takes an attribute set with the following attributes

root (Path; required)

The local directory path that will correspond to the root of the resulting store path. Paths in strings, including Nix store paths, cannot be passed as root. root has to be a directory.

Note

Changing root only affects the directory structure of the resulting store path, it does not change which files are added to the store. The only way to change which files get added to the store is by changing the fileset attribute.

fileset (FileSet; required)

The file set whose files to import into the store. File sets can be created using other functions in this library. This argument can also be a path, which gets implicitly coerced to a file set.

Note

If a directory does not recursively contain any file, it is omitted from the store path contents.

Type
toSource :: {
  root :: Path,
  fileset :: FileSet,
} -> SourceLike
Examples
Example 220. lib.fileset.toSource usage example
# Import the current directory into the store
# but only include files under ./src
toSource {
  root = ./.;
  fileset = ./src;
}
=> "/nix/store/...-source"

# Import the current directory into the store
# but only include ./Makefile and all files under ./src
toSource {
  root = ./.;
  fileset = union
    ./Makefile
    ./src;
}
=> "/nix/store/...-source"

# Trying to include a file outside the root will fail
toSource {
  root = ./.;
  fileset = unions [
    ./Makefile
    ./src
    ../LICENSE
  ];
}
=> <error>

# The root needs to point to a directory that contains all the files
toSource {
  root = ../.;
  fileset = unions [
    ./Makefile
    ./src
    ../LICENSE
  ];
}
=> "/nix/store/...-source"

# The root has to be a local filesystem path
toSource {
  root = "/nix/store/...-source";
  fileset = ./.;
}
=> <error>

Located at lib/fileset/default.nix:420 in <nixpkgs>.

lib.fileset.toList

The list of file paths contained in the given file set.

Note

This function is strict in the entire file set. This is in contrast with combinators lib.fileset.union, lib.fileset.intersection and lib.fileset.difference.

Thus it is recommended to call toList on file sets created using the combinators, instead of doing list processing on the result of toList.

The resulting list of files can be turned back into a file set using lib.fileset.unions.

Inputs
fileset

The file set whose file paths to return. This argument can also be a path, which gets implicitly coerced to a file set.

Type
toList :: FileSet -> [ Path ]
Examples
Example 221. lib.fileset.toList usage example
toList ./.
[ ./README.md ./Makefile ./src/main.c ./src/main.h ]

toList (difference ./. ./src)
[ ./README.md ./Makefile ]

Located at lib/fileset/default.nix:514 in <nixpkgs>.

lib.fileset.union

The file set containing all files that are in either of two given file sets. This is the same as unions, but takes just two file sets instead of a list. See also Union (set theory).

The given file sets are evaluated as lazily as possible, with the first argument being evaluated first if needed.

Inputs
fileset1

The first file set. This argument can also be a path, which gets implicitly coerced to a file set.

fileset2

The second file set. This argument can also be a path, which gets implicitly coerced to a file set.

Type
union :: FileSet -> FileSet -> FileSet
Examples
Example 222. lib.fileset.union usage example
# Create a file set containing the file `Makefile`
# and all files recursively in the `src` directory
union ./Makefile ./src

# Create a file set containing the file `Makefile`
# and the LICENSE file from the parent directory
union ./Makefile ../LICENSE

Located at lib/fileset/default.nix:557 in <nixpkgs>.

lib.fileset.unions

The file set containing all files that are in any of the given file sets. This is the same as union, but takes a list of file sets instead of just two. See also Union (set theory).

The given file sets are evaluated as lazily as possible, with earlier elements being evaluated first if needed.

Inputs
filesets

A list of file sets. The elements can also be paths, which get implicitly coerced to file sets.

Type
unions :: [ FileSet ] -> FileSet
Examples
Example 223. lib.fileset.unions usage example
# Create a file set containing selected files
unions [
  # Include the single file `Makefile` in the current directory
  # This errors if the file doesn't exist
  ./Makefile

  # Recursively include all files in the `src/code` directory
  # If this directory is empty this has no effect
  ./src/code

  # Include the files `run.sh` and `unit.c` from the `tests` directory
  ./tests/run.sh
  ./tests/unit.c

  # Include the `LICENSE` file from the parent directory
  ../LICENSE
]

Located at lib/fileset/default.nix:619 in <nixpkgs>.

lib.fileset.intersection

The file set containing all files that are in both of two given file sets. See also Intersection (set theory).

The given file sets are evaluated as lazily as possible, with the first argument being evaluated first if needed.

Inputs
fileset1

The first file set. This argument can also be a path, which gets implicitly coerced to a file set.

fileset2

The second file set. This argument can also be a path, which gets implicitly coerced to a file set.

Type
intersection :: FileSet -> FileSet -> FileSet
Examples
Example 224. lib.fileset.intersection usage example
# Limit the selected files to the ones in ./., so only ./src and ./Makefile
intersection ./. (unions [ ../LICENSE ./src ./Makefile ])

Located at lib/fileset/default.nix:670 in <nixpkgs>.

lib.fileset.difference

The file set containing all files from the first file set that are not in the second file set. See also Difference (set theory).

The given file sets are evaluated as lazily as possible, with the first argument being evaluated first if needed.

Inputs
positive

The positive file set. The result can only contain files that are also in this file set. This argument can also be a path, which gets implicitly coerced to a file set.

negative

The negative file set. The result will never contain files that are also in this file set. This argument can also be a path, which gets implicitly coerced to a file set.

Type
union :: FileSet -> FileSet -> FileSet
Examples
Example 225. lib.fileset.difference usage example
# Create a file set containing all files from the current directory,
# except ones under ./tests
difference ./. ./tests

let
  # A set of Nix-related files
  nixFiles = unions [ ./default.nix ./nix ./tests/default.nix ];
in
# Create a file set containing all files under ./tests, except ones in `nixFiles`,
# meaning only without ./tests/default.nix
difference ./tests nixFiles

Located at lib/fileset/default.nix:729 in <nixpkgs>.

lib.fileset.fileFilter

Filter a file set to only contain files matching some predicate.

Inputs
predicate

The predicate function to call on all files contained in given file set. A file is included in the resulting file set if this function returns true for it.

This function is called with an attribute set containing these attributes:

  • name (String): The name of the file

  • type (String, one of "regular", "symlink" or "unknown"): The type of the file. This matches result of calling builtins.readFileType on the file’s path.

  • hasExt (String -> Bool): Whether the file has a certain file extension. hasExt ext is true only if hasSuffix ".${ext}" name.

    This also means that e.g. for a file with name .gitignore, hasExt "gitignore" is true.

Other attributes may be added in the future.

path

The path whose files to filter

Type
fileFilter ::
  ({
    name :: String,
    type :: String,
    hasExt :: String -> Bool,
    ...
  } -> Bool)
  -> Path
  -> FileSet
Examples
Example 226. lib.fileset.fileFilter usage example
# Include all regular `default.nix` files in the current directory
fileFilter (file: file.name == "default.nix") ./.

# Include all non-Nix files from the current directory
fileFilter (file: ! file.hasExt "nix") ./.

# Include all files that start with a "." in the current directory
fileFilter (file: hasPrefix "." file.name) ./.

# Include all regular files (not symlinks or others) in the current directory
fileFilter (file: file.type == "regular") ./.

Located at lib/fileset/default.nix:808 in <nixpkgs>.

lib.fileset.fromSource

Create a file set with the same files as a lib.sources-based value. This does not import any of the files into the store.

This can be used to gradually migrate from lib.sources-based filtering to lib.fileset.

A file set can be turned back into a source using toSource.

Note

File sets cannot represent empty directories. Turning the result of this function back into a source using toSource will therefore not preserve empty directories.

Inputs
source

1. Function argument

Type
fromSource :: SourceLike -> FileSet
Examples
Example 227. lib.fileset.fromSource usage example
# There's no cleanSource-like function for file sets yet,
# but we can just convert cleanSource to a file set and use it that way
toSource {
  root = ./.;
  fileset = fromSource (lib.sources.cleanSource ./.);
}

# Keeping a previous sourceByRegex (which could be migrated to `lib.fileset.unions`),
# but removing a subdirectory using file set functions
difference
  (fromSource (lib.sources.sourceByRegex ./. [
    "^README\.md$"
    # This regex includes everything in ./doc
    "^doc(/.*)?$"
  ])
  ./doc/generated

# Use cleanSource, but limit it to only include ./Makefile and files under ./src
intersection
  (fromSource (lib.sources.cleanSource ./.))
  (unions [
    ./Makefile
    ./src
  ]);

Located at lib/fileset/default.nix:882 in <nixpkgs>.

lib.fileset.gitTracked

Create a file set containing all Git-tracked files in a repository.

This function behaves like gitTrackedWith { } - using the defaults.

Inputs
path

The path to the working directory of a local Git repository. This directory must contain a .git file or subdirectory.

Type
gitTracked :: Path -> FileSet
Examples
Example 228. lib.fileset.gitTracked usage example
# Include all files tracked by the Git repository in the current directory
gitTracked ./.

# Include only files tracked by the Git repository in the parent directory
# that are also in the current directory
intersection ./. (gitTracked ../.)

Located at lib/fileset/default.nix:941 in <nixpkgs>.

lib.fileset.gitTrackedWith

Create a file set containing all Git-tracked files in a repository. The first argument allows configuration with an attribute set, while the second argument is the path to the Git working tree.

gitTrackedWith does not perform any filtering when the path is a Nix store path and not a repository. In this way, it accommodates the use case where the expression that makes the gitTracked call does not reside in an actual git repository anymore, and has presumably already been fetched in a way that excludes untracked files. Fetchers with such equivalent behavior include builtins.fetchGit, builtins.fetchTree (experimental), and pkgs.fetchgit when used without leaveDotGit.

If you don’t need the configuration, you can use gitTracked instead.

This is equivalent to the result of unions on all files returned by git ls-files (which uses --cached by default).

Warning

Currently this function is based on builtins.fetchGit As such, this function causes all Git-tracked files to be unnecessarily added to the Nix store, without being re-usable by toSource.

This may change in the future.

Inputs
options (attribute set)
recurseSubmodules (optional, default: false)

Whether to recurse into Git submodules to also include their tracked files. If true, this is equivalent to passing the –recurse-submodules flag to git ls-files.

path

The path to the working directory of a local Git repository. This directory must contain a .git file or subdirectory.

Type
gitTrackedWith :: { recurseSubmodules :: Bool ? false } -> Path -> FileSet
Examples
Example 229. lib.fileset.gitTrackedWith usage example
# Include all files tracked by the Git repository in the current directory
# and any submodules under it
gitTracked { recurseSubmodules = true; } ./.

Located at lib/fileset/default.nix:996 in <nixpkgs>.

lib.sources: source filtering functions

lib.sources.commitIdFromGitRepo

Get the commit id of a git repo.

path

Function argument

Example 230. lib.sources.commitIdFromGitRepo usage example
commitIdFromGitRepo <nixpkgs/.git>

Located at lib/sources.nix:333 in <nixpkgs>.

lib.sources.cleanSource

Filters a source tree removing version control files and directories using cleanSourceFilter.

src

Function argument

Example 231. lib.sources.cleanSource usage example
cleanSource ./.

Located at lib/sources.nix:335 in <nixpkgs>.

lib.sources.cleanSourceWith

Like builtins.filterSource, except it will compose with itself, allowing you to chain multiple calls together without any intermediate copies being put in the nix store.

structured function argument
src

A path or cleanSourceWith result to filter and/or rename.

filter

Optional with default value: constant true (include everything) The function will be combined with the && operator such that src.filter is called lazily. For implementing a filter, see https://nixos.org/nix/manual/#builtin-filterSource Type: A function (path -> type -> bool)

name

Optional name to use as part of the store path. This defaults to src.name or otherwise "source".

Example 232. lib.sources.cleanSourceWith usage example
lib.cleanSourceWith {
  filter = f;
  src = lib.cleanSourceWith {
    filter = g;
    src = ./.;
  };
}
# Succeeds!

builtins.filterSource f (builtins.filterSource g ./.)
# Fails!

Located at lib/sources.nix:336 in <nixpkgs>.

lib.sources.cleanSourceFilter

A basic filter for cleanSourceWith that removes directories of version control system, backup files (*~) and some generated files.

name

Function argument

type

Function argument

Located at lib/sources.nix:337 in <nixpkgs>.

lib.sources.sourceByRegex

Filter sources by a list of regular expressions.

src

Function argument

regexes

Function argument

Example 233. lib.sources.sourceByRegex usage example
src = sourceByRegex ./my-subproject [".*\.py$" "^database.sql$"]

Located at lib/sources.nix:341 in <nixpkgs>.

lib.sources.sourceFilesBySuffices

Type: sourceLike -> [String] -> Source

Get all files ending with the specified suffices from the given source directory or its descendants, omitting files that do not match any suffix. The result of the example below will include files like ./dir/module.c and ./dir/subdir/doc.xml if present.

src

Path or source containing the files to be returned

exts

A list of file suffix strings

Example 234. lib.sources.sourceFilesBySuffices usage example
sourceFilesBySuffices ./. [ ".xml" ".c" ]

Located at lib/sources.nix:342 in <nixpkgs>.

lib.sources.trace

Type: sources.trace :: sourceLike -> Source

Add logging to a source, for troubleshooting the filtering behavior.

src

Source to debug. The returned source will behave like this source, but also log its filter invocations.

Located at lib/sources.nix:344 in <nixpkgs>.

lib.cli: command-line serialization functions

lib.cli.toGNUCommandLineShell

Automatically convert an attribute set to command-line options.

This helps protect against malformed command lines and also to reduce boilerplate related to command-line construction for simple use cases.

toGNUCommandLineShell returns an escaped shell string.

Inputs
options

How to format the arguments, see toGNUCommandLine

attrs

The attributes to transform into arguments.

Examples
Example 235. lib.cli.toGNUCommandLineShell usage example
cli.toGNUCommandLineShell {} {
  data = builtins.toJSON { id = 0; };
  X = "PUT";
  retry = 3;
  retry-delay = null;
  url = [ "https://example.com/foo" "https://example.com/bar" ];
  silent = false;
  verbose = true;
}
=> "'-X' 'PUT' '--data' '{\"id\":0}' '--retry' '3' '--url' 'https://example.com/foo' '--url' 'https://example.com/bar' '--verbose'";

Located at lib/cli.nix:41 in <nixpkgs>.

lib.cli.toGNUCommandLine

Automatically convert an attribute set to a list of command-line options.

toGNUCommandLine returns a list of string arguments.

Inputs
options

How to format the arguments, see below.

attrs

The attributes to transform into arguments.

Options
mkOptionName

How to string-format the option name; By default one character is a short option (-), more than one characters a long option (--).

mkBool

How to format a boolean value to a command list; By default it’s a flag option (only the option name if true, left out completely if false).

mkList

How to format a list value to a command list; By default the option name is repeated for each value and mkOption is applied to the values themselves.

mkOption

How to format any remaining value to a command list; On the toplevel, booleans and lists are handled by mkBool and mkList, though they can still appear as values of a list. By default, everything is printed verbatim and complex types are forbidden (lists, attrsets, functions). null values are omitted.

optionValueSeparator

How to separate an option from its flag; By default, there is no separator, so option -c and value 5 would become [“-c” “5”]. This is useful if the command requires equals, for example, -c=5.

Examples
Example 236. lib.cli.toGNUCommandLine usage example
cli.toGNUCommandLine {} {
  data = builtins.toJSON { id = 0; };
  X = "PUT";
  retry = 3;
  retry-delay = null;
  url = [ "https://example.com/foo" "https://example.com/bar" ];
  silent = false;
  verbose = true;
}
=> [
  "-X" "PUT"
  "--data" "{\"id\":0}"
  "--retry" "3"
  "--url" "https://example.com/foo"
  "--url" "https://example.com/bar"
  "--verbose"
]

Located at lib/cli.nix:113 in <nixpkgs>.

lib.generators: functions that create file formats from nix data structures

Functions that generate widespread file formats from nix data structures.

They all follow a similar interface:

generator { config-attrs } data

config-attrs are “holes” in the generators with sensible default implementations that can be overwritten. The default implementations are mostly generators themselves, called with their respective default values; they can be reused.

Tests can be found in ./tests/misc.nix

Further Documentation can be found here.

lib.generators.mkValueStringDefault

Convert a value to a sensible default string representation. The builtin toString function has some strange defaults, suitable for bash scripts but not much else.

Inputs
Options

Empty set, there may be configuration options in the future

v

2. Function argument

Located at lib/generators.nix:90 in <nixpkgs>.

lib.generators.mkKeyValueDefault

Generate a line of key k and value v, separated by character sep. If sep appears in k, it is escaped. Helper for synaxes with different separators.

mkValueString specifies how values should be formatted.

mkKeyValueDefault {} ":" "f:oo" "bar"
> "f\:oo:bar"
Inputs
Structured function argument
mkValueString (optional, default: mkValueStringDefault {})

Function to convert values to strings

sep

2. Function argument

k

3. Function argument

v

4. Function argument

Located at lib/generators.nix:147 in <nixpkgs>.

lib.generators.toKeyValue

Generate a key-value-style config file from an attrset.

Inputs
Structured function argument
mkKeyValue (optional, default: mkKeyValueDefault {} "=")

format a setting line from key and value

listsAsDuplicateKeys (optional, default: false)

allow lists as values for duplicate keys

indent (optional, default: "")

Initial indentation level

Located at lib/generators.nix:173 in <nixpkgs>.

lib.generators.toINI

Generate an INI-style config file from an attrset of sections to an attrset of key-value pairs.

Inputs
Structured function argument
mkSectionName (optional, default: (name: escape [ "[" "]" ] name))

apply transformations (e.g. escapes) to section names

mkKeyValue (optional, default: {} "=")

format a setting line from key and value

listsAsDuplicateKeys (optional, default: false)

allow lists as values for duplicate keys

Examples
Example 237. lib.generators.toINI usage example
generators.toINI {} {
  foo = { hi = "${pkgs.hello}"; ciao = "bar"; };
  baz = { "also, integers" = 42; };
}

> [baz]
> also, integers=42
>
> [foo]
> ciao=bar
> hi=/nix/store/y93qql1p5ggfnaqjjqhxcw0vqw95rlz0-hello-2.10

The mk* configuration attributes can generically change the way sections and key-value strings are generated.

For more examples see the test cases in ./tests/misc.nix.


Located at lib/generators.nix:227 in <nixpkgs>.

lib.generators.toINIWithGlobalSection

Generate an INI-style config file from an attrset specifying the global section (no header), and an attrset of sections to an attrset of key-value pairs.

Inputs
1. Structured function argument
mkSectionName (optional, default: (name: escape [ "[" "]" ] name))

apply transformations (e.g. escapes) to section names

mkKeyValue (optional, default: {} "=")

format a setting line from key and value

listsAsDuplicateKeys (optional, default: false)

allow lists as values for duplicate keys

2. Structured function argument
globalSection (required)

global section key-value pairs

sections (optional, default: {})

attrset of sections to key-value pairs

Examples
Example 238. lib.generators.toINIWithGlobalSection usage example
generators.toINIWithGlobalSection {} {
  globalSection = {
    someGlobalKey = "hi";
  };
  sections = {
    foo = { hi = "${pkgs.hello}"; ciao = "bar"; };
    baz = { "also, integers" = 42; };
}

> someGlobalKey=hi
>
> [baz]
> also, integers=42
>
> [foo]
> ciao=bar
> hi=/nix/store/y93qql1p5ggfnaqjjqhxcw0vqw95rlz0-hello-2.10

The mk* configuration attributes can generically change the way sections and key-value strings are generated.

For more examples see the test cases in ./tests/misc.nix.


If you don’t need a global section, you can also use generators.toINI directly, which only takes the part in sections.

Located at lib/generators.nix:305 in <nixpkgs>.

lib.generators.toGitINI

Generate a git-config file from an attrset.

It has two major differences from the regular INI format:

  1. values are indented with tabs

  2. sections can have sub-sections

Further: https://git-scm.com/docs/git-config#EXAMPLES

Examples
Example 239. lib.generators.toGitINI usage example
generators.toGitINI {
  url."ssh://git@github.com/".insteadOf = "https://github.com";
  user.name = "edolstra";
}

> [url "ssh://git@github.com/"]
>   insteadOf = "https://github.com"
>
> [user]
>   name = "edolstra"

Inputs
attrs

Key-value pairs to be converted to a git-config file. See: https://git-scm.com/docs/git-config#_variables for possible values.

Located at lib/generators.nix:353 in <nixpkgs>.

lib.generators.mkDconfKeyValue

mkKeyValueDefault wrapper that handles dconf INI quirks. The main differences of the format is that it requires strings to be quoted.

Located at lib/generators.nix:400 in <nixpkgs>.

lib.generators.toDconfINI

Generates INI in dconf keyfile style. See https://help.gnome.org/admin/system-admin-guide/stable/dconf-keyfiles.html.en for details.

Located at lib/generators.nix:406 in <nixpkgs>.

lib.generators.withRecursion

Recurses through a Value limited to a certain depth. (depthLimit)

If the depth is exceeded, an error is thrown, unless throwOnDepthLimit is set to false.

Inputs
Structured function argument
depthLimit (required)

If this option is not null, the given value will stop evaluating at a certain depth

throwOnDepthLimit (optional, default: true)

If this option is true, an error will be thrown, if a certain given depth is exceeded

Value

The value to be evaluated recursively

Located at lib/generators.nix:426 in <nixpkgs>.

lib.generators.toPretty

Pretty print a value, akin to builtins.trace.

Should probably be a builtin as well.

The pretty-printed string should be suitable for rendering default values in the NixOS manual. In particular, it should be as close to a valid Nix expression as possible.

Inputs
Structured function argument
allowPrettyValues

If this option is true, attrsets like { __pretty = fn; val = …; } will use fn to convert val to a pretty printed representation. (This means fn is type Val -> String.)

multiline

If this option is true, the output is indented with newlines for attribute sets and lists

indent

Initial indentation level

Value

The value to be pretty printed

Located at lib/generators.nix:483 in <nixpkgs>.

lib.generators.toPlist

Translate a simple Nix expression to Plist notation.

Inputs
Options

Empty set, there may be configuration options in the future

Value

The value to be converted to Plist

Located at lib/generators.nix:557 in <nixpkgs>.

lib.generators.toDhall

Translate a simple Nix expression to Dhall notation.

Note that integers are translated to Integer and never the Natural type.

Inputs
Options

Empty set, there may be configuration options in the future

Value

The value to be converted to Dhall

Located at lib/generators.nix:622 in <nixpkgs>.

lib.generators.toLua

Translate a simple Nix expression to Lua representation with occasional Lua-inlines that can be constructed by mkLuaInline function.

Configuration:

  • multiline - by default is true which results in indented block-like view.

  • indent - initial indent.

  • asBindings - by default generate single value, but with this use attrset to set global vars.

Attention:

Regardless of multiline parameter there is no trailing newline.

Inputs
Structured function argument
multiline (optional, default: true)

If this option is true, the output is indented with newlines for attribute sets and lists

indent (optional, default: "")

Initial indentation level

asBindings (optional, default: false)

Interpret as variable bindings

Value

The value to be converted to Lua

Type
toLua :: AttrSet -> Any -> String
Examples
Example 240. lib.generators.toLua usage example
generators.toLua {}
  {
    cmd = [ "typescript-language-server" "--stdio" ];
    settings.workspace.library = mkLuaInline ''vim.api.nvim_get_runtime_file("", true)'';
  }
->
 {
   ["cmd"] = {
     "typescript-language-server",
     "--stdio"
   },
   ["settings"] = {
     ["workspace"] = {
       ["library"] = (vim.api.nvim_get_runtime_file("", true))
     }
   }
 }

Located at lib/generators.nix:704 in <nixpkgs>.

lib.generators.mkLuaInline

Mark string as Lua expression to be inlined when processed by toLua.

Inputs
expr

1. Function argument

Type
mkLuaInline :: String -> AttrSet

Located at lib/generators.nix:771 in <nixpkgs>.

lib.gvariant: GVariant formatted string serialization functions

A partial and basic implementation of GVariant formatted strings. See GVariant Format Strings for details.

Warning

This API is not considered fully stable and it might therefore change in backwards incompatible ways without prior notice.

lib.gvariant.isGVariant

Check if a value is a GVariant value

Inputs
v

value to check

Type
isGVariant :: Any -> Bool

Located at lib/gvariant.nix:69 in <nixpkgs>.

lib.gvariant.mkValue

Returns the GVariant value that most closely matches the given Nix value. If no GVariant value can be found unambiguously then error is thrown.

Inputs
v

1. Function argument

Type
mkValue :: Any -> gvariant

Located at lib/gvariant.nix:134 in <nixpkgs>.

lib.gvariant.mkArray

Returns the GVariant array from the given type of the elements and a Nix list.

Inputs
elems

1. Function argument

Type
mkArray :: [Any] -> gvariant
Examples
Example 241. lib.gvariant.mkArray usage example
# Creating a string array
lib.gvariant.mkArray [ "a" "b" "c" ]

Located at lib/gvariant.nix:191 in <nixpkgs>.

lib.gvariant.mkEmptyArray

Returns the GVariant array from the given empty Nix list.

Inputs
elemType

1. Function argument

Type
mkEmptyArray :: gvariant.type -> gvariant
Examples
Example 242. lib.gvariant.mkEmptyArray usage example
# Creating an empty string array
lib.gvariant.mkEmptyArray (lib.gvariant.type.string)

Located at lib/gvariant.nix:230 in <nixpkgs>.

lib.gvariant.mkVariant

Returns the GVariant variant from the given Nix value. Variants are containers of different GVariant type.

Inputs
elem

1. Function argument

Type
mkVariant :: Any -> gvariant
Examples
Example 243. lib.gvariant.mkVariant usage example
lib.gvariant.mkArray [
  (lib.gvariant.mkVariant "a string")
  (lib.gvariant.mkVariant (lib.gvariant.mkInt32 1))
]

Located at lib/gvariant.nix:266 in <nixpkgs>.

lib.gvariant.mkDictionaryEntry

Returns the GVariant dictionary entry from the given key and value.

Inputs
name

The key of the entry

value

The value of the entry

Type
mkDictionaryEntry :: String -> Any -> gvariant
Examples
Example 244. lib.gvariant.mkDictionaryEntry usage example
# A dictionary describing an Epiphany’s search provider
[
  (lib.gvariant.mkDictionaryEntry "url" (lib.gvariant.mkVariant "https://duckduckgo.com/?q=%s&t=epiphany"))
  (lib.gvariant.mkDictionaryEntry "bang" (lib.gvariant.mkVariant "!d"))
  (lib.gvariant.mkDictionaryEntry "name" (lib.gvariant.mkVariant "DuckDuckGo"))
]

Located at lib/gvariant.nix:310 in <nixpkgs>.

lib.gvariant.mkMaybe

Returns the GVariant maybe from the given element type.

Inputs
elemType

1. Function argument

elem

2. Function argument

Type
mkMaybe :: gvariant.type -> Any -> gvariant

Located at lib/gvariant.nix:341 in <nixpkgs>.

lib.gvariant.mkNothing

Returns the GVariant nothing from the given element type.

Inputs
elemType

1. Function argument

Type
mkNothing :: gvariant.type -> gvariant

Located at lib/gvariant.nix:364 in <nixpkgs>.

lib.gvariant.mkJust

Returns the GVariant just from the given Nix value.

Inputs
elem

1. Function argument

Type
mkJust :: Any -> gvariant

Located at lib/gvariant.nix:381 in <nixpkgs>.

lib.gvariant.mkTuple

Returns the GVariant tuple from the given Nix list.

Inputs
elems

1. Function argument

Type
mkTuple :: [Any] -> gvariant

Located at lib/gvariant.nix:403 in <nixpkgs>.

lib.gvariant.mkBoolean

Returns the GVariant boolean from the given Nix bool value.

Inputs
v

1. Function argument

Type
mkBoolean :: Bool -> gvariant

Located at lib/gvariant.nix:429 in <nixpkgs>.

lib.gvariant.mkString

Returns the GVariant string from the given Nix string value.

Inputs
v

1. Function argument

Type
mkString :: String -> gvariant

Located at lib/gvariant.nix:451 in <nixpkgs>.

lib.gvariant.mkObjectpath

Returns the GVariant object path from the given Nix string value.

Inputs
v

1. Function argument

Type
mkObjectpath :: String -> gvariant

Located at lib/gvariant.nix:476 in <nixpkgs>.

lib.gvariant.mkUchar

Returns the GVariant uchar from the given Nix int value.

Type
mkUchar :: Int -> gvariant

Located at lib/gvariant.nix:492 in <nixpkgs>.

lib.gvariant.mkInt16

Returns the GVariant int16 from the given Nix int value.

Type
mkInt16 :: Int -> gvariant

Located at lib/gvariant.nix:503 in <nixpkgs>.

lib.gvariant.mkUint16

Returns the GVariant uint16 from the given Nix int value.

Type
mkUint16 :: Int -> gvariant

Located at lib/gvariant.nix:514 in <nixpkgs>.

lib.gvariant.mkInt32

Returns the GVariant int32 from the given Nix int value.

Inputs
v

1. Function argument

Type
mkInt32 :: Int -> gvariant

Located at lib/gvariant.nix:531 in <nixpkgs>.

lib.gvariant.mkUint32

Returns the GVariant uint32 from the given Nix int value.

Type
mkUint32 :: Int -> gvariant

Located at lib/gvariant.nix:547 in <nixpkgs>.

lib.gvariant.mkInt64

Returns the GVariant int64 from the given Nix int value.

Type
mkInt64 :: Int -> gvariant

Located at lib/gvariant.nix:558 in <nixpkgs>.

lib.gvariant.mkUint64

Returns the GVariant uint64 from the given Nix int value.

Type
mkUint64 :: Int -> gvariant

Located at lib/gvariant.nix:569 in <nixpkgs>.

lib.gvariant.mkDouble

Returns the GVariant double from the given Nix float value.

Inputs
v

1. Function argument

Type
mkDouble :: Float -> gvariant

Located at lib/gvariant.nix:586 in <nixpkgs>.

lib.customisation: Functions to customise (derivation-related) functions, derivations, or attribute sets

lib.customisation.overrideDerivation

overrideDerivation drv f takes a derivation (i.e., the result of a call to the builtin function derivation) and returns a new derivation in which the attributes of the original are overridden according to the function f. The function f is called with the original derivation attributes.

overrideDerivation allows certain “ad-hoc” customisation scenarios (e.g. in ~/.config/nixpkgs/config.nix). For instance, if you want to “patch” the derivation returned by a package function in Nixpkgs to build another version than what the function itself provides.

For another application, see build-support/vm, where this function is used to build arbitrary derivations inside a QEMU virtual machine.

Note that in order to preserve evaluation errors, the new derivation’s outPath depends on the old one’s, which means that this function cannot be used in circular situations when the old derivation also depends on the new one.

You should in general prefer drv.overrideAttrs over this function; see the nixpkgs manual for more information on overriding.

Inputs
drv

1. Function argument

f

2. Function argument

Type
overrideDerivation :: Derivation -> ( Derivation -> AttrSet ) -> Derivation
Examples
Example 245. lib.customisation.overrideDerivation usage example
mySed = overrideDerivation pkgs.gnused (oldAttrs: {
  name = "sed-4.2.2-pre";
  src = fetchurl {
    url = ftp://alpha.gnu.org/gnu/sed/sed-4.2.2-pre.tar.bz2;
    hash = "sha256-MxBJRcM2rYzQYwJ5XKxhXTQByvSg5jZc5cSHEZoB2IY=";
  };
  patches = [];
});

Located at lib/customisation.nix:77 in <nixpkgs>.

lib.customisation.makeOverridable

makeOverridable takes a function from attribute set to attribute set and injects override attribute which can be used to override arguments of the function.

Please refer to documentation on <pkg>.overrideDerivation to learn about overrideDerivation and caveats related to its use.

Inputs
f

1. Function argument

Type
makeOverridable :: (AttrSet -> a) -> AttrSet -> a
Examples
Example 246. lib.customisation.makeOverridable usage example
nix-repl> x = {a, b}: { result = a + b; }

nix-repl> y = lib.makeOverridable x { a = 1; b = 2; }

nix-repl> y
{ override = «lambda»; overrideDerivation = «lambda»; result = 3; }

nix-repl> y.override { a = 10; }
{ override = «lambda»; overrideDerivation = «lambda»; result = 12; }

Located at lib/customisation.nix:131 in <nixpkgs>.

lib.customisation.callPackageWith

Call the package function in the file fn with the required arguments automatically. The function is called with the arguments args, but any missing arguments are obtained from autoArgs. This function is intended to be partially parameterised, e.g.,

callPackage = callPackageWith pkgs;
pkgs = {
  libfoo = callPackage ./foo.nix { };
  libbar = callPackage ./bar.nix { };
};

If the libbar function expects an argument named libfoo, it is automatically passed as an argument. Overrides or missing arguments can be supplied in args, e.g.

libbar = callPackage ./bar.nix {
  libfoo = null;
  enableX11 = true;
};
Inputs
autoArgs

1. Function argument

fn

2. Function argument

args

3. Function argument

Type
callPackageWith :: AttrSet -> ((AttrSet -> a) | Path) -> AttrSet -> a

Located at lib/customisation.nix:212 in <nixpkgs>.

lib.customisation.callPackagesWith

Like callPackage, but for a function that returns an attribute set of derivations. The override function is added to the individual attributes.

Inputs
autoArgs

1. Function argument

fn

2. Function argument

args

3. Function argument

Type
callPackagesWith :: AttrSet -> ((AttrSet -> AttrSet) | Path) -> AttrSet -> AttrSet

Located at lib/customisation.nix:298 in <nixpkgs>.

lib.customisation.extendDerivation

Add attributes to each output of a derivation without changing the derivation itself and check a given condition when evaluating.

Inputs
condition

1. Function argument

passthru

2. Function argument

drv

3. Function argument

Type
extendDerivation :: Bool -> Any -> Derivation -> Derivation

Located at lib/customisation.nix:339 in <nixpkgs>.

lib.customisation.hydraJob

Strip a derivation of all non-essential attributes, returning only those needed by hydra-eval-jobs. Also strictly evaluate the result to ensure that there are no thunks kept alive to prevent garbage collection.

Inputs
drv

1. Function argument

Type
hydraJob :: (Derivation | Null) -> (Derivation | Null)

Located at lib/customisation.nix:388 in <nixpkgs>.

lib.customisation.makeScope

Make an attribute set (a “scope”) from functions that take arguments from that same attribute set. See Example 247 for how to use it.

Inputs
  1. newScope (AttrSet -> ((AttrSet -> a) | Path) -> AttrSet -> a)

    A function that takes an attribute set attrs and returns what ends up as callPackage in the output.

    Typical values are callPackageWith or the output attribute newScope.

  2. f (AttrSet -> AttrSet)

    A function that takes an attribute set as returned by makeScope newScope f (a “scope”) and returns any attribute set.

    This function is used to compute the fixpoint of the resulting scope using callPackage. Its argument is the lazily evaluated reference to the value of that fixpoint, and is typically called self or final.

    See Example 247 for how to use it. See the section called “lib.fixedPoints: explicit recursion functions” for details on fixpoint computation.

Output

makeScope returns an attribute set of a form called scope, which also contains the final attributes produced by f:

scope :: {
  callPackage :: ((AttrSet -> a) | Path) -> AttrSet -> a
  newScope = AttrSet -> scope
  overrideScope = (scope -> scope -> AttrSet) -> scope
  packages :: AttrSet -> AttrSet
}
  • callPackage (((AttrSet -> a) | Path) -> AttrSet -> a)

    A function that

    1. Takes a function p, or a path to a Nix file that contains a function p, which takes an attribute set and returns value of arbitrary type a,

    2. Takes an attribute set args with explicit attributes to pass to p,

    3. Calls f with attributes from the original attribute set attrs passed to newScope updated with args, i.e. attrs // args, if they match the attributes in the argument of p.

    All such functions p will be called with the same value for attrs.

    See Example 248 for how to use it.

  • newScope (AttrSet -> scope)

    Takes an attribute set attrs and returns a scope that extends the original scope.

  • overrideScope ((scope -> scope -> AttrSet) -> scope)

    Takes a function g of the form final: prev: { # attributes } to act as an overlay on f, and returns a new scope with values determined by extends g f. See for details.

    This allows subsequent modification of the final attribute set in a consistent way, i.e. all functions p invoked with callPackage will be called with the modified values.

  • packages (AttrSet -> AttrSet)

    The value of the argument f to makeScope.

  • final attributes

    The final values returned by f.

Examples
Example 247. Create an interdependent package set on top of pkgs

The functions in foo.nix and bar.nix can depend on each other, in the sense that foo.nix can contain a function that expects bar as an attribute in its argument.

let
  pkgs = import <nixpkgs> { };
in
pkgs.lib.makeScope pkgs.newScope (self: {
  foo = self.callPackage ./foo.nix { };
  bar = self.callPackage ./bar.nix { };
})

evaluates to

{
  callPackage = «lambda»;
  newScope = «lambda»;
  overrideScope = «lambda»;
  packages = «lambda»;
  foo = «derivation»;
  bar = «derivation»;
}

Example 248. Using callPackage from a scope
let
  pkgs = import <nixpkgs> { };
  inherit (pkgs) lib;
  scope = lib.makeScope lib.callPackageWith (self: { a = 1; b = 2; });
  three = scope.callPackage ({ a, b }: a + b) { };
  four = scope.callPackage ({ a, b }: a + b) { a = 2; };
in
[ three four ]

evaluates to

[ 3 4 ]

Type
makeScope :: (AttrSet -> ((AttrSet -> a) | Path) -> AttrSet -> a) -> (AttrSet -> AttrSet) -> scope

Located at lib/customisation.nix:541 in <nixpkgs>.

lib.customisation.makeScopeWithSplicing

backward compatibility with old uncurried form; deprecated

Inputs
splicePackages

1. Function argument

newScope

2. Function argument

otherSplices

3. Function argument

keep

4. Function argument

extra

5. Function argument

f

6. Function argument

Located at lib/customisation.nix:584 in <nixpkgs>.

lib.customisation.makeScopeWithSplicing'

Like makeScope, but aims to support cross compilation. It’s still ugly, but hopefully it helps a little bit.

Type
makeScopeWithSplicing' ::
  { splicePackages :: Splice -> AttrSet
  , newScope :: AttrSet -> ((AttrSet -> a) | Path) -> AttrSet -> a
  }
  -> { otherSplices :: Splice, keep :: AttrSet -> AttrSet, extra :: AttrSet -> AttrSet }
  -> AttrSet

Splice ::
  { pkgsBuildBuild :: AttrSet
  , pkgsBuildHost :: AttrSet
  , pkgsBuildTarget :: AttrSet
  , pkgsHostHost :: AttrSet
  , pkgsHostTarget :: AttrSet
  , pkgsTargetTarget :: AttrSet
  }

Located at lib/customisation.nix:614 in <nixpkgs>.

lib.meta: functions for derivation metadata

Some functions for manipulating meta attributes, as well as the name attribute.

lib.meta.addMetaAttrs

Add to or override the meta attributes of the given derivation.

Inputs
newAttrs

1. Function argument

drv

2. Function argument

Examples
Example 249. lib.meta.addMetaAttrs usage example
addMetaAttrs {description = "Bla blah";} somePkg

Located at lib/meta.nix:42 in <nixpkgs>.

lib.meta.dontDistribute

Disable Hydra builds of given derivation.

Inputs
drv

1. Function argument

Located at lib/meta.nix:55 in <nixpkgs>.

lib.meta.setName

Change the symbolic name of a derivation.

Warning

Dependent derivations will be rebuilt when the symbolic name is changed.

Inputs
name

1. Function argument

drv

2. Function argument

Located at lib/meta.nix:75 in <nixpkgs>.

lib.meta.updateName

Like setName, but takes the previous name as an argument.

Inputs
updater

1. Function argument

drv

2. Function argument

Examples
Example 250. lib.meta.updateName usage example
updateName (oldName: oldName + "-experimental") somePkg

Located at lib/meta.nix:102 in <nixpkgs>.

lib.meta.appendToName

Append a suffix to the name of a package (before the version part).

Inputs
suffix

1. Function argument

Located at lib/meta.nix:115 in <nixpkgs>.

lib.meta.mapDerivationAttrset

Apply a function to each derivation and only to derivations in an attrset.

Inputs
f

1. Function argument

set

2. Function argument

Located at lib/meta.nix:133 in <nixpkgs>.

lib.meta.defaultPriority

The default priority of packages in Nix. See defaultPriority in src/nix/profile.cc.

Located at lib/meta.nix:138 in <nixpkgs>.

lib.meta.setPrio

Set the nix-env priority of the package. Note that higher values are lower priority, and vice versa.

Inputs
priority

1. The priority to set.

drv

2. Function argument

Located at lib/meta.nix:151 in <nixpkgs>.

lib.meta.lowPrio

Decrease the nix-env priority of the package, i.e., other versions/variants of the package will be preferred.

Inputs
drv

1. Function argument

Located at lib/meta.nix:164 in <nixpkgs>.

lib.meta.lowPrioSet

Apply lowPrio to an attrset with derivations.

Inputs
set

1. Function argument

Located at lib/meta.nix:175 in <nixpkgs>.

lib.meta.hiPrio

Increase the nix-env priority of the package, i.e., this version/variant of the package will be preferred.

Inputs
drv

1. Function argument

Located at lib/meta.nix:188 in <nixpkgs>.

lib.meta.hiPrioSet

Apply hiPrio to an attrset with derivations.

Inputs
set

1. Function argument

Located at lib/meta.nix:199 in <nixpkgs>.

lib.meta.platformMatch

Check to see if a platform is matched by the given meta.platforms element.

A meta.platform pattern is either

  1. (legacy) a system string.

  2. (modern) a pattern for the entire platform structure (see lib.systems.inspect.platformPatterns).

  3. (modern) a pattern for the platform parsed field (see lib.systems.inspect.patterns).

We can inject these into a pattern for the whole of a structured platform, and then match that.

Inputs
platform

1. Function argument

elem

2. Function argument

Examples
Example 251. lib.meta.platformMatch usage example
lib.meta.platformMatch { system = "aarch64-darwin"; } "aarch64-darwin"
=> true

Located at lib/meta.nix:240 in <nixpkgs>.

lib.meta.availableOn

Check if a package is available on a given platform.

A package is available on a platform if both

  1. One of meta.platforms pattern matches the given platform, or meta.platforms is not present.

  2. None of meta.badPlatforms pattern matches the given platform.

Inputs
platform

1. Function argument

pkg

2. Function argument

Examples
Example 252. lib.meta.availableOn usage example
lib.meta.availableOn { system = "aarch64-darwin"; } pkg.zsh
=> true

Located at lib/meta.nix:289 in <nixpkgs>.

lib.meta.licensesSpdx

Mapping of SPDX ID to the attributes in lib.licenses.

For SPDX IDs, see https://spdx.org/licenses. Note that some SPDX licenses might be missing.

Examples
Example 253. lib.meta.licensesSpdx usage example
lib.licensesSpdx.MIT == lib.licenses.mit
=> true
lib.licensesSpdx."MY LICENSE"
=> error: attribute 'MY LICENSE' missing

Located at lib/meta.nix:312 in <nixpkgs>.

lib.meta.getLicenseFromSpdxId

Get the corresponding attribute in lib.licenses from the SPDX ID or warn and fallback to { shortName = <license string>; }.

For SPDX IDs, see https://spdx.org/licenses. Note that some SPDX licenses might be missing.

Type
getLicenseFromSpdxId :: str -> AttrSet
Examples
Example 254. lib.meta.getLicenseFromSpdxId usage example
lib.getLicenseFromSpdxId "MIT" == lib.licenses.mit
=> true
lib.getLicenseFromSpdxId "mIt" == lib.licenses.mit
=> true
lib.getLicenseFromSpdxId "MY LICENSE"
=> trace: warning: getLicenseFromSpdxId: No license matches the given SPDX ID: MY LICENSE
=> { shortName = "MY LICENSE"; }

Located at lib/meta.nix:349 in <nixpkgs>.

lib.meta.getLicenseFromSpdxIdOr

Get the corresponding attribute in lib.licenses from the SPDX ID or fallback to the given default value.

For SPDX IDs, see https://spdx.org/licenses. Note that some SPDX licenses might be missing.

Inputs
licstr

1. SPDX ID string to find a matching license

default

2. Fallback value when a match is not found

Type
getLicenseFromSpdxIdOr :: str -> Any -> Any
Examples
Example 255. lib.meta.getLicenseFromSpdxIdOr usage example
lib.getLicenseFromSpdxIdOr "MIT" null == lib.licenses.mit
=> true
lib.getLicenseFromSpdxId "mIt" null == lib.licenses.mit
=> true
lib.getLicenseFromSpdxIdOr "MY LICENSE" lib.licenses.free == lib.licenses.free
=> true
lib.getLicenseFromSpdxIdOr "MY LICENSE" null
=> null
lib.getLicenseFromSpdxIdOr "MY LICENSE" (builtins.throw "No SPDX ID matches MY LICENSE")
=> error: No SPDX ID matches MY LICENSE

Located at lib/meta.nix:395 in <nixpkgs>.

lib.meta.getExe

Get the path to the main program of a package based on meta.mainProgram

Inputs
x

1. Function argument

Type
getExe :: package -> string
Examples
Example 256. lib.meta.getExe usage example
getExe pkgs.hello
=> "/nix/store/g124820p9hlv4lj8qplzxw1c44dxaw1k-hello-2.12/bin/hello"
getExe pkgs.mustache-go
=> "/nix/store/am9ml4f4ywvivxnkiaqwr0hyxka1xjsf-mustache-go-1.3.0/bin/mustache"

Located at lib/meta.nix:433 in <nixpkgs>.

lib.meta.getExe'

Get the path of a program of a derivation.

Inputs
x

1. Function argument

y

2. Function argument

Type
getExe' :: derivation -> string -> string
Examples
Example 257. lib.meta.getExe' usage example
getExe' pkgs.hello "hello"
=> "/nix/store/g124820p9hlv4lj8qplzxw1c44dxaw1k-hello-2.12/bin/hello"
getExe' pkgs.imagemagick "convert"
=> "/nix/store/5rs48jamq7k6sal98ymj9l4k2bnwq515-imagemagick-7.1.1-15/bin/convert"

Located at lib/meta.nix:473 in <nixpkgs>.

lib.derivations: miscellaneous derivation-specific functions

lib.derivations.lazyDerivation

Restrict a derivation to a predictable set of attribute names, so that the returned attrset is not strict in the actual derivation, saving a lot of computation when the derivation is non-trivial.

This is useful in situations where a derivation might only be used for its passthru attributes, improving evaluation performance.

The returned attribute set is lazy in derivation. Specifically, this means that the derivation will not be evaluated in at least the situations below.

For illustration and/or testing, we define derivation such that its evaluation is very noticeable.

let derivation = throw "This won't be evaluated.";

In the following expressions, derivation will not be evaluated:

(lazyDerivation { inherit derivation; }).type

attrNames (lazyDerivation { inherit derivation; })

(lazyDerivation { inherit derivation; } // { foo = true; }).foo

(lazyDerivation { inherit derivation; meta.foo = true; }).meta

In these expressions, derivation will be evaluated:

"${lazyDerivation { inherit derivation }}"

(lazyDerivation { inherit derivation }).outPath

(lazyDerivation { inherit derivation }).meta

And the following expressions are not valid, because the refer to implementation details and/or attributes that may not be present on some derivations:

(lazyDerivation { inherit derivation }).buildInputs

(lazyDerivation { inherit derivation }).passthru

(lazyDerivation { inherit derivation }).pythonPath
Inputs

Takes an attribute set with the following attributes

derivation

The derivation to be wrapped.

meta

Optional meta attribute.

While this function is primarily about derivations, it can improve the meta package attribute, which is usually specified through mkDerivation.

passthru

Optional extra values to add to the returned attrset.

This can be used for adding package attributes, such as tests.

outputs

Optional list of assumed outputs. Default: [“out”]

This must match the set of outputs that the returned derivation has. You must use this when the derivation has multiple outputs.

Located at lib/derivations.nix:92 in <nixpkgs>.

lib.derivations.optionalDrvAttr

Conditionally set a derivation attribute.

Because mkDerivation sets __ignoreNulls = true, a derivation attribute set to null will not impact the derivation output hash. Thus, this function passes through its value argument if the cond is true, but returns null if not.

Inputs
cond

Condition

value

Attribute value

Type
optionalDrvAttr :: Bool -> a -> a | Null
Examples
Example 258. lib.derivations.optionalDrvAttr usage example
(stdenv.mkDerivation {
  name = "foo";
  x = optionalDrvAttr true 1;
  y = optionalDrvAttr false 1;
}).drvPath == (stdenv.mkDerivation {
  name = "foo";
  x = 1;
}).drvPath
=> true

Located at lib/derivations.nix:212 in <nixpkgs>.

Generators

Generators are functions that create file formats from nix data structures, e. g. for configuration files. There are generators available for: INI, JSON and YAML

All generators follow a similar call interface: generatorName configFunctions data, where configFunctions is an attrset of user-defined functions that format nested parts of the content. They each have common defaults, so often they do not need to be set manually. An example is mkSectionName ? (name: libStr.escape [ "[" "]" ] name) from the INI generator. It receives the name of a section and sanitizes it. The default mkSectionName escapes [ and ] with a backslash.

Generators can be fine-tuned to produce exactly the file format required by your application/service. One example is an INI-file format which uses : as separator, the strings "yes"/"no" as boolean values and requires all string values to be quoted:

let
  inherit (lib) generators isString;

  customToINI = generators.toINI {
    # specifies how to format a key/value pair
    mkKeyValue = generators.mkKeyValueDefault {
      # specifies the generated string for a subset of nix values
      mkValueString = v:
             if v == true then ''"yes"''
        else if v == false then ''"no"''
        else if isString v then ''"${v}"''
        # and delegates all other values to the default generator
        else generators.mkValueStringDefault {} v;
    } ":";
  };

# the INI file can now be given as plain old nix values
in customToINI {
  main = {
    pushinfo = true;
    autopush = false;
    host = "localhost";
    port = 42;
  };
  mergetool = {
    merge = "diff3";
  };
}

This will produce the following INI file as nix string:

[main]
autopush:"no"
host:"localhost"
port:42
pushinfo:"yes"
str\:ange:"very::strange"

[mergetool]
merge:"diff3"

Note

Nix store paths can be converted to strings by enclosing a derivation attribute like so: "${drv}".

Detailed documentation for each generator can be found here

Debugging Nix Expressions

Nix is a unityped, dynamic language, this means every value can potentially appear anywhere. Since it is also non-strict, evaluation order and what ultimately is evaluated might surprise you. Therefore it is important to be able to debug nix expressions.

In the lib/debug.nix file you will find a number of functions that help (pretty-)printing values while evaluation is running. You can even specify how deep these values should be printed recursively, and transform them on the fly. Please consult the docstrings in lib/debug.nix for usage information.

prefer-remote-fetch overlay

prefer-remote-fetch is an overlay that download sources on remote builder. This is useful when the evaluating machine has a slow upload while the builder can fetch faster directly from the source. To use it, put the following snippet as a new overlay:

self: super:
  (super.prefer-remote-fetch self super)

A full configuration example for that sets the overlay up for your own account, could look like this

$ mkdir ~/.config/nixpkgs/overlays/
$ cat > ~/.config/nixpkgs/overlays/prefer-remote-fetch.nix <<EOF
  self: super: super.prefer-remote-fetch self super
EOF

pkgs.nix-gitignore

pkgs.nix-gitignore is a function that acts similarly to builtins.filterSource but also allows filtering with the help of the gitignore format.

Usage

pkgs.nix-gitignore exports a number of functions, but you’ll most likely need either gitignoreSource or gitignoreSourcePure. As their first argument, they both accept either 1. a file with gitignore lines or 2. a string with gitignore lines, or 3. a list of either of the two. They will be concatenated into a single big string.

{ pkgs ? import <nixpkgs> {} }: {

 src = nix-gitignore.gitignoreSource [] ./source;
     # Simplest version

 src = nix-gitignore.gitignoreSource "supplemental-ignores\n" ./source;
     # This one reads the ./source/.gitignore and concats the auxiliary ignores

 src = nix-gitignore.gitignoreSourcePure "ignore-this\nignore-that\n" ./source;
     # Use this string as gitignore, don't read ./source/.gitignore.

 src = nix-gitignore.gitignoreSourcePure ["ignore-this\nignore-that\n" ~/.gitignore] ./source;
     # It also accepts a list (of strings and paths) that will be concatenated
     # once the paths are turned to strings via readFile.
}

These functions are derived from the Filter functions by setting the first filter argument to (_: _: true):

{
  gitignoreSourcePure = gitignoreFilterSourcePure (_: _: true);
  gitignoreSource = gitignoreFilterSource (_: _: true);
}

Those filter functions accept the same arguments the builtins.filterSource function would pass to its filters, thus fn: gitignoreFilterSourcePure fn "" should be extensionally equivalent to filterSource. The file is blacklisted if it’s blacklisted by either your filter or the gitignoreFilter.

If you want to make your own filter from scratch, you may use

{
  gitignoreFilter = ign: root: filterPattern (gitignoreToPatterns ign) root;
}

gitignore files in subdirectories

If you wish to use a filter that would search for .gitignore files in subdirectories, just like git does by default, use this function:

{
  # gitignoreFilterRecursiveSource = filter: patterns: root:
  # OR
  gitignoreRecursiveSource = gitignoreFilterSourcePure (_: _: true);
}

Module System

Table of Contents

Introduction
lib.evalModules

Introduction

The module system is a language for handling configuration, implemented as a Nix library.

Compared to plain Nix, it adds documentation, type checking and composition or extensibility.

Note

This chapter is new and not complete yet. For a gentle introduction to the module system, in the context of NixOS, see Writing NixOS Modules in the NixOS manual.

lib.evalModules

Evaluate a set of modules. This function is typically only used once per application (e.g. once in NixOS, once in Home Manager, …).

Parameters

modules

A list of modules. These are merged together to form the final configuration.

specialArgs

An attribute set of module arguments that can be used in imports.

This is in contrast to config._module.args, which is only available after all imports have been resolved.

class

If the class attribute is set and non-null, the module system will reject imports with a different _class declaration.

The class value should be a string in lower camel case.

If applicable, the class should match the “prefix” of the attributes used in (experimental) flakes. Some examples are:

  • nixos as in flake.nixosModules

  • nixosTest: modules that constitute a NixOS VM test

prefix

A list of strings representing the location at or below which all options are evaluated. This is used by types.submodule to improve error reporting and find the implicit name module argument.

Return value

The result is an attribute set with the following attributes:

options

The nested attribute set of all option declarations.

config

The nested attribute set of all option values.

type

A module system type. This type is an instance of types.submoduleWith containing the current modules.

The option definitions that are typed with this type will extend the current set of modules, like extendModules.

However, the value returned from the type is just the config, like any submodule.

If you’re familiar with prototype inheritance, you can think of this evalModules invocation as the prototype, and usages of this type as the instances.

This type is also available to the modules as the module argument moduleType.

extendModules

A function similar to evalModules but building on top of the already passed modules. Its arguments, modules and specialArgs are added to the existing values.

If you’re familiar with prototype inheritance, you can think of the current, actual evalModules invocation as the prototype, and the return value of extendModules as the instance.

This functionality is also available to modules as the extendModules module argument.

Note

Evaluation Performance

extendModules returns a configuration that shares very little with the original evalModules invocation, because the module arguments may be different.

So if you have a configuration that has been (or will be) largely evaluated, almost none of the computation is shared with the configuration returned by extendModules.

The real work of module evaluation happens while computing the values in config and options, so multiple invocations of extendModules have a particularly small cost, as long as only the final config and options are evaluated.

If you do reference multiple config (or options) from before and after extendModules, evaluation performance is the same as with multiple evalModules invocations, because the new modules’ ability to override existing configuration fundamentally requires constructing a new config and options fixpoint.

_module

A portion of the configuration tree which is elided from config.

_type

A nominal type marker, always "configuration".

class

The class argument.

Standard environment

The Standard Environment

The standard build environment in the Nix Packages collection provides an environment for building Unix packages that does a lot of common build tasks automatically. In fact, for Unix packages that use the standard ./configure; make; make install build interface, you don’t need to write a build script at all; the standard environment does everything automatically. If stdenv doesn’t do what you need automatically, you can easily customise or override the various build phases.

Using stdenv

To build a package with the standard environment, you use the function stdenv.mkDerivation, instead of the primitive built-in function derivation, e.g.

stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  src = fetchurl {
    url = "http://example.org/libfoo-1.2.3.tar.bz2";
    hash = "sha256-tWxU/LANbQE32my+9AXyt3nCT7NBVfJ45CX757EMT3Q=";
  };
}

(stdenv needs to be in scope, so if you write this in a separate Nix expression from pkgs/all-packages.nix, you need to pass it as a function argument.) Specifying a name and a src is the absolute minimum Nix requires. For convenience, you can also use pname and version attributes and mkDerivation will automatically set name to "${pname}-${version}" by default. Since RFC 0035, this is preferred for packages in Nixpkgs, as it allows us to reuse the version easily:

stdenv.mkDerivation rec {
  pname = "libfoo";
  version = "1.2.3";
  src = fetchurl {
    url = "http://example.org/libfoo-source-${version}.tar.bz2";
    hash = "sha256-tWxU/LANbQE32my+9AXyt3nCT7NBVfJ45CX757EMT3Q=";
  };
}

Many packages have dependencies that are not provided in the standard environment. It’s usually sufficient to specify those dependencies in the buildInputs attribute:

stdenv.mkDerivation {
  pname = "libfoo";
  version = "1.2.3";
  # ...
  buildInputs = [libbar perl ncurses];
}

This attribute ensures that the bin subdirectories of these packages appear in the PATH environment variable during the build, that their include subdirectories are searched by the C compiler, and so on. (See the section called “Package setup hooks” for details.)

Often it is necessary to override or modify some aspect of the build. To make this easier, the standard environment breaks the package build into a number of phases, all of which can be overridden or modified individually: unpacking the sources, applying patches, configuring, building, and installing. (There are some others; see the section called “Phases”.) For instance, a package that doesn’t supply a makefile but instead has to be compiled “manually” could be handled like this:

stdenv.mkDerivation {
  pname = "fnord";
  version = "4.5";
  # ...
  buildPhase = ''
    gcc foo.c -o foo
  '';
  installPhase = ''
    mkdir -p $out/bin
    cp foo $out/bin
  '';
}

(Note the use of ''-style string literals, which are very convenient for large multi-line script fragments because they don’t need escaping of " and \, and because indentation is intelligently removed.)

There are many other attributes to customise the build. These are listed in the section called “Attributes”.

While the standard environment provides a generic builder, you can still supply your own build script:

stdenv.mkDerivation {
  pname = "libfoo";
  version = "1.2.3";
  # ...
  builder = ./builder.sh;
}

where the builder can do anything it wants, but typically starts with

source $stdenv/setup

to let stdenv set up the environment (e.g. by resetting PATH and populating it from build inputs). If you want, you can still use stdenv’s generic builder:

source $stdenv/setup

buildPhase() {
  echo "... this is my custom build phase ..."
  gcc foo.c -o foo
}

installPhase() {
  mkdir -p $out/bin
  cp foo $out/bin
}

genericBuild

Building a stdenv package in nix-shell

To build a stdenv package in a nix-shell, enter a shell, find the phases you wish to build, then invoke genericBuild manually:

Go to an empty directory, invoke nix-shell with the desired package, and from inside the shell, set the output variables to a writable directory:

cd "$(mktemp -d)"
nix-shell '<nixpkgs>' -A some_package
export out=$(pwd)/out

Next, invoke the desired parts of the build. First, run the phases that generate a working copy of the sources, which will change directory to the sources for you:

phases="${prePhases[*]:-} unpackPhase patchPhase" genericBuild

Then, run more phases up until the failure is reached. If the failure is in the build or check phase, the following phases would be required:

phases="${preConfigurePhases[*]:-} configurePhase ${preBuildPhases[*]:-} buildPhase checkPhase" genericBuild

Use this command to run all install phases:

phases="${preInstallPhases[*]:-} installPhase ${preFixupPhases[*]:-} fixupPhase installCheckPhase" genericBuild

Single phase can be re-run as many times as necessary to examine the failure like so:

phases="buildPhase" genericBuild

To modify a phase, first print it with

echo "$buildPhase"

Or, if that is empty, for instance, if it is using a function:

type buildPhase

then change it in a text editor, and paste it back to the terminal.

Note

This method may have some inconsistencies in environment variables and behaviour compared to a normal build within the Nix build sandbox. The following is a non-exhaustive list of such differences:

  • TMP, TMPDIR, and similar variables likely point to non-empty directories that the build might conflict with files in.

  • Output store paths are not writable, so the variables for outputs need to be overridden to writable paths.

  • Other environment variables may be inconsistent with a nix-build either due to nix-shell’s initialization script or due to the use of nix-shell without the --pure option.

If the build fails differently inside the shell than in the sandbox, consider using breakpointHook and invoking nix-build instead. The --keep-failed option for nix-build may also be useful to examine the build directory of a failed build.

Tools provided by stdenv

The standard environment provides the following packages:

  • The GNU C Compiler, configured with C and C++ support.

  • GNU coreutils (contains a few dozen standard Unix commands).

  • GNU findutils (contains find).

  • GNU diffutils (contains diff, cmp).

  • GNU sed.

  • GNU grep.

  • GNU awk.

  • GNU tar.

  • gzip, bzip2 and xz.

  • GNU Make.

  • Bash. This is the shell used for all builders in the Nix Packages collection. Not using /bin/sh removes a large source of portability problems.

  • The patch command.

On Linux, stdenv also includes the patchelf utility.

Specifying dependencies

Build systems often require more dependencies than just what stdenv provides. This section describes attributes accepted by stdenv.mkDerivation that can be used to make these dependencies available to the build system.

Overview

A full reference of the different kinds of dependencies is provided in the section called “Reference”, but here is an overview of the most common ones. It should cover most use cases.

Add dependencies to nativeBuildInputs if they are executed during the build:

  • those which are needed on $PATH during the build, for example cmake and pkg-config

  • setup hooks, for example makeWrapper

  • interpreters needed by patchShebangs for build scripts (with the --build flag), which can be the case for e.g. perl

Add dependencies to buildInputs if they will end up copied or linked into the final output or otherwise used at runtime:

  • libraries used by compilers, for example zlib,

  • interpreters needed by patchShebangs for scripts which are installed, which can be the case for e.g. perl

Note

These criteria are independent.

For example, software using Wayland usually needs the wayland library at runtime, so wayland should be added to buildInputs. But it also executes the wayland-scanner program as part of the build to generate code, so wayland should also be added to nativeBuildInputs.

Dependencies needed only to run tests are similarly classified between native (executed during build) and non-native (executed at runtime):

  • nativeCheckInputs for test tools needed on $PATH (such as ctest) and setup hooks (for example pytestCheckHook)

  • checkInputs for libraries linked into test executables (for example the qcheck OCaml package)

These dependencies are only injected when doCheck is set to true.

Example

Consider for example this simplified derivation for solo5, a sandboxing tool:

stdenv.mkDerivation rec {
  pname = "solo5";
  version = "0.7.5";

  src = fetchurl {
    url = "https://github.com/Solo5/solo5/releases/download/v${version}/solo5-v${version}.tar.gz";
    hash = "sha256-viwrS9lnaU8sTGuzK/+L/PlMM/xRRtgVuK5pixVeDEw=";
  };

  nativeBuildInputs = [ makeWrapper pkg-config ];
  buildInputs = [ libseccomp ];

  postInstall = ''
    substituteInPlace $out/bin/solo5-virtio-mkimage \
      --replace-fail "/usr/lib/syslinux" "${syslinux}/share/syslinux" \
      --replace-fail "/usr/share/syslinux" "${syslinux}/share/syslinux" \
      --replace-fail "cp " "cp --no-preserve=mode "

    wrapProgram $out/bin/solo5-virtio-mkimage \
      --prefix PATH : ${lib.makeBinPath [ dosfstools mtools parted syslinux ]}
  '';

  doCheck = true;
  nativeCheckInputs = [ util-linux qemu ];
  checkPhase = '' [elided] '';
}
  • makeWrapper is a setup hook, i.e., a shell script sourced by the generic builder of stdenv. It is thus executed during the build and must be added to nativeBuildInputs.

  • pkg-config is a build tool which the configure script of solo5 expects to be on $PATH during the build: therefore, it must be added to nativeBuildInputs.

  • libseccomp is a library linked into $out/bin/solo5-elftool. As it is used at runtime, it must be added to buildInputs.

  • Tests need qemu and getopt (from util-linux) on $PATH, these must be added to nativeCheckInputs.

  • Some dependencies are injected directly in the shell code of phases: syslinux, dosfstools, mtools, and parted. In this specific case, they will end up in the output of the derivation ($out here). As Nix marks dependencies whose absolute path is present in the output as runtime dependencies, adding them to buildInputs is not required.

For more complex cases, like libraries linked into an executable which is then executed as part of the build system, see the section called “Reference”.

Reference

As described in the Nix manual, almost any *.drv store path in a derivation’s attribute set will induce a dependency on that derivation. mkDerivation, however, takes a few attributes intended to include all the dependencies of a package. This is done both for structure and consistency, but also so that certain other setup can take place. For example, certain dependencies need their bin directories added to the PATH. That is built-in, but other setup is done via a pluggable mechanism that works in conjunction with these dependency attributes. See the section called “Package setup hooks” for details.

Dependencies can be broken down along these axes: their host and target platforms relative to the new derivation’s. The platform distinctions are motivated by cross compilation; see Cross-compilation for exactly what each platform means. [1] But even if one is not cross compiling, the platforms imply whether a dependency is needed at run-time or build-time.

The extension of PATH with dependencies, alluded to above, proceeds according to the relative platforms alone. The process is carried out only for dependencies whose host platform matches the new derivation’s build platform i.e. dependencies which run on the platform where the new derivation will be built. [2] For each dependency <dep> of those dependencies, dep/bin, if present, is added to the PATH environment variable.

Dependency propagation

Propagated dependencies are made available to all downstream dependencies. This is particularly useful for interpreted languages, where all transitive dependencies have to be present in the same environment. Therefore it is used for the Python infrastructure in Nixpkgs.

Note

Propagated dependencies should be used with care, because they obscure the actual build inputs of dependent derivations and cause side effects through setup hooks. This can lead to conflicting dependencies that cannot easily be resolved.

Example 259. A propagated dependency
with import <nixpkgs> {};
let
  bar = stdenv.mkDerivation {
    name = "bar";
    dontUnpack = true;
    # `hello` is also made available to dependents, such as `foo`
    propagatedBuildInputs = [ hello ];
    postInstall = "mkdir $out";
  };
  foo = stdenv.mkDerivation {
    name = "foo";
    dontUnpack = true;
    # `bar` is a direct dependency, which implicitly includes the propagated `hello`
    buildInputs = [ bar ];
    # The `hello` binary is available!
    postInstall = "hello > $out";
  };
in
foo

Dependency propagation takes cross compilation into account, meaning that dependencies that cross platform boundaries are properly adjusted.

To determine the exact rules for dependency propagation, we start by assigning to each dependency a couple of ternary numbers (-1 for build, 0 for host, and 1 for target) representing its dependency type, which captures how its host and target platforms are each “offset” from the depending derivation’s host and target platforms. The following table summarize the different combinations that can be obtained:

host → targetattribute nameoffset
build --> builddepsBuildBuild-1, -1
build --> hostnativeBuildInputs-1, 0
build --> targetdepsBuildTarget-1, 1
host --> hostdepsHostHost0, 0
host --> targetbuildInputs0, 1
target --> targetdepsTargetTarget1, 1

Algorithmically, we traverse propagated inputs, accumulating every propagated dependency’s propagated dependencies and adjusting them to account for the “shift in perspective” described by the current dependency’s platform offsets. This results is sort of a transitive closure of the dependency relation, with the offsets being approximately summed when two dependency links are combined. We also prune transitive dependencies whose combined offsets go out-of-bounds, which can be viewed as a filter over that transitive closure removing dependencies that are blatantly absurd.

We can define the process precisely with Natural Deduction using the inference rules. This probably seems a bit obtuse, but so is the bash code that actually implements it! [3] They’re confusing in very different ways so… hopefully if something doesn’t make sense in one presentation, it will in the other!

let mapOffset(h, t, i) = i + (if i <= 0 then h else t - 1)

propagated-dep(h0, t0, A, B)
propagated-dep(h1, t1, B, C)
h0 + h1 in {-1, 0, 1}
h0 + t1 in {-1, 0, 1}
-------------------------------------- Transitive property
propagated-dep(mapOffset(h0, t0, h1),
               mapOffset(h0, t0, t1),
               A, C)
let mapOffset(h, t, i) = i + (if i <= 0 then h else t - 1)

dep(h0, t0, A, B)
propagated-dep(h1, t1, B, C)
h0 + h1 in {-1, 0, 1}
h0 + t1 in {-1, 0, -1}
----------------------------- Take immediate dependencies' propagated dependencies
propagated-dep(mapOffset(h0, t0, h1),
               mapOffset(h0, t0, t1),
               A, C)
propagated-dep(h, t, A, B)
----------------------------- Propagated dependencies count as dependencies
dep(h, t, A, B)

Some explanation of this monstrosity is in order. In the common case, the target offset of a dependency is the successor to the target offset: t = h + 1. That means that:

let f(h, t, i) = i + (if i <= 0 then h else t - 1)
let f(h, h + 1, i) = i + (if i <= 0 then h else (h + 1) - 1)
let f(h, h + 1, i) = i + (if i <= 0 then h else h)
let f(h, h + 1, i) = i + h

This is where “sum-like” comes in from above: We can just sum all of the host offsets to get the host offset of the transitive dependency. The target offset is the transitive dependency is the host offset + 1, just as it was with the dependencies composed to make this transitive one; it can be ignored as it doesn’t add any new information.

Because of the bounds checks, the uncommon cases are h = t and h + 2 = t. In the former case, the motivation for mapOffset is that since its host and target platforms are the same, no transitive dependency of it should be able to “discover” an offset greater than its reduced target offsets. mapOffset effectively “squashes” all its transitive dependencies’ offsets so that none will ever be greater than the target offset of the original h = t package. In the other case, h + 1 is skipped over between the host and target offsets. Instead of squashing the offsets, we need to “rip” them apart so no transitive dependencies’ offset is that one.

Overall, the unifying theme here is that propagation shouldn’t be introducing transitive dependencies involving platforms the depending package is unaware of. [One can imagine the depending package asking for dependencies with the platforms it knows about; other platforms it doesn’t know how to ask for. The platform description in that scenario is a kind of unforgeable capability.] The offset bounds checking and definition of mapOffset together ensure that this is the case. Discovering a new offset is discovering a new platform, and since those platforms weren’t in the derivation “spec” of the needing package, they cannot be relevant. From a capability perspective, we can imagine that the host and target platforms of a package are the capabilities a package requires, and the depending package must provide the capability to the dependency.

Variables specifying dependencies

depsBuildBuild

A list of dependencies whose host and target platforms are the new derivation’s build platform. These are programs and libraries used at build time that produce programs and libraries also used at build time. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it in nativeBuildInputs instead. The most common use of this buildPackages.stdenv.cc, the default C compiler for this role. That example crops up more than one might think in old commonly used C libraries.

Since these packages are able to be run at build-time, they are always added to the PATH, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future.

nativeBuildInputs

A list of dependencies whose host platform is the new derivation’s build platform, and target platform is the new derivation’s host platform. These are programs and libraries used at build-time that, if they are a compiler or similar tool, produce code to run at run-time—i.e. tools used to build the new derivation. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it here, rather than in depsBuildBuild or depsBuildTarget. This could be called depsBuildHost but nativeBuildInputs is used for historical continuity.

Since these packages are able to be run at build-time, they are added to the PATH, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future.

depsBuildTarget

A list of dependencies whose host platform is the new derivation’s build platform, and target platform is the new derivation’s target platform. These are programs used at build time that produce code to run with code produced by the depending package. Most commonly, these are tools used to build the runtime or standard library that the currently-being-built compiler will inject into any code it compiles. In many cases, the currently-being-built-compiler is itself employed for that task, but when that compiler won’t run (i.e. its build and host platform differ) this is not possible. Other times, the compiler relies on some other tool, like binutils, that is always built separately so that the dependency is unconditional.

This is a somewhat confusing concept to wrap one’s head around, and for good reason. As the only dependency type where the platform offsets, -1 and 1, are not adjacent integers, it requires thinking of a bootstrapping stage two away from the current one. It and its use-case go hand in hand and are both considered poor form: try to not need this sort of dependency, and try to avoid building standard libraries and runtimes in the same derivation as the compiler produces code using them. Instead strive to build those like a normal library, using the newly-built compiler just as a normal library would. In short, do not use this attribute unless you are packaging a compiler and are sure it is needed.

Since these packages are able to run at build time, they are added to the PATH, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future.

depsHostHost

A list of dependencies whose host and target platforms match the new derivation’s host platform. In practice, this would usually be tools used by compilers for macros or a metaprogramming system, or libraries used by the macros or metaprogramming code itself. It’s always preferable to use a depsBuildBuild dependency in the derivation being built over a depsHostHost on the tool doing the building for this purpose.

buildInputs

A list of dependencies whose host platform and target platform match the new derivation’s. This would be called depsHostTarget but for historical continuity. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it here, rather than in depsBuildBuild.

These are often programs and libraries used by the new derivation at run-time, but that isn’t always the case. For example, the machine code in a statically-linked library is only used at run-time, but the derivation containing the library is only needed at build-time. Even in the dynamic case, the library may also be needed at build-time to appease the linker.

depsTargetTarget

A list of dependencies whose host platform matches the new derivation’s target platform. These are packages that run on the target platform, e.g. the standard library or run-time deps of standard library that a compiler insists on knowing about. It’s poor form in almost all cases for a package to depend on another from a future stage [future stage corresponding to positive offset]. Do not use this attribute unless you are packaging a compiler and are sure it is needed.

depsBuildBuildPropagated

The propagated equivalent of depsBuildBuild. This perhaps never ought to be used, but it is included for consistency [see below for the others].

propagatedNativeBuildInputs

The propagated equivalent of nativeBuildInputs. This would be called depsBuildHostPropagated but for historical continuity. For example, if package Y has propagatedNativeBuildInputs = [X], and package Z has buildInputs = [Y], then package Z will be built as if it included package X in its nativeBuildInputs. If instead, package Z has nativeBuildInputs = [Y], then Z will be built as if it included X in the depsBuildBuild of package Z, because of the sum of the two -1 host offsets.

depsBuildTargetPropagated

The propagated equivalent of depsBuildTarget. This is prefixed for the same reason of alerting potential users.

depsHostHostPropagated

The propagated equivalent of depsHostHost.

propagatedBuildInputs

The propagated equivalent of buildInputs. This would be called depsHostTargetPropagated but for historical continuity.

depsTargetTargetPropagated

The propagated equivalent of depsTargetTarget. This is prefixed for the same reason of alerting potential users.

Attributes

Variables affecting stdenv initialisation

NIX_DEBUG

A number between 0 and 7 indicating how much information to log. If set to 1 or higher, stdenv will print moderate debugging information during the build. In particular, the gcc and ld wrapper scripts will print out the complete command line passed to the wrapped tools. If set to 6 or higher, the stdenv setup script will be run with set -x tracing. If set to 7 or higher, the gcc and ld wrapper scripts will also be run with set -x tracing.

Attributes affecting build properties

enableParallelBuilding

If set to true, stdenv will pass specific flags to make and other build tools to enable parallel building with up to build-cores workers.

Unless set to false, some build systems with good support for parallel building including cmake, meson, and qmake will set it to true.

Fixed-point arguments of mkDerivation

If you pass a function to mkDerivation, it will receive as its argument the final arguments, including the overrides when reinvoked via overrideAttrs. For example:

mkDerivation (finalAttrs: {
  pname = "hello";
  withFeature = true;
  configureFlags =
    lib.optionals finalAttrs.withFeature ["--with-feature"];
})

Note that this does not use the rec keyword to reuse withFeature in configureFlags. The rec keyword works at the syntax level and is unaware of overriding.

Instead, the definition references finalAttrs, allowing users to change withFeature consistently with overrideAttrs.

finalAttrs also contains the attribute finalPackage, which includes the output paths, etc.

Let’s look at a more elaborate example to understand the differences between various bindings:

# `pkg` is the _original_ definition (for illustration purposes)
let pkg =
  mkDerivation (finalAttrs: {
    # ...

    # An example attribute
    packages = [];

    # `passthru.tests` is a commonly defined attribute.
    passthru.tests.simple = f finalAttrs.finalPackage;

    # An example of an attribute containing a function
    passthru.appendPackages = packages':
      finalAttrs.finalPackage.overrideAttrs (newSelf: super: {
        packages = super.packages ++ packages';
      });

    # For illustration purposes; referenced as
    # `(pkg.overrideAttrs(x)).finalAttrs` etc in the text below.
    passthru.finalAttrs = finalAttrs;
    passthru.original = pkg;
  });
in pkg

Unlike the pkg binding in the above example, the finalAttrs parameter always references the final attributes. For instance (pkg.overrideAttrs(x)).finalAttrs.finalPackage is identical to pkg.overrideAttrs(x), whereas (pkg.overrideAttrs(x)).original is the same as the original pkg.

See also the section about passthru.tests.

Phases

stdenv.mkDerivation sets the Nix derivation’s builder to a script that loads the stdenv setup.sh bash library and calls genericBuild. Most packaging functions rely on this default builder.

This generic command either invokes a script at buildCommandPath, or a buildCommand, or a number of phases. Package builds are split into phases to make it easier to override specific parts of the build (e.g., unpacking the sources or installing the binaries).

Each phase can be overridden in its entirety either by setting the environment variable namePhase to a string containing some shell commands to be executed, or by redefining the shell function namePhase. The former is convenient to override a phase from the derivation, while the latter is convenient from a build script. However, typically one only wants to add some commands to a phase, e.g. by defining postInstall or preFixup, as skipping some of the default actions may have unexpected consequences. The default script for each phase is defined in the file pkgs/stdenv/generic/setup.sh.

When overriding a phase, for example installPhase, it is important to start with runHook preInstall and end it with runHook postInstall, otherwise preInstall and postInstall will not be run. Even if you don’t use them directly, it is good practice to do so anyways for downstream users who would want to add a postInstall by overriding your derivation.

While inside an interactive nix-shell, if you wanted to run all phases in the order they would be run in an actual build, you can invoke genericBuild yourself.

Controlling phases

There are a number of variables that control what phases are executed and in what order:

Variables affecting phase control

phases

Specifies the phases. You can change the order in which phases are executed, or add new phases, by setting this variable. If it’s not set, the default value is used, which is $prePhases unpackPhase patchPhase $preConfigurePhases configurePhase $preBuildPhases buildPhase checkPhase $preInstallPhases installPhase fixupPhase installCheckPhase $preDistPhases distPhase $postPhases.

The elements of phases must not contain spaces. If phases is specified as a Nix Language attribute, it should be specified as lists instead of strings. The same rules apply to the *Phases variables.

It is discouraged to set this variable, as it is easy to miss some important functionality hidden in some of the less obviously needed phases (like fixupPhase which patches the shebang of scripts). Usually, if you just want to add a few phases, it’s more convenient to set one of the *Phases variables below.

prePhases

Additional phases executed before any of the default phases.

preConfigurePhases

Additional phases executed just before the configure phase.

preBuildPhases

Additional phases executed just before the build phase.

preInstallPhases

Additional phases executed just before the install phase.

preFixupPhases

Additional phases executed just before the fixup phase.

preDistPhases

Additional phases executed just before the distribution phase.

postPhases

Additional phases executed after any of the default phases.

The unpack phase

The unpack phase is responsible for unpacking the source code of the package. The default implementation of unpackPhase unpacks the source files listed in the src environment variable to the current directory. It supports the following files by default:

Tar files

These can optionally be compressed using gzip (.tar.gz, .tgz or .tar.Z), bzip2 (.tar.bz2, .tbz2 or .tbz) or xz (.tar.xz, .tar.lzma or .txz).

Zip files

Zip files are unpacked using unzip. However, unzip is not in the standard environment, so you should add it to nativeBuildInputs yourself.

Directories in the Nix store

These are copied to the current directory. The hash part of the file name is stripped, e.g. /nix/store/1wydxgby13cz...-my-sources would be copied to my-sources.

Additional file types can be supported by setting the unpackCmd variable (see below).

Variables controlling the unpack phase

srcs / src

The list of source files or directories to be unpacked or copied. One of these must be set. Note that if you use srcs, you should also set sourceRoot or setSourceRoot.

sourceRoot

After unpacking all of src and srcs, if neither of sourceRoot and setSourceRoot are set, unpackPhase of the generic builder checks that the unpacking produced a single directory and moves the current working directory into it.

If unpackPhase produces multiple source directories, you should set sourceRoot to the name of the intended directory. You can also set sourceRoot = "."; if you want to control it yourself in a later phase.

For example, if you want your build to start in a sub-directory inside your sources, and you are using fetchzip-derived src (like fetchFromGitHub or similar), you need to set sourceRoot = "${src.name}/my-sub-directory".

setSourceRoot

Alternatively to setting sourceRoot, you can set setSourceRoot to a shell command to be evaluated by the unpack phase after the sources have been unpacked. This command must set sourceRoot.

For example, if you are using fetchurl on an archive file that gets unpacked into a single directory the name of which changes between package versions, and you want your build to start in its sub-directory, you need to set setSourceRoot = "sourceRoot=$(echo */my-sub-directory)";, or in the case of multiple sources, you could use something more specific, like setSourceRoot = "sourceRoot=$(echo ${pname}-*/my-sub-directory)";.

preUnpack

Hook executed at the start of the unpack phase.

postUnpack

Hook executed at the end of the unpack phase.

dontUnpack

Set to true to skip the unpack phase.

dontMakeSourcesWritable

If set to 1, the unpacked sources are not made writable. By default, they are made writable to prevent problems with read-only sources. For example, copied store directories would be read-only without this.

unpackCmd

The unpack phase evaluates the string $unpackCmd for any unrecognised file. The path to the current source file is contained in the curSrc variable.

The patch phase

The patch phase applies the list of patches defined in the patches variable.

Variables controlling the patch phase

dontPatch

Set to true to skip the patch phase.

patches

The list of patches. They must be in the format accepted by the patch command, and may optionally be compressed using gzip (.gz), bzip2 (.bz2) or xz (.xz).

patchFlags

Flags to be passed to patch. If not set, the argument -p1 is used, which causes the leading directory component to be stripped from the file names in each patch.

prePatch

Hook executed at the start of the patch phase.

postPatch

Hook executed at the end of the patch phase.

The configure phase

The configure phase prepares the source tree for building. The default configurePhase runs ./configure (typically an Autoconf-generated script) if it exists.

Variables controlling the configure phase

configureScript

The name of the configure script. It defaults to ./configure if it exists; otherwise, the configure phase is skipped. This can actually be a command (like perl ./Configure.pl).

configureFlags

A list of strings passed as additional arguments to the configure script.

dontConfigure

Set to true to skip the configure phase.

configureFlagsArray

A shell array containing additional arguments passed to the configure script. You must use this instead of configureFlags if the arguments contain spaces.

dontAddPrefix

By default, ./configure is passed the concatenation of prefixKey and prefix on the command line. Disable this by setting dontAddPrefix to true.

prefix

The prefix under which the package must be installed, passed via the --prefix option to the configure script. It defaults to $out.

prefixKey

The key to use when specifying the installation prefix. By default, this is set to --prefix= as that is used by the majority of packages. Other packages may need --prefix (with a trailing space) or PREFIX=.

dontAddStaticConfigureFlags

By default, when building statically, stdenv will try to add build system appropriate configure flags to try to enable static builds.

If this is undesirable, set this variable to true.

dontAddDisableDepTrack

By default, the flag --disable-dependency-tracking is added to the configure flags to speed up Automake-based builds. If this is undesirable, set this variable to true.

dontFixLibtool

By default, the configure phase applies some special hackery to all files called ltmain.sh before running the configure script in order to improve the purity of Libtool-based packages [4] . If this is undesirable, set this variable to true.

dontDisableStatic

By default, when the configure script has --enable-static, the option --disable-static is added to the configure flags.

If this is undesirable, set this variable to true. It is automatically set to true when building statically, for example through pkgsStatic.

configurePlatforms

By default, when cross compiling, the configure script has --build=... and --host=... passed. Packages can instead pass [ "build" "host" "target" ] or a subset to control exactly which platform flags are passed. Compilers and other tools can use this to also pass the target platform. [5]

preConfigure

Hook executed at the start of the configure phase.

postConfigure

Hook executed at the end of the configure phase.

The build phase

The build phase is responsible for actually building the package (e.g. compiling it). The default buildPhase calls make if a file named Makefile, makefile or GNUmakefile exists in the current directory (or the makefile is explicitly set); otherwise it does nothing.

Variables controlling the build phase

dontBuild

Set to true to skip the build phase.

makefile

The file name of the Makefile.

makeFlags

A list of strings passed as additional flags to make. These flags are also used by the default install and check phase. For setting make flags specific to the build phase, use buildFlags (see below).

{
  makeFlags = [ "PREFIX=$(out)" ];
}

Note

The flags are quoted in bash, but environment variables can be specified by using the make syntax.

makeFlagsArray

A shell array containing additional arguments passed to make. You must use this instead of makeFlags if the arguments contain spaces, e.g.

{
  preBuild = ''
    makeFlagsArray+=(CFLAGS="-O0 -g" LDFLAGS="-lfoo -lbar")
  '';
}

Note that shell arrays cannot be passed through environment variables, so you cannot set makeFlagsArray in a derivation attribute (because those are passed through environment variables): you have to define them in shell code.

buildFlags / buildFlagsArray

A list of strings passed as additional flags to make. Like makeFlags and makeFlagsArray, but only used by the build phase. Any build targets should be specified as part of the buildFlags.

preBuild

Hook executed at the start of the build phase.

postBuild

Hook executed at the end of the build phase.

You can set flags for make through the makeFlags variable.

Before and after running make, the hooks preBuild and postBuild are called, respectively.

The check phase

The check phase checks whether the package was built correctly by running its test suite. The default checkPhase calls make $checkTarget, but only if the doCheck variable is enabled.

It is highly recommended, for packages’ sources that are not distributed with any tests, to at least use versionCheckHook to test that the resulting executable is basically functional.

Variables controlling the check phase

doCheck

Controls whether the check phase is executed. By default it is skipped, but if doCheck is set to true, the check phase is usually executed. Thus you should set

{
  doCheck = true;
}

in the derivation to enable checks. The exception is cross compilation. Cross compiled builds never run tests, no matter how doCheck is set, as the newly-built program won’t run on the platform used to build it.

makeFlags / makeFlagsArray / makefile

See the build phase for details.

checkTarget

The make target that runs the tests. If unset, use check if it exists, otherwise test; if neither is found, do nothing.

checkFlags / checkFlagsArray

A list of strings passed as additional flags to make. Like makeFlags and makeFlagsArray, but only used by the check phase. Unlike with buildFlags, the checkTarget is automatically added to the make invocation in addition to any checkFlags specified.

checkInputs

A list of host dependencies used by the phase, usually libraries linked into executables built during tests. This gets included in buildInputs when doCheck is set.

nativeCheckInputs

A list of native dependencies used by the phase, notably tools needed on $PATH. This gets included in nativeBuildInputs when doCheck is set.

preCheck

Hook executed at the start of the check phase.

postCheck

Hook executed at the end of the check phase.

The install phase

The install phase is responsible for installing the package in the Nix store under out. The default installPhase creates the directory $out and calls make install.

Variables controlling the install phase

dontInstall

Set to true to skip the install phase.

makeFlags / makeFlagsArray / makefile

See the build phase for details.

installTargets

The make targets that perform the installation. Defaults to install. Example:

{
  installTargets = "install-bin install-doc";
}
installFlags / installFlagsArray

A list of strings passed as additional flags to make. Like makeFlags and makeFlagsArray, but only used by the install phase. Unlike with buildFlags, the installTargets are automatically added to the make invocation in addition to any installFlags specified.

preInstall

Hook executed at the start of the install phase.

postInstall

Hook executed at the end of the install phase.

The fixup phase

The fixup phase performs (Nix-specific) post-processing actions on the files installed under $out by the install phase. The default fixupPhase does the following:

  • It moves the man/, doc/ and info/ subdirectories of $out to share/.

  • It strips libraries and executables of debug information.

  • On Linux, it applies the patchelf command to ELF executables and libraries to remove unused directories from the RPATH in order to prevent unnecessary runtime dependencies.

  • It rewrites the interpreter paths of shell scripts to paths found in PATH. E.g., /usr/bin/perl will be rewritten to /nix/store/some-perl/bin/perl found in PATH. See the section called “patch-shebangs.sh for details.

Variables controlling the fixup phase

dontFixup

Set to true to skip the fixup phase.

dontStrip

If set, libraries and executables are not stripped. By default, they are.

dontStripHost

Like dontStrip, but only affects the strip command targeting the package’s host platform. Useful when supporting cross compilation, but otherwise feel free to ignore.

dontStripTarget

Like dontStrip, but only affects the strip command targeting the packages’ target platform. Useful when supporting cross compilation, but otherwise feel free to ignore.

dontMoveSbin

If set, files in $out/sbin are not moved to $out/bin. By default, they are.

stripAllList

List of directories to search for libraries and executables from which all symbols should be stripped. By default, it’s empty. Stripping all symbols is risky, since it may remove not just debug symbols but also ELF information necessary for normal execution.

stripAllListTarget

Like stripAllList, but only applies to packages’ target platform. By default, it’s empty. Useful when supporting cross compilation.

stripAllFlags

Flags passed to the strip command applied to the files in the directories listed in stripAllList. Defaults to -s (i.e. --strip-all).

stripDebugList

List of directories to search for libraries and executables from which only debugging-related symbols should be stripped. It defaults to lib lib32 lib64 libexec bin sbin.

stripDebugListTarget

Like stripDebugList, but only applies to packages’ target platform. By default, it’s empty. Useful when supporting cross compilation.

stripDebugFlags

Flags passed to the strip command applied to the files in the directories listed in stripDebugList. Defaults to -S (i.e. --strip-debug).

stripExclude

A list of filenames or path patterns to avoid stripping. A file is excluded if its name or path (from the derivation root) matches.

This example prevents all *.rlib files from being stripped:

stdenv.mkDerivation {
  # ...
  stripExclude = [ "*.rlib" ];
}

This example prevents files within certain paths from being stripped:

stdenv.mkDerivation {
  # ...
  stripExclude = [ "lib/modules/*/build/*" ];
}
dontPatchELF

If set, the patchelf command is not used to remove unnecessary RPATH entries. Only applies to Linux.

dontPatchShebangs

If set, scripts starting with #! do not have their interpreter paths rewritten to paths in the Nix store. See the section called “patch-shebangs.sh on how patching shebangs works.

dontPruneLibtoolFiles

If set, libtool .la files associated with shared libraries won’t have their dependency_libs field cleared.

forceShare

The list of directories that must be moved from $out to $out/share. Defaults to man doc info.

setupHook

A package can export a setup hook by setting this variable. The setup hook, if defined, is copied to $out/nix-support/setup-hook. Environment variables are then substituted in it using substituteAll.

preFixup

Hook executed at the start of the fixup phase.

postFixup

Hook executed at the end of the fixup phase.

separateDebugInfo

If set to true, the standard environment will enable debug information in C/C++ builds. After installation, the debug information will be separated from the executables and stored in the output named debug. (This output is enabled automatically; you don’t need to set the outputs attribute explicitly.) To be precise, the debug information is stored in debug/lib/debug/.build-id/XX/YYYY…, where <XXYYYY…> is the <build ID> of the binary — a SHA-1 hash of the contents of the binary. Debuggers like GDB use the build ID to look up the separated debug information.

Example 260. Enable debug symbols for use with GDB

To make GDB find debug information for the socat package and its dependencies, you can use the following shell.nix:

let
  pkgs = import ./. {
    config = {};
    overlays = [
      (final: prev: {
        ncurses = prev.ncurses.overrideAttrs { separateDebugInfo = true; };
        readline = prev.readline.overrideAttrs { separateDebugInfo = true; };
      })
    ];
  };

  myDebugInfoDirs = pkgs.symlinkJoin {
    name = "myDebugInfoDirs";
    paths = with pkgs; [
      glibc.debug
      ncurses.debug
      openssl.debug
      readline.debug
    ];
  };
in
  pkgs.mkShell {

    NIX_DEBUG_INFO_DIRS = "${pkgs.lib.getLib myDebugInfoDirs}/lib/debug";

    packages = [
      pkgs.gdb
      pkgs.socat
    ];

    shellHook = ''
      ${pkgs.lib.getBin pkgs.gdb}/bin/gdb ${pkgs.lib.getBin pkgs.socat}/bin/socat
    '';
  }

This setup works as follows:

  • Add overlays to the package set, since debug symbols are disabled for ncurses and readline by default.

  • Create a derivation to combine all required debug symbols under one path with symlinkJoin.

  • Set the environment variable NIX_DEBUG_INFO_DIRS in the shell. Nixpkgs patches gdb to use it for looking up debug symbols.

  • Run gdb on the socat binary on shell startup in the shellHook. Here we use lib.getBin to ensure that the correct derivation output is selected rather than the default one.


The installCheck phase

The installCheck phase checks whether the package was installed correctly by running its test suite against the installed directories. The default installCheck calls make installcheck.

It is often better to add tests that are not part of the source distribution to passthru.tests (see the section called “passthru.tests). This avoids adding overhead to every build and enables us to run them independently.

Variables controlling the installCheck phase

doInstallCheck

Controls whether the installCheck phase is executed. By default it is skipped, but if doInstallCheck is set to true, the installCheck phase is usually executed. Thus you should set

{
  doInstallCheck = true;
}

in the derivation to enable install checks. The exception is cross compilation. Cross compiled builds never run tests, no matter how doInstallCheck is set, as the newly-built program won’t run on the platform used to build it.

installCheckTarget

The make target that runs the install tests. Defaults to installcheck.

installCheckFlags / installCheckFlagsArray

A list of strings passed as additional flags to make. Like makeFlags and makeFlagsArray, but only used by the installCheck phase.

installCheckInputs

A list of host dependencies used by the phase, usually libraries linked into executables built during tests. This gets included in buildInputs when doInstallCheck is set.

nativeInstallCheckInputs

A list of native dependencies used by the phase, notably tools needed on $PATH. This gets included in nativeBuildInputs when doInstallCheck is set.

preInstallCheck

Hook executed at the start of the installCheck phase.

postInstallCheck

Hook executed at the end of the installCheck phase.

The distribution phase

The distribution phase is intended to produce a source distribution of the package. The default distPhase first calls make dist, then it copies the resulting source tarballs to $out/tarballs/. This phase is only executed if the attribute doDist is set.

Variables controlling the distribution phase

doDist

If set, the distribution phase is executed.

distTarget

The make target that produces the distribution. Defaults to dist.

distFlags / distFlagsArray

Additional flags passed to make.

tarballs

The names of the source distribution files to be copied to $out/tarballs/. It can contain shell wildcards. The default is *.tar.gz.

dontCopyDist

If set, no files are copied to $out/tarballs/.

preDist

Hook executed at the start of the distribution phase.

postDist

Hook executed at the end of the distribution phase.

Shell functions and utilities

The standard environment provides a number of useful functions.

makeWrapper <executable> <wrapperfile> <args>

Constructs a wrapper for a program with various possible arguments. It is defined as part of 2 setup-hooks named makeWrapper and makeBinaryWrapper that implement the same bash functions. Hence, to use it you have to add makeWrapper to your nativeBuildInputs. Here’s an example usage:

# adds `FOOBAR=baz` to `$out/bin/foo`’s environment
makeWrapper $out/bin/foo $wrapperfile --set FOOBAR baz

# Prefixes the binary paths of `hello` and `git`
# and suffixes the binary path of `xdg-utils`.
# Be advised that paths often should be patched in directly
# (via string replacements or in `configurePhase`).
makeWrapper $out/bin/foo $wrapperfile \
  --prefix PATH : ${lib.makeBinPath [ hello git ]} \
  --suffix PATH : ${lib.makeBinPath [ xdg-utils ]}

Packages may expect or require other utilities to be available at runtime. makeWrapper can be used to add packages to a PATH environment variable local to a wrapper.

Use --prefix to explicitly set dependencies in PATH.

Note

--prefix essentially hard-codes dependencies into the wrapper. They cannot be overridden without rebuilding the package.

If dependencies should be resolved at runtime, use --suffix to append fallback values to PATH.

There’s many more kinds of arguments, they are documented in nixpkgs/pkgs/build-support/setup-hooks/make-wrapper.sh for the makeWrapper implementation and in nixpkgs/pkgs/build-support/setup-hooks/make-binary-wrapper/make-binary-wrapper.sh for the makeBinaryWrapper implementation.

wrapProgram is a convenience function you probably want to use most of the time, implemented by both makeWrapper and makeBinaryWrapper.

Using the makeBinaryWrapper implementation is usually preferred, as it creates a tiny compiled wrapper executable, that can be used as a shebang interpreter. This is needed mostly on Darwin, where shebangs cannot point to scripts, due to a limitation with the execve-syscall. Compiled wrappers generated by makeBinaryWrapper can be inspected with less <path-to-wrapper> - by scrolling past the binary data you should be able to see the shell command that generated the executable and there see the environment variables that were injected into the wrapper.

remove-references-to -t <storepath> [ -t <storepath> … ] <file> …

Removes the references of the specified files to the specified store files. This is done without changing the size of the file by replacing the hash by eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee, and should work on compiled executables. This is meant to be used to remove the dependency of the output on inputs that are known to be unnecessary at runtime. Of course, reckless usage will break the patched programs. To use this, add removeReferencesTo to nativeBuildInputs.

As remove-references-to is an actual executable and not a shell function, it can be used with find. Example removing all references to the compiler in the output:

{
  postInstall = ''
    find "$out" -type f -exec remove-references-to -t ${stdenv.cc} '{}' +
  '';
}

runHook <hook>

Execute <hook> and the values in the array associated with it. The array’s name is determined by removing Hook from the end of <hook> and appending Hooks.

For example, runHook postHook would run the hook postHook and all of the values contained in the postHooks array, if it exists.

substitute <infile> <outfile> <subs>

Performs string substitution on the contents of <infile>, writing the result to <outfile>. The substitutions in <subs> are of the following form:

--replace-fail <s1> <s2>

Replace every occurrence of the string <s1> by <s2>. Will error if no change is made.

--replace-warn <s1> <s2>

Replace every occurrence of the string <s1> by <s2>. Will print a warning if no change is made.

--replace-quiet <s1> <s2>

Replace every occurrence of the string <s1> by <s2>. Will do nothing if no change can be made.

--subst-var <varName>

Replace every occurrence of @varName@ by the contents of the environment variable <varName>. This is useful for generating files from templates, using @...@ in the template as placeholders.

--subst-var-by <varName> <s>

Replace every occurrence of @varName@ by the string <s>.

Example:

substitute ./foo.in ./foo.out \
    --replace-fail /usr/bin/bar $bar/bin/bar \
    --replace-fail "a string containing spaces" "some other text" \
    --subst-var someVar

substituteInPlace <multiple files> <subs>

Like substitute, but performs the substitutions in place on the files passed.

substituteAll <infile> <outfile>

Replaces every occurrence of @varName@, where <varName> is any environment variable, in <infile>, writing the result to <outfile>. For instance, if <infile> has the contents

#! @bash@/bin/sh
PATH=@coreutils@/bin
echo @foo@

and the environment contains bash=/nix/store/bmwp0q28cf21...-bash-3.2-p39 and coreutils=/nix/store/68afga4khv0w...-coreutils-6.12, but does not contain the variable foo, then the output will be

#! /nix/store/bmwp0q28cf21...-bash-3.2-p39/bin/sh
PATH=/nix/store/68afga4khv0w...-coreutils-6.12/bin
echo @foo@

That is, no substitution is performed for undefined variables.

Environment variables that start with an uppercase letter or an underscore are filtered out, to prevent global variables (like HOME) or private variables (like __ETC_PROFILE_DONE) from accidentally getting substituted. The variables also have to be valid bash “names”, as defined in the bash manpage (alphanumeric or _, must not start with a number).

substituteAllInPlace <file>

Like substituteAll, but performs the substitutions in place on the file <file>.

stripHash <path>

Strips the directory and hash part of a store path, outputting the name part to stdout. For example:

# prints coreutils-8.24
stripHash "/nix/store/9s9r019176g7cvn2nvcw41gsp862y6b4-coreutils-8.24"

If you wish to store the result in another variable, then the following idiom may be useful:

name="/nix/store/9s9r019176g7cvn2nvcw41gsp862y6b4-coreutils-8.24"
someVar=$(stripHash $name)

wrapProgram <executable> <makeWrapperArgs>

Convenience function for makeWrapper that replaces <executable> with a wrapper that executes the original program. It takes all the same arguments as makeWrapper, except for --inherit-argv0 (used by the makeBinaryWrapper implementation) and --argv0 (used by both makeWrapper and makeBinaryWrapper wrapper implementations).

If you will apply it multiple times, it will overwrite the wrapper file and you will end up with double wrapping, which should be avoided.

prependToVar <variableName> <elements…>

Prepend elements to a variable.

Example:

$ configureFlags="--disable-static"
$ prependToVar configureFlags --disable-dependency-tracking --enable-foo
$ echo $configureFlags
--disable-dependency-tracking --enable-foo --disable-static

appendToVar <variableName> <elements…>

Append elements to a variable.

