nixpkgs/pkgs/by-name/ni/nixos-rebuild-ng/package.nix

{
  lib,
  stdenv,
  callPackage,
  installShellFiles,
  mkShell,
  nix,
  python3,
  python3Packages,
  runCommand,
  scdoc,
  withNgSuffix ? true,
  withReexec ? false,
  withShellFiles ? true,
  # Very long tmp dirs lead to "too long for Unix domain socket"
  # SSH ControlPath errors. Especially macOS sets long TMPDIR paths.
  withTmpdir ? if stdenv.hostPlatform.isDarwin then "/tmp" else null,
  # passthru.tests
  nixosTests,
  nixVersions,
  lixPackageSets,
  nixos-rebuild-ng,
}:
let
  executable = if withNgSuffix then "nixos-rebuild-ng" else "nixos-rebuild";
in
python3Packages.buildPythonApplication rec {
  pname = "nixos-rebuild-ng";
  version = "0.0.0";
  src = ./src;
  pyproject = true;

  build-system = with python3Packages; [
    setuptools
  ];

  nativeBuildInputs = lib.optionals withShellFiles [
    installShellFiles
    python3Packages.shtab
    scdoc
  ];

  propagatedBuildInputs = [
    # Make sure that we use the Nix package we depend on, not something
    # else from the PATH for nix-{env,instantiate,build}. This is
    # important, because NixOS defaults the architecture of the rebuilt
    # system to the architecture of the nix-* binaries used. So if on an
    # amd64 system the user has an i686 Nix package in her PATH, then we
    # would silently downgrade the whole system to be i686 NixOS on the
    # next reboot.
    # The binary will be included in the wrapper for Python.
    (lib.getBin nix)
  ];

  postPatch = ''
    substituteInPlace nixos_rebuild/constants.py \
      --subst-var-by executable ${executable} \
      --subst-var-by withReexec ${lib.boolToString withReexec} \
      --subst-var-by withShellFiles ${lib.boolToString withShellFiles}

    substituteInPlace pyproject.toml \
      --replace-fail nixos-rebuild ${executable}
  '';

  postInstall = lib.optionalString withShellFiles ''
    scdoc < ${./nixos-rebuild.8.scd} > ${executable}.8
    installManPage ${executable}.8

    installShellCompletion --cmd ${executable} \
      --bash <(shtab --shell bash nixos_rebuild.get_main_parser) \
      --zsh <(shtab --shell zsh nixos_rebuild.get_main_parser)
  '';

  nativeCheckInputs = with python3Packages; [
    pytestCheckHook
  ];

  pytestFlags = [ "-vv" ];

  makeWrapperArgs = lib.optionals (withTmpdir != null) [
    "--set TMPDIR ${withTmpdir}"
  ];

  passthru =
    let
      python-with-pkgs = python3.withPackages (
        ps: with ps; [
          mypy
          pytest
          # this is to help development (e.g.: better diffs) inside devShell
          # only, do not use its helpers like `mocker`
          pytest-mock
          ruff
        ]
      );
    in
    {
      devShell = mkShell {
        packages = [ python-with-pkgs ];
        shellHook = ''
          cd pkgs/by-name/ni/nixos-rebuild-ng/src || true
        '';
      };

      tests = {
        with_reexec = nixos-rebuild-ng.override {
          withReexec = true;
          withNgSuffix = false;
        };
        with_nix_latest = nixos-rebuild-ng.override {
          nix = nixVersions.latest;
        };
        with_nix_stable = nixos-rebuild-ng.override {
          nix = nixVersions.stable;
        };
        with_nix_2_28 = nixos-rebuild-ng.override {
          # oldest supported version in nixpkgs
          nix = nixVersions.nix_2_28;
        };
        with_lix_latest = nixos-rebuild-ng.override {
          nix = lixPackageSets.latest.lix;
        };
        with_lix_stable = nixos-rebuild-ng.override {
          nix = lixPackageSets.stable.lix;
        };

