+3 -3

doc/README.md

··· 1 # Contributing to the Nixpkgs reference manual 2 3 - This directory houses the sources files for the Nixpkgs reference manual. 4 5 > [!IMPORTANT] 6 > We are actively restructuring our documentation to follow the [Diátaxis framework](https://diataxis.fr/) ··· 92 93 #### Inline Anchors 94 95 - Allow linking arbitrary place in the text (e.g. individual list items, sentences…). 96 97 They are defined using a hybrid of the link syntax with the attributes syntax known from headings, called [bracketed spans](https://github.com/jgm/commonmark-hs/blob/master/commonmark-extensions/test/bracketed_spans.md): 98 ··· 203 204 In an effort to keep the Nixpkgs manual in a consistent style, please follow the conventions below, unless they prevent you from properly documenting something. 205 In that case, please open an issue about the particular documentation convention and tag it with a "needs: documentation" label. 206 - When needed, each convention explain why it exists, so you can make a decision whether to follow it or not based on your particular case. 207 Note that these conventions are about the **structure** of the manual (and its source files), not about the content that goes in it. 208 You, as the writer of documentation, are still in charge of its content. 209

··· 1 # Contributing to the Nixpkgs reference manual 2 3 + This directory houses the source files for the Nixpkgs reference manual. 4 5 > [!IMPORTANT] 6 > We are actively restructuring our documentation to follow the [Diátaxis framework](https://diataxis.fr/) ··· 92 93 #### Inline Anchors 94 95 + Allow linking to an arbitrary place in the text (e.g. individual list items, sentences…). 96 97 They are defined using a hybrid of the link syntax with the attributes syntax known from headings, called [bracketed spans](https://github.com/jgm/commonmark-hs/blob/master/commonmark-extensions/test/bracketed_spans.md): 98 ··· 203 204 In an effort to keep the Nixpkgs manual in a consistent style, please follow the conventions below, unless they prevent you from properly documenting something. 205 In that case, please open an issue about the particular documentation convention and tag it with a "needs: documentation" label. 206 + When needed, each convention explains why it exists, so you can make a decision whether to follow it or not based on your particular case. 207 Note that these conventions are about the **structure** of the manual (and its source files), not about the content that goes in it. 208 You, as the writer of documentation, are still in charge of its content. 209

+4 -4

doc/build-helpers/images/dockertools.section.md

··· 47 This can be seen as an equivalent of `FROM fromImage` in a `Dockerfile`. 48 A value of `null` can be seen as an equivalent of `FROM scratch`. 49 50 - If specified, the layer created by `buildImage` will be appended to the layers defined in the base image, resulting in an image with at least two layers (one or more layers from the base image, and the layer created by `buildImage`). 51 - Otherwise, the resulting image with contain the single layer created by `buildImage`. 52 53 :::{.note} 54 Only **Env** configuration is inherited from the base image. ··· 507 This can be seen as an equivalent of `ADD contents/ /` in a `Dockerfile`. 508 509 All the contents specified by `contents` will be added as a final layer in the generated image. 510 - They will be added as links to the actual files (e.g. links to the store paths). 511 The actual files will be added in previous layers. 512 513 _Default value:_ `[]` ··· 561 `gname` (String; _optional_) []{#dockerTools-buildLayeredImage-arg-gname} 562 563 : Credentials for Nix store ownership. 564 - Can be overridden to e.g. `1000` / `1000` / `"user"` / `"user"` to enable building a container where Nix can be used as an unprivileged user in single-user mode. 565 566 _Default value:_ `0` / `0` / `"root"` / `"root"` 567

··· 47 This can be seen as an equivalent of `FROM fromImage` in a `Dockerfile`. 48 A value of `null` can be seen as an equivalent of `FROM scratch`. 49 50 + If specified, the layer created by `buildImage` will be appended to the layers defined in the base image, resulting in an image with at least two layers (one or more layers from the base image and the layer created by `buildImage`). 51 + Otherwise, the resulting image will contain the single layer created by `buildImage`. 52 53 :::{.note} 54 Only **Env** configuration is inherited from the base image. ··· 507 This can be seen as an equivalent of `ADD contents/ /` in a `Dockerfile`. 508 509 All the contents specified by `contents` will be added as a final layer in the generated image. 510 + They will be added as links to the actual files (e.g., links to the store paths). 511 The actual files will be added in previous layers. 512 513 _Default value:_ `[]` ··· 561 `gname` (String; _optional_) []{#dockerTools-buildLayeredImage-arg-gname} 562 563 : Credentials for Nix store ownership. 564 + Can be overridden to, e.g., `1000` / `1000` / `"user"` / `"user"` to enable building a container where Nix can be used as an unprivileged user in single-user mode. 565 566 _Default value:_ `0` / `0` / `"root"` / `"root"` 567

+3 -3

doc/build-helpers/images/makediskimage.section.md

··· 23 - automatic or bound disk size: `diskSize` parameter, `additionalSpace` can be set when `diskSize` is `auto` to add a constant of disk space 24 - multiple partition table layouts: EFI, legacy, legacy + GPT, hybrid, none through `partitionTableType` parameter 25 - OVMF or EFI firmwares and variables templates can be customized 26 - - root filesystem `fsType` can be customized to whatever `mkfs.${fsType}` exist during operations 27 - root filesystem label can be customized, defaults to `nix-store` if it's a Nix store image, otherwise `nixpkgs/nixos` 28 - arbitrary code can be executed after disk image was produced with `postVM` 29 - the current nixpkgs can be realized as a channel in the disk image, which will change the hash of the image when the sources are updated ··· 41 42 Images are **NOT** deterministic, please do not hesitate to try to fix this, source of determinisms are (not exhaustive) : 43 44 - - bootloader installation have timestamps 45 - - SQLite Nix store database contain registration times 46 - `/etc/shadow` is in a non-deterministic order 47 48 A `deterministic` flag is available for best efforts determinism.

··· 23 - automatic or bound disk size: `diskSize` parameter, `additionalSpace` can be set when `diskSize` is `auto` to add a constant of disk space 24 - multiple partition table layouts: EFI, legacy, legacy + GPT, hybrid, none through `partitionTableType` parameter 25 - OVMF or EFI firmwares and variables templates can be customized 26 + - root filesystem `fsType` can be customized to whatever `mkfs.${fsType}` exists during operations 27 - root filesystem label can be customized, defaults to `nix-store` if it's a Nix store image, otherwise `nixpkgs/nixos` 28 - arbitrary code can be executed after disk image was produced with `postVM` 29 - the current nixpkgs can be realized as a channel in the disk image, which will change the hash of the image when the sources are updated ··· 41 42 Images are **NOT** deterministic, please do not hesitate to try to fix this, source of determinisms are (not exhaustive) : 43 44 + - bootloader installation has timestamps 45 + - SQLite Nix store database contains registration times 46 - `/etc/shadow` is in a non-deterministic order 47 48 A `deterministic` flag is available for best efforts determinism.

+1 -1

doc/build-helpers/testers.chapter.md

··· 607 608 This is a wrapper around `pkgs.runCommandWith`, which 609 - produces a fixed-output derivation, enabling the command(s) to access the network ; 610 - - salts the derivation's name based on its inputs, ensuring the command is re-run whenever the inputs changes. 611 612 It accepts the following attributes: 613 - the derivation's `name` ;

··· 607 608 This is a wrapper around `pkgs.runCommandWith`, which 609 - produces a fixed-output derivation, enabling the command(s) to access the network ; 610 + - salts the derivation's name based on its inputs, ensuring the command is re-run whenever the inputs change. 611 612 It accepts the following attributes: 613 - the derivation's `name` ;

+1 -1

doc/build-helpers/trivial-build-helpers.chapter.md

··· 60 [allowSubstitutes]: https://nix.dev/manual/nix/latest/language/advanced-attributes.html#adv-attr-allowSubstitutes 61 [preferLocalBuild]: https://nix.dev/manual/nix/latest/language/advanced-attributes.html#adv-attr-preferLocalBuild 62 [substituter]: https://nix.dev/manual/nix/latest/glossary#gloss-substituter 63 - [substitutes]: https://nix.dev/manual/nix/2.23/glossary#gloss-substitute 64 65 ::: {.example #ex-runcommandwith} 66 # Invocation of `runCommandWith`

··· 60 [allowSubstitutes]: https://nix.dev/manual/nix/latest/language/advanced-attributes.html#adv-attr-allowSubstitutes 61 [preferLocalBuild]: https://nix.dev/manual/nix/latest/language/advanced-attributes.html#adv-attr-preferLocalBuild 62 [substituter]: https://nix.dev/manual/nix/latest/glossary#gloss-substituter 63 + [substitutes]: https://nix.dev/manual/nix/latest/glossary#gloss-substitute 64 65 ::: {.example #ex-runcommandwith} 66 # Invocation of `runCommandWith`

+2 -2

doc/functions/prefer-remote-fetch.section.md

··· 1 # prefer-remote-fetch overlay {#sec-prefer-remote-fetch} 2 3 - `prefer-remote-fetch` is an overlay that download sources on remote builder. This is useful when the evaluating machine has a slow upload while the builder can fetch faster directly from the source. To use it, put the following snippet as a new overlay: 4 5 ```nix 6 self: super: (super.prefer-remote-fetch self super) 7 ``` 8 9 - A full configuration example for that sets the overlay up for your own account, could look like this 10 11 ```ShellSession 12 $ mkdir ~/.config/nixpkgs/overlays/

··· 1 # prefer-remote-fetch overlay {#sec-prefer-remote-fetch} 2 3 + `prefer-remote-fetch` is an overlay that downloads sources on a remote builder. This is useful when the evaluating machine has a slow upload while the builder can fetch faster, directly from the source. To use it, put the following snippet as a new overlay: 4 5 ```nix 6 self: super: (super.prefer-remote-fetch self super) 7 ``` 8 9 + A full configuration example that sets the overlay up for your own account could look like this 10 11 ```ShellSession 12 $ mkdir ~/.config/nixpkgs/overlays/

+1 -1

doc/hooks/autopatchelf.section.md

··· 2 3 This is a special setup hook which helps in packaging proprietary software in that it automatically tries to find missing shared library dependencies of ELF files based on the given `buildInputs` and `nativeBuildInputs`. 4 5 - You can also specify a `runtimeDependencies` variable which lists dependencies to be unconditionally added to rpath of all executables. This is useful for programs that use dlopen 3 to load libraries at runtime. 6 7 In certain situations you may want to run the main command (`autoPatchelf`) of the setup hook on a file or a set of directories instead of unconditionally patching all outputs. This can be done by setting the `dontAutoPatchelf` environment variable to a non-empty value. 8

··· 2 3 This is a special setup hook which helps in packaging proprietary software in that it automatically tries to find missing shared library dependencies of ELF files based on the given `buildInputs` and `nativeBuildInputs`. 4 5 + You can also specify a `runtimeDependencies` variable which lists dependencies to be unconditionally added to the rpath of all executables. This is useful for programs that use `dlopen` to load libraries at runtime. 6 7 In certain situations you may want to run the main command (`autoPatchelf`) of the setup hook on a file or a set of directories instead of unconditionally patching all outputs. This can be done by setting the `dontAutoPatchelf` environment variable to a non-empty value. 8

+1 -1

doc/hooks/bmake.section.md

··· 1 # bmake {#bmake-hook} 2 3 [bmake](https://www.crufty.net/help/sjg/bmake.html) is the portable variant of 4 - NetBSD make utility. 5 6 In Nixpkgs, `bmake` comes with a hook that overrides the default build, check, 7 install and dist phases.

··· 1 # bmake {#bmake-hook} 2 3 [bmake](https://www.crufty.net/help/sjg/bmake.html) is the portable variant of 4 + NetBSD `make` utility. 5 6 In Nixpkgs, `bmake` comes with a hook that overrides the default build, check, 7 install and dist phases.

+1 -1

doc/hooks/breakpoint.section.md

··· 1 # breakpointHook {#breakpointhook} 2 3 - This hook makes a build pause instead of stopping when a failure occurs. It prevents Nix from cleaning up the build environment immediately and allows the user to attach to the build environment. Upon a build error, it will print instructions that can be used to enter the environment for debugging. breakpointHook is only available on Linux. To use it, add `breakpointHook` to `nativeBuildInputs` in the package to be inspected. 4 5 ```nix 6 { nativeBuildInputs = [ breakpointHook ]; }

··· 1 # breakpointHook {#breakpointhook} 2 3 + This hook makes a build pause instead of stopping when a failure occurs. It prevents Nix from cleaning up the build environment immediately and allows the user to attach to the build environment. Upon a build error, it will print instructions that can be used to enter the environment for debugging. The `breakpointHook` is only available on Linux. To use it, add `breakpointHook` to `nativeBuildInputs` in the package to be inspected. 4 5 ```nix 6 { nativeBuildInputs = [ breakpointHook ]; }

+1 -1

doc/hooks/cernlib.section.md

··· 1 # CERNLIB {#cernlib-hook} 2 3 - This hook sets the `CERN`, `CERN_LEVEL`, and `CERN_ROOT` environment variables. They are part of [CERNLIB's build system](https://cernlib.web.cern.ch/install/install.html), and are are needed for some programs to compile correctly.

··· 1 # CERNLIB {#cernlib-hook} 2 3 + This hook sets the `CERN`, `CERN_LEVEL`, and `CERN_ROOT` environment variables. They are part of [CERNLIB's build system](https://cernlib.web.cern.ch/install/install.html) and are needed for some programs to compile correctly.

+1 -1

doc/hooks/cmake.section.md

··· 25 Directory where CMake will put intermediate files. 26 27 Setting this can be useful for debugging multiple CMake builds while in the same source directory, for example, when building for different platforms. 28 - Different values for each build will prevent build artefacts from interefering with each other. 29 This setting has no tangible effect when running the build in a sandboxed derivation. 30 31 The default value is `build`.

··· 25 Directory where CMake will put intermediate files. 26 27 Setting this can be useful for debugging multiple CMake builds while in the same source directory, for example, when building for different platforms. 28 + Different values for each build will prevent build artifacts from interfering with each other. 29 This setting has no tangible effect when running the build in a sandboxed derivation. 30 31 The default value is `build`.

+1 -1

doc/hooks/haredo.section.md

··· 2 3 This hook uses [the `haredo` command runner](https://sr.ht/~autumnull/haredo/) to build, check, and install the package. It overrides `buildPhase`, `checkPhase`, and `installPhase` by default. 4 5 - The hook builds its targets in parallel if [`config.enableParallelBuilding`](#var-stdenv-enableParallelBuilding) is set to `true`. 6 7 ## `buildPhase` {#haredo-hook-buildPhase} 8

··· 2 3 This hook uses [the `haredo` command runner](https://sr.ht/~autumnull/haredo/) to build, check, and install the package. It overrides `buildPhase`, `checkPhase`, and `installPhase` by default. 4 5 + The hook builds its targets in parallel if [`enableParallelBuilding`](#var-stdenv-enableParallelBuilding) is set to `true`. 6 7 ## `buildPhase` {#haredo-hook-buildPhase} 8

+2 -2

doc/hooks/installShellFiles.section.md

··· 19 { 20 nativeBuildInputs = [ installShellFiles ]; 21 22 - # Sometimes the file has an undersirable name. It should be renamed before 23 # being installed via installBin 24 postInstall = '' 25 mv a.out delmar ··· 42 { 43 nativeBuildInputs = [ installShellFiles ]; 44 45 - # Sometimes the manpage file has an undersirable name; e.g. it conflicts with 46 # another software with an equal name. It should be renamed before being 47 # installed via installManPage 48 postInstall = ''

··· 19 { 20 nativeBuildInputs = [ installShellFiles ]; 21 22 + # Sometimes the file has an undesirable name. It should be renamed before 23 # being installed via installBin 24 postInstall = '' 25 mv a.out delmar ··· 42 { 43 nativeBuildInputs = [ installShellFiles ]; 44 45 + # Sometimes the manpage file has an undesirable name; e.g., it conflicts with 46 # another software with an equal name. It should be renamed before being 47 # installed via installManPage 48 postInstall = ''

+1 -1

doc/hooks/just.section.md

··· 12 13 ## `checkPhase` {#just-hook-checkPhase} 14 15 - This phase attempts to invoke the `just test` recipe, if it is available. This can be overrided by setting `checkTarget` to a string. 16 17 []{#just-hook-dontUseJustCheck} This behavior can be disabled by setting `dontUseJustCheck` to `true`. 18

··· 12 13 ## `checkPhase` {#just-hook-checkPhase} 14 15 + This phase attempts to invoke the `just test` recipe, if it is available. This can be overridden by setting `checkTarget` to a string. 16 17 []{#just-hook-dontUseJustCheck} This behavior can be disabled by setting `dontUseJustCheck` to `true`. 18

+6 -6

doc/hooks/meson.section.md

··· 23 Directory where Meson will put intermediate files. 24 25 Setting this can be useful for debugging multiple Meson builds while in the same source directory, for example, when building for different platforms. 26 - Different values for each build will prevent build artefacts from interefering with each other. 27 This setting has no tangible effect when running the build in a sandboxed derivation. 28 29 The default value is `build`. ··· 31 #### `mesonWrapMode` {#meson-wrap-mode} 32 33 Which value is passed as 34 - [`-Dwrap_mode=`](https://mesonbuild.com/Builtin-options.html#core-options) 35 - to. In Nixpkgs the default value is `nodownload`, so that no subproject will be 36 downloaded (since network access is already disabled during deployment in 37 Nixpkgs). 38 ··· 43 44 Which value is passed as 45 [`--buildtype`](https://mesonbuild.com/Builtin-options.html#core-options) to 46 - `meson setup` during configure phase. In Nixpkgs the default value is `plain`. 47 48 #### `mesonAutoFeatures` {#meson-auto-features} 49 50 Which value is passed as 51 [`-Dauto_features=`](https://mesonbuild.com/Builtin-options.html#core-options) 52 - to `meson setup` during configure phase. In Nixpkgs the default value is 53 `enabled`, meaning that every feature declared as "auto" by the meson scripts 54 will be enabled. 55 ··· 67 [`--tags`](https://mesonbuild.com/Installing.html#installation-tags) during 68 install phase. 69 70 - Note: `mesonInstallTags` should be a list of strings, that will be converted to 71 a comma-separated string that is recognized to `--tags`. 72 Example: `mesonInstallTags = [ "emulator" "assembler" ];` will be converted to 73 `--tags emulator,assembler`.

··· 23 Directory where Meson will put intermediate files. 24 25 Setting this can be useful for debugging multiple Meson builds while in the same source directory, for example, when building for different platforms. 26 + Different values for each build will prevent build artifacts from interfering with each other. 27 This setting has no tangible effect when running the build in a sandboxed derivation. 28 29 The default value is `build`. ··· 31 #### `mesonWrapMode` {#meson-wrap-mode} 32 33 Which value is passed as 34 + [`-Dwrap_mode=`](https://mesonbuild.com/Builtin-options.html#core-options). 35 + In Nixpkgs, the default value is `nodownload`, so that no subproject will be 36 downloaded (since network access is already disabled during deployment in 37 Nixpkgs). 38 ··· 43 44 Which value is passed as 45 [`--buildtype`](https://mesonbuild.com/Builtin-options.html#core-options) to 46 + `meson setup` during configure phase. In Nixpkgs, the default value is `plain`. 47 48 #### `mesonAutoFeatures` {#meson-auto-features} 49 50 Which value is passed as 51 [`-Dauto_features=`](https://mesonbuild.com/Builtin-options.html#core-options) 52 + to `meson setup` during configure phase. In Nixpkgs, the default value is 53 `enabled`, meaning that every feature declared as "auto" by the meson scripts 54 will be enabled. 55 ··· 67 [`--tags`](https://mesonbuild.com/Installing.html#installation-tags) during 68 install phase. 69 70 + Note: `mesonInstallTags` should be a list of strings that will be converted to 71 a comma-separated string that is recognized to `--tags`. 72 Example: `mesonInstallTags = [ "emulator" "assembler" ];` will be converted to 73 `--tags emulator,assembler`.

+2 -2

doc/hooks/mpi-check-hook.section.md

··· 3 4 This hook can be used to setup a check phase that 5 requires running a MPI application. It detects the 6 - used present MPI implementation type and exports 7 - the neceesary environment variables to use 8 `mpirun` and `mpiexec` in a Nix sandbox. 9 10

··· 3 4 This hook can be used to setup a check phase that 5 requires running a MPI application. It detects the 6 + present MPI implementation type and exports 7 + the necessary environment variables to use 8 `mpirun` and `mpiexec` in a Nix sandbox. 9 10

+1 -1

doc/hooks/ninja.section.md

··· 1 # ninja {#ninja} 2 3 - Overrides the build, install, and check phase to run ninja instead of make. You can disable this behavior with the `dontUseNinjaBuild`, `dontUseNinjaInstall`, and `dontUseNinjaCheck`, respectively. Parallel building is enabled by default in Ninja. 4 5 Note that if the [Meson setup hook](#meson) is also active, Ninja's install and check phases will be disabled in favor of Meson's.

··· 1 # ninja {#ninja} 2 3 + Overrides the build, install, and check phase to run ninja instead of make. You can disable this behavior with `dontUseNinjaBuild`, `dontUseNinjaInstall`, and `dontUseNinjaCheck`, respectively. Parallel building is enabled by default in Ninja. 4 5 Note that if the [Meson setup hook](#meson) is also active, Ninja's install and check phases will be disabled in favor of Meson's.

+1 -1

doc/hooks/patch-rc-path-hooks.section.md

··· 12 - `patchRcPathBash`: [Bash](https://www.gnu.org/software/bash/), [ksh](http://www.kornshell.org/), [zsh](https://www.zsh.org/) and other shells supporting the Bash-like parameter expansions. 13 - `patchRcPathCsh`: Csh scripts, such as those targeting [tcsh](https://www.tcsh.org/). 14 - `patchRcPathFish`: [Fish](https://fishshell.com/) scripts. 15 - - `patchRcPathPosix`: POSIX-conformant shells supporting the limited parameter expansions specified by the POSIX standard. Current implementation uses the parameter expansion `${foo-}` only. 16 17 For each supported shell, it modifies the script with a `PATH` prefix that is later removed when the script ends. 18 It allows nested patching, which guarantees that a patched script may source another patched script.

··· 12 - `patchRcPathBash`: [Bash](https://www.gnu.org/software/bash/), [ksh](http://www.kornshell.org/), [zsh](https://www.zsh.org/) and other shells supporting the Bash-like parameter expansions. 13 - `patchRcPathCsh`: Csh scripts, such as those targeting [tcsh](https://www.tcsh.org/). 14 - `patchRcPathFish`: [Fish](https://fishshell.com/) scripts. 15 + - `patchRcPathPosix`: POSIX-conformant shells supporting the limited parameter expansions specified by the POSIX standard. The current implementation uses the parameter expansion `${foo-}` only. 16 17 For each supported shell, it modifies the script with a `PATH` prefix that is later removed when the script ends. 18 It allows nested patching, which guarantees that a patched script may source another patched script.

+2 -2

doc/hooks/postgresql-test-hook.section.md

··· 53 54 ## Hooks {#sec-postgresqlTestHook-hooks} 55 56 - A number of additional hooks are ran in postgresqlTestHook 57 58 - - `postgresqlTestSetupPost`: ran after postgresql has been set up. 59 60 ## TCP and the Nix sandbox {#sec-postgresqlTestHook-tcp} 61

··· 53 54 ## Hooks {#sec-postgresqlTestHook-hooks} 55 56 + A number of additional hooks are run in postgresqlTestHook 57 58 + - `postgresqlTestSetupPost`: run after postgresql has been set up. 59 60 ## TCP and the Nix sandbox {#sec-postgresqlTestHook-tcp} 61

+1 -1

doc/hooks/redis-test-hook.section.md

··· 40 41 Bash-only variables: 42 43 - - `redisTestPort`: Port to use by Redis. Defaults to `6379` 44 45 Example usage: 46

··· 40 41 Bash-only variables: 42 43 + - `redisTestPort`: Port to use by Redis. Defaults to `6379` 44 45 Example usage: 46

+1 -1

doc/hooks/udevCheckHook.section.md

··· 2 3 The `udevCheckHook` derivation adds `udevCheckPhase` to the [`preInstallCheckHooks`](#ssec-installCheck-phase), 4 which finds all udev rules in all outputs and verifies them using `udevadm verify --resolve-names=never --no-style`. 5 - It should be used in any package that has udev rules outputs to ensure the rules are and stay valid. 6 7 The hook runs in `installCheckPhase`, requiring `doInstallCheck` is enabled for the hook to take effect: 8 ```nix

··· 2 3 The `udevCheckHook` derivation adds `udevCheckPhase` to the [`preInstallCheckHooks`](#ssec-installCheck-phase), 4 which finds all udev rules in all outputs and verifies them using `udevadm verify --resolve-names=never --no-style`. 5 + It should be used in any package that has udev rules outputs to ensure the rules are and remain valid. 6 7 The hook runs in `installCheckPhase`, requiring `doInstallCheck` is enabled for the hook to take effect: 8 ```nix

+1 -1

doc/hooks/validatePkgConfig.section.md

··· 1 # validatePkgConfig {#validatepkgconfig} 2 3 - The `validatePkgConfig` hook validates all pkg-config (`.pc`) files in a package. This helps catching some common errors in pkg-config files, such as undefined variables.

··· 1 # validatePkgConfig {#validatepkgconfig} 2 3 + The `validatePkgConfig` hook validates all pkg-config (`.pc`) files in a package. This helps catch some common errors in pkg-config files, such as undefined variables.

