Merge pull request 'feat(nix): flake.nix exposing lib.mkWebapp' (#98 ) from feat/flake-mkwebapp into dev

Reviewed-on: #98
docs(nix): document lib.mkWebapp in branding/README + CLAUDE.md
2026-06-10 13:52:29 +00:00 · 2026-06-10 10:46:17 +02:00 · 2026-06-10 10:43:54 +02:00 · 2026-06-10 10:21:40 +02:00
4 changed files with 198 additions and 7 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -759,12 +759,15 @@ BRAND_DIR=branding/cfaun pnpm build:events
 instead of `@/assets/logo.png`. The latter still works for non-brand
 assets (`@/assets/bitcoin.svg`, etc.) — it's only the logo that moved.
-**NixOS deployment:** brand directories will eventually live in
+**NixOS deployment:** `flake.nix` exposes
-`deploy/server-deploy/hosts/<host>/branding/`, with each host's
+`lib.mkWebapp { pkgs, brandDir ? ./branding/default, app ? "main" }`.
-`services/webapp.nix` calling `inputs.webapp.lib.mkWebapp { brandDir =
+Server-deploy hosts call it from their `services/webapp.nix`:
-./../branding; }`. `flake.nix` exposing `lib.mkWebapp` is a follow-up
+`inputs.webapp.lib.mkWebapp { inherit pkgs; brandDir = ./../branding; app = "events"; }`.
-to this PR. Until it lands, server-deploy continues to build webapp
+Builder pins `pkgs.pnpm_10` regardless of consumer's nixpkgs (keeps
-through its existing path. See aiolabs/server-deploy#8.
+pnpmDeps hash stable downstream), uses `autoPatchelfHook` to handle
 prebuilt sharp binaries, and sets `CI=true` to bypass pnpm's
 interactive modules-purge prompt. Per-host migration tracked in
 aiolabs/server-deploy#8.
 ## Payment Rails Pattern
--- a/branding/README.md
+++ b/branding/README.md
@ -105,6 +105,33 @@ Outputs land in `public/icons/` (gitignored).
 ## Integration with NixOS deployment
-See [aiolabs/webapp#95](https://git.atitlan.io/aiolabs/webapp/issues/95) for the full architecture. In short: `deploy/server-deploy/hosts/<host>/branding/` will hold per-host brands, and each host's `services/webapp.nix` will call `inputs.webapp.lib.mkWebapp { brandDir = ./../branding; }` once `lib.mkWebapp` is exposed from `flake.nix` (separate follow-up issue).
+`flake.nix` exposes `lib.mkWebapp { pkgs, brandDir ? ./branding/default, app ? "main" }` for downstream consumers. Per-host wiring in `deploy/server-deploy/hosts/<host>/services/webapp.nix` looks like:
 ```nix
 { inputs, pkgs, ... }:
 {
  services.webapp.apps = {
    main   = inputs.webapp.lib.mkWebapp { inherit pkgs; brandDir = ./../branding; };
    events = inputs.webapp.lib.mkWebapp { inherit pkgs; brandDir = ./../branding; app = "events"; };
    wallet = inputs.webapp.lib.mkWebapp { inherit pkgs; brandDir = ./../branding; app = "wallet"; };
  };
 }
 ```
 `brandDir` is either a path inside this flake (`./branding/<name>`) or an external path (e.g. `./../branding` from server-deploy). Either way Nix copies it into the build sandbox.
 Builder details:
 - Uses `pkgs.pnpm_10` regardless of consumer's nixpkgs, so the pnpmDeps hash stays stable across downstream nixpkgs versions.
 - `pkgs.autoPatchelfHook` + `stdenv.cc.cc.lib` patch the prebuilt `@img/sharp-libvips-linux-*` binaries.
 - `CI=true` bypasses pnpm 10's interactive modules-purge prompt in the sandbox.
