How to create a custom nixpkg for a Haskell application
December 17, 2017
Package a custom Haskell application as a nix package to simplify and automate both deploys and rollbacks.
Every nix package is immutable and identified (at least in part) by a hash:
The inputs used to compute the hash are all attributes of the derivation … These typically include the sources, the build commands, the compilers used by the build, library dependencies, and so on. This is recursive: for instance, the sources of the compiler also affect the hash.
This makes deploys and rollbacks safe to automate. Instead of a
deploy that overwrites the “global variable”
/usr/local/bin/eventarelli-api with a new executable, nix overwrites
it with a symlink that points to the newly-built and immutable
executable in /nix/store. A rollback points the symlink to the
previous version.
Steps
Software used for this HOWTO:
- nix-build (Nix) 1.11.15
- nix channel https://nixos.org/channels/nixpkgs-17.09-darwin
Step 1: Install nixpkgs
- Follow steps at https://nixos.org/nix/download.html
- Add 17.09 channel to your user environment:
OSX:
$ nix-channel add https://nixos.org/channels/nixpkgs-17.09-darwin
GNU/Linux:
$ nix-channel add https://nixos.org/channels/nixpkgs-17.09
Step 2: Install cabal2nix
$ nix-env -i cabal2nix
installing ‘cabal2nix-2.6’
these paths will be fetched (0.00 MiB download, 0.00 MiB unpacked):
/nix/store/5qsfk8sm53bkzb29mdj0z92hzdpl955h-cabal2nix-2.6-doc
fetching path ‘/nix/store/5qsfk8sm53bkzb29mdj0z92hzdpl955h-cabal2nix-2.6-doc’…
*** Downloading ‘https://cache.nixos.org/nar/0zw5lhqzz21cyf7l6cs211alv211ykngjx11ngk0y8yd37gr0ih9.nar.xz’ (signed by ‘cache.nixos.org-1’) to ‘/nix/store/5qsfk8sm53bkzb29mdj0z92hzdpl955h-cabal2nix-2.6-doc’…
…
building path(s) ‘/nix/store/33jqmv0asmxk3sy84f5h86fikm95l9yj-user-environment’
created 251 symlinks in user environment
$
Step 3: Generate nix expressions for the package.
This step is taken directly from section 9.5.3 How to create Nix builds for your own private Haskell packages of the Nixpkgs Contributors Guide (Version 17.09.2378.af7e47921c4).
Convert dependencies in cabal file to a nix expression:
$ cabal2nix . > eventarelli-api.nix
$ cat eventarelli-api.nix
{ mkDerivation, aeson, base, bytestring, data-default-class, hspec
, http-types, mime-types, monad-control, mtl, mustache, QuickCheck
, random, scotty, sqlite-simple, stdenv, tagsoup, text, time
, timezone-olson, timezone-series, utf8-string, wai, wai-extra
, warp, warp-tls
}:
mkDerivation {
pname = "eventarelli-api";
version = "1.1.0";
src = ./.;
isLibrary = true;
isExecutable = true;
libraryHaskellDepends = [
aeson base bytestring mustache sqlite-simple tagsoup text time
timezone-olson timezone-series utf8-string
];
executableHaskellDepends = [
aeson base bytestring data-default-class http-types mime-types
monad-control mtl mustache random scotty sqlite-simple text time
timezone-olson timezone-series utf8-string wai wai-extra warp
warp-tls
];
testHaskellDepends = [
base hspec mtl QuickCheck sqlite-simple time timezone-olson
timezone-series
];
description = "Backend for Eventarelli web site";
license = stdenv.lib.licenses.unfree;
}
$
$ cat > default.nix
{ nixpkgs ? import {}, compiler ? "ghc802" }:
nixpkgs.pkgs.haskell.packages.${compiler}.callPackage ./eventarelli-api.nix { }
$
$
$ cat > shell.nix
{ nixpkgs ? import {}, compiler ? "ghc802" }:
(import ./default.nix { inherit nixpkgs compiler; }).env
$
Step 4: Build the package
Per nixpkgs manual, we are ready to build:
At this point, you can run nix-build to have Nix compile your project and install it into a Nix store path. The local directory will contain a symlink called result after nix-build returns that points into that location.
