Add flake.nix to SRI

[Shourya742]

Add a flake.nix file to the repository to standardize and simplify the development environment setup using Nix flakes. This will ensure consistent dependency management, reproducible builds, and alignment across different systems and contributors. By introducing flake.nix, we can provide a unified configuration for tools, Rust toolchains, and any project-specific dependencies, streamlining the onboarding process and minimizing environment-related issues. The flake should define the required Rust version (aligned with rust-toolchain.toml) and any additional tools or components needed for development, testing, and CI pipelines.

[plebhash]

as a nix user, I find this idea quite interesting, but I feel this requires a bit more brainstorming

---

first and foremost, we cannot force any SRI contributors to start using nix... it has a steep learning curve and it can actually slow down productivity for those who are not used to it

therefore, it's very important to have the following restrictions in mind:

• any kind of critical workflow must remain as unopinionated as possible, only having nix as a convenient alternative for the contributors that decide to adopt it
• maintenance of *.nix files must be a burden for the nix-using contributors, not otherwise
• the trade-offs for maintenance must be justified... otherwise, we might find ourselves spending a lot of time on something just "because it's cool" without any real productivity benefits

---

second, the original proposal feels very broad and generic, and a few questions come to mind:

• what are the concrete problems that we're trying to tackle?
• why a flake.nix, and not a simple shell.nix?

---

again, as a nix user I like the idea and I'm not opposing it

but overall if we were to go in this direction, it's important to have a solid rationale!

[plebhash]

and any additional tools or components needed for development, testing, and CI pipelines.

CI pipelines is one example of something from @Shourya742 original proposal that I feel would not be a good idea

as much as I agree it would be extremely powerful to build a nix-based CI, that would become a blocker for non-nix-using contributors to maintain the CI

as stated above, we cannot force everyone to become nix users, and therefore the CI must remain as un-opinionated as possible

[plebhash]

streamlining the onboarding process

another example of something that would not be desirable

we must not use nix as an assumption or pre-requisite for onboarding

[plebhash]

@Georges760 I see you liked this issue, and you also mentioned you use a shell.nix for SRI development on your local setup

can you share your shell.nix and provide more insights on how nix is improving your workflow?

why are you using it? which problems are you solving?

[Georges760]

why are you using it?

because I switched to NixOS

which problems are you solving?

not having to install system-wide any toolchain/tools specific version for a specific project that may conflict with other toolchain/tools version for other project, it is very very efficient on that regard

[Georges760]

• de-offs

Of course, here is my shell.nix :

{ pkgs ? import <nixpkgs> {} }:
  let
    overrides = (builtins.fromTOML (builtins.readFile ./rust-toolchain.toml));
    libPath = with pkgs; lib.makeLibraryPath [
      # load external libraries that you need in your rust project here
    ];
in
  pkgs.mkShell rec {
    buildInputs = with pkgs; [
      clang
      cmake
      openssl
      # Replace llvmPackages with llvmPackages_X, where X is the latest LLVM version (at the time of writing, 16)
      llvmPackages.bintools
      pkg-config
      rustup
    ];
    RUSTC_VERSION = overrides.toolchain.channel;
    # https://github.com/rust-lang/rust-bindgen#environment-variables
    LIBCLANG_PATH = pkgs.lib.makeLibraryPath [ pkgs.llvmPackages_latest.libclang.lib ];
    shellHook = ''
      export PATH=$PATH:''${CARGO_HOME:-~/.cargo}/bin
      export PATH=$PATH:''${RUSTUP_HOME:-~/.rustup}/toolchains/$RUSTC_VERSION-x86_64-unknown-linux-gnu/bin/
      '';
    # Add precompiled library to rustc search path
    RUSTFLAGS = (builtins.map (a: ''-L ${a}/lib'') [
      # add libraries here (e.g. pkgs.libvmi)
    ]);
    PKG_CONFIG_PATH = "${pkgs.openssl.dev}/lib/pkgconfig";
    LD_LIBRARY_PATH = libPath;
    # Add glibc, clang, glib, and other headers to bindgen search path
    BINDGEN_EXTRA_CLANG_ARGS =
    # Includes normal include path
    (builtins.map (a: ''-I"${a}/include"'') [
      # add dev libraries here (e.g. pkgs.libvmi.dev)
      pkgs.glibc.dev
    ])
    # Includes with special directory paths
    ++ [
      ''-I"${pkgs.llvmPackages_latest.libclang.lib}/lib/clang/${pkgs.llvmPackages_latest.libclang.version}/include"''
      ''-I"${pkgs.glib.dev}/include/glib-2.0"''
      ''-I${pkgs.glib.out}/lib/glib-2.0/include/''
    ];
  }

It is a little bit messy, as I am on NixOS for few month only, and still learning it.

