`e89ca39c2450`

8 files changed

modifiedCargo.tomldiff before after both

--- a/Cargo.toml
+++ b/Cargo.toml
@@ -23,3 +23,8 @@
 tokio = { version = "1.45.1", features = ["fs", "macros", "rt", "rt-multi-thread", "sync", "time"] }
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter", "fmt"] }
+
+[profile.dev]
+panic = "abort"
+[profile.release]
+panic = "abort"

modifiedcrates/fleet-base/src/fleetdata.rsdiff before after both

--- a/crates/fleet-base/src/fleetdata.rs
+++ b/crates/fleet-base/src/fleetdata.rs
@@ -121,12 +121,12 @@
 	})
 }
 
-#[derive(Serialize, Deserialize, Clone)]
+#[derive(Serialize, Deserialize, Clone, Debug)]
 pub struct FleetSecretPart {
 	pub raw: SecretData,
 }
 
-#[derive(Serialize, Deserialize, Clone)]
+#[derive(Serialize, Deserialize, Clone, Debug)]
 #[serde(rename_all = "camelCase")]
 #[must_use]
 pub struct FleetSecretData {
@@ -144,7 +144,7 @@
 	pub generation_data: Value,
 }
 
-#[derive(Serialize, Deserialize, Clone)]
+#[derive(Serialize, Deserialize, Clone, Debug)]
 #[serde(rename_all = "camelCase")]
 #[must_use]
 pub struct FleetSecretDistribution {

modifiedcrates/fleet-base/src/opts.rsdiff before after both

--- a/crates/fleet-base/src/opts.rs
+++ b/crates/fleet-base/src/opts.rs
@@ -22,7 +22,8 @@
 
 use crate::{
 	fleetdata::FleetData,
-	host::{Config, ConfigHost, FleetConfigInternals}, primops::init_primops,
+	host::{Config, ConfigHost, FleetConfigInternals},
+	primops::{PRIMOPS_DATA, init_primops},
 };
 
 #[derive(Clone)]
@@ -213,7 +214,7 @@
 			std::fs::read_to_string(&fleet_data_path).context("reading fleet state (fleet.nix)")?;
 		let data = Arc::new(Mutex::new(FleetData::from_str(&bytes)?));
 
-		init_primops(data.clone());
+		init_primops();
 
 		let mut fetch_settings = FetchSettings::new();
 		fetch_settings.set(c"warn-dirty", c"false");
@@ -264,8 +265,7 @@
 		if cfg!(debug_assertions) {
 			gc_now();
 		}
-
-		Ok(Config(Arc::new(FleetConfigInternals {
+		let config = Config(Arc::new(FleetConfigInternals {
 			directory,
 			data,
 			flake_outputs: flake,
@@ -275,6 +275,12 @@
 			default_pkgs,
 			nixpkgs,
 			localhost: self.localhost.to_owned(),
-		})))
+		}));
+
+		PRIMOPS_DATA
+			.set(config.clone())
+			.map_err(|_| ())
+			.expect("only one fleet config may exist per process");
+		Ok(config)
 	}
 }

modifiedcrates/fleet-base/src/primops.rsdiff before after both

--- a/crates/fleet-base/src/primops.rs
+++ b/crates/fleet-base/src/primops.rs
@@ -1,10 +1,15 @@
-use std::collections::HashMap;
-use std::sync::{Arc, Mutex};
+use std::cell::OnceCell;
+use std::collections::{BTreeMap, HashMap};
+use std::sync::{Arc, Mutex, OnceLock};
 
-use nix_eval::{NativeFn, Value};
-use tracing::info;
+use anyhow::{Context, bail};
+use itertools::Itertools;
+use nix_eval::{NativeFn, Value, nix_go, nix_go_json};
+use serde::Deserialize;
+use tracing::{info, warn};
 
 use crate::fleetdata::{FleetData, FleetSecrets};
+use crate::host::Config;
 
 #[derive(thiserror::Error, Debug)]
 enum Error {}
@@ -23,18 +28,76 @@
 
 struct FsSecretsBackend {}
 
-pub fn init_primops(secrets: Arc<Mutex<FleetData>>) {
+pub static PRIMOPS_DATA: OnceLock<Config> = OnceLock::new();
+
+#[derive(Deserialize, Debug)]
+struct GeneratorPart {
+	encrypted: bool,
+}
+
+pub fn init_primops() {
 	info!("initializing primops");
 	NativeFn::new(
 		c"__fleetEnsureHostSecret",
 		c"Ensure secret existence for a host, regenerating it in case of some mismatch",
 		[c"host", c"secret", c"generator"],
-		|[host, secret, generator]| {
-			todo!("ensure secret");
-			Ok(Value::new_attrs(HashMap::from_iter([(
-				"raw",
-				Value::new_str("rawData"),
-			)])))
+		|es, [host, secret, generator]| {
+			info!("get host");
+			let host = host.to_string()?;
+			info!("get secret");
+			let secret = secret.to_string()?;
+
+			info!("get config");
+			let config = PRIMOPS_DATA
+				.get()
+				.expect("primops data should be set on init");
+
+			info!("get pkgs");
+			let nixpkgs = &config.nixpkgs;
+			let default_pkgs = &config.default_pkgs;
+			let default_mk_secret_generators = nix_go!(default_pkgs.mkSecretGenerators);
+			let generators = nix_go!(default_mk_secret_generators(Obj {
+				recipients: <Vec<String>>::new(),
+			}));
+			let pkgs_and_generators = default_pkgs.clone().attrs_update(generators)?;
+
+			info!("call package");
+			let call_package = nix_go!(nixpkgs.lib.callPackageWith(pkgs_and_generators));
+			let default_generator = call_package
+				.call(generator.clone())
+				.context("calling callPackage with generator")?
+				.call(Value::new_attrs(HashMap::new()))
+				.context("providing extra callPackage args")?;
+
+			info!("get parts");
+			let mut parts: BTreeMap<String, GeneratorPart> = nix_go_json!(default_generator.parts);
+			info!("got parts: {parts:?}");
+
+			let Some(existing) = config
+				.host_secret(&host, &secret) else {
+				bail!("missing secret {secret} for host {host}; secret needs regeneration")
+			};
+
+			info!("got existing: {existing:?}");
+
+			let mut out = HashMap::new();
+
+			for (part_name, part) in &existing.secret.parts {
+				let Some(definition) = parts.remove(part_name) else {
+					warn!("secret {secret} part {part_name} is stored, but not defined in nixos config, it will not be passed to nix");
+					continue;
+				};
+				if definition.encrypted != part.raw.encrypted {
+					bail!("secret {secret} part {part_name} is supposed to be {}, but it is {}; secret needs regeneration", if definition.encrypted {"encrypted"} else {"unencrypted"}, if part.raw.encrypted {"encrypted"} else {"unencrypted"});
+				}
+				out.insert(part_name.as_str(), Value::new_attrs(HashMap::from_iter([("raw", Value::new_str(&part.raw.to_string()))])));
+			}
+			if !parts.is_empty(){
+				let defs = parts.keys().collect_vec();
+				bail!("secret parts are defined, but not stored: {defs:?}, secret needs regeneration")
+			}
+
+			Ok(Value::new_attrs(out))
 		},
 	)
 	.register();