 The architectural payoff: brand and code become independent axes. Logo changes ship via server-deploy commits + redeploys — no webapp release, no `flake.lock` bump.
 For local sanity:
 ```bash
 nix build .#main          # hub with aiolabs default brand
 nix build .#events        # events standalone with aiolabs default
 # events with a custom brand (the impure way, ad-hoc):
 nix build --impure --expr 'let pkgs = import <nixpkgs> {}; flake = builtins.getFlake (toString ./.); in flake.lib.mkWebapp { inherit pkgs; brandDir = /path/to/brand; app = "events"; }'
 ```
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,61 @@
 {
  "nodes": {
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1780749050,
        "narHash": "sha256-3av0pIjlOWQ6rDbNOmpUSvbNnJkGORQKKjb4LtCZsIY=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "a799d3e3886da994fa307f817a6bc705ae538eeb",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": "nixpkgs"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,100 @@
 {
  description = "AIO webapp — modular Vue 3 + Vite shell with Lightning + Nostr standalones";
  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };
  outputs = { self, nixpkgs, flake-utils }:
    let
      apps = [ "main" "events" "wallet" "chat" "market" "forum" "tasks" "restaurant" "libra" ];
      mkWebapp = { pkgs, brandDir ? ./branding/default, app ? "main" }:
        let
          buildScript = if app == "main" then "build" else "build:${app}";
          outDir = if app == "main" then "dist" else "dist-${app}";
        in
        pkgs.stdenv.mkDerivation (finalAttrs: {
          pname = "aio-webapp-${app}";
          version = "0.0.0";
          src = ./.;
          # Pin pnpm major version (10.x) regardless of consumer's nixpkgs
          # so the pnpmDeps hash stays stable for downstream callers that
          # bring their own pkgs. package.json's packageManager field
          # declares pnpm@10.33.0; pnpm_10 satisfies that.
          pnpm = pkgs.pnpm_10;
          pnpmDeps = pkgs.fetchPnpmDeps {
            inherit (finalAttrs) pname version src;
            inherit (finalAttrs) pnpm;
            fetcherVersion = 3;
            hash = "sha256-FUN2lMHsaBTkk1tljDysYZAoQD+5MIBIEvGnRUWiF4s=";
          };
          nativeBuildInputs = [
            pkgs.nodejs
            finalAttrs.pnpm
            pkgs.pnpmConfigHook
            pkgs.autoPatchelfHook
          ];
          # sharp's prebuilt libvips binaries (under @img/sharp-libvips-*)
          # are dynamically linked; autoPatchelfHook needs the runtime libs.
          buildInputs = [
            pkgs.stdenv.cc.cc.lib
          ];
          # Brand kit env knobs read by vite-branding.ts and
          # pwa-assets.config.ts. brandDir is either ./branding/default
          # (a path inside this flake's source) or an external path that
          # nix has copied into the build sandbox.
          env = {
            BRAND_DIR = "${brandDir}";
            BRAND_APP = if app == "main" then "" else app;
            # Avoid pnpm 10's interactive modules-purge prompt in the
            # sandbox (ERR_PNPM_ABORTED_REMOVE_MODULES_DIR_NO_TTY).
            CI = "true";
          };
          buildPhase = ''
            runHook preBuild
            pnpm run ${buildScript}
            runHook postBuild
          '';
          installPhase = ''
            runHook preInstall
            mkdir -p $out
            cp -r ${outDir} $out/
            runHook postInstall
          '';
          meta = with pkgs.lib; {
            description = "AIO webapp${if app == "main" then "" else " (${app} standalone)"}";
            homepage = "https://git.atitlan.io/aiolabs/webapp";
            license = licenses.mit;
            platforms = platforms.linux;
          };
        });
    in
    {
      # System-agnostic builder. Downstream NixOS hosts call this from
      # their services/webapp.nix with their own brandDir.
      lib.mkWebapp = mkWebapp;
    }
    // flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs { inherit system; };