+1 -1

doc/hooks/waf.section.md

··· 18 19 #### `wafFlags` {#waf-flags} 20 21 - Controls the flags passed to waf tool during build and install phases. For settings specific to build or install phases, use `wafBuildFlags` or `wafInstallFlags` respectively. 22 23 #### `dontUseWafConfigure` {#dont-use-waf-configure} 24

··· 18 19 #### `wafFlags` {#waf-flags} 20 21 + Controls the flags passed to waf tool during build and install phases. For settings specific to build or install phases, use `wafBuildFlags` or `wafInstallFlags`, respectively. 22 23 #### `dontUseWafConfigure` {#dont-use-waf-configure} 24

+2 -2

doc/interoperability/cyclonedx.md

··· 47 The `nix:fod:method` property is required and must be accompanied by a `nix:store_path` property within the same property list. 48 All other properties in this namespace are method-specific. 49 To reproduce the build of a component the `nix:fod:method` value is resolved to an [appropriate function](#chap-pkgs-fetchers) within Nixpkgs whose arguments intersect with the given properties. 50 - When generating `nix:fod` properties the method selected should be a stable function with a minimal number arguments. 51 For example, the `fetchFromGitHub` is commonly used within Nixpkgs but should be reduced to a call to the function by which it is implemented, `fetchzip`. 52 53 | Property | Description | 54 |------------------|-------------| 55 - | `nix:fod:method` | Nixpkg function that produces this FOD. Required. Examples: `"fetchzip"`, `"fetchgit"` | 56 | `nix:fod:name` | Derivation name, present when method is `"fetchzip"` | 57 | `nix:fod:ref` | [Git ref](https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefrefaref), present when method is `"fetchgit"` | 58 | `nix:fod:rev` | [Git rev](https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefrevisionarevision), present when method is `"fetchgit"` |

··· 47 The `nix:fod:method` property is required and must be accompanied by a `nix:store_path` property within the same property list. 48 All other properties in this namespace are method-specific. 49 To reproduce the build of a component the `nix:fod:method` value is resolved to an [appropriate function](#chap-pkgs-fetchers) within Nixpkgs whose arguments intersect with the given properties. 50 + When generating `nix:fod` properties the method selected should be a stable function with a minimal number of arguments. 51 For example, the `fetchFromGitHub` is commonly used within Nixpkgs but should be reduced to a call to the function by which it is implemented, `fetchzip`. 52 53 | Property | Description | 54 |------------------|-------------| 55 + | `nix:fod:method` | Nixpkgs function that produces this FOD. Required. Examples: `"fetchzip"`, `"fetchgit"` | 56 | `nix:fod:name` | Derivation name, present when method is `"fetchzip"` | 57 | `nix:fod:ref` | [Git ref](https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefrefaref), present when method is `"fetchgit"` | 58 | `nix:fod:rev` | [Git rev](https://git-scm.com/docs/gitglossary#Documentation/gitglossary.txt-aiddefrevisionarevision), present when method is `"fetchgit"` |

+27 -2

doc/languages-frameworks/agda.section.md

··· 174 1. Always work together. 175 2. Are as up-to-date as possible. 176 177 - While the Haskell ecosystem is huge, and Stackage is highly automatised, 178 the Agda package set is small and can (still) be maintained by hand. 179 180 ### Adding Agda packages to Nixpkgs {#adding-agda-packages-to-nixpkgs} ··· 203 could use a similar set as in your `default.nix` from [Writing Agda Packages](#writing-agda-packages) with 204 `agdaPackages.mkDerivation` replaced with `mkDerivation`. 205 206 - When writing an Agda package it is essential to make sure that no `.agda-lib` file gets added to the store as a single file (for example by using `writeText`). This causes Agda to think that the nix store is a Agda library and it will attempt to write to it whenever it typechecks something. See [https://github.com/agda/agda/issues/4613](https://github.com/agda/agda/issues/4613). 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 207 208 In the pull request adding this library, 209 you can test whether it builds correctly by writing in a comment:

··· 174 1. Always work together. 175 2. Are as up-to-date as possible. 176 177 + While the Haskell ecosystem is huge, and Stackage is highly automated, 178 the Agda package set is small and can (still) be maintained by hand. 179 180 ### Adding Agda packages to Nixpkgs {#adding-agda-packages-to-nixpkgs} ··· 203 could use a similar set as in your `default.nix` from [Writing Agda Packages](#writing-agda-packages) with 204 `agdaPackages.mkDerivation` replaced with `mkDerivation`. 205 206 + Here is an example skeleton derivation for iowa-stdlib: 207 + 208 + ```nix 209 + mkDerivation { 210 + version = "1.5.0"; 211 + pname = "iowa-stdlib"; 212 + 213 + src = <...>; 214 + 215 + libraryFile = ""; 216 + libraryName = "IAL-1.3"; 217 + 218 + buildPhase = '' 219 + runHook preBuild 220 + 221 + patchShebangs find-deps.sh 222 + make 223 + 224 + runHook postBuild 225 + ''; 226 + } 227 + ``` 228 + 229 + This library has a file called `.agda-lib`, and so we give an empty string to `libraryFile` as nothing precedes `.agda-lib` in the filename. This file contains `name: IAL-1.3`, and so we let `libraryName = "IAL-1.3"`. This library does not use an `Everything.agda` file and instead has a Makefile, so there is no need to set `everythingFile` and we set a custom `buildPhase`. 230 + 231 + When writing an Agda package, it is essential to make sure that no `.agda-lib` file gets added to the store as a single file (for example by using `writeText`). This causes Agda to think that the nix store is a Agda library and it will attempt to write to it whenever it typechecks something. See [https://github.com/agda/agda/issues/4613](https://githcub.com/agda/agda/issues/4613). 232 233 In the pull request adding this library, 234 you can test whether it builds correctly by writing in a comment:

+2 -2

doc/languages-frameworks/android.section.md

··· 17 { buildInputs = [ androidStudioPackages.stable.full ]; } 18 ``` 19 20 - Alternatively, you can pass composeAndroidPackages to the `withSdk` passthru: 21 22 ```nix 23 { ··· 297 `local.properties` file with `sdk.dir` set to $ANDROID_HOME if one does not already 298 exist. If you are using the NDK as well, you may have to add `ndk.dir` to this file. 299 300 - An example shell.nix that does all this for you is provided in examples/shell.nix. 301 This shell.nix includes a shell hook that overwrites local.properties with the correct 302 sdk.dir and ndk.dir values. This will ensure that the SDK and NDK directories will 303 both be correct when you run Android Studio inside nix-shell.

··· 17 { buildInputs = [ androidStudioPackages.stable.full ]; } 18 ``` 19 20 + Alternatively, you can pass composeAndroidPackages to the `withSdk` passthrough: 21 22 ```nix 23 { ··· 297 `local.properties` file with `sdk.dir` set to $ANDROID_HOME if one does not already 298 exist. If you are using the NDK as well, you may have to add `ndk.dir` to this file. 299 300 + An example `shell.nix` that does all this for you is provided in `examples/shell.nix`. 301 This shell.nix includes a shell hook that overwrites local.properties with the correct 302 sdk.dir and ndk.dir values. This will ensure that the SDK and NDK directories will 303 both be correct when you run Android Studio inside nix-shell.

+2 -2

doc/languages-frameworks/astal.section.md

··· 4 5 ## Bundling {#astal-bundling} 6 7 - Bundling Astal application is done using `ags` tool, you can use it like this: 8 9 ```nix 10 ags.bundle { ··· 19 entry = "app.ts"; 20 21 dependencies = [ 22 - # list here astal modules, that your package depends on 23 # `astal3`, `astal4` and `astal.io` are automatically included 24 astal.apps 25 astal.battery

··· 4 5 ## Bundling {#astal-bundling} 6 7 + Bundling an Astal application is done using the `ags` tool. You can use it like this: 8 9 ```nix 10 ags.bundle { ··· 19 entry = "app.ts"; 20 21 dependencies = [ 22 + # list here astal modules that your package depends on 23 # `astal3`, `astal4` and `astal.io` are automatically included 24 astal.apps 25 astal.battery

+8 -8

doc/languages-frameworks/beam.section.md

··· 8 9 ### Elixir {#elixir} 10 11 - nixpkgs follows the [official elixir deprecation schedule](https://hexdocs.pm/elixir/compatibility-and-deprecations.html) and keeps the last 5 released versions of Elixir available. 12 13 ## Structure {#beam-structure} 14 ··· 89 90 #### mixRelease - Elixir Phoenix example {#mix-release-elixir-phoenix-example} 91 92 - there are 3 steps, frontend dependencies (javascript), backend dependencies (elixir) and the final derivation that puts both of those together 93 94 ##### mixRelease - Frontend dependencies (javascript) {#mix-release-javascript-deps} 95 96 - For phoenix projects, inside of nixpkgs you can either use yarn2nix (mkYarnModule) or node2nix. An example with yarn2nix can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/web-apps/plausible/default.nix#L39). An example with node2nix will follow. To package something outside of nixpkgs, you have alternatives like [npmlock2nix](https://github.com/nix-community/npmlock2nix) or [nix-npm-buildpackage](https://github.com/serokell/nix-npm-buildpackage) 97 98 ##### mixRelease - backend dependencies (mix) {#mix-release-mix-deps} 99 ··· 101 102 ###### mix2nix {#mix2nix} 103 104 - `mix2nix` is a cli tool available in nixpkgs. it will generate a nix expression from a mix.lock file. It is quite standard in the 2nix tool series. 105 106 Note that currently mix2nix can't handle git dependencies inside the mix.lock file. If you have git dependencies, you can either add them manually (see [example](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/pleroma/default.nix#L20)) or use the FOD method. 107 ··· 173 174 ##### mixRelease - example {#mix-release-example} 175 176 - Here is how your `default.nix` file would look for a phoenix project. 177 178 ```nix 179 with import <nixpkgs> { }; ··· 311 312 ### Creating a Shell {#creating-a-shell} 313 314 - Usually, we need to create a `shell.nix` file and do our development inside of the environment specified therein. Just install your version of Erlang and any other interpreters, and then use your normal build tools. As an example with Elixir: 315 316 ```nix 317 { ··· 327 328 ### Using an overlay {#beam-using-overlays} 329 330 - If you need to use an overlay to change some attributes of a derivation, e.g. if you need a bugfix from a version that is not yet available in nixpkgs, you can override attributes such as `version` (and the corresponding `hash`) and then use this overlay in your development environment: 331 332 #### `shell.nix` {#beam-using-overlays-shell.nix} 333 ··· 412 - create the db `createdb db` 413 - start the postgres instance `pg_ctl -l "$PGDATA/server.log" start` 414 - add the `/db` folder to your `.gitignore` 415 - - you can start your phoenix server and get a shell with `iex -S mix phx.server`

··· 8 9 ### Elixir {#elixir} 10 11 + Nixpkgs follows the [official elixir deprecation schedule](https://hexdocs.pm/elixir/compatibility-and-deprecations.html) and keeps the last 5 released versions of Elixir available. 12 13 ## Structure {#beam-structure} 14 ··· 89 90 #### mixRelease - Elixir Phoenix example {#mix-release-elixir-phoenix-example} 91 92 + there are 3 steps: frontend dependencies (javascript), backend dependencies (elixir), and the final derivation that puts both of those together 93 94 ##### mixRelease - Frontend dependencies (javascript) {#mix-release-javascript-deps} 95 96 + For phoenix projects, inside of Nixpkgs you can either use yarn2nix (mkYarnModule) or node2nix. An example with yarn2nix can be found [here](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/web-apps/plausible/default.nix#L39). An example with node2nix will follow. To package something outside of nixpkgs, you have alternatives like [npmlock2nix](https://github.com/nix-community/npmlock2nix) or [nix-npm-buildpackage](https://github.com/serokell/nix-npm-buildpackage) 97 98 ##### mixRelease - backend dependencies (mix) {#mix-release-mix-deps} 99 ··· 101 102 ###### mix2nix {#mix2nix} 103 104 + `mix2nix` is a cli tool available in Nixpkgs. It will generate a Nix expression from a `mix.lock` file. It is quite standard in the 2nix tool series. 105 106 Note that currently mix2nix can't handle git dependencies inside the mix.lock file. If you have git dependencies, you can either add them manually (see [example](https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/pleroma/default.nix#L20)) or use the FOD method. 107 ··· 173 174 ##### mixRelease - example {#mix-release-example} 175 176 + Here is how your `default.nix` file would look for a Phoenix project. 177 178 ```nix 179 with import <nixpkgs> { }; ··· 311 312 ### Creating a Shell {#creating-a-shell} 313 314 + Usually, we need to create a `shell.nix` file and do our development inside the environment specified therein. Just install your version of Erlang and any other interpreters, and then use your normal build tools. As an example, with Elixir: 315 316 ```nix 317 { ··· 327 328 ### Using an overlay {#beam-using-overlays} 329 330 + If you need to use an overlay to change some attributes of a derivation, e.g. if you need a bugfix from a version that is not yet available in Nixpkgs, you can override attributes such as `version` (and the corresponding `hash`) and then use this overlay in your development environment: 331 332 #### `shell.nix` {#beam-using-overlays-shell.nix} 333 ··· 412 - create the db `createdb db` 413 - start the postgres instance `pg_ctl -l "$PGDATA/server.log" start` 414 - add the `/db` folder to your `.gitignore` 415 + - you can start your Phoenix server and get a shell with `iex -S mix phx.server`

+1 -1

doc/languages-frameworks/bower.section.md

··· 132 133 1. The result of `buildBowerComponents` is an input to the frontend build. 134 2. Whether to symlink or copy the {file}`bower_components` directory depends on the build tool in use. 135 - In this case a copy is used to avoid {command}`gulp` silliness with permissions. 136 3. {command}`gulp` requires `HOME` to refer to a writeable directory. 137 4. The actual build command in this example is {command}`gulp`. Other tools could be used instead. 138

··· 132 133 1. The result of `buildBowerComponents` is an input to the frontend build. 134 2. Whether to symlink or copy the {file}`bower_components` directory depends on the build tool in use. 135 + In this case, a copy is used to avoid {command}`gulp` silliness with permissions. 136 3. {command}`gulp` requires `HOME` to refer to a writeable directory. 137 4. The actual build command in this example is {command}`gulp`. Other tools could be used instead. 138

+2 -2

doc/languages-frameworks/chicken.section.md

··· 53 ## Override Scope {#sec-chicken-override-scope} 54 55 The chicken package and its eggs, respectively, reside in a scope. This means, 56 - the scope can be overridden to effect other packages in it. 57 58 This example shows how to use a local copy of `srfi-180` and have it affect 59 all the other eggs: ··· 62 let 63 myChickenPackages = pkgs.chickenPackages.overrideScope ( 64 self: super: { 65 - # The chicken package itself can be overridden to effect the whole ecosystem. 66 # chicken = super.chicken.overrideAttrs { 67 # src = ... 68 # };

··· 53 ## Override Scope {#sec-chicken-override-scope} 54 55 The chicken package and its eggs, respectively, reside in a scope. This means, 56 + the scope can be overridden to affect other packages in it. 57 58 This example shows how to use a local copy of `srfi-180` and have it affect 59 all the other eggs: ··· 62 let 63 myChickenPackages = pkgs.chickenPackages.overrideScope ( 64 self: super: { 65 + # The chicken package itself can be overridden to affect the whole ecosystem. 66 # chicken = super.chicken.overrideAttrs { 67 # src = ... 68 # };

+1 -1

doc/languages-frameworks/coq.section.md

··· 2 3 ## Coq derivation: `coq` {#coq-derivation-coq} 4 5 - The Coq derivation is overridable through the `coq.override overrides`, where overrides is an attribute set which contains the arguments to override. We recommend overriding either of the following 6 7 * `version` (optional, defaults to the latest version of Coq selected for nixpkgs, see `pkgs/top-level/coq-packages` to witness this choice), which follows the conventions explained in the `coqPackages` section below, 8 * `customOCamlPackages` (optional, defaults to `null`, which lets Coq choose a version automatically), which can be set to any of the ocaml packages attribute of `ocaml-ng` (such as `ocaml-ng.ocamlPackages_4_10` which is the default for Coq 8.11 for example).

··· 2 3 ## Coq derivation: `coq` {#coq-derivation-coq} 4 5 + The Coq derivation is overridable through the `coq.override overrides`, where overrides is an attribute set which contains the arguments to override. We recommend overriding either of the following: 6 7 * `version` (optional, defaults to the latest version of Coq selected for nixpkgs, see `pkgs/top-level/coq-packages` to witness this choice), which follows the conventions explained in the `coqPackages` section below, 8 * `customOCamlPackages` (optional, defaults to `null`, which lets Coq choose a version automatically), which can be set to any of the ocaml packages attribute of `ocaml-ng` (such as `ocaml-ng.ocamlPackages_4_10` which is the default for Coq 8.11 for example).

+1 -1

doc/languages-frameworks/cuda.section.md

··· 265 266 #### Using docker-compose {#cuda-using-docker-compose} 267 268 - It's possible to expose GPU's to a `docker-compose` environment as well. With a `docker-compose.yaml` file like follows: 269 270 ```yaml 271 services:

··· 265 266 #### Using docker-compose {#cuda-using-docker-compose} 267 268 + It's possible to expose GPUs to a `docker-compose` environment as well. With a `docker-compose.yaml` file like follows: 269 270 ```yaml 271 services:

+3 -3

doc/languages-frameworks/dart.section.md

··· 25 26 If the package has Git package dependencies, the hashes must be provided in the `gitHashes` set. If a hash is missing, an error message prompting you to add it will be shown. 27 28 - The `dart` commands run can be overridden through `pubGetScript` and `dartCompileCommand`, you can also add flags using `dartCompileFlags` or `dartJitFlags`. 29 30 - Dart supports multiple [outputs types](https://dart.dev/tools/dart-compile#types-of-output), you can choose between them using `dartOutputType` (defaults to `exe`). If you want to override the binaries path or the source path they come from, you can use `dartEntryPoints`. Outputs that require a runtime will automatically be wrapped with the relevant runtime (`dartaotruntime` for `aot-snapshot`, `dart run` for `jit-snapshot` and `kernel`, `node` for `js`), this can be overridden through `dartRuntimeCommand`. 31 32 ```nix 33 { ··· 133 #### Entering the shell {#ssec-dart-flutter-nix-shell-enter} 134 135 By default, dependencies for only the `targetFlutterPlatform` are available in the 136 - build environment. This is useful for keeping closures small, but be problematic 137 during development. It's common, for example, to build Web apps for Linux during 138 development to take advantage of native features such as stateful hot reload. 139

··· 25 26 If the package has Git package dependencies, the hashes must be provided in the `gitHashes` set. If a hash is missing, an error message prompting you to add it will be shown. 27 28 + The `dart` commands run can be overridden through `pubGetScript` and `dartCompileCommand`; you can also add flags using `dartCompileFlags` or `dartJitFlags`. 29 30 + Dart supports multiple [outputs types](https://dart.dev/tools/dart-compile#types-of-output); you can choose between them using `dartOutputType` (defaults to `exe`). If you want to override the binaries path or the source path they come from, you can use `dartEntryPoints`. Outputs that require a runtime will automatically be wrapped with the relevant runtime (`dartaotruntime` for `aot-snapshot`, `dart run` for `jit-snapshot` and `kernel`, `node` for `js`); this can be overridden through `dartRuntimeCommand`. 31 32 ```nix 33 { ··· 133 #### Entering the shell {#ssec-dart-flutter-nix-shell-enter} 134 135 By default, dependencies for only the `targetFlutterPlatform` are available in the 136 + build environment. This is useful for keeping closures small but can be problematic 137 during development. It's common, for example, to build Web apps for Linux during 138 development to take advantage of native features such as stateful hot reload. 139

+10 -10

doc/languages-frameworks/dhall.section.md

··· 16 sha256:26b0ef498663d269e4dc6a82b0ee289ec565d683ef4c00d0ebdd25333a5a3c98 17 ``` 18 19 - … and if the import is cached then the interpreter will load the import from 20 - cache instead of fetching the URL. 21 22 Nixpkgs uses this trick to add all of a Dhall expression's dependencies into the 23 cache so that the Dhall interpreter never needs to resolve any remote URLs. In ··· 163 ``` 164 165 The `source.dhall` file is only present for packages that specify 166 - `source = true;`. By default, Dhall packages omit the `source.dhall` in order 167 - to conserve disk space when they are used exclusively as dependencies. For 168 example, if we build the Prelude package it will only contain the binary 169 encoding of the expression: 170 ··· 182 ``` 183 184 Typically, you only specify `source = true;` for the top-level Dhall expression 185 - of interest (such as our example `true.nix` Dhall package). However, if you 186 wish to specify `source = true` for all Dhall packages, then you can amend the 187 Dhall overlay like this: 188 ··· 267 * `src`: The directory containing Dhall code that you want to turn into a Dhall 268 package 269 270 - * `file`: The top-level file (`package.dhall` by default) that is the entrypoint 271 to the rest of the package 272 273 * `document`: Set to `true` to generate documentation for the package ··· 291 directory other than the root of the repository) 292 293 * `file`: The top-level file (`${directory}/package.dhall` by default) that is 294 - the entrypoint to the rest of the package 295 296 * `document`: Set to `true` to generate documentation for the package 297 ··· 410 ``` 411 412 … because the default Prelude selected by Nixpkgs revision 413 - `94b2848559b12a8ed1fe433084686b2a81123c99is` is version 20.1.0, which doesn't 414 - have the same integrity check as version 19.0.0. This means that version 415 - 19.0.0 is not cached and the interpreter is not allowed to fall back to 416 importing the URL. 417 418 However, we can override the default Prelude version by using `dhall-to-nixpkgs`

··· 16 sha256:26b0ef498663d269e4dc6a82b0ee289ec565d683ef4c00d0ebdd25333a5a3c98 17 ``` 18 19 + … and if the import is cached, then the interpreter will load the import from 20 + the cache instead of fetching the URL. 21 22 Nixpkgs uses this trick to add all of a Dhall expression's dependencies into the 23 cache so that the Dhall interpreter never needs to resolve any remote URLs. In ··· 163 ``` 164 165 The `source.dhall` file is only present for packages that specify 166 + `source = true;`. By default, Dhall packages omit the `source.dhall` in order 167 + to conserve disk space when they are used exclusively as dependencies. For 168 example, if we build the Prelude package it will only contain the binary 169 encoding of the expression: 170 ··· 182 ``` 183 184 Typically, you only specify `source = true;` for the top-level Dhall expression 185 + of interest (such as our example `true.nix` Dhall package). However, if you 186 wish to specify `source = true` for all Dhall packages, then you can amend the 187 Dhall overlay like this: 188 ··· 267 * `src`: The directory containing Dhall code that you want to turn into a Dhall 268 package 269 270 + * `file`: The top-level file (`package.dhall` by default) that is the entry point 271 to the rest of the package 272 273 * `document`: Set to `true` to generate documentation for the package ··· 291 directory other than the root of the repository) 292 293 * `file`: The top-level file (`${directory}/package.dhall` by default) that is 294 + the entry point to the rest of the package 295 296 * `document`: Set to `true` to generate documentation for the package 297 ··· 410 ``` 411 412 … because the default Prelude selected by Nixpkgs revision 413 + `94b2848559b12a8ed1fe433084686b2a81123c99` is version 20.1.0, which doesn't 414 + have the same integrity check as version 19.0.0. This means that version 415 + 19.0.0 is not cached, and the interpreter is not allowed to fall back to 416 importing the URL. 417 418 However, we can override the default Prelude version by using `dhall-to-nixpkgs`

+4 -4

doc/languages-frameworks/dlang.section.md

··· 47 Also note that running `dub test` is disabled by default. You can enable it by setting `doCheck = true`. 48 49 ## Lockfiles {#dub-lockfiles} 50 - Nixpkgs has its own lockfile format for `dub` dependencies, because `dub`'s official "lockfile" format (`dub.selections.json`) is not hash based. 51 52 A lockfile can be generated using the `dub-to-nix` helper package. 53 - * Firstly, install `dub-to-nix` into your shell session by running `nix-shell -p dub-to-nix` 54 - * Then navigate to the root of the source of the program you want to package 55 - * Finally, run `dub-to-nix` and it will print the lockfile to stdout. You could pipe stdout into a text file or just copy the output manually into a file. 56 57 ## `buildDubPackage` parameters {#builddubpackage-parameters} 58

··· 47 Also note that running `dub test` is disabled by default. You can enable it by setting `doCheck = true`. 48 49 ## Lockfiles {#dub-lockfiles} 50 + Nixpkgs has its own lockfile format for `dub` dependencies, because `dub`'s official "lockfile" format (`dub.selections.json`) is not hash-based. 51 52 A lockfile can be generated using the `dub-to-nix` helper package. 53 + * Firstly, install `dub-to-nix` into your shell session by running `nix-shell -p dub-to-nix`. 54 + * Then navigate to the root of the source of the program you want to package. 55 + * Finally, run `dub-to-nix`, and it will print the lockfile to stdout. You can pipe stdout into a text file or just copy the output manually into a file. 56 57 ## `buildDubPackage` parameters {#builddubpackage-parameters} 58

+4 -4

doc/languages-frameworks/dotnet.section.md

··· 35 } 36 ``` 37 38 - This will produce a dotnet installation that has the dotnet 8.0 9.0 sdk. The first sdk listed will have it's cli utility present in the resulting environment. Example info output: 39 40 ```ShellSession 41 $ dotnet --info ··· 121 * `buildType` is used to change the type of build. Possible values are `Release`, `Debug`, etc. By default, this is set to `Release`. 122 * `selfContainedBuild` allows to enable the [self-contained](https://docs.microsoft.com/en-us/dotnet/core/deploying/#publish-self-contained) build flag. By default, it is set to false and generated applications have a dependency on the selected dotnet runtime. If enabled, the dotnet runtime is bundled into the executable and the built app has no dependency on .NET. 123 * `useAppHost` will enable creation of a binary executable that runs the .NET application using the specified root. More info in [Microsoft docs](https://learn.microsoft.com/en-us/dotnet/core/deploying/#publish-framework-dependent). Enabled by default. 124 - * `useDotnetFromEnv` will change the binary wrapper so that it uses the .NET from the environment. The runtime specified by `dotnet-runtime` is given as a fallback in case no .NET is installed in the user's environment. This is most useful for .NET global tools and LSP servers, which often extend the .NET CLI and their runtime should match the users' .NET runtime. 125 * `dotnet-sdk` is useful in cases where you need to change what dotnet SDK is being used. You can also set this to the result of `dotnetSdkPackages.combinePackages`, if the project uses multiple SDKs to build. 126 * `dotnet-runtime` is useful in cases where you need to change what dotnet runtime is being used. This can be either a regular dotnet runtime, or an aspnetcore. 127 * `testProjectFile` is useful in cases where the regular project file does not contain the unit tests. It gets restored and build, but not installed. You may need to regenerate your nuget lockfile after setting this. Note that if set, only tests from this project are executed. ··· 250 Restored /home/ggg/git-credential-manager/src/shared/Git-Credential-Manager/Git-Credential-Manager.csproj (in 1.21 sec). 251 ``` 252 253 - Next, use `nuget-to-json` tool provided in nixpkgs to generate a lockfile to `deps.json` from 254 the packages inside the `out` directory. 255 256 ```bash 257 $ nuget-to-json out > deps.json 258 ``` 259 - Which `nuget-to-json` will generate an output similar to below 260 ```json 261 [ 262 {

··· 35 } 36 ``` 37 38 + This will produce a dotnet installation that has the dotnet 8.0 9.0 sdk. The first sdk listed will have its cli utility present in the resulting environment. Example info output: 39 40 ```ShellSession 41 $ dotnet --info ··· 121 * `buildType` is used to change the type of build. Possible values are `Release`, `Debug`, etc. By default, this is set to `Release`. 122 * `selfContainedBuild` allows to enable the [self-contained](https://docs.microsoft.com/en-us/dotnet/core/deploying/#publish-self-contained) build flag. By default, it is set to false and generated applications have a dependency on the selected dotnet runtime. If enabled, the dotnet runtime is bundled into the executable and the built app has no dependency on .NET. 123 * `useAppHost` will enable creation of a binary executable that runs the .NET application using the specified root. More info in [Microsoft docs](https://learn.microsoft.com/en-us/dotnet/core/deploying/#publish-framework-dependent). Enabled by default. 124 + * `useDotnetFromEnv` will change the binary wrapper so that it uses the .NET from the environment. The runtime specified by `dotnet-runtime` is given as a fallback in case no .NET is installed in the user's environment. This is most useful for .NET global tools and LSP servers, which often extend the .NET CLI and their runtime should match the user's .NET runtime. 125 * `dotnet-sdk` is useful in cases where you need to change what dotnet SDK is being used. You can also set this to the result of `dotnetSdkPackages.combinePackages`, if the project uses multiple SDKs to build. 126 * `dotnet-runtime` is useful in cases where you need to change what dotnet runtime is being used. This can be either a regular dotnet runtime, or an aspnetcore. 127 * `testProjectFile` is useful in cases where the regular project file does not contain the unit tests. It gets restored and build, but not installed. You may need to regenerate your nuget lockfile after setting this. Note that if set, only tests from this project are executed. ··· 250 Restored /home/ggg/git-credential-manager/src/shared/Git-Credential-Manager/Git-Credential-Manager.csproj (in 1.21 sec). 251 ``` 252 253 + Next, use the `nuget-to-json` tool provided in Nixpkgs to generate a lockfile to `deps.json` from 254 the packages inside the `out` directory. 255 256 ```bash 257 $ nuget-to-json out > deps.json 258 ``` 259 + The `nuget-to-json` tool will generate an output similar to the one below 260 ```json 261 [ 262 {

+3 -3

doc/languages-frameworks/factor.section.md

··· 49 `work` is routed to `/var/lib/factor` and is not shipped nor referenced in the nix store, see the section on [scaffolding](#ssec-factor-scaffolding). 50 You should usually use `extra`, but you can use the other roots to overwrite built-in vocabularies. 51 Be aware that vocabularies in `core` are part of the Factor image which the development environment is run from. 52 - This means the code in those vocabularies is not loaded from the sources, such that you need to call `refresh-all` to re-compile and load the changed definitions. 53 In these instances, it is advised to override the `factor-unwrapped` package directly, which compiles and packages the core Factor libraries into the default Factor 54 image. 55 ··· 97 ``` 98 99 The vocabulary goes to `lib/factor/extra`, extra files, like licenses etc. would go to `share/` as usual and could be added to the output via a `postInstall` phase. 100 - In case the vocabulary binds to a shared library or calls a binary that needs to be present in the runtime environment of its users, add `extraPaths` and `extraLibs` attributes respectively. 101 They are then picked up by the `buildFactorApplication` function and added as runtime dependencies. 102 103 ## Building Applications {#ssec-factor-applications} ··· 175 }) 176 ``` 177 178 - The use of the `src.name` and`sourceRoot` attributes conveniently establish the necessary `painter` vocabulary directory that is needed for the deployment to work. 179 180 It requires the packager to specify the full set of binaries to be made available at runtime. 181 This enables the standard pattern for application packages to specify all runtime dependencies explicitly without the Factor runtime interfering.