modifiedcrates/nix-eval/src/lib.rsdiff before after both

1use std::borrow::Cow;2use std::cell::RefCell;3use std::ffi::{CStr, CString, c_char, c_int, c_uint, c_void};4use std::ptr::{null, null_mut};5use std::sync::LazyLock;6use std::{array, fmt, slice};7use std::{collections::HashMap, path::PathBuf};89use anyhow::{Context, anyhow, bail};10use itertools::Itertools;11use serde::Serialize;12use serde::de::DeserializeOwned;1314pub use anyhow::Result;15use tracing::instrument;1617use self::logging::{ErrorInfoBuilder, nix_logging_cxx};18use self::nix_cxx::set_fetcher_setting;19use self::nix_raw::{20	BindingsBuilder as c_bindings_builder, EvalState as c_eval_state, GC_SUCCESS,21	GC_allow_register_threads, GC_get_stack_base, GC_register_my_thread, GC_stack_base,22	GC_thread_is_registered, GC_unregister_my_thread, ListBuilder as c_list_builder, PrimOp,23	PrimOpFun, Store as c_store, StorePath as c_store_path, alloc_primop, alloc_value,24	bindings_builder_free, bindings_builder_insert, c_context, c_context_create, c_context_free,25	clear_err, copy_value, err_code, err_info_msg, err_msg, eval_state_build,26	eval_state_builder_load, eval_state_builder_new, eval_state_builder_set_eval_setting,27	expr_eval_from_string, fetchers_settings, fetchers_settings_free, fetchers_settings_new,28	flake_lock, flake_lock_flags, flake_lock_flags_free, flake_lock_flags_new, flake_reference,29	flake_reference_and_fragment_from_string, flake_reference_parse_flags,30	flake_reference_parse_flags_free, flake_reference_parse_flags_new,31	flake_reference_parse_flags_set_base_directory, flake_settings, flake_settings_free,32	flake_settings_new, gc_now as gc_now_raw, get_attr_byname, get_attr_name_byidx, get_attrs_size,33	get_list_byidx, get_list_size, get_string, get_type, has_attr_byname, init_bool, init_int,34	init_primop, init_string, libexpr_init, libstore_init, libutil_init, list_builder_free,35	list_builder_insert, locked_flake, locked_flake_free, locked_flake_get_output_attrs,36	make_attrs, make_bindings_builder, make_list, make_list_builder, realised_string,37	realised_string_free, realised_string_get_buffer_size, realised_string_get_buffer_start,38	realised_string_get_store_path, realised_string_get_store_path_count, register_primop,39	set_err_msg, setting_set, state_free, store_copy_closure, store_get_fs_closure, store_open,40	store_parse_path, store_path_free, store_path_name, string_realise, value, value_call,41	value_decref, value_incref,42};4344// Contains macros helpers45pub mod logging;46#[doc(hidden)]47pub mod macros;48pub mod util;4950#[allow(51	non_upper_case_globals,52	non_camel_case_types,53	non_snake_case,54	dead_code55)]56mod nix_raw {57	include!(concat!(env!("OUT_DIR"), "/bindings.rs"));58}59#[cxx::bridge]60pub mod nix_cxx {61	unsafe extern "C++" {62		type nix_fetchers_settings;63		include!("nix-eval/src/lib.hh");6465		unsafe fn set_fetcher_setting(66			settings: *mut nix_fetchers_settings,67			setting: *const c_char,68			value: *const c_char,69		);70	}71}7273#[derive(Debug, PartialEq, Eq)]74pub enum NixType {75	Thunk,76	Int,77	Float,78	Bool,79	String,80	Path,81	Null,82	Attrs,83	List,84	Function,85	External,86}87impl NixType {88	fn from_int(c: c_uint) -> Self {89		match c {90			0 => Self::Thunk,91			1 => Self::Int,92			2 => Self::Float,93			3 => Self::Bool,94			4 => Self::String,95			5 => Self::Path,96			6 => Self::Null,97			7 => Self::Attrs,98			8 => Self::List,99			9 => Self::Function,100			10 => Self::External,101			_ => unreachable!("unknown nix type: {c}"),102		}103	}104}105106enum FunctorKind {107	Function,108	Functor,109}110111#[derive(Debug)]112#[repr(i32)]113pub enum NixErrorKind {114	Unknown = 1,115	Overflow = 2,116	Key = 3,117	Generic = 4,118}119impl NixErrorKind {120	fn from_int(v: c_int) -> Option<Self> {121		Some(match v {122			0 => return None,123			-1 => Self::Unknown,124			-2 => Self::Overflow,125			-3 => Self::Key,126			-4 => Self::Generic,127			_ => {128				debug_assert!(false, "unexpected nix error kind: {v}");129				Self::Unknown130			}131		})132	}133}134135pub fn gc_now() {136	unsafe { gc_now_raw() };137}138139pub fn gc_register_my_thread() {140	assert_eq!(unsafe { GC_thread_is_registered() }, 0);141142	let mut sb = GC_stack_base {143		mem_base: null_mut(),144	};145	let r = unsafe { GC_get_stack_base(&mut sb) };146	if r as u32 != GC_SUCCESS {147		panic!("failed to get thread stack base");148	}149	unsafe { GC_register_my_thread(&sb) };150}151pub fn gc_unregister_my_thread() {152	assert_eq!(unsafe { GC_thread_is_registered() }, 1);153154	unsafe { GC_unregister_my_thread() };155}156157pub struct ThreadRegisterGuard {}158impl ThreadRegisterGuard {159	#[allow(clippy::new_without_default)]160	pub fn new() -> Self {161		gc_register_my_thread();162		Self {}163	}164}165impl Drop for ThreadRegisterGuard {166	fn drop(&mut self) {167		gc_unregister_my_thread();168	}169}170171#[repr(transparent)]172pub struct NixContext(*mut c_context);173impl NixContext {174	pub fn set_err(&mut self, err: NixErrorKind, msg: &CStr) {175		unsafe { set_err_msg(self.0, err as c_int, msg.as_ptr()) };176	}177	pub fn new() -> Self {178		let ctx = unsafe { c_context_create() };179		Self(ctx)180	}181	fn error_kind(&self) -> Option<NixErrorKind> {182		let code = unsafe { err_code(self.0) };183		NixErrorKind::from_int(code)184	}185	fn error<'t>(&self) -> Option<(Cow<'t, str>, Option<Box<ErrorInfoBuilder>>)> {186		if let NixErrorKind::Generic = self.error_kind()? {187			let ei = unsafe { logging::nix_logging_cxx::extract_error_info(self.0) };188			let mut err_out = String::new();189			unsafe {190				err_info_msg(191					null_mut(),192					self.0,193					Some(copy_nix_str),194					(&raw mut err_out).cast(),195				)196			};197			return Some((Cow::Owned(err_out), Some(ei)));198		};199200		// TODO: Can throw error (resulting in panic) if unable to retrieve error. Should be able to resolve by passing context as a first argument,201		// but it looks ugly202		let str = unsafe { err_msg(null_mut(), self.0, null_mut()) };203		Some((unsafe { CStr::from_ptr(str) }.to_string_lossy(), None))204	}205	fn clean_err(&mut self) {206		unsafe {207			clear_err(self.0);208		}209	}210211	fn bail_if_error(&self) -> Result<()> {212		if let Some((err, stack)) = self.error() {213			let mut e = Err(anyhow!("{err}"));214			if let Some(stack) = stack {215				for ele in stack.stack_frames {216					e = e.with_context(|| {217						if ele.pos.is_empty() {218							ele.msg219						} else {220							format!("{} at {}", ele.msg, ele.pos)221						}222					})223				}224			}225			return e.context("<nix frames>");226		};227		Ok(())228	}229230	fn run_in_context<T>(&mut self, f: impl FnOnce(*mut c_context) -> T) -> Result<T> {231		self.clean_err();232		let o = f(self.0);233		self.bail_if_error()?;234		self.clean_err();235		Ok(o)236	}237}238239impl Default for NixContext {240	fn default() -> Self {241		Self::new()242	}243}244impl Drop for NixContext {245	fn drop(&mut self) {246		unsafe {247			c_context_free(self.0);248		}249	}250}251struct GlobalState {252	// Store should be valid as long as EvalState is valid253	#[allow(dead_code)]254	store: Store,255	state: EvalState,256}257impl GlobalState {258	fn new() -> Result<Self> {259		let mut ctx = NixContext::new();260		let store = ctx261			.run_in_context(|c| unsafe { store_open(c, c"auto".as_ptr(), null_mut()) })262			.map(Store)?;263264		let builder = ctx.run_in_context(|c| unsafe { eval_state_builder_new(c, store.0) })?;265		ctx.run_in_context(|c| unsafe { eval_state_builder_load(c, builder) })?;266		ctx.run_in_context(|c| unsafe {267			eval_state_builder_set_eval_setting(268				c,269				builder,270				c"lazy-trees".as_ptr(),271				c"true".as_ptr(),272			)273		})?;274		ctx.run_in_context(|c| unsafe {275			eval_state_builder_set_eval_setting(276				c,277				builder,278				c"lazy-locks".as_ptr(),279				c"true".as_ptr(),280			)281		})?;282		let state = ctx283			.run_in_context(|c| unsafe { eval_state_build(c, builder) })284			.map(EvalState)?;285286		Ok(Self { store, state })287	}288}289290struct ThreadState {291	ctx: NixContext,292}293impl ThreadState {294	fn new() -> Result<Self> {295		let ctx = NixContext::new();296297		Ok(Self { ctx })298	}299}300301static GLOBAL_STATE: LazyLock<GlobalState> =302	LazyLock::new(|| GlobalState::new().expect("global state init shouldn't fail"));303304thread_local! {305	static THREAD_STATE: RefCell<ThreadState> = RefCell::new(ThreadState::new().expect("thread state init shouldn't fail"));306}307fn with_default_context<T>(f: impl FnOnce(*mut c_context, *mut c_eval_state) -> T) -> Result<T> {308	let global = &GLOBAL_STATE.state;309	let (ctx, state) = THREAD_STATE.with_borrow_mut(|w| (w.ctx.0, global.0));310	let mut ctx = NixContext(ctx);311	let v = ctx.run_in_context(|c| f(c, state));312	// It is reused for thread313	std::mem::forget(ctx);314	v315}316317pub fn set_setting(s: &CStr, v: &CStr) -> Result<()> {318	with_default_context(|c, _| unsafe { setting_set(c, s.as_ptr(), v.as_ptr()) }).map(|_| ())319}320321pub struct FetchSettings(*mut fetchers_settings);322impl FetchSettings {323	pub fn new() -> Self {324		Self::try_new().expect("allocation should not fail")325	}326	fn try_new() -> Result<Self> {327		with_default_context(|c, _| unsafe { fetchers_settings_new(c) }).map(Self)328	}329	pub fn set(&mut self, setting: &CStr, value: &CStr) {330		unsafe {331			set_fetcher_setting(self.0.cast(), setting.as_ptr(), value.as_ptr());332		};333	}334}335unsafe impl Send for FetchSettings {}336unsafe impl Sync for FetchSettings {}337338impl Default for FetchSettings {339	fn default() -> Self {340		Self::new()341	}342}343344impl Drop for FetchSettings {345	fn drop(&mut self) {346		unsafe { fetchers_settings_free(self.0) };347	}348}349pub struct FlakeSettings(*mut flake_settings);350impl FlakeSettings {351	pub fn new() -> Result<Self> {352		with_default_context(|c, _| unsafe { flake_settings_new(c) }).map(Self)353	}354}355unsafe impl Send for FlakeSettings {}356unsafe impl Sync for FlakeSettings {}357impl Drop for FlakeSettings {358	fn drop(&mut self) {359		unsafe {360			flake_settings_free(self.0);361		}362	}363}364365pub struct FlakeReferenceParseFlags(*mut flake_reference_parse_flags);366impl FlakeReferenceParseFlags {367	pub fn new(settings: &FlakeSettings) -> Result<Self> {368		with_default_context(|c, _| unsafe { flake_reference_parse_flags_new(c, settings.0) })369			.map(Self)370	}371	pub fn set_base_dir(&mut