Example:

$ configureFlags="--disable-static"
$ appendToVar configureFlags --disable-dependency-tracking --enable-foo
$ echo $configureFlags
--disable-static --disable-dependency-tracking --enable-foo

Package setup hooks

Nix itself considers a build-time dependency as merely something that should previously be built and accessible at build time—packages themselves are on their own to perform any additional setup. In most cases, that is fine, and the downstream derivation can deal with its own dependencies. But for a few common tasks, that would result in almost every package doing the same sort of setup work—depending not on the package itself, but entirely on which dependencies were used.

In order to alleviate this burden, the setup hook mechanism was written, where any package can include a shell script that [by convention rather than enforcement by Nix], any downstream reverse-dependency will source as part of its build process. That allows the downstream dependency to merely specify its dependencies, and lets those dependencies effectively initialize themselves. No boilerplate mirroring the list of dependencies is needed.

The setup hook mechanism is a bit of a sledgehammer though: a powerful feature with a broad and indiscriminate area of effect. The combination of its power and implicit use may be expedient, but isn’t without costs. Nix itself is unchanged, but the spirit of added dependencies being effect-free is violated even if the latter isn’t. For example, if a derivation path is mentioned more than once, Nix itself doesn’t care and makes sure the dependency derivation is already built just the same—depending is just needing something to exist, and needing is idempotent. However, a dependency specified twice will have its setup hook run twice, and that could easily change the build environment (though a well-written setup hook will therefore strive to be idempotent so this is in fact not observable). More broadly, setup hooks are anti-modular in that multiple dependencies, whether the same or different, should not interfere and yet their setup hooks may well do so.

The most typical use of the setup hook is actually to add other hooks which are then run (i.e. after all the setup hooks) on each dependency. For example, the C compiler wrapper’s setup hook feeds itself flags for each dependency that contains relevant libraries and headers. This is done by defining a bash function, and appending its name to one of envBuildBuildHooks, envBuildHostHooks, envBuildTargetHooks, envHostHostHooks, envHostTargetHooks, or envTargetTargetHooks. These 6 bash variables correspond to the 6 sorts of dependencies by platform (there’s 12 total but we ignore the propagated/non-propagated axis).

Packages adding a hook should not hard code a specific hook, but rather choose a variable relative to how they are included. Returning to the C compiler wrapper example, if the wrapper itself is an n dependency, then it only wants to accumulate flags from n + 1 dependencies, as only those ones match the compiler’s target platform. The hostOffset variable is defined with the current dependency’s host offset targetOffset with its target offset, before its setup hook is sourced. Additionally, since most environment hooks don’t care about the target platform, that means the setup hook can append to the right bash array by doing something like

addEnvHooks "$hostOffset" myBashFunction

The existence of setups hooks has long been documented and packages inside Nixpkgs are free to use this mechanism. Other packages, however, should not rely on these mechanisms not changing between Nixpkgs versions. Because of the existing issues with this system, there’s little benefit from mandating it be stable for any period of time.

First, let’s cover some setup hooks that are part of Nixpkgs default stdenv. This means that they are run for every package built using stdenv.mkDerivation or when using a custom builder that has source $stdenv/setup. Some of these are platform specific, so they may run on Linux but not Darwin or vice-versa.

move-docs.sh

This setup hook moves any installed documentation to the /share subdirectory directory. This includes the man, doc and info directories. This is needed for legacy programs that do not know how to use the share subdirectory.

compress-man-pages.sh

This setup hook compresses any man pages that have been installed. The compression is done using the gzip program. This helps to reduce the installed size of packages.

strip.sh

This runs the strip command on installed binaries and libraries. This removes unnecessary information like debug symbols when they are not needed. This also helps to reduce the installed size of packages.

patch-shebangs.sh

This setup hook patches installed scripts to add Nix store paths to their shebang interpreter as found in the build environment. The shebang line tells a Unix-like operating system which interpreter to use to execute the script’s contents.

Note

The generic builder populates PATH from inputs of the derivation.

Invocation

Multiple paths can be specified.

patchShebangs [--build | --host] PATH...
Flags
--build

Look up commands available at build time

--host

Look up commands available at run time

Examples
patchShebangs --host /nix/store/<hash>-hello-1.0/bin
patchShebangs --build configure

#!/bin/sh will be rewritten to #!/nix/store/<hash>-some-bash/bin/sh.

#!/usr/bin/env gets special treatment: #!/usr/bin/env python is rewritten to /nix/store/<hash>/bin/python.

Interpreter paths that point to a valid Nix store location are not changed.

Note

A script file must be marked as executable, otherwise it will not be considered.

This mechanism ensures that the interpreter for a given script is always found and is exactly the one specified by the build.

It can be disabled by setting dontPatchShebangs:

stdenv.mkDerivation {
  # ...
  dontPatchShebangs = true;
  # ...
}

The file patch-shebangs.sh defines the patchShebangs function. It is used to implement patchShebangsAuto, the setup hook that is registered to run during the fixup phase by default.

If you need to run patchShebangs at build time, it must be called explicitly within one of the build phases.

audit-tmpdir.sh

This verifies that no references are left from the install binaries to the directory used to build those binaries. This ensures that the binaries do not need things outside the Nix store. This is currently supported in Linux only.

multiple-outputs.sh

This setup hook adds configure flags that tell packages to install files into any one of the proper outputs listed in outputs. This behavior can be turned off by setting setOutputFlags to false in the derivation environment. See Multiple-output packages for more information.

move-sbin.sh

This setup hook moves any binaries installed in the sbin/ subdirectory into bin/. In addition, a link is provided from sbin/ to bin/ for compatibility.

move-lib64.sh

This setup hook moves any libraries installed in the lib64/ subdirectory into lib/. In addition, a link is provided from lib64/ to lib/ for compatibility.

move-systemd-user-units.sh

This setup hook moves any systemd user units installed in the lib/ subdirectory into share/. In addition, a link is provided from share/ to lib/ for compatibility. This is needed for systemd to find user services when installed into the user profile.

This hook only runs when compiling for Linux.

set-source-date-epoch-to-latest.sh

This sets SOURCE_DATE_EPOCH to the modification time of the most recent file.

Bintools Wrapper and hook

The Bintools Wrapper wraps the binary utilities for a bunch of miscellaneous purposes. These are GNU Binutils when targeting Linux, and a mix of cctools and GNU binutils for Darwin. [The “Bintools” name is supposed to be a compromise between “Binutils” and “cctools” not denoting any specific implementation.] Specifically, the underlying bintools package, and a C standard library (glibc or Darwin’s libSystem, just for the dynamic loader) are all fed in, and dependency finding, hardening (see below), and purity checks for each are handled by the Bintools Wrapper. Packages typically depend on CC Wrapper, which in turn (at run time) depends on the Bintools Wrapper.

The Bintools Wrapper was only just recently split off from CC Wrapper, so the division of labor is still being worked out. For example, it shouldn’t care about the C standard library, but just take a derivation with the dynamic loader (which happens to be the glibc on linux). Dependency finding however is a task both wrappers will continue to need to share, and probably the most important to understand. It is currently accomplished by collecting directories of host-platform dependencies (i.e. buildInputs and nativeBuildInputs) in environment variables. The Bintools Wrapper’s setup hook causes any lib and lib64 subdirectories to be added to NIX_LDFLAGS. Since the CC Wrapper and the Bintools Wrapper use the same strategy, most of the Bintools Wrapper code is sparsely commented and refers to the CC Wrapper. But the CC Wrapper’s code, by contrast, has quite lengthy comments. The Bintools Wrapper merely cites those, rather than repeating them, to avoid falling out of sync.

A final task of the setup hook is defining a number of standard environment variables to tell build systems which executables fulfill which purpose. They are defined to just be the base name of the tools, under the assumption that the Bintools Wrapper’s binaries will be on the path. Firstly, this helps poorly-written packages, e.g. ones that look for just gcc when CC isn’t defined yet clang is to be used. Secondly, this helps packages not get confused when cross-compiling, in which case multiple Bintools Wrappers may simultaneously be in use. [6] BUILD_- and TARGET_-prefixed versions of the normal environment variable are defined for additional Bintools Wrappers, properly disambiguating them.

A problem with this final task is that the Bintools Wrapper is honest and defines LD as ld. Most packages, however, firstly use the C compiler for linking, secondly use LD anyways, defining it as the C compiler, and thirdly, only so define LD when it is undefined as a fallback. This triple-threat means Bintools Wrapper will break those packages, as LD is already defined as the actual linker which the package won’t override yet doesn’t want to use. The workaround is to define, just for the problematic package, LD as the C compiler. A good way to do this would be preConfigure = "LD=$CC".

CC Wrapper and hook

The CC Wrapper wraps a C toolchain for a bunch of miscellaneous purposes. Specifically, a C compiler (GCC or Clang), wrapped binary tools, and a C standard library (glibc or Darwin’s libSystem, just for the dynamic loader) are all fed in, and dependency finding, hardening (see below), and purity checks for each are handled by the CC Wrapper. Packages typically depend on the CC Wrapper, which in turn (at run-time) depends on the Bintools Wrapper.

Dependency finding is undoubtedly the main task of the CC Wrapper. This works just like the Bintools Wrapper, except that any include subdirectory of any relevant dependency is added to NIX_CFLAGS_COMPILE. The setup hook itself contains elaborate comments describing the exact mechanism by which this is accomplished.

Similarly, the CC Wrapper follows the Bintools Wrapper in defining standard environment variables with the names of the tools it wraps, for the same reasons described above. Importantly, while it includes a cc symlink to the c compiler for portability, the CC will be defined using the compiler’s “real name” (i.e. gcc or clang). This helps lousy build systems that inspect on the name of the compiler rather than run it.

Here are some more packages that provide a setup hook. Since the list of hooks is extensible, this is not an exhaustive list. The mechanism is only to be used as a last resort, so it might cover most uses.

Other hooks

Many other packages provide hooks, that are not part of stdenv. You can find these in the Hooks Reference.

Compiler and Linker wrapper hooks

If the file ${cc}/nix-support/cc-wrapper-hook exists, it will be run at the end of the compiler wrapper. If the file ${binutils}/nix-support/post-link-hook exists, it will be run at the end of the linker wrapper. These hooks allow a user to inject code into the wrappers. As an example, these hooks can be used to extract extraBefore, params and extraAfter which store all the command line arguments passed to the compiler and linker respectively.

Purity in Nixpkgs

Measures taken to prevent dependencies on packages outside the store, and what you can do to prevent them.

GCC doesn’t search in locations such as /usr/include. In fact, attempts to add such directories through the -I flag are filtered out. Likewise, the linker (from GNU binutils) doesn’t search in standard locations such as /usr/lib. Programs built on Linux are linked against a GNU C Library that likewise doesn’t search in the default system locations.

Hardening in Nixpkgs

There are flags available to harden packages at compile or link-time. These can be toggled using the stdenv.mkDerivation parameters hardeningDisable and hardeningEnable.

Both parameters take a list of flags as strings. The special "all" flag can be passed to hardeningDisable to turn off all hardening. These flags can also be used as environment variables for testing or development purposes.

For more in-depth information on these hardening flags and hardening in general, refer to the Debian Wiki, Ubuntu Wiki, Gentoo Wiki, and the Arch Wiki.

Note that support for some hardening flags varies by compiler, CPU architecture, target OS and libc. Combinations of these that don’t support a particular hardening flag will silently ignore attempts to enable it. To see exactly which hardening flags are being employed in any invocation, the NIX_DEBUG environment variable can be used.

Hardening flags enabled by default

The following flags are enabled by default and might require disabling with hardeningDisable if the program to package is incompatible.

format

Adds the -Wformat -Wformat-security -Werror=format-security compiler options. At present, this warns about calls to printf and scanf functions where the format string is not a string literal and there are no format arguments, as in printf(foo);. This may be a security hole if the format string came from untrusted input and contains %n.

This needs to be turned off or fixed for errors similar to:

/tmp/nix-build-zynaddsubfx-2.5.2.drv-0/zynaddsubfx-2.5.2/src/UI/guimain.cpp:571:28: error: format not a string literal and no format arguments [-Werror=format-security]
         printf(help_message);
                            ^
cc1plus: some warnings being treated as errors

stackprotector

Adds the -fstack-protector-strong --param ssp-buffer-size=4 compiler options. This adds safety checks against stack overwrites rendering many potential code injection attacks into aborting situations. In the best case this turns code injection vulnerabilities into denial of service or into non-issues (depending on the application).

This needs to be turned off or fixed for errors similar to:

bin/blib.a(bios_console.o): In function `bios_handle_cup':
/tmp/nix-build-ipxe-20141124-5cbdc41.drv-0/ipxe-5cbdc41/src/arch/i386/firmware/pcbios/bios_console.c:86: undefined reference to `__stack_chk_fail'

fortify

Adds the -O2 -D_FORTIFY_SOURCE=2 compiler options. During code generation the compiler knows a great deal of information about buffer sizes (where possible), and attempts to replace insecure unlimited length buffer function calls with length-limited ones. This is especially useful for old, crufty code. Additionally, format strings in writable memory that contain %n are blocked. If an application depends on such a format string, it will need to be worked around.

Additionally, some warnings are enabled which might trigger build failures if compiler warnings are treated as errors in the package build. In this case, set env.NIX_CFLAGS_COMPILE to -Wno-error=warning-type.

This needs to be turned off or fixed for errors similar to:

malloc.c:404:15: error: return type is an incomplete type
malloc.c:410:19: error: storage size of 'ms' isn't known

strdup.h:22:1: error: expected identifier or '(' before '__extension__'

strsep.c:65:23: error: register name not specified for 'delim'

installwatch.c:3751:5: error: conflicting types for '__open_2'

fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments

Disabling fortify implies disablement of fortify3

fortify3

Adds the -O2 -D_FORTIFY_SOURCE=3 compiler options. This expands the cases that can be protected by fortify-checks to include some situations with dynamic-length buffers whose length can be inferred at runtime using compiler hints.

Enabling this flag implies enablement of fortify. Disabling this flag does not imply disablement of fortify.

This flag can sometimes conflict with a build-system’s own attempts at enabling fortify support and result in errors complaining about redefinition of _FORTIFY_SOURCE.

pic

Adds the -fPIC compiler options. This options adds support for position independent code in shared libraries and thus making ASLR possible.

Most notably, the Linux kernel, kernel modules and other code not running in an operating system environment like boot loaders won’t build with PIC enabled. The compiler will is most cases complain that PIC is not supported for a specific build.

This needs to be turned off or fixed for assembler errors similar to:

ccbLfRgg.s: Assembler messages:
ccbLfRgg.s:33: Error: missing or invalid displacement expression `private_key_len@GOTOFF'

strictoverflow

Signed integer overflow is undefined behaviour according to the C standard. If it happens, it is an error in the program as it should check for overflow before it can happen, not afterwards. GCC provides built-in functions to perform arithmetic with overflow checking, which are correct and faster than any custom implementation. As a workaround, the option -fno-strict-overflow makes gcc behave as if signed integer overflows were defined.

This flag should not trigger any build or runtime errors.

relro

Adds the -z relro linker option. During program load, several ELF memory sections need to be written to by the linker, but can be turned read-only before turning over control to the program. This prevents some GOT (and .dtors) overwrite attacks, but at least the part of the GOT used by the dynamic linker (.got.plt) is still vulnerable.

This flag can break dynamic shared object loading. For instance, the module systems of Xorg and OpenCV are incompatible with this flag. In almost all cases the bindnow flag must also be disabled and incompatible programs typically fail with similar errors at runtime.

bindnow

Adds the -z now linker option. During program load, all dynamic symbols are resolved, allowing for the complete GOT to be marked read-only (due to relro). This prevents GOT overwrite attacks. For very large applications, this can incur some performance loss during initial load while symbols are resolved, but this shouldn’t be an issue for daemons.

This flag can break dynamic shared object loading. For instance, the module systems of Xorg and PHP are incompatible with this flag. Programs incompatible with this flag often fail at runtime due to missing symbols, like:

intel_drv.so: undefined symbol: vgaHWFreeHWRec

zerocallusedregs

Adds the -fzero-call-used-regs=used-gpr compiler option. This causes the general-purpose registers that an architecture’s calling convention considers “call-used” to be zeroed on return from the function. This can make it harder for attackers to construct useful ROP gadgets and also reduces the chance of data leakage from a function call.

Hardening flags disabled by default

The following flags are disabled by default and should be enabled with hardeningEnable for packages that take untrusted input like network services.

pie

This flag is disabled by default for normal glibc based NixOS package builds, but enabled by default for

  • musl-based package builds, except on Aarch64 and Aarch32, where there are issues.

  • Statically-linked for OpenBSD builds, where it appears to be required to get a working binary.

Adds the -fPIE compiler and -pie linker options. Position Independent Executables are needed to take advantage of Address Space Layout Randomization, supported by modern kernel versions. While ASLR can already be enforced for data areas in the stack and heap (brk and mmap), the code areas must be compiled as position-independent. Shared libraries already do this with the pic flag, so they gain ASLR automatically, but binary .text regions need to be build with pie to gain ASLR. When this happens, ROP attacks are much harder since there are no static locations to bounce off of during a memory corruption attack.

Static libraries need to be compiled with -fPIE so that executables can link them in with the -pie linker option. If the libraries lack -fPIE, you will get the error recompile with -fPIE.

shadowstack

Adds the -fcf-protection=return compiler option. This enables the Shadow Stack feature supported by some newer processors, which maintains a user-inaccessible copy of the program’s stack containing only return-addresses. When returning from a function, the processor compares the return-address value on the two stacks and throws an error if they do not match, considering it a sign of corruption and possible tampering. This should significantly increase the difficulty of ROP attacks.

For the Shadow Stack to be enabled at runtime, all code linked into a process must be built with Shadow Stack enabled, so this is probably only useful to enable on a wide scale, so that all of a packages dependencies also have the feature enabled.

This is currently only supported on some newer Intel and AMD processors as part of the Intel CET set of features. However, the generated code should continue to work on older processors which will simply omit any of this checking.

This breaks some code that does advanced stack management or exception handling. If enabling this hardening flag it is important to test the result on a system that has known working and enabled CET support, so that any such breakage can be discovered.

trivialautovarinit

Adds the -ftrivial-auto-var-init=pattern compiler option. This causes “trivially-initializable” uninitialized stack variables to be forcibly initialized with a nonzero value that is likely to cause a crash (and therefore be noticed). Uninitialized variables generally take on their values based on fragments of previous program state, and attackers can carefully manipulate that state to craft malicious initial values for these variables.

Use of this flag is controversial as it can prevent tools that detect uninitialized variable use (such as valgrind) from operating correctly.

This should be turned off or fixed for build errors such as:

sorry, unimplemented: __builtin_clear_padding not supported for variable length aggregates

stackclashprotection

This flag adds the -fstack-clash-protection compiler option, which causes growth of a program’s stack to access each successive page in order. This should force the guard page to be accessed and cause an attempt to “jump over” this guard page to crash.

pacret

This flag adds the -mbranch-protection=pac-ret compiler option on aarch64-linux targets. This uses ARM v8.3’s Pointer Authentication feature to sign function return pointers before adding them to the stack. The pointer’s authenticity is then validated before returning to its destination. This dramatically increases the difficulty of ROP exploitation techniques.

This may cause problems with code that does advanced stack manipulation, and debugging/stack-unwinding tools need to be pac-ret aware to work correctly when these features are in operation.

Pre-ARM v8.3 processors will ignore Pointer Authentication instructions, so code built with this flag will continue to work on older processors, though without any of the intended protections. If enabling this flag, it is recommended to ensure the resultant packages are tested against an ARM v8.3+ linux system with known-working Pointer Authentication support so that any breakage caused by this feature is actually detected.



The build platform is ignored because it is a mere implementation detail of the package satisfying the dependency: As a general programming principle, dependencies are always specified as interfaces, not concrete implementation.[1]

Currently, this means for native builds all dependencies are put on the PATH. But in the future that may not be the case for sake of matching cross: the platforms would be assumed to be unique for native and cross builds alike, so only the depsBuild* and nativeBuildInputs would be added to the PATH.[2]

The findInputs function, currently residing in pkgs/stdenv/generic/setup.sh, implements the propagation logic.[3]

It clears the sys_lib_*search_path variables in the Libtool script to prevent Libtool from using libraries in /usr/lib and such.[4]

Eventually these will be passed building natively as well, to improve determinism: build-time guessing, as is done today, is a risk of impurity.[5]

Each wrapper targets a single platform, so if binaries for multiple platforms are needed, the underlying binaries must be wrapped multiple times. As this is a property of the wrapper itself, the multiple wrappings are needed whether or not the same underlying binaries can target multiple platforms.[6]

Meta-attributes

Nix packages can declare meta-attributes that contain information about a package such as a description, its homepage, its license, and so on. For instance, the GNU Hello package has a meta declaration like this:

{
  meta = {
    description = "Program that produces a familiar, friendly greeting";
    longDescription = ''
      GNU Hello is a program that prints "Hello, world!" when you run it.
      It is fully customizable.
    '';
    homepage = "https://www.gnu.org/software/hello/manual/";
    license = lib.licenses.gpl3Plus;
    maintainers = with lib.maintainers; [ eelco ];
    platforms = lib.platforms.all;
  };
}

Meta-attributes are not passed to the builder of the package. Thus, a change to a meta-attribute doesn’t trigger a recompilation of the package.

Standard meta-attributes

If the package is to be submitted to Nixpkgs, please check out the requirements for meta attributes in the contributing documentation.

It is expected that each meta-attribute is one of the following:

description

A short (one-line) description of the package. This is displayed on search.nixos.org.

The general requirements of a description are:

  • Be short, just one sentence.

  • Be capitalized.

  • Not start with definite (“The”) or indefinite (“A”/“An”) article.

  • Not start with the package name.

    • More generally, it should not refer to the package name.

  • Not end with a period (or any punctuation for that matter).

  • Provide factual information.

    • Avoid subjective language.

Wrong: "libpng is a library that allows you to decode PNG images."

Right: "Library for decoding PNG images"

longDescription

An arbitrarily long description of the package in CommonMark Markdown.

branch

Release branch. Used to specify that a package is not going to receive updates that are not in this branch; for example, Linux kernel 3.0 is supposed to be updated to 3.0.X, not 3.1.

homepage

The package’s homepage. Example: https://www.gnu.org/software/hello/manual/

downloadPage

The page where a link to the current version can be found. Example: https://ftp.gnu.org/gnu/hello/

changelog

A link or a list of links to the location of Changelog for a package. A link may use expansion to refer to the correct changelog version. Example: "https://git.savannah.gnu.org/cgit/hello.git/plain/NEWS?h=v${version}"

license

The license, or licenses, for the package. One from the attribute set defined in nixpkgs/lib/licenses.nix. At this moment using both a list of licenses and a single license is valid. If the license field is in the form of a list representation, then it means that parts of the package are licensed differently. Each license should preferably be referenced by their attribute. The non-list attribute value can also be a space delimited string representation of the contained attribute shortNames or spdxIds. The following are all valid examples:

  • Single license referenced by attribute (preferred) lib.licenses.gpl3Only.

  • Single license referenced by its attribute shortName (frowned upon) "gpl3Only".

  • Single license referenced by its attribute spdxId (frowned upon) "GPL-3.0-only".

  • Multiple licenses referenced by attribute (preferred) with lib.licenses; [ asl20 free ofl ].

  • Multiple licenses referenced as a space delimited string of attribute shortNames (frowned upon) "asl20 free ofl".

For details, see Licenses.

sourceProvenance

A list containing the type or types of source inputs from which the package is built, e.g. original source code, pre-built binaries, etc.

For details, see Source provenance.

maintainers

A list of the maintainers of this Nix expression. Maintainers are defined in nixpkgs/maintainers/maintainer-list.nix. There is no restriction to becoming a maintainer, just add yourself to that list in a separate commit titled “maintainers: add alice” in the same pull request, and reference maintainers with maintainers = with lib.maintainers; [ alice bob ].

mainProgram

The name of the main binary for the package. This affects the binary nix run executes. Example: "rg"

priority

The priority of the package, used by nix-env to resolve file name conflicts between packages. See the manual page for nix-env for details. Example: "10" (a low-priority package).

platforms

The list of Nix platform types on which the package is supported. Hydra builds packages according to the platform specified. If no platform is specified, the package does not have prebuilt binaries. An example is:

{
  meta.platforms = lib.platforms.linux;
}

Attribute Set lib.platforms defines various common lists of platforms types.

badPlatforms

The list of Nix platform types on which the package is known not to be buildable. Hydra will never create prebuilt binaries for these platform types, even if they are in meta.platforms. In general it is preferable to set meta.platforms = lib.platforms.all and then exclude any platforms on which the package is known not to build. For example, a package which requires dynamic linking and cannot be linked statically could use this:

{
  meta.platforms = lib.platforms.all;
  meta.badPlatforms = [ lib.systems.inspect.platformPatterns.isStatic ];
}

The lib.meta.availableOn function can be used to test whether or not a package is available (i.e. buildable) on a given platform. Some packages use this to automatically detect the maximum set of features with which they can be built. For example, systemd requires dynamic linking, and has a meta.badPlatforms setting similar to the one above. Packages which can be built with or without systemd support will use lib.meta.availableOn to detect whether or not systemd is available on the hostPlatform for which they are being built; if it is not available (e.g. due to a statically-linked host platform like pkgsStatic) this support will be disabled by default.

timeout

A timeout (in seconds) for building the derivation. If the derivation takes longer than this time to build, Hydra will fail it due to breaking the timeout. However, all computers do not have the same computing power, hence some builders may decide to apply a multiplicative factor to this value. When filling this value in, try to keep it approximately consistent with other values already present in nixpkgs.

meta attributes are not stored in the instantiated derivation. Therefore, this setting may be lost when the package is used as a dependency. To be effective, it must be presented directly to an evaluation process that handles the meta.timeout attribute.

hydraPlatforms

The list of Nix platform types for which the Hydra instance at hydra.nixos.org will build the package. (Hydra is the Nix-based continuous build system.) It defaults to the value of meta.platforms. Thus, the only reason to set meta.hydraPlatforms is if you want hydra.nixos.org to build the package on a subset of meta.platforms, or not at all, e.g.

{
  meta.platforms = lib.platforms.linux;
  meta.hydraPlatforms = [];
}

broken

If set to true, the package is marked as “broken”, meaning that it won’t show up in search.nixos.org, and cannot be built or installed unless the environment variable NIXPKGS_ALLOW_BROKEN is set. Such unconditionally-broken packages should be removed from Nixpkgs eventually unless they are fixed.

The value of this attribute can depend on a package’s arguments, including stdenv. This means that broken can be used to express constraints, for example:

  • Does not cross compile

    {
      meta.broken = !(stdenv.buildPlatform.canExecute stdenv.hostPlatform);
    }
    
  • Broken if all of a certain set of its dependencies are broken

    {
      meta.broken = lib.all (map (p: p.meta.broken) [ glibc musl ]);
    }
    

This makes broken strictly more powerful than meta.badPlatforms. However meta.availableOn currently examines only meta.platforms and meta.badPlatforms, so meta.broken does not influence the default values for optional dependencies.

Licenses

The meta.license attribute should preferably contain a value from lib.licenses defined in nixpkgs/lib/licenses.nix, or in-place license description of the same format if the license is unlikely to be useful in another expression.

Although it’s typically better to indicate the specific license, a few generic options are available:

lib.licenses.free, "free"

Catch-all for free software licenses not listed above.

lib.licenses.unfreeRedistributable, "unfree-redistributable"

Unfree package that can be redistributed in binary form. That is, it’s legal to redistribute the output of the derivation. This means that the package can be included in the Nixpkgs channel.

Sometimes proprietary software can only be redistributed unmodified. Make sure the builder doesn’t actually modify the original binaries; otherwise we’re breaking the license. For instance, the NVIDIA X11 drivers can be redistributed unmodified, but our builder applies patchelf to make them work. Thus, its license is "unfree" and it cannot be included in the Nixpkgs channel.

lib.licenses.unfree, "unfree"

Unfree package that cannot be redistributed. You can build it yourself, but you cannot redistribute the output of the derivation. Thus it cannot be included in the Nixpkgs channel.

lib.licenses.unfreeRedistributableFirmware, "unfree-redistributable-firmware"

This package supplies unfree, redistributable firmware. This is a separate value from unfree-redistributable because not everybody cares whether firmware is free.

Source provenance

The value of a package’s meta.sourceProvenance attribute specifies the provenance of the package’s derivation outputs.

If a package contains elements that are not built from the original source by a nixpkgs derivation, the meta.sourceProvenance attribute should be a list containing one or more value from lib.sourceTypes defined in nixpkgs/lib/source-types.nix.

Adding this information helps users who have needs related to build transparency and supply-chain security to gain some visibility into their installed software or set policy to allow or disallow installation based on source provenance.

The presence of a particular sourceType in a package’s meta.sourceProvenance list indicates that the package contains some components falling into that category, though the absence of that sourceType does not guarantee the absence of that category of sourceType in the package’s contents. A package with no meta.sourceProvenance set implies it has no known sourceTypes other than fromSource.

The meaning of the meta.sourceProvenance attribute does not depend on the value of the meta.license attribute.

lib.sourceTypes.fromSource

Package elements which are produced by a nixpkgs derivation which builds them from source code.

lib.sourceTypes.binaryNativeCode

Native code to be executed on the target system’s CPU, built by a third party. This includes packages which wrap a downloaded AppImage or Debian package.

lib.sourceTypes.binaryFirmware

Code to be executed on a peripheral device or embedded controller, built by a third party.

lib.sourceTypes.binaryBytecode

Code to run on a VM interpreter or JIT compiled into bytecode by a third party. This includes packages which download Java .jar files from another source.

Passthru-attributes

Table of Contents

Common passthru-attributes

As opposed to most other mkDerivation input attributes, passthru is not passed to the derivation’s builder executable. Changing it will not trigger a rebuild – it is “passed through”. Its value can be accessed as if it was set inside a derivation.

Note

passthru attributes follow no particular schema, but there are a few conventional patterns.

Example 261. Setting and accessing passthru attributes
{ stdenv, fetchGit }:
let
  hello = stdenv.mkDerivation {
    pname = "hello";
    src = fetchGit { /* ... */ };

    passthru = {
      foo = "bar";
      baz = {
        value1 = 4;
        value2 = 5;
      };
    };
  };
in
hello.baz.value1
4

Common passthru-attributes

Many passthru attributes are situational, so this section only lists recurring patterns. They fall in one of these categories:

  • Global conventions, which are applied almost universally in Nixpkgs.

    Generally these don’t entail any special support built into the derivation they belong to. Common examples of this type are passthru.tests and passthru.updateScript.

  • Conventions for adding extra functionality to a derivation.

    These tend to entail support from the derivation or the passthru attribute in question. Common examples of this type are passthru.optional-dependencies, passthru.withPlugins, and passthru.withPackages. All of those allow associating the package with a set of components built for that specific package, such as when building Python runtime environments using (python.withPackages)[#python.withpackages-function].

Attributes that apply only to particular build helpers or language ecosystems are documented there.

passthru.tests

An attribute set with tests as values. A test is a derivation that builds when the test passes and fails to build otherwise.

Run these tests with:

$ cd path/to/nixpkgs
$ nix-build -A your-package.tests

Note

The Nixpkgs systems for continuous integration Hydra and nixpkgs-review don’t build these derivations by default, and (@ofborg) only builds them when evaluating pull requests for that particular package, or when manually instructed.

Package tests

Besides tests provided by upstream, that you run in the checkPhase, you may want to define tests derivations in the passthru.tests attribute, which won’t change the build. passthru.tests have several advantages over running tests during any of the standard phases:

  • They access the package as consumers would, independently from the environment in which it was built

  • They can be run and debugged without rebuilding the package, which is useful if that takes a long time

  • They don’t add overhead to each build, as opposed checks added to the installCheckPhase, such as versionCheckHook.

It is also possible to use passthru.tests to test the version with testVersion, but since that is pretty trivial and recommended thing to do, we recommend using versionCheckHook for that, which has the following advantages over passthru.tests:

  • If the versionCheckPhase (the phase defined by versionCheckHook) fails, it triggers a failure which can’t be ignored if you use the package, or if you find out about it in a nixpkgs-review report.

  • Sometimes packages become silently broken - meaning they fail to launch but their build passes because they don’t perform any tests in the checkPhase. If you use this tool infrequently, such a silent breakage may rot in your system / profile configuration, and you will not notice the failure until you will want to use this package. Testing such basic functionality ensures you have to deal with the failure when you update your system / profile.

  • When you open a PR, ofborg’s CI will run passthru.tests of packages that are directly changed by your PR (according to your commits’ messages), but if you’d want to use the @ofborg build command for dependent packages, you won’t have to specify in addition the .tests attribute of the packages you want to build, and no body will be able to avoid these tests.

For more on how to write and run package tests for Nixpkgs, see the testing section in the package contributor guide.

NixOS tests

Tests written for NixOS are available as the nixosTests argument to package recipes. For instance, the OpenSMTPD derivation includes lines similar to:

{ nixosTests, ... }:
{
  # ...
  passthru.tests = {
    basic-functionality-and-dovecot-integration = nixosTests.opensmtpd;
  };
}

NixOS tests run in a virtual machine (VM), so they are slower than regular package tests. For more information see the NixOS manual on NixOS module tests.

passthru.updateScript

Nixpkgs tries to automatically update all packages that have an passthru.updateScript attribute. See the section on automatic package updates in the package contributor guide for details.

Multiple-output packages

The Nix language allows a derivation to produce multiple outputs, which is similar to what is utilized by other Linux distribution packaging systems. The outputs reside in separate Nix store paths, so they can be mostly handled independently of each other, including passing to build inputs, garbage collection or binary substitution. The exception is that building from source always produces all the outputs.

The main motivation is to save disk space by reducing runtime closure sizes; consequently also sizes of substituted binaries get reduced. Splitting can be used to have more granular runtime dependencies, for example the typical reduction is to split away development-only files, as those are typically not needed during runtime. As a result, closure sizes of many packages can get reduced to a half or even much less.

Note

The reduction effects could be instead achieved by building the parts in completely separate derivations. That would often additionally reduce build-time closures, but it tends to be much harder to write such derivations, as build systems typically assume all parts are being built at once. This compromise approach of single source package producing multiple binary packages is also utilized often by rpm and deb.

A number of attributes can be used to work with a derivation with multiple outputs. The attribute outputs is a list of strings, which are the names of the outputs. For each of these names, an identically named attribute is created, corresponding to that output.

The attribute meta.outputsToInstall is used to determine the default set of outputs to install when using the derivation name unqualified: bin, or out, or the first specified output; as well as man if that is specified.

Using a split package

In the Nix language the individual outputs can be reached explicitly as attributes, e.g. coreutils.info, but the typical case is just using packages as build inputs.

When a multiple-output derivation gets into a build input of another derivation, the dev output is added if it exists, otherwise the first output is added. In addition to that, propagatedBuildOutputs of that package which by default contain $outputBin and $outputLib are also added. (See the section called “File type groups”.)

In some cases it may be desirable to combine different outputs under a single store path. The symlinkJoin builder can be used to do this. (See the section called “symlinkJoin). Note that this may negate some closure size benefits of using a multiple-output package.

Writing a split derivation

Here you find how to write a derivation that produces multiple outputs.

In nixpkgs there is a framework supporting multiple-output derivations. It tries to cover most cases by default behavior. You can find the source separated in <nixpkgs/pkgs/build-support/setup-hooks/multiple-outputs.sh>; it’s relatively well-readable. The whole machinery is triggered by defining the outputs attribute to contain the list of desired output names (strings).

{
  outputs = [ "bin" "dev" "out" "doc" ];
}

Often such a single line is enough. For each output an equally named environment variable is passed to the builder and contains the path in nix store for that output. Typically you also want to have the main out output, as it catches any files that didn’t get elsewhere.

Note

There is a special handling of the debug output, described at the section called “separateDebugInfo.

“Binaries first”

A commonly adopted convention in nixpkgs is that executables provided by the package are contained within its first output. This convention allows the dependent packages to reference the executables provided by packages in a uniform manner. For instance, provided with the knowledge that the perl package contains a perl executable it can be referenced as ${pkgs.perl}/bin/perl within a Nix derivation that needs to execute a Perl script.

The glibc package is a deliberate single exception to the “binaries first” convention. The glibc has libs as its first output allowing the libraries provided by glibc to be referenced directly (e.g. ${glibc}/lib/ld-linux-x86-64.so.2). The executables provided by glibc can be accessed via its bin attribute (e.g. ${lib.getBin stdenv.cc.libc}/bin/ldd).

The reason for why glibc deviates from the convention is because referencing a library provided by glibc is a very common operation among Nix packages. For instance, third-party executables packaged by Nix are typically patched and relinked with the relevant version of glibc libraries from Nix packages (please see the documentation on patchelf for more details).

File type groups

The support code currently recognizes some particular kinds of outputs and either instructs the build system of the package to put files into their desired outputs or it moves the files during the fixup phase. Each group of file types has an outputFoo variable specifying the output name where they should go. If that variable isn’t defined by the derivation writer, it is guessed – a default output name is defined, falling back to other possibilities if the output isn’t defined.

$outputDev

is for development-only files. These include C(++) headers (include/), pkg-config (lib/pkgconfig/), cmake (lib/cmake/) and aclocal files (share/aclocal/). They go to dev or out by default.

$outputBin

is meant for user-facing binaries, typically residing in bin/. They go to bin or out by default.

$outputLib

is meant for libraries, typically residing in lib/ and libexec/. They go to lib or out by default.

$outputDoc

is for user documentation, typically residing in share/doc/. It goes to doc or out by default.

$outputDevdoc

is for developer documentation. Currently we count gtk-doc and devhelp books, typically residing in share/gtk-doc/ and share/devhelp/, in there. It goes to devdoc or is removed (!) by default. This is because e.g. gtk-doc tends to be rather large and completely unused by nixpkgs users.

$outputMan

is for man pages (except for section 3), typically residing in share/man/man[0-9]/. They go to man or $outputBin by default.

$outputDevman

is for section 3 man pages, typically residing in share/man/man[0-9]/. They go to devman or $outputMan by default.

$outputInfo

is for info pages, typically residing in share/info/. They go to info or $outputBin by default.

Common caveats

  • Some configure scripts don’t like some of the parameters passed by default by the framework, e.g. --docdir=/foo/bar. You can disable this by setting setOutputFlags = false;.

  • The outputs of a single derivation can retain references to each other, but note that circular references are not allowed. (And each strongly-connected component would act as a single output anyway.)

  • Most of split packages contain their core functionality in libraries. These libraries tend to refer to various kind of data that typically gets into out, e.g. locale strings, so there is often no advantage in separating the libraries into lib, as keeping them in out is easier.

  • Some packages have hidden assumptions on install paths, which complicates splitting.

Cross-compilation

Introduction

“Cross-compilation” means compiling a program on one machine for another type of machine. For example, a typical use of cross-compilation is to compile programs for embedded devices. These devices often don’t have the computing power and memory to compile their own programs. One might think that cross-compilation is a fairly niche concern. However, there are significant advantages to rigorously distinguishing between build-time and run-time environments! Significant, because the benefits apply even when one is developing and deploying on the same machine. Nixpkgs is increasingly adopting the opinion that packages should be written with cross-compilation in mind, and Nixpkgs should evaluate in a similar way (by minimizing cross-compilation-specific special cases) whether or not one is cross-compiling.

This chapter will be organized in three parts. First, it will describe the basics of how to package software in a way that supports cross-compilation. Second, it will describe how to use Nixpkgs when cross-compiling. Third, it will describe the internal infrastructure supporting cross-compilation.

Packaging in a cross-friendly manner

Platform parameters

Nixpkgs follows the conventions of GNU autoconf. We distinguish between 3 types of platforms when building a derivation: build, host, and target. In summary, build is the platform on which a package is being built, host is the platform on which it will run. The third attribute, target, is relevant only for certain specific compilers and build tools.

In Nixpkgs, these three platforms are defined as attribute sets under the names buildPlatform, hostPlatform, and targetPlatform. They are always defined as attributes in the standard environment. That means one can access them like:

{ stdenv, fooDep, barDep, ... }: {
  # ...stdenv.buildPlatform...
}
buildPlatform

The “build platform” is the platform on which a package is built. Once someone has a built package, or pre-built binary package, the build platform should not matter and can be ignored.

hostPlatform

The “host platform” is the platform on which a package will be run. This is the simplest platform to understand, but also the one with the worst name.

targetPlatform

The “target platform” attribute is, unlike the other two attributes, not actually fundamental to the process of building software. Instead, it is only relevant for compatibility with building certain specific compilers and build tools. It can be safely ignored for all other packages.

The build process of certain compilers is written in such a way that the compiler resulting from a single build can itself only produce binaries for a single platform. The task of specifying this single “target platform” is thus pushed to build time of the compiler. The root cause of this is that the compiler (which will be run on the host) and the standard library/runtime (which will be run on the target) are built by a single build process.

There is no fundamental need to think about a single target ahead of time like this. If the tool supports modular or pluggable backends, both the need to specify the target at build time and the constraint of having only a single target disappear. An example of such a tool is LLVM.

Although the existence of a “target platform” is arguably a historical mistake, it is a common one: examples of tools that suffer from it are GCC, Binutils, GHC and Autoconf. Nixpkgs tries to avoid sharing in the mistake where possible. Still, because the concept of a target platform is so ingrained, it is best to support it as is.

The exact schema these fields follow is a bit ill-defined due to a long and convoluted evolution, but this is slowly being cleaned up. You can see examples of ones used in practice in lib.systems.examples; note how they are not all very consistent. For now, here are few fields can count on them containing:

system

This is a two-component shorthand for the platform. Examples of this would be “x86_64-darwin” and “i686-linux”; see lib.systems.doubles for more. The first component corresponds to the CPU architecture of the platform and the second to the operating system of the platform ([cpu]-[os]). This format has built-in support in Nix, such as the builtins.currentSystem impure string.

config

This is a 3- or 4- component shorthand for the platform. Examples of this would be x86_64-unknown-linux-gnu and aarch64-apple-darwin14. This is a standard format called the “LLVM target triple”, as they are pioneered by LLVM. In the 4-part form, this corresponds to [cpu]-[vendor]-[os]-[abi]. This format is strictly more informative than the “Nix host double”, as the previous format could analogously be termed. This needs a better name than config!

parsed

This is a Nix representation of a parsed LLVM target triple with white-listed components. This can be specified directly, or actually parsed from the config. See lib.systems.parse for the exact representation.

libc

This is a string identifying the standard C library used. Valid identifiers include “glibc” for GNU libc, “libSystem” for Darwin’s Libsystem, and “uclibc” for µClibc. It should probably be refactored to use the module system, like parse.

is*

These predicates are defined in lib.systems.inspect, and slapped onto every platform. They are superior to the ones in stdenv as they force the user to be explicit about which platform they are inspecting. Please use these instead of those.

platform

This is, quite frankly, a dumping ground of ad-hoc settings (it’s an attribute set). See lib.systems.platforms for examples—there’s hopefully one in there that will work verbatim for each platform that is working. Please help us triage these flags and give them better homes!

Theory of dependency categorization

Note

This is a rather philosophical description that isn’t very Nixpkgs-specific. For an overview of all the relevant attributes given to mkDerivation, see the section called “Specifying dependencies”. For a description of how everything is implemented, see the section called “Implementation of dependencies”.

In this section we explore the relationship between both runtime and build-time dependencies and the 3 Autoconf platforms.

A run time dependency between two packages requires that their host platforms match. This is directly implied by the meaning of “host platform” and “runtime dependency”: The package dependency exists while both packages are running on a single host platform.

A build time dependency, however, has a shift in platforms between the depending package and the depended-on package. “build time dependency” means that to build the depending package we need to be able to run the depended-on’s package. The depending package’s build platform is therefore equal to the depended-on package’s host platform.

If both the dependency and depending packages aren’t compilers or other machine-code-producing tools, we’re done. And indeed buildInputs and nativeBuildInputs have covered these simpler cases for many years. But if the dependency does produce machine code, we might need to worry about its target platform too. In principle, that target platform might be any of the depending package’s build, host, or target platforms, but we prohibit dependencies from a “later” platform to an earlier platform to limit confusion because we’ve never seen a legitimate use for them.

Finally, if the depending package is a compiler or other machine-code-producing tool, it might need dependencies that run at “emit time”. This is for compilers that (regrettably) insist on being built together with their source languages’ standard libraries. Assuming build != host != target, a run-time dependency of the standard library cannot be run at the compiler’s build time or run time, but only at the run time of code emitted by the compiler.

Putting this all together, that means that we have dependency types of the form “X→ E”, which means that the dependency executes on X and emits code for E; each of X and E can be build, host, or target, and E can be * to indicate that the dependency is not a compiler-like package.

Dependency types describe the relationships that a package has with each of its transitive dependencies. You could think of attaching one or more dependency types to each of the formal parameters at the top of a package’s .nix file, as well as to all of their formal parameters, and so on. Triples like (foo, bar, baz), on the other hand, are a property of an instantiated derivation – you could would attach a triple (mips-linux, mips-linux, sparc-solaris) to a .drv file in /nix/store.

Only nine dependency types matter in practice:

Possible dependency types

Dependency typeDependency’s host platformDependency’s target platform
build → *build(none)
build → buildbuildbuild
build → hostbuildhost
build → targetbuildtarget
host → *host(none)
host → hosthosthost
host → targethosttarget
target → *target(none)
target → targettargettarget

Let’s use g++ as an example to make this table clearer. g++ is a C++ compiler written in C. Suppose we are building g++ with a (build, host, target) platform triple of (foo, bar, baz). This means we are using a foo-machine to build a copy of g++ which will run on a bar-machine and emit binaries for the baz-machine.

  • g++ links against the host platform’s glibc C library, which is a “host→ *” dependency with a triple of (bar, bar, *). Since it is a library, not a compiler, it has no “target”.

  • Since g++ is written in C, the gcc compiler used to compile it is a “build→ host” dependency of g++ with a triple of (foo, foo, bar). This compiler runs on the build platform and emits code for the host platform.

  • gcc links against the build platform’s glibc C library, which is a “build→ *” dependency with a triple of (foo, foo, *). Since it is a library, not a compiler, it has no “target”.

  • This gcc is itself compiled by an earlier copy of gcc. This earlier copy of gcc is a “build→ build” dependency of g++ with a triple of (foo, foo, foo). This “early gcc” runs on the build platform and emits code for the build platform.

  • g++ is bundled with libgcc, which includes a collection of target-machine routines for exception handling and software floating point emulation. libgcc would be a “target→ *” dependency with triple (foo, baz, *), because it consists of machine code which gets linked against the output of the compiler that we are building. It is a library, not a compiler, so it has no target of its own.

  • libgcc is written in C and compiled with gcc. The gcc that compiles it will be a “build→ target” dependency with triple (foo, foo, baz). It gets compiled and run at g++-build-time (on platform foo), but must emit code for the baz-platform.

  • g++ allows inline assembler code, so it depends on access to a copy of the gas assembler. This would be a “host→ target” dependency with triple (foo, bar, baz).

  • g++ (and gcc) include a library libgccjit.so, which wrap the compiler in a library to create a just-in-time compiler. In nixpkgs, this library is in the libgccjit package; if C++ required that programs have access to a JIT, g++ would need to add a “target→ target” dependency for libgccjit with triple (foo, baz, baz). This would ensure that the compiler ships with a copy of libgccjit which both executes on and generates code for the baz-platform.

  • If g++ itself linked against libgccjit.so (for example, to allow compile-time-evaluated C++ expressions), then the libgccjit package used to provide this functionality would be a “host→ host” dependency of g++: it is code which runs on the host and emits code for execution on the host.

Cross packaging cookbook

Some frequently encountered problems when packaging for cross-compilation should be answered here. Ideally, the information above is exhaustive, so this section cannot provide any new information, but it is ludicrous and cruel to expect everyone to spend effort working through the interaction of many features just to figure out the same answer to the same common problem. Feel free to add to this list!

My package fails to find a binutils command (cc/ar/ld etc.)

Many packages assume that an unprefixed binutils (cc/ar/ld etc.) is available, but Nix doesn’t provide one. It only provides a prefixed one, just as it only does for all the other binutils programs. It may be necessary to patch the package to fix the build system to use a prefix. For instance, instead of cc, use ${stdenv.cc.targetPrefix}cc.

{
  makeFlags = [ "CC=${stdenv.cc.targetPrefix}cc" ];
}

How do I avoid compiling a GCC cross-compiler from source?

On less powerful machines, it can be inconvenient to cross-compile a package only to find out that GCC has to be compiled from source, which could take up to several hours. Nixpkgs maintains a limited cross-related jobset on Hydra, which tests cross-compilation to various platforms from build platforms “x86_64-darwin”, “x86_64-linux”, and “aarch64-linux”. See pkgs/top-level/release-cross.nix for the full list of target platforms and packages. For instance, the following invocation fetches the pre-built cross-compiled GCC for armv6l-unknown-linux-gnueabihf and builds GNU Hello from source.

$ nix-build '<nixpkgs>' -A pkgsCross.raspberryPi.hello

What if my package’s build system needs to build a C program to be run under the build environment?

Add the following to your mkDerivation invocation.

{
  depsBuildBuild = [ buildPackages.stdenv.cc ];
}

My package’s testsuite needs to run host platform code.

Add the following to your mkDerivation invocation.

{
  doCheck = stdenv.buildPlatform.canExecute stdenv.hostPlatform;
}

Package using Meson needs to run binaries for the host platform during build.

Add mesonEmulatorHook to nativeBuildInputs conditionally on if the target binaries can be executed.

e.g.

{
  nativeBuildInputs = [
    meson
  ] ++ lib.optionals (!stdenv.buildPlatform.canExecute stdenv.hostPlatform) [
    mesonEmulatorHook
  ];
}

Example of an error which this fixes.

[Errno 8] Exec format error: './gdk3-scan'

Using -static outside a isStatic platform.

Add stdenv.cc.libc.static (static output of glibc) to buildInputs conditionally on if hostPlatform uses glibc.

e.g.

{
  buildInputs = lib.optionals (stdenv.hostPlatform.libc == "glibc") [ stdenv.cc.libc.static ];
}

Examples of errors which this fixes.

cannot find -lm: No such file or directory

cannot find -lc: No such file or directory

Note

At the time of writing it is assumed the issue only happens on glibc because it splits the static libraries in to a different output.

Note

You may want to look in to using stdenvAdapters.makeStatic or pkgsStatic or a isStatic = true platform.

Cross-building packages

Nixpkgs can be instantiated with localSystem alone, in which case there is no cross-compiling and everything is built by and for that system, or also with crossSystem, in which case packages run on the latter, but all building happens on the former. Both parameters take the same schema as the 3 (build, host, and target) platforms defined in the previous section. As mentioned above, lib.systems.examples has some platforms which are used as arguments for these parameters in practice. You can use them programmatically, or on the command line:

$ nix-build '<nixpkgs>' --arg crossSystem '(import <nixpkgs/lib>).systems.examples.fooBarBaz' -A whatever

Note

Eventually we would like to make these platform examples an unnecessary convenience so that

$ nix-build '<nixpkgs>' --arg crossSystem '{ config = "<arch>-<os>-<vendor>-<abi>"; }' -A whatever

works in the vast majority of cases. The problem today is dependencies on other sorts of configuration which aren’t given proper defaults. We rely on the examples to crudely to set those configuration parameters in some vaguely sane manner on the users behalf. Issue #34274 tracks this inconvenience along with its root cause in crufty configuration options.

While one is free to pass both parameters in full, there’s a lot of logic to fill in missing fields. As discussed in the previous section, only one of system, config, and parsed is needed to infer the other two. Additionally, libc will be inferred from parse. Finally, localSystem.system is also impurely inferred based on the platform evaluation occurs. This means it is often not necessary to pass localSystem at all, as in the command-line example in the previous paragraph.

Note

Many sources (manual, wiki, etc) probably mention passing system, platform, along with the optional crossSystem to Nixpkgs: import <nixpkgs> { system = ..; platform = ..; crossSystem = ..; }. Passing those two instead of localSystem is still supported for compatibility, but is discouraged. Indeed, much of the inference we do for these parameters is motivated by compatibility as much as convenience.

One would think that localSystem and crossSystem overlap horribly with the three *Platforms (buildPlatform, hostPlatform, and targetPlatform; see stage.nix or the manual). Actually, those identifiers are purposefully not used here to draw a subtle but important distinction: While the granularity of having 3 platforms is necessary to properly build packages, it is overkill for specifying the user’s intent when making a build plan or package set. A simple “build vs deploy” dichotomy is adequate: the sliding window principle described in the previous section shows how to interpolate between the these two “end points” to get the 3 platform triple for each bootstrapping stage. That means for any package a given package set, even those not bound on the top level but only reachable via dependencies or buildPackages, the three platforms will be defined as one of localSystem or crossSystem, with the former replacing the latter as one traverses build-time dependencies. A last simple difference is that crossSystem should be null when one doesn’t want to cross-compile, while the *Platforms are always non-null. localSystem is always non-null.

Cross-compilation infrastructure

Implementation of dependencies

The categories of dependencies developed in the section called “Theory of dependency categorization” are specified as lists of derivations given to mkDerivation, as documented in the section called “Specifying dependencies”. In short, each list of dependencies for “host → target” is called deps<host><target> (where host, and target values are either build, host, or target), with exceptions for backwards compatibility that depsBuildHost is instead called nativeBuildInputs and depsHostTarget is instead called buildInputs. Nixpkgs is now structured so that each deps<host><target> is automatically taken from pkgs<host><target>. (These pkgs<host><target>s are quite new, so there is no special case for nativeBuildInputs and buildInputs.) For example, pkgsBuildHost.gcc should be used at build-time, while pkgsHostTarget.gcc should be used at run-time.

Now, for most of Nixpkgs’s history, there were no pkgs<host><target> attributes, and most packages have not been refactored to use it explicitly. Prior to those, there were just buildPackages, pkgs, and targetPackages. Those are now redefined as aliases to pkgsBuildHost, pkgsHostTarget, and pkgsTargetTarget. It is acceptable, even recommended, to use them for libraries to show that the host platform is irrelevant.

But before that, there was just pkgs, even though both buildInputs and nativeBuildInputs existed. [Cross barely worked, and those were implemented with some hacks on mkDerivation to override dependencies.] What this means is the vast majority of packages do not use any explicit package set to populate their dependencies, just using whatever callPackage gives them even if they do correctly sort their dependencies into the multiple lists described above. And indeed, asking that users both sort their dependencies, and take them from the right attribute set, is both too onerous and redundant, so the recommended approach (for now) is to continue just categorizing by list and not using an explicit package set.

To make this work, we “splice” together the six pkgsFooBar package sets and have callPackage actually take its arguments from that. This is currently implemented in pkgs/top-level/splice.nix. mkDerivation then, for each dependency attribute, pulls the right derivation out from the splice. This splicing can be skipped when not cross-compiling as the package sets are the same, but still is a bit slow for cross-compiling. We’d like to do something better, but haven’t come up with anything yet.

Bootstrapping

Each of the package sets described above come from a single bootstrapping stage. While pkgs/top-level/default.nix, coordinates the composition of stages at a high level, pkgs/top-level/stage.nix “ties the knot” (creates the fixed point) of each stage. The package sets are defined per-stage however, so they can be thought of as edges between stages (the nodes) in a graph. Compositions like pkgsBuildTarget.targetPackages can be thought of as paths to this graph.

While there are many package sets, and thus many edges, the stages can also be arranged in a linear chain. In other words, many of the edges are redundant as far as connectivity is concerned. This hinges on the type of bootstrapping we do. Currently for cross it is:

  1. (native, native, native)

  2. (native, native, foreign)

  3. (native, foreign, foreign)

In each stage, pkgsBuildHost refers to the previous stage, pkgsBuildBuild refers to the one before that, and pkgsHostTarget refers to the current one, and pkgsTargetTarget refers to the next one. When there is no previous or next stage, they instead refer to the current stage. Note how all the invariants regarding the mapping between dependency and depending packages’ build host and target platforms are preserved. pkgsBuildTarget and pkgsHostHost are more complex in that the stage fitting the requirements isn’t always a fixed chain of “prevs” and “nexts” away (modulo the “saturating” self-references at the ends). We just special case each instead. All the primary edges are implemented is in pkgs/stdenv/booter.nix, and secondarily aliases in pkgs/top-level/stage.nix.

Note

The native stages are bootstrapped in legacy ways that predate the current cross implementation. This is why the bootstrapping stages leading up to the final stages are ignored in the previous paragraph.

If one looks at the 3 platform triples, one can see that they overlap such that one could put them together into a chain like:

(native, native, native, foreign, foreign)

If one imagines the saturating self references at the end being replaced with infinite stages, and then overlays those platform triples, one ends up with the infinite tuple:

(native..., native, native, native, foreign, foreign, foreign...)

One can then imagine any sequence of platforms such that there are bootstrap stages with their 3 platforms determined by “sliding a window” that is the 3 tuple through the sequence. This was the original model for bootstrapping. Without a target platform (assume a better world where all compilers are multi-target and all standard libraries are built in their own derivation), this is sufficient. Conversely if one wishes to cross compile “faster”, with a “Canadian Cross” bootstrapping stage where build != host != target, more bootstrapping stages are needed since no sliding window provides the pesky pkgsBuildTarget package set since it skips the Canadian cross stage’s “host”.

Note

It is much better to refer to buildPackages than targetPackages, or more broadly package sets that do not mention “target”. There are three reasons for this.

First, it is because bootstrapping stages do not have a unique targetPackages. For example a (x86-linux, x86-linux, arm-linux) and (x86-linux, x86-linux, x86-windows) package set both have a (x86-linux, x86-linux, x86-linux) package set. Because there is no canonical targetPackages for such a native (build == host == target) package set, we set their targetPackages

Second, it is because this is a frequent source of hard-to-follow “infinite recursions” / cycles. When only package sets that don’t mention target are used, the package set forms a directed acyclic graph. This means that all cycles that exist are confined to one stage. This means they are a lot smaller, and easier to follow in the code or a backtrace. It also means they are present in native and cross builds alike, and so more likely to be caught by CI and other users.

Thirdly, it is because everything target-mentioning only exists to accommodate compilers with lousy build systems that insist on the compiler itself and standard library being built together. Of course that is bad because bigger derivations means longer rebuilds. It is also problematic because it tends to make the standard libraries less like other libraries than they could be, complicating code and build systems alike. Because of the other problems, and because of these innate disadvantages, compilers ought to be packaged another way where possible.

Note

If one explores Nixpkgs, they will see derivations with names like gccCross. Such *Cross derivations is a holdover from before we properly distinguished between the host and target platforms—the derivation with “Cross” in the name covered the build = host != target case, while the other covered the host = target, with build platform the same or not based on whether one was using its .__spliced.buildHost or .__spliced.hostTarget.

Platform Notes

Table of Contents

Darwin (macOS)

Darwin (macOS)

The Darwin stdenv differs from most other ones in Nixpkgs in a few key ways. These differences reflect the default assumptions for building software on that platform. In many cases, you can ignore these differences because the software you are packaging is already written with them in mind. When you do that, write your derivation as normal. You don’t have to include any Darwin-specific special cases. The easiest way to know whether your derivation requires special handling for Darwin is to write it as if it doesn’t and see if it works. If it does, you’re done; skip the rest of this.

  • Darwin uses Clang by default instead of GCC. Packages that refer to $CC or cc should just work in most cases. Some packages may hardcode gcc or g++. You can usually fix that by setting makeFlags = [ "CC=cc" "CXX=C++" ]. If that does not work, you will have to patch the build scripts yourself to use the correct compiler for Darwin.

  • Darwin needs an SDK to build software. The SDK provides a default set of frameworks and libraries to build software, most of which are specific to Darwin. There are multiple versions of the SDK packages in Nixpkgs, but one is included by default in the stdenv. Usually, you don’t have to change or pick a different SDK. When in doubt, use the default.

  • The SDK used by your build can be found using the DEVELOPER_DIR environment variable. There are also versions of this variable available when cross-compiling depending on the SDK’s role. The SDKROOT variable is also set with the path to the SDK’s libraries and frameworks. SDKROOT is always a sub-folder of DEVELOPER_DIR.

  • Darwin includes a platform-specific tool called xcrun to help builds locate binaries they need. A version of xcrun is part of the stdenv on Darwin. If your package invokes xcrun via an absolute path (such as /usr/bin/xcrun), you will need to patch the build scripts to use xcrun instead.

To reiterate: you usually don’t have to worry about this stuff. Start with writing your derivation as if everything is already set up for you (because in most cases it already is). If you run into issues or failures, continue reading below for how to deal with the most common issues you may encounter.

Darwin Issue Troubleshooting

Package requires a non-default SDK or fails to build due to missing frameworks or symbols

In some cases, you may have to use a non-default SDK. This can happen when a package requires APIs that are not present in the default SDK. For example, Metal Performance Shaders were added in macOS 12. If the default SDK is 11.3, then a package that requires Metal Performance Shaders will fail to build due to missing frameworks and symbols.

To use a non-default SDK, add it to your derivation’s buildInputs. It is not necessary to override the SDK in the stdenv nor is it necessary to override the SDK used by your dependencies. If your derivation needs a non-default SDK at build time (e.g., for a depsBuildBuild compiler), see the cross-compilation documentation for which input you should use.

When determining whether to use a non-default SDK, consider the following:

  • Try building your derivation with the default SDK. If it works, you’re done.

  • If the package specifies a specific version, use that. See below for how to map Xcode version to SDK version.

  • If the package’s documentation indicates it supports optional features on newer SDKs, consider using the SDK that enables those features. If you’re not sure, use the default SDK.

Note: It is possible to have multiple, different SDK versions in your inputs. When that happens, the one with the highest version is always used.

stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  # ...
  buildInputs = [ apple-sdk_14 ];
}

What is a “deployment target” (or minimum version)?

The “deployment target” refers to the minimum version of macOS that is expected to run an application. In most cases, the default is fine, and you don’t have to do anything else. If you’re not sure, don’t do anything, and that will probably be fine.

Some packages require setting a non-default deployment target (or minimum version) to gain access to certain APIs. You do that using the darwinMinVersionHook, which takes the deployment target version as a parameter. There are primarily two ways to determine the deployment target.

  • The upstream documentation will specify a deployment target or minimum version. Use that.

  • The build will fail because an API requires a certain version. Use that.

  • In all other cases, you probably don’t need to specify a minimum version. The default is usually good enough.

stdenv.mkDerivation {
  name = "libfoo-1.2.3"; # Upstream specifies the minimum supported version as 12.5.
  buildInputs = [ (darwinMinVersionHook "12.5") ];
}

Note: It is possible to have multiple, different instances of darwinMinVerisonHook in your inputs. When that happens, the one with the highest version is always used.

Picking an SDK version

The following is a list of Xcode versions, the SDK version in Nixpkgs, and the attribute to use to add it. Check your package’s documentation (platform support or installation instructions) to find which Xcode or SDK version to use. Generally, only the last SDK release for a major version is packaged (each x in 10.x until 10.15 is considered a major version).

Xcode versionSDK versionNixpkgs attribute
Varies by platform10.12.2 (x86_64-darwin)<br/>11.3 (aarch64-darwin)apple-sdk
8.0–8.3.310.12.2apple-sdk_10_12
9.0–9.4.110.13.2apple-sdk_10_13
10.0–10.310.14.6apple-sdk_10_14
11.0–11.710.15.6apple-sdk_10_15
12.0–12.5.111.3apple-sdk_11
13.0–13.4.112.3apple-sdk_12
14.0–14.3.113.3apple-sdk_13
15.0–15.414.4apple-sdk_14
16.015.0apple-sdk_15

Darwin Default SDK versions

The current default versions of the deployment target (minimum version) and SDK are indicated by Darwin-specific attributes on the platform. Because of the ways that minimum version and SDK can be changed that are not visible to Nix, they should be treated as lower bounds. If you need to parameterize over a specific version, create a function that takes the version as a parameter instead of relying on these attributes.

  • darwinMinVersion defaults to 10.12 on x86_64-darwin and 11.0 on aarch64-darwin. It sets the default deployment target.

  • darwinSdkVersion defaults to 10.12 on x86-64-darwin and 11.0 on aarch64-darwin. Only the major version determines the SDK version, resulting in the 10.12.2 and 11.3 SDKs being used on these platforms respectively.

xcrun cannot find a binary

xcrun searches PATH and the SDK’s toolchain for binaries to run. If it cannot find a required binary, it will fail. When that happens, add the package for that binary to your derivation’s nativeBuildInputs (or nativeCheckInputs if the failure is happening when running tests).

stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  # ...
  nativeBuildInputs = [ bison ];
  buildCommand = ''
    xcrun bison foo.y # produces foo.tab.c
    # ...
  '';
}

Package requires xcodebuild

The xcbuild package provides an xcodebuild command for packages that really depend on Xcode. This replacement is not 100% compatible and may run into some issues, but it is able to build many packages. To use xcodebuild, add xcbuildHook to your package’s nativeBuildInputs. It will provide a buildPhase for your derivation. You can use xcbuildFlags to specify flags to xcodebuild such as the required schema. If a schema has spaces in its name, you must set __structuredAttrs to true. See MoltenVK for an example of setting up xcbuild.

stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  xcbuildFlags = [
    "-configuration"
    "Release"
    "-project"
    "libfoo-project.xcodeproj"
    "-scheme"
    "libfoo Package (macOS only)"
  ];
  __structuredAttrs = true;
}
Fixing absolute paths to xcodebuild, xcrun, and PlistBuddy

Many build systems hardcode the absolute paths to xcodebuild, xcrun, and PlistBuddy as /usr/bin/xcodebuild, /usr/bin/xcrun, and /usr/libexec/PlistBuddy respectively. These paths will need to be replaced with relative paths and the xcbuild package if xcodebuild or PListBuddy are used.

stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  postPatch = ''
    substituteInPlace Makefile \
      --replace-fail '/usr/bin/xcodebuild' 'xcodebuild' \
      --replace-fail '/usr/bin/xcrun' 'xcrun' \
      --replace-fail '/usr/bin/PListBuddy' 'PListBuddy'
  '';
}

How to use libiconv on Darwin

The libiconv package is included in the SDK by default along with libresolv and libsbuf. You do not need to do anything to use these packages. They are available automatically. If your derivation needs the iconv binary, add the libiconv package to your nativeBuildInputs (or nativeCheckInputs for tests).

Library install name issues

Libraries on Darwin are usually linked with absolute paths. This is determined by something called an “install name”, which is resolved at link time. Sometimes packages will not set this correctly, causing binaries linking to it not to find their libraries at runtime. This can be fixed by adding extra linker flags or by using install_name_tool to set it in fixupPhase.

Setting the install name via linker flags
stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  # ...
  makeFlags = lib.optional stdenv.hostPlatform.isDarwin "LDFLAGS=-Wl,-install_name,$(out)/lib/libfoo.dylib";
}
Setting the install name using install_name_tool
stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  # ...
  postFixup = ''
    # `-id <install_name>` takes the install name. The last parameter is the path to the library.
    ${stdenv.cc.targetPrefix}install_name_tool -id "$out/lib/libfoo.dylib" "$out/lib/libfoo.dylib"
  '';
}

Even if libraries are linked using absolute paths and resolved via their install name correctly, tests in checkPhase can sometimes fail to run binaries because they are linked against libraries that have not yet been installed. This can usually be solved by running the tests after the installPhase or by using DYLD_LIBRARY_PATH (see dyld(1) for more on setting DYLD_LIBRARY_PATH).

Setting the install name using fixDarwinDylibNames hook

If your package has numerous dylibs needing fixed, while it is preferable to fix the issue in the package’s build, you can update them all by adding the fixDarwinDylibNames hook to your nativeBuildInputs. This hook will scan your package’s outputs for dylibs and correct their install names. Note that if any binaries in your outputs linked those dylibs, you may need to use install_name_tool to replace references to them with the correct paths.

Propagating an SDK (advanced, compilers-only)

The SDK is a package, and it can be propagated. darwinMinVersionHook with a version specified can also be propagated. However, most packages should not do this. The exception is compilers. When you propagate an SDK, it becomes part of your derivation’s public API, and changing the SDK or removing it can be a breaking change. That is why propagating it is only recommended for compilers.

When authoring a compiler derivation, propagate the SDK only for the ways you expect users to use your compiler. Depending on your expected use cases, you may have to do one or all of these.

  • Put it in depsTargetTargetPropagated when your compiler is expected to be added to nativeBuildInputs. That will ensure the SDK is effectively part of the target derivation’s buildInputs.

  • If your compiler uses a hook, put it in the hook’s depsTargetTargetPropagated instead. The effect should be the same as the above.

  • If your package uses the builder pattern, update your builder to add the SDK to the derivation’s buildInputs.

If you’re not sure whether to propagate an SDK, don’t. If your package is a compiler or language, and you’re not sure, ask @NixOS/darwin-maintainers for help deciding.

Dealing with darwin.apple_sdk.frameworks

You may see references to darwin.apple_sdk.frameworks. This is the legacy SDK pattern, and it is being phased out. All packages in darwin.apple_sdk, darwin.apple_sdk_11_0, and darwin.apple_sdk_12_3 are stubs that do nothing. If your derivation references them, you can delete them. The default SDK should be enough to build your package.

Note: the new SDK pattern uses the name apple-sdk to better align with Nixpkgs naming conventions. The legacy SDK pattern uses apple_sdk. You always know you are using the old SDK pattern if the name is apple_sdk.

Some derivations may depend on the location of frameworks in those old packages. To update your derivation to find them in the new SDK, use $SDKROOT instead in preConfigure. For example, if you substitute ${darwin.apple_sdk.frameworks.OpenGL}/Library/Frameworks/OpenGL.framework in postPatch, replace it with $SDKROOT/System/Library/Frameworks/OpenGL.framework in preConfigure.

Note that if your derivation is changing a system path (such as /System/Library/Frameworks/OpenGL.framework), you may be able to remove the path. Compilers and binutils targeting Darwin look for system paths in the SDK sysroot. Some of them (such as Zig or bindgen for Rust) depend on it.

Updating legacy SDK overrides

The legacy SDK provided two ways of overriding the default SDK. These are both being phased out along with the legacy SDKs. They have been updated to set up the new SDK for you, but you should replace them with doing that directly.

  • pkgs.darwin.apple_sdk_11_0.callPackage - this pattern was used to provide frameworks from the 11.0 SDK. It now adds the apple-sdk_11 package to your derivation’s build inputs.

  • overrideSDK - this stdenv adapter would try to replace the frameworks used by your derivation and its transitive dependencies. It now adds the apple-sdk_11 package for 11.0 or the apple-sdk_12 package for 12.3. If darwinMinVersion is specified, it will add darwinMinVersionHook with the specified minimum version. No other SDK versions are supported.

Darwin Cross-Compilation

Darwin supports cross-compilation between Darwin platforms. Cross-compilation from Linux is not currently supported but may be supported in the future. To cross-compile to Darwin, you can set crossSystem or use one of the Darwin systems in pkgsCross. The darwinMinVersionHook and the SDKs support cross-compilation. If you need to specify a different SDK version for a depsBuildBuild compiler, add it to your nativeBuildInputs.

stdenv.mkDerivation {
  name = "libfoo-1.2.3";
  # ...
  depsBuildBuild = [ buildPackages.stdenv.cc ];
  nativeBuildInputs = [ apple-sdk_12 ];
  buildInputs = [ apple-sdk_13 ];
  depsTargetTargetPropagated = [ apple-sdk_14 ];
}
# The build-build `clang` will use the 12.3 SDK while the package build itself will use the 13.3 SDK.
# Derivations that add this package as an input will have the 14.4 SDK propagated to them.

The different target SDK and hooks are mangled based on role:

  • DEVELOPER_DIR_FOR_BUILD and MACOSX_DEPLOYMENT_TARGET_FOR_BUILD for the build platform;

  • DEVELOPER_DIR and MACOSX_DEPLOYMENT_TARGET for the host platform; and

  • DEVELOPER_DIR_FOR_TARGET and MACOSX_DEPLOYMENT_TARGET_FOR_TARGET for the build platform.

In static compilation situations, it is possible for the build and host platform to be the same platform but have different SDKs with the same version (one dynamic and one static). cc-wrapper and bintools-wrapper take care of handling this distinction.

Build helpers

A build helper is a function that produces derivations.

Warning

This is not to be confused with the builder argument of the Nix derivation primitive, which refers to the executable that produces the build result, or remote builder, which refers to a remote machine that could run such an executable.

Such a function is usually designed to abstract over a typical workflow for a given programming language or framework. This allows declaring a build recipe by setting a limited number of options relevant to the particular use case instead of using the derivation function directly.

stdenv.mkDerivation is the most widely used build helper, and serves as a basis for many others. In addition, it offers various options to customize parts of the builds.

There is no uniform interface for build helpers. Trivial build helpers and fetchers have various input types for convenience. Language- or framework-specific build helpers usually follow the style of stdenv.mkDerivation, which accepts an attribute set or a fixed-point function taking an attribute set.

Fetchers

Building software with Nix often requires downloading source code and other files from the internet. To this end, we use functions that we call fetchers, which obtain remote sources via various protocols and services.

Nix provides built-in fetchers such as builtins.fetchTarball. Nixpkgs provides its own fetchers, which work differently:

  • A built-in fetcher will download and cache files at evaluation time and produce a store path. A Nixpkgs fetcher will create a (fixed-output) derivation, and files are downloaded at build time.

  • Built-in fetchers will invalidate their cache after tarball-ttl expires, and will require network activity to check if the cache entry is up to date. Nixpkgs fetchers only re-download if the specified hash changes or the store object is not available.

  • Built-in fetchers do not use substituters. Derivations produced by Nixpkgs fetchers will use any configured binary cache transparently.

This significantly reduces the time needed to evaluate Nixpkgs, and allows Hydra to retain and re-distribute sources used by Nixpkgs in the public binary cache. For these reasons, Nix’s built-in fetchers are not allowed in Nixpkgs.

The following table summarises the differences:

FetchersDownloadOutputCacheRe-download when
builtins.fetch*evaluation timestore path/nix/store, ~/.cache/nixtarball-ttl expires, cache miss in ~/.cache/nix, output store object not in local store
pkgs.fetch*build timederivation/nix/store, substitutersoutput store object not available

Tip

pkgs.fetchFrom* helpers retrieve snapshots of version-controlled sources, as opposed to the entire version history, which is more efficient. pkgs.fetchgit by default also has the same behaviour, but can be changed through specific attributes given to it.

Caveats

Because Nixpkgs fetchers are fixed-output derivations, an output hash has to be specified, usually indirectly through a hash attribute. This hash refers to the derivation output, which can be different from the remote source itself!

This has the following implications that you should be aware of:

  • Use Nix (or Nix-aware) tooling to produce the output hash.

  • When changing any fetcher parameters, always update the output hash. Use one of the methods from the section called “Updating source hashes”. Otherwise, existing store objects that match the output hash will be re-used rather than fetching new content.

    Note

    A similar problem arises while testing changes to a fetcher’s implementation. If the output of the derivation already exists in the Nix store, test failures can go undetected. The invalidateFetcherByDrvHash function helps prevent reusing cached derivations.

Updating source hashes

There are several ways to obtain the hash corresponding to a remote source. Unless you understand how the fetcher you’re using calculates the hash from the downloaded contents, you should use the fake hash method.

  1. The fake hash method: In your package recipe, set the hash to one of

    • ""

    • lib.fakeHash

    • lib.fakeSha256

    • lib.fakeSha512

    Attempt to build, extract the calculated hashes from error messages, and put them into the recipe.

    Warning

    You must use one of these four fake hashes and not some arbitrarily-chosen hash. See the section called “Obtaining hashes securely” for details.

    Example 262. Update source hash with the fake hash method

    Consider the following recipe that produces a plain file:

    { fetchurl }:
    fetchurl {
      url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.05/.version";
      hash = "sha256-ZHl1emidXVojm83LCVrwULpwIzKE/mYwfztVkvpruOM=";
    }
    

    A common mistake is to update a fetcher parameter, such as url, without updating the hash:

    { fetchurl }:
    fetchurl {
      url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version";
      hash = "sha256-ZHl1emidXVojm83LCVrwULpwIzKE/mYwfztVkvpruOM=";
    }
    

    This will produce the same output as before! Set the hash to an empty string:

    { fetchurl }:
    fetchurl {
      url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version";
      hash = "";
    }
    

    When building the package, use the error message to determine the correct hash:

    $ nix-build
    (some output removed for clarity)
    error: hash mismatch in fixed-output derivation '/nix/store/7yynn53jpc93l76z9zdjj4xdxgynawcw-version.drv':
            specified: sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
                got:    sha256-BZqI7r0MNP29yGH5+yW2tjU9OOpOCEvwWKrWCv5CQ0I=
    error: build of '/nix/store/bqdjcw5ij5ymfbm41dq230chk9hdhqff-version.drv' failed
    

  2. Prefetch the source with nix-prefetch-<type> <URL>, where <type> is one of

    • url

    • git

    • hg

    • cvs

    • bzr

    • svn

    The hash is printed to stdout.

  3. Prefetch by package source (with nix-prefetch-url '<nixpkgs>' -A <package>.src, where <package> is package attribute name). The hash is printed to stdout.

    This works well when you’ve upgraded the existing package version and want to find out new hash, but is useless if the package can’t be accessed by attribute or the package has multiple sources (.srcs, architecture-dependent sources, etc).

  4. Upstream hash: use it when upstream provides sha256 or sha512. Don’t use it when upstream provides md5, compute sha256 instead.

    A little nuance is that nix-prefetch-* tools produce hashes with the nix32 encoding (a Nix-specific base32 adaptation), but upstream usually provides hexadecimal (base16) encoding. Fetchers understand both formats. Nixpkgs does not standardise on any one format.

    You can convert between hash formats with nix-hash.

  5. Extract the hash from a local source archive with sha256sum. Use nix-prefetch-url file:///path/to/archive if you want the custom Nix base32 hash.

Obtaining hashes securely

It’s always a good idea to avoid Man-in-the-Middle (MITM) attacks when downloading source contents. Otherwise, you could unknowingly download malware instead of the intended source, and instead of the actual source hash, you’ll end up using the hash of malware. Here are security considerations for this scenario:

  • http:// URLs are not secure to prefetch hashes.

  • Upstream hashes should be obtained via a secure protocol.

  • https:// URLs give you more protections when using nix-prefetch-* or for upstream hashes.

  • https:// URLs are secure when using the fake hash method only if you use one of the listed fake hashes. If you use any other hash, the download will be exposed to MITM attacks even if you use HTTPS URLs.

    In more concrete terms, if you use any other hash, the --insecure flag will be passed to the underlying call to curl when downloading content.

Proxy usage

Nixpkgs fetchers can make use of a http(s) proxy. Each fetcher will automatically inherit proxy-related environment variables (http_proxy, https_proxy, etc) via impureEnvVars.

The environment variable NIX_SSL_CERT_FILE is also inherited in fetchers, and can be used to provide a custom certificate bundle to fetchers. This is usually required for a https proxy to work without certificate validation errors.

fetchurl

fetchurl returns a fixed-output derivation which downloads content from a given URL and stores the unaltered contents within the Nix store.

It uses curl(1) internally, and allows its behaviour to be modified by specifying a few attributes in the argument to fetchurl (see the documentation for attributes curlOpts, curlOptsList, and netrcPhase).

The resulting store path is determined by the hash given to fetchurl, and also the name (or pname and version) values.

If neither name nor pname and version are specified when calling fetchurl, it will default to using the basename of url or the first element of urls. If pname and version are specified, fetchurl will use those values and will ignore name, even if it is also specified.

Inputs

fetchurl requires an attribute set with the following attributes:

url (String; optional)

The URL to download from.

Note

Either url or urls must be specified, but not both.

All URLs of the format specified here are supported.

Default value: "".

urls (List of String; optional)

A list of URLs, specifying download locations for the same content. Each URL will be tried in order until one of them succeeds with some content or all of them fail. See Example 264 to understand how this attribute affects the behaviour of fetchurl.

Note

Either url or urls must be specified, but not both.

Default value: [].

hash (String; optional)

Hash of the derivation output of fetchurl, following the format for integrity metadata as defined by SRI. For more information, see the section called “Caveats”.

Note

It is recommended that you use the hash attribute instead of the other hash-specific attributes that exist for backwards compatibility.

If hash is not specified, you must specify outputHash and outputHashAlgo, or one of sha512, sha256, or sha1.

Default value: "".

outputHash (String; optional)

Hash of the derivation output of fetchurl in the format expected by Nix. See the documentation on the Nix manual for more information about its format.

Note

It is recommended that you use the hash attribute instead.

If outputHash is specified, you must also specify outputHashAlgo.

Default value: "".

outputHashAlgo (String; optional)

Algorithm used to generate the value specified in outputHash. See the documentation on the Nix manual for more information about the values it supports.

Note

It is recommended that you use the hash attribute instead.

The value specified in outputHashAlgo will be ignored if outputHash isn’t also specified.

Default value: "".

sha1 (String; optional)

SHA-1 hash of the derivation output of fetchurl in the format expected by Nix. See the documentation on the Nix manual for more information about its format.

Note

It is recommended that you use the hash attribute instead.

Default value: "".

sha256 (String; optional)

SHA-256 hash of the derivation output of fetchurl in the format expected by Nix. See the documentation on the Nix manual for more information about its format.

Note

It is recommended that you use the hash attribute instead.

Default value: "".

sha512 (String; optional)

SHA-512 hash of the derivation output of fetchurl in the format expected by Nix. See the documentation on the Nix manual for more information about its format.

Note

It is recommended that you use the hash attribute instead.

Default value: "".

name (String; optional)

The symbolic name of the downloaded file when saved in the Nix store. See the fetchurl overview for details on how the name of the file is decided.

Default value: "".

pname (String; optional)

A base name, which will be combined with version to form the symbolic name of the downloaded file when saved in the Nix store. See the fetchurl overview for details on how the name of the file is decided.

Note

If pname is specified, you must also specify version, otherwise fetchurl will ignore the value of pname.

Default value: "".

version (String; optional)

A version, which will be combined with pname to form the symbolic name of the downloaded file when saved in the Nix store. See the fetchurl overview for details on how the name of the file is decided.

Default value: "".

recursiveHash (Boolean; optional)

If set to true, will signal to Nix that the hash given to fetchurl was calculated using the "recursive" mode. See the documentation on the Nix manual for more information about the existing modes.

By default, fetchurl uses "recursive" mode when the executable attribute is set to true, so you don’t need to specify recursiveHash in this case.

Default value: false.

executable (Boolean; optional)

If true, sets the executable bit on the downloaded file.

Default value: false.

downloadToTemp (Boolean; optional)

If true, saves the downloaded file to a temporary location instead of the expected Nix store location. This is useful when used in conjunction with postFetch attribute, otherwise fetchurl will not produce any meaningful output.

The location of the downloaded file will be set in the $downloadedFile variable, which should be used by the script in the postFetch attribute. See Example 265 to understand how to work with this attribute.

Default value: false.

postFetch (String; optional)

Script executed after the file has been downloaded successfully, and before fetchurl finishes running. Useful for post-processing, to check or transform the file in some way. See Example 265 to understand how to work with this attribute.

Default value: "".

netrcPhase (String or Null; optional)

Script executed to create a netrc(5) file to be used with curl(1). The script should create the netrc file (note that it does not begin with a “.”) in the directory it’s currently running in ($PWD).

The script is executed during the setup done by fetchurl before it runs any of its code to download the specified content.

Note

If specified, fetchurl will automatically alter its invocation of curl(1) to use the netrc file, so you don’t need to add anything to curlOpts or curlOptsList.

Caution

Since netrcPhase needs to be specified in your source Nix code, any secrets that you put directly in it will be world-readable by design (both in your source code, and when the derivation gets created in the Nix store).

If you want to avoid this behaviour, see the documentation of netrcImpureEnvVars for an alternative way of dealing with these secrets.

Default value: null.

netrcImpureEnvVars (List of String; optional)

If specified, fetchurl will add these environment variable names to the list of impure environment variables, which will be passed from the environment of the calling user to the builder running the fetchurl code.

This is useful when used with netrcPhase to hide any secrets that are used in it, because the script in netrcPhase only needs to reference the environment variables with the secrets in them instead. However, note that these are called impure variables for a reason: the environment that starts the build needs to have these variables declared for everything to work properly, which means that additional setup is required outside what Nix controls.

Default value: [].

curlOpts (String; optional)

If specified, this value will be appended to the invocation of curl(1) when downloading the URL(s) given to fetchurl. Multiple arguments can be separated by spaces normally, but values with whitespaces will be interpreted as multiple arguments (instead of a single value), even if the value is escaped. See curlOptsList for a way to pass values with whitespaces in them.

Default value: "".

curlOptsList (List of String; optional)

If specified, each element of this list will be passed as an argument to the invocation of curl(1) when downloading the URL(s) given to fetchurl. This allows passing values that contain spaces, with no escaping needed.

Default value: [].

showURLs (Boolean; optional)

If set to true, this will stop fetchurl from downloading anything at all. Instead, it will output a list of all the URLs it would’ve used to download the content (after resolving mirror:// URLs, for example). This is useful for debugging.

Default value: false.

meta (Attribute Set; optional)

Specifies any meta-attributes for the derivation returned by fetchurl.

Default value: {}.

passthru (Attribute Set; optional)

Specifies any extra passthru attributes for the derivation returned by fetchurl. Note that fetchurl defines passthru attributes of its own. Attributes specified in passthru can override the default attributes returned by fetchurl.

Default value: {}.

preferLocalBuild (Boolean; optional)

This is the same attribute as defined in the Nix manual. It is true by default because making a remote machine download the content just duplicates network traffic (since the local machine might download the results from the derivation anyway), but this could be useful in cases where network access is restricted on local machines.

Default value: true.

nativeBuildInputs (List of Attribute Set; optional)

Additional packages needed to download the content. This is useful if you need extra packages for postFetch or netrcPhase, for example. Has the same semantics as in the section called “nativeBuildInputs. See Example 265 to understand how this can be used with postFetch.

Default value: [].

Passthru outputs

fetchurl also defines its own passthru attributes:

url (String)

The same url attribute passed in the argument to fetchurl.

Examples

Example 263. Using fetchurl to download a file

The following package downloads a small file from a URL and shows the most common way to use fetchurl:

{ fetchurl }:
fetchurl {
  url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version";
  hash = "sha256-BZqI7r0MNP29yGH5+yW2tjU9OOpOCEvwWKrWCv5CQ0I=";
}

After building the package, the file will be downloaded and place into the Nix store:

$ nix-build
(output removed for clarity)
/nix/store/4g9y3x851wqrvim4zcz5x2v3zivmsq8n-version

$ cat /nix/store/4g9y3x851wqrvim4zcz5x2v3zivmsq8n-version
23.11

Example 264. Using fetchurl to download a file with multiple possible URLs

The following package adapts Example 263 to use multiple URLs. The first URL was crafted to intentionally return an error to illustrate how fetchurl will try multiple URLs until it finds one that works (or all URLs fail).

{ fetchurl }:
fetchurl {
  urls = [
    "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/does-not-exist"
    "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version"
  ];
  hash = "sha256-BZqI7r0MNP29yGH5+yW2tjU9OOpOCEvwWKrWCv5CQ0I=";
}

After building the package, both URLs will be used to download the file:

$ nix-build
(some output removed for clarity)
trying https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/does-not-exist
(some output removed for clarity)
curl: (22) The requested URL returned error: 404

trying https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version
(some output removed for clarity)
/nix/store/n9asny31z32q7sdw6a8r1gllrsfy53kl-does-not-exist

$ cat /nix/store/n9asny31z32q7sdw6a8r1gllrsfy53kl-does-not-exist
23.11

However, note that the name of the file was derived from the first URL (this is further explained in the fetchurl overview). To ensure the result will have the same name regardless of which URLs are used, we can modify the package:

{ fetchurl }:
fetchurl {
  name = "nixpkgs-version";
  urls = [
    "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/does-not-exist"
    "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version"
  ];
  hash = "sha256-BZqI7r0MNP29yGH5+yW2tjU9OOpOCEvwWKrWCv5CQ0I=";
}

After building the package, the result will have the name we specified:

$ nix-build
(output removed for clarity)
/nix/store/zczb6wl3al6jm9sm5h3pr6nqn0i5ji9z-nixpkgs-version

Example 265. Manipulating the content downloaded by fetchurl

It might be useful to manipulate the content downloaded by fetchurl directly in its derivation. In this example, we’ll adapt Example 263 to append the result of running the hello package to the contents we download, purely to illustrate how to manipulate the content.

{ fetchurl, hello, lib }:
fetchurl {
  url = "https://raw.githubusercontent.com/NixOS/nixpkgs/23.11/.version";

  nativeBuildInputs = [ hello ];

  downloadToTemp = true;
  postFetch = ''
    ${lib.getExe hello} >> $downloadedFile
    mv $downloadedFile $out
  '';

  hash = "sha256-ceooQQYmDx5+0nfg40uU3NNI2yKrixP7HZ/xLZUNv+w=";
}

After building the package, the resulting file will have “Hello, world!” appended to it:

$ nix-build
(output removed for clarity)
/nix/store/ifi6pp7q0ag5h7c5v9h1c1c7bhd10c7f-version

$ cat /nix/store/ifi6pp7q0ag5h7c5v9h1c1c7bhd10c7f-version
23.11
Hello, world!

Note that the hash specified in the package is different than the hash specified in Example 263, because the contents of the output have changed (even though the actual file that was downloaded is the same). See the section called “Caveats” for more details on how to work with the hash attribute when the output changes.


fetchzip

Returns a fixed-output derivation which downloads an archive from a given URL and decompresses it.

Despite its name, fetchzip is not limited to .zip files but can also be used with various compressed tarball formats by default. This can extended by specifying additional attributes, see Example 267 to understand how to do that.

Inputs

fetchzip requires an attribute set, and most attributes are passed to the underlying call to fetchurl.

The attributes below are treated differently by fetchzip when compared to what fetchurl expects:

name (String; optional)

Works as defined in fetchurl, but has a different default value than fetchurl.

Default value: "source".

nativeBuildInputs (List of Attribute Set; optional)

Works as defined in fetchurl, but it is also augmented by fetchzip to include packages to deal with additional archives (such as .zip).

Default value: [].

postFetch (String; optional)

Works as defined in fetchurl, but it is also augmented with the code needed to make fetchzip work.

Caution

It is only safe to modify files in $out in postFetch. Consult the implementation of fetchzip for anything more involved.

Default value: "".

stripRoot (Boolean; optional)

If true, the decompressed contents are moved one level up the directory tree.

This is useful for archives that decompress into a single directory which commonly includes some values that change with time, such as version numbers. When this is the case (and stripRoot is true), fetchzip will remove this directory and make the decompressed contents available in the top-level directory.

Example 266 shows what this attribute does.

This attribute is not passed through to fetchurl.

Default value: true.

extension (String or Null; optional)

If set, the archive downloaded by fetchzip will be renamed to a filename with the extension specified in this attribute.

This is useful when making fetchzip support additional types of archives, because the implementation may use the extension of an archive to determine whether they can decompress it. If the URL you’re using to download the contents doesn’t end with the extension associated with the archive, use this attribute to fix the filename of the archive.

This attribute is not passed through to fetchurl.

Default value: null.

recursiveHash (Boolean; optional)

Works as defined in fetchurl, but its default value is different than for fetchurl.

Default value: true.

downloadToTemp (Boolean; optional)

Works as defined in fetchurl, but its default value is different than for fetchurl.

Default value: true.

extraPostFetch DEPRECATED

This attribute is deprecated. Please use postFetch instead.

This attribute is not passed through to fetchurl.

Examples

Example 266. Using fetchzip to output contents directly

The following recipe shows how to use fetchzip to decompress a .tar.gz archive:

{ fetchzip }:
fetchzip {
  url = "https://github.com/NixOS/patchelf/releases/download/0.18.0/patchelf-0.18.0.tar.gz";
  hash = "sha256-3ABYlME9R8klcpJ7MQpyFEFwHmxDDEzIYBqu/CpDYmg=";
}

This archive has all its contents in a directory named patchelf-0.18.0. This means that after decompressing, you’d have to enter this directory to see the contents of the archive. However, fetchzip makes this easier through the attribute stripRoot (enabled by default).

After building the recipe, the derivation output will show all the files in the archive at the top level:

$ nix-build
(output removed for clarity)
/nix/store/1b7h3fvmgrcddvs0m299hnqxlgli1yjw-source

$ ls /nix/store/1b7h3fvmgrcddvs0m299hnqxlgli1yjw-source
aclocal.m4  completions  configure.ac  m4           Makefile.in  patchelf.spec     README.md  tests
build-aux   configure    COPYING       Makefile.am  patchelf.1   patchelf.spec.in  src        version

If stripRoot is set to false, the derivation output will be the decompressed archive as-is:

{ fetchzip }:
fetchzip {
  url = "https://github.com/NixOS/patchelf/releases/download/0.18.0/patchelf-0.18.0.tar.gz";
  hash = "sha256-uv3FuKE4DqpHT3yfE0qcnq0gYjDNQNKZEZt2+PUAneg=";
  stripRoot = false;
}

Caution

The hash changed! Whenever changing attributes of a Nixpkgs fetcher, remember to invalidate the hash, otherwise you won’t get the results you’re expecting!

After building the recipe:

$ nix-build
(output removed for clarity)
/nix/store/2hy5bxw7xgbgxkn0i4x6hjr8w3dbx16c-source

$ ls /nix/store/2hy5bxw7xgbgxkn0i4x6hjr8w3dbx16c-source
patchelf-0.18.0

Example 267. Using fetchzip to decompress a .rar file

The unrar package provides a setup hook to decompress .rar archives during the unpack phase, which can be used with fetchzip to decompress those archives:

{ fetchzip, unrar }:
fetchzip {
  url = "https://archive.org/download/SpaceCadet_Plus95/Space_Cadet.rar";
  hash = "sha256-fC+zsR8BY6vXpUkVd6i1jF0IZZxVKVvNi6VWCKT+pA4=";
  stripRoot = false;
  nativeBuildInputs = [ unrar ];
}

Since this particular .rar file doesn’t put its contents in a directory inside the archive, stripRoot must be set to false.

After building the recipe, the derivation output will show the decompressed files:

$ nix-build
(output removed for clarity)
/nix/store/zpn7knxfva6rfjja2gbb4p3l9w1f0d36-source

$ ls /nix/store/zpn7knxfva6rfjja2gbb4p3l9w1f0d36-source
FONT.DAT      PINBALL.DAT  PINBALL.EXE	PINBALL2.MID  TABLE.BMP    WMCONFIG.EXE
MSCREATE.DIR  PINBALL.DOC  PINBALL.MID	Sounds	     WAVEMIX.INF

fetchpatch

fetchpatch works very similarly to fetchurl with the same arguments expected. It expects patch files as a source and performs normalization on them before computing the checksum. For example, it will remove comments or other unstable parts that are sometimes added by version control systems and can change over time.

  • relative: Similar to using git-diff’s --relative flag, only keep changes inside the specified directory, making paths relative to it.

  • stripLen: Remove the first stripLen components of pathnames in the patch.

  • decode: Pipe the downloaded data through this command before processing it as a patch.

  • extraPrefix: Prefix pathnames by this string.

  • excludes: Exclude files matching these patterns (applies after the above arguments).

  • includes: Include only files matching these patterns (applies after the above arguments).

  • revert: Revert the patch.

Note that because the checksum is computed after applying these effects, using or modifying these arguments will have no effect unless the hash argument is changed as well.

Most other fetchers return a directory rather than a single file.

fetchDebianPatch

A wrapper around fetchpatch, which takes:

  • patch and hash: the patch’s filename, and its hash after normalization by fetchpatch ;

  • pname: the Debian source package’s name ;

  • version: the upstream version number ;

  • debianRevision: the Debian revision number if applicable ;

  • the area of the Debian archive: main (default), contrib, or non-free.

Here is an example of fetchDebianPatch in action:

{ lib
, fetchDebianPatch
, buildPythonPackage
}:

buildPythonPackage rec {
  pname = "pysimplesoap";
  version = "1.16.2";
  src = <...>;

  patches = [
    (fetchDebianPatch {
      inherit pname version;
      debianRevision = "5";
      name = "Add-quotes-to-SOAPAction-header-in-SoapClient.patch";
      hash = "sha256-xA8Wnrpr31H8wy3zHSNfezFNjUJt1HbSXn3qUMzeKc0=";
    })
  ];

  # ...
}

Patches are fetched from sources.debian.org, and so must come from a package version that was uploaded to the Debian archive. Packages may be removed from there once that specific version isn’t in any suite anymore (stable, testing, unstable, etc.), so maintainers should use copy-tarballs.pl to archive the patch if it needs to be available longer-term.

fetchsvn

Used with Subversion. Expects url to a Subversion directory, rev, and hash.

fetchgit

Used with Git. Expects url to a Git repo, rev, and hash. rev in this case can be full the git commit id (SHA1 hash) or a tag name like refs/tags/v1.0.

If you want to fetch a tag you should pass the tag parameter instead of rev which has the same effect as setting rev = "refs/tags"/${version}". This is safer than just setting rev = version w.r.t. possible branch and tag name conflicts.

Additionally, the following optional arguments can be given:

fetchSubmodules (Boolean)

Whether to also fetch the submodules of a repository.

fetchLFS (Boolean)

Whether to fetch LFS objects.

postFetch (String)

Shell code executed after the file has been fetched successfully. This can do things like check or transform the file.

leaveDotGit (Boolean)

Whether the .git directory of the clone should not be removed after checkout.

Be warned though that the git repository format is not stable and this flag is therefore not suitable for actual use by itself. Only use this for testing purposes or in conjunction with removing the .git directory in postFetch.

deepClone (Boolean)

Clone the entire repository as opposing to just creating a shallow clone. This implies leaveDotGit.

sparseCheckout (List of String)

Prevent git from fetching unnecessary blobs from server. This is useful if only parts of the repository are needed.

Example 268. Use sparseCheckout to only include some directories:
{ stdenv, fetchgit }:

stdenv.mkDerivation {
  name = "hello";
  src = fetchgit {
    url = "https://...";
    sparseCheckout = [
      "directory/to/be/included"
      "another/directory"
    ];
    hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
  };
}

See git sparse-checkout for more information.

Some additional parameters for niche use-cases can be found listed in the function parameters in the declaration of fetchgit: pkgs/build-support/fetchgit/default.nix. Future parameters additions might also happen without immediately being documented here.

fetchfossil

Used with Fossil. Expects url to a Fossil archive, rev, and hash.

fetchcvs

Used with CVS. Expects cvsRoot, tag, and hash.

fetchhg

Used with Mercurial. Expects url, rev, and hash.

A number of fetcher functions wrap part of fetchurl and fetchzip. They are mainly convenience functions intended for commonly used destinations of source code in Nixpkgs. These wrapper fetchers are listed below.

fetchFromGitea

fetchFromGitea expects five arguments. domain is the gitea server name. owner is a string corresponding to the Gitea user or organization that controls this repository. repo corresponds to the name of the software repository. These are located at the top of every Gitea HTML page as owner/repo. rev corresponds to the Git commit hash or tag (e.g v1.0) that will be downloaded from Git. Finally, hash corresponds to the hash of the extracted directory. Again, other hash algorithms are also available but hash is currently preferred.

fetchFromGitHub

fetchFromGitHub expects four arguments. owner is a string corresponding to the GitHub user or organization that controls this repository. repo corresponds to the name of the software repository. These are located at the top of every GitHub HTML page as owner/repo. rev corresponds to the Git commit hash or tag (e.g v1.0) that will be downloaded from Git. If you need to fetch a tag however, you should prefer to use the tag parameter which achieves this in a safer way with less boilerplate. Finally, hash corresponds to the hash of the extracted directory. Again, other hash algorithms are also available, but hash is currently preferred.

To use a different GitHub instance, use githubBase (defaults to "github.com").

fetchFromGitHub uses fetchzip to download the source archive generated by GitHub for the specified revision. If leaveDotGit, deepClone or fetchSubmodules are set to true, fetchFromGitHub will use fetchgit instead. Refer to its section for documentation of these options.

fetchFromGitLab

This is used with GitLab repositories. It behaves similarly to fetchFromGitHub, and expects owner, repo, rev, and hash.

To use a specific GitLab instance, use domain (defaults to "gitlab.com").

fetchFromGitiles

This is used with Gitiles repositories. The arguments expected are similar to fetchgit.

fetchFromBitbucket

This is used with BitBucket repositories. The arguments expected are very similar to fetchFromGitHub above.

fetchFromSavannah

This is used with Savannah repositories. The arguments expected are very similar to fetchFromGitHub above.

fetchFromRepoOrCz

This is used with repo.or.cz repositories. The arguments expected are very similar to fetchFromGitHub above.

fetchFromSourcehut

This is used with sourcehut repositories. Similar to fetchFromGitHub above, it expects owner, repo, rev and hash, but don’t forget the tilde (~) in front of the username! Expected arguments also include vc (“git” (default) or “hg”), domain and fetchSubmodules.