··· 49 `work` is routed to `/var/lib/factor` and is not shipped nor referenced in the nix store, see the section on [scaffolding](#ssec-factor-scaffolding). 50 You should usually use `extra`, but you can use the other roots to overwrite built-in vocabularies. 51 Be aware that vocabularies in `core` are part of the Factor image which the development environment is run from. 52 + This means the code in those vocabularies is not loaded from the sources, such that you need to call `refresh-all` to recompile and load the changed definitions. 53 In these instances, it is advised to override the `factor-unwrapped` package directly, which compiles and packages the core Factor libraries into the default Factor 54 image. 55 ··· 97 ``` 98 99 The vocabulary goes to `lib/factor/extra`, extra files, like licenses etc. would go to `share/` as usual and could be added to the output via a `postInstall` phase. 100 + In case the vocabulary binds to a shared library or calls a binary that needs to be present in the runtime environment of its users, add `extraPaths` and `extraLibs` attributes, respectively. 101 They are then picked up by the `buildFactorApplication` function and added as runtime dependencies. 102 103 ## Building Applications {#ssec-factor-applications} ··· 175 }) 176 ``` 177 178 + The use of the `src.name` and `sourceRoot` attributes conveniently establish the necessary `painter` vocabulary directory that is needed for the deployment to work. 179 180 It requires the packager to specify the full set of binaries to be made available at runtime. 181 This enables the standard pattern for application packages to specify all runtime dependencies explicitly without the Factor runtime interfering.

+4 -4

doc/languages-frameworks/go.section.md

··· 67 You can read more about [vendoring in the Go documentation](https://go.dev/ref/mod#vendoring). 68 69 To obtain the hash, set `vendorHash = lib.fakeHash;` and run the build. ([more details here](#sec-source-hashes)). 70 - Another way is to use use `nix-prefetch` to obtain the hash. The following command gets the value of `vendorHash` for package `pet`: 71 72 73 ```sh ··· 108 ### `modPostBuild` {#var-go-modPostBuild} 109 110 Shell commands to run after the build of the goModules executes `go mod vendor`, and before calculating fixed output derivation's `vendorHash`. 111 - Note that if you change this attribute, you need to update `vendorHash` attribute. 112 113 114 ### `modRoot` {#var-go-modRoot} ··· 197 198 Beside `buildGoModule`, there are also versioned builders available that pin a specific Go version, like `buildGo124Module` for Go 1.24. 199 Similar, versioned toolchains are available, like `go_1_24` for Go 1.24. 200 - Both builder and toolchain of a certain version will be removed as soon as the Go version reaches end of life. 201 202 As toolchain updates in nixpkgs cause mass rebuilds and must go through the staging cycle, it can take a while until a new Go minor version is available to consumers of nixpkgs. 203 If you want quicker access to the latest minor, use `go_latest` toolchain and `buildGoLatestModule` builder. ··· 248 249 ### `env.CGO_ENABLED` {#var-go-CGO_ENABLED} 250 251 - When set to `0`, the [cgo](https://pkg.go.dev/cmd/cgo) command is disabled. As consequence, the build 252 program can't link against C libraries anymore, and the resulting binary is statically linked. 253 254 When building with CGO enabled, Go will likely link some packages from the Go standard library against C libraries,

··· 67 You can read more about [vendoring in the Go documentation](https://go.dev/ref/mod#vendoring). 68 69 To obtain the hash, set `vendorHash = lib.fakeHash;` and run the build. ([more details here](#sec-source-hashes)). 70 + Another way is to use `nix-prefetch` to obtain the hash. The following command gets the value of `vendorHash` for package `pet`: 71 72 73 ```sh ··· 108 ### `modPostBuild` {#var-go-modPostBuild} 109 110 Shell commands to run after the build of the goModules executes `go mod vendor`, and before calculating fixed output derivation's `vendorHash`. 111 + Note that if you change this attribute, you need to update the `vendorHash` attribute. 112 113 114 ### `modRoot` {#var-go-modRoot} ··· 197 198 Beside `buildGoModule`, there are also versioned builders available that pin a specific Go version, like `buildGo124Module` for Go 1.24. 199 Similar, versioned toolchains are available, like `go_1_24` for Go 1.24. 200 + Both builder and toolchain of a certain version will be removed as soon as the Go version reaches its end of life. 201 202 As toolchain updates in nixpkgs cause mass rebuilds and must go through the staging cycle, it can take a while until a new Go minor version is available to consumers of nixpkgs. 203 If you want quicker access to the latest minor, use `go_latest` toolchain and `buildGoLatestModule` builder. ··· 248 249 ### `env.CGO_ENABLED` {#var-go-CGO_ENABLED} 250 251 + When set to `0`, the [cgo](https://pkg.go.dev/cmd/cgo) command is disabled. As a consequence, the build 252 program can't link against C libraries anymore, and the resulting binary is statically linked. 253 254 When building with CGO enabled, Go will likely link some packages from the Go standard library against C libraries,

+2 -2

doc/languages-frameworks/gradle.section.md

··· 7 8 ## Building a Gradle package {#building-a-gradle-package} 9 10 - Here's how a typical derivation will look like: 11 12 ```nix 13 stdenv.mkDerivation (finalAttrs: { ··· 69 expression (for example, if your package isn't located in nixpkgs, or if 70 you want to override some of its attributes), you will usually have to 71 pass `pkg` instead of `pname` to `gradle.fetchDeps`. There are two ways 72 - of doing it. 73 74 The first is to add the derivation arguments required for getting the 75 package. Using the pdftk example above:

··· 7 8 ## Building a Gradle package {#building-a-gradle-package} 9 10 + Here's how a typical derivation will look: 11 12 ```nix 13 stdenv.mkDerivation (finalAttrs: { ··· 69 expression (for example, if your package isn't located in nixpkgs, or if 70 you want to override some of its attributes), you will usually have to 71 pass `pkg` instead of `pname` to `gradle.fetchDeps`. There are two ways 72 + of doing so. 73 74 The first is to add the derivation arguments required for getting the 75 package. Using the pdftk example above:

+11 -11

doc/languages-frameworks/haskell.section.md

··· 17 * `ghc` is the default version of GHC 18 * Language specific tools: `cabal-install`, `stack`, `hpack`, … 19 20 - Many “normal” user facing packages written in Haskell, like `niv` or `cachix`, 21 are also exposed at the top level, and there is nothing Haskell specific to 22 installing and using them. 23 ··· 57 Each of those compiler versions has a corresponding attribute set `packages` built with 58 it. However, the non-standard package sets are not tested regularly and, as a 59 result, contain fewer working packages. The corresponding package set for GHC 60 - 9.4.8 is `haskell.packages.ghc948`. In fact `haskellPackages` (at the time of writing) is just an alias 61 for `haskell.packages.ghc984`: 62 63 Every package set also re-exposes the GHC used to build its packages as `haskell.packages.*.ghc`. ··· 110 111 Normally when you build Haskell packages with `cabal-install`, `cabal-install` 112 does dependency resolution. It will look at all Haskell package versions known 113 - on Hackage and tries to pick for every (transitive) dependency of your build 114 exactly one version. Those versions need to satisfy all the version constraints 115 given in the `.cabal` file of your package and all its dependencies. 116 117 The [Haskell builder in nixpkgs](#haskell-mkderivation) does no such thing. 118 - It will take as input packages with names off the desired dependencies 119 and just check whether they fulfill the version bounds and fail if they don’t 120 (by default, see `jailbreak` to circumvent this). 121 ··· 131 ### Limitations {#haskell-limitations} 132 133 Our main objective with `haskellPackages` is to package Haskell software in 134 - nixpkgs. This entails some limitations, partially due to self-imposed 135 - restrictions of nixpkgs, partially in the name of maintainability: 136 137 * Only the packages built with the default compiler see extensive testing of the 138 whole package set. For other GHC versions only a few essential packages are ··· 184 185 ## `haskellPackages.mkDerivation` {#haskell-mkderivation} 186 187 - Every haskell package set has its own haskell-aware `mkDerivation` which is used 188 to build its packages. Generally you won't have to interact with this builder 189 since [cabal2nix](#haskell-cabal2nix) can generate packages 190 using it for an arbitrary cabal package definition. Still it is useful to know ··· 192 [override](#haskell-overriding-haskell-packages) a generated Nix expression. 193 194 `haskellPackages.mkDerivation` is a wrapper around `stdenv.mkDerivation` which 195 - re-defines the default phases to be haskell aware and handles dependency 196 specification, test suites, benchmarks etc. by compiling and invoking the 197 package's `Setup.hs`. It does *not* use or invoke the `cabal-install` binary, 198 but uses the underlying `Cabal` library instead. ··· 541 542 ## Development environments {#haskell-development-environments} 543 544 - In addition to building and installing Haskell software, nixpkgs can also 545 provide development environments for Haskell projects. This has the obvious 546 advantage that you benefit from `cache.nixos.org` and no longer need to compile 547 all project dependencies yourself. While it is often very useful, this is not ··· 720 721 ### haskell-language-server {#haskell-language-server} 722 723 - To use HLS in short: Install `pkgs.haskell-language-server` e.g. in 724 `nativeBuildInputs` in `shellFor` and use the `haskell-language-server-wrapper` 725 command to run it. See the [HLS user guide] on how to configure your text 726 editor to use HLS and how to test your setup. ··· 754 755 Be careful when installing HLS globally and using a pinned nixpkgs for a 756 Haskell project in a `nix-shell`. If the nixpkgs versions deviate to much 757 - (e.g., use different `glibc` versions) the `haskell-language-server-?.?.?` 758 executable will try to detect these situations and refuse to start. It is 759 recommended to obtain HLS via `nix-shell` from the nixpkgs version pinned in 760 there instead.

··· 17 * `ghc` is the default version of GHC 18 * Language specific tools: `cabal-install`, `stack`, `hpack`, … 19 20 + Many “normal” user-facing packages written in Haskell, like `niv` or `cachix`, 21 are also exposed at the top level, and there is nothing Haskell specific to 22 installing and using them. 23 ··· 57 Each of those compiler versions has a corresponding attribute set `packages` built with 58 it. However, the non-standard package sets are not tested regularly and, as a 59 result, contain fewer working packages. The corresponding package set for GHC 60 + 9.4.8 is `haskell.packages.ghc948`. In fact, `haskellPackages` (at the time of writing) is just an alias 61 for `haskell.packages.ghc984`: 62 63 Every package set also re-exposes the GHC used to build its packages as `haskell.packages.*.ghc`. ··· 110 111 Normally when you build Haskell packages with `cabal-install`, `cabal-install` 112 does dependency resolution. It will look at all Haskell package versions known 113 + on Hackage and try to pick for every (transitive) dependency of your build 114 exactly one version. Those versions need to satisfy all the version constraints 115 given in the `.cabal` file of your package and all its dependencies. 116 117 The [Haskell builder in nixpkgs](#haskell-mkderivation) does no such thing. 118 + It will take as input packages with names of the desired dependencies 119 and just check whether they fulfill the version bounds and fail if they don’t 120 (by default, see `jailbreak` to circumvent this). 121 ··· 131 ### Limitations {#haskell-limitations} 132 133 Our main objective with `haskellPackages` is to package Haskell software in 134 + Nixpkgs. This entails some limitations, partially due to self-imposed 135 + restrictions of Nixpkgs, partially in the name of maintainability: 136 137 * Only the packages built with the default compiler see extensive testing of the 138 whole package set. For other GHC versions only a few essential packages are ··· 184 185 ## `haskellPackages.mkDerivation` {#haskell-mkderivation} 186 187 + Every Haskell package set has its own Haskell-aware `mkDerivation` which is used 188 to build its packages. Generally you won't have to interact with this builder 189 since [cabal2nix](#haskell-cabal2nix) can generate packages 190 using it for an arbitrary cabal package definition. Still it is useful to know ··· 192 [override](#haskell-overriding-haskell-packages) a generated Nix expression. 193 194 `haskellPackages.mkDerivation` is a wrapper around `stdenv.mkDerivation` which 195 + re-defines the default phases to be Haskell-aware and handles dependency 196 specification, test suites, benchmarks etc. by compiling and invoking the 197 package's `Setup.hs`. It does *not* use or invoke the `cabal-install` binary, 198 but uses the underlying `Cabal` library instead. ··· 541 542 ## Development environments {#haskell-development-environments} 543 544 + In addition to building and installing Haskell software, Nixpkgs can also 545 provide development environments for Haskell projects. This has the obvious 546 advantage that you benefit from `cache.nixos.org` and no longer need to compile 547 all project dependencies yourself. While it is often very useful, this is not ··· 720 721 ### haskell-language-server {#haskell-language-server} 722 723 + To use HLS in short: Install `pkgs.haskell-language-server`, e.g. in 724 `nativeBuildInputs` in `shellFor` and use the `haskell-language-server-wrapper` 725 command to run it. See the [HLS user guide] on how to configure your text 726 editor to use HLS and how to test your setup. ··· 754 755 Be careful when installing HLS globally and using a pinned nixpkgs for a 756 Haskell project in a `nix-shell`. If the nixpkgs versions deviate to much 757 + (e.g., use different `glibc` versions) the `haskell-language-server-?.?.?` 758 executable will try to detect these situations and refuse to start. It is 759 recommended to obtain HLS via `nix-shell` from the nixpkgs version pinned in 760 there instead.

+2 -2

doc/languages-frameworks/hy.section.md

··· 12 13 ### Installation with packages {#installation-with-packages} 14 15 - Creating `hy` derivation with custom `python` packages is really simple and similar to the way that python does it. Attribute `hy` provides function `withPackages` that creates custom `hy` derivation with specified packages. 16 17 - For example if you want to create shell with `matplotlib` and `numpy`, you can do it like so: 18 19 ```ShellSession 20 $ nix-shell -p "hy.withPackages (ps: with ps; [ numpy matplotlib ])"

··· 12 13 ### Installation with packages {#installation-with-packages} 14 15 + Creating a `hy` derivation with custom `python` packages is really simple and similar to the way that python does it. The attribute `hy` provides the function `withPackages` that creates a custom `hy` derivation with specified packages. 16 17 + For example, if you want to create a shell with `matplotlib` and `numpy`, you can do it like so: 18 19 ```ShellSession 20 $ nix-shell -p "hy.withPackages (ps: with ps; [ numpy matplotlib ])"

+1 -1

doc/languages-frameworks/idris2.section.md

··· 24 lspLibPkg.library { withSource = true; } 25 ``` 26 27 - The above results in a derivation with the installed library results (with sourcecode). 28 29 A slightly more involved example of a fully packaged executable would be the [`idris2-lsp`](https://github.com/idris-community/idris2-lsp) which is an Idris2 language server that uses the `LSP-lib` found above. 30 ```nix

··· 24 lspLibPkg.library { withSource = true; } 25 ``` 26 27 + The above results in a derivation with the installed library results (with source code). 28 29 A slightly more involved example of a fully packaged executable would be the [`idris2-lsp`](https://github.com/idris-community/idris2-lsp) which is an Idris2 language server that uses the `LSP-lib` found above. 30 ```nix

+2 -2

doc/languages-frameworks/ios.section.md

··· 103 It also possible to adjust the `xcodebuild` parameters. This is only needed in 104 rare circumstances. In most cases the default values should suffice: 105 106 - * Specifies which `xcodebuild` target to build. By default it takes the target 107 that has the same name as the app. 108 * The `configuration` parameter can be overridden if desired. By default, it 109 will do a debug build for the simulator and a release build for real devices. ··· 120 121 * `certificateFile` refers to a P12 certificate file. 122 * `certificatePassword` specifies the password of the P12 certificate. 123 - * `provisioningProfile` refers to the provision profile needed to sign the app 124 * `signMethod` should refer to `ad-hoc` for signing the app with an ad-hoc 125 certificate, `enterprise` for enterprise certificates and `app-store` for App 126 store certificates.

··· 103 It also possible to adjust the `xcodebuild` parameters. This is only needed in 104 rare circumstances. In most cases the default values should suffice: 105 106 + * `target` specifies which `xcodebuild` target to build. By default it takes the target 107 that has the same name as the app. 108 * The `configuration` parameter can be overridden if desired. By default, it 109 will do a debug build for the simulator and a release build for real devices. ··· 120 121 * `certificateFile` refers to a P12 certificate file. 122 * `certificatePassword` specifies the password of the P12 certificate. 123 + * `provisioningProfile` refers to the provisioning profile needed to sign the app 124 * `signMethod` should refer to `ad-hoc` for signing the app with an ad-hoc 125 certificate, `enterprise` for enterprise certificates and `app-store` for App 126 store certificates.

+2 -2

doc/languages-frameworks/java.section.md

··· 42 Using it, however, does not always guarantee reproducibility. 43 44 JAR files that are intended to be used by other packages should be 45 - installed in `$out/share/java`. JDKs have a stdenv setup hook that add 46 any JARs in the `share/java` directories of the build inputs to the 47 `CLASSPATH` environment variable. For instance, if the package `libfoo` 48 installs a JAR named `foo.jar` in its `share/java` directory, and ··· 84 Java distributions typically no longer ship with a general-purpose JRE: 85 instead, they allow generating a JRE with only the modules required for 86 your application(s). Because we can't predict what modules will be 87 - needed on a general-purpose system, the default jre package is the full 88 JDK. When building a minimal system/image, you can override the 89 `modules` parameter on `jre_minimal` to build a JRE with only the 90 modules relevant for you:

··· 42 Using it, however, does not always guarantee reproducibility. 43 44 JAR files that are intended to be used by other packages should be 45 + installed in `$out/share/java`. JDKs have a `stdenv` setup hook that adds 46 any JARs in the `share/java` directories of the build inputs to the 47 `CLASSPATH` environment variable. For instance, if the package `libfoo` 48 installs a JAR named `foo.jar` in its `share/java` directory, and ··· 84 Java distributions typically no longer ship with a general-purpose JRE: 85 instead, they allow generating a JRE with only the modules required for 86 your application(s). Because we can't predict what modules will be 87 + needed on a general-purpose system, the default `jre` package is the full 88 JDK. When building a minimal system/image, you can override the 89 `modules` parameter on `jre_minimal` to build a JRE with only the 90 modules relevant for you:

+24 -24

doc/languages-frameworks/javascript.section.md

··· 2 3 ## Introduction {#javascript-introduction} 4 5 - This contains instructions on how to package javascript applications. 6 7 The various tools available will be listed in the [tools-overview](#javascript-tools-overview). 8 Some general principles for packaging will follow. 9 - Finally some tool specific instructions will be given. 10 11 ## Getting unstuck / finding code examples {#javascript-finding-examples} 12 13 - If you find you are lacking inspiration for packaging javascript applications, the links below might prove useful. 14 Searching online for prior art can be helpful if you are running into solved problems. 15 16 ### Github {#javascript-finding-examples-github} ··· 43 Guidelines of package managers, recommend to commit those lock files to the repos. 44 If a particular lock file is present, it is a strong indication of which package manager is used upstream. 45 46 - It's better to try to use a Nix tool that understand the lock file. 47 - Using a different tool might give you hard to understand error because different packages have been installed. 48 An example of problems that could arise can be found [here](https://github.com/NixOS/nixpkgs/pull/126629). 49 Upstream use npm, but this is an attempt to package it with `yarn2nix` (that uses yarn.lock). 50 51 - Using a different tool forces to commit a lock file to the repository. 52 - Those files are fairly large, so when packaging for nixpkgs, this approach does not scale well. 53 54 Exceptions to this rule are: 55 56 - - When you encounter one of the bugs from a Nix tool. In each of the tool specific instructions, known problems will be detailed. If you have a problem with a particular tool, then it's best to try another tool, even if this means you will have to recreate a lock file and commit it to nixpkgs. In general `yarn2nix` has less known problems and so a simple search in nixpkgs will reveal many yarn.lock files committed. 57 - Some lock files contain particular version of a package that has been pulled off npm for some reason. In that case, you can recreate upstream lock (by removing the original and `npm install`, `yarn`, ...) and commit this to nixpkgs. 58 - The only tool that supports workspaces (a feature of npm that helps manage sub-directories with different package.json from a single top level package.json) is `yarn2nix`. If upstream has workspaces you should try `yarn2nix`. 59 ··· 61 62 Exceptions to this rule are: 63 64 - - Sometimes the upstream repo assumes some dependencies be installed globally. In that case you can add them manually to the upstream package.json (`yarn add xxx` or `npm install xxx`, ...). Dependencies that are installed locally can be executed with `npx` for CLI tools. (e.g. `npx postcss ...`, this is how you can call those dependencies in the phases). 65 - Sometimes there is a version conflict between some dependency requirements. In that case you can fix a version by removing the `^`. 66 - Sometimes the script defined in the package.json does not work as is. Some scripts for example use CLI tools that might not be available, or cd in directory with a different package.json (for workspaces notably). In that case, it's perfectly fine to look at what the particular script is doing and break this down in the phases. In the build script you can see `build:*` calling in turns several other build scripts like `build:ui` or `build:server`. If one of those fails, you can try to separate those into, 67 ··· 99 100 The [pkgs/development/node-packages](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/node-packages) folder contains a generated collection of [npm packages](https://npmjs.com/) that can be installed with the Nix package manager. 101 102 - As a rule of thumb, the package set should only provide _end user_ software packages, such as command-line utilities. 103 Libraries should only be added to the package set if there is a non-npm package that requires it. 104 105 When it is desired to use npm libraries in a development project, use the `node2nix` generator directly on the `package.json` configuration file of the project. ··· 132 } 133 ``` 134 135 - ### Adding and Updating Javascript packages in nixpkgs {#javascript-adding-or-updating-packages} 136 137 - To add a package from npm to nixpkgs: 138 139 1. Modify [pkgs/development/node-packages/node-packages.json](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/node-packages/node-packages.json) to add, update or remove package entries to have it included in `nodePackages` and `nodePackages_latest`. 140 2. Run the script: ··· 161 162 For more information about the generation process, consult the [README.md](https://github.com/svanderburg/node2nix) file of the `node2nix` tool. 163 164 - To update npm packages in nixpkgs, run the same `generate.sh` script: 165 166 ```sh 167 ./pkgs/development/node-packages/generate.sh ··· 182 git config --global url."https://github.com/".insteadOf git://github.com/ 183 ``` 184 185 - ## Tool specific instructions {#javascript-tool-specific} 186 187 ### buildNpmPackage {#javascript-buildNpmPackage} 188 ··· 381 will create a development shell where a `node_modules` directory is created & packages symlinked to the Nix store when activated. 382 383 :::{.note} 384 - Commands like `npm install` & `npm add` that writes packages & executables needs to be used with `--package-lock-only`. 385 386 This means `npm` installs dependencies by writing into `package-lock.json` without modifying the `node_modules` folder. Installation happens through reloading the devShell. 387 This might be best practice since it gives the `nix shell` virtually exclusive ownership over your `node_modules` folder. ··· 416 417 Pnpm is available as the top-level package `pnpm`. Additionally, there are variants pinned to certain major versions, like `pnpm_8` and `pnpm_9`, which support different sets of lock file versions. 418 419 - When packaging an application that includes a `pnpm-lock.yaml`, you need to fetch the pnpm store for that project using a fixed-output-derivation. The functions `pnpm_8.fetchDeps` and `pnpm_9.fetchDeps` can create this pnpm store derivation. In conjunction, the setup hooks `pnpm_8.configHook` and `pnpm_9.configHook` will prepare the build environment to install the prefetched dependencies store. Here is an example for a package that contains a `package.json` and a `pnpm-lock.yaml` files using the above `pnpm_` attributes: 420 421 ```nix 422 { ··· 447 }) 448 ``` 449 450 - NOTE: It is highly recommended to use a pinned version of pnpm (i.e. `pnpm_8` or `pnpm_9`), to increase future reproducibility. It might also be required to use an older version, if the package needs support for a certain lock file version. 451 452 - In case you are patching `package.json` or `pnpm-lock.yaml`, make sure to pass `finalAttrs.patches` to the function as well (i.e. `inherit (finalAttrs) patches`. 453 454 `pnpm.configHook` supports adding additional `pnpm install` flags via `pnpmInstallFlags` which can be set to a Nix string array: 455 ··· 520 The above would make `pnpm.fetchDeps` call only install dependencies for the `@astrojs/language-server` workspace package. 521 Note that you do not need to set `sourceRoot` to make this work. 522 523 - Usually in such cases, you'd want to use `pnpm --filter=<pnpm workspace name> build` to build your project, as `npmHooks.npmBuildHook` probably won't work. A `buildPhase` based on the following example will probably fit most workspace projects: 524 525 ```nix 526 { ··· 687 688 ##### mkYarnPackage {#javascript-yarn2nix-mkYarnPackage} 689 690 - `mkYarnPackage` will by default try to generate a binary. For package only generating static assets (Svelte, Vue, React, WebPack, ...), you will need to explicitly override the build step with your instructions. 691 692 It's important to use the `--offline` flag. For example if you script is `"build": "something"` in `package.json` use: 693 ··· 711 { doDist = false; } 712 ``` 713 714 - The configure phase can sometimes fail because it makes many assumptions which may not always apply. One common override is: 715 716 ```nix 717 { ··· 743 ##### mkYarnModules {#javascript-yarn2nix-mkYarnModules} 744 745 This will generate a derivation including the `node_modules` directory. 746 - If you have to build a derivation for an integrated web framework (rails, phoenix..), this is probably the easiest way. 747 748 #### Overriding dependency behavior {#javascript-mkYarnPackage-overriding-dependencies} 749 ··· 866 Internally, this uses a patched version of Yarn to ensure git dependencies are re-packed and any attempted downloads fail immediately. 867 868 ##### Patching upstream `package.json` or `yarn.lock` files {#javascript-yarnBerry-patching} 869 - In case patching the upstream `package.json` or `yarn.lock` is needed, it's important to pass `finalAttrs.patches` to `fetchYarnBerryDeps` as well, so the patched variants are picked up (i.e. `inherit (finalAttrs) patches`. 870 871 ##### Missing hashes in the `yarn.lock` file {#javascript-yarnBerry-missing-hashes} 872 Unfortunately, `yarn.lock` files do not include hashes for optional/platform-specific dependencies. This is [by design](https://github.com/yarnpkg/berry/issues/6759). ··· 908 ## Outside Nixpkgs {#javascript-outside-nixpkgs} 909 910 There are some other tools available, which are written in the Nix language. 911 - These that can't be used inside Nixpkgs because they require [Import From Derivation](#ssec-import-from-derivation), which is not allowed in Nixpkgs. 912 913 If you are packaging something outside Nixpkgs, consider the following: 914