$ export NIX_PATH=nixpkgs=/Users/mark/.nix-defexpr/channels/nixpkgs-17.09-darwin
$ nix-build
error: Package ‘eventarelli-api-1.1.0’ in /Users/mark/src/mycode/eventarelli/eventarelli/api/eventarelli-api.nix:8 has an unfree license (‘unfree’), refusing to evaluate.
a) For ‘nixos-rebuild‘ you can set
{ nixpkgs.config.allowUnfree = true; }
in configuration.nix to override this.
b) For ‘nix-env‘, ‘nix-build‘, ‘nix-shell‘ or any other Nix command you can add
{ allowUnfree = true; }
to ~/.config/nixpkgs/config.nix.
$ find $HOME -maxdepth 2 -type f | grep config.nix
/Users/mark/.nixpkgs/config.nix
$ vi /Users/mark/.nixpkgs/config.nix
$ cat /Users/mark/.nixpkgs/config.nix
{
allowBroken = true;
pkgs = {
vim = {
python = true;
};
};
allowUnfree = true;
}
$ nix-build
these derivations will be built:
/nix/store/74wxmnrac9d777h5asj6fpvv5hkis7sb-remove-references-to.drv
/nix/store/5kwhv5qn0qq9bjn4agqw51pmy1nsckgg-eventarelli-api-1.1.0.drv
these paths will be fetched (264.60 MiB download, 2159.94 MiB unpacked):
/nix/store/009s1l4g2f3cc9ndb27j5inplry6xd6r-async-2.1.1.1-doc
/nix/store/06mi088axz39hn09llyciciwm9wf6ri5-regex-posix-0.95.2-doc
/nix/store/0bg4sdpkngwfpyrqq55jjkmd3k8s9qb6-libyaml-0.1.7
…
Creating package registration file:
/nix/store/4asrshpg52rh9dnrissailjs4xwyl9x1-eventarelli-api-1.1.0/lib/ghc-8.0.2/package.conf.d/eventarelli-api-1.1.0.conf
post-installation fix up
stripping (with flags -S) in /nix/store/4asrshpg52rh9dnrissailjs4xwyl9x1-eventarelli-api-1.1.0/lib /nix/store/4asrshpg52rh9dnrissailjs4xwyl9x1-eventarelli-api-1.1.0/bin
patching script interpreter paths in /nix/store/4asrshpg52rh9dnrissailjs4xwyl9x1-eventarelli-api-1.1.0
patching script interpreter paths in /nix/store/ghvid80b6q5hygh4a6sav2fm7lmvamwr-eventarelli-api-1.1.0-doc
/nix/store/4asrshpg52rh9dnrissailjs4xwyl9x1-eventarelli-api-1.1.0
$
Step 5: Install the package
Immutability:
$ rm -rf result
$ stack clean
$ nix-build
/nix/store/4asrshpg52rh9dnrissailjs4xwyl9x1-eventarelli-api-1.1.0
$
Note that if we hadn’t deleted the result directory,
we would have rebuild a different hash (i.e., another version of
the application) nix expression generated by cabal2nix
has the line src=./.;.
Ok, let’s install it:
$ rm result
$ nix-env -f default.nix -i eventarelli-api
installing ‘eventarelli-api-1.1.0’
building path(s) ‘/nix/store/qzhcw2ypa4h1ll62qf3d77ivgbgk7gha-user-environment’
created 259 symlinks in user environment
$
And run it:
$ eventarelli-api
eventarelli-api: error: export ELMARELLI_TEMPLATES=
CallStack (from HasCallStack):
error, called at src/Main.hs:78:16 in main:Main
$
Poking around
Where is executable?
$ which eventarelli-api
/Users/mark/.nix-profile/bin/eventarelli-api
$ ls -l $(which eventarelli-api)
lrwxr-xr-x 1 root wheel 85 Dec 31 1969 /Users/mark/.nix-profile/bin/eventarelli-api -> /nix/store/4asrshpg52rh9dnrissailjs4xwyl9x1-eventarelli-api-1.1.0/bin/eventarelli-api
$
What is in /nix/store for the app?
$ tree -d -L 3 /nix/store/4asrshpg52rh9dnrissailjs4xwyl9x1-eventarelli-api-1.1.0/
/nix/store/4asrshpg52rh9dnrissailjs4xwyl9x1-eventarelli-api-1.1.0/
├── bin
├── lib
│ ├── ghc-8.0.2
│ │ ├── eventarelli-api-1.1.0
│ │ ├── package.conf.d
│ │ └── x86_64-osx-ghc-8.0.2
│ └── links
└── nix-support
Lots of stuff! In fact: du -sh says 7.4M of stuff in 39 different files.
The ghc-8.0.2 directory holds outputs from ghc. This makes up 37 of the files.
