flake: migrate to crane, unpin Nixpkgs, use static builds on Darwin (#…

…1380)

* flake: remove `default` from the overlay

This belongs in `packages` instead (where a duplicate is already
present anyway).

* flake: migrate to crane

Crane handles cross‐compilation a bit better and seems to be
generally more actively maintained than Naersk.

We use Nixpkgs’ stock Rust toolchains instead of bringing in fenix,
as Nixpkgs provides everything we need and tracks upstream stable
Rust well. This also simplifies the cross‐compilation story.

This doesn’t build the documentation like the Naersk build did,
which I guess might be useful to ensure that the documentation
always builds? That could be added on as a check if desired, using
`craneLib.cargoDoc`.

* flake: remove redundant `pname` and `version`

Crane handles setting these for us.

* flake: remove inert `preBuild`

This would be done differently with crane using
`craneLib.cargoClippy`. That could be added as a check if desired.

* flake: move flags to `installerAttrs`

I assume it was not the intent to override the configuration flags
and test behaviour of all dependencies.

* flake: use `pkgsStatic` for static builds

This is cleaner, handles any future native dependencies correctly,
and will work more consistently across platforms (such as Darwin).

* flake: unpin Nixpkgs

* flake: use static builds on Darwin

Fix a bug where the installer would link against a `libiconv` in the
Nix store.

This would silently fail to load (falling back to the system
`libiconv`, I suppose? I’m not sure) when the Nix store was not
present – as is usually the case when running the installer – but
after installation, the store path could be populated by normal use
of Nix. If that happened, then upon uninstallation, the Nix store
`libiconv` would be loaded, the installer would delete the `/nix`
partition, and then the next time a system library indirectly caused
`dyld` to check up on what’s going on with the loaded dynamic
libraries, it would try to read from an address mapped to the library
in the now‐deleted Nix store and crash.

Now that `pkgsStatic` works after Randy’s Darwin rework to provide
mostly‐static builds (system libraries and frameworks are dynamically
linked, but libraries from Nixpkgs are linked statically), we can build
a truly standalone installer that has no dependency on `/nix/store`,
fixing the crash for good.

* flake: remove old Darwin SDK pattern detritus

None of this is required or does anything as of 24.11.

.github/workflows/build-aarch64-darwin.yml

@@ -10,7 +10,7 @@ on:
 
 jobs:
   build-aarch64-darwin:
-    name: Build aarch64 Darwin
+    name: Build aarch64 Darwin (static)
     runs-on: macos-latest-xlarge
     concurrency: ${{ inputs.cache-key }}
     permissions:
@@ -27,7 +27,7 @@ jobs:
           use-gha-cache: false
       - name: Build the installer
         run: |
-          nix build .#packages.aarch64-darwin.nix-installer -L
+          nix build .#packages.aarch64-darwin.nix-installer-static -L
           cp result/bin/nix-installer .
       - name: Create GitHub cache from build artifacts
         uses: actions/cache/save@v3

.github/workflows/build-x86_64-darwin.yml

@@ -10,7 +10,7 @@ on:
 
 jobs:
   build-x86_64-darwin:
-    name: Build x86_64 Darwin
+    name: Build x86_64 Darwin (static)
     runs-on: macos-13-large
     concurrency: ${{ inputs.cache-key }}
     permissions:
@@ -27,7 +27,7 @@ jobs:
           use-gha-cache: false
       - name: Build the installer
         run: |
-          nix build .#packages.x86_64-darwin.nix-installer -L
+          nix build .#packages.x86_64-darwin.nix-installer-static -L
           cp result/bin/nix-installer .
       - name: Create GitHub cache from build artifacts
         uses: actions/cache/save@v3

flake.nix

@@ -2,18 +2,9 @@
   description = "The Determinate Nix Installer";
 
   inputs = {
-    # The very next version and beyond we get SIGBUS on uninstall
-    nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/=0.1.698755";
+    nixpkgs.url = "https://flakehub.com/f/NixOS/nixpkgs/0.1.tar.gz";
 
-    fenix = {
-      url = "https://flakehub.com/f/nix-community/fenix/0.1.1584.tar.gz";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    naersk = {
-      url = "github:nix-community/naersk";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
+    crane.url = "github:ipetkov/crane/v0.20.0";
 
     nix = {
       url = "https://flakehub.com/f/DeterminateSystems/nix/=2.25.3.tar.gz";
@@ -39,8 +30,7 @@
   outputs =
     { self
     , nixpkgs
-    , fenix
-    , naersk
+    , crane
     , nix
     , determinate
     , ...
@@ -57,103 +47,77 @@
         lib = pkgs.lib;
       };
 
