From 08568fc0c091d5659629ff16edba0fed37b3fbdd Mon Sep 17 00:00:00 2001 From: Padreug Date: Wed, 10 Jun 2026 10:20:41 +0200 Subject: [PATCH 1/3] feat(nix): add flake.nix exposing lib.mkWebapp MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Establishes the nix build path so deploy/server-deploy can call inputs.webapp.lib.mkWebapp { brandDir, app } per-host instead of running its own derivation. lib.mkWebapp { pkgs, brandDir ? ./branding/default, app ? "main" } returns a stdenv.mkDerivation that: - Uses pnpmConfigHook + fetchPnpmDeps (fetcherVersion = 3) to install node_modules from a hash-pinned snapshot, offline. - Wires brandDir into the BRAND_DIR env var so vite-branding.ts and pwa-assets.config.ts resolve the right brand. - Sets BRAND_APP from `app` so per-standalone overrides (branding//icons//logo.*) work. - autoPatchelfHook + stdenv.cc.cc.lib patch the prebuilt @img/sharp-libvips-linux-x64 binaries to run under the nix sandbox. - Runs `pnpm run build` for the hub or `pnpm run build:` for a standalone, then copies the resulting dist/ or dist-/ into $out. Per-system exposure: - packages. for each of main/events/wallet/chat/market/forum/ tasks/restaurant/libra — exercises the builder under CI. - packages.default = packages.main. Closes aiolabs/webapp#97. Server-deploy hosts can now migrate via aiolabs/server-deploy#8. Co-Authored-By: Claude Opus 4.7 (1M context) --- flake.lock | 61 ++++++++++++++++++++++++++++++++++++ flake.nix | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 151 insertions(+) create mode 100644 flake.lock create mode 100644 flake.nix diff --git a/flake.lock b/flake.lock new file mode 100644 index 0000000..8f6b10e --- /dev/null +++ b/flake.lock @@ -0,0 +1,61 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1780749050, + "narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "a799d3e3886da994fa307f817a6bc705ae538eeb", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..97afeed --- /dev/null +++ b/flake.nix @@ -0,0 +1,90 @@ +{ + description = "AIO webapp — modular Vue 3 + Vite shell with Lightning + Nostr standalones"; + + inputs = { + nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; + flake-utils.url = "github:numtide/flake-utils"; + }; + + outputs = { self, nixpkgs, flake-utils }: + let + apps = [ "main" "events" "wallet" "chat" "market" "forum" "tasks" "restaurant" "libra" ]; + + mkWebapp = { pkgs, brandDir ? ./branding/default, app ? "main" }: + let + buildScript = if app == "main" then "build" else "build:${app}"; + outDir = if app == "main" then "dist" else "dist-${app}"; + in + pkgs.stdenv.mkDerivation (finalAttrs: { + pname = "aio-webapp-${app}"; + version = "0.0.0"; + + src = ./.; + + pnpmDeps = pkgs.fetchPnpmDeps { + inherit (finalAttrs) pname version src; + fetcherVersion = 3; + hash = "sha256-GZuH5ndka9PEHjC00g+kUJW515Zj/+xW6DZQAaK8G4k="; + }; + + nativeBuildInputs = [ + pkgs.nodejs + pkgs.pnpm + pkgs.pnpmConfigHook + pkgs.autoPatchelfHook + ]; + + # sharp's prebuilt libvips binaries (under @img/sharp-libvips-*) + # are dynamically linked; autoPatchelfHook needs the runtime libs. + buildInputs = [ + pkgs.stdenv.cc.cc.lib + ]; + + # Brand kit env knobs read by vite-branding.ts and + # pwa-assets.config.ts. brandDir is either ./branding/default + # (a path inside this flake's source) or an external path that + # nix has copied into the build sandbox. + env = { + BRAND_DIR = "${brandDir}"; + BRAND_APP = if app == "main" then "" else app; + }; + + buildPhase = '' + runHook preBuild + pnpm run ${buildScript} + runHook postBuild + ''; + + installPhase = '' + runHook preInstall + mkdir -p $out + cp -r ${outDir} $out/ + runHook postInstall + ''; + + meta = with pkgs.lib; { + description = "AIO webapp${if app == "main" then "" else " (${app} standalone)"}"; + homepage = "https://git.atitlan.io/aiolabs/webapp"; + license = licenses.mit; + platforms = platforms.linux; + }; + }); + in + { + # System-agnostic builder. Downstream NixOS hosts call this from + # their services/webapp.nix with their own brandDir. + lib.mkWebapp = mkWebapp; + } + // flake-utils.lib.eachDefaultSystem (system: + let + pkgs = import nixpkgs { inherit system; }; + # One package per standalone, all using the aiolabs default brand. + # `nix build .