Support Nix depexts with opam env

[RyanGibb]

Nix doesn't install packages in the traditional sense -- instead it puts them in a store and makes them available through environment variables. I.e., nix-shell -p gcc will drop us into a shell with gcc in the $PATH.

We can set appropriate environment variables with Opam to make system dependencies (depexts) available with Nix.
Similar to how nix-shell works under the hood, we create a Nix derivation such as

{ pkgs ? import <nixpkgs> {} }:
with pkgs;
let
  packages = [ gmp ];
  inputs = with buildPackages; packages ++ [ pkg-config ];
in
stdenv.mkDerivation {
  name = "opam-nix-env";
  nativeBuildInputs = inputs;

  phases = [ "buildPhase" ];

  buildPhase = ''
vars=("NIX_CC" "NIX_CC_FLAGS" "NIX_CFLAGS_COMPILE" "NIX_CC_WRAPPER_TARGET_HOST_x86_64_unknown_linux_gnu" "NIX_LDFLAGS" "PKG_CONFIG_PATH")
for var in "''${vars[@]}"; do
  escaped="$(echo "''${!var}" | sed -e 's/^$/@/' -e 's/ /\\ /g')"
  echo "$var    =       $escaped        Nix" >> $out
done
echo "PATH      =       $PATH   Nix"
  '';

  preferLocalBuild = true;
}

Which we can build to output a file with environment variables that make depexts available, in Opam's environment variable format. This file is a Nix store root, so it's dependencies won't be garbage collected by Nix until the file is removed.

This approach came from conversations with @dra27 and is distinct from previous approaches in that it supports providing development environment, which imperative installations with Nix don't #5332 (comment); and doesn't require the user to manage the environment outside of Opam, which would lead to a different workflow #5942.

Initial experiments were done using a package to set such environment variables https://github.com/RyanGibb/nix.opam.
However, in order to work with generic depexts (as opposed to just conf packages), to avoid cyclic dependencies (if conf packages depend on nix.opam but nix.opam depends on conf packages), and due to opam package sandboxing (nix derivation fetching would require opam sandboxing to be disabled or the nix store to be 'primed'), it's better implemented as a depext mechanism.

This has been tested and successfully creates an environment to provide packages conf-gmp and conf-libseccomp, as well as depexts directly.

[RyanGibb]

Rebased on master

[RyanGibb]

Looks like I'm running into NixOS/nix#10587 with the Docker image

[RyanGibb]

We might want to make these environment variables configurable in order to support new dependencies from Nix, which might require additional environment variables, without cutting a new release of Opam.

[RyanGibb]

I think capnproto might use a flag that isn't here.

[dra27]

Can we pattern match that NIX_CC_WRAPPER_TARGET_HOST_ - the x86_64_unknown_linux_gnu presumably doesn't want to stay hard-coded in here?

[RyanGibb]

Rebased on master -- and could do with another depext CI run if it needs re-approval!

[RyanGibb]

Okay! The CI is failing only due to ocaml/opam-repository#26261 (I've got it working locally with my branch of opam-repository)

[kit-ty-kate]

i think it might be worth using a dedicated record instead of a tuple at this point. Otherwise it could become confusing very quickly with all those similar types around

[RyanGibb]

We have opamSysPkg.status?

[RyanGibb]

Though, we're also passing around the couple of available and required a lot, which perhaps warrants a separate record.

[RyanGibb]

It would be good if we could trigger a re-build of any packages that depend on depexts if the drv path changes, as if they link against a previous derivation it could be GC'd. An alternative might be to keep the old nix.env files around as Nix GC roots.

[RyanGibb]

Anyone wanting to play around with this on a NixOS system can try:

$ nix shell github:RyanGibb/nixos/#legacyPackages.x86_64-linux.nixpkgs.opam
$ opam --version
2.3.0

Or add it to your own overlay with:

{
  nixpkgs.overlays = [
    (final: prev: {
      opam = prev.opam.overrideAttrs (_: {
       src = final.fetchurl {
          url = "http://ryan.freumh.org/software/opam-full-2.3.0-nixos-depexts.tar.gz";
          sha256 = "sha256-mRxxZtWFgQ8v1szVq5g5+qVqa+OffoG1aHzGUiMMvT0=";
        };
        version = "2.3.0";
      });
    })
  ];
}

This URL is just the https://github.com/RyanGibb/opam/tree/nixos-depexts-2.3.0 branch with vendored dependencies since I couldn't get them working in Nix,

[rjbou]

Is it possible to update that file for each installed package, like that there is no need to retrieve and pass the whole list of already installed packages and their system packages ?

[RyanGibb]

I think this is more ergonomic, as it allows system packages to be uninstalled too. It's bridging opam's imperative mode to nix's declarative model.

[RyanGibb]

David made an observation in today's Opam dev meeting that this PR will not remove depexts from the Nix derivation until the next install. This might effect reproducibility in some circumstances, but this isn't a huge deal as if Nix users want full reproducibility they can use opam2nix.

[kit-ty-kate]

while tracking down NixOS/nixpkgs#388471 i tried this branch and it worked really well in a nixos docker container. I was able to build opam-publish which requires openssl and gmp without any issues at all, like magic.

[kit-ty-kate]

This file seems to be there only as a sort of temporary file for nix-build. I also find the naming convention a bit confusing when taken together with nix.env.
env.nix and nix.env are way too close in terms of name and it's easy to confuse between them.

Wouldn't some sort of nameless temporary file be more indicated if a file has to be used?
Couldn't we use a constant string together with environment variables for packages (and possibly vars) instead?

[RyanGibb]

I have found the env.nix file useful sometimes in debugging what is actually in the nix environment, but I agree the naming is a bit confusing

[RyanGibb]

Thanks for the comments and commits @kit-ty-kate ! I'm glad it was useful :-) Apologies I haven't had a lot of time to work on this PR recently