aiolabs/nsecbunkerd
8
0
Fork 0
Code Issues 12 Pull requests Projects Releases Packages Wiki Activity Actions
nsecbunkerd/package.nix
Padreug 131f689c6f
Some checks failed
Docker image / build-and-push-image (push) Has been cancelled
Details
deps: bump prisma 5.4.1 → 6.19.3 (nix build fix) 
Required to keep the nix package buildable: nixpkgs unstable no longer
ships prisma-engines 5.x — the unsuffixed `prisma-engines` attr now
aliases 7.x (no libquery_engine.node), and the only versioned attrs are
`prisma-engines_6` (6.19.3) and `prisma-engines_7`. Bump both
`@prisma/client` and `prisma` to ^6.19.0 so the client matches the only
engine we can pin to.

Also:
- package.nix takes `prisma-engines_6` directly. flake.nix passes
  `pkgs.prisma-engines_6 or pkgs.prisma-engines` so the package still
  builds on nixos-25.05 (where prisma-engines is 6.7.0 unsuffixed).
- Drop PRISMA_INTROSPECTION_ENGINE_BINARY — prisma 6 collapsed the
  introspection engine into schema-engine, the binary no longer ships.

Schema is unchanged so existing fresh installs migrate identically.
Existing dev instances with a prisma_5-tracked _prisma_migrations table
will need a one-time `prisma migrate resolve` step on first boot under
the new client; deploy targets are all fresh installs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-03 15:04:40 +02:00

146 lines
4.6 KiB
Nix
Raw Permalink Blame History

{
lib,
stdenv,
pnpm_9,
nodejs_20,
makeWrapper,
# Pin to prisma-engines_6 (6.19.3) — package.json's `@prisma/client` +
# `prisma` are at ^6.19.0. The unversioned `prisma-engines` attr is now
# 7.x in nixpkgs which doesn't ship libquery_engine.node, so we'd fail
# at postinstall.
prisma-engines_6,
openssl,
sqlite,
python311,
pkg-config,
node-gyp,
}:
let
prisma-engines = prisma-engines_6;
# The NDK 2.8.1 → 3.0.3 bump (commit 041f431) regenerated pnpm-lock.yaml
# at lockfile v9 and pinned NDK as `"3.0.3"`. Lockfile + manifest agree
# post-bump, so the historical patch-back-to-caret-form is no longer
# required. Leave the no-op shim in place as a structural anchor; if a
# future bump regenerates the lockfile under a non-caret manifest spec
# again, this is the seam where the realignment goes.
patchNdk = "";
prismaEnv = {
PRISMA_SCHEMA_ENGINE_BINARY = lib.getExe' prisma-engines "schema-engine";
PRISMA_QUERY_ENGINE_BINARY = lib.getExe' prisma-engines "query-engine";
PRISMA_QUERY_ENGINE_LIBRARY = "${prisma-engines}/lib/libquery_engine.node";
# Prisma 6 collapsed introspection-engine into schema-engine — the
# binary no longer ships in prisma-engines_6. The env var is still
# honored if present (drops gracefully), but pointing it at a path
# that doesn't exist would fail at startup.
PRISMA_FMT_BINARY = lib.getExe' prisma-engines "prisma-fmt";
PRISMA_CLIENT_ENGINE_TYPE = "binary";
};
in
stdenv.mkDerivation (finalAttrs: {
pname = "nsecbunkerd";
version = "0.10.5";
src = ./.;
pnpmDeps = pnpm_9.fetchDeps {
inherit (finalAttrs) pname version src;
fetcherVersion = 2;
prePnpmInstall = patchNdk;
hash = "sha256-DkFzzsQTuptRR8+rWfr9RGC+5XjSQrZlsZtspWfBW8w=";
};
postPatch = patchNdk;
nativeBuildInputs = [
pnpm_9.configHook
pnpm_9
nodejs_20
makeWrapper
node-gyp
python311
pkg-config
];
buildInputs = [
openssl
sqlite
];
env = prismaEnv;
buildPhase = ''
runHook preBuild
export npm_config_nodedir=${nodejs_20}
pnpm config set nodedir ${nodejs_20}
# configHook ran with --ignore-scripts; re-run install to trigger
# native-module postinstall (bcrypt). --offline keeps it inside the
# store seeded by configHook.
pnpm install --force --offline --frozen-lockfile --reporter=append-only
pnpm prisma generate
pnpm build
# Do NOT `pnpm prune --prod` here the prisma CLI lives in
# devDependencies and `scripts/start.js` invokes it at boot via
# `npx prisma migrate deploy`. Without the CLI, the migration step
# silently fails (npx falls back to downloading prisma fresh, which
# OOMs on most containers) and the SQLite db stays empty. See
# `aiolabs/nsecbunkerd#7` diagnosis 2026-05-27.
find node_modules -xtype l -delete
runHook postBuild
'';
installPhase = ''
runHook preInstall
mkdir -p $out/{bin,share/nsecbunkerd}
# scripts/ MUST be copied it contains the start.js launcher that
# runs `prisma migrate deploy` before spawning the daemon. The
# upstream packaging (and the upstream Dockerfile) bypassed this by
# invoking dist/index.js directly, leaving migrations unapplied.
cp -r dist node_modules prisma scripts templates package.json \
$out/share/nsecbunkerd/
# Wrapper invokes scripts/start.js, which runs `prisma migrate deploy`
# then spawns dist/index.js. start.js resolves sibling paths from
# __dirname, so the caller (systemd unit, docker compose, etc.) can
# set its own WorkingDirectory for the writable state dir without
# interfering with how the launcher finds its own package files.
# NSEC_BUNKER_CONFIG_DIR can override the config directory location;
# by default it's `./config` relative to cwd.
makeWrapper ${lib.getExe nodejs_20} $out/bin/nsecbunkerd \
--add-flags $out/share/nsecbunkerd/scripts/start.js \
--set NODE_ENV production \
--prefix PATH : ${lib.makeBinPath [ openssl nodejs_20 ]} \
${
lib.concatStringsSep " \\\n " (
lib.mapAttrsToList (n: v: "--set ${n} ${lib.escapeShellArg v}") prismaEnv
)
}
makeWrapper ${lib.getExe nodejs_20} $out/bin/nsecbunker-client \
--chdir $out/share/nsecbunkerd \
--add-flags $out/share/nsecbunkerd/dist/client/client.js \
--set NODE_ENV production
runHook postInstall
'';
passthru = {
inherit prisma-engines;
};
meta = {
description = "Nostr remote signing daemon (NIP-46)";
homepage = "https://github.com/kind-0/nsecbunkerd";
license = lib.licenses.mit;
mainProgram = "nsecbunkerd";
platforms = lib.platforms.linux;
};
})
Reference in a new issue View git blame Copy permalink