self, dir: &str) -> Result<()> {372		with_default_context(|c, _| {373			unsafe {374				flake_reference_parse_flags_set_base_directory(375					c,376					self.0,377					dir.as_ptr().cast(),378					dir.len(),379				)380			};381		})382	}383}384impl Drop for FlakeReferenceParseFlags {385	fn drop(&mut self) {386		unsafe {387			flake_reference_parse_flags_free(self.0);388		}389	}390}391pub struct FlakeLockFlags(*mut flake_lock_flags);392impl FlakeLockFlags {393	pub fn new(settings: &FlakeSettings) -> Result<Self> {394		let o = with_default_context(|c, _| unsafe { flake_lock_flags_new(c, settings.0) })395			.map(Self)?;396		// with_default_context(|c, _| unsafe { flake_lock_flags_set_mode_virtual(c, o.0) })?;397398		Ok(o)399	}400}401impl Drop for FlakeLockFlags {402	fn drop(&mut self) {403		unsafe {404			flake_lock_flags_free(self.0);405		}406	}407}408409unsafe extern "C" fn copy_nix_str(start: *const c_char, n: c_uint, user_data: *mut c_void) {410	let s = unsafe { slice::from_raw_parts(start.cast::<u8>(), n as usize) };411	let s = std::str::from_utf8(s).expect("c string has invalid utf-8");412	unsafe { *user_data.cast::<String>() = s.to_owned() };413}414415struct Store(*mut c_store);416unsafe impl Send for Store {}417unsafe impl Sync for Store {}418419impl Store {420	fn parse_path(&self, path: &CStr) -> Result<StorePath> {421		with_default_context(|c, _| {422			StorePath(unsafe { store_parse_path(c, self.0, path.as_ptr()) })423		})424	}425}426427struct EvalState(*mut c_eval_state);428unsafe impl Send for EvalState {}429unsafe impl Sync for EvalState {}430431impl Drop for EvalState {432	fn drop(&mut self) {433		unsafe {434			state_free(self.0);435		}436	}437}438439pub struct FlakeReference(*mut flake_reference);440impl FlakeReference {441	#[instrument(name = "new-flake-reference", skip(flake, parse, fetch))]442	pub fn new(443		s: &str,444		flake: &FlakeSettings,445		parse: &FlakeReferenceParseFlags,446		fetch: &FetchSettings,447	) -> Result<(Self, String)> {448		let mut out = null_mut();449		let mut fragment = String::new();450		// let fetch_settings = fetcher_settings;451		with_default_context(|c, _| unsafe {452			flake_reference_and_fragment_from_string(453				c,454				fetch.0,455				flake.0,456				parse.0,457				s.as_ptr().cast(),458				s.len(),459				&mut out,460				Some(copy_nix_str),461				(&raw mut fragment).cast(),462			)463		})?;464		assert!(!out.is_null());465466		Ok((Self(out), fragment))467	}468	#[instrument(name = "lock-flake", skip(self, fetch, flake, lock))]469	pub fn lock(470		&mut self,471		fetch: &FetchSettings,472		flake: &FlakeSettings,473		lock: &FlakeLockFlags,474	) -> Result<LockedFlake> {475		with_default_context(|c, es| unsafe { flake_lock(c, fetch.0, flake.0, es, lock.0, self.0) })476			.map(LockedFlake)477	}478}479unsafe impl Send for FlakeReference {}480unsafe impl Sync for FlakeReference {}481482pub struct LockedFlake(*mut locked_flake);483impl LockedFlake {484	pub fn get_attrs(&self, settings: &mut FlakeSettings) -> Result<Value> {485		with_default_context(|c, es| unsafe {486			locked_flake_get_output_attrs(c, settings.0, es, self.0)487		})488		.map(Value)489	}490}491unsafe impl Send for LockedFlake {}492unsafe impl Sync for LockedFlake {}493impl Drop for LockedFlake {494	fn drop(&mut self) {495		unsafe {496			locked_flake_free(self.0);497		};498	}499}500501type FieldName = [u8; 64];502fn init_field_name(v: &str) -> FieldName {503	let mut f = [0; 64];504	assert!(v.len() < 64, "max field name is 63 chars");505	assert!(506		v.bytes().all(|v| v != 0),507		"nul bytes are unsupported in field name"508	);509	f[0..v.len()].copy_from_slice(v.as_bytes());510	f511}512513pub struct RealisedString(*mut realised_string);514impl fmt::Debug for RealisedString {515	fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {516		self.as_str().fmt(f)517	}518}519520impl RealisedString {521	pub fn as_str(&self) -> &str {522		let len = unsafe { realised_string_get_buffer_size(self.0) };523		let data: *const u8 = unsafe { realised_string_get_buffer_start(self.0) }.cast();524		let data = unsafe { slice::from_raw_parts(data, len) };525		std::str::from_utf8(data).expect("non-utf8 strings not supported")526	}527	pub fn path_count(&self) -> usize {528		unsafe { realised_string_get_store_path_count(self.0) }529	}530	pub fn path(&self, i: usize) -> String {531		assert!(i < self.path_count());532		let path = unsafe { realised_string_get_store_path(self.0, i) };533		let mut err_out = String::new();534		unsafe { store_path_name(path, Some(copy_nix_str), (&raw mut err_out).cast()) };535		err_out536	}537}538539unsafe impl Send for RealisedString {}540impl Drop for RealisedString {541	fn drop(&mut self) {542		unsafe { realised_string_free(self.0) }543	}544}545546#[repr(transparent)]547pub struct Value(*mut value);548549unsafe impl Send for Value {}550unsafe impl Sync for Value {}551552pub trait AsFieldName {553	fn as_field_name<T>(&self, v: impl FnOnce(FieldName) -> Result<T>) -> Result<T>;554	fn to_field_name(&self) -> Result<String>;555}556impl AsFieldName for Value {557	fn as_field_name<T>(&self, v: impl FnOnce(FieldName) -> Result<T>) -> Result<T> {558		let f = self.to_string()?;559		v(init_field_name(&f))560	}561	fn to_field_name(&self) -> Result<String> {562		self.to_string()563	}564}565impl<E> AsFieldName for E566where567	E: AsRef<str>,568{569	fn as_field_name<T>(&self, v: impl FnOnce(FieldName) -> Result<T>) -> Result<T> {570		let f = self.as_ref();571		v(init_field_name(f))572	}573	fn to_field_name(&self) -> Result<String> {574		Ok(self.as_ref().to_owned())575	}576}577578struct AttrsBuilder(*mut c_bindings_builder);579impl AttrsBuilder {580	fn new(capacity: usize) -> Self {581		with_default_context(|c, es| unsafe { make_bindings_builder(c, es, capacity) })582			.map(Self)583			.expect("alloc should not fail")584	}585	fn insert(&mut self, k: &impl AsFieldName, v: Value) {586		k.as_field_name(|name| {587			with_default_context(|c, _| unsafe {588				bindings_builder_insert(c, self.0, name.as_ptr().cast(), v.0);589				// bindings_builder_insert doesn't do incref590			})591		})592		.expect("builder insert shouldn't fail");593	}594}595impl Drop for AttrsBuilder {596	fn drop(&mut self) {597		unsafe { bindings_builder_free(self.0) };598	}599}600601struct ListBuilder(*mut c_list_builder, c_uint);602impl ListBuilder {603	fn new(capacity: usize) -> Self {604		with_default_context(|c, es| unsafe { make_list_builder(c, es, capacity) })605			.map(|l| Self(l, 0))606			.expect("alloc should not fail")607	}608}609impl ListBuilder {610	fn push(&mut self, v: Value) {611		with_default_context(|c, _| unsafe {612			list_builder_insert(613				c,614				self.0,615				{616					let v = self.1;617					self.1 += 1;618					v619				},620				v.0,621			)622		})623		.expect("list insert shouldn't fail");624	}625}626impl Drop for ListBuilder {627	fn drop(&mut self) {628		unsafe { list_builder_free(self.0) };629	}630}631632impl Value {633	pub fn new_primop(v: NativeFn) -> Self {634		let out = Self::new_uninit();635		with_default_context(|c, _| unsafe { init_primop(c, out.0, v.0) })636			.expect("primop initialization should not fail");637		out638	}639	pub fn new_attrs(v: HashMap<&str, Value>) -> Self {640		let out = Self::new_uninit();641		let mut b = AttrsBuilder::new(v.len());642		for (k, v) in v {643			b.insert(&k, v);644		}645		with_default_context(|c, _| unsafe { make_attrs(c, out.0, b.0) })646			.expect("attrs initialization should not fail");647648		out649	}650	fn new_list<T: Into<Self>>(v: Vec<T>) -> Self {651		let out = Self::new_uninit();652		let mut b = ListBuilder::new(v.len());653		for v in v {654			b.push(v.into());655		}656		with_default_context(|c, _| unsafe { make_list(c, b.0, out.0) })657			.expect("list initialization should not fail");658659		out660	}661	fn new_uninit() -> Self {662		let out = with_default_context(|c, es| unsafe { alloc_value(c, es) })663			.expect("value allocation should not fail");664		Self(out)665	}666	pub fn new_str(v: &str) -> Self {667		let s = CString::new(v).expect("string should not contain NULs");668		let out = Self::new_uninit();669		// String is copied, `s` is free to be dropped670		with_default_context(|c, _| unsafe { init_string(c, out.0, s.as_ptr()) })671			.expect("string initialization should not fail");672		out673	}674	pub fn new_int(i: i64) -> Self {675		let out = Self::new_uninit();676		with_default_context(|c, _| unsafe { init_int(c, out.0, i) })677			.expect("int initialization should not fail");678		out679	}680	pub fn new_bool(v: bool) -> Self {681		let out = Self::new_uninit();682		with_default_context(|c, _| unsafe { init_bool(c, out.0, v) })683			.expect("bool initialization should not fail");684		out685	}686	// TODO: As far as I can see, there is no way to get Thunks from nix public C api, so this function is useless687	// fn force(&mut self, st: &mut EvalState) -> Result<()> {688	// 	with_default_context(|c, _| unsafe { value_force(c, st.0, self.0) })?;689	// 	Ok(())690	// }691	pub fn type_of(&self) -> NixType {692		let ty = with_default_context(|c, _| unsafe { get_type(c, self.0) })693			.expect("get_type should not fail");694		NixType::from_int(ty)695	}696	fn builtin_to_string(&self) -> Result<Self> {697		let builtin = Self::eval("builtins.toString")?;698		builtin.call(self.clone())699	}700	pub fn to_string(&self) -> Result<String> {701		let mut str_out = String::new();702		with_default_context(|c, _| unsafe {703			get_string(c, self.0, Some(copy_nix_str), (&raw mut str_out).cast())704		})?;705706		Ok(str_out)707	}708	pub fn to_realised_string(&self) -> Result<RealisedString> {709		with_default_context(|c, es| unsafe { string_realise(c, es, self.0, false) })710			.map(RealisedString)711712		// let store_paths = unsafe { nix_raw::realised_string_get_store_path_count(str) };713		// for i in 0..store_paths {714		// 	let store_path = unsafe { nix_raw::realised_string_get_store_path(str, i) };715		// 	nix_raw::store_path_name(store_path, callback, user_data);716		// }717		// dbg!(store_paths);718		// todo!();719	}720721	pub fn has_field(&self, field: &str) -> Result<bool> {722		let f = init_field_name(field);723		with_default_context(|c, es| unsafe { has_attr_byname(c, self.0, es, f.as_ptr().cast()) })724	}725	// pub fn derivation_path(&self) {726	// 	nix_raw::real727	// }728	pub fn list_fields(&self) -> Result<Vec<String>> {729		if !matches!(self.type_of(), NixType::Attrs) {730			bail!