If fetchSubmodules is true, fetchFromSourcehut uses fetchgit or fetchhg with fetchSubmodules or fetchSubrepos set to true, respectively. Otherwise, the fetcher uses fetchzip.

requireFile

requireFile allows requesting files that cannot be fetched automatically, but whose content is known. This is a useful last-resort workaround for license restrictions that prohibit redistribution, or for downloads that are only accessible after authenticating interactively in a browser. If the requested file is present in the Nix store, the resulting derivation will not be built, because its expected output is already available. Otherwise, the builder will run, but fail with a message explaining to the user how to provide the file. The following code, for example:

requireFile {
  name = "jdk-${version}_linux-x64_bin.tar.gz";
  url = "https://www.oracle.com/java/technologies/javase-jdk11-downloads.html";
  hash = "sha256-lL00+F7jjT71nlKJ7HRQuUQ7kkxVYlZh//5msD8sjeI=";
}

results in this error message:

***
Unfortunately, we cannot download file jdk-11.0.10_linux-x64_bin.tar.gz automatically.
Please go to https://www.oracle.com/java/technologies/javase-jdk11-downloads.html to download it yourself, and add it to the Nix store
using either
  nix-store --add-fixed sha256 jdk-11.0.10_linux-x64_bin.tar.gz
or
  nix-prefetch-url --type sha256 file:///path/to/jdk-11.0.10_linux-x64_bin.tar.gz

***

This function should only be used by non-redistributable software with an unfree license that we need to require the user to download manually. It produces packages that cannot be built automatically.

fetchtorrent

fetchtorrent expects two arguments. url which can either be a Magnet URI (Magnet Link) such as magnet:?xt=urn:btih:dd8255ecdc7ca55fb0bbf81323d87062db1f6d1c or an HTTP URL pointing to a .torrent file. It can also take a config argument which will craft a settings.json configuration file and give it to transmission, the underlying program that is performing the fetch. The available config options for transmission can be found here

{ fetchtorrent }:

fetchtorrent {
  config = { peer-limit-global = 100; };
  url = "magnet:?xt=urn:btih:dd8255ecdc7ca55fb0bbf81323d87062db1f6d1c";
  hash = "";
}

Parameters

  • url: Magnet URI (Magnet Link) such as magnet:?xt=urn:btih:dd8255ecdc7ca55fb0bbf81323d87062db1f6d1c or an HTTP URL pointing to a .torrent file.

  • backend: Which bittorrent program to use. Default: "transmission". Valid values are "rqbit" or "transmission". These are the two most suitable torrent clients for fetching in a fixed-output derivation at the time of writing, as they can be easily exited after usage. rqbit is written in Rust and has a smaller closure size than transmission, and the performance and peer discovery properties differs between these clients, requiring experimentation to decide upon which is the best.

  • config: When using transmission as the backend, a json configuration can be supplied to transmission. Refer to the upstream documentation for information on how to configure.

Trivial build helpers

Nixpkgs provides a variety of wrapper functions that help build commonly useful derivations. Like stdenv.mkDerivation, each of these build helpers creates a derivation, but the arguments passed are different (usually simpler) from those required by stdenv.mkDerivation.

runCommandWith

The function runCommandWith returns a derivation built using the specified command(s), in a specified environment.

It is the underlying base function of all runCommand* variants. The general behavior is controlled via a single attribute set passed as the first argument, and allows specifying stdenv freely.

The following runCommand* variants exist: runCommand, runCommandCC, and runCommandLocal.

Type

runCommandWith :: {
  name :: name;
  stdenv? :: Derivation;
  runLocal? :: Bool;
  derivationArgs? :: { ... };
} -> String -> Derivation

Inputs

name (String)

The derivation’s name, which Nix will append to the store path; see mkDerivation.

runLocal (Boolean)

If set to true this forces the derivation to be built locally, not using substitutes nor remote builds. This is intended for very cheap commands (<1s execution time) which can be sped up by avoiding the network round-trip(s). Its effect is to set preferLocalBuild = true and allowSubstitutes = false.

Note

This prevents the use of substituters, so only set runLocal (or use runCommandLocal) when certain the user will always have a builder for the system of the derivation. This should be true for most trivial use cases (e.g., just copying some files to a different location or adding symlinks) because there the system is usually the same as builtins.currentSystem.

stdenv (Derivation)

The standard environment to use, defaulting to pkgs.stdenv

derivationArgs (Attribute set)

Additional arguments for mkDerivation.

buildCommand (String)

Shell commands to run in the derivation builder.

Note

You have to create a file or directory $out for Nix to be able to run the builder successfully.

Example 269. Invocation of runCommandWith
runCommandWith {
  name = "example";
  derivationArgs.nativeBuildInputs = [ cowsay ];
} ''
  cowsay > $out <<EOMOO
  'runCommandWith' is a bit cumbersome,
  so we have more ergonomic wrappers.
  EOMOO
''

runCommand and runCommandCC

The function runCommand returns a derivation built using the specified command(s), in the stdenvNoCC environment.

runCommandCC is similar but uses the default compiler environment. To minimize dependencies, runCommandCC should only be used when the build command needs a C compiler.

runCommandLocal is also similar to runCommand, but forces the derivation to be built locally. See the note on runCommandWith about runLocal.

Type

runCommand      :: String -> AttrSet -> String -> Derivation
runCommandCC    :: String -> AttrSet -> String -> Derivation
runCommandLocal :: String -> AttrSet -> String -> Derivation

Input

While the type signature(s) differ from runCommandWith, individual arguments with the same name will have the same type and meaning:

name (String)

The derivation’s name

derivationArgs (Attribute set)

Additional parameters passed to [mkDerivation]

buildCommand (String)

The command(s) run to build the derivation.

Example 270. Invocation of runCommand
runCommand "my-example" {} ''
  echo My example command is running

  mkdir $out

  echo I can write data to the Nix store > $out/message

  echo I can also run basic commands like:

  echo ls
  ls

  echo whoami
  whoami

  echo date
  date
''

Note

runCommand name derivationArgs buildCommand is equivalent to

runCommandWith {
  inherit name derivationArgs;
  stdenv = stdenvNoCC;
} buildCommand

Likewise, runCommandCC name derivationArgs buildCommand is equivalent to

runCommandWith {
  inherit name derivationArgs;
} buildCommand

Writing text files

Nixpkgs provides the following functions for producing derivations which write text files or executable scripts into the Nix store. They are useful for creating files from Nix expression, and are all implemented as convenience wrappers around writeTextFile.

Each of these functions will cause a derivation to be produced. When you coerce the result of each of these functions to a string with string interpolation or builtins.toString, it will evaluate to the store path of this derivation.

Note

Some of these functions will put the resulting files within a directory inside the derivation output. If you need to refer to the resulting files somewhere else in a Nix expression, append their path to the derivation’s store path.

For example, if the file destination is a directory:

{
  my-file = writeTextFile {
    name = "my-file";
    text = ''
      Contents of File
    '';
    destination = "/share/my-file";
  };
}

Remember to append “/share/my-file” to the resulting store path when using it elsewhere:

writeShellScript "evaluate-my-file.sh" ''
  cat ${my-file}/share/my-file
''

makeDesktopItem

Write an XDG desktop file to the Nix store.

This function is usually used to add desktop items to a package through the copyDesktopItems hook.

makeDesktopItem adheres to version 1.4 of the specification.

Inputs

makeDesktopItem takes an attribute set that accepts most values from the XDG specification.

All recognised keys from the specification are supported with the exception of the “Hidden” field. The keys are converted into camelCase format, but correspond 1:1 to their equivalent in the specification: genericName, noDisplay, comment, icon, onlyShowIn, notShowIn, dbusActivatable, tryExec, exec, path, terminal, mimeTypes, categories, implements, keywords, startupNotify, startupWMClass, url, prefersNonDefaultGPU.

The “Version” field is hardcoded to the version makeDesktopItem currently adheres to.

The following fields are either required, are of a different type than in the specification, carry specific default values, or are additional fields supported by makeDesktopItem:

name (String)

The name of the desktop file in the Nix store.

type (String; optional)

Default value: "Application"

desktopName (String)

Corresponds to the “Name” field of the specification.

actions (List of Attribute set; optional)

A list of attribute sets {name, exec?, icon?}

extraConfig (Attribute set; optional)

Additional key/value pairs to be added verbatim to the desktop file. Attributes need to be prefixed with ‘X-’.

Examples

Example 271. Usage 1 of makeDesktopItem

Write a desktop file /nix/store/<store path>/my-program.desktop to the Nix store.

{makeDesktopItem}:
makeDesktopItem {
  name = "my-program";
  desktopName = "My Program";
  genericName = "Video Player";
  noDisplay = false;
  comment = "Cool video player";
  icon = "/path/to/icon";
  onlyShowIn = [ "KDE" ];
  dbusActivatable = true;
  tryExec = "my-program";
  exec = "my-program --someflag";
  path = "/some/working/path";
  terminal = false;
  actions.example = {
    name = "New Window";
    exec = "my-program --new-window";
    icon = "/some/icon";
  };
  mimeTypes = [ "video/mp4" ];
  categories = [ "Utility" ];
  implements = [ "org.my-program" ];
  keywords = [ "Video" "Player" ];
  startupNotify = false;
  startupWMClass = "MyProgram";
  prefersNonDefaultGPU = false;
  extraConfig.X-SomeExtension = "somevalue";
}

Example 272. Usage 2 of makeDesktopItem

Override the hello package to add a desktop item.

{ copyDesktopItems
, hello
, makeDesktopItem }:

hello.overrideAttrs {
  nativeBuildInputs = [ copyDesktopItems ];

  desktopItems = [(makeDesktopItem {
    name = "hello";
    desktopName = "Hello";
    exec = "hello";
  })];
}

writeTextFile

Write a text file to the Nix store.

writeTextFile takes an attribute set with the following possible attributes:

name (String)

Corresponds to the name used in the Nix store path identifier.

text (String)

The contents of the file.

executable (Bool, optional)

Make this file have the executable bit set.

Default: false

destination (String, optional)

A subpath under the derivation’s output path into which to put the file. Subdirectories are created automatically when the derivation is realised.

By default, the store path itself will be a file containing the text contents.

Default: ""

checkPhase (String, optional)

Commands to run after generating the file.

Default: ""

meta (Attribute set, optional)

Additional metadata for the derivation.

Default: {}

allowSubstitutes (Bool, optional)

Whether to allow substituting from a binary cache. Passed through to allowSubstitutes of the underlying call to builtins.derivation.

It defaults to false, as running the derivation’s simple builder executable locally is assumed to be faster than network operations. Set it to true if the checkPhase step is expensive.

Default: false

preferLocalBuild (Bool, optional)

Whether to prefer building locally, even if faster remote build machines are available.

Passed through to preferLocalBuild of the underlying call to builtins.derivation.

It defaults to true for the same reason allowSubstitutes defaults to false.

Default: true

derivationArgs (Attribute set, optional)

Extra arguments to pass to the underlying call to stdenv.mkDerivation.

Default: {}

The resulting store path will include some variation of the name, and it will be a file unless destination is used, in which case it will be a directory.

Example 273. Usage 1 of writeTextFile

Write my-file to /nix/store/<store path>/some/subpath/my-cool-script, making it executable. Also run a check on the resulting file in a checkPhase, and supply values for the less-used options.

writeTextFile {
  name = "my-cool-script";
  text = ''
    #!/bin/sh
    echo "This is my cool script!"
  '';
  executable = true;
  destination = "/some/subpath/my-cool-script";
  checkPhase = ''
    ${pkgs.shellcheck}/bin/shellcheck $out/some/subpath/my-cool-script
  '';
  meta = {
    license = pkgs.lib.licenses.cc0;
  };
  allowSubstitutes = true;
  preferLocalBuild = false;
}

Example 274. Usage 2 of writeTextFile

Write the string Contents of File to /nix/store/<store path>. See also the the section called “writeText helper function.

writeTextFile {
  name = "my-file";
  text = ''
    Contents of File
  '';
}

Example 275. Usage 3 of writeTextFile

Write an executable script my-script to /nix/store/<store path>/bin/my-script. See also the the section called “writeScriptBin helper function.

writeTextFile {
  name = "my-script";
  text = ''
    echo "hi"
  '';
  executable = true;
  destination = "/bin/my-script";
}

writeText

Write a text file to the Nix store

writeText takes the following arguments: a string.

name (String)

The name used in the Nix store path.

text (String)

The contents of the file.

The store path will include the name, and it will be a file.

Example 276. Usage of writeText

Write the string Contents of File to /nix/store/<store path>:

writeText "my-file"
  ''
  Contents of File
  ''

This is equivalent to:

writeTextFile {
  name = "my-file";
  text = ''
    Contents of File
  '';
}

writeTextDir

Write a text file within a subdirectory of the Nix store.

writeTextDir takes the following arguments:

path (String)

The destination within the Nix store path under which to create the file.

text (String)

The contents of the file.

The store path will be a directory.

Example 277. Usage of writeTextDir

Write the string Contents of File to /nix/store/<store path>/share/my-file:

writeTextDir "share/my-file"
  ''
  Contents of File
  ''

This is equivalent to:

writeTextFile {
  name = "my-file";
  text = ''
    Contents of File
  '';
  destination = "/share/my-file";
}

writeScript

Write an executable script file to the Nix store.

writeScript takes the following arguments:

name (String)

The name used in the Nix store path.

text (String)

The contents of the file.

The created file is marked as executable. The store path will include the name, and it will be a file.

Example 278. Usage of writeScript

Write the string Contents of File to /nix/store/<store path> and make the file executable.

writeScript "my-file"
  ''
  Contents of File
  ''

This is equivalent to:

writeTextFile {
  name = "my-file";
  text = ''
    Contents of File
  '';
  executable = true;
}

writeScriptBin

Write a script within a bin subdirectory of a directory in the Nix store. This is for consistency with the convention of software packages placing executables under bin.

writeScriptBin takes the following arguments:

name (String)

The name used in the Nix store path and within the file created under the store path.

text (String)

The contents of the file.

The created file is marked as executable. The file’s contents will be put into /nix/store/<store path>/bin/<name>. The store path will include the name, and it will be a directory.

Example 279. Usage of writeScriptBin
writeScriptBin "my-script"
  ''
  echo "hi"
  ''

This is equivalent to:

writeTextFile {
  name = "my-script";
  text = ''
    echo "hi"
  '';
  executable = true;
  destination = "/bin/my-script";
}

writeShellScript

Write a Bash script to the store.

writeShellScript takes the following arguments:

name (String)

The name used in the Nix store path.

text (String)

The contents of the file.

The created file is marked as executable. The store path will include the name, and it will be a file.

This function is almost exactly like the section called “writeScript, except that it prepends to the file a shebang line that points to the version of Bash used in Nixpkgs.

Example 280. Usage of writeShellScript
writeShellScript "my-script"
  ''
  echo "hi"
  ''

This is equivalent to:

writeTextFile {
  name = "my-script";
  text = ''
    #! ${pkgs.runtimeShell}
    echo "hi"
  '';
  executable = true;
}

writeShellScriptBin

Write a Bash script to a “bin” subdirectory of a directory in the Nix store.

writeShellScriptBin takes the following arguments:

name (String)

The name used in the Nix store path and within the file generated under the store path.

text (String)

The contents of the file.

The file’s contents will be put into /nix/store/<store path>/bin/<name>. The store path will include the the name, and it will be a directory.

This function is a combination of the section called “writeShellScript and the section called “writeScriptBin.

Example 281. Usage of writeShellScriptBin
writeShellScriptBin "my-script"
  ''
  echo "hi"
  ''

This is equivalent to:

writeTextFile {
  name = "my-script";
  text = ''
    #! ${pkgs.runtimeShell}
    echo "hi"
  '';
  executable = true;
  destination = "/bin/my-script";
}

concatTextFile, concatText, concatScript

These functions concatenate files to the Nix store in a single file. This is useful for configuration files structured in lines of text. concatTextFile takes an attribute set and expects two arguments, name and files. name corresponds to the name used in the Nix store path. files will be the files to be concatenated. You can also set executable to true to make this file have the executable bit set. concatText andconcatScript are simple wrappers over concatTextFile.

Here are a few examples:


# Writes my-file to /nix/store/<store path>
concatTextFile {
  name = "my-file";
  files = [ drv1 "${drv2}/path/to/file" ];
}
# See also the `concatText` helper function below.

# Writes executable my-file to /nix/store/<store path>/bin/my-file
concatTextFile {
  name = "my-file";
  files = [ drv1 "${drv2}/path/to/file" ];
  executable = true;
  destination = "/bin/my-file";
}
# Writes contents of files to /nix/store/<store path>
concatText "my-file" [ file1 file2 ]

# Writes contents of files to /nix/store/<store path>
concatScript "my-file" [ file1 file2 ]

writeShellApplication

writeShellApplication is similar to writeShellScriptBin and writeScriptBin but supports runtime dependencies with runtimeInputs. Writes an executable shell script to /nix/store/<store path>/bin/<name> and checks its syntax with shellcheck and the bash’s -n option. Some basic Bash options are set by default (errexit, nounset, and pipefail), but can be overridden with bashOptions.

Extra arguments may be passed to stdenv.mkDerivation by setting derivationArgs; note that variables set in this manner will be set when the shell script is built, not when it’s run. Runtime environment variables can be set with the runtimeEnv argument.

For example, the following shell application can refer to curl directly, rather than needing to write ${curl}/bin/curl:

writeShellApplication {
  name = "show-nixos-org";

  runtimeInputs = [ curl w3m ];

  text = ''
    curl -s 'https://nixos.org' | w3m -dump -T text/html
  '';
}

symlinkJoin

This can be used to put many derivations into the same directory structure. It works by creating a new derivation and adding symlinks to each of the paths listed. It expects two arguments, name, and paths. name (or alternatively pname and version) is the name used in the Nix store path for the created derivation. paths is a list of paths that will be symlinked. These paths can be to Nix store derivations or any other subdirectory contained within. Here is an example:

# adds symlinks of hello and stack to current build and prints "links added"
symlinkJoin { name = "myexample"; paths = [ pkgs.hello pkgs.stack ]; postBuild = "echo links added"; }

This creates a derivation with a directory structure like the following:

/nix/store/sglsr5g079a5235hy29da3mq3hv8sjmm-myexample
|-- bin
|   |-- hello -> /nix/store/qy93dp4a3rqyn2mz63fbxjg228hffwyw-hello-2.10/bin/hello
|   `-- stack -> /nix/store/6lzdpxshx78281vy056lbk553ijsdr44-stack-2.1.3.1/bin/stack
`-- share
    |-- bash-completion
    |   `-- completions
    |       `-- stack -> /nix/store/6lzdpxshx78281vy056lbk553ijsdr44-stack-2.1.3.1/share/bash-completion/completions/stack
    |-- fish
    |   `-- vendor_completions.d
    |       `-- stack.fish -> /nix/store/6lzdpxshx78281vy056lbk553ijsdr44-stack-2.1.3.1/share/fish/vendor_completions.d/stack.fish
...

writeClosure

Given a list of store paths (or string-like expressions coercible to store paths), write their collective closure to a text file.

The result is equivalent to the output of nix-store -q --requisites.

For example,

writeClosure [ (writeScriptBin "hi" ''${hello}/bin/hello'') ]

produces an output path /nix/store/<hash>-runtime-deps containing

/nix/store/<hash>-hello-2.10
/nix/store/<hash>-hi
/nix/store/<hash>-libidn2-2.3.0
/nix/store/<hash>-libunistring-0.9.10
/nix/store/<hash>-glibc-2.32-40

You can see that this includes hi, the original input path, hello, which is a direct reference, but also the other paths that are indirectly required to run hello.

writeDirectReferencesToFile

Writes the set of references to the output file, that is, their immediate dependencies.

This produces the equivalent of nix-store -q --references.

For example,

writeDirectReferencesToFile (writeScriptBin "hi" ''${hello}/bin/hello'')

produces an output path /nix/store/<hash>-runtime-references containing

/nix/store/<hash>-hello-2.10

but none of hello’s dependencies because those are not referenced directly by hi’s output.

Testers

This chapter describes several testing builders which are available in the testers namespace.

hasPkgConfigModules

Checks whether a package exposes a given list of pkg-config modules. If the moduleNames argument is omitted, hasPkgConfigModules will use meta.pkgConfigModules.

Example 282. Check that pkg-config modules are exposed using default values
{
  passthru.tests.pkg-config = testers.hasPkgConfigModules {
    package = finalAttrs.finalPackage;
  };

  meta.pkgConfigModules = [ "libfoo" ];
}

Example 283. Check that pkg-config modules are exposed using explicit module names
{
  passthru.tests.pkg-config = testers.hasPkgConfigModules {
    package = finalAttrs.finalPackage;
    moduleNames = [ "libfoo" ];
  };
}

lycheeLinkCheck

Check a packaged static site’s links with the lychee package.

You may use Nix to reproducibly build static websites, such as for software documentation. Some packages will install documentation in their out or doc outputs, or maybe you have dedicated package where you’ve made your static site reproducible by running a generator, such as Hugo or mdBook, in a derivation.

If you have a static site that can be built with Nix, you can use lycheeLinkCheck to check that the hyperlinks in your site are correct, and do so as part of your Nix workflow and CI.

Example 284. Check hyperlinks in the nix documentation
testers.lycheeLinkCheck {
  site = nix.doc + "/share/doc/nix/manual";
}

Return value

This tester produces a package that does not produce useful outputs, but only succeeds if the hyperlinks in your site are correct. The build log will list the broken links.

It has two modes:

  • Build the returned derivation; its build process will check that internal hyperlinks are correct. This runs in the sandbox, so it will not check external hyperlinks, but it is quick and reliable.

  • Invoke the .online attribute with nix run (experimental). This runs outside the sandbox, and checks that both internal and external hyperlinks are correct. Example:

    nix run nixpkgs#lychee.tests.ok.online
    

Inputs

site (path or derivation) {#tester-lycheeLinkCheck-param-site}

The path to the files to check.

remap (attribe set, optional) {#tester-lycheeLinkCheck-param-remap}

An attribute set where the attribute names are regular expressions. The values should be strings, derivations, or path values.

In the returned check’s default configuration, external URLs are only checked when you run the .online attribute.

By adding remappings, you can check offline that URLs to external resources are correct, by providing a stand-in from the file system.

Before checking the existence of a URL, the regular expressions are matched and replaced by their corresponding values.

Example:

{
  "https://nix\\.dev/manual/nix/[a-z0-9.-]*" = "${nix.doc}/share/doc/nix/manual";
  "https://nixos\\.org/manual/nix/(un)?stable" = "${emptyDirectory}/placeholder-to-disallow-old-nix-docs-urls";
}

Store paths in the attribute values are automatically prefixed with file://, because lychee requires this for paths in the file system. If this is a problem, or if you need to control the order in which replacements are performed, use extraConfig.remap instead.

extraConfig (attribute set) {#tester-lycheeLinkCheck-param-extraConfig}

Extra configuration to pass to lychee in its configuration file. It is automatically translated to TOML.

Example: { "include_verbatim" = true; }

lychee (derivation, optional) {#tester-lycheeLinkCheck-param-lychee}

The lychee package to use.

shellcheck

Runs files through shellcheck, a static analysis tool for shell scripts.

Example 285. Run testers.shellcheck

A single script

testers.shellcheck {
  name = "shellcheck";
  src = ./script.sh;
}

Multiple files

let
  inherit (lib) fileset;
in
testers.shellcheck {
  name = "shellcheck";
  src = fileset.toSource {
    root = ./.;
    fileset = fileset.unions [
      ./lib.sh
      ./nixbsd-activate
    ];
  };
}

Inputs

src (path or string)

The path to the shell script(s) to check. This can be a single file or a directory containing shell files. All files in src will be checked, so you may want to provide fileset-based source instead of a whole directory.

Return value

A derivation that runs shellcheck on the given script(s). The build will fail if shellcheck finds any issues.

testVersion

Checks that the output from running a command contains the specified version string in it as a whole word.

NOTE: In most cases, versionCheckHook should be preferred, but this function is provided and documented here anyway. The motivation for adding either tests would be:

  • Catch dynamic linking errors and such and missing environment variables that should be added by wrapping.

  • Probable protection against accidentally building the wrong version, for example when using an “old” hash in a fixed-output derivation.

By default, the command to be run will be inferred from the given package attribute: it will check meta.mainProgram first, and fall back to pname or name. The default argument to the command is --version, and the version to be checked will be inferred from the given package attribute as well.

Example 286. Check a program version using all the default values

This example will run the command hello --version, and then check that the version of the hello package is in the output of the command.

{
  passthru.tests.version = testers.testVersion { package = hello; };
}

Example 287. Check the program version using a specified command and expected version string

This example will run the command leetcode -V, and then check that leetcode 0.4.2 is in the output of the command as a whole word (separated by whitespaces). This means that an output like “leetcode 0.4.21” would fail the tests, and an output like “You’re running leetcode 0.4.2” would pass the tests.

A common usage of the version attribute is to specify version = "v${version}".

{
  version = "0.4.2";

  passthru.tests.version = testers.testVersion {
    package = leetcode-cli;
    command = "leetcode -V";
    version = "leetcode ${version}";
  };
}

testBuildFailure

Make sure that a build does not succeed. This is useful for testing testers.

This returns a derivation with an override on the builder, with the following effects:

  • Fail the build when the original builder succeeds

  • Move $out to $out/result, if it exists (assuming out is the default output)

  • Save the build log to $out/testBuildFailure.log (same)

While testBuildFailure is designed to keep changes to the original builder’s environment to a minimum, some small changes are inevitable:

  • The file $TMPDIR/testBuildFailure.log is present. It should not be deleted.

  • stdout and stderr are a pipe instead of a tty. This could be improved.

  • One or two extra processes are present in the sandbox during the original builder’s execution.

  • The derivation and output hashes are different, but not unusual.

  • The derivation includes a dependency on buildPackages.bash and expect-failure.sh, which is built to include a transitive dependency on buildPackages.coreutils and possibly more. These are not added to PATH or any other environment variable, so they should be hard to observe.

Example 288. Check that a build fails, and verify the changes made during build
runCommand "example" {
  failed = testers.testBuildFailure (runCommand "fail" {} ''
    echo ok-ish >$out
    echo failing though
    exit 3
  '');
} ''
  grep -F 'ok-ish' $failed/result
  grep -F 'failing though' $failed/testBuildFailure.log
  [[ 3 = $(cat $failed/testBuildFailure.exit) ]]
  touch $out
''

testEqualContents

Check that two paths have the same contents.

Example 289. Check that two paths have the same contents
testers.testEqualContents {
  assertion = "sed -e performs replacement";
  expected = writeText "expected" ''
    foo baz baz
  '';
  actual = runCommand "actual" {
    # not really necessary for a package that's in stdenv
    nativeBuildInputs = [ gnused ];
    base = writeText "base" ''
      foo bar baz
    '';
  } ''
    sed -e 's/bar/baz/g' $base >$out
  '';
}

testEqualDerivation

Checks that two packages produce the exact same build instructions.

This can be used to make sure that a certain difference of configuration, such as the presence of an overlay does not cause a cache miss.

When the derivations are equal, the return value is an empty file. Otherwise, the build log explains the difference via nix-diff.

Example 290. Check that two packages produce the same derivation
testers.testEqualDerivation
  "The hello package must stay the same when enabling checks."
  hello
  (hello.overrideAttrs(o: { doCheck = true; }))

invalidateFetcherByDrvHash

Use the derivation hash to invalidate the output via name, for testing.

Type: (a@{ name, ... } -> Derivation) -> a -> Derivation

Normally, fixed output derivations can and should be cached by their output hash only, but for testing we want to re-fetch everytime the fetcher changes.

Changes to the fetcher become apparent in the drvPath, which is a hash of how to fetch, rather than a fixed store path. By inserting this hash into the name, we can make sure to re-run the fetcher every time the fetcher changes.

This relies on the assumption that Nix isn’t clever enough to reuse its database of local store contents to optimize fetching.

You might notice that the “salted” name derives from the normal invocation, not the final derivation. invalidateFetcherByDrvHash has to invoke the fetcher function twice: once to get a derivation hash, and again to produce the final fixed output derivation.

Example 291. Prevent nix from reusing the output of a fetcher
{
  tests.fetchgit = testers.invalidateFetcherByDrvHash fetchgit {
    name = "nix-source";
    url = "https://github.com/NixOS/nix";
    rev = "9d9dbe6ed05854e03811c361a3380e09183f4f4a";
    hash = "sha256-7DszvbCNTjpzGRmpIVAWXk20P0/XTrWZ79KSOGLrUWY=";
  };
}

runCommand

runCommand :: { name, script, stdenv ? stdenvNoCC, hash ? "...", ... } -> Derivation

This is a wrapper around pkgs.runCommandWith, which

  • produces a fixed-output derivation, enabling the command(s) to access the network ;

  • salts the derivation’s name based on its inputs, ensuring the command is re-run whenever the inputs changes.

It accepts the following attributes:

  • the derivation’s name ;

  • the script to be executed ;

  • stdenv, the environment to use, defaulting to stdenvNoCC ;

  • the derivation’s output hash, defaulting to the empty file’s. The derivation’s outputHashMode is set by default to recursive, so the script can output a directory as well.

All other attributes are passed through to mkDerivation, including nativeBuildInputs to specify dependencies available to the script.

Example 292. Run a command with network access
testers.runCommand {
  name = "access-the-internet";
  script = ''
    curl -o /dev/null https://example.com
    touch $out
  '';
  nativeBuildInputs = with pkgs; [ cacert curl ];
}

runNixOSTest

A helper function that behaves exactly like the NixOS runTest, except it also assigns this Nixpkgs package set as the pkgs of the test and makes the nixpkgs.* options read-only.

If your test is part of the Nixpkgs repository, or if you need a more general entrypoint, see “Calling a test” in the NixOS manual.

Example 293. Run a NixOS test using runNixOSTest
pkgs.testers.runNixOSTest ({ lib, ... }: {
  name = "hello";
  nodes.machine = { pkgs, ... }: {
    environment.systemPackages = [ pkgs.hello ];
  };
  testScript = ''
    machine.succeed("hello")
  '';
})

nixosTest

Run a NixOS VM network test using this evaluation of Nixpkgs.

NOTE: This function is primarily for external use. NixOS itself uses make-test-python.nix directly. Packages defined in Nixpkgs reuse NixOS tests via nixosTests, plural.

It is mostly equivalent to the function import ./make-test-python.nix from the NixOS manual, except that the current application of Nixpkgs (pkgs) will be used, instead of letting NixOS invoke Nixpkgs anew.

If a test machine needs to set NixOS options under nixpkgs, it must set only the nixpkgs.pkgs option.

Parameter

A NixOS VM test network, or path to it. Example:

{
  name = "my-test";
  nodes = {
    machine1 = { lib, pkgs, nodes, ... }: {
      environment.systemPackages = [ pkgs.hello ];
      services.foo.enable = true;
    };
    # machine2 = ...;
  };
  testScript = ''
    start_all()
    machine1.wait_for_unit("foo.service")
    machine1.succeed("hello | foo-send")
  '';
}

Result

A derivation that runs the VM test.

Notable attributes:

  • nodes: the evaluated NixOS configurations. Useful for debugging and exploring the configuration.

  • driverInteractive: a script that launches an interactive Python session in the context of the testScript.

Development Shell helpers

The nix-shell command has popularized the concept of transient shell environments for development or testing purposes. However, nix-shell is not the only way to create such environments, and even nix-shell itself can indirectly benefit from this library.

This library provides a set of functions that help create such environments.

devShellTools.valueToString

Converts Nix values to strings in the way the derivation built-in function does.

Example 294. valueToString usage examples
devShellTools.valueToString (builtins.toFile "foo" "bar")
=> "/nix/store/...-foo"
devShellTools.valueToString false
=> ""

devShellTools.unstructuredDerivationInputEnv

Convert a set of derivation attributes (as would be passed to [derivation]) to a set of environment variables that can be used in a shell script. This function does not support __structuredAttrs, but does support passAsFile.

Example 295. unstructuredDerivationInputEnv usage example
devShellTools.unstructuredDerivationInputEnv {
  drvAttrs = {
    name = "foo";
    buildInputs = [ hello figlet ];
    builder = bash;
    args = [ "-c" "${./builder.sh}" ];
  };
}
=> {
  name = "foo";
  buildInputs = "/nix/store/...-hello /nix/store/...-figlet";
  builder = "/nix/store/...-bash";
}

Note that args is not included, because Nix does not added it to the builder process environment.


devShellTools.derivationOutputEnv

Takes the relevant parts of a derivation and returns a set of environment variables, that would be present in the derivation.

Example 296. derivationOutputEnv usage example
let
  pkg = hello;
in
devShellTools.derivationOutputEnv { outputList = pkg.outputs; outputMap = pkg; }

Special build helpers

This chapter describes several special build helpers.

fakeNss

Provides /etc/passwd and /etc/group files that contain root and nobody, allowing user/group lookups to work in binaries that insist on doing those. This might be a better choice than a custom script running useradd and related utilities if you only need those files to exist with some entries.

fakeNss also provides /etc/nsswitch.conf, configuring NSS host resolution to first check /etc/hosts before checking DNS, since the default in the absence of a config file (dns [!UNAVAIL=return] files) is quite unexpected.

It also creates an empty directory at /var/empty because it uses that as the home directory for the root and nobody users. The /var/empty directory can also be used as a chroot target to prevent file access in processes that do not need to access files, if your container runs such processes.

The user entries created by fakeNss use the /bin/sh shell, which is not provided by fakeNss because in most cases it won’t be used. If you need that to be available, see dockerTools.binSh or provide your own.

Inputs

fakeNss is made available in Nixpkgs as a package rather than a function, but it has two attributes that can be overridden and might be useful in particular cases. For more details on how overriding works, see Example 298 and the section called “<pkg>.override”.

extraPasswdLines (List of Strings; optional)

A list of lines that will be added to /etc/passwd. Useful if extra users need to exist in the output of fakeNss. If extraPasswdLines is specified, it will not override the root and nobody entries created by fakeNss. Those entries will always exist.

Lines specified here must follow the format in passwd(5).

Default value: [].

extraGroupLines (List of Strings; optional)

A list of lines that will be added to /etc/group. Useful if extra groups need to exist in the output of fakeNss. If extraGroupLines is specified, it will not override the root and nobody entries created by fakeNss. Those entries will always exist.

Lines specified here must follow the format in group(5).

Default value: [].

Examples

Example 297. Using fakeNss with dockerTools.buildImage

This example shows how to use fakeNss as-is. It is useful with functions in dockerTools to allow building Docker images that have the /etc/passwd and /etc/group files. This example includes the hello binary in the image so it can do something besides just have the extra files.

{ dockerTools, fakeNss, hello }:
dockerTools.buildImage {
  name = "image-with-passwd";
  tag = "latest";

  copyToRoot = [ fakeNss hello ];

  config = {
    Cmd = [ "/bin/hello" ];
  };
}

Example 298. Using fakeNss with an override to add extra lines

The following code uses override to add extra lines to /etc/passwd and /etc/group to create another user and group entry.

{ fakeNss }:
fakeNss.override {
  extraPasswdLines = ["newuser:x:9001:9001:new user:/var/empty:/bin/sh"];
  extraGroupLines = ["newuser:x:9001:"];
}

buildFHSEnv

buildFHSEnv provides a way to build and run FHS-compatible lightweight sandboxes. It creates an isolated root filesystem with the host’s /nix/store, so its footprint in terms of disk space is quite small. This allows you to run software which is hard or unfeasible to patch for NixOS; 3rd-party source trees with FHS assumptions, games distributed as tarballs, software with integrity checking and/or external self-updated binaries for instance. It uses Linux’ namespaces feature to create temporary lightweight environments which are destroyed after all child processes exit, without requiring elevated privileges. It works similar to containerisation technology such as Docker or FlatPak but provides no security-relevant separation from the host system.

Accepted arguments are:

  • name The name of the environment, and the wrapper executable if pname is unset.

  • pname The pname of the environment and the wrapper executable.

  • version The version of the environment.

  • targetPkgs Packages to be installed for the main host’s architecture (i.e. x86_64 on x86_64 installations). Along with libraries binaries are also installed.

  • multiPkgs Packages to be installed for all architectures supported by a host (i.e. i686 and x86_64 on x86_64 installations). Only libraries are installed by default.

  • multiArch Whether to install 32bit multiPkgs into the FHSEnv in 64bit environments

  • extraBuildCommands Additional commands to be executed for finalizing the directory structure.

  • extraBuildCommandsMulti Like extraBuildCommands, but executed only on multilib architectures.

  • extraOutputsToInstall Additional derivation outputs to be linked for both target and multi-architecture packages.

  • extraInstallCommands Additional commands to be executed for finalizing the derivation with runner script.

  • runScript A shell command to be executed inside the sandbox. It defaults to bash. Command line arguments passed to the resulting wrapper are appended to this command by default. This command must be escaped; i.e. "foo app" --do-stuff --with "some file". See lib.escapeShellArgs.

  • profile Optional script for /etc/profile within the sandbox.

You can create a simple environment using a shell.nix like this:

{ pkgs ? import <nixpkgs> {} }:

(pkgs.buildFHSEnv {
  name = "simple-x11-env";
  targetPkgs = pkgs: (with pkgs; [
    udev
    alsa-lib
  ]) ++ (with pkgs.xorg; [
    libX11
    libXcursor
    libXrandr
  ]);
  multiPkgs = pkgs: (with pkgs; [
    udev
    alsa-lib
  ]);
  runScript = "bash";
}).env

Running nix-shell on it would drop you into a shell inside an FHS env where those libraries and binaries are available in FHS-compliant paths. Applications that expect an FHS structure (i.e. proprietary binaries) can run inside this environment without modification. You can build a wrapper by running your binary in runScript, e.g. ./bin/start.sh. Relative paths work as expected.

Additionally, the FHS builder links all relocated gsettings-schemas (the glib setup-hook moves them to share/gsettings-schemas/${name}/glib-2.0/schemas) to their standard FHS location. This means you don’t need to wrap binaries with wrapGApps* hook.

pkgs.makeSetupHook

pkgs.makeSetupHook is a build helper that produces hooks that go in to nativeBuildInputs

Usage

pkgs.makeSetupHook {
  name = "something-hook";
  propagatedBuildInputs = [ pkgs.commandsomething ];
  depsTargetTargetPropagated = [ pkgs.libsomething ];
} ./script.sh;

setup hook that depends on the hello package and runs hello and @shell@ is substituted with path to bash

pkgs.makeSetupHook
  {
    name = "run-hello-hook";
    # Put dependencies here if they have hooks or necessary dependencies propagated
    # otherwise prefer direct paths to executables.
    propagatedBuildInputs = [
      pkgs.hello
      pkgs.cowsay
    ];
    substitutions = {
      shell = "${pkgs.bash}/bin/bash";
      cowsay = "${pkgs.cowsay}/bin/cowsay";
    };
  }
  (
    writeScript "run-hello-hook.sh" ''
      #!@shell@
      # the direct path to the executable has to be here because
      # this will be run when the file is sourced
      # at which point '$PATH' has not yet been populated with inputs
      @cowsay@ cow

      _printHelloHook() {
        hello
      }
      preConfigureHooks+=(_printHelloHook)
    ''
  );

Attributes

  • name Set the name of the hook.

  • propagatedBuildInputs Runtime dependencies (such as binaries) of the hook.

  • depsTargetTargetPropagated Non-binary dependencies.

  • meta

  • passthru

  • substitutions Variables for substituteAll

pkgs.mkShell

pkgs.mkShell is a specialized stdenv.mkDerivation that removes some repetition when using it with nix-shell (or nix develop).

Usage

Here is a common usage example:

{ pkgs ? import <nixpkgs> {} }:
pkgs.mkShell {
  packages = [ pkgs.gnumake ];

  inputsFrom = [ pkgs.hello pkgs.gnutar ];

  shellHook = ''
    export DEBUG=1
  '';
}

Attributes

  • name (default: nix-shell). Set the name of the derivation.

  • packages (default: []). Add executable packages to the nix-shell environment.

  • inputsFrom (default: []). Add build dependencies of the listed derivations to the nix-shell environment.

  • shellHook (default: ""). Bash statements that are executed by nix-shell.

… all the attributes of stdenv.mkDerivation.

Variants

pkgs.mkShellNoCC is a variant that uses stdenvNoCC instead of stdenv as base environment. This is useful if no C compiler is needed in the shell environment.

Building the shell

This derivation output will contain a text file that contains a reference to all the build inputs. This is useful in CI where we want to make sure that every derivation, and its dependencies, build properly. Or when creating a GC root so that the build dependencies don’t get garbage-collected.

vmTools

A set of VM related utilities, that help in building some packages in more advanced scenarios.

vmTools.createEmptyImage

A bash script fragment that produces a disk image at destination.

Attributes

  • size. The disk size, in MiB.

  • fullName. Name that will be written to ${destination}/nix-support/full-name.

  • destination (optional, default $out). Where to write the image files.

vmTools.runInLinuxVM

Run a derivation in a Linux virtual machine (using Qemu/KVM). By default, there is no disk image; the root filesystem is a tmpfs, and the Nix store is shared with the host (via the 9P protocol). Thus, any pure Nix derivation should run unmodified.

If the build fails and Nix is run with the -K/--keep-failed option, a script run-vm will be left behind in the temporary build directory that allows you to boot into the VM and debug it interactively.

Attributes

  • preVM (optional). Shell command to be evaluated before the VM is started (i.e., on the host).

  • memSize (optional, default 512). The memory size of the VM in MiB.

  • diskImage (optional). A file system image to be attached to /dev/sda. Note that currently we expect the image to contain a filesystem, not a full disk image with a partition table etc.

Examples

Build the derivation hello inside a VM:

{ pkgs }: with pkgs; with vmTools;
runInLinuxVM hello

Build inside a VM with extra memory:

{ pkgs }: with pkgs; with vmTools;
runInLinuxVM (hello.overrideAttrs (_: { memSize = 1024; }))

Use VM with a disk image (implicitly sets diskImage, see vmTools.createEmptyImage):

{ pkgs }: with pkgs; with vmTools;
runInLinuxVM (hello.overrideAttrs (_: {
  preVM = createEmptyImage {
    size = 1024;
    fullName = "vm-image";
  };
}))

vmTools.extractFs

Takes a file, such as an ISO, and extracts its contents into the store.

Attributes

  • file. Path to the file to be extracted. Note that currently we expect the image to contain a filesystem, not a full disk image with a partition table etc.

  • fs (optional). Filesystem of the contents of the file.

Examples

Extract the contents of an ISO file:

{ pkgs }: with pkgs; with vmTools;
extractFs { file = ./image.iso; }

vmTools.extractMTDfs

Like the section called “vmTools.extractFs, but it makes use of a Memory Technology Device (MTD).

vmTools.runInLinuxImage

Like the section called “vmTools.runInLinuxVM, but instead of using stdenv from the Nix store, run the build using the tools provided by /bin, /usr/bin, etc. from the specified filesystem image, which typically is a filesystem containing a FHS-based Linux distribution.

vmTools.makeImageTestScript

Generate a script that can be used to run an interactive session in the given image.

Examples

Create a script for running a Fedora 27 VM:

{ pkgs }: with pkgs; with vmTools;
makeImageTestScript diskImages.fedora27x86_64

Create a script for running an Ubuntu 20.04 VM:

{ pkgs }: with pkgs; with vmTools;
makeImageTestScript diskImages.ubuntu2004x86_64

vmTools.diskImageFuns

A set of functions that build a predefined set of minimal Linux distributions images.

Images

  • Fedora

    • fedora26x86_64

    • fedora27x86_64

  • CentOS

    • centos6i386

    • centos6x86_64

    • centos7x86_64

  • Ubuntu

    • ubuntu1404i386

    • ubuntu1404x86_64

    • ubuntu1604i386

    • ubuntu1604x86_64

    • ubuntu1804i386

    • ubuntu1804x86_64

    • ubuntu2004i386

    • ubuntu2004x86_64

    • ubuntu2204i386

    • ubuntu2204x86_64

  • Debian

    • debian10i386

    • debian10x86_64

    • debian11i386

    • debian11x86_64

    • debian12i386

    • debian12x86_64

Attributes

  • size (optional, defaults to 4096). The size of the image, in MiB.

  • extraPackages (optional). A list names of additional packages from the distribution that should be included in the image.

Examples

8GiB image containing Firefox in addition to the default packages:

{ pkgs }: with pkgs; with vmTools;
diskImageFuns.ubuntu2004x86_64 { extraPackages = [ "firefox" ]; size = 8192; }

vmTools.diskImageExtraFuns

Shorthand for vmTools.diskImageFuns.<attr> { extraPackages = ... }.

vmTools.diskImages

Shorthand for vmTools.diskImageFuns.<attr> { }.

pkgs.checkpointBuildTools

pkgs.checkpointBuildTools provides a way to build derivations incrementally. It consists of two functions to make checkpoint builds using Nix possible.

For hermeticity, Nix derivations do not allow any state to be carried over between builds, making a transparent incremental build within a derivation impossible.

However, we can tell Nix explicitly what the previous build state was, by representing that previous state as a derivation output. This allows the passed build state to be used for an incremental build.

To change a normal derivation to a checkpoint based build, these steps must be taken:

  • apply prepareCheckpointBuild on the desired derivation, e.g.

{
  checkpointArtifacts = (pkgs.checkpointBuildTools.prepareCheckpointBuild pkgs.virtualbox);
}
  • change something you want in the sources of the package, e.g. use a source override:

{
  changedVBox = pkgs.virtualbox.overrideAttrs (old: {
    src = path/to/vbox/sources;
  });
}
  • use mkCheckpointBuild changedVBox checkpointArtifacts

  • enjoy shorter build times

Example

{ pkgs ? import <nixpkgs> {} }:
let
  inherit (pkgs.checkpointBuildTools)
    prepareCheckpointBuild
    mkCheckpointBuild
    ;
  helloCheckpoint = prepareCheckpointBuild pkgs.hello;
  changedHello = pkgs.hello.overrideAttrs (_: {
    doCheck = false;
    patchPhase = ''
      sed -i 's/Hello, world!/Hello, Nix!/g' src/hello.c
    '';
  });
in mkCheckpointBuild changedHello helloCheckpoint

Images

This chapter describes tools for creating various types of images.

pkgs.appimageTools

pkgs.appimageTools is a set of functions for extracting and wrapping AppImage files. They are meant to be used if traditional packaging from source is infeasible, or if it would take too long. To quickly run an AppImage file, pkgs.appimage-run can be used as well.

Warning

The appimageTools API is unstable and may be subject to backwards-incompatible changes in the future.

Wrapping

Use wrapType2 to wrap any AppImage. This will create a FHS environment with many packages expected to exist for the AppImage to work. wrapType2 expects an argument with the src attribute, and either a name attribute or pname and version attributes.

It will eventually call into buildFHSEnv, and any extra attributes in the argument to wrapType2 will be passed through to it. This means that you can pass the extraInstallCommands attribute, for example, and it will have the same effect as described in buildFHSEnv.

Note

In the past, appimageTools provided both wrapType1 and wrapType2, to be used depending on the type of AppImage that was being wrapped. However, those were unified early 2020, meaning that both wrapType1 and wrapType2 have the same behaviour now.

Example 299. Wrapping an AppImage from GitHub
{ appimageTools, fetchurl }:
let
  pname = "nuclear";
  version = "0.6.30";

  src = fetchurl {
    url = "https://github.com/nukeop/nuclear/releases/download/v${version}/${pname}-v${version}.AppImage";
    hash = "sha256-he1uGC1M/nFcKpMM9JKY4oeexJcnzV0ZRxhTjtJz6xw=";
  };
in
appimageTools.wrapType2 {
  inherit pname version src;
}

The argument passed to wrapType2 can also contain an extraPkgs attribute, which allows you to include additional packages inside the FHS environment your AppImage is going to run in. extraPkgs must be a function that returns a list of packages. There are a few ways to learn which dependencies an application needs:

  • Looking through the extracted AppImage files, reading its scripts and running patchelf and ldd on its executables. This can also be done in appimage-run, by setting APPIMAGE_DEBUG_EXEC=bash.

  • Running strace -vfefile on the wrapped executable, looking for libraries that can’t be found.

Example 300. Wrapping an AppImage with extra packages
{ appimageTools, fetchurl }:
let
  pname = "irccloud";
  version = "0.16.0";

  src = fetchurl {
    url = "https://github.com/irccloud/irccloud-desktop/releases/download/v${version}/IRCCloud-${version}-linux-x86_64.AppImage";
    hash = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
  };
in appimageTools.wrapType2 {
  inherit pname version src;
  extraPkgs = pkgs: [ pkgs.at-spi2-core ];
}

Extracting

Use extract if you need to extract the contents of an AppImage. This is usually used in Nixpkgs to install extra files in addition to wrapping the AppImage. extract expects an argument with the src attribute, and either a name attribute or pname and version attributes.

Note

In the past, appimageTools provided both extractType1 and extractType2, to be used depending on the type of AppImage that was being extracted. However, those were unified early 2020, meaning that both extractType1 and extractType2 have the same behaviour as extract now.

Example 301. Extracting an AppImage to install extra files

This example was adapted from a real package in Nixpkgs to show how extract is usually used in combination with wrapType2. Note how appimageContents is used in extraInstallCommands to install additional files that were extracted from the AppImage.

{ appimageTools, fetchurl }:
let
  pname = "irccloud";
  version = "0.16.0";

  src = fetchurl {
    url = "https://github.com/irccloud/irccloud-desktop/releases/download/v${version}/IRCCloud-${version}-linux-x86_64.AppImage";
    hash = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
  };

  appimageContents = appimageTools.extract {
    inherit pname version src;
  };
in appimageTools.wrapType2 {
  inherit pname version src;

  extraPkgs = pkgs: [ pkgs.at-spi2-core ];

  extraInstallCommands = ''
    mv $out/bin/${pname}-${version} $out/bin/${pname}
    install -m 444 -D ${appimageContents}/irccloud.desktop $out/share/applications/irccloud.desktop
    install -m 444 -D ${appimageContents}/usr/share/icons/hicolor/512x512/apps/irccloud.png \
      $out/share/icons/hicolor/512x512/apps/irccloud.png
    substituteInPlace $out/share/applications/irccloud.desktop \
      --replace-fail 'Exec=AppRun' 'Exec=${pname}'
  '';
}

The argument passed to extract can also contain a postExtract attribute, which allows you to execute additional commands after the files are extracted from the AppImage. postExtract must be a string with commands to run.

Example 302. Extracting an AppImage to install extra files, using postExtract

This is a rewrite of Example 301 to use postExtract.

{ appimageTools, fetchurl }:
let
  pname = "irccloud";
  version = "0.16.0";

  src = fetchurl {
    url = "https://github.com/irccloud/irccloud-desktop/releases/download/v${version}/IRCCloud-${version}-linux-x86_64.AppImage";
    hash = "sha256-/hMPvYdnVB1XjKgU2v47HnVvW4+uC3rhRjbucqin4iI=";
  };

  appimageContents = appimageTools.extract {
    inherit pname version src;
    postExtract = ''
      substituteInPlace $out/irccloud.desktop --replace-fail 'Exec=AppRun' 'Exec=${pname}'
    '';
  };
in appimageTools.wrapType2 {
  inherit pname version src;

  extraPkgs = pkgs: [ pkgs.at-spi2-core ];

  extraInstallCommands = ''
    mv $out/bin/${pname}-${version} $out/bin/${pname}
    install -m 444 -D ${appimageContents}/irccloud.desktop $out/share/applications/irccloud.desktop
    install -m 444 -D ${appimageContents}/usr/share/icons/hicolor/512x512/apps/irccloud.png \
      $out/share/icons/hicolor/512x512/apps/irccloud.png
  '';
}

pkgs.dockerTools

pkgs.dockerTools is a set of functions for creating and manipulating Docker images according to the Docker Image Specification v1.3.0. Docker itself is not used to perform any of the operations done by these functions.

buildImage

This function builds a Docker-compatible repository tarball containing a single image. As such, the result is suitable for being loaded in Docker with docker image load (see Example 303 for how to do this).

This function will create a single layer for all files (and dependencies) that are specified in its argument. Only new dependencies that are not already in the existing layers will be copied. If you prefer to create multiple layers for the files and dependencies you want to add to the image, see the section called “buildLayeredImage” or the section called “streamLayeredImage” instead.

This function allows a script to be run during the layer generation process, allowing custom behaviour to affect the final results of the image (see the documentation of the runAsRoot and extraCommands attributes).

The resulting repository tarball will list a single image as specified by the name and tag attributes. By default, that image will use a static creation date (see documentation for the created attribute). This allows buildImage to produce reproducible images.

Tip

When running an image built with buildImage, you might encounter certain errors depending on what you included in the image, especially if you did not start with any base image.

If you encounter errors similar to getProtocolByName: does not exist (no such protocol name: tcp), you may need to add the contents of pkgs.iana-etc in the copyToRoot attribute. Similarly, if you encounter errors similar to Error_Protocol ("certificate has unknown CA",True,UnknownCa), you may need to add the contents of pkgs.cacert in the copyToRoot attribute.

Inputs

buildImage expects an argument with the following attributes:

name (String)

The name of the generated image.

tag (String or Null; optional)

Tag of the generated image. If null, the hash of the nix derivation will be used as the tag.

Default value: null.

fromImage (Path or Null; optional)

The repository tarball of an image to be used as the base for the generated image. It must be a valid Docker image, such as one exported by docker image save, or another image built with the dockerTools utility functions. This can be seen as an equivalent of FROM fromImage in a Dockerfile. A value of null can be seen as an equivalent of FROM scratch.

If specified, the layer created by buildImage will be appended to the layers defined in the base image, resulting in an image with at least two layers (one or more layers from the base image, and the layer created by buildImage). Otherwise, the resulting image with contain the single layer created by buildImage.

Note

Only Env configuration is inherited from the base image.

Default value: null.

fromImageName (String or Null; optional)

Used to specify the image within the repository tarball in case it contains multiple images. A value of null means that buildImage will use the first image available in the repository.

Note

This must be used with fromImageTag. Using only fromImageName without fromImageTag will make buildImage use the first image available in the repository.

Default value: null.

fromImageTag (String or Null; optional)

Used to specify the image within the repository tarball in case it contains multiple images. A value of null means that buildImage will use the first image available in the repository.

Note

This must be used with fromImageName. Using only fromImageTag without fromImageName will make buildImage use the first image available in the repository

Default value: null.

copyToRoot (Path, List of Paths, or Null; optional)

Files to add to the generated image. Anything that coerces to a path (e.g. a derivation) can also be used. This can be seen as an equivalent of ADD contents/ / in a Dockerfile.

Default value: null.

keepContentsDirlinks (Boolean; optional)

When adding files to the generated image (as specified by copyToRoot), this attribute controls whether to preserve symlinks to directories. If false, the symlinks will be transformed into directories. This behaves the same as rsync -k when keepContentsDirlinks is false, and the same as rsync -K when keepContentsDirlinks is true.

Default value: false.

runAsRoot (String or Null; optional)

A bash script that will run as root inside a VM that contains the existing layers of the base image and the new generated layer (including the files from copyToRoot). The script will be run with a working directory of /. This can be seen as an equivalent of RUN ... in a Dockerfile. A value of null means that this step in the image generation process will be skipped.

See Example 304 for how to work with this attribute.

Caution

Using this attribute requires the kvm device to be available, see system-features. If the kvm device isn’t available, you should consider using buildLayeredImage or streamLayeredImage instead. Those functions allow scripts to be run as root without access to the kvm device.

Note

At the time the script in runAsRoot is run, the files specified directly in copyToRoot will be present in the VM, but their dependencies might not be there yet. Copying their dependencies into the generated image is a step that happens after runAsRoot finishes running.

Default value: null.

extraCommands (String; optional)

A bash script that will run before the layer created by buildImage is finalised. The script will be run on some (opaque) working directory which will become / once the layer is created. This is similar to runAsRoot, but the script specified in extraCommands is not run as root, and does not involve creating a VM. It is simply run as part of building the derivation that outputs the layer created by buildImage.

See Example 305 for how to work with this attribute, and subtle differences compared to runAsRoot.

Default value: "".

config (Attribute Set or Null; optional)

Used to specify the configuration of the containers that will be started off the generated image. Must be an attribute set, with each attribute as listed in the Docker Image Specification v1.3.0.

Default value: null.

architecture (String; optional)

Used to specify the image architecture. This is useful for multi-architecture builds that don’t need cross compiling. If specified, its value should follow the OCI Image Configuration Specification, which should still be compatible with Docker. According to the linked specification, all possible values for $GOARCH in the Go docs should be valid, but will commonly be one of 386, amd64, arm, or arm64.

Default value: the same value from pkgs.go.GOARCH.

diskSize (Number; optional)

Controls the disk size (in megabytes) of the VM used to run the script specified in runAsRoot. This attribute is ignored if runAsRoot is null.

Default value: 1024.

buildVMMemorySize (Number; optional)

Controls the amount of memory (in megabytes) provisioned for the VM used to run the script specified in runAsRoot. This attribute is ignored if runAsRoot is null.

Default value: 512.

created (String; optional)

Specifies the time of creation of the generated image. This should be either a date and time formatted according to ISO-8601 or "now", in which case buildImage will use the current date.

See Example 306 for how to use "now".

Caution

Using "now" means that the generated image will not be reproducible anymore (because the date will always change whenever it’s built).

Default value: "1970-01-01T00:00:01Z".

uid (Number; optional)

The uid of the user that will own the files packed in the new layer built by buildImage.

Default value: 0.

gid (Number; optional)

The gid of the group that will own the files packed in the new layer built by buildImage.

Default value: 0.

compressor (String; optional)

Selects the algorithm used to compress the image.

Default value: "gz".
Possible values: "none", "gz", "zstd".

includeNixDB (Boolean; optional)

Populate the nix database in the image with the dependencies of copyToRoot. The main purpose is to be able to use nix commands in the container.

Caution

Be careful since this doesn’t work well in combination with fromImage. In particular, in a multi-layered image, only the Nix paths from the lower image will be in the database.

This also neglects to register the store paths that are pulled into the image as a dependency of one of the other values, but aren’t a dependency of copyToRoot.

Default value: false.

contents DEPRECATED

This attribute is deprecated, and users are encouraged to use copyToRoot instead.

Passthru outputs

buildImage defines a few passthru attributes:

buildArgs (Attribute Set)

The argument passed to buildImage itself. This allows you to inspect all attributes specified in the argument, as described above.

layer (Attribute Set)

The derivation with the layer created by buildImage. This allows easier inspection of the contents added by buildImage in the generated image.

imageTag (String)

The tag of the generated image. This is useful if no tag was specified in the attributes of the argument to buildImage, because an automatic tag will be used instead. imageTag allows you to retrieve the value of the tag used in this case.

Examples

Example 303. Building a Docker image

The following package builds a Docker image that runs the redis-server executable from the redis package. The Docker image will have name redis and tag latest.

{ dockerTools, buildEnv, redis }:
dockerTools.buildImage {
  name = "redis";
  tag = "latest";

  copyToRoot = buildEnv {
    name = "image-root";
    paths = [ redis ];
    pathsToLink = [ "/bin" ];
  };

  runAsRoot = ''
    mkdir -p /data
  '';

  config = {
    Cmd = [ "/bin/redis-server" ];
    WorkingDir = "/data";
    Volumes = { "/data" = { }; };
  };
}

The result of building this package is a .tar.gz file that can be loaded into Docker:

$ nix-build
(some output removed for clarity)
building '/nix/store/yw0adm4wpsw1w6j4fb5hy25b3arr9s1v-docker-image-redis.tar.gz.drv'...
Adding layer...
tar: Removing leading `/' from member names
Adding meta...
Cooking the image...
Finished.
/nix/store/p4dsg62inh9d2ksy3c7bv58xa851dasr-docker-image-redis.tar.gz

$ docker image load -i /nix/store/p4dsg62inh9d2ksy3c7bv58xa851dasr-docker-image-redis.tar.gz
(some output removed for clarity)
Loaded image: redis:latest

Example 304. Building a Docker image with runAsRoot

The following package builds a Docker image with the hello executable from the hello package. It uses runAsRoot to create a directory and a file inside the image.

This works the same as Example 305, but uses runAsRoot instead of extraCommands.

{ dockerTools, buildEnv, hello }:
dockerTools.buildImage {
  name = "hello";
  tag = "latest";

  copyToRoot = buildEnv {
    name = "image-root";
    paths = [ hello ];
    pathsToLink = [ "/bin" ];
  };

  runAsRoot = ''
    mkdir -p /data
    echo "some content" > my-file
  '';

  config = {
    Cmd = [ "/bin/hello" ];
    WorkingDir = "/data";
  };
}

Example 305. Building a Docker image with extraCommands

The following package builds a Docker image with the hello executable from the hello package. It uses extraCommands to create a directory and a file inside the image.

This works the same as Example 304, but uses extraCommands instead of runAsRoot. Note that with extraCommands, we can’t directly reference / and must create files and directories as if we were already on /.

{ dockerTools, buildEnv, hello }:
dockerTools.buildImage {
  name = "hello";
  tag = "latest";

  copyToRoot = buildEnv {
    name = "image-root";
    paths = [ hello ];
    pathsToLink = [ "/bin" ];
  };

  extraCommands = ''
    mkdir -p data
    echo "some content" > my-file
  '';

  config = {
    Cmd = [ "/bin/hello" ];
    WorkingDir = "/data";
  };
}

Example 306. Building a Docker image with a creation date set to the current time

Note that using a value of "now" in the created attribute will break reproducibility.

{ dockerTools, buildEnv, hello }:
dockerTools.buildImage {
  name = "hello";
  tag = "latest";

  created = "now";

  copyToRoot = buildEnv {
    name = "image-root";
    paths = [ hello ];
    pathsToLink = [ "/bin" ];
  };

  config.Cmd = [ "/bin/hello" ];
}

After importing the generated repository tarball with Docker, its CLI will display a reasonable date and sort the images as expected:

$ docker image ls
REPOSITORY   TAG      IMAGE ID       CREATED              SIZE
hello        latest   de2bf4786de6   About a minute ago   25.2MB

buildLayeredImage

buildLayeredImage uses streamLayeredImage underneath to build a compressed Docker-compatible repository tarball. Basically, buildLayeredImage runs the script created by streamLayeredImage to save the compressed image in the Nix store. buildLayeredImage supports the same options as streamLayeredImage, see streamLayeredImage for details.

Note

Despite the similar name, buildImage works completely differently from buildLayeredImage and streamLayeredImage.

Even though some of the arguments may seem related, they cannot be interchanged.

You can load the result of this function in Docker with docker image load. See Example 307 to see how to do that.

Examples

Example 307. Building a layered Docker image

The following package builds a layered Docker image that runs the hello executable from the hello package. The Docker image will have name hello and tag latest.

{ dockerTools, hello }:
dockerTools.buildLayeredImage {
  name = "hello";
  tag = "latest";

  contents = [ hello ];

  config.Cmd = [ "/bin/hello" ];
}

The result of building this package is a .tar.gz file that can be loaded into Docker:

$ nix-build
(some output removed for clarity)
building '/nix/store/bk8bnrbw10nq7p8pvcmdr0qf57y6scha-hello.tar.gz.drv'...
No 'fromImage' provided
Creating layer 1 from paths: ['/nix/store/i93s7xxblavsacpy82zdbn4kplsyq48l-libunistring-1.1']
Creating layer 2 from paths: ['/nix/store/ji01n9vinnj22nbrb86nx8a1ssgpilx8-libidn2-2.3.4']
Creating layer 3 from paths: ['/nix/store/ldrslljw4rg026nw06gyrdwl78k77vyq-xgcc-12.3.0-libgcc']
Creating layer 4 from paths: ['/nix/store/9y8pmvk8gdwwznmkzxa6pwyah52xy3nk-glibc-2.38-27']
Creating layer 5 from paths: ['/nix/store/zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1']
Creating layer 6 with customisation...
Adding manifests...
Done.
/nix/store/hxcz7snvw7f8rzhbh6mv8jq39d992905-hello.tar.gz

$ docker image load -i /nix/store/hxcz7snvw7f8rzhbh6mv8jq39d992905-hello.tar.gz
(some output removed for clarity)
Loaded image: hello:latest

streamLayeredImage

streamLayeredImage builds a script which, when run, will stream to stdout a Docker-compatible repository tarball containing a single image, using multiple layers to improve sharing between images. This means that streamLayeredImage does not output an image into the Nix store, but only a script that builds the image, saving on IO and disk/cache space, particularly with large images.

You can load the result of this function in Docker with docker image load. See Example 308 to see how to do that.

For this function, you specify a store path or a list of store paths to be added to the image, and the functions will automatically include any dependencies of those paths in the image. The function will attempt to create one layer per object in the Nix store that needs to be added to the image. In case there are more objects to include than available layers, the function will put the most “popular” objects in their own layers, and group all remaining objects into a single layer.

An additional layer will be created with symlinks to the store paths you specified to be included in the image. These symlinks are built with symlinkJoin, so they will be included in the root of the image. See Example 309 to understand how these symlinks are laid out in the generated image.

streamLayeredImage allows scripts to be run when creating the additional layer with symlinks, allowing custom behaviour to affect the final results of the image (see the documentation of the extraCommands and fakeRootCommands attributes).

The resulting repository tarball will list a single image as specified by the name and tag attributes. By default, that image will use a static creation date (see documentation for the created and mtime attributes). This allows the function to produce reproducible images.

Inputs

streamLayeredImage expects one argument with the following attributes:

name (String)

The name of the generated image.

tag (String or Null; optional)

Tag of the generated image. If null, the hash of the nix derivation will be used as the tag.

Default value: null.

fromImage(Path or Null; optional)

The repository tarball of an image to be used as the base for the generated image. It must be a valid Docker image, such as one exported by docker image save, or another image built with the dockerTools utility functions. This can be seen as an equivalent of FROM fromImage in a Dockerfile. A value of null can be seen as an equivalent of FROM scratch.

If specified, the created layers will be appended to the layers defined in the base image.

Default value: null.

contents (Path or List of Paths; optional)

Directories whose contents will be added to the generated image. Things that coerce to paths (e.g. a derivation) can also be used. This can be seen as an equivalent of ADD contents/ / in a Dockerfile.

All the contents specified by contents will be added as a final layer in the generated image. They will be added as links to the actual files (e.g. links to the store paths). The actual files will be added in previous layers.

Default value: []

config (Attribute Set or Null; optional)

Used to specify the configuration of the containers that will be started off the generated image. Must be an attribute set, with each attribute as listed in the Docker Image Specification v1.3.0.

If any packages are used directly in config, they will be automatically included in the generated image. See Example 310 for an example.

Default value: null.

architecture (String; optional)

Used to specify the image architecture. This is useful for multi-architecture builds that don’t need cross compiling. If specified, its value should follow the OCI Image Configuration Specification, which should still be compatible with Docker. According to the linked specification, all possible values for $GOARCH in the Go docs should be valid, but will commonly be one of 386, amd64, arm, or arm64.

Default value: the same value from pkgs.go.GOARCH.

created (String; optional)

Specifies the time of creation of the generated image. This date will be used for the image metadata. This should be either a date and time formatted according to ISO-8601 or "now", in which case the current date will be used.

Caution

Using "now" means that the generated image will not be reproducible anymore (because the date will always change whenever it’s built).

Default value: "1970-01-01T00:00:01Z".

mtime (String; optional)

Specifies the time used for the modification timestamp of files within the layers of the generated image. This should be either a date and time formatted according to ISO-8601 or "now", in which case the current date will be used.

Caution

Using a non-constant date will cause built layers to have a different hash each time, preventing deduplication. Using "now" also means that the generated image will not be reproducible anymore (because the date will always change whenever it’s built).

Default value: "1970-01-01T00:00:01Z".

uid (Number; optional) gid (Number; optional) uname (String; optional) gname (String; optional)

: Credentials for Nix store ownership. Can be overridden to e.g. 1000 / 1000 / "user" / "user" to enable building a container where Nix can be used as an unprivileged user in single-user mode.

Default value: 0 / 0 / "root" / "root"

maxLayers (Number; optional)

The maximum number of layers that will be used by the generated image. If a fromImage was specified, the number of layers used by fromImage will be subtracted from maxLayers to ensure that the image generated will have at most maxLayers.

Caution

Depending on the tool/runtime where the image will be used, there might be a limit to the number of layers that an image can have. For Docker, see this issue on GitHub.

Default value: 100.

extraCommands (String; optional)

A bash script that will run in the context of the layer created with the contents specified by contents. At the moment this script runs, only the contents directly specified by contents will be available as links.

Default value: "".

fakeRootCommands (String; optional)

A bash script that will run in the context of the layer created with the contents specified by contents. During the process to generate that layer, the script in extraCommands will be run first, if specified. After that, a fakeroot(1) environment will be entered. The script specified in fakeRootCommands runs inside the fakeroot environment, and the layer is then generated from the view of the files inside the fakeroot environment.

This is useful to change the owners of the files in the layer (by running chown, for example), or performing any other privileged operations related to file manipulation (by default, all files in the layer will be owned by root, and the build environment doesn’t have enough privileges to directly perform privileged operations on these files).

For more details, see the manpage for fakeroot(1).

Caution

Due to how fakeroot works, static binaries cannot perform privileged file operations in fakeRootCommands, unless enableFakechroot is set to true.

Default value: "".

enableFakechroot (Boolean; optional)

By default, the script specified in fakeRootCommands only runs inside a fakeroot environment. If enableFakechroot is true, a more complete chroot environment will be created using proot before running the script in fakeRootCommands. Files in the Nix store will be available. This allows scripts that perform installation in / to work as expected. This can be seen as an equivalent of RUN ... in a Dockerfile.

Default value: false

includeStorePaths (Boolean; optional)

The files specified in contents are put into layers in the generated image. If includeStorePaths is false, the actual files will not be included in the generated image, and only links to them will be added instead. It is not recommended to set this to false unless you have other tooling to insert the store paths via other means (such as bind mounting the host store) when running containers with the generated image. If you don’t provide any extra tooling, the generated image won’t run properly.

See Example 309 to understand the impact of setting includeStorePaths to false.

Default value: true

includeNixDB (Boolean; optional)

Populate the nix database in the image with the dependencies of copyToRoot. The main purpose is to be able to use nix commands in the container.

Caution

Be careful since this doesn’t work well in combination with fromImage. In particular, in a multi-layered image, only the Nix paths from the lower image will be in the database.

This also neglects to register the store paths that are pulled into the image as a dependency of one of the other values, but aren’t a dependency of copyToRoot.

Default value: false.

passthru (Attribute Set; optional)

Use this to pass any attributes as passthru for the resulting derivation.

Default value: {}

Passthru outputs

streamLayeredImage also defines its own passthru attributes:

imageTag (String)

The tag of the generated image. This is useful if no tag was specified in the attributes of the argument to the function, because an automatic tag will be used instead. imageTag allows you to retrieve the value of the tag used in this case.

Examples

Example 308. Streaming a layered Docker image

The following package builds a script which, when run, will stream a layered Docker image that runs the hello executable from the hello package. The Docker image will have name hello and tag latest.

{ dockerTools, hello }:
dockerTools.streamLayeredImage {
  name = "hello";
  tag = "latest";

  contents = [ hello ];

  config.Cmd = [ "/bin/hello" ];
}

The result of building this package is a script. Running this script and piping it into docker image load gives you the same image that was built in Example 307. Note that in this case, the image is never added to the Nix store, but instead streamed directly into Docker.

$ nix-build
(output removed for clarity)
/nix/store/wsz2xl8ckxnlb769irvq6jv1280dfvxd-stream-hello

$ /nix/store/wsz2xl8ckxnlb769irvq6jv1280dfvxd-stream-hello | docker image load
No 'fromImage' provided
Creating layer 1 from paths: ['/nix/store/i93s7xxblavsacpy82zdbn4kplsyq48l-libunistring-1.1']
Creating layer 2 from paths: ['/nix/store/ji01n9vinnj22nbrb86nx8a1ssgpilx8-libidn2-2.3.4']
Creating layer 3 from paths: ['/nix/store/ldrslljw4rg026nw06gyrdwl78k77vyq-xgcc-12.3.0-libgcc']
Creating layer 4 from paths: ['/nix/store/9y8pmvk8gdwwznmkzxa6pwyah52xy3nk-glibc-2.38-27']
Creating layer 5 from paths: ['/nix/store/zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1']
Creating layer 6 with customisation...
Adding manifests...
Done.
(some output removed for clarity)
Loaded image: hello:latest

Example 309. Exploring the layers in an image built with streamLayeredImage

Assume the following package, which builds a layered Docker image with the hello package.

{ dockerTools, hello }:
dockerTools.streamLayeredImage {
  name = "hello";
  contents = [ hello ];
}

The hello package depends on 4 other packages:

$ nix-store --query -R $(nix-build -A hello)
/nix/store/i93s7xxblavsacpy82zdbn4kplsyq48l-libunistring-1.1
/nix/store/ji01n9vinnj22nbrb86nx8a1ssgpilx8-libidn2-2.3.4
/nix/store/ldrslljw4rg026nw06gyrdwl78k77vyq-xgcc-12.3.0-libgcc
/nix/store/9y8pmvk8gdwwznmkzxa6pwyah52xy3nk-glibc-2.38-27
/nix/store/zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1

This means that all these packages will be included in the image generated by streamLayeredImage. It will put each package in its own layer, for a total of 5 layers with actual files in them. A final layer will be created only with symlinks for the hello package.

The image generated will have the following directory structure (some directories were collapsed for readability):

├── bin
│   └── hello → /nix/store/zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1/bin/hello
├── nix
│   └── store
│       ├─⊕ 9y8pmvk8gdwwznmkzxa6pwyah52xy3nk-glibc-2.38-27
│       ├─⊕ i93s7xxblavsacpy82zdbn4kplsyq48l-libunistring-1.1
│       ├─⊕ ji01n9vinnj22nbrb86nx8a1ssgpilx8-libidn2-2.3.4
│       ├─⊕ ldrslljw4rg026nw06gyrdwl78k77vyq-xgcc-12.3.0-libgcc
│       └─⊕ zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1
└── share
    ├── info
    │   └── hello.info → /nix/store/zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1/share/info/hello.info
    ├─⊕ locale
    └── man
        └── man1
            └── hello.1.gz → /nix/store/zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1/share/man/man1/hello.1.gz

Each of the packages in /nix/store comes from a layer in the image. The final layer adds the /bin and /share directories, but they only contain links to the actual files in /nix/store.

If our package sets includeStorePaths to false, we’ll end up with only the final layer with the links, but the actual files won’t exist in the image:

{ dockerTools, hello }:
dockerTools.streamLayeredImage {
  name = "hello";
  contents = [ hello ];
  includeStorePaths = false;
}

After building this package, the image will have the following directory structure:

├── bin
│   └── hello → /nix/store/zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1/bin/hello
└── share
    ├── info
    │   └── hello.info → /nix/store/zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1/share/info/hello.info
    ├─⊕ locale
    └── man
        └── man1
            └── hello.1.gz → /nix/store/zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1/share/man/man1/hello.1.gz

Note how the links point to paths in /nix/store, but they’re not included in the image itself. This is why you need extra tooling when using includeStorePaths: a container created from such image won’t find any of the files it needs to run otherwise.


Example 310. Building a layered Docker image with packages directly in config

The closure of config is automatically included in the generated image. The following package shows a more compact way to create the same output generated in Example 308.

{ dockerTools, hello, lib }:
dockerTools.streamLayeredImage {
  name = "hello";
  tag = "latest";
  config.Cmd = [ "${lib.getExe hello}" ];
}

pullImage

This function is similar to the docker image pull command, which means it can be used to pull a Docker image from a registry that implements the Docker Registry HTTP API V2. By default, the docker.io registry is used.

The image will be downloaded as an uncompressed Docker-compatible repository tarball, which is suitable for use with other dockerTools functions such as buildImage, buildLayeredImage, and streamLayeredImage.

This function requires two different types of hashes/digests to be specified:

  • One of them is used to identify a unique image within the registry (see the documentation for the imageDigest attribute).

  • The other is used by Nix to ensure the contents of the output haven’t changed (see the documentation for the sha256 attribute).

Both hashes are required because they must uniquely identify some content in two completely different systems (the Docker registry and the Nix store), but their values will not be the same. See Example 313 for a tool that can help gather these values.

Inputs

pullImage expects a single argument with the following attributes:

imageName (String)

Specifies the name of the image to be downloaded, as well as the registry endpoint. By default, the docker.io registry is used. To specify a different registry, prepend the endpoint to imageName, separated by a slash (/). See Example 312 for how to do that.

imageDigest (String)

Specifies the digest of the image to be downloaded.

Tip

Why can’t I specify a tag to pull from, and have to use a digest instead?

Tags are often updated to point to different image contents. The most common example is the latest tag, which is usually updated whenever a newer image version is available.

An image tag isn’t enough to guarantee the contents of an image won’t change, but a digest guarantees this. Providing a digest helps ensure that you will still be able to build the same Nix code and get the same output even if newer versions of an image are released.

sha256 (String)

The hash of the image after it is downloaded. Internally, this is passed to the outputHash attribute of the resulting derivation. This is needed to provide a guarantee to Nix that the contents of the image haven’t changed, because Nix doesn’t support the value in imageDigest.

finalImageName (String; optional)

Specifies the name that will be used for the image after it has been downloaded. This only applies after the image is downloaded, and is not used to identify the image to be downloaded in the registry. Use imageName for that instead.

Default value: the same value specified in imageName.

finalImageTag (String; optional)

Specifies the tag that will be used for the image after it has been downloaded. This only applies after the image is downloaded, and is not used to identify the image to be downloaded in the registry.

Default value: "latest".

os (String; optional)

Specifies the operating system of the image to pull. If specified, its value should follow the OCI Image Configuration Specification, which should still be compatible with Docker. According to the linked specification, all possible values for $GOOS in the Go docs should be valid, but will commonly be one of darwin or linux.

Default value: "linux".

arch (String; optional)

Specifies the architecture of the image to pull. If specified, its value should follow the OCI Image Configuration Specification, which should still be compatible with Docker. According to the linked specification, all possible values for $GOARCH in the Go docs should be valid, but will commonly be one of 386, amd64, arm, or arm64.

Default value: the same value from pkgs.go.GOARCH.

tlsVerify (Boolean; optional)

Used to enable or disable HTTPS and TLS certificate verification when communicating with the chosen Docker registry. Setting this to false will make pullImage connect to the registry through HTTP.

Default value: true.

name (String; optional)

The name used for the output in the Nix store path.

Default value: a value derived from finalImageName and finalImageTag, with some symbols replaced. It is recommended to treat the default as an opaque value.

Examples

Example 311. Pulling the nixos/nix Docker image from the default registry

This example pulls the nixos/nix image and saves it in the Nix store.

{ dockerTools }:
dockerTools.pullImage {
  imageName = "nixos/nix";
  imageDigest = "sha256:b8ea88f763f33dfda2317b55eeda3b1a4006692ee29e60ee54ccf6d07348c598";
  finalImageName = "nix";
  finalImageTag = "2.19.3";
  sha256 = "zRwlQs1FiKrvHPaf8vWOR/Tlp1C5eLn1d9pE4BZg3oA=";
}

Example 312. Pulling the nixos/nix Docker image from a specific registry

This example pulls the coreos/etcd image from the quay.io registry.

{ dockerTools }:
dockerTools.pullImage {
  imageName = "quay.io/coreos/etcd";
  imageDigest = "sha256:24a23053f29266fb2731ebea27f915bb0fb2ae1ea87d42d890fe4e44f2e27c5d";
  finalImageName = "etcd";
  finalImageTag = "v3.5.11";
  sha256 = "Myw+85f2/EVRyMB3axECdmQ5eh9p1q77FWYKy8YpRWU=";
}

Example 313. Finding the digest and hash values to use for dockerTools.pullImage

Since dockerTools.pullImage requires two different hashes, one can run the nix-prefetch-docker tool to find out the values for the hashes. The tool outputs some text for an attribute set which you can pass directly to pullImage.

$ nix run nixpkgs#nix-prefetch-docker -- --image-name nixos/nix --image-tag 2.19.3 --arch amd64 --os linux
(some output removed for clarity)
Writing manifest to image destination
-> ImageName: nixos/nix
-> ImageDigest: sha256:498fa2d7f2b5cb3891a4edf20f3a8f8496e70865099ba72540494cd3e2942634
-> FinalImageName: nixos/nix
-> FinalImageTag: latest
-> ImagePath: /nix/store/4mxy9mn6978zkvlc670g5703nijsqc95-docker-image-nixos-nix-latest.tar
-> ImageHash: 1q6cf2pdrasa34zz0jw7pbs6lvv52rq2aibgxccbwcagwkg2qj1q
{
  imageName = "nixos/nix";
  imageDigest = "sha256:498fa2d7f2b5cb3891a4edf20f3a8f8496e70865099ba72540494cd3e2942634";
  sha256 = "1q6cf2pdrasa34zz0jw7pbs6lvv52rq2aibgxccbwcagwkg2qj1q";
  finalImageName = "nixos/nix";
  finalImageTag = "latest";
}

It is important to supply the --arch and --os arguments to nix-prefetch-docker to filter to a single image, in case there are multiple architectures and/or operating systems supported by the image name and tags specified. By default, nix-prefetch-docker will set os to linux and arch to amd64.

Run nix-prefetch-docker --help for a list of all supported arguments:

$ nix run nixpkgs#nix-prefetch-docker -- --help
(output removed for clarity)

exportImage

This function is similar to the docker container export command, which means it can be used to export an image’s filesystem as an uncompressed tarball archive. The difference is that docker container export is applied to containers, but dockerTools.exportImage applies to Docker images. The resulting archive will not contain any image metadata (such as command to run with docker container run), only the filesystem contents.

You can use this function to import an archive in Docker with docker image import. See Example 315 to understand how to do that.

Caution

exportImage works by unpacking the given image inside a VM. Because of this, using this function requires the kvm device to be available, see system-features.

Inputs

exportImage expects an argument with the following attributes:

fromImage (Attribute Set or String)

The repository tarball of the image whose filesystem will be exported. It must be a valid Docker image, such as one exported by docker image save, or another image built with the dockerTools utility functions.

If name is not specified, fromImage must be an Attribute Set corresponding to a derivation, i.e. it can’t be a path to a tarball. If name is specified, fromImage can be either an Attribute Set corresponding to a derivation or simply a path to a tarball.

See Example 316 and Example 317 to understand the connection between fromImage, name, and the name used for the output of exportImage.

fromImageName (String or Null; optional)

Used to specify the image within the repository tarball in case it contains multiple images. A value of null means that exportImage will use the first image available in the repository.

Note

This must be used with fromImageTag. Using only fromImageName without fromImageTag will make exportImage use the first image available in the repository.

Default value: null.

fromImageTag (String or Null; optional)

Used to specify the image within the repository tarball in case it contains multiple images. A value of null means that exportImage will use the first image available in the repository.

Note

This must be used with fromImageName. Using only fromImageTag without fromImageName will make exportImage use the first image available in the repository

Default value: null.

diskSize (Number; optional)

Controls the disk size (in megabytes) of the VM used to unpack the image.

Default value: 1024.

name (String; optional)

The name used for the output in the Nix store path.

Default value: the value of fromImage.name.

Examples

Example 314. Exporting a Docker image with dockerTools.exportImage

This example first builds a layered image with dockerTools.buildLayeredImage, and then exports its filesystem with dockerTools.exportImage.

{ dockerTools, hello }:
dockerTools.exportImage {
  name = "hello";
  fromImage = dockerTools.buildLayeredImage {
    name = "hello";
    contents = [ hello ];
  };
}

When building the package above, we can see the layers of the Docker image being unpacked to produce the final output:

$ nix-build
(some output removed for clarity)
Unpacking base image...
From-image name or tag wasn't set. Reading the first ID.
Unpacking layer 5731199219418f175d1580dbca05677e69144425b2d9ecb60f416cd57ca3ca42/layer.tar
tar: Removing leading `/' from member names
Unpacking layer e2897bf34bb78c4a65736510204282d9f7ca258ba048c183d665bd0f3d24c5ec/layer.tar
tar: Removing leading `/' from member names
Unpacking layer 420aa5876dca4128cd5256da7dea0948e30ef5971712f82601718cdb0a6b4cda/layer.tar
tar: Removing leading `/' from member names
Unpacking layer ea5f4e620e7906c8ecbc506b5e6f46420e68d4b842c3303260d5eb621b5942e5/layer.tar
tar: Removing leading `/' from member names
Unpacking layer 65807b9abe8ab753fa97da8fb74a21fcd4725cc51e1b679c7973c97acd47ebcf/layer.tar
tar: Removing leading `/' from member names
Unpacking layer b7da2076b60ebc0ea6824ef641978332b8ac908d47b2d07ff31b9cc362245605/layer.tar
Executing post-mount steps...
Packing raw image...
[    1.660036] reboot: Power down
/nix/store/x6a5m7c6zdpqz1d8j7cnzpx9glzzvd2h-hello

The following command lists some of the contents of the output to verify that the structure of the archive is as expected:

$ tar --exclude '*/share/*' --exclude 'nix/store/*/*' -tvf /nix/store/x6a5m7c6zdpqz1d8j7cnzpx9glzzvd2h-hello
drwxr-xr-x root/0            0 1979-12-31 16:00 ./
drwxr-xr-x root/0            0 1979-12-31 16:00 ./bin/
lrwxrwxrwx root/0            0 1979-12-31 16:00 ./bin/hello -> /nix/store/h92a9jd0lhhniv2q417hpwszd4jhys7q-hello-2.12.1/bin/hello
dr-xr-xr-x root/0            0 1979-12-31 16:00 ./nix/
dr-xr-xr-x root/0            0 1979-12-31 16:00 ./nix/store/
dr-xr-xr-x root/0            0 1979-12-31 16:00 ./nix/store/05zbwhz8a7i2v79r9j21pl6m6cj0xi8k-libunistring-1.1/
dr-xr-xr-x root/0            0 1979-12-31 16:00 ./nix/store/ayg5rhjhi9ic73hqw33mjqjxwv59ndym-xgcc-13.2.0-libgcc/
dr-xr-xr-x root/0            0 1979-12-31 16:00 ./nix/store/h92a9jd0lhhniv2q417hpwszd4jhys7q-hello-2.12.1/
dr-xr-xr-x root/0            0 1979-12-31 16:00 ./nix/store/m59xdgkgnjbk8kk6k6vbxmqnf82mk9s0-libidn2-2.3.4/
dr-xr-xr-x root/0            0 1979-12-31 16:00 ./nix/store/p3jshbwxiwifm1py0yq544fmdyy98j8a-glibc-2.38-27/
drwxr-xr-x root/0            0 1979-12-31 16:00 ./share/

Example 315. Importing an archive built with dockerTools.exportImage in Docker

We will use the same package from Example 314 and import it into Docker.

{ dockerTools, hello }:
dockerTools.exportImage {
  name = "hello";
  fromImage = dockerTools.buildLayeredImage {
    name = "hello";
    contents = [ hello ];
  };
}

Building and importing it into Docker:

$ nix-build
(output removed for clarity)
/nix/store/x6a5m7c6zdpqz1d8j7cnzpx9glzzvd2h-hello
$ docker image import /nix/store/x6a5m7c6zdpqz1d8j7cnzpx9glzzvd2h-hello
sha256:1d42dba415e9b298ea0decf6497fbce954de9b4fcb2984f91e307c8fedc1f52f
$ docker image ls
REPOSITORY                              TAG                IMAGE ID       CREATED         SIZE
<none>                                  <none>             1d42dba415e9   4 seconds ago   32.6MB

Example 316. Exploring output naming with dockerTools.exportImage

exportImage does not require a name attribute if fromImage is a derivation, which means that the following works:

{ dockerTools, hello }:
dockerTools.exportImage {
  fromImage = dockerTools.buildLayeredImage {
    name = "hello";
    contents = [ hello ];
  };
}

However, since dockerTools.buildLayeredImage’s output ends with .tar.gz, the output of exportImage will also end with .tar.gz, even though the archive created with exportImage is uncompressed:

$ nix-build
(output removed for clarity)
/nix/store/by3f40xvc4l6bkis74l0fj4zsy0djgkn-hello.tar.gz
$ file /nix/store/by3f40xvc4l6bkis74l0fj4zsy0djgkn-hello.tar.gz
/nix/store/by3f40xvc4l6bkis74l0fj4zsy0djgkn-hello.tar.gz: POSIX tar archive (GNU)

If the archive was actually compressed, the output of file would’ve mentioned that fact. Because of this, it may be important to set a proper name attribute when using exportImage with other functions from dockerTools.


Example 317. Using dockerTools.exportImage with a path as fromImage

It is possible to use a path as the value of the fromImage attribute when calling dockerTools.exportImage. However, when doing so, a name attribute MUST be specified, or you’ll encounter an error when evaluating the Nix code.

For this example, we’ll assume a Docker tarball image named image.tar.gz exists in the same directory where our package is defined:

{ dockerTools }:
dockerTools.exportImage {
  name = "filesystem.tar";
  fromImage = ./image.tar.gz;
}

Building this will give us the expected output:

$ nix-build
(output removed for clarity)
/nix/store/w13l8h3nlkg0zv56k7rj0ai0l2zlf7ss-filesystem.tar

If you don’t specify a name attribute, you’ll encounter an evaluation error and the package won’t build.


Environment Helpers

When building Docker images with Nix, you might also want to add certain files that are expected to be available globally by the software you’re packaging. Simple examples are the env utility in /usr/bin/env, or trusted root TLS/SSL certificates. Such files will most likely not be included if you’re building a Docker image from scratch with Nix, and they might also not be included if you’re starting from a Docker image that doesn’t include them. The helpers in this section are packages that provide some of these commonly-needed global files.

Most of these helpers are packages, which means you have to add them to the list of contents to be included in the image (this changes depending on the function you’re using to build the image). Example 318 and Example 319 show how to include these packages on dockerTools functions that build an image. For more details on how that works, see the documentation for the function you’re using.

usrBinEnv

This provides the env utility at /usr/bin/env. This is currently implemented by linking to the env binary from the coreutils package, but is considered an implementation detail that could change in the future.

binSh

This provides a /bin/sh link to the bash binary from the bashInteractive package. Because of this, it supports cases such as running a command interactively in a container (for example by running docker container run -it <image_name>).

caCertificates

This adds trusted root TLS/SSL certificates from the cacert package in multiple locations in an attempt to be compatible with binaries built for multiple Linux distributions. The locations currently used are:

  • /etc/ssl/certs/ca-bundle.crt

  • /etc/ssl/certs/ca-certificates.crt

  • /etc/pki/tls/certs/ca-bundle.crt

fakeNss

This is a re-export of the fakeNss package from Nixpkgs. See the section called “fakeNss”.

shadowSetup

This is a string containing a script that sets up files needed for shadow to work (using the shadow package from Nixpkgs), and alters PATH to make all its utilities available in the same script. It is intended to be used with other dockerTools functions in attributes that expect scripts. After the script in shadowSetup runs, you’ll then be able to add more commands that make use of the utilities in shadow, such as adding any extra users and/or groups. See Example 320 and Example 321 to better understand how to use it.

shadowSetup achieves a result similar to fakeNss, but only sets up a root user with different values for the home directory and the shell to use, in addition to setting up files for PAM and a login.defs(5) file.

Caution

Using both fakeNss and shadowSetup at the same time will either cause your build to break or produce unexpected results. Use either fakeNss or shadowSetup depending on your use case, but avoid using both.

Note

When used with buildLayeredImage or streamLayeredImage, you will have to set the enableFakechroot attribute to true, or else the script in shadowSetup won’t run properly. See Example 321.

Examples

Example 318. Using dockerTools’s environment helpers with buildImage

This example adds the binSh helper to a basic Docker image built with dockerTools.buildImage. This helper makes it possible to enter a shell inside the container. This is the buildImage equivalent of Example 319.

{ dockerTools, hello }:
dockerTools.buildImage {
  name = "env-helpers";
  tag = "latest";

  copyToRoot = [
    hello
    dockerTools.binSh
  ];
}

After building the image and loading it in Docker, we can create a container based on it and enter a shell inside the container. This is made possible by binSh.

$ nix-build
(some output removed for clarity)
/nix/store/2p0i3i04cgjlk71hsn7ll4kxaxxiv4qg-docker-image-env-helpers.tar.gz
$ docker image load -i /nix/store/2p0i3i04cgjlk71hsn7ll4kxaxxiv4qg-docker-image-env-helpers.tar.gz
(output removed for clarity)
$ docker container run --rm -it env-helpers:latest /bin/sh
sh-5.2# help
GNU bash, version 5.2.21(1)-release (x86_64-pc-linux-gnu)
(rest of output removed for clarity)

Example 319. Using dockerTools’s environment helpers with buildLayeredImage

This example adds the binSh helper to a basic Docker image built with dockerTools.buildLayeredImage. This helper makes it possible to enter a shell inside the container. This is the buildLayeredImage equivalent of Example 318.

{ dockerTools, hello }:
dockerTools.buildLayeredImage {
  name = "env-helpers";
  tag = "latest";

  contents = [
    hello
    dockerTools.binSh
  ];

  config = {
    Cmd = [ "/bin/hello" ];
  };
}

After building the image and loading it in Docker, we can create a container based on it and enter a shell inside the container. This is made possible by binSh.

$ nix-build
(some output removed for clarity)
/nix/store/rpf47f4z5b9qr4db4ach9yr4b85hjhxq-env-helpers.tar.gz
$ docker image load -i /nix/store/rpf47f4z5b9qr4db4ach9yr4b85hjhxq-env-helpers.tar.gz
(output removed for clarity)
$ docker container run --rm -it env-helpers:latest /bin/sh
sh-5.2# help
GNU bash, version 5.2.21(1)-release (x86_64-pc-linux-gnu)
(rest of output removed for clarity)

Example 320. Using dockerTools.shadowSetup with dockerTools.buildImage

This is an example that shows how to use shadowSetup with dockerTools.buildImage. Note that the extra script in runAsRoot uses groupadd and useradd, which are binaries provided by the shadow package. These binaries are added to the PATH by the shadowSetup script, but only for the duration of runAsRoot.

{ dockerTools, hello }:
dockerTools.buildImage {
  name = "shadow-basic";
  tag = "latest";

  copyToRoot = [ hello ];

  runAsRoot = ''
    ${dockerTools.shadowSetup}
    groupadd -r hello
    useradd -r -g hello hello
    mkdir /data
    chown hello:hello /data
  '';

  config = {
    Cmd = [ "/bin/hello" ];
    WorkingDir = "/data";
  };
}

Example 321. Using dockerTools.shadowSetup with dockerTools.buildLayeredImage

It accomplishes the same thing as Example 320, but using buildLayeredImage instead.

Note that the extra script in fakeRootCommands uses groupadd and useradd, which are binaries provided by the shadow package. These binaries are added to the PATH by the shadowSetup script, but only for the duration of fakeRootCommands.

{ dockerTools, hello }:
dockerTools.buildLayeredImage {
  name = "shadow-basic";
  tag = "latest";

  contents = [ hello ];

  fakeRootCommands = ''
    ${dockerTools.shadowSetup}
    groupadd -r hello
    useradd -r -g hello hello
    mkdir /data
    chown hello:hello /data
  '';
  enableFakechroot = true;

  config = {
    Cmd = [ "/bin/hello" ];
    WorkingDir = "/data";
  };
}

buildNixShellImage

buildNixShellImage uses streamNixShellImage underneath to build a compressed Docker-compatible repository tarball of an image that sets up an environment similar to that of running nix-shell on a derivation. Basically, buildNixShellImage runs the script created by streamNixShellImage to save the compressed image in the Nix store.

buildNixShellImage supports the same options as streamNixShellImage, see streamNixShellImage for details.

Examples

Example 322. Building a Docker image with buildNixShellImage with the build environment for the hello package

This example shows how to build the hello package inside a Docker container built with buildNixShellImage. The Docker image generated will have a name like hello-<version>-env and tag latest. This example is the buildNixShellImage equivalent of Example 323.

{ dockerTools, hello }:
dockerTools.buildNixShellImage {
  drv = hello;
  tag = "latest";
}

The result of building this package is a .tar.gz file that can be loaded into Docker:

$ nix-build
(some output removed for clarity)
/nix/store/pkj1sgzaz31wl0pbvbg3yp5b3kxndqms-hello-2.12.1-env.tar.gz

$ docker image load -i /nix/store/pkj1sgzaz31wl0pbvbg3yp5b3kxndqms-hello-2.12.1-env.tar.gz
(some output removed for clarity)
Loaded image: hello-2.12.1-env:latest

After starting an interactive container, the derivation can be built by running buildDerivation, and the output can be executed as expected:

$ docker container run -it hello-2.12.1-env:latest
[nix-shell:~]$ buildDerivation
Running phase: unpackPhase
unpacking source archive /nix/store/pa10z4ngm0g83kx9mssrqzz30s84vq7k-hello-2.12.1.tar.gz
source root is hello-2.12.1
(some output removed for clarity)
Running phase: fixupPhase
shrinking RPATHs of ELF executables and libraries in /nix/store/f2vs29jibd7lwxyj35r9h87h6brgdysz-hello-2.12.1
shrinking /nix/store/f2vs29jibd7lwxyj35r9h87h6brgdysz-hello-2.12.1/bin/hello
checking for references to /build/ in /nix/store/f2vs29jibd7lwxyj35r9h87h6brgdysz-hello-2.12.1...
gzipping man pages under /nix/store/f2vs29jibd7lwxyj35r9h87h6brgdysz-hello-2.12.1/share/man/
patching script interpreter paths in /nix/store/f2vs29jibd7lwxyj35r9h87h6brgdysz-hello-2.12.1
stripping (with command strip and flags -S -p) in  /nix/store/f2vs29jibd7lwxyj35r9h87h6brgdysz-hello-2.12.1/bin

[nix-shell:~]$ $out/bin/hello
Hello, world!

streamNixShellImage

streamNixShellImage builds a script which, when run, will stream to stdout a Docker-compatible repository tarball of an image that sets up an environment similar to that of running nix-shell on a derivation. This means that streamNixShellImage does not output an image into the Nix store, but only a script that builds the image, saving on IO and disk/cache space, particularly with large images. See Example 323 to understand how to load in Docker the image generated by this script.

The environment set up by streamNixShellImage somewhat resembles the Nix sandbox typically used by nix-build, with a major difference being that access to the internet is allowed. It also behaves like an interactive nix-shell, running things like shellHook (see Example 325) and setting an interactive prompt. If the derivation is buildable (i.e. nix-build can be used on it), running buildDerivation in the container will build the derivation, with all its outputs being available in the correct /nix/store paths, pointed to by the respective environment variables (e.g. $out).

Caution

The environment in the image doesn’t match nix-shell or nix-build exactly, and this function is known not to work correctly for fixed-output derivations, content-addressed derivations, impure derivations and other special types of derivations.

Inputs

streamNixShellImage expects one argument with the following attributes:

drv (Attribute Set)

The derivation for which the environment in the image will be set up. Adding packages to the Docker image is possible by extending the list of nativeBuildInputs of this derivation. See Example 324 for how to do that. Similarly, you can extend the image initialization script by extending shellHook. Example 325 shows how to do that.

name (String; optional)

The name of the generated image.

Default value: the value of drv.name + "-env".

tag (String or Null; optional)

Tag of the generated image. If null, the hash of the nix derivation that builds the Docker image will be used as the tag.

Default value: null.

uid (Number; optional)

The user ID to run the container as. This can be seen as a nixbld build user.

Default value: 1000.

gid (Number; optional)

The group ID to run the container as. This can be seen as a nixbld build group.

Default value: 1000.

homeDirectory (String; optional)

The home directory of the user the container is running as.

Default value: /build.

shell (String; optional)

The path to the bash binary to use as the shell. This shell is started when running the image. This can be seen as an equivalent of the NIX_BUILD_SHELL environment variable for nix-shell(1).

Default value: the bash binary from the bashInteractive package.

command (String or Null; optional)

If specified, this command will be run in the environment of the derivation in an interactive shell. A call to exit will be added after the command if it is specified, so the shell will exit after it’s finished running. This can be seen as an equivalent of the --command option in nix-shell(1).

Default value: null.

run (String or Null; optional)

Similar to the command attribute, but runs the command in a non-interactive shell instead. A call to exit will be added after the command if it is specified, so the shell will exit after it’s finished running. This can be seen as an equivalent of the --run option in nix-shell(1).

Default value: null.

Examples

Example 323. Building a Docker image with streamNixShellImage with the build environment for the hello package

This example shows how to build the hello package inside a Docker container built with streamNixShellImage. The Docker image generated will have a name like hello-<version>-env and tag latest. This example is the streamNixShellImage equivalent of Example 322.

{ dockerTools, hello }:
dockerTools.streamNixShellImage {
  drv = hello;
  tag = "latest";
}

The result of building this package is a script. Running this script and piping it into docker image load gives you the same image that was built in Example 322.

$ nix-build
(some output removed for clarity)
/nix/store/8vhznpz2frqazxnd8pgdvf38jscdypax-stream-hello-2.12.1-env

$ /nix/store/8vhznpz2frqazxnd8pgdvf38jscdypax-stream-hello-2.12.1-env | docker image load
(some output removed for clarity)
Loaded image: hello-2.12.1-env:latest

After starting an interactive container, the derivation can be built by running buildDerivation, and the output can be executed as expected:

$ docker container run -it hello-2.12.1-env:latest
[nix-shell:~]$ buildDerivation
Running phase: unpackPhase
unpacking source archive /nix/store/pa10z4ngm0g83kx9mssrqzz30s84vq7k-hello-2.12.1.tar.gz
source root is hello-2.12.1
(some output removed for clarity)
Running phase: fixupPhase
shrinking RPATHs of ELF executables and libraries in /nix/store/f2vs29jibd7lwxyj35r9h87h6brgdysz-hello-2.12.1
shrinking /nix/store/f2vs29jibd7lwxyj35r9h87h6brgdysz-hello-2.12.1/bin/hello
checking for references to /build/ in /nix/store/f2vs29jibd7lwxyj35r9h87h6brgdysz-hello-2.12.1...
gzipping man pages under /nix/store/f2vs29jibd7lwxyj35r9h87h6brgdysz-hello-2.12.1/share/man/
patching script interpreter paths in /nix/store/f2vs29jibd7lwxyj35r9h87h6brgdysz-hello-2.12.1
stripping (with command strip and flags -S -p) in  /nix/store/f2vs29jibd7lwxyj35r9h87h6brgdysz-hello-2.12.1/bin

[nix-shell:~]$ $out/bin/hello
Hello, world!

