Build improvements

.gitignore

@@ -1,7 +1,7 @@
 # Build output
-/.stack-work
+/dist-newstyle
 *.deb
 /package/vaultenv-*-linux-musl
 
-# auto-generated files
-*.cabal
+# Nix result symlinks
+result*

default.nix

@@ -1,12 +1,14 @@
 let
-  pkgs = import ./nix/nixpkgs.nix;
+  pkgs = import ./nix/nixpkgs.nix {};
+  ghc = pkgs.haskellPackages.ghcWithPackages (import ./nix/haskell-dependencies.nix);
 in
   pkgs.buildEnv {
     name = "vaultenv-devenv";
     paths = [
-      pkgs.stack
+      ghc
+      pkgs.cabal-install
+      pkgs.cachix
       pkgs.vault
-	  pkgs.cachix
     ];
   }
 

nix/haskell-dependencies.nix

@@ -0,0 +1,28 @@
+haskellPackages:
+  with haskellPackages;
+    [
+      QuickCheck
+      aeson
+      async
+      base
+      bytestring
+      connection
+      containers
+      directory
+      directory
+      dotenv
+      hspec
+      hspec-discover
+      hspec-expectations
+      http-client
+      http-conduit
+      megaparsec
+      optparse-applicative
+      optparse-applicative
+      parser-combinators
+      retry
+      text
+      unix
+      unordered-containers
+      utf8-string
+    ]

nix/nixpkgs.nix

@@ -1,13 +1,10 @@
-# Pin the version of nixpkgs to the one from `static-haskell-nix`.
-# This ensures that we only have a single version of nixpkgs. This
-# makes reasoning about the environment a lot easier. We don't want
-# to maintain our own nixpkgs distribution with the patches from the
-# `static-haskell-nix` project.
-#
-# Normally, we wouldn't do something like this, but in this instance
-# we really want a static binary.
 let
-  static-haskell-nix = import ./static-haskell-nix.nix;
-  pkgs = import "${static-haskell-nix}/nixpkgs.nix";
+  # Nixpkgs unstable on 2020-02-02. This is the same Nixpkgs as the one that
+  # static-haskell-nix uses. We use the same one to get cache hits.
+  rev = "0c960262d159d3a884dadc3d4e4b131557dad116";
+  tarball = fetchTarball {
+    url = "https://github.com/NixOS/nixpkgs/archive/${rev}.tar.gz";
+    sha256 = "sha256:0d7ms4dxbxvd6f8zrgymr6njvka54fppph1mrjjlcan7y0dhi5rb";
+  };
 in
-  pkgs
+  import tarball

nix/static-haskell-nix.nix

@@ -1,9 +1,10 @@
-# Pin static-haskell-nix version.
 let
-  static-haskell-nix-rev = "ff7715e0e13fb3f615e64a8d8c2e43faa4429b0f";
-  static-haskell-nix = builtins.fetchTarball {
-    url = "https://github.com/nh2/static-haskell-nix/archive/${static-haskell-nix-rev}.tar.gz";
-    sha256 = "sha256:17ir87i7sah9nixvh25qhzh19bqv3vgnfg4nfy4wv631q4gfj7fb";
+  # `master` on 2020-02-02.
+  rev = "c360f2a15f6947b411ecbd7ebaea925f6dbd68df";
+  tarball = fetchTarball {
+    url = "https://github.com/nh2/static-haskell-nix/archive/${rev}.tar.gz";
+    sha256 = "sha256:0y6ppiagh6dbvdhhnrq572xnw2yzn6d0gcmajrfdgdfwhsl21g95";
   };
 in
-  static-haskell-nix
+  # The logic we care about lives in this Nix file.
+  import "${tarball}/survey/default.nix"

nix/vaultenv.nix

@@ -0,0 +1,51 @@
+{ haskellPackages
+, mkDerivation
+, lib
+, pkgs
+, Cabal
+, static ? false
+}:
+
+mkDerivation {
+  pname = "vaultenv";
+  version = "0.13.1";
+
+  src =
+    lib.cleanSourceWith {
+      filter = path: type:
+        (lib.hasSuffix ".cabal" path || lib.hasSuffix ".hs" path || lib.hasSuffix ".secrets" path || type == "directory") &&
+        lib.cleanSourceFilter path type;
+      src = ../.;
+    };
+
+  # Explicitly depend a version of Cabal the library. Otherwise we can't
+  # pick up the right version when building the static library.
+  setupHaskellDepends = [ Cabal ];
+
+  # All these dependencies are concatenated into a global package-db.
+  # We don't need to be more granular here.
+  executableHaskellDepends = import ./haskell-dependencies.nix haskellPackages;
+
+  # We just want the executable. We're not interested in all the other
+  # stuff.
+  isExecutable = true;
+  enableSharedExecutables = false;
+  enableLibraryProfiling = false;
+  isLibrary = false;
+  doHaddock = false;
+  postFixup = "rm -rf $out/lib $out/nix-support $out/share/doc";
+
+  configureFlags = if static then [
+    # This flag requires we use the Cabal version from static-haskell-nix.
+    # It's patched in and sets some required GHC options. The regular cabal
+    # + static linking options for GHC don't work together with MUSL.
+    "--enable-executable-static"
+
+    # Unused when building against integer-simple.
+    "--extra-lib-dirs=${pkgs.gmp6.override { withStatic = true; }}/lib"
+
+    "--extra-lib-dirs=${pkgs.ncurses.override { enableStatic = true; }}/lib"
+  ] else [];
+
+  license = lib.licenses.bsd3;
+}