        inherit (nixosTests)
          # FIXME: this test is disabled since it times out in @ofborg
          # nixos-rebuild-install-bootloader-ng
          nixos-rebuild-specialisations-ng
          nixos-rebuild-target-host-ng
          ;
        repl = callPackage ./tests/repl.nix { };
        # NOTE: this is a passthru test rather than a build-time test because we
        # want to keep the build closures small
        linters = runCommand "${pname}-linters" { nativeBuildInputs = [ python-with-pkgs ]; } ''
          export RUFF_CACHE_DIR="$(mktemp -d)"

          echo -e "\x1b[32m## run mypy\x1b[0m"
          mypy ${src}
          echo -e "\x1b[32m## run ruff\x1b[0m"
          ruff check ${src}
          echo -e "\x1b[32m## run ruff format\x1b[0m"
          ruff format --check ${src}

          touch $out
        '';
      };
    };

  meta = {
    description = "Rebuild your NixOS configuration and switch to it, on local hosts and remote";
    homepage = "https://github.com/NixOS/nixpkgs/tree/master/pkgs/by-name/ni/nixos-rebuild-ng";
    license = lib.licenses.mit;
    maintainers = [ ];
    teams = [ lib.teams.nixos-rebuild ];
    mainProgram = executable;
  };
}
nixos-rebuild-ng: init 2024-11-04 22:23:33 +00:00			`{`
			`lib,`
nixos-rebuild-ng: set TMPDIR in darwin 2024-12-10 10:24:18 +00:00			`stdenv,`
nixos-rebuild-ng: add repl test and fix issues 2024-12-09 14:34:25 +00:00			`callPackage,`
nixos-rebuild-ng: init 2024-11-04 22:23:33 +00:00			`installShellFiles,`
nixos-rebuild-ng: add devShell 2024-11-16 21:25:22 +00:00			`mkShell,`
nixos-rebuild-ng: init 2024-11-04 22:23:33 +00:00			`nix,`
			`python3,`
nixos-rebuild-ng: use python3Packages 2024-11-20 19:41:42 +00:00			`python3Packages,`
nixos-rebuild-ng: reduce build closure by moving checks to passthru.tests 2024-11-16 10:49:48 +00:00			`runCommand,`
nixos-rebuild-ng: add proper manpage using scd format 2024-12-04 12:52:02 +00:00			`scdoc,`
nixos-rebuild-ng: init 2024-11-04 22:23:33 +00:00			`withNgSuffix ? true,`
nixos-rebuild-ng: enable reexec if system.rebuild.enableNg is enabled 2024-12-09 12:10:13 +00:00			`withReexec ? false,`
nixos-rebuild-ng: enable shell files by default 2024-12-05 12:56:59 +00:00			`withShellFiles ? true,`
nixos-rebuild-ng: set TMPDIR in darwin 2024-12-10 10:24:18 +00:00			`# Very long tmp dirs lead to "too long for Unix domain socket"`
			`# SSH ControlPath errors. Especially macOS sets long TMPDIR paths.`
			`withTmpdir ? if stdenv.hostPlatform.isDarwin then "/tmp" else null,`
nixos-rebuild-ng: skip broken test for Nix < 2.18 The mock test for building with remote, but distinct target and build host checks a bunch of internals (how many shell commands are executed, which ones exactly) that are special cased on WITH_NIX_2_18, so the test breaks when that is false. I've opted to simply skip the test for now since the expected call list is very annoying to keep maintained and updated for multiple versions. This should fix NixOS configurations with config nix.package.version < 2.18. To keep it that way, I've added nixos-rebuild-ng with some nixVersions to passthru.tests that aren't likely to be removed in the short term. 2025-06-21 01:01:32 +02:00			`# passthru.tests`
			`nixosTests,`
			`nixVersions,`
nixos-rebuild-ng: add passthru.tests for lix Note that the code currently assumes that checking >= 2.18 on the version of an opaque package is enough which works for many things as it is the fork point of Lix. However, future changes may need to reevaluate whether it is enough for every check (should more conditional code be added). 2025-06-21 12:06:23 +02:00			`lixPackageSets,`
nixos-rebuild-ng: skip broken test for Nix < 2.18 The mock test for building with remote, but distinct target and build host checks a bunch of internals (how many shell commands are executed, which ones exactly) that are special cased on WITH_NIX_2_18, so the test breaks when that is false. I've opted to simply skip the test for now since the expected call list is very annoying to keep maintained and updated for multiple versions. This should fix NixOS configurations with config nix.package.version < 2.18. To keep it that way, I've added nixos-rebuild-ng with some nixVersions to passthru.tests that aren't likely to be removed in the short term. 2025-06-21 01:01:32 +02:00			`nixos-rebuild-ng,`
nixos-rebuild-ng: init 2024-11-04 22:23:33 +00:00			`}:`
nixos-rebuild-ng: add shell completion via shtab 2024-12-04 12:32:13 +00:00			`let`
			`executable = if withNgSuffix then "nixos-rebuild-ng" else "nixos-rebuild";`
			`in`
nixos-rebuild-ng: use python3Packages 2024-11-20 19:41:42 +00:00			`python3Packages.buildPythonApplication rec {`
nixos-rebuild-ng: init 2024-11-04 22:23:33 +00:00			`pname = "nixos-rebuild-ng";`
			`version = "0.0.0";`
			`src = ./src;`
			`pyproject = true;`