Example 324. Adding extra packages to a Docker image built with streamNixShellImage

This example shows how to add extra packages to an image built with streamNixShellImage. In this case, we’ll add the cowsay package. The Docker image generated will have a name like hello-<version>-env and tag latest. This example uses Example 323 as a starting point.

{ dockerTools, cowsay, hello }:
dockerTools.streamNixShellImage {
  tag = "latest";
  drv = hello.overrideAttrs (old: {
    nativeBuildInputs = old.nativeBuildInputs or [] ++ [
      cowsay
    ];
  });
}

The result of building this package is a script which can be run and piped into docker image load to load the generated image.

$ nix-build
(some output removed for clarity)
/nix/store/h5abh0vljgzg381lna922gqknx6yc0v7-stream-hello-2.12.1-env

$ /nix/store/h5abh0vljgzg381lna922gqknx6yc0v7-stream-hello-2.12.1-env | docker image load
(some output removed for clarity)
Loaded image: hello-2.12.1-env:latest

After starting an interactive container, we can verify the extra package is available by running cowsay:

$ docker container run -it hello-2.12.1-env:latest
[nix-shell:~]$ cowsay "Hello, world!"
 _______________
< Hello, world! >
 ---------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

Example 325. Adding a shellHook to a Docker image built with streamNixShellImage

This example shows how to add a shellHook command to an image built with streamNixShellImage. In this case, we’ll simply output the string Hello, world!. The Docker image generated will have a name like hello-<version>-env and tag latest. This example uses Example 323 as a starting point.

{ dockerTools, hello }:
dockerTools.streamNixShellImage {
  tag = "latest";
  drv = hello.overrideAttrs (old: {
    shellHook = ''
      ${old.shellHook or ""}
      echo "Hello, world!"
    '';
  });
}

The result of building this package is a script which can be run and piped into docker image load to load the generated image.

$ nix-build
(some output removed for clarity)
/nix/store/iz4dhdvgzazl5vrgyz719iwjzjy6xlx1-stream-hello-2.12.1-env

$ /nix/store/iz4dhdvgzazl5vrgyz719iwjzjy6xlx1-stream-hello-2.12.1-env | docker image load
(some output removed for clarity)
Loaded image: hello-2.12.1-env:latest

After starting an interactive container, we can see the result of the shellHook:

$ docker container run -it hello-2.12.1-env:latest
Hello, world!

[nix-shell:~]$

pkgs.ociTools

pkgs.ociTools is a set of functions for creating runtime container bundles according to the OCI runtime specification v1.0.0. It makes no assumptions about the container runner you choose to use to run the created container.

The set of functions in pkgs.ociTools currently does not handle the OCI image specification.

At a high-level an OCI implementation would download an OCI Image then unpack that image into an OCI Runtime filesystem bundle. At this point the OCI Runtime Bundle would be run by an OCI Runtime. pkgs.ociTools provides utilities to create OCI Runtime bundles.

buildContainer

This function creates an OCI runtime container (consisting of a config.json and a root filesystem directory) that runs a single command inside of it. The nix store of the container will contain all referenced dependencies of the given command.

This function has an assumption that the container will run on POSIX platforms, and sets configurations (such as the user running the process or certain mounts) according to this assumption. Because of this, a container built with buildContainer will not work on Windows or other non-POSIX platforms without modifications to the container configuration. These modifications aren’t supported by buildContainer.

For linux platforms, buildContainer also configures the following namespaces (see unshare(1)) to isolate the OCI container from the global namespace: PID, network, mount, IPC, and UTS.

Note that no user namespace is created, which means that you won’t be able to run the container unless you are the root user.

Inputs

buildContainer expects an argument with the following attributes:

args (List of String)

Specifies a set of arguments to run inside the container. Any packages referenced by args will be made available inside the container.

mounts (Attribute Set; optional)

Would specify additional mounts that the runtime must make available to the container.

Warning

As explained in issue #290879, this attribute is currently ignored.

Note

buildContainer includes a minimal set of necessary filesystems to be mounted into the container, and this set can’t be changed with the mounts attribute.

Default value: {}.

readonly (Boolean; optional)

If true, sets the container’s root filesystem as read-only.

Default value: false.

os DEPRECATED

Specifies the operating system on which the container filesystem is based on. If specified, its value should follow the OCI Image Configuration Specification. According to the linked specification, all possible values for $GOOS in the Go docs should be valid, but will commonly be one of darwin or linux.

Default value: "linux".

arch DEPRECATED

Used to specify the architecture for which the binaries in the container filesystem have been compiled. If specified, its value should follow the OCI Image Configuration Specification. According to the linked specification, all possible values for $GOARCH in the Go docs should be valid, but will commonly be one of 386, amd64, arm, or arm64.

Default value: x86_64.

Examples

Example 326. Creating an OCI runtime container that runs bash

This example uses ociTools.buildContainer to create a simple container that runs bash.

{ ociTools, lib, bash }:
ociTools.buildContainer {
  args = [
    (lib.getExe bash)
  ];

  readonly = false;
}

As an example of how to run the container generated by this package, we’ll use runc to start the container. Any other tool that supports OCI containers could be used instead.

$ nix-build
(some output removed for clarity)
/nix/store/7f9hgx0arvhzp2a3qphp28rxbn748l25-join

$ cd /nix/store/7f9hgx0arvhzp2a3qphp28rxbn748l25-join
$ nix-shell -p runc
[nix-shell:/nix/store/7f9hgx0arvhzp2a3qphp28rxbn748l25-join]$ sudo runc run ocitools-example
help
GNU bash, version 5.2.26(1)-release (x86_64-pc-linux-gnu)
(some output removed for clarity)

pkgs.portableService

pkgs.portableService is a function to create Portable Services in a read-only, immutable, squashfs raw disk image. This lets you use Nix to build images which can be run on many recent Linux distributions.

Note

Portable services are supported starting with systemd 239 (released on 2018-06-22).

The generated image will contain the file system structure as required by the Portable Services specification, along with the packages given to portableService and all of their dependencies. When generated, the image will exist in the Nix store with the .raw file extension, as required by the specification. See Example 327 to understand how to use the output of portableService.

Inputs

portableService expects one argument with the following attributes:

pname (String)

The name of the portable service. The generated image will be named according to the template $pname_$version.raw, which is supported by the Portable Services specification.

version (String)

The version of the portable service. The generated image will be named according to the template $pname_$version.raw, which is supported by the Portable Services specification.

units (List of Attribute Set)

A list of derivations for systemd unit files. Each derivation must produce a single file, and must have a name that starts with the value of pname and ends with the suffix of the unit type (e.g. “.service”, “.socket”, “.timer”, and so on). See Example 327 to better understand this naming constraint.

description (String or Null; optional)

If specified, the value is added as PORTABLE_PRETTY_NAME to the /etc/os-release file in the generated image. This could be used to provide more information to anyone inspecting the image.

Default value: null.

homepage (String or Null; optional)

If specified, the value is added as HOME_URL to the /etc/os-release file in the generated image. This could be used to provide more information to anyone inspecting the image.

Default value: null.

symlinks (List of Attribute Set; optional)

A list of attribute sets in the format {object, symlink}. For each item in the list, portableService will create a symlink in the path specified by symlink (relative to the root of the image) that points to object.

All packages that object depends on and their dependencies are automatically copied into the image.

This can be used to create symlinks for applications that assume some files to exist globally (/etc/ssl or /bin/bash, for example). See Example 328 to understand how to do that.

Default value: [].

contents (List of Attribute Set; optional)

A list of additional derivations to be included as-is in the image. These derivations will be included directly in a /nix/store directory inside the image.

Default value: [].

squashfsTools (Attribute Set; optional)

Allows you to override the package that provides mksquashfs(1), which is used internally by portableService.

Default value: pkgs.squashfsTools.

squash-compression (String; optional)

Passed as the compression option to mksquashfs(1), which is used internally by portableService.

Default value: "xz -Xdict-size 100%".

squash-block-size (String; optional)

Passed as the block size option to mksquashfs(1), which is used internally by portableService.

Default value: "1M".

Examples

Example 327. Building a Portable Service image

The following example builds a Portable Service image with the hello package, along with a service unit that runs it.

{ lib, writeText, portableService, hello }:
let
  hello-service = writeText "hello.service" ''
    [Unit]
    Description=Hello world service

    [Service]
    Type=oneshot
    ExecStart=${lib.getExe hello}
  '';
in
portableService {
  pname = "hello";
  inherit (hello) version;
  units = [ hello-service ];
}

After building the package, the generated image can be loaded into a system through portablectl(1):

$ nix-build
(some output removed for clarity)
/nix/store/8c20z1vh7z8w8dwagl8w87b45dn5k6iq-hello-img-2.12.1

$ portablectl attach /nix/store/8c20z1vh7z8w8dwagl8w87b45dn5k6iq-hello-img-2.12.1/hello_2.12.1.raw
Created directory /etc/systemd/system.attached.
Created directory /etc/systemd/system.attached/hello.service.d.
Written /etc/systemd/system.attached/hello.service.d/20-portable.conf.
Created symlink /etc/systemd/system.attached/hello.service.d/10-profile.conf → /usr/lib/systemd/portable/profile/default/service.conf.
Copied /etc/systemd/system.attached/hello.service.
Created symlink /etc/portables/hello_2.12.1.raw → /nix/store/8c20z1vh7z8w8dwagl8w87b45dn5k6iq-hello-img-2.12.1/hello_2.12.1.raw.

$ systemctl start hello
$ journalctl -u hello
Feb 28 22:39:16 hostname systemd[1]: Starting Hello world service...
Feb 28 22:39:16 hostname hello[102887]: Hello, world!
Feb 28 22:39:16 hostname systemd[1]: hello.service: Deactivated successfully.
Feb 28 22:39:16 hostname systemd[1]: Finished Hello world service.

$ portablectl detach hello_2.12.1
Removed /etc/systemd/system.attached/hello.service.
Removed /etc/systemd/system.attached/hello.service.d/10-profile.conf.
Removed /etc/systemd/system.attached/hello.service.d/20-portable.conf.
Removed /etc/systemd/system.attached/hello.service.d.
Removed /etc/portables/hello_2.12.1.raw.
Removed /etc/systemd/system.attached.

Example 328. Specifying symlinks when building a Portable Service image

Some services may expect files or directories to be available globally. An example is a service which expects all trusted SSL certificates to exist in a specific location by default.

To make things available globally, you must specify the symlinks attribute when using portableService. The following package builds on the package from Example 327 to make /etc/ssl available globally (this is only for illustrative purposes, because hello doesn’t use /etc/ssl).

{ lib, writeText, portableService, hello, cacert }:
let
  hello-service = writeText "hello.service" ''
    [Unit]
    Description=Hello world service

    [Service]
    Type=oneshot
    ExecStart=${lib.getExe hello}
  '';
in
portableService {
  pname = "hello";
  inherit (hello) version;
  units = [ hello-service ];
  symlinks = [
    { object = "${cacert}/etc/ssl"; symlink = "/etc/ssl"; }
  ];
}

<nixpkgs/nixos/lib/make-disk-image.nix>

<nixpkgs/nixos/lib/make-disk-image.nix> is a function to create disk images in multiple formats: raw, QCOW2 (QEMU), QCOW2-Compressed (compressed version), VDI (VirtualBox), VPC (VirtualPC).

This function can create images in two ways:

  • using cptofs without any virtual machine to create a Nix store disk image,

  • using a virtual machine to create a full NixOS installation.

When testing early-boot or lifecycle parts of NixOS such as a bootloader or multiple generations, it is necessary to opt for a full NixOS system installation. Whereas for many web servers, applications, it is possible to work with a Nix store only disk image and is faster to build.

NixOS tests also use this function when preparing the VM. The cptofs method is used when virtualisation.useBootLoader is false (the default). Otherwise the second method is used.

Features

For reference, read the function signature source code for documentation on arguments: https://github.com/NixOS/nixpkgs/blob/master/nixos/lib/make-disk-image.nix. Features are separated in various sections depending on if you opt for a Nix-store only image or a full NixOS image.

Common

  • arbitrary NixOS configuration

  • automatic or bound disk size: diskSize parameter, additionalSpace can be set when diskSize is auto to add a constant of disk space

  • multiple partition table layouts: EFI, legacy, legacy + GPT, hybrid, none through partitionTableType parameter

  • OVMF or EFI firmwares and variables templates can be customized

  • root filesystem fsType can be customized to whatever mkfs.${fsType} exist during operations

  • root filesystem label can be customized, defaults to nix-store if it’s a Nix store image, otherwise nixpkgs/nixos

  • arbitrary code can be executed after disk image was produced with postVM

  • the current nixpkgs can be realized as a channel in the disk image, which will change the hash of the image when the sources are updated

  • additional store paths can be provided through additionalPaths

Full NixOS image

  • arbitrary contents with permissions can be placed in the target filesystem using contents

  • a /etc/nixpkgs/nixos/configuration.nix can be provided through configFile

  • bootloaders are supported

  • EFI variables can be mutated during image production and the result is exposed in $out

  • boot partition size when partition table is efi or hybrid

On bit-to-bit reproducibility

Images are NOT deterministic, please do not hesitate to try to fix this, source of determinisms are (not exhaustive) :

  • bootloader installation have timestamps

  • SQLite Nix store database contain registration times

  • /etc/shadow is in a non-deterministic order

A deterministic flag is available for best efforts determinism.

Usage

To produce a Nix-store only image:

let
  pkgs = import <nixpkgs> {};
  lib = pkgs.lib;
  make-disk-image = import <nixpkgs/nixos/lib/make-disk-image.nix>;
in
  make-disk-image {
    inherit pkgs lib;
    config = {};
    additionalPaths = [ ];
    format = "qcow2";
    onlyNixStore = true;
    partitionTableType = "none";
    installBootLoader = false;
    touchEFIVars = false;
    diskSize = "auto";
    additionalSpace = "0M"; # Defaults to 512M.
    copyChannel = false;
  }

Some arguments can be left out, they are shown explicitly for the sake of the example.

Building this derivation will provide a QCOW2 disk image containing only the Nix store and its registration information.

To produce a NixOS installation image disk with UEFI and bootloader installed:

let
  pkgs = import <nixpkgs> {};
  lib = pkgs.lib;
  make-disk-image = import <nixpkgs/nixos/lib/make-disk-image.nix>;
  evalConfig = import <nixpkgs/nixos/lib/eval-config.nix>;
in
  make-disk-image {
    inherit pkgs lib;
    inherit (evalConfig {
      modules = [
        {
          fileSystems."/" = { device = "/dev/vda"; fsType = "ext4"; autoFormat = true; };
          boot.grub.device = "/dev/vda";
        }
      ];
    }) config;
    format = "qcow2";
    onlyNixStore = false;
    partitionTableType = "legacy+gpt";
    installBootLoader = true;
    touchEFIVars = true;
    diskSize = "auto";
    additionalSpace = "0M"; # Defaults to 512M.
    copyChannel = false;
    memSize = 2048; # Qemu VM memory size in megabytes. Defaults to 1024M.
  }

pkgs.mkBinaryCache

pkgs.mkBinaryCache is a function for creating Nix flat-file binary caches. Such a cache exists as a directory on disk, and can be used as a Nix substituter by passing --substituter file:///path/to/cache to Nix commands.

Nix packages are most commonly shared between machines using HTTP, SSH, or S3, but a flat-file binary cache can still be useful in some situations. For example, you can copy it directly to another machine, or make it available on a network file system. It can also be a convenient way to make some Nix packages available inside a container via bind-mounting.

mkBinaryCache expects an argument with the rootPaths attribute. rootPaths must be a list of derivations. The transitive closure of these derivations’ outputs will be copied into the cache.

Note

This function is meant for advanced use cases. The more idiomatic way to work with flat-file binary caches is via the nix-copy-closure command. You may also want to consider dockerTools for your containerization needs.

Example 329. Copying a package and its closure to another machine with mkBinaryCache

The following derivation will construct a flat-file binary cache containing the closure of hello.

{ mkBinaryCache, hello }:
mkBinaryCache {
  rootPaths = [hello];
}

Build the cache on a machine. Note that the command still builds the exact nix package above, but adds some boilerplate to build it directly from an expression.

$ nix-build -E 'let pkgs = import <nixpkgs> {}; in pkgs.callPackage ({ mkBinaryCache, hello }: mkBinaryCache { rootPaths = [hello]; }) {}'
/nix/store/azf7xay5xxdnia4h9fyjiv59wsjdxl0g-binary-cache

Copy the resulting directory to another machine, which we’ll call host2:

$ scp result host2:/tmp/hello-cache

At this point, the cache can be used as a substituter when building derivations on host2:

$ nix-build -A hello '<nixpkgs>' \
  --option require-sigs false \
  --option trusted-substituters file:///tmp/hello-cache \
  --option substituters file:///tmp/hello-cache
/nix/store/zhl06z4lrfrkw5rp0hnjjfrgsclzvxpm-hello-2.12.1

Hooks reference

Nixpkgs has several hook packages that augment the stdenv phases.

The stdenv built-in hooks are documented in the section called “Package setup hooks”.

Autoconf

The autoreconfHook derivation adds autoreconfPhase, which runs autoreconf, libtoolize and automake, essentially preparing the configure script in autotools-based builds. Most autotools-based packages come with the configure script pre-generated, but this hook is necessary for a few packages and when you need to patch the package’s configure scripts.

Automake

Adds the share/aclocal subdirectory of each build input to the ACLOCAL_PATH environment variable.

autoPatchelfHook

This is a special setup hook which helps in packaging proprietary software in that it automatically tries to find missing shared library dependencies of ELF files based on the given buildInputs and nativeBuildInputs.

You can also specify a runtimeDependencies variable which lists dependencies to be unconditionally added to rpath of all executables. This is useful for programs that use dlopen 3 to load libraries at runtime.

In certain situations you may want to run the main command (autoPatchelf) of the setup hook on a file or a set of directories instead of unconditionally patching all outputs. This can be done by setting the dontAutoPatchelf environment variable to a non-empty value.

By default autoPatchelf will fail as soon as any ELF file requires a dependency which cannot be resolved via the given build inputs. In some situations you might prefer to just leave missing dependencies unpatched and continue to patch the rest. This can be achieved by setting the autoPatchelfIgnoreMissingDeps environment variable to a non-empty value. autoPatchelfIgnoreMissingDeps can be set to a list like autoPatchelfIgnoreMissingDeps = [ "libcuda.so.1" "libcudart.so.1" ]; or to [ "*" ] to ignore all missing dependencies.

The autoPatchelf command also recognizes a --no-recurse command line flag, which prevents it from recursing into subdirectories.

aws-c-common

This hook exposes its own CMake modules by setting CMAKE_MODULE_PATH through the cmakeFlags variable to the nonstandard $out/lib/cmake directory, as a workaround for an upstream bug.

bmake

bmake is the portable variant of NetBSD make utility.

In Nixpkgs, bmake comes with a hook that overrides the default build, check, install and dist phases.

breakpointHook

This hook will make a build pause instead of stopping when a failure happens. It prevents nix from cleaning up the build environment immediately and allows the user to attach to a build environment using the cntr command. Upon build error it will print instructions on how to use cntr, which can be used to enter the environment for debugging. Installing cntr and running the command will provide shell access to the build sandbox of failed build. At /var/lib/cntr the sandboxed filesystem is mounted. All commands and files of the system are still accessible within the shell. To execute commands from the sandbox use the cntr exec subcommand. cntr is only supported on Linux-based platforms. To use it first add cntr to your environment.systemPackages on NixOS or alternatively to the root user on non-NixOS systems. Then in the package that is supposed to be inspected, add breakpointHook to nativeBuildInputs.

{
  nativeBuildInputs = [ breakpointHook ];
}

When a build failure happens there will be an instruction printed that shows how to attach with cntr to the build sandbox.

Note

Caution with remote builds

This won’t work with remote builds as the build environment is on a different machine and can’t be accessed by cntr. Remote builds can be turned off by setting --option builders '' for nix-build or --builders '' for nix build.

CERNLIB

This hook sets the CERN, CERN_LEVEL, and CERN_ROOT environment variables. They are part of CERNLIB’s build system, and are are needed for some programs to compile correctly.

cmake

Overrides the default configure phase to run the CMake command.

By default, we use the Make generator of CMake. But when Ninja is also available as a nativeBuildInput, this setup hook will detect that and use the ninja generator.

Dependencies are added automatically to CMAKE_PREFIX_PATH so that packages are correctly detected by CMake. Some additional flags are passed in to give similar behavior to configure-based packages.

By default, parallel building is enabled as CMake supports parallel building almost everywhere.

You can disable this hook’s behavior by setting configurePhase to a custom value, or by setting dontUseCmakeConfigure.

Variables controlling CMake

CMake Exclusive Variables

cmakeFlags

Controls the flags passed to cmake setup during configure phase.

cmakeBuildDir

Directory where CMake will put intermediate files.

Setting this can be useful for debugging multiple CMake builds while in the same source directory, for example, when building for different platforms. Different values for each build will prevent build artefacts from interefering with each other. This setting has no tangible effect when running the build in a sandboxed derivation.

The default value is build.

dontUseCmakeConfigure

When set to true, don’t use the predefined cmakeConfigurePhase.

desktop-file-utils

This setup hook removes the MIME cache (located at $out/share/applications/mimeinfo.cache) in the preFixupPhase.

This hook is necessary because mimeinfo.cache can be created when a package uses desktop-file-utils, resulting in collisions if multiple packages are installed that contain this file (as in #48295).

gdk-pixbuf

Exports GDK_PIXBUF_MODULE_FILE environment variable to the builder. Add librsvg package to buildInputs to get svg support. See also the setup hook description in GNOME platform docs.

GHC

Creates a temporary package database and registers every Haskell build input in it (TODO: how?).

GNOME platform

Hooks related to GNOME platform and related libraries like GLib, GTK and GStreamer are described in the section called “GNOME”.

haredo

This hook uses the haredo command runner to build, check, and install the package. It overrides buildPhase, checkPhase, and installPhase by default.

The hook builds its targets in parallel if config.enableParallelBuilding is set to true.

buildPhase

This phase attempts to build the default target.

Targets can be explicitly set by adding a string to the haredoBuildTargets list.

This behavior can be disabled by setting dontUseHaredoBuild to true.

checkPhase

This phase searches for the check.do or test.do targets, running them if they exist.

Targets can be explicitly set by adding a string to the haredoCheckTargets list.

This behavior can be disabled by setting dontUseHaredoCheck to true.

installPhase

This phase attempts to build the install.do target, if it exists.

Targets can be explicitly set by adding a string to the haredoInstallTargets list.

This behavior can be disabled by setting dontUseHaredoInstall to true.

installShellFiles

This hook adds helpers that install artifacts like executable files, manpages and shell completions.

It exposes the following functions that can be used from your postInstall hook:

installBin

The installBin function takes one or more paths to files to install as executable files.

This function will place them into outputBin.

Example Usage

{
  nativeBuildInputs = [ installShellFiles ];

  # Sometimes the file has an undersirable name. It should be renamed before
  # being installed via installBin
  postInstall = ''
    mv a.out delmar
    installBin foobar delmar
  '';
}

installManPage

The installManPage function takes one or more paths to manpages to install.

The manpages must have a section suffix, and may optionally be compressed (with .gz suffix). This function will place them into the correct share/man/man<section>/ directory in outputMan.

Example Usage

{
  nativeBuildInputs = [ installShellFiles ];

  # Sometimes the manpage file has an undersirable name; e.g. it conflicts with
  # another software with an equal name. It should be renamed before being
  # installed via installManPage
  postInstall = ''
    mv fromsea.3 delmar.3
    installManPage foobar.1 delmar.3
  '';
}

installShellCompletion

The installShellCompletion function takes one or more paths to shell completion files.

By default it will autodetect the shell type from the completion file extension, but you may also specify it by passing one of --bash, --fish, or --zsh. These flags apply to all paths listed after them (up until another shell flag is given). Each path may also have a custom installation name provided by providing a flag --name NAME before the path. If this flag is not provided, zsh completions will be renamed automatically such that foobar.zsh becomes _foobar. A root name may be provided for all paths using the flag --cmd NAME; this synthesizes the appropriate name depending on the shell (e.g. --cmd foo will synthesize the name foo.bash for bash and _foo for zsh).

Example Usage

{
  nativeBuildInputs = [ installShellFiles ];
  postInstall = ''
    # explicit behavior
    installShellCompletion --bash --name foobar.bash share/completions.bash
    installShellCompletion --fish --name foobar.fish share/completions.fish
    installShellCompletion --zsh --name _foobar share/completions.zsh
    # implicit behavior
    installShellCompletion share/completions/foobar.{bash,fish,zsh}
  '';
}

The path may also be a fifo or named fd (such as produced by <(cmd)), in which case the shell and name must be provided (see below).

If the destination shell completion file is not actually present or consists of zero bytes after calling installShellCompletion this is treated as a build failure. In particular, if completion files are not vendored but are generated by running an executable, this is likely to fail in cross compilation scenarios. The result will be a zero byte completion file and hence a build failure. To prevent this, guard the completion generation commands.

Example Usage

{
  nativeBuildInputs = [ installShellFiles ];
  postInstall = lib.optionalString (stdenv.buildPlatform.canExecute stdenv.hostPlatform) ''
    # using named fd
    installShellCompletion --cmd foobar \
      --bash <($out/bin/foobar --bash-completion) \
      --fish <($out/bin/foobar --fish-completion) \
      --zsh <($out/bin/foobar --zsh-completion)
  '';
}

just

This setup hook attempts to use the just command runner to build, check, and install the package. The hook overrides buildPhase, checkPhase, and installPhase by default.

The justFlags variable can be set to a list of strings to add additional flags passed to all invocations of just.

buildPhase

This phase attempts to invoke just with the default recipe.

This behavior can be disabled by setting dontUseJustBuild to true.

checkPhase

This phase attempts to invoke the just test recipe, if it is available. This can be overrided by setting checkTarget to a string.

This behavior can be disabled by setting dontUseJustCheck to true.

installPhase

This phase attempts to invoke the just install recipe.

This behavior can be disabled by setting dontUseJustInstall to true.

libiconv, libintl

A few libraries automatically add to NIX_LDFLAGS their library, making their symbols automatically available to the linker. This includes libiconv and libintl (gettext). This is done to provide compatibility between GNU Linux, where libiconv and libintl are bundled in, and other systems where that might not be the case. Sometimes, this behavior is not desired. To disable this behavior, set dontAddExtraLibs.

libxml2

Adds every file named catalog.xml found under the xml/dtd and xml/xsl subdirectories of each build input to the XML_CATALOG_FILES environment variable.

Meson

Meson is an open source meta build system meant to be fast and user-friendly.

In Nixpkgs, meson comes with a setup hook that overrides the configure, check, and install phases.

Being a meta build system, meson needs an accompanying backend. In the context of Nixpkgs, the typical companion backend is Ninja, that provides a setup hook registering ninja-based build and install phases.

Variables controlling Meson

Meson Exclusive Variables

mesonFlags

Controls the flags passed to meson setup during configure phase.

mesonBuildDir

Directory where Meson will put intermediate files.

Setting this can be useful for debugging multiple Meson builds while in the same source directory, for example, when building for different platforms. Different values for each build will prevent build artefacts from interefering with each other. This setting has no tangible effect when running the build in a sandboxed derivation.

The default value is build.

mesonWrapMode

Which value is passed as -Dwrap_mode= to. In Nixpkgs the default value is nodownload, so that no subproject will be downloaded (since network access is already disabled during deployment in Nixpkgs).

Note: Meson allows pre-population of subprojects that would otherwise be downloaded.

mesonBuildType

Which value is passed as --buildtype to meson setup during configure phase. In Nixpkgs the default value is plain.

mesonAutoFeatures

Which value is passed as -Dauto_features= to meson setup during configure phase. In Nixpkgs the default value is enabled, meaning that every feature declared as “auto” by the meson scripts will be enabled.

mesonCheckFlags

Controls the flags passed to meson test during check phase.

mesonInstallFlags

Controls the flags passed to meson install during install phase.

mesonInstallTags

A list of installation tags passed to Meson’s commandline option --tags during install phase.

Note: mesonInstallTags should be a list of strings, that will be converted to a comma-separated string that is recognized to --tags. Example: mesonInstallTags = [ "emulator" "assembler" ]; will be converted to --tags emulator,assembler.

dontUseMesonConfigure

When set to true, don’t use the predefined mesonConfigurePhase.

dontUseMesonCheck

When set to true, don’t use the predefined mesonCheckPhase.

dontUseMesonInstall

When set to true, don’t use the predefined mesonInstallPhase.

Honored variables

The following variables commonly used by stdenv.mkDerivation are honored by Meson setup hook.

  • prefixKey

  • enableParallelBuilding

mpiCheckPhaseHook

This hook can be used to setup a check phase that requires running a MPI application. It detects the used present MPI implementation type and exports the neceesary environment variables to use mpirun and mpiexec in a Nix sandbox.

Example:

  { mpiCheckPhaseHook, mpi, ... }:
  {
    # ...

    nativeCheckInputs = [
      openssh
      mpiCheckPhaseHook
    ];
  }

ninja

Overrides the build, install, and check phase to run ninja instead of make. You can disable this behavior with the dontUseNinjaBuild, dontUseNinjaInstall, and dontUseNinjaCheck, respectively. Parallel building is enabled by default in Ninja.

Note that if the Meson setup hook is also active, Ninja’s install and check phases will be disabled in favor of Meson’s.

patchRcPath hooks

These hooks provide shell-specific utilities (with the same name as the hook) to patch shell scripts meant to be sourced by software users.

The typical usage is to patch initialisation or rc scripts inside $out/bin or $out/etc. Such scripts, when being sourced, would insert the binary locations of certain commands into PATH, modify other environment variables or run a series of start-up commands. When shipped from the upstream, they sometimes use commands that might not be available in the environment they are getting sourced in.

The compatible shells for each hook are:

  • patchRcPathBash: Bash, ksh, zsh and other shells supporting the Bash-like parameter expansions.

  • patchRcPathCsh: Csh scripts, such as those targeting tcsh.

  • patchRcPathFish: Fish scripts.

  • patchRcPathPosix: POSIX-conformant shells supporting the limited parameter expansions specified by the POSIX standard. Current implementation uses the parameter expansion ${foo-} only.

For each supported shell, it modifies the script with a PATH prefix that is later removed when the script ends. It allows nested patching, which guarantees that a patched script may source another patched script.

Syntax to apply the utility to a script:

patchRcPath<shell> <file> <PATH-prefix>

Example usage:

Given a package foo containing an init script this-foo.fish that depends on coreutils, man and which, patch the init script for users to source without having the above dependencies in their PATH:

{ lib, stdenv, patchRcPathFish}:
stdenv.mkDerivation {

  # ...

  nativeBuildInputs = [
    patchRcPathFish
  ];

  postFixup = ''
    patchRcPathFish $out/bin/this-foo.fish ${lib.makeBinPath [ coreutils man which ]}
  '';
}

Note

patchRcPathCsh and patchRcPathPosix implementation depends on sed to do the string processing. The others are in vanilla shell and have no third-party dependencies.

Perl

Adds the lib/site_perl subdirectory of each build input to the PERL5LIB environment variable. For instance, if buildInputs contains Perl, then the lib/site_perl subdirectory of each input is added to the PERL5LIB environment variable.

pkg-config

Adds the lib/pkgconfig and share/pkgconfig subdirectories of each build input to the PKG_CONFIG_PATH environment variable.

postgresqlTestHook

This hook starts a PostgreSQL server during the checkPhase. Example:

{ stdenv, postgresql, postgresqlTestHook }:
stdenv.mkDerivation {

  # ...

  nativeCheckInputs = [
    postgresql
    postgresqlTestHook
  ];
}

If you use a custom checkPhase, remember to add the runHook calls:

  checkPhase ''
    runHook preCheck

    # ... your tests

    runHook postCheck
  ''

Variables

The hook logic will read a number of variables and set them to a default value if unset or empty.

Exported variables:

  • PGDATA: location of server files.

  • PGHOST: location of UNIX domain socket directory; the default host in a connection string.

  • PGUSER: user to create / log in with, default: test_user.

  • PGDATABASE: database name, default: test_db.

Bash-only variables:

  • postgresqlTestUserOptions: SQL options to use when creating the $PGUSER role, default: "LOGIN". Example: "LOGIN SUPERUSER"

  • postgresqlTestSetupSQL: SQL commands to run as database administrator after startup, default: statements that create $PGUSER and $PGDATABASE.

  • postgresqlTestSetupCommands: bash commands to run after database start, defaults to running $postgresqlTestSetupSQL as database administrator.

  • postgresqlEnableTCP: set to 1 to enable TCP listening. Flaky; not recommended.

  • postgresqlStartCommands: defaults to pg_ctl start.

  • postgresqlExtraSettings: Additional configuration to add to postgresql.conf

Hooks

A number of additional hooks are ran in postgresqlTestHook

  • postgresqlTestSetupPost: ran after postgresql has been set up.

TCP and the Nix sandbox

postgresqlEnableTCP relies on network sandboxing, which is not available on macOS and some custom Nix installations, resulting in flaky tests. For this reason, it is disabled by default.

The preferred solution is to make the test suite use a UNIX domain socket connection. This is the default behavior when no host connection parameter is provided. Some test suites hardcode a value for host though, so a patch may be required. If you can upstream the patch, you can make host default to the PGHOST environment variable when set. Otherwise, you can patch it locally to omit the host connection string parameter altogether.

Note

The error libpq: failed (could not receive data from server: Connection refused is generally an indication that the test suite is trying to connect through TCP.

Premake

This setup hook attempts to configure the package using the Premake build configuration system. It overrides the configurePhase by default, if none exists.

The Premakefile to use can be specified by setting premakefile in the derivation.

The flags passed to Premake can be configured by adding strings to the premakeFlags list.

Python

Adds the python.sitePackages subdirectory (i.e. lib/pythonX.Y/site-packages) of each build input to the PYTHONPATH environment variable.

scons

Overrides the build, install, and check phases. This uses the scons build system as a replacement for make. scons does not provide a configure phase, so everything is managed at build and install time.

cargo-tauri.hook

Tauri is a framework for building smaller, faster, and more secure desktop applications with a web frontend.

In Nixpkgs, cargo-tauri.hook overrides the default build and install phases.

Example code snippet

{
  lib,
  stdenv,
  rustPlatform,
  fetchNpmDeps,
  cargo-tauri,
  glib-networking,
  nodejs,
  npmHooks,
  openssl,
  pkg-config,
  webkitgtk_4_1,
  wrapGAppsHook4,
}:

rustPlatform.buildRustPackage rec {
  # . . .

  cargoHash = "...";

  # Assuming our app's frontend uses `npm` as a package manager
  npmDeps = fetchNpmDeps {
    name = "${pname}-npm-deps-${version}";
    inherit src;
    hash = "...";
  };

  nativeBuildInputs = [
    # Pull in our main hook
    cargo-tauri.hook

    # Setup npm
    nodejs
    npmHooks.npmConfigHook

    # Make sure we can find our libraries
    pkg-config
    wrapGAppsHook4
  ];

  buildInputs =
    [ openssl ]
    ++ lib.optionals stdenv.hostPlatform.isLinux [
      glib-networking # Most Tauri apps need networking
      webkitgtk_4_1
    ];

  # Set our Tauri source directory
  cargoRoot = "src-tauri";
  # And make sure we build there too
  buildAndTestSubdir = cargoRoot;

  # . . .
}

Variables controlling cargo-tauri

Tauri Exclusive Variables

tauriBuildFlags

Controls the flags passed to cargo tauri build.

tauriBundleType

The bundle type to build.

dontTauriBuild

Disables using tauriBuildHook.

dontTauriInstall

Disables using tauriInstallPostBuildHook and tauriInstallHook.

Honored Variables

Along with those found in the section called “buildRustPackage: Compiling Rust applications with Cargo”, the following variables used by cargoBuildHook and cargoInstallHook are honored by the cargo-tauri setup hook.

  • buildAndTestSubdir

  • cargoBuildType

  • cargoBuildNoDefaultFeatures

  • cargoBuildFeatures

teTeX / TeX Live

Adds the share/texmf-nix subdirectory of each build input to the TEXINPUTS environment variable.

unzip

This setup hook will allow you to unzip .zip files specified in $src. There are many similar packages like unrar, undmg, etc.

validatePkgConfig

The validatePkgConfig hook validates all pkg-config (.pc) files in a package. This helps catching some common errors in pkg-config files, such as undefined variables.

versionCheckHook

This hook adds a versionCheckPhase to the preInstallCheckHooks that runs the main program of the derivation with a --help or --version argument, and checks that the ${version} string is found in that output. You use it like this:

{
  lib,
  stdenv,
  versionCheckHook,
  # ...
}:

stdenv.mkDerivation (finalAttrs: {
  # ...

  nativeInstallCheckInputs = [
    versionCheckHook
  ];
  doInstallCheck = true;

  # ...
})

Note that for buildPythonPackage and buildPythonApplication, doInstallCheck is enabled by default.

It does so in a clean environment (using env --ignore-environment), and it checks for the ${version} string in both the stdout and the stderr of the command. It will report to you in the build log the output it received and it will fail the build if it failed to find ${version}.

The variables that this phase control are:

  • dontVersionCheck: Disable adding this hook to the preInstallCheckHooks. Useful if you do want to load the bash functions of the hook, but run them differently.

  • versionCheckProgram: The full path to the program that should print the ${version} string. Defaults roughly to ${placeholder "out"}/bin/${pname}. Using $out in the value of this variable won’t work, as environment variables from this variable are not expanded by the hook. Hence using placeholder is unavoidable.

  • versionCheckProgramArg: The argument that needs to be passed to versionCheckProgram. If undefined the hook tries first --help and then --version. Examples: version, -V, -v.

  • preVersionCheck: A hook to run before the check is done.

  • postVersionCheck: A hook to run after the check is done.

wafHook

Waf is a Python-based software building system.

In Nixpkgs, wafHook overrides the default configure, build, and install phases.

Variables controlling wafHook

wafHook Exclusive Variables

The variables below are exclusive of wafHook.

wafPath

Location of the waf tool. It defaults to ./waf, to honor software projects that include it directly inside their source trees.

If wafPath doesn’t exist, then wafHook will copy the waf provided from Nixpkgs to it.

wafFlags

Controls the flags passed to waf tool during build and install phases. For settings specific to build or install phases, use wafBuildFlags or wafInstallFlags respectively.

dontUseWafConfigure

When set to true, don’t use the predefined wafConfigurePhase.

dontUseWafBuild

When set to true, don’t use the predefined wafBuildPhase.

dontUseWafInstall

When set to true, don’t use the predefined wafInstallPhase.

Similar variables

The following variables are similar to their stdenv.mkDerivation counterparts.

wafHook Variablestdenv.mkDerivation Counterpart
wafConfigureFlagsconfigureFlags
wafConfigureTargetsconfigureTargets
wafBuildFlagsbuildFlags
wafBuildTargetsbuildTargets
wafInstallFlagsinstallFlags
wafInstallTargetsinstallTargets

Honored variables

The following variables commonly used by stdenv.mkDerivation are honored by wafHook.

  • prefixKey

  • enableParallelBuilding

  • enableParallelInstalling

zig.hook

Zig is a general-purpose programming language and toolchain for maintaining robust, optimal and reusable software.

In Nixpkgs, zig.hook overrides the default build, check and install phases.

Example code snippet

{ lib
, stdenv
, zig
}:

stdenv.mkDerivation {
  # . . .

  nativeBuildInputs = [
    zig.hook
  ];

  zigBuildFlags = [ "-Dman-pages=true" ];

  dontUseZigCheck = true;

  # . . .
}

Variables controlling zig.hook

zig.hook Exclusive Variables

The variables below are exclusive to zig.hook.

dontUseZigBuild

Disables using zigBuildPhase.

dontUseZigCheck

Disables using zigCheckPhase.

dontUseZigInstall

Disables using zigInstallPhase.

Similar variables

The following variables are similar to their stdenv.mkDerivation counterparts.

zig.hook Variablestdenv.mkDerivation Counterpart
zigBuildFlagsbuildFlags
zigCheckFlagscheckFlags
zigInstallFlagsinstallFlags

Variables honored by zig.hook

The following variables commonly used by stdenv.mkDerivation are honored by zig.hook.

  • prefixKey

  • dontAddPrefix

xcbuildHook

Overrides the build and install phases to run the “xcbuild” command. This hook is needed when a project only comes with build files for the XCode build system. You can disable this behavior by setting buildPhase and configurePhase to a custom value. xcbuildFlags controls flags passed only to xcbuild.

xfce.xfce4-dev-tools

This setup hook attempts to run xdt-autogen in xdtAutogenPhase, which is part of preConfigurePhases.

This behavior can be disabled by setting dontUseXdtAutogenPhase to true.

Languages and frameworks

The standard build environment makes it easy to build typical Autotools-based packages with very little code. Any other kind of package can be accommodated by overriding the appropriate phases of stdenv. However, there are specialised functions in Nixpkgs to easily build packages for other programming languages, such as Perl or Haskell. These are described in this chapter.

Each supported language or software ecosystem has its own package set named <language or ecosystem>Packages, which can be explored in various ways:

  • Search on search.nixos.org

    For example, search for haskellPackages or rubyPackages.

  • Navigate attribute sets with nix repl.

    This technique is generally useful to inspect Nix language data structures.

    Example 330. Navigate Java compiler variants in javaPackages with nix repl
    $ nix repl '<nixpkgs>' -I nixpkgs=channel:nixpkgs-unstable
    nix-repl> javaPackages.<tab>
    javaPackages.compiler               javaPackages.openjfx15              javaPackages.openjfx21              javaPackages.recurseForDerivations
    javaPackages.jogl_2_4_0             javaPackages.openjfx17              javaPackages.openjfx22
    javaPackages.mavenfod               javaPackages.openjfx19              javaPackages.override
    javaPackages.openjfx11              javaPackages.openjfx20              javaPackages.overrideDerivation
    

  • List all derivations on the command line with nix-env --query.

    nix-env is the only convenient way to do that, as it will skip attributes that fail assertions, such as when a package is marked as broken, rather than failing the entire evaluation.

    Example 331. List all Python packages in Nixpkgs

    The following command lists all derivations names with their attribute path from the latest Nixpkgs rolling release (nixpkgs-unstable).

    $ nix-env -qaP -f '<nixpkgs>' -A pythonPackages -I nixpkgs=channel:nixpkgs-unstable
    
    pythonPackages.avahi                                                  avahi-0.8
    pythonPackages.boost                                                  boost-1.81.0
    pythonPackages.caffe                                                  caffe-1.0
    pythonPackages.caffeWithCuda                                          caffe-1.0
    pythonPackages.cbeams                                                 cbeams-1.0.3
    …
    

Agda

How to use Agda

Agda is available as the agda package.

The agda package installs an Agda-wrapper, which calls agda with --library-file set to a generated library-file within the nix store, this means your library-file in $HOME/.agda/libraries will be ignored. By default the agda package installs Agda with no libraries, i.e. the generated library-file is empty. To use Agda with libraries, the agda.withPackages function can be used. This function either takes:

  • A list of packages,

  • or a function which returns a list of packages when given the agdaPackages attribute set,

  • or an attribute set containing a list of packages and a GHC derivation for compilation (see below).

  • or an attribute set containing a function which returns a list of packages when given the agdaPackages attribute set and a GHC derivation for compilation (see below).

For example, suppose we wanted a version of Agda which has access to the standard library. This can be obtained with the expressions:

agda.withPackages [ agdaPackages.standard-library ]

or

agda.withPackages (p: [ p.standard-library ])

or can be called as in the Compiling Agda section.

If you want to use a different version of a library (for instance a development version) override the src attribute of the package to point to your local repository

agda.withPackages (p: [
  (p.standard-library.overrideAttrs (oldAttrs: {
    version = "local version";
    src = /path/to/local/repo/agda-stdlib;
  }))
])

You can also reference a GitHub repository

agda.withPackages (p: [
  (p.standard-library.overrideAttrs (oldAttrs: {
    version = "1.5";
    src =  fetchFromGitHub {
      repo = "agda-stdlib";
      owner = "agda";
      rev = "v1.5";
      hash = "sha256-nEyxYGSWIDNJqBfGpRDLiOAnlHJKEKAOMnIaqfVZzJk=";
    };
  }))
])

If you want to use a library not added to Nixpkgs, you can add a dependency to a local library by calling agdaPackages.mkDerivation.

agda.withPackages (p: [
  (p.mkDerivation {
    pname = "your-agda-lib";
    version = "1.0.0";
    src = /path/to/your-agda-lib;
  })
])

Again you can reference GitHub

agda.withPackages (p: [
  (p.mkDerivation {
    pname = "your-agda-lib";
    version = "1.0.0";
    src = fetchFromGitHub {
      repo = "repo";
      owner = "owner";
      version = "...";
      rev = "...";
      hash = "...";
    };
  })
])

See Building Agda Packages for more information on mkDerivation.

Agda will not by default use these libraries. To tell Agda to use a library we have some options:

  • Call agda with the library flag:

    $ agda -l standard-library -i . MyFile.agda
    
  • Write a my-library.agda-lib file for the project you are working on which may look like:

    name: my-library
    include: .
    depend: standard-library
    
  • Create the file ~/.agda/defaults and add any libraries you want to use by default.

More information can be found in the official Agda documentation on library management.

Compiling Agda

Agda modules can be compiled using the GHC backend with the --compile flag. A version of ghc with ieee754 is made available to the Agda program via the --with-compiler flag. This can be overridden by a different version of ghc as follows:

agda.withPackages {
  pkgs = [ /* ... */ ];
  ghc = haskell.compiler.ghcHEAD;
}

Writing Agda packages

To write a nix derivation for an Agda library, first check that the library has a *.agda-lib file.

A derivation can then be written using agdaPackages.mkDerivation. This has similar arguments to stdenv.mkDerivation with the following additions:

  • everythingFile can be used to specify the location of the Everything.agda file, defaulting to ./Everything.agda. If this file does not exist then either it should be patched in or the buildPhase should be overridden (see below).

  • libraryName should be the name that appears in the *.agda-lib file, defaulting to pname.

  • libraryFile should be the file name of the *.agda-lib file, defaulting to ${libraryName}.agda-lib.

Here is an example default.nix

{ nixpkgs ?  <nixpkgs> }:
with (import nixpkgs {});
agdaPackages.mkDerivation {
  version = "1.0";
  pname = "my-agda-lib";
  src = ./.;
  buildInputs = [
    agdaPackages.standard-library
  ];
}

Building Agda packages

The default build phase for agdaPackages.mkDerivation runs agda on the Everything.agda file. If something else is needed to build the package (e.g. make) then the buildPhase should be overridden. Additionally, a preBuild or configurePhase can be used if there are steps that need to be done prior to checking the Everything.agda file. agda and the Agda libraries contained in buildInputs are made available during the build phase.

Installing Agda packages

The default install phase copies Agda source files, Agda interface files (*.agdai) and *.agda-lib files to the output directory. This can be overridden.

By default, Agda sources are files ending on .agda, or literate Agda files ending on .lagda, .lagda.tex, .lagda.org, .lagda.md, .lagda.rst. The list of recognised Agda source extensions can be extended by setting the extraExtensions config variable.

Maintaining the Agda package set on Nixpkgs

We are aiming at providing all common Agda libraries as packages on nixpkgs, and keeping them up to date. Contributions and maintenance help is always appreciated, but the maintenance effort is typically low since the Agda ecosystem is quite small.

The nixpkgs Agda package set tries to take up a role similar to that of Stackage in the Haskell world. It is a curated set of libraries that:

  1. Always work together.

  2. Are as up-to-date as possible.

While the Haskell ecosystem is huge, and Stackage is highly automatised, the Agda package set is small and can (still) be maintained by hand.

Adding Agda packages to Nixpkgs

To add an Agda package to nixpkgs, the derivation should be written to pkgs/development/libraries/agda/${library-name}/ and an entry should be added to pkgs/top-level/agda-packages.nix. Here it is called in a scope with access to all other Agda libraries, so the top line of the default.nix can look like:

{ mkDerivation, standard-library, fetchFromGitHub }:
{}

Note that the derivation function is called with mkDerivation set to agdaPackages.mkDerivation, therefore you could use a similar set as in your default.nix from Writing Agda Packages with agdaPackages.mkDerivation replaced with mkDerivation.

Here is an example skeleton derivation for iowa-stdlib:

mkDerivation {
  version = "1.5.0";
  pname = "iowa-stdlib";

  src = <...>;

  libraryFile = "";
  libraryName = "IAL-1.3";

  buildPhase = ''
    patchShebangs find-deps.sh
    make
  '';
}

This library has a file called .agda-lib, and so we give an empty string to libraryFile as nothing precedes .agda-lib in the filename. This file contains name: IAL-1.3, and so we let libraryName = "IAL-1.3". This library does not use an Everything.agda file and instead has a Makefile, so there is no need to set everythingFile and we set a custom buildPhase.

When writing an Agda package it is essential to make sure that no .agda-lib file gets added to the store as a single file (for example by using writeText). This causes Agda to think that the nix store is a Agda library and it will attempt to write to it whenever it typechecks something. See https://github.com/agda/agda/issues/4613.

In the pull request adding this library, you can test whether it builds correctly by writing in a comment:

@ofborg build agdaPackages.iowa-stdlib

Maintaining Agda packages

As mentioned before, the aim is to have a compatible, and up-to-date package set. These two conditions sometimes exclude each other: For example, if we update agdaPackages.standard-library because there was an upstream release, this will typically break many reverse dependencies, i.e. downstream Agda libraries that depend on the standard library. In nixpkgs we are typically among the first to notice this, since we have build tests in place to check this.

In a pull request updating e.g. the standard library, you should write the following comment:

@ofborg build agdaPackages.standard-library.passthru.tests

This will build all reverse dependencies of the standard library, for example agdaPackages.agda-categories, or agdaPackages.generic.

In some cases it is useful to build all Agda packages. This can be done with the following Github comment:

@ofborg build agda.passthru.tests.allPackages

Sometimes, the builds of the reverse dependencies fail because they have not yet been updated and released. You should drop the maintainers a quick issue notifying them of the breakage, citing the build error (which you can get from the ofborg logs). If you are motivated, you might even send a pull request that fixes it. Usually, the maintainers will answer within a week or two with a new release. Bumping the version of that reverse dependency should be a further commit on your PR.

In the rare case that a new release is not to be expected within an acceptable time, mark the broken package as broken by setting meta.broken = true;. This will exclude it from the build test. It can be added later when it is fixed, and does not hinder the advancement of the whole package set in the meantime.

Android

The Android build environment provides three major features and a number of supporting features.

Using androidenv with Android Studio

Use the android-studio-full attribute for a very complete Android SDK, including system images:

buildInputs = [ android-studio-full ];

This is identical to:

buildInputs = [ androidStudioPackages.stable.full ];

Alternatively, you can pass composeAndroidPackages to the withSdk passthru:

buildInputs = [
  (android-studio.withSdk (androidenv.composeAndroidPackages {
    includeNDK = true;
  }).androidsdk)
];

These will export ANDROID_SDK_ROOT and ANDROID_NDK_ROOT to the SDK and NDK directories in the specified Android build environment.

Deploying an Android SDK installation with plugins

Alternatively, you can deploy the SDK separately with a desired set of plugins, or subsets of an SDK.

with import <nixpkgs> {};

let
  androidComposition = androidenv.composeAndroidPackages {
    cmdLineToolsVersion = "8.0";
    toolsVersion = "26.1.1";
    platformToolsVersion = "30.0.5";
    buildToolsVersions = [ "30.0.3" ];
    includeEmulator = false;
    emulatorVersion = "30.3.4";
    platformVersions = [ "28" "29" "30" ];
    includeSources = false;
    includeSystemImages = false;
    systemImageTypes = [ "google_apis_playstore" ];
    abiVersions = [ "armeabi-v7a" "arm64-v8a" ];
    cmakeVersions = [ "3.10.2" ];
    includeNDK = true;
    ndkVersions = ["22.0.7026061"];
    useGoogleAPIs = false;
    useGoogleTVAddOns = false;
    includeExtras = [
      "extras;google;gcm"
    ];
  };
in
androidComposition.androidsdk

The above function invocation states that we want an Android SDK with the above specified plugin versions. By default, most plugins are disabled. Notable exceptions are the tools, platform-tools and build-tools sub packages.

The following parameters are supported:

  • cmdLineToolsVersion , specifies the version of the cmdline-tools package to use

  • toolsVersion, specifies the version of the tools package. Notice tools is obsolete, and currently only 26.1.1 is available, so there’s not a lot of options here, however, you can set it as null if you don’t want it.

  • platformsToolsVersion specifies the version of the platform-tools plugin

  • buildToolsVersions specifies the versions of the build-tools plugins to use.

  • includeEmulator specifies whether to deploy the emulator package (false by default). When enabled, the version of the emulator to deploy can be specified by setting the emulatorVersion parameter.

  • cmakeVersions specifies which CMake versions should be deployed.

  • includeNDK specifies that the Android NDK bundle should be included. Defaults to: false.

  • ndkVersions specifies the NDK versions that we want to use. These are linked under the ndk directory of the SDK root, and the first is linked under the ndk-bundle directory.

  • ndkVersion is equivalent to specifying one entry in ndkVersions, and ndkVersions overrides this parameter if provided.

  • includeExtras is an array of identifier strings referring to arbitrary add-on packages that should be installed.

  • platformVersions specifies which platform SDK versions should be included.

For each platform version that has been specified, we can apply the following options:

  • includeSystemImages specifies whether a system image for each platform SDK should be included.

  • includeSources specifies whether the sources for each SDK version should be included.

  • useGoogleAPIs specifies that for each selected platform version the Google API should be included.

  • useGoogleTVAddOns specifies that for each selected platform version the Google TV add-on should be included.

For each requested system image we can specify the following options:

  • systemImageTypes specifies what kind of system images should be included. Defaults to: default.

  • abiVersions specifies what kind of ABI version of each system image should be included. Defaults to: armeabi-v7a.

Most of the function arguments have reasonable default settings.

You can specify license names:

  • extraLicenses is a list of license names. You can get these names from repo.json or querypackages.sh licenses. The SDK license (android-sdk-license) is accepted for you if you set accept_license to true. If you are doing something like working with preview SDKs, you will want to add android-sdk-preview-license or whichever license applies here.

Additionally, you can override the repositories that composeAndroidPackages will pull from:

  • repoJson specifies a path to a generated repo.json file. You can generate this by running generate.sh, which in turn will call into mkrepo.rb.

  • repoXmls is an attribute set containing paths to repo XML files. If specified, it takes priority over repoJson, and will trigger a local build writing out a repo.json to the Nix store based on the given repository XMLs.

{
  repoXmls = {
    packages = [ ./xml/repository2-1.xml ];
    images = [
      ./xml/android-sys-img2-1.xml
      ./xml/android-tv-sys-img2-1.xml
      ./xml/android-wear-sys-img2-1.xml
      ./xml/android-wear-cn-sys-img2-1.xml
      ./xml/google_apis-sys-img2-1.xml
      ./xml/google_apis_playstore-sys-img2-1.xml
    ];
    addons = [ ./xml/addon2-1.xml ];
  };
}

When building the above expression with:

$ nix-build

The Android SDK gets deployed with all desired plugin versions.

We can also deploy subsets of the Android SDK. For example, to only the platform-tools package, you can evaluate the following expression:

with import <nixpkgs> {};

let
  androidComposition = androidenv.composeAndroidPackages {
    # ...
  };
in
androidComposition.platform-tools

Using predefined Android package compositions

In addition to composing an Android package set manually, it is also possible to use a predefined composition that contains a fairly complete set of Android packages:

The following Nix expression can be used to deploy the entire SDK:

with import <nixpkgs> {};

androidenv.androidPkgs.androidsdk

It is also possible to use one plugin only:

with import <nixpkgs> {};

androidenv.androidPkgs.platform-tools

Spawning emulator instances

For testing purposes, it can also be quite convenient to automatically generate scripts that spawn emulator instances with all desired configuration settings.

An emulator spawn script can be configured by invoking the emulateApp {} function:

with import <nixpkgs> {};

androidenv.emulateApp {
  name = "emulate-MyAndroidApp";
  platformVersion = "28";
  abiVersion = "x86"; # armeabi-v7a, mips, x86_64
  systemImageType = "google_apis_playstore";
}

Additional flags may be applied to the Android SDK’s emulator through the runtime environment variable $NIX_ANDROID_EMULATOR_FLAGS.

It is also possible to specify an APK to deploy inside the emulator and the package and activity names to launch it:

with import <nixpkgs> {};

androidenv.emulateApp {
  name = "emulate-MyAndroidApp";
  platformVersion = "24";
  abiVersion = "armeabi-v7a"; # mips, x86, x86_64
  systemImageType = "default";
  app = ./MyApp.apk;
  package = "MyApp";
  activity = "MainActivity";
}

In addition to prebuilt APKs, you can also bind the APK parameter to a buildApp {} function invocation shown in the previous example.

Notes on environment variables in Android projects

  • ANDROID_HOME should point to the Android SDK. In your Nix expressions, this should be ${androidComposition.androidsdk}/libexec/android-sdk. Note that ANDROID_SDK_ROOT is deprecated, but if you rely on tools that need it, you can export it too.

  • ANDROID_NDK_ROOT should point to the Android NDK, if you’re doing NDK development. In your Nix expressions, this should be ${ANDROID_HOME}/ndk-bundle.

If you are running the Android Gradle plugin, you need to export GRADLE_OPTS to override aapt2 to point to the aapt2 binary in the Nix store as well, or use a FHS environment so the packaged aapt2 can run. If you don’t want to use a FHS environment, something like this should work:

let
  buildToolsVersion = "30.0.3";

  # Use buildToolsVersion when you define androidComposition
  androidComposition = <...>;
in
pkgs.mkShell rec {
  ANDROID_HOME = "${androidComposition.androidsdk}/libexec/android-sdk";
  ANDROID_NDK_ROOT = "${ANDROID_HOME}/ndk-bundle";

  # Use the same buildToolsVersion here
  GRADLE_OPTS = "-Dorg.gradle.project.android.aapt2FromMavenOverride=${ANDROID_HOME}/build-tools/${buildToolsVersion}/aapt2";
}

If you are using cmake, you need to add it to PATH in a shell hook or FHS env profile. The path is suffixed with a build number, but properly prefixed with the version. So, something like this should suffice:

let
  cmakeVersion = "3.10.2";

  # Use cmakeVersion when you define androidComposition
  androidComposition = <...>;
in
pkgs.mkShell rec {
  ANDROID_HOME = "${androidComposition.androidsdk}/libexec/android-sdk";
  ANDROID_NDK_ROOT = "${ANDROID_HOME}/ndk-bundle";

  # Use the same cmakeVersion here
  shellHook = ''
    export PATH="$(echo "$ANDROID_HOME/cmake/${cmakeVersion}".*/bin):$PATH"
  '';
}

Note that running Android Studio with ANDROID_HOME set will automatically write a local.properties file with sdk.dir set to $ANDROID_HOME if one does not already exist. If you are using the NDK as well, you may have to add ndk.dir to this file.

An example shell.nix that does all this for you is provided in examples/shell.nix. This shell.nix includes a shell hook that overwrites local.properties with the correct sdk.dir and ndk.dir values. This will ensure that the SDK and NDK directories will both be correct when you run Android Studio inside nix-shell.

Notes on improving build.gradle compatibility

Ensure that your buildToolsVersion and ndkVersion match what is declared in androidenv. If you are using cmake, make sure its declared version is correct too.

Otherwise, you may get cryptic errors from aapt2 and the Android Gradle plugin warning that it cannot install the build tools because the SDK directory is not writeable.

android {
    buildToolsVersion "30.0.3"
    ndkVersion = "22.0.7026061"
    externalNativeBuild {
        cmake {
            version "3.10.2"
        }
    }
}

Querying the available versions of each plugin

repo.json provides all the options in one file now.

A shell script in the pkgs/development/mobile/androidenv/ subdirectory can be used to retrieve all possible options:

./querypackages.sh packages

The above command-line instruction queries all package versions in repo.json.

Updating the generated expressions

repo.json is generated from XML files that the Android Studio package manager uses. To update the expressions run the generate.sh script that is stored in the pkgs/development/mobile/androidenv/ subdirectory:

./generate.sh

Building an Android application with Ant

In addition to the SDK, it is also possible to build an Ant-based Android project and automatically deploy all the Android plugins that a project requires. Most newer Android projects use Gradle, and this is included for historical purposes.

with import <nixpkgs> {};

androidenv.buildApp {
  name = "MyAndroidApp";
  src = ./myappsources;
  release = true;

  # If release is set to true, you need to specify the following parameters
  keyStore = ./keystore;
  keyAlias = "myfirstapp";
  keyStorePassword = "mykeystore";
  keyAliasPassword = "myfirstapp";

  # Any Android SDK parameters that install all the relevant plugins that a
  # build requires
  platformVersions = [ "24" ];

  # When we include the NDK, then ndk-build is invoked before Ant gets invoked
  includeNDK = true;
}

Aside from the app-specific build parameters (name, src, release and keystore parameters), the buildApp {} function supports all the function parameters that the SDK composition function (the function shown in the previous section) supports.

This build function is particularly useful when it is desired to use Hydra: the Nix-based continuous integration solution to build Android apps. An Android APK gets exposed as a build product and can be installed on any Android device with a web browser by navigating to the build result page.

BEAM Languages (Erlang, Elixir & LFE)

Introduction

In this document and related Nix expressions, we use the term, BEAM, to describe the environment. BEAM is the name of the Erlang Virtual Machine and, as far as we’re concerned, from a packaging perspective, all languages that run on the BEAM are interchangeable. That which varies, like the build system, is transparent to users of any given BEAM package, so we make no distinction.

Available versions and deprecations schedule

Elixir

nixpkgs follows the official elixir deprecation schedule and keeps the last 5 released versions of Elixir available.

Structure

All BEAM-related expressions are available via the top-level beam attribute, which includes:

  • interpreters: a set of compilers running on the BEAM, including multiple Erlang/OTP versions (beam.interpreters.erlang_22, etc), Elixir (beam.interpreters.elixir) and LFE (Lisp Flavoured Erlang) (beam.interpreters.lfe).

  • packages: a set of package builders (Mix and rebar3), each compiled with a specific Erlang/OTP version, e.g. beam.packages.erlang22.

The default Erlang compiler, defined by beam.interpreters.erlang, is aliased as erlang. The default BEAM package set is defined by beam.packages.erlang and aliased at the top level as beamPackages.

To create a package builder built with a custom Erlang version, use the lambda, beam.packagesWith, which accepts an Erlang/OTP derivation and produces a package builder similar to beam.packages.erlang.

Many Erlang/OTP distributions available in beam.interpreters have versions with ODBC and/or Java enabled or without wx (no observer support). For example, there’s beam.interpreters.erlang_22_odbc_javac, which corresponds to beam.interpreters.erlang_22 and beam.interpreters.erlang_22_nox, which corresponds to beam.interpreters.erlang_22.

Build Tools

Rebar3

We provide a version of Rebar3, under rebar3. We also provide a helper to fetch Rebar3 dependencies from a lockfile under fetchRebar3Deps.

We also provide a version on Rebar3 with plugins included, under rebar3WithPlugins. This package is a function which takes two arguments: plugins, a list of nix derivations to include as plugins (loaded only when specified in rebar.config), and globalPlugins, which should always be loaded by rebar3. Example: rebar3WithPlugins { globalPlugins = [beamPackages.pc]; }.

When adding a new plugin it is important that the packageName attribute is the same as the atom used by rebar3 to refer to the plugin.

Mix & Erlang.mk

Erlang.mk works exactly as expected. There is a bootstrap process that needs to be run, which is supported by the buildErlangMk derivation.

For Elixir applications use mixRelease to make a release. See examples for more details.

There is also a buildMix helper, whose behavior is closer to that of buildErlangMk and buildRebar3. The primary difference is that mixRelease makes a release, while buildMix only builds the package, making it useful for libraries and other dependencies.

How to Install BEAM Packages

BEAM builders are not registered at the top level, because they are not relevant to the vast majority of Nix users. To use any of those builders into your environment, refer to them by their attribute path under beamPackages, e.g. beamPackages.rebar3:

Example 332. Ephemeral shell
$ nix-shell -p beamPackages.rebar3

Example 333. Declarative shell
let
  pkgs = import <nixpkgs> { config = {}; overlays = []; };
in
pkgs.mkShell {
  packages = [ pkgs.beamPackages.rebar3 ];
}

Packaging BEAM Applications

Erlang Applications

Rebar3 Packages

The Nix function, buildRebar3, defined in beam.packages.erlang.buildRebar3 and aliased at the top level, can be used to build a derivation that understands how to build a Rebar3 project.

If a package needs to compile native code via Rebar3’s port compilation mechanism, add compilePort = true; to the derivation.

Erlang.mk Packages

Erlang.mk functions similarly to Rebar3, except we use buildErlangMk instead of buildRebar3.

Mix Packages

mixRelease is used to make a release in the mix sense. Dependencies will need to be fetched with fetchMixDeps and passed to it.

mixRelease - Elixir Phoenix example

there are 3 steps, frontend dependencies (javascript), backend dependencies (elixir) and the final derivation that puts both of those together

mixRelease - Frontend dependencies (javascript)

For phoenix projects, inside of nixpkgs you can either use yarn2nix (mkYarnModule) or node2nix. An example with yarn2nix can be found here. An example with node2nix will follow. To package something outside of nixpkgs, you have alternatives like npmlock2nix or nix-npm-buildpackage

mixRelease - backend dependencies (mix)

There are 2 ways to package backend dependencies. With mix2nix and with a fixed-output-derivation (FOD).

mix2nix

mix2nix is a cli tool available in nixpkgs. it will generate a nix expression from a mix.lock file. It is quite standard in the 2nix tool series.

Note that currently mix2nix can’t handle git dependencies inside the mix.lock file. If you have git dependencies, you can either add them manually (see example) or use the FOD method.

The advantage of using mix2nix is that nix will know your whole dependency graph. On a dependency update, this won’t trigger a full rebuild and download of all the dependencies, where FOD will do so.

Practical steps:

  • run mix2nix > mix_deps.nix in the upstream repo.

  • pass mixNixDeps = with pkgs; import ./mix_deps.nix { inherit lib beamPackages; }; as an argument to mixRelease.

If there are git dependencies.

  • You’ll need to fix the version artificially in mix.exs and regenerate the mix.lock with fixed version (on upstream). This will enable you to run mix2nix > mix_deps.nix.

  • From the mix_deps.nix file, remove the dependencies that had git versions and pass them as an override to the import function.

{
  mixNixDeps = import ./mix.nix {
    inherit beamPackages lib;
    overrides = (final: prev: {
      # mix2nix does not support git dependencies yet,
      # so we need to add them manually
      prometheus_ex = beamPackages.buildMix rec {
        name = "prometheus_ex";
        version = "3.0.5";

        # Change the argument src with the git src that you actually need
        src = fetchFromGitLab {
          domain = "git.pleroma.social";
          group = "pleroma";
          owner = "elixir-libraries";
          repo = "prometheus.ex";
          rev = "a4e9beb3c1c479d14b352fd9d6dd7b1f6d7deee5";
          hash = "sha256-U17LlN6aGUKUFnT4XyYXppRN+TvUBIBRHEUsfeIiGOw=";
        };
        # you can re-use the same beamDeps argument as generated
        beamDeps = with final; [ prometheus ];
      };
    });
  };
}

You will need to run the build process once to fix the hash to correspond to your new git src.

FOD

A fixed output derivation will download mix dependencies from the internet. To ensure reproducibility, a hash will be supplied. Note that mix is relatively reproducible. An FOD generating a different hash on each run hasn’t been observed (as opposed to npm where the chances are relatively high). See elixir-ls for a usage example of FOD.

Practical steps

  • start with the following argument to mixRelease

{
  mixFodDeps = fetchMixDeps {
    pname = "mix-deps-${pname}";
    inherit src version;
    hash = lib.fakeHash;
  };
}

The first build will complain about the hash value, you can replace with the suggested value after that.

Note that if after you’ve replaced the value, nix suggests another hash, then mix is not fetching the dependencies reproducibly. An FOD will not work in that case and you will have to use mix2nix.

mixRelease - example

Here is how your default.nix file would look for a phoenix project.

with import <nixpkgs> { };

let
  # beam.interpreters.erlang_26 is available if you need a particular version
  packages = beam.packagesWith beam.interpreters.erlang;

  pname = "your_project";
  version = "0.0.1";

  src = builtins.fetchgit {
    url = "ssh://git@github.com/your_id/your_repo";
    rev = "replace_with_your_commit";
  };

  # if using mix2nix you can use the mixNixDeps attribute
  mixFodDeps = packages.fetchMixDeps {
    pname = "mix-deps-${pname}";
    inherit src version;
    # nix will complain and tell you the right value to replace this with
    hash = lib.fakeHash;
    mixEnv = ""; # default is "prod", when empty includes all dependencies, such as "dev", "test".
    # if you have build time environment variables add them here
    MY_ENV_VAR="my_value";
  };

  nodeDependencies = (pkgs.callPackage ./assets/default.nix { }).shell.nodeDependencies;

in packages.mixRelease {
  inherit src pname version mixFodDeps;
  # if you have build time environment variables add them here
  MY_ENV_VAR="my_value";

  postBuild = ''
    ln -sf ${nodeDependencies}/lib/node_modules assets/node_modules
    npm run deploy --prefix ./assets

    # for external task you need a workaround for the no deps check flag
    # https://github.com/phoenixframework/phoenix/issues/2690
    mix do deps.loadpaths --no-deps-check, phx.digest
    mix phx.digest --no-deps-check
  '';
}

Setup will require the following steps:

  • Move your secrets to runtime environment variables. For more information refer to the runtime.exs docs. On a fresh Phoenix build that would mean that both DATABASE_URL and SECRET_KEY need to be moved to runtime.exs.

  • cd assets and nix-shell -p node2nix --run "node2nix --development" will generate a Nix expression containing your frontend dependencies

  • commit and push those changes

  • you can now nix-build .

  • To run the release, set the RELEASE_TMP environment variable to a directory that your program has write access to. It will be used to store the BEAM settings.

Example of creating a service for an Elixir - Phoenix project

In order to create a service with your release, you could add a service.nix in your project with the following

{config, pkgs, lib, ...}:

let
  release = pkgs.callPackage ./default.nix;
  release_name = "app";
  working_directory = "/home/app";
in
{
  systemd.services.${release_name} = {
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" "postgresql.service" ];
    # note that if you are connecting to a postgres instance on a different host
    # postgresql.service should not be included in the requires.
    requires = [ "network-online.target" "postgresql.service" ];
    description = "my app";
    environment = {
      # RELEASE_TMP is used to write the state of the
      # VM configuration when the system is running
      # it needs to be a writable directory
      RELEASE_TMP = working_directory;
      # can be generated in an elixir console with
      # Base.encode32(:crypto.strong_rand_bytes(32))
      RELEASE_COOKIE = "my_cookie";
      MY_VAR = "my_var";
    };
    serviceConfig = {
      Type = "exec";
      DynamicUser = true;
      WorkingDirectory = working_directory;
      # Implied by DynamicUser, but just to emphasize due to RELEASE_TMP
      PrivateTmp = true;
      ExecStart = ''
        ${release}/bin/${release_name} start
      '';
      ExecStop = ''
        ${release}/bin/${release_name} stop
      '';
      ExecReload = ''
        ${release}/bin/${release_name} restart
      '';
      Restart = "on-failure";
      RestartSec = 5;
      StartLimitBurst = 3;
      StartLimitInterval = 10;
    };
    # disksup requires bash
    path = [ pkgs.bash ];
  };

  # in case you have migration scripts or you want to use a remote shell
  environment.systemPackages = [ release ];
}

How to Develop

Creating a Shell

Usually, we need to create a shell.nix file and do our development inside of the environment specified therein. Just install your version of Erlang and any other interpreters, and then use your normal build tools. As an example with Elixir:

{ pkgs ? import <nixpkgs> {} }:

with pkgs;
let
  elixir = beam.packages.erlang_24.elixir_1_12;
in
mkShell {
  buildInputs = [ elixir ];
}

Using an overlay

If you need to use an overlay to change some attributes of a derivation, e.g. if you need a bugfix from a version that is not yet available in nixpkgs, you can override attributes such as version (and the corresponding hash) and then use this overlay in your development environment:

shell.nix
let
  elixir_1_13_1_overlay = (self: super: {
      elixir_1_13 = super.elixir_1_13.override {
        version = "1.13.1";
        sha256 = "sha256-t0ic1LcC7EV3avWGdR7VbyX7pGDpnJSW1ZvwvQUPC3w=";
      };
    });
  pkgs = import <nixpkgs> { overlays = [ elixir_1_13_1_overlay ]; };
in
with pkgs;
mkShell {
  buildInputs = [
    elixir_1_13
  ];
}
Elixir - Phoenix project

Here is an example shell.nix.

with import <nixpkgs> { };

let
  # define packages to install
  basePackages = [
    git
    # replace with beam.packages.erlang.elixir_1_13 if you need
    beam.packages.erlang.elixir
    nodejs
    postgresql_14
    # only used for frontend dependencies
    # you are free to use yarn2nix as well
    nodePackages.node2nix
    # formatting js file
    nodePackages.prettier
  ];

  inputs = basePackages ++ lib.optionals stdenv.hostPlatform.isLinux [ inotify-tools ]
    ++ lib.optionals stdenv.hostPlatform.isDarwin
    (with darwin.apple_sdk.frameworks; [ CoreFoundation CoreServices ]);

  # define shell startup command
  hooks = ''
    # this allows mix to work on the local directory
    mkdir -p .nix-mix .nix-hex
    export MIX_HOME=$PWD/.nix-mix
    export HEX_HOME=$PWD/.nix-mix
    # make hex from Nixpkgs available
    # `mix local.hex` will install hex into MIX_HOME and should take precedence
    export MIX_PATH="${beam.packages.erlang.hex}/lib/erlang/lib/hex/ebin"
    export PATH=$MIX_HOME/bin:$HEX_HOME/bin:$PATH
    export LANG=C.UTF-8
    # keep your shell history in iex
    export ERL_AFLAGS="-kernel shell_history enabled"

    # postges related
    # keep all your db data in a folder inside the project
    export PGDATA="$PWD/db"

    # phoenix related env vars
    export POOL_SIZE=15
    export DB_URL="postgresql://postgres:postgres@localhost:5432/db"
    export PORT=4000
    export MIX_ENV=dev
    # add your project env vars here, word readable in the nix store.
    export ENV_VAR="your_env_var"
  '';

in mkShell {
  buildInputs = inputs;
  shellHook = hooks;
}

Initializing the project will require the following steps:

  • create the db directory initdb ./db (inside your mix project folder)

  • create the postgres user createuser postgres -ds

  • create the db createdb db

  • start the postgres instance pg_ctl -l "$PGDATA/server.log" start

  • add the /db folder to your .gitignore

  • you can start your phoenix server and get a shell with iex -S mix phx.server

Bower

Bower is a package manager for web site front-end components. Bower packages (comprising of build artifacts and sometimes sources) are stored in git repositories, typically on Github. The package registry is run by the Bower team with package metadata coming from the bower.json file within each package.

The end result of running Bower is a bower_components directory which can be included in the web app’s build process.

Bower can be run interactively, by installing nodePackages.bower. More interestingly, the Bower components can be declared in a Nix derivation, with the help of bower2nix.

bower2nix usage

Suppose you have a bower.json with the following contents:

Example bower.json

  "name": "my-web-app",
  "dependencies": {
    "angular": "~1.5.0",
    "bootstrap": "~3.3.6"
  }

Running bower2nix will produce something like the following output:

{ fetchbower, buildEnv }:
buildEnv { name = "bower-env"; ignoreCollisions = true; paths = [
  (fetchbower "angular" "1.5.3" "~1.5.0" "1749xb0firxdra4rzadm4q9x90v6pzkbd7xmcyjk6qfza09ykk9y")
  (fetchbower "bootstrap" "3.3.6" "~3.3.6" "1vvqlpbfcy0k5pncfjaiskj3y6scwifxygfqnw393sjfxiviwmbv")
  (fetchbower "jquery" "2.2.2" "1.9.1 - 2" "10sp5h98sqwk90y4k6hbdviwqzvzwqf47r3r51pakch5ii2y7js1")
]; }

Using the bower2nix command line arguments, the output can be redirected to a file. A name like bower-packages.nix would be fine.

The resulting derivation is a union of all the downloaded Bower packages (and their dependencies). To use it, they still need to be linked together by Bower, which is where buildBowerComponents is useful.

buildBowerComponents function

The function is implemented in pkgs/development/bower-modules/generic/default.nix.

Example buildBowerComponents

{
  bowerComponents = buildBowerComponents {
    name = "my-web-app";
    generated = ./bower-packages.nix; # note 1
    src = myWebApp; # note 2
  };
}

In “buildBowerComponents” example the following arguments are of special significance to the function:

  1. generated specifies the file which was created by bower2nix.

  2. src is your project’s sources. It needs to contain a bower.json file.

buildBowerComponents will run Bower to link together the output of bower2nix, resulting in a bower_components directory which can be used.

Here is an example of a web frontend build process using gulp. You might use grunt, or anything else.

Example build script (gulpfile.js)

var gulp = require('gulp');

gulp.task('default', [], function () {
  gulp.start('build');
});

gulp.task('build', [], function () {
  console.log("Just a dummy gulp build");
  gulp
    .src(["./bower_components/**/*"])
    .pipe(gulp.dest("./gulpdist/"));
});

Example Full example — default.nix

{ myWebApp ? { outPath = ./.; name = "myWebApp"; }
, pkgs ? import <nixpkgs> {}
}:

pkgs.stdenv.mkDerivation {
  name = "my-web-app-frontend";
  src = myWebApp;

  buildInputs = [ pkgs.nodePackages.gulp ];

  bowerComponents = pkgs.buildBowerComponents { # note 1
    name = "my-web-app";
    generated = ./bower-packages.nix;
    src = myWebApp;
  };

  buildPhase = ''
    cp --reflink=auto --no-preserve=mode -R $bowerComponents/bower_components . # note 2
    export HOME=$PWD # note 3
    ${pkgs.nodePackages.gulp}/bin/gulp build # note 4
  '';

  installPhase = "mv gulpdist $out";
}

A few notes about Full example — default.nix:

  1. The result of buildBowerComponents is an input to the frontend build.

  2. Whether to symlink or copy the bower_components directory depends on the build tool in use. In this case a copy is used to avoid gulp silliness with permissions.

  3. gulp requires HOME to refer to a writeable directory.

  4. The actual build command in this example is gulp. Other tools could be used instead.

Troubleshooting

ENOCACHE errors from buildBowerComponents

This means that Bower was looking for a package version which doesn’t exist in the generated bower-packages.nix.

If bower.json has been updated, then run bower2nix again.

It could also be a bug in bower2nix or fetchbower. If possible, try reformulating the version specification in bower.json.

CHICKEN

CHICKEN is a R⁵RS-compliant Scheme compiler. It includes an interactive mode and a custom package format, “eggs”.

Using Eggs

Eggs described in nixpkgs are available inside the chickenPackages.chickenEggs attrset. Including an egg as a build input is done in the typical Nix fashion. For example, to include support for SRFI 189 in a derivation, one might write:

{
  buildInputs = [
    chicken
    chickenPackages.chickenEggs.srfi-189
  ];
}

Both chicken and its eggs have a setup hook which configures the environment variables CHICKEN_INCLUDE_PATH and CHICKEN_REPOSITORY_PATH.

Updating Eggs

nixpkgs only knows about a subset of all published eggs. It uses egg2nix to generate a package set from a list of eggs to include.

The package set is regenerated by running the following shell commands:

$ nix-shell -p chickenPackages.egg2nix
$ cd pkgs/development/compilers/chicken/5/
$ egg2nix eggs.scm > eggs.nix

Adding Eggs

When we run egg2nix, we obtain one collection of eggs with mutually-compatible versions. This means that when we add new eggs, we may need to update existing eggs. To keep those separate, follow the procedure for updating eggs before including more eggs.

To include more eggs, edit pkgs/development/compilers/chicken/5/eggs.scm. The first section of this file lists eggs which are required by egg2nix itself; all other eggs go into the second section. After editing, follow the procedure for updating eggs.

Override Scope

The chicken package and its eggs, respectively, reside in a scope. This means, the scope can be overridden to effect other packages in it.

This example shows how to use a local copy of srfi-180 and have it affect all the other eggs:

let
  myChickenPackages = pkgs.chickenPackages.overrideScope' (self: super: {
      # The chicken package itself can be overridden to effect the whole ecosystem.
      # chicken = super.chicken.overrideAttrs {
      #   src = ...
      # };

      chickenEggs = super.chickenEggs.overrideScope' (eggself: eggsuper: {
        srfi-180 = eggsuper.srfi-180.overrideAttrs {
          # path to a local copy of srfi-180
          src = <...>;
        };
      });
  });
in
# Here, `myChickenPackages.chickenEggs.json-rpc`, which depends on `srfi-180` will use
# the local copy of `srfi-180`.
<...>

Coq and coq packages

Coq derivation: coq

The Coq derivation is overridable through the coq.override overrides, where overrides is an attribute set which contains the arguments to override. We recommend overriding either of the following

  • version (optional, defaults to the latest version of Coq selected for nixpkgs, see pkgs/top-level/coq-packages to witness this choice), which follows the conventions explained in the coqPackages section below,

  • customOCamlPackages (optional, defaults to null, which lets Coq choose a version automatically), which can be set to any of the ocaml packages attribute of ocaml-ng (such as ocaml-ng.ocamlPackages_4_10 which is the default for Coq 8.11 for example).

  • coq-version (optional, defaults to the short version e.g. “8.10”), is a version number of the form “x.y” that indicates which Coq’s version build behavior to mimic when using a source which is not a release. E.g. coq.override { version = "d370a9d1328a4e1cdb9d02ee032f605a9d94ec7a"; coq-version = "8.10"; }.

The associated package set can be obtained using mkCoqPackages coq, where coq is the derivation to use.

Coq packages attribute sets: coqPackages

The recommended way of defining a derivation for a Coq library, is to use the coqPackages.mkCoqDerivation function, which is essentially a specialization of mkDerivation taking into account most of the specifics of Coq libraries. The following attributes are supported:

  • pname (required) is the name of the package,

  • version (optional, defaults to null), is the version to fetch and build, this attribute is interpreted in several ways depending on its type and pattern:

    • if it is a known released version string, i.e. from the release attribute below, the according release is picked, and the version attribute of the resulting derivation is set to this release string,

    • if it is a majorMinor "x.y" prefix of a known released version (as defined above), then the latest "x.y.z" known released version is selected (for the ordering given by versionAtLeast),

    • if it is a path or a string representing an absolute path (i.e. starting with "/"), the provided path is selected as a source, and the version attribute of the resulting derivation is set to "dev",

    • if it is a string of the form owner:branch then it tries to download the branch of owner owner for a project of the same name using the same vcs, and the version attribute of the resulting derivation is set to "dev", additionally if the owner is not provided (i.e. if the owner: prefix is missing), it defaults to the original owner of the package (see below),

    • if it is a string of the form "#N", and the domain is github, then it tries to download the current head of the pull request #N from github,

  • defaultVersion (optional). Coq libraries may be compatible with some specific versions of Coq only. The defaultVersion attribute is used when no version is provided (or if version = null) to select the version of the library to use by default, depending on the context. This selection will mainly depend on a coq version number but also possibly on other packages versions (e.g. mathcomp). If its value ends up to be null, the package is marked for removal in end-user coqPackages attribute set.

  • release (optional, defaults to {}), lists all the known releases of the library and for each of them provides an attribute set with at least a hash attribute (you may put the empty string "" in order to automatically insert a fake hash, this will trigger an error which will allow you to find the correct hash), each attribute set of the list of releases also takes optional overloading arguments for the fetcher as below (i.e.domain, owner, repo, rev, artifact assuming the default fetcher is used) and optional overrides for the result of the fetcher (i.e. version and src).

  • fetcher (optional, defaults to a generic fetching mechanism supporting github or gitlab based infrastructures), is a function that takes at least an owner, a repo, a rev, and a hash and returns an attribute set with a version and src.

  • repo (optional, defaults to the value of pname),

  • owner (optional, defaults to "coq-community").

  • domain (optional, defaults to "github.com"), domains including the strings "github" or "gitlab" in their names are automatically supported, otherwise, one must change the fetcher argument to support them (cf pkgs/development/coq-modules/heq/default.nix for an example),

  • releaseRev (optional, defaults to (v: v)), provides a default mapping from release names to revision hashes/branch names/tags,

  • releaseArtifact (optional, defaults to (v: null)), provides a default mapping from release names to artifact names (only works for github artifact for now),

  • displayVersion (optional), provides a way to alter the computation of name from pname, by explaining how to display version numbers,

  • namePrefix (optional, defaults to [ "coq" ]), provides a way to alter the computation of name from pname, by explaining which dependencies must occur in name,

  • nativeBuildInputs (optional), is a list of executables that are required to build the current derivation, in addition to the default ones (namely which, dune and ocaml depending on whether useDune, useDuneifVersion and mlPlugin are set).

  • extraNativeBuildInputs (optional, deprecated), an additional list of derivation to add to nativeBuildInputs,

  • overrideNativeBuildInputs (optional) replaces the default list of derivation to which nativeBuildInputs and extraNativeBuildInputs adds extra elements,

  • buildInputs (optional), is a list of libraries and dependencies that are required to build and run the current derivation, in addition to the default one [ coq ],

  • extraBuildInputs (optional, deprecated), an additional list of derivation to add to buildInputs,

  • overrideBuildInputs (optional) replaces the default list of derivation to which buildInputs and extraBuildInputs adds extras elements,

  • propagatedBuildInputs (optional) is passed as is to mkDerivation, we recommend to use this for Coq libraries and Coq plugin dependencies, as this makes sure the paths of the compiled libraries and plugins will always be added to the build environments of subsequent derivation, which is necessary for Coq packages to work correctly,

  • mlPlugin (optional, defaults to false). Some extensions (plugins) might require OCaml and sometimes other OCaml packages. Standard dependencies can be added by setting the current option to true. For a finer grain control, the coq.ocamlPackages attribute can be used in nativeBuildInputs, buildInputs, and propagatedBuildInputs to depend on the same package set Coq was built against.

  • useDuneifVersion (optional, default to (x: false) uses Dune to build the package if the provided predicate evaluates to true on the version, e.g. useDuneifVersion = versions.isGe "1.1" will use dune if the version of the package is greater or equal to "1.1",

  • useDune (optional, defaults to false) uses Dune to build the package if set to true, the presence of this attribute overrides the behavior of the previous one.

  • opam-name (optional, defaults to concatenating with a dash separator the components of namePrefix and pname), name of the Dune package to build.

  • enableParallelBuilding (optional, defaults to true), since it is activated by default, we provide a way to disable it.

  • extraInstallFlags (optional), allows to extend installFlags which initializes the variable COQMF_COQLIB so as to install in the proper subdirectory. Indeed Coq libraries should be installed in $(out)/lib/coq/${coq.coq-version}/user-contrib/. Such directories are automatically added to the $COQPATH environment variable by the hook defined in the Coq derivation.

  • setCOQBIN (optional, defaults to true), by default, the environment variable $COQBIN is set to the current Coq’s binary, but one can disable this behavior by setting it to false,

  • useMelquiondRemake (optional, default to null) is an attribute set, which, if given, overloads the preConfigurePhases, configureFlags, buildPhase, and installPhase attributes of the derivation for a specific use in libraries using remake as set up by Guillaume Melquiond for flocq, gappalib, interval, and coquelicot (see the corresponding derivation for concrete examples of use of this option). For backward compatibility, the attribute useMelquiondRemake.logpath must be set to the logical root of the library (otherwise, one can pass useMelquiondRemake = {} to activate this without backward compatibility).

  • dropAttrs, keepAttrs, dropDerivationAttrs are all optional and allow to tune which attribute is added or removed from the final call to mkDerivation.

It also takes other standard mkDerivation attributes, they are added as such, except for meta which extends an automatically computed meta (where the platform is the same as coq and the homepage is automatically computed).

Here is a simple package example. It is a pure Coq library, thus it depends on Coq. It builds on the Mathematical Components library, thus it also takes some mathcomp derivations as extraBuildInputs.

{ lib, mkCoqDerivation, version ? null
, coq, mathcomp, mathcomp-finmap, mathcomp-bigenough }:

mkCoqDerivation {
  /* namePrefix leads to e.g. `name = coq8.11-mathcomp1.11-multinomials-1.5.2` */
  namePrefix = [ "coq" "mathcomp" ];
  pname = "multinomials";
  owner = "math-comp";
  inherit version;
  defaultVersion = with lib.versions; lib.switch [ coq.version mathcomp.version ] [
      { cases = [ (range "8.7" "8.12") (isEq "1.11") ];        out = "1.5.2"; }
      { cases = [ (range "8.7" "8.11") (range "1.8" "1.10") ]; out = "1.5.0"; }
      { cases = [ (range "8.7" "8.10") (range "1.8" "1.10") ]; out = "1.4"; }
      { cases = [ (isEq "8.6")         (range "1.6" "1.7") ];  out = "1.1"; }
    ] null;
  release = {
    "1.5.2".hash = "sha256-mjCx9XKa38Nz9E6wNK7YSqHdJ7YTua5fD3d6J4e7WpU=";
    "1.5.1".hash = "sha256-Q8tm0y2FQAt2V1kZYkDlHWRia/lTvXAMVjdmzEV11I4=";
    "1.5.0".hash = "sha256-HIK0f21G69oEW8JG46gSBde/Q2LR3GiBCv680gHbmRg=";
    "1.5.0".rev  = "1.5";
    "1.4".hash   = "sha256-F9g3MSIr3B6UZ3p8QWjz3/Jpw9sudJ+KRlvjiHSO024=";
    "1.3".hash   = "sha256-BPJTlAL0ETHvLMBslE0KFVt3DNoaGuMrHt2SBGyJe1A=";
    "1.2".hash   = "sha256-mHXBXSLYO4BN+jfN50y/+XCx0Qq5g4Ac2Y/qlsbgAdY=";
    "1.1".hash   = "sha256-ejAsMQbB/LtU9j+g160VdGXULrCe9s0gBWzyhKqmCuE=";
    "1.0".hash   = "sha256-tZTOltEBBKWciDxDMs/Ye4Jnq/33CANrHJ4FBMPtq+I=";
  };

  propagatedBuildInputs =
    [ mathcomp.ssreflect mathcomp.algebra mathcomp-finmap mathcomp-bigenough ];

  meta = {
    description = "Coq/SSReflect Library for Monoidal Rings and Multinomials";
    license = lib.licenses.cecill-c;
  };
}

Three ways of overriding Coq packages

There are three distinct ways of changing a Coq package by overriding one of its values: .override, overrideCoqDerivation, and .overrideAttrs. This section explains what sort of values can be overridden with each of these methods.

.override

.override lets you change arguments to a Coq derivation. In the case of the multinomials package above, .override would let you override arguments like mkCoqDerivation, version, coq, mathcomp, mathcom-finmap, etc.

For example, assuming you have a special mathcomp dependency you want to use, here is how you could override the mathcomp dependency:

multinomials.override {
  mathcomp = my-special-mathcomp;
}

In Nixpkgs, all Coq derivations take a version argument. This can be overridden in order to easily use a different version:

coqPackages.multinomials.override {
  version = "1.5.1";
}

Refer to the section called “Coq packages attribute sets: coqPackages for all the different formats that you can potentially pass to version, as well as the restrictions.

overrideCoqDerivation

The overrideCoqDerivation function lets you easily change arguments to mkCoqDerivation. These arguments are described in the section called “Coq packages attribute sets: coqPackages.

For example, here is how you could locally add a new release of the multinomials library, and set the defaultVersion to use this release:

coqPackages.lib.overrideCoqDerivation
  {
    defaultVersion = "2.0";
    release."2.0".hash = "sha256-czoP11rtrIM7+OLdMisv2EF7n/IbGuwFxHiPtg3qCNM=";
  }
  coqPackages.multinomials

.overrideAttrs

.overrideAttrs lets you override arguments to the underlying stdenv.mkDerivation call. Internally, mkCoqDerivation uses stdenv.mkDerivation to create derivations for Coq libraries. You can override arguments to stdenv.mkDerivation with .overrideAttrs.

For instance, here is how you could add some code to be performed in the derivation after installation is complete:

coqPackages.multinomials.overrideAttrs (oldAttrs: {
  postInstall = oldAttrs.postInstall or "" + ''
    echo "you can do anything you want here"
  '';
})

Crystal

Building a Crystal package

This section uses Mint as an example for how to build a Crystal package.

If the Crystal project has any dependencies, the first step is to get a shards.nix file encoding those. Get a copy of the project and go to its root directory such that its shard.lock file is in the current directory. Executable projects should usually commit the shard.lock file, but sometimes that’s not the case, which means you need to generate it yourself. With an existing shard.lock file, crystal2nix can be run.

$ git clone https://github.com/mint-lang/mint
$ cd mint
$ git checkout 0.5.0
$ if [ ! -f shard.lock ]; then nix-shell -p shards --run "shards lock"; fi
$ nix-shell -p crystal2nix --run crystal2nix

This should have generated a shards.nix file.

Next create a Nix file for your derivation and use pkgs.crystal.buildCrystalPackage as follows:

with import <nixpkgs> {};
crystal.buildCrystalPackage rec {
  pname = "mint";
  version = "0.5.0";

  src = fetchFromGitHub {
    owner = "mint-lang";
    repo = "mint";
    rev = version;
    hash = "sha256-dFN9l5fgrM/TtOPqlQvUYgixE4KPr629aBmkwdDoq28=";
  };

  # Insert the path to your shards.nix file here
  shardsFile = ./shards.nix;

  # ...
}

This won’t build anything yet, because we haven’t told it what files build. We can specify a mapping from binary names to source files with the crystalBinaries attribute. The project’s compilation instructions should show this. For Mint, the binary is called “mint”, which is compiled from the source file src/mint.cr, so we’ll specify this as follows:

{
  crystalBinaries.mint.src = "src/mint.cr";

  # ...
}

Additionally you can override the default crystal build options (which are currently --release --progress --no-debug --verbose) with

{
  crystalBinaries.mint.options = [ "--release" "--verbose" ];
}

Depending on the project, you might need additional steps to get it to compile successfully. In Mint’s case, we need to link against openssl, so in the end the Nix file looks as follows:

with import <nixpkgs> {};
crystal.buildCrystalPackage rec {
  version = "0.5.0";
  pname = "mint";
  src = fetchFromGitHub {
    owner = "mint-lang";
    repo = "mint";
    rev = version;
    hash = "sha256-dFN9l5fgrM/TtOPqlQvUYgixE4KPr629aBmkwdDoq28=";
  };

  shardsFile = ./shards.nix;
  crystalBinaries.mint.src = "src/mint.cr";

  buildInputs = [ openssl ];
}

CUDA

CUDA-only packages are stored in the cudaPackages packages set. This set includes the cudatoolkit, portions of the toolkit in separate derivations, cudnn, cutensor and nccl.

A package set is available for each CUDA version, so for example cudaPackages_11_6. Within each set is a matching version of the above listed packages. Additionally, other versions of the packages that are packaged and compatible are available as well. For example, there can be a cudaPackages.cudnn_8_3 package.

To use one or more CUDA packages in an expression, give the expression a cudaPackages parameter, and in case CUDA is optional

{ config
, cudaSupport ? config.cudaSupport
, cudaPackages ? { }
, ...
}: {}

When using callPackage, you can choose to pass in a different variant, e.g. when a different version of the toolkit suffices

{
  mypkg = callPackage { cudaPackages = cudaPackages_11_5; };
}

If another version of say cudnn or cutensor is needed, you can override the package set to make it the default. This guarantees you get a consistent package set.

{
  mypkg = let
    cudaPackages = cudaPackages_11_5.overrideScope (final: prev: {
      cudnn = prev.cudnn_8_3;
    });
  in callPackage { inherit cudaPackages; };
}

The CUDA NVCC compiler requires flags to determine which hardware you want to target for in terms of SASS (real hardware) or PTX (JIT kernels).

Nixpkgs tries to target support real architecture defaults based on the CUDA toolkit version with PTX support for future hardware. Experienced users may optimize this configuration for a variety of reasons such as reducing binary size and compile time, supporting legacy hardware, or optimizing for specific hardware.

You may provide capabilities to add support or reduce binary size through config using cudaCapabilities = [ "6.0" "7.0" ]; and cudaForwardCompat = true; if you want PTX support for future hardware.

Please consult GPUs supported for your specific card(s).

Library maintainers should consult NVCC Docs and release notes for their software package.

Adding a new CUDA release

WARNING

This section of the docs is still very much in progress. Feedback is welcome in GitHub Issues tagging @NixOS/cuda-maintainers or on Matrix.

The CUDA Toolkit is a suite of CUDA libraries and software meant to provide a development environment for CUDA-accelerated applications. Until the release of CUDA 11.4, NVIDIA had only made the CUDA Toolkit available as a multi-gigabyte runfile installer, which we provide through the cudaPackages.cudatoolkit attribute. From CUDA 11.4 and onwards, NVIDIA has also provided CUDA redistributables (“CUDA-redist”): individually packaged CUDA Toolkit components meant to facilitate redistribution and inclusion in downstream projects. These packages are available in the cudaPackages package set.

All new projects should use the CUDA redistributables available in cudaPackages in place of cudaPackages.cudatoolkit, as they are much easier to maintain and update.

Updating CUDA redistributables

  1. Go to NVIDIA’s index of CUDA redistributables: https://developer.download.nvidia.com/compute/cuda/redist/

  2. Make a note of the new version of CUDA available.

  3. Run

    nix run github:connorbaker/cuda-redist-find-features -- \
       download-manifests \
       --log-level DEBUG \
       --version <newest CUDA version> \
       https://developer.download.nvidia.com/compute/cuda/redist \
       ./pkgs/development/cuda-modules/cuda/manifests
    

    This will download a copy of the manifest for the new version of CUDA.

  4. Run

    nix run github:connorbaker/cuda-redist-find-features -- \
       process-manifests \
       --log-level DEBUG \
       --version <newest CUDA version> \
       https://developer.download.nvidia.com/compute/cuda/redist \
       ./pkgs/development/cuda-modules/cuda/manifests
    

    This will generate a redistrib_features_<newest CUDA version>.json file in the same directory as the manifest.

  5. Update the cudaVersionMap attribute set in pkgs/development/cuda-modules/cuda/extension.nix.

Updating cuTensor

  1. Repeat the steps present in Updating CUDA redistributables with the following changes:

    • Use the index of cuTensor redistributables: https://developer.download.nvidia.com/compute/cutensor/redist

    • Use the newest version of cuTensor available instead of the newest version of CUDA.

    • Use pkgs/development/cuda-modules/cutensor/manifests instead of pkgs/development/cuda-modules/cuda/manifests.

    • Skip the step of updating cudaVersionMap in pkgs/development/cuda-modules/cuda/extension.nix.

Updating supported compilers and GPUs

  1. Update nvcc-compatibilities.nix in pkgs/development/cuda-modules/ to include the newest release of NVCC, as well as any newly supported host compilers.

  2. Update gpus.nix in pkgs/development/cuda-modules/ to include any new GPUs supported by the new release of CUDA.

Updating the CUDA Toolkit runfile installer

WARNING

While the CUDA Toolkit runfile installer is still available in Nixpkgs as the cudaPackages.cudatoolkit attribute, its use is not recommended and should it be considered deprecated. Please migrate to the CUDA redistributables provided by the cudaPackages package set.

To ensure packages relying on the CUDA Toolkit runfile installer continue to build, it will continue to be updated until a migration path is available.

  1. Go to NVIDIA’s CUDA Toolkit runfile installer download page: https://developer.nvidia.com/cuda-downloads

  2. Select the appropriate OS, architecture, distribution, and version, and installer type.

    • For example: Linux, x86_64, Ubuntu, 22.04, runfile (local)

    • NOTE: Typically, we use the Ubuntu runfile. It is unclear if the runfile for other distributions will work.

  3. Take the link provided by the installer instructions on the webpage after selecting the installer type and get its hash by running:

    nix store prefetch-file --hash-type sha256 <link>
    
  4. Update pkgs/development/cuda-modules/cudatoolkit/releases.nix to include the release.

Updating the CUDA package set

  1. Include a new cudaPackages_<major>_<minor> package set in pkgs/top-level/all-packages.nix.

    • NOTE: Changing the default CUDA package set should occur in a separate PR, allowing time for additional testing.

  2. Successfully build the closure of the new package set, updating pkgs/development/cuda-modules/cuda/overrides.nix as needed. Below are some common failures:

Unable to …During …ReasonSolutionNote
Find headersconfigurePhase or buildPhaseMissing dependency on a dev outputAdd the missing dependencyThe dev output typically contain the headers
Find librariesconfigurePhaseMissing dependency on a dev outputAdd the missing dependencyThe dev output typically contain CMake configuration files
Find librariesbuildPhase or patchelfMissing dependency on a lib or static outputAdd the missing dependencyThe lib or static output typically contain the libraries

In the scenario you are unable to run the resulting binary: this is arguably the most complicated as it could be any combination of the previous reasons. This type of failure typically occurs when a library attempts to load or open a library it depends on that it does not declare in its DT_NEEDED section. As a first step, ensure that dependencies are patched with autoAddDriverRunpath. Failing that, try running the application with nixGL or a similar wrapper tool. If that works, it likely means that the application is attempting to load a library that is not in the RPATH or RUNPATH of the binary.