-      fenixToolchain = system: with fenix.packages.${system};
-        combine ([
-          stable.clippy
-          stable.rustc
-          stable.cargo
-          stable.rustfmt
-          stable.rust-src
-        ] ++ nixpkgs.lib.optionals (system == "x86_64-linux") [
-          targets.x86_64-unknown-linux-musl.stable.rust-std
-        ] ++ nixpkgs.lib.optionals (system == "aarch64-linux") [
-          targets.aarch64-unknown-linux-musl.stable.rust-std
-        ]);
-
       nixTarballs = forAllSystems ({ system, ... }:
         inputs.nix.tarballs_direct.${system}
           or "${inputs.nix.checks."${system}".binaryTarball}/nix-${inputs.nix.packages."${system}".default.version}-${system}.tar.xz");
 
       optionalPathToDeterminateNixd = system: if builtins.elem system systemsSupportedByDeterminateNixd then "${inputs.determinate.packages.${system}.default}/bin/determinate-nixd" else null;
-    in
-    {
-      overlays.default = final: prev:
+
+      installerPackage = { pkgs, stdenv, buildPackages }:
         let
-          toolchain = fenixToolchain final.stdenv.system;
-          naerskLib = final.callPackage naersk {
-            cargo = toolchain;
-            rustc = toolchain;
-          };
+          craneLib = crane.mkLib pkgs;
           sharedAttrs = {
-            pname = "nix-installer";
-            version = (builtins.fromTOML (builtins.readFile ./Cargo.toml)).package.version;
             src = builtins.path {
               name = "nix-installer-source";
               path = self;
               filter = (path: type: baseNameOf path != "nix" && baseNameOf path != ".github");
             };
 
-            nativeBuildInputs = with final; [ ];
-            buildInputs = with final; [ ] ++ lib.optionals (final.stdenv.isDarwin) (with final.darwin.apple_sdk.frameworks; [
-              SystemConfiguration
-              final.darwin.libiconv
-            ]);
-
-            copyBins = true;
-            copyDocsToSeparateOutput = true;
-
-            doCheck = true;
-            doDoc = true;
-            doDocFail = true;
-            RUSTFLAGS = "--cfg tokio_unstable";
-            cargoTestOptions = f: f ++ [ "--all" ];
-
-            NIX_INSTALLER_TARBALL_PATH = nixTarballs.${final.stdenv.system};
-            DETERMINATE_NIXD_BINARY_PATH = optionalPathToDeterminateNixd final.stdenv.system;
-
-            override = { preBuild ? "", ... }: {
-              preBuild = preBuild + ''
-                # logRun "cargo clippy --all-targets --all-features -- -D warnings"
-              '';
+            # Required to link build scripts.
+            pkgsBuildBuild = [ buildPackages.stdenv.cc ];
+
+            env = {
+              # For whatever reason, these don’t seem to get set
+              # automatically when using crane.
+              #
+              # Possibly related: <https://github.com/NixOS/nixpkgs/pull/369424>
+              "CC_${stdenv.hostPlatform.rust.cargoEnvVarTarget}" = "${stdenv.cc.targetPrefix}cc";
+              "CXX_${stdenv.hostPlatform.rust.cargoEnvVarTarget}" = "${stdenv.cc.targetPrefix}c++";
+              "CARGO_TARGET_${stdenv.hostPlatform.rust.cargoEnvVarTarget}_LINKER" = "${stdenv.cc.targetPrefix}cc";
+              CARGO_BUILD_TARGET = stdenv.hostPlatform.rust.rustcTarget;
             };
-            postInstall = ''
-              cp nix-installer.sh $out/bin/nix-installer.sh
-            '';
           };
         in
-        rec {
-          nix-installer = naerskLib.buildPackage sharedAttrs;
-        } // nixpkgs.lib.optionalAttrs (prev.stdenv.system == "x86_64-linux") rec {
-          default = nix-installer-static;
-          nix-installer-static = naerskLib.buildPackage
-            (sharedAttrs // {
-              CARGO_BUILD_TARGET = "x86_64-unknown-linux-musl";
-            });
-        } // nixpkgs.lib.optionalAttrs (prev.stdenv.system == "aarch64-linux") rec {
-          default = nix-installer-static;
-          nix-installer-static = naerskLib.buildPackage
-            (sharedAttrs // {
-              CARGO_BUILD_TARGET = "aarch64-unknown-linux-musl";
-            });
-        };
+        craneLib.buildPackage (sharedAttrs // {
+          cargoArtifacts = craneLib.buildDepsOnly sharedAttrs;
+
+          cargoTestExtraArgs = "--all";
 