[plebhash]

thanks for sharing @Georges760, it's interesting to get some insight into how some contributors are leveraging nix for their workflows

I assume your shell.nix shared above also has some things for building bitcoin core (e.g.: cmake, openssl, pkg-config)?

I don't have any guesses for what clang and llvmPackages.bintools could be used for

which brings me to another question: are you using this file for other development workflows, or exclusively for SRI?

in case we decided to move forward with adding some .nix files to this repo (be it shell.nix or flake.nix), it would be important to have a very limited scope to SRI-related things only

(but this is just a general comment, I see you mentioned the shell.nix is a bit messy as you're still learning it)

[Georges760]

that's true, I kind of grown my shell.nix file while using it on different Rust crate dev.

the cmake/clang/bintools/openssl where added when I had to deal with some crates that either do some FFI/bindgen stuff or depend on FFI/bindgen crates, so not strictly during my contribution on SRI/no_std effort on protocols/sv2 because none of them does or depend on FFI/bindgen. But there are many other crates in SRI thay may do or depend on FFI/bindgen, so we may need them at some point.

FYI, the base instruction I used for my shell.nix was there : https://nixos.wiki/wiki/Rust
A flake.nix based solution is also proposed.

And up to now, I only used shell.nix, but I would love to switch to flakes soon.

[jbesraa]

may I ask why are you using nix? what kind of problems it solved for you while working on SRI?

[plebhash]

I'm going to answer your question with a broader context by sharing my nix journey. And then I'll add another comment about SRI specifically.

Before starting blockchain development, I used to do system integration for embedded systems, where highly deterministic and reproductible builds were a very important factor. In that universe, we start from source code and cross-compile package distributions for multiple target platforms, which sometimes have exotic architectures and toolchain management can be a pain in the ass if you're not using the right tools.

So in 2021, while in a previous shitcoin job, I went down the nix rabbit hole. The project I was working on had a nix culture, which motivated me to start learning. There was nothing too powerful though, it mostly revolved around using some basic shell.nix files for deterministic toolchain management.

I briefly attempted to switch over to nixOS but the learning curve was bringing my productivity down, so I switched back to ubuntu. Later in 2023 I started using a MacBook as my main workstation, which allowed me to give nixOS another try as my secondary workstation (which wouldn't block my productivity). That helped me slowly evolve into more average to advanced knowledge of nix.

As I gave up on shitcoin life, the Bitcoin ecosystem further motivated me to continue exploring this universe. A few projects come to mind in this context:

• nix-bitcoin: which today I use as the main tool for my sovereign deployment of bitcoind and clightning nodes, plus some extras (e.g.: local mempool explorer, RTL, etc).
• btc++ nix edition: in 2023 there was an entire btc++ event dedicated for the nix topic, with many interesting talks.
• Bitcoin Core Guix: Guix is actually the equivalent GNU alternative to nix (think emacs vs vim). Bitcoin Core uses Guix to enforce a highly deterministic (aka "bootstrappable") build pipeline, which is arguably one of the best ways to defend against supply-chain attacks.

I know that at some point in time @Fi3 used also Guix for some parts of his development workflow for SRI. If you grep for guix on the repo you can find some historic traces of that time. Unfortunately at this point I'm kind of married to nix (emacs vs vim 😛) so I never really explored the SRI Guix stuff in depth.

Finally, in 2024 I started making some contributions to the nix/bitcoin ecosystem, namely:

• nix-bitcoin-core-archive: which is a repo I initially started with the silly idea of building old releases of Bitcoin Core. But nowadays, I mostly use as a convenient way to build forks, most notably the Sv2 Patch by Sjors, but also including other ones like Braidpool's CPUnet and benthecarman's MutinyNet.
• lianad on nixpkgs: I wanted to use Liana wallet on my sovereign nix-bitcoin setup, but only the GUI version was available, and my setup is headless. So I made this PR to also include the CLI version.
• libmultiprocess on nixpkgs: this is actually on my backlog/todo list. libmultiprocess is being developed by chaincode labs and it's being used as the main component for the new IPC approach of Bitcoin Core (which will eventually be used for Sv2 TP). While I was in India exploring the IPC-based Sv2 TP with @Shourya742, I tried to add a build of Sjors' IPC-based Sv2 TP branch on into my nix-bitcoin-core-archive and realized I was blocked by this libmultiprocess+nixpkgs pre-requisite. If I get this PR merged I feel this will be my most meaningful contribution to the nix/bitcoin ecosystem 🏆