        # One package per standalone, all using the aiolabs default brand.
        # `nix build .#<app>` exercises the builder for sanity / CI.
        appPackages = pkgs.lib.genAttrs apps (app: mkWebapp { inherit pkgs app; });
      in
      {
        packages = appPackages // {
          default = appPackages.main;
        };
      });
 }
Author	SHA1	Message	Date
padreug	b0ee932e77	Merge pull request 'feat(nix): flake.nix exposing lib.mkWebapp' (#98 ) from feat/flake-mkwebapp into dev Reviewed-on: #98	2026-06-10 13:52:29 +00:00
Padreug	0ede6f70db	docs(nix): document lib.mkWebapp in branding/README + CLAUDE.md branding/README's "Integration with NixOS deployment" section now describes the actual lib.mkWebapp API + the per-host call site, with a ready-to-paste server-deploy snippet. Also documents the pnpm_10 pin, sharp/autoPatchelfHook handling, and CI=true bypass — anchors that surface in error logs and benefit from being grep-able. CLAUDE.md's NixOS deployment paragraph stops calling lib.mkWebapp a future TODO and points at the API directly. Adds a `nix build` recipe (default + impure brand override) for local sanity-checking. Part of aiolabs/webapp#97. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-10 10:46:17 +02:00
Padreug	14283f62e0	fix(nix): pin pnpm_10 and set CI=true for downstream consumers Two issues found when calling lib.mkWebapp from an external nixpkgs (server-deploy's scenario): - pnpm 10 in the sandbox aborts with ERR_PNPM_ABORTED_REMOVE_MODULES_DIR_NO_TTY when it sees a modules-purge prompt without a TTY. CI=true is pnpm's documented bypass; harmless on builds that don't need it. - Pinning pkgs.pnpm leaves it floating with the consumer's nixpkgs (flake's nixos-unstable has pnpm 11.5.1, system nixpkgs has 10.33, etc.). pnpmDeps hash is per-pnpm-version so a floating pnpm means consumers hit hash mismatches. Pinning pkgs.pnpm_10 locks to the same major series that produced the lockfile (package.json's packageManager: pnpm@10.33.0) while still allowing minor drift inside major-10. New pnpmDeps hash reflects pnpm_10's snapshot format. Verified end-to-end: `nix build --impure --expr '...lib.mkWebapp { brandDir = /tmp/fixture; app = "events"; }'` with an external pkgs produces a Sortir-branded dist-events (manifest name "Sortir", theme #dc2626, bg #fff5f5, HTML title "Sortir"). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-10 10:43:54 +02:00
Padreug	08568fc0c0	feat(nix): add flake.nix exposing lib.mkWebapp Establishes the nix build path so deploy/server-deploy can call inputs.webapp.lib.mkWebapp { brandDir, app } per-host instead of running its own derivation. lib.mkWebapp { pkgs, brandDir ? ./branding/default, app ? "main" } returns a stdenv.mkDerivation that: - Uses pnpmConfigHook + fetchPnpmDeps (fetcherVersion = 3) to install node_modules from a hash-pinned snapshot, offline. - Wires brandDir into the BRAND_DIR env var so vite-branding.ts and pwa-assets.config.ts resolve the right brand. - Sets BRAND_APP from `app` so per-standalone overrides (branding/<dep>/icons/<app>/logo.*) work. - autoPatchelfHook + stdenv.cc.cc.lib patch the prebuilt @img/sharp-libvips-linux-x64 binaries to run under the nix sandbox. - Runs `pnpm run build` for the hub or `pnpm run build:<app>` for a standalone, then copies the resulting dist/ or dist-<app>/ into $out. Per-system exposure: - packages.<app> for each of main/events/wallet/chat/market/forum/ tasks/restaurant/libra — exercises the builder under CI. - packages.default = packages.main. Closes aiolabs/webapp#97. Server-deploy hosts can now migrate via aiolabs/server-deploy#8. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-10 10:21:40 +02:00