Running Docker or Podman containers with CUDA support

It is possible to run Docker or Podman containers with CUDA support. The recommended mechanism to perform this task is to use the NVIDIA Container Toolkit.

The NVIDIA Container Toolkit can be enabled in NixOS like follows:

{
  hardware.nvidia-container-toolkit.enable = true;
}

This will automatically enable a service that generates a CDI specification (located at /var/run/cdi/nvidia-container-toolkit.json) based on the auto-detected hardware of your machine. You can check this service by running:

$ systemctl status nvidia-container-toolkit-cdi-generator.service

Note

Depending on what settings you had already enabled in your system, you might need to restart your machine in order for the NVIDIA Container Toolkit to generate a valid CDI specification for your machine.

Once that a valid CDI specification has been generated for your machine on boot time, both Podman and Docker (> 25) will use this spec if you provide them with the --device flag:

$ podman run --rm -it --device=nvidia.com/gpu=all ubuntu:latest nvidia-smi -L
GPU 0: NVIDIA GeForce RTX 4090 (UUID: <REDACTED>)
GPU 1: NVIDIA GeForce RTX 2080 SUPER (UUID: <REDACTED>)
$ docker run --rm -it --device=nvidia.com/gpu=all ubuntu:latest nvidia-smi -L
GPU 0: NVIDIA GeForce RTX 4090 (UUID: <REDACTED>)
GPU 1: NVIDIA GeForce RTX 2080 SUPER (UUID: <REDACTED>)

You can check all the identifiers that have been generated for your auto-detected hardware by checking the contents of the /var/run/cdi/nvidia-container-toolkit.json file:

$ nix run nixpkgs#jq -- -r '.devices[].name' < /var/run/cdi/nvidia-container-toolkit.json
0
1
all

Specifying what devices to expose to the container

You can choose what devices are exposed to your containers by using the identifier on the generated CDI specification. Like follows:

$ podman run --rm -it --device=nvidia.com/gpu=0 ubuntu:latest nvidia-smi -L
GPU 0: NVIDIA GeForce RTX 4090 (UUID: <REDACTED>)

You can repeat the --device argument as many times as necessary if you have multiple GPU’s and you want to pick up which ones to expose to the container:

$ podman run --rm -it --device=nvidia.com/gpu=0 --device=nvidia.com/gpu=1 ubuntu:latest nvidia-smi -L
GPU 0: NVIDIA GeForce RTX 4090 (UUID: <REDACTED>)
GPU 1: NVIDIA GeForce RTX 2080 SUPER (UUID: <REDACTED>)

Note

By default, the NVIDIA Container Toolkit will use the GPU index to identify specific devices. You can change the way to identify what devices to expose by using the hardware.nvidia-container-toolkit.device-name-strategy NixOS attribute.

Using docker-compose

It’s possible to expose GPU’s to a docker-compose environment as well. With a docker-compose.yaml file like follows:

services:
  some-service:
    image: ubuntu:latest
    command: sleep infinity
    deploy:
      resources:
        reservations:
          devices:
          - driver: cdi
            device_ids:
            - nvidia.com/gpu=all

In the same manner, you can pick specific devices that will be exposed to the container:

services:
  some-service:
    image: ubuntu:latest
    command: sleep infinity
    deploy:
      resources:
        reservations:
          devices:
          - driver: cdi
            device_ids:
            - nvidia.com/gpu=0
            - nvidia.com/gpu=1

Cue (Cuelang)

Cuelang is a language to:

  • describe schemas and validate backward-compatibility

  • generate code and schemas in various formats (e.g. JSON Schema, OpenAPI)

  • do configuration akin to Dhall Lang

  • perform data validation

Cuelang schema quick start

Cuelang schemas are similar to JSON, here is a quick cheatsheet:

  • Default types includes: null, string, bool, bytes, number, int, float, lists as [...T] where T is a type.

  • All structures, defined by: myStructName: { <fields> } are open – they accept fields which are not specified.

  • Closed structures can be built by doing myStructName: close({ <fields> }) – they are strict in what they accept.

  • #X are definitions, referenced definitions are recursively closed, i.e. all its children structures are closed.

  • & operator is the unification operator (similar to a type-level merging operator), | is the disjunction operator (similar to a type-level union operator).

  • Values are types, i.e. myStruct: { a: 3 } is a valid type definition that only allows 3 as value.

  • Read https://cuelang.org/docs/concepts/logic/ to learn more about the semantics.

  • Read https://cuelang.org/docs/references/spec/ to learn about the language specification.

writeCueValidator

Nixpkgs provides a pkgs.writeCueValidator helper, which will write a validation script based on the provided Cuelang schema.

Here is an example:

pkgs.writeCueValidator
  (pkgs.writeText "schema.cue" ''
    #Def1: {
      field1: string
    }
  '')
  { document = "#Def1"; }
  • The first parameter is the Cue schema file.

  • The second parameter is an options parameter, currently, only: document can be passed.

document : match your input data against this fragment of structure or definition, e.g. you may use the same schema file but different documents based on the data you are validating.

Another example, given the following validator.nix :

{ pkgs ? import <nixpkgs> {} }:
let
  genericValidator = version:
  pkgs.writeCueValidator
    (pkgs.writeText "schema.cue" ''
      #Version1: {
        field1: string
      }
      #Version2: #Version1 & {
        field1: "unused"
      }''
    )
    { document = "#Version${toString version}"; };
in
{
  validateV1 = genericValidator 1;
  validateV2 = genericValidator 2;
}

The result is a script that will validate the file you pass as the first argument against the schema you provided writeCueValidator.

It can be any format that cue vet supports, i.e. YAML or JSON for example.

Here is an example, named example.json, given the following JSON:

{ "field1": "abc" }

You can run the result script (named validate) as the following:

$ nix-build validator.nix
$ ./result example.json
$ ./result-2 example.json
field1: conflicting values "unused" and "abc":
    ./example.json:1:13
    ../../../../../../nix/store/v64dzx3vr3glpk0cq4hzmh450lrwh6sg-schema.cue:5:11
$ sed -i 's/"abc"/3/' example.json
$ ./result example.json
field1: conflicting values 3 and string (mismatched types int and string):
    ./example.json:1:13
    ../../../../../../nix/store/v64dzx3vr3glpk0cq4hzmh450lrwh6sg-schema.cue:5:11

Known limitations

  • The script will enforce concrete values and will not accept lossy transformations (strictness). You can add these options if you need them.

Dart

Dart applications

The function buildDartApplication builds Dart applications managed with pub.

It fetches its Dart dependencies automatically through pub2nix, and (through a series of hooks) builds and installs the executables specified in the pubspec file. The hooks can be used in other derivations, if needed. The phases can also be overridden to do something different from installing binaries.

If you are packaging a Flutter desktop application, use buildFlutterApplication instead.

pubspecLock is the parsed pubspec.lock file. pub2nix uses this to download required packages. This can be converted to JSON from YAML with something like yq . pubspec.lock, and then read by Nix.

Alternatively, autoPubspecLock can be used instead, and set to a path to a regular pubspec.lock file. This relies on import-from-derivation, and is not permitted in Nixpkgs, but can be useful at other times.

Warning

When using autoPubspecLock with a local source directory, make sure to use a concatenation operator (e.g. autoPubspecLock = src + "/pubspec.lock";), and not string interpolation.

String interpolation will copy your entire source directory to the Nix store and use its store path, meaning that unrelated changes to your source tree will cause the generated pubspec.lock derivation to rebuild!

If the package has Git package dependencies, the hashes must be provided in the gitHashes set. If a hash is missing, an error message prompting you to add it will be shown.

The dart commands run can be overridden through pubGetScript and dartCompileCommand, you can also add flags using dartCompileFlags or dartJitFlags.

Dart supports multiple outputs types, you can choose between them using dartOutputType (defaults to exe). If you want to override the binaries path or the source path they come from, you can use dartEntryPoints. Outputs that require a runtime will automatically be wrapped with the relevant runtime (dartaotruntime for aot-snapshot, dart run for jit-snapshot and kernel, node for js), this can be overridden through dartRuntimeCommand.

{ lib, buildDartApplication, fetchFromGitHub }:

buildDartApplication rec {
  pname = "dart-sass";
  version = "1.62.1";

  src = fetchFromGitHub {
    owner = "sass";
    repo = pname;
    rev = version;
    hash = "sha256-U6enz8yJcc4Wf8m54eYIAnVg/jsGi247Wy8lp1r1wg4=";
  };

  pubspecLock = lib.importJSON ./pubspec.lock.json;
}

Patching dependencies

Some Dart packages require patches or build environment changes. Package derivations can be customised with the customSourceBuilders argument.

A collection of such customisations can be found in Nixpkgs, in the development/compilers/dart/package-source-builders directory.

This allows fixes for packages to be shared between all applications that use them. It is strongly recommended to add to this collection instead of including fixes in your application derivation itself.

Running executables from dev_dependencies

Many Dart applications require executables from the dev_dependencies section in pubspec.yaml to be run before building them.

This can be done in preBuild, in one of two ways:

  1. Packaging the tool with buildDartApplication, adding it to Nixpkgs, and running it like any other application

  2. Running the tool from the package cache

Of these methods, the first is recommended when using a tool that does not need to be of a specific version.

For the second method, the packageRun function from the dartConfigHook can be used. This is an alternative to dart run that does not rely on Pub.

e.g., for build_runner:

packageRun build_runner build

Do not use dart run <package_name>, as this will attempt to download dependencies with Pub.

Usage with nix-shell

Using dependencies from the Nix store

As buildDartApplication provides dependencies instead of pub get, Dart needs to be explicitly told where to find them.

Run the following commands in the source directory to configure Dart appropriately. Do not use pub after doing so; it will download the dependencies itself and overwrite these changes.

cp --no-preserve=all "$pubspecLockFilePath" pubspec.lock
mkdir -p .dart_tool && cp --no-preserve=all "$packageConfig" .dart_tool/package_config.json

Flutter applications

The function buildFlutterApplication builds Flutter applications.

See the Dart documentation for more details on required files and arguments.

flutter in Nixpkgs always points to flutterPackages.stable, which is the latest packaged version. To avoid unforeseen breakage during upgrade, packages in Nixpkgs should use a specific flutter version, such as flutter319 and flutter322, instead of using flutter directly.

{  flutter322, fetchFromGitHub }:

flutter322.buildFlutterApplication {
  pname = "firmware-updater";
  version = "0-unstable-2023-04-30";

  # To build for the Web, use the targetFlutterPlatform argument.
  # targetFlutterPlatform = "web";

  src = fetchFromGitHub {
    owner = "canonical";
    repo = "firmware-updater";
    rev = "6e7dbdb64e344633ea62874b54ff3990bd3b8440";
    hash = "sha256-s5mwtr5MSPqLMN+k851+pFIFFPa0N1hqz97ys050tFA=";
    fetchSubmodules = true;
  };

  pubspecLock = lib.importJSON ./pubspec.lock.json;
}

Usage with nix-shell

Flutter-specific nix-shell usage notes are included here. See the Dart documentation for general nix-shell instructions.

Entering the shell

By default, dependencies for only the targetFlutterPlatform are available in the build environment. This is useful for keeping closures small, but be problematic during development. It’s common, for example, to build Web apps for Linux during development to take advantage of native features such as stateful hot reload.

To enter a shell with all the usual target platforms available, use the multiShell attribute.

e.g. nix-shell '<nixpkgs>' -A fluffychat-web.multiShell.

Dhall

The Nixpkgs support for Dhall assumes some familiarity with Dhall’s language support for importing Dhall expressions, which is documented here:

Remote imports

Nixpkgs bypasses Dhall’s support for remote imports using Dhall’s semantic integrity checks. Specifically, any Dhall import can be protected by an integrity check like:

https://prelude.dhall-lang.org/v20.1.0/package.dhall
  sha256:26b0ef498663d269e4dc6a82b0ee289ec565d683ef4c00d0ebdd25333a5a3c98

… and if the import is cached then the interpreter will load the import from cache instead of fetching the URL.

Nixpkgs uses this trick to add all of a Dhall expression’s dependencies into the cache so that the Dhall interpreter never needs to resolve any remote URLs. In fact, Nixpkgs uses a Dhall interpreter with remote imports disabled when packaging Dhall expressions to enforce that the interpreter never resolves a remote import. This means that Nixpkgs only supports building Dhall expressions if all of their remote imports are protected by semantic integrity checks.

Instead of remote imports, Nixpkgs uses Nix to fetch remote Dhall code. For example, the Prelude Dhall package uses pkgs.fetchFromGitHub to fetch the dhall-lang repository containing the Prelude. Relying exclusively on Nix to fetch Dhall code ensures that Dhall packages built using Nix remain pure and also behave well when built within a sandbox.

Packaging a Dhall expression from scratch

We can illustrate how Nixpkgs integrates Dhall by beginning from the following trivial Dhall expression with one dependency (the Prelude):

-- ./true.dhall

let Prelude = https://prelude.dhall-lang.org/v20.1.0/package.dhall

in  Prelude.Bool.not False

As written, this expression cannot be built using Nixpkgs because the expression does not protect the Prelude import with a semantic integrity check, so the first step is to freeze the expression using dhall freeze, like this:

$ dhall freeze --inplace ./true.dhall

… which gives us:

-- ./true.dhall

let Prelude =
      https://prelude.dhall-lang.org/v20.1.0/package.dhall
        sha256:26b0ef498663d269e4dc6a82b0ee289ec565d683ef4c00d0ebdd25333a5a3c98

in  Prelude.Bool.not False

To package that expression, we create a ./true.nix file containing the following specification for the Dhall package:

# ./true.nix

{ buildDhallPackage, Prelude }:

buildDhallPackage {
  name = "true";
  code = ./true.dhall;
  dependencies = [ Prelude ];
  source = true;
}

… and we complete the build by incorporating that Dhall package into the pkgs.dhallPackages hierarchy using an overlay, like this:

# ./example.nix

let
  nixpkgs = builtins.fetchTarball {
    url    = "https://github.com/NixOS/nixpkgs/archive/94b2848559b12a8ed1fe433084686b2a81123c99.tar.gz";
    hash = "sha256-B4Q3c6IvTLg3Q92qYa8y+i4uTaphtFdjp+Ir3QQjdN0=";
  };

  dhallOverlay = self: super: {
    true = self.callPackage ./true.nix { };
  };

  overlay = self: super: {
    dhallPackages = super.dhallPackages.override (old: {
      overrides =
        self.lib.composeExtensions (old.overrides or (_: _: {})) dhallOverlay;
    });
  };

  pkgs = import nixpkgs { config = {}; overlays = [ overlay ]; };

in
  pkgs

… which we can then build using this command:

$ nix build --file ./example.nix dhallPackages.true

Contents of a Dhall package

The above package produces the following directory tree:

$ tree -a ./result
result
├── .cache
│   └── dhall
│       └── 122027abdeddfe8503496adeb623466caa47da5f63abd2bc6fa19f6cfcb73ecfed70
├── binary.dhall
└── source.dhall

… where:

  • source.dhall contains the result of interpreting our Dhall package:

    $ cat ./result/source.dhall
    True
    
  • The .cache subdirectory contains one binary cache product encoding the same result as source.dhall:

    $ dhall decode < ./result/.cache/dhall/122027abdeddfe8503496adeb623466caa47da5f63abd2bc6fa19f6cfcb73ecfed70
    True
    
  • binary.dhall contains a Dhall expression which handles fetching and decoding the same cache product:

    $ cat ./result/binary.dhall
    missing sha256:27abdeddfe8503496adeb623466caa47da5f63abd2bc6fa19f6cfcb73ecfed70
    $ cp -r ./result/.cache .cache
    
    $ chmod -R u+w .cache
    
    $ XDG_CACHE_HOME=.cache dhall --file ./result/binary.dhall
    True
    

The source.dhall file is only present for packages that specify source = true;. By default, Dhall packages omit the source.dhall in order to conserve disk space when they are used exclusively as dependencies. For example, if we build the Prelude package it will only contain the binary encoding of the expression:

$ nix build --file ./example.nix dhallPackages.Prelude

$ tree -a result
result
├── .cache
│   └── dhall
│       └── 122026b0ef498663d269e4dc6a82b0ee289ec565d683ef4c00d0ebdd25333a5a3c98
└── binary.dhall

2 directories, 2 files

Typically, you only specify source = true; for the top-level Dhall expression of interest (such as our example true.nix Dhall package). However, if you wish to specify source = true for all Dhall packages, then you can amend the Dhall overlay like this:

{
  dhallOverrides = self: super: {
    # Enable source for all Dhall packages
    buildDhallPackage =
      args: super.buildDhallPackage (args // { source = true; });

    true = self.callPackage ./true.nix { };
  };
}

… and now the Prelude will contain the fully decoded result of interpreting the Prelude:

$ nix build --file ./example.nix dhallPackages.Prelude

$ tree -a result
result
├── .cache
│   └── dhall
│       └── 122026b0ef498663d269e4dc6a82b0ee289ec565d683ef4c00d0ebdd25333a5a3c98
├── binary.dhall
└── source.dhall

$ cat ./result/source.dhall
{ Bool =
  { and =
      \(_ : List Bool) ->
        List/fold Bool _ Bool (\(_ : Bool) -> \(_ : Bool) -> _@1 && _) True
  , build = \(_ : Type -> _ -> _@1 -> _@2) -> _ Bool True False
  , even =
      \(_ : List Bool) ->
        List/fold Bool _ Bool (\(_ : Bool) -> \(_ : Bool) -> _@1 == _) True
  , fold =
      \(_ : Bool) ->
…

Packaging functions

We already saw an example of using buildDhallPackage to create a Dhall package from a single file, but most Dhall packages consist of more than one file and there are two derived utilities that you may find more useful when packaging multiple files:

  • buildDhallDirectoryPackage - build a Dhall package from a local directory

  • buildDhallGitHubPackage - build a Dhall package from a GitHub repository

The buildDhallPackage is the lowest-level function and accepts the following arguments:

  • name: The name of the derivation

  • dependencies: Dhall dependencies to build and cache ahead of time

  • code: The top-level expression to build for this package

    Note that the code field accepts an arbitrary Dhall expression. You’re not limited to just a file.

  • source: Set to true to include the decoded result as source.dhall in the build product, at the expense of requiring more disk space

  • documentationRoot: Set to the root directory of the package if you want dhall-docs to generate documentation underneath the docs subdirectory of the build product

The buildDhallDirectoryPackage is a higher-level function implemented in terms of buildDhallPackage that accepts the following arguments:

  • name: Same as buildDhallPackage

  • dependencies: Same as buildDhallPackage

  • source: Same as buildDhallPackage

  • src: The directory containing Dhall code that you want to turn into a Dhall package

  • file: The top-level file (package.dhall by default) that is the entrypoint to the rest of the package

  • document: Set to true to generate documentation for the package

The buildDhallGitHubPackage is another higher-level function implemented in terms of buildDhallPackage that accepts the following arguments:

  • name: Same as buildDhallPackage

  • dependencies: Same as buildDhallPackage

  • source: Same as buildDhallPackage

  • owner: The owner of the repository

  • repo: The repository name

  • rev: The desired revision (or branch, or tag)

  • directory: The subdirectory of the Git repository to package (if a directory other than the root of the repository)

  • file: The top-level file (${directory}/package.dhall by default) that is the entrypoint to the rest of the package

  • document: Set to true to generate documentation for the package

Additionally, buildDhallGitHubPackage accepts the same arguments as fetchFromGitHub, such as hash or fetchSubmodules.

dhall-to-nixpkgs

You can use the dhall-to-nixpkgs command-line utility to automate packaging Dhall code. For example:

$ nix-shell -p haskellPackages.dhall-nixpkgs nix-prefetch-git
[nix-shell]$ dhall-to-nixpkgs github https://github.com/Gabriella439/dhall-semver.git
{ buildDhallGitHubPackage, Prelude }:
  buildDhallGitHubPackage {
    name = "dhall-semver";
    githubBase = "github.com";
    owner = "Gabriella439";
    repo = "dhall-semver";
    rev = "2d44ae605302ce5dc6c657a1216887fbb96392a4";
    fetchSubmodules = false;
    hash = "sha256-n0nQtswVapWi/x7or0O3MEYmAkt/a1uvlOtnje6GGnk=";
    directory = "";
    file = "package.dhall";
    source = false;
    document = false;
    dependencies = [ (Prelude.overridePackage { file = "package.dhall"; }) ];
    }

Note

nix-prefetch-git is added to the nix-shell -p invocation above, because it has to be in $PATH for dhall-to-nixpkgs to work.

The utility takes care of automatically detecting remote imports and converting them to package dependencies. You can also use the utility on local Dhall directories, too:

$ dhall-to-nixpkgs directory ~/proj/dhall-semver
{ buildDhallDirectoryPackage, Prelude }:
  buildDhallDirectoryPackage {
    name = "proj";
    src = ~/proj/dhall-semver;
    file = "package.dhall";
    source = false;
    document = false;
    dependencies = [ (Prelude.overridePackage { file = "package.dhall"; }) ];
    }

Remote imports as fixed-output derivations

dhall-to-nixpkgs has the ability to fetch and build remote imports as fixed-output derivations by using their Dhall integrity check. This is sometimes easier than manually packaging all remote imports.

This can be used like the following:

$ dhall-to-nixpkgs directory --fixed-output-derivations ~/proj/dhall-semver
{ buildDhallDirectoryPackage, buildDhallUrl }:
  buildDhallDirectoryPackage {
    name = "proj";
    src = ~/proj/dhall-semver;
    file = "package.dhall";
    source = false;
    document = false;
    dependencies = [
      (buildDhallUrl {
        url = "https://prelude.dhall-lang.org/v17.0.0/package.dhall";
        hash = "sha256-ENs8kZwl6QRoM9+Jeo/+JwHcOQ+giT2VjDQwUkvlpD4=";
        dhallHash = "sha256:10db3c919c25e9046833df897a8ffe2701dc390fa0893d958c3430524be5a43e";
        })
      ];
    }

Here, dhall-semver’s Prelude dependency is fetched and built with the buildDhallUrl helper function, instead of being passed in as a function argument.

Overriding dependency versions

Suppose that we change our true.dhall example expression to depend on an older version of the Prelude (19.0.0):

-- ./true.dhall

let Prelude =
      https://prelude.dhall-lang.org/v19.0.0/package.dhall
        sha256:eb693342eb769f782174157eba9b5924cf8ac6793897fc36a31ccbd6f56dafe2

in  Prelude.Bool.not False

If we try to rebuild that expression the build will fail:

$ nix build --file ./example.nix dhallPackages.true
builder for '/nix/store/0f1hla7ff1wiaqyk1r2ky4wnhnw114fi-true.drv' failed with exit code 1; last 10 log lines:

  Dhall was compiled without the 'with-http' flag.

  The requested URL was: https://prelude.dhall-lang.org/v19.0.0/package.dhall


  4│       https://prelude.dhall-lang.org/v19.0.0/package.dhall
  5│         sha256:eb693342eb769f782174157eba9b5924cf8ac6793897fc36a31ccbd6f56dafe2

  /nix/store/rsab4y99h14912h4zplqx2iizr5n4rc2-true.dhall:4:7
[1 built (1 failed), 0.0 MiB DL]
error: build of '/nix/store/0f1hla7ff1wiaqyk1r2ky4wnhnw114fi-true.drv' failed

… because the default Prelude selected by Nixpkgs revision 94b2848559b12a8ed1fe433084686b2a81123c99is is version 20.1.0, which doesn’t have the same integrity check as version 19.0.0. This means that version 19.0.0 is not cached and the interpreter is not allowed to fall back to importing the URL.

However, we can override the default Prelude version by using dhall-to-nixpkgs to create a Dhall package for our desired Prelude:

$ dhall-to-nixpkgs github https://github.com/dhall-lang/dhall-lang.git \
    --name Prelude \
    --directory Prelude \
    --rev v19.0.0 \
    > Prelude.nix

… and then referencing that package in our Dhall overlay, by either overriding the Prelude globally for all packages, like this:

{
  dhallOverrides = self: super: {
    true = self.callPackage ./true.nix { };

    Prelude = self.callPackage ./Prelude.nix { };
  };
}

… or selectively overriding the Prelude dependency for just the true package, like this:

{
  dhallOverrides = self: super: {
    true = self.callPackage ./true.nix {
      Prelude = self.callPackage ./Prelude.nix { };
    };
  };
}

Overrides

You can override any of the arguments to buildDhallGitHubPackage or buildDhallDirectoryPackage using the overridePackage attribute of a package. For example, suppose we wanted to selectively enable source = true just for the Prelude. We can do that like this:

{
  dhallOverrides = self: super: {
    Prelude = super.Prelude.overridePackage { source = true; };

    # ...
  };
}

D (Dlang)

Nixpkgs provides multiple D compilers such as ldc, dmd and gdc. These can be used like any other package during build time.

However, Nixpkgs provides a build helper for compiling packages using the dub package manager.

Here’s an example:

{
  lib,
  buildDubPackage,
  fetchFromGitHub,
  ncurses,
  zlib,
}:

buildDubPackage rec {
  pname = "btdu";
  version = "0.5.1";

  src = fetchFromGitHub {
    owner = "CyberShadow";
    repo = "btdu";
    rev = "v${version}";
    hash = "sha256-3sSZq+5UJH02IO0Y1yL3BLHDb4lk8k6awb5ZysBQciE=";
  };

  # generated by dub-to-nix, see below
  dubLock = ./dub-lock.json;

  buildInputs = [
    ncurses
    zlib
  ];

  installPhase = ''
    runHook preInstall
    install -Dm755 btdu -t $out/bin
    runHook postInstall
  '';
}

Note that you need to define installPhase because dub doesn’t know where files should go in $out.

Also note that running dub test is disabled by default. You can enable it by setting doCheck = true.

Lockfiles

Nixpkgs has its own lockfile format for dub dependencies, because dub’s official “lockfile” format (dub.selections.json) is not hash based.

A lockfile can be generated using the dub-to-nix helper package.

  • Firstly, install dub-to-nix into your shell session by running nix-shell -p dub-to-nix

  • Then navigate to the root of the source of the program you want to package

  • Finally, run dub-to-nix and it will print the lockfile to stdout. You could pipe stdout into a text file or just copy the output manually into a file.

buildDubPackage parameters

The buildDubPackage function takes an attrset of parameters that are passed on to stdenv.mkDerivation.

The following parameters are specific to buildDubPackage:

  • dubLock: A lockfile generated by dub-to-nix from the source of the package. Can be either a path to the file, or an attrset already parsed with lib.importJSON. The latter useful if the package uses dub dependencies not already in the lockfile. (e.g. if the package calls dub run some-dub-package manually)

  • dubBuildType ? "release": The build type to pass to dub build as a value for the --build= flag.

  • dubFlags ? []: The flags to pass to dub build and dub test.

  • dubBuildFlags ? []: The flags to pass to dub build.

  • dubTestFlags ? []: The flags to pass to dub test.

  • compiler ? ldc: The D compiler to be used by dub.

Dotnet

Local Development Workflow

For local development, it’s recommended to use nix-shell to create a dotnet environment:

# shell.nix
with import <nixpkgs> {};

mkShell {
  name = "dotnet-env";
  packages = [
    dotnet-sdk
  ];
}

Using many sdks in a workflow

It’s very likely that more than one sdk will be needed on a given project. Dotnet provides several different frameworks (E.g dotnetcore, aspnetcore, etc.) as well as many versions for a given framework. Normally, dotnet is able to fetch a framework and install it relative to the executable. However, this would mean writing to the nix store in nixpkgs, which is read-only. To support the many-sdk use case, one can compose an environment using dotnetCorePackages.combinePackages:

with import <nixpkgs> {};

mkShell {
  name = "dotnet-env";
  packages = [
    (with dotnetCorePackages; combinePackages [
      sdk_8_0
      sdk_9_0
    ])
  ];
}

This will produce a dotnet installation that has the dotnet 8.0 9.0 sdk. The first sdk listed will have it’s cli utility present in the resulting environment. Example info output:

$ dotnet --info
.NET SDK:
 Version:           9.0.100
 Commit:            59db016f11
 Workload version:  9.0.100-manifests.3068a692
 MSBuild version:   17.12.7+5b8665660

Runtime Environment:
 OS Name:     nixos
 OS Version:  25.05
 OS Platform: Linux
 RID:         linux-x64
 Base Path:   /nix/store/a03c70i7x6rjdr6vikczsp5ck3v6rixh-dotnet-sdk-9.0.100/share/dotnet/sdk/9.0.100/

.NET workloads installed:
There are no installed workloads to display.
Configured to use loose manifests when installing new manifests.

Host:
  Version:      9.0.0
  Architecture: x64
  Commit:       9d5a6a9aa4

.NET SDKs installed:
  8.0.404 [/nix/store/6wlrjiy10wg766490dcmp6x64zb1vc8j-dotnet-core-combined/share/dotnet/sdk]
  9.0.100 [/nix/store/6wlrjiy10wg766490dcmp6x64zb1vc8j-dotnet-core-combined/share/dotnet/sdk]

.NET runtimes installed:
  Microsoft.AspNetCore.App 8.0.11 [/nix/store/6wlrjiy10wg766490dcmp6x64zb1vc8j-dotnet-core-combined/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.AspNetCore.App 9.0.0 [/nix/store/6wlrjiy10wg766490dcmp6x64zb1vc8j-dotnet-core-combined/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 8.0.11 [/nix/store/6wlrjiy10wg766490dcmp6x64zb1vc8j-dotnet-core-combined/share/dotnet/shared/Microsoft.NETCore.App]
  Microsoft.NETCore.App 9.0.0 [/nix/store/6wlrjiy10wg766490dcmp6x64zb1vc8j-dotnet-core-combined/share/dotnet/shared/Microsoft.NETCore.App]

Other architectures found:
  None

Environment variables:
  Not set

global.json file:
  Not found

Learn more:
  https://aka.ms/dotnet/info

Download .NET:
  https://aka.ms/dotnet/download

dotnet-sdk vs dotnetCorePackages.sdk

The dotnetCorePackages.sdk_X_Y is preferred over the old dotnet-sdk as both major and minor version are very important for a dotnet environment. If a given minor version isn’t present (or was changed), then this will likely break your ability to build a project.

dotnetCorePackages.sdk vs dotnetCorePackages.runtime vs dotnetCorePackages.aspnetcore

The dotnetCorePackages.sdk contains both a runtime and the full sdk of a given version. The runtime and aspnetcore packages are meant to serve as minimal runtimes to deploy alongside already built applications.

Packaging a Dotnet Application

To package Dotnet applications, you can use buildDotnetModule. This has similar arguments to stdenv.mkDerivation, with the following additions:

  • projectFile is used for specifying the dotnet project file, relative to the source root. These have .sln (entire solution) or .csproj (single project) file extensions. This can be a list of multiple projects as well. When omitted, will attempt to find and build the solution (.sln). If running into problems, make sure to set it to a file (or a list of files) with the .csproj extension - building applications as entire solutions is not fully supported by the .NET CLI.

  • nugetDeps takes either a path to a deps.nix file, or a derivation. The deps.nix file can be generated using the script attached to passthru.fetch-deps. For compatibility, if the argument is a list of derivations, they will be added to buildInputs.

Note

For more detail about managing the deps.nix file, see Generating and updating NuGet dependencies

  • packNupkg is used to pack project as a nupkg, and installs it to $out/share. If set to true, the derivation can be used as a dependency for another dotnet project by adding it to buildInputs.

  • buildInputs can be used to resolve ProjectReference project items. Referenced projects can be packed with buildDotnetModule by setting the packNupkg = true attribute and passing a list of derivations to buildInputs. Since we are sharing referenced projects as NuGets they must be added to csproj/fsproj files as PackageReference as well. For example, your project has a local dependency:

    <ProjectReference Include="../foo/bar.fsproj" />

To enable discovery through buildInputs you would need to add:

    <ProjectReference Include="../foo/bar.fsproj" />
    <PackageReference Include="bar" Version="*" Condition=" '$(ContinuousIntegrationBuild)'=='true' "/>
  • executables is used to specify which executables get wrapped to $out/bin, relative to $out/lib/$pname. If this is unset, all executables generated will get installed. If you do not want to install any, set this to []. This gets done in the preFixup phase.

  • runtimeDeps is used to wrap libraries into LD_LIBRARY_PATH. This is how dotnet usually handles runtime dependencies.

  • buildType is used to change the type of build. Possible values are Release, Debug, etc. By default, this is set to Release.

  • selfContainedBuild allows to enable the self-contained build flag. By default, it is set to false and generated applications have a dependency on the selected dotnet runtime. If enabled, the dotnet runtime is bundled into the executable and the built app has no dependency on .NET.

  • useAppHost will enable creation of a binary executable that runs the .NET application using the specified root. More info in Microsoft docs. Enabled by default.

  • useDotnetFromEnv will change the binary wrapper so that it uses the .NET from the environment. The runtime specified by dotnet-runtime is given as a fallback in case no .NET is installed in the user’s environment. This is most useful for .NET global tools and LSP servers, which often extend the .NET CLI and their runtime should match the users’ .NET runtime.

  • dotnet-sdk is useful in cases where you need to change what dotnet SDK is being used. You can also set this to the result of dotnetSdkPackages.combinePackages, if the project uses multiple SDKs to build.

  • dotnet-runtime is useful in cases where you need to change what dotnet runtime is being used. This can be either a regular dotnet runtime, or an aspnetcore.

  • testProjectFile is useful in cases where the regular project file does not contain the unit tests. It gets restored and build, but not installed. You may need to regenerate your nuget lockfile after setting this. Note that if set, only tests from this project are executed.

  • testFilters is used to disable running unit tests based on various filters. This gets passed as: dotnet test --filter "{}", with each filter being concatenated using "&".

  • disabledTests is used to disable running specific unit tests. This gets passed as: dotnet test --filter "FullyQualifiedName!={}", to ensure compatibility with all unit test frameworks.

  • dotnetRestoreFlags can be used to pass flags to dotnet restore.

  • dotnetBuildFlags can be used to pass flags to dotnet build.

  • dotnetTestFlags can be used to pass flags to dotnet test. Used only if doCheck is set to true.

  • dotnetInstallFlags can be used to pass flags to dotnet install.

  • dotnetPackFlags can be used to pass flags to dotnet pack. Used only if packNupkg is set to true.

  • dotnetFlags can be used to pass flags to all of the above phases.

When packaging a new application, you need to fetch its dependencies. Create an empty deps.nix, set nugetDeps = ./deps.nix, then run nix-build -A package.fetch-deps to generate a script that will build the lockfile for you.

Here is an example default.nix, using some of the previously discussed arguments:

{ lib, buildDotnetModule, dotnetCorePackages, ffmpeg }:

let
  referencedProject = import ../../bar { /* ... */ };
in buildDotnetModule rec {
  pname = "someDotnetApplication";
  version = "0.1";

  src = ./.;

  projectFile = "src/project.sln";
  nugetDeps = ./deps.nix; # see "Generating and updating NuGet dependencies" section for details

  buildInputs = [ referencedProject ]; # `referencedProject` must contain `nupkg` in the folder structure.

  dotnet-sdk = dotnetCorePackages.sdk_8_0;
  dotnet-runtime = dotnetCorePackages.runtime_8_0;

  executables = [ "foo" ]; # This wraps "$out/lib/$pname/foo" to `$out/bin/foo`.
  executables = []; # Don't install any executables.

  packNupkg = true; # This packs the project as "foo-0.1.nupkg" at `$out/share`.

  runtimeDeps = [ ffmpeg ]; # This will wrap ffmpeg's library path into `LD_LIBRARY_PATH`.
}

Keep in mind that you can tag the @NixOS/dotnet team for help and code review.

Dotnet global tools

.NET Global tools are a mechanism provided by the dotnet CLI to install .NET binaries from Nuget packages.

They can be installed either as a global tool for the entire system, or as a local tool specific to project.

The local installation is the easiest and works on NixOS in the same way as on other Linux distributions. See dotnet documentation to learn more.

The global installation method should also work most of the time. You have to remember to update the PATH value to the location the tools are installed to (the CLI will inform you about it during installation) and also set the DOTNET_ROOT value, so that the tool can find the .NET SDK package. You can find the path to the SDK by running nix eval --raw nixpkgs#dotnet-sdk (substitute the dotnet-sdk package for another if a different SDK version is needed).

This method is not recommended on NixOS, since it’s not declarative and involves installing binaries not made for NixOS, which will not always work.

The third, and preferred way, is packaging the tool into a Nix derivation.

Packaging Dotnet global tools

Dotnet global tools are standard .NET binaries, just made available through a special NuGet package. Therefore, they can be built and packaged like every .NET application, using buildDotnetModule.

If however the source is not available or difficult to build, the buildDotnetGlobalTool helper can be used, which will package the tool straight from its NuGet package.

This helper has the same arguments as buildDotnetModule, with a few differences:

  • pname and version are required, and will be used to find the NuGet package of the tool

  • nugetName can be used to override the NuGet package name that will be downloaded, if it’s different from pname

  • nugetHash is the hash of the fetched NuGet package. nugetSha256 is also supported, but not recommended. Set this to lib.fakeHash for the first build, and it will error out, giving you the proper hash. Also remember to update it during version updates (it will not error out if you just change the version while having a fetched package in /nix/store)

  • dotnet-runtime is set to dotnet-sdk by default. When changing this, remember that .NET tools fetched from NuGet require an SDK.

Here is an example of packaging pbm, an unfree binary without source available:

{ buildDotnetGlobalTool, lib }:

buildDotnetGlobalTool {
  pname = "pbm";
  version = "1.3.1";

  nugetHash = "sha256-ZG2HFyKYhVNVYd2kRlkbAjZJq88OADe3yjxmLuxXDUo=";

  meta = {
    homepage = "https://cmd.petabridge.com/index.html";
    changelog = "https://cmd.petabridge.com/articles/RELEASE_NOTES.html";
    license = lib.licenses.unfree;
    platforms = lib.platforms.linux;
  };
}

Generating and updating NuGet dependencies

When writing a new expression, you can use the generated fetch-deps script to initialise the lockfile. After setting nugetDeps to the desired location of the lockfile (e.g. ./deps.nix), build the script with nix-build -A package.fetch-deps and then run the result. (When the root attr is your package, it’s simply nix-build -A fetch-deps.)

There is also a manual method: First, restore the packages to the out directory, ensure you have cloned the upstream repository and you are inside it.

$ dotnet restore --packages out
  Determining projects to restore...
  Restored /home/lychee/Celeste64/Celeste64.csproj (in 1.21 sec).

Next, use nuget-to-nix tool provided in nixpkgs to generate a lockfile to deps.nix from the packages inside the out directory.

$ nuget-to-nix out > deps.nix

Which nuget-to-nix will generate an output similar to below

{ fetchNuGet }: [
  (fetchNuGet { pname = "FosterFramework"; version = "0.1.15-alpha"; hash = "sha256-lM6eYgOGjl1fx6WFD7rnRi/YAQieM0mx60h0p5dr+l8="; })
  (fetchNuGet { pname = "Microsoft.AspNetCore.App.Runtime.linux-x64"; version = "8.0.1"; hash = "sha256-QbUQXjCzr8j8u/5X0af9jE++EugdoxMhT08F49MZX74="; })
  (fetchNuGet { pname = "Microsoft.NET.ILLink.Tasks"; version = "8.0.1"; hash = "sha256-SopZpGaZ48/8dpUwDFDM3ix+g1rP4Yqs1PGuzRp+K7c="; })
  (fetchNuGet { pname = "Microsoft.NETCore.App.Runtime.linux-x64"; version = "8.0.1"; hash = "sha256-jajBI5GqG2IIcsIMgxTHfXbMapoXrZGl/EEhShwYq7w="; })
  (fetchNuGet { pname = "SharpGLTF.Core"; version = "1.0.0-alpha0031"; hash = "sha256-Bs4baD5wNIH6wAbGK4Xaem0i3luQkOQs37izBWdFx1I="; })
  (fetchNuGet { pname = "SharpGLTF.Runtime"; version = "1.0.0-alpha0031"; hash = "sha256-TwJO6b8ubmwBQh6NyHha8+JT5zHDJ4dROBbsEbUaa1M="; })
  (fetchNuGet { pname = "Sledge.Formats"; version = "1.2.2"; hash = "sha256-0Ddhuwpu3wwIzA4NuPaEVdMkx6tUukh8uKD6nKoxFPg="; })
  (fetchNuGet { pname = "Sledge.Formats.Map"; version = "1.1.5"; hash = "sha256-hkYJ2iWIz7vhPWlDOw2fvTenlh+4/D/37Z71tCEwnK8="; })
  (fetchNuGet { pname = "System.Numerics.Vectors"; version = "4.5.0"; hash = "sha256-qdSTIFgf2htPS+YhLGjAGiLN8igCYJnCCo6r78+Q+c8="; })
]

Finally, you move the deps.nix file to the appropriate location to be used by nugetDeps, then you’re all set!

If you ever need to update the dependencies of a package, you instead do

  • nix-build -A package.fetch-deps to generate the update script for package

  • Run ./result to regenerate the lockfile to the path passed for nugetDeps (keep in mind if it can’t be resolved to a local path, the script will write to $1 or a temporary path instead)

  • Finally, ensure the correct file was written and the derivation can be built.

Emscripten

Emscripten: An LLVM-to-JavaScript Compiler

If you want to work with emcc, emconfigure and emmake as you are used to from Ubuntu and similar distributions,

nix-shell -p emscripten

A few things to note:

  • export EMCC_DEBUG=2 is nice for debugging

  • The build artifact cache in ~/.emscripten sometimes creates issues and needs to be removed from time to time

Examples

Let’s see two different examples from pkgs/top-level/emscripten-packages.nix:

  • pkgs.zlib.override

  • pkgs.buildEmscriptenPackage

A special requirement of the pkgs.buildEmscriptenPackage is the doCheck = true. This means each Emscripten package requires that a checkPhase is implemented.

  • Use export EMCC_DEBUG=2 from within a phase to get more detailed debug output what is going wrong.

  • The cache at ~/.emscripten requires to set HOME=$TMPDIR in individual phases. This makes compilation slower but also more deterministic.

Example 334. Using pkgs.zlib.override {}

This example uses zlib from Nixpkgs, but instead of compiling C to ELF it compiles C to JavaScript since we were using pkgs.zlib.override and changed stdenv to pkgs.emscriptenStdenv.

A few adaptions and hacks were put in place to make it work. One advantage is that when pkgs.zlib is updated, it will automatically update this package as well.

(pkgs.zlib.override {
  stdenv = pkgs.emscriptenStdenv;
}).overrideAttrs
(old: rec {
  buildInputs = old.buildInputs ++ [ pkg-config ];
  # we need to reset this setting!
  env = (old.env or { }) // { NIX_CFLAGS_COMPILE = ""; };
  configurePhase = ''
    # FIXME: Some tests require writing at $HOME
    HOME=$TMPDIR
    runHook preConfigure

    #export EMCC_DEBUG=2
    emconfigure ./configure --prefix=$out --shared

    runHook postConfigure
  '';
  dontStrip = true;
  outputs = [ "out" ];
  buildPhase = ''
    emmake make
  '';
  installPhase = ''
    emmake make install
  '';
  checkPhase = ''
    echo "================= testing zlib using node ================="

    echo "Compiling a custom test"
    set -x
    emcc -O2 -s EMULATE_FUNCTION_POINTER_CASTS=1 test/example.c -DZ_SOLO \
    libz.so.${old.version} -I . -o example.js

    echo "Using node to execute the test"
    ${pkgs.nodejs}/bin/node ./example.js

    set +x
    if [ $? -ne 0 ]; then
      echo "test failed for some reason"
      exit 1;
    else
      echo "it seems to work! very good."
    fi
    echo "================= /testing zlib using node ================="
  '';

  postPatch = pkgs.lib.optionalString pkgs.stdenv.hostPlatform.isDarwin ''
    substituteInPlace configure \
      --replace-fail '/usr/bin/libtool' 'ar' \
      --replace-fail 'AR="libtool"' 'AR="ar"' \
      --replace-fail 'ARFLAGS="-o"' 'ARFLAGS="-r"'
  '';
})
Example 335. Using pkgs.buildEmscriptenPackage {}

This xmlmirror example features an Emscripten package that is defined completely from this context and no pkgs.zlib.override is used.

pkgs.buildEmscriptenPackage rec {
  name = "xmlmirror";

  buildInputs = [ pkg-config autoconf automake libtool gnumake libxml2 nodejs openjdk json_c ];
  nativeBuildInputs = [ pkg-config zlib ];

  src = pkgs.fetchgit {
    url = "https://gitlab.com/odfplugfest/xmlmirror.git";
    rev = "4fd7e86f7c9526b8f4c1733e5c8b45175860a8fd";
    hash = "sha256-i+QgY+5PYVg5pwhzcDnkfXAznBg3e8sWH2jZtixuWsk=";
  };

  configurePhase = ''
    rm -f fastXmlLint.js*
    # a fix for ERROR:root:For asm.js, TOTAL_MEMORY must be a multiple of 16MB, was 234217728
    # https://gitlab.com/odfplugfest/xmlmirror/issues/8
    sed -e "s/TOTAL_MEMORY=234217728/TOTAL_MEMORY=268435456/g" -i Makefile.emEnv
    # https://github.com/kripken/emscripten/issues/6344
    # https://gitlab.com/odfplugfest/xmlmirror/issues/9
    sed -e "s/\$(JSONC_LDFLAGS) \$(ZLIB_LDFLAGS) \$(LIBXML20_LDFLAGS)/\$(JSONC_LDFLAGS) \$(LIBXML20_LDFLAGS) \$(ZLIB_LDFLAGS) /g" -i Makefile.emEnv
    # https://gitlab.com/odfplugfest/xmlmirror/issues/11
    sed -e "s/-o fastXmlLint.js/-s EXTRA_EXPORTED_RUNTIME_METHODS='[\"ccall\", \"cwrap\"]' -o fastXmlLint.js/g" -i Makefile.emEnv
  '';

  buildPhase = ''
    HOME=$TMPDIR
    make -f Makefile.emEnv
  '';

  outputs = [ "out" "doc" ];

  installPhase = ''
    mkdir -p $out/share
    mkdir -p $doc/share/${name}

    cp Demo* $out/share
    cp -R codemirror-5.12 $out/share
    cp fastXmlLint.js* $out/share
    cp *.xsd $out/share
    cp *.js $out/share
    cp *.xhtml $out/share
    cp *.html $out/share
    cp *.json $out/share
    cp *.rng $out/share
    cp README.md $doc/share/${name}
  '';
  checkPhase = ''

  '';
}


Debugging

Use nix-shell -I nixpkgs=/some/dir/nixpkgs -A emscriptenPackages.libz and from there you can go trough the individual steps. This makes it easy to build a good unit test or list the files of the project.

  1. nix-shell -I nixpkgs=/some/dir/nixpkgs -A emscriptenPackages.libz

  2. cd /tmp/

  3. unpackPhase

  4. cd libz-1.2.3

  5. configurePhase

  6. buildPhase

  7. … happy hacking…

GNOME

Packaging GNOME applications

Programs in the GNOME universe are written in various languages but they all use GObject-based libraries like GLib, GTK or GStreamer. These libraries are often modular, relying on looking into certain directories to find their modules. However, due to Nix’s specific file system organization, this will fail without our intervention. Fortunately, the libraries usually allow overriding the directories through environment variables, either natively or thanks to a patch in nixpkgs. Wrapping the executables to ensure correct paths are available to the application constitutes a significant part of packaging a modern desktop application. In this section, we will describe various modules needed by such applications, environment variables needed to make the modules load, and finally a script that will do the work for us.

Settings

GSettings API is often used for storing settings. GSettings schemas are required, to know the type and other metadata of the stored values. GLib looks for glib-2.0/schemas/gschemas.compiled files inside the directories of XDG_DATA_DIRS.

On Linux, GSettings API is implemented using dconf backend. You will need to add dconf GIO module to GIO_EXTRA_MODULES variable, otherwise the memory backend will be used and the saved settings will not be persistent.

Last you will need the dconf database D-Bus service itself. You can enable it using programs.dconf.enable.

Some applications will also require gsettings-desktop-schemas for things like reading proxy configuration or user interface customization. This dependency is often not mentioned by upstream, you should grep for org.gnome.desktop and org.gnome.system to see if the schemas are needed.

GIO modules

GLib’s GIO library supports several extension points. Notably, they allow:

  • implementing settings backends (already mentioned)

  • adding TLS support

  • proxy settings

  • virtual file systems

The modules are typically installed to lib/gio/modules/ directory of a package and you need to add them to GIO_EXTRA_MODULES if you need any of those features.

In particular, we recommend:

  • adding dconf.lib for any software on Linux that reads GSettings (even transitively through e.g. GTK’s file manager)

  • adding glib-networking for any software that accesses network using GIO or libsoup – glib-networking contains a module that implements TLS support and loads system-wide proxy settings

To allow software to use various virtual file systems, gvfs package can be also added. But that is usually an optional feature so we typically use gvfs from the system (e.g. installed globally using NixOS module).

GdkPixbuf loaders

GTK applications typically use GdkPixbuf to load images. But gdk-pixbuf package only supports basic bitmap formats like JPEG, PNG or TIFF, requiring to use third-party loader modules for other formats. This is especially painful since GTK itself includes SVG icons, which cannot be rendered without a loader provided by librsvg.

Unlike other libraries mentioned in this section, GdkPixbuf only supports a single value in its controlling environment variable GDK_PIXBUF_MODULE_FILE. It is supposed to point to a cache file containing information about the available loaders. Each loader package will contain a lib/gdk-pixbuf-2.0/2.10.0/loaders.cache file describing the default loaders in gdk-pixbuf package plus the loader contained in the package itself. If you want to use multiple third-party loaders, you will need to create your own cache file manually. Fortunately, this is pretty rare as not many loaders exist.

gdk-pixbuf contains a setup hook that sets GDK_PIXBUF_MODULE_FILE from dependencies but as mentioned in further section, it is pretty limited. Loaders should propagate this setup hook.

Icons

When an application uses icons, an icon theme should be available in XDG_DATA_DIRS during runtime. The package for the default, icon-less hicolor-icon-theme (should be propagated by every icon theme) contains a setup hook that will pick up icon themes from buildInputs and add their datadirs to XDG_ICON_DIRS environment variable (this is Nixpkgs specific, not actually a XDG standard variable). Unfortunately, relying on that would mean every user has to download the theme included in the package expression no matter their preference. For that reason, we leave the installation of icon theme on the user. If you use one of the desktop environments, you probably already have an icon theme installed.

In the rare case you need to use icons from dependencies (e.g. when an app forces an icon theme), you can use the following to pick them up:

{
  buildInputs = [
    pantheon.elementary-icon-theme
  ];
  preFixup = ''
    gappsWrapperArgs+=(
      # The icon theme is hardcoded.
      --prefix XDG_DATA_DIRS : "$XDG_ICON_DIRS"
    )
  '';
}

To avoid costly file system access when locating icons, GTK, as well as Qt, can rely on icon-theme.cache files from the themes’ top-level directories. These files are generated using gtk-update-icon-cache, which is expected to be run whenever an icon is added or removed to an icon theme (typically an application icon into hicolor theme) and some programs do indeed run this after icon installation. However, since packages are installed into their own prefix by Nix, this would lead to conflicts. For that reason, gtk3 provides a setup hook that will clean the file from installation. Since most applications only ship their own icon that will be loaded on start-up, it should not affect them too much. On the other hand, icon themes are much larger and more widely used so we need to cache them. Because we recommend installing icon themes globally, we will generate the cache files from all packages in a profile using a NixOS module. You can enable the cache generation using gtk.iconCache.enable option if your desktop environment does not already do that.

Packaging icon themes

Icon themes may inherit from other icon themes. The inheritance is specified using the Inherits key in the index.theme file distributed with the icon theme. According to the icon theme specification, icons not provided by the theme are looked for in its parent icon themes. Therefore the parent themes should be installed as dependencies for a more complete experience regarding the icon sets used.

The package hicolor-icon-theme provides a setup hook which makes symbolic links for the parent themes into the directory share/icons of the current theme directory in the nix store, making sure they can be found at runtime. For that to work the packages providing parent icon themes should be listed as propagated build dependencies, together with hicolor-icon-theme.

Also make sure that icon-theme.cache is installed for each theme provided by the package, and set dontDropIconThemeCache to true so that the cache file is not removed by the gtk3 setup hook.

GTK Themes

Previously, a GTK theme needed to be in XDG_DATA_DIRS. This is no longer necessary for most programs since GTK incorporated Adwaita theme. Some programs (for example, those designed for elementary HIG) might require a special theme like pantheon.elementary-gtk-theme.

GObject introspection typelibs

GObject introspection allows applications to use C libraries in other languages easily. It does this through typelib files searched in GI_TYPELIB_PATH.

Various plug-ins

If your application uses GStreamer or Grilo, you should set GST_PLUGIN_SYSTEM_PATH_1_0 and GRL_PLUGIN_PATH, respectively.

Onto wrapGApps* hooks

Given the requirements above, the package expression would become messy quickly:

{
  preFixup = ''
    for f in $(find $out/bin/ $out/libexec/ -type f -executable); do
      wrapProgram "$f" \
        --prefix GIO_EXTRA_MODULES : "${getLib dconf}/lib/gio/modules" \
        --prefix XDG_DATA_DIRS : "$out/share" \
        --prefix XDG_DATA_DIRS : "$out/share/gsettings-schemas/${name}" \
        --prefix XDG_DATA_DIRS : "${gsettings-desktop-schemas}/share/gsettings-schemas/${gsettings-desktop-schemas.name}" \
        --prefix XDG_DATA_DIRS : "${hicolor-icon-theme}/share" \
        --prefix GI_TYPELIB_PATH : "${lib.makeSearchPath "lib/girepository-1.0" [ pango json-glib ]}"
    done
  '';
}

Fortunately, we have a family of hooks that automate this. They work in conjunction with other setup hooks that populate environment variables, and will then wrap all executables in bin and libexec directories using said variables.

  • wrapGAppsHook3 for GTK 3 apps. For convenience, it also adds dconf.lib for a GIO module implementing a GSettings backend using dconf, gtk3 for GSettings schemas, and librsvg for GdkPixbuf loader to the closure.

  • wrapGAppsHook4 for GTK 4 apps. Same as wrapGAppsHook3 but replaces gtk3 with gtk4.

  • wrapGAppsNoGuiHook for programs without a graphical interface. Same as the above but does not bring gtk3 and librsvg into the closure.

The hooks do the the following:

  • wrapGApps* hook itself will add the package’s share directory to XDG_DATA_DIRS.

  • glib setup hook will populate GSETTINGS_SCHEMAS_PATH and then wrapGApps* hook will prepend it to XDG_DATA_DIRS.

  • gdk-pixbuf setup hook will populate GDK_PIXBUF_MODULE_FILE with the path to biggest loaders.cache file from the dependencies containing GdkPixbuf loaders. This works fine when there are only two packages containing loaders (gdk-pixbuf and e.g. librsvg) – it will choose the second one, reasonably expecting that it will be bigger since it describes extra loader in addition to the default ones. But when there are more than two loader packages, this logic will break. One possible solution would be constructing a custom cache file for each package containing a program like services/x11/gdk-pixbuf.nix NixOS module does. wrapGApps* hook copies the GDK_PIXBUF_MODULE_FILE environment variable into the produced wrapper.

  • One of gtk3’s setup hooks will remove icon-theme.cache files from package’s icon theme directories to avoid conflicts. Icon theme packages should prevent this with dontDropIconThemeCache = true;.

  • dconf.lib is a dependency of wrapGApps* hook, which then also adds it to the GIO_EXTRA_MODULES variable.

  • hicolor-icon-theme’s setup hook will add icon themes to XDG_ICON_DIRS.

  • gobject-introspection setup hook populates GI_TYPELIB_PATH variable with lib/girepository-1.0 directories of dependencies, which is then added to wrapper by wrapGApps* hook. It also adds share directories of dependencies to XDG_DATA_DIRS, which is intended to promote GIR files but it also pollutes the closures of packages using wrapGApps* hook.

  • Setup hooks of gst_all_1.gstreamer and grilo will populate the GST_PLUGIN_SYSTEM_PATH_1_0 and GRL_PLUGIN_PATH variables, respectively, which will then be added to the wrapper by wrapGApps* hook.

You can also pass additional arguments to makeWrapper using gappsWrapperArgs in preFixup hook:

{
  preFixup = ''
    gappsWrapperArgs+=(
      # Thumbnailers
      --prefix XDG_DATA_DIRS : "${gdk-pixbuf}/share"
      --prefix XDG_DATA_DIRS : "${librsvg}/share"
      --prefix XDG_DATA_DIRS : "${shared-mime-info}/share"
    )
  '';
}

Updating GNOME packages

Most GNOME package offer updateScript, it is therefore possible to update to latest source tarball by running nix-shell maintainers/scripts/update.nix --argstr package nautilus or even en masse with nix-shell maintainers/scripts/update.nix --argstr path gnome. Read the package’s NEWS file to see what changed.

Frequently encountered issues

GLib-GIO-ERROR **: 06:04:50.903: No GSettings schemas are installed on the system

There are no schemas available in XDG_DATA_DIRS. Temporarily add a random package containing schemas like gsettings-desktop-schemas to buildInputs. glib and wrapGApps* setup hooks will take care of making the schemas available to application and you will see the actual missing schemas with the next error. Or you can try looking through the source code for the actual schemas used.

GLib-GIO-ERROR **: 06:04:50.903: Settings schema ‘org.gnome.foo’ is not installed

Package is missing some GSettings schemas. You can find out the package containing the schema with nix-locate org.gnome.foo.gschema.xml and let the hooks handle the wrapping as above.

When using wrapGApps* hook with special derivers or hooks you can end up with double wrapped binaries.

This is because some setup hooks like qt6.wrapQtAppsHook also wrap programs using makeWrapper. Likewise, some derivers (e.g. python.pkgs.buildPythonApplication) automatically pull in their own setup hooks that produce wrappers.

The simplest workaround is to disable the wrapGApps* hook’s automatic wrapping using dontWrapGApps = true; while passing its makeWrapper arguments to another wrapper.

In the case of a Python application it could look like:

python3.pkgs.buildPythonApplication {
  pname = "gnome-music";
  version = "3.32.2";

  nativeBuildInputs = [
    wrapGAppsHook3
    gobject-introspection
    # ...
  ];

  dontWrapGApps = true;

  # Arguments to be passed to `makeWrapper`, only used by buildPython*
  preFixup = ''
    makeWrapperArgs+=("''${gappsWrapperArgs[@]}")
  '';
}

And for a QT app like:

stdenv.mkDerivation {
  pname = "calibre";
  version = "3.47.0";

  nativeBuildInputs = [
    wrapGAppsHook3
    qt6.wrapQtAppsHook
    qmake
    # ...
  ];

  dontWrapGApps = true;

  preFixup = ''
    qtWrapperArgs+=("''${gappsWrapperArgs[@]}")
  '';
}

I am packaging a project that cannot be wrapped, like a library or GNOME Shell extension.

You can rely on applications depending on the library setting the necessary environment variables but that is often easy to miss. Instead we recommend to patch the paths in the source code whenever possible. Here are some examples:

I need to wrap a binary outside bin and libexec directories.

You can manually trigger the wrapping with wrapGApp in preFixup phase. It takes a path to a program as a first argument; the remaining arguments are passed directly to wrapProgram function.

Go

Building Go modules with buildGoModule

The function buildGoModule builds Go programs managed with Go modules. It builds Go Modules through a two phase build:

  • An intermediate fetcher derivation called goModules. This derivation will be used to fetch all the dependencies of the Go module.

  • A final derivation will use the output of the intermediate derivation to build the binaries and produce the final output.

Attributes of buildGoModule

The buildGoModule function accepts the following parameters in addition to the attributes accepted by both Go builders:

  • vendorHash: is the hash of the output of the intermediate fetcher derivation (the dependencies of the Go modules).

    vendorHash can be set to null. In that case, rather than fetching the dependencies, the dependencies already vendored in the vendor directory of the source repo will be used.

    To avoid updating this field when dependencies change, run go mod vendor in your source repo and set vendorHash = null;. You can read more about vendoring in the Go documentation.

    To obtain the actual hash, set vendorHash = lib.fakeHash; and run the build (more details here).

  • proxyVendor: If true, the intermediate fetcher downloads dependencies from the Go module proxy (using go mod download) instead of vendoring them. The resulting module cache is then passed to the final derivation.

    This is useful if your code depends on C code and go mod tidy does not include the needed sources to build or if any dependency has case-insensitive conflicts which will produce platform-dependent vendorHash checksums.

    Defaults to false.

  • modPostBuild: Shell commands to run after the build of the goModules executes go mod vendor, and before calculating fixed output derivation’s vendorHash. Note that if you change this attribute, you need to update vendorHash attribute.

  • modRoot: The root directory of the Go module that contains the go.mod file. Defaults to ./, which is the root of src.

Example for buildGoModule

The following is an example expression using buildGoModule:

{
  pet = buildGoModule rec {
    pname = "pet";
    version = "0.3.4";

    src = fetchFromGitHub {
      owner = "knqyf263";
      repo = "pet";
      rev = "v${version}";
      hash = "sha256-Gjw1dRrgM8D3G7v6WIM2+50r4HmTXvx0Xxme2fH9TlQ=";
    };

    vendorHash = "sha256-ciBIR+a1oaYH+H1PcC8cD8ncfJczk1IiJ8iYNM+R6aA=";

    meta = {
      description = "Simple command-line snippet manager, written in Go";
      homepage = "https://github.com/knqyf263/pet";
      license = lib.licenses.mit;
      maintainers = with lib.maintainers; [ kalbasit ];
    };
  };
}

Obtaining and overriding vendorHash for buildGoModule

We can use nix-prefetch to obtain the actual hash. The following command gets the value of vendorHash for package pet:

cd path/to/nixpkgs
nix-prefetch -E "{ sha256 }: ((import ./. { }).my-package.overrideAttrs { vendorHash = sha256; }).goModules"

To obtain the hash without external tools, set vendorHash = lib.fakeHash; and run the build. (more details here).

vendorHash can be overridden with overrideAttrs. Override the above example like this:

{
  pet_0_4_0 = pet.overrideAttrs (
    finalAttrs: previousAttrs: {
      version = "0.4.0";
      src = fetchFromGitHub {
        inherit (previousAttrs.src) owner repo;
        rev = "v${finalAttrs.version}";
        hash = "sha256-gVTpzmXekQxGMucDKskGi+e+34nJwwsXwvQTjRO6Gdg=";
      };
      vendorHash = "sha256-dUvp7FEW09V0xMuhewPGw3TuAic/sD7xyXEYviZ2Ivs=";
    }
  );
}

Overriding goModules

Overriding <pkg>.goModules by calling goModules.overrideAttrs is unsupported. Still, it is possible to override the vendorHash (goModules’s outputHash) and the pre/post hooks for both the build and patch phases of the primary and goModules derivation. Alternatively, the primary derivation provides an overridable passthru.overrideModAttrs function to store the attribute overlay implicitly taken by goModules.overrideAttrs. Here’s an example usage of overrideModAttrs:

{
  pet-overridden = pet.overrideAttrs (
    finalAttrs: previousAttrs: {
      passthru = previousAttrs.passthru // {
        # If the original package has an `overrideModAttrs` attribute set, you'd
        # want to extend it, and not replace it. Hence we use
        # `lib.composeExtensions`. If you are sure the `overrideModAttrs` of the
        # original package trivially does nothing, you can safely replace it
        # with your own by not using `lib.composeExtensions`.
        overrideModAttrs = lib.composeExtensions previousAttrs.passthru.overrideModAttrs (
          finalModAttrs: previousModAttrs: {
            # goModules-specific overriding goes here
            postBuild = ''
              # Here you have access to the `vendor` directory.
              substituteInPlace vendor/github.com/example/repo/file.go \
                --replace-fail "panic(err)" ""
            '';
          }
        );
      };
    }
  );
}

buildGoPackage (legacy)

The function buildGoPackage builds legacy Go programs, not supporting Go modules.

Warning

buildGoPackage is deprecated and will be removed for the 25.05 release.

Migrating from buildGoPackage to buildGoModule

Go modules, released 6y ago, are now widely adopted in the ecosystem. Most upstream projects are using Go modules, and the tooling previously used for dependency management in Go is mostly deprecated, archived or at least unmaintained at this point.

In case a project doesn’t have external dependencies or dependencies are vendored in a way understood by go mod init, migration can be done with a few changes in the package.

  • Switch the builder from buildGoPackage to buildGoModule

  • Remove goPackagePath and other attributes specific to buildGoPackage

  • Set vendorHash = null;

  • Run go mod init <module name> in postPatch

In case the package has external dependencies that aren’t vendored or the build setup is more complex the upstream source might need to be patched. Examples for the migration can be found in the issue tracking migration withing nixpkgs.

Example for buildGoPackage

In the following is an example expression using buildGoPackage, the following arguments are of special significance to the function:

  • goPackagePath specifies the package’s canonical Go import path.

  • goDeps is where the Go dependencies of a Go program are listed as a list of package source identified by Go import path. It could be imported as a separate deps.nix file for readability. The dependency data structure is described below.

{
  deis = buildGoPackage rec {
    pname = "deis";
    version = "1.13.0";

    goPackagePath = "github.com/deis/deis";

    src = fetchFromGitHub {
      owner = "deis";
      repo = "deis";
      rev = "v${version}";
      hash = "sha256-XCPD4LNWtAd8uz7zyCLRfT8rzxycIUmTACjU03GnaeM=";
    };

    goDeps = ./deps.nix;
  };
}

The goDeps attribute can be imported from a separate nix file that defines which Go libraries are needed and should be included in GOPATH for buildPhase:

# deps.nix
[ # goDeps is a list of Go dependencies.
  {
    # goPackagePath specifies Go package import path.
    goPackagePath = "gopkg.in/yaml.v2";
    fetch = {
      # `fetch type` that needs to be used to get package source.
      # If `git` is used there should be `url`, `rev` and `hash` defined next to it.
      type = "git";
      url = "https://gopkg.in/yaml.v2";
      rev = "a83829b6f1293c91addabc89d0571c246397bbf4";
      hash = "sha256-EMrdy0M0tNuOcITaTAmT5/dPSKPXwHDKCXFpkGbVjdQ=";
    };
  }
  {
    goPackagePath = "github.com/docopt/docopt-go";
    fetch = {
      type = "git";
      url = "https://github.com/docopt/docopt-go";
      rev = "784ddc588536785e7299f7272f39101f7faccc3f";
      hash = "sha256-Uo89zjE+v3R7zzOq/gbQOHj3SMYt2W1nDHS7RCUin3M=";
    };
  }
]

To extract dependency information from a Go package in automated way use go2nix (deprecated). It can produce complete derivation and goDeps file for Go programs.

You may use Go packages installed into the active Nix profiles by adding the following to your ~/.bashrc:

for p in $NIX_PROFILES; do
    GOPATH="$p/share/go:$GOPATH"
done

Attributes used by both builders

Many attributes controlling the build phase are respected by both buildGoModule and buildGoPackage. Note that buildGoModule reads the following attributes also when building the vendor/ goModules fixed output derivation as well:

To control test execution of the build derivation, the following attributes are of interest:

In addition to the above attributes, and the many more variables respected also by stdenv.mkDerivation, both buildGoModule and buildGoPackage respect Go-specific attributes that tweak them to behave slightly differently:

ldflags

A string list of flags to pass to the Go linker tool via the -ldflags argument of go build. Possible values can be retrieved by running go tool link --help. The most common use case for this argument is to make the resulting executable aware of its own version by injecting the value of string variable using the -X flag. For example:

{
  ldflags = [
    "-X main.Version=${version}"
    "-X main.Commit=${version}"
  ];
}

tags

A string list of Go build tags (also called build constraints) that are passed via the -tags argument of go build. These constraints control whether Go files from the source should be included in the build. For example:

{
  tags = [
    "production"
    "sqlite"
  ];
}

Tags can also be set conditionally:

{
  tags = [ "production" ] ++ lib.optionals withSqlite [ "sqlite" ];
}

deleteVendor

If set to true, removes the pre-existing vendor directory. This should only be used if the dependencies included in the vendor folder are broken or incomplete.

subPackages

Specified as a string or list of strings. Limits the builder from building child packages that have not been listed. If subPackages is not specified, all child packages will be built.

Many Go projects keep the main package in a cmd directory. Following example could be used to only build the example-cli and example-server binaries:

{
  subPackages = [
    "cmd/example-cli"
    "cmd/example-server"
  ];
}

excludedPackages

Specified as a string or list of strings. Causes the builder to skip building child packages that match any of the provided values.

CGO_ENABLED

When set to 0, the cgo command is disabled. As consequence, the build program can’t link against C libraries anymore, and the resulting binary is statically linked.

When building with CGO enabled, Go will likely link some packages from the Go standard library against C libraries, even when the target code does not explicitly call into C dependencies. With CGO_ENABLED = 0;, Go will always use the Go native implementation of these internal packages. For reference see net and os/user packages. Notice that the decision whether these packages should use native Go implementation or not can also be controlled on a per package level using build tags (tags). In case CGO is disabled, these tags have no additional effect.

When a Go program depends on C libraries, place those dependencies in buildInputs:

{
  buildInputs = [
    libvirt
    libxml2
  ];
}

CGO_ENABLED defaults to 1.

enableParallelBuilding

Whether builds and tests should run in parallel.

Defaults to true.

allowGoReference

Whether the build result should be allowed to contain references to the Go tool chain. This might be needed for programs that are coupled with the compiler, but shouldn’t be set without a good reason.

Defaults to false

Controlling the Go environment

The Go build can be further tweaked by setting environment variables. In most cases, this isn’t needed. Possible values can be found in the Go documentation of accepted environment variables. Notice that some of these flags are set by the builder itself and should not be set explicitly. If in doubt, grep the implementation of the builder.

Skipping tests

buildGoModule runs tests by default. Failing tests can be disabled using the checkFlags parameter. This is done with the -skip or -run flags of the go test command.

For example, only a selection of tests could be run with:

{
  # -run and -skip accept regular expressions
  checkFlags = [
    "-run=^Test(Simple|Fast)$"
  ];
}

If a larger amount of tests should be skipped, the following pattern can be used:

{
  checkFlags =
    let
      # Skip tests that require network access
      skippedTests = [
        "TestNetwork"
        "TestDatabase/with_mysql" # exclude only the subtest
        "TestIntegration"
      ];
    in
    [ "-skip=^${builtins.concatStringsSep "$|^" skippedTests}$" ];
}

To disable tests altogether, set doCheck = false;. buildGoPackage does not execute tests by default.

Gradle

Gradle is a popular build tool for Java/Kotlin. Gradle itself doesn’t currently provide tools to make dependency resolution reproducible, so nixpkgs has a proxy designed for intercepting Gradle web requests to record dependencies so they can be restored in a reproducible fashion.

Building a Gradle package

Here’s how a typical derivation will look like:

stdenv.mkDerivation (finalAttrs: {
  pname = "pdftk";
  version = "3.3.3";

  src = fetchFromGitLab {
    owner = "pdftk-java";
    repo = "pdftk";
    rev = "v${finalAttrs.version}";
    hash = "sha256-ciKotTHSEcITfQYKFZ6sY2LZnXGChBJy0+eno8B3YHY=";
  };

  nativeBuildInputs = [ gradle ];

  # if the package has dependencies, mitmCache must be set
  mitmCache = gradle.fetchDeps {
    inherit (finalAttrs) pname;
    data = ./deps.json;
  };

  # this is required for using mitm-cache on Darwin
  __darwinAllowLocalNetworking = true;

  gradleFlags = [ "-Dfile.encoding=utf-8" ];

  # defaults to "assemble"
  gradleBuildTask = "shadowJar";

  # will run the gradleCheckTask (defaults to "test")
  doCheck = true;

  installPhase = ''
    mkdir -p $out/{bin,share/pdftk}
    cp build/libs/pdftk-all.jar $out/share/pdftk

    makeWrapper ${jre}/bin/java $out/bin/pdftk \
      --add-flags "-jar $out/share/pdftk/pdftk-all.jar"

    cp ${finalAttrs.src}/pdftk.1 $out/share/man/man1
  '';

  meta.sourceProvenance = with lib.sourceTypes; [
    fromSource
    binaryBytecode # mitm cache
  ];
})

To update (or initialize) dependencies, run the update script via something like $(nix-build -A <pname>.mitmCache.updateScript) (nix-build builds the updateScript, $(...) runs the script at the path printed by nix-build).

If your package can’t be evaluated using a simple pkgs.<pname> expression (for example, if your package isn’t located in nixpkgs, or if you want to override some of its attributes), you will usually have to pass pkg instead of pname to gradle.fetchDeps. There are two ways of doing it.

The first is to add the derivation arguments required for getting the package. Using the pdftk example above:

{ lib
, stdenv
# ...
, pdftk
}:

stdenv.mkDerivation (finalAttrs: {
  # ...
  mitmCache = gradle.fetchDeps {
    pkg = pdftk;
    data = ./deps.json;
  };
})

This allows you to override any arguments of the pkg used for the update script (for example, pkg = pdftk.override { enableSomeFlag = true };), so this is the preferred way.

The second is to create a let binding for the package, like this:

let self = stdenv.mkDerivation {
  # ...
  mitmCache = gradle.fetchDeps {
    pkg = self;
    data = ./deps.json;
  };
}; in self

This is useful if you can’t easily pass the derivation as its own argument, or if your mkDerivation call is responsible for building multiple packages.

In the former case, the update script will stay the same even if the derivation is called with different arguments. In the latter case, the update script will change depending on the derivation arguments. It’s up to you to decide which one would work best for your derivation.

Update Script

The update script does the following:

  • Build the derivation’s source via pkgs.srcOnly

  • Enter a nix-shell for the derivation in a bwrap sandbox (the sandbox is only used on Linux)

  • Set the IN_GRADLE_UPDATE_DEPS environment variable to 1

  • Run the derivation’s unpackPhase, patchPhase, configurePhase

  • Run the derivation’s gradleUpdateScript (the Gradle setup hook sets a default value for it, which runs preBuild, preGradleUpdate hooks, fetches the dependencies using gradleUpdateTask, and finally runs the postGradleUpdate hook)

  • Finally, store all of the fetched files’ hashes in the lockfile. They may be .jar/.pom files from Maven repositories, or they may be files otherwise used for building the package.

fetchDeps takes the following arguments:

  • attrPath - the path to the package in nixpkgs (for example, "javaPackages.openjfx22"). Used for update script metadata.

  • pname - an alias for attrPath for convenience. This is what you will generally use instead of pkg or attrPath.

  • pkg - the package to be used for fetching the dependencies. Defaults to getAttrFromPath (splitString "." attrPath) pkgs.

  • bwrapFlags - allows you to override bwrap flags (only relevant for downstream, non-nixpkgs projects)

  • data - path to the dependencies lockfile (can be relative to the package, can be absolute). In nixpkgs, it’s discouraged to have the lockfiles be named anything other deps.json, consider creating subdirectories if your package requires multiple deps.json files.

Environment

The Gradle setup hook accepts the following environment variables:

  • mitmCache - the MITM proxy cache imported using gradle.fetchDeps

  • gradleFlags - command-line flags to be used for every Gradle invocation (this simply registers a function that uses the necessary flags).

    • You can’t use gradleFlags for flags that contain spaces, in that case you must add gradleFlagsArray+=("-flag with spaces") to the derivation’s bash code instead.

    • If you want to build the package using a specific Java version, you can pass "-Dorg.gradle.java.home=${jdk}" as one of the flags.

  • gradleBuildTask - the Gradle task (or tasks) to be used for building the package. Defaults to assemble.

  • gradleCheckTask - the Gradle task (or tasks) to be used for checking the package if doCheck is set to true. Defaults to test.

  • gradleUpdateTask - the Gradle task (or tasks) to be used for fetching all of the package’s dependencies in mitmCache.updateScript. Defaults to nixDownloadDeps.

  • gradleUpdateScript - the code to run for fetching all of the package’s dependencies in mitmCache.updateScript. Defaults to running the preBuild and preGradleUpdate hooks, running the gradleUpdateTask, and finally running the postGradleUpdate hook.

  • gradleInitScript - path to the --init-script to pass to Gradle. By default, a simple init script that enables reproducible archive creation is used.

    • Note that reproducible archives might break some builds. One example of an error caused by it is Could not create task ':jar'. Replacing an existing task that may have already been used by other plugins is not supported. If you get such an error, the easiest “fix” is disabling reproducible archives altogether by setting gradleInitScript to something like writeText "empty-init-script.gradle" ""

  • enableParallelBuilding / enableParallelChecking / enableParallelUpdating - pass --parallel to Gradle in the build/check phase or in the update script. Defaults to true. If the build fails for mysterious reasons, consider setting this to false.

  • dontUseGradleConfigure / dontUseGradleBuild / dontUseGradleCheck - force disable the Gradle setup hook for certain phases.

    • Note that if you disable the configure hook, you may face issues such as Failed to load native library 'libnative-platform.so', because the configure hook is responsible for initializing Gradle.

Hare

Building Hare programs with hareHook

The hareHook package sets up the environment for building Hare programs by doing the following:

  1. Setting the HARECACHE, HAREPATH and NIX_HAREFLAGS environment variables;

  2. Propagating harec, qbe and two wrapper scripts for the hare binary.

It is not a function as is the case for some other languages — e. g., Go or Rust —, but a package to be added to nativeBuildInputs.

Attributes of hareHook

The following attributes are accepted by hareHook:

  1. hareBuildType: Either release (default) or debug. It controls if the -R flag is added to NIX_HAREFLAGS.

Example for hareHook

{
  hareHook,
  lib,
  stdenv,
}: stdenv.mkDerivation {
  pname = "<name>";
  version = "<version>";
  src = "<src>";

  nativeBuildInputs = [ hareHook ];

  meta = {
    description = "<description>";
    inherit (hareHook) badPlatforms platforms;
  };
}

Cross Compilation

hareHook should handle cross compilation out of the box. This is the main purpose of NIX_HAREFLAGS: In it, the -a flag is passed with the architecture of the hostPlatform.

However, manual intervention may be needed when a binary compiled by the build process must be run for the build to complete — e. g., when using Hare’s hare module for code generation.

In those cases, hareHook provides the hare-native script, which is a wrapper around the hare binary for using the native (buildPlatform) toolchain.

Haskell

The Haskell infrastructure in Nixpkgs has two main purposes: The primary purpose is to provide a Haskell compiler and build tools as well as infrastructure for packaging Haskell-based packages.

The secondary purpose is to provide support for Haskell development environments including prebuilt Haskell libraries. However, in this area sacrifices have been made due to self-imposed restrictions in Nixpkgs, to lessen the maintenance effort and to improve performance. (More details in the subsection Limitations.)

Available packages

The compiler and most build tools are exposed at the top level:

  • ghc is the default version of GHC

  • Language specific tools: cabal-install, stack, hpack, …

Many “normal” user facing packages written in Haskell, like niv or cachix, are also exposed at the top level, and there is nothing Haskell specific to installing and using them.

All of these packages are originally defined in the haskellPackages package set. The same packages are re-exposed with a reduced dependency closure for convenience (see justStaticExecutables or separateBinOutput below).

Note

See Languages and frameworks for techniques to explore package sets.

The haskellPackages set includes at least one version of every package from Hackage as well as some manually injected packages.

The attribute names in haskellPackages always correspond with their name on Hackage. Since Hackage allows names that are not valid Nix without escaping, you need to take care when handling attribute names like 3dmodels.

For packages that are part of Stackage (a curated set of known to be compatible packages), we use the version prescribed by a Stackage snapshot (usually the current LTS one) as the default version. For all other packages we use the latest version from Hackage (the repository of basically all open source Haskell packages). See below for a few more details on this.

Roughly half of the 16K packages contained in haskellPackages don’t actually build and are marked as broken semi-automatically. Most of those packages are deprecated or unmaintained, but sometimes packages that should build, do not build. Very often fixing them is not a lot of work.

haskellPackages is built with our default compiler, but we also provide other releases of GHC and package sets built with them. Available compilers are collected under haskell.compiler.

Each of those compiler versions has a corresponding attribute set packages built with it. However, the non-standard package sets are not tested regularly and, as a result, contain fewer working packages. The corresponding package set for GHC 9.4.5 is haskell.packages.ghc945. In fact haskellPackages (at the time of writing) is just an alias for haskell.packages.ghc966:

Every package set also re-exposes the GHC used to build its packages as haskell.packages.*.ghc.

Available package versions

We aim for a “blessed” package set which only contains one version of each package, like Stackage, which is a curated set of known to be compatible packages. We use the version information from Stackage snapshots and extend it with more packages. Normally in Nixpkgs the number of building Haskell packages is roughly two to three times the size of Stackage. For choosing the version to use for a certain package we use the following rules:

  1. By default, for haskellPackages.foo is the newest version of the package foo found on Hackage, which is the central registry of all open source Haskell packages. Nixpkgs contains a reference to a pinned Hackage snapshot, thus we use the state of Hackage as of the last time we updated this pin.

  2. If the Stackage snapshot that we use (usually the newest LTS snapshot) contains a package, we use instead the version in the Stackage snapshot as default version for that package.

  3. For some packages, which are not on Stackage, we have if necessary manual overrides to set the default version to a version older than the newest on Hackage.

  4. For all packages, for which the newest Hackage version is not the default version, there will also be a haskellPackages.foo_x_y_z package with the newest version. The x_y_z part encodes the version with dots replaced by underscores. When the newest version changes by a new release to Hackage the old package will disappear under that name and be replaced by a newer one under the name with the new version. The package name including the version will also disappear when the default version e.g. from Stackage catches up with the newest version from Hackage. E.g. if haskellPackages.foo gets updated from 1.0.0 to 1.1.0 the package haskellPackages.foo_1_1_0 becomes obsolete and gets dropped.

  5. For some packages, we also manually add other haskellPackages.foo_x_y_z versions, if they are required for a certain build.

Relying on haskellPackages.foo_x_y_z attributes in derivations outside nixpkgs is discouraged because they may change or disappear with every package set update.

All haskell.packages.* package sets use the same package descriptions and the same sets of versions by default. There are however GHC version specific override .nix files to loosen this a bit.

Dependency resolution

Normally when you build Haskell packages with cabal-install, cabal-install does dependency resolution. It will look at all Haskell package versions known on Hackage and tries to pick for every (transitive) dependency of your build exactly one version. Those versions need to satisfy all the version constraints given in the .cabal file of your package and all its dependencies.

The Haskell builder in nixpkgs does no such thing. It will take as input packages with names off the desired dependencies and just check whether they fulfill the version bounds and fail if they don’t (by default, see jailbreak to circumvent this).

The haskellPackages.callPackage function does the package resolution. It will, e.g., use haskellPackages.aesonwhich has the default version as described above for a package input of name aeson. (More general: <packages>.callPackage f will call f with named inputs provided from the package set <packages>.) While this is the default behavior, it is possible to override the dependencies for a specific package, see override and overrideScope.

Limitations

Our main objective with haskellPackages is to package Haskell software in nixpkgs. This entails some limitations, partially due to self-imposed restrictions of nixpkgs, partially in the name of maintainability:

  • Only the packages built with the default compiler see extensive testing of the whole package set. For other GHC versions only a few essential packages are tested and cached.

  • As described above we only build one version of most packages.

The experience using an older or newer packaged compiler or using different versions may be worse, because builds will not be cached on cache.nixos.org or may fail.

Thus, to get the best experience, make sure that your project can be compiled using the default compiler of nixpkgs and recent versions of its dependencies.

A result of this setup is, that getting a valid build plan for a given package can sometimes be quite painful, and in fact this is where most of the maintenance work for haskellPackages is required. Besides that, it is not possible to get the dependencies of a legacy project from nixpkgs or to use a specific stack solver for compiling a project.

Even though we couldn’t use them directly in nixpkgs, it would be desirable to have tooling to generate working Nix package sets from build plans generated by cabal-install or a specific Stackage snapshot via import-from-derivation. Sadly we currently don’t have tooling for this. For this you might be interested in the alternative haskell.nix framework, which, be warned, is completely incompatible with packages from haskellPackages.

haskellPackages.mkDerivation

Every haskell package set has its own haskell-aware mkDerivation which is used to build its packages. Generally you won’t have to interact with this builder since cabal2nix can generate packages using it for an arbitrary cabal package definition. Still it is useful to know the parameters it takes when you need to override a generated Nix expression.

haskellPackages.mkDerivation is a wrapper around stdenv.mkDerivation which re-defines the default phases to be haskell aware and handles dependency specification, test suites, benchmarks etc. by compiling and invoking the package’s Setup.hs. It does not use or invoke the cabal-install binary, but uses the underlying Cabal library instead.

General arguments

pname

Package name, assumed to be the same as on Hackage (if applicable)

version

Packaged version, assumed to be the same as on Hackage (if applicable)

src

Source of the package. If omitted, fetch package corresponding to pname and version from Hackage.

sha256

Hash to use for the default case of src.

sourceRoot, setSourceRoot

Passed to stdenv.mkDerivation; see “Variables controlling the unpack phase”.

revision

Revision number of the updated cabal file to fetch from Hackage. If null (which is the default value), the one included in src is used.

editedCabalFile

sha256 hash of the cabal file identified by revision or null.

configureFlags

Extra flags passed when executing the configure command of Setup.hs.

buildFlags

Extra flags passed when executing the build command of Setup.hs.

haddockFlags

Extra flags passed to Setup.hs haddock when building the documentation.

doCheck

Whether to execute the package’s test suite if it has one. Defaults to true unless cross-compiling.

doBenchmark

Whether to execute the package’s benchmark if it has one. Defaults to false.

doHoogle

Whether to generate an index file for hoogle as part of haddockPhase by passing the --hoogle option. Defaults to true.

doHaddockQuickjump

Whether to generate an index for interactive navigation of the HTML documentation. Defaults to true if supported.

doInstallIntermediates

Whether to install intermediate build products (files written to dist/build by GHC during the build process). With enableSeparateIntermediatesOutput, these files are instead installed to a separate intermediates output. The output can then be passed into a future build of the same package with the previousIntermediates argument to support incremental builds. See “Incremental builds” for more information. Defaults to false.

enableLibraryProfiling

Whether to enable profiling for libraries contained in the package. Enabled by default if supported.

enableExecutableProfiling

Whether to enable profiling for executables contained in the package. Disabled by default.

profilingDetail

Profiling detail level to set. Defaults to exported-functions.

enableSharedExecutables

Whether to link executables dynamically. By default, executables are linked statically.

enableSharedLibraries

Whether to build shared Haskell libraries. This is enabled by default unless we are using pkgsStatic or shared libraries have been disabled in GHC.

enableStaticLibraries

Whether to build static libraries. Enabled by default if supported.

enableDeadCodeElimination

Whether to enable linker based dead code elimination in GHC. Enabled by default if supported.

enableHsc2hsViaAsm

Whether to pass --via-asm to hsc2hs. Enabled by default only on Windows.

hyperlinkSource

Whether to render the source as well as part of the haddock documentation by passing the --hyperlinked-source flag. Defaults to true.

isExecutable

Whether the package contains an executable.

isLibrary

Whether the package contains a library.

jailbreak

Whether to execute jailbreak-cabal before configurePhase to lift any version constraints in the cabal file. Note that this can’t lift version bounds if they are conditional, i.e. if a dependency is hidden behind a flag.

enableParallelBuilding

Whether to use the -j flag to make GHC/Cabal start multiple jobs in parallel.

maxBuildCores

Upper limit of jobs to use in parallel for compilation regardless of $NIX_BUILD_CORES. Defaults to 16 as Haskell compilation with GHC currently sees a performance regression if too many parallel jobs are used.

doCoverage

Whether to generate and install files needed for HPC. Defaults to false.

doHaddock

Whether to build (HTML) documentation using haddock. Defaults to true if supported.

testTarget

Name of the test suite to build and run. If unset, all test suites will be executed.

preCompileBuildDriver

Shell code to run before compiling Setup.hs.

postCompileBuildDriver

Shell code to run after compiling Setup.hs.

preHaddock

Shell code to run before building documentation using haddock.

postHaddock

Shell code to run after building documentation using haddock.

coreSetup

Whether to only allow core libraries to be used while building Setup.hs. Defaults to false.

useCpphs

Whether to enable the cpphs preprocessor. Defaults to false.

enableSeparateBinOutput

Whether to install executables to a separate bin output. Defaults to false.

enableSeparateDataOutput

Whether to install data files shipped with the package to a separate data output. Defaults to false.

enableSeparateDocOutput

Whether to install documentation to a separate doc output. Is automatically enabled if doHaddock is true.

enableSeparateIntermediatesOutput

When doInstallIntermediates is true, whether to install intermediate build products to a separate intermediates output. See “Incremental builds” for more information. Defaults to false.

allowInconsistentDependencies

If enabled, allow multiple versions of the same Haskell package in the dependency tree at configure time. Often in such a situation compilation would later fail because of type mismatches. Defaults to false.

enableLibraryForGhci

Build and install a special object file for GHCi. This improves performance when loading the library in the REPL, but requires extra build time and disk space. Defaults to false.

previousIntermediates

If non-null, intermediate build artifacts are copied from this input to dist/build before performing compiling. See “Incremental builds” for more information. Defaults to null.

buildTarget

Name of the executable or library to build and install. If unset, all available targets are built and installed.

Specifying dependencies

Since haskellPackages.mkDerivation is intended to be generated from cabal files, it reflects cabal’s way of specifying dependencies. For one, dependencies are grouped by what part of the package they belong to. This helps to reduce the dependency closure of a derivation, for example benchmark dependencies are not included if doBenchmark == false.

setup*Depends

dependencies necessary to compile Setup.hs

library*Depends

dependencies of a library contained in the package

executable*Depends

dependencies of an executable contained in the package

test*Depends

dependencies of a test suite contained in the package

benchmark*Depends

dependencies of a benchmark contained in the package

The other categorization relates to the way the package depends on the dependency:

*ToolDepends

Tools we need to run as part of the build process. They are added to the derivation’s nativeBuildInputs.

*HaskellDepends

Haskell libraries the package depends on. They are added to propagatedBuildInputs.

*SystemDepends

Non-Haskell libraries the package depends on. They are added to buildInputs

*PkgconfigDepends

*SystemDepends which are discovered using pkg-config. They are added to buildInputs and it is additionally ensured that pkg-config is available at build time.

*FrameworkDepends

Apple SDK Framework which the package depends on when compiling it on Darwin.

Using these two distinctions, you should be able to categorize most of the dependency specifications that are available: benchmarkFrameworkDepends, benchmarkHaskellDepends, benchmarkPkgconfigDepends, benchmarkSystemDepends, benchmarkToolDepends, executableFrameworkDepends, executableHaskellDepends, executablePkgconfigDepends, executableSystemDepends, executableToolDepends, libraryFrameworkDepends, libraryHaskellDepends, libraryPkgconfigDepends, librarySystemDepends, libraryToolDepends, setupHaskellDepends, testFrameworkDepends, testHaskellDepends, testPkgconfigDepends, testSystemDepends and testToolDepends.

That only leaves the following extra ways for specifying dependencies:

buildDepends

Allows specifying Haskell dependencies which are added to propagatedBuildInputs unconditionally.

buildTools

Like *ToolDepends, but are added to nativeBuildInputs unconditionally.

extraLibraries

Like *SystemDepends, but are added to buildInputs unconditionally.

pkg-configDepends

Like *PkgconfigDepends, but are added to buildInputs unconditionally.

testDepends

Deprecated, use either testHaskellDepends or testSystemDepends.

benchmarkDepends

Deprecated, use either benchmarkHaskellDepends or benchmarkSystemDepends.

The dependency specification methods in this list which are unconditional are especially useful when writing overrides when you want to make sure that they are definitely included. However, it is recommended to use the more accurate ones listed above when possible.

Meta attributes

haskellPackages.mkDerivation accepts the following attributes as direct arguments which are transparently set in meta of the resulting derivation. See the Meta-attributes section for their documentation.

  • These attributes are populated with a default value if omitted:

    • homepage: defaults to the Hackage page for pname.

    • platforms: defaults to lib.platforms.all (since GHC can cross-compile)

  • These attributes are only set if given:

    • description

    • license

    • changelog

    • maintainers

    • broken

    • hydraPlatforms

Incremental builds

haskellPackages.mkDerivation supports incremental builds for GHC 9.4 and newer with the doInstallIntermediates, enableSeparateIntermediatesOutput, and previousIntermediates arguments.

The basic idea is to first perform a full build of the package in question, save its intermediate build products for later, and then copy those build products into the build directory of an incremental build performed later. Then, GHC will use those build artifacts to avoid recompiling unchanged modules.

For more detail on how to store and use incremental build products, see Gabriella Gonzalez’ blog post “Nixpkgs support for incremental Haskell builds”. motivation behind this feature.

An incremental build for the turtle package can be performed like so:

let
  pkgs = import <nixpkgs> {};
  inherit (pkgs) haskell;
  inherit (haskell.lib.compose) overrideCabal;

  # Incremental builds work with GHC >=9.4.
  turtle = haskell.packages.ghc944.turtle;

  # This will do a full build of `turtle`, while writing the intermediate build products
  # (compiled modules, etc.) to the `intermediates` output.
  turtle-full-build-with-incremental-output = overrideCabal (drv: {
    doInstallIntermediates = true;
    enableSeparateIntermediatesOutput = true;
  }) turtle;

  # This will do an incremental build of `turtle` by copying the previously
  # compiled modules and intermediate build products into the source tree
  # before running the build.
  #
  # GHC will then naturally pick up and reuse these products, making this build
  # complete much more quickly than the previous one.
  turtle-incremental-build = overrideCabal (drv: {
    previousIntermediates = turtle-full-build-with-incremental-output.intermediates;
  }) turtle;
in
  turtle-incremental-build

Development environments

In addition to building and installing Haskell software, nixpkgs can also provide development environments for Haskell projects. This has the obvious advantage that you benefit from cache.nixos.org and no longer need to compile all project dependencies yourself. While it is often very useful, this is not the primary use case of our package set. Have a look at the section available package versions to learn which versions of packages we provide and the section limitations, to judge whether a haskellPackages based development environment for your project is feasible.

By default, every derivation built using haskellPackages.mkDerivation exposes an environment suitable for building it interactively as the env attribute. For example, if you have a local checkout of random, you can enter a development environment for it like this (if the dependencies in the development and packaged version match):

$ cd ~/src/random
$ nix-shell -A haskellPackages.random.env '<nixpkgs>'
[nix-shell:~/src/random]$ ghc-pkg list
/nix/store/a8hhl54xlzfizrhcf03c1l3f6l9l8qwv-ghc-9.2.4-with-packages/lib/ghc-9.2.4/package.conf.d
    Cabal-3.6.3.0
    array-0.5.4.0
    base-4.16.3.0
    binary-0.8.9.0
    …
    ghc-9.2.4
    …

As you can see, the environment contains a GHC which is set up so it finds all dependencies of random. Note that this environment does not mirror the environment used to build the package, but is intended as a convenient tool for development and simple debugging. env relies on the ghcWithPackages wrapper which automatically injects a pre-populated package-db into every GHC invocation. In contrast, using nix-shell -A haskellPackages.random will not result in an environment in which the dependencies are in GHCs package database. Instead, the Haskell builder will pass in all dependencies explicitly via configure flags.

env mirrors the normal derivation environment in one aspect: It does not include familiar development tools like cabal-install, since we rely on plain Setup.hs to build all packages. However, cabal-install will work as expected if in PATH (e.g. when installed globally and using a nix-shell without --pure). A declarative and pure way of adding arbitrary development tools is provided via shellFor.

When using cabal-install for dependency resolution you need to be a bit careful to achieve build purity. cabal-install will find and use all dependencies installed from the packages env via Nix, but it will also consult Hackage to potentially download and compile dependencies if it can’t find a valid build plan locally. To prevent this you can either never run cabal update, remove the cabal database from your ~/.cabal folder or run cabal with --offline. Note though, that for some usecases cabal2nix needs the local Hackage db.

Often you won’t work on a package that is already part of haskellPackages or Hackage, so we first need to write a Nix expression to obtain the development environment from. Luckily, we can generate one very easily from an already existing cabal file using cabal2nix:

$ ls
my-project.cabal src …
$ cabal2nix ./. > my-project.nix

The generated Nix expression evaluates to a function ready to be callPackage-ed. For now, we can add a minimal default.nix which does just that:

# Retrieve nixpkgs impurely from NIX_PATH for now, you can pin it instead, of course.
{ pkgs ? import <nixpkgs> {} }:

# use the nixpkgs default haskell package set
pkgs.haskellPackages.callPackage ./my-project.nix { }

Using nix-build default.nix we can now build our project, but we can also enter a shell with all the package’s dependencies available using nix-shell -A env default.nix. If you have cabal-install installed globally, it’ll work inside the shell as expected.

shellFor

Having to install tools globally is obviously not great, especially if you want to provide a batteries-included shell.nix with your project. Luckily there’s a proper tool for making development environments out of packages’ build environments: shellFor, a function exposed by every haskell package set. It takes the following arguments and returns a derivation which is suitable as a development environment inside nix-shell:

packages

This argument is used to select the packages for which to build the development environment. This should be a function which takes a haskell package set and returns a list of packages. shellFor will pass the used package set to this function and include all dependencies of the returned package in the build environment. This means you can reuse Nix expressions of packages included in nixpkgs, but also use local Nix expressions like this: hpkgs: [ (hpkgs.callPackage ./my-project.nix { }) ].

nativeBuildInputs

Expects a list of derivations to add as build tools to the build environment. This is the place to add packages like cabal-install, doctest or hlint. Defaults to [].

buildInputs

Expects a list of derivations to add as library dependencies, like openssl. This is rarely necessary as the haskell package expressions usually track system dependencies as well. Defaults to []. (see also derivation dependencies)

withHoogle

If this is true, hoogle will be added to nativeBuildInputs. Additionally, its database will be populated with all included dependencies, so you’ll be able search through the documentation of your dependencies. Defaults to false.

genericBuilderArgsModifier

This argument accepts a function allowing you to modify the arguments passed to mkDerivation in order to create the development environment. For example, args: { doCheck = false; } would cause the environment to not include any test dependencies. Defaults to lib.id.

doBenchmark

This is a shortcut for enabling doBenchmark via genericBuilderArgsModifier. Setting it to true will cause the development environment to include all benchmark dependencies which would be excluded by default. Defaults to false.

One neat property of shellFor is that it allows you to work on multiple packages using the same environment in conjunction with cabal.project files. Say our example above depends on distribution-nixpkgs and we have a project file set up for both, we can add the following shell.nix expression:

{ pkgs ? import <nixpkgs> {} }:

pkgs.haskellPackages.shellFor {
  packages = hpkgs: [
    # reuse the nixpkgs for this package
    hpkgs.distribution-nixpkgs
    # call our generated Nix expression manually
    (hpkgs.callPackage ./my-project/my-project.nix { })
  ];

  # development tools we use
  nativeBuildInputs = [
    pkgs.cabal-install
    pkgs.haskellPackages.doctest
    pkgs.cabal2nix
  ];

  # Extra arguments are added to mkDerivation's arguments as-is.
  # Since it adds all passed arguments to the shell environment,
  # we can use this to set the environment variable the `Paths_`
  # module of distribution-nixpkgs uses to search for bundled
  # files.
  # See also: https://cabal.readthedocs.io/en/latest/cabal-package.html#accessing-data-files-from-package-code
  distribution_nixpkgs_datadir = toString ./distribution-nixpkgs;
}

haskell-language-server

To use HLS in short: Install pkgs.haskell-language-server e.g. in nativeBuildInputs in shellFor and use the haskell-language-server-wrapper command to run it. See the HLS user guide on how to configure your text editor to use HLS and how to test your setup.

HLS needs to be compiled with the GHC version of the project you use it on.

pkgs.haskell-language-server provides haskell-language-server-wrapper, haskell-language-server and haskell-language-server-x.x.x binaries, where x.x.x is the GHC version for which it is compiled. By default, it only includes binaries for the current GHC version, to reduce closure size. The closure size is large, because HLS needs to be dynamically linked to work reliably. You can override the list of supported GHC versions with e.g.

pkgs.haskell-language-server.override { supportedGhcVersions = [ "90" "94" ]; }

Where all strings version are allowed such that haskell.packages.ghc${version} is an existing package set.

When you run haskell-language-server-wrapper it will detect the GHC version used by the project you are working on (by asking e.g. cabal or stack) and pick the appropriate versioned binary from your path.

Be careful when installing HLS globally and using a pinned nixpkgs for a Haskell project in a nix-shell. If the nixpkgs versions deviate to much (e.g., use different glibc versions) the haskell-language-server-?.?.? executable will try to detect these situations and refuse to start. It is recommended to obtain HLS via nix-shell from the nixpkgs version pinned in there instead.

The top level pkgs.haskell-language-server attribute is just a convenience wrapper to make it possible to install HLS for multiple GHC versions at the same time. If you know, that you only use one GHC version, e.g., in a project specific nix-shell you can use pkgs.haskellPackages.haskell-language-server or pkgs.haskell.packages.*.haskell-language-server from the package set you use.

If you use nix-shell for your development environments remember to start your editor in that environment. You may want to use something like direnv and/or an editor plugin to achieve this.

Overriding Haskell packages

Overriding a single package

Like many language specific subsystems in nixpkgs, the Haskell infrastructure also has its own quirks when it comes to overriding. Overriding of the inputs to a package at least follows the standard procedure. For example, imagine you need to build nix-tree with a more recent version of brick than the default one provided by haskellPackages:

haskellPackages.nix-tree.override {
  brick = haskellPackages.brick_0_67;
}

The custom interface comes into play when you want to override the arguments passed to haskellPackages.mkDerivation. For this, the function overrideCabal from haskell.lib.compose is used. E.g., if you want to install a man page that is distributed with the package, you can do something like this:

haskell.lib.compose.overrideCabal (drv: {
  postInstall = ''
    ${drv.postInstall or ""}
    install -Dm644 man/pnbackup.1 -t $out/share/man/man1
  '';
}) haskellPackages.pnbackup

overrideCabal takes two arguments:

  1. A function which receives all arguments passed to haskellPackages.mkDerivation before and returns a set of arguments to replace (or add) with a new value.