("invalid type: expected attrs");731		}732733		let len = with_default_context(|c, _| unsafe { get_attrs_size(c, self.0) })?;734		let mut out = Vec::with_capacity(len as usize);735736		for i in 0..len {737			let name =738				with_default_context(|c, es| unsafe { get_attr_name_byidx(c, self.0, es, i) })?;739			let c = unsafe { CStr::from_ptr(name) };740			out.push(c.to_str().expect("nix field names are utf-8").to_owned());741		}742		Ok(out)743	}744	pub fn get_elem(&self, v: usize) -> Result<Self> {745		if !matches!(self.type_of(), NixType::List) {746			bail!("invalid type: expected list");747		}748		let len = with_default_context(|c, _| unsafe { get_list_size(c, self.0) })? as usize;749		if v >= len {750			bail!("oob list get: {v} >= {len}");751		}752753		with_default_context(|c, es| unsafe { get_list_byidx(c, self.0, es, v as u32) }).map(Self)754	}755	pub fn attrs_update(self, other: Value /*, ignore_errors: bool*/) -> Result<Self> {756		let attrs_update_fn = Self::eval("a: b: a // b")?;757758		attrs_update_fn759			.call(self)?760			.call(other)761			.context("attrs update")762	}763	pub fn get_field(&self, name: impl AsFieldName) -> Result<Self> {764		if !matches!(self.type_of(), NixType::Attrs) {765			bail!("invalid type: expected attrs");766		}767768		name.as_field_name(|name| {769			with_default_context(|c, es| unsafe {770				get_attr_byname(c, self.0, es, name.as_ptr().cast())771			})772			.map(Self)773		})774		.with_context(|| format!("getting field {:?}", name.to_field_name()))775	}776	pub fn call(&self, v: Value) -> Result<Self> {777		let kind = self778			.functor_kind()779			.ok_or_else(|| anyhow!("can only call function or functor"))?;780781		let function = match kind {782			FunctorKind::Function => self.clone(),783			FunctorKind::Functor => {784				let f = self785					.get_field("__functor")786					.context("getting functor value")?;787				assert_eq!(788					f.type_of(),789					NixType::Function,790					"invalid functor encountered"791				);792				f793			}794		};795796		let out = Value::new_uninit();797		with_default_context(|c, es| unsafe { value_call(c, es, function.0, v.0, out.0) })?;798799		Ok(out)800	}801	pub fn eval(v: &str) -> Result<Self> {802		let s = CString::new(v).expect("expression shouldn't have internal NULs");803		let out = Self::new_uninit();804		with_default_context(|c, es| unsafe {805			expr_eval_from_string(c, es, s.as_ptr(), c"/root".as_ptr(), out.0)806		})?;807		Ok(out)808	}809	pub fn build(&self, output: &str) -> Result<PathBuf> {810		if !self.is_derivation() {811			bail!("expected derivation to build")812		}813		let output_name = self814			.get_field("outputName")815			.context("getting output name field")?816			.to_string()?;817		let v = if output_name != output {818			let out = self.get_field(output).context("getting target output")?;819			if !out.is_derivation() {820				bail!("unknown output: {output}");821			}822			out823		} else {824			self.clone()825		};826		// to_string here blocks until the path is built827		let s = v.builtin_to_string()?;828		let rs = s.to_realised_string()?;829		let drv_path = rs.as_str().to_owned();830		Ok(PathBuf::from(drv_path))831	}832	pub fn as_json<T: DeserializeOwned>(&self) -> Result<T> {833		let to_json = Self::eval("builtins.toJSON")?;834		let s = to_json.call(self.clone())?.to_string()?;835		Ok(serde_json::from_str(&s)?)836	}837	pub fn serialized<T: Serialize>(v: &T) -> Result<Self> {838		Self::eval(&nixlike::serialize(v)?)839	}840841	// Convert to string/evaluate derivations/etc842	// fn to_string_weak(&self) -> Result<String> {843	// 	// TODO: For now, it works exactly like to_string, see the comment for fn force()844	// 	self.to_string()845	// }846847	fn is_derivation(&self) -> bool {848		if !matches!(self.type_of(), NixType::Attrs) {849			return false;850		}851		let Some(ty) = self.get_field("type").ok() else {852			return false;853		};854		matches!(ty.to_string().as_deref(), Ok("derivation"))855	}856	fn functor_kind(&self) -> Option<FunctorKind> {857		match self.type_of() {858			NixType::Attrs => self859				.has_field("__functor")860				.expect("has_field shouldn't fail for attrs")861				.then_some(FunctorKind::Functor),862			NixType::Function => Some(FunctorKind::Function),863			_ => None,864		}865	}866	pub fn is_function(&self) -> bool {867		self.functor_kind().is_some()868	}869	pub fn is_null(&self) -> bool {870		matches!(self.type_of(), NixType::Null)871	}872}873874impl From<String> for Value {875	fn from(value: String) -> Self {876		Value::new_str(&value)877	}878}879impl From<bool> for Value {880	fn from(value: bool) -> Self {881		Value::new_bool(value)882	}883}884impl From<&str> for Value {885	fn from(value: &str) -> Self {886		Value::new_str(value)887	}888}889impl<T> From<Vec<T>> for Value890where891	T: Into<Value>,892{893	fn from(value: Vec<T>) -> Self {894		Value::new_list(value)895	}896}897898impl Clone for Value {899	fn clone(&self) -> Self {900		with_default_context(|c, _| unsafe { value_incref(c, self.0) })901			.expect("value incref should not fail");902		Self(self.0)903	}904}905impl Drop for Value {906	fn drop(&mut self) {907		with_default_context(|c, _| unsafe { value_decref(c, self.0) })908			.expect("value drop should not fail");909	}910}911912pub fn init_libraries() {913	unsafe { GC_allow_register_threads() };914915	let mut ctx = NixContext::new();916	ctx.run_in_context(|c| unsafe { libutil_init(c) })917		.expect("util init should not fail");918	ctx.run_in_context(|c| unsafe { libstore_init(c) })919		.expect("store init should not fail");920	ctx.run_in_context(|c| unsafe { libexpr_init(c) })921		.expect("expr init should not fail");922923	nix_logging_cxx::apply_tracing_logger();924}925926unsafe extern "C" fn nix_primop_closure_adapter<const N: usize>(927	user_data: *mut c_void,928	context: *mut c_context,929	state: *mut nix_raw::EvalState,930	args: *mut *mut value,931	ret: *mut value,932) {933	let user_closure: &UserClosure<N> = unsafe { &*user_data.cast_const().cast() };934	let args: [&Value; N] = array::from_fn(|i| {935		let v: &Value = unsafe { &*args.add(i).cast_const().cast() };936		v937	});938	let ctx: &mut NixContext = unsafe { &mut *context.cast() };939940	match user_closure(args) {941		Ok(v) => {942			unsafe { copy_value(context, ret, v.0) };943		}944		Err(e) => {945			ctx.set_err(946				NixErrorKind::Unknown,947				&CString::new(e.to_string()).expect("error should not contain internal nuls"),948			);949		}950	}951}952953type UserClosure<const N: usize> = Box<dyn Fn([&Value; N]) -> Result<Value>>;954955pub struct NativeFn(*mut PrimOp);956impl NativeFn {957	pub fn new<const N: usize>(958		name: &'static CStr,959		doc: &'static CStr,960		args: [&'static CStr; N],961		f: impl Fn([&Value; N]) -> Result<Value> + 'static,962	) -> Self {963		// Double-boxing to make it thin pointer, as vtable gets outside of first Box964		let closure: Box<UserClosure<N>> = Box::new(Box::new(f));965		let f: PrimOpFun = Some(nix_primop_closure_adapter::<N>);966		let mut args = args.into_iter().map(|v| v.as_ptr()).collect_vec();967		args.push(null());968		let args = args.as_mut_ptr();969		let primop = unsafe {970			alloc_primop(971				null_mut(),972				f,973				N as i32,974				name.as_ptr(),975				args,976				doc.as_ptr(),977				Box::into_raw(closure).cast(),978			)979		};980981		assert!(!primop.is_null(), "primop allocation should not fail");982983		Self(primop)984	}985	pub fn register(self) {986		unsafe { register_primop(null_mut(), self.0) };987	}988}989990struct StorePath(*mut c_store_path);991impl StorePath {}992993impl Drop for StorePath {994	fn drop(&mut self) {995		unsafe { store_path_free(self.0) }996	}997}998999#[test_log::test]1000fn test_native() -> Result<()> {1001	init_libraries();1002	NativeFn::new(1003		c"__uppercaseSuffix2",1004		c"make string uppercase and add suffix",1005		[c"str", c"suffix"],1006		|[str, suffix]: [&Value; 2]| {1007			let str = str.to_string()?;1008			let suffix = suffix.to_string()?;1009			Ok(Value::new_str(&format!("{}{suffix}", str.to_uppercase())))1010		},1011	)1012	.register();10131014	let mut fetch_settings = FetchSettings::new();1015	fetch_settings.set(c"warn-dirty", c"false");10161017	let manifest = format!("git+file://{}/../../", env!("CARGO_MANIFEST_DIR"));1018	let flake = FlakeSettings::new()?;1019	let parse = FlakeReferenceParseFlags::new(&flake)?;1020	let (mut r, _) = FlakeReference::new(&manifest, &flake, &parse, &fetch_settings)?;1021	let lock = FlakeLockFlags::new(&flake)?;1022	let locked = r.lock(&fetch_settings, &flake, &lock)?;1023	let attrs = locked.get_attrs(&mut FlakeSettings::new()?)?;10241025	let builtins = Value::eval("builtins")?;1026	assert_eq!(builtins.type_of(), NixType::Attrs);10271028	assert_eq!(attrs.type_of(), NixType::Attrs);1029	let test_data = nix_go!(attrs.testData);10301031	let test_string: String = nix_go_json!(test_data.testString);1032	assert_eq!(test_string, "hello");10331034	let s = nix_go!(attrs.packages["x86_64-linux"].fleet.drvPath);1035	let s = CString::new(s.to_string()?).expect("path str is cstring");10361037	let uppercase_suffix = Value::new_primop(NativeFn::new(1038		c"uppercase_suffix",1039		c"make string uppercase and add suffix",1040		[c"str", c"suffix"],1041		|[str, suffix]: [&Value; 2]| {1042			let str = str.to_string()?;1043			let suffix = suffix.to_string()?;1044			Ok(Value::new_str(&format!("{}{suffix}", str.to_uppercase())))1045		},1046	));10471048	let test_result: String = nix_go_json!(test_data.testPrimop(uppercase_suffix));1049	assert_eq!(test_result, "PREFIX_BODY_SUFFIX");1050	let test_result: String = nix_go_json!(builtins.uppercaseSuffix2("test")("suffix"));1051	assert_eq!(test_result, "TESTsuffix");10521053	let nix_ctx = NixContext::new();1054	let store = GLOBAL_STATE.store.parse_path(s.as_c_str())?;10551056	// nix_raw::store_get_fs_closure(1);10571058	Ok(())1059}10601061// pub struct GcAlloc;1062// unsafe impl GlobalAlloc for GcAlloc {1063// 	unsafe fn alloc(&self, l: Layout) -> *mut u8 {1064// 		let ptr = unsafe { GC_malloc(l.size()) };1065// 		ptr.cast()1066// 	}1067// 	unsafe fn dealloc(&self, ptr: *mut u8, _: Layout) {1068// 		// unsafe { GC_free(ptr.cast()) };1069// 	}1070//1071// 	unsafe fn realloc(&self, ptr: *mut u8, _: Layout, new_size: usize) -> *mut u8 {1072// 		let ptr = unsafe { GC_realloc(ptr.cast(), new_size) };1073// 		ptr.cast()1074// 	}1075// }1076//1077// #[global_allocator]1078// static GC: GcAlloc = GcAlloc;