+          postInstall = ''
+            cp nix-installer.sh $out/bin/nix-installer.sh
+          '';
+
+          env = sharedAttrs.env // {
+            RUSTFLAGS = "--cfg tokio_unstable";
+            NIX_INSTALLER_TARBALL_PATH = nixTarballs.${stdenv.hostPlatform.system};
+            DETERMINATE_NIXD_BINARY_PATH = optionalPathToDeterminateNixd stdenv.hostPlatform.system;
+          };
+        });
+    in
+    {
+      overlays.default = final: prev: {
+        nix-installer = final.callPackage installerPackage { };
+        nix-installer-static = final.pkgsStatic.callPackage installerPackage { };
+      };
 
       devShells = forAllSystems ({ system, pkgs, ... }:
         let
-          toolchain = fenixToolchain system;
-          check = import ./nix/check.nix { inherit pkgs toolchain; };
+          check = import ./nix/check.nix { inherit pkgs; };
         in
         {
           default = pkgs.mkShell {
             name = "nix-install-shell";
 
-            RUST_SRC_PATH = "${toolchain}/lib/rustlib/src/rust/library";
+            RUST_SRC_PATH = "${pkgs.rustPlatform.rustcSrc}/library";
             NIX_INSTALLER_TARBALL_PATH = nixTarballs.${system};
             DETERMINATE_NIXD_BINARY_PATH = optionalPathToDeterminateNixd system;
 
             nativeBuildInputs = with pkgs; [ ];
             buildInputs = with pkgs; [
-              toolchain
+              rustc
+              cargo
+              clippy
+              rustfmt
               shellcheck
               rust-analyzer
               cargo-outdated
@@ -169,11 +133,6 @@
               check.check-clippy
               editorconfig-checker
             ]
-            ++ lib.optionals (pkgs.stdenv.isDarwin) (with pkgs; [
-              libiconv
-              darwin.apple_sdk.frameworks.Security
-              darwin.apple_sdk.frameworks.SystemConfiguration
-            ])
             ++ lib.optionals (pkgs.stdenv.isLinux) (with pkgs; [
               checkpolicy
               semodule-utils
@@ -184,8 +143,7 @@
 
       checks = forAllSystems ({ system, pkgs, ... }:
         let
-          toolchain = fenixToolchain system;
-          check = import ./nix/check.nix { inherit pkgs toolchain; };
+          check = import ./nix/check.nix { inherit pkgs; };
         in
         {
           check-rustfmt = pkgs.runCommand "check-rustfmt" { buildInputs = [ check.check-rustfmt ]; } ''
@@ -212,16 +170,9 @@
 
       packages = forAllSystems ({ system, pkgs, ... }:
         {
-          inherit (pkgs) nix-installer;
-        } // nixpkgs.lib.optionalAttrs (system == "x86_64-linux") {
-          inherit (pkgs) nix-installer-static;
-          default = pkgs.nix-installer-static;
-        } // nixpkgs.lib.optionalAttrs (system == "aarch64-linux") {
-          inherit (pkgs) nix-installer-static;
+          inherit (pkgs) nix-installer nix-installer-static;
           default = pkgs.nix-installer-static;
         } // nixpkgs.lib.optionalAttrs (pkgs.stdenv.isDarwin) {
-          default = pkgs.nix-installer;
-
           determinate-nixd = pkgs.runCommand "determinate-nixd-link" { } ''
             ln -s ${optionalPathToDeterminateNixd system} $out
           '';

nix/check.nix

@@ -1,4 +1,4 @@
-{ pkgs, toolchain }:
+{ pkgs }:
 
 let
   inherit (pkgs) writeShellApplication;
@@ -8,7 +8,7 @@ in
   # Format
   check-rustfmt = (writeShellApplication {
     name = "check-rustfmt";
-    runtimeInputs = [ toolchain ];
+    runtimeInputs = with pkgs; [ cargo rustfmt ];
     text = "cargo fmt --check";
   });