··· 2 3 ## Introduction {#javascript-introduction} 4 5 + This contains instructions on how to package JavaScript applications. 6 7 The various tools available will be listed in the [tools-overview](#javascript-tools-overview). 8 Some general principles for packaging will follow. 9 + Finally, some tool-specific instructions will be given. 10 11 ## Getting unstuck / finding code examples {#javascript-finding-examples} 12 13 + If you find you are lacking inspiration for packaging JavaScript applications, the links below might prove useful. 14 Searching online for prior art can be helpful if you are running into solved problems. 15 16 ### Github {#javascript-finding-examples-github} ··· 43 Guidelines of package managers, recommend to commit those lock files to the repos. 44 If a particular lock file is present, it is a strong indication of which package manager is used upstream. 45 46 + It's better to try to use a Nix tool that understands the lock file. 47 + Using a different tool might give you a hard-to-understand error because different packages have been installed. 48 An example of problems that could arise can be found [here](https://github.com/NixOS/nixpkgs/pull/126629). 49 Upstream use npm, but this is an attempt to package it with `yarn2nix` (that uses yarn.lock). 50 51 + Using a different tool forces you to commit a lock file to the repository. 52 + These files are fairly large, so when packaging for nixpkgs, this approach does not scale well. 53 54 Exceptions to this rule are: 55 56 + - When you encounter one of the bugs from a Nix tool. In each of the tool-specific instructions, known problems will be detailed. If you have a problem with a particular tool, then it's best to try another tool, even if this means you will have to re-create a lock file and commit it to Nixpkgs. In general `yarn2nix` has fewer known problems, and so a simple search in Nixpkgs will reveal many `yarn.lock` files committed. 57 - Some lock files contain particular version of a package that has been pulled off npm for some reason. In that case, you can recreate upstream lock (by removing the original and `npm install`, `yarn`, ...) and commit this to nixpkgs. 58 - The only tool that supports workspaces (a feature of npm that helps manage sub-directories with different package.json from a single top level package.json) is `yarn2nix`. If upstream has workspaces you should try `yarn2nix`. 59 ··· 61 62 Exceptions to this rule are: 63 64 + - Sometimes the upstream repo assumes some dependencies should be installed globally. In that case, you can add them manually to the upstream `package.json` (`yarn add xxx` or `npm install xxx`, ...). Dependencies that are installed locally can be executed with `npx` for CLI tools (e.g. `npx postcss ...`, this is how you can call those dependencies in the phases). 65 - Sometimes there is a version conflict between some dependency requirements. In that case you can fix a version by removing the `^`. 66 - Sometimes the script defined in the package.json does not work as is. Some scripts for example use CLI tools that might not be available, or cd in directory with a different package.json (for workspaces notably). In that case, it's perfectly fine to look at what the particular script is doing and break this down in the phases. In the build script you can see `build:*` calling in turns several other build scripts like `build:ui` or `build:server`. If one of those fails, you can try to separate those into, 67 ··· 99 100 The [pkgs/development/node-packages](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/node-packages) folder contains a generated collection of [npm packages](https://npmjs.com/) that can be installed with the Nix package manager. 101 102 + As a rule of thumb, the package set should only provide _end-user_ software packages, such as command-line utilities. 103 Libraries should only be added to the package set if there is a non-npm package that requires it. 104 105 When it is desired to use npm libraries in a development project, use the `node2nix` generator directly on the `package.json` configuration file of the project. ··· 132 } 133 ``` 134 135 + ### Adding and updating JavaScript packages in Nixpkgs {#javascript-adding-or-updating-packages} 136 137 + To add a package from npm to Nixpkgs: 138 139 1. Modify [pkgs/development/node-packages/node-packages.json](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/node-packages/node-packages.json) to add, update or remove package entries to have it included in `nodePackages` and `nodePackages_latest`. 140 2. Run the script: ··· 161 162 For more information about the generation process, consult the [README.md](https://github.com/svanderburg/node2nix) file of the `node2nix` tool. 163 164 + To update npm packages in Nixpkgs, run the same `generate.sh` script: 165 166 ```sh 167 ./pkgs/development/node-packages/generate.sh ··· 182 git config --global url."https://github.com/".insteadOf git://github.com/ 183 ``` 184 185 + ## Tool-specific instructions {#javascript-tool-specific} 186 187 ### buildNpmPackage {#javascript-buildNpmPackage} 188 ··· 381 will create a development shell where a `node_modules` directory is created & packages symlinked to the Nix store when activated. 382 383 :::{.note} 384 + Commands like `npm install` & `npm add` that write packages & executables need to be used with `--package-lock-only`. 385 386 This means `npm` installs dependencies by writing into `package-lock.json` without modifying the `node_modules` folder. Installation happens through reloading the devShell. 387 This might be best practice since it gives the `nix shell` virtually exclusive ownership over your `node_modules` folder. ··· 416 417 Pnpm is available as the top-level package `pnpm`. Additionally, there are variants pinned to certain major versions, like `pnpm_8` and `pnpm_9`, which support different sets of lock file versions. 418 419 + When packaging an application that includes a `pnpm-lock.yaml`, you need to fetch the pnpm store for that project using a fixed-output-derivation. The functions `pnpm_8.fetchDeps` and `pnpm_9.fetchDeps` can create this pnpm store derivation. In conjunction, the setup hooks `pnpm_8.configHook` and `pnpm_9.configHook` will prepare the build environment to install the pre-fetched dependencies store. Here is an example for a package that contains `package.json` and a `pnpm-lock.yaml` files using the above `pnpm_` attributes: 420 421 ```nix 422 { ··· 447 }) 448 ``` 449 450 + NOTE: It is highly recommended to use a pinned version of pnpm (i.e., `pnpm_8` or `pnpm_9`), to increase future reproducibility. It might also be required to use an older version if the package needs support for a certain lock file version. 451 452 + In case you are patching `package.json` or `pnpm-lock.yaml`, make sure to pass `finalAttrs.patches` to the function as well (i.e., `inherit (finalAttrs) patches`. 453 454 `pnpm.configHook` supports adding additional `pnpm install` flags via `pnpmInstallFlags` which can be set to a Nix string array: 455 ··· 520 The above would make `pnpm.fetchDeps` call only install dependencies for the `@astrojs/language-server` workspace package. 521 Note that you do not need to set `sourceRoot` to make this work. 522 523 + Usually, in such cases, you'd want to use `pnpm --filter=<pnpm workspace name> build` to build your project, as `npmHooks.npmBuildHook` probably won't work. A `buildPhase` based on the following example will probably fit most workspace projects: 524 525 ```nix 526 { ··· 687 688 ##### mkYarnPackage {#javascript-yarn2nix-mkYarnPackage} 689 690 + `mkYarnPackage` will by default try to generate a binary. For packages only generating static assets (Svelte, Vue, React, Webpack, ...), you will need to explicitly override the build step with your instructions. 691 692 It's important to use the `--offline` flag. For example if you script is `"build": "something"` in `package.json` use: 693 ··· 711 { doDist = false; } 712 ``` 713 714 + The configure phase can sometimes fail because it makes many assumptions that may not always apply. One common override is: 715 716 ```nix 717 { ··· 743 ##### mkYarnModules {#javascript-yarn2nix-mkYarnModules} 744 745 This will generate a derivation including the `node_modules` directory. 746 + If you have to build a derivation for an integrated web framework (Rails, Phoenix, etc.), this is probably the easiest way. 747 748 #### Overriding dependency behavior {#javascript-mkYarnPackage-overriding-dependencies} 749 ··· 866 Internally, this uses a patched version of Yarn to ensure git dependencies are re-packed and any attempted downloads fail immediately. 867 868 ##### Patching upstream `package.json` or `yarn.lock` files {#javascript-yarnBerry-patching} 869 + In case patching the upstream `package.json` or `yarn.lock` is needed, it's important to pass `finalAttrs.patches` to `fetchYarnBerryDeps` as well, so the patched variants are picked up (i.e., `inherit (finalAttrs) patches`. 870 871 ##### Missing hashes in the `yarn.lock` file {#javascript-yarnBerry-missing-hashes} 872 Unfortunately, `yarn.lock` files do not include hashes for optional/platform-specific dependencies. This is [by design](https://github.com/yarnpkg/berry/issues/6759). ··· 908 ## Outside Nixpkgs {#javascript-outside-nixpkgs} 909 910 There are some other tools available, which are written in the Nix language. 911 + These can't be used inside Nixpkgs because they require [Import From Derivation](#ssec-import-from-derivation), which is not allowed in Nixpkgs. 912 913 If you are packaging something outside Nixpkgs, consider the following: 914

+1 -1

doc/languages-frameworks/julia.section.md

··· 75 different CPUs. 76 77 Why? Julia will detect the CPU microarchitecture of the build machine and include this information in the precompiled 78 - `*.ji` files. Starting in 1.10 Julia became more strict about checking the CPU target compatibility, so it may reject 79 your precompiled files if they were compiled on a different machine. 80 A good option to provide wide compatibility is to set this to `"generic"`, although this may reduce performance. 81 You can also set a semicolon-separated list of multiple different targets. See the Julia documentation for details.

··· 75 different CPUs. 76 77 Why? Julia will detect the CPU microarchitecture of the build machine and include this information in the precompiled 78 + `*.ji` files. Starting in 1.10, Julia became more strict about checking the CPU target compatibility, so it may reject 79 your precompiled files if they were compiled on a different machine. 80 A good option to provide wide compatibility is to set this to `"generic"`, although this may reduce performance. 81 You can also set a semicolon-separated list of multiple different targets. See the Julia documentation for details.

+4 -4

doc/languages-frameworks/lisp.section.md

··· 20 [runnable wrappers](#lisp-building-wrappers), with a pinned and pre-built 21 [ASDF FASL](#lisp-loading-asdf) available in the `ASDF` environment variable, 22 and `CL_SOURCE_REGISTRY`/`ASDF_OUTPUT_TRANSLATIONS` configured to 23 - [find the desired systems on runtime](#lisp-loading-systems). 24 25 In addition, Lisps have the `withOverrides` function, which can be used to 26 [substitute](#lisp-including-external-pkg-in-scope) any package in the scope of ··· 223 224 The reason is that ASDF searches for a secondary system in the `.asd` of the 225 parent package. Thus, having them separate would cause either one of them not to 226 - load cleanly, because one will contains FASLs of itself but not the other, and 227 vice versa. 228 229 To package slashy systems, use `overrideLispAttrs`, like so: ··· 240 241 Note that sometimes the slashy systems might not only have more dependencies 242 than the main one, but create a circular dependency between `.asd` 243 - files. Unfortunately, in this case an adhoc solution becomes necessary. 244 245 ## Building Wrappers {#lisp-building-wrappers} 246 ··· 262 263 ### Loading ASDF {#lisp-loading-asdf} 264 265 - For best results, avoid calling `(require 'asdf)` When using the 266 library-generated wrappers. 267 268 Use `(load (ext:getenv "ASDF"))` instead, supplying your implementation's way of

··· 20 [runnable wrappers](#lisp-building-wrappers), with a pinned and pre-built 21 [ASDF FASL](#lisp-loading-asdf) available in the `ASDF` environment variable, 22 and `CL_SOURCE_REGISTRY`/`ASDF_OUTPUT_TRANSLATIONS` configured to 23 + [find the desired systems at runtime](#lisp-loading-systems). 24 25 In addition, Lisps have the `withOverrides` function, which can be used to 26 [substitute](#lisp-including-external-pkg-in-scope) any package in the scope of ··· 223 224 The reason is that ASDF searches for a secondary system in the `.asd` of the 225 parent package. Thus, having them separate would cause either one of them not to 226 + load cleanly, because one will contain FASLs of itself but not the other, and 227 vice versa. 228 229 To package slashy systems, use `overrideLispAttrs`, like so: ··· 240 241 Note that sometimes the slashy systems might not only have more dependencies 242 than the main one, but create a circular dependency between `.asd` 243 + files. Unfortunately, in this case an ad-hoc solution becomes necessary. 244 245 ## Building Wrappers {#lisp-building-wrappers} 246 ··· 262 263 ### Loading ASDF {#lisp-loading-asdf} 264 265 + For best results, avoid calling `(require 'asdf)` when using the 266 library-generated wrappers. 267 268 Use `(load (ext:getenv "ASDF"))` instead, supplying your implementation's way of

+2 -2

doc/languages-frameworks/maven.section.md

··· 1 # Maven {#maven} 2 3 - Maven is a well-known build tool for the Java ecosystem however it has some challenges when integrating into the Nix build system. 4 5 The following provides a list of common patterns with how to package a Maven project (or any JVM language that can export to Maven) as a Nix package. 6 ··· 354 │   │   ├── classworlds-1.1.jar 355 ``` 356 357 - If your package uses _SNAPSHOT_ dependencies or _version ranges_; there is a strong likelihood that over-time your output hash will change since the resolved dependencies may change. Hence this method is less recommended then using `buildMaven`. 358 359 ### Building a JAR {#building-a-jar} 360

··· 1 # Maven {#maven} 2 3 + Maven is a well-known build tool for the Java ecosystem; however, it has some challenges when integrating into the Nix build system. 4 5 The following provides a list of common patterns with how to package a Maven project (or any JVM language that can export to Maven) as a Nix package. 6 ··· 354 │   │   ├── classworlds-1.1.jar 355 ``` 356 357 + If your package uses _SNAPSHOT_ dependencies or _version ranges_; there is a strong likelihood that over time, your output hash will change since the resolved dependencies may change. Hence this method is less recommended than using `buildMaven`. 358 359 ### Building a JAR {#building-a-jar} 360

+10 -10

doc/languages-frameworks/neovim.section.md

··· 1 # Neovim {#neovim} 2 3 - Install `neovim-unwrapped` to get a barebone neovim to configure imperatively. 4 This is the closest to what you encounter on other distributions. 5 6 - `neovim` is a wrapper around neovim with some extra configuration to for 7 - instance set the various language providers like python. 8 The wrapper can be further configured to include your favorite plugins and 9 configurations for a reproducible neovim across machines. 10 See the next section for more details. ··· 52 ``` 53 54 You can use the new unstable wrapper but the interface may change: 55 - - `autoconfigure`: certain plugins need a custom configuration to work with nix. 56 For instance, `sqlite-lua` needs `g:sqlite_clib_path` to be set to work. Nixpkgs historically patched these in the plugins with several drawbacks: harder maintenance and making upstream work harder. Per convention, these mandatory bits of configuration are bookmarked in nixpkgs in `passthru.initLua`. Enabling `autoconfigure` automatically adds the snippets required for the plugins to work. 57 - `autowrapRuntimeDeps`: Appends plugin's runtime dependencies to `PATH`. For instance, `rest.nvim` requires `curl` to work. Enabling `autowrapRuntimeDeps` adds it to the `PATH` visible by your Neovim wrapper (but not your global `PATH`). 58 - `luaRcContent`: Extra lua code to add to the generated `init.lua`. ··· 107 108 #### LuaRocks based plugins {#neovim-luarocks-based-plugins} 109 110 - In order to automatically handle plugin dependencies, several neovim plugins 111 upload their package to [LuaRocks](https://www.luarocks.org). This means less work for nixpkgs maintainers in the long term as dependencies get updated automatically. 112 - This means several neovim plugins are first packaged as nixpkgs [lua 113 packages](#packaging-a-library-on-luarocks), and converted via `buildNeovimPlugin` in 114 - a vim plugin. This conversion is necessary because neovim expects lua folders to be 115 - top-level while luarocks installs them in various subfolders by default. 116 117 For instance: 118 ```nix ··· 152 ### Testing Neovim plugins {#testing-neovim-plugins} 153 154 #### neovimRequireCheck {#testing-neovim-plugins-neovim-require-check} 155 - `neovimRequireCheck` is a simple test which checks if Neovim can requires lua modules without errors. This is often enough to catch missing dependencies. 156 157 It accepts a single string for a module, or a list of module strings to test. 158 - `nvimRequireCheck = MODULE;` ··· 171 }; 172 } 173 ``` 174 - Some plugins will have lua modules that require a user configuration to function properly or can contain optional lua modules that we dont want to test requiring. 175 We can skip specific modules using `nvimSkipModules`. Similar to `nvimRequireCheck`, it accepts a list of strings. 176 - `nvimSkipModules = [ MODULE1 MODULE2 ];` 177

··· 1 # Neovim {#neovim} 2 3 + Install `neovim-unwrapped` to get a bare-bones Neovim to configure imperatively. 4 This is the closest to what you encounter on other distributions. 5 6 + `neovim` is a wrapper around Neovim with some extra configuration, for 7 + instance, to set the various language providers like Python. 8 The wrapper can be further configured to include your favorite plugins and 9 configurations for a reproducible neovim across machines. 10 See the next section for more details. ··· 52 ``` 53 54 You can use the new unstable wrapper but the interface may change: 55 + - `autoconfigure`: certain plugins need a custom configuration to work with Nix. 56 For instance, `sqlite-lua` needs `g:sqlite_clib_path` to be set to work. Nixpkgs historically patched these in the plugins with several drawbacks: harder maintenance and making upstream work harder. Per convention, these mandatory bits of configuration are bookmarked in nixpkgs in `passthru.initLua`. Enabling `autoconfigure` automatically adds the snippets required for the plugins to work. 57 - `autowrapRuntimeDeps`: Appends plugin's runtime dependencies to `PATH`. For instance, `rest.nvim` requires `curl` to work. Enabling `autowrapRuntimeDeps` adds it to the `PATH` visible by your Neovim wrapper (but not your global `PATH`). 58 - `luaRcContent`: Extra lua code to add to the generated `init.lua`. ··· 107 108 #### LuaRocks based plugins {#neovim-luarocks-based-plugins} 109 110 + In order to automatically handle plugin dependencies, several Neovim plugins 111 upload their package to [LuaRocks](https://www.luarocks.org). This means less work for nixpkgs maintainers in the long term as dependencies get updated automatically. 112 + This means several Neovim plugins are first packaged as nixpkgs [lua 113 packages](#packaging-a-library-on-luarocks), and converted via `buildNeovimPlugin` in 114 + a vim plugin. This conversion is necessary because Neovim expects lua folders to be 115 + top-level while LuaRocks installs them in various subfolders by default. 116 117 For instance: 118 ```nix ··· 152 ### Testing Neovim plugins {#testing-neovim-plugins} 153 154 #### neovimRequireCheck {#testing-neovim-plugins-neovim-require-check} 155 + `neovimRequireCheck` is a simple test which checks if Neovim can require lua modules without errors. This is often enough to catch missing dependencies. 156 157 It accepts a single string for a module, or a list of module strings to test. 158 - `nvimRequireCheck = MODULE;` ··· 171 }; 172 } 173 ``` 174 + Some plugins will have lua modules that require a user configuration to function properly or can contain optional lua modules that we don't want to test by requiring. 175 We can skip specific modules using `nvimSkipModules`. Similar to `nvimRequireCheck`, it accepts a list of strings. 176 - `nvimSkipModules = [ MODULE1 MODULE2 ];` 177

+1 -1

doc/languages-frameworks/ocaml.section.md

··· 52 53 - It sets the optional `doCheck` attribute such that tests will be run with 54 `dune runtest -p angstrom` after the build (`dune build -p angstrom`) is 55 - complete, but only if the Ocaml version is at at least `"4.05"`. 56 57 - It uses the package `ocaml-syntax-shims` as a build input, `alcotest` and 58 `ppx_let` as check inputs (because they are needed to run the tests), and

··· 52 53 - It sets the optional `doCheck` attribute such that tests will be run with 54 `dune runtest -p angstrom` after the build (`dune build -p angstrom`) is 55 + complete, but only if the OCaml version is at at least `"4.05"`. 56 57 - It uses the package `ocaml-syntax-shims` as a build input, `alcotest` and 58 `ppx_let` as check inputs (because they are needed to run the tests), and

+4 -4

doc/languages-frameworks/octave.section.md

··· 16 Nixpkgs provides a function `buildOctavePackage`, a generic package builder function for any Octave package that complies with the Octave's current packaging format. 17 18 All Octave packages are defined in [pkgs/top-level/octave-packages.nix](https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/octave-packages.nix) rather than `pkgs/all-packages.nix`. 19 - Each package is defined in their own file in the [pkgs/development/octave-modules](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/octave-modules) directory. 20 Octave packages are made available through `all-packages.nix` through both the attribute `octavePackages` and `octave.pkgs`. 21 You can test building an Octave package as follows: 22 ··· 54 55 1. Sets the environment variable `OCTAVE_HISTFILE` to `/dev/null` during package compilation so that the commands run through the Octave interpreter directly are not logged. 56 2. Skips the configuration step, because the packages are stored as gzipped tarballs, which Octave itself handles directly. 57 - 3. Change the hierarchy of the tarball so that only a single directory is at the top-most level of the tarball. 58 4. Use Octave itself to run the `pkg build` command, which unzips the tarball, extracts the necessary files written in Octave, and compiles any code written in C++ or Fortran, and places the fully compiled artifact in `$out`. 59 60 `buildOctavePackage` is built on top of `stdenv` in a standard way, allowing most things to be customized. ··· 80 81 By default, the `buildOctavePackage` function does _not_ install the requested package into Octave for use. 82 The function will only build the requested package. 83 - This is due to Octave maintaining an text-based database about which packages are installed where. 84 To this end, when all the requested packages have been built, the Octave package and all its add-on packages are put together into an environment, similar to Python. 85 86 1. First, all the Octave binaries are wrapped with the environment variable `OCTAVE_SITE_INITFILE` set to a file in `$out`, which is required for Octave to be able to find the non-standard package database location. ··· 88 3. The path down to the default install location of Octave packages is recreated so that Nix-operated Octave can install the packages. 89 4. Install the packages into the `$out` environment while writing package entries to the database file. 90 This database file is unique for each different (according to Nix) environment invocation. 91 - 5. Rewrite the Octave-wide startup file to read from the list of packages installed in that particular environment. 92 6. Wrap any programs that are required by the Octave packages so that they work with all the paths defined within the environment.

··· 16 Nixpkgs provides a function `buildOctavePackage`, a generic package builder function for any Octave package that complies with the Octave's current packaging format. 17 18 All Octave packages are defined in [pkgs/top-level/octave-packages.nix](https://github.com/NixOS/nixpkgs/blob/master/pkgs/top-level/octave-packages.nix) rather than `pkgs/all-packages.nix`. 19 + Each package is defined in its own file in the [pkgs/development/octave-modules](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/octave-modules) directory. 20 Octave packages are made available through `all-packages.nix` through both the attribute `octavePackages` and `octave.pkgs`. 21 You can test building an Octave package as follows: 22 ··· 54 55 1. Sets the environment variable `OCTAVE_HISTFILE` to `/dev/null` during package compilation so that the commands run through the Octave interpreter directly are not logged. 56 2. Skips the configuration step, because the packages are stored as gzipped tarballs, which Octave itself handles directly. 57 + 3. Changes the hierarchy of the tarball so that only a single directory is at the top-most level of the tarball. 58 4. Use Octave itself to run the `pkg build` command, which unzips the tarball, extracts the necessary files written in Octave, and compiles any code written in C++ or Fortran, and places the fully compiled artifact in `$out`. 59 60 `buildOctavePackage` is built on top of `stdenv` in a standard way, allowing most things to be customized. ··· 80 81 By default, the `buildOctavePackage` function does _not_ install the requested package into Octave for use. 82 The function will only build the requested package. 83 + This is due to Octave maintaining a text-based database about which packages are installed where. 84 To this end, when all the requested packages have been built, the Octave package and all its add-on packages are put together into an environment, similar to Python. 85 86 1. First, all the Octave binaries are wrapped with the environment variable `OCTAVE_SITE_INITFILE` set to a file in `$out`, which is required for Octave to be able to find the non-standard package database location. ··· 88 3. The path down to the default install location of Octave packages is recreated so that Nix-operated Octave can install the packages. 89 4. Install the packages into the `$out` environment while writing package entries to the database file. 90 This database file is unique for each different (according to Nix) environment invocation. 91 + 5. Rewrites the Octave-wide startup file to read from the list of packages installed in that particular environment. 92 6. Wrap any programs that are required by the Octave packages so that they work with all the paths defined within the environment.

+1 -1

doc/languages-frameworks/php.section.md

··· 201 it deals with "packages" or libraries, but it manages them on a per-project 202 basis, installing them in a directory (e.g. `vendor`) inside your project. By 203 default, it does not install anything globally. This idea is not new and 204 - Composer is strongly inspired by node's `npm` and ruby's `bundler`. 205 206 Currently, there is no other PHP tool that offers the same functionality as 207 Composer. Consequently, incorporating a helper in Nix to facilitate building

··· 201 it deals with "packages" or libraries, but it manages them on a per-project 202 basis, installing them in a directory (e.g. `vendor`) inside your project. By 203 default, it does not install anything globally. This idea is not new and 204 + Composer is strongly inspired by Node's `npm` and Ruby's `bundler`. 205 206 Currently, there is no other PHP tool that offers the same functionality as 207 Composer. Consequently, incorporating a helper in Nix to facilitate building

+1 -1

doc/languages-frameworks/pkg-config.section.md

··· 9 Packages should set `meta.pkgConfigModules` with the list of package config modules they provide. 10 They should also use `testers.hasPkgConfigModules` to check that the final built package matches that list, 11 and optionally check that the pkgconf modules' version metadata matches the derivation's. 12 - Additionally, the [`validatePkgConfig` setup hook](https://nixos.org/manual/nixpkgs/stable/#validatepkgconfig), will do extra checks on to-be-installed pkg-config modules. 13 14 A good example of all these things is miniz: 15

··· 9 Packages should set `meta.pkgConfigModules` with the list of package config modules they provide. 10 They should also use `testers.hasPkgConfigModules` to check that the final built package matches that list, 11 and optionally check that the pkgconf modules' version metadata matches the derivation's. 12 + Additionally, the [`validatePkgConfig` setup hook](https://nixos.org/manual/nixpkgs/stable/#validatepkgconfig) will do extra checks on to-be-installed pkg-config modules. 13 14 A good example of all these things is miniz: 15

+5 -5

doc/languages-frameworks/python.section.md

··· 565 Several versions of the Python interpreter are available on Nix, as well as a 566 high amount of packages. The attribute `python3` refers to the default 567 interpreter, which is currently CPython 3.13. The attribute `python` refers to 568 - CPython 2.7 for backwards-compatibility. It is also possible to refer to 569 - specific versions, e.g. `python313` refers to CPython 3.13, and `pypy` refers to 570 the default PyPy interpreter. 571 572 Python is used a lot, and in different ways. This affects also how it is ··· 725 726 If the dependencies are not available on the host where `foo.py` is executed, it 727 will build or download them from a Nix binary cache prior to starting up, prior 728 - that it is executed on a machine with a multi-user nix installation. 729 730 This provides a way to ship a self bootstrapping Python script, akin to a 731 statically linked binary, where it can be run on any machine (provided nix is ··· 733 system. 734 735 By default it is pulling the import checkout of Nixpkgs itself from our nix 736 - channel, which is nice as it cache aligns with our other package builds, but we 737 can make it fully reproducible by pinning the `nixpkgs` import: 738 739 ```python ··· 816 817 This will create a unified environment that has not just our Python interpreter 818 and its Python dependencies, but also tools like `black` or `mypy` and libraries 819 - like `libffi` the `openssl` in scope. This is generic and can span any number of 820 tools or languages across the Nixpkgs ecosystem. 821 822 ##### Installing environments globally on the system {#installing-environments-globally-on-the-system}

··· 565 Several versions of the Python interpreter are available on Nix, as well as a 566 high amount of packages. The attribute `python3` refers to the default 567 interpreter, which is currently CPython 3.13. The attribute `python` refers to 568 + CPython 2.7 for backwards compatibility. It is also possible to refer to 569 + specific versions, e.g., `python313` refers to CPython 3.13, and `pypy` refers to 570 the default PyPy interpreter. 571 572 Python is used a lot, and in different ways. This affects also how it is ··· 725 726 If the dependencies are not available on the host where `foo.py` is executed, it 727 will build or download them from a Nix binary cache prior to starting up, prior 728 + that it is executed on a machine with a multi-user Nix installation. 729 730 This provides a way to ship a self bootstrapping Python script, akin to a 731 statically linked binary, where it can be run on any machine (provided nix is ··· 733 system. 734 735 By default it is pulling the import checkout of Nixpkgs itself from our nix 736 + channel, which is nice as it cache-aligns with our other package builds, but we 737 can make it fully reproducible by pinning the `nixpkgs` import: 738 739 ```python ··· 816 817 This will create a unified environment that has not just our Python interpreter 818 and its Python dependencies, but also tools like `black` or `mypy` and libraries 819 + like `libffi` and `openssl` in scope. This is generic and can span any number of 820 tools or languages across the Nixpkgs ecosystem. 821 822 ##### Installing environments globally on the system {#installing-environments-globally-on-the-system}

+2 -2

doc/languages-frameworks/qt.section.md

··· 1 # Qt {#sec-language-qt} 2 3 - Writing Nix expressions for Qt libraries and applications is largely similar as for other C++ software. 4 This section assumes some knowledge of the latter. 5 6 The major caveat with Qt applications is that Qt uses a plugin system to load additional modules at runtime. ··· 43 44 ## Locating additional runtime dependencies {#qt-runtime-dependencies} 45 46 - Add entries to `qtWrapperArgs` are to modify the wrappers created by 47 `wrapQtAppsHook`: 48 49 ```nix