[plebhash]

now, brainstorming a bit on how nix could be leveraged to boost productivity on SRI development:

aside from the low-hanging-fruit of deterministic toolchain management, I can also imagine some interesting workflows for live testing setups

for example, whenever I want to test SRI on a live setup (meaning: some TP connected to testnet4, signet or mainnet, plus roles), I always do the deployment manually.

it's kind of a boring task where I manually open multiple terminals and start the different processes.

this is also assuming I already have a built TP (which I usually do via nix-bitcoin-core-archive)... but in case it's a fresh setup, I also have to build that TP first

a flake.nix could be leveraged to automate this workflow (via shellHook), where simply running nix develop would provide shell tools to automate the entire process of building a TP, syncing the TP to the desired network, and then starting the different roles supporting multiple configurations (e.g.: Pool+tProxy, Pool+JDS+JDC+tProxy, etc) to be specified by the user

one could argue that this can also be automated by simple shell scripting, but that's the beauty of nix: all the dependency management (e.g.: cmake, pkg-config, rustup, cargo, etc) would be constrained to this nix environment, and it would deterministically work on macOS, linux, x86-64, aarch64 and whatever flavors we wanted to support

obviously this would not be a replacement for our Integration Tests, which are crucial for CI automation of pure-Rust testing in regtest setups

but sometimes live setups are still useful (and even important), for example if we want to make tests with beefy hashpower from real ASICs

[Georges760]

may I ask why are you using nix? what kind of problems it solved for you while working on SRI?

I was bored to lose (again) my whole ubuntu system at a "dist-upgrade", so wanted to test NixOS. I kind of like it now, begining was difficult (like Rust) but once everything is running, it is very convenient to maintain.

[plebhash]

another relevant point is that using nixOS is not a pre-requisite for using nix

it can still be installed into regular linux distributions and macOS

nixOS is simply an entire linux distribution based on this tool

[Georges760]

very true

[plebhash]

my rant above actually made me realize something that is kind of adjacent to this discussion:

do we want to maintain the legacy Guix things on the SRI repo?

here's a quick search for guix string on the repo:

$ rg guix
examples/interop-cpp-no-cargo/run-with-guix-build.sh
12:./guix-build/build.sh

test/interop.cpp
1:#include <guix-example.h>
20:        printf("guix-example ok\n");

examples/interop-cpp-no-cargo/guix-build/build.sh
3:guix environment \
4:        -m ./guix-build/example.scm \
11:        -- /build/guix-build/in_container_build.sh

examples/interop-cpp-no-cargo/README.md
6:`./run-with-guix-build.sh` will build the example with guix and run it

examples/interop-cpp/README.md
13:This crate also provide an [example](./template-provider/example-of-guix-build) of how to build
14:the `sv2-ffi` as a static library using guix.
191:[here](./template-provider/example-of-guix-build/build.sh).
196:2. Calls g++ in a guix container defined [here](./template-provider/example-of-guix-build/example.scm)
200:[guix cargo build system](`https://github.com/guix-mirror/guix/blob/13c4a377f5a2e1240790679f3d5643385b6d7635/guix/build-system/cargo.scm`).
205:`sv2_ffi` is a library crate and the guix default behavior is to not install the Rust library such that the

examples/interop-cpp/template-provider/example-of-guix-build/build.sh
15:guix environment \

examples/interop-cpp/template-provider/in_container_build.sh
11: -o /example/example-of-guix-build/a.out

examples/interop-cpp/template-provider/example-of-guix-build/example.scm
2:  (guix search-paths)
3:  (guix store)
4:  (guix utils)
5:  (guix derivations)
6:  (guix packages)
7:  (guix build-system)
8:  (guix build-system gnu)
35:  `((guix build cargo-utils)
40:  `((guix build cargo-build-system)
41:    (guix build json)
48:                      (vendor-dir "guix-vendor")
55:                      (phases '(@ (guix build cargo-build-system)
62:                      (modules '((guix build cargo-build-system)
63:                                 (guix build utils))))
129:Forked from ((guix packages) transitive-inputs) since this extraction
258:  (guix licenses)
259:  ;(guix build-system cargo2)
260:  (guix build-system copy)
261:  (guix download)
262:  (guix packages)

[plebhash]

@Fi3 any compelling reason to keep this around?

[plebhash]

@Fi3 over Discord:

we had guix cause is was needed to build SRI in core
that's it
since we decided to not use SRI in core is unmaintained
I don't know if you can builld the actual stack on guix
if I have to guess I would say no