1use std::borrow::Cow;2use std::cell::RefCell;3use std::ffi::{CStr, CString, c_char, c_int, c_uint, c_void};4use std::ptr::{null, null_mut};5use std::sync::LazyLock;6use std::{array, fmt, slice};7use std::{collections::HashMap, path::PathBuf};89use anyhow::{Context, anyhow, bail};10use itertools::Itertools;11use serde::Serialize;12use serde::de::DeserializeOwned;1314pub use anyhow::Result;15use tracing::{info, instrument, warn};1617use self::logging::{ErrorInfoBuilder, nix_logging_cxx};18use self::nix_cxx::set_fetcher_setting;19use self::nix_raw::{20	BindingsBuilder as c_bindings_builder, EvalState as c_eval_state, GC_SUCCESS,21	GC_allow_register_threads, GC_get_stack_base, GC_register_my_thread, GC_stack_base,22	GC_thread_is_registered, GC_unregister_my_thread, ListBuilder as c_list_builder, PrimOp,23	PrimOpFun, Store as c_store, StorePath as c_store_path, alloc_primop, alloc_value,24	bindings_builder_free, bindings_builder_insert, c_context, c_context_create, c_context_free,25	clear_err, copy_value, err_NIX_ERR_KEY, err_NIX_ERR_NIX_ERROR, err_NIX_ERR_OVERFLOW,26	err_NIX_ERR_UNKNOWN, err_code, err_info_msg, err_msg, eval_state_build,27	eval_state_builder_load, eval_state_builder_new, eval_state_builder_set_eval_setting,28	expr_eval_from_string, fetchers_settings, fetchers_settings_free, fetchers_settings_new,29	flake_lock, flake_lock_flags, flake_lock_flags_free, flake_lock_flags_new, flake_reference,30	flake_reference_and_fragment_from_string, flake_reference_parse_flags,31	flake_reference_parse_flags_free, flake_reference_parse_flags_new,32	flake_reference_parse_flags_set_base_directory, flake_settings, flake_settings_free,33	flake_settings_new, gc_now as gc_now_raw, get_attr_byname, get_attr_name_byidx, get_attrs_size,34	get_list_byidx, get_list_size, get_string, get_type, has_attr_byname, init_bool, init_int,35	init_primop, init_string, libexpr_init, libstore_init, libutil_init, list_builder_free,36	list_builder_insert, locked_flake, locked_flake_free, locked_flake_get_output_attrs,37	make_attrs, make_bindings_builder, make_list, make_list_builder, realised_string,38	realised_string_free, realised_string_get_buffer_size, realised_string_get_buffer_start,39	realised_string_get_store_path, realised_string_get_store_path_count, register_primop,40	set_err_msg, setting_set, state_free, store_open, store_parse_path, store_path_free,41	store_path_name, string_realise, value, value_call, value_decref, value_force, value_incref,42};4344// Contains macros helpers45pub mod logging;46#[doc(hidden)]47pub mod macros;48pub mod util;4950#[allow(51	non_upper_case_globals,52	non_camel_case_types,53	non_snake_case,54	dead_code55)]56mod nix_raw {57	include!(concat!(env!("OUT_DIR"), "/bindings.rs"));58}59#[cxx::bridge]60pub mod nix_cxx {61	unsafe extern "C++" {62		type nix_fetchers_settings;63		include!("nix-eval/src/lib.hh");6465		#[allow(clippy::missing_safety_doc)]66		unsafe fn set_fetcher_setting(67			settings: *mut nix_fetchers_settings,68			setting: *const c_char,69			value: *const c_char,70		);71	}72}7374#[derive(Debug, PartialEq, Eq)]75pub enum NixType {76	Thunk,77	Int,78	Float,79	Bool,80	String,81	Path,82	Null,83	Attrs,84	List,85	Function,86	External,87}88impl NixType {89	fn from_int(c: c_uint) -> Self {90		match c {91			0 => Self::Thunk,92			1 => Self::Int,93			2 => Self::Float,94			3 => Self::Bool,95			4 => Self::String,96			5 => Self::Path,97			6 => Self::Null,98			7 => Self::Attrs,99			8 => Self::List,100			9 => Self::Function,101			10 => Self::External,102			_ => unreachable!("unknown nix type: {c}"),103		}104	}105}106107enum FunctorKind {108	Function,109	Functor,110}111112#[derive(Debug)]113#[repr(i32)]114pub enum NixErrorKind {115	Unknown = err_NIX_ERR_UNKNOWN,116	Overflow = err_NIX_ERR_OVERFLOW,117	Key = err_NIX_ERR_KEY,118	Generic = err_NIX_ERR_NIX_ERROR,119}120impl NixErrorKind {121	fn from_int(v: c_int) -> Option<Self> {122		Some(match v {123			0 => return None,124			nix_raw::err_NIX_ERR_UNKNOWN => Self::Unknown,125			nix_raw::err_NIX_ERR_OVERFLOW => Self::Overflow,126			nix_raw::err_NIX_ERR_KEY => Self::Key,127			nix_raw::err_NIX_ERR_NIX_ERROR => Self::Generic,128			_ => {129				debug_assert!(false, "unexpected nix error kind: {v}");130				Self::Unknown131			}132		})133	}134}135136pub fn gc_now() {137	unsafe { gc_now_raw() };138}139140pub fn gc_register_my_thread() {141	assert_eq!(unsafe { GC_thread_is_registered() }, 0);142143	let mut sb = GC_stack_base {144		mem_base: null_mut(),145	};146	let r = unsafe { GC_get_stack_base(&mut sb) };147	if r as u32 != GC_SUCCESS {148		panic!("failed to get thread stack base");149	}150	unsafe { GC_register_my_thread(&sb) };151}152pub fn gc_unregister_my_thread() {153	assert_eq!(unsafe { GC_thread_is_registered() }, 1);154155	unsafe { GC_unregister_my_thread() };156}157158pub struct ThreadRegisterGuard {}159impl ThreadRegisterGuard {160	#[allow(clippy::new_without_default)]161	pub fn new() -> Self {162		gc_register_my_thread();163		Self {}164	}165}166impl Drop for ThreadRegisterGuard {167	fn drop(&mut self) {168		gc_unregister_my_thread();169	}170}171172#[repr(transparent)]173pub struct NixContext(*mut c_context);174impl NixContext {175	pub fn set_err(&mut self, err: NixErrorKind, msg: &CStr) {176		unsafe { set_err_msg(self.0, err as c_int, msg.as_ptr()) };177	}178	pub fn new() -> Self {179		let ctx = unsafe { c_context_create() };180		Self(ctx)181	}182	fn error_kind(&self) -> Option<NixErrorKind> {183		let code = unsafe { err_code(self.0) };184		NixErrorKind::from_int(code)185	}186	fn error<'t>(&self) -> Option<(Cow<'t, str>, Option<Box<ErrorInfoBuilder>>)> {187		if let NixErrorKind::Generic = self.error_kind()? {188			let ei = unsafe { logging::nix_logging_cxx::extract_error_info(self.0) };189			let mut err_out = String::new();190			unsafe {191				err_info_msg(192					null_mut(),193					self.0,194					Some(copy_nix_str),195					(&raw mut err_out).cast(),196				)197			};198			return Some((Cow::Owned(err_out), Some(ei)));199		};200201		// TODO: Can throw error (resulting in panic) if unable to retrieve error. Should be able to resolve by passing context as a first argument,202		// but it looks ugly203		let str = unsafe { err_msg(null_mut(), self.0, null_mut()) };204		Some((unsafe { CStr::from_ptr(str) }.to_string_lossy(), None))205	}206	fn clean_err(&mut self) {207		unsafe {208			clear_err(self.0);209		}210	}211212	fn bail_if_error(&self) -> Result<()> {213		if let Some((err, stack)) = self.error() {214			let mut e = Err(anyhow!("{err}"));215			if let Some(stack) = stack {216				for ele in stack.stack_frames {217					e = e.with_context(|| {218						if ele.pos.is_empty() {219							ele.msg220						} else {221							format!("{} at {}", ele.msg, ele.pos)222						}223					})224				}225			}226			return e.context("<nix frames>");227		};228		Ok(())229	}230231	fn run_in_context<T>(&mut self, f: impl FnOnce(*mut c_context) -> T) -> Result<T> {232		self.clean_err();233		let o = f(self.0);234		self.bail_if_error()?;235		self.clean_err();236		Ok(o)237	}238}239240impl Default for NixContext {241	fn default() -> Self {242		Self::new()243	}244}245impl Drop for NixContext {246	fn drop(&mut self) {247		unsafe {248			c_context_free(self.0);249		}250	}251}252struct GlobalState {253	// Store should be valid as long as EvalState is valid254	#[allow(dead_code)]255	store: Store,256	state: EvalState,257}258impl GlobalState {259	fn new() -> Result<Self> {260		let mut ctx = NixContext::new();261		let store = ctx262			.run_in_context(|c| unsafe { store_open(c, c"auto".as_ptr(), null_mut()) })263			.map(Store)?;264265		let builder = ctx.run_in_context(|c| unsafe { eval_state_builder_new(c, store.0) })?;266		ctx.run_in_context(|c| unsafe { eval_state_builder_load(c, builder) })?;267		ctx.run_in_context(|c| unsafe {268			eval_state_builder_set_eval_setting(269				c,270				builder,271				c"lazy-trees".as_ptr(),272				c"true".as_ptr(),273			)274		})?;275		ctx.run_in_context(|c| unsafe {276			eval_state_builder_set_eval_setting(277				c,278				builder,279				c"lazy-locks".as_ptr(),280				c"true".as_ptr(),281			)282		})?;283		let state = ctx284			.run_in_context(|c| unsafe { eval_state_build(c, builder) })285			.map(EvalState)?;286287		Ok(Self { store, state })288	}289}290291struct ThreadState {292	ctx: NixContext,293}294impl ThreadState {295	fn new() -> Result<Self> {296		let ctx = NixContext::new();297298		Ok(Self { ctx })299	}300}301302static GLOBAL_STATE: LazyLock<GlobalState> = LazyLock::new(|| {303	info!("initializing nix global state");304	GlobalState::new().expect("global state init shouldn't fail")305});306307thread_local! {308	static THREAD_STATE: RefCell<ThreadState> = RefCell::new(ThreadState::new().expect("thread state init shouldn't fail"));309}310fn with_default_context<T>(f: impl FnOnce(*mut c_context, *mut c_eval_state) -> T) -> Result<T> {311	let global = &GLOBAL_STATE.state;312	let (ctx, state) = THREAD_STATE.with_borrow_mut(|w| (w.ctx.0, global.0));313	let mut ctx = NixContext(ctx);314	let v = ctx.run_in_context(|c| f(c, state));315	// It is reused for thread316	std::mem::forget(ctx);317	v318}319320pub fn set_setting(s: &CStr, v: &CStr) -> Result<()> {321	with_default_context(|c, _| unsafe { setting_set(c, s.as_ptr(), v.as_ptr()) }).map(|_| ())322}323324pub struct FetchSettings(*mut fetchers_settings);325impl FetchSettings {326	pub fn new() -> Self {327		Self::try_new().expect("allocation should not fail")328	}329	fn try_new() -> Result<Self> {330		with_default_context(|c, _| unsafe { fetchers_settings_new(c) }).map(Self)331	}332	pub fn set(&mut self, setting: &CStr, value: &CStr) {333		unsafe {334			set_fetcher_setting(self.0.cast(), setting.as_ptr(), value.as_ptr());335		};336	}337}338unsafe impl Send for FetchSettings {}339unsafe impl Sync for FetchSettings {}340341impl Default for FetchSettings {342	fn default() -> Self {343		Self::new()344	}345}346347impl Drop for FetchSettings {348	fn drop(&mut self) {349		unsafe { fetchers_settings_free(self.0) };350	}351}352pub struct FlakeSettings(*mut flake_settings);353impl FlakeSettings {354	pub fn new() -> Result<Self> {355		with_default_context(|c, _| unsafe { flake_settings_new(c) }).map(Self)356	}357}358unsafe impl Send for FlakeSettings {}359unsafe impl Sync for FlakeSettings {}360impl Drop for FlakeSettings {361	fn drop(&mut self) {362		unsafe {363			flake_settings_free(self.0);364		}365	}366}367368pub struct FlakeReferenceParseFlags(*mut flake_reference_parse_flags);369impl FlakeReferenceParseFlags {370	pub fn new(settings: &FlakeSettings) -> Result<Self> {371		with_default_context(|c, _| unsafe { flake_reference_parse_flags_new(c, settings.0) })372			.map(Self)373	}374	pub fn set_base_dir(&mut self, dir: &str) -> Result<()> {375		with_default_context(|c, _| {376			unsafe {377				flake_reference_parse_flags_set_base_directory(378					