  2. The Haskell derivation to override.

The arguments are ordered so that you can easily create helper functions by making use of currying:

let
  installManPage = haskell.lib.compose.overrideCabal (drv: {
    postInstall = ''
      ${drv.postInstall or ""}
      install -Dm644 man/${drv.pname}.1 -t "$out/share/man/man1"
    '';
  });
in

installManPage haskellPackages.pnbackup

In fact, haskell.lib.compose already provides lots of useful helpers for common tasks, detailed in the next section. They are also structured in such a way that they can be combined using lib.pipe:

lib.pipe my-haskell-package [
  # lift version bounds on dependencies
  haskell.lib.compose.doJailbreak
  # disable building the haddock documentation
  haskell.lib.compose.dontHaddock
  # pass extra package flag to Cabal's configure step
  (haskell.lib.compose.enableCabalFlag "myflag")
]
haskell.lib.compose

The base interface for all overriding is the following function:

overrideCabal f drv

Takes the arguments passed to obtain drv to f and uses the resulting attribute set to update the argument set. Then a recomputed version of drv using the new argument set is returned.

All other helper functions are implemented in terms of overrideCabal and make common overrides shorter and more complicate ones trivial. The simple overrides which only change a single argument are only described very briefly in the following overview. Refer to the documentation of haskellPackages.mkDerivation for a more detailed description of the effects of the respective arguments.

Packaging Helpers
overrideSrc { src, version } drv

Replace the source used for building drv with the path or derivation given as src. The version attribute is optional. Prefer this function over overriding src via overrideCabal, since it also automatically takes care of removing any Hackage revisions.

justStaticExecutables drv

Only build and install the executables produced by drv, removing everything that may refer to other Haskell packages’ store paths (like libraries and documentation). This dramatically reduces the closure size of the resulting derivation. Note that the executables are only statically linked against their Haskell dependencies, but will still link dynamically against libc, GMP and other system library dependencies.

If a library or its dependencies use their Cabal-generated Paths_* module, this may not work as well if GHC’s dead code elimination is unable to remove the references to the dependency’s store path that module contains. As a consequence, an unused reference may be created from the static binary to such a library store path. (See nixpkgs#164630 for more information.)

Importing the Paths_* module may cause builds to fail with this message:

error: output '/nix/store/64k8iw0ryz76qpijsnl9v87fb26v28z8-my-haskell-package-1.0.0.0' is not allowed to refer to the following paths:
         /nix/store/5q5s4a07gaz50h04zpfbda8xjs8wrnhg-ghc-9.6.3

If that happens, first disable the check for GHC references and rebuild the derivation:

pkgs.haskell.lib.overrideCabal
  (pkgs.haskell.lib.justStaticExecutables my-haskell-package)
  (drv: {
    disallowGhcReference = false;
  })

Then use strings to determine which libraries are responsible:

$ nix-build ...
$ strings result/bin/my-haskell-binary | grep /nix/store/
...
/nix/store/n7ciwdlg8yyxdhbrgd6yc2d8ypnwpmgq-hs-opentelemetry-sdk-0.0.3.6/bin
...

Finally, use remove-references-to to delete those store paths from the produced output:

pkgs.haskell.lib.overrideCabal
  (pkgs.haskell.lib.justStaticExecutables my-haskell-package)
  (drv: {
    postInstall = ''
      ${drv.postInstall or ""}
      remove-references-to -t ${pkgs.haskellPackages.hs-opentelemetry-sdk}
    '';
  })
enableSeparateBinOutput drv

Install executables produced by drv to a separate bin output. This has a similar effect as justStaticExecutables, but preserves the libraries and documentation in the out output alongside the bin output with a much smaller closure size.

markBroken drv

Sets the broken flag to true for drv.

markUnbroken drv, unmarkBroken drv

Set the broken flag to false for drv.

doDistribute drv

Updates hydraPlatforms so that Hydra will build drv. This is sometimes necessary when working with versioned packages in haskellPackages which are not built by default.

dontDistribute drv

Sets hydraPlatforms to [], causing Hydra to skip this package altogether. Useful if it fails to evaluate cleanly and is causing noise in the evaluation errors tab on Hydra.

Development Helpers
sdistTarball drv

Create a source distribution tarball like those found on Hackage instead of building the package drv.

documentationTarball drv

Create a documentation tarball suitable for uploading to Hackage instead of building the package drv.

buildFromSdist drv

Uses sdistTarball drv as the source to compile drv. This helps to catch packaging bugs when building from a local directory, e.g. when required files are missing from extra-source-files.

failOnAllWarnings drv

Enables all warnings GHC supports and makes it fail the build if any of them are emitted.

enableDWARFDebugging drv

Compiles the package with additional debug symbols enabled, useful for debugging with e.g. gdb.

doStrip drv

Sets doStrip to true for drv.

dontStrip drv

Sets doStrip to false for drv.

Trivial Helpers
doJailbreak drv

Sets the jailbreak argument to true for drv.

dontJailbreak drv

Sets the jailbreak argument to false for drv.

doHaddock drv

Sets doHaddock to true for drv.

dontHaddock drv

Sets doHaddock to false for drv. Useful if the build of a package is failing because of e.g. a syntax error in the Haddock documentation.

doHyperlinkSource drv

Sets hyperlinkSource to true for drv.

dontHyperlinkSource drv

Sets hyperlinkSource to false for drv.

doCheck drv

Sets doCheck to true for drv.

dontCheck drv

Sets doCheck to false for drv. Useful if a package has a broken, flaky or otherwise problematic test suite breaking the build.

dontCheckIf condition drv

Sets doCheck to false for drv, but only if condition applies. Otherwise it’s a no-op. Useful to conditionally disable tests for a package without interfering with previous overrides or default values.

appendConfigureFlags list drv

Adds the strings in list to the configureFlags argument for drv.

enableCabalFlag flag drv

Makes sure that the Cabal flag flag is enabled in Cabal’s configure step.

disableCabalFlag flag drv

Makes sure that the Cabal flag flag is disabled in Cabal’s configure step.

appendBuildFlags list drv

Adds the strings in list to the buildFlags argument for drv.

appendPatches list drv

Adds the list of derivations or paths to the patches argument for drv.

addBuildTools list drv

Adds the list of derivations to the buildTools argument for drv.

addExtraLibraries list drv

Adds the list of derivations to the extraLibraries argument for drv.

addBuildDepends list drv

Adds the list of derivations to the buildDepends argument for drv.

addTestToolDepends list drv

Adds the list of derivations to the testToolDepends argument for drv.

addPkgconfigDepends list drv

Adds the list of derivations to the pkg-configDepends argument for drv.

addSetupDepends list drv

Adds the list of derivations to the setupHaskellDepends argument for drv.

doBenchmark drv

Set doBenchmark to true for drv. Useful if your development environment is missing the dependencies necessary for compiling the benchmark component.

dontBenchmark drv

Set doBenchmark to false for drv.

setBuildTargets drv list

Sets the buildTarget argument for drv so that the targets specified in list are built.

doCoverage drv

Sets the doCoverage argument to true for drv.

dontCoverage drv

Sets the doCoverage argument to false for drv.

enableExecutableProfiling drv

Sets the enableExecutableProfiling argument to true for drv.

disableExecutableProfiling drv

Sets the enableExecutableProfiling argument to false for drv.

enableLibraryProfiling drv

Sets the enableLibraryProfiling argument to true for drv.

disableLibraryProfiling drv

Sets the enableLibraryProfiling argument to false for drv.

disableParallelBuilding drv

Sets the enableParallelBuilding argument to false for drv.

Library functions in the Haskell package sets

Some library functions depend on packages from the Haskell package sets. Thus they are exposed from those instead of from haskell.lib.compose which can only access what is passed directly to it. When using the functions below, make sure that you are obtaining them from the same package set (haskellPackages, haskell.packages.ghc944 etc.) as the packages you are working with or – even better – from the self/final fix point of your overlay to haskellPackages.

Note: Some functions like shellFor that are not intended for overriding per se, are omitted in this section.

cabalSdist { src, name ? ... }

Generates the Cabal sdist tarball for src, suitable for uploading to Hackage. Contrary to haskell.lib.compose.sdistTarball, it uses cabal-install over Setup.hs, so it is usually faster: No build dependencies need to be downloaded, and we can skip compiling Setup.hs.

buildFromCabalSdist drv

Build drv, but run its src attribute through cabalSdist first. Useful for catching files necessary for compilation that are missing from the sdist.

generateOptparseApplicativeCompletions list drv

Generate and install shell completion files for the installed executables whose names are given via list. The executables need to be using optparse-applicative for this to work. Note that this feature is automatically disabled when cross-compiling, since it requires executing the binaries in question.

Import-from-Derivation helpers

cabal2nix

cabal2nix can generate Nix package definitions for arbitrary Haskell packages using import from derivation. cabal2nix will generate Nix expressions that look like this:

# cabal get mtl-2.2.1 && cd mtl-2.2.1 && cabal2nix .
{ mkDerivation, base, lib, transformers }:
mkDerivation {
  pname = "mtl";
  version = "2.2.1";
  src = ./.;
  libraryHaskellDepends = [ base transformers ];
  homepage = "http://github.com/ekmett/mtl";
  description = "Monad classes, using functional dependencies";
  license = lib.licenses.bsd3;
}

This expression should be called with haskellPackages.callPackage, which will supply haskellPackages.mkDerivation and the Haskell dependencies as arguments.

callCabal2nix name src args

Create a package named name from the source derivation src using cabal2nix.

args are extra arguments provided to haskellPackages.callPackage.

callCabal2nixWithOptions name src opts args

Create a package named name from the source derivation src using cabal2nix.

opts are extra options for calling cabal2nix. If opts is a string, it will be used as extra command line arguments for cabal2nix, e.g. --subpath path/to/dir/containing/cabal-file. Otherwise, opts should be an AttrSet which can contain the following attributes:

extraCabal2nixOptions

Extra command line arguments for cabal2nix.

srcModifier

A function which is used to modify the given src instead of the default filter.

The default source filter will remove all files from src except for .cabal files and package.yaml files.

F.A.Q.

Why is topic X not covered in this section? Why is section Y missing?

We have been working on moving the nixpkgs Haskell documentation back into the nixpkgs manual. Since this process has not been completed yet, you may find some topics missing here covered in the old haskell4nix docs.

If you feel any important topic is not documented at all, feel free to comment on the issue linked above.

How to enable or disable profiling builds globally?

By default, Nixpkgs builds a profiling version of each Haskell library. The exception to this rule are some platforms where it is disabled due to concerns over output size. You may want to…

  • …enable profiling globally so that you can build a project you are working on with profiling ability giving you insight in the time spent across your code and code you depend on using GHC’s profiling feature.

  • …disable profiling (globally) to reduce the time spent building the profiling versions of libraries which a significant amount of build time is spent on (although they are not as expensive as the “normal” build of a Haskell library).

Note

The method described below affects the build of all libraries in the respective Haskell package set as well as GHC. If your choices differ from Nixpkgs’ default for your (host) platform, you will lose the ability to substitute from the official binary cache.

If you are concerned about build times and thus want to disable profiling, it probably makes sense to use haskell.lib.compose.disableLibraryProfiling (see the section called “Trivial Helpers”) on the packages you are building locally while continuing to substitute their dependencies and GHC.

Since we need to change the profiling settings for the desired Haskell package set and GHC (as the core libraries like base, filepath etc. are bundled with GHC), it is recommended to use overlays for Nixpkgs to change them. Since the interrelated parts, i.e. the package set and GHC, are connected via the Nixpkgs fixpoint, we need to modify them both in a way that preserves their connection (or else we’d have to wire it up again manually). This is achieved by changing GHC and the package set in separate overlays to prevent the package set from pulling in GHC from prev.

The result is two overlays like the ones shown below. Adjustable parts are annotated with comments, as are any optional or alternative ways to achieve the desired profiling settings without causing too many rebuilds.

let
  # Name of the compiler and package set you want to change. If you are using
  # the default package set `haskellPackages`, you need to look up what version
  # of GHC it currently uses (note that this is subject to change).
  ghcName = "ghc92";
  # Desired new setting
  enableProfiling = true;
in

[
  # The first overlay modifies the GHC derivation so that it does or does not
  # build profiling versions of the core libraries bundled with it. It is
  # recommended to only use such an overlay if you are enabling profiling on a
  # platform that doesn't by default, because compiling GHC from scratch is
  # quite expensive.
  (final: prev:
  let
    inherit (final) lib;
  in

  {
    haskell = prev.haskell // {
      compiler = prev.haskell.compiler // {
        ${ghcName} = prev.haskell.compiler.${ghcName}.override {
          # Unfortunately, the GHC setting is named differently for historical reasons
          enableProfiledLibs = enableProfiling;
        };
      };
    };
  })

  (final: prev:
  let
    inherit (final) lib;
    haskellLib = final.haskell.lib.compose;
  in

  {
    haskell = prev.haskell // {
      packages = prev.haskell.packages // {
        ${ghcName} = prev.haskell.packages.${ghcName}.override {
          overrides = hfinal: hprev: {
            mkDerivation = args: hprev.mkDerivation (args // {
              # Since we are forcing our ideas upon mkDerivation, this change will
              # affect every package in the package set.
              enableLibraryProfiling = enableProfiling;

              # To actually use profiling on an executable, executable profiling
              # needs to be enabled for the executable you want to profile. You
              # can either do this globally or…
              enableExecutableProfiling = enableProfiling;
            });

            # …only for the package that contains an executable you want to profile.
            # That saves on unnecessary rebuilds for packages that you only depend
            # on for their library, but also contain executables (e.g. pandoc).
            my-executable = haskellLib.enableExecutableProfiling hprev.my-executable;

            # If you are disabling profiling to save on build time, but want to
            # retain the ability to substitute from the binary cache. Drop the
            # override for mkDerivation above and instead have an override like
            # this for the specific packages you are building locally and want
            # to make cheaper to build.
            my-library = haskellLib.disableLibraryProfiling hprev.my-library;
          };
        };
      };
    };
  })
]

Hy

Installation

Installation without packages

You can install hy via nix-env or by adding it to configuration.nix by referring to it as a hy attribute. This kind of installation adds hy to your environment and it successfully works with python3.

Caution

Packages that are installed with your python derivation, are not accessible by hy this way.

Installation with packages

Creating hy derivation with custom python packages is really simple and similar to the way that python does it. Attribute hy provides function withPackages that creates custom hy derivation with specified packages.

For example if you want to create shell with matplotlib and numpy, you can do it like so:

$ nix-shell -p "hy.withPackages (ps: with ps; [ numpy matplotlib ])"

Or if you want to extend your configuration.nix:

{ # ...

  environment.systemPackages = with pkgs; [
    (hy.withPackages (py-packages: with py-packages; [ numpy matplotlib ]))
  ];
}

Idris

Installing Idris

The easiest way to get a working idris version is to install the idris attribute:

$ nix-env -f "<nixpkgs>" -iA idris

This however only provides the prelude and base libraries. To install idris with additional libraries, you can use the idrisPackages.with-packages function, e.g. in an overlay in ~/.config/nixpkgs/overlays/my-idris.nix:

self: super: {
  myIdris = with self.idrisPackages; with-packages [ contrib pruviloj ];
}

And then:

$ # On NixOS
$ nix-env -iA nixos.myIdris
$ # On non-NixOS
$ nix-env -iA nixpkgs.myIdris

To see all available Idris packages:

$ # On NixOS
$ nix-env -qaPA nixos.idrisPackages
$ # On non-NixOS
$ nix-env -qaPA nixpkgs.idrisPackages

Similarly, entering a nix-shell:

$ nix-shell -p 'idrisPackages.with-packages (with idrisPackages; [ contrib pruviloj ])'

Starting Idris with library support

To have access to these libraries in idris, call it with an argument -p <library name> for each library:

$ nix-shell -p 'idrisPackages.with-packages (with idrisPackages; [ contrib pruviloj ])'
[nix-shell:~]$ idris -p contrib -p pruviloj

A listing of all available packages the Idris binary has access to is available via --listlibs:

$ idris --listlibs
00prelude-idx.ibc
pruviloj
base
contrib
prelude
00pruviloj-idx.ibc
00base-idx.ibc
00contrib-idx.ibc

Building an Idris project with Nix

As an example of how a Nix expression for an Idris package can be created, here is the one for idrisPackages.yaml:

{ lib
, build-idris-package
, fetchFromGitHub
, contrib
, lightyear
}:
build-idris-package  {
  name = "yaml";
  version = "2018-01-25";

  # This is the .ipkg file that should be built, defaults to the package name
  # In this case it should build `Yaml.ipkg` instead of `yaml.ipkg`
  # This is only necessary because the yaml packages ipkg file is
  # different from its package name here.
  ipkgName = "Yaml";
  # Idris dependencies to provide for the build
  idrisDeps = [ contrib lightyear ];

  src = fetchFromGitHub {
    owner = "Heather";
    repo = "Idris.Yaml";
    rev = "5afa51ffc839844862b8316faba3bafa15656db4";
    hash = "sha256-h28F9EEPuvab6zrfeE+0k1XGQJGwINnsJEG8yjWIl7w=";
  };

  meta = {
    description = "Idris YAML lib";
    homepage = "https://github.com/Heather/Idris.Yaml";
    license = lib.licenses.mit;
    maintainers = [ lib.maintainers.brainrape ];
  };
}

Assuming this file is saved as yaml.nix, it’s buildable using

$ nix-build -E '(import <nixpkgs> {}).idrisPackages.callPackage ./yaml.nix {}'

Or it’s possible to use

with import <nixpkgs> {};

{
  yaml = idrisPackages.callPackage ./yaml.nix {};
}

in another file (say default.nix) to be able to build it with

$ nix-build -A yaml

Passing options to idris commands

The build-idris-package function provides also optional input values to set additional options for the used idris commands.

Specifically, you can set idrisBuildOptions, idrisTestOptions, idrisInstallOptions and idrisDocOptions to provide additional options to the idris command respectively when building, testing, installing and generating docs for your package.

For example you could set

build-idris-package {
  idrisBuildOptions = [ "--log" "1" "--verbose" ];

  # ...
}

to require verbose output during idris build phase.

Idris2

In addition to exposing the Idris2 compiler itself, Nixpkgs exposes an idris2Packages.buildIdris helper to make it a bit more ergonomic to build Idris2 executables or libraries.

The buildIdris function takes an attribute set that defines at a minimum the src and ipkgName of the package to be built and any idrisLibraries required to build it. The src is the same source you’re familiar with and the ipkgName must be the name of the ipkg file for the project (omitting the .ipkg extension). The idrisLibraries is a list of other library derivations created with buildIdris. You can optionally specify other derivation properties as needed but sensible defaults for configurePhase, buildPhase, and installPhase are provided.

Importantly, buildIdris does not create a single derivation but rather an attribute set with two properties: executable and library. The executable property is a derivation and the library property is a function that will return a derivation for the library with or without source code included. Source code need not be included unless you are aiming to use IDE or LSP features that are able to jump to definitions within an editor.

A simple example of a fully packaged library would be the LSP-lib found in the idris-community GitHub organization.

{ fetchFromGitHub, idris2Packages }:
let lspLibPkg = idris2Packages.buildIdris {
  ipkgName = "lsp-lib";
  src = fetchFromGitHub {
   owner = "idris-community";
   repo = "LSP-lib";
   rev = "main";
   hash = "sha256-EvSyMCVyiy9jDZMkXQmtwwMoLaem1GsKVFqSGNNHHmY=";
  };
  idrisLibraries = [ ];
};
in lspLibPkg.library { withSource = true; }

The above results in a derivation with the installed library results (with sourcecode).

A slightly more involved example of a fully packaged executable would be the idris2-lsp which is an Idris2 language server that uses the LSP-lib found above.

{ callPackage, fetchFromGitHub, idris2Packages }:

# Assuming the previous example lives in `lsp-lib.nix`:
let lspLib = callPackage ./lsp-lib.nix { };
    inherit (idris2Packages) idris2Api;
    lspPkg = idris2Packages.buildIdris {
      ipkgName = "idris2-lsp";
      src = fetchFromGitHub {
         owner = "idris-community";
         repo = "idris2-lsp";
         rev = "main";
         hash = "sha256-vQTzEltkx7uelDtXOHc6QRWZ4cSlhhm5ziOqWA+aujk=";
      };
      idrisLibraries = [idris2Api lspLib];
    };
in lspPkg.executable

The above uses the default value of withSource = false for the idris2Api but could be modified to include that library’s source by passing (idris2Api { withSource = true; }) to idrisLibraries instead. idris2Api in the above derivation comes built in with idris2Packages. This library exposes many of the otherwise internal APIs of the Idris2 compiler.

iOS

This component is basically a wrapper/workaround that makes it possible to expose an Xcode installation as a Nix package by means of symlinking to the relevant executables on the host system.

Since Xcode can’t be packaged with Nix, nor we can publish it as a Nix package (because of its license) this is basically the only integration strategy making it possible to do iOS application builds that integrate with other components of the Nix ecosystem

The primary objective of this project is to use the Nix expression language to specify how iOS apps can be built from source code, and to automatically spawn iOS simulator instances for testing.

This component also makes it possible to use Hydra, the Nix-based continuous integration server to regularly build iOS apps and to do wireless ad-hoc installations of enterprise IPAs on iOS devices through Hydra.

The Xcode build environment implements a number of features.

Deploying a proxy component wrapper exposing Xcode

The first use case is deploying a Nix package that provides symlinks to the Xcode installation on the host system. This package can be used as a build input to any build function implemented in the Nix expression language that requires Xcode.

let
  pkgs = import <nixpkgs> {};

  xcodeenv = import ./xcodeenv {
    inherit (pkgs) stdenv;
  };
in
xcodeenv.composeXcodeWrapper {
  version = "9.2";
  xcodeBaseDir = "/Applications/Xcode.app";
}

By deploying the above expression with nix-build and inspecting its content you will notice that several Xcode-related executables are exposed as a Nix package:

$ ls result/bin
lrwxr-xr-x  1 sander  staff  94  1 jan  1970 Simulator -> /Applications/Xcode.app/Contents/Developer/Applications/Simulator.app/Contents/MacOS/Simulator
lrwxr-xr-x  1 sander  staff  17  1 jan  1970 codesign -> /usr/bin/codesign
lrwxr-xr-x  1 sander  staff  17  1 jan  1970 security -> /usr/bin/security
lrwxr-xr-x  1 sander  staff  21  1 jan  1970 xcode-select -> /usr/bin/xcode-select
lrwxr-xr-x  1 sander  staff  61  1 jan  1970 xcodebuild -> /Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild
lrwxr-xr-x  1 sander  staff  14  1 jan  1970 xcrun -> /usr/bin/xcrun

Building an iOS application

We can build an iOS app executable for the simulator, or an IPA/xcarchive file for release purposes, e.g. ad-hoc, enterprise or store installations, by executing the xcodeenv.buildApp {} function:

let
  pkgs = import <nixpkgs> {};

  xcodeenv = import ./xcodeenv {
    inherit (pkgs) stdenv;
  };
in
xcodeenv.buildApp {
  name = "MyApp";
  src = ./myappsources;
  sdkVersion = "11.2";

  target = null; # Corresponds to the name of the app by default
  configuration = null; # Release for release builds, Debug for debug builds
  scheme = null; # -scheme will correspond to the app name by default
  sdk = null; # null will set it to 'iphonesimulator` for simulator builds or `iphoneos` to real builds
  xcodeFlags = "";

  release = true;
  certificateFile = ./mycertificate.p12;
  certificatePassword = "secret";
  provisioningProfile = ./myprovisioning.profile;
  signMethod = "ad-hoc"; # 'enterprise' or 'store'
  generateIPA = true;
  generateXCArchive = false;

  enableWirelessDistribution = true;
  installURL = "/installipa.php";
  bundleId = "mycompany.myapp";
  appVersion = "1.0";

  # Supports all xcodewrapper parameters as well
  xcodeBaseDir = "/Applications/Xcode.app";
}

The above function takes a variety of parameters:

  • The name and src parameters are mandatory and specify the name of the app and the location where the source code resides

  • sdkVersion specifies which version of the iOS SDK to use.

It also possible to adjust the xcodebuild parameters. This is only needed in rare circumstances. In most cases the default values should suffice:

  • Specifies which xcodebuild target to build. By default it takes the target that has the same name as the app.

  • The configuration parameter can be overridden if desired. By default, it will do a debug build for the simulator and a release build for real devices.

  • The scheme parameter specifies which -scheme parameter to propagate to xcodebuild. By default, it corresponds to the app name.

  • The sdk parameter specifies which SDK to use. By default, it picks iphonesimulator for simulator builds and iphoneos for release builds.

  • The xcodeFlags parameter specifies arbitrary command line parameters that should be propagated to xcodebuild.

By default, builds are carried out for the iOS simulator. To do release builds (builds for real iOS devices), you must set the release parameter to true. In addition, you need to set the following parameters:

  • certificateFile refers to a P12 certificate file.

  • certificatePassword specifies the password of the P12 certificate.

  • provisioningProfile refers to the provision profile needed to sign the app

  • signMethod should refer to ad-hoc for signing the app with an ad-hoc certificate, enterprise for enterprise certificates and app-store for App store certificates.

  • generateIPA specifies that we want to produce an IPA file (this is probably what you want)

  • generateXCArchive specifies that we want to produce an xcarchive file.

When building IPA files on Hydra and when it is desired to allow iOS devices to install IPAs by browsing to the Hydra build products page, you can enable the enableWirelessDistribution parameter.

When enabled, you need to configure the following options:

  • The installURL parameter refers to the URL of a PHP script that composes the itms-services:// URL allowing iOS devices to install the IPA file.

  • bundleId refers to the bundle ID value of the app

  • appVersion refers to the app’s version number

To use wireless adhoc distributions, you must also install the corresponding PHP script on a web server (see section: ‘Installing the PHP script for wireless ad hoc installations from Hydra’ for more information).

In addition to the build parameters, you can also specify any parameters that the xcodeenv.composeXcodeWrapper {} function takes. For example, the xcodeBaseDir parameter can be overridden to refer to a different Xcode version.

Spawning simulator instances

In addition to building iOS apps, we can also automatically spawn simulator instances:

let
  pkgs = import <nixpkgs> {};

  xcodeenv = import ./xcodeenv {
    inherit (pkgs) stdenv;
  };
in
xcode.simulateApp {
  name = "simulate";

  # Supports all xcodewrapper parameters as well
  xcodeBaseDir = "/Applications/Xcode.app";
}

The above expression produces a script that starts the simulator from the provided Xcode installation. The script can be started as follows:

./result/bin/run-test-simulator

By default, the script will show an overview of UDID for all available simulator instances and asks you to pick one. You can also provide a UDID as a command-line parameter to launch an instance automatically:

./result/bin/run-test-simulator 5C93129D-CF39-4B1A-955F-15180C3BD4B8

You can also extend the simulator script to automatically deploy and launch an app in the requested simulator instance:

let
  pkgs = import <nixpkgs> {};

  xcodeenv = import ./xcodeenv {
    inherit (pkgs) stdenv;
  };
in
xcode.simulateApp {
  name = "simulate";
  bundleId = "mycompany.myapp";
  app = xcode.buildApp {
    # ...
  };

  # Supports all xcodewrapper parameters as well
  xcodeBaseDir = "/Applications/Xcode.app";
}

By providing the result of an xcode.buildApp {} function and configuring the app bundle id, the app gets deployed automatically and started.

Troubleshooting

In some rare cases, it may happen that after a failure, changes are not picked up. Most likely, this is caused by a derived data cache that Xcode maintains. To wipe it you can run:

$ rm -rf ~/Library/Developer/Xcode/DerivedData

Java

Ant-based Java packages are typically built from source as follows:

stdenv.mkDerivation {
  pname = "...";
  version = "...";

  src = fetchurl { /* ... */ };

  nativeBuildInputs = [
    ant
    jdk
    stripJavaArchivesHook # removes timestamp metadata from jar files
  ];

  buildPhase = ''
    runHook preBuild
    ant # build the project using ant
    runHook postBuild
  '';

  installPhase = ''
    runHook preInstall

    # copy generated jar file(s) to an appropriate location in $out
    install -Dm644 build/foo.jar $out/share/java/foo.jar

    runHook postInstall
  '';
}

Note that jdk is an alias for the OpenJDK (self-built where available, or pre-built via Zulu).

Also note that not using stripJavaArchivesHook will likely cause the generated .jar files to be non-deterministic, which is not optimal. Using it, however, does not always guarantee reproducibility.

JAR files that are intended to be used by other packages should be installed in $out/share/java. JDKs have a stdenv setup hook that add any JARs in the share/java directories of the build inputs to the CLASSPATH environment variable. For instance, if the package libfoo installs a JAR named foo.jar in its share/java directory, and another package declares the attribute

{
  buildInputs = [ libfoo ];
  nativeBuildInputs = [ jdk ];
}

then CLASSPATH will be set to /nix/store/...-libfoo/share/java/foo.jar.

Private JARs should be installed in a location like $out/share/package-name.

If your Java package provides a program, you need to generate a wrapper script to run it using a JRE. You can use makeWrapper for this:

{
  nativeBuildInputs = [ makeWrapper ];

  installPhase = ''
    mkdir -p $out/bin
    makeWrapper ${jre}/bin/java $out/bin/foo \
      --add-flags "-cp $out/share/java/foo.jar org.foo.Main"
  '';
}

Since the introduction of the Java Platform Module System in Java 9, Java distributions typically no longer ship with a general-purpose JRE: instead, they allow generating a JRE with only the modules required for your application(s). Because we can’t predict what modules will be needed on a general-purpose system, the default jre package is the full JDK. When building a minimal system/image, you can override the modules parameter on jre_minimal to build a JRE with only the modules relevant for you:

let
  my_jre = pkgs.jre_minimal.override {
    modules = [
      # The modules used by 'something' and 'other' combined:
      "java.base"
      "java.logging"
    ];
  };
  something = (pkgs.something.override { jre = my_jre; });
  other = (pkgs.other.override { jre = my_jre; });
in
  <...>

You can also specify what JDK your JRE should be based on, for example selecting a ‘headless’ build to avoid including a link to GTK+:

{
  my_jre = pkgs.jre_minimal.override {
    jdk = jdk11_headless;
  };
}

Note all JDKs passthru home, so if your application requires environment variables like JAVA_HOME being set, that can be done in a generic fashion with the --set argument of makeWrapper:

--set JAVA_HOME ${jdk.home}

It is possible to use a different Java compiler than javac from the OpenJDK. For instance, to use the GNU Java Compiler:

{
  nativeBuildInputs = [ gcj ant ];
}

Here, Ant will automatically use gij (the GNU Java Runtime) instead of the OpenJRE.

Javascript

Introduction

This contains instructions on how to package javascript applications.

The various tools available will be listed in the tools-overview. Some general principles for packaging will follow. Finally some tool specific instructions will be given.

Getting unstuck / finding code examples

If you find you are lacking inspiration for packaging javascript applications, the links below might prove useful. Searching online for prior art can be helpful if you are running into solved problems.

Github

Tools overview

General principles

The following principles are given in order of importance with potential exceptions.

Try to use the same node version used upstream

It is often not documented which node version is used upstream, but if it is, try to use the same version when packaging.

This can be a problem if upstream is using the latest and greatest and you are trying to use an earlier version of node. Some cryptic errors regarding V8 may appear.

Try to respect the package manager originally used by upstream (and use the upstream lock file)

A lock file (package-lock.json, yarn.lock…) is supposed to make reproducible installations of node_modules for each tool.

Guidelines of package managers, recommend to commit those lock files to the repos. If a particular lock file is present, it is a strong indication of which package manager is used upstream.

It’s better to try to use a Nix tool that understand the lock file. Using a different tool might give you hard to understand error because different packages have been installed. An example of problems that could arise can be found here. Upstream use npm, but this is an attempt to package it with yarn2nix (that uses yarn.lock).

Using a different tool forces to commit a lock file to the repository. Those files are fairly large, so when packaging for nixpkgs, this approach does not scale well.

Exceptions to this rule are:

  • When you encounter one of the bugs from a Nix tool. In each of the tool specific instructions, known problems will be detailed. If you have a problem with a particular tool, then it’s best to try another tool, even if this means you will have to recreate a lock file and commit it to nixpkgs. In general yarn2nix has less known problems and so a simple search in nixpkgs will reveal many yarn.lock files committed.

  • Some lock files contain particular version of a package that has been pulled off npm for some reason. In that case, you can recreate upstream lock (by removing the original and npm install, yarn, …) and commit this to nixpkgs.

  • The only tool that supports workspaces (a feature of npm that helps manage sub-directories with different package.json from a single top level package.json) is yarn2nix. If upstream has workspaces you should try yarn2nix.

Try to use upstream package.json

Exceptions to this rule are:

  • Sometimes the upstream repo assumes some dependencies be installed globally. In that case you can add them manually to the upstream package.json (yarn add xxx or npm install xxx, …). Dependencies that are installed locally can be executed with npx for CLI tools. (e.g. npx postcss ..., this is how you can call those dependencies in the phases).

  • Sometimes there is a version conflict between some dependency requirements. In that case you can fix a version by removing the ^.

  • Sometimes the script defined in the package.json does not work as is. Some scripts for example use CLI tools that might not be available, or cd in directory with a different package.json (for workspaces notably). In that case, it’s perfectly fine to look at what the particular script is doing and break this down in the phases. In the build script you can see build:* calling in turns several other build scripts like build:ui or build:server. If one of those fails, you can try to separate those into,

    yarn build:ui
    yarn build:server
    # OR
    npm run build:ui
    npm run build:server
    

    when you need to override a package.json. It’s nice to use the one from the upstream source and do some explicit override. Here is an example:

    {
      patchedPackageJSON = final.runCommand "package.json" { } ''
        ${jq}/bin/jq '.version = "0.4.0" |
          .devDependencies."@jsdoc/cli" = "^0.2.5"
          ${sonar-src}/package.json > $out
      '';
    }
    

    You will still need to commit the modified version of the lock files, but at least the overrides are explicit for everyone to see.

Using node_modules directly

Each tool has an abstraction to just build the node_modules (dependencies) directory. You can always use the stdenv.mkDerivation with the node_modules to build the package (symlink the node_modules directory and then use the package build command). The node_modules abstraction can be also used to build some web framework frontends. For an example of this see how plausible is built. mkYarnModules to make the derivation containing node_modules. Then when building the frontend you can just symlink the node_modules directory.

Javascript packages inside nixpkgs

The pkgs/development/node-packages folder contains a generated collection of npm packages that can be installed with the Nix package manager.

As a rule of thumb, the package set should only provide end user software packages, such as command-line utilities. Libraries should only be added to the package set if there is a non-npm package that requires it.

When it is desired to use npm libraries in a development project, use the node2nix generator directly on the package.json configuration file of the project.

The package set provides support for the official stable Node.js versions. The latest stable LTS release in nodePackages, as well as the latest stable current release in nodePackages_latest.

If your package uses native addons, you need to examine what kind of native build system it uses. Here are some examples:

  • node-gyp

  • node-gyp-builder

  • node-pre-gyp

After you have identified the correct system, you need to override your package expression while adding in build system as a build input. For example, dat requires node-gyp-build, so we override its expression in pkgs/development/node-packages/overrides.nix:

  {
    dat = prev.dat.override (oldAttrs: {
      buildInputs = [ final.node-gyp-build pkgs.libtool pkgs.autoconf pkgs.automake ];
      meta = oldAttrs.meta // { broken = since "12"; };
    });
  }

Adding and Updating Javascript packages in nixpkgs

To add a package from npm to nixpkgs:

  1. Modify pkgs/development/node-packages/node-packages.json to add, update or remove package entries to have it included in nodePackages and nodePackages_latest.

  2. Run the script:

    ./pkgs/development/node-packages/generate.sh
    
  3. Build your new package to test your changes:

    nix-build -A nodePackages.<new-or-updated-package>
    

    To build against the latest stable Current Node.js version (e.g. 18.x):

    nix-build -A nodePackages_latest.<new-or-updated-package>
    

    If the package doesn’t build, you may need to add an override as explained above.

  4. If the package’s name doesn’t match any of the executables it provides, add an entry in pkgs/development/node-packages/main-programs.nix. This will be the case for all scoped packages, e.g., @angular/cli.

  5. Add and commit all modified and generated files.

For more information about the generation process, consult the README.md file of the node2nix tool.

To update npm packages in nixpkgs, run the same generate.sh script:

./pkgs/development/node-packages/generate.sh
Git protocol error

Some packages may have Git dependencies from GitHub specified with git://. GitHub has disabled unencrypted Git connections, so you may see the following error when running the generate script:

The unauthenticated git protocol on port 9418 is no longer supported

Use the following Git configuration to resolve the issue:

git config --global url."https://github.com/".insteadOf git://github.com/

Tool specific instructions

buildNpmPackage

buildNpmPackage allows you to package npm-based projects in Nixpkgs without the use of an auto-generated dependencies file (as used in node2nix). It works by utilizing npm’s cache functionality – creating a reproducible cache that contains the dependencies of a project, and pointing npm to it.

Here’s an example:

{ lib, buildNpmPackage, fetchFromGitHub }:

buildNpmPackage rec {
  pname = "flood";
  version = "4.7.0";

  src = fetchFromGitHub {
    owner = "jesec";
    repo = pname;
    rev = "v${version}";
    hash = "sha256-BR+ZGkBBfd0dSQqAvujsbgsEPFYw/ThrylxUbOksYxM=";
  };

  npmDepsHash = "sha256-tuEfyePwlOy2/mOPdXbqJskO6IowvAP4DWg8xSZwbJw=";

  # The prepack script runs the build script, which we'd rather do in the build phase.
  npmPackFlags = [ "--ignore-scripts" ];

  NODE_OPTIONS = "--openssl-legacy-provider";

  meta = {
    description = "Modern web UI for various torrent clients with a Node.js backend and React frontend";
    homepage = "https://flood.js.org";
    license = lib.licenses.gpl3Only;
    maintainers = with lib.maintainers; [ winter ];
  };
}

In the default installPhase set by buildNpmPackage, it uses npm pack --json --dry-run to decide what files to install in $out/lib/node_modules/$name/, where $name is the name string defined in the package’s package.json. Additionally, the bin and man keys in the source’s package.json are used to decide what binaries and manpages are supposed to be installed. If these are not defined, npm pack may miss some files, and no binaries will be produced.

Arguments
  • npmDepsHash: The output hash of the dependencies for this project. Can be calculated in advance with prefetch-npm-deps.

  • makeCacheWritable: Whether to make the cache writable prior to installing dependencies. Don’t set this unless npm tries to write to the cache directory, as it can slow down the build.

  • npmBuildScript: The script to run to build the project. Defaults to "build".

  • npmWorkspace: The workspace directory within the project to build and install.

  • dontNpmBuild: Option to disable running the build script. Set to true if the package does not have a build script. Defaults to false. Alternatively, setting buildPhase explicitly also disables this.

  • dontNpmInstall: Option to disable running npm install. Defaults to false. Alternatively, setting installPhase explicitly also disables this.

  • npmFlags: Flags to pass to all npm commands.

  • npmInstallFlags: Flags to pass to npm ci.

  • npmBuildFlags: Flags to pass to npm run ${npmBuildScript}.

  • npmPackFlags: Flags to pass to npm pack.

  • npmPruneFlags: Flags to pass to npm prune. Defaults to the value of npmInstallFlags.

  • makeWrapperArgs: Flags to pass to makeWrapper, added to executable calling the generated .js with node as an interpreter. These scripts are defined in package.json.

  • nodejs: The nodejs package to build against, using the corresponding npm shipped with that version of node. Defaults to pkgs.nodejs.

  • npmDeps: The dependencies used to build the npm package. Especially useful to not have to recompute workspace dependencies.

prefetch-npm-deps

prefetch-npm-deps is a Nixpkgs package that calculates the hash of the dependencies of an npm project ahead of time.

$ ls
package.json package-lock.json index.js
$ prefetch-npm-deps package-lock.json
...
sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
fetchNpmDeps

fetchNpmDeps is a Nix function that requires the following mandatory arguments:

  • src: A directory / tarball with package-lock.json file

  • hash: The output hash of the node dependencies defined in package-lock.json.

It returns a derivation with all package-lock.json dependencies downloaded into $out/, usable as an npm cache.

importNpmLock

This function replaces the npm dependency references in package.json and package-lock.json with paths to the Nix store. How each dependency is fetched can be customized with the fetcherOpts argument.

This is a simpler and more convenient alternative to fetchNpmDeps for managing npm dependencies in Nixpkgs. There is no need to specify a hash, since it relies entirely on the integrity hashes already present in the package-lock.json file.

Inputs
  • npmRoot: Path to package directory containing the source tree. If this is omitted, the package and packageLock arguments must be specified instead.

  • package: Parsed contents of package.json

  • packageLock: Parsed contents of package-lock.json

  • pname: Package name

  • version: Package version

  • fetcherOpts: An attribute set of arguments forwarded to the underlying fetcher.

It returns a derivation with a patched package.json & package-lock.json with all dependencies resolved to Nix store paths.

Note

npmHooks.npmConfigHook cannot be used with importNpmLock. Use importNpmLock.npmConfigHook instead.

Example 336. pkgs.importNpmLock usage example
{ buildNpmPackage, importNpmLock }:

buildNpmPackage {
  pname = "hello";
  version = "0.1.0";
  src = ./.;

  npmDeps = importNpmLock {
    npmRoot = ./.;
  };

  npmConfigHook = importNpmLock.npmConfigHook;
}

Example 337. pkgs.importNpmLock usage example with fetcherOpts

importNpmLock uses the following fetchers:

  • pkgs.fetchurl for http(s) dependencies

  • builtins.fetchGit for git dependencies

It is possible to provide additional arguments to individual fetchers as needed:

{ buildNpmPackage, importNpmLock }:

buildNpmPackage {
  pname = "hello";
  version = "0.1.0";
  src = ./.;

  npmDeps = importNpmLock {
    npmRoot = ./.;
    fetcherOpts = {
      # Pass 'curlOptsList' to 'pkgs.fetchurl' while fetching 'axios'
      { "node_modules/axios" = { curlOptsList = [ "--verbose" ]; }; }
    };
  };

  npmConfigHook = importNpmLock.npmConfigHook;
}

importNpmLock.buildNodeModules

importNpmLock.buildNodeModules returns a derivation with a pre-built node_modules directory, as imported by importNpmLock.

This is to be used together with importNpmLock.hooks.linkNodeModulesHook to facilitate nix-shell/nix develop based development workflows.

It accepts an argument with the following attributes:

npmRoot (Path; optional)

Path to package directory containing the source tree. If not specified, the package and packageLock arguments must both be specified.

package (Attrset; optional)

Parsed contents of package.json, as returned by lib.importJSON ./my-package.json. If not specified, the package.json in npmRoot is used.

packageLock (Attrset; optional)

Parsed contents of package-lock.json, as returned lib.importJSON ./my-package-lock.json. If not specified, the package-lock.json in npmRoot is used.

derivationArgs (mkDerivation attrset; optional)

Arguments passed to stdenv.mkDerivation

For example:

pkgs.mkShell {
  packages = [
    importNpmLock.hooks.linkNodeModulesHook
    nodejs
  ];

  npmDeps = importNpmLock.buildNodeModules {
    npmRoot = ./.;
    inherit nodejs;
  };
}

will create a development shell where a node_modules directory is created & packages symlinked to the Nix store when activated.

corepack

This package puts the corepack wrappers for pnpm and yarn in your PATH, and they will honor the packageManager setting in the package.json.

node2nix

Preparation

You will need to generate a Nix expression for the dependencies. Don’t forget the -l package-lock.json if there is a lock file. Most probably you will need the --development to include the devDependencies

So the command will most likely be:

node2nix --development -l package-lock.json

See node2nix docs for more info.

Pitfalls
  • If upstream package.json does not have a “version” attribute, node2nix will crash. You will need to add it like shown in the package.json section.

  • node2nix has some bugs related to working with lock files from npm distributed with nodejs_16.

  • node2nix does not like missing packages from npm. If you see something like Cannot resolve version: vue-loader-v16@undefined then you might want to try another tool. The package might have been pulled off of npm.

pnpm

Pnpm is available as the top-level package pnpm. Additionally, there are variants pinned to certain major versions, like pnpm_8 and pnpm_9, which support different sets of lock file versions.

When packaging an application that includes a pnpm-lock.yaml, you need to fetch the pnpm store for that project using a fixed-output-derivation. The functions pnpm_8.fetchDeps and pnpm_9.fetchDeps can create this pnpm store derivation. In conjunction, the setup hooks pnpm_8.configHook and pnpm_9.configHook will prepare the build environment to install the prefetched dependencies store. Here is an example for a package that contains a package.json and a pnpm-lock.yaml files using the above pnpm_ attributes:

{
  stdenv,
  nodejs,
  # This is pinned as { pnpm = pnpm_9; }
  pnpm
}:

stdenv.mkDerivation (finalAttrs: {
  pname = "foo";
  version = "0-unstable-1980-01-01";

  src = ...;

  nativeBuildInputs = [
    nodejs
    pnpm.configHook
  ];

  pnpmDeps = pnpm.fetchDeps {
    inherit (finalAttrs) pname version src;
    hash = "...";
  };
})

NOTE: It is highly recommended to use a pinned version of pnpm (i.e. pnpm_8 or pnpm_9), to increase future reproducibility. It might also be required to use an older version, if the package needs support for a certain lock file version.

In case you are patching package.json or pnpm-lock.yaml, make sure to pass finalAttrs.patches to the function as well (i.e. inherit (finalAttrs) patches.

pnpm.configHook supports adding additional pnpm install flags via pnpmInstallFlags which can be set to a Nix string array:

{
  pnpm,
}:

stdenv.mkDerivation (finalAttrs: {
  pname = "foo";
  version = "0-unstable-1980-01-01";

  src = ...;

  pnpmInstallFlags = [ "--shamefully-hoist" ];

  pnpmDeps = pnpm.fetchDeps {
    inherit (finalAttrs) pnpmInstallFlags;
  };
})
Dealing with sourceRoot

If the pnpm project is in a subdirectory, you can just define sourceRoot or setSourceRoot for fetchDeps. If sourceRoot is different between the parent derivation and fetchDeps, you will have to set pnpmRoot to effectively be the same location as it is in fetchDeps.

Assuming the following directory structure, we can define sourceRoot and pnpmRoot as follows:

.
├── frontend
│   ├── ...
│   ├── package.json
│   └── pnpm-lock.yaml
└── ...
  ...
  pnpmDeps = pnpm.fetchDeps {
    ...
    sourceRoot = "${finalAttrs.src.name}/frontend";
  };

  # by default the working directory is the extracted source
  pnpmRoot = "frontend";
PNPM Workspaces

If you need to use a PNPM workspace for your project, then set pnpmWorkspaces = [ "<workspace project name 1>" "<workspace project name 2>" ], etc, in your pnpm.fetchDeps call, which will make PNPM only install dependencies for those workspace packages.

For example:

...
pnpmWorkspaces = [ "@astrojs/language-server" ];
pnpmDeps = pnpm.fetchDeps {
  inherit (finalAttrs) pnpmWorkspaces;
  ...
}

The above would make pnpm.fetchDeps call only install dependencies for the @astrojs/language-server workspace package. Note that you do not need to set sourceRoot to make this work.

Usually in such cases, you’d want to use pnpm --filter=<pnpm workspace name> build to build your project, as npmHooks.npmBuildHook probably won’t work. A buildPhase based on the following example will probably fit most workspace projects:

buildPhase = ''
  runHook preBuild

  pnpm --filter=@astrojs/language-server build

  runHook postBuild
'';
Additional PNPM Commands and settings

If you require setting an additional PNPM configuration setting (such as dedupe-peer-dependents or similar), set prePnpmInstall to the right commands to run. For example:

prePnpmInstall = ''
  pnpm config set dedupe-peer-dependants false
'';
pnpmDeps = pnpm.fetchDeps {
  inherit (finalAttrs) prePnpmInstall;
  ...
};

In this example, prePnpmInstall will be run by both pnpm.configHook and by the pnpm.fetchDeps builder.

Yarn

Yarn based projects use a yarn.lock file instead of a package-lock.json to pin dependencies. Nixpkgs provides the Nix function fetchYarnDeps which fetches an offline cache suitable for running yarn install before building the project. In addition, Nixpkgs provides the hooks:

  • yarnConfigHook: Fetches the dependencies from the offline cache and installs them into node_modules.

  • yarnBuildHook: Runs yarn build or a specified yarn command that builds the project.

  • yarnInstallHook: Runs yarn install --production to prune dependencies and installs the project into $out.

An example usage of the above attributes is:

{
  lib,
  stdenv,
  fetchFromGitHub,
  fetchYarnDeps,
  yarnConfigHook,
  yarnBuildHook,
  yarnInstallHook,
  nodejs,
}:

stdenv.mkDerivation (finalAttrs: {
  pname = "...";
  version = "...";

  src = fetchFromGitHub {
    owner = "...";
    repo = "...";
    rev = "v${finalAttrs.version}";
    hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
  };

  yarnOfflineCache = fetchYarnDeps {
    yarnLock = finalAttrs.src + "/yarn.lock";
    hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
  };

  nativeBuildInputs = [
    yarnConfigHook
    yarnBuildHook
    yarnInstallHook
    # Needed for executing package.json scripts
    nodejs
  ];

  meta = {
    # ...
  };
})
yarnConfigHook arguments

By default, yarnConfigHook relies upon the attribute ${yarnOfflineCache} (or ${offlineCache} if the former is not set) to find the location of the offline cache produced by fetchYarnDeps. To disable this phase, you can set dontYarnInstallDeps = true or override the configurePhase.

yarnBuildHook arguments

This script by default runs yarn --offline build, and it relies upon the project’s dependencies installed at node_modules. Below is a list of additional mkDerivation arguments read by this hook:

  • yarnBuildScript: Sets a different yarn --offline subcommand (defaults to build).

  • yarnBuildFlags: Single string list of additional flags to pass the above command, or a Nix list of such additional flags.

yarnInstallHook arguments

To install the package yarnInstallHook uses both npm and yarn to cleanup project files and dependencies. To disable this phase, you can set dontYarnInstall = true or override the installPhase. Below is a list of additional mkDerivation arguments read by this hook:

  • yarnKeepDevDeps: Disables the removal of devDependencies from node_modules before installation.

yarn2nix

WARNING: The yarn2nix functions have been deprecated in favor of the new yarnConfigHook, yarnBuildHook and yarnInstallHook. Documentation for them still appears here for the sake of the packages that still use them. See also a tracking issue #324246.

Preparation

You will need at least a yarn.lock file. If upstream does not have one you need to generate it and reference it in your package definition.

If the downloaded files contain the package.json and yarn.lock files they can be used like this:

{
  offlineCache = fetchYarnDeps {
    yarnLock = src + "/yarn.lock";
    hash = "....";
  };
}
mkYarnPackage

mkYarnPackage will by default try to generate a binary. For package only generating static assets (Svelte, Vue, React, WebPack, …), you will need to explicitly override the build step with your instructions.

It’s important to use the --offline flag. For example if you script is "build": "something" in package.json use:

{
  buildPhase = ''
    export HOME=$(mktemp -d)
    yarn --offline build
  '';
}

The distPhase is packing the package’s dependencies in a tarball using yarn pack. You can disable it using:

{
  doDist = false;
}

The configure phase can sometimes fail because it makes many assumptions which may not always apply. One common override is:

{
  configurePhase = ''
    ln -s $node_modules node_modules
  '';
}

or if you need a writeable node_modules directory:

{
  configurePhase = ''
    cp -r $node_modules node_modules
    chmod +w node_modules
  '';
}
mkYarnModules

This will generate a derivation including the node_modules directory. If you have to build a derivation for an integrated web framework (rails, phoenix…), this is probably the easiest way.

Overriding dependency behavior

In the mkYarnPackage record the property pkgConfig can be used to override packages when you encounter problems building.

For instance, say your package is throwing errors when trying to invoke node-sass:

ENOENT: no such file or directory, scandir '/build/source/node_modules/node-sass/vendor'

To fix this we will specify different versions of build inputs to use, as well as some post install steps to get the software built the way we want:

mkYarnPackage rec {
  pkgConfig = {
    node-sass = {
      buildInputs = with final;[ python libsass pkg-config ];
      postInstall = ''
        LIBSASS_EXT=auto yarn --offline run build
        rm build/config.gypi
      '';
    };
  };
}
Pitfalls
  • If version is missing from upstream package.json, yarn will silently install nothing. In that case, you will need to override package.json as shown in the package.json section

  • Having trouble with node-gyp? Try adding these lines to the yarnPreBuild steps:

    {
      yarnPreBuild = ''
        mkdir -p $HOME/.node-gyp/${nodejs.version}
        echo 9 > $HOME/.node-gyp/${nodejs.version}/installVersion
        ln -sfv ${nodejs}/include $HOME/.node-gyp/${nodejs.version}
        export npm_config_nodedir=${nodejs}
      '';
    }
    
  • offlineCache (described above) must be specified to avoid Import From Derivation (IFD) when used inside Nixpkgs.

Outside Nixpkgs

There are some other tools available, which are written in the Nix language. These that can’t be used inside Nixpkgs because they require Import From Derivation, which is not allowed in Nixpkgs.

If you are packaging something outside Nixpkgs, consider the following:

npmlock2nix

npmlock2nix aims at building node_modules without code generation. It hasn’t reached v1 yet, the API might be subject to change.

Pitfalls

There are some problems with npm v7.

nix-npm-buildpackage

nix-npm-buildpackage aims at building node_modules without code generation. It hasn’t reached v1 yet, the API might change. It supports both package-lock.json and yarn.lock.

Pitfalls

There are some problems with npm v7.

Julia

Introduction

Nixpkgs includes Julia as the julia derivation. You can get specific versions by looking at the other julia* top-level derivations available. For example, julia_19 corresponds to Julia 1.9. We also provide the current stable version as julia-stable, and an LTS version as julia-lts.

Occasionally, a Julia version has been too difficult to build from source in Nixpkgs and has been fetched prebuilt instead. These Julia versions are differentiated with the *-bin suffix; for example, julia-stable-bin.

julia.withPackages

The basic Julia derivations only provide the built-in packages that come with the distribution.

You can build Julia environments with additional packages using the julia.withPackages command. This function accepts a list of strings representing Julia package names. For example, you can build a Julia environment with the Plots package as follows.

julia.withPackages ["Plots"]

Arguments can be passed using .override. For example:

(julia.withPackages.override {
  precompile = false; # Turn off precompilation
}) ["Plots"]

Here’s a nice way to run a Julia environment with a shell one-liner:

nix-shell -p 'julia.withPackages ["Plots"]' --run julia

Arguments

  • precompile: Whether to run Pkg.precompile() on the generated environment.

    This will make package imports faster, but may fail in some cases. For example, there is an upstream issue with Gtk.jl that prevents precompilation from working in the Nix build sandbox, because the precompiled code tries to access a display. Packages like this will work fine if you build with precompile=false, and then precompile as needed once your environment starts.

    Defaults: true

  • extraLibs: Extra library dependencies that will be placed on the LD_LIBRARY_PATH for Julia.

    Should not be needed as we try to obtain library dependencies automatically using Julia’s artifacts system.

  • makeWrapperArgs: Extra arguments to pass to the makeWrapper call which we use to wrap the Julia binary.

  • setDefaultDepot: Whether to automatically prepend $HOME/.julia to the JULIA_DEPOT_PATH.

    This is useful because Julia expects a writable depot path as the first entry, which the one we build in Nixpkgs is not. If there’s no writable depot, then Julia will show a warning and be unable to save command history logs etc.

    Default: true

  • packageOverrides: Allows you to override packages by name by passing an alternative source.

    For example, you can use a custom version of the LanguageServer package by passing packageOverrides = { "LanguageServer" = fetchFromGitHub {...}; }.

  • augmentedRegistry: Allows you to change the registry from which Julia packages are drawn.

    This normally points at a special augmented version of the Julia General packages registry. If you want to use a bleeding-edge version to pick up the latest package updates, you can plug in a later revision than the one in Nixpkgs.

lisp-modules

This document describes the Nixpkgs infrastructure for building Common Lisp systems that use ASDF (Another System Definition Facility). It lives in pkgs/development/lisp-modules.

Overview

The main entry point of the API are the Common Lisp implementation packages themselves (e.g. abcl, ccl, clasp-common-lisp, clisp, ecl, sbcl). They have the pkgs and withPackages attributes, which can be used to discover available packages and to build wrappers, respectively.

The pkgs attribute set contains packages that were automatically imported from Quicklisp, and any other manually defined ones. Not every package works for all the CL implementations (e.g. nyxt only makes sense for sbcl).

The withPackages function is of primary utility. It is used to build runnable wrappers, with a pinned and pre-built ASDF FASL available in the ASDF environment variable, and CL_SOURCE_REGISTRY/ASDF_OUTPUT_TRANSLATIONS configured to find the desired systems on runtime.

In addition, Lisps have the withOverrides function, which can be used to substitute any package in the scope of their pkgs. This will also be useful together with overrideLispAttrs when dealing with slashy systems, because they should stay in the main package and be built by specifying the systems argument to build-asdf-system.

The 90% use case example

The most common way to use the library is to run ad-hoc wrappers like this:

nix-shell -p 'sbcl.withPackages (ps: with ps; [ alexandria ])'

Then, in a shell:

$ sbcl
* (load (sb-ext:posix-getenv "ASDF"))
* (asdf:load-system 'alexandria)

Also one can create a pkgs.mkShell environment in shell.nix/flake.nix:

let
  sbcl' = sbcl.withPackages (ps: [ ps.alexandria ]);
in mkShell {
  packages = [ sbcl' ];
}

Such a Lisp can be now used e.g. to compile your sources:

{
  buildPhase = ''
    ${sbcl'}/bin/sbcl --load my-build-file.lisp
  '';
}

Importing packages from Quicklisp

To save some work of writing Nix expressions, there is a script that imports all the packages distributed by Quicklisp into imported.nix. This works by parsing its releases.txt and systems.txt files, which are published every couple of months on quicklisp.org.

The import process is implemented in the import directory as Common Lisp code in the org.lispbuilds.nix ASDF system. To run the script, one can execute ql-import.lisp:

cd pkgs/development/lisp-modules
nix-shell --run 'sbcl --script ql-import.lisp'

The script will:

  1. Download the latest Quicklisp systems.txt and releases.txt files

  2. Generate a temporary SQLite database of all QL systems in packages.sqlite

  3. Generate an imported.nix file from the database

(The packages.sqlite file can be deleted at will, because it is regenerated each time the script runs.)

The maintainer’s job is to:

  1. Re-run the ql-import.lisp script when there is a new Quicklisp release

  2. Add any missing native dependencies in ql.nix

  3. For packages that still don’t build, package them manually in packages.nix

Also, the imported.nix file must not be edited manually! It should only be generated as described in this section (by running ql-import.lisp).

Adding native dependencies

The Quicklisp files contain ASDF dependency data, but don’t include native library (CFFI) dependencies, and, in the case of ABCL, Java dependencies.

The ql.nix file contains a long list of overrides, where these dependencies can be added.

Packages defined in packages.nix contain these dependencies naturally.

Trusting systems.txt and releases.txt

The previous implementation of lisp-modules didn’t fully trust the Quicklisp data, because there were times where the dependencies specified were not complete and caused broken builds. It instead used a nix-shell environment to discover real dependencies by using the ASDF APIs.

The current implementation has chosen to trust this data, because it’s faster to parse a text file than to build each system to generate its Nix file, and because that way packages can be mass-imported. Because of that, there may come a day where some packages will break, due to bugs in Quicklisp. In that case, the fix could be a manual override in packages.nix and ql.nix.

A known fact is that Quicklisp doesn’t include dependencies on slashy systems in its data. This is an example of a situation where such fixes were used, e.g. to replace the systems attribute of the affected packages. (See the definition of iolib).

Quirks

During Quicklisp import:

  • + in names is converted to _plus{_,}: cl+ssl->cl_plus_ssl, alexandria+->alexandria_plus

  • . in names is converted to _dot_: iolib.base->iolib_dot_base

  • names starting with a number have a _ prepended (3d-vectors->_3d-vectors)

  • _ in names is converted to __ for reversibility

Defining packages manually inside Nixpkgs

Packages that for some reason are not in Quicklisp, and so cannot be auto-imported, or don’t work straight from the import, are defined in the packages.nix file.

In that file, use the build-asdf-system function, which is a wrapper around mkDerivation for building ASDF systems. Various other hacks are present, such as build-with-compile-into-pwd for systems which create files during compilation (such as cl-unicode).

The build-asdf-system function is documented here. Also, packages.nix is full of examples of how to use it.

Defining packages manually outside Nixpkgs

Lisp derivations (abcl, sbcl etc.) also export the buildASDFSystem function, which is similar to build-asdf-system from packages.nix, but is part of the public API.

It takes the following arguments:

  • pname: the package name

  • version: the package version

  • src: the package source

  • patches: patches to apply to the source before build

  • nativeLibs: native libraries used by CFFI and grovelling

  • javaLibs: Java libraries for ABCL

  • lispLibs: dependencies on other packages build with buildASDFSystem

  • systems: list of systems to build

It can be used to define packages outside Nixpkgs, and, for example, add them into the package scope with withOverrides.

Including an external package in scope

A package defined outside Nixpkgs using buildASDFSystem can be woven into the Nixpkgs-provided scope like this:

let
  alexandria = sbcl.buildASDFSystem rec {
    pname = "alexandria";
    version = "1.4";
    src = fetchFromGitLab {
      domain = "gitlab.common-lisp.net";
      owner = "alexandria";
      repo = "alexandria";
      rev = "v${version}";
      hash = "sha256-1Hzxt65dZvgOFIljjjlSGgKYkj+YBLwJCACi5DZsKmQ=";
    };
  };
  sbcl' = sbcl.withOverrides (self: super: {
    inherit alexandria;
  });
in sbcl'.pkgs.alexandria

Overriding package attributes

Packages export the overrideLispAttrs function, which can be used to build a new package with different parameters.

Example of overriding alexandria:

sbcl.pkgs.alexandria.overrideLispAttrs (oldAttrs: rec {
  version = "1.4";
  src = fetchFromGitLab {
    domain = "gitlab.common-lisp.net";
    owner = "alexandria";
    repo = "alexandria";
    rev = "v${version}";
    hash = "sha256-1Hzxt65dZvgOFIljjjlSGgKYkj+YBLwJCACi5DZsKmQ=";
  };
})

Dealing with slashy systems

Slashy (secondary) systems should not exist in their own packages! Instead, they should be included in the parent package as an extra entry in the systems argument to the build-asdf-system/buildASDFSystem functions.

The reason is that ASDF searches for a secondary system in the .asd of the parent package. Thus, having them separate would cause either one of them not to load cleanly, because one will contains FASLs of itself but not the other, and vice versa.

To package slashy systems, use overrideLispAttrs, like so:

ecl.pkgs.alexandria.overrideLispAttrs (oldAttrs: {
  systems = oldAttrs.systems ++ [ "alexandria/tests" ];
  lispLibs = oldAttrs.lispLibs ++ [ ecl.pkgs.rt ];
})

See the respective section on using withOverrides for how to weave it back into ecl.pkgs.

Note that sometimes the slashy systems might not only have more dependencies than the main one, but create a circular dependency between .asd files. Unfortunately, in this case an adhoc solution becomes necessary.

Building Wrappers

Wrappers can be built using the withPackages function of Common Lisp implementations (abcl, ecl, sbcl etc.):

nix-shell -p 'sbcl.withPackages (ps: [ ps.alexandria ps.bordeaux-threads ])'

Such a wrapper can then be used like this:

$ sbcl
* (load (sb-ext:posix-getenv "ASDF"))
* (asdf:load-system 'alexandria)
* (asdf:load-system 'bordeaux-threads)

Loading ASDF

For best results, avoid calling (require 'asdf) When using the library-generated wrappers.

Use (load (ext:getenv "ASDF")) instead, supplying your implementation’s way of getting an environment variable for ext:getenv. This will load the (pre-compiled to FASL) Nixpkgs-provided version of ASDF.

Loading systems

There, you can use asdf:load-system. This works by setting the right values for the CL_SOURCE_REGISTRY/ASDF_OUTPUT_TRANSLATIONS environment variables, so that systems are found in the Nix store and pre-compiled FASLs are loaded.

Adding a new Lisp

The function wrapLisp is used to wrap Common Lisp implementations. It adds the pkgs, withPackages, withOverrides and buildASDFSystem attributes to the derivation.

wrapLisp takes these arguments:

  • pkg: the Lisp package

  • faslExt: Implementation-specific extension for FASL files

  • program: The name of executable file in ${pkg}/bin/ (Default: pkg.pname)

  • flags: A list of flags to always pass to program (Default: [])

  • asdf: The ASDF version to use (Default: pkgs.asdf_3_3)

  • packageOverrides: Package overrides config (Default: (self: super: {}))

This example wraps CLISP:

wrapLisp {
  pkg = clisp;
  faslExt = "fas";
  flags = ["-E" "UTF8"];
}

Lua

Using Lua

Overview of Lua

Several versions of the Lua interpreter are available: luajit, lua 5.1, 5.2, 5.3. The attribute lua refers to the default interpreter, it is also possible to refer to specific versions, e.g. lua5_2 refers to Lua 5.2.

Lua libraries are in separate sets, with one set per interpreter version.

The interpreters have several common attributes. One of these attributes is pkgs, which is a package set of Lua libraries for this specific interpreter. E.g., the busted package corresponding to the default interpreter is lua.pkgs.busted, and the lua 5.2 version is lua5_2.pkgs.busted. The main package set contains aliases to these package sets, e.g. luaPackages refers to lua5_1.pkgs and lua52Packages to lua5_2.pkgs.

Note that nixpkgs patches the non-luajit interpreters to avoid referring to /usr and have ;; (a placeholder replaced with the default LUA_PATH) work correctly.

Installing Lua and packages

Lua environment defined in separate .nix file

Create a file, e.g. build.nix, with the following expression

with import <nixpkgs> {};

lua5_2.withPackages (ps: with ps; [ busted luafilesystem ])

and install it in your profile with

nix-env -if build.nix

Now you can use the Lua interpreter, as well as the extra packages (busted, luafilesystem) that you added to the environment.

Lua environment defined in ~/.config/nixpkgs/config.nix

If you prefer to, you could also add the environment as a package override to the Nixpkgs set, e.g. using config.nix,

{ # ...

  packageOverrides = pkgs: with pkgs; {
    myLuaEnv = lua5_2.withPackages (ps: with ps; [ busted luafilesystem ]);
  };
}

and install it in your profile with

nix-env -iA nixpkgs.myLuaEnv

The environment is installed by referring to the attribute, and considering the nixpkgs channel was used.

Lua environment defined in /etc/nixos/configuration.nix

For the sake of completeness, here’s another example how to install the environment system-wide.

{ # ...

  environment.systemPackages = with pkgs; [
    (lua.withPackages(ps: with ps; [ busted luafilesystem ]))
  ];
}

How to override a Lua package using overlays?

Use the following overlay template:

final: prev:
{

  lua = prev.lua.override {
    packageOverrides = luaself: luaprev: {

      luarocks-nix = luaprev.luarocks-nix.overrideAttrs(oa: {
        pname = "luarocks-nix";
        src = /home/my_luarocks/repository;
      });
    };
  };

  luaPackages = lua.pkgs;
}

Temporary Lua environment with nix-shell

There are two methods for loading a shell with Lua packages. The first and recommended method is to create an environment with lua.buildEnv or lua.withPackages and load that. E.g.

$ nix-shell -p 'lua.withPackages(ps: with ps; [ busted luafilesystem ])'

opens a shell from which you can launch the interpreter

[nix-shell:~] lua

The other method, which is not recommended, does not create an environment and requires you to list the packages directly,

$ nix-shell -p lua.pkgs.busted lua.pkgs.luafilesystem

Again, it is possible to launch the interpreter from the shell. The Lua interpreter has the attribute pkgs which contains all Lua libraries for that specific interpreter.

Developing with lua

Now that you know how to get a working Lua environment with Nix, it is time to go forward and start actually developing with Lua. There are two ways to package lua software, either it is on luarocks and most of it can be taken care of by the luarocks2nix converter or the packaging has to be done manually. Let’s present the luarocks way first and the manual one in a second time.

Packaging a library on luarocks

Luarocks.org is the main repository of lua packages. The site proposes two types of packages, the rockspec and the src.rock (equivalent of a rockspec but with the source).

Luarocks-based packages are generated in pkgs/development/lua-modules/generated-packages.nix from the whitelist maintainers/scripts/luarocks-packages.csv and updated by running the package luarocks-packages-updater:


nix-shell -p luarocks-packages-updater --run luarocks-packages-updater

luarocks2nix is a tool capable of generating nix derivations from both rockspec and src.rock (and favors the src.rock). The automation only goes so far though and some packages need to be customized. These customizations go in pkgs/development/lua-modules/overrides.nix. For instance if the rockspec defines external_dependencies, these need to be manually added to the overrides.nix.

You can try converting luarocks packages to nix packages with the command nix-shell -p luarocks-nix and then luarocks nix PKG_NAME.

Packaging a library manually

You can develop your package as you usually would, just don’t forget to wrap it within a toLuaModule call, for instance

{
  mynewlib = toLuaModule ( stdenv.mkDerivation { /* ... */ });
}

There is also the buildLuaPackage function that can be used when lua modules are not packaged for luarocks. You can see a few examples at pkgs/top-level/lua-packages.nix.

Lua Reference

Lua interpreters

Versions 5.1, 5.2, 5.3 and 5.4 of the lua interpreter are available as respectively lua5_1, lua5_2, lua5_3 and lua5_4. Luajit is available too. The Nix expressions for the interpreters can be found in pkgs/development/interpreters/lua-5.

Attributes on lua interpreters packages

Each interpreter has the following attributes:

  • interpreter. Alias for ${pkgs.lua}/bin/lua.

  • buildEnv. Function to build lua interpreter environments with extra packages bundled together. See section lua.buildEnv function for usage and documentation.

  • withPackages. Simpler interface to buildEnv.

  • pkgs. Set of Lua packages for that specific interpreter. The package set can be modified by overriding the interpreter and passing packageOverrides.

buildLuarocksPackage function

The buildLuarocksPackage function is implemented in pkgs/development/interpreters/lua-5/build-luarocks-package.nix The following is an example:

{
  luaposix = buildLuarocksPackage {
    pname = "luaposix";
    version = "34.0.4-1";

    src = fetchurl {
      url    = "https://raw.githubusercontent.com/rocks-moonscript-org/moonrocks-mirror/master/luaposix-34.0.4-1.src.rock";
      hash = "sha256-4mLJG8n4m6y4Fqd0meUDfsOb9RHSR0qa/KD5KCwrNXs=";
    };
    disabled = (luaOlder "5.1") || (luaAtLeast "5.4");
    propagatedBuildInputs = [ bit32 lua std_normalize ];

    meta = {
      homepage = "https://github.com/luaposix/luaposix/";
      description = "Lua bindings for POSIX";
      maintainers = with lib.maintainers; [ vyp lblasc ];
      license.fullName = "MIT/X11";
    };
  };
}

The buildLuarocksPackage delegates most tasks to luarocks:

  • it adds luarocks as an unpacker for src.rock files (zip files really).

  • configurePhase writes a temporary luarocks configuration file which location is exported via the environment variable LUAROCKS_CONFIG.

  • the buildPhase does nothing.

  • installPhase calls luarocks make --deps-mode=none --tree $out to build and install the package

  • In the postFixup phase, the wrapLuaPrograms bash function is called to wrap all programs in the $out/bin/* directory to include $PATH environment variable and add dependent libraries to script’s LUA_PATH and LUA_CPATH.

It accepts as arguments:

  • ‘luarocksConfig’: a nix value that directly maps to the luarocks config used during the installation

By default meta.platforms is set to the same value as the interpreter unless overridden otherwise.

buildLuaApplication function

The buildLuaApplication function is practically the same as buildLuaPackage. The difference is that buildLuaPackage by default prefixes the names of the packages with the version of the interpreter. Because with an application we’re not interested in multiple version the prefix is dropped.

lua.withPackages function

The lua.withPackages takes a function as an argument that is passed the set of lua packages and returns the list of packages to be included in the environment. Using the withPackages function, the previous example for the luafilesystem environment can be written like this:

lua.withPackages (ps: [ps.luafilesystem])

withPackages passes the correct package set for the specific interpreter version as an argument to the function. In the above example, ps equals luaPackages. But you can also easily switch to using lua5_1:

lua5_1.withPackages (ps: [ps.lua])

Now, ps is set to lua5_1.pkgs, matching the version of the interpreter.

Lua Contributing guidelines

Following rules should be respected:

  • Commit names of Lua libraries should reflect that they are Lua libraries, so write for example luaPackages.luafilesystem: 1.11 -> 1.12.

Maven

Maven is a well-known build tool for the Java ecosystem however it has some challenges when integrating into the Nix build system.

The following provides a list of common patterns with how to package a Maven project (or any JVM language that can export to Maven) as a Nix package.

Building a package using maven.buildMavenPackage

Consider the following package:

{ lib, fetchFromGitHub, jre, makeWrapper, maven }:

maven.buildMavenPackage rec {
  pname = "jd-cli";
  version = "1.2.1";

  src = fetchFromGitHub {
    owner = "intoolswetrust";
    repo = pname;
    rev = "${pname}-${version}";
    hash = "sha256-rRttA5H0A0c44loBzbKH7Waoted3IsOgxGCD2VM0U/Q=";
  };

  mvnHash = "sha256-kLpjMj05uC94/5vGMwMlFzLKNFOKeyNvq/vmB6pHTAo=";

  nativeBuildInputs = [ makeWrapper ];

  installPhase = ''
    mkdir -p $out/bin $out/share/jd-cli
    install -Dm644 jd-cli/target/jd-cli.jar $out/share/jd-cli

    makeWrapper ${jre}/bin/java $out/bin/jd-cli \
      --add-flags "-jar $out/share/jd-cli/jd-cli.jar"
  '';

  meta = {
    description = "Simple command line wrapper around JD Core Java Decompiler project";
    homepage = "https://github.com/intoolswetrust/jd-cli";
    license = lib.licenses.gpl3Plus;
    maintainers = with lib.maintainers; [ majiir ];
  };
}

This package calls maven.buildMavenPackage to do its work. The primary difference from stdenv.mkDerivation is the mvnHash variable, which is a hash of all of the Maven dependencies.

Tip

After setting maven.buildMavenPackage, we then do standard Java .jar installation by saving the .jar to $out/share/java and then making a wrapper which allows executing that file; see the section called “Java” for additional generic information about packaging Java applications.

Stable Maven plugins

Maven defines default versions for its core plugins, e.g. maven-compiler-plugin. If your project does not override these versions, an upgrade of Maven will change the version of the used plugins, and therefore the derivation and hash.

When maven is upgraded, mvnHash for the derivation must be updated as well: otherwise, the project will be built on the derivation of old plugins, and fail because the requested plugins are missing.

This clearly prevents automatic upgrades of Maven: a manual effort must be made throughout nixpkgs by any maintainer wishing to push the upgrades.

To make sure that your package does not add extra manual effort when upgrading Maven, explicitly define versions for all plugins. You can check if this is the case by adding the following plugin to your (parent) POM:

<plugin>
  <groupId>org.apache.maven.plugins</groupId>
  <artifactId>maven-enforcer-plugin</artifactId>
  <version>3.3.0</version>
  <executions>
    <execution>
      <id>enforce-plugin-versions</id>
      <goals>
        <goal>enforce</goal>
      </goals>
      <configuration>
        <rules>
          <requirePluginVersions />
        </rules>
      </configuration>
    </execution>
  </executions>
</plugin>

Manually using mvn2nix

Warning

This way is no longer recommended; see the section called “Building a package using maven.buildMavenPackage for the simpler and preferred way.

For the purposes of this example let’s consider a very basic Maven project with the following pom.xml with a single dependency on emoji-java.

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>io.github.fzakaria</groupId>
  <artifactId>maven-demo</artifactId>
  <version>1.0</version>
  <packaging>jar</packaging>
  <name>NixOS Maven Demo</name>

  <dependencies>
    <dependency>
        <groupId>com.vdurmont</groupId>
        <artifactId>emoji-java</artifactId>
        <version>5.1.1</version>
      </dependency>
  </dependencies>
</project>

Our main class file will be very simple:

import com.vdurmont.emoji.EmojiParser;

public class Main {
  public static void main(String[] args) {
    String str = "NixOS :grinning: is super cool :smiley:!";
    String result = EmojiParser.parseToUnicode(str);
    System.out.println(result);
  }
}

You find this demo project at https://github.com/fzakaria/nixos-maven-example.

Solving for dependencies

buildMaven with NixOS/mvn2nix-maven-plugin

buildMaven is an alternative method that tries to follow similar patterns of other programming languages by generating a lock file. It relies on the maven plugin mvn2nix-maven-plugin.

First you generate a project-info.json file using the maven plugin.

This should be executed in the project’s source repository or be told which pom.xml to execute with.

# run this step within the project's source repository
❯ mvn org.nixos.mvn2nix:mvn2nix-maven-plugin:mvn2nix

❯ cat project-info.json | jq | head
{
  "project": {
    "artifactId": "maven-demo",
    "groupId": "org.nixos",
    "version": "1.0",
    "classifier": "",
    "extension": "jar",
    "dependencies": [
      {
        "artifactId": "maven-resources-plugin",

This file is then given to the buildMaven function, and it returns 2 attributes.

repo: A Maven repository that is a symlink farm of all the dependencies found in the project-info.json

build: A simple derivation that runs through mvn compile & mvn package to build the JAR. You may use this as inspiration for more complicated derivations.

Here is an example of building the Maven repository

{ pkgs ? import <nixpkgs> { } }:
with pkgs;
(buildMaven ./project-info.json).repo

The benefit over the double invocation as we will see below, is that the /nix/store entry is a linkFarm of every package, so that changes to your dependency set doesn’t involve downloading everything from scratch.

❯ tree $(nix-build --no-out-link build-maven-repository.nix) | head
/nix/store/g87va52nkc8jzbmi1aqdcf2f109r4dvn-maven-repository
├── antlr
│   └── antlr
│       └── 2.7.2
│           ├── antlr-2.7.2.jar -> /nix/store/d027c8f2cnmj5yrynpbq2s6wmc9cb559-antlr-2.7.2.jar
│           └── antlr-2.7.2.pom -> /nix/store/mv42fc5gizl8h5g5vpywz1nfiynmzgp2-antlr-2.7.2.pom
├── avalon-framework
│   └── avalon-framework
│       └── 4.1.3
│           ├── avalon-framework-4.1.3.jar -> /nix/store/iv5fp3955w3nq28ff9xfz86wvxbiw6n9-avalon-framework-4.1.3.jar
Double Invocation

Note

This pattern is the simplest but may cause unnecessary rebuilds due to the output hash changing.

The double invocation is a simple way to get around the problem that nix-build may be sandboxed and have no Internet connectivity.

It treats the entire Maven repository as a single source to be downloaded, relying on Maven’s dependency resolution to satisfy the output hash. This is similar to fetchers like fetchgit, except it has to run a Maven build to determine what to download.

The first step will be to build the Maven project as a fixed-output derivation in order to collect the Maven repository – below is an example.

Note

Traditionally the Maven repository is at ~/.m2/repository. We will override this to be the $out directory.

{ lib, stdenv, maven }:
stdenv.mkDerivation {
  name = "maven-repository";
  buildInputs = [ maven ];
  src = ./.; # or fetchFromGitHub, cleanSourceWith, etc
  buildPhase = ''
    mvn package -Dmaven.repo.local=$out
  '';

  # keep only *.{pom,jar,sha1,nbm} and delete all ephemeral files with lastModified timestamps inside
  installPhase = ''
    find $out -type f \
      -name \*.lastUpdated -or \
      -name resolver-status.properties -or \
      -name _remote.repositories \
      -delete
  '';

  # don't do any fixup
  dontFixup = true;
  outputHashAlgo = null;
  outputHashMode = "recursive";
  # replace this with the correct SHA256
  outputHash = lib.fakeHash;
}

The build will fail, and tell you the expected outputHash to place. When you’ve set the hash, the build will return with a /nix/store entry whose contents are the full Maven repository.

Warning

Some additional files are deleted that would cause the output hash to change potentially on subsequent runs.

❯ tree $(nix-build --no-out-link double-invocation-repository.nix) | head
/nix/store/8kicxzp98j68xyi9gl6jda67hp3c54fq-maven-repository
├── backport-util-concurrent
│   └── backport-util-concurrent
│       └── 3.1
│           ├── backport-util-concurrent-3.1.pom
│           └── backport-util-concurrent-3.1.pom.sha1
├── classworlds
│   └── classworlds
│       ├── 1.1
│       │   ├── classworlds-1.1.jar

If your package uses SNAPSHOT dependencies or version ranges; there is a strong likelihood that over-time your output hash will change since the resolved dependencies may change. Hence this method is less recommended then using buildMaven.

Building a JAR

Regardless of which strategy is chosen above, the step to build the derivation is the same.

{ stdenv, maven, callPackage }:
# pick a repository derivation, here we will use buildMaven
let repository = callPackage ./build-maven-repository.nix { };
in stdenv.mkDerivation rec {
  pname = "maven-demo";
  version = "1.0";

  src = builtins.fetchTarball "https://github.com/fzakaria/nixos-maven-example/archive/main.tar.gz";
  buildInputs = [ maven ];

  buildPhase = ''
    echo "Using repository ${repository}"
    mvn --offline -Dmaven.repo.local=${repository} package;
  '';

  installPhase = ''
    install -Dm644 target/${pname}-${version}.jar $out/share/java
  '';
}

Tip

We place the library in $out/share/java since JDK package has a stdenv setup hook that adds any JARs in the share/java directories of the build inputs to the CLASSPATH environment.

❯ tree $(nix-build --no-out-link build-jar.nix)
/nix/store/7jw3xdfagkc2vw8wrsdv68qpsnrxgvky-maven-demo-1.0
└── share
    └── java
        └── maven-demo-1.0.jar

2 directories, 1 file

Runnable JAR

The previous example builds a jar file but that’s not a file one can run.

You need to use it with java -jar $out/share/java/output.jar and make sure to provide the required dependencies on the classpath.

The following explains how to use makeWrapper in order to make the derivation produce an executable that will run the JAR file you created.

We will use the same repository we built above (either double invocation or buildMaven) to setup a CLASSPATH for our JAR.

The following two methods are more suited to Nix then building an UberJar which may be the more traditional approach.

CLASSPATH

This method is ideal if you are providing a derivation for nixpkgs and don’t want to patch the project’s pom.xml.

We will read the Maven repository and flatten it to a single list. This list will then be concatenated with the CLASSPATH separator to create the full classpath.

We make sure to provide this classpath to the makeWrapper.

{ stdenv, maven, callPackage, makeWrapper, jre }:
let
  repository = callPackage ./build-maven-repository.nix { };
in stdenv.mkDerivation rec {
  pname = "maven-demo";
  version = "1.0";

  src = builtins.fetchTarball
    "https://github.com/fzakaria/nixos-maven-example/archive/main.tar.gz";
  nativeBuildInputs = [ makeWrapper ];
  buildInputs = [ maven ];

  buildPhase = ''
    echo "Using repository ${repository}"
    mvn --offline -Dmaven.repo.local=${repository} package;
  '';

  installPhase = ''
    mkdir -p $out/bin

    classpath=$(find ${repository} -name "*.jar" -printf ':%h/%f');
    install -Dm644 target/${pname}-${version}.jar $out/share/java
    # create a wrapper that will automatically set the classpath
    # this should be the paths from the dependency derivation
    makeWrapper ${jre}/bin/java $out/bin/${pname} \
          --add-flags "-classpath $out/share/java/${pname}-${version}.jar:''${classpath#:}" \
          --add-flags "Main"
  '';
}
MANIFEST file via Maven Plugin

This method is ideal if you are the project owner and want to change your pom.xml to set the CLASSPATH within it.

Augment the pom.xml to create a JAR with the following manifest:

<build>
  <plugins>
    <plugin>
        <artifactId>maven-jar-plugin</artifactId>
        <configuration>
            <archive>
                <manifest>
                    <addClasspath>true</addClasspath>
                    <classpathPrefix>../../repository/</classpathPrefix>
                    <classpathLayoutType>repository</classpathLayoutType>
                    <mainClass>Main</mainClass>
                </manifest>
                <manifestEntries>
                    <Class-Path>.</Class-Path>
                </manifestEntries>
            </archive>
        </configuration>
    </plugin>
  </plugins>
</build>

The above plugin instructs the JAR to look for the necessary dependencies in the lib/ relative folder. The layout of the folder is also in the maven repository style.

❯ unzip -q -c $(nix-build --no-out-link runnable-jar.nix)/share/java/maven-demo-1.0.jar META-INF/MANIFEST.MF

Manifest-Version: 1.0
Archiver-Version: Plexus Archiver
Built-By: nixbld
Class-Path: . ../../repository/com/vdurmont/emoji-java/5.1.1/emoji-jav
 a-5.1.1.jar ../../repository/org/json/json/20170516/json-20170516.jar
Created-By: Apache Maven 3.6.3
Build-Jdk: 1.8.0_265
Main-Class: Main

We will modify the derivation above to add a symlink to our repository so that it’s accessible to our JAR during the installPhase.

{ stdenv, maven, callPackage, makeWrapper, jre }:
# pick a repository derivation, here we will use buildMaven
let repository = callPackage ./build-maven-repository.nix { };
in stdenv.mkDerivation rec {
  pname = "maven-demo";
  version = "1.0";

  src = builtins.fetchTarball
    "https://github.com/fzakaria/nixos-maven-example/archive/main.tar.gz";
  nativeBuildInputs = [ makeWrapper ];
  buildInputs = [ maven ];

  buildPhase = ''
    echo "Using repository ${repository}"
    mvn --offline -Dmaven.repo.local=${repository} package;
  '';

  installPhase = ''
    mkdir -p $out/bin

    # create a symbolic link for the repository directory
    ln -s ${repository} $out/repository

    install -Dm644 target/${pname}-${version}.jar $out/share/java
    # create a wrapper that will automatically set the classpath
    # this should be the paths from the dependency derivation
    makeWrapper ${jre}/bin/java $out/bin/${pname} \
          --add-flags "-jar $out/share/java/${pname}-${version}.jar"
  '';
}

Note

Our script produces a dependency on jre rather than jdk to restrict the runtime closure necessary to run the application.

This will give you an executable shell-script that launches your JAR with all the dependencies available.

❯ tree $(nix-build --no-out-link runnable-jar.nix)
/nix/store/8d4c3ibw8ynsn01ibhyqmc1zhzz75s26-maven-demo-1.0
├── bin
│   └── maven-demo
├── repository -> /nix/store/g87va52nkc8jzbmi1aqdcf2f109r4dvn-maven-repository
└── share
    └── java
        └── maven-demo-1.0.jar

❯ $(nix-build --no-out-link --option tarball-ttl 1 runnable-jar.nix)/bin/maven-demo
NixOS 😀 is super cool 😃!

Nim

The Nim compiler and a builder function is available. Nim programs are built using buildNimPackage and a lockfile containing Nim dependencies.

The following example shows a Nim program that depends only on Nim libraries:

{ lib, buildNimPackage, fetchFromGitHub }:

buildNimPackage (finalAttrs: {
  pname = "ttop";
  version = "1.2.7";

  src = fetchFromGitHub {
    owner = "inv2004";
    repo = "ttop";
    rev = "v${finalAttrs.version}";
    hash = "sha256-oPdaUqh6eN1X5kAYVvevOndkB/xnQng9QVLX9bu5P5E=";
  };

  lockFile = ./lock.json;

  nimFlags = [
    "-d:NimblePkgVersion=${finalAttrs.version}"
  ];
})

buildNimPackage parameters

The buildNimPackage function takes an attrset of parameters that are passed on to stdenv.mkDerivation.

The following parameters are specific to buildNimPackage:

  • lockFile: JSON formatted lockfile.

  • nimbleFile: Specify the Nimble file location of the package being built rather than discover the file at build-time.

  • nimRelease ? true: Build the package in release mode.

  • nimDefines ? []: A list of Nim defines. Key-value tuples are not supported.

  • nimFlags ? []: A list of command line arguments to pass to the Nim compiler. Use this to specify defines with arguments in the form of -d:${name}=${value}.

  • nimDoc ? false`: Build and install HTML documentation.

Lockfiles

Nim lockfiles are created with the nim_lk utility. Run nim_lk with the source directory as an argument and it will print a lockfile to stdout.

$ cd nixpkgs
$ nix build -f . ttop.src
$ nix run -f . nim_lk ./result | jq --sort-keys > pkgs/by-name/tt/ttop/lock.json

Overriding Nim packages

The buildNimPackage function generates flags and additional build dependencies from the lockFile parameter passed to buildNimPackage. Using overrideAttrs on the final package will apply after this has already been generated, so this can’t be used to override the lockFile in a package built with buildNimPackage. To be able to override parameters before flags and build dependencies are generated from the lockFile, use overrideNimAttrs instead with the same syntax as overrideAttrs:

pkgs.nitter.overrideNimAttrs {
  # using a different source which has different dependencies from the standard package
  src = pkgs.fetchFromGithub { /* … */ };
  # new lock file generated from the source
  lockFile = ./custom-lock.json;
}

Lockfile dependency overrides

The buildNimPackage function matches the libraries specified by lockFile to attrset of override functions that are then applied to the package derivation. The default overrides are maintained as the top-level nimOverrides attrset at pkgs/top-level/nim-overrides.nix.

For example, to propagate a dependency on SDL2 for lockfiles that select the Nim sdl2 library, an overlay is added to the set in the nim-overrides.nix file:

{ lib
/* … */
, SDL2
/* … */
}:

{
  /* … */
  sdl2 =
    lockAttrs:
    { buildInputs ? [ ], ... }:
    {
      buildInputs = buildInputs ++ [ SDL2 ];
    };
  /* … */
}

The annotations in the nim-overrides.nix set are functions that take two arguments and return a new attrset to be overlaid on the package being built.

  • lockAttrs: the attrset for this library from within a lockfile. This can be used to implement library version constraints, such as marking libraries as broken or insecure.

  • prevAttrs: the attrset produced by initial arguments to buildNimPackage and any preceding lockfile overlays.

Overriding an Nim library override

The nimOverrides attrset makes it possible to modify overrides in a few different ways.

Override a package internal to its definition:

{ lib, buildNimPackage, nimOverrides, libressl }:

let
  buildNimPackage' = buildNimPackage.override {
    nimOverrides = nimOverrides.override { openssl = libressl; };
  };
in buildNimPackage' (finalAttrs: {
  pname = "foo";
  # …
})

Override a package externally:

{ pkgs }: {
  foo = pkgs.foo.override {
    buildNimPackage = pkgs.buildNimPackage.override {
      nimOverrides = pkgs.nimOverrides.override { openssl = libressl; };
    };
  };
}

OCaml

User guide

OCaml libraries are available in attribute sets of the form ocaml-ng.ocamlPackages_X_XX where X is to be replaced with the desired compiler version. For example, ocamlgraph compiled with OCaml 4.12 can be found in ocaml-ng.ocamlPackages_4_12.ocamlgraph. The compiler itself is also located in this set, under the name ocaml.

If you don’t care about the exact compiler version, ocamlPackages is a top-level alias pointing to a recent version of OCaml.

OCaml applications are usually available top-level, and not inside ocamlPackages. Notable exceptions are build tools that must be built with the same compiler version as the compiler you intend to use like dune or ocaml-lsp.

To open a shell able to build a typical OCaml project, put the dependencies in buildInputs and add ocamlPackages.ocaml and ocamlPackages.findlib to nativeBuildInputs at least. For example:

let
 pkgs = import <nixpkgs> {};
 # choose the ocaml version you want to use
 ocamlPackages = pkgs.ocaml-ng.ocamlPackages_4_12;
in
pkgs.mkShell {
  # build tools
  nativeBuildInputs = with ocamlPackages; [ ocaml findlib dune_2 ocaml-lsp ];
  # dependencies
  buildInputs = with ocamlPackages; [ ocamlgraph ];
}

Packaging guide

OCaml libraries should be installed in $(out)/lib/ocaml/${ocaml.version}/site-lib/. Such directories are automatically added to the $OCAMLPATH environment variable when building another package that depends on them or when opening a nix-shell.

Given that most of the OCaml ecosystem is now built with dune, nixpkgs includes a convenience build support function called buildDunePackage that will build an OCaml package using dune, OCaml and findlib and any additional dependencies provided as buildInputs or propagatedBuildInputs.

Here is a simple package example.

  • It defines an (optional) attribute minimalOCamlVersion (see note below) that will be used to throw a descriptive evaluation error if building with an older OCaml is attempted.

  • It uses the fetchFromGitHub fetcher to get its source.

  • It also accept duneVersion parameter (valid value are "1", "2", and "3"). The recommended practice it to set only if you don’t want the default value and/or it depends on something else like package version. You might see a not-supported argument useDune2. The behavior was useDune2 = true; => duneVersion = "2"; and useDune2 = false; => duneVersion = "1";. It was used at the time when dune3 didn’t existed.

  • It sets the optional doCheck attribute such that tests will be run with dune runtest -p angstrom after the build (dune build -p angstrom) is complete, but only if the Ocaml version is at at least "4.05".

  • It uses the package ocaml-syntax-shims as a build input, alcotest and ppx_let as check inputs (because they are needed to run the tests), and bigstringaf and result as propagated build inputs (thus they will also be available to libraries depending on this library).

  • The library will be installed using the angstrom.install file that dune generates.

{ lib,
  fetchFromGitHub,
  buildDunePackage,
  ocaml,
  ocaml-syntax-shims,
  alcotest,
  result,
  bigstringaf,
  ppx_let }:

buildDunePackage rec {
  pname = "angstrom";
  version = "0.15.0";

  minimalOCamlVersion = "4.04";

  src = fetchFromGitHub {
    owner  = "inhabitedtype";
    repo   = pname;
    rev    = version;
    hash   = "sha256-MK8o+iPGANEhrrTc1Kz9LBilx2bDPQt7Pp5P2libucI=";
  };

  checkInputs = [ alcotest ppx_let ];
  buildInputs = [ ocaml-syntax-shims ];
  propagatedBuildInputs = [ bigstringaf result ];
  doCheck = lib.versionAtLeast ocaml.version "4.05";

  meta = {
    homepage = "https://github.com/inhabitedtype/angstrom";
    description = "OCaml parser combinators built for speed and memory efficiency";
    license = lib.licenses.bsd3;
    maintainers = with lib.maintainers; [ sternenseemann ];
  };
}

Here is a second example, this time using a source archive generated with dune-release. It is a good idea to use this archive when it is available as it will usually contain substituted variables such as a %%VERSION%% field. This library does not depend on any other OCaml library and no tests are run after building it.

{ lib, fetchurl, buildDunePackage }:

buildDunePackage rec {
  pname = "wtf8";
  version = "1.0.2";

  minimalOCamlVersion = "4.02";

  src = fetchurl {
    url = "https://github.com/flowtype/ocaml-${pname}/releases/download/v${version}/${pname}-v${version}.tbz";
    hash = "sha256-d5/3KUBAWRj8tntr4RkJ74KWW7wvn/B/m1nx0npnzyc=";
  };

  meta = {
    homepage = "https://github.com/flowtype/ocaml-wtf8";
    description = "WTF-8 is a superset of UTF-8 that allows unpaired surrogates";
    license = lib.licenses.mit;
    maintainers = [ lib.maintainers.eqyiel ];
  };
}

The build will automatically fail if two distinct versions of the same library are added to buildInputs (which usually happens transitively because of propagatedBuildInputs). Set dontDetectOcamlConflicts to true to disable this behavior.

Octave

Introduction

Octave is a modular scientific programming language and environment. A majority of the packages supported by Octave from their website are packaged in nixpkgs.

Structure

All Octave add-on packages are available in two ways:

  1. Under the top-level Octave attribute, octave.pkgs.

  2. As a top-level attribute, octavePackages.

Packaging Octave Packages

Nixpkgs provides a function buildOctavePackage, a generic package builder function for any Octave package that complies with the Octave’s current packaging format.

All Octave packages are defined in pkgs/top-level/octave-packages.nix rather than pkgs/all-packages.nix. Each package is defined in their own file in the pkgs/development/octave-modules directory. Octave packages are made available through all-packages.nix through both the attribute octavePackages and octave.pkgs. You can test building an Octave package as follows:

$ nix-build -A octavePackages.symbolic

To install it into your user profile, run this command from the root of the repository:

$ nix-env -f. -iA octavePackages.symbolic

You can build Octave with packages by using the withPackages passed-through function.

$ nix-shell -p 'octave.withPackages (ps: with ps; [ symbolic ])'

This will also work in a shell.nix file.

{ pkgs ? import <nixpkgs> { }}:

pkgs.mkShell {
  nativeBuildInputs = with pkgs; [
    (octave.withPackages (opkgs: with opkgs; [ symbolic ]))
  ];
}

buildOctavePackage Steps

The buildOctavePackage does several things to make sure things work properly.

  1. Sets the environment variable OCTAVE_HISTFILE to /dev/null during package compilation so that the commands run through the Octave interpreter directly are not logged.

  2. Skips the configuration step, because the packages are stored as gzipped tarballs, which Octave itself handles directly.

  3. Change the hierarchy of the tarball so that only a single directory is at the top-most level of the tarball.

  4. Use Octave itself to run the pkg build command, which unzips the tarball, extracts the necessary files written in Octave, and compiles any code written in C++ or Fortran, and places the fully compiled artifact in $out.

buildOctavePackage is built on top of stdenv in a standard way, allowing most things to be customized.

Handling Dependencies

In Octave packages, there are four sets of dependencies that can be specified:

nativeBuildInputs

Just like other packages, nativeBuildInputs is intended for architecture-dependent build-time-only dependencies.

buildInputs

Like other packages, buildInputs is intended for architecture-independent build-time-only dependencies.

propagatedBuildInputs

Similar to other packages, propagatedBuildInputs is intended for packages that are required for both building and running of the package. See Symbolic for how this works and why it is needed.

requiredOctavePackages

This is a special dependency that ensures the specified Octave packages are dependent on others, and are made available simultaneously when loading them in Octave.

Installing Octave Packages

By default, the buildOctavePackage function does not install the requested package into Octave for use. The function will only build the requested package. This is due to Octave maintaining an text-based database about which packages are installed where. To this end, when all the requested packages have been built, the Octave package and all its add-on packages are put together into an environment, similar to Python.

  1. First, all the Octave binaries are wrapped with the environment variable OCTAVE_SITE_INITFILE set to a file in $out, which is required for Octave to be able to find the non-standard package database location.

  2. Because of the way buildEnv works, all tarballs that are present (which should be all Octave packages to install) should be removed.

  3. The path down to the default install location of Octave packages is recreated so that Nix-operated Octave can install the packages.

  4. Install the packages into the $out environment while writing package entries to the database file. This database file is unique for each different (according to Nix) environment invocation.

  5. Rewrite the Octave-wide startup file to read from the list of packages installed in that particular environment.

  6. Wrap any programs that are required by the Octave packages so that they work with all the paths defined within the environment.

Perl

Running Perl programs on the shell

When executing a Perl script, it is possible you get an error such as ./myscript.pl: bad interpreter: /usr/bin/perl: no such file or directory. This happens when the script expects Perl to be installed at /usr/bin/perl, which is not the case when using Perl from nixpkgs. You can fix the script by changing the first line to:

#!/usr/bin/env perl

to take the Perl installation from the PATH environment variable, or invoke Perl directly with:

$ perl ./myscript.pl

When the script is using a Perl library that is not installed globally, you might get an error such as Can't locate DB_File.pm in @INC (you may need to install the DB_File module). In that case, you can use nix-shell to start an ad-hoc shell with that library installed, for instance:

$ nix-shell -p perl perlPackages.DBFile --run ./myscript.pl

If you are always using the script in places where nix-shell is available, you can embed the nix-shell invocation in the shebang like this:

#!/usr/bin/env nix-shell
#! nix-shell -i perl -p perl perlPackages.DBFile

Packaging Perl programs

Nixpkgs provides a function buildPerlPackage, a generic package builder function for any Perl package that has a standard Makefile.PL. It’s implemented in pkgs/development/perl-modules/generic.

Perl packages from CPAN are defined in pkgs/top-level/perl-packages.nix rather than pkgs/all-packages.nix. Most Perl packages are so straight-forward to build that they are defined here directly, rather than having a separate function for each package called from perl-packages.nix. However, more complicated packages should be put in a separate file, typically in pkgs/development/perl-modules. Here is an example of the former:

{
  ClassC3 = buildPerlPackage rec {
    pname = "Class-C3";
    version = "0.21";
    src = fetchurl {
      url = "mirror://cpan/authors/id/F/FL/FLORA/${pname}-${version}.tar.gz";
      hash = "sha256-/5GE5xHT0uYGOQxroqj6LMU7CtKn2s6vMVoSXxL4iK4=";
    };
  };
}

Note the use of mirror://cpan/, and the pname and version in the URL definition to ensure that the pname attribute is consistent with the source that we’re actually downloading. Perl packages are made available in all-packages.nix through the variable perlPackages. For instance, if you have a package that needs ClassC3, you would typically write

{
  foo = import ../path/to/foo.nix {
    inherit stdenv fetchurl /* ... */;
    inherit (perlPackages) ClassC3;
  };
}

in all-packages.nix. You can test building a Perl package as follows:

$ nix-build -A perlPackages.ClassC3

To install it with nix-env instead: nix-env -f. -iA perlPackages.ClassC3.