#` exercises the builder for sanity / CI. + appPackages = pkgs.lib.genAttrs apps (app: mkWebapp { inherit pkgs app; }); + in + { + packages = appPackages // { + default = appPackages.main; + }; + }); +} From 14283f62e050eac8f11a9c0943a22afe80fc5971 Mon Sep 17 00:00:00 2001 From: Padreug Date: Wed, 10 Jun 2026 10:43:54 +0200 Subject: [PATCH 2/3] fix(nix): pin pnpm_10 and set CI=true for downstream consumers Two issues found when calling lib.mkWebapp from an external nixpkgs (server-deploy's scenario): - pnpm 10 in the sandbox aborts with ERR_PNPM_ABORTED_REMOVE_MODULES_DIR_NO_TTY when it sees a modules-purge prompt without a TTY. CI=true is pnpm's documented bypass; harmless on builds that don't need it. - Pinning pkgs.pnpm leaves it floating with the consumer's nixpkgs (flake's nixos-unstable has pnpm 11.5.1, system nixpkgs has 10.33, etc.). pnpmDeps hash is per-pnpm-version so a floating pnpm means consumers hit hash mismatches. Pinning pkgs.pnpm_10 locks to the same major series that produced the lockfile (package.json's packageManager: pnpm@10.33.0) while still allowing minor drift inside major-10. New pnpmDeps hash reflects pnpm_10's snapshot format. Verified end-to-end: `nix build --impure --expr '...lib.mkWebapp { brandDir = /tmp/fixture; app = "events"; }'` with an external pkgs produces a Sortir-branded dist-events (manifest name "Sortir", theme #dc2626, bg #fff5f5, HTML title "Sortir"). Co-Authored-By: Claude Opus 4.7 (1M context) --- flake.nix | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/flake.nix b/flake.nix index 97afeed..b937be4 100644 --- a/flake.nix +++ b/flake.nix @@ -21,15 +21,22 @@ src = ./.; + # Pin pnpm major version (10.x) regardless of consumer's nixpkgs + # so the pnpmDeps hash stays stable for downstream callers that + # bring their own pkgs. package.json's packageManager field + # declares pnpm@10.33.0; pnpm_10 satisfies that. + pnpm = pkgs.pnpm_10; + pnpmDeps = pkgs.fetchPnpmDeps { inherit (finalAttrs) pname version src; + inherit (finalAttrs) pnpm; fetcherVersion = 3; - hash = "sha256-GZuH5ndka9PEHjC00g+kUJW515Zj/+xW6DZQAaK8G4k="; + hash = "sha256-FUN2lMHsaBTkk1tljDysYZAoQD+5MIBIEvGnRUWiF4s="; }; nativeBuildInputs = [ pkgs.nodejs - pkgs.pnpm + finalAttrs.pnpm pkgs.pnpmConfigHook pkgs.autoPatchelfHook ]; @@ -47,6 +54,9 @@ env = { BRAND_DIR = "${brandDir}"; BRAND_APP = if app == "main" then "" else app; + # Avoid pnpm 10's interactive modules-purge prompt in the + # sandbox (ERR_PNPM_ABORTED_REMOVE_MODULES_DIR_NO_TTY). + CI = "true"; }; buildPhase = '' From 0ede6f70dbf1ae39f99cd9c04a5e460412bb6cff Mon Sep 17 00:00:00 2001 From: Padreug Date: Wed, 10 Jun 2026 10:46:17 +0200 Subject: [PATCH 3/3] docs(nix): document lib.mkWebapp in branding/README + CLAUDE.