··· 1 # Qt {#sec-language-qt} 2 3 + Writing Nix expressions for Qt libraries and applications is largely similar to that for other C++ software. 4 This section assumes some knowledge of the latter. 5 6 The major caveat with Qt applications is that Qt uses a plugin system to load additional modules at runtime. ··· 43 44 ## Locating additional runtime dependencies {#qt-runtime-dependencies} 45 46 + Add entries to `qtWrapperArgs` to modify the wrappers created by 47 `wrapQtAppsHook`: 48 49 ```nix

+3 -3

doc/languages-frameworks/ruby.section.md

··· 263 264 Now that you know how to get a working Ruby environment with Nix, it's time to go forward and start actually developing with Ruby. We will first have a look at how Ruby gems are packaged on Nix. Then, we will look at how you can use development mode with your code. 265 266 - All gems in the standard set are automatically generated from a single `Gemfile`. The dependency resolution is done with `bundler` and makes it more likely that all gems are compatible to each other. 267 268 In order to add a new gem to nixpkgs, you can put it into the `/pkgs/development/ruby-modules/with-packages/Gemfile` and run `./maintainers/scripts/update-ruby-packages`. 269 ··· 275 276 ### Packaging applications {#packaging-applications} 277 278 - A common task is to add a ruby executable to nixpkgs, popular examples would be `chef`, `jekyll`, or `sass`. A good way to do that is to use the `bundlerApp` function, that allows you to make a package that only exposes the listed executables, otherwise the package may cause conflicts through common paths like `bin/rake` or `bin/bundler` that aren't meant to be used. 279 280 The absolute easiest way to do that is to write a `Gemfile` along these lines: 281 ··· 303 304 #### Packaging executables that require wrapping {#packaging-executables-that-require-wrapping} 305 306 - Sometimes your app will depend on other executables at runtime, and tries to find it through the `PATH` environment variable. 307 308 In this case, you can provide a `postBuild` hook to `bundlerApp` that wraps the gem in another script that prefixes the `PATH`. 309

··· 263 264 Now that you know how to get a working Ruby environment with Nix, it's time to go forward and start actually developing with Ruby. We will first have a look at how Ruby gems are packaged on Nix. Then, we will look at how you can use development mode with your code. 265 266 + All gems in the standard set are automatically generated from a single `Gemfile`. The dependency resolution is done with `bundler` and makes it more likely that all gems are compatible with each other. 267 268 In order to add a new gem to nixpkgs, you can put it into the `/pkgs/development/ruby-modules/with-packages/Gemfile` and run `./maintainers/scripts/update-ruby-packages`. 269 ··· 275 276 ### Packaging applications {#packaging-applications} 277 278 + A common task is to add a Ruby executable to Nixpkgs; popular examples would be `chef`, `jekyll`, or `sass`. A good way to do that is to use the `bundlerApp` function, that allows you to make a package that only exposes the listed executables. Otherwise, the package may cause conflicts through common paths like `bin/rake` or `bin/bundler` that aren't meant to be used. 279 280 The absolute easiest way to do that is to write a `Gemfile` along these lines: 281 ··· 303 304 #### Packaging executables that require wrapping {#packaging-executables-that-require-wrapping} 305 306 + Sometimes your app will depend on other executables at runtime and try to find them through the `PATH` environment variable. 307 308 In this case, you can provide a `postBuild` hook to `bundlerApp` that wraps the gem in another script that prefixes the `PATH`. 309

+8 -8

doc/languages-frameworks/rust.section.md

··· 1 # Rust {#rust} 2 3 - To install the rust compiler and cargo put 4 5 ```nix 6 { ··· 14 into your `configuration.nix` or bring them into scope with `nix-shell -p rustc cargo`. 15 16 For other versions such as daily builds (beta and nightly), 17 - use either `rustup` from nixpkgs (which will manage the rust installation in your home directory), 18 or use [community maintained Rust toolchains](#using-community-maintained-rust-toolchains). 19 20 ## `buildRustPackage`: Compiling Rust applications with Cargo {#compiling-rust-applications-with-cargo} ··· 65 { cargoHash = "sha256-l1vL2ZdtDRxSGvP0X/l3nMw8+6WF67KPutJEzUROjg8="; } 66 ``` 67 68 - If this method does not work, you can resort to copying the `Cargo.lock` file into nixpkgs 69 and importing it as described in the [next section](#importing-a-cargo.lock-file). 70 71 - Both types of hashes are permitted when contributing to nixpkgs. The 72 Cargo hash is obtained by inserting a fake checksum into the 73 expression and building the package once. The correct checksum can 74 then be taken from the failed build. A fake hash can be used for ··· 249 ### Cross compilation {#cross-compilation} 250 251 By default, Rust packages are compiled for the host platform, just like any 252 - other package is. The `--target` passed to rust tools is computed from this. 253 By default, it takes the `stdenv.hostPlatform.config` and replaces components 254 where they are known to differ. But there are ways to customize the argument: 255 ··· 417 ### Building a crate with an absent or out-of-date Cargo.lock file {#building-a-crate-with-an-absent-or-out-of-date-cargo.lock-file} 418 419 `buildRustPackage` needs a `Cargo.lock` file to get all dependencies in the 420 - source code in a reproducible way. If it is missing or out-of-date one can use 421 the `cargoPatches` attribute to update or add it. 422 423 ```nix ··· 907 ## Using community maintained Rust toolchains {#using-community-maintained-rust-toolchains} 908 909 ::: {.note} 910 - The following projects cannot be used within Nixpkgs since [Import From Derivation](https://nixos.org/manual/nix/unstable/language/import-from-derivation) (IFD) is disallowed in Nixpkgs. 911 To package things that require Rust nightly, `RUSTC_BOOTSTRAP = true;` can sometimes be used as a hack. 912 ::: 913 ··· 920 Oxalica's overlay allows you to select a particular Rust version without you providing a hash or a flake input, 921 but comes with a larger git repository than fenix. 922 923 - Fenix also provides rust-analyzer nightly in addition to the Rust toolchains. 924 925 Both oxalica's overlay and fenix better integrate with nix and cache optimizations. 926 Because of this and ergonomics, either of those community projects

··· 1 # Rust {#rust} 2 3 + To install the Rust compiler and cargo, put 4 5 ```nix 6 { ··· 14 into your `configuration.nix` or bring them into scope with `nix-shell -p rustc cargo`. 15 16 For other versions such as daily builds (beta and nightly), 17 + use either `rustup` from Nixpkgs (which will manage the rust installation in your home directory), 18 or use [community maintained Rust toolchains](#using-community-maintained-rust-toolchains). 19 20 ## `buildRustPackage`: Compiling Rust applications with Cargo {#compiling-rust-applications-with-cargo} ··· 65 { cargoHash = "sha256-l1vL2ZdtDRxSGvP0X/l3nMw8+6WF67KPutJEzUROjg8="; } 66 ``` 67 68 + If this method does not work, you can resort to copying the `Cargo.lock` file into Nixpkgs 69 and importing it as described in the [next section](#importing-a-cargo.lock-file). 70 71 + Both types of hashes are permitted when contributing to Nixpkgs. The 72 Cargo hash is obtained by inserting a fake checksum into the 73 expression and building the package once. The correct checksum can 74 then be taken from the failed build. A fake hash can be used for ··· 249 ### Cross compilation {#cross-compilation} 250 251 By default, Rust packages are compiled for the host platform, just like any 252 + other package is. The `--target` passed to Rust tools is computed from this. 253 By default, it takes the `stdenv.hostPlatform.config` and replaces components 254 where they are known to differ. But there are ways to customize the argument: 255 ··· 417 ### Building a crate with an absent or out-of-date Cargo.lock file {#building-a-crate-with-an-absent-or-out-of-date-cargo.lock-file} 418 419 `buildRustPackage` needs a `Cargo.lock` file to get all dependencies in the 420 + source code in a reproducible way. If it is missing or out of date, one can use 421 the `cargoPatches` attribute to update or add it. 422 423 ```nix ··· 907 ## Using community maintained Rust toolchains {#using-community-maintained-rust-toolchains} 908 909 ::: {.note} 910 + The following projects cannot be used within Nixpkgs, since [Import From Derivation](https://nixos.org/manual/nix/unstable/language/import-from-derivation) (IFD) is disallowed in Nixpkgs. 911 To package things that require Rust nightly, `RUSTC_BOOTSTRAP = true;` can sometimes be used as a hack. 912 ::: 913 ··· 920 Oxalica's overlay allows you to select a particular Rust version without you providing a hash or a flake input, 921 but comes with a larger git repository than fenix. 922 923 + Fenix also provides `rust-analyzer` nightly in addition to the Rust toolchains. 924 925 Both oxalica's overlay and fenix better integrate with nix and cache optimizations. 926 Because of this and ergonomics, either of those community projects

+1 -1

doc/languages-frameworks/scheme.section.md

··· 11 in a derivation's `buildInputs`, work inside of `nix-shell`, and 12 are tested using [Chez](https://www.scheme.com/) & 13 [Chibi](https://synthcode.com/wiki/chibi-scheme) 14 - Scheme during build time. 15 16 Including a package as a build input is done in the typical Nix fashion. 17 For example, to include

··· 11 in a derivation's `buildInputs`, work inside of `nix-shell`, and 12 are tested using [Chez](https://www.scheme.com/) & 13 [Chibi](https://synthcode.com/wiki/chibi-scheme) 14 + Scheme at build time. 15 16 Including a package as a build input is done in the typical Nix fashion. 17 For example, to include

+3 -3

doc/languages-frameworks/swift.section.md

··· 34 (Where `linux` and `x86_64` are from lowercase `uname -sm`.) 35 - For convenience, Nixpkgs also adds `lib/swift` to the search path. 36 This can save a bit of work packaging Swift modules, because many Nix builds 37 - will produce output for just one target any way. 38 39 ## Core libraries {#ssec-swift-core-libraries} 40 41 In addition to the standard library, the Swift toolchain contains some 42 additional 'core libraries' that, on Apple platforms, are normally distributed 43 - as part of the OS or Xcode. These are packaged separately in Nixpkgs, and can 44 be found (for use in `buildInputs`) as: 45 46 - `swiftPackages.Dispatch` ··· 189 190 The `swift` package has a separate `lib` output containing just the Swift 191 standard library, to prevent Swift applications needing a dependency on the 192 - full Swift compiler at run-time. Linking with the Nixpkgs Swift toolchain 193 already ensures binaries correctly reference the `lib` output. 194 195 Sometimes, Swift is used only to compile part of a mixed codebase, and the

··· 34 (Where `linux` and `x86_64` are from lowercase `uname -sm`.) 35 - For convenience, Nixpkgs also adds `lib/swift` to the search path. 36 This can save a bit of work packaging Swift modules, because many Nix builds 37 + will produce output for just one target anyway. 38 39 ## Core libraries {#ssec-swift-core-libraries} 40 41 In addition to the standard library, the Swift toolchain contains some 42 additional 'core libraries' that, on Apple platforms, are normally distributed 43 + as part of the OS or Xcode. These are packaged separately in Nixpkgs and can 44 be found (for use in `buildInputs`) as: 45 46 - `swiftPackages.Dispatch` ··· 189 190 The `swift` package has a separate `lib` output containing just the Swift 191 standard library, to prevent Swift applications needing a dependency on the 192 + full Swift compiler at runtime. Linking with the Nixpkgs Swift toolchain 193 already ensures binaries correctly reference the `lib` output. 194 195 Sometimes, Swift is used only to compile part of a mixed codebase, and the

+2 -2

doc/languages-frameworks/texlive.section.md

··· 48 ``` 49 This can be applied before or after calling `withPackages`. 50 51 - The function currently support the parameters `withDocs`, `withSources`, and `requireTeXPackages`. 52 53 ## User's guide {#sec-language-texlive-user-guide} 54 ··· 89 nix-repl> texlive.collection-[TAB] 90 ``` 91 92 - - Note that the wrapper assumes that the result has a chance to be useful. For example, the core executables should be present, as well as some core data files. The supported way of ensuring this is by including some scheme, for example `scheme-basic`, into the combination. 93 94 - TeX Live packages are also available under `texlive.pkgs` as derivations with outputs `out`, `tex`, `texdoc`, `texsource`, `tlpkg`, `man`, `info`. They cannot be installed outside of `texlive.combine` but are available for other uses. To repackage a font, for instance, use 95

··· 48 ``` 49 This can be applied before or after calling `withPackages`. 50 51 + The function currently supports the parameters `withDocs`, `withSources`, and `requireTeXPackages`. 52 53 ## User's guide {#sec-language-texlive-user-guide} 54 ··· 89 nix-repl> texlive.collection-[TAB] 90 ``` 91 92 + - Note that the wrapper assumes that the result has a chance to be useful. For example, the core executables should be present, as well as some core data files. The supported way of ensuring this is by including some scheme, for example, `scheme-basic`, into the combination. 93 94 - TeX Live packages are also available under `texlive.pkgs` as derivations with outputs `out`, `tex`, `texdoc`, `texsource`, `tlpkg`, `man`, `info`. They cannot be installed outside of `texlive.combine` but are available for other uses. To repackage a font, for instance, use 95

+1 -1

doc/languages-frameworks/vim.section.md

··· 192 nix-shell -p vimPluginsUpdater --run 'vim-plugins-updater update "nvim-treesitter" "LazyVim"' 193 ``` 194 195 - ## How to maintain an out-of-tree overlay of vim plugins ? {#vim-out-of-tree-overlays} 196 197 You can use the updater script to generate basic packages out of a custom vim 198 plugin list:

··· 192 nix-shell -p vimPluginsUpdater --run 'vim-plugins-updater update "nvim-treesitter" "LazyVim"' 193 ``` 194 195 + ## How to maintain an out-of-tree overlay of vim plugins? {#vim-out-of-tree-overlays} 196 197 You can use the updater script to generate basic packages out of a custom vim 198 plugin list:

+1 -1

doc/packages/cataclysm-dda.section.md

··· 8 an alias to `cataclysmDDA.stable.tiles`. 9 10 If you like access to a development build of your favorite git revision, 11 - override `cataclysm-dda-git` (or `cataclysmDDA.git.curses` if you like curses 12 build): 13 14 ```nix

··· 8 an alias to `cataclysmDDA.stable.tiles`. 9 10 If you like access to a development build of your favorite git revision, 11 + override `cataclysm-dda-git` (or `cataclysmDDA.git.curses` if you like the curses 12 build): 13 14 ```nix

+2 -2

doc/packages/citrix.section.md

··· 8 9 ## Citrix Self-service {#sec-citrix-selfservice} 10 11 - The [self-service](https://support.citrix.com/article/CTX200337) is an application managing Citrix desktops and applications. Please note that this feature only works with at least citrix_workspace_20_06_0 and later versions. 12 13 In order to set this up, you first have to [download the `.cr` file from the Netscaler Gateway](https://its.uiowa.edu/support/article/102186). After that, you can configure the `selfservice` like this: 14 ··· 19 20 ## Custom certificates {#sec-citrix-custom-certs} 21 22 - The `Citrix Workspace App` in `nixpkgs` trusts several certificates [from the Mozilla database](https://curl.haxx.se/docs/caextract.html) by default. However, several companies using Citrix might require their own corporate certificate. On distros with imperative packaging, these certs can be stored easily in [`$ICAROOT`](https://citrix.github.io/receiver-for-linux-command-reference/), however this directory is a store path in `nixpkgs`. In order to work around this issue, the package provides a simple mechanism to add custom certificates without rebuilding the entire package using `symlinkJoin`: 23 24 ```nix 25 with import <nixpkgs> { config.allowUnfree = true; };

··· 8 9 ## Citrix Self-service {#sec-citrix-selfservice} 10 11 + The [self-service](https://support.citrix.com/article/CTX200337) is an application for managing Citrix desktops and applications. Please note that this feature only works with at least `citrix_workspace_20_06_0` and later versions. 12 13 In order to set this up, you first have to [download the `.cr` file from the Netscaler Gateway](https://its.uiowa.edu/support/article/102186). After that, you can configure the `selfservice` like this: 14 ··· 19 20 ## Custom certificates {#sec-citrix-custom-certs} 21 22 + The `Citrix Workspace App` in `nixpkgs` trusts several certificates [from the Mozilla database](https://curl.haxx.se/docs/caextract.html) by default. However, several companies using Citrix might require their own corporate certificate. On distros with imperative packaging, these certs can be stored easily in [`$ICAROOT`](https://citrix.github.io/receiver-for-linux-command-reference/), however, this directory is a store path in `nixpkgs`. In order to work around this issue, the package provides a simple mechanism to add custom certificates without rebuilding the entire package using `symlinkJoin`: 23 24 ```nix 25 with import <nixpkgs> { config.allowUnfree = true; };

+1 -1

doc/packages/dlib.section.md

··· 6 7 Especially older CPUs don't support [AVX](https://en.wikipedia.org/wiki/Advanced_Vector_Extensions) (Advanced Vector Extensions) instructions that are used by DLib to optimize their algorithms. 8 9 - On the affected hardware errors like `Illegal instruction` will occur. In those cases AVX support needs to be disabled: 10 11 ```nix 12 self: super: { dlib = super.dlib.override { avxSupport = false; }; }

··· 6 7 Especially older CPUs don't support [AVX](https://en.wikipedia.org/wiki/Advanced_Vector_Extensions) (Advanced Vector Extensions) instructions that are used by DLib to optimize their algorithms. 8 9 + On the affected hardware, errors like `Illegal instruction` will occur. In those cases, AVX support needs to be disabled: 10 11 ```nix 12 self: super: { dlib = super.dlib.override { avxSupport = false; }; }

+4 -4

doc/packages/eclipse.section.md

··· 2 3 The Nix expressions related to the Eclipse platform and IDE are in [`pkgs/applications/editors/eclipse`](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/editors/eclipse). 4 5 - Nixpkgs provides a number of packages that will install Eclipse in its various forms. These range from the bare-bones Eclipse Platform to the more fully featured Eclipse SDK or Scala-IDE packages and multiple version are often available. It is possible to list available Eclipse packages by issuing the command: 6 7 ```ShellSession 8 $ nix-env -f '<nixpkgs>' -qaP -A eclipses --description 9 ``` 10 11 - Once an Eclipse variant is installed, it can be run using the `eclipse` command, as expected. From within Eclipse, it is then possible to install plugins in the usual manner by either manually specifying an Eclipse update site or by installing the Marketplace Client plugin and using it to discover and install other plugins. This installation method provides an Eclipse installation that closely resemble a manually installed Eclipse. 12 13 - If you prefer to install plugins in a more declarative manner, then Nixpkgs also offer a number of Eclipse plugins that can be installed in an _Eclipse environment_. This type of environment is created using the function `eclipseWithPlugins` found inside the `nixpkgs.eclipses` attribute set. This function takes as argument `{ eclipse, plugins ? [], jvmArgs ? [] }` where `eclipse` is a one of the Eclipse packages described above, `plugins` is a list of plugin derivations, and `jvmArgs` is a list of arguments given to the JVM running the Eclipse. For example, say you wish to install the latest Eclipse Platform with the popular Eclipse Color Theme plugin and also allow Eclipse to use more RAM. You could then add: 14 15 ```nix 16 { ··· 26 } 27 ``` 28 29 - to your Nixpkgs configuration (`~/.config/nixpkgs/config.nix`) and install it by running `nix-env -f '<nixpkgs>' -iA myEclipse` and afterward run Eclipse as usual. It is possible to find out which plugins are available for installation using `eclipseWithPlugins` by running: 30 31 ```ShellSession 32 $ nix-env -f '<nixpkgs>' -qaP -A eclipses.plugins --description

··· 2 3 The Nix expressions related to the Eclipse platform and IDE are in [`pkgs/applications/editors/eclipse`](https://github.com/NixOS/nixpkgs/blob/master/pkgs/applications/editors/eclipse). 4 5 + Nixpkgs provides several packages that will install Eclipse in its various forms. These range from the bare-bones Eclipse Platform to the more fully featured Eclipse SDK or Scala-IDE packages, and multiple versions are often available. It is possible to list available Eclipse packages by issuing the command: 6 7 ```ShellSession 8 $ nix-env -f '<nixpkgs>' -qaP -A eclipses --description 9 ``` 10 11 + Once an Eclipse variant is installed, it can be run using the `eclipse` command, as expected. From within Eclipse, it is then possible to install plugins in the usual manner by either manually specifying an Eclipse update site or by installing the Marketplace Client plugin and using it to discover and install other plugins. This installation method provides an Eclipse installation that closely resembles a manually installed Eclipse. 12 13 + If you prefer to install plugins in a more declarative manner, then Nixpkgs also offers several Eclipse plugins that can be installed in an _Eclipse environment_. This type of environment is created using the function `eclipseWithPlugins` found inside the `nixpkgs.eclipses` attribute set. This function takes as an argument `{ eclipse, plugins ? [], jvmArgs ? [] }` where `eclipse` is one of the Eclipse packages described above, `plugins` is a list of plugin derivations, and `jvmArgs` is a list of arguments given to the JVM running Eclipse. For example, say you wish to install the latest Eclipse Platform with the popular Eclipse Color Theme plugin and also allow Eclipse to use more RAM. You could then add: 14 15 ```nix 16 { ··· 26 } 27 ``` 28 29 + to your Nixpkgs configuration (`~/.config/nixpkgs/config.nix`) and install it by running `nix-env -f '<nixpkgs>' -iA myEclipse` and afterward running Eclipse as usual. It is possible to find out which plugins are available for installation using `eclipseWithPlugins` by running: 30 31 ```ShellSession 32 $ nix-env -f '<nixpkgs>' -qaP -A eclipses.plugins --description

+2 -2

doc/packages/emacs.section.md

··· 2 3 ## Configuring Emacs {#sec-emacs-config} 4 5 - The Emacs package comes with some extra helpers to make it easier to configure. `emacs.pkgs.withPackages` allows you to manage packages from ELPA. This means that you will not have to install that packages from within Emacs. For instance, if you wanted to use `company` `counsel`, `flycheck`, `ivy`, `magit`, `projectile`, and `use-package` you could use this as a `~/.config/nixpkgs/config.nix` override: 6 7 ```nix 8 { ··· 24 } 25 ``` 26 27 - You can install it like any other packages via `nix-env -iA myEmacs`. However, this will only install those packages. It will not `configure` them for us. To do this, we need to provide a configuration file. Luckily, it is possible to do this from within Nix! By modifying the above example, we can make Emacs load a custom config file. The key is to create a package that provides a `default.el` file in `/share/emacs/site-start/`. Emacs knows to load this file automatically when it starts. 28 29 ```nix 30 {

··· 2 3 ## Configuring Emacs {#sec-emacs-config} 4 5 + The Emacs package comes with some extra helpers to make it easier to configure. `emacs.pkgs.withPackages` allows you to manage packages from ELPA. This means that you will not have to install those packages from within Emacs. For instance, if you wanted to use `company`, `counsel`, `flycheck`, `ivy`, `magit`, `projectile`, and `use-package`, you could use this as a `~/.config/nixpkgs/config.nix` override: 6 7 ```nix 8 { ··· 24 } 25 ``` 26 27 + You can install it like any other package via `nix-env -iA myEmacs`. However, this will only install those packages. It will not `configure` them for us. To do this, we need to provide a configuration file. Luckily, it is possible to do this from within Nix! By modifying the above example, we can make Emacs load a custom config file. The key is to create a package that provides a `default.el` file in `/share/emacs/site-start/`. Emacs knows to load this file automatically when it starts. 28 29 ```nix 30 {

+2 -2

doc/packages/etc-files.section.md

··· 2 3 Certain calls in glibc require access to runtime files found in `/etc` such as `/etc/protocols` or `/etc/services` -- [getprotobyname](https://linux.die.net/man/3/getprotobyname) is one such function. 4 5 - On non-NixOS distributions these files are typically provided by packages (i.e., [netbase](https://packages.debian.org/sid/netbase)) if not already pre-installed in your distribution. This can cause non-reproducibility for code if they rely on these files being present. 6 7 If [iana-etc](https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.iana-etc.x86_64-linux) is part of your `buildInputs`, then it will set the environment variables `NIX_ETC_PROTOCOLS` and `NIX_ETC_SERVICES` to the corresponding files in the package through a setup hook. 8 ··· 15 NIX_ETC_PROTOCOLS=/nix/store/aj866hr8fad8flnggwdhrldm0g799ccz-iana-etc-20210225/etc/protocols 16 ``` 17 18 - Nixpkg's version of [glibc](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/glibc/default.nix) has been patched to check for the existence of these environment variables. If the environment variables are *not* set, then it will attempt to find the files at the default location within `/etc`.

··· 2 3 Certain calls in glibc require access to runtime files found in `/etc` such as `/etc/protocols` or `/etc/services` -- [getprotobyname](https://linux.die.net/man/3/getprotobyname) is one such function. 4 5 + On non-NixOS distributions, these files are typically provided by packages (i.e., [netbase](https://packages.debian.org/sid/netbase)) if not already pre-installed in your distribution. This can cause non-reproducibility for code if they rely on these files being present. 6 7 If [iana-etc](https://hydra.nixos.org/job/nixos/trunk-combined/nixpkgs.iana-etc.x86_64-linux) is part of your `buildInputs`, then it will set the environment variables `NIX_ETC_PROTOCOLS` and `NIX_ETC_SERVICES` to the corresponding files in the package through a setup hook. 8 ··· 15 NIX_ETC_PROTOCOLS=/nix/store/aj866hr8fad8flnggwdhrldm0g799ccz-iana-etc-20210225/etc/protocols 16 ``` 17 18 + Nixpkgs's version of [glibc](https://github.com/NixOS/nixpkgs/blob/master/pkgs/development/libraries/glibc/default.nix) has been patched to check for the existence of these environment variables. If the environment variables are *not* set, then it will attempt to find the files at the default location within `/etc`.

+1 -1

doc/packages/firefox.section.md

··· 50 Nix installed add-ons do not have a valid signature, which is why signature verification is disabled. This does not compromise security because downloaded add-ons are checksummed and manual add-ons can't be installed. Also, make sure that the `name` field of `fetchFirefoxAddon` is unique. If you remove an add-on from the `nixExtensions` array, rebuild and start Firefox: the removed add-on will be completely removed with all of its settings. 51 52 ## Troubleshooting {#sec-firefox-troubleshooting} 53 - If add-ons are marked as broken or the signature is invalid, make sure you have Firefox ESR installed. Normal Firefox does not provide the ability anymore to disable signature verification for add-ons thus nix add-ons get disabled by the normal Firefox binary. 54 55 If add-ons do not appear installed despite being defined in your nix configuration file, reset the local add-on state of your Firefox profile by clicking `Help -> More Troubleshooting Information -> Refresh Firefox`. This can happen if you switch from manual add-on mode to nix add-on mode and then back to manual mode and then again to nix add-on mode.

··· 50 Nix installed add-ons do not have a valid signature, which is why signature verification is disabled. This does not compromise security because downloaded add-ons are checksummed and manual add-ons can't be installed. Also, make sure that the `name` field of `fetchFirefoxAddon` is unique. If you remove an add-on from the `nixExtensions` array, rebuild and start Firefox: the removed add-on will be completely removed with all of its settings. 51 52 ## Troubleshooting {#sec-firefox-troubleshooting} 53 + If add-ons are marked as broken or the signature is invalid, make sure you have Firefox ESR installed. Normal Firefox does not provide the ability anymore to disable signature verification for add-ons; thus, Nix add-ons get disabled by the normal Firefox binary. 54 55 If add-ons do not appear installed despite being defined in your nix configuration file, reset the local add-on state of your Firefox profile by clicking `Help -> More Troubleshooting Information -> Refresh Firefox`. This can happen if you switch from manual add-on mode to nix add-on mode and then back to manual mode and then again to nix add-on mode.