So what does buildPerlPackage do? It does the following:

  1. In the configure phase, it calls perl Makefile.PL to generate a Makefile. You can set the variable makeMakerFlags to pass flags to Makefile.PL

  2. It adds the contents of the PERL5LIB environment variable to #! .../bin/perl line of Perl scripts as -Idir flags. This ensures that a script can find its dependencies. (This can cause this shebang line to become too long for Darwin to handle; see the note below.)

  3. In the fixup phase, it writes the propagated build inputs (propagatedBuildInputs) to the file $out/nix-support/propagated-user-env-packages. nix-env recursively installs all packages listed in this file when you install a package that has it. This ensures that a Perl package can find its dependencies.

buildPerlPackage is built on top of stdenv, so everything can be customised in the usual way. For instance, the BerkeleyDB module has a preConfigure hook to generate a configuration file used by Makefile.PL:

{ buildPerlPackage, fetchurl, db }:

buildPerlPackage rec {
  pname = "BerkeleyDB";
  version = "0.36";

  src = fetchurl {
    url = "mirror://cpan/authors/id/P/PM/PMQS/${pname}-${version}.tar.gz";
    hash = "sha256-4Y+HGgGQqcOfdiKcFIyMrWBEccVNVAMDBWZlFTMorh8=";
  };

  preConfigure = ''
    echo "LIB = ${db.out}/lib" > config.in
    echo "INCLUDE = ${db.dev}/include" >> config.in
  '';
}

Dependencies on other Perl packages can be specified in the buildInputs and propagatedBuildInputs attributes. If something is exclusively a build-time dependency, use buildInputs; if it’s (also) a runtime dependency, use propagatedBuildInputs. For instance, this builds a Perl module that has runtime dependencies on a bunch of other modules:

{
  ClassC3Componentised = buildPerlPackage rec {
    pname = "Class-C3-Componentised";
    version = "1.0004";
    src = fetchurl {
      url = "mirror://cpan/authors/id/A/AS/ASH/${pname}-${version}.tar.gz";
      hash = "sha256-ASO9rV/FzJYZ0BH572Fxm2ZrFLMZLFATJng1NuU4FHc=";
    };
    propagatedBuildInputs = [
      ClassC3 ClassInspector TestException MROCompat
    ];
  };
}

On Darwin, if a script has too many -Idir flags in its first line (its “shebang line”), it will not run. This can be worked around by calling the shortenPerlShebang function from the postInstall phase:

{ lib, stdenv, buildPerlPackage, fetchurl, shortenPerlShebang }:

{
  ImageExifTool = buildPerlPackage {
    pname = "Image-ExifTool";
    version = "12.50";

    src = fetchurl {
      url = "https://exiftool.org/${pname}-${version}.tar.gz";
      hash = "sha256-vOhB/FwQMC8PPvdnjDvxRpU6jAZcC6GMQfc0AH4uwKg=";
    };

    nativeBuildInputs = lib.optional stdenv.hostPlatform.isDarwin shortenPerlShebang;
    postInstall = lib.optionalString stdenv.hostPlatform.isDarwin ''
      shortenPerlShebang $out/bin/exiftool
    '';
  };
}

This will remove the -I flags from the shebang line, rewrite them in the use lib form, and put them on the next line instead. This function can be given any number of Perl scripts as arguments; it will modify them in-place.

Generation from CPAN

Nix expressions for Perl packages can be generated (almost) automatically from CPAN. This is done by the program nix-generate-from-cpan, which can be installed as follows:

$ nix-env -f "<nixpkgs>" -iA nix-generate-from-cpan

Substitute <nixpkgs> by the path of a nixpkgs clone to use the latest version.

This program takes a Perl module name, looks it up on CPAN, fetches and unpacks the corresponding package, and prints a Nix expression on standard output. For example:

$ nix-generate-from-cpan XML::Simple
  XMLSimple = buildPerlPackage rec {
    pname = "XML-Simple";
    version = "2.22";
    src = fetchurl {
      url = "mirror://cpan/authors/id/G/GR/GRANTM/XML-Simple-2.22.tar.gz";
      hash = "sha256-uUUO8i6pZErl1q2ghtxDAPoQW+BQogMOvU79KMGY60k=";
    };
    propagatedBuildInputs = [ XMLNamespaceSupport XMLSAX XMLSAXExpat ];
    meta = {
      description = "API for simple XML files";
      license = with lib.licenses; [ artistic1 gpl1Plus ];
    };
  };

The output can be pasted into pkgs/top-level/perl-packages.nix or wherever else you need it.

Cross-compiling modules

Nixpkgs has experimental support for cross-compiling Perl modules. In many cases, it will just work out of the box, even for modules with native extensions. Sometimes, however, the Makefile.PL for a module may (indirectly) import a native module. In that case, you will need to make a stub for that module that will satisfy the Makefile.PL and install it into lib/perl5/site_perl/cross_perl/${perl.version}. See the postInstall for DBI for an example.

PHP

User Guide

Overview

Several versions of PHP are available on Nix, each of which having a wide variety of extensions and libraries available.

The different versions of PHP that nixpkgs provides are located under attributes named based on major and minor version number; e.g., php81 is PHP 8.1.

Only versions of PHP that are supported by upstream for the entirety of a given NixOS release will be included in that release of NixOS. See PHP Supported Versions.

The attribute php refers to the version of PHP considered most stable and thoroughly tested in nixpkgs for any given release of NixOS - not necessarily the latest major release from upstream.

All available PHP attributes are wrappers around their respective binary PHP package and provide commonly used extensions this way. The real PHP 8.1 package, i.e. the unwrapped one, is available as php81.unwrapped; see the next section for more details.

Interactive tools built on PHP are put in php.packages; composer is for example available at php.packages.composer.

Most extensions that come with PHP, as well as some popular third-party ones, are available in php.extensions; for example, the opcache extension shipped with PHP is available at php.extensions.opcache and the third-party ImageMagick extension at php.extensions.imagick.

Installing PHP with extensions

A PHP package with specific extensions enabled can be built using php.withExtensions. This is a function which accepts an anonymous function as its only argument; the function should accept two named parameters: enabled - a list of currently enabled extensions and all - the set of all extensions, and return a list of wanted extensions. For example, a PHP package with all default extensions and ImageMagick enabled:

php.withExtensions ({ enabled, all }:
  enabled ++ [ all.imagick ])

To exclude some, but not all, of the default extensions, you can filter the enabled list like this:

php.withExtensions ({ enabled, all }:
  (lib.filter (e: e != php.extensions.opcache) enabled)
  ++ [ all.imagick ])

To build your list of extensions from the ground up, you can ignore enabled:

php.withExtensions ({ all, ... }: with all; [ imagick opcache ])

php.withExtensions provides extensions by wrapping a minimal php base package, providing a php.ini file listing all extensions to be loaded. You can access this package through the php.unwrapped attribute; useful if you, for example, need access to the dev output. The generated php.ini file can be accessed through the php.phpIni attribute.

If you want a PHP build with extra configuration in the php.ini file, you can use php.buildEnv. This function takes two named and optional parameters: extensions and extraConfig. extensions takes an extension specification equivalent to that of php.withExtensions, extraConfig a string of additional php.ini configuration parameters. For example, a PHP package with the opcache and ImageMagick extensions enabled, and memory_limit set to 256M:

php.buildEnv {
  extensions = { all, ... }: with all; [ imagick opcache ];
  extraConfig = "memory_limit=256M";
}
Example setup for phpfpm

You can use the previous examples in a phpfpm pool called foo as follows:

let
  myPhp = php.withExtensions ({ all, ... }: with all; [ imagick opcache ]);
in {
  services.phpfpm.pools."foo".phpPackage = myPhp;
}
let
  myPhp = php.buildEnv {
    extensions = { all, ... }: with all; [ imagick opcache ];
    extraConfig = "memory_limit=256M";
  };
in {
  services.phpfpm.pools."foo".phpPackage = myPhp;
}
Example usage with nix-shell

This brings up a temporary environment that contains a PHP interpreter with the extensions imagick and opcache enabled:

nix-shell -p 'php.withExtensions ({ all, ... }: with all; [ imagick opcache ])'

Installing PHP packages with extensions

All interactive tools use the PHP package you get them from, so all packages at php.packages.* use the php package with its default extensions. Sometimes this default set of extensions isn’t enough and you may want to extend it. A common case of this is the composer package: a project may depend on certain extensions and composer won’t work with that project unless those extensions are loaded.

Example of building composer with additional extensions:

(php.withExtensions ({ all, enabled }:
  enabled ++ (with all; [ imagick redis ]))
).packages.composer

Overriding PHP packages

php-packages.nix form a scope, allowing us to override the packages defined within. For example, to apply a patch to a mysqlnd extension, you can pass an overlay-style function to php’s packageOverrides argument:

php.override {
  packageOverrides = final: prev: {
    extensions = prev.extensions // {
      mysqlnd = prev.extensions.mysqlnd.overrideAttrs (attrs: {
        patches = attrs.patches or [] ++ [
          # ...
        ];
      });
    };
  };
}

Building PHP projects

With Composer, you can effectively build PHP projects by streamlining dependency management. As the de-facto standard dependency manager for PHP, Composer enables you to declare and manage the libraries your project relies on, ensuring a more organized and efficient development process.

Composer is not a package manager in the same sense as Yum or Apt are. Yes, it deals with “packages” or libraries, but it manages them on a per-project basis, installing them in a directory (e.g. vendor) inside your project. By default, it does not install anything globally. This idea is not new and Composer is strongly inspired by node’s npm and ruby’s bundler.

Currently, there is no other PHP tool that offers the same functionality as Composer. Consequently, incorporating a helper in Nix to facilitate building such applications is a logical choice.

In a Composer project, dependencies are defined in a composer.json file, while their specific versions are locked in a composer.lock file. Some Composer-based projects opt to include this composer.lock file in their source code, while others choose not to.

In Nix, there are multiple approaches to building a Composer-based project.

One such method is the php.buildComposerProject helper function, which serves as a wrapper around mkDerivation.

Using this function, you can build a PHP project that includes both a composer.json and composer.lock file. If the project specifies binaries using the bin attribute in composer.json, these binaries will be automatically linked and made accessible in the derivation. In this context, “binaries” refer to PHP scripts that are intended to be executable.

To use the helper effectively, add the vendorHash attribute, which enables the wrapper to handle the heavy lifting.

Internally, the helper operates in three stages:

  1. It constructs a composerRepository attribute derivation by creating a composer repository on the filesystem containing dependencies specified in composer.json. This process uses the function php.mkComposerRepository which in turn uses the php.composerHooks.composerRepositoryHook hook. Internally this function uses a custom Composer plugin to generate the repository.

  2. The resulting composerRepository derivation is then used by the php.composerHooks.composerInstallHook hook, which is responsible for creating the final vendor directory.

  3. Any “binary” specified in the composer.json are linked and made accessible in the derivation.

As the autoloader optimization can be activated directly within the composer.json file, we do not enable any autoloader optimization flags.

To customize the PHP version, you can specify the php attribute. Similarly, if you wish to modify the Composer version, use the composer attribute. It is important to note that both attributes should be of the derivation type.

Here’s an example of working code example using php.buildComposerProject:

{ php, fetchFromGitHub }:

php.buildComposerProject (finalAttrs: {
  pname = "php-app";
  version = "1.0.0";

  src = fetchFromGitHub {
    owner = "git-owner";
    repo = "git-repo";
    rev = finalAttrs.version;
    hash = "sha256-VcQRSss2dssfkJ+iUb5qT+FJ10GHiFDzySigcmuVI+8=";
  };

  # PHP version containing the `ast` extension enabled
  php = php.buildEnv {
    extensions = ({ enabled, all }: enabled ++ (with all; [
      ast
    ]));
  };

  # The composer vendor hash
  vendorHash = "sha256-86s/F+/5cBAwBqZ2yaGRM5rTGLmou5//aLRK5SA0WiQ=";

  # If the composer.lock file is missing from the repository, add it:
  # composerLock = ./path/to/composer.lock;
})

In case the file composer.lock is missing from the repository, it is possible to specify it using the composerLock attribute.

The other method is to use all these methods and hooks individually. This has the advantage of building a PHP library within another derivation very easily when necessary.

Here’s a working code example to build a PHP library using mkDerivation and separate functions and hooks:

{ stdenvNoCC, fetchFromGitHub, php }:

stdenvNoCC.mkDerivation (finalAttrs:
let
  src = fetchFromGitHub {
    owner = "git-owner";
    repo = "git-repo";
    rev = finalAttrs.version;
    hash = "sha256-VcQRSss2dssfkJ+iUb5qT+FJ10GHiFDzySigcmuVI+8=";
  };
in {
  inherit src;
  pname = "php-app";
  version = "1.0.0";

  buildInputs = [ php ];

  nativeBuildInputs = [
    php.packages.composer
    # This hook will use the attribute `composerRepository`
    php.composerHooks.composerInstallHook
  ];

  composerRepository = php.mkComposerRepository {
    inherit (finalAttrs) pname version src;
    composerNoDev = true;
    composerNoPlugins = true;
    composerNoScripts = true;
    # Specifying a custom composer.lock since it is not present in the sources.
    composerLock = ./composer.lock;
    # The composer vendor hash
    vendorHash = "sha256-86s/F+/5cBAwBqZ2yaGRM5rTGLmou5//aLRK5SA0WiQ=";
  };
})

pkg-config

pkg-config is a unified interface for declaring and querying built C/C++ libraries.

Nixpkgs provides a couple of facilities for working with this tool.

Writing packages providing pkg-config modules

Packages should set meta.pkgConfigModules with the list of package config modules they provide. They should also use testers.hasPkgConfigModules to check that the final built package matches that list, and optionally check that the pkgconf modules’ version metadata matches the derivation’s. Additionally, the validatePkgConfig setup hook, will do extra checks on to-be-installed pkg-config modules.

A good example of all these things is miniz:

{ pkg-config, testers, ... }:

stdenv.mkDerivation (finalAttrs: {
  /* ... */

  nativeBuildInputs = [ pkg-config validatePkgConfig ];

  passthru.tests.pkg-config = testers.hasPkgConfigModules {
    package = finalAttrs.finalPackage;
    versionCheck = true;
  };

  meta = {
    /* ... */
    pkgConfigModules = [ "miniz" ];
  };
})

Accessing packages via pkg-config module name

Within Nixpkgs

A setup hook is bundled in the pkg-config package to bring a derivation’s declared build inputs into the environment. This will populate environment variables like PKG_CONFIG_PATH, PKG_CONFIG_PATH_FOR_BUILD, and PKG_CONFIG_PATH_HOST based on:

  • how pkg-config itself is depended upon

  • how other dependencies are depended upon

For more details see the section on specifying dependencies in general.

Normal pkg-config commands to look up dependencies by name will then work with those environment variables defined by the hook.

Externally

The defaultPkgConfigPackages package set is a set of aliases, named after the modules they provide. This is meant to be used by language-to-nix integrations. Hand-written packages should use the normal Nixpkgs attribute name instead.

Python

Reference

Interpreters

PackageAliasesInterpeter
python314CPython 3.14
python313CPython 3.13
python312python3CPython 3.12
python311CPython 3.11
python310CPython 3.10
python39CPython 3.9
python27python, python2CPython 2.7
pypy310PyPy 3.10
pypy39pypy3PyPy 3.9
pypy27pypy, pypy2PyPy 2.7

The Nix expressions for the interpreters can be found in pkgs/development/interpreters/python.

All packages depending on any Python interpreter get appended out/{python.sitePackages} to $PYTHONPATH if such directory exists.

Missing tkinter module standard library

To reduce closure size the Tkinter/tkinter is available as a separate package, pythonPackages.tkinter.

Attributes on interpreters packages

Each interpreter has the following attributes:

  • libPrefix. Name of the folder in ${python}/lib/ for corresponding interpreter.

  • interpreter. Alias for ${python}/bin/${executable}.

  • buildEnv. Function to build python interpreter environments with extra packages bundled together. See the section called “python.buildEnv function” for usage and documentation.

  • withPackages. Simpler interface to buildEnv. See the section called “python.withPackages function” for usage and documentation.

  • sitePackages. Alias for lib/${libPrefix}/site-packages.

  • executable. Name of the interpreter executable, e.g. python3.10.

  • pkgs. Set of Python packages for that specific interpreter. The package set can be modified by overriding the interpreter and passing packageOverrides.

Building packages and applications

Python libraries and applications that use tools to follow PEP 517 (e.g. setuptools or hatchling, etc.) or previous tools such as distutils are typically built with respectively the buildPythonPackage and buildPythonApplication functions. These two functions also support installing a wheel.

All Python packages reside in pkgs/top-level/python-packages.nix and all applications elsewhere. In case a package is used as both a library and an application, then the package should be in pkgs/top-level/python-packages.nix since only those packages are made available for all interpreter versions. The preferred location for library expressions is in pkgs/development/python-modules. It is important that these packages are called from pkgs/top-level/python-packages.nix and not elsewhere, to guarantee the right version of the package is built.

Based on the packages defined in pkgs/top-level/python-packages.nix an attribute set is created for each available Python interpreter. The available sets are

  • pkgs.python27Packages

  • pkgs.python3Packages

  • pkgs.python39Packages

  • pkgs.python310Packages

  • pkgs.python311Packages

  • pkgs.python312Packages

  • pkgs.python313Packages

  • pkgs.python314Packages

  • pkgs.pypy27Packages

  • pkgs.pypy39Packages

  • pkgs.pypy310Packages

and the aliases

  • pkgs.python2Packages pointing to pkgs.python27Packages

  • pkgs.python3Packages pointing to pkgs.python312Packages

  • pkgs.pythonPackages pointing to pkgs.python2Packages

  • pkgs.pypy2Packages pointing to pkgs.pypy27Packages

  • pkgs.pypy3Packages pointing to pkgs.pypy39Packages

  • pkgs.pypyPackages pointing to pkgs.pypy2Packages

buildPythonPackage function

The buildPythonPackage function has its name binding in pkgs/development/interpreters/python/python-packages-base.nix and is implemented in pkgs/development/interpreters/python/mk-python-derivation.nix using setup hooks.

The following is an example:

{ lib
, buildPythonPackage
, fetchPypi

# build-system
, setuptools
, setuptools-scm

# dependencies
, attrs
, pluggy
, py
, setuptools
, six

# tests
, hypothesis
 }:

buildPythonPackage rec {
  pname = "pytest";
  version = "3.3.1";
  pyproject = true;

  src = fetchPypi {
    inherit pname version;
    hash = "sha256-z4Q23FnYaVNG/NOrKW3kZCXsqwDWQJbOvnn7Ueyy65M=";
  };

  postPatch = ''
    # don't test bash builtins
    rm testing/test_argcomplete.py
  '';

  build-system = [
    setuptools
    setuptools-scm
  ];

  dependencies = [
    attrs
    py
    setuptools
    six
    pluggy
  ];

  nativeCheckInputs = [
    hypothesis
  ];

  meta = {
    changelog = "https://github.com/pytest-dev/pytest/releases/tag/${version}";
    description = "Framework for writing tests";
    homepage = "https://github.com/pytest-dev/pytest";
    license = lib.licenses.mit;
    maintainers = with lib.maintainers; [ domenkozar lovek323 madjar lsix ];
  };
}

The buildPythonPackage mainly does four things:

  • In the buildPhase, it calls ${python.pythonOnBuildForHost.interpreter} -m build --wheel to build a wheel binary zipfile.

  • In the installPhase, it installs the wheel file using ${python.pythonOnBuildForHost.interpreter} -m installer *.whl.

  • In the postFixup phase, the wrapPythonPrograms bash function is called to wrap all programs in the $out/bin/* directory to include $PATH environment variable and add dependent libraries to script’s sys.path.

  • In the installCheck phase, ${python.interpreter} -m pytest is run.

By default tests are run because doCheck = true. Test dependencies, like e.g. the test runner, should be added to nativeCheckInputs.

By default meta.platforms is set to the same value as the interpreter unless overridden otherwise.

buildPythonPackage parameters

All parameters from stdenv.mkDerivation function are still supported. The following are specific to buildPythonPackage:

  • catchConflicts ? true: If true, abort package build if a package name appears more than once in dependency tree. Default is true.

  • disabled ? false: If true, package is not built for the particular Python interpreter version.

  • dontWrapPythonPrograms ? false: Skip wrapping of Python programs.

  • permitUserSite ? false: Skip setting the PYTHONNOUSERSITE environment variable in wrapped programs.

  • pyproject: Whether the pyproject format should be used. As all other formats are deprecated, you are recommended to set this to true. When you do so, pypaBuildHook will be used, and you can add the required build dependencies from build-system.requires to build-system. Note that the pyproject format falls back to using setuptools, so you can use pyproject = true even if the package only has a setup.py. When set to false, you can use the existing hooks or provide your own logic to build the package. This can be useful for packages that don’t support the pyproject format. When unset, the legacy setuptools hooks are used for backwards compatibility.

  • makeWrapperArgs ? []: A list of strings. Arguments to be passed to makeWrapper, which wraps generated binaries. By default, the arguments to makeWrapper set PATH and PYTHONPATH environment variables before calling the binary. Additional arguments here can allow a developer to set environment variables which will be available when the binary is run. For example, makeWrapperArgs = ["--set FOO BAR" "--set BAZ QUX"].

  • namePrefix: Prepends text to ${name} parameter. In case of libraries, this defaults to "python3.8-" for Python 3.8, etc., and in case of applications to "".

  • pypaBuildFlags ? []: A list of strings. Arguments to be passed to python -m build --wheel.

  • pythonPath ? []: List of packages to be added into $PYTHONPATH. Packages in pythonPath are not propagated (contrary to propagatedBuildInputs).

  • preShellHook: Hook to execute commands before shellHook.

  • postShellHook: Hook to execute commands after shellHook.

  • removeBinByteCode ? true: Remove bytecode from /bin. Bytecode is only created when the filenames end with .py.

  • setupPyGlobalFlags ? []: List of flags passed to setup.py command.

  • setupPyBuildFlags ? []: List of flags passed to setup.py build_ext command.

The stdenv.mkDerivation function accepts various parameters for describing build inputs (see “Specifying dependencies”). The following are of special interest for Python packages, either because these are primarily used, or because their behaviour is different:

  • nativeBuildInputs ? []: Build-time only dependencies. Typically executables.

  • build-system ? []: Build-time only Python dependencies. Items listed in build-system.requires/setup_requires.

  • buildInputs ? []: Build and/or run-time dependencies that need to be compiled for the host machine. Typically non-Python libraries which are being linked.

  • nativeCheckInputs ? []: Dependencies needed for running the checkPhase. These are added to nativeBuildInputs when doCheck = true. Items listed in tests_require go here.

  • dependencies ? []: Aside from propagating dependencies, buildPythonPackage also injects code into and wraps executables with the paths included in this list. Items listed in install_requires go here.

  • optional-dependencies ? { }: Optional feature flagged dependencies. Items listed in extras_requires go here.

Overriding Python packages

The buildPythonPackage function has a overridePythonAttrs method that can be used to override the package. In the following example we create an environment where we have the blaze package using an older version of pandas. We override first the Python interpreter and pass packageOverrides which contains the overrides for packages in the package set.

with import <nixpkgs> {};

(let
  python = let
    packageOverrides = self: super: {
      pandas = super.pandas.overridePythonAttrs(old: rec {
        version = "0.19.1";
        src =  fetchPypi {
          pname = "pandas";
          inherit version;
          hash = "sha256-JQn+rtpy/OA2deLszSKEuxyttqBzcAil50H+JDHUdCE=";
        };
      });
    };
  in pkgs.python3.override {inherit packageOverrides; self = python;};

in python.withPackages(ps: [ ps.blaze ])).env

The next example shows a non trivial overriding of the blas implementation to be used through out all of the Python package set:

{
  python3MyBlas = pkgs.python3.override {
    packageOverrides = self: super: {
      # We need toPythonModule for the package set to evaluate this
      blas = super.toPythonModule(super.pkgs.blas.override {
        blasProvider = super.pkgs.mkl;
      });
      lapack = super.toPythonModule(super.pkgs.lapack.override {
        lapackProvider = super.pkgs.mkl;
      });
    };
  };
}

This is particularly useful for numpy and scipy users who want to gain speed with other blas implementations. Note that using scipy = super.scipy.override { blas = super.pkgs.mkl; }; will likely result in compilation issues, because scipy dependencies need to use the same blas implementation as well.

buildPythonApplication function

The buildPythonApplication function is practically the same as buildPythonPackage. The main purpose of this function is to build a Python package where one is interested only in the executables, and not importable modules. For that reason, when adding this package to a python.buildEnv, the modules won’t be made available.

Another difference is that buildPythonPackage by default prefixes the names of the packages with the version of the interpreter. Because this is irrelevant for applications, the prefix is omitted.

When packaging a Python application with buildPythonApplication, it should be called with callPackage and passed python3 or python3Packages (possibly specifying an interpreter version), like this:

{ lib
, python3Packages
, fetchPypi
}:

python3Packages.buildPythonApplication rec {
  pname = "luigi";
  version = "2.7.9";
  pyproject = true;

  src = fetchPypi {
    inherit pname version;
    hash  = "sha256-Pe229rT0aHwA98s+nTHQMEFKZPo/yw6sot8MivFDvAw=";
  };

  build-system = with python3Packages; [
    setuptools
  ];

  dependencies = with python3Packages; [
    tornado
    python-daemon
  ];

  meta = {
    # ...
  };
}

This is then added to pkgs/by-name just as any other application would be.

Since the package is an application, a consumer doesn’t need to care about Python versions or modules, which is why they don’t go in python3Packages.

toPythonApplication function

A distinction is made between applications and libraries, however, sometimes a package is used as both. In this case the package is added as a library to python-packages.nix and as an application to pkgs/by-name. To reduce duplication the toPythonApplication can be used to convert a library to an application.

The Nix expression shall use buildPythonPackage and be called from python-packages.nix. A reference shall be created from pkgs/by-name to the attribute in python-packages.nix, and the toPythonApplication shall be applied to the reference:

{
  python3Packages,
}:

python3Packages.toPythonApplication python3Packages.youtube-dl
toPythonModule function

In some cases, such as bindings, a package is created using stdenv.mkDerivation and added as attribute in pkgs/by-name or in all-packages.nix. The Python bindings should be made available from python-packages.nix. The toPythonModule function takes a derivation and makes certain Python-specific modifications.

{
  opencv = toPythonModule (pkgs.opencv.override {
    enablePython = true;
    pythonPackages = self;
  });
}

Do pay attention to passing in the right Python version!

mkPythonMetaPackage function

This will create a meta package containing metadata files to satisfy a dependency on a package, without it actually having been installed into the environment. In nixpkgs this is used to package Python packages with split binary/source distributions such as psycopg2/psycopg2-binary.

mkPythonMetaPackage {
  pname = "psycopg2-binary";
  inherit (psycopg2) optional-dependencies version;
  dependencies = [ psycopg2 ];
  meta = {
    inherit (psycopg2.meta) description homepage;
  };
}
mkPythonEditablePackage function

When developing Python packages it’s common to install packages in editable mode. Like mkPythonMetaPackage this function exists to create an otherwise empty package, but also containing a pointer to an impure location outside the Nix store that can be changed without rebuilding.

The editable root is passed as a string. Normally .pth files contains absolute paths to the mutable location. This isn’t always ergonomic with Nix, so environment variables are expanded at runtime. This means that a shell hook setting up something like a $REPO_ROOT variable can be used as the relative package root.

As an implementation detail, the PEP-518 build-system specified won’t be used, but instead the editable package will be built using hatchling. The build-system’s provided will instead become runtime dependencies of the editable package.

Note that overriding packages deeper in the dependency graph can work, but it’s not the primary use case and overriding existing packages can make others break in unexpected ways.

{ pkgs ? import <nixpkgs> { } }:

let
  pyproject = pkgs.lib.importTOML ./pyproject.toml;

  myPython = pkgs.python.override {
    self = myPython;
    packageOverrides = pyfinal: pyprev: {
      # An editable package with a script that loads our mutable location
      my-editable = pyfinal.mkPythonEditablePackage {
        # Inherit project metadata from pyproject.toml
        pname = pyproject.project.name;
        inherit (pyproject.project) version;

        # The editable root passed as a string
        root = "$REPO_ROOT/src"; # Use environment variable expansion at runtime

        # Inject a script (other PEP-621 entrypoints are also accepted)
        inherit (pyproject.project) scripts;
      };
    };
  };

  pythonEnv =  myPython.withPackages (ps: [ ps.my-editable ]);

in pkgs.mkShell {
  packages = [ pythonEnv ];
}
python.buildEnv function

Python environments can be created using the low-level pkgs.buildEnv function. This example shows how to create an environment that has the Pyramid Web Framework. Saving the following as default.nix

with import <nixpkgs> {};

python3.buildEnv.override {
  extraLibs = [ python3Packages.pyramid ];
  ignoreCollisions = true;
}

and running nix-build will create

/nix/store/cf1xhjwzmdki7fasgr4kz6di72ykicl5-python-2.7.8-env

with wrapped binaries in bin/.

You can also use the env attribute to create local environments with needed packages installed. This is somewhat comparable to virtualenv. For example, running nix-shell with the following shell.nix

with import <nixpkgs> {};

(python3.buildEnv.override {
  extraLibs = with python3Packages; [
    numpy
    requests
  ];
}).env

will drop you into a shell where Python will have the specified packages in its path.

python.buildEnv arguments
  • extraLibs: List of packages installed inside the environment.

  • postBuild: Shell command executed after the build of environment.

  • ignoreCollisions: Ignore file collisions inside the environment (default is false).

  • permitUserSite: Skip setting the PYTHONNOUSERSITE environment variable in wrapped binaries in the environment.

python.withPackages function

The python.withPackages function provides a simpler interface to the python.buildEnv functionality. It takes a function as an argument that is passed the set of python packages and returns the list of the packages to be included in the environment. Using the withPackages function, the previous example for the Pyramid Web Framework environment can be written like this:

with import <nixpkgs> {};

python.withPackages (ps: [ ps.pyramid ])

withPackages passes the correct package set for the specific interpreter version as an argument to the function. In the above example, ps equals pythonPackages. But you can also easily switch to using python3:

with import <nixpkgs> {};

python3.withPackages (ps: [ ps.pyramid ])

Now, ps is set to python3Packages, matching the version of the interpreter.

As python.withPackages uses python.buildEnv under the hood, it also supports the env attribute. The shell.nix file from the previous section can thus be also written like this:

with import <nixpkgs> {};

(python3.withPackages (ps: with ps; [
  numpy
  requests
])).env

In contrast to python.buildEnv, python.withPackages does not support the more advanced options such as ignoreCollisions = true or postBuild. If you need them, you have to use python.buildEnv.

Python 2 namespace packages may provide __init__.py that collide. In that case python.buildEnv should be used with ignoreCollisions = true.

Setup hooks

The following are setup hooks specifically for Python packages. Most of these are used in buildPythonPackage.

  • eggUnpackhook to move an egg to the correct folder so it can be installed with the eggInstallHook

  • eggBuildHook to skip building for eggs.

  • eggInstallHook to install eggs.

  • pypaBuildHook to build a wheel using pypa/build and PEP 517/518. Note a build system (e.g. setuptools or flit) should still be added as build-system.

  • pypaInstallHook to install wheels.

  • pytestCheckHook to run tests with pytest. See example usage.

  • pythonCatchConflictsHook to fail if the package depends on two different versions of the same dependency.

  • pythonImportsCheckHook to check whether importing the listed modules works.

  • pythonRelaxDepsHook will relax Python dependencies restrictions for the package. See example usage.

  • pythonRemoveBinBytecode to remove bytecode from the /bin folder.

  • setuptoolsBuildHook to build a wheel using setuptools.

  • sphinxHook to build documentation and manpages using Sphinx.

  • venvShellHook to source a Python 3 venv at the venvDir location. A venv is created if it does not yet exist. postVenvCreation can be used to to run commands only after venv is first created.

  • wheelUnpackHook to move a wheel to the correct folder so it can be installed with the pipInstallHook.

  • unittestCheckHook will run tests with python -m unittest discover. See example usage.

User Guide

Using Python

Overview

Several versions of the Python interpreter are available on Nix, as well as a high amount of packages. The attribute python3 refers to the default interpreter, which is currently CPython 3.12. The attribute python refers to CPython 2.7 for backwards-compatibility. It is also possible to refer to specific versions, e.g. python312 refers to CPython 3.12, and pypy refers to the default PyPy interpreter.

Python is used a lot, and in different ways. This affects also how it is packaged. In the case of Python on Nix, an important distinction is made between whether the package is considered primarily an application, or whether it should be used as a library, i.e., of primary interest are the modules in site-packages that should be importable.

In the Nixpkgs tree Python applications can be found throughout, depending on what they do, and are called from the main package set. Python libraries, however, are in separate sets, with one set per interpreter version.

The interpreters have several common attributes. One of these attributes is pkgs, which is a package set of Python libraries for this specific interpreter. E.g., the toolz package corresponding to the default interpreter is python3.pkgs.toolz, and the CPython 3.12 version is python312.pkgs.toolz. The main package set contains aliases to these package sets, e.g. pythonPackages refers to python.pkgs and python312Packages to python312.pkgs.

Installing Python and packages

The Nix and NixOS manuals explain how packages are generally installed. In the case of Python and Nix, it is important to make a distinction between whether the package is considered an application or a library.

Applications on Nix are typically installed into your user profile imperatively using nix-env -i, and on NixOS declaratively by adding the package name to environment.systemPackages in /etc/nixos/configuration.nix. Dependencies such as libraries are automatically installed and should not be installed explicitly.

The same goes for Python applications. Python applications can be installed in your profile, and will be wrapped to find their exact library dependencies, without impacting other applications or polluting your user environment.

But Python libraries you would like to use for development cannot be installed, at least not individually, because they won’t be able to find each other resulting in import errors. Instead, it is possible to create an environment with python.buildEnv or python.withPackages where the interpreter and other executables are wrapped to be able to find each other and all of the modules.

In the following examples we will start by creating a simple, ad-hoc environment with a nix-shell that has numpy and toolz in Python 3.12; then we will create a re-usable environment in a single-file Python script; then we will create a full Python environment for development with this same environment.

Philosophically, this should be familiar to users who are used to a venv style of development: individual projects create their own Python environments without impacting the global environment or each other.

Ad-hoc temporary Python environment with nix-shell

The simplest way to start playing with the way nix wraps and sets up Python environments is with nix-shell at the cmdline. These environments create a temporary shell session with a Python and a precise list of packages (plus their runtime dependencies), with no other Python packages in the Python interpreter’s scope.

To create a Python 3.12 session with numpy and toolz available, run:

$ nix-shell -p 'python312.withPackages(ps: with ps; [ numpy toolz ])'

By default nix-shell will start a bash session with this interpreter in our PATH, so if we then run:

[nix-shell:~/src/nixpkgs]$ python3
Python 3.12.4 (main, Jun  6 2024, 18:26:44) [GCC 13.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import numpy; import toolz

Note that no other modules are in scope, even if they were imperatively installed into our user environment as a dependency of a Python application:

>>> import requests
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
ModuleNotFoundError: No module named 'requests'

We can add as many additional modules onto the nix-shell as we need, and we will still get 1 wrapped Python interpreter. We can start the interpreter directly like so:

$ nix-shell -p "python312.withPackages (ps: with ps; [ numpy toolz requests ])" --run python3
Python 3.12.4 (main, Jun  6 2024, 18:26:44) [GCC 13.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import requests
>>>

Notice that this time it built a new Python environment, which now includes requests. Building an environment just creates wrapper scripts that expose the selected dependencies to the interpreter while re-using the actual modules. This means if any other env has installed requests or numpy in a different context, we don’t need to recompile them – we just recompile the wrapper script that sets up an interpreter pointing to them. This matters much more for “big” modules like pytorch or tensorflow.

Module names usually match their names on pypi.org, but normalized according to PEP 503/508. (e.g. Foo__Bar.baz -> foo-bar-baz) You can use the Nixpkgs search website to find them as well (along with non-python packages).

At this point we can create throwaway experimental Python environments with arbitrary dependencies. This is a good way to get a feel for how the Python interpreter and dependencies work in Nix and NixOS, but to do some actual development, we’ll want to make it a bit more persistent.

Running Python scripts and using nix-shell as shebang

Sometimes, we have a script whose header looks like this:

#!/usr/bin/env python3
import numpy as np
a = np.array([1,2])
b = np.array([3,4])
print(f"The dot product of {a} and {b} is: {np.dot(a, b)}")

Executing this script requires a python3 that has numpy. Using what we learned in the previous section, we could startup a shell and just run it like so:

$ nix-shell -p 'python312.withPackages (ps: with ps; [ numpy ])' --run 'python3 foo.py'
The dot product of [1 2] and [3 4] is: 11

But if we maintain the script ourselves, and if there are more dependencies, it may be nice to encode those dependencies in source to make the script re-usable without that bit of knowledge. That can be done by using nix-shell as a shebang, like so:

#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages(ps: [ ps.numpy ])"
import numpy as np
a = np.array([1,2])
b = np.array([3,4])
print(f"The dot product of {a} and {b} is: {np.dot(a, b)}")

Then we execute it, without requiring any environment setup at all!

$ ./foo.py
The dot product of [1 2] and [3 4] is: 11

If the dependencies are not available on the host where foo.py is executed, it will build or download them from a Nix binary cache prior to starting up, prior that it is executed on a machine with a multi-user nix installation.

This provides a way to ship a self bootstrapping Python script, akin to a statically linked binary, where it can be run on any machine (provided nix is installed) without having to assume that numpy is installed globally on the system.

By default it is pulling the import checkout of Nixpkgs itself from our nix channel, which is nice as it cache aligns with our other package builds, but we can make it fully reproducible by pinning the nixpkgs import:

#!/usr/bin/env nix-shell
#!nix-shell -i python3 -p "python3.withPackages (ps: [ ps.numpy ])"
#!nix-shell -I nixpkgs=https://github.com/NixOS/nixpkgs/archive/e51209796c4262bfb8908e3d6d72302fe4e96f5f.tar.gz
import numpy as np
a = np.array([1,2])
b = np.array([3,4])
print(f"The dot product of {a} and {b} is: {np.dot(a, b)}")

This will execute with the exact same versions of Python 3.10, numpy, and system dependencies a year from now as it does today, because it will always use exactly git commit e51209796c4262bfb8908e3d6d72302fe4e96f5f of Nixpkgs for all of the package versions.

This is also a great way to ensure the script executes identically on different servers.

Load environment from .nix expression

We’ve now seen how to create an ad-hoc temporary shell session, and how to create a single script with Python dependencies, but in the course of normal development we’re usually working in an entire package repository.

As explained in the nix-shell section of the Nix manual, nix-shell can also load an expression from a .nix file. Say we want to have Python 3.12, numpy and toolz, like before, in an environment. We can add a shell.nix file describing our dependencies:

with import <nixpkgs> {};
(python312.withPackages (ps: with ps; [
  numpy
  toolz
])).env

And then at the command line, just typing nix-shell produces the same environment as before. In a normal project, we’ll likely have many more dependencies; this can provide a way for developers to share the environments with each other and with CI builders.

What’s happening here?

  1. We begin with importing the Nix Packages collections. import <nixpkgs> imports the <nixpkgs> function, {} calls it and the with statement brings all attributes of nixpkgs in the local scope. These attributes form the main package set.

  2. Then we create a Python 3.12 environment with the withPackages function, as before.

  3. The withPackages function expects us to provide a function as an argument that takes the set of all Python packages and returns a list of packages to include in the environment. Here, we select the packages numpy and toolz from the package set.

To combine this with mkShell you can:

with import <nixpkgs> {};
let
  pythonEnv = python312.withPackages (ps: [
    ps.numpy
    ps.toolz
  ]);
in mkShell {
  packages = [
    pythonEnv

    black
    mypy

    libffi
    openssl
  ];
}

This will create a unified environment that has not just our Python interpreter and its Python dependencies, but also tools like black or mypy and libraries like libffi the openssl in scope. This is generic and can span any number of tools or languages across the Nixpkgs ecosystem.

Installing environments globally on the system

Up to now, we’ve been creating environments scoped to an ad-hoc shell session, or a single script, or a single project. This is generally advisable, as it avoids pollution across contexts.

However, sometimes we know we will often want a Python with some basic packages, and want this available without having to enter into a shell or build context. This can be useful to have things like vim/emacs editors and plugins or shell tools “just work” without having to set them up, or when running other software that expects packages to be installed globally.

To create your own custom environment, create a file in ~/.config/nixpkgs/overlays/ that looks like this:

# ~/.config/nixpkgs/overlays/myEnv.nix
self: super: {
  myEnv = super.buildEnv {
    name = "myEnv";
    paths = [
      # A Python 3 interpreter with some packages
      (self.python3.withPackages (
        ps: with ps; [
          pyflakes
          pytest
          black
        ]
      ))

      # Some other packages we'd like as part of this env
      self.mypy
      self.black
      self.ripgrep
      self.tmux
    ];
  };
}

You can then build and install this to your profile with:

nix-env -iA myEnv

One limitation of this is that you can only have 1 Python env installed globally, since they conflict on the python to load out of your PATH.

If you get a conflict or prefer to keep the setup clean, you can have nix-env atomically uninstall all other imperatively installed packages and replace your profile with just myEnv by using the --replace flag.

Environment defined in /etc/nixos/configuration.nix

For the sake of completeness, here’s how to install the environment system-wide on NixOS.

{ # ...

  environment.systemPackages = with pkgs; [
    (python310.withPackages(ps: with ps; [ numpy toolz ]))
  ];
}

Developing with Python

Above, we were mostly just focused on use cases and what to do to get started creating working Python environments in nix.

Now that you know the basics to be up and running, it is time to take a step back and take a deeper look at how Python packages are packaged on Nix.

Python library packages in Nixpkgs

With Nix all packages are built by functions. The main function in Nix for building Python libraries is buildPythonPackage. Let’s see how we can build the toolz package.

{ lib
, buildPythonPackage
, fetchPypi
, setuptools
}:

buildPythonPackage rec {
  pname = "toolz";
  version = "0.10.0";
  pyproject = true;

  src = fetchPypi {
    inherit pname version;
    hash = "sha256-CP3V73yWSArRHBLUct4hrNMjWZlvaaUlkpm1QP66RWA=";
  };

  build-system = [
    setuptools
  ];

  # has no tests
  doCheck = false;

  pythonImportsCheck = [
    "toolz.itertoolz"
    "toolz.functoolz"
    "toolz.dicttoolz"
  ];

  meta = {
    changelog = "https://github.com/pytoolz/toolz/releases/tag/${version}";
    homepage = "https://github.com/pytoolz/toolz";
    description = "List processing tools and functional utilities";
    license = lib.licenses.bsd3;
  };
}

What happens here? The function buildPythonPackage is called and as argument it accepts a set. In this case the set is a recursive set, rec. One of the arguments is the name of the package, which consists of a basename (generally following the name on PyPI) and a version. Another argument, src specifies the source, which in this case is fetched from PyPI using the helper function fetchPypi. The argument doCheck is used to set whether tests should be run when building the package. Since there are no tests, we rely on pythonImportsCheck to test whether the package can be imported. Furthermore, we specify some meta information. The output of the function is a derivation.

An expression for toolz can be found in the Nixpkgs repository. As explained in the introduction of this Python section, a derivation of toolz is available for each interpreter version, e.g. python312.pkgs.toolz refers to the toolz derivation corresponding to the CPython 3.12 interpreter.

The above example works when you’re directly working on pkgs/top-level/python-packages.nix in the Nixpkgs repository. Often though, you will want to test a Nix expression outside of the Nixpkgs tree.

The following expression creates a derivation for the toolz package, and adds it along with a numpy package to a Python environment.

with import <nixpkgs> {};

( let
    my_toolz = python312.pkgs.buildPythonPackage rec {
      pname = "toolz";
      version = "0.10.0";
      pyproject = true;

      src = fetchPypi {
        inherit pname version;
        hash = "sha256-CP3V73yWSArRHBLUct4hrNMjWZlvaaUlkpm1QP66RWA=";
      };

      build-system = [
        python312.pkgs.setuptools
      ];

      # has no tests
      doCheck = false;

      meta = {
        homepage = "https://github.com/pytoolz/toolz/";
        description = "List processing tools and functional utilities";
        # [...]
      };
    };

  in python312.withPackages (ps: with ps; [
    numpy
    my_toolz
  ])
).env

Executing nix-shell will result in an environment in which you can use Python 3.12 and the toolz package. As you can see we had to explicitly mention for which Python version we want to build a package.

So, what did we do here? Well, we took the Nix expression that we used earlier to build a Python environment, and said that we wanted to include our own version of toolz, named my_toolz. To introduce our own package in the scope of withPackages we used a let expression. You can see that we used ps.numpy to select numpy from the nixpkgs package set (ps). We did not take toolz from the Nixpkgs package set this time, but instead took our own version that we introduced with the let expression.

Handling dependencies

Our example, toolz, does not have any dependencies on other Python packages or system libraries. buildPythonPackage uses the the following arguments in the following circumstances:

  • dependencies - For Python runtime dependencies.

  • build-system - For Python build-time requirements.

  • buildInputs - For non-Python build-time requirements.

  • nativeCheckInputs - For test dependencies

Dependencies can belong to multiple arguments, for example if something is both a build time requirement & a runtime dependency.

The following example shows which arguments are given to buildPythonPackage in order to build datashape.

{ lib
, buildPythonPackage
, fetchPypi

# build dependencies
, setuptools

# dependencies
, numpy, multipledispatch, python-dateutil

# tests
, pytestCheckHook
}:

buildPythonPackage rec {
  pname = "datashape";
  version = "0.4.7";
  pyproject = true;

  src = fetchPypi {
    inherit pname version;
    hash = "sha256-FLLvdm1MllKrgTGC6Gb0k0deZeVYvtCCLji/B7uhong=";
  };

  build-system = [
    setuptools
  ];

  dependencies = [
    multipledispatch
    numpy
    python-dateutil
  ];

  nativeCheckInputs = [
    pytestCheckHook
  ];

  meta = {
    changelog = "https://github.com/blaze/datashape/releases/tag/${version}";
    homepage = "https://github.com/ContinuumIO/datashape";
    description = "Data description language";
    license = lib.licenses.bsd2;
  };
}

We can see several runtime dependencies, numpy, multipledispatch, and python-dateutil. Furthermore, we have nativeCheckInputs with pytestCheckHook. pytestCheckHook is a test runner hook and is only used during the checkPhase and is therefore not added to dependencies.

In the previous case we had only dependencies on other Python packages to consider. Occasionally you have also system libraries to consider. E.g., lxml provides Python bindings to libxml2 and libxslt. These libraries are only required when building the bindings and are therefore added as buildInputs.

{ lib
, buildPythonPackage
, fetchPypi
, setuptools
, libxml2
, libxslt
}:

buildPythonPackage rec {
  pname = "lxml";
  version = "3.4.4";
  pyproject = true;

  src = fetchPypi {
    inherit pname version;
    hash = "sha256-s9NiusRxFydHzaNRMjjxFcvWxfi45jGb9ql6eJJyQJk=";
  };

  build-system = [
    setuptools
  ];

  buildInputs = [
    libxml2
    libxslt
  ];

  # tests are meant to be ran "in-place" in the same directory as src
  doCheck = false;

  pythonImportsCheck = [
    "lxml"
    "lxml.etree"
  ];

  meta = {
    changelog = "https://github.com/lxml/lxml/releases/tag/lxml-${version}";
    description = "Pythonic binding for the libxml2 and libxslt libraries";
    homepage = "https://lxml.de";
    license = lib.licenses.bsd3;
    maintainers = with lib.maintainers; [ sjourdois ];
  };
}

In this example lxml and Nix are able to work out exactly where the relevant files of the dependencies are. This is not always the case.

The example below shows bindings to The Fastest Fourier Transform in the West, commonly known as FFTW. On Nix we have separate packages of FFTW for the different types of floats ("single", "double", "long-double"). The bindings need all three types, and therefore we add all three as buildInputs. The bindings don’t expect to find each of them in a different folder, and therefore we have to set LDFLAGS and CFLAGS.

{ lib
, buildPythonPackage
, fetchPypi

# build dependencies
, setuptools

# dependencies
, fftw
, fftwFloat
, fftwLongDouble
, numpy
, scipy
}:

buildPythonPackage rec {
  pname = "pyfftw";
  version = "0.9.2";
  pyproject = true;

  src = fetchPypi {
    inherit pname version;
    hash = "sha256-9ru2r6kwhUCaskiFoaPNuJCfCVoUL01J40byvRt4kHQ=";
  };

  build-system = [
    setuptools
  ];

  buildInputs = [
    fftw
    fftwFloat
    fftwLongDouble
  ];

  dependencies = [
    numpy
    scipy
  ];

  preConfigure = ''
    export LDFLAGS="-L${fftw.dev}/lib -L${fftwFloat.out}/lib -L${fftwLongDouble.out}/lib"
    export CFLAGS="-I${fftw.dev}/include -I${fftwFloat.dev}/include -I${fftwLongDouble.dev}/include"
  '';

  # Tests cannot import pyfftw. pyfftw works fine though.
  doCheck = false;

  pythonImportsCheck = [ "pyfftw" ];

  meta = {
    changelog = "https://github.com/pyFFTW/pyFFTW/releases/tag/v${version}";
    description = "Pythonic wrapper around FFTW, the FFT library, presenting a unified interface for all the supported transforms";
    homepage = "http://hgomersall.github.com/pyFFTW";
    license = with lib.licenses; [ bsd2 bsd3 ];
  };
}

Note also the line doCheck = false;, we explicitly disabled running the test-suite.

Testing Python Packages

It is highly encouraged to have testing as part of the package build. This helps to avoid situations where the package was able to build and install, but is not usable at runtime. Your package should provide its own checkPhase.

Note

The checkPhase for python maps to the installCheckPhase on a normal derivation. This is due to many python packages not behaving well to the pre-installed version of the package. Version info, and natively compiled extensions generally only exist in the install directory, and thus can cause issues when a test suite asserts on that behavior.

Note

Tests should only be disabled if they don’t agree with nix (e.g. external dependencies, network access, flakey tests), however, as many tests should be enabled as possible. Failing tests can still be a good indication that the package is not in a valid state.

Using pytest

Pytest is the most common test runner for python repositories. A trivial test run would be:

{
  nativeCheckInputs = [ pytest ];
  checkPhase = ''
    runHook preCheck

    pytest

    runHook postCheck
  '';
}

However, many repositories’ test suites do not translate well to nix’s build sandbox, and will generally need many tests to be disabled.

To filter tests using pytest, one can do the following:

{
  nativeCheckInputs = [ pytest ];
  # avoid tests which need additional data or touch network
  checkPhase = ''
    runHook preCheck

    pytest tests/ --ignore=tests/integration -k 'not download and not update' --ignore=tests/test_failing.py

    runHook postCheck
  '';
}

--ignore will tell pytest to ignore that file or directory from being collected as part of a test run. This is useful is a file uses a package which is not available in nixpkgs, thus skipping that test file is much easier than having to create a new package.

-k is used to define a predicate for test names. In this example, we are filtering out tests which contain download or update in their test case name. Only one -k argument is allowed, and thus a long predicate should be concatenated with “\” and wrapped to the next line.

Note

In pytest==6.0.1, the use of “\” to continue a line (e.g. -k 'not download \') has been removed, in this case, it’s recommended to use pytestCheckHook.

Using pytestCheckHook

pytestCheckHook is a convenient hook which will set up (or configure) a checkPhase to run pytest. This is also beneficial when a package may need many items disabled to run the test suite. Most packages use pytest or unittest, which is compatible with pytest, so you will most likely use pytestCheckHook.

Using the example above, the analogous pytestCheckHook usage would be:

{
  nativeCheckInputs = [
    pytestCheckHook
  ];

  # requires additional data
  pytestFlagsArray = [
    "tests/"
    "--ignore=tests/integration"
  ];

  disabledTests = [
    # touches network
    "download"
    "update"
  ];

  disabledTestPaths = [
    "tests/test_failing.py"
  ];
}

This is especially useful when tests need to be conditionally disabled, for example:

{
  disabledTests = [
    # touches network
    "download"
    "update"
  ] ++ lib.optionals (pythonAtLeast "3.8") [
    # broken due to python3.8 async changes
    "async"
  ] ++ lib.optionals stdenv.buildPlatform.isDarwin [
    # can fail when building with other packages
    "socket"
  ];
}

Trying to concatenate the related strings to disable tests in a regular checkPhase would be much harder to read. This also enables us to comment on why specific tests are disabled.

Using pythonImportsCheck

Although unit tests are highly preferred to validate correctness of a package, not all packages have test suites that can be run easily, and some have none at all. To help ensure the package still works, pythonImportsCheck can attempt to import the listed modules.

{
  pythonImportsCheck = [
    "requests"
    "urllib"
  ];
}

roughly translates to:

{
  postCheck = ''
    PYTHONPATH=$out/${python.sitePackages}:$PYTHONPATH
    python -c "import requests; import urllib"
  '';
}

However, this is done in its own phase, and not dependent on whether doCheck = true;.

This can also be useful in verifying that the package doesn’t assume commonly present packages (e.g. setuptools).

Using pythonRelaxDepsHook

It is common for upstream to specify a range of versions for its package dependencies. This makes sense, since it ensures that the package will be built with a subset of packages that is well tested. However, this commonly causes issues when packaging in Nixpkgs, because the dependencies that this package may need are too new or old for the package to build correctly. We also cannot package multiple versions of the same package since this may cause conflicts in PYTHONPATH.

One way to side step this issue is to relax the dependencies. This can be done by either removing the package version range or by removing the package declaration entirely. This can be done using the pythonRelaxDepsHook hook. For example, given the following requirements.txt file:

pkg1<1.0
pkg2
pkg3>=1.0,<=2.0

we can do:

{
  pythonRelaxDeps = [
    "pkg1"
    "pkg3"
  ];
  pythonRemoveDeps = [
    "pkg2"
  ];
}

which would result in the following requirements.txt file:

pkg1
pkg3

Another option is to pass true, that will relax/remove all dependencies, for example:

{
  pythonRelaxDeps = true;
}

which would result in the following requirements.txt file:

pkg1
pkg2
pkg3

In general you should always use pythonRelaxDeps, because pythonRemoveDeps will convert build errors into runtime errors. However pythonRemoveDeps may still be useful in exceptional cases, and also to remove dependencies wrongly declared by upstream (for example, declaring black as a runtime dependency instead of a dev dependency).

Keep in mind that while the examples above are done with requirements.txt, pythonRelaxDepsHook works by modifying the resulting wheel file, so it should work with any of the existing hooks.

The pythonRelaxDepsHook has no effect on build time dependencies, such as those specified in build-system. If a package requires incompatible build time dependencies, they should be removed in postPatch through substituteInPlace or similar.

For ease of use, both buildPythonPackage and buildPythonApplication will automatically add pythonRelaxDepsHook if either pythonRelaxDeps or pythonRemoveDeps is specified.

Using unittestCheckHook

unittestCheckHook is a hook which will set up (or configure) a checkPhase to run python -m unittest discover:

{
  nativeCheckInputs = [
    unittestCheckHook
  ];

  unittestFlagsArray = [
    "-s" "tests" "-v"
  ];
}

pytest is compatible with unittest, so in most cases you can use pytestCheckHook instead.

Using sphinxHook

The sphinxHook is a helpful tool to build documentation and manpages using the popular Sphinx documentation generator. It is setup to automatically find common documentation source paths and render them using the default html style.

{
  outputs = [
    "out"
    "doc"
  ];

  nativeBuildInputs = [
    sphinxHook
  ];
}

The hook will automatically build and install the artifact into the doc output, if it exists. It also provides an automatic diversion for the artifacts of the man builder into the man target.

{
  outputs = [
    "out"
    "doc"
    "man"
  ];

  # Use multiple builders
  sphinxBuilders = [
    "singlehtml"
    "man"
  ];
}

Overwrite sphinxRoot when the hook is unable to find your documentation source root.

{
  # Configure sphinxRoot for uncommon paths
  sphinxRoot = "weird/docs/path";
}

The hook is also available to packages outside the python ecosystem by referencing it using sphinxHook from top-level.

Organising your packages

So far we discussed how you can use Python on Nix, and how you can develop with it. We’ve looked at how you write expressions to package Python packages, and we looked at how you can create environments in which specified packages are available.

At some point you’ll likely have multiple packages which you would like to be able to use in different projects. In order to minimise unnecessary duplication we now look at how you can maintain a repository with your own packages. The important functions here are import and callPackage.

Including a derivation using callPackage

Earlier we created a Python environment using withPackages, and included the toolz package via a let expression. Let’s split the package definition from the environment definition.

We first create a function that builds toolz in ~/path/to/toolz/release.nix

{ lib
, buildPythonPackage
, fetchPypi
, setuptools
}:

buildPythonPackage rec {
  pname = "toolz";
  version = "0.10.0";
  pyproject = true;

  src = fetchPypi {
    inherit pname version;
    hash = "sha256-CP3V73yWSArRHBLUct4hrNMjWZlvaaUlkpm1QP66RWA=";
  };

  build-system = [
    setuptools
  ];

  meta = {
    changelog = "https://github.com/pytoolz/toolz/releases/tag/${version}";
    homepage = "https://github.com/pytoolz/toolz/";
    description = "List processing tools and functional utilities";
    license = lib.licenses.bsd3;
  };
}

It takes an argument buildPythonPackage. We now call this function using callPackage in the definition of our environment

with import <nixpkgs> {};

( let
    toolz = callPackage /path/to/toolz/release.nix {
      buildPythonPackage = python3Packages.buildPythonPackage;
    };
  in python3.withPackages (ps: [
    ps.numpy
    toolz
  ])
).env

Important to remember is that the Python version for which the package is made depends on the python derivation that is passed to buildPythonPackage. Nix tries to automatically pass arguments when possible, which is why generally you don’t explicitly define which python derivation should be used. In the above example we use buildPythonPackage that is part of the set python3Packages, and in this case the python3 interpreter is automatically used.

FAQ

How to solve circular dependencies?

Consider the packages A and B that depend on each other. When packaging B, a solution is to override package A not to depend on B as an input. The same should also be done when packaging A.

How to override a Python package?

We can override the interpreter and pass packageOverrides. In the following example we rename the pandas package and build it.

with import <nixpkgs> {};

(let
  python = let
    packageOverrides = self: super: {
      pandas = super.pandas.overridePythonAttrs(old: {name="foo";});
    };
  in pkgs.python310.override {
    inherit packageOverrides;
  };

in python.withPackages (ps: [
  ps.pandas
])).env

Using nix-build on this expression will build an environment that contains the package pandas but with the new name foo.

All packages in the package set will use the renamed package. A typical use case is to switch to another version of a certain package. For example, in the Nixpkgs repository we have multiple versions of django and scipy. In the following example we use a different version of scipy and create an environment that uses it. All packages in the Python package set will now use the updated scipy version.

with import <nixpkgs> {};

( let
    packageOverrides = self: super: {
      scipy = super.scipy_0_17;
    };
  in (pkgs.python310.override {
    inherit packageOverrides;
  }).withPackages (ps: [
    ps.blaze
  ])
).env

The requested package blaze depends on pandas which itself depends on scipy.

If you want the whole of Nixpkgs to use your modifications, then you can use overlays as explained in this manual. In the following example we build a inkscape using a different version of numpy.

let
  pkgs = import <nixpkgs> {};
  newpkgs = import pkgs.path { overlays = [ (self: super: {
    python310 = let
      packageOverrides = python-self: python-super: {
        numpy = python-super.numpy_1_18;
      };
    in super.python310.override {inherit packageOverrides;};
  } ) ]; };
in newpkgs.inkscape

python setup.py bdist_wheel cannot create .whl

Executing python setup.py bdist_wheel in a nix-shellfails with

ValueError: ZIP does not support timestamps before 1980

This is because files from the Nix store (which have a timestamp of the UNIX epoch of January 1, 1970) are included in the .ZIP, but .ZIP archives follow the DOS convention of counting timestamps from 1980.

The command bdist_wheel reads the SOURCE_DATE_EPOCH environment variable, which nix-shell sets to 1. Unsetting this variable or giving it a value corresponding to 1980 or later enables building wheels.

Use 1980 as timestamp:

nix-shell --run "SOURCE_DATE_EPOCH=315532800 python3 setup.py bdist_wheel"

or the current time:

nix-shell --run "SOURCE_DATE_EPOCH=$(date +%s) python3 setup.py bdist_wheel"

or unset SOURCE_DATE_EPOCH:

nix-shell --run "unset SOURCE_DATE_EPOCH; python3 setup.py bdist_wheel"

install_data / data_files problems

If you get the following error:

could not create '/nix/store/6l1bvljpy8gazlsw2aw9skwwp4pmvyxw-python-2.7.8/etc':
Permission denied

This is a known bug in setuptools. Setuptools install_data does not respect --prefix. An example of such package using the feature is pkgs/tools/X11/xpra/default.nix.

As workaround install it as an extra preInstall step:

${python.pythonOnBuildForHost.interpreter} setup.py install_data --install-dir=$out --root=$out
sed -i '/ = data\_files/d' setup.py

Rationale of non-existent global site-packages

On most operating systems a global site-packages is maintained. This however becomes problematic if you want to run multiple Python versions or have multiple versions of certain libraries for your projects. Generally, you would solve such issues by creating virtual environments using virtualenv.

On Nix each package has an isolated dependency tree which, in the case of Python, guarantees the right versions of the interpreter and libraries or packages are available. There is therefore no need to maintain a global site-packages.

If you want to create a Python environment for development, then the recommended method is to use nix-shell, either with or without the python.buildEnv function.

How to consume Python modules using pip in a virtual environment like I am used to on other Operating Systems?

While this approach is not very idiomatic from Nix perspective, it can still be useful when dealing with pre-existing projects or in situations where it’s not feasible or desired to write derivations for all required dependencies.

This is an example of a default.nix for a nix-shell, which allows to consume a virtual environment created by venv, and install Python modules through pip the traditional way.

Create this default.nix file, together with a requirements.txt and execute nix-shell.

with import <nixpkgs> { };

let
  pythonPackages = python3Packages;
in pkgs.mkShell rec {
  name = "impurePythonEnv";
  venvDir = "./.venv";
  buildInputs = [
    # A Python interpreter including the 'venv' module is required to bootstrap
    # the environment.
    pythonPackages.python

    # This executes some shell code to initialize a venv in $venvDir before
    # dropping into the shell
    pythonPackages.venvShellHook

    # Those are dependencies that we would like to use from nixpkgs, which will
    # add them to PYTHONPATH and thus make them accessible from within the venv.
    pythonPackages.numpy
    pythonPackages.requests

    # In this particular example, in order to compile any binary extensions they may
    # require, the Python modules listed in the hypothetical requirements.txt need
    # the following packages to be installed locally:
    taglib
    openssl
    git
    libxml2
    libxslt
    libzip
    zlib
  ];

  # Run this command, only after creating the virtual environment
  postVenvCreation = ''
    unset SOURCE_DATE_EPOCH
    pip install -r requirements.txt
  '';

  # Now we can execute any commands within the virtual environment.
  # This is optional and can be left out to run pip manually.
  postShellHook = ''
    # allow pip to install wheels
    unset SOURCE_DATE_EPOCH
  '';

}

In case the supplied venvShellHook is insufficient, or when Python 2 support is needed, you can define your own shell hook and adapt to your needs like in the following example:

with import <nixpkgs> { };

let
  venvDir = "./.venv";
  pythonPackages = python3Packages;
in pkgs.mkShell rec {
  name = "impurePythonEnv";
  buildInputs = [
    pythonPackages.python
    # Needed when using python 2.7
    # pythonPackages.virtualenv
    # ...
  ];

  # This is very close to how venvShellHook is implemented, but
  # adapted to use 'virtualenv'
  shellHook = ''
    SOURCE_DATE_EPOCH=$(date +%s)

    if [ -d "${venvDir}" ]; then
      echo "Skipping venv creation, '${venvDir}' already exists"
    else
      echo "Creating new venv environment in path: '${venvDir}'"
      # Note that the module venv was only introduced in python 3, so for 2.7
      # this needs to be replaced with a call to virtualenv
      ${pythonPackages.python.interpreter} -m venv "${venvDir}"
    fi

    # Under some circumstances it might be necessary to add your virtual
    # environment to PYTHONPATH, which you can do here too;
    # PYTHONPATH=$PWD/${venvDir}/${pythonPackages.python.sitePackages}/:$PYTHONPATH

    source "${venvDir}/bin/activate"

    # As in the previous example, this is optional.
    pip install -r requirements.txt
  '';
}

Note that the pip install is an imperative action. So every time nix-shell is executed it will attempt to download the Python modules listed in requirements.txt. However these will be cached locally within the virtualenv folder and not downloaded again.

How to override a Python package from configuration.nix?

If you need to change a package’s attribute(s) from configuration.nix you could do:

{
  nixpkgs.config.packageOverrides = super: {
    python3 = super.python3.override {
      packageOverrides = python-self: python-super: {
        twisted = python-super.twisted.overridePythonAttrs (oldAttrs: {
          src = super.fetchPypi {
            pname = "Twisted";
            version = "19.10.0";
            hash = "sha256-c5S6fycq5yKnTz2Wnc9Zm8TvCTvDkgOHSKSQ8XJKUV0=";
            extension = "tar.bz2";
          };
        });
      };
    };
  };
}

python3Packages.twisted is now globally overridden. All packages and also all NixOS services that reference twisted (such as services.buildbot-worker) now use the new definition. Note that python-super refers to the old package set and python-self to the new, overridden version.

To modify only a Python package set instead of a whole Python derivation, use this snippet:

{
  myPythonPackages = python3Packages.override {
    overrides = self: super: {
      twisted = <...>;
    };
  };
}

How to override a Python package using overlays?

Use the following overlay template:

self: super: {
  python = super.python.override {
    packageOverrides = python-self: python-super: {
      twisted = python-super.twisted.overrideAttrs (oldAttrs: {
        src = super.fetchPypi {
          pname = "Twisted";
          version = "19.10.0";
          hash = "sha256-c5S6fycq5yKnTz2Wnc9Zm8TvCTvDkgOHSKSQ8XJKUV0=";
          extension = "tar.bz2";
        };
      });
    };
  };
}

How to override a Python package for all Python versions using extensions?

The following overlay overrides the call to buildPythonPackage for the foo package for all interpreters by appending a Python extension to the pythonPackagesExtensions list of extensions.

final: prev: {
  pythonPackagesExtensions = prev.pythonPackagesExtensions ++ [
    (
      python-final: python-prev: {
        foo = python-prev.foo.overridePythonAttrs (oldAttrs: {
          # ...
        });
      }
    )
  ];
}

How to use Intel’s MKL with numpy and scipy?

MKL can be configured using an overlay. See the section “Using overlays to configure alternatives”.

What inputs do setup_requires, install_requires and tests_require map to?

In a setup.py or setup.cfg it is common to declare dependencies:

  • setup_requires corresponds to build-system

  • install_requires corresponds to dependencies

  • tests_require corresponds to nativeCheckInputs

How to enable interpreter optimizations?

The Python interpreters are by default not built with optimizations enabled, because the builds are in that case not reproducible. To enable optimizations, override the interpreter of interest, e.g using

let
  pkgs = import ./. {};
  mypython = pkgs.python3.override {
    enableOptimizations = true;
    reproducibleBuild = false;
    self = mypython;
  };
in mypython

How to add optional dependencies?

Some packages define optional dependencies for additional features. With setuptools this is called extras_require and flit calls it extras-require, while PEP 621 calls these optional-dependencies.

{
  optional-dependencies = {
    complete = [ distributed ];
  };
}

and letting the package requiring the extra add the list to its dependencies

{
  dependencies = [
    # ...
  ] ++ dask.optional-dependencies.complete;
}

This method is using passthru, meaning that changing optional-dependencies of a package won’t cause it to rebuild.

Note this method is preferred over adding parameters to builders, as that can result in packages depending on different variants and thereby causing collisions.

How to contribute a Python package to nixpkgs?

Packages inside nixpkgs must use the buildPythonPackage or buildPythonApplication function directly, because we can only provide security support for non-vendored dependencies.

We recommend nix-init for creating new python packages within nixpkgs, as it already prefetches the source, parses dependencies for common formats and prefills most things in meta.

See also contributing section.

Are Python interpreters built deterministically?

The Python interpreters are now built deterministically. Minor modifications had to be made to the interpreters in order to generate deterministic bytecode. This has security implications and is relevant for those using Python in a nix-shell.

When the environment variable DETERMINISTIC_BUILD is set, all bytecode will have timestamp 1. The buildPythonPackage function sets DETERMINISTIC_BUILD=1 and PYTHONHASHSEED=0. Both are also exported in nix-shell.

How to provide automatic tests to Python packages?

It is recommended to test packages as part of the build process. Source distributions (sdist) often include test files, but not always.

The best practice today is to pass a test hook (e.g. pytestCheckHook, unittestCheckHook) into nativeCheckInputs. This will reconfigure the checkPhase to make use of that particular test framework. Occasionally packages don’t make use of a common test framework, which may then require a custom checkPhase.

Common issues
  • Non-working tests can often be deselected. Most Python modules do follow the standard test protocol where the pytest runner can be used. pytest supports the -k and --ignore parameters to ignore test methods or classes as well as whole files. For pytestCheckHook these are conveniently exposed as disabledTests and disabledTestPaths respectively.

    buildPythonPackage {
      # ...
      nativeCheckInputs = [
        pytestCheckHook
      ];
    
      disabledTests = [
        "function_name"
        "other_function"
      ];
    
      disabledTestPaths = [
        "this/file.py"
      ];
    }
    
  • Tests that attempt to access $HOME can be fixed by using the following work-around before running tests (e.g. preCheck): export HOME=$(mktemp -d)

  • Compiling with Cython causes tests to fail with a ModuleNotLoadedError. This can be fixed with two changes in the derivation: 1) replacing pytest with pytestCheckHook and 2) adding a preCheck containing cd $out to run tests within the built output.

Contributing

Contributing guidelines

The following rules are desired to be respected:

  • Python libraries are called from python-packages.nix and packaged with buildPythonPackage. The expression of a library should be in pkgs/development/python-modules/<name>/default.nix.

  • Python applications live outside of python-packages.nix and are packaged with buildPythonApplication.

  • Make sure libraries build for all Python interpreters. If it fails to build on some Python versions, consider disabling them by setting disable = pythonAtLeast "3.x" along with a comment.

  • The two parameters, pyproject and build-system are set to avoid the legacy setuptools/distutils build.

  • Only unversioned attributes (e.g. pydantic, but not pypdantic_1) can be included in dependencies, since due to PYTHONPATH limitations we can only ever support a single version for libraries without running into duplicate module name conflicts.

  • The version restrictions of dependencies can be relaxed by pythonRelaxDepsHook.

  • Make sure the tests are enabled using for example pytestCheckHook and, in the case of libraries, are passing for all interpreters. If certain tests fail they can be disabled individually. Try to avoid disabling the tests altogether. In any case, when you disable tests, leave a comment explaining why.

  • pythonImportsCheck is set. This is still a good smoke test even if pytestCheckHook is set.

  • meta.platforms takes the default value in many cases. It does not need to be set explicitly unless the package requires a specific platform.

  • The file is formatted with nixfmt-rfc-style.

  • Commit names of Python libraries must reflect that they are Python libraries (e.g. python312Packages.numpy: 1.11 -> 1.12 rather than numpy: 1.11 -> 1.12).

  • The current default version of python should be included in commit messages to enable automatic builds by ofborg. For example python312Packages.numpy: 1.11 -> 1.12 should be used rather than python3Packages.numpy: 1.11 -> 1.12. Note that pythonPackages is an alias for python27Packages.

  • Attribute names in python-packages.nix as well as pnames should match the library’s name on PyPI, but be normalized according to PEP 0503. This means that characters should be converted to lowercase and . and _ should be replaced by a single - (foo-bar-baz instead of Foo__Bar.baz). If necessary, pname has to be given a different value within fetchPypi.

  • Packages from sources such as GitHub and GitLab that do not exist on PyPI should not use a name that is already used on PyPI. When possible, they should use the package repository name prefixed with the owner (e.g. organization) name and using a - as delimiter.

  • Attribute names in python-packages.nix should be sorted alphanumerically to avoid merge conflicts and ease locating attributes.

This list is useful for reviewers as well as for self-checking when submitting packages.

Package set maintenance

The whole Python package set has a lot of packages that do not see regular updates, because they either are a very fragile component in the Python ecosystem, like for example the hypothesis package, or packages that have no maintainer, so maintenance falls back to the package set maintainers.

Updating packages in bulk

A tool to bulk-update numerous Python libraries is available in the repository at maintainers/scripts/update-python-libraries.

It can quickly update minor or major versions for all packages selected and create update commits, and supports the fetchPypi, fetchurl and fetchFromGitHub fetchers. When updating lots of packages that are hosted on GitHub, exporting a GITHUB_API_TOKEN is highly recommended.

Updating packages in bulk leads to lots of breakages, which is why a stabilization period on the python-updates branch is required.

If a package is fragile and often breaks during these bulks updates, it may be reasonable to set passthru.skipBulkUpdate = true in the derivation. This decision should not be made on a whim and should always be supported by a qualifying comment.

Once the branch is sufficiently stable it should normally be merged into the staging branch.

An exemplary call to update all python libraries between minor versions would be:

$ maintainers/scripts/update-python-libraries --target minor --commit --use-pkgs-prefix pkgs/development/python-modules/**/default.nix

CPython Update Schedule

With PEP 602, CPython now follows a yearly release cadence. In nixpkgs, all supported interpreters are made available, but only the most recent two interpreters package sets are built; this is a compromise between being the latest interpreter, and what the majority of the Python packages support.

New CPython interpreters are released in October. Generally, it takes some time for the majority of active Python projects to support the latest stable interpreter. To help ease the migration for Nixpkgs users between Python interpreters the schedule below will be used:

WhenEvent
After YY.11 ReleaseBump CPython package set window. The latest and previous latest stable should now be built.
After YY.05 ReleaseBump default CPython interpreter to latest stable.

In practice, this means that the Python community will have had a stable interpreter for ~2 months before attempting to update the package set. And this will allow for ~7 months for Python applications to support the latest interpreter.

Qt

Writing Nix expressions for Qt libraries and applications is largely similar as for other C++ software. This section assumes some knowledge of the latter.

The major caveat with Qt applications is that Qt uses a plugin system to load additional modules at runtime. In Nixpkgs, we wrap Qt applications to inject environment variables telling Qt where to discover the required plugins and QML modules.

This effectively makes the runtime dependencies pure and explicit at build-time, at the cost of introducing an extra indirection.

Nix expression for a Qt package (default.nix)

{ stdenv, qt6 }:

stdenv.mkDerivation {
  pname = "myapp";
  version = "1.0";

  buildInputs = [ qt6.qtbase ];
  nativeBuildInputs = [ qt6.wrapQtAppsHook ];
}

The same goes for Qt 5 where libraries and tools are under libsForQt5.

Any Qt package should include wrapQtAppsHook or wrapQtAppsNoGuiHook in nativeBuildInputs, or explicitly set dontWrapQtApps to bypass generating the wrappers.

Note

wrapQtAppsHook propagates plugins and QML components from qtwayland on platforms that support it, to allow applications to act as native Wayland clients. It should be used for all graphical applications.

wrapQtAppsNoGuiHook does not propagate qtwayland to reduce closure size for purely command-line applications.

Packages supporting multiple Qt versions

If your package is a library that can be built with multiple Qt versions, you may want to take Qt modules as separate arguments (qtbase, qtdeclarative etc.), and invoke the package from pkgs/top-level/qt5-packages.nix or pkgs/top-level/qt6-packages.nix using the respective callPackage functions.

Applications should generally be built with upstream’s preferred Qt version.

Locating additional runtime dependencies

Add entries to qtWrapperArgs are to modify the wrappers created by wrapQtAppsHook:

{ stdenv, qt6 }:

stdenv.mkDerivation {
  # ...
  nativeBuildInputs = [ qt6.wrapQtAppsHook ];
  qtWrapperArgs = [ ''--prefix PATH : /path/to/bin'' ];
}

The entries are passed as arguments to wrapProgram.

If you need more control over the wrapping process, set dontWrapQtApps to disable automatic wrapper generation, and then create wrappers manually in fixupPhase, using wrapQtApp, which itself is a small wrapper over wrapProgram:

The makeWrapper arguments required for Qt are also exposed in the environment as $qtWrapperArgs.

{ stdenv, lib, wrapQtAppsHook }:

stdenv.mkDerivation {
  # ...
  nativeBuildInputs = [ wrapQtAppsHook ];
  dontWrapQtApps = true;
  preFixup = ''
      wrapQtApp "$out/bin/myapp" --prefix PATH : /path/to/bin
  '';
}

Note

wrapQtAppsHook ignores files that are non-ELF executables. This means that scripts won’t be automatically wrapped so you’ll need to manually wrap them as previously mentioned. An example of when you’d always need to do this is with Python applications that use PyQt.

R

Installation

Define an environment for R that contains all the libraries that you’d like to use by adding the following snippet to your $HOME/.config/nixpkgs/config.nix file:

{
    packageOverrides = super: let self = super.pkgs; in
    {

        rEnv = super.rWrapper.override {
            packages = with self.rPackages; [
                devtools
                ggplot2
                reshape2
                yaml
                optparse
                ];
        };
    };
}

Then you can use nix-env -f "<nixpkgs>" -iA rEnv to install it into your user profile. The set of available libraries can be discovered by running the command nix-env -f "<nixpkgs>" -qaP -A rPackages. The first column from that output is the name that has to be passed to rWrapper in the code snipped above.

However, if you’d like to add a file to your project source to make the environment available for other contributors, you can create a default.nix file like so:

with import <nixpkgs> {};
{
  myProject = stdenv.mkDerivation {
    name = "myProject";
    version = "1";
    src = if lib.inNixShell then null else nix;

    buildInputs = with rPackages; [
      R
      ggplot2
      knitr
    ];
  };
}

and then run nix-shell . to be dropped into a shell with those packages available.

RStudio

RStudio uses a standard set of packages and ignores any custom R environments or installed packages you may have. To create a custom environment, see rstudioWrapper, which functions similarly to rWrapper:

{
    packageOverrides = super: let self = super.pkgs; in
    {

        rstudioEnv = super.rstudioWrapper.override {
            packages = with self.rPackages; [
                dplyr
                ggplot2
                reshape2
                ];
        };
    };
}

Then like above, nix-env -f "<nixpkgs>" -iA rstudioEnv will install this into your user profile.

Alternatively, you can create a self-contained shell.nix without the need to modify any configuration files:

{ pkgs ? import <nixpkgs> {}
}:

pkgs.rstudioWrapper.override {
  packages = with pkgs.rPackages; [ dplyr ggplot2 reshape2 ];
}

Executing nix-shell will then drop you into an environment equivalent to the one above. If you need additional packages just add them to the list and re-enter the shell.

Updating the package set

There is a script and associated environment for regenerating the package sets and synchronising the rPackages tree to the current CRAN and matching BIOC release. These scripts are found in the pkgs/development/r-modules directory and executed as follows:

nix-shell generate-shell.nix

Rscript generate-r-packages.R cran  > cran-packages.json.new
mv cran-packages.json.new cran-packages.json

Rscript generate-r-packages.R bioc  > bioc-packages.json.new
mv bioc-packages.json.new bioc-packages.json

Rscript generate-r-packages.R bioc-annotation > bioc-annotation-packages.json.new
mv bioc-annotation-packages.json.new bioc-annotation-packages.json

Rscript generate-r-packages.R bioc-experiment > bioc-experiment-packages.json.new
mv bioc-experiment-packages.json.new bioc-experiment-packages.json

generate-r-packages.R <repo> reads <repo>-packages.json, therefore the renaming.

The contents of a generated *-packages.json file will be used to create a package derivation for each R package listed in the file.

Some packages require overrides to specify external dependencies or other patches and special requirements. These overrides are specified in the pkgs/development/r-modules/default.nix file. As the *-packages.json contents are automatically generated it should not be edited and broken builds should be addressed using overrides.

Ruby

Using Ruby

Several versions of Ruby interpreters are available on Nix, as well as over 250 gems and many applications written in Ruby. The attribute ruby refers to the default Ruby interpreter, which is currently MRI 3.3. It’s also possible to refer to specific versions, e.g. ruby_3_y, jruby, or mruby.

In the Nixpkgs tree, Ruby packages can be found throughout, depending on what they do, and are called from the main package set. Ruby gems, however are separate sets, and there’s one default set for each interpreter (currently MRI only).

There are two main approaches for using Ruby with gems. One is to use a specifically locked Gemfile for an application that has very strict dependencies. The other is to depend on the common gems, which we’ll explain further down, and rely on them being updated regularly.

The interpreters have common attributes, namely gems, and withPackages. So you can refer to ruby.gems.nokogiri, or ruby_3_2.gems.nokogiri to get the Nokogiri gem already compiled and ready to use.

Since not all gems have executables like nokogiri, it’s usually more convenient to use the withPackages function like this: ruby.withPackages (p: with p; [ nokogiri ]). This will also make sure that the Ruby in your environment will be able to find the gem and it can be used in your Ruby code (for example via ruby or irb executables) via require "nokogiri" as usual.

Temporary Ruby environment with nix-shell

Rather than having a single Ruby environment shared by all Ruby development projects on a system, Nix allows you to create separate environments per project. nix-shell gives you the possibility to temporarily load another environment akin to a combined chruby or rvm and bundle exec.

There are two methods for loading a shell with Ruby packages. The first and recommended method is to create an environment with ruby.withPackages and load that.

$ nix-shell -p "ruby.withPackages (ps: with ps; [ nokogiri pry ])"

The other method, which is not recommended, is to create an environment and list all the packages directly.

$ nix-shell -p ruby.gems.nokogiri ruby.gems.pry

Again, it’s possible to launch the interpreter from the shell. The Ruby interpreter has the attribute gems which contains all Ruby gems for that specific interpreter.

Load Ruby environment from .nix expression

As explained in the nix-shell section of the Nix manual, nix-shell can also load an expression from a .nix file. Say we want to have Ruby, nokogori, and pry. Consider a shell.nix file with:

with import <nixpkgs> {};
ruby.withPackages (ps: with ps; [ nokogiri pry ])

What’s happening here?

  1. We begin with importing the Nix Packages collections. import <nixpkgs> imports the <nixpkgs> function, {} calls it and the with statement brings all attributes of nixpkgs in the local scope. These attributes form the main package set.

  2. Then we create a Ruby environment with the withPackages function.

  3. The withPackages function expects us to provide a function as an argument that takes the set of all ruby gems and returns a list of packages to include in the environment. Here, we select the packages nokogiri and pry from the package set.

Execute command with --run

A convenient flag for nix-shell is --run. It executes a command in the nix-shell. We can e.g. directly open a pry REPL:

$ nix-shell -p "ruby.withPackages (ps: with ps; [ nokogiri pry ])" --run "pry"

Or immediately require nokogiri in pry:

$ nix-shell -p "ruby.withPackages (ps: with ps; [ nokogiri pry ])" --run "pry -rnokogiri"

Or run a script using this environment:

$ nix-shell -p "ruby.withPackages (ps: with ps; [ nokogiri pry ])" --run "ruby example.rb"
Using nix-shell as shebang

In fact, for the last case, there is a more convenient method. You can add a shebang to your script specifying which dependencies nix-shell needs. With the following shebang, you can just execute ./example.rb, and it will run with all dependencies.

#! /usr/bin/env nix-shell
#! nix-shell -i ruby -p "ruby.withPackages (ps: with ps; [ nokogiri rest-client ])"

require 'nokogiri'
require 'rest-client'

body = RestClient.get('http://example.com').body
puts Nokogiri::HTML(body).at('h1').text

Developing with Ruby

Using an existing Gemfile

In most cases, you’ll already have a Gemfile.lock listing all your dependencies. This can be used to generate a gemset.nix which is used to fetch the gems and combine them into a single environment. The reason why you need to have a separate file for this, is that Nix requires you to have a checksum for each input to your build. Since the Gemfile.lock that bundler generates doesn’t provide us with checksums, we have to first download each gem, calculate its SHA256, and store it in this separate file.

So the steps from having just a Gemfile to a gemset.nix are:

$ bundle lock
$ bundix

If you already have a Gemfile.lock, you can run bundix and it will work the same.

To update the gems in your Gemfile.lock, you may use the bundix -l flag, which will create a new Gemfile.lock in case the Gemfile has a more recent time of modification.

Once the gemset.nix is generated, it can be used in a bundlerEnv derivation. Here is an example you could use for your shell.nix:

# ...
let
  gems = bundlerEnv {
    name = "gems-for-some-project";
    gemdir = ./.;
  };
in mkShell { packages = [ gems gems.wrappedRuby ]; }

With this file in your directory, you can run nix-shell to build and use the gems. The important parts here are bundlerEnv and wrappedRuby.

The bundlerEnv is a wrapper over all the gems in your gemset. This means that all the /lib and /bin directories will be available, and the executables of all gems (even of indirect dependencies) will end up in your $PATH. The wrappedRuby provides you with all executables that come with Ruby itself, but wrapped so they can easily find the gems in your gemset.

One common issue that you might have is that you have Ruby, but also bundler in your gemset. That leads to a conflict for /bin/bundle and /bin/bundler. You can resolve this by wrapping either your Ruby or your gems in a lowPrio call. So in order to give the bundler from your gemset priority, it would be used like this:

# ...
mkShell { buildInputs = [ gems (lowPrio gems.wrappedRuby) ]; }

Sometimes a Gemfile references other files. Such as .ruby-version or vendored gems. When copying the Gemfile to the nix store we need to copy those files alongside. This can be done using extraConfigPaths. For example:

{
  gems = bundlerEnv {
    name = "gems-for-some-project";
    gemdir = ./.;
    extraConfigPaths = [ "${./.}/.ruby-version" ];
  };
}

Gem-specific configurations and workarounds

In some cases, especially if the gem has native extensions, you might need to modify the way the gem is built.

This is done via a common configuration file that includes all of the workarounds for each gem.

This file lives at /pkgs/development/ruby-modules/gem-config/default.nix, since it already contains a lot of entries, it should be pretty easy to add the modifications you need for your needs.

In the meanwhile, or if the modification is for a private gem, you can also add the configuration to only your own environment.

Two places that allow this modification are the ruby derivation, or bundlerEnv.

Here’s the ruby one:

{ pg_version ? "10", pkgs ? import <nixpkgs> { } }:
let
  myRuby = pkgs.ruby.override {
    defaultGemConfig = pkgs.defaultGemConfig // {
      pg = attrs: {
        buildFlags =
        [ "--with-pg-config=${lib.getDev pkgs."postgresql_${pg_version}"}/bin/pg_config" ];
      };
    };
  };
in myRuby.withPackages (ps: with ps; [ pg ])

And an example with bundlerEnv:

{ pg_version ? "10", pkgs ? import <nixpkgs> { } }:
let
  gems = pkgs.bundlerEnv {
    name = "gems-for-some-project";
    gemdir = ./.;
    gemConfig = pkgs.defaultGemConfig // {
      pg = attrs: {
        buildFlags =
        [ "--with-pg-config=${lib.getDev pkgs."postgresql_${pg_version}"}/bin/pg_config" ];
      };
    };
  };
in mkShell { buildInputs = [ gems gems.wrappedRuby ]; }

And finally via overlays:

{ pg_version ? "10" }:
let
  pkgs = import <nixpkgs> {
    overlays = [
      (self: super: {
        defaultGemConfig = super.defaultGemConfig // {
          pg = attrs: {
            buildFlags = [
              "--with-pg-config=${lib.getDev pkgs."postgresql_${pg_version}"}/bin/pg_config"
            ];
          };
        };
      })
    ];
  };
in pkgs.ruby.withPackages (ps: with ps; [ pg ])

Then we can get whichever postgresql version we desire and the pg gem will always reference it correctly:

$ nix-shell --argstr pg_version 9_4 --run 'ruby -rpg -e "puts PG.library_version"'
90421

$ nix-shell --run 'ruby -rpg -e "puts PG.library_version"'
100007

Of course for this use-case one could also use overlays since the configuration for pg depends on the postgresql alias, but for demonstration purposes this has to suffice.

Platform-specific gems

Right now, bundix has some issues with pre-built, platform-specific gems: bundix PR #68. Until this is solved, you can tell bundler to not use platform-specific gems and instead build them from source each time:

  • globally (will be set in ~/.config/.bundle/config):

$ bundle config set force_ruby_platform true
  • locally (will be set in <project-root>/.bundle/config):

$ bundle config set --local force_ruby_platform true

Adding a gem to the default gemset

Now that you know how to get a working Ruby environment with Nix, it’s time to go forward and start actually developing with Ruby. We will first have a look at how Ruby gems are packaged on Nix. Then, we will look at how you can use development mode with your code.

All gems in the standard set are automatically generated from a single Gemfile. The dependency resolution is done with bundler and makes it more likely that all gems are compatible to each other.

In order to add a new gem to nixpkgs, you can put it into the /pkgs/development/ruby-modules/with-packages/Gemfile and run ./maintainers/scripts/update-ruby-packages.

To test that it works, you can then try using the gem with:

NIX_PATH=nixpkgs=$PWD nix-shell -p "ruby.withPackages (ps: with ps; [ name-of-your-gem ])"

Packaging applications

A common task is to add a ruby executable to nixpkgs, popular examples would be chef, jekyll, or sass. A good way to do that is to use the bundlerApp function, that allows you to make a package that only exposes the listed executables, otherwise the package may cause conflicts through common paths like bin/rake or bin/bundler that aren’t meant to be used.

The absolute easiest way to do that is to write a Gemfile along these lines:

source 'https://rubygems.org' do
  gem 'mdl'
end

If you want to package a specific version, you can use the standard Gemfile syntax for that, e.g. gem 'mdl', '0.5.0', but if you want the latest stable version anyway, it’s easier to update by running the bundle lock and bundix steps again.

Now you can also make a default.nix that looks like this:

{ bundlerApp }:

bundlerApp {
  pname = "mdl";
  gemdir = ./.;
  exes = [ "mdl" ];
}

All that’s left to do is to generate the corresponding Gemfile.lock and gemset.nix as described above in the Using an existing Gemfile section.

Packaging executables that require wrapping

Sometimes your app will depend on other executables at runtime, and tries to find it through the PATH environment variable.

In this case, you can provide a postBuild hook to bundlerApp that wraps the gem in another script that prefixes the PATH.

Of course you could also make a custom gemConfig if you know exactly how to patch it, but it’s usually much easier to maintain with a simple wrapper so the patch doesn’t have to be adjusted for each version.

Here’s another example:

{ lib, bundlerApp, makeWrapper, git, gnutar, gzip }:

bundlerApp {
  pname = "r10k";
  gemdir = ./.;
  exes = [ "r10k" ];

  nativeBuildInputs = [ makeWrapper ];

  postBuild = ''
    wrapProgram $out/bin/r10k --prefix PATH : ${lib.makeBinPath [ git gnutar gzip ]}
  '';
}

Rust

To install the rust compiler and cargo put

{
  environment.systemPackages = [
    rustc
    cargo
  ];
}

into your configuration.nix or bring them into scope with nix-shell -p rustc cargo.

For other versions such as daily builds (beta and nightly), use either rustup from nixpkgs (which will manage the rust installation in your home directory), or use community maintained Rust toolchains.

buildRustPackage: Compiling Rust applications with Cargo

Rust applications are packaged by using the buildRustPackage helper from rustPlatform:

{ lib, fetchFromGitHub, rustPlatform }:

rustPlatform.buildRustPackage rec {
  pname = "ripgrep";
  version = "12.1.1";

  src = fetchFromGitHub {
    owner = "BurntSushi";
    repo = pname;
    rev = version;
    hash = "sha256-+s5RBC3XSgb8omTbUNLywZnP6jSxZBKSS1BmXOjRF8M=";
  };

  cargoHash = "sha256-jtBw4ahSl88L0iuCXxQgZVm1EcboWRJMNtjxLVTtzts=";

  meta = {
    description = "Fast line-oriented regex search tool, similar to ag and ack";
    homepage = "https://github.com/BurntSushi/ripgrep";
    license = lib.licenses.unlicense;
    maintainers = [ ];
  };
}

buildRustPackage requires a cargoHash attribute, computed over all crate sources of this package.

Warning

cargoSha256 is already deprecated, and is subject to removal in favor of cargoHash which supports SRI hashes.

If you are still using cargoSha256, you can simply replace it with cargoHash and recompute the hash, or convert the original sha256 to SRI hash using nix-hash --to-sri --type sha256 "<original sha256>".

{
  cargoHash = "sha256-l1vL2ZdtDRxSGvP0X/l3nMw8+6WF67KPutJEzUROjg8=";
}

Exception: If the application has cargo git dependencies, the cargoHash approach will not work by default. In this case, you can set useFetchCargoVendor = true to use an improved fetcher that supports handling git dependencies.

{
  useFetchCargoVendor = true;
  cargoHash = "sha256-RqPVFovDaD2rW31HyETJfQ0qVwFxoGEvqkIgag3H6KU=";
}

If this method still does not work, you can resort to copying the Cargo.lock file into nixpkgs and importing it as described in the next section.

Both types of hashes are permitted when contributing to nixpkgs. The Cargo hash is obtained by inserting a fake checksum into the expression and building the package once. The correct checksum can then be taken from the failed build. A fake hash can be used for cargoHash as follows:

{
  cargoHash = lib.fakeHash;
}

Per the instructions in the Cargo Book best practices guide, Rust applications should always commit the Cargo.lock file in git to ensure a reproducible build. However, a few packages do not, and Nix depends on this file, so if it is missing you can use cargoPatches to apply it in the patchPhase. Consider sending a PR upstream with a note to the maintainer describing why it’s important to include in the application.

The fetcher will verify that the Cargo.lock file is in sync with the src attribute, and fail the build if not. It will also will compress the vendor directory into a tar.gz archive.

The tarball with vendored dependencies contains a directory with the package’s name, which is normally composed of pname and version. This means that the vendored dependencies hash (cargoHash) is dependent on the package name and version. The cargoDepsName attribute can be used to use another name for the directory of vendored dependencies. For example, the hash can be made invariant to the version by setting cargoDepsName to pname:

rustPlatform.buildRustPackage rec {
  pname = "broot";
  version = "1.2.0";

  src = fetchCrate {
    inherit pname version;
    hash = "sha256-aDQA4A5mScX9or3Lyiv/5GyAehidnpKKE0grhbP1Ctc=";
  };

  cargoHash = "sha256-tbrTbutUs5aPSV+yE0IBUZAAytgmZV7Eqxia7g+9zRs=";
  cargoDepsName = pname;

  # ...
}

Importing a Cargo.lock file

Using a vendored hash (cargoHash) is tedious when using buildRustPackage within a project, since it requires that the hash is updated after every change to Cargo.lock. Therefore, buildRustPackage also supports vendoring dependencies directly from a Cargo.lock file using the cargoLock argument. For example:

rustPlatform.buildRustPackage {
  pname = "myproject";
  version = "1.0.0";

  cargoLock = {
    lockFile = ./Cargo.lock;
  };

  # ...
}

This will retrieve the dependencies using fixed-output derivations from the specified lockfile.

One caveat is that Cargo.lock cannot be patched in the patchPhase because it runs after the dependencies have already been fetched. If you need to patch or generate the lockfile you can alternatively set cargoLock.lockFileContents to a string of its contents:

rustPlatform.buildRustPackage {
  pname = "myproject";
  version = "1.0.0";

  cargoLock = let
    fixupLockFile = path: f (builtins.readFile path);
  in {
    lockFileContents = fixupLockFile ./Cargo.lock;
  };

  # ...
}

If the upstream source repository lacks a Cargo.lock file, you must add one to src, as it is essential for building a Rust package. Setting cargoLock.lockFile or cargoLock.lockFileContents will not automatically add a Cargo.lock file to src. A straightforward solution is to use:

{
  postPatch = ''
    ln -s ${./Cargo.lock} Cargo.lock
  '';
}

The output hash of each dependency that uses a git source must be specified in the outputHashes attribute. For example:

rustPlatform.buildRustPackage rec {
  pname = "myproject";
  version = "1.0.0";

  cargoLock = {
    lockFile = ./Cargo.lock;
    outputHashes = {
      "finalfusion-0.14.0" = "17f4bsdzpcshwh74w5z119xjy2if6l2wgyjy56v621skr2r8y904";
    };
  };

  # ...
}

If you do not specify an output hash for a git dependency, building the package will fail and inform you of which crate needs to be added. To find the correct hash, you can first use lib.fakeSha256 or lib.fakeHash as a stub hash. Building the package (and thus the vendored dependencies) will then inform you of the correct hash.

For usage outside nixpkgs, allowBuiltinFetchGit could be used to avoid having to specify outputHashes. For example:

rustPlatform.buildRustPackage rec {
  pname = "myproject";
  version = "1.0.0";

  cargoLock = {
    lockFile = ./Cargo.lock;
    allowBuiltinFetchGit = true;
  };

  # ...
}

Cargo features

You can disable default features using buildNoDefaultFeatures, and extra features can be added with buildFeatures.

If you want to use different features for check phase, you can use checkNoDefaultFeatures and checkFeatures. They are only passed to cargo test and not cargo build. If left unset, they default to buildNoDefaultFeatures and buildFeatures.

For example:

rustPlatform.buildRustPackage rec {
  pname = "myproject";
  version = "1.0.0";

  buildNoDefaultFeatures = true;
  buildFeatures = [ "color" "net" ];

  # disable network features in tests
  checkFeatures = [ "color" ];

  # ...
}

Cross compilation

By default, Rust packages are compiled for the host platform, just like any other package is. The --target passed to rust tools is computed from this. By default, it takes the stdenv.hostPlatform.config and replaces components where they are known to differ. But there are ways to customize the argument:

  • To choose a different target by name, define stdenv.hostPlatform.rust.rustcTarget as that name (a string), and that name will be used instead.

    For example:

    import <nixpkgs> {
      crossSystem = (import <nixpkgs/lib>).systems.examples.armhf-embedded // {
        rust.rustcTarget = "thumbv7em-none-eabi";
      };
    }
    

    will result in:

    --target thumbv7em-none-eabi
    
  • To pass a completely custom target, define stdenv.hostPlatform.rust.rustcTarget with its name, and stdenv.hostPlatform.rust.platform with the value. The value will be serialized to JSON in a file called ${stdenv.hostPlatform.rust.rustcTarget}.json, and the path of that file will be used instead.

    For example:

    import <nixpkgs> {
      crossSystem = (import <nixpkgs/lib>).systems.examples.armhf-embedded // {
        rust.rustcTarget = "thumb-crazy";
        rust.platform = { foo = ""; bar = ""; };
      };
    }
    

    will result in:

    --target /nix/store/asdfasdfsadf-thumb-crazy.json # contains {"foo":"","bar":""}
    

Note that currently custom targets aren’t compiled with std, so cargo test will fail. This can be ignored by adding doCheck = false; to your derivation.

Running package tests

When using buildRustPackage, the checkPhase is enabled by default and runs cargo test on the package to build. To make sure that we don’t compile the sources twice and to actually test the artifacts that will be used at runtime, the tests will be ran in the release mode by default.

However, in some cases the test-suite of a package doesn’t work properly in the release mode. For these situations, the mode for checkPhase can be changed like so:

rustPlatform.buildRustPackage {
  /* ... */
  checkType = "debug";
}

Please note that the code will be compiled twice here: once in release mode for the buildPhase, and again in debug mode for the checkPhase.

Test flags, e.g., --package foo, can be passed to cargo test via the cargoTestFlags attribute.

Another attribute, called checkFlags, is used to pass arguments to the test binary itself, as stated here.

Tests relying on the structure of the target/ directory

Some tests may rely on the structure of the target/ directory. Those tests are likely to fail because we use cargo --target during the build. This means that the artifacts are stored in target/<architecture>/release/, rather than in target/release/.

This can only be worked around by patching the affected tests accordingly.

Disabling package-tests

In some instances, it may be necessary to disable testing altogether (with doCheck = false;):

  • If no tests exist – the checkPhase should be explicitly disabled to skip unnecessary build steps to speed up the build.

  • If tests are highly impure (e.g. due to network usage).

There will obviously be some corner-cases not listed above where it’s sensible to disable tests. The above are just guidelines, and exceptions may be granted on a case-by-case basis.

However, please check if it’s possible to disable a problematic subset of the test suite and leave a comment explaining your reasoning.

This can be achieved with --skip in checkFlags:

rustPlatform.buildRustPackage {
  /* ... */
  checkFlags = [
    # reason for disabling test
    "--skip=example::tests:example_test"
  ];
}
Using cargo-nextest

Tests can be run with cargo-nextest by setting useNextest = true. The same options still apply, but nextest accepts a different set of arguments and the settings might need to be adapted to be compatible with cargo-nextest.

rustPlatform.buildRustPackage {
  /* ... */
  useNextest = true;
}
Setting test-threads

buildRustPackage will use parallel test threads by default, sometimes it may be necessary to disable this so the tests run consecutively.

rustPlatform.buildRustPackage {
  /* ... */
  dontUseCargoParallelTests = true;
}

Building a package in debug mode

By default, buildRustPackage will use release mode for builds. If a package should be built in debug mode, it can be configured like so:

rustPlatform.buildRustPackage {
  /* ... */
  buildType = "debug";
}

In this scenario, the checkPhase will be ran in debug mode as well.