nixos-rebuild-ng: use python3Packages 2024-11-20 19:41:42 +00:00			`build-system = with python3Packages; [`
nixos-rebuild-ng: init 2024-11-04 22:23:33 +00:00			`setuptools`
			`];`

nixos-rebuild-ng: simplify build options 2024-12-05 10:25:43 +00:00			`nativeBuildInputs = lib.optionals withShellFiles [`
			`installShellFiles`
			`python3Packages.shtab`
			`scdoc`
			`];`
nixos-rebuild-ng: init 2024-11-04 22:23:33 +00:00
			`propagatedBuildInputs = [`
			`# Make sure that we use the Nix package we depend on, not something`
			`# else from the PATH for nix-{env,instantiate,build}. This is`
			`# important, because NixOS defaults the architecture of the rebuilt`
			`# system to the architecture of the nix-* binaries used. So if on an`
			`# amd64 system the user has an i686 Nix package in her PATH, then we`
			`# would silently downgrade the whole system to be i686 NixOS on the`
			`# next reboot.`
			`# The binary will be included in the wrapper for Python.`
nixos-rebuild-ng: only propagate nix's `bin` output Prior to this the `dev` output was also propagated, when it's not actually used ```console $ nix-store --query --references /nix/store/ppw0flx4dbksxsnr84hq1gz4k0s0hpcq-nixos-rebuild-ng-0.0.0 /nix/store/11ciq72n4fdv8rw6wgjgasfv4mjs1jrw-bash-5.2p37 /nix/store/26yi95240650jxp5dj78xzch70i1kzlz-python3-3.12.9 /nix/store/xxh7mivp64xmzyw5wir2c2xbhy6cjzjd-nix-2.24.12 /nix/store/8jai5cxdfzgj9nsz4i26fh9sx5zsgilz-nix-2.24.12-dev /nix/store/ppw0flx4dbksxsnr84hq1gz4k0s0hpcq-nixos-rebuild-ng-0.0.0 ``` ```console $ nix why-depends --all --precise /nix/store/ppw0flx4dbksxsnr84hq1gz4k0s0hpcq-nixos-rebuild-ng-0.0.0 /nix/store/8jai5cxdfzgj9nsz4i26fh9sx5zsgilz-nix-2.24.12-dev /nix/store/ppw0flx4dbksxsnr84hq1gz4k0s0hpcq-nixos-rebuild-ng-0.0.0 └───nix-support/propagated-build-inputs: …/nix/store/8jai5cxdfzgj9nsz4i26fh9sx5zsgilz-nix-2.24.12-dev /nix/store/26yi… → /nix/store/8jai5cxdfzgj9nsz4i26fh9sx5zsgilz-nix-2.24.12-dev ``` ```console $ nvd diff /nix/store/ppw0flx4dbksxsnr84hq1gz4k0s0hpcq-nixos-rebuild-ng-0.0.0 /nix/store/fqm81bhggzkqh7033np2z0jr8c0qrpbw-nixos-rebuild-ng-0.0.0 <<< /nix/store/ppw0flx4dbksxsnr84hq1gz4k0s0hpcq-nixos-rebuild-ng-0.0.0 >>> /nix/store/fqm81bhggzkqh7033np2z0jr8c0qrpbw-nixos-rebuild-ng-0.0.0 Version changes: [C.] #1 boehm-gc 8.2.8, 8.2.8-dev -> 8.2.8 [C*] #2 nix 2.24.12, 2.24.12-dev, 2.24.12-man -> 2.24.12, 2.24.12-man Removed packages: [R.] #1 nlohmann_json 3.11.3 Closure size: 66 -> 63 (1 paths added, 4 paths removed, delta -3, disk usage -1.9MiB). ``` 2025-03-05 06:05:02 -05:00			`(lib.getBin nix)`
nixos-rebuild-ng: init 2024-11-04 22:23:33 +00:00			`];`