c,379					self.0,380					dir.as_ptr().cast(),381					dir.len(),382				)383			};384		})385	}386}387impl Drop for FlakeReferenceParseFlags {388	fn drop(&mut self) {389		unsafe {390			flake_reference_parse_flags_free(self.0);391		}392	}393}394pub struct FlakeLockFlags(*mut flake_lock_flags);395impl FlakeLockFlags {396	pub fn new(settings: &FlakeSettings) -> Result<Self> {397		let o = with_default_context(|c, _| unsafe { flake_lock_flags_new(c, settings.0) })398			.map(Self)?;399		// with_default_context(|c, _| unsafe { flake_lock_flags_set_mode_virtual(c, o.0) })?;400401		Ok(o)402	}403}404impl Drop for FlakeLockFlags {405	fn drop(&mut self) {406		unsafe {407			flake_lock_flags_free(self.0);408		}409	}410}411412unsafe extern "C" fn copy_nix_str(start: *const c_char, n: c_uint, user_data: *mut c_void) {413	let s = unsafe { slice::from_raw_parts(start.cast::<u8>(), n as usize) };414	let s = std::str::from_utf8(s).expect("c string has invalid utf-8");415	unsafe { *user_data.cast::<String>() = s.to_owned() };416}417418struct Store(*mut c_store);419unsafe impl Send for Store {}420unsafe impl Sync for Store {}421422impl Store {423	fn parse_path(&self, path: &CStr) -> Result<StorePath> {424		with_default_context(|c, _| {425			StorePath(unsafe { store_parse_path(c, self.0, path.as_ptr()) })426		})427	}428}429430#[repr(transparent)]431pub struct EvalState(*mut c_eval_state);432unsafe impl Send for EvalState {}433unsafe impl Sync for EvalState {}434435impl Drop for EvalState {436	fn drop(&mut self) {437		unsafe {438			state_free(self.0);439		}440	}441}442443pub struct FlakeReference(*mut flake_reference);444impl FlakeReference {445	#[instrument(name = "new-flake-reference", skip(flake, parse, fetch))]446	pub fn new(447		s: &str,448		flake: &FlakeSettings,449		parse: &FlakeReferenceParseFlags,450		fetch: &FetchSettings,451	) -> Result<(Self, String)> {452		let mut out = null_mut();453		let mut fragment = String::new();454		// let fetch_settings = fetcher_settings;455		with_default_context(|c, _| unsafe {456			flake_reference_and_fragment_from_string(457				c,458				fetch.0,459				flake.0,460				parse.0,461				s.as_ptr().cast(),462				s.len(),463				&mut out,464				Some(copy_nix_str),465				(&raw mut fragment).cast(),466			)467		})?;468		assert!(!out.is_null());469470		Ok((Self(out), fragment))471	}472	#[instrument(name = "lock-flake", skip(self, fetch, flake, lock))]473	pub fn lock(474		&mut self,475		fetch: &FetchSettings,476		flake: &FlakeSettings,477		lock: &FlakeLockFlags,478	) -> Result<LockedFlake> {479		with_default_context(|c, es| unsafe { flake_lock(c, fetch.0, flake.0, es, lock.0, self.0) })480			.map(LockedFlake)481	}482}483unsafe impl Send for FlakeReference {}484unsafe impl Sync for FlakeReference {}485486pub struct LockedFlake(*mut locked_flake);487impl LockedFlake {488	pub fn get_attrs(&self, settings: &mut FlakeSettings) -> Result<Value> {489		with_default_context(|c, es| unsafe {490			locked_flake_get_output_attrs(c, settings.0, es, self.0)491		})492		.map(Value)493	}494}495unsafe impl Send for LockedFlake {}496unsafe impl Sync for LockedFlake {}497impl Drop for LockedFlake {498	fn drop(&mut self) {499		unsafe {500			locked_flake_free(self.0);501		};502	}503}504505type FieldName = [u8; 64];506fn init_field_name(v: &str) -> FieldName {507	let mut f = [0; 64];508	assert!(v.len() < 64, "max field name is 63 chars");509	assert!(510		v.bytes().all(|v| v != 0),511		"nul bytes are unsupported in field name"512	);513	f[0..v.len()].copy_from_slice(v.as_bytes());514	f515}516517pub struct RealisedString(*mut realised_string);518impl fmt::Debug for RealisedString {519	fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {520		self.as_str().fmt(f)521	}522}523524impl RealisedString {525	pub fn as_str(&self) -> &str {526		let len = unsafe { realised_string_get_buffer_size(self.0) };527		let data: *const u8 = unsafe { realised_string_get_buffer_start(self.0) }.cast();528		let data = unsafe { slice::from_raw_parts(data, len) };529		std::str::from_utf8(data).expect("non-utf8 strings not supported")530	}531	pub fn path_count(&self) -> usize {532		unsafe { realised_string_get_store_path_count(self.0) }533	}534	pub fn path(&self, i: usize) -> String {535		assert!(i < self.path_count());536		let path = unsafe { realised_string_get_store_path(self.0, i) };537		let mut err_out = String::new();538		unsafe { store_path_name(path, Some(copy_nix_str), (&raw mut err_out).cast()) };539		err_out540	}541}542543unsafe impl Send for RealisedString {}544impl Drop for RealisedString {545	fn drop(&mut self) {546		unsafe { realised_string_free(self.0) }547	}548}549550#[repr(transparent)]551pub struct Value(*mut value);552553unsafe impl Send for Value {}554unsafe impl Sync for Value {}555556pub trait AsFieldName {557	fn as_field_name<T>(&self, v: impl FnOnce(FieldName) -> Result<T>) -> Result<T>;558	fn to_field_name(&self) -> Result<String>;559}560impl AsFieldName for Value {561	fn as_field_name<T>(&self, v: impl FnOnce(FieldName) -> Result<T>) -> Result<T> {562		let f = self.to_string()?;563		v(init_field_name(&f))564	}565	fn to_field_name(&self) -> Result<String> {566		self.to_string()567	}568}569impl<E> AsFieldName for E570where571	E: AsRef<str>,572{573	fn as_field_name<T>(&self, v: impl FnOnce(FieldName) -> Result<T>) -> Result<T> {574		let f = self.as_ref();575		v(init_field_name(f))576	}577	fn to_field_name(&self) -> Result<String> {578		Ok(self.as_ref().to_owned())579	}580}581582struct AttrsBuilder(*mut c_bindings_builder);583impl AttrsBuilder {584	fn new(capacity: usize) -> Self {585		with_default_context(|c, es| unsafe { make_bindings_builder(c, es, capacity) })586			.map(Self)587			.expect("alloc should not fail")588	}589	fn insert(&mut self, k: &impl AsFieldName, v: Value) {590		k.as_field_name(|name| {591			with_default_context(|c, _| unsafe {592				bindings_builder_insert(c, self.0, name.as_ptr().cast(), v.0);593				// bindings_builder_insert doesn't do incref594			})595		})596		.expect("builder insert shouldn't fail");597	}598}599impl Drop for AttrsBuilder {600	fn drop(&mut self) {601		unsafe { bindings_builder_free(self.0) };602	}603}604605struct ListBuilder(*mut c_list_builder, c_uint);606impl ListBuilder {607	fn new(capacity: usize) -> Self {608		with_default_context(|c, es| unsafe { make_list_builder(c, es, capacity) })609			.map(|l| Self(l, 0))610			.expect("alloc should not fail")611	}612}613impl ListBuilder {614	fn push(&mut self, v: Value) {615		with_default_context(|c, _| unsafe {616			list_builder_insert(617				c,618				self.0,619				{620					let v = self.1;621					self.1 += 1;622					v623				},624				v.0,625			)626		})627		.expect("list insert shouldn't fail");628	}629}630impl Drop for ListBuilder {631	fn drop(&mut self) {632		unsafe { list_builder_free(self.0) };633	}634}635636impl Value {637	pub fn new_primop(v: NativeFn) -> Self {638		let out = Self::new_uninit();639		with_default_context(|c, _| unsafe { init_primop(c, out.0, v.0) })640			.expect("primop initialization should not fail");641		out642	}643	pub fn new_attrs(v: HashMap<&str, Value>) -> Self {644		let out = Self::new_uninit();645		let mut b = AttrsBuilder::new(v.len());646		for (k, v) in v {647			b.insert(&k, v);648		}649		with_default_context(|c, _| unsafe { make_attrs(c, out.0, b.0) })650			.expect("attrs initialization should not fail");651652		out653	}654	fn new_list<T: Into<Self>>(v: Vec<T>) -> Self {655		let out = Self::new_uninit();656		let mut b = ListBuilder::new(v.len());657		for v in v {658			b.push(v.into());659		}660		with_default_context(|c, _| unsafe { make_list(c, b.0, out.0) })661			.expect("list initialization should not fail");662663		out664	}665	fn new_uninit() -> Self {666		let out = with_default_context(|c, es| unsafe { alloc_value(c, es) })667			.expect("value allocation should not fail");668		Self(out)669	}670	pub fn new_str(v: &str) -> Self {671		let s = CString::new(v).expect("string should not contain NULs");672		let out = Self::new_uninit();673		// String is copied, `s` is free to be dropped674		with_default_context(|c, _| unsafe { init_string(c, out.0, s.as_ptr()) })675			.expect("string initialization should not fail");676		out677	}678	pub fn new_int(i: i64) -> Self {679		let out = Self::new_uninit();680		with_default_context(|c, _| unsafe { init_int(c, out.0, i) })681			.expect("int initialization should not fail");682		out683	}684	pub fn new_bool(v: bool) -> Self {685		let out = Self::new_uninit();686		with_default_context(|c, _| unsafe { init_bool(c, out.0, v) })687			.expect("bool initialization should not fail");688		out689	}690	// TODO: As far as I can see, there is no way to get Thunks from nix public C api, so this function is useless691	// fn force(&mut self, st: &mut EvalState) -> Result<()> {692	// 	with_default_context(|c, _| unsafe { value_force(c, st.0, self.0) })?;693	// 	Ok(())694	// }695	pub fn type_of(&self) -> NixType {696		let ty = with_default_context(|c, _| unsafe { get_type(c, self.0) })697			.expect("get_type should not fail");698		NixType::from_int(ty)699	}700	fn builtin_to_string(&self) -> Result<Self> {701		let builtin = Self::eval("builtins.toString")?;702		builtin.call(self.clone())703	}704	fn force(&mut self, s: *mut nix_raw::EvalState) -> Result<()> {705		with_default_context(|c, _| unsafe { value_force(c, s, self.0) })?;706		Ok(())707	}708	pub fn to_string(&self) -> Result<String> {709		let ty = self.type_of();710		if !matches!(ty, NixType::String) {711			bail!("unexpected type: {ty:?}, expected string");712		}713		let mut str_out = String::new();714		with_default_context(|c, _| unsafe {715			get_string(c, self.0, Some(copy_nix_str), (&raw mut str_out).cast())716		})?;717718		Ok(str_out)719	}720	pub fn to_realised_string(&self) -> Result<RealisedString> {721		with_default_context(|c, es| unsafe { string_realise(c, es, self.0, false) })722			.map(RealisedString)723724		// let store_paths = unsafe { nix_raw::realised_string_get_store_path_count(str) };725		// for i in 0..store_paths {726		// 	let store_path = unsafe { nix_raw::realised_string_get_store_path(str, i) };727		// 	nix_raw::store_path_name(store_path, callback, user_data);728		// }729		// dbg!(store_paths);730		// todo!();731	}732733	pub fn has_field(&self, field: &str) -> Result<bool> {734		let f = init_field_name(field);735		with_default_context(|c, es| unsafe { has_attr_byname(c, self.0, es, f.as_ptr().cast()) })736	}737	// pub fn derivation_path(&self) {738	// 	nix_raw::real739	// }740	pub fn list_fields(&self) -> Result<Vec<String>> {741		if !matches!(self.type_of(), NixType::Attrs) {742			bail!