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit branding/README's "Integration with NixOS deployment" section now describes the actual lib.mkWebapp API + the per-host call site, with a ready-to-paste server-deploy snippet. Also documents the pnpm_10 pin, sharp/autoPatchelfHook handling, and CI=true bypass — anchors that surface in error logs and benefit from being grep-able. CLAUDE.md's NixOS deployment paragraph stops calling lib.mkWebapp a future TODO and points at the API directly. Adds a `nix build` recipe (default + impure brand override) for local sanity-checking. Part of aiolabs/webapp#97. Co-Authored-By: Claude Opus 4.7 (1M context) --- CLAUDE.md | 15 +++++++++------ branding/README.md | 29 ++++++++++++++++++++++++++++- 2 files changed, 37 insertions(+), 7 deletions(-) diff --git a/CLAUDE.md b/CLAUDE.md index 8008bc2..1ab8ab6 100644 --- a/CLAUDE.md +++ b/CLAUDE.md @@ -759,12 +759,15 @@ BRAND_DIR=branding/cfaun pnpm build:events instead of `@/assets/logo.png`. The latter still works for non-brand assets (`@/assets/bitcoin.svg`, etc.) — it's only the logo that moved. -**NixOS deployment:** brand directories will eventually live in -`deploy/server-deploy/hosts//branding/`, with each host's -`services/webapp.nix` calling `inputs.webapp.lib.mkWebapp { brandDir = -./../branding; }`. `flake.nix` exposing `lib.mkWebapp` is a follow-up -to this PR. Until it lands, server-deploy continues to build webapp -through its existing path. See aiolabs/server-deploy#8. +**NixOS deployment:** `flake.nix` exposes +`lib.mkWebapp { pkgs, brandDir ? ./branding/default, app ? "main" }`. +Server-deploy hosts call it from their `services/webapp.nix`: +`inputs.webapp.lib.mkWebapp { inherit pkgs; brandDir = ./../branding; app = "events"; }`. +Builder pins `pkgs.pnpm_10` regardless of consumer's nixpkgs (keeps +pnpmDeps hash stable downstream), uses `autoPatchelfHook` to handle +prebuilt sharp binaries, and sets `CI=true` to bypass pnpm's +interactive modules-purge prompt. Per-host migration tracked in +aiolabs/server-deploy#8. ## Payment Rails Pattern diff --git a/branding/README.md b/branding/README.md index 37bb1ce..b84ba6c 100644 --- a/branding/README.md +++ b/branding/README.md @@ -105,6 +105,33 @@ Outputs land in `public/icons/` (gitignored). ## Integration with NixOS deployment -See [aiolabs/webapp#95](https://git.atitlan.io/aiolabs/webapp/issues/95) for the full architecture. In short: `deploy/server-deploy/hosts//branding/` will hold per-host brands, and each host's `services/webapp.nix` will call `inputs.webapp.lib.mkWebapp { brandDir = ./../branding; }` once `lib.mkWebapp` is exposed from `flake.nix` (separate follow-up issue). +`flake.nix` exposes `lib.mkWebapp { pkgs, brandDir ? ./branding/default, app ? "main" }` for downstream consumers. Per-host wiring in `deploy/server-deploy/hosts//services/webapp.nix` looks like: + +```nix +{ inputs, pkgs, ... }: +{ + services.webapp.apps = { + main = inputs.webapp.lib.mkWebapp { inherit pkgs; brandDir = ./../branding; }; + events = inputs.webapp.lib.mkWebapp { inherit pkgs; brandDir = ./../branding; app = "events"; }; + wallet = inputs.webapp.lib.mkWebapp { inherit pkgs; brandDir = ./../branding; app = "wallet"; }; + }; +} +``` + +`brandDir` is either a path inside this flake (`./branding/`) or an external path (e.g. `./../branding` from server-deploy). Either way Nix copies it into the build sandbox. + +Builder details: +- Uses `pkgs.pnpm_10` regardless of consumer's nixpkgs, so the pnpmDeps hash stays stable across downstream nixpkgs versions. +- `pkgs.autoPatchelfHook` + `stdenv.cc.cc.lib` patch the prebuilt `@img/sharp-libvips-linux-*` binaries. +- `CI=true` bypasses pnpm 10's interactive modules-purge prompt in the sandbox. The architectural payoff: brand and code become independent axes. Logo changes ship via server-deploy commits + redeploys — no webapp release, no `flake.lock` bump. + +For local sanity: + +```bash +nix build .#main # hub with aiolabs default brand +nix build .#events # events standalone with aiolabs default +# events with a custom brand (the impure way, ad-hoc): +nix build --impure --expr 'let pkgs = import {}; flake = builtins.getFlake (toString ./.); in flake.lib.mkWebapp { inherit pkgs; brandDir = /path/to/brand; app = "events"; }' +```