nixos-rebuild-ng: add proper manpage using scd format 2024-12-04 12:52:02 +00:00			`postPatch = ''`
nixos-rebuild-ng: change copy closure logic when copying from_host -> to_host - If user is using Nix 2.18+ (the default), we will switch to use `nix copy` since it supports using `--from` and `--to` at the same time - If user is using older versions of Nix, we will call `nix-copy-closure` twice, once with `--from` and another with `--to` The reason for this change is because the previous logic, that SSH'd to from_host to copy to to_host using `nix-copy-closure --to` means that `from_host` needs to have credentials to communicate with `to_host`, that is not always possible nor expected. It breaks even in simple cases like `--from` and `--to` is the same host because it is not common for a host to SSH'd itself. This also makes the behavior more consistent, since `--from` and `--to` is interpreted from the eval host point of view EXCEPT when they're used together. This may of course break in the cases where this old behavior was assumed, e.g.: deploying with a bastion host. I am not sure how common this was, and I think this change in behavior should enable more cases than break, but let's see. For that particular case, running `nixos-rebuild-ng` inside SSH command (e.g.: `ssh build_host -- nixos-rebuild-ng switch --target-host target_host`) should do the trick. 2024-12-12 17:33:40 +00:00			`substituteInPlace nixos_rebuild/constants.py \`
nixos-rebuild-ng: show help when manpage is disabled 2024-12-06 10:56:00 +00:00			`--subst-var-by executable ${executable} \`
nixos-rebuild-ng: enable reexec if system.rebuild.enableNg is enabled 2024-12-09 12:10:13 +00:00			`--subst-var-by withReexec ${lib.boolToString withReexec} \`
nixos-rebuild-ng: show help when manpage is disabled 2024-12-06 10:56:00 +00:00			`--subst-var-by withShellFiles ${lib.boolToString withShellFiles}`

nixos-rebuild-ng: simplify build options 2024-12-05 10:25:43 +00:00			`substituteInPlace pyproject.toml \`
nixos-rebuild-ng: fix linter failures 2024-12-07 11:38:03 +00:00			`--replace-fail nixos-rebuild ${executable}`
nixos-rebuild-ng: add proper manpage using scd format 2024-12-04 12:52:02 +00:00			`'';`

nixos-rebuild-ng: simplify build options 2024-12-05 10:25:43 +00:00			`postInstall = lib.optionalString withShellFiles ''`
			`scdoc < ${./nixos-rebuild.8.scd} > ${executable}.8`
			`installManPage ${executable}.8`

			`installShellCompletion --cmd ${executable} \`
			`--bash <(shtab --shell bash nixos_rebuild.get_main_parser) \`
			`--zsh <(shtab --shell zsh nixos_rebuild.get_main_parser)`
			`'';`
nixos-rebuild-ng: init 2024-11-04 22:23:33 +00:00
nixos-rebuild-ng: use python3Packages 2024-11-20 19:41:42 +00:00			`nativeCheckInputs = with python3Packages; [`
nixos-rebuild-ng: init 2024-11-04 22:23:33 +00:00			`pytestCheckHook`
			`];`