("invalid type: expected attrs");743		}744745		let len = with_default_context(|c, _| unsafe { get_attrs_size(c, self.0) })?;746		let mut out = Vec::with_capacity(len as usize);747748		for i in 0..len {749			let name =750				with_default_context(|c, es| unsafe { get_attr_name_byidx(c, self.0, es, i) })?;751			let c = unsafe { CStr::from_ptr(name) };752			out.push(c.to_str().expect("nix field names are utf-8").to_owned());753		}754		Ok(out)755	}756	pub fn get_elem(&self, v: usize) -> Result<Self> {757		if !matches!(self.type_of(), NixType::List) {758			bail!("invalid type: expected list");759		}760		let len = with_default_context(|c, _| unsafe { get_list_size(c, self.0) })? as usize;761		if v >= len {762			bail!("oob list get: {v} >= {len}");763		}764765		with_default_context(|c, es| unsafe { get_list_byidx(c, self.0, es, v as u32) }).map(Self)766	}767	pub fn attrs_update(self, other: Value /*, ignore_errors: bool*/) -> Result<Self> {768		let attrs_update_fn = Self::eval("a: b: a // b")?;769770		attrs_update_fn771			.call(self)?772			.call(other)773			.context("attrs update")774	}775	pub fn get_field(&self, name: impl AsFieldName) -> Result<Self> {776		if !matches!(self.type_of(), NixType::Attrs) {777			bail!("invalid type: expected attrs");778		}779780		name.as_field_name(|name| {781			with_default_context(|c, es| unsafe {782				get_attr_byname(c, self.0, es, name.as_ptr().cast())783			})784			.map(Self)785		})786		.with_context(|| format!("getting field {:?}", name.to_field_name()))787	}788	pub fn call(&self, v: Value) -> Result<Self> {789		let kind = self790			.functor_kind()791			.ok_or_else(|| anyhow!("can only call function or functor"))?;792793		let function = match kind {794			FunctorKind::Function => self.clone(),795			FunctorKind::Functor => {796				let f = self797					.get_field("__functor")798					.context("getting functor value")?;799				assert_eq!(800					f.type_of(),801					NixType::Function,802					"invalid functor encountered"803				);804				f805			}806		};807808		let out = Value::new_uninit();809		with_default_context(|c, es| unsafe { value_call(c, es, function.0, v.0, out.0) })?;810811		Ok(out)812	}813	pub fn eval(v: &str) -> Result<Self> {814		let s = CString::new(v).expect("expression shouldn't have internal NULs");815		let out = Self::new_uninit();816		with_default_context(|c, es| unsafe {817			expr_eval_from_string(c, es, s.as_ptr(), c"/root".as_ptr(), out.0)818		})?;819		Ok(out)820	}821	pub fn build(&self, output: &str) -> Result<PathBuf> {822		if !self.is_derivation() {823			bail!("expected derivation to build")824		}825		let output_name = self826			.get_field("outputName")827			.context("getting output name field")?828			.to_string()?;829		let v = if output_name != output {830			let out = self.get_field(output).context("getting target output")?;831			if !out.is_derivation() {832				bail!("unknown output: {output}");833			}834			out835		} else {836			self.clone()837		};838		// to_string here blocks until the path is built839		let s = v.builtin_to_string()?;840		let rs = s.to_realised_string()?;841		let drv_path = rs.as_str().to_owned();842		Ok(PathBuf::from(drv_path))843	}844	pub fn as_json<T: DeserializeOwned>(&self) -> Result<T> {845		let to_json = Self::eval("builtins.toJSON")?;846		let s = to_json.call(self.clone())?.to_string()?;847		Ok(serde_json::from_str(&s)?)848	}849	pub fn serialized<T: Serialize>(v: &T) -> Result<Self> {850		Self::eval(&nixlike::serialize(v)?)851	}852853	// Convert to string/evaluate derivations/etc854	// fn to_string_weak(&self) -> Result<String> {855	// 	// TODO: For now, it works exactly like to_string, see the comment for fn force()856	// 	self.to_string()857	// }858859	fn is_derivation(&self) -> bool {860		if !matches!(self.type_of(), NixType::Attrs) {861			return false;862		}863		let Some(ty) = self.get_field("type").ok() else {864			return false;865		};866		matches!(ty.to_string().as_deref(), Ok("derivation"))867	}868	fn functor_kind(&self) -> Option<FunctorKind> {869		match self.type_of() {870			NixType::Attrs => self871				.has_field("__functor")872				.expect("has_field shouldn't fail for attrs")873				.then_some(FunctorKind::Functor),874			NixType::Function => Some(FunctorKind::Function),875			_ => None,876		}877	}878	pub fn is_function(&self) -> bool {879		self.functor_kind().is_some()880	}881	pub fn is_null(&self) -> bool {882		matches!(self.type_of(), NixType::Null)883	}884}885886impl From<String> for Value {887	fn from(value: String) -> Self {888		Value::new_str(&value)889	}890}891impl From<bool> for Value {892	fn from(value: bool) -> Self {893		Value::new_bool(value)894	}895}896impl From<&str> for Value {897	fn from(value: &str) -> Self {898		Value::new_str(value)899	}900}901impl<T> From<Vec<T>> for Value902where903	T: Into<Value>,904{905	fn from(value: Vec<T>) -> Self {906		Value::new_list(value)907	}908}909910impl Clone for Value {911	fn clone(&self) -> Self {912		with_default_context(|c, _| unsafe { value_incref(c, self.0) })913			.expect("value incref should not fail");914		Self(self.0)915	}916}917impl Drop for Value {918	fn drop(&mut self) {919		with_default_context(|c, _| unsafe { value_decref(c, self.0) })920			.expect("value drop should not fail");921	}922}923924pub fn init_libraries() {925	unsafe { GC_allow_register_threads() };926927	let mut ctx = NixContext::new();928	ctx.run_in_context(|c| unsafe { libutil_init(c) })929		.expect("util init should not fail");930	ctx.run_in_context(|c| unsafe { libstore_init(c) })931		.expect("store init should not fail");932	ctx.run_in_context(|c| unsafe { libexpr_init(c) })933		.expect("expr init should not fail");934935	nix_logging_cxx::apply_tracing_logger();936}937938unsafe extern "C" fn nix_primop_closure_adapter<const N: usize>(939	user_data: *mut c_void,940	context: *mut c_context,941	state: *mut nix_raw::EvalState,942	args: *mut *mut value,943	ret: *mut value,944) {945	let user_closure: &UserClosure<N> = unsafe { &*user_data.cast_const().cast() };946	let mut e = None;947	let args: [&Value; N] = array::from_fn(|i| {948		let v: &mut Value = unsafe { &mut *args.add(i).cast() };949950		info!("forcing arg");951		if matches!(v.type_of(), NixType::Thunk)952			&& let Err(err) = v.force(state)953		{954			e = Some(err);955		};956		v as &Value957	});958	info!("args forced");959	let ctx: &mut NixContext = unsafe { &mut *context.cast() };960961	if let Some(e) = e {962		warn!("set err = {e}");963		unsafe { init_int(context, ret, 0) };964		return ctx.set_err(965			NixErrorKind::Unknown,966			&CString::new(e.to_string()).expect("forcing argument value failed"),967		);968	}969970	let state: &EvalState = unsafe { std::mem::transmute(&state) };971972	match user_closure(state, args) {973		Ok(v) => {974			unsafe { copy_value(context, ret, v.0) };975		}976		Err(e) => {977			unsafe { init_int(context, ret, 0) };978			warn!("set err = {e:#?}");979			ctx.set_err(980				NixErrorKind::Unknown,981				&CString::new(e.to_string()).expect("error should not contain internal nuls"),982			);983		}984	}985}986987type UserClosure<const N: usize> = Box<dyn Fn(&EvalState, [&Value; N]) -> Result<Value>>;988989pub struct NativeFn(*mut PrimOp);990impl NativeFn {991	pub fn new<const N: usize>(992		name: &'static CStr,993		doc: &'static CStr,994		args: [&'static CStr; N],995		f: impl Fn(&EvalState, [&Value; N]) -> Result<Value> + 'static,996	) -> Self {997		// Double-boxing to make it thin pointer, as vtable gets outside of first Box998		let closure: Box<UserClosure<N>> = Box::new(Box::new(f));999		let f: PrimOpFun = Some(nix_primop_closure_adapter::<N>);1000		let mut args = args.into_iter().map(|v| v.as_ptr()).collect_vec();1001		args.push(null());1002		let args = args.as_mut_ptr();1003		let primop = unsafe {1004			alloc_primop(1005				null_mut(),1006				f,1007				N as i32,1008				name.as_ptr(),1009				args,1010				doc.as_ptr(),1011				Box::into_raw(closure).cast(),1012			)1013		};10141015		assert!(!primop.is_null(), "primop allocation should not fail");10161017		Self(primop)1018	}1019	pub fn register(self) {1020		unsafe { register_primop(null_mut(), self.0) };1021	}1022}10231024struct StorePath(*mut c_store_path);1025impl StorePath {}10261027impl Drop for StorePath {1028	fn drop(&mut self) {1029		unsafe { store_path_free(self.0) }1030	}1031}10321033#[test_log::test]1034fn test_native() -> Result<()> {1035	init_libraries();1036	NativeFn::new(1037		c"__uppercaseSuffix2",1038		c"make string uppercase and add suffix",1039		[c"str", c"suffix"],1040		|_, [str, suffix]: [&Value; 2]| {1041			let str = str.to_string()?;1042			let suffix = suffix.to_string()?;1043			Ok(Value::new_str(&format!("{}{suffix}", str.to_uppercase())))1044		},1045	)1046	.register();10471048	let mut fetch_settings = FetchSettings::new();1049	fetch_settings.set(c"warn-dirty", c"false");10501051	let manifest = format!("git+file://{}/../../", env!("CARGO_MANIFEST_DIR"));1052	let flake = FlakeSettings::new()?;1053	let parse = FlakeReferenceParseFlags::new(&flake)?;1054	let (mut r, _) = FlakeReference::new(&manifest, &flake, &parse, &fetch_settings)?;1055	let lock = FlakeLockFlags::new(&flake)?;1056	let locked = r.lock(&fetch_settings, &flake, &lock)?;1057	let attrs = locked.get_attrs(&mut FlakeSettings::new()?)?;10581059	let builtins = Value::eval("builtins")?;1060	assert_eq!(builtins.type_of(), NixType::Attrs);10611062	assert_eq!(attrs.type_of(), NixType::Attrs);1063	let test_data = nix_go!(attrs.testData);10641065	let test_string: String = nix_go_json!(test_data.testString);1066	assert_eq!(test_string, "hello");10671068	let s = nix_go!(attrs.packages["x86_64-linux"].fleet.drvPath);1069	let s = CString::new(s.to_string()?).expect("path str is cstring");10701071	let uppercase_suffix = Value::new_primop(NativeFn::new(1072		c"uppercase_suffix",1073		c"make string uppercase and add suffix",1074		[c"str", c"suffix"],1075		|es, [str, suffix]: [&Value; 2]| {1076			let str = str.to_string()?;1077			let suffix = suffix.to_string()?;1078			Ok(Value::new_str(&format!("{}{suffix}", str.to_uppercase())))1079		},1080	));10811082	let test_result: String = nix_go_json!(test_data.testPrimop(uppercase_suffix));1083	assert_eq!(test_result, "PREFIX_BODY_SUFFIX");1084	let test_result: String = nix_go_json!(builtins.uppercaseSuffix2("test")("suffix"));1085	assert_eq!(test_result, "TESTsuffix");10861087	let nix_ctx = NixContext::new();1088	let store = GLOBAL_STATE.store.parse_path(s.as_c_str())?;10891090	// nix_raw::store_get_fs_closure(1);10911092	Ok(())1093}10941095// pub struct GcAlloc;1096// unsafe impl GlobalAlloc for GcAlloc {1097// 	unsafe fn alloc(&self, l: Layout) -> *mut u8 {1098// 		let ptr = unsafe { GC_malloc(l.size()) };1099// 		ptr.cast()1100// 	}1101// 	unsafe fn dealloc(&self, ptr: *mut u8, _: Layout) {1102// 		// unsafe { GC_free(ptr.cast()) };1103// 	}1104//1105// 	unsafe fn realloc(&self, ptr: *mut u8, _: Layout, new_size: usize) -> *mut u8 {1106// 		let ptr = unsafe { GC_realloc(ptr.cast(), new_size) };1107// 		ptr.cast()1108// 	}1109// }1110//1111// #[global_allocator]1112// static GC: GcAlloc = GcAlloc;