+1 -1

doc/packages/fish.section.md

··· 12 When the `programs.fish.enable` and 13 `programs.fish.vendor.{completions,config,functions}.enable` options from the 14 NixOS Fish module are set to true, those paths are symlinked in the current 15 - system environment and automatically loaded by Fish. 16 17 18 ## Packaging Fish plugins {#sec-fish-plugins-pkg}

··· 12 When the `programs.fish.enable` and 13 `programs.fish.vendor.{completions,config,functions}.enable` options from the 14 NixOS Fish module are set to true, those paths are symlinked in the current 15 + system environment and are automatically loaded by Fish. 16 17 18 ## Packaging Fish plugins {#sec-fish-plugins-pkg}

+3 -3

doc/packages/fuse.section.md

··· 4 [FUSE](https://www.kernel.org/doc/html/latest/filesystems/fuse.html) to provide 5 support for additional filesystems not supported by the kernel. 6 7 - In general, FUSE software are primarily developed for Linux but many of them can 8 also run on macOS. Nixpkgs supports FUSE packages on macOS, but it requires 9 [macFUSE](https://osxfuse.github.io) to be installed outside of Nix. macFUSE 10 - currently isn't packaged in Nixpkgs mainly because it includes a kernel 11 extension, which isn't supported by Nix outside of NixOS. 12 13 If a package fails to run on macOS with an error message similar to the ··· 24 checking for fuse.h... no 25 configure: error: No fuse.h found. 26 27 - This happens on autoconf based projects that use `AC_CHECK_HEADERS` or 28 `AC_CHECK_LIBS` to detect libfuse, and will occur even when the `fuse` package 29 is included in `buildInputs`. It happens because libfuse headers throw an error 30 on macOS if the `FUSE_USE_VERSION` macro is undefined. Many projects do define

··· 4 [FUSE](https://www.kernel.org/doc/html/latest/filesystems/fuse.html) to provide 5 support for additional filesystems not supported by the kernel. 6 7 + In general, FUSE software is primarily developed for Linux but many of them can 8 also run on macOS. Nixpkgs supports FUSE packages on macOS, but it requires 9 [macFUSE](https://osxfuse.github.io) to be installed outside of Nix. macFUSE 10 + currently isn't packaged in Nixpkgs, mainly because it includes a kernel 11 extension, which isn't supported by Nix outside of NixOS. 12 13 If a package fails to run on macOS with an error message similar to the ··· 24 checking for fuse.h... no 25 configure: error: No fuse.h found. 26 27 + This happens on autoconf-based projects that use `AC_CHECK_HEADERS` or 28 `AC_CHECK_LIBS` to detect libfuse, and will occur even when the `fuse` package 29 is included in `buildInputs`. It happens because libfuse headers throw an error 30 on macOS if the `FUSE_USE_VERSION` macro is undefined. Many projects do define

+1 -1

doc/packages/inkscape.section.md

··· 20 [nix-shell:~]$ inkscape 21 ``` 22 23 - All available extension can be enabled by passing `inkscapeExtensions = null;`. 24 25 ::: {.note} 26 Loading the Inkscape extensions stand-alone (without using `override`) does not affect Inkscape at all.

··· 20 [nix-shell:~]$ inkscape 21 ``` 22 23 + All available extensions can be enabled by passing `inkscapeExtensions = null;`. 24 25 ::: {.note} 26 Loading the Inkscape extensions stand-alone (without using `override`) does not affect Inkscape at all.

+1 -1

doc/packages/locales.section.md

··· 1 # Locales {#locales} 2 3 - To allow simultaneous use of packages linked against different versions of `glibc` with different locale archive formats, Nixpkgs patches `glibc` to rely on `LOCALE_ARCHIVE` environment variable. 4 5 On non-NixOS distributions, this variable is obviously not set. This can cause regressions in language support or even crashes in some Nixpkgs-provided programs. The simplest way to mitigate this problem is exporting the `LOCALE_ARCHIVE` variable pointing to `${glibcLocales}/lib/locale/locale-archive`. The drawback (and the reason this is not the default) is the relatively large (a hundred MiB) size of the full set of locales. It is possible to build a custom set of locales by overriding parameters `allLocales` and `locales` of the package.

··· 1 # Locales {#locales} 2 3 + To allow simultaneous use of packages linked against different versions of `glibc` with different locale archive formats, Nixpkgs patches `glibc` to rely on the `LOCALE_ARCHIVE` environment variable. 4 5 On non-NixOS distributions, this variable is obviously not set. This can cause regressions in language support or even crashes in some Nixpkgs-provided programs. The simplest way to mitigate this problem is exporting the `LOCALE_ARCHIVE` variable pointing to `${glibcLocales}/lib/locale/locale-archive`. The drawback (and the reason this is not the default) is the relatively large (a hundred MiB) size of the full set of locales. It is possible to build a custom set of locales by overriding parameters `allLocales` and `locales` of the package.

+1 -1

doc/packages/nginx.section.md

··· 8 9 Fortunately, HTTP supports an alternative (and more effective) caching mechanism: the [`ETag`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag) response header. The value of the `ETag` header specifies some identifier for the particular content that the server is sending (e.g., a hash). When a client makes a second request for the same resource, it sends that value back in an `If-None-Match` header. If the ETag value is unchanged, then the server does not need to resend the content. 10 11 - The nginx package in Nixpkgs is patched such that when nginx serves a file out of `/nix/store`, the hash in the store path is used as the `ETag` header in the HTTP response, thus providing proper caching functionality. With NixOS 24.05 and later, the `ETag` additionally includes the response content length, to ensure files served with static compression do not share `ETag`s with their uncompressed version. This `ETag` functionality is enabled automatically; you do not need to do modify any configuration to get this behavior.

··· 8 9 Fortunately, HTTP supports an alternative (and more effective) caching mechanism: the [`ETag`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/ETag) response header. The value of the `ETag` header specifies some identifier for the particular content that the server is sending (e.g., a hash). When a client makes a second request for the same resource, it sends that value back in an `If-None-Match` header. If the ETag value is unchanged, then the server does not need to resend the content. 10 11 + The nginx package in Nixpkgs is patched such that when nginx serves a file out of `/nix/store`, the hash in the store path is used as the `ETag` header in the HTTP response, thus providing proper caching functionality. With NixOS 24.05 and later, the `ETag` additionally includes the response content length, to ensure files served with static compression do not share `ETag`s with their uncompressed version. This `ETag` functionality is enabled automatically; you do not need to modify any configuration to get this behavior.

+1 -1

doc/packages/python-tree-sitter.section.md

··· 52 print(tree.root_node) 53 ``` 54 55 - The `tree_sitter_rust.language()` function references the Rust grammar loaded in the Nix shell. The resulting tree allows you to inspect the structure of the code programmatically. 56

··· 52 print(tree.root_node) 53 ``` 54 55 + The `tree_sitter_rust.language()` function references the Rust grammar loaded in the Nix shell. The resulting tree allows you to programmatically inspect the structure of the code. 56

+1 -1

doc/packages/shell-helpers.section.md

··· 1 # Interactive shell helpers {#sec-shell-helpers} 2 3 - Some packages provide the shell integration to be more useful. But unlike other systems, nix doesn't have a standard `share` directory location. This is why a bunch `PACKAGE-share` scripts are shipped that print the location of the corresponding shared folder. Current list of such packages is as following: 4 5 - `fzf` : `fzf-share` 6

··· 1 # Interactive shell helpers {#sec-shell-helpers} 2 3 + Some packages provide shell integration to be more useful. But unlike other systems, nix doesn't have a standard `share` directory location. This is why a bunch of `PACKAGE-share` scripts are shipped that print the location of the corresponding shared folder. The current list of such packages is as follows: 4 5 - `fzf` : `fzf-share` 6

+2 -2

doc/packages/steam.section.md

··· 2 3 ## Steam in Nix {#sec-steam-nix} 4 5 - Steam is distributed as a `.deb` file, for now only as an i686 package (the amd64 package only has documentation). When unpacked, it has a script called `steam` that in Ubuntu (their target distro) would go to `/usr/bin`. When run for the first time, this script copies some files to the user's home, which include another script that is the ultimate responsible for launching the steam binary, which is also in `$HOME`. 6 7 Nix problems and constraints: 8 ··· 11 - The `steam.sh` script in `$HOME` cannot be patched, as it is checked and rewritten by steam. 12 - The steam binary cannot be patched, it's also checked. 13 14 - The current approach to deploy Steam in NixOS is composing a FHS-compatible chroot environment, as documented [here](https://sandervanderburg.blogspot.com/2013/09/composing-fhs-compatible-chroot.html). This allows us to have binaries in the expected paths without disrupting the system, and to avoid patching them to work in a non FHS environment. 15 16 ## How to play {#sec-steam-play} 17

··· 2 3 ## Steam in Nix {#sec-steam-nix} 4 5 + Steam is distributed as a `.deb` file, for now only as an i686 package (the amd64 package only has documentation). When unpacked, it has a script called `steam` that in Ubuntu (their target distro) would go to `/usr/bin`. When run for the first time, this script copies some files to the user's home, which include another script that is ultimately responsible for launching the steam binary, which is also in `$HOME`. 6 7 Nix problems and constraints: 8 ··· 11 - The `steam.sh` script in `$HOME` cannot be patched, as it is checked and rewritten by steam. 12 - The steam binary cannot be patched, it's also checked. 13 14 + The current approach to deploy Steam in NixOS is composing a FHS-compatible chroot environment, as documented [here](https://sandervanderburg.blogspot.com/2013/09/composing-fhs-compatible-chroot.html). This allows us to have binaries in the expected paths without disrupting the system and to avoid patching them to work in a non-FHS environment. 15 16 ## How to play {#sec-steam-play} 17

+2 -2

doc/packages/urxvt.section.md

··· 70 71 ## Packaging urxvt plugins {#sec-urxvt-pkg} 72 73 - Urxvt plugins resides in `pkgs/applications/misc/rxvt-unicode-plugins`. To add a new plugin, create an expression in a subdirectory and add the package to the set in `pkgs/applications/misc/rxvt-unicode-plugins/default.nix`. 74 75 - A plugin can be any kind of derivation, the only requirement is that it should always install perl scripts in `$out/lib/urxvt/perl`. Look for existing plugins for examples. 76 77 If the plugin is itself a Perl package that needs to be imported from other plugins or scripts, add the following passthrough: 78

··· 70 71 ## Packaging urxvt plugins {#sec-urxvt-pkg} 72 73 + Urxvt plugins reside in `pkgs/applications/misc/rxvt-unicode-plugins`. To add a new plugin, create an expression in a subdirectory and add the package to the set in `pkgs/applications/misc/rxvt-unicode-plugins/default.nix`. 74 75 + A plugin can be any kind of derivation; the only requirement is that it should always install perl scripts in `$out/lib/urxvt/perl`. Look for existing plugins for examples. 76 77 If the plugin is itself a Perl package that needs to be imported from other plugins or scripts, add the following passthrough: 78

+3 -3

doc/packages/vcpkg.section.md

··· 1 # VCPKG {#sec-vcpkg} 2 3 - The `vcpkg-tool` package has a wrapper around the `vcpkg` executable to avoid writing to the nix store. 4 The wrapper will also be present in `vcpkg`, unless you specify `vcpkg.override { vcpkg-tool = vcpkg-tool-unwrapped; }` 5 6 - The wrapper has been made in a way so that it will provide default cli arguments, but tries not to interfere if the user provides the same arguments. 7 The arguments also have corresponding environment variables that can be used as an alternative way of overriding these paths. 8 9 Run the wrapper with the environment variable `NIX_VCPKG_DEBUG_PRINT_ENVVARS=true` to get a full list of corresponding environment variables. 10 11 ## Nix specific environment variables {#sec-vcpkg-nix-envvars} 12 13 - The wrapper also provides some new nix-specific environment variables that lets you control some of the wrapper functionality. 14 15 - `NIX_VCPKG_WRITABLE_PATH = <path>` 16

··· 1 # VCPKG {#sec-vcpkg} 2 3 + The `vcpkg-tool` package has a wrapper around the `vcpkg` executable to avoid writing to the nix store. 4 The wrapper will also be present in `vcpkg`, unless you specify `vcpkg.override { vcpkg-tool = vcpkg-tool-unwrapped; }` 5 6 + The wrapper has been made in a way so that it will provide default cli arguments but tries not to interfere if the user provides the same arguments. 7 The arguments also have corresponding environment variables that can be used as an alternative way of overriding these paths. 8 9 Run the wrapper with the environment variable `NIX_VCPKG_DEBUG_PRINT_ENVVARS=true` to get a full list of corresponding environment variables. 10 11 ## Nix specific environment variables {#sec-vcpkg-nix-envvars} 12 13 + The wrapper also provides some new nix-specific environment variables that let you control some of the wrapper functionality. 14 15 - `NIX_VCPKG_WRITABLE_PATH = <path>` 16

+1 -1

doc/packages/weechat.section.md

··· 20 21 The plugins currently available are `python`, `perl`, `ruby`, `guile`, `tcl` and `lua`. 22 23 - The Python and Perl plugins allows the addition of extra libraries. For instance, the `inotify.py` script in `weechat-scripts` requires D-Bus or libnotify, and the `fish.py` script requires `pycrypto`. To use these scripts, use the plugin's `withPackages` attribute: 24 25 ```nix 26 weechat.override {

··· 20 21 The plugins currently available are `python`, `perl`, `ruby`, `guile`, `tcl` and `lua`. 22 23 + The Python and Perl plugins allow the addition of extra libraries. For instance, the `inotify.py` script in `weechat-scripts` requires D-Bus or libnotify, and the `fish.py` script requires `pycrypto`. To use these scripts, use the plugin's `withPackages` attribute: 24 25 ```nix 26 weechat.override {

+1 -1

doc/packages/xorg.section.md

··· 1 # X.org {#sec-xorg} 2 3 - The Nix expressions for the X.org packages reside in `pkgs/servers/x11/xorg/default.nix`. This file is automatically generated from lists of tarballs in an X.org release. As such it should not be modified directly; rather, you should modify the lists, the generator script or the file `pkgs/servers/x11/xorg/overrides.nix`, in which you can override or add to the derivations produced by the generator. 4 5 ## Katamari Tarballs {#katamari-tarballs} 6

··· 1 # X.org {#sec-xorg} 2 3 + The Nix expressions for the X.org packages reside in `pkgs/servers/x11/xorg/default.nix`. This file is automatically generated from lists of tarballs in an X.org release. As such, it should not be modified directly; rather, you should modify the lists, the generator script, or the file `pkgs/servers/x11/xorg/overrides.nix`, in which you can override or add to the derivations produced by the generator. 4 5 ## Katamari Tarballs {#katamari-tarballs} 6

+2 -2

doc/preface.chapter.md

··· 7 package manager on most GNU/Linux distributions as well as [NixOS](https://nixos.org/nixos). 8 9 This document is the user [_reference_](https://nix.dev/contributing/documentation/diataxis#reference) manual for Nixpkgs. 10 - It describes entire public interface of Nixpkgs in a concise and orderly manner, and all relevant behaviors, with examples and cross-references. 11 12 To discover other kinds of documentation: 13 - [nix.dev](https://nix.dev/): Tutorials and guides for getting things done with Nix ··· 30 `nixpkgs-unstable`. Users of NixOS generally use one of the `nixos-*` channels, 31 e.g. `nixos-22.11`, which includes all packages and modules for the stable NixOS 32 22.11. Stable NixOS releases are generally only given 33 - security updates. More up to date packages and modules are available via the 34 `nixos-unstable` channel. 35 36 Both `nixos-unstable` and `nixpkgs-unstable` follow the `master` branch of the

··· 7 package manager on most GNU/Linux distributions as well as [NixOS](https://nixos.org/nixos). 8 9 This document is the user [_reference_](https://nix.dev/contributing/documentation/diataxis#reference) manual for Nixpkgs. 10 + It describes the entire public interface of Nixpkgs in a concise and orderly manner, and all relevant behaviors, with examples and cross-references. 11 12 To discover other kinds of documentation: 13 - [nix.dev](https://nix.dev/): Tutorials and guides for getting things done with Nix ··· 30 `nixpkgs-unstable`. Users of NixOS generally use one of the `nixos-*` channels, 31 e.g. `nixos-22.11`, which includes all packages and modules for the stable NixOS 32 22.11. Stable NixOS releases are generally only given 33 + security updates. More up-to-date packages and modules are available via the 34 `nixos-unstable` channel. 35 36 Both `nixos-unstable` and `nixpkgs-unstable` follow the `master` branch of the

+1 -1

doc/release-notes/release-notes.md

··· 1 # Release Notes {#chap-release-notes} 2 3 - This section lists the release notes for each stable version of Nixpkgs and current unstable revision. 4 5 ```{=include=} sections 6 rl-2511.section.md

··· 1 # Release Notes {#chap-release-notes} 2 3 + This section lists the release notes for each stable version of Nixpkgs and the current unstable revision. 4 5 ```{=include=} sections 6 rl-2511.section.md

+15 -15

doc/release-notes/rl-2505.section.md

··· 36 37 - Emacs has been updated to 30.1. 38 This introduces some backwards‐incompatible changes; see the NEWS for details. 39 - NEWS can been viewed from Emacs by typing `C-h n`, or by clicking `Help->Emacs News` from the menu bar. 40 It can also be browsed [online](https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30). 41 42 - The `intel` video driver for X.org (from the xf86-video-intel package, which was previously removed because it was non-functional) has been fixed and the driver has been re-introduced. ··· 79 rather than a port. See [Migrating from version 1.x](https://github.com/roehling/postsrsd/blob/2.0.10/README.rst#migrating-from-version-1x) and [Postfix Setup](https://github.com/roehling/postsrsd?tab=readme-ov-file#postfix-setup) for details. 80 81 - `renovate` was updated to v39. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/39.0.0) for breaking changes. 82 - Like upstream's docker images, renovate now runs on NodeJS 22. 83 84 - - The hand written `perlPackages.SearchXapian` bindings have been dropped in favor of the (mostly compatible) 85 `perlPackages.Xapian`. 86 87 - `varnish` was updated from 7.5.0 to 7.7.0, see [Varnish 7.6.0 upgrade guide](https://varnish-cache.org/docs/7.6/whats-new/upgrading-7.6.html) and ··· 161 Cargo 1.84.0 changed the format of `cargo vendor` output, which invalidated all existing `rustPlatform.fetchCargoTarball` hashes. 162 To preserve Nix’s invariants, it has been replaced with `rustPlatform.fetchCargoVendor`, an independent implementation prioritizing format stability. 163 `rustPlatform.buildRustPackage` now uses `rustPlatform.fetchCargoVendor` by default; a hash mismatch error is expected in third‐party Rust packages when updating to Nixpkgs 25.05. 164 - Packages wishing to maintain compatibility with Nixpkgs 24.11 must set `useFetchCargoVendor` to `true` explicitly. 165 `rustPlatform.importCargoLock` may also be appropriate in some circumstances. 166 167 - `cassandra_3_0` and `cassandra_3_11` have been removed as they have reached end-of-life. Please update to `cassandra_4`. See the [changelog](https://github.com/apache/cassandra/blob/cassandra-4.0.17/NEWS.txt) for more information about the upgrade process. ··· 198 the [release announcement](https://kafka.apache.org/blog#apache_kafka_400_release_announcement) 199 for more details. 200 201 - - `ast-grep` remove `sg` command to prevent conflict with `sg` command from shadow-utils. If you need legacy sg command compatibility with old code, you can use `ast-grep.override { enableLegacySg = true; }` 202 203 - rename package `wtf` to `wtfutil`. 204 ··· 206 207 - `wastebin` has been updated to 3.0.0. See the [Changelog](https://github.com/matze/wastebin/blob/master/CHANGELOG.md#300) for breaking changes to the configuration. 208 209 - - `binwalk` was updated to 3.1.0, which has been rewritten in rust. The python module is no longer available. 210 See the release notes of [3.1.0](https://github.com/ReFirmLabs/binwalk/releases/tag/v3.1.0) for more information. 211 212 - `pkgs.nextcloud28` and `pkgs.nextcloud29` have been removed since they are out of support upstream. ··· 231 - `buildGoModule` now supports a `goSum` attribute (`null` by default) to optionally provide a path to `go.sum` and correctly enabling rebuilds when the file changes. 232 233 - The newly added aliases `go_latest` and `buildGoLatestModule` are now available and can be use to prevent packages like `gopls` from breaking whenever the default toolchain minor version is lagging behind. 234 - It can also be used _outside of nixpkgs_ to get fast access to new Go minor versions without having to wait for a staging cycle that will update the default builder/toolchain. 235 236 - - A [policy documenting the details of Go toolchain and builder upgrades](https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/go/README.md#go-toolchainbuilder-upgrade-policy) in nixpkgs, as well as rules related to using non-default builders like `buildGo1xxModule` and `buildGoLatestModule` has been added in-tree. 237 238 - top-level `playwright` now refers to the github Microsoft/playwright package 239 instead of the python tester launcher. You can still refer to the python ··· 265 - `ps3-disc-dumper` was updated to 4.2.5, which removed the CLI project and now exclusively offers the GUI 266 267 - `kmonad` is now hardened by default using common `systemd` settings. 268 - If KMonad is used to execute shell commands, hardening may make some of them fail. In that case, you can disable hardening using {option}`services.kmonad.keyboards.<name>.enableHardening` option. 269 270 - `isd` was updated from 0.2.0 to 0.5.1, the new version may crash with a previously generated config, try moving or deleting `~/.config/isd/schema.json`. 271 ··· 307 308 - `dwarf-fortress-packages` now only contains one minor version for each major version since version 0.44. Saves should still be compatible, but you may have to change which minor version you were using if it was one other than the newest. 309 310 - - `tpm2-pkcs11` now is compiled without abrmd (Access Broker and Resource Manager Daemon) support by default, preferring the kernel resource manager. Use `tpm2-pkcs11.abrmd` if you would like a version with abrmd support. Note that the NixOS module picks the correct one automatically based on `security.tpm2.abrmd`. 311 312 - `zig_0_9` and `zig_0_10` have been removed, you should upgrade to `zig_0_13` (also available as just `zig`), `zig_0_12` or `zig_0_11` instead. 313 ··· 434 [Prisma ORM upgrade guide](https://www.prisma.io/docs/orm/more/upgrade-guides/upgrading-versions/upgrading-to-prisma-6) 435 for more information. 436 437 - - `dependency-track` no longer bundes the UI inside the jar. This bundling 438 functionality is deprecated by upstream and causes UI assets not being served 439 after weeks of runtime. 440 ··· 445 446 - `confluent-cli` was updated from 3.60.0 to 4.16.0, which includes several breaking changes as detailed in [Confluent's release notes](https://docs.confluent.io/confluent-cli/current/release-notes.html). 447 448 - - `siduck76-st` has been renamed to `st-snazzy`, like the project's [flake](https://github.com/siduck/st/blob/main/flake.nix). 449 450 - `python3Packages.jax` now directly depends on `python3Packages.jaxlib`. 451 As a result, packages that depend on jax no longer need to include jaxlib to their dependencies. 452 - There is also a breaking change in the handling of CUDA. Instead of using a CUDA compatible jaxlib 453 as before, you can use plugins like `python3Packages.jax-cuda12-plugin`. 454 455 - Added `allowVariants` to gate availability of package sets like `pkgsLLVM`, `pkgsMusl`, `pkgsZig`, etc. This was done in an effort to ··· 532 533 - The `stackclashprotection` hardening flag has been enabled by default on compilers that support it. 534 535 - - In `dovecot` package removed hard coding path to module directory. 536 537 - `authelia` version 4.39.0 has made some changes which deprecate older configurations. 538 They are still expected to be working until future version 5.0.0, but will generate warnings in logs. ··· 540 541 - `hddfancontrol` has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes. 542 543 - - `nextcloud-news-updater` is unmaintained and was removed from nixpkgs. 544 545 - KDE Partition Manager `partitionmanager`'s support for ReiserFS is removed. 546 ReiserFS has not been actively maintained for many years. It has been marked as obsolete since Linux 6.6, and

··· 36 37 - Emacs has been updated to 30.1. 38 This introduces some backwards‐incompatible changes; see the NEWS for details. 39 + NEWS can be viewed from Emacs by typing `C-h n`, or by clicking `Help->Emacs News` from the menu bar. 40 It can also be browsed [online](https://git.savannah.gnu.org/cgit/emacs.git/tree/etc/NEWS?h=emacs-30). 41 42 - The `intel` video driver for X.org (from the xf86-video-intel package, which was previously removed because it was non-functional) has been fixed and the driver has been re-introduced. ··· 79 rather than a port. See [Migrating from version 1.x](https://github.com/roehling/postsrsd/blob/2.0.10/README.rst#migrating-from-version-1x) and [Postfix Setup](https://github.com/roehling/postsrsd?tab=readme-ov-file#postfix-setup) for details. 80 81 - `renovate` was updated to v39. See the [upstream release notes](https://github.com/renovatebot/renovate/releases/tag/39.0.0) for breaking changes. 82 + Like upstream's Docker images, renovate now runs on NodeJS 22. 83 84 + - The handwritten `perlPackages.SearchXapian` bindings have been dropped in favor of the (mostly compatible) 85 `perlPackages.Xapian`. 86 87 - `varnish` was updated from 7.5.0 to 7.7.0, see [Varnish 7.6.0 upgrade guide](https://varnish-cache.org/docs/7.6/whats-new/upgrading-7.6.html) and ··· 161 Cargo 1.84.0 changed the format of `cargo vendor` output, which invalidated all existing `rustPlatform.fetchCargoTarball` hashes. 162 To preserve Nix’s invariants, it has been replaced with `rustPlatform.fetchCargoVendor`, an independent implementation prioritizing format stability. 163 `rustPlatform.buildRustPackage` now uses `rustPlatform.fetchCargoVendor` by default; a hash mismatch error is expected in third‐party Rust packages when updating to Nixpkgs 25.05. 164 + Packages wishing to maintain compatibility with Nixpkgs 24.11 must explicitly set `useFetchCargoVendor` to `true`. 165 `rustPlatform.importCargoLock` may also be appropriate in some circumstances. 166 167 - `cassandra_3_0` and `cassandra_3_11` have been removed as they have reached end-of-life. Please update to `cassandra_4`. See the [changelog](https://github.com/apache/cassandra/blob/cassandra-4.0.17/NEWS.txt) for more information about the upgrade process. ··· 198 the [release announcement](https://kafka.apache.org/blog#apache_kafka_400_release_announcement) 199 for more details. 200 201 + - `ast-grep` removes the `sg` command to prevent conflict with the `sg` command from shadow-utils. If you need legacy sg command compatibility with old code, you can use `ast-grep.override { enableLegacySg = true; }` 202 203 - rename package `wtf` to `wtfutil`. 204 ··· 206 207 - `wastebin` has been updated to 3.0.0. See the [Changelog](https://github.com/matze/wastebin/blob/master/CHANGELOG.md#300) for breaking changes to the configuration. 208 209 + - `binwalk` was updated to 3.1.0, which has been rewritten in Rust. The Python module is no longer available. 210 See the release notes of [3.1.0](https://github.com/ReFirmLabs/binwalk/releases/tag/v3.1.0) for more information. 211 212 - `pkgs.nextcloud28` and `pkgs.nextcloud29` have been removed since they are out of support upstream. ··· 231 - `buildGoModule` now supports a `goSum` attribute (`null` by default) to optionally provide a path to `go.sum` and correctly enabling rebuilds when the file changes. 232 233 - The newly added aliases `go_latest` and `buildGoLatestModule` are now available and can be use to prevent packages like `gopls` from breaking whenever the default toolchain minor version is lagging behind. 234 + It can also be used _outside of Nixpkgs_ to get fast access to new Go minor versions without having to wait for a staging cycle that will update the default builder/toolchain. 235 236 + - A [policy documenting the details of Go toolchain and builder upgrades](https://github.com/NixOS/nixpkgs/blob/master/pkgs/build-support/go/README.md#go-toolchainbuilder-upgrade-policy) in Nixpkgs, as well as rules related to using non-default builders like `buildGo1xxModule` and `buildGoLatestModule` has been added in-tree. 237 238 - top-level `playwright` now refers to the github Microsoft/playwright package 239 instead of the python tester launcher. You can still refer to the python ··· 265 - `ps3-disc-dumper` was updated to 4.2.5, which removed the CLI project and now exclusively offers the GUI 266 267 - `kmonad` is now hardened by default using common `systemd` settings. 268 + If KMonad is used to execute shell commands, hardening may make some of them fail. In that case, you can disable hardening using the {option}`services.kmonad.keyboards.<name>.enableHardening` option. 269 270 - `isd` was updated from 0.2.0 to 0.5.1, the new version may crash with a previously generated config, try moving or deleting `~/.config/isd/schema.json`. 271 ··· 307 308 - `dwarf-fortress-packages` now only contains one minor version for each major version since version 0.44. Saves should still be compatible, but you may have to change which minor version you were using if it was one other than the newest. 309 310 + - `tpm2-pkcs11` now is compiled without `abrmd` (Access Broker and Resource Manager Daemon) support by default, preferring the kernel resource manager. Use `tpm2-pkcs11.abrmd` if you would like a version with `abrmd` support. Note that the NixOS module picks the correct one automatically based on `security.tpm2.abrmd`. 311 312 - `zig_0_9` and `zig_0_10` have been removed, you should upgrade to `zig_0_13` (also available as just `zig`), `zig_0_12` or `zig_0_11` instead. 313 ··· 434 [Prisma ORM upgrade guide](https://www.prisma.io/docs/orm/more/upgrade-guides/upgrading-versions/upgrading-to-prisma-6) 435 for more information. 436 437 + - `dependency-track` no longer bundles the UI inside the jar. This bundling 438 functionality is deprecated by upstream and causes UI assets not being served 439 after weeks of runtime. 440 ··· 445 446 - `confluent-cli` was updated from 3.60.0 to 4.16.0, which includes several breaking changes as detailed in [Confluent's release notes](https://docs.confluent.io/confluent-cli/current/release-notes.html). 447 448 + - `siduck76-st` has been renamed to `st-snazzy`, like the project's [flake](https://github.com/siduck/st/blob/main/flake.nix). An alias for the old name has been added. 449 450 - `python3Packages.jax` now directly depends on `python3Packages.jaxlib`. 451 As a result, packages that depend on jax no longer need to include jaxlib to their dependencies. 452 + There is also a breaking change in the handling of CUDA. Instead of using a CUDA-compatible jaxlib 453 as before, you can use plugins like `python3Packages.jax-cuda12-plugin`. 454 455 - Added `allowVariants` to gate availability of package sets like `pkgsLLVM`, `pkgsMusl`, `pkgsZig`, etc. This was done in an effort to ··· 532 533 - The `stackclashprotection` hardening flag has been enabled by default on compilers that support it. 534 535 + - In `dovecot` package, the hardcoded path to the module directory has been removed. 536 537 - `authelia` version 4.39.0 has made some changes which deprecate older configurations. 538 They are still expected to be working until future version 5.0.0, but will generate warnings in logs. ··· 540 541 - `hddfancontrol` has been updated to major release 2. See the [migration guide](https://github.com/desbma/hddfancontrol/tree/master?tab=readme-ov-file#migrating-from-v1x), as there are breaking changes. 542 543 + - `nextcloud-news-updater` is unmaintained and was removed from Nixpkgs. 544 545 - KDE Partition Manager `partitionmanager`'s support for ReiserFS is removed. 546 ReiserFS has not been actively maintained for many years. It has been marked as obsolete since Linux 6.6, and