treewide: pytestFlagsArray -> pytestFlags and join flag and option argument This treewide change targets Python packages that specifies pytest flags with pytestFlagsArray, and whose flags cannot be consructed by other pytestCheckHook-honoured arguments. Use the __structuredAttrs-agnostic argument pytestFlags instead of the deprecated pytestFlagsArray. For flags with option arguments, join each flag and their option argument into a single command-line argument following POSIX Utility Argument Syntax[1] for easier overriding (remove/replace). Examples: * [ "-W" "ignore:message:WarningClass" ] -> [ "-Wignore:message:WarningClass" ] * [ "--reruns" "3" ] -> [ "--reruns=3" ] [1]: https://pubs.opengroup.org/onlinepubs/009695399/basedefs/xbd_chap12.html 2025-05-01 03:46:26 +08:00			`pytestFlags = [ "-vv" ];`
nixos-rebuild-ng: init 2024-11-04 22:23:33 +00:00
nixos-rebuild-ng: set TMPDIR in darwin 2024-12-10 10:24:18 +00:00			`makeWrapperArgs = lib.optionals (withTmpdir != null) [`
			`"--set TMPDIR ${withTmpdir}"`
			`];`

nixos-rebuild-ng: add devShell 2024-11-16 21:25:22 +00:00			`passthru =`
			`let`
			`python-with-pkgs = python3.withPackages (`
			`ps: with ps; [`
			`mypy`
			`pytest`
nixos-rebuild-ng: add pytest-mock in devShell It is included to help debugging only, so its helpers shouldn't be used in tests. 2025-02-13 21:30:17 +00:00			`# this is to help development (e.g.: better diffs) inside devShell`
			# only, do not use its helpers like `mocker`
nixos-rebuild-ng: add pytest-mock 2025-02-13 21:27:19 +00:00			`pytest-mock`
nixos-rebuild-ng: add devShell 2024-11-16 21:25:22 +00:00			`ruff`
			`]`
			`);`
			`in`
			`{`
			`devShell = mkShell {`
			`packages = [ python-with-pkgs ];`
			`shellHook = ''`
			`cd pkgs/by-name/ni/nixos-rebuild-ng/src \|\| true`
			`'';`
			`};`
nixos-rebuild-ng: reduce build closure by moving checks to passthru.tests 2024-11-16 10:49:48 +00:00
nixos-rebuild-ng: add repl test and fix issues 2024-12-09 14:34:25 +00:00			`tests = {`
nixos-rebuild-ng: add test when `withReexec`/`withNgSuffix` is used This is to make sure that we don't introduce regressions in those code paths. 2025-06-27 11:45:21 +01:00			`with_reexec = nixos-rebuild-ng.override {`
			`withReexec = true;`
			`withNgSuffix = false;`
			`};`
nixos-rebuild-ng: skip broken test for Nix < 2.18 The mock test for building with remote, but distinct target and build host checks a bunch of internals (how many shell commands are executed, which ones exactly) that are special cased on WITH_NIX_2_18, so the test breaks when that is false. I've opted to simply skip the test for now since the expected call list is very annoying to keep maintained and updated for multiple versions. This should fix NixOS configurations with config nix.package.version < 2.18. To keep it that way, I've added nixos-rebuild-ng with some nixVersions to passthru.tests that aren't likely to be removed in the short term. 2025-06-21 01:01:32 +02:00			`with_nix_latest = nixos-rebuild-ng.override {`
			`nix = nixVersions.latest;`
			`};`
			`with_nix_stable = nixos-rebuild-ng.override {`
			`nix = nixVersions.stable;`
			`};`
nixos-rebuild: bump oldest supported nix version to 2_28 We want to get rid of nix 2.24 piece-by-piece 2025-08-14 10:46:01 +02:00			`with_nix_2_28 = nixos-rebuild-ng.override {`
nix_2_3: drop This has been marked insecure a while ago, as some CVEs have not been backported. Even if some CVEs are fixed, we'd need all of them to be, to get it back into the cache. Not having it in the cache means, we can not test it in CI. This means we can't make sure to actually support this version to evaluate Nixpkgs. 2025-07-24 16:08:14 +02:00			`# oldest supported version in nixpkgs`
nixos-rebuild: bump oldest supported nix version to 2_28 We want to get rid of nix 2.24 piece-by-piece 2025-08-14 10:46:01 +02:00			`nix = nixVersions.nix_2_28;`