Custom build/install-procedures

Some packages may use custom scripts for building/installing, e.g. with a Makefile. In these cases, it’s recommended to override the buildPhase/installPhase/checkPhase.

Otherwise, some steps may fail because of the modified directory structure of target/.

Building a crate with an absent or out-of-date Cargo.lock file

buildRustPackage needs a Cargo.lock file to get all dependencies in the source code in a reproducible way. If it is missing or out-of-date one can use the cargoPatches attribute to update or add it.

rustPlatform.buildRustPackage rec {
  # ...
  cargoPatches = [
    # a patch file to add/update Cargo.lock in the source code
    ./add-Cargo.lock.patch
  ];
}

Compiling non-Rust packages that include Rust code

Several non-Rust packages incorporate Rust code for performance- or security-sensitive parts. rustPlatform exposes several functions and hooks that can be used to integrate Cargo in non-Rust packages.

Vendoring of dependencies

Since network access is not allowed in sandboxed builds, Rust crate dependencies need to be retrieved using a fetcher. rustPlatform provides the fetchCargoTarball fetcher, which vendors all dependencies of a crate. For example, given a source path src containing Cargo.toml and Cargo.lock, fetchCargoTarball can be used as follows:

{
  cargoDeps = rustPlatform.fetchCargoTarball {
    inherit src;
    hash = "sha256-BoHIN/519Top1NUBjpB/oEMqi86Omt3zTQcXFWqrek0=";
  };
}

The src attribute is required, as well as a hash specified through one of the hash attribute. The following optional attributes can also be used:

  • name: the name that is used for the dependencies tarball. If name is not specified, then the name cargo-deps will be used.

  • sourceRoot: when the Cargo.lock/Cargo.toml are in a subdirectory, sourceRoot specifies the relative path to these files.

  • patches: patches to apply before vendoring. This is useful when the Cargo.lock/Cargo.toml files need to be patched before vendoring.

In case the lockfile contains cargo git dependencies, you can use fetchCargoVendor instead.

{
  cargoDeps = rustPlatform.fetchCargoVendor {
    inherit src;
    hash = "sha256-RqPVFovDaD2rW31HyETJfQ0qVwFxoGEvqkIgag3H6KU=";
  };
}

If a Cargo.lock file is available, you can alternatively use the importCargoLock function. In contrast to fetchCargoTarball, this function does not require a hash (unless git dependencies are used) and fetches every dependency as a separate fixed-output derivation. importCargoLock can be used as follows:

{
  cargoDeps = rustPlatform.importCargoLock {
    lockFile = ./Cargo.lock;
  };
}

If the Cargo.lock file includes git dependencies, then their output hashes need to be specified since they are not available through the lock file. For example:

{
  cargoDeps = rustPlatform.importCargoLock {
    lockFile = ./Cargo.lock;
    outputHashes = {
      "rand-0.8.3" = "0ya2hia3cn31qa8894s3av2s8j5bjwb6yq92k0jsnlx7jid0jwqa";
    };
  };
}

If you do not specify an output hash for a git dependency, building cargoDeps will fail and inform you of which crate needs to be added. To find the correct hash, you can first use lib.fakeSha256 or lib.fakeHash as a stub hash. Building cargoDeps will then inform you of the correct hash.

Hooks

rustPlatform provides the following hooks to automate Cargo builds:

  • cargoSetupHook: configure Cargo to use dependencies vendored through fetchCargoTarball. This hook uses the cargoDeps environment variable to find the vendored dependencies. If a project already vendors its dependencies, the variable cargoVendorDir can be used instead. When the Cargo.toml/Cargo.lock files are not in sourceRoot, then the optional cargoRoot is used to specify the Cargo root directory relative to sourceRoot.

  • cargoBuildHook: use Cargo to build a crate. If the crate to be built is a crate in e.g. a Cargo workspace, the relative path to the crate to build can be set through the optional buildAndTestSubdir environment variable. Features can be specified with cargoBuildNoDefaultFeatures and cargoBuildFeatures. Additional Cargo build flags can be passed through cargoBuildFlags.

  • maturinBuildHook: use Maturin to build a Python wheel. Similar to cargoBuildHook, the optional variable buildAndTestSubdir can be used to build a crate in a Cargo workspace. Additional Maturin flags can be passed through maturinBuildFlags.

  • cargoCheckHook: run tests using Cargo. The build type for checks can be set using cargoCheckType. Features can be specified with cargoCheckNoDefaultFeatures and cargoCheckFeatures. Additional flags can be passed to the tests using checkFlags and checkFlagsArray. By default, tests are run in parallel. This can be disabled by setting dontUseCargoParallelTests.

  • cargoNextestHook: run tests using cargo-nextest. The same options for cargoCheckHook also applies to cargoNextestHook.

  • cargoInstallHook: install binaries and static/shared libraries that were built using cargoBuildHook.

  • bindgenHook: for crates which use bindgen as a build dependency, lets bindgen find libclang and libclang find the libraries in buildInputs.

Examples
Python package using setuptools-rust

For Python packages using setuptools-rust, you can use fetchCargoTarball and cargoSetupHook to retrieve and set up Cargo dependencies. The build itself is then performed by buildPythonPackage.

The following example outlines how the tokenizers Python package is built. Since the Python package is in the source/bindings/python directory of the tokenizers project’s source archive, we use sourceRoot to point the tooling to this directory:

{ fetchFromGitHub
, buildPythonPackage
, cargo
, rustPlatform
, rustc
, setuptools-rust
}:

buildPythonPackage rec {
  pname = "tokenizers";
  version = "0.10.0";

  src = fetchFromGitHub {
    owner = "huggingface";
    repo = pname;
    rev = "python-v${version}";
    hash = "sha256-rQ2hRV52naEf6PvRsWVCTN7B1oXAQGmnpJw4iIdhamw=";
  };

  cargoDeps = rustPlatform.fetchCargoTarball {
    inherit pname version src sourceRoot;
    hash = "sha256-miW//pnOmww2i6SOGbkrAIdc/JMDT4FJLqdMFojZeoY=";
  };

  sourceRoot = "${src.name}/bindings/python";

  nativeBuildInputs = [
    cargo
    rustPlatform.cargoSetupHook
    rustc
    setuptools-rust
  ];

  # ...
}

In some projects, the Rust crate is not in the main Python source directory. In such cases, the cargoRoot attribute can be used to specify the crate’s directory relative to sourceRoot. In the following example, the crate is in src/rust, as specified in the cargoRoot attribute. Note that we also need to specify the correct path for fetchCargoTarball.


{ buildPythonPackage
, fetchPypi
, rustPlatform
, setuptools-rust
, openssl
}:

buildPythonPackage rec {
  pname = "cryptography";
  version = "3.4.2"; # Also update the hash in vectors.nix

  src = fetchPypi {
    inherit pname version;
    hash = "sha256-xGDilsjLOnls3MfVbGKnj80KCUCczZxlis5PmHzpNcQ=";
  };

  cargoDeps = rustPlatform.fetchCargoTarball {
    inherit pname version src;
    sourceRoot = "${pname}-${version}/${cargoRoot}";
    hash = "sha256-PS562W4L1NimqDV2H0jl5vYhL08H9est/pbIxSdYVfo=";
  };

  cargoRoot = "src/rust";

  # ...
}
Python package using maturin

Python packages that use Maturin can be built with fetchCargoTarball, cargoSetupHook, and maturinBuildHook. For example, the following (partial) derivation builds the retworkx Python package. fetchCargoTarball and cargoSetupHook are used to fetch and set up the crate dependencies. maturinBuildHook is used to perform the build.

{ lib
, buildPythonPackage
, rustPlatform
, fetchFromGitHub
}:

buildPythonPackage rec {
  pname = "retworkx";
  version = "0.6.0";
  pyproject = true;

  src = fetchFromGitHub {
    owner = "Qiskit";
    repo = "retworkx";
    rev = version;
    hash = "sha256-11n30ldg3y3y6qxg3hbj837pnbwjkqw3nxq6frds647mmmprrd20=";
  };

  cargoDeps = rustPlatform.fetchCargoTarball {
    inherit pname version src;
    hash = "sha256-heOBK8qi2nuc/Ib+I/vLzZ1fUUD/G/KTw9d7M4Hz5O0=";
  };

  nativeBuildInputs = with rustPlatform; [ cargoSetupHook maturinBuildHook ];

  # ...
}
Rust package built with meson

Some projects, especially GNOME applications, are built with the Meson Build System instead of calling Cargo directly. Using rustPlatform.buildRustPackage may successfully build the main program, but related files will be missing. Instead, you need to set up Cargo dependencies with fetchCargoTarball and cargoSetupHook and leave the rest to Meson. rust and cargo are still needed in nativeBuildInputs for Meson to use.

{ lib
, stdenv
, fetchFromGitLab
, meson
, ninja
, pkg-config
, rustPlatform
, rustc
, cargo
, wrapGAppsHook4
, blueprint-compiler
, libadwaita
, libsecret
, tinysparql
}:

stdenv.mkDerivation rec {
  pname = "health";
  version = "0.95.0";

  src = fetchFromGitLab {
    domain = "gitlab.gnome.org";
    owner = "World";
    repo = "health";
    rev = version;
    hash = "sha256-PrNPprSS98yN8b8yw2G6hzTSaoE65VbsM3q7FVB4mds=";
  };

  cargoDeps = rustPlatform.fetchCargoTarball {
    inherit pname version src;
    hash = "sha256-8fa3fa+sFi5H+49B5sr2vYPkp9C9s6CcE0zv4xB8gww=";
  };

  nativeBuildInputs = [
    meson
    ninja
    pkg-config
    rustPlatform.cargoSetupHook
    rustc
    cargo
    wrapGAppsHook4
    blueprint-compiler
  ];

  buildInputs = [
    libadwaita
    libsecret
    tinysparql
  ];

  # ...
}

buildRustCrate: Compiling Rust crates using Nix instead of Cargo

Simple operation

When run, cargo build produces a file called Cargo.lock, containing pinned versions of all dependencies. Nixpkgs contains a tool called crate2Nix (nix-shell -p crate2nix), which can be used to turn a Cargo.lock into a Nix expression. That Nix expression calls rustc directly (hence bypassing Cargo), and can be used to compile a crate and all its dependencies.

See crate2nix’s documentation for instructions on how to use it.

Handling external dependencies

Some crates require external libraries. For crates from crates.io, such libraries can be specified in defaultCrateOverrides package in nixpkgs itself.

Starting from that file, one can add more overrides, to add features or build inputs by overriding the hello crate in a separate file.

with import <nixpkgs> {};
((import ./hello.nix).hello {}).override {
  crateOverrides = defaultCrateOverrides // {
    hello = attrs: { buildInputs = [ openssl ]; };
  };
}

Here, crateOverrides is expected to be a attribute set, where the key is the crate name without version number and the value a function. The function gets all attributes passed to buildRustCrate as first argument and returns a set that contains all attribute that should be overwritten.

For more complicated cases, such as when parts of the crate’s derivation depend on the crate’s version, the attrs argument of the override above can be read, as in the following example, which patches the derivation:

with import <nixpkgs> {};
((import ./hello.nix).hello {}).override {
  crateOverrides = defaultCrateOverrides // {
    hello = attrs: lib.optionalAttrs (lib.versionAtLeast attrs.version "1.0")  {
      postPatch = ''
        substituteInPlace lib/zoneinfo.rs \
          --replace-fail "/usr/share/zoneinfo" "${tzdata}/share/zoneinfo"
      '';
    };
  };
}

Another situation is when we want to override a nested dependency. This actually works in the exact same way, since the crateOverrides parameter is forwarded to the crate’s dependencies. For instance, to override the build inputs for crate libc in the example above, where libc is a dependency of the main crate, we could do:

with import <nixpkgs> {};
((import hello.nix).hello {}).override {
  crateOverrides = defaultCrateOverrides // {
    libc = attrs: { buildInputs = []; };
  };
}

Options and phases configuration

Actually, the overrides introduced in the previous section are more general. A number of other parameters can be overridden:

  • The version of rustc used to compile the crate:

    (hello {}).override { rust = pkgs.rust; }
    
  • Whether to build in release mode or debug mode (release mode by default):

    (hello {}).override { release = false; }
    
  • Whether to print the commands sent to rustc when building (equivalent to --verbose in cargo:

    (hello {}).override { verbose = false; }
    
  • Extra arguments to be passed to rustc:

    (hello {}).override { extraRustcOpts = "-Z debuginfo=2"; }
    
  • Phases, just like in any other derivation, can be specified using the following attributes: preUnpack, postUnpack, prePatch, patches, postPatch, preConfigure (in the case of a Rust crate, this is run before calling the “build” script), postConfigure (after the “build” script),preBuild, postBuild, preInstall and postInstall. As an example, here is how to create a new module before running the build script:

    (hello {}).override {
      preConfigure = ''
         echo "pub const PATH=\"${hi.out}\";" >> src/path.rs"
      '';
    }
    

Setting Up nix-shell

Oftentimes you want to develop code from within nix-shell. Unfortunately buildRustCrate does not support common nix-shell operations directly (see this issue) so we will use stdenv.mkDerivation instead.

Using the example hello project above, we want to do the following:

  • Have access to cargo and rustc

  • Have the openssl library available to a crate through it’s normal compilation mechanism (pkg-config).

A typical shell.nix might look like:

with import <nixpkgs> {};

stdenv.mkDerivation {
  name = "rust-env";
  nativeBuildInputs = [
    rustc cargo

    # Example Build-time Additional Dependencies
    pkg-config
  ];
  buildInputs = [
    # Example Run-time Additional Dependencies
    openssl
  ];

  # Set Environment Variables
  RUST_BACKTRACE = 1;
}

You should now be able to run the following:

$ nix-shell --pure
$ cargo build
$ cargo test

Using community maintained Rust toolchains

Note

The following projects cannot be used within Nixpkgs since Import From Derivation (IFD) is disallowed in Nixpkgs. To package things that require Rust nightly, RUSTC_BOOTSTRAP = true; can sometimes be used as a hack.

There are two community maintained approaches to Rust toolchain management:

Despite their names, both projects provides a similar set of packages and overlays under different APIs.

Oxalica’s overlay allows you to select a particular Rust version without you providing a hash or a flake input, but comes with a larger git repository than fenix.

Fenix also provides rust-analyzer nightly in addition to the Rust toolchains.

Both oxalica’s overlay and fenix better integrate with nix and cache optimizations. Because of this and ergonomics, either of those community projects should be preferred to the Mozilla’s Rust overlay (nixpkgs-mozilla).

The following documentation demonstrates examples using fenix and oxalica’s Rust overlay with nix-shell and building derivations. More advanced usages like flake usage are documented in their own repositories.

Using Rust nightly with nix-shell

Here is a simple shell.nix that provides Rust nightly (default profile) using fenix:

with import <nixpkgs> { };
let
  fenix = callPackage
    (fetchFromGitHub {
      owner = "nix-community";
      repo = "fenix";
      # commit from: 2023-03-03
      rev = "e2ea04982b892263c4d939f1cc3bf60a9c4deaa1";
      hash = "sha256-AsOim1A8KKtMWIxG+lXh5Q4P2bhOZjoUhFWJ1EuZNNk=";
    })
    { };
in
mkShell {
  name = "rust-env";
  nativeBuildInputs = [
    # Note: to use stable, just replace `default` with `stable`
    fenix.default.toolchain

    # Example Build-time Additional Dependencies
    pkg-config
  ];
  buildInputs = [
    # Example Run-time Additional Dependencies
    openssl
  ];

  # Set Environment Variables
  RUST_BACKTRACE = 1;
}

Save this to shell.nix, then run:

$ rustc --version
rustc 1.69.0-nightly (13471d3b2 2023-03-02)

To see that you are using nightly.

Oxalica’s Rust overlay has more complete examples of shell.nix (and cross compilation) under its examples directory.

Using Rust nightly in a derivation with buildRustPackage

You can also use Rust nightly to build rust packages using makeRustPlatform. The below snippet demonstrates invoking buildRustPackage with a Rust toolchain from oxalica’s overlay:

with import <nixpkgs>
{
  overlays = [
    (import (fetchTarball "https://github.com/oxalica/rust-overlay/archive/master.tar.gz"))
  ];
};
let
  rustPlatform = makeRustPlatform {
    cargo = rust-bin.selectLatestNightlyWith (toolchain: toolchain.default);
    rustc = rust-bin.selectLatestNightlyWith (toolchain: toolchain.default);
  };
in

rustPlatform.buildRustPackage rec {
  pname = "ripgrep";
  version = "12.1.1";

  src = fetchFromGitHub {
    owner = "BurntSushi";
    repo = "ripgrep";
    rev = version;
    hash = "sha256-+s5RBC3XSgb8omTbUNLywZnP6jSxZBKSS1BmXOjRF8M=";
  };

  cargoHash = "sha256-l1vL2ZdtDRxSGvP0X/l3nMw8+6WF67KPutJEzUROjg8=";

  doCheck = false;

  meta = {
    description = "Fast line-oriented regex search tool, similar to ag and ack";
    homepage = "https://github.com/BurntSushi/ripgrep";
    license = with lib.licenses; [ mit unlicense ];
    maintainers = with lib.maintainers; [];
  };
}

Follow the below steps to try that snippet.

  1. save the above snippet as default.nix in that directory

  2. cd into that directory and run nix-build

Fenix also has examples with buildRustPackage, crane, naersk, and cross compilation in its Examples section.

Using git bisect on the Rust compiler

Sometimes an upgrade of the Rust compiler (rustc) will break a downstream package. In these situations, being able to git bisect the rustc version history to find the offending commit is quite useful. Nixpkgs makes it easy to do this.

First, roll back your nixpkgs to a commit in which its rustc used the most recent one which doesn’t have the problem. You’ll need to do this because of rustc’s extremely aggressive version-pinning.

Next, add the following overlay, updating the Rust version to the one in your rolled-back nixpkgs, and replacing /git/scratch/rust with the path into which you have git cloned the rustc git repository:

 (final: prev: /*lib.optionalAttrs prev.stdenv.targetPlatform.isAarch64*/ {
   rust_1_72 =
     lib.updateManyAttrsByPath [{
       path = [ "packages" "stable" ];
       update = old: old.overrideScope(final: prev: {
         rustc-unwrapped = prev.rustc-unwrapped.overrideAttrs (_: {
           src = lib.cleanSource /git/scratch/rust;
           # do *not* put passthru.isReleaseTarball=true here
         });
       });
     }]
       prev.rust_1_72;
 })

If the problem you’re troubleshooting only manifests when cross-compiling you can uncomment the lib.optionalAttrs in the example above, and replace isAarch64 with the target that is having problems. This will speed up your bisect quite a bit, since the host compiler won’t need to be rebuilt.

Now, you can start a git bisect in the directory where you checked out the rustc source code. It is recommended to select the endpoint commits by searching backwards from origin/master for the commits which added the release notes for the versions in question. If you set the endpoints to commits on the release branches (i.e. the release tags), git-bisect will often get confused by the complex merge-commit structures it will need to traverse.

The command loop you’ll want to use for bisecting looks like this:

git bisect {good,bad}  # depending on result of last build
git submodule update --init
CARGO_NET_OFFLINE=false cargo vendor \
  --sync ./src/tools/cargo/Cargo.toml \
  --sync ./src/tools/rust-analyzer/Cargo.toml \
  --sync ./compiler/rustc_codegen_cranelift/Cargo.toml \
  --sync ./src/bootstrap/Cargo.toml
nix-build $NIXPKGS -A package-broken-by-rust-changes

The git submodule update --init and cargo vendor commands above require network access, so they can’t be performed from within the rustc derivation, unfortunately.

Scheme

Package Management

Akku

About two hundred R6RS & R7RS libraries from Akku (which also mirrors snow-fort) are available inside the akkuPackages attrset, and the Akku executable itself is at the top level as akku. The packages could be used in a derivation’s buildInputs, work inside of nix-shell, and are tested using Chez & Chibi Scheme during build time.

Including a package as a build input is done in the typical Nix fashion. For example, to include a bunch of SRFIs primarily for Chez Scheme in a derivation, one might write:

{
  buildInputs = [
    chez
    akkuPackages.chez-srfi
  ];
}

The package index is located in pkgs/tools/package-management/akku as deps.toml, and should be updated occasionally by running ./update.sh in the directory. Doing so will pull the source URLs for new packages and more recent versions, then write them to the TOML.

Swift

The Swift compiler is provided by the swift package:

# Compile and link a simple executable.
nix-shell -p swift --run 'swiftc -' <<< 'print("Hello world!")'
# Run it!
./main

The swift package also provides the swift command, with some caveats:

  • Swift Package Manager (SwiftPM) is packaged separately as swiftpm. If you need functionality like swift build, swift run, swift test, you must also add the swiftpm package to your closure.

  • On Darwin, the swift repl command requires an Xcode installation. This is because it uses the system LLDB debugserver, which has special entitlements.

Module search paths

Like other toolchains in Nixpkgs, the Swift compiler executables are wrapped to help Swift find your application’s dependencies in the Nix store. These wrappers scan the buildInputs of your package derivation for specific directories where Swift modules are placed by convention, and automatically add those directories to the Swift compiler search paths.

Swift follows different conventions depending on the platform. The wrappers look for the following directories:

  • On Darwin platforms: lib/swift/macosx (If not targeting macOS, replace macosx with the Xcode platform name.)

  • On other platforms: lib/swift/linux/x86_64 (Where linux and x86_64 are from lowercase uname -sm.)

  • For convenience, Nixpkgs also adds lib/swift to the search path. This can save a bit of work packaging Swift modules, because many Nix builds will produce output for just one target any way.

Core libraries

In addition to the standard library, the Swift toolchain contains some additional ‘core libraries’ that, on Apple platforms, are normally distributed as part of the OS or Xcode. These are packaged separately in Nixpkgs, and can be found (for use in buildInputs) as:

  • swiftPackages.Dispatch

  • swiftPackages.Foundation

  • swiftPackages.XCTest

Packaging with SwiftPM

Nixpkgs includes a small helper swiftpm2nix that can fetch your SwiftPM dependencies for you, when you need to write a Nix expression to package your application.

The first step is to run the generator:

cd /path/to/my/project
# Enter a Nix shell with the required tools.
nix-shell -p swift swiftpm swiftpm2nix
# First, make sure the workspace is up-to-date.
swift package resolve
# Now generate the Nix code.
swiftpm2nix

This produces some files in a directory nix, which will be part of your Nix expression. The next step is to write that expression:

{ stdenv, swift, swiftpm, swiftpm2nix, fetchFromGitHub }:

let
  # Pass the generated files to the helper.
  generated = swiftpm2nix.helpers ./nix;
in

stdenv.mkDerivation rec {
  pname = "myproject";
  version = "0.0.0";

  src = fetchFromGitHub {
    owner = "nixos";
    repo = pname;
    rev = version;
    hash = "sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
  };

  # Including SwiftPM as a nativeBuildInput provides a buildPhase for you.
  # This by default performs a release build using SwiftPM, essentially:
  #   swift build -c release
  nativeBuildInputs = [ swift swiftpm ];

  # The helper provides a configure snippet that will prepare all dependencies
  # in the correct place, where SwiftPM expects them.
  configurePhase = generated.configure;

  installPhase = ''
    # This is a special function that invokes swiftpm to find the location
    # of the binaries it produced.
    binPath="$(swiftpmBinPath)"
    # Now perform any installation steps.
    mkdir -p $out/bin
    cp $binPath/myproject $out/bin/
  '';
}

Custom build flags

If you’d like to build a different configuration than release:

{
  swiftpmBuildConfig = "debug";
}

It is also possible to provide additional flags to swift build:

{
  swiftpmFlags = [ "--disable-dead-strip" ];
}

The default buildPhase already passes -j for parallel building.

If these two customization options are insufficient, provide your own buildPhase that invokes swift build.

Running tests

Including swiftpm in your nativeBuildInputs also provides a default checkPhase, but it must be enabled with:

{
  doCheck = true;
}

This essentially runs: swift test -c release

Patching dependencies

In some cases, it may be necessary to patch a SwiftPM dependency. SwiftPM dependencies are located in .build/checkouts, but the swiftpm2nix helper provides these as symlinks to read-only /nix/store paths. In order to patch them, we need to make them writable.

A special function swiftpmMakeMutable is available to replace the symlink with a writable copy:

{
  configurePhase = generated.configure ++ ''
    # Replace the dependency symlink with a writable copy.
    swiftpmMakeMutable swift-crypto
    # Now apply a patch.
    patch -p1 -d .build/checkouts/swift-crypto -i ${./some-fix.patch}
  '';
}

Considerations for custom build tools

Linking the standard library

The swift package has a separate lib output containing just the Swift standard library, to prevent Swift applications needing a dependency on the full Swift compiler at run-time. Linking with the Nixpkgs Swift toolchain already ensures binaries correctly reference the lib output.

Sometimes, Swift is used only to compile part of a mixed codebase, and the link step is manual. Custom build tools often locate the standard library relative to the swift compiler executable, and while the result will work, when this path ends up in the binary, it will have the Swift compiler as an unintended dependency.

In this case, you should investigate how your build process discovers the standard library, and override the path. The correct path will be something like: "${swift.swift.lib}/${swift.swiftModuleSubdir}"

Tcl

User guide

Tcl interpreters are available under the tcl and tcl-X_Y attributes, where X_Y is the Tcl version.

Tcl libraries are available in the tclPackages attribute set. They are only guaranteed to work with the default Tcl version, but will probably also work with others thanks to the stubs mechanism.

Packaging guide

Tcl packages are typically built with tclPackages.mkTclDerivation. Tcl dependencies go in buildInputs/nativeBuildInputs/… like other packages. For more complex package definitions, such as packages with mixed languages, use tcl.tclPackageHook.

Where possible, make sure to enable stubs for maximum compatibility, usually with the --enable-stubs configure flag.

Here is a simple package example to be called with tclPackages.callPackage.

{ lib, fetchzip, mkTclDerivation, openssl }:

mkTclDerivation rec {
  pname = "tcltls";
  version = "1.7.22";

  src = fetchzip {
    url = "https://core.tcl-lang.org/tcltls/uv/tcltls-${version}.tar.gz";
    hash = "sha256-TOouWcQc3MNyJtaAGUGbaQoaCWVe6g3BPERct/V65vk=";
  };

  buildInputs = [ openssl ];

  configureFlags = [
    "--with-ssl-dir=${openssl.dev}"
    "--enable-stubs"
  ];

  meta = {
    homepage = "https://core.tcl-lang.org/tcltls/index";
    description = "OpenSSL / RSA-bsafe Tcl extension";
    maintainers = [ lib.maintainers.agbrooks ];
    license = lib.licenses.tcltk;
    platforms = lib.platforms.unix;
  };
}

All Tcl libraries are declared in pkgs/top-level/tcl-packages.nix and are defined in pkgs/development/tcl-modules/. If possible, prefer the by-name hierarchy in pkgs/development/tcl-modules/by-name/. Its use is documented in pkgs/development/tcl-modules/by-name/README.md.

All Tcl applications reside elsewhere. In case a package is used as both a library and an application (for example expect), it should be defined in tcl-packages.nix, with an alias elsewhere.

TeX Live

There is a TeX Live packaging that lives entirely under attribute texlive.

User’s guide (experimental new interface)

Release 23.11 ships with a new interface that will eventually replace texlive.combine.

  • For basic usage, use some of the prebuilt environments available at the top level, such as texliveBasic, texliveSmall. For the full list of prebuilt environments, inspect texlive.schemes.

  • Packages cannot be used directly but must be assembled in an environment. To create or add packages to an environment, use

    texliveSmall.withPackages (ps: with ps; [ collection-langkorean algorithms cm-super ])
    

    The function withPackages can be called multiple times to add more packages.

    • Note. Within Nixpkgs, packages should only use prebuilt environments as inputs, such as texliveSmall or texliveInfraOnly, and should not depend directly on texlive. Further dependencies should be added by calling withPackages. This is to ensure that there is a consistent and simple way to override the inputs.

  • texlive.withPackages uses the same logic as buildEnv. Only parts of a package are installed in an environment: its ‘runtime’ files (tex output), binaries (out output), and support files (tlpkg output). Moreover, man and info pages are assembled into separate man and info outputs. To add only the TeX files of a package, or its documentation (texdoc output), just specify the outputs:

    texlive.withPackages (ps: with ps; [
      texdoc # recommended package to navigate the documentation
      perlPackages.LaTeXML.tex # tex files of LaTeXML, omit binaries
      cm-super
      cm-super.texdoc # documentation of cm-super
    ])
    
  • All packages distributed by TeX Live, which contains most of CTAN, are available and can be found under texlive.pkgs:

    $ nix repl
    nix-repl> :l <nixpkgs>
    nix-repl> texlive.pkgs.[TAB]
    

    Note that the packages in texlive.pkgs are only provided for search purposes and must not be used directly.

  • Experimental and subject to change without notice: to add the documentation for all packages in the environment, use

    texliveSmall.__overrideTeXConfig { withDocs = true; }
    

    This can be applied before or after calling withPackages.

    The function currently support the parameters withDocs, withSources, and requireTeXPackages.

User’s guide

  • For basic usage just pull texlive.combined.scheme-basic for an environment with basic LaTeX support.

  • It typically won’t work to use separately installed packages together. Instead, you can build a custom set of packages like this. Most CTAN packages should be available:

    texlive.combine {
      inherit (texlive) scheme-small collection-langkorean algorithms cm-super;
    }
    
  • There are all the schemes, collections and a few thousand packages, as defined upstream (perhaps with tiny differences).

  • By default you only get executables and files needed during runtime, and a little documentation for the core packages. To change that, you need to add pkgFilter function to combine.

    texlive.combine {
      # inherit (texlive) whatever-you-want;
      pkgFilter = pkg:
        pkg.tlType == "run" || pkg.tlType == "bin" || pkg.hasManpages || pkg.pname == "cm-super";
      # elem tlType [ "run" "bin" "doc" "source" ]
      # there are also other attributes: version, name
    }
    
  • You can list packages e.g. by nix repl.

    $ nix repl
    nix-repl> :l <nixpkgs>
    nix-repl> texlive.collection-[TAB]
    
  • Note that the wrapper assumes that the result has a chance to be useful. For example, the core executables should be present, as well as some core data files. The supported way of ensuring this is by including some scheme, for example scheme-basic, into the combination.

  • TeX Live packages are also available under texlive.pkgs as derivations with outputs out, tex, texdoc, texsource, tlpkg, man, info. They cannot be installed outside of texlive.combine but are available for other uses. To repackage a font, for instance, use

    stdenvNoCC.mkDerivation rec {
      src = texlive.pkgs.iwona;
      dontUnpack = true;
    
      inherit (src) pname version;
    
      installPhase = ''
        runHook preInstall
        install -Dm644 $src/fonts/opentype/nowacki/iwona/*.otf -t $out/share/fonts/opentype
        runHook postInstall
      '';
    }
    

    See biber, iwona for complete examples.

Custom packages

You may find that you need to use an external TeX package. A derivation for such package has to provide the contents of the “texmf” directory in its "tex" output, according to the TeX Directory Structure. Dependencies on other TeX packages can be listed in the attribute tlDeps.

The functions texlive.combine and texlive.withPackages recognise the following outputs:

  • "out": contents are linked in the TeX Live environment, and binaries in the $out/bin folder are wrapped;

  • "tex": linked in $TEXMFDIST; files should follow the TDS (for instance $tex/tex/latex/foiltex/foiltex.cls);

  • "texdoc", "texsource": ignored by default, treated as "tex";

  • "tlpkg": linked in $TEXMFROOT/tlpkg;

  • "man", "info", …: the other outputs are combined into separate outputs.

When using pkgFilter, texlive.combine will assign tlType respectively "bin", "run", "doc", "source", "tlpkg" to the above outputs.

Here is a (very verbose) example. See also the packages auctex, eukleides, mftrace for more examples.

with import <nixpkgs> {};

let
  foiltex = stdenvNoCC.mkDerivation {
    pname = "latex-foiltex";
    version = "2.1.4b";

    outputs = [ "tex" "texdoc" ];
    passthru.tlDeps = with texlive; [ latex ];

    srcs = [
      (fetchurl {
        url = "http://mirrors.ctan.org/macros/latex/contrib/foiltex/foiltex.dtx";
        hash = "sha256-/2I2xHXpZi0S988uFsGuPV6hhMw8e0U5m/P8myf42R0=";
      })
      (fetchurl {
        url = "http://mirrors.ctan.org/macros/latex/contrib/foiltex/foiltex.ins";
        hash = "sha256-KTm3pkd+Cpu0nSE2WfsNEa56PeXBaNfx/sOO2Vv0kyc=";
      })
    ];

    unpackPhase = ''
      runHook preUnpack

      for _src in $srcs; do
        cp "$_src" $(stripHash "$_src")
      done

      runHook postUnpack
    '';

    nativeBuildInputs = [
      (texliveSmall.withPackages (ps: with ps; [ cm-super hypdoc latexmk ]))
      # multiple-outputs.sh fails if $out is not defined
      (writeShellScript "force-tex-output.sh" ''
        out="''${tex-}"
      '')
    ];

    dontConfigure = true;

    buildPhase = ''
      runHook preBuild

      # Generate the style files
      latex foiltex.ins

      # Generate the documentation
      export HOME=.
      latexmk -pdf foiltex.dtx

      runHook postBuild
    '';

    installPhase = ''
      runHook preInstall

      path="$tex/tex/latex/foiltex"
      mkdir -p "$path"
      cp *.{cls,def,clo,sty} "$path/"

      path="$texdoc/doc/tex/latex/foiltex"
      mkdir -p "$path"
      cp *.pdf "$path/"

      runHook postInstall
    '';

    meta = {
      description = "LaTeX2e class for overhead transparencies";
      license = lib.licenses.unfreeRedistributable;
      maintainers = with lib.maintainers; [ veprbl ];
      platforms = lib.platforms.all;
    };
  };

  latex_with_foiltex = texliveSmall.withPackages (_: [ foiltex ]);
in
  runCommand "test.pdf" {
    nativeBuildInputs = [ latex_with_foiltex ];
  } ''
cat >test.tex <<EOF
\documentclass{foils}

\title{Presentation title}
\date{}

\begin{document}
\maketitle
\end{document}
EOF
  pdflatex test.tex
  cp test.pdf $out
''

LuaLaTeX font cache

The font cache for LuaLaTeX is written to $HOME. Therefore, it is necessary to set $HOME to a writable path, e.g. before using LuaLaTeX in nix derivations:

runCommandNoCC "lualatex-hello-world" {
  buildInputs = [ texliveFull ];
} ''
  mkdir $out
  echo '\documentclass{article} \begin{document} Hello world \end{document}' > main.tex
  env HOME=$(mktemp -d) lualatex  -interaction=nonstopmode -output-format=pdf -output-directory=$out ./main.tex
''

Additionally, the cache of a user can diverge from the nix store. To resolve font issues that might follow, the cache can be removed by the user:

luaotfload-tool --cache=erase --flush-lookups --force

Titanium

The Nixpkgs repository contains facilities to deploy a variety of versions of the Titanium SDK versions, a cross-platform mobile app development framework using JavaScript as an implementation language, and includes a function abstraction making it possible to build Titanium applications for Android and iOS devices from source code.

Not all Titanium features supported – currently, it can only be used to build Android and iOS apps.

Building a Titanium app

We can build a Titanium app from source for Android or iOS and for debugging or release purposes by invoking the titaniumenv.buildApp {} function:

titaniumenv.buildApp {
  name = "myapp";
  src = ./myappsource;

  preBuild = "";
  target = "android"; # or 'iphone'
  tiVersion = "7.1.0.GA";
  release = true;

  androidsdkArgs = {
    platformVersions = [ "25" "26" ];
  };
  androidKeyStore = ./keystore;
  androidKeyAlias = "myfirstapp";
  androidKeyStorePassword = "secret";

  xcodeBaseDir = "/Applications/Xcode.app";
  xcodewrapperArgs = {
    version = "9.3";
  };
  iosMobileProvisioningProfile = ./myprovisioning.profile;
  iosCertificateName = "My Company";
  iosCertificate = ./mycertificate.p12;
  iosCertificatePassword = "secret";
  iosVersion = "11.3";
  iosBuildStore = false;

  enableWirelessDistribution = true;
  installURL = "/installipa.php";
}

The titaniumenv.buildApp {} function takes the following parameters:

  • The name parameter refers to the name in the Nix store.

  • The src parameter refers to the source code location of the app that needs to be built.

  • preRebuild contains optional build instructions that are carried out before the build starts.

  • target indicates for which device the app must be built. Currently only ‘android’ and ‘iphone’ (for iOS) are supported.

  • tiVersion can be used to optionally override the requested Titanium version in tiapp.xml. If not specified, it will use the version in tiapp.xml.

  • release should be set to true when building an app for submission to the Google Playstore or Apple Appstore. Otherwise, it should be false.

When the target has been set to android, we can configure the following parameters:

  • The androidSdkArgs parameter refers to an attribute set that propagates all parameters to the androidenv.composeAndroidPackages {} function. This can be used to install all relevant Android plugins that may be needed to perform the Android build. If no parameters are given, it will deploy the platform SDKs for API-levels 25 and 26 by default.

When the release parameter has been set to true, you need to provide parameters to sign the app:

  • androidKeyStore is the path to the keystore file

  • androidKeyAlias is the key alias

  • androidKeyStorePassword refers to the password to open the keystore file.

When the target has been set to iphone, we can configure the following parameters:

  • The xcodeBaseDir parameter refers to the location where Xcode has been installed. When none value is given, the above value is the default.

  • The xcodewrapperArgs parameter passes arbitrary parameters to the xcodeenv.composeXcodeWrapper {} function. This can, for example, be used to adjust the default version of Xcode.

When release has been set to true, you also need to provide the following parameters:

  • iosMobileProvisioningProfile refers to a mobile provisioning profile needed for signing.

  • iosCertificateName refers to the company name in the P12 certificate.

  • iosCertificate refers to the path to the P12 file.

  • iosCertificatePassword contains the password to open the P12 file.

  • iosVersion refers to the iOS SDK version to use. It defaults to the latest version.

  • iosBuildStore should be set to true when building for the Apple Appstore submission. For enterprise or ad-hoc builds it should be set to false.

When enableWirelessDistribution has been enabled, you must also provide the path of the PHP script (installURL) (that is included with the iOS build environment) to enable wireless ad-hoc installations.

Emulating or simulating the app

It is also possible to simulate the correspond iOS simulator build by using xcodeenv.simulateApp {} and emulate an Android APK by using androidenv.emulateApp {}.

Vim

Both Neovim and Vim can be configured to include your favorite plugins and additional libraries.

Loading can be deferred; see examples.

At the moment we support two different methods for managing plugins:

  • Vim packages (recommended)

  • vim-plug (vim only)

Right now two Vim packages are available: vim which has most features that require extra dependencies disabled and vim-full which has them configurable and enabled by default.

Note

vim_configurable is a deprecated alias for vim-full and refers to the fact that its build-time features are configurable. It has nothing to do with user configuration, and both the vim and vim-full packages can be customized as explained in the next section.

Custom configuration

Adding custom .vimrc lines can be done using the following code:

vim-full.customize {
  # `name` optionally specifies the name of the executable and package
  name = "vim-with-plugins";

  vimrcConfig.customRC = ''
    set hidden
  '';
}

This configuration is used when Vim is invoked with the command specified as name, in this case vim-with-plugins. You can also omit name to customize Vim itself. See the definition of vimUtils.makeCustomizable for all supported options.

For Neovim the configure argument can be overridden to achieve the same:

neovim.override {
  configure = {
    customRC = ''
      # here your custom configuration goes!
    '';
  };
}

If you want to use neovim-qt as a graphical editor, you can configure it by overriding Neovim in an overlay or passing it an overridden Neovim:

neovim-qt.override {
  neovim = neovim.override {
    configure = {
      customRC = ''
        # your custom configuration
      '';
    };
  };
}

Managing plugins with Vim packages

To store your plugins in Vim packages (the native Vim plugin manager, see :help packages) the following example can be used:

vim-full.customize {
  vimrcConfig.packages.myVimPackage = with pkgs.vimPlugins; {
    # loaded on launch
    start = [ youcompleteme fugitive ];
    # manually loadable by calling `:packadd $plugin-name`
    # however, if a Vim plugin has a dependency that is not explicitly listed in
    # opt that dependency will always be added to start to avoid confusion.
    opt = [ phpCompletion elm-vim ];
    # To automatically load a plugin when opening a filetype, add vimrc lines like:
    # autocmd FileType php :packadd phpCompletion
  };
}

myVimPackage is an arbitrary name for the generated package. You can choose any name you like. For Neovim the syntax is:

neovim.override {
  configure = {
    customRC = ''
      # here your custom configuration goes!
    '';
    packages.myVimPackage = with pkgs.vimPlugins; {
      # see examples below how to use custom packages
      start = [ ];
      # If a Vim plugin has a dependency that is not explicitly listed in
      # opt that dependency will always be added to start to avoid confusion.
      opt = [ ];
    };
  };
}

The resulting package can be added to packageOverrides in ~/.nixpkgs/config.nix to make it installable:

{
  packageOverrides = pkgs: with pkgs; {
    myVim = vim-full.customize {
      # `name` specifies the name of the executable and package
      name = "vim-with-plugins";
      # add here code from the example section
    };
    myNeovim = neovim.override {
      configure = {
      # add code from the example section here
      };
    };
  };
}

After that you can install your special grafted myVim or myNeovim packages.

What if your favourite Vim plugin isn’t already packaged?

If one of your favourite plugins isn’t packaged, you can package it yourself:

{ config, pkgs, ... }:

let
  easygrep = pkgs.vimUtils.buildVimPlugin {
    name = "vim-easygrep";
    src = pkgs.fetchFromGitHub {
      owner = "dkprice";
      repo = "vim-easygrep";
      rev = "d0c36a77cc63c22648e792796b1815b44164653a";
      hash = "sha256-bL33/S+caNmEYGcMLNCanFZyEYUOUmSsedCVBn4tV3g=";
    };
  };
in
{
  environment.systemPackages = [
    (
      pkgs.neovim.override {
        configure = {
          packages.myPlugins = with pkgs.vimPlugins; {
          start = [
            vim-go # already packaged plugin
            easygrep # custom package
          ];
          opt = [];
        };
        # ...
      };
     }
    )
  ];
}

If your package requires building specific parts, use instead pkgs.vimUtils.buildVimPlugin.

Specificities for some plugins

Treesitter

By default nvim-treesitter encourages you to download, compile and install the required Treesitter grammars at run time with :TSInstall. This works poorly on NixOS. Instead, to install the nvim-treesitter plugins with a set of precompiled grammars, you can use nvim-treesitter.withPlugins function:

(pkgs.neovim.override {
  configure = {
    packages.myPlugins = with pkgs.vimPlugins; {
      start = [
        (nvim-treesitter.withPlugins (
          plugins: with plugins; [
            nix
            python
          ]
        ))
      ];
    };
  };
})

To enable all grammars packaged in nixpkgs, use pkgs.vimPlugins.nvim-treesitter.withAllGrammars.

Managing plugins with vim-plug

To use vim-plug to manage your Vim plugins the following example can be used:

vim-full.customize {
  vimrcConfig.packages.myVimPackage = with pkgs.vimPlugins; {
    # loaded on launch
    plug.plugins = [ youcompleteme fugitive phpCompletion elm-vim ];
  };
}

Note: this is not possible anymore for Neovim.

Adding new plugins to nixpkgs

Nix expressions for Vim plugins are stored in pkgs/applications/editors/vim/plugins. For the vast majority of plugins, Nix expressions are automatically generated by running nix-shell -p vimPluginsUpdater --run vim-plugins-updater. This creates a generated.nix file based on the plugins listed in vim-plugin-names.

When the vim updater detects an nvim-treesitter update, it also runs nvim-treesitter/update.py $(nix-build -A vimPlugins.nvim-treesitter) to update the tree sitter grammars for nvim-treesitter.

Some plugins require overrides in order to function properly. Overrides are placed in overrides.nix. Overrides are most often required when a plugin requires some dependencies, or extra steps are required during the build process. For example deoplete-fish requires both deoplete-nvim and vim-fish, and so the following override was added:

{
  deoplete-fish = super.deoplete-fish.overrideAttrs(old: {
    dependencies = with super; [ deoplete-nvim vim-fish ];
  });
}

Sometimes plugins require an override that must be changed when the plugin is updated. This can cause issues when Vim plugins are auto-updated but the associated override isn’t updated. For these plugins, the override should be written so that it specifies all information required to install the plugin, and running nix-shell -p vimPluginsUpdater --run vim-plugins-updater doesn’t change the derivation for the plugin. Manually updating the override is required to update these types of plugins. An example of such a plugin is LanguageClient-neovim.

To add a new plugin, run nix-shell -p vimPluginsUpdater --run 'vim-plugins-updater add "[owner]/[name]"'. NOTE: This script automatically commits to your git repository. Be sure to check out a fresh branch before running.

Finally, there are some plugins that are also packaged in nodePackages because they have Javascript-related build steps, such as running webpack. Those plugins are not listed in vim-plugin-names or managed by vimPluginsUpdater at all, and are included separately in overrides.nix. Currently, all these plugins are related to the coc.nvim ecosystem of the Language Server Protocol integration with Vim/Neovim.

Testing Neovim plugins

nvimRequireCheck=MODULE is a simple test which checks if Neovim can requires the lua module MODULE without errors. This is often enough to catch missing dependencies.

This can be manually added through plugin definition overrides in the overrides.nix.

  gitsigns-nvim = super.gitsigns-nvim.overrideAttrs {
    dependencies = [ self.plenary-nvim ];
    nvimRequireCheck = "gitsigns";
  };

Plugin optional configuration

Some plugins require specific configuration to work. We choose not to patch those plugins but expose the necessary configuration under PLUGIN.passthru.initLua for neovim plugins. For instance, the unicode-vim plugin needs the path towards a unicode database so we expose the following snippet vim.g.Unicode_data_directory="${self.unicode-vim}/autoload/unicode" under vimPlugins.unicode-vim.passthru.initLua.

Updating plugins in nixpkgs

Run the update script with a GitHub API token that has at least public_repo access. Running the script without the token is likely to result in rate-limiting (429 errors). For steps on creating an API token, please refer to GitHub’s token documentation.

nix-shell -p vimPluginsUpdater --run 'vim-plugins-updater --github-token=mytoken' # or set GITHUB_API_TOKEN environment variable

Alternatively, set the number of processes to a lower count to avoid rate-limiting.


nix-shell -p vimPluginsUpdater --run 'vim-plugins-updater --proc 1'

How to maintain an out-of-tree overlay of vim plugins ?

You can use the updater script to generate basic packages out of a custom vim plugin list:

nix-shell -p vimPluginsUpdater --run vim-plugins-updater -i vim-plugin-names -o generated.nix --no-commit

with the contents of vim-plugin-names being for example:

repo,branch,alias
pwntester/octo.nvim,,

You can then reference the generated vim plugins via:

{
  myVimPlugins = pkgs.vimPlugins.extend (
    (pkgs.callPackage ./generated.nix {})
  );
}

Packages

This chapter contains information about how to use and maintain the Nix expressions for a number of specific packages, such as the Linux kernel or X.org.

Citrix Workspace

The Citrix Workspace App is a remote desktop viewer which provides access to XenDesktop installations.

Basic usage

The tarball archive needs to be downloaded manually, as the license agreements of the vendor for Citrix Workspace needs to be accepted first. Then run nix-prefetch-url file://$PWD/linuxx64-$version.tar.gz. With the archive available in the store, the package can be built and installed with Nix.

Citrix Self-service

The self-service is an application managing Citrix desktops and applications. Please note that this feature only works with at least citrix_workspace_20_06_0 and later versions.

In order to set this up, you first have to download the .cr file from the Netscaler Gateway. After that, you can configure the selfservice like this:

$ storebrowse -C ~/Downloads/receiverconfig.cr
$ selfservice

Custom certificates

The Citrix Workspace App in nixpkgs trusts several certificates from the Mozilla database by default. However, several companies using Citrix might require their own corporate certificate. On distros with imperative packaging, these certs can be stored easily in $ICAROOT, however this directory is a store path in nixpkgs. In order to work around this issue, the package provides a simple mechanism to add custom certificates without rebuilding the entire package using symlinkJoin:

with import <nixpkgs> { config.allowUnfree = true; };
let
  extraCerts = [
    ./custom-cert-1.pem
    ./custom-cert-2.pem # ...
  ];
in citrix_workspace.override { inherit extraCerts; }

darwin.linux-builder

Warning

By default, darwin.linux-builder uses a publicly-known private SSH host key (this is different from the SSH key used by the user that connects to the builder).

Given the intended use case for it (a Linux builder that runs on the same machine), this shouldn’t be an issue. However, if you plan to deviate from this use case in any way (e.g. by exposing this builder to remote machines), you should understand the security implications of doing so and take any appropriate measures.

darwin.linux-builder provides a way to bootstrap a Linux remote builder on a macOS machine.

This requires macOS version 12.4 or later.

The remote builder runs on host port 31022 by default. You can change it by overriding virtualisation.darwin-builder.hostPort. See the example.

You will also need to be a trusted user for your Nix installation. In other words, your /etc/nix/nix.conf should have something like:

extra-trusted-users = <your username goes here>

To launch the remote builder, run the following flake:

$ nix run nixpkgs#darwin.linux-builder

That will prompt you to enter your sudo password:

+ sudo --reset-timestamp /nix/store/…-install-credentials.sh ./keys
Password:

… so that it can install a private key used to ssh into the build server. After that the script will launch the virtual machine and automatically log you in as the builder user:

<<< Welcome to NixOS 22.11.20220901.1bd8d11 (aarch64) - ttyAMA0 >>>

Run 'nixos-help' for the NixOS manual.

nixos login: builder (automatic login)


[builder@nixos:~]$

Note: When you need to stop the VM, run shutdown now as the builder user.

To delegate builds to the remote builder, add the following options to your nix.conf file:

# - Replace ${ARCH} with either aarch64 or x86_64 to match your host machine
# - Replace ${MAX_JOBS} with the maximum number of builds (pick 4 if you're not sure)
builders = ssh-ng://builder@linux-builder ${ARCH}-linux /etc/nix/builder_ed25519 ${MAX_JOBS} - - - c3NoLWVkMjU1MTkgQUFBQUMzTnphQzFsWkRJMU5URTVBQUFBSUpCV2N4Yi9CbGFxdDFhdU90RStGOFFVV3JVb3RpQzVxQkorVXVFV2RWQ2Igcm9vdEBuaXhvcwo=

# Not strictly necessary, but this will reduce your disk utilization
builders-use-substitutes = true

To allow Nix to connect to a remote builder not running on port 22, you will also need to create a new file at /etc/ssh/ssh_config.d/100-linux-builder.conf:

Host linux-builder
  Hostname localhost
  HostKeyAlias linux-builder
  Port 31022

… and then restart your Nix daemon to apply the change:

$ sudo launchctl kickstart -k system/org.nixos.nix-daemon

Example flake usage

{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-22.11-darwin";
    darwin.url = "github:lnl7/nix-darwin/master";
    darwin.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, darwin, nixpkgs, ... }@inputs:
  let

    inherit (darwin.lib) darwinSystem;
    system = "aarch64-darwin";
    pkgs = nixpkgs.legacyPackages."${system}";
    linuxSystem = builtins.replaceStrings [ "darwin" ] [ "linux" ] system;

    darwin-builder = nixpkgs.lib.nixosSystem {
      system = linuxSystem;
      modules = [
        "${nixpkgs}/nixos/modules/profiles/nix-builder-vm.nix"
        { virtualisation = {
            host.pkgs = pkgs;
            darwin-builder.workingDirectory = "/var/lib/darwin-builder";
            darwin-builder.hostPort = 22;
          };
        }
      ];
    };
  in {

    darwinConfigurations = {
      machine1 = darwinSystem {
        inherit system;
        modules = [
          {
            nix.distributedBuilds = true;
            nix.buildMachines = [{
              hostName = "localhost";
              sshUser = "builder";
              sshKey = "/etc/nix/builder_ed25519";
              system = linuxSystem;
              maxJobs = 4;
              supportedFeatures = [ "kvm" "benchmark" "big-parallel" ];
            }];

            launchd.daemons.darwin-builder = {
              command = "${darwin-builder.config.system.build.macos-builder-installer}/bin/create-builder";
              serviceConfig = {
                KeepAlive = true;
                RunAtLoad = true;
                StandardOutPath = "/var/log/darwin-builder.log";
                StandardErrorPath = "/var/log/darwin-builder.log";
              };
            };
          }
        ];
      };
    };

  };
}

Reconfiguring the remote builder

Initially you should not change the remote builder configuration else you will not be able to use the binary cache. However, after you have the remote builder running locally you may use it to build a modified remote builder with additional storage or memory.

To do this, you just need to set the virtualisation.darwin-builder.* parameters as in the example below and rebuild.

  {
    darwin-builder = nixpkgs.lib.nixosSystem {
      system = linuxSystem;
      modules = [
        "${nixpkgs}/nixos/modules/profiles/nix-builder-vm.nix"
        {
          virtualisation.host.pkgs = pkgs;
          virtualisation.darwin-builder.diskSize = 5120;
          virtualisation.darwin-builder.memorySize = 1024;
          virtualisation.darwin-builder.hostPort = 33022;
          virtualisation.darwin-builder.workingDirectory = "/var/lib/darwin-builder";
        }
      ];
    };
  }

You may make any other changes to your VM in this attribute set. For example, you could enable Docker or X11 forwarding to your Darwin host.

Troubleshooting the generated configuration

The linux-builder package exposes the attributes nixosConfig and nixosOptions that allow you to inspect the generated NixOS configuration in the nix repl. For example:

$ nix repl --file ~/src/nixpkgs --argstr system aarch64-darwin

nix-repl> darwin.linux-builder.nixosConfig.nix.package
«derivation /nix/store/...-nix-2.17.0.drv»

nix-repl> :p darwin.linux-builder.nixosOptions.virtualisation.memorySize.definitionsWithLocations
[ { file = "/home/user/src/nixpkgs/nixos/modules/profiles/nix-builder-vm.nix"; value = 3072; } ]

DLib

DLib is a modern, C++-based toolkit which provides several machine learning algorithms.

Compiling without AVX support

Especially older CPUs don’t support AVX (Advanced Vector Extensions) instructions that are used by DLib to optimize their algorithms.

On the affected hardware errors like Illegal instruction will occur. In those cases AVX support needs to be disabled:

self: super: { dlib = super.dlib.override { avxSupport = false; }; }

Eclipse

The Nix expressions related to the Eclipse platform and IDE are in pkgs/applications/editors/eclipse.

Nixpkgs provides a number of packages that will install Eclipse in its various forms. These range from the bare-bones Eclipse Platform to the more fully featured Eclipse SDK or Scala-IDE packages and multiple version are often available. It is possible to list available Eclipse packages by issuing the command:

$ nix-env -f '<nixpkgs>' -qaP -A eclipses --description

Once an Eclipse variant is installed, it can be run using the eclipse command, as expected. From within Eclipse, it is then possible to install plugins in the usual manner by either manually specifying an Eclipse update site or by installing the Marketplace Client plugin and using it to discover and install other plugins. This installation method provides an Eclipse installation that closely resemble a manually installed Eclipse.

If you prefer to install plugins in a more declarative manner, then Nixpkgs also offer a number of Eclipse plugins that can be installed in an Eclipse environment. This type of environment is created using the function eclipseWithPlugins found inside the nixpkgs.eclipses attribute set. This function takes as argument { eclipse, plugins ? [], jvmArgs ? [] } where eclipse is a one of the Eclipse packages described above, plugins is a list of plugin derivations, and jvmArgs is a list of arguments given to the JVM running the Eclipse. For example, say you wish to install the latest Eclipse Platform with the popular Eclipse Color Theme plugin and also allow Eclipse to use more RAM. You could then add:

{
  packageOverrides = pkgs: {
    myEclipse = with pkgs.eclipses; eclipseWithPlugins {
      eclipse = eclipse-platform;
      jvmArgs = [ "-Xmx2048m" ];
      plugins = [ plugins.color-theme ];
    };
  };
}

to your Nixpkgs configuration (~/.config/nixpkgs/config.nix) and install it by running nix-env -f '<nixpkgs>' -iA myEclipse and afterward run Eclipse as usual. It is possible to find out which plugins are available for installation using eclipseWithPlugins by running:

$ nix-env -f '<nixpkgs>' -qaP -A eclipses.plugins --description

If there is a need to install plugins that are not available in Nixpkgs then it may be possible to define these plugins outside Nixpkgs using the buildEclipseUpdateSite and buildEclipsePlugin functions found in the nixpkgs.eclipses.plugins attribute set. Use the buildEclipseUpdateSite function to install a plugin distributed as an Eclipse update site. This function takes { name, src } as argument, where src indicates the Eclipse update site archive. All Eclipse features and plugins within the downloaded update site will be installed. When an update site archive is not available, then the buildEclipsePlugin function can be used to install a plugin that consists of a pair of feature and plugin JARs. This function takes an argument { name, srcFeature, srcPlugin } where srcFeature and srcPlugin are the feature and plugin JARs, respectively.

Expanding the previous example with two plugins using the above functions, we have:

{
  packageOverrides = pkgs: {
    myEclipse = with pkgs.eclipses; eclipseWithPlugins {
      eclipse = eclipse-platform;
      jvmArgs = [ "-Xmx2048m" ];
      plugins = [
        plugins.color-theme
        (plugins.buildEclipsePlugin {
          name = "myplugin1-1.0";
          srcFeature = fetchurl {
            url = "http://…/features/myplugin1.jar";
            hash = "sha256-123…";
          };
          srcPlugin = fetchurl {
            url = "http://…/plugins/myplugin1.jar";
            hash = "sha256-123…";
          };
        })
        (plugins.buildEclipseUpdateSite {
          name = "myplugin2-1.0";
          src = fetchurl {
            stripRoot = false;
            url = "http://…/myplugin2.zip";
            hash = "sha256-123…";
          };
        })
      ];
    };
  };
}

Elm

To start a development environment, run:

nix-shell -p elmPackages.elm elmPackages.elm-format

To update the Elm compiler, see nixpkgs/pkgs/development/compilers/elm/README.md.

To package Elm applications, read about elm2nix.

Emacs

Configuring Emacs

The Emacs package comes with some extra helpers to make it easier to configure. emacs.pkgs.withPackages allows you to manage packages from ELPA. This means that you will not have to install that packages from within Emacs. For instance, if you wanted to use company counsel, flycheck, ivy, magit, projectile, and use-package you could use this as a ~/.config/nixpkgs/config.nix override:

{
  packageOverrides = pkgs: with pkgs; {
    myEmacs = emacs.pkgs.withPackages (epkgs: (with epkgs.melpaStablePackages; [
      company
      counsel
      flycheck
      ivy
      magit
      projectile
      use-package
    ]));
  };
}

You can install it like any other packages via nix-env -iA myEmacs. However, this will only install those packages. It will not configure them for us. To do this, we need to provide a configuration file. Luckily, it is possible to do this from within Nix! By modifying the above example, we can make Emacs load a custom config file. The key is to create a package that provides a default.el file in /share/emacs/site-start/. Emacs knows to load this file automatically when it starts.

{
  packageOverrides = pkgs: with pkgs; rec {
    myEmacsConfig = writeText "default.el" ''
      (eval-when-compile
        (require 'use-package))

      ;; load some packages

      (use-package company
        :bind ("<C-tab>" . company-complete)
        :diminish company-mode
        :commands (company-mode global-company-mode)
        :defer 1
        :config
        (global-company-mode))

      (use-package counsel
        :commands (counsel-descbinds)
        :bind (([remap execute-extended-command] . counsel-M-x)
               ("C-x C-f" . counsel-find-file)
               ("C-c g" . counsel-git)
               ("C-c j" . counsel-git-grep)
               ("C-c k" . counsel-ag)
               ("C-x l" . counsel-locate)
               ("M-y" . counsel-yank-pop)))

      (use-package flycheck
        :defer 2
        :config (global-flycheck-mode))

      (use-package ivy
        :defer 1
        :bind (("C-c C-r" . ivy-resume)
               ("C-x C-b" . ivy-switch-buffer)
               :map ivy-minibuffer-map
               ("C-j" . ivy-call))
        :diminish ivy-mode
        :commands ivy-mode
        :config
        (ivy-mode 1))

      (use-package magit
        :defer
        :if (executable-find "git")
        :bind (("C-x g" . magit-status)
               ("C-x G" . magit-dispatch-popup))
        :init
        (setq magit-completing-read-function 'ivy-completing-read))

      (use-package projectile
        :commands projectile-mode
        :bind-keymap ("C-c p" . projectile-command-map)
        :defer 5
        :config
        (projectile-global-mode))
    '';

    myEmacs = emacs.pkgs.withPackages (epkgs: (with epkgs.melpaStablePackages; [
      (runCommand "default.el" {} ''
         mkdir -p $out/share/emacs/site-lisp
         cp ${myEmacsConfig} $out/share/emacs/site-lisp/default.el
       '')
      company
      counsel
      flycheck
      ivy
      magit
      projectile
      use-package
    ]));
  };
}

This provides a fairly full Emacs start file. It will load in addition to the user’s personal config. You can always disable it by passing -q to the Emacs command.

Sometimes emacs.pkgs.withPackages is not enough, as this package set has some priorities imposed on packages (with the lowest priority assigned to GNU-devel ELPA, and the highest for packages manually defined in pkgs/applications/editors/emacs/elisp-packages/manual-packages). But you can’t control these priorities when some package is installed as a dependency. You can override it on a per-package-basis, providing all the required dependencies manually, but it’s tedious and there is always a possibility that an unwanted dependency will sneak in through some other package. To completely override such a package, you can use overrideScope.

let
  overrides = self: super: rec {
    haskell-mode = self.melpaPackages.haskell-mode;
    # ...
  };
in
((emacsPackagesFor emacs).overrideScope overrides).withPackages
  (p: with p; [
    # here both these package will use haskell-mode of our own choice
    ghc-mod
    dante
  ])

}

Firefox

Build wrapped Firefox with extensions and policies

The wrapFirefox function allows to pass policies, preferences and extensions that are available to Firefox. With the help of fetchFirefoxAddon this allows to build a Firefox version that already comes with add-ons pre-installed:

{
  # Nix firefox addons only work with the firefox-esr package.
  myFirefox = wrapFirefox firefox-esr-unwrapped {
    nixExtensions = [
      (fetchFirefoxAddon {
        name = "ublock"; # Has to be unique!
        url = "https://addons.mozilla.org/firefox/downloads/file/3679754/ublock_origin-1.31.0-an+fx.xpi";
        hash = "sha256-2e73AbmYZlZXCP5ptYVcFjQYdjDp4iPoEPEOSCVF5sA=";
      })
    ];

    extraPolicies = {
      CaptivePortal = false;
      DisableFirefoxStudies = true;
      DisablePocket = true;
      DisableTelemetry = true;
      DisableFirefoxAccounts = true;
      FirefoxHome = {
        Pocket = false;
        Snippets = false;
      };
      UserMessaging = {
        ExtensionRecommendations = false;
        SkipOnboarding = true;
      };
      SecurityDevices = {
        # Use a proxy module rather than `nixpkgs.config.firefox.smartcardSupport = true`
        "PKCS#11 Proxy Module" = "${pkgs.p11-kit}/lib/p11-kit-proxy.so";
      };
    };

    extraPrefs = ''
      // Show more ssl cert infos
      lockPref("security.identityblock.show_extended_validation", true);
    '';
  };
}

If nixExtensions != null, then all manually installed add-ons will be uninstalled from your browser profile. To view available enterprise policies, visit enterprise policies or type into the Firefox URL bar: about:policies#documentation. Nix installed add-ons do not have a valid signature, which is why signature verification is disabled. This does not compromise security because downloaded add-ons are checksummed and manual add-ons can’t be installed. Also, make sure that the name field of fetchFirefoxAddon is unique. If you remove an add-on from the nixExtensions array, rebuild and start Firefox: the removed add-on will be completely removed with all of its settings.

Troubleshooting

If add-ons are marked as broken or the signature is invalid, make sure you have Firefox ESR installed. Normal Firefox does not provide the ability anymore to disable signature verification for add-ons thus nix add-ons get disabled by the normal Firefox binary.

If add-ons do not appear installed despite being defined in your nix configuration file, reset the local add-on state of your Firefox profile by clicking Help -> More Troubleshooting Information -> Refresh Firefox. This can happen if you switch from manual add-on mode to nix add-on mode and then back to manual mode and then again to nix add-on mode.

Fish

Fish is a “smart and user-friendly command line shell” with support for plugins.

Vendor Fish scripts

Any package may ship its own Fish completions, configuration snippets, and functions. Those should be installed to $out/share/fish/vendor_{completions,conf,functions}.d respectively.

When the programs.fish.enable and programs.fish.vendor.{completions,config,functions}.enable options from the NixOS Fish module are set to true, those paths are symlinked in the current system environment and automatically loaded by Fish.

Packaging Fish plugins

While packages providing standalone executables belong to the top level, packages which have the sole purpose of extending Fish belong to the fishPlugins scope and should be registered in pkgs/shells/fish/plugins/default.nix.

The buildFishPlugin utility function can be used to automatically copy Fish scripts from $src/{completions,conf,conf.d,functions} to the standard vendor installation paths. It also sets up the test environment so that the optional checkPhase is executed in a Fish shell with other already packaged plugins and package-local Fish functions specified in checkPlugins and checkFunctionDirs respectively.

See pkgs/shells/fish/plugins/pure.nix for an example of Fish plugin package using buildFishPlugin and running unit tests with the fishtape test runner.

Fish wrapper

The wrapFish package is a wrapper around Fish which can be used to create Fish shells initialized with some plugins as well as completions, configuration snippets and functions sourced from the given paths. This provides a convenient way to test Fish plugins and scripts without having to alter the environment.

wrapFish {
  pluginPkgs = with fishPlugins; [ pure foreign-env ];
  completionDirs = [];
  functionDirs = [];
  confDirs = [ "/path/to/some/fish/init/dir/" ];
}

FUSE

Some packages rely on FUSE to provide support for additional filesystems not supported by the kernel.

In general, FUSE software are primarily developed for Linux but many of them can also run on macOS. Nixpkgs supports FUSE packages on macOS, but it requires macFUSE to be installed outside of Nix. macFUSE currently isn’t packaged in Nixpkgs mainly because it includes a kernel extension, which isn’t supported by Nix outside of NixOS.

If a package fails to run on macOS with an error message similar to the following, it’s a likely sign that you need to have macFUSE installed.

dyld: Library not loaded: /usr/local/lib/libfuse.2.dylib
Referenced from: /nix/store/w8bi72bssv0bnxhwfw3xr1mvn7myf37x-sshfs-fuse-2.10/bin/sshfs
Reason: image not found
[1]    92299 abort      /nix/store/w8bi72bssv0bnxhwfw3xr1mvn7myf37x-sshfs-fuse-2.10/bin/sshfs

Package maintainers may often encounter the following error when building FUSE packages on macOS:

checking for fuse.h... no
configure: error: No fuse.h found.

This happens on autoconf based projects that use AC_CHECK_HEADERS or AC_CHECK_LIBS to detect libfuse, and will occur even when the fuse package is included in buildInputs. It happens because libfuse headers throw an error on macOS if the FUSE_USE_VERSION macro is undefined. Many projects do define FUSE_USE_VERSION, but only inside C source files. This results in the above error at configure time because the configure script would attempt to compile sample FUSE programs without defining FUSE_USE_VERSION.

There are two possible solutions for this problem in Nixpkgs:

  1. Pass FUSE_USE_VERSION to the configure script by adding CFLAGS=-DFUSE_USE_VERSION=25 in configureFlags. The actual value would have to match the definition used in the upstream source code.

  2. Remove AC_CHECK_HEADERS / AC_CHECK_LIBS for libfuse.

However, a better solution might be to fix the build script upstream to use PKG_CHECK_MODULES instead. This approach wouldn’t suffer from the problem that AC_CHECK_HEADERS/AC_CHECK_LIBS has at the price of introducing a dependency on pkg-config.

Geant4

Geant4 is a toolkit for simulating how particles pass through matter. It is available through the geant4 package.

Setup hook

The setup hook included in the package applies the environment variables set by the geant4.sh script, which is typically necessary for compiling make-based programs that depend on Geant4.

Datasets

All of the Geant4 datasets provided by CERN are available through the geant4.data attrset.

Setup hook

The hook provided by the packages in geant4.data will set an appropriate environment variable in the form of G4[...]DATA. For example, for the G4RadioactiveDecay dataset, the G4RADIOACTIVEDATA environment variable is set to the value expected by Geant4.

ibus-engines.typing-booster

This package is an ibus-based completion method to speed up typing.

Activating the engine

IBus needs to be configured accordingly to activate typing-booster. The configuration depends on the desktop manager in use. For detailed instructions, please refer to the upstream docs.

On NixOS, you need to explicitly enable ibus with given engines before customizing your desktop to use typing-booster. This can be achieved using the ibus module:

{ pkgs, ... }: {
  i18n.inputMethod = {
    enable = true;
    type = "ibus";
    ibus.engines = with pkgs.ibus-engines; [ typing-booster ];
  };
}

Using custom hunspell dictionaries

The IBus engine is based on hunspell to support completion in many languages. By default, the dictionaries de-de, en-us, fr-moderne es-es, it-it, sv-se and sv-fi are in use. To add another dictionary, the package can be overridden like this:

ibus-engines.typing-booster.override { langs = [ "de-at" "en-gb" ]; }

Note: each language passed to langs must be an attribute name in pkgs.hunspellDicts.

Built-in emoji picker

The ibus-engines.typing-booster package contains a program named emoji-picker. To display all emojis correctly, a special font such as noto-fonts-color-emoji is needed:

On NixOS, it can be installed using the following expression:

{ pkgs, ... }: {
  fonts.packages = with pkgs; [ noto-fonts-color-emoji ];
}

Kakoune

Kakoune can be built to autoload plugins:

(kakoune.override {
  plugins = with pkgs.kakounePlugins; [ parinfer-rust ];
})

Krita

Python plugins

“pykrita” plugins should be installed following Krita’s manual. This generally involves extracting the extension to ~/.local/share/krita/pykrita/.

Binary plugins

Binary plugins are Dynamically Linked Libraries to be loaded by Krita.

Note: You most likely won’t need to deal with binary plugins, all known plugins are bundled and enabled by default.

Installing binary plugins

You can choose what plugins are added to Krita by overriding the binaryPlugins attribute.

If you want to add plugins instead of replacing, you can read the list of previous plugins via pkgs.krita.binaryPlugins:

(pkgs.krita.override (old: {
    binaryPlugins = old.binaryPlugins ++ [ your-plugin ];
}))

Example structure of a binary plugin

/nix/store/00000000000000000000000000000000-krita-plugin-example-1.2.3
└── lib
   └── kritaplugins
      └── krita_example.so

Linux kernel

The Nix expressions to build the Linux kernel are in pkgs/os-specific/linux/kernel.

The function pkgs.buildLinux builds a kernel with common configuration values. This is the preferred option unless you have a very specific use case. Most kernels packaged in Nixpkgs are built that way, and it will also generate kernels suitable for NixOS. pkgs.linuxManualConfig requires a complete configuration to be passed. It has fewer additional features than pkgs.buildLinux, which provides common configuration values and exposes the features attribute, as explained below.

Both functions have an argument kernelPatches which should be a list of {name, patch, extraConfig} attribute sets, where name is the name of the patch (which is included in the kernel’s meta.description attribute), patch is the patch itself (possibly compressed), and extraConfig (optional) is a string specifying extra options to be concatenated to the kernel configuration file (.config).

The kernel derivation created with pkgs.buildLinux exports an attribute features specifying whether optional functionality is or isn’t enabled. This is used in NixOS to implement kernel-specific behaviour.

If you are using a kernel packaged in Nixpkgs, you can customize it by overriding its arguments. For details on how each argument affects the generated kernel, refer to the pkgs.buildLinux source code.

Example 338. Overriding the kernel derivation

Assuming you are using the kernel from pkgs.linux_latest:

pkgs.linux_latest.override {
  ignoreConfigErrors = true;
  autoModules = false;
  kernelPreferBuiltin = true;
  extraStructuredConfig = with lib.kernel; {
    DEBUG_KERNEL = yes;
    FRAME_POINTER = yes;
    KGDB = yes;
    KGDB_SERIAL_CONSOLE = yes;
    DEBUG_INFO = yes;
  };
}

Manual kernel configuration

Sometimes it may not be desirable to use kernels built with pkgs.buildLinux, especially if most of the common configuration has to be altered or disabled to achieve a kernel as expected by the target use case. An example of this is building a kernel for use in a VM or micro VM. You can use pkgs.linuxPackages_custom in these cases. It requires the src, version, and configfile attributes to be specified.

Example 339. Using pkgs.linuxPackages_custom with a specific source, version, and config file
{ pkgs, ... }:
pkgs.linuxPackages_custom {
  version = "6.1.55";
  src = pkgs.fetchurl {
    url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${version}.tar.xz";
    hash = "sha256-qH4kHsFdU0UsTv4hlxOjdp2IzENrW5jPbvsmLEr/FcA=";
  };
  configfile = ./path_to_config_file;
}

If necessary, the version string can be slightly modified to explicitly mark it as a custom version. If you do so, ensure the modDirVersion attribute matches the source’s version, otherwise the build will fail.

{ pkgs, ... }:
pkgs.linuxPackages_custom {
  version = "6.1.55-custom";
  modDirVersion = "6.1.55";
  src = pkgs.fetchurl {
    url = "https://cdn.kernel.org/pub/linux/kernel/v6.x/linux-${modDirVersion}.tar.xz";
    hash = "sha256-qH4kHsFdU0UsTv4hlxOjdp2IzENrW5jPbvsmLEr/FcA=";
  };
  configfile = ./path_to_config_file;
}

Additional attributes can be used with linuxManualConfig for further customisation instead of linuxPackages_custom. You’re encouraged to read the pkgs.linuxManualConfig source code to understand how to use them.

To edit the .config file for Linux X.Y from within Nix, proceed as follows:

$ nix-shell '<nixpkgs>' -A linuxKernel.kernels.linux_X_Y.configEnv
$ unpackPhase
$ cd linux-*
$ make nconfig

Developing kernel modules

When developing kernel modules it’s often convenient to run the edit-compile-run loop as quickly as possible. See the snippet below as an example.

Example 340. Edit-compile-run loop when developing mellanox drivers
$ nix-build '<nixpkgs>' -A linuxPackages.kernel.dev
$ nix-shell '<nixpkgs>' -A linuxPackages.kernel
$ unpackPhase
$ cd linux-*
$ make -C $dev/lib/modules/*/build M=$(pwd)/drivers/net/ethernet/mellanox modules
# insmod ./drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.ko

LHAPDF

LHAPDF is a tool for evaluating parton distribution functions (PDFs) in high-energy physics. LHAPDF is available in the lhapdf package.

PDF sets

All of the PDF sets made available by the LHAPDF project are available through the lhapdf.pdf_sets attrset.

Setup hook

Each package provided in the lhapdf.pdf_sets attrset contains a setup hook which adds itself to the LHAPDF_DATA_PATH environment variable.

Locales

To allow simultaneous use of packages linked against different versions of glibc with different locale archive formats, Nixpkgs patches glibc to rely on LOCALE_ARCHIVE environment variable.

On non-NixOS distributions, this variable is obviously not set. This can cause regressions in language support or even crashes in some Nixpkgs-provided programs. The simplest way to mitigate this problem is exporting the LOCALE_ARCHIVE variable pointing to ${glibcLocales}/lib/locale/locale-archive. The drawback (and the reason this is not the default) is the relatively large (a hundred MiB) size of the full set of locales. It is possible to build a custom set of locales by overriding parameters allLocales and locales of the package.

/etc files

Certain calls in glibc require access to runtime files found in /etc such as /etc/protocols or /etc/servicesgetprotobyname is one such function.

On non-NixOS distributions these files are typically provided by packages (i.e., netbase) if not already pre-installed in your distribution. This can cause non-reproducibility for code if they rely on these files being present.

If iana-etc is part of your buildInputs, then it will set the environment variables NIX_ETC_PROTOCOLS and NIX_ETC_SERVICES to the corresponding files in the package through a setup hook.

> nix-shell -p iana-etc

[nix-shell:~]$ env | grep NIX_ETC
NIX_ETC_SERVICES=/nix/store/aj866hr8fad8flnggwdhrldm0g799ccz-iana-etc-20210225/etc/services
NIX_ETC_PROTOCOLS=/nix/store/aj866hr8fad8flnggwdhrldm0g799ccz-iana-etc-20210225/etc/protocols

Nixpkg’s version of glibc has been patched to check for the existence of these environment variables. If the environment variables are not set, then it will attempt to find the files at the default location within /etc.

Nginx

Nginx is a reverse proxy and lightweight webserver.

ETags on static files served from the Nix store

HTTP has a couple of different mechanisms for caching to prevent clients from having to download the same content repeatedly if a resource has not changed since the last time it was requested. When nginx is used as a server for static files, it implements the caching mechanism based on the Last-Modified response header automatically; unfortunately, it works by using filesystem timestamps to determine the value of the Last-Modified header. This doesn’t give the desired behavior when the file is in the Nix store because all file timestamps are set to 0 (for reasons related to build reproducibility).

Fortunately, HTTP supports an alternative (and more effective) caching mechanism: the ETag response header. The value of the ETag header specifies some identifier for the particular content that the server is sending (e.g., a hash). When a client makes a second request for the same resource, it sends that value back in an If-None-Match header. If the ETag value is unchanged, then the server does not need to resend the content.

The nginx package in Nixpkgs is patched such that when nginx serves a file out of /nix/store, the hash in the store path is used as the ETag header in the HTTP response, thus providing proper caching functionality. With NixOS 24.05 and later, the ETag additionally includes the response content length, to ensure files served with static compression do not share ETags with their uncompressed version. This ETag functionality is enabled automatically; you do not need to do modify any configuration to get this behavior.

OpenGL

OpenGL support varies depending on which hardware is used and which drivers are available and loaded.

Broadly, we support both GL vendors: Mesa and NVIDIA.

NixOS Desktop

The NixOS desktop or other non-headless configurations are the primary target for OpenGL libraries and applications. The current solution for discovering which drivers are available is based on libglvnd. libglvnd performs “vendor-neutral dispatch”, trying a variety of techniques to find the system’s GL implementation. In practice, this will be either via standard GLX for X11 users or EGL for Wayland users, and supporting either NVIDIA or Mesa extensions.

Nix on GNU/Linux

If you are using a non-NixOS GNU/Linux/X11 desktop with free software video drivers, consider launching OpenGL-dependent programs from Nixpkgs with Nixpkgs versions of libglvnd and mesa.drivers in LD_LIBRARY_PATH. For Mesa drivers, the Linux kernel version doesn’t have to match nixpkgs.

For proprietary video drivers, you might have luck with also adding the corresponding video driver package.

Interactive shell helpers

Some packages provide the shell integration to be more useful. But unlike other systems, nix doesn’t have a standard share directory location. This is why a bunch PACKAGE-share scripts are shipped that print the location of the corresponding shared folder. Current list of such packages is as following:

  • fzf : fzf-share

E.g. fzf can then be used in the .bashrc like this:

source "$(fzf-share)/completion.bash"
source "$(fzf-share)/key-bindings.bash"

Steam

Steam in Nix

Steam is distributed as a .deb file, for now only as an i686 package (the amd64 package only has documentation). When unpacked, it has a script called steam that in Ubuntu (their target distro) would go to /usr/bin. When run for the first time, this script copies some files to the user’s home, which include another script that is the ultimate responsible for launching the steam binary, which is also in $HOME.

Nix problems and constraints:

  • We don’t have /bin/bash and many scripts point there. Same thing for /usr/bin/python.

  • We don’t have the dynamic loader in /lib.

  • The steam.sh script in $HOME cannot be patched, as it is checked and rewritten by steam.

  • The steam binary cannot be patched, it’s also checked.

The current approach to deploy Steam in NixOS is composing a FHS-compatible chroot environment, as documented here. This allows us to have binaries in the expected paths without disrupting the system, and to avoid patching them to work in a non FHS environment.

How to play

Use programs.steam.enable = true; if you want to add steam to systemPackages and also enable a few workarounds as well as Steam controller support or other Steam supported controllers such as the DualShock 4 or Nintendo Switch Pro Controller.

Troubleshooting

  • Steam fails to start. What do I do?

    Try to run

    strace steam
    

    to see what is causing steam to fail.

  • Using the FOSS Radeon or nouveau (nvidia) drivers

    • Steam ships statically linked with a version of libcrypto that conflicts with the one dynamically loaded by radeonsi_dri.so. If you get the error:

      steam.sh: line 713: 7842 Segmentation fault (core dumped)
      

      have a look at this pull request.

steam-run

The FHS-compatible chroot used for Steam can also be used to run other Linux games that expect a FHS environment. To use it, install the steam-run package and run the game with:

steam-run ./foo

Cataclysm: Dark Days Ahead

How to install Cataclysm DDA

To install the latest stable release of Cataclysm DDA to your profile, execute nix-env -f "<nixpkgs>" -iA cataclysm-dda. For the curses build (build without tiles), install cataclysmDDA.stable.curses. Note: cataclysm-dda is an alias to cataclysmDDA.stable.tiles.

If you like access to a development build of your favorite git revision, override cataclysm-dda-git (or cataclysmDDA.git.curses if you like curses build):

cataclysm-dda-git.override {
  version = "YYYY-MM-DD";
  rev = "YOUR_FAVORITE_REVISION";
  sha256 = "CHECKSUM_OF_THE_REVISION";
}

The sha256 checksum can be obtained by

nix-prefetch-url --unpack "https://github.com/CleverRaven/Cataclysm-DDA/archive/${YOUR_FAVORITE_REVISION}.tar.gz"

The default configuration directory is ~/.cataclysm-dda. If you prefer $XDG_CONFIG_HOME/cataclysm-dda, override the derivation:

cataclysm-dda.override {
  useXdgDir = true;
}

Important note for overriding packages

After applying overrideAttrs, you need to fix passthru.pkgs and passthru.withMods attributes either manually or by using attachPkgs:

let
  # You enabled parallel building.
  myCDDA = cataclysm-dda-git.overrideAttrs (_: {
    enableParallelBuilding = true;
  });

  # Unfortunately, this refers to the package before overriding and
  # parallel building is still disabled.
  badExample = myCDDA.withMods (_: []);

  inherit (cataclysmDDA) attachPkgs pkgs wrapCDDA;

  # You can fix it by hand
  goodExample1 = myCDDA.overrideAttrs (old: {
    passthru = old.passthru // {
      pkgs = pkgs.override { build = goodExample1; };
      withMods = wrapCDDA goodExample1;
    };
  });

  # or by using a helper function `attachPkgs`.
  goodExample2 = attachPkgs pkgs myCDDA;
in

# badExample                     # parallel building disabled
# goodExample1.withMods (_: [])  # parallel building enabled
goodExample2.withMods (_: [])    # parallel building enabled

Customizing with mods

To install Cataclysm DDA with mods of your choice, you can use withMods attribute:

cataclysm-dda.withMods (mods: with mods; [
  tileset.UndeadPeople
])

All mods, soundpacks, and tilesets available in nixpkgs are found in cataclysmDDA.pkgs.

Here is an example to modify existing mods and/or add more mods not available in nixpkgs:

let
  customMods = self: super: lib.recursiveUpdate super {
    # Modify existing mod
    tileset.UndeadPeople = super.tileset.UndeadPeople.overrideAttrs (old: {
      # If you like to apply a patch to the tileset for example
      patches = [ ./path/to/your.patch ];
    });

    # Add another mod
    mod.Awesome = cataclysmDDA.buildMod {
      modName = "Awesome";
      version = "0.x";
      src = fetchFromGitHub {
        owner = "Someone";
        repo = "AwesomeMod";
        rev = "...";
        hash = "...";
      };
      # Path to be installed in the unpacked source (default: ".")
      modRoot = "contents/under/this/path/will/be/installed";
    };

    # Add another soundpack
    soundpack.Fantastic = cataclysmDDA.buildSoundPack {
      # ditto
    };

    # Add another tileset
    tileset.SuperDuper = cataclysmDDA.buildTileSet {
      # ditto
    };
  };
in
cataclysm-dda.withMods (mods: with mods.extend customMods; [
  tileset.UndeadPeople
  mod.Awesome
  soundpack.Fantastic
  tileset.SuperDuper
])

Urxvt

Urxvt, also known as rxvt-unicode, is a highly customizable terminal emulator.

Configuring urxvt

In nixpkgs, urxvt is provided by the package rxvt-unicode. It can be configured to include your choice of plugins, reducing its closure size from the default configuration which includes all available plugins. To make use of this functionality, use an overlay or directly install an expression that overrides its configuration, such as:

rxvt-unicode.override {
  configure = { availablePlugins, ... }: {
    plugins = with availablePlugins; [ perls resize-font vtwheel ];
  };
}

If the configure function returns an attrset without the plugins attribute, availablePlugins will be used automatically.

In order to add plugins but also keep all default plugins installed, it is possible to use the following method:

rxvt-unicode.override {
  configure = { availablePlugins, ... }: {
    plugins = (builtins.attrValues availablePlugins) ++ [ custom-plugin ];
  };
}

To get a list of all the plugins available, open the Nix REPL and run

$ nix repl
:l <nixpkgs>
map (p: p.name) pkgs.rxvt-unicode.plugins

Alternatively, if your shell is bash or zsh and have completion enabled, type nixpkgs.rxvt-unicode.plugins.<tab>.

In addition to plugins the options extraDeps and perlDeps can be used to install extra packages. extraDeps can be used, for example, to provide xsel (a clipboard manager) to the clipboard plugin, without installing it globally:

rxvt-unicode.override {
  configure = { availablePlugins, ... }: {
    pluginsDeps = [ xsel ];
  };
}

perlDeps is a handy way to provide Perl packages to your custom plugins (in $HOME/.urxvt/ext). For example, if you need AnyEvent you can do:

rxvt-unicode.override {
  configure = { availablePlugins, ... }: {
    perlDeps = with perlPackages; [ AnyEvent ];
  };
}

Packaging urxvt plugins

Urxvt plugins resides in pkgs/applications/misc/rxvt-unicode-plugins. To add a new plugin, create an expression in a subdirectory and add the package to the set in pkgs/applications/misc/rxvt-unicode-plugins/default.nix.

A plugin can be any kind of derivation, the only requirement is that it should always install perl scripts in $out/lib/urxvt/perl. Look for existing plugins for examples.

If the plugin is itself a Perl package that needs to be imported from other plugins or scripts, add the following passthrough:

{
  passthru.perlPackages = [ "self" ];
}

This will make the urxvt wrapper pick up the dependency and set up the Perl path accordingly.

VCPKG

The vcpkg-tool package has a wrapper around the vcpkg executable to avoid writing to the nix store. The wrapper will also be present in vcpkg, unless you specify vcpkg.override { vcpkg-tool = vcpkg-tool-unwrapped; }

The wrapper has been made in a way so that it will provide default cli arguments, but tries not to interfere if the user provides the same arguments. The arguments also have corresponding environment variables that can be used as an alternative way of overriding these paths.

Run the wrapper with the environment variable NIX_VCPKG_DEBUG_PRINT_ENVVARS=true to get a full list of corresponding environment variables.

Nix specific environment variables

The wrapper also provides some new nix-specific environment variables that lets you control some of the wrapper functionality.

  • NIX_VCPKG_WRITABLE_PATH = <path>

    Set this environment variable to specify the path where vcpkg will store buildtime artifacts. This will become the base path for all of the other paths.

  • NIX_VCPKG_DEBUG_PRINT_ENVVARS = true | false

    Set this to true for the wrapper to print the corresponding environment variables for the arguments that will be provided to the unwrapped executable. The list of variables will be printed right before invoking vcpkg. This can be useful if you suspect that the wrapper for some reason was unable to prioritize user-provided cli args over its default ones, or for fixing other issues like typos or unexpanded environment variables.

WeeChat

WeeChat can be configured to include your choice of plugins, reducing its closure size from the default configuration which includes all available plugins. To make use of this functionality, install an expression that overrides its configuration, such as:

weechat.override {configure = ({availablePlugins, ...}: {
    plugins = with availablePlugins; [ python perl ];
  });
}

If the configure function returns an attrset without the plugins attribute, availablePlugins will be used automatically.

The plugins currently available are python, perl, ruby, guile, tcl and lua.

The Python and Perl plugins allows the addition of extra libraries. For instance, the inotify.py script in weechat-scripts requires D-Bus or libnotify, and the fish.py script requires pycrypto. To use these scripts, use the plugin’s withPackages attribute:

weechat.override { configure = {availablePlugins, ...}: {
    plugins = with availablePlugins; [
            (python.withPackages (ps: with ps; [ pycrypto python-dbus ]))
        ];
    };
}

In order to also keep all default plugins installed, it is possible to use the following method:

weechat.override { configure = { availablePlugins, ... }: {
  plugins = builtins.attrValues (availablePlugins // {
    python = availablePlugins.python.withPackages (ps: with ps; [ pycrypto python-dbus ]);
  });
}; }

WeeChat allows to set defaults on startup using the --run-command. The configure method can be used to pass commands to the program:

weechat.override {
  configure = { availablePlugins, ... }: {
    init = ''
      /set foo bar
      /server add libera irc.libera.chat
    '';
  };
}

Further values can be added to the list of commands when running weechat --run-command "your-commands".

Additionally, it’s possible to specify scripts to be loaded when starting weechat. These will be loaded before the commands from init:

weechat.override {
  configure = { availablePlugins, ... }: {
    scripts = with pkgs.weechatScripts; [
      weechat-xmpp weechat-matrix-bridge wee-slack
    ];
    init = ''
      /set plugins.var.python.jabber.key "val"
    '';
  };
}

In nixpkgs there’s a subpackage which contains derivations for WeeChat scripts. Such derivations expect a passthru.scripts attribute, which contains a list of all scripts inside the store path. Furthermore, all scripts have to live in $out/share. An exemplary derivation looks like this:

{ stdenv, fetchurl }:

stdenv.mkDerivation {
  name = "exemplary-weechat-script";
  src = fetchurl {
    url = "https://scripts.tld/your-scripts.tar.gz";
    hash = "...";
  };
  passthru.scripts = [ "foo.py" "bar.lua" ];
  installPhase = ''
    mkdir $out/share
    cp foo.py $out/share
    cp bar.lua $out/share
  '';
}

X.org

The Nix expressions for the X.org packages reside in pkgs/servers/x11/xorg/default.nix. This file is automatically generated from lists of tarballs in an X.org release. As such it should not be modified directly; rather, you should modify the lists, the generator script or the file pkgs/servers/x11/xorg/overrides.nix, in which you can override or add to the derivations produced by the generator.

Katamari Tarballs

X.org upstream releases used to include katamari releases, which included a holistic recommended version for each tarball, up until 7.7. To create a list of tarballs in a katamari release:

export release="X11R7.7"
export url="mirror://xorg/$release/src/everything/"
cat $(PRINT_PATH=1 nix-prefetch-url $url | tail -n 1) \
  | perl -e 'while (<>) { if (/(href|HREF)="([^"]*.bz2)"/) { print "$ENV{'url'}$2\n"; }; }' \
  | sort > "tarballs-$release.list"

Individual Tarballs

The upstream release process for X11R7.8 does not include a planned katamari. Instead, each component of X.org is released as its own tarball. We maintain pkgs/servers/x11/xorg/tarballs.list as a list of tarballs for each individual package. This list includes X.org core libraries and protocol descriptions, extra newer X11 interface libraries, like xorg.libxcb, and classic utilities which are largely unused but still available if needed, like xorg.imake.

Generating Nix Expressions

The generator is invoked as follows:

cd pkgs/servers/x11/xorg
<tarballs.list perl ./generate-expr-from-tarballs.pl

For each of the tarballs in the .list files, the script downloads it, unpacks it, and searches its configure.ac and *.pc.in files for dependencies. This information is used to generate default.nix. The generator caches downloaded tarballs between runs. Pay close attention to the NOT FOUND: $NAME messages at the end of the run, since they may indicate missing dependencies. (Some might be optional dependencies, however.)

Overriding the Generator

If the expression for a package requires derivation attributes that the generator cannot figure out automatically (say, patches or a postInstall hook), you should modify pkgs/servers/x11/xorg/overrides.nix.

Build Support

pkgs.substitute

pkgs.substitute is a wrapper around the substitute Bash function in the standard environment. It replaces strings in src as specified by the substitutions argument.

Example 341. Usage of pkgs.substitute

In a build script, the line:

substitute $infile $outfile --replace-fail @foo@ ${foopkg}/bin/foo

is equivalent to:

{ substitute, foopkg }:
substitute {
  src = ./sourcefile.txt;
  substitutions = [
    "--replace"
    "@foo@"
    "${foopkg}/bin/foo"
  ];
}

pkgs.substituteAll

pkgs.substituteAll substitutes all instances of @varName@ (@s included) in file src with the value of the corresponding environment variable. As this uses the [substituteAll] (#fun-substitute) function, its limitations regarding variable names that will or will not be replaced also apply here.

Example 342. Usage of pkgs.substituteAll

If say-goodbye.sh contains the following:

#! @bash@/bin/bash

echo @unchanged@
@hello@/bin/hello --greeting @greeting@

the following derivation will make substitutions to @bash@, @hello@, and @greeting@:

{
  substituteAll,
  bash,
  hello,
}:
substituteAll {
  src = ./say-goodbye.sh;
  env = {
    inherit bash hello;
    greeting = "goodbye";
  };
}

such that $out will result in something like the following:

#! /nix/store/s30jrpgav677fpc9yvkqsib70xfmx7xi-bash-5.2p26/bin/bash

echo @unchanged@
/nix/store/566f5isbvw014h7knmzmxa5l6hshx43k-hello-2.12.1/bin/hello --greeting goodbye

pkgs.substituteAllFiles

pkgs.substituteAllFiles replaces @varName@ with the value of the environment variable varName. It expects src to be a directory and requires a files argument that specifies which files will be subject to replacements; only these files will be placed in $out.

As it also uses the substituteAll function, it is subject to the same limitations on environment variables as discussed in pkgs.substituteAll.

Example 343. Usage of pkgs.substituteAllFiles

If the current directory contains {foo,bar,baz}.txt and the following default.nix

{ substituteAllFiles }:
substituteAllFiles {
  src = ./.;
  files = [
    "foo.txt"
    "bar.txt"
  ];
  hello = "there";
}

in the resulting derivation, every instance of @hello@ will be replaced with there in $out/foo.txt and $out/bar.txt; baz.txtwill not be processed nor will it appear in$out`.


Development of Nixpkgs

This section shows you how Nixpkgs is being developed and how you can interact with the contributors and the latest updates. If you are interested in contributing yourself, see CONTRIBUTING.md.

Table of Contents

Opening issues

Opening issues

Contributing to Nixpkgs

Quick Start to Adding a Package

This section has been moved to pkgs/README.md.

Coding conventions

This section has been moved to CONTRIBUTING.md.

Syntax

This section has been moved to CONTRIBUTING.md.

Package naming

This section has been moved to pkgs/README.md.

File naming and organisation

This section has been moved to CONTRIBUTING.md.

Versioning

This section has been moved to pkgs/README.md.

Fetching Sources

This section has been moved to pkgs/README.md.

Obtaining source hash

This section has been moved to pkgs/README.md.

Obtaining hashes securely

This section has been moved to pkgs/README.md.

Patches

This section has been moved to pkgs/README.md.

Package tests

This section has been moved to pkgs/README.md.

Writing inline package tests

This section has been moved to pkgs/README.md.

Writing larger package tests

This section has been moved to pkgs/README.md.

Running package tests

This section has been moved to pkgs/README.md.

Examples of package tests

This section has been moved to pkgs/README.md.

Linking NixOS module tests to a package

This section has been moved to pkgs/README.md.

Import From Derivation

This section has been moved to pkgs/README.md.

Submitting changes

This section has been moved to CONTRIBUTING.md.

Submitting changes

This section has been moved to CONTRIBUTING.md.

Submitting security fixes

This section has been moved to pkgs/README.md.

Deprecating/removing packages

This section has been moved to pkgs/README.md.

Steps to remove a package from Nixpkgs

This section has been moved to pkgs/README.md.

Pull Request Template

This section has been moved to CONTRIBUTING.md.

Tested using sandboxing

This section has been moved to CONTRIBUTING.md.

Built on platform(s)

This section has been moved to CONTRIBUTING.md.

Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)

This section has been moved to CONTRIBUTING.md.

Tested compilation of all pkgs that depend on this change using nixpkgs-review

This section has been moved to CONTRIBUTING.md.

Tested execution of all binary files (usually in ./result/bin/)

This section has been moved to CONTRIBUTING.md.

Meets Nixpkgs contribution standards

This section has been moved to CONTRIBUTING.md.

Hotfixing pull requests

This section has been moved to CONTRIBUTING.md.

Commit policy

This section has been moved to CONTRIBUTING.md.

Branches

This section has been moved to CONTRIBUTING.md.

Master branch

This section has been moved to CONTRIBUTING.md.

Staging branch

This section has been moved to CONTRIBUTING.md.

Staging-next branch

This section has been moved to CONTRIBUTING.md.

Stable release branches

This section has been moved to CONTRIBUTING.md.

Automatically backporting a Pull Request

This section has been moved to CONTRIBUTING.md.

Manually backporting changes

This section has been moved to CONTRIBUTING.md.

Acceptable backport criteria

This section has been moved to CONTRIBUTING.md.

Vulnerability Roundup

Table of Contents

Issues
Triaging and Fixing

This section has been moved to pkgs/README.md.

Issues

This section has been moved to pkgs/README.md.

Triaging and Fixing

This section has been moved to pkgs/README.md.

Reviewing contributions

This section has been moved to CONTRIBUTING.md.

Package updates

This section has been moved to pkgs/README.md.

New packages

This section has been moved to pkgs/README.md.

Module updates

This section has been moved to nixos/README.md.

New modules

This section has been moved to nixos/README.md.

Individual maintainer list

This section has been moved to maintainers/README.md.

Maintainer teams

This section has been moved to maintainers/README.md.

Other submissions

This section has been moved to CONTRIBUTING.md.

Merging pull requests

This section has been moved to CONTRIBUTING.md.

Contributing to Nixpkgs documentation

Table of Contents

devmode
Syntax

This section has been moved to doc/README.md.

devmode

This section has been moved to doc/README.md.

Syntax

This section has been moved to doc/README.md.

Interoperability Standards

Table of Contents

CycloneDX

CycloneDX

OWASP CycloneDX is a Software Bill of Materials (SBOM) standard. The standards described here are for including Nix specific information within SBOMs in a way that is interoperable with external SBOM tooling.

nix Namespace Property Taxonomy

The following tables describe namespaces for properties that may be attached to components within SBOMs. Component properties are lists of name-value-pairs where values must be strings. Properties with the same name may appear more than once. Names and values are case-sensitive.

PropertyDescription
nix:store_pathA Nix store path for the given component. This property should be contextualized by additional properties that describe the production of the store path, such as those from the nix:narinfo: and nix:fod namespaces.
NamespaceDescription
nix:narinfoNamespace for properties that are specific to how a component is stored as a Nix archive (NAR) in a binary cache.
nix:fodNamespace for properties that describe a fixed-output derivation.

nix:narinfo

Narinfo properties describe component archives that may be available from binary caches. The nix:narinfo properties should be accompanied by a nix:store_path property within the same property list.

PropertyDescription
nix:narinfo:store_pathStore path for the given store component.
nix:narinfo:urlURL path component.
nix:narinfo:nar_hashHash of the file system object part of the component when serialized as a Nix Archive.
nix:narinfo:nar_sizeSize of the component when serialized as a Nix Archive.
nix:narinfo:compressionThe compression format that component archive is in.
nix:narinfo:file_hashA digest for the compressed component archive itself, as opposed to the data contained within.
nix:narinfo:file_sizeThe size of the compressed component archive itself.
nix:narinfo:deriverThe path to the derivation from which this component is produced.
nix:narinfo:systemThe hardware and software platform on which this component is produced.
nix:narinfo:sigSignatures claiming that this component is what it claims to be.
nix:narinfo:caContent address of this store object’s file system object, used to compute its store path.
nix:narinfo:referencesA whitespace separated array of store paths that this component references.

nix:fod

FOD properties describe a fixed-output derivation. The nix:fod:method property is required and must be accompanied by a nix:store_path property within the same property list. All other properties in this namespace are method-specific. To reproduce the build of a component the nix:fod:method value is resolved to an appropriate function within Nixpkgs whose arguments intersect with the given properties. When generating nix:fod properties the method selected should be a stable function with a minimal number arguments. For example, the fetchFromGitHub is commonly used within Nixpkgs but should be reduced to a call to the function by which it is implemented, fetchzip.

PropertyDescription
nix:fod:methodNixpkg function that produces this FOD. Required. Examples: "fetchzip", "fetchgit"
nix:fod:nameDerivation name, present when method is "fetchzip"
nix:fod:refGit ref, present when method is "fetchgit"
nix:fod:revGit rev, present when method is "fetchgit"
nix:fod:sha256FOD hash
nix:fod:urlURL to fetch

nix:fod properties may be extracted and evaluated to a derivation using code similar to the following, assuming a fictitious function filterPropertiesToAttrs:

{ pkgs, filterPropertiesToAttrs, properties }:
let
  fodProps = filterPropertiesToAttrs "nix:fod:" properties;

  methods = {
    fetchzip =
      { name, url, sha256, ... }:
      pkgs.fetchzip {
        inherit name url sha256;
      };
  };

in methods.${fodProps.method} fodProps