$ tree /nix/store/4asrshpg52rh9dnrissailjs4xwyl9x1-eventarelli-api-1.1.0/lib/ghc-8.0.2 | head
/nix/store/4asrshpg52rh9dnrissailjs4xwyl9x1-eventarelli-api-1.1.0/lib/ghc-8.0.2
├── eventarelli-api-1.1.0
│ ├── Aggregates
│ │ ├── Fan.dyn_hi
│ │ ├── Fan.hi
│ │ ├── Schedule.dyn_hi
│ │ ├── Schedule.hi
│ │ ├── Venue.dyn_hi
│ │ └── Venue.hi
│ ├── Commands.dyn_hi
The lib/links directory holds a ton of symbolic links (149 to be exact).
$ ls -l |head -2 | tail -1
lrwxr-xr-x 1 root wheel 149 Dec 31 1969 libHSHUnit-1.5.0.0-DvjF79OHhCC7SzfeEty4OI-ghc8.0.2.dylib -> /nix/store/7r29b8b1xf7h6pfxh0r1b2n5grg9bm0d-HUnit-1.5.0.0/lib/ghc-8.0.2/x86_64-osx-ghc-8.0.2/libHSHUnit-1.5.0.0-DvjF79OHhCC7SzfeEty4OI-ghc8.0.2.dylib
$
My app depends on HUnit, and the version it uses is /nix/store/7r29b8b1xf7h6pfxh0r1b2n5grg9bm0d-HUnit-1.5.0.0.
If this dependency was upgraded, it would be a different immutable package and my application hash would be different. But my the previous
version of my app would still be there under /nix/store.
Notes
Haskell nix-build: lints and generates Haddock documentation
By default, the nix build produces both hlint output as well as documentation. I had never bothered to look at those with stack build, and it was a pleasant surprise to see that output from the build.
Nix: this post just scratches the surface of what nix can do
The original nixos paper from 2010 is good read and explains the step from nixpkgs to nixos. You can find it at https://nixos.org/~eelco/pubs/nixos-jfp-final.pdf.
There’s lots more interesting stuff with nix. For example,
- nix-shell: configure a shell with a different set of installed packages than your user environment. One for python 2.7 and another for python 3.0 for example.
- nixos: takes immutable-packages concepts and extends it to declaratively configure users, daemon configuration, and daemon’s that run at system startup. As with packages, this configuration is immutable and you can rollback to a previous configuration.
- nixops: one more step up in abstraction; declaratively configure a system (or systems) and deploy that configuration to
a hosting providerthe cloud; supports:- Amazon EC2 instances and other resources (such as S3 buckets, EC2 key pairs, elastic IPs, etc.)
- Google Cloud Engine instances and other resources (such as networks, firewalls, IPs, disks, etc.)
- Azure resources
- VirtualBox virtual machines Note: I could not get the VirtualBox deploy to work on OSX.
- Datadog resources
- Hetzner machines
- NixOS containers
- Any machine already running NixOS.
What not to do with nix!
As always, this blog does not document all the mistakes I made along the way; it flows from one successful step to the next. Of course, the real world is not like that.
One of the biggest mistakes I made was to manually delete some
directories under /nix/store.
Don’t do that.
Nix stores a database of packages that have been used, and although I can grep with the best of them, I could not find where it was keeping a reference to the hash I had deleted from the store.
So I popped on #nixos channel and learned the right way to delete
packages is to use nix’s garbage collection, available with the
nix-store --gc command.