nixos-rebuild-ng: skip broken test for Nix < 2.18 The mock test for building with remote, but distinct target and build host checks a bunch of internals (how many shell commands are executed, which ones exactly) that are special cased on WITH_NIX_2_18, so the test breaks when that is false. I've opted to simply skip the test for now since the expected call list is very annoying to keep maintained and updated for multiple versions. This should fix NixOS configurations with config nix.package.version < 2.18. To keep it that way, I've added nixos-rebuild-ng with some nixVersions to passthru.tests that aren't likely to be removed in the short term. 2025-06-21 01:01:32 +02:00			`};`
nixos-rebuild-ng: add passthru.tests for lix Note that the code currently assumes that checking >= 2.18 on the version of an opaque package is enough which works for many things as it is the fork point of Lix. However, future changes may need to reevaluate whether it is enough for every check (should more conditional code be added). 2025-06-21 12:06:23 +02:00			`with_lix_latest = nixos-rebuild-ng.override {`
			`nix = lixPackageSets.latest.lix;`
			`};`
			`with_lix_stable = nixos-rebuild-ng.override {`
			`nix = lixPackageSets.stable.lix;`
			`};`
nixos-rebuild-ng: skip broken test for Nix < 2.18 The mock test for building with remote, but distinct target and build host checks a bunch of internals (how many shell commands are executed, which ones exactly) that are special cased on WITH_NIX_2_18, so the test breaks when that is false. I've opted to simply skip the test for now since the expected call list is very annoying to keep maintained and updated for multiple versions. This should fix NixOS configurations with config nix.package.version < 2.18. To keep it that way, I've added nixos-rebuild-ng with some nixVersions to passthru.tests that aren't likely to be removed in the short term. 2025-06-21 01:01:32 +02:00
nixos/tests: add nixos-rebuild-target-host-ng 2024-12-10 12:50:12 +00:00			`inherit (nixosTests)`
nixos-rebuild-ng: disable test that times out in @ofborg 2025-06-28 21:13:50 +01:00			`# FIXME: this test is disabled since it times out in @ofborg`
			`# nixos-rebuild-install-bootloader-ng`
nixos/tests: add nixos-rebuild-target-host-ng 2024-12-10 12:50:12 +00:00			`nixos-rebuild-specialisations-ng`
			`nixos-rebuild-target-host-ng`
			`;`
nixos-rebuild-ng: add repl test and fix issues 2024-12-09 14:34:25 +00:00			`repl = callPackage ./tests/repl.nix { };`
			`# NOTE: this is a passthru test rather than a build-time test because we`
			`# want to keep the build closures small`
			`linters = runCommand "${pname}-linters" { nativeBuildInputs = [ python-with-pkgs ]; } ''`
			`export RUFF_CACHE_DIR="$(mktemp -d)"`
nixos-rebuild-ng: reduce build closure by moving checks to passthru.tests 2024-11-16 10:49:48 +00:00
nixos-rebuild-ng: add repl test and fix issues 2024-12-09 14:34:25 +00:00			`echo -e "\x1b[32m## run mypy\x1b[0m"`
			`mypy ${src}`
			`echo -e "\x1b[32m## run ruff\x1b[0m"`
			`ruff check ${src}`
			`echo -e "\x1b[32m## run ruff format\x1b[0m"`
			`ruff format --check ${src}`
nixos-rebuild-ng: add devShell 2024-11-16 21:25:22 +00:00
nixos-rebuild-ng: add repl test and fix issues 2024-12-09 14:34:25 +00:00			`touch $out`
			`'';`
			`};`
nixos-rebuild-ng: add devShell 2024-11-16 21:25:22 +00:00			`};`
nixos-rebuild-ng: init 2024-11-04 22:23:33 +00:00
			`meta = {`
			`description = "Rebuild your NixOS configuration and switch to it, on local hosts and remote";`
			`homepage = "https://github.com/NixOS/nixpkgs/tree/master/pkgs/by-name/ni/nixos-rebuild-ng";`
			`license = lib.licenses.mit;`
maintainers/team-list: add nixos-rebuild team 2025-06-10 18:47:48 +01:00			`maintainers = [ ];`
			`teams = [ lib.teams.nixos-rebuild ];`
nixos-rebuild-ng: add shell completion via shtab 2024-12-04 12:32:13 +00:00			`mainProgram = executable;`
nixos-rebuild-ng: init 2024-11-04 22:23:33 +00:00			`};`
			`}`