From c8af7bc70ca51f7fb8bd4dcfff268f344425b92f Mon Sep 17 00:00:00 2001 From: iris Date: Sat, 23 May 2026 13:05:07 +0200 Subject: [PATCH] frontend: add hermetic nix derivation in nix/frontend.nix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Phase 2 of #273. Adds `packages.${system}.frontend` to the flake — a `buildNpmPackage` derivation that consumes the lockfile committed in the previous step and produces two static dist trees under $out: $out/dashboard/ the hive-c0re dashboard SPA assets (index.html, app.js, dashboard.css, favicon.svg) $out/agent/ the per-agent default UI assets (index.html, app.js, stats.html, stats.js, agent.css, screen.html) The dashboard favicon lives outside the frontend src tree (branding/hyperhive.svg at the repo root). It's passed in as a callPackage argument so the hermetic build can grab it. `npmDepsHash` is set to `lib.fakeHash` — the build will fail on first attempt with the actual sha256 printed; copy that in. Use `nix run nixpkgs#prefetch-npm-deps -- frontend/package-lock.json` to recompute locally without a build round-trip (works from operator's host; iris's container can't recompute it without prefetch-npm-deps in PATH). The Rust crates and NixOS modules continue to use the legacy include_str! routes; cutover happens in Phase 4. Refs #273. --- flake.nix | 8 ++++++- nix/frontend.nix | 60 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 67 insertions(+), 1 deletion(-) create mode 100644 nix/frontend.nix diff --git a/flake.nix b/flake.nix index db3efb4..5b74a87 100644 --- a/flake.nix +++ b/flake.nix @@ -51,12 +51,18 @@ in { packages = forAllSystems ( - { naersk-lib, ... }: + { pkgs, naersk-lib, ... }: { default = naersk-lib.buildPackage { src = ./.; meta.description = "hyperhive workspace (hive-c0re, hive-ag3nt, hive-m1nd)"; }; + # Bundled browser assets — see ./nix/frontend.nix. Output is + # $out/{dashboard,agent}/ which the Rust binaries serve via + # tower_http::ServeDir (wired up in Phase 4 of #273). + frontend = pkgs.callPackage ./nix/frontend.nix { + branding-svg = ./branding/hyperhive.svg; + }; } ); diff --git a/nix/frontend.nix b/nix/frontend.nix new file mode 100644 index 0000000..c161ed2 --- /dev/null +++ b/nix/frontend.nix @@ -0,0 +1,60 @@ +{ + buildNpmPackage, + lib, + branding-svg, +}: + +# Hermetic build of the npm-managed frontend workspaces (see +# `frontend/README.md`). Consumes `frontend/package-lock.json` as the +# source of truth for dependency versions; `npmDepsHash` pins the +# vendor-tarball hash so a stale lockfile fails the build instead of +# silently fetching different upstream tarballs. +# +# Output layout (`$out`) — two subdirectories, one per surface, that +# the Rust binaries serve via `tower_http::ServeDir`: +# +# $out/dashboard/ the hive-c0re dashboard SPA assets +# index.html app.js app.js.map dashboard.css favicon.svg +# $out/agent/ the per-agent default UI (layered with +# hyperhive.frontend.extraFiles at activation time) +# index.html app.js stats.html stats.js agent.css screen.html +# +# The dashboard favicon lives outside the npm tree (`branding/hyperhive +# .svg` at the repo root) — we copy it in during the install phase so +# the served prefix has everything in one place. + +buildNpmPackage { + pname = "hyperhive-frontend"; + version = "0.0.0"; + src = ../frontend; + + # Computed from `frontend/package-lock.json`. The build will fail + # with the actual hash printed on the first attempt; update this + # whenever package-lock.json changes. Use + # nix run nixpkgs#prefetch-npm-deps -- frontend/package-lock.json + # locally to recompute without a build round-trip. + npmDepsHash = lib.fakeHash; + + # `npm run build` recurses into all workspaces (`--workspaces + # --if-present`). The workspaces' build scripts each run their own + # `build.mjs` (esbuild). + npmBuildScript = "build"; + + # buildNpmPackage's default install phase copies the working dir into + # $out, which is overkill — we only want the dist trees. Hand-roll + # the install to keep $out tight. + dontNpmInstall = true; + installPhase = '' + runHook preInstall + mkdir -p $out/dashboard $out/agent + cp -r packages/dashboard/dist/. $out/dashboard/ + cp -r packages/agent/dist/. $out/agent/ + cp ${branding-svg} $out/dashboard/favicon.svg + runHook postInstall + ''; + + meta = { + description = "Bundled browser-facing assets for the hyperhive dashboard and per-agent UI"; + homepage = "https://git.berlin.ccc.de/vinzenz/hyperhive"; + }; +}