release.nix

@@ -0,0 +1,89 @@
+# This file wires up the different vaultenv releases that are available.
+let
+  pkgs = import ./nix/nixpkgs.nix {};
+
+  static = import ./nix/static-haskell-nix.nix {
+    integer-simple = true;
+    approach = "pkgsMusl";
+  };
+
+  static-gmp = import ./nix/static-haskell-nix.nix {
+    integer-simple = false;
+    approach = "pkgsMusl";
+  };
+
+  mkDeb = version: drv:
+    pkgs.stdenv.mkDerivation {
+      pname = "vaultenv";
+      inherit version;
+
+      buildInputs = [pkgs.dpkg pkgs.fakeroot];
+
+      phases = ["buildPhase" "installPhase"];
+
+      buildPhase = ''
+        mkdir --parents vaultenv/{DEBIAN,usr/bin,etc/secrets.d}
+        cp --archive ${drv}/bin/vaultenv vaultenv/usr/bin/vaultenv
+
+        cat > vaultenv/DEBIAN/control <<EOF
+        Package: vaultenv
+        Version: ${version}
+        Priority: optional
+        Architecture: amd64
+        Maintainer: Channable DevOps <ops@channable.com>
+        Description: Launch processes with secrets from Vault
+        EOF
+
+        # Make files writable for root but for no one else.
+        chmod --recursive u+w vaultenv
+        chmod --recursive go-w vaultenv
+
+        # Files should be owned by root, not by nixbld.
+        fakeroot dpkg-deb --build vaultenv
+      '';
+
+      installPhase = ''
+        mkdir "$out"
+        mv vaultenv.deb "$out/vaultenv-${version}.deb"
+      '';
+    };
+in
+  rec {
+    # Normal cabal build where Nix handles dependencies.
+    vaultenv = pkgs.haskellPackages.callPackage ./nix/vaultenv.nix {};
+
+    # NB: For both of these packages, we pass arguments explicitly instead
+    # of using `callPackage`. `callPackage` from `static-haskell-nix` does not
+    # appear to work.
+
+    # There is still something wrong with this derivation. I get errors in
+    # the tests of the TLS library.
+    vaultenv-static = (import ./nix/vaultenv.nix {
+      haskellPackages = static.haskellPackages;
+      static = true;
+      lib = static.lib;
+      pkgs = static.pkgs;
+      mkDerivation = static.haskellPackages.mkDerivation;
+      Cabal = static.haskellPackages.Cabal;
+    });
+
+    # Static binary including GMP. We cannot distribute this because vaultenv is
+    # not LGPL licensed. We can build it for ourselves though. We want this,
+    # because `integer-gmp` is a lot faster to use for TLS connections than
+    # `integer-simple`. This is useful when you start vaultenv a lot. Most users
+    # shouldn't need this.
+    vaultenv-static-gmp = (import ./nix/vaultenv.nix {
+      haskellPackages = static-gmp.haskellPackages;
+      static = true;
+      lib = static-gmp.lib;
+      pkgs = static-gmp.pkgs;
+      mkDerivation = static-gmp.haskellPackages.mkDerivation;
+
+      # We need to explicitly pass the Cabal version from static-haskell-nix
+      # because it includes some relevant patches.
+      Cabal = static-gmp.haskellPackages.Cabal;
+    });
+
+    vaultenv-static-deb = mkDeb "0.13.1" vaultenv-static;
+    vaultenv-static-gmp-deb = mkDeb "0.13.1" vaultenv-static-gmp;
+  }

src/Config.hs

@@ -29,10 +29,10 @@ import Data.Either (lefts, rights, isLeft)
 import Data.Version (showVersion)
 import Options.Applicative (value, long, auto, option, metavar, help, flag,
                             str, argument, many)
--- Cabal generates the @Paths_vaultenv_real@ module, which contains a @version@
+-- Cabal generates the @Paths_vaultenv@ module, which contains a @version@
 -- binding with the value out of the Cabal file. This feature is documented at:
 -- https://www.haskell.org/cabal/users-guide/developing-packages.html#accessing-data-files-from-package-code
-import Paths_vaultenv_real (version)
+import Paths_vaultenv (version)
 import System.IO.Error (catchIOError)
 import System.Exit (die)