From 378a16d621561352c7446e64eabf24c7649b9009 Mon Sep 17 00:00:00 2001 From: Padreug Date: Wed, 10 Jun 2026 16:19:04 +0200 Subject: [PATCH] fix(nix): pin pnpm bits to flake's own nixpkgs, not consumer's MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit mkWebapp was passing the consumer's `pkgs.pnpm_10` into fetchPnpmDeps, which means the pnpmDeps snapshot is byte-for-byte different across consumers using different nixpkgs minor versions (flake's nixos-unstable has pnpm_10@10.34.0, server-deploy's nixpkgs may have a different 10.x). The pinned hash matches one snapshot exactly, so the wrong consumer gets: ERR_PNPM_NO_OFFLINE_TARBALL @vite-pwa/assets-generator-1.0.2.tgz at deploy time. Fix: derive a `flakePkgs` from THIS flake's pinned nixpkgs (via `flakePkgsFor`) and source pnpm, pnpmConfigHook, fetchPnpmDeps, nodejs, autoPatchelfHook, stdenv, and stdc++ from it. The consumer's `pkgs` argument is now used only for its system attribute. Net effect: the pnpmDeps snapshot is now reproducible regardless of who's calling mkWebapp. The pinned hash sha256-FUN2lMHsaBTkk1tljDysYZAoQD+5MIBIEvGnRUWiF4s= remains valid (it was computed against the flake's own nixpkgs originally). Verified: - `nix build .#main` — produces same dist/ as before (uses flake pkgs internally either way) - `nix build --impure --expr '...lib.mkWebapp { pkgs = ; ... }'` — now succeeds with the system's nixpkgs, where it would fail before with NO_OFFLINE_TARBALL on @vite-pwa/assets-generator Co-Authored-By: Claude Opus 4.7 (1M context)
---
 flake.nix | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/flake.nix b/flake.nix
index b937be4..588438c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -10,24 +10,32 @@ let apps = [ "main" "events" "wallet" "chat" "market" "forum" "tasks" "restaurant" "libra" ]; + # Use this flake's pinned nixpkgs for the build, regardless of which + # nixpkgs the consumer's `pkgs` is from. Without this, the pnpmDeps + # hash drifts as soon as a consumer's nixpkgs has a different + # pnpm_10 minor version (snapshots are byte-for-byte different per + # pnpm version). Only `pkgs`'s system attribute is honored. + flakePkgsFor = pkgs: import nixpkgs { + inherit (pkgs.stdenv.hostPlatform) system; + }; + mkWebapp = { pkgs, brandDir ? ./branding/default, app ? "main" }: let buildScript = if app == "main" then "build" else "build:${app}"; outDir = if app == "main" then "dist" else "dist-${app}"; + flakePkgs = flakePkgsFor pkgs; in - pkgs.stdenv.mkDerivation (finalAttrs: { + flakePkgs.stdenv.mkDerivation (finalAttrs: { pname = "aio-webapp-${app}"; version = "0.0.0"; src = ./.; - # Pin pnpm major version (10.x) regardless of consumer's nixpkgs - # so the pnpmDeps hash stays stable for downstream callers that - # bring their own pkgs. package.json's packageManager field - # declares pnpm@10.33.0; pnpm_10 satisfies that. - pnpm = pkgs.pnpm_10; + # pnpm comes from THIS flake's pinned nixpkgs (via flakePkgs), + # never the consumer's, so the pnpmDeps snapshot is stable. + pnpm = flakePkgs.pnpm_10; - pnpmDeps = pkgs.fetchPnpmDeps { + pnpmDeps = flakePkgs.fetchPnpmDeps { inherit (finalAttrs) pname version src; inherit (finalAttrs) pnpm; fetcherVersion = 3; @@ -35,16 +43,16 @@ }; nativeBuildInputs = [ - pkgs.nodejs + flakePkgs.nodejs finalAttrs.pnpm - pkgs.pnpmConfigHook - pkgs.autoPatchelfHook + flakePkgs.pnpmConfigHook + flakePkgs.autoPatchelfHook ]; # sharp's prebuilt libvips binaries (under @img/sharp-libvips-*) # are dynamically linked; autoPatchelfHook needs the runtime libs. buildInputs = [ - pkgs.stdenv.cc.cc.lib + flakePkgs.stdenv.cc.cc.lib ]; # Brand kit env knobs read by vite-branding.ts and 
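Review bot: `flakePkgsFor` imports nixpkgs with only `system` set, so `config` and `overlays` fall back to nixpkgs' defaults, which under impure evaluation (the `nix build --impure --expr` path named in the commit message) are read from the caller's environment and home directory. That leaves a route for the calling machine to alter the package set this change is trying to freeze. Passing both explicitly closes it: `import nixpkgs { inherit (pkgs.stdenv.hostPlatform) system; config = { }; overlays = [ ]; }`. The comment above `flakePkgsFor` could also say that the consumer's overlays and config are dropped on purpose, since a caller who patched pnpm or nodejs through an overlay will no longer see that patch applied here.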
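Review bot: The toolchain in `nativeBuildInputs` and `buildInputs` is now frozen to whatever this flake's lock file pins, so a consumer's newer or security-patched nodejs, pnpm hooks and libstdc++ no longer reach this build, and nothing in the hunk records that trade-off. A comment above `nativeBuildInputs` would keep a later edit from switching back to `pkgs.`: `# Toolchain comes from flakePkgs on purpose; update it by bumping flake.lock, not by using the consumer's pkgs.` A consumer that overrides this flake's nixpkgs input with `follows` would presumably replace the pinned set and see the pnpmDeps hash mismatch again, which is worth stating in the same comment or in the README. The derivation body continues outside the hunk.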
@@ -72,7 +80,7 @@ runHook postInstall ''; - meta = with pkgs.lib; { + meta = with flakePkgs.lib; { description = "AIO webapp${if app == "main" then "" else " (${app} standalone)"}"; homepage = "https://git.atitlan.io/aiolabs/webapp"; license = licenses.mit; -- 2.53.0