It works like this:
- it only deletes unused packages
- a package is used if a profile refers to it
You can list what profiles nix-store uses by
$ nix-store --gc --print-roots
/Users/mark/src/mycode/eventarelli/eventarelli-deploy/elmarelli-api/result -> /nix/store/z8iikvbgxclxfa213h5p32ph8qk8dlci-elmarelli-api-1.1.0
/nix/var/nix/profiles/default-1-link -> /nix/store/asgx51wzbswgg1j506pg7sq4jyclv0qn-user-environment
/nix/var/nix/profiles/default-2-link -> /nix/store/4yj1xa5dbdy1ccdhnqpma16hfi6aly10-user-environment
/nix/var/nix/profiles/per-user/mark/channels-1-link -> /nix/store/p4y8j01s28xy9z8yqschnwl0gnkbvyql-user-environment
/nix/var/nix/profiles/per-user/mark/channels-2-link -> /nix/store/cfdi9c63z5c82k002xjb937f4gl3mnv7-user-environment
/nix/var/nix/profiles/per-user/mark/profile-1-link -> /nix/store/a8jn4axpj24sa43zmi1f9gc1g9in0jr1-user-environment
/nix/var/nix/profiles/per-user/mark/profile-10-link -> /nix/store/b54m0gp0dp5n5xdai0vh570rd98q06k9-user-environment
/nix/var/nix/profiles/per-user/mark/profile-11-link -> /nix/store/mrj4nb5nsp3lvijiazccp73mjzjn3ffy-user-environment
/nix/var/nix/profiles/per-user/mark/profile-12-link -> /nix/store/qzhcw2ypa4h1ll62qf3d77ivgbgk7gha-user-environment
/nix/var/nix/profiles/per-user/mark/profile-13-link -> /nix/store/mrj4nb5nsp3lvijiazccp73mjzjn3ffy-user-environment
/nix/var/nix/profiles/per-user/mark/profile-2-link -> /nix/store/wv3qbp2jhxi21wgfz8bjir37hwydkm2k-user-environment
/nix/var/nix/profiles/per-user/mark/profile-3-link -> /nix/store/kli1w7b79j4rwc1rdbrrlnw9lcm0jhpi-user-environment
/nix/var/nix/profiles/per-user/mark/profile-4-link -> /nix/store/9i0i0j8lxc4541i09njhzfzbdmcck4fq-user-environment
/nix/var/nix/profiles/per-user/mark/profile-5-link -> /nix/store/nkq331785flvbydry3f66j9l69qz9yyf-user-environment
/nix/var/nix/profiles/per-user/mark/profile-6-link -> /nix/store/wvm0s8qv3a76kr44qxgn49v6n5df2sda-user-environment
/nix/var/nix/profiles/per-user/mark/profile-7-link -> /nix/store/33jqmv0asmxk3sy84f5h86fikm95l9yj-user-environment
/nix/var/nix/profiles/per-user/mark/profile-8-link -> /nix/store/6j9kadfschyvsqxnkx4x7k575wvqdqiv-user-environment
/nix/var/nix/profiles/per-user/mark/profile-9-link -> /nix/store/xmz347y7r53hz2j8v8gx1ayipl0481cs-user-environment
/nix/var/nix/profiles/per-user/root/channels-1-link -> /nix/store/y9bzakg6jiac6nz6z79njcyqwfy1cjp9-user-environment
/nix/var/nix/profiles/per-user/root/channels-2-link -> /nix/store/p4y8j01s28xy9z8yqschnwl0gnkbvyql-user-environment
$
This is getting into the innards of how nix works; every time you change your list of installed packages, nix generates a new profile for your user.
To garbage collect a package, you must delete any profile that refers to that package. You can either do this manually; for example,
$ rm /nix/var/nix/profiles/per-user/mark/profile-8-link
or use the nix-collect-garbage utility; for example:
$ nix-collect-garbage --delete-older-than 30d
removing old generations of profile /nix/var/nix/profiles/per-user/mark/profile
removing generation 3
removing generation 2
removing generation 1
removing old generations of profile /nix/var/nix/profiles/per-user/mark/channels
finding garbage collector roots…
deleting garbage…
deleting ‘/nix/store/f9hcj6p17kxx1rd3p4979ky3y85zc30y-user-environment.drv’
deleting ‘/nix/store/kli1w7b79j4rwc1rdbrrlnw9lcm0jhpi-user-environment’
deleting ‘/nix/store/y6vkk87yg28rx8mmvafy7fz964kpn1fr-env-manifest.nix’
deleting ‘/nix/store/ssnz2ngjrz0dcaax2f5sgsm099avd4sp-user-environment.drv’
deleting ‘/nix/store/wv3qbp2jhxi21wgfz8bjir37hwydkm2k-user-environment’
deleting ‘/nix/store/hcg4wdyaj75msjdl90zv3sf2jma4ir9k-user-environment.drv’
deleting ‘/nix/store/a8jn4axpj24sa43zmi1f9gc1g9in0jr1-user-environment’
deleting ‘/nix/store/4jh7mj8a7qq2ywb5cl4yprli56fjxipl-env-manifest.nix’
deleting ‘/nix/store/x316m7rgs38306sdyx7ypy4mhkcjm116-env-manifest.nix’
deleting ‘/nix/store/trash’
deleting unused links…
note: currently hard linking saves 0.00 MiB
9 store paths deleted, 0.02 MiB freed
$
Another way to fix things, which I figured out before getting on chat, was to run nix-build --repair as root.