+6 -5

doc/release-notes/rl-2511.section.md

··· 28 - `gentium` package now provides `Gentium-*.ttf` files, and not `GentiumPlus-*.ttf` files like before. The font identifiers `Gentium Plus*` are available in the `gentium-plus` package, and if you want to use the more recently updated package `gentium` [by sil](https://software.sil.org/gentium/), you should update your configuration files to use the `Gentium` font identifier. 29 - `space-orbit` package has been removed due to lack of upstream maintenance. Debian upstream stopped tracking it in 2011. 30 31 - - Derivations setting both `separateDebugInfo` and one of `allowedReferences`, `allowedRequistes`, `disallowedReferences` or `disallowedRequisites` must now set `__structuredAttrs` to `true`. The effect of reference whitelisting or blacklisting will be disabled on the `debug` output created by `separateDebugInfo`. 0 32 - `victoriametrics` no longer contains VictoriaLogs components. These have been separated into the new package `victorialogs`. 33 34 - - `mx-puppet-discord` was removed from nixpkgs along with its NixOS module as it was unmaintained and was the only user of sha1 hashes in tree. 35 36 - `kbd` package's `outputs` now include a `man` and `scripts` outputs. The `unicode_start` and `unicode_stop` Bash scripts are now part of the `scripts` output, allowing most usages of the `kbd` package to not pull in `bash`. 37 ··· 88 89 - `telegram-desktop` packages now uses `Telegram` for its binary. The previous name was `telegram-desktop`. This is due to [an upstream decision](https://github.com/telegramdesktop/tdesktop/commit/56ff5808a3d766f892bc3c3305afb106b629ef6f) to make the name consistent with other platforms. 90 91 - - `podofo` has been updated from `0.9.8` to `1.0.0`. These releases are by nature very incompatable due to major api changes. The legacy versions can be found under `podofo_0_10` and `podofo_0_9`. 92 Changelog: https://github.com/podofo/podofo/blob/1.0.0/CHANGELOG.md, API-Migration-Guide: https://github.com/podofo/podofo/blob/1.0.0/API-MIGRATION.md. 93 94 - NetBox was updated to `>= 4.3.0`. Have a look at the breaking changes ··· 99 100 - `rocmPackages.triton` has been removed in favor of `python3Packages.triton`. 101 102 - - `go-mockery` has been updated to v3. For migration instructions see the [upstream documentation](https://vektra.github.io/mockery/latest/v3/). If v2 is still required `go-mockery_v2` has been added but will be removed on or before 2029-12-31 in-line with it's [upstream support lifecycle](https://vektra.github.io/mockery/ 103 104 - [private-gpt](https://github.com/zylon-ai/private-gpt) service has been removed by lack of maintenance upstream. 105 ··· 152 153 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> 154 155 - - `mealie` has been updated to 3.0.2: This update introduces breaking changes in some API endpoints (see the [release changelog](https://github.com/mealie-recipes/mealie/releases/tag/v3.0.0)) 156 157 ### Breaking changes {#sec-nixpkgs-release-25.11-lib-breaking} 158

··· 28 - `gentium` package now provides `Gentium-*.ttf` files, and not `GentiumPlus-*.ttf` files like before. The font identifiers `Gentium Plus*` are available in the `gentium-plus` package, and if you want to use the more recently updated package `gentium` [by sil](https://software.sil.org/gentium/), you should update your configuration files to use the `Gentium` font identifier. 29 - `space-orbit` package has been removed due to lack of upstream maintenance. Debian upstream stopped tracking it in 2011. 30 31 + - Derivations setting both `separateDebugInfo` and one of `allowedReferences`, `allowedRequisites`, `disallowedReferences` or `disallowedRequisites` must now set `__structuredAttrs` to `true`. The effect of reference whitelisting or blacklisting will be disabled on the `debug` output created by `separateDebugInfo`. 32 + 33 - `victoriametrics` no longer contains VictoriaLogs components. These have been separated into the new package `victorialogs`. 34 35 + - `mx-puppet-discord` was removed from Nixpkgs along with its NixOS module as it was unmaintained and was the only user of sha1 hashes in tree. 36 37 - `kbd` package's `outputs` now include a `man` and `scripts` outputs. The `unicode_start` and `unicode_stop` Bash scripts are now part of the `scripts` output, allowing most usages of the `kbd` package to not pull in `bash`. 38 ··· 89 90 - `telegram-desktop` packages now uses `Telegram` for its binary. The previous name was `telegram-desktop`. This is due to [an upstream decision](https://github.com/telegramdesktop/tdesktop/commit/56ff5808a3d766f892bc3c3305afb106b629ef6f) to make the name consistent with other platforms. 91 92 + - `podofo` has been updated from `0.9.8` to `1.0.0`. These releases are by nature very incompatible due to major API changes. The legacy versions can be found under `podofo_0_10` and `podofo_0_9`. 93 Changelog: https://github.com/podofo/podofo/blob/1.0.0/CHANGELOG.md, API-Migration-Guide: https://github.com/podofo/podofo/blob/1.0.0/API-MIGRATION.md. 94 95 - NetBox was updated to `>= 4.3.0`. Have a look at the breaking changes ··· 100 101 - `rocmPackages.triton` has been removed in favor of `python3Packages.triton`. 102 103 + - `go-mockery` has been updated to v3. For migration instructions see the [upstream documentation](https://vektra.github.io/mockery/latest/v3/). If v2 is still required `go-mockery_v2` has been added but will be removed on or before 2029-12-31 in-line with its [upstream support lifecycle](https://vektra.github.io/mockery/) 104 105 - [private-gpt](https://github.com/zylon-ai/private-gpt) service has been removed by lack of maintenance upstream. 106 ··· 153 154 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> 155 156 + - `mealie` has been updated to 3.0.2: This update introduces breaking changes in some API endpoints (see the [release changelog](https://github.com/mealie-recipes/mealie/releases/tag/v3.0.0)). 157 158 ### Breaking changes {#sec-nixpkgs-release-25.11-lib-breaking} 159

+3 -3

doc/stdenv/cross-compilation.chapter.md

··· 12 13 Nixpkgs follows the [conventions of GNU autoconf](https://gcc.gnu.org/onlinedocs/gccint/Configure-Terms.html). We distinguish between 3 types of platforms when building a derivation: _build_, _host_, and _target_. In summary, _build_ is the platform on which a package is being built, _host_ is the platform on which it will run. The third attribute, _target_, is relevant only for certain specific compilers and build tools. 14 15 - In Nixpkgs, these three platforms are defined as attribute sets under the names `buildPlatform`, `hostPlatform`, and `targetPlatform`. They are always defined as attributes in the standard environment. That means one can access them like: 16 17 ```nix 18 { ··· 52 53 `config` 54 55 - : This is a 3- or 4- component shorthand for the platform. Examples of this would be `x86_64-unknown-linux-gnu` and `aarch64-apple-darwin14`. This is a standard format called the "LLVM target triple", as they are pioneered by LLVM. In the 4-part form, this corresponds to `[cpu]-[vendor]-[os]-[abi]`. This format is strictly more informative than the "Nix host double", as the previous format could analogously be termed. This needs a better name than `config`! 56 57 `parsed` 58 ··· 200 `cannot find -lc: No such file or directory` 201 202 ::: {.note} 203 - At the time of writing it is assumed the issue only happens on `glibc` because it splits the static libraries in to a different output. 204 205 ::: {.note} 206 You may want to look in to using `stdenvAdapters.makeStatic` or `pkgsStatic` or a `isStatic = true` platform.

··· 12 13 Nixpkgs follows the [conventions of GNU autoconf](https://gcc.gnu.org/onlinedocs/gccint/Configure-Terms.html). We distinguish between 3 types of platforms when building a derivation: _build_, _host_, and _target_. In summary, _build_ is the platform on which a package is being built, _host_ is the platform on which it will run. The third attribute, _target_, is relevant only for certain specific compilers and build tools. 14 15 + In Nixpkgs, these three platforms are defined as attribute sets under the names `buildPlatform`, `hostPlatform`, and `targetPlatform`. They are always defined as attributes in the standard environment. That means one can access them like this: 16 17 ```nix 18 { ··· 52 53 `config` 54 55 + : This is a 3- or 4- component shorthand for the platform. Examples of this would be `x86_64-unknown-linux-gnu` and `aarch64-apple-darwin14`. This is a standard format called the "LLVM target triple", as it was pioneered by LLVM. In the 4-part form, this corresponds to `[cpu]-[vendor]-[os]-[abi]`. This format is strictly more informative than the "Nix host double", as the previous format could analogously be termed. This needs a better name than `config`! 56 57 `parsed` 58 ··· 200 `cannot find -lc: No such file or directory` 201 202 ::: {.note} 203 + At the time of writing, it is assumed the issue only happens on `glibc` because it splits the static libraries into a different output. 204 205 ::: {.note} 206 You may want to look in to using `stdenvAdapters.makeStatic` or `pkgsStatic` or a `isStatic = true` platform.

+2 -2

doc/stdenv/passthru.chapter.md

··· 83 - They can be run and debugged without rebuilding the package, which is useful if that takes a long time 84 - They don't add overhead to each build, as opposed checks added to the [`installCheckPhase`](#ssec-installCheck-phase), such as [`versionCheckHook`](#versioncheckhook). 85 86 - It is also possible to use `passthru.tests` to test the version with [`testVersion`](#tester-testVersion), but since that is pretty trivial and recommended thing to do, we recommend using [`versionCheckHook`](#versioncheckhook) for that, which has the following advantages over `passthru.tests`: 87 88 - If the `versionCheckPhase` (the phase defined by [`versionCheckHook`](#versioncheckhook)) fails, it triggers a failure which can't be ignored if you use the package, or if you find out about it in a [`nixpkgs-review`](https://github.com/Mic92/nixpkgs-review) report. 89 - Sometimes packages become silently broken - meaning they fail to launch but their build passes because they don't perform any tests in the `checkPhase`. If you use this tool infrequently, such a silent breakage may rot in your system / profile configuration, and you will not notice the failure until you will want to use this package. Testing such basic functionality ensures you have to deal with the failure when you update your system / profile. 90 - - When you open a PR, [ofborg](https://github.com/NixOS/ofborg)'s CI _will_ run `passthru.tests` of [packages that are directly changed by your PR (according to your commits' messages)](https://github.com/NixOS/ofborg?tab=readme-ov-file#automatic-building), but if you'd want to use the [`@ofborg build`](https://github.com/NixOS/ofborg?tab=readme-ov-file#build) command for dependent packages, you won't have to specify in addition the `.tests` attribute of the packages you want to build, and no body will be able to avoid these tests. 91 92 <!-- NOTE(@fricklerhandwerk): one may argue whether that testing guide should rather be in the user's manual --> 93 For more on how to write and run package tests for Nixpkgs, see the [testing section in the package contributor guide](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests).

··· 83 - They can be run and debugged without rebuilding the package, which is useful if that takes a long time 84 - They don't add overhead to each build, as opposed checks added to the [`installCheckPhase`](#ssec-installCheck-phase), such as [`versionCheckHook`](#versioncheckhook). 85 86 + It is also possible to use `passthru.tests` to test the version with [`testVersion`](#tester-testVersion), but since that is a pretty trivial and recommended thing to do, we recommend using [`versionCheckHook`](#versioncheckhook) for that, which has the following advantages over `passthru.tests`: 87 88 - If the `versionCheckPhase` (the phase defined by [`versionCheckHook`](#versioncheckhook)) fails, it triggers a failure which can't be ignored if you use the package, or if you find out about it in a [`nixpkgs-review`](https://github.com/Mic92/nixpkgs-review) report. 89 - Sometimes packages become silently broken - meaning they fail to launch but their build passes because they don't perform any tests in the `checkPhase`. If you use this tool infrequently, such a silent breakage may rot in your system / profile configuration, and you will not notice the failure until you will want to use this package. Testing such basic functionality ensures you have to deal with the failure when you update your system / profile. 90 + - When you open a PR, [ofborg](https://github.com/NixOS/ofborg)'s CI _will_ run `passthru.tests` of [packages that are directly changed by your PR (according to your commits' messages)](https://github.com/NixOS/ofborg?tab=readme-ov-file#automatic-building), but if you'd want to use the [`@ofborg build`](https://github.com/NixOS/ofborg?tab=readme-ov-file#build) command for dependent packages, you won't have to specify in addition the `.tests` attribute of the packages you want to build, and nobody will be able to avoid these tests. 91 92 <!-- NOTE(@fricklerhandwerk): one may argue whether that testing guide should rather be in the user's manual --> 93 For more on how to write and run package tests for Nixpkgs, see the [testing section in the package contributor guide](https://github.com/NixOS/nixpkgs/blob/master/pkgs/README.md#package-tests).

+4 -4

doc/stdenv/stdenv.chapter.md

··· 336 | `host --> target` | `buildInputs` | `0, 1` | libraries | 337 | `target --> target` | `depsTargetTarget` | `1, 1` | stdlibs to run on target | 338 339 - Algorithmically, we traverse propagated inputs, accumulating every propagated dependency’s propagated dependencies and adjusting them to account for the “shift in perspective” described by the current dependency’s platform offsets. This results is sort of a transitive closure of the dependency relation, with the offsets being approximately summed when two dependency links are combined. We also prune transitive dependencies whose combined offsets go out-of-bounds, which can be viewed as a filter over that transitive closure removing dependencies that are blatantly absurd. 340 341 We can define the process precisely with [Natural Deduction](https://en.wikipedia.org/wiki/Natural_deduction) using the inference rules below. This probably seems a bit obtuse, but so is the bash code that actually implements it! [^footnote-stdenv-find-inputs-location] They’re confusing in very different ways so… hopefully if something doesn’t make sense in one presentation, it will in the other! 342 ··· 437 438 ##### `nativeBuildInputs` {#var-stdenv-nativeBuildInputs} 439 440 - A list of dependencies whose host platform is the new derivation’s build platform, and target platform is the new derivation’s host platform. These are programs and libraries used at build-time that, if they are a compiler or similar tool, produce code to run at run-time—i.e. tools used to build the new derivation. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it here, rather than in `depsBuildBuild` or `depsBuildTarget`. This could be called `depsBuildHost` but `nativeBuildInputs` is used for historical continuity. 441 442 Since these packages are able to be run at build-time, they are added to the `PATH`, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future. 443 ··· 734 735 ##### `dontAddStaticConfigureFlags` {#var-stdenv-dontAddStaticConfigureFlags} 736 737 - By default, when building statically, stdenv will try to add build system appropriate configure flags to try to enable static builds. 738 739 If this is undesirable, set this variable to true. 740 ··· 1529 1530 ### Hardening flags enabled by default {#sec-hardening-flags-enabled-by-default} 1531 1532 - The following flags are enabled by default and might require disabling with `hardeningDisable` if the program to package is incompatible. 1533 1534 #### `format` {#format} 1535

··· 336 | `host --> target` | `buildInputs` | `0, 1` | libraries | 337 | `target --> target` | `depsTargetTarget` | `1, 1` | stdlibs to run on target | 338 339 + Algorithmically, we traverse propagated inputs, accumulating every propagated dependency’s propagated dependencies and adjusting them to account for the “shift in perspective” described by the current dependency’s platform offsets. This results in a sort of transitive closure of the dependency relation, with the offsets being approximately summed when two dependency links are combined. We also prune transitive dependencies whose combined offsets go out-of-bounds, which can be viewed as a filter over that transitive closure removing dependencies that are blatantly absurd. 340 341 We can define the process precisely with [Natural Deduction](https://en.wikipedia.org/wiki/Natural_deduction) using the inference rules below. This probably seems a bit obtuse, but so is the bash code that actually implements it! [^footnote-stdenv-find-inputs-location] They’re confusing in very different ways so… hopefully if something doesn’t make sense in one presentation, it will in the other! 342 ··· 437 438 ##### `nativeBuildInputs` {#var-stdenv-nativeBuildInputs} 439 440 + A list of dependencies whose host platform is the new derivation’s build platform, and target platform is the new derivation’s host platform. These are programs and libraries used at build-time that, if they are a compiler or similar tool, produce code to run at run-time—i.e. tools used to build the new derivation. If the dependency doesn’t care about the target platform (i.e. isn’t a compiler or similar tool), put it here, rather than in `depsBuildBuild` or `depsBuildTarget`. This could be called `depsBuildHost`, but `nativeBuildInputs` is used for historical continuity. 441 442 Since these packages are able to be run at build-time, they are added to the `PATH`, as described above. But since these packages are only guaranteed to be able to run then, they shouldn’t persist as run-time dependencies. This isn’t currently enforced, but could be in the future. 443 ··· 734 735 ##### `dontAddStaticConfigureFlags` {#var-stdenv-dontAddStaticConfigureFlags} 736 737 + By default, when building statically, `stdenv` will try to add build system appropriate configure flags to try to enable static builds. 738 739 If this is undesirable, set this variable to true. 740 ··· 1529 1530 ### Hardening flags enabled by default {#sec-hardening-flags-enabled-by-default} 1531 1532 + The following flags are enabled by default and might require disabling with `hardeningDisable` if the program to be packaged is incompatible. 1533 1534 #### `format` {#format} 1535

+1 -1

doc/toolchains/llvm.chapter.md

··· 22 } 23 ``` 24 25 - Note that we set `linker` to `lld`. This is because LLVM has its own linker called "lld". By setting it, we utilize Clang and lld within this new instance of Nixpkgs. There is a shorthand method for building everything with LLVM: `pkgsLLVM`. This is easier to use with `nix-build` (or `nix build`): 26 27 ```bash 28 nix-build -A pkgsLLVM.hello

··· 22 } 23 ``` 24 25 + Note that we set `linker` to `lld`. This is because LLVM has its own linker, called "lld". By setting it, we utilize Clang and lld within this new instance of Nixpkgs. There is a shorthand method for building everything with LLVM: `pkgsLLVM`. This is easier to use with `nix-build` (or `nix build`): 26 27 ```bash 28 nix-build -A pkgsLLVM.hello

+3 -3

doc/using/configuration.chapter.md

··· 9 10 - The package's `meta.license` is set to a license which is considered to be unfree. 11 12 - - The package has known security vulnerabilities but has not or can not be updated for some reason, and a list of issues has been entered in to the package's `meta.knownVulnerabilities`. 13 14 Each of these criteria can be altered in the Nixpkgs configuration. 15 ··· 87 { allowUnfreePredicate = (pkg: false); } 88 ``` 89 90 - For a more useful example, try the following. This configuration only allows unfree packages named roon-server and visual studio code: 91 92 ```nix 93 { ··· 241 } 242 ``` 243 244 - `pathsToLink` tells Nixpkgs to only link the paths listed which gets rid of the extra stuff in the profile. `/bin` and `/share` are good defaults for a user environment, getting rid of the clutter. If you are running on Nix on MacOS, you may want to add another path as well, `/Applications`, that makes GUI apps available. 245 246 ### Getting documentation {#sec-getting-documentation} 247

··· 9 10 - The package's `meta.license` is set to a license which is considered to be unfree. 11 12 + - The package has known security vulnerabilities but has not or can not be updated for some reason, and a list of issues has been entered into the package's `meta.knownVulnerabilities`. 13 14 Each of these criteria can be altered in the Nixpkgs configuration. 15 ··· 87 { allowUnfreePredicate = (pkg: false); } 88 ``` 89 90 + For a more useful example, try the following. This configuration only allows unfree packages named roon-server and Visual Studio Code: 91 92 ```nix 93 { ··· 241 } 242 ``` 243 244 + `pathsToLink` tells Nixpkgs to only link the paths listed which gets rid of the extra stuff in the profile. `/bin` and `/share` are good defaults for a user environment, getting rid of the clutter. If you are running on Nix on macOS, you may want to add another path as well, `/Applications`, that makes GUI apps available. 245 246 ### Getting documentation {#sec-getting-documentation} 247

+2 -2

doc/using/overrides.chapter.md

··· 56 57 ## &lt;pkg&gt;.overrideAttrs {#sec-pkg-overrideAttrs} 58 59 - The function `overrideAttrs` allows overriding the attribute set passed to a `stdenv.mkDerivation` call, producing a new derivation based on the original one. This function is available on all derivations produced by the `stdenv.mkDerivation` function, which is most packages in the nixpkgs expression `pkgs`. 60 61 Example usages: 62 ··· 98 Do not use this function in Nixpkgs as it evaluates a derivation before modifying it, which breaks package abstraction. In addition, this evaluation-per-function application incurs a performance penalty, which can become a problem if many overrides are used. It is only intended for ad-hoc customisation, such as in `~/.config/nixpkgs/config.nix`. 99 ::: 100 101 - The function `overrideDerivation` creates a new derivation based on an existing one by overriding the original's attributes with the attribute set produced by the specified function. This function is available on all derivations defined using the `makeOverridable` function. Most standard derivation-producing functions, such as `stdenv.mkDerivation`, are defined using this function, which means most packages in the nixpkgs expression, `pkgs`, have this function. 102 103 Example usage: 104

··· 56 57 ## &lt;pkg&gt;.overrideAttrs {#sec-pkg-overrideAttrs} 58 59 + The function `overrideAttrs` allows overriding the attribute set passed to a `stdenv.mkDerivation` call, producing a new derivation based on the original one. This function is available on all derivations produced by the `stdenv.mkDerivation` function, which is most packages in the Nixpkgs expression `pkgs`. 60 61 Example usages: 62 ··· 98 Do not use this function in Nixpkgs as it evaluates a derivation before modifying it, which breaks package abstraction. In addition, this evaluation-per-function application incurs a performance penalty, which can become a problem if many overrides are used. It is only intended for ad-hoc customisation, such as in `~/.config/nixpkgs/config.nix`. 99 ::: 100 101 + The function `overrideDerivation` creates a new derivation based on an existing one by overriding the original's attributes with the attribute set produced by the specified function. This function is available on all derivations defined using the `makeOverridable` function. Most standard derivation-producing functions, such as `stdenv.mkDerivation`, are defined using this function, which means most packages in the Nixpkgs expression, `pkgs`, have this function. 102 103 Example usage: 104

+1 -1

nixos/doc/manual/configuration/declarative-packages.section.md

··· 35 36 Note: the `nixos` prefix tells us that we want to get the package from 37 the `nixos` channel and works only in CLI tools. In declarative 38 - configuration use `pkgs` prefix (variable). 39 40 To "uninstall" a package, remove it from 41 [](#opt-environment.systemPackages) and run `nixos-rebuild switch`.

··· 35 36 Note: the `nixos` prefix tells us that we want to get the package from 37 the `nixos` channel and works only in CLI tools. In declarative 38 + configuration, use `pkgs` prefix (variable). 39 40 To "uninstall" a package, remove it from 41 [](#opt-environment.systemPackages) and run `nixos-rebuild switch`.

