authorKokaKiwi <kokakiwi+git@kokakiwi.net>2024-05-23 22:21:11 +0200
committerKokaKiwi <kokakiwi+git@kokakiwi.net>2024-05-23 22:21:11 +0200
commitebfdc6d1a3ae7bb9f88f34b4fa6f4d7fb0260168 (patch)
treefa670580304560ab0d8f93a1106561277b7dd2d9
parent3e0df95fe90b3cd367e6420b7eb6efed78cea7e0 (diff)
cluster/prod(app): Migrate from niv to npins for pinned sources for cryptpad
-rw-r--r--cluster/prod/app/cryptpad/build/README.md14
-rw-r--r--cluster/prod/app/cryptpad/build/deuxfleurs.nix2
-rw-r--r--cluster/prod/app/cryptpad/build/nix/sources.json14
-rw-r--r--cluster/prod/app/cryptpad/build/nix/sources.nix198
-rw-r--r--cluster/prod/app/cryptpad/build/npins/default.nix80
-rw-r--r--cluster/prod/app/cryptpad/build/npins/sources.json11
6 files changed, 97 insertions, 222 deletions
diff --git a/cluster/prod/app/cryptpad/build/README.md b/cluster/prod/app/cryptpad/build/README.md
index 8e17406..13c6ea2 100644
--- a/cluster/prod/app/cryptpad/build/README.md
+++ b/cluster/prod/app/cryptpad/build/README.md
@@ -36,21 +36,17 @@ used by CryptPad, which can result to large Docker image (~2.6GiB)
This behaviour is configurable by passing the `--arg withOnlyOffice false` flag to `nix-build` when building them.
## Updating the Deuxfleurs pinned nixpkgs
-The pinned sources files are generated with the [niv](https://github.com/nmattia/niv) tool.
+The pinned sources files are generated with the [npins](https://github.com/andir/npins) tool.
To update the pinned nixpkgs, you simply run the following command:
```shell
-niv update
+npins update
```
-To modify the pinned nixpkgs, you can use the `niv modify` command, for example, to move to nixpkgs-unstable:
+To modify the pinned nixpkgs, remove it and re-add it using the new target, for exemple for `nixos-unstable`:
```shell
-niv modify nixpkgs -b nixos-unstable
+npins remove nixpkgs
+npins add --name nixpkgs channel nixos-unstable
```
-
-## Quirks
-
-- The CryptPad `package-lock.json` is included here because the upstream-provided one appeared to be desync'ed, so a
- manual lockfile generation was needed
diff --git a/cluster/prod/app/cryptpad/build/deuxfleurs.nix b/cluster/prod/app/cryptpad/build/deuxfleurs.nix
index 5cb8b8e..b566dae 100644
--- a/cluster/prod/app/cryptpad/build/deuxfleurs.nix
+++ b/cluster/prod/app/cryptpad/build/deuxfleurs.nix
@@ -1,7 +1,7 @@
{ name ? "deuxfleurs/cryptpad"
, tag ? "nix-latest"
}: let
- sources = import ./nix/sources.nix;
+ sources = import ./npins;
pkgs = import sources.nixpkgs {};
in rec {
cryptpad = pkgs.callPackage ./default.nix {};
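Review bot: `pkgs = import sources.nixpkgs {};` still evaluates nixpkgs with an empty argument set, so under `nix-build` the nixpkgs config file and overlays present on the build machine can be picked up and end up influencing the production CryptPad image even though the source tree itself is pinned; `pkgs = import sources.nixpkgs { config = {}; overlays = []; };` closes that gap. Next to the changed `sources = import ./npins;` line it is also worth a comment that the pin itself changes: going by the two sources.json sections of this commit, nixpkgs moves from the GitHub archive of rev 53a2c32bc66f5ae41a28d7a9a49d321172af621e to the channel tarball nixos-23.11.7237.46397778ef1f, so this is a nixpkgs bump as well as a tool migration and the rebuilt image should be checked as one. Something like `# nixpkgs: nixos-23.11 channel tarball pinned in npins/sources.json` would make the new provenance visible at the import site. The `rec` attribute set continues outside the hunk.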
diff --git a/cluster/prod/app/cryptpad/build/nix/sources.json b/cluster/prod/app/cryptpad/build/nix/sources.json
deleted file mode 100644
index 4ef8a92..0000000
--- a/cluster/prod/app/cryptpad/build/nix/sources.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
- "nixpkgs": {
- "branch": "nixos-23.11",
- "description": "Nix Packages collection",
- "homepage": null,
- "owner": "NixOS",
- "repo": "nixpkgs",
- "rev": "53a2c32bc66f5ae41a28d7a9a49d321172af621e",
- "sha256": "0yqbwqbripb1bbhlwjfbqmg9qb0lai2fc0k1vfh674d6rrc8igwv",
- "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/53a2c32bc66f5ae41a28d7a9a49d321172af621e.tar.gz",
- "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
- }
-}
diff --git a/cluster/prod/app/cryptpad/build/nix/sources.nix b/cluster/prod/app/cryptpad/build/nix/sources.nix
deleted file mode 100644
index 9e7db84..0000000
--- a/cluster/prod/app/cryptpad/build/nix/sources.nix
+++ /dev/null
@@ -1,198 +0,0 @@
-# This file has been generated by Niv.
-
-let
-
- #
- # The fetchers. fetch_<type> fetches specs of type <type>.
- #
-
- fetch_file = pkgs: name: spec:
- let
- name' = sanitizeName name + "-src";
- in
- if spec.builtin or true then
- builtins_fetchurl { inherit (spec) url sha256; name = name'; }
- else
- pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
-
- fetch_tarball = pkgs: name: spec:
- let
- name' = sanitizeName name + "-src";
- in
- if spec.builtin or true then
- builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
- else
- pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
-
- fetch_git = name: spec:
- let
- ref =
- spec.ref or (
- if spec ? branch then "refs/heads/${spec.branch}" else
- if spec ? tag then "refs/tags/${spec.tag}" else
- abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"
- );
- submodules = spec.submodules or false;
- submoduleArg =
- let
- nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
- emptyArgWithWarning =
- if submodules
- then
- builtins.trace
- (
- "The niv input \"${name}\" uses submodules "
- + "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
- + "does not support them"
- )
- { }
- else { };
- in
- if nixSupportsSubmodules
- then { inherit submodules; }
- else emptyArgWithWarning;
- in
- builtins.fetchGit
- ({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
-
- fetch_local = spec: spec.path;
-
- fetch_builtin-tarball = name: throw
- ''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
- $ niv modify ${name} -a type=tarball -a builtin=true'';
-
- fetch_builtin-url = name: throw
- ''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
- $ niv modify ${name} -a type=file -a builtin=true'';
-
- #
- # Various helpers
- #
-
- # https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
- sanitizeName = name:
- (
- concatMapStrings (s: if builtins.isList s then "-" else s)
- (
- builtins.split "[^[:alnum:]+._?=-]+"
- ((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
- )
- );
-
- # The set of packages used when specs are fetched using non-builtins.
- mkPkgs = sources: system:
- let
- sourcesNixpkgs =
- import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
- hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
- hasThisAsNixpkgsPath = <nixpkgs> == ./.;
- in
- if builtins.hasAttr "nixpkgs" sources
- then sourcesNixpkgs
- else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
- import <nixpkgs> { }
- else
- abort
- ''
- Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
- add a package called "nixpkgs" to your sources.json.
- '';
-
- # The actual fetching function.
- fetch = pkgs: name: spec:
-
- if ! builtins.hasAttr "type" spec then
- abort "ERROR: niv spec ${name} does not have a 'type' attribute"
- else if spec.type == "file" then fetch_file pkgs name spec
- else if spec.type == "tarball" then fetch_tarball pkgs name spec
- else if spec.type == "git" then fetch_git name spec
- else if spec.type == "local" then fetch_local spec
- else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
- else if spec.type == "builtin-url" then fetch_builtin-url name
- else
- abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
-
- # If the environment variable NIV_OVERRIDE_${name} is set, then use
- # the path directly as opposed to the fetched source.
- replace = name: drv:
- let
- saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
- ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
- in
- if ersatz == "" then drv else
- # this turns the string into an actual Nix path (for both absolute and
- # relative paths)
- if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
-
- # Ports of functions for older nix versions
-
- # a Nix version of mapAttrs if the built-in doesn't exist
- mapAttrs = builtins.mapAttrs or (
- f: set: with builtins;
- listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
- );
-
- # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
- range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
-
- # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
- stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
-
- # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
- stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
- concatMapStrings = f: list: concatStrings (map f list);
- concatStrings = builtins.concatStringsSep "";
-
- # https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
- optionalAttrs = cond: as: if cond then as else { };
-
- # fetchTarball version that is compatible between all the versions of Nix
- builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
- let
- inherit (builtins) lessThan nixVersion fetchTarball;
- in
- if lessThan nixVersion "1.12" then
- fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
- else
- fetchTarball attrs;
-
- # fetchurl version that is compatible between all the versions of Nix
- builtins_fetchurl = { url, name ? null, sha256 }@attrs:
- let
- inherit (builtins) lessThan nixVersion fetchurl;
- in
- if lessThan nixVersion "1.12" then
- fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
- else
- fetchurl attrs;
-
- # Create the final "sources" from the config
- mkSources = config:
- mapAttrs
- (
- name: spec:
- if builtins.hasAttr "outPath" spec
- then
- abort
- "The values in sources.json should not have an 'outPath' attribute"
- else
- spec // { outPath = replace name (fetch config.pkgs name spec); }
- )
- config.sources;
-
- # The "config" used by the fetchers
- mkConfig =
- { sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
- , sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile)
- , system ? builtins.currentSystem
- , pkgs ? mkPkgs sources system
- }: {
- # The sources, i.e. the attribute set of spec name to spec
- inherit sources;
-
- # The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
- inherit pkgs;
- };
-
-in
-mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); }
diff --git a/cluster/prod/app/cryptpad/build/npins/default.nix b/cluster/prod/app/cryptpad/build/npins/default.nix
new file mode 100644
index 0000000..5e7d086
--- /dev/null
+++ b/cluster/prod/app/cryptpad/build/npins/default.nix
@@ -0,0 +1,80 @@
+# Generated by npins. Do not modify; will be overwritten regularly
+let
+ data = builtins.fromJSON (builtins.readFile ./sources.json);
+ version = data.version;
+
+ mkSource =
+ spec:
+ assert spec ? type;
+ let
+ path =
+ if spec.type == "Git" then
+ mkGitSource spec
+ else if spec.type == "GitRelease" then
+ mkGitSource spec
+ else if spec.type == "PyPi" then
+ mkPyPiSource spec
+ else if spec.type == "Channel" then
+ mkChannelSource spec
+ else
+ builtins.throw "Unknown source type ${spec.type}";
+ in
+ spec // { outPath = path; };
+
+ mkGitSource =
+ {
+ repository,
+ revision,
+ url ? null,
+ hash,
+ branch ? null,
+ ...
+ }:
+ assert repository ? type;
+ # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+ # In the latter case, there we will always be an url to the tarball
+ if url != null then
+ (builtins.fetchTarball {
+ inherit url;
+ sha256 = hash; # FIXME: check nix version & use SRI hashes
+ })
+ else
+ assert repository.type == "Git";
+ let
+ urlToName =
+ url: rev:
+ let
+ matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
+
+ short = builtins.substring 0 7 rev;
+
+ appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
+ in
+ "${if matched == null then "source" else builtins.head matched}${appendShort}";
+ name = urlToName repository.url revision;
+ in
+ builtins.fetchGit {
+ url = repository.url;
+ rev = revision;
+ inherit name;
+ # hash = hash;
+ };
+
+ mkPyPiSource =
+ { url, hash, ... }:
+ builtins.fetchurl {
+ inherit url;
+ sha256 = hash;
+ };
+
+ mkChannelSource =
+ { url, hash, ... }:
+ builtins.fetchTarball {
+ inherit url;
+ sha256 = hash;
+ };
+in
+if version == 3 then
+ builtins.mapAttrs (_: mkSource) data.pins
+else
+ throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
diff --git a/cluster/prod/app/cryptpad/build/npins/sources.json b/cluster/prod/app/cryptpad/build/npins/sources.json
new file mode 100644
index 0000000..3e8d5df
--- /dev/null
+++ b/cluster/prod/app/cryptpad/build/npins/sources.json
@@ -0,0 +1,11 @@
+{
+ "pins": {
+ "nixpkgs": {
+ "type": "Channel",
+ "name": "nixos-23.11",
+ "url": "https://releases.nixos.org/nixos/23.11/nixos-23.11.7237.46397778ef1f/nixexprs.tar.xz",
+ "hash": "00cy8q07diavxb91g7pxl0gqc68s3hzimsggjc9rqyf99h1q9d3r"
+ }
+ },
+ "version": 3
+}
\ No newline at end of file