modifiedcrates/nix-eval/src/macros.rsdiff before after both

--- a/crates/nix-eval/src/macros.rs
+++ b/crates/nix-eval/src/macros.rs
@@ -16,7 +16,12 @@
 		$(nix_expr_inner!(@obj($o) $($tt)*);)?
 	}};
 	(@obj($o:ident)) => {{}};
-	(Obj { $($tt:tt)* }) => {{
+	(Obj { }) => {{
+		use $crate::{nix_expr_inner};
+		let out = std::collections::hash_map::HashMap::new();
+		Value::new_attrs(out)
+	}};
+	(Obj { $($tt:tt)+ }) => {{
 		use $crate::{nix_expr_inner};
 		let mut out = std::collections::hash_map::HashMap::new();
 		nix_expr_inner!(@obj(out) $($tt)*);

modifiedlib/default.nixdiff before after both

--- a/lib/default.nix
+++ b/lib/default.nix
@@ -149,6 +149,23 @@
         }
       );
 
+    mkAskPass =
+      { prompt ? "Secret value", part ? "secret" }:
+      (
+        {
+          kdePackages,
+          mkImpureSecretGenerator,
+        }:
+        mkImpureSecretGenerator {
+          # TODO: Escape prompt?
+          script = ''
+            ${kdePackages.kdialog}/bin/kdialog --inputbox "${prompt}" | gh private -o $out/${part}
+          '';
+
+          parts.${part}.encrypted = true;
+        }
+      );
+
     /**
       Generate a random RSA keypair
 
@@ -251,6 +268,7 @@
     mkBytes
     mkHexBytes
     mkBase64Bytes
+    mkAskPass
     ;
 
   strings =

modifiedmodules/nixos/secrets.nixdiff before after both

--- a/modules/nixos/secrets.nix
+++ b/modules/nixos/secrets.nix
@@ -19,7 +19,6 @@
     submodule
     str
     attrsOf
-    nullOr
     unspecified
     uniq
     functionTo
@@ -77,13 +76,12 @@
     {
       options = {
         parts = mkOption {
-          type = attrsOf (secretPartType secretName);
+          type = uniq (attrsOf (secretPartType secretName));
           description = "Definition of secret parts";
         };
         generator = mkOption {
-          type = uniq (nullOr (functionTo package));
+          type = uniq (functionTo package);
           description = "Derivation to evaluate for secret generation";
-          default = null;
         };
         mode = mkOption {
           type = str;
@@ -103,14 +101,25 @@
         };
       };
       config = {
-        parts = builtins.fleetEnsureHostSecret sysConfig.networking.hostName secretName config.generator;
+        # C api is broken in regard to thunks
+        # https://github.com/NixOS/nix/issues/12800
+        parts = let 
+          hostName = sysConfig.networking.hostName;
+          generator = config.generator;
+        in builtins.deepSeq [
+          hostName
+          secretName
+          generator
+        ] (builtins.fleetEnsureHostSecret
+          hostName
+          secretName
+          generator);
       };
     }
   );
-  secretsData = (mapAttrs (_: s: s.definition) config.secrets);
   secretsFile = pkgs.writeTextFile {
     name = "secrets.json";
-    text = toJSON secretsData;
+    text = toJSON config.system.secretsData;
   };
   useSysusers =
     (config.systemd ? sysusers && config.systemd.sysusers.enable)
@@ -121,17 +130,20 @@
     secrets = mkOption {
       type = attrsOf secretType;
       default = { };
-      apply = v: (mapAttrs (_: secret: secret.parts // { definition = secret; }) v);
+      apply = mapAttrs (_: secret: secret.parts // {definition = secret;});
       description = "Host-local secrets";
     };
     system.secretsData = mkOption {
       type = unspecified;
-      default = { };
+      default = mapAttrs (_: s:
+        (removeAttrs s.definition ["generator"]) // {
+          parts = mapAttrs (_: part: removeAttrs part ["data"]) s.definition.parts;
+        }
+      ) config.secrets;
       description = "secrets.json contents";
     };
   };
   config = {
-    system = { inherit secretsData; };
     environment.systemPackages = [ pkgs.fleet-install-secrets ];
 
     systemd.services.fleet-install-secrets = mkIf useSysusers {