+1 -1

nixos/doc/manual/configuration/kubernetes.chapter.md

··· 53 ::: {.note} 54 It is mandatory to configure: 55 [](#opt-services.kubernetes.masterAddress). 56 - The masterAddress must be resolveable and routeable by all cluster nodes. 57 In single node clusters, this can be set to `localhost`. 58 ::: 59

··· 53 ::: {.note} 54 It is mandatory to configure: 55 [](#opt-services.kubernetes.masterAddress). 56 + The masterAddress must be resolvable and routable by all cluster nodes. 57 In single node clusters, this can be set to `localhost`. 58 ::: 59

+1 -1

nixos/doc/manual/configuration/profiles.chapter.md

··· 14 Even if some of these profiles seem only useful in the context of 15 install media, many are actually intended to be used in real installs. 16 17 - What follows is a brief explanation on the purpose and use-case for each 18 profile. Detailing each option configured by each one is out of scope. 19 20 ```{=include=} sections

··· 14 Even if some of these profiles seem only useful in the context of 15 install media, many are actually intended to be used in real installs. 16 17 + What follows is a brief explanation of the purpose and use-case for each 18 profile. Detailing each option configured by each one is out of scope. 19 20 ```{=include=} sections

+3 -3

pkgs/README.md

··· 1116 ### New packages 1117 1118 New packages are a common type of pull requests. 1119 - These pull requests consists in adding a new nix-expression for a package. 1120 1121 Review process: 1122 ··· 1131 - Maintainers must be set. 1132 This can be the package submitter or a community member that accepts taking up maintainership of the package. 1133 - The `meta.mainProgram` must be set if a main executable exists. 1134 - - Ensure any special packaging choices and required context are documented in i.e. the name of a patch or in a comment. 1135 - If a special version of a package is pinned, document why, so others know if/when it can be unpinned. 1136 - If any (especially opinionated) patch or `substituteInPlace` is applied, document why. 1137 - If any non-default build flags are set, document why. ··· 1204 1205 [github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+%22Vulnerability+roundup%22) 1206 1207 - Each issue correspond to a vulnerable version of a package; As a consequence: 1208 1209 - One issue can contain several CVEs; 1210 - One CVE can be shared across several issues;

··· 1116 ### New packages 1117 1118 New packages are a common type of pull requests. 1119 + These pull requests consist in adding a new nix-expression for a package. 1120 1121 Review process: 1122 ··· 1131 - Maintainers must be set. 1132 This can be the package submitter or a community member that accepts taking up maintainership of the package. 1133 - The `meta.mainProgram` must be set if a main executable exists. 1134 + - Ensure any special packaging choices and required context are documented in, i.e., the name of a patch or in a comment. 1135 - If a special version of a package is pinned, document why, so others know if/when it can be unpinned. 1136 - If any (especially opinionated) patch or `substituteInPlace` is applied, document why. 1137 - If any non-default build flags are set, document why. ··· 1204 1205 [github.com/NixOS/nixpkgs/issues?q=is:issue+is:open+"Vulnerability+roundup"](https://github.com/NixOS/nixpkgs/issues?q=is%3Aissue+is%3Aopen+%22Vulnerability+roundup%22) 1206 1207 + Each issue corresponds to a vulnerable version of a package; as a consequence: 1208 1209 - One issue can contain several CVEs; 1210 - One CVE can be shared across several issues;

+1 -1

pkgs/applications/networking/browsers/chromium/README.md

··· 11 - `ungoogled-chromium`: A patch set for Chromium, that has its own entry in Chromium's `upstream-info.nix`. 12 - `chromedriver`: Updated via Chromium's `upstream-info.nix` and not built 13 from source. Must match Chromium's major version. 14 - - `electron-source`: Various version of electron that are built from source using Chromium's 15 `-unwrapped` derivation, due to electron being based on Chromium. 16 17 # Upstream links

··· 11 - `ungoogled-chromium`: A patch set for Chromium, that has its own entry in Chromium's `upstream-info.nix`. 12 - `chromedriver`: Updated via Chromium's `upstream-info.nix` and not built 13 from source. Must match Chromium's major version. 14 + - `electron-source`: Various versions of electron that are built from source using Chromium's 15 `-unwrapped` derivation, due to electron being based on Chromium. 16 17 # Upstream links

+1 -1

pkgs/applications/networking/cluster/k3s/README.md

··· 1 # K3s 2 3 - K3s is a simplified [Kubernetes](https://wiki.nixos.org/wiki/Kubernetes) version that bundles Kubernetes cluster components into a few small binaries optimized for Edge and IoT devices. 4 5 ## Usage 6

··· 1 # K3s 2 3 + K3s is a simplified [Kubernetes](https://wiki.nixos.org/wiki/Kubernetes) version that bundles Kubernetes cluster components into a few small binaries optimized for Edge and IoT devices. 4 5 ## Usage 6

+1 -1

pkgs/applications/networking/cluster/rke2/README.md

··· 24 Nixpkgs follows active minor version release channels (typically 4 at a time) and sets aliases for 25 `rke2_stable` and `rke2_latest` accordingly. 26 27 - Patch releases should be backported to to the latest stable release branch, however, new minor 28 versions are not backported. 29 30 For further information visit the

··· 24 Nixpkgs follows active minor version release channels (typically 4 at a time) and sets aliases for 25 `rke2_stable` and `rke2_latest` accordingly. 26 27 + Patch releases should be backported to the latest stable release branch; however, new minor 28 versions are not backported. 29 30 For further information visit the

+1 -1

pkgs/build-support/go/README.md

··· 39 40 When an end-of-life toolchain is removed, builders that pin the EOL version (according to 3.) will automatically be bumped to the then oldest pinned builder (e.g. Go 1.22 is EOL, `buildGo122Module` is bumped to `buildGo123Module`). 41 42 - If the package won't build with anymore with that builder, the package is marked broken. 43 It is the package maintainers responsibility to fix the package and get it working with a supported Go toolchain. 44 45 [1]: http://go.dev/doc/go1compat

··· 39 40 When an end-of-life toolchain is removed, builders that pin the EOL version (according to 3.) will automatically be bumped to the then oldest pinned builder (e.g. Go 1.22 is EOL, `buildGo122Module` is bumped to `buildGo123Module`). 41 42 + If the package won't build with that builder anymore, the package is marked broken. 43 It is the package maintainers responsibility to fix the package and get it working with a supported Go toolchain. 44 45 [1]: http://go.dev/doc/go1compat

+1 -1

pkgs/by-name/README.md

··· 110 111 ## Limitations 112 113 - There's some limitations as to which packages can be defined using this structure: 114 115 - Only packages defined using `pkgs.callPackage`. 116 This excludes packages defined using `pkgs.python3Packages.callPackage ...`.

··· 110 111 ## Limitations 112 113 + There are some limitations as to which packages can be defined using this structure: 114 115 - Only packages defined using `pkgs.callPackage`. 116 This excludes packages defined using `pkgs.python3Packages.callPackage ...`.

+1 -1

pkgs/by-name/az/azure-cli/README.md

··· 87 88 Check if the desired functionality was added. 89 90 - You can check if the extensions was recognized by running: 91 92 ```sh 93 ./result/bin/az extension list

··· 87 88 Check if the desired functionality was added. 89 90 + You can check if the extensions were recognized by running: 91 92 ```sh 93 ./result/bin/az extension list

+1 -1

pkgs/by-name/fr/freecad/README.md

··· 1 This package supports the following parameters: 2 3 - withWayland (default: true): when false, set QT_QPA_PLATFORM to xcb 4 - - spaceNavSupport (enabled by default on linux): whether to enable 5 [spacenavd support](https://spacenav.sourceforge.net/) 6 - ifcSupport (default: false): whether to enable ifc support through 7 ifcopenshell

··· 1 This package supports the following parameters: 2 3 - withWayland (default: true): when false, set QT_QPA_PLATFORM to xcb 4 + - spaceNavSupport (enabled by default on Linux): whether to enable 5 [spacenavd support](https://spacenav.sourceforge.net/) 6 - ifcSupport (default: false): whether to enable ifc support through 7 ifcopenshell

+1 -1

pkgs/by-name/ka/kanidm/README.md

··· 34 35 ## Remove release 36 37 - Kanidm versions are supported for 30 days after the release of new versions. Following the example above, 1.5.x superseding 1.4.x in 30 days, do the following near the end of the 30 day window 38 39 1. Update `pkgs/by-name/ka/kanidm/1_4.nix` by adding `unsupported = true;` 40 1. Update `pkgs/top-level/release.nix` and add `kanidm_1_4-1.4.6` and `kanidmWithSecretProvisioning_1_4-1.4.6` to `permittedInsecurePackages`

··· 34 35 ## Remove release 36 37 + Kanidm versions are supported for 30 days after the release of new versions. Following the example above, 1.5.x superseding 1.4.x in 30 days, do the following near the end of the 30-day window 38 39 1. Update `pkgs/by-name/ka/kanidm/1_4.nix` by adding `unsupported = true;` 40 1. Update `pkgs/top-level/release.nix` and add `kanidm_1_4-1.4.6` and `kanidmWithSecretProvisioning_1_4-1.4.6` to `permittedInsecurePackages`

+5 -5

pkgs/by-name/ni/nixos-rebuild-ng/README.md

··· 7 8 The current state of `nixos-rebuild` is dire: it is one of the most critical 9 pieces of code we have in NixOS, but it has tons of issues: 10 - - The code is written in Bash, and while this by itself is not necessary bad, 11 it means that it is difficult to do refactorings due to the lack of tooling 12 for the language 13 - The code itself is a hacky mess. Changing even one line of code can cause ··· 18 builds Flakes inside a temporary directory and reads the resulting symlink 19 since the code seems to predate `--print-out-paths` flag 20 21 - Given all of those above, improvements in the `nixos-rebuild` are difficult to 22 do. A full rewrite is probably the easier way to improve the situation since 23 this can be done in a separate package that will not break anyone. So this is 24 an attempt of the rewrite. ··· 44 ``` 45 46 The command above will build, run the unit tests and linters, and also check if 47 - the code is formatted. However, sometimes is more convenient to run just a few 48 tests to debug, in this case you can run: 49 50 ```console ··· 97 please open an issue 98 - We do some additional validation of flags, like exiting with an error when 99 `--build-host` or `--target-host` is used with `repl`, since the user could 100 - assume that the `repl` would be run remotely while it always run the local 101 machine. `nixos-rebuild` silently ignored those flags, so this 102 [may cause some issues](https://github.com/NixOS/nixpkgs/pull/363922) for 103 wrappers ··· 108 may be difficult to fix, so right now I only recommend using 109 `nixos-rebuild-ng` if you are testing in a VM or in a filesystem with 110 snapshots like BTRFS or ZFS. Those bugs are unlikely to be unfixable but the 111 - errors can be difficult to understand. If you want to go anyway, 112 `nix-collect-garbage -d` and `nix store repair` are your friends 113 114 ## TODON'T

··· 7 8 The current state of `nixos-rebuild` is dire: it is one of the most critical 9 pieces of code we have in NixOS, but it has tons of issues: 10 + - The code is written in Bash, and while this by itself is not necessarily bad, 11 it means that it is difficult to do refactorings due to the lack of tooling 12 for the language 13 - The code itself is a hacky mess. Changing even one line of code can cause ··· 18 builds Flakes inside a temporary directory and reads the resulting symlink 19 since the code seems to predate `--print-out-paths` flag 20 21 + Given all of the above, improvements in the `nixos-rebuild` are difficult to 22 do. A full rewrite is probably the easier way to improve the situation since 23 this can be done in a separate package that will not break anyone. So this is 24 an attempt of the rewrite. ··· 44 ``` 45 46 The command above will build, run the unit tests and linters, and also check if 47 + the code is formatted. However, sometimes it's more convenient to run just a few 48 tests to debug, in this case you can run: 49 50 ```console ··· 97 please open an issue 98 - We do some additional validation of flags, like exiting with an error when 99 `--build-host` or `--target-host` is used with `repl`, since the user could 100 + assume that the `repl` would be run remotely while it always runs the local 101 machine. `nixos-rebuild` silently ignored those flags, so this 102 [may cause some issues](https://github.com/NixOS/nixpkgs/pull/363922) for 103 wrappers ··· 108 may be difficult to fix, so right now I only recommend using 109 `nixos-rebuild-ng` if you are testing in a VM or in a filesystem with 110 snapshots like BTRFS or ZFS. Those bugs are unlikely to be unfixable but the 111 + errors can be difficult to understand. If you want to go on, 112 `nix-collect-garbage -d` and `nix store repair` are your friends 113 114 ## TODON'T

+1 -1

pkgs/by-name/ni/nixos-render-docs/README.md

··· 40 - It would also require keeping an impure or otherwise continuously updated reference to those other revisions. 41 - The static mapping acts like a semi-automatically updated cache that we drag along with version history. 42 - Other setups, such as a dedicated service to cache a history of moved content, are more complicated and would still be impure. 43 - - Checking in large amounts of data that is touched often, bears a risk of more merge conflicts or related build failures. 44 45 The solution picked here is to have a static mapping of the historical locations checked into the Git tree, such that it can be read during the build process. 46 This also ensures that an improper redirect mapping will cause `nixos-render-docs` to fail the build and thus enforce that redirects stay up-to-date with every commit.

··· 40 - It would also require keeping an impure or otherwise continuously updated reference to those other revisions. 41 - The static mapping acts like a semi-automatically updated cache that we drag along with version history. 42 - Other setups, such as a dedicated service to cache a history of moved content, are more complicated and would still be impure. 43 + - Checking in large amounts of data that is touched often bears a risk of more merge conflicts or related build failures. 44 45 The solution picked here is to have a static mapping of the historical locations checked into the Git tree, such that it can be read during the build process. 46 This also ensures that an improper redirect mapping will cause `nixos-render-docs` to fail the build and thus enforce that redirects stay up-to-date with every commit.

+1 -1

pkgs/by-name/sw/switch-to-configuration-ng/README.md

··· 1 # switch-to-configuration-ng 2 3 - This program implements the switching/updating of NixOS systems. It starts with the exising running configuration at `/run/current-system` and handles the migration to a new configuration, built from a NixOS configuration's `config.system.build.toplevel` derivation. 4 5 For more information on what happens during a switch, see [what-happens-during-a-system-switch](../../../../nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md). 6

··· 1 # switch-to-configuration-ng 2 3 + This program implements the switching/updating of NixOS systems. It starts with the existing running configuration at `/run/current-system` and handles the migration to a new configuration, built from a NixOS configuration's `config.system.build.toplevel` derivation. 4 5 For more information on what happens during a switch, see [what-happens-during-a-system-switch](../../../../nixos/doc/manual/development/what-happens-during-a-system-switch.chapter.md). 6

+1 -1

pkgs/development/compilers/elm/README.md

··· 12 (versions.dat). 13 14 The makeDotElm function lets us retrieve these dependencies in the 15 - standard nix way. we have to copy them in (rather than symlink) and 16 make them writable because the elm compiler writes other .dat files 17 alongside the source code. versions.dat was produced during an 18 impure build of this same code; the build complains that it can't

··· 12 (versions.dat). 13 14 The makeDotElm function lets us retrieve these dependencies in the 15 + standard nix way. We have to copy them in (rather than symlink) and 16 make them writable because the elm compiler writes other .dat files 17 alongside the source code. versions.dat was produced during an 18 impure build of this same code; the build complains that it can't

+1 -1

pkgs/development/compilers/julia/README.md

··· 9 [julia]: https://julialang.org 10 11 For Nixpkgs, the manual is as always your primary reference, and for the Julia 12 - side of things you probably want to familiarise yourself with the [README 13 ][readme], [build instructions][build], and [release process][release_process]. 14 Remember that these can change between Julia releases, especially if the LTS and 15 release branches have deviated greatly. A lot of the build process is

··· 9 [julia]: https://julialang.org 10 11 For Nixpkgs, the manual is as always your primary reference, and for the Julia 12 + side of things, you probably want to familiarise yourself with the [README 13 ][readme], [build instructions][build], and [release process][release_process]. 14 Remember that these can change between Julia releases, especially if the LTS and 15 release branches have deviated greatly. A lot of the build process is

+3 -3

pkgs/development/compilers/llvm/README.md

··· 2 3 - Run `update-git.py`. 4 This will set the github revision and sha256 for `llvmPackages_git.llvm` to whatever the latest chromium build is using. 5 - For a more recent, commit run `nix-prefetch-github` and change the rev and sha256 accordingly. 6 7 - That was the easy part. 8 The hard part is updating the patch files. ··· 50 which can be an easily missed reason for failures. 51 For cases where the hunk is no longer needed you can simply remove it from the patch. 52 53 - This is fine for small corrections, but when more serious changes are needed its better to use git. 54 55 1. Clone the LLVM monorepo at https://github.com/llvm/llvm-project/ 56 ··· 68 69 Use CMake's [`GNUInstallDirs`](https://cmake.org/cmake/help/latest/module/GNUInstallDirs.html) to support multiple outputs. 70 71 - Previously, LLVM Just hard-coded `bin`, `include`, and `lib${LLVM_TARGET_PREFIX}`. 72 We are making it use these variables. 73 74 For the older LLVM versions, these patches live in https://github.com/Ericson2314/llvm-project branches `split-prefix`.

··· 2 3 - Run `update-git.py`. 4 This will set the github revision and sha256 for `llvmPackages_git.llvm` to whatever the latest chromium build is using. 5 + For a more recent commit, run `nix-prefetch-github` and change the rev and sha256 accordingly. 6 7 - That was the easy part. 8 The hard part is updating the patch files. ··· 50 which can be an easily missed reason for failures. 51 For cases where the hunk is no longer needed you can simply remove it from the patch. 52 53 + This is fine for small corrections, but when more serious changes are needed, it's better to use git. 54 55 1. Clone the LLVM monorepo at https://github.com/llvm/llvm-project/ 56 ··· 68 69 Use CMake's [`GNUInstallDirs`](https://cmake.org/cmake/help/latest/module/GNUInstallDirs.html) to support multiple outputs. 70 71 + Previously, LLVM just hard-coded `bin`, `include`, and `lib${LLVM_TARGET_PREFIX}`. 72 We are making it use these variables. 73 74 For the older LLVM versions, these patches live in https://github.com/Ericson2314/llvm-project branches `split-prefix`.

+9 -9

pkgs/development/cuda-modules/README.md

··· 1 - # Cuda modules 2 3 > [!NOTE] 4 > This document is meant to help CUDA maintainers understand the structure of ··· 43 44 ## Distinguished packages 45 46 - ### Cuda compatibility 47 48 - [Cuda Compatibility](https://docs.nvidia.com/deploy/cuda-compatibility/), 49 available as `cudaPackages.cuda_compat`, is a component which makes it possible 50 to run applications built against a newer CUDA toolkit (for example CUDA 12) on 51 a machine with an older CUDA driver (for example CUDA 11), which isn't possible 52 - out of the box. At the time of writing, Cuda Compatibility is only available on 53 the Nvidia Jetson architecture, but Nvidia might release support for more 54 architectures in the future. 55 56 - As Cuda Compatibility strictly increases the range of supported applications, we 57 try our best to enable it by default on supported platforms. 58 59 #### Functioning ··· 64 `cuda_compat` isn't a complete drop-in replacement for the driver (and that's 65 the point, otherwise, it would just be a newer driver). 66 67 - Nvidia's recommendation is to set `LD_LIBRARY_PATH` to points to `cuda_compat`'s 68 driver. This is fine for a manual, one-shot usage, but in general setting 69 `LD_LIBRARY_PATH` is a red flag. This is global state which short-circuits most 70 - of other dynamic libraries resolution mechanisms and can break things in 71 non-obvious ways, especially with other Nix-built software. 72 73 - #### Cuda compat with Nix 74 75 Since `cuda_compat` is a known derivation, the easy way to do this in Nix would 76 be to add `cuda_compat` as a dependency of CUDA libraries and applications and 77 - let Nix does its magic by filling the `DT_RUNPATH` fields. However, 78 `cuda_compat` itself depends on `libnvrm_mem` and `libnvrm_gpu` which are loaded 79 dynamically at runtime from `/run/opengl-driver`. This doesn't please the Nix 80 sandbox when building, which can't find those (a second minor issue is that

··· 1 + # CUDA Modules 2 3 > [!NOTE] 4 > This document is meant to help CUDA maintainers understand the structure of ··· 43 44 ## Distinguished packages 45 46 + ### CUDA Compatibility 47 48 + [CUDA Compatibility](https://docs.nvidia.com/deploy/cuda-compatibility/), 49 available as `cudaPackages.cuda_compat`, is a component which makes it possible 50 to run applications built against a newer CUDA toolkit (for example CUDA 12) on 51 a machine with an older CUDA driver (for example CUDA 11), which isn't possible 52 + out of the box. At the time of writing, CUDA Compatibility is only available on 53 the Nvidia Jetson architecture, but Nvidia might release support for more 54 architectures in the future. 55 56 + As CUDA Compatibility strictly increases the range of supported applications, we 57 try our best to enable it by default on supported platforms. 58 59 #### Functioning ··· 64 `cuda_compat` isn't a complete drop-in replacement for the driver (and that's 65 the point, otherwise, it would just be a newer driver). 66 67 + Nvidia's recommendation is to set `LD_LIBRARY_PATH` to point to `cuda_compat`'s 68 driver. This is fine for a manual, one-shot usage, but in general setting 69 `LD_LIBRARY_PATH` is a red flag. This is global state which short-circuits most 70 + of other dynamic library resolution mechanisms and can break things in 71 non-obvious ways, especially with other Nix-built software. 72 73 + #### CUDA Compat with Nix 74 75 Since `cuda_compat` is a known derivation, the easy way to do this in Nix would 76 be to add `cuda_compat` as a dependency of CUDA libraries and applications and 77 + let Nix do its magic by filling the `DT_RUNPATH` fields. However, 78 `cuda_compat` itself depends on `libnvrm_mem` and `libnvrm_gpu` which are loaded 79 dynamically at runtime from `/run/opengl-driver`. This doesn't please the Nix 80 sandbox when building, which can't find those (a second minor issue is that

+1 -1

pkgs/development/mobile/androidenv/README.md

··· 4 5 # How to run tests 6 7 - You may need to make yourself familiar with [package tests](../../../README.md#package-tests), and [Writing larger package tests](../../../README.md#writing-larger-package-tests), then run tests locally with: 8 9 ```shell 10 $ export NIXPKGS_ALLOW_UNFREE=1

··· 4 5 # How to run tests 6 7 + You may need to make yourself familiar with [package tests](../../../README.md#package-tests) and [Writing larger package tests](../../../README.md#writing-larger-package-tests), then run tests locally with: 8 9 ```shell 10 $ export NIXPKGS_ALLOW_UNFREE=1

+8 -8

pkgs/development/tools/build-managers/gradle/README.md

··· 3 ## Introduction 4 5 Gradle build scripts are written in a DSL, computing the list of Gradle 6 - dependencies is a turing-complete task, not just in theory but in 7 practice. Fetching all of the dependencies often requires building some 8 native code, running some commands to check the host platform, or just 9 fetching some files using either JVM code or commands like `curl` or ··· 22 Obviously, this is horrible for reproducibility. Additionally, Gradle 23 doesn't offer a way to export the list of dependency URLs and hashes (it 24 does in a way, but it's far from being complete, and as such is useless 25 - for nixpkgs). Even if did, it would be annoying to use considering 26 fetching non-Gradle dependencies in Gradle scripts is commonplace. 27 28 That's why the setup hook uses mitm-cache, a program designed for ··· 89 and finally download `b.jar.sha1`, locate it in its cache, and then 90 *not* download `b.jar`. This means `b.jar` won't be stored in the MITM 91 cache. Then, consider that on a later invocation, the fetching order 92 - changed, whether it was because of a running on different system, 93 changed behavior after a Gradle update, or any other source of 94 nondeterminism - `b.jar` is fetched before `a.jar`. Gradle will first 95 fetch `b.jar.sha1`, not find it in its cache, attempt to fetch `b.jar`, ··· 103 via CLI arguments. 104 105 **Caveat**: Gradle .module files also contain file hashes, in md5, sha1, 106 - sha256, sha512 formats. It posed no problem as of yet, but it might in 107 the future. If it does pose problems, the deps derivation code can be 108 extended to find all checksums in .module files and copy existing files 109 there if their hash matches. ··· 173 The mitm-cache lockfile format is described in the [mitm-cache 174 README](https://github.com/chayleaf/mitm-cache#readme). 175 176 - The nixpkgs Gradle lockfile format is more complicated: 177 178 ```json 179 { 180 - "!comment": "This is a nixpkgs Gradle dependency lockfile. For more details, refer to the Gradle section in the nixpkgs manual.", 181 "!version": 1, 182 "https://oss.sonatype.org/content/repositories/snapshots/com/badlogicgames/gdx-controllers": { 183 "gdx-controllers#gdx-controllers-core/2.2.4-20231021.200112-6/SNAPSHOT": { ··· 223 discern where the repo base ends and the group ID begins). 224 225 `compress-deps-json.py` converts the JSON from mitm-cache format into 226 - nixpkgs Gradle lockfile format. `fetch.nix` does the opposite. 227 228 ## Security Considerations 229 ··· 242 doesn't match) 243 244 Please be mindful of the above when working on Gradle support for 245 - nixpkgs.

··· 3 ## Introduction 4 5 Gradle build scripts are written in a DSL, computing the list of Gradle 6 + dependencies is a Turing-complete task, not just in theory but also in 7 practice. Fetching all of the dependencies often requires building some 8 native code, running some commands to check the host platform, or just 9 fetching some files using either JVM code or commands like `curl` or ··· 22 Obviously, this is horrible for reproducibility. Additionally, Gradle 23 doesn't offer a way to export the list of dependency URLs and hashes (it 24 does in a way, but it's far from being complete, and as such is useless 25 + for Nixpkgs). Even if it did, it would be annoying to use considering 26 fetching non-Gradle dependencies in Gradle scripts is commonplace. 27 28 That's why the setup hook uses mitm-cache, a program designed for ··· 89 and finally download `b.jar.sha1`, locate it in its cache, and then 90 *not* download `b.jar`. This means `b.jar` won't be stored in the MITM 91 cache. Then, consider that on a later invocation, the fetching order 92 + changed, whether it was because of running on a different system, 93 changed behavior after a Gradle update, or any other source of 94 nondeterminism - `b.jar` is fetched before `a.jar`. Gradle will first 95 fetch `b.jar.sha1`, not find it in its cache, attempt to fetch `b.jar`, ··· 103 via CLI arguments. 104 105 **Caveat**: Gradle .module files also contain file hashes, in md5, sha1, 106 + sha256, sha512 formats. It has posed no problem as of yet, but it might in 107 the future. If it does pose problems, the deps derivation code can be 108 extended to find all checksums in .module files and copy existing files 109 there if their hash matches. ··· 173 The mitm-cache lockfile format is described in the [mitm-cache 174 README](https://github.com/chayleaf/mitm-cache#readme). 175 176 + The Nixpkgs Gradle lockfile format is more complicated: 177 178 ```json 179 { 180 + "!comment": "This is a Nixpkgs Gradle dependency lockfile. For more details, refer to the Gradle section in the Nixpkgs manual.", 181 "!version": 1, 182 "https://oss.sonatype.org/content/repositories/snapshots/com/badlogicgames/gdx-controllers": { 183 "gdx-controllers#gdx-controllers-core/2.2.4-20231021.200112-6/SNAPSHOT": { ··· 223 discern where the repo base ends and the group ID begins). 224 225 `compress-deps-json.py` converts the JSON from mitm-cache format into 226 + Nixpkgs Gradle lockfile format. `fetch.nix` does the opposite. 227 228 ## Security Considerations 229 ··· 242 doesn't match) 243 244 Please be mindful of the above when working on Gradle support for 245 + Nixpkgs.

+1 -1

pkgs/stdenv/darwin/README.md

··· 15 There are effectively two steps when updating the standard environment: 16 17 1. Update the definition of llvmPackages in `all-packages.nix` for Darwin to match the value of 18 - llvmPackages.latest in `all-packages.nix`. Timing-wise, this done currently using the spring 19 release of LLVM and once llvmPackages.latest has been updated to match. If the LLVM project 20 has announced a release schedule of patch updates, wait until those are in nixpkgs. Otherwise, 21 the LLVM updates will have to go through staging instead of being merged into master; and

··· 15 There are effectively two steps when updating the standard environment: 16 17 1. Update the definition of llvmPackages in `all-packages.nix` for Darwin to match the value of 18 + llvmPackages.latest in `all-packages.nix`. Timing-wise, this is done currently using the spring 19 release of LLVM and once llvmPackages.latest has been updated to match. If the LLVM project 20 has announced a release schedule of patch updates, wait until those are in nixpkgs. Otherwise, 21 the LLVM updates will have to go through staging instead of being merged into master; and

+1 -1

pkgs/tools/package-management/nix/README.md

··· 32 33 If you're updating `nixVersions.stable`, follow all the steps mentioned above, but use the **staging** branch for your pull request (or **staging-next** after coordinating with the people in matrix `#staging:nixos.org`) 34 This is necessary because, at the end of the staging-next cycle, the NixOS tests are built through the [staging-next-small](https://hydra.nixos.org/jobset/nixos/staging-next-small) jobset. 35 - Especially nixos installer test are important to look at here. 36 37 There is a script to update minor versions: 38

··· 32 33 If you're updating `nixVersions.stable`, follow all the steps mentioned above, but use the **staging** branch for your pull request (or **staging-next** after coordinating with the people in matrix `#staging:nixos.org`) 34 This is necessary because, at the end of the staging-next cycle, the NixOS tests are built through the [staging-next-small](https://hydra.nixos.org/jobset/nixos/staging-next-small) jobset. 35 + Especially NixOS installer tests are important to look at here. 36 37 There is a script to update minor versions: 38

+1 -1

pkgs/tools/package-management/nix/modular/README.md

··· 13 14 ### `workDir` attribute 15 16 - The Nixpkgs for Nix does inherit the `workDir` attribute that determines the location of the subproject to build. 17 It is compared to this directory to produce the correct relative path, similar to upstream.

··· 13 14 ### `workDir` attribute 15 16 + The Nixpkgs for Nix inherits the `workDir` attribute that determines the location of the subproject to build. 17 It is compared to this directory to produce the correct relative path, similar to upstream.