feat: add flake.nix for Linux development and Nix packaging #2561
Flexksx wants to merge 5 commits into
Adds a Nix flake that provides:
- packages.default: moon binary built with rustPlatform.buildRustPackage, pinned to the exact Rust 1.96.0 toolchain via rust-overlay.
- devShells.default: full dev environment (rustToolchain, protobuf, openssl, just, cargo-nextest) matching what CI uses.

Targets x86_64-linux and aarch64-linux.

OPENSSL_NO_VENDOR=1 is set to avoid compiling vendored OpenSSL — reqwest's native-tls-vendored feature is present for musl targets only; on glibc Linux we rely on system openssl via pkg-config.

protobuf is added to nativeBuildInputs because crates/daemon-proto/build.rs invokes protoc via tonic-prost-build at compile time.

Also adds .github/workflows/nix.yml to keep the flake buildable on every relevant change.

Closes: helps close the version gap between nixpkgs (1.35.5) and the current release (2.3.2).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds Nix Flake-based packaging/dev shell and a GitHub Actions workflow to validate the flake and build the default package in CI.
Changes:
- Introduce `flake.nix` to build the Rust CLI via `buildRustPackage` and provide a dev shell.
- Add GitHub Actions workflow to run `nix flake check` and `nix build` on relevant changes.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| flake.nix | Defines flake inputs/outputs: Rust package build + devShell with Rust toolchain and native deps. |
| .github/workflows/nix.yml | Adds CI job to check the flake and build the default package on PRs/pushes. |
- Remove all comments
- Add installShellFiles + postInstall for bash/fish/zsh completions
- Add writableTmpDirAsHomeHook (moon accesses HOME during postInstall)
- Add RUSTFLAGS="-C strip=symbols" to match nixpkgs build flags
- Drop cargoBuildFlags; default-members in Cargo.toml already scopes to moon_cli
- Set doCheck = false; tests require internet and tool installation
- Mirror env block style from nixpkgs package.nix

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
magic-nix-cache-action requires FlakeHub registration. Use plain actions/cache on /nix/store keyed on flake.lock + Cargo.lock instead. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
| env = { | ||
| RUSTFLAGS = "-C strip=symbols"; | ||
| OPENSSL_NO_VENDOR = 1; | ||
| }; |
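Review bot: `OPENSSL_NO_VENDOR = 1;` has no comment explaining why it is set, and an earlier commit in this PR removed all comments from the file. A one-line note that it makes the build use the system OpenSSL through pkg-config instead of a vendored copy would keep a later cleanup from dropping it. It also only works if `openssl` and `pkg-config` are declared as build inputs, which this excerpt does not show, so please confirm they are.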
| }).buildRustPackage { | ||
| pname = "moon"; | ||
| version = "2.3.2"; | ||
| src = ./.; | ||
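Review bot: `version = "2.3.2";` is hard-coded, so it will drift from the crate version at the next release and the flake will report a stale version. Consider reading it from the Cargo manifest that carries the release version with `builtins.fromTOML (builtins.readFile ...)`. Separately, `src = ./.;` makes every tracked file a build input, so documentation-only changes trigger a full rebuild; a `lib.fileset` or `lib.cleanSourceWith` filter limited to the Rust sources would narrow that.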
| cargoLock.lockFile = ./Cargo.lock; | ||
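Review bot: `cargoLock.lockFile = ./Cargo.lock;` has no note that it relies on the lock file containing only registry crates. If a git-sourced dependency is added later, this line alone will no longer be enough and each such crate will need an entry under `cargoLock.outputHashes`; a short comment here would point whoever hits that failure at the fix.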
| - uses: actions/cache@v4 | ||
| with: | ||
| path: /nix/store | ||
| key: nix-${{ runner.os }}-${{ hashFiles('flake.lock', 'Cargo.lock') }} | ||
| restore-keys: nix-${{ runner.os }}- |
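Review bot: `path: /nix/store` caches the store directory without the Nix database under `/nix/var/nix`, so restored paths are not registered as valid and Nix will not treat them as already built; on a multi-user install the store is also owned by root, which makes restoring into it from the runner user unreliable. A Nix-aware cache step or a binary cache would be the better fit. If this step stays, note that the `restore-keys: nix-${{ runner.os }}-` fallback restores whatever older cache matches the prefix, and that `actions/cache@v4` is a mutable tag; pinning the action to a commit SHA is the safer form.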
@Flexksx I'm not familiar with nix, what does this do exactly? Allow people to use moon in their nix environment?
@milesj hi!
Yes, that's the biggest reason. Nix lets you package packages in a way that keeps them isolated, so I could have 2 different projects using And each project would have its own isolated I just recently stumbled across So for my project, I had to configure nix in a way that would build it from a specific, newer commit in the repo. So adding a Also having a
Merging this PR will not alter performance
Summary
- `flake.nix` exposing `packages.default` (the `moon` + `moonx` binaries) and `devShells.default` for Linux development
- `x86_64-linux` and `aarch64-linux`
- `rust-overlay` reading `rust-toolchain.toml`
- `.github/workflows/nix.yml` as a guardrail — runs `nix flake check` and `nix build` on every relevant change

Motivation
The nixpkgs derivation for moon is currently at 1.41.8, while the project is at 2.3.2. A flake shipped with the repo lets Nix users pin directly to any commit or release without waiting for a nixpkgs update:
```bash
nix run github:moonrepo/moon -- --version
nix develop github:moonrepo/moon
```
Technical notes
- `OPENSSL_NO_VENDOR = 1` — `reqwest` enables `native-tls-vendored` for musl targets. On glibc Linux this forces pkg-config lookup of the system openssl instead of compiling it from source.
- `protobuf` in `nativeBuildInputs` — `crates/daemon-proto/build.rs` invokes `protoc` via `tonic-prost-build` at compile time. This dependency was added after the nixpkgs derivation was last updated.
- `cargoLock.lockFile` — the project has no git-sourced Cargo dependencies, so no `outputHashes` are needed.
- `doCheck = false` — tests download Node, Bun, Deno, etc. at runtime and cannot pass in the Nix sandbox.

Test plan
- `nix flake check --no-build` passes locally
- `.drv` on `x86_64-linux`
- `nix build .#default` succeeds in CI (workflow added in this PR)