frontend: add hermetic nix derivation in nix/frontend.nix
Phase 2 of #273. Adds `packages.${system}.frontend` to the flake — a `buildNpmPackage` derivation that consumes the lockfile committed in the previous step and produces two static dist trees under $out: $out/dashboard/ the hive-c0re dashboard SPA assets (index.html, app.js, dashboard.css, favicon.svg) $out/agent/ the per-agent default UI assets (index.html, app.js, stats.html, stats.js, agent.css, screen.html) The dashboard favicon lives outside the frontend src tree (branding/hyperhive.svg at the repo root). It's passed in as a callPackage argument so the hermetic build can grab it. `npmDepsHash` is set to `lib.fakeHash` — the build will fail on first attempt with the actual sha256 printed; copy that in. Use `nix run nixpkgs#prefetch-npm-deps -- frontend/package-lock.json` to recompute locally without a build round-trip (works from operator's host; iris's container can't recompute it without prefetch-npm-deps in PATH). The Rust crates and NixOS modules continue to use the legacy include_str! routes; cutover happens in Phase 4. Refs #273.
This commit is contained in:
iris
Mara
parent
9c7d4df08c
commit
c8af7bc70c
2 changed files with 67 additions and 1 deletions
60
nix/frontend.nix
Normal file
60
nix/frontend.nix
Normal file
|
|
@ -0,0 +1,60 @@
|
|||
{
|
||||
buildNpmPackage,
|
||||
lib,
|
||||
branding-svg,
|
||||
}:
|
||||
|
||||
# Hermetic build of the npm-managed frontend workspaces (see
|
||||
# `frontend/README.md`). Consumes `frontend/package-lock.json` as the
|
||||
# source of truth for dependency versions; `npmDepsHash` pins the
|
||||
# vendor-tarball hash so a stale lockfile fails the build instead of
|
||||
# silently fetching different upstream tarballs.
|
||||
#
|
||||
# Output layout (`$out`) — two subdirectories, one per surface, that
|
||||
# the Rust binaries serve via `tower_http::ServeDir`:
|
||||
#
|
||||
# $out/dashboard/ the hive-c0re dashboard SPA assets
|
||||
# index.html app.js app.js.map dashboard.css favicon.svg
|
||||
# $out/agent/ the per-agent default UI (layered with
|
||||
# hyperhive.frontend.extraFiles at activation time)
|
||||
# index.html app.js stats.html stats.js agent.css screen.html
|
||||
#
|
||||
# The dashboard favicon lives outside the npm tree (`branding/hyperhive
|
||||
# .svg` at the repo root) — we copy it in during the install phase so
|
||||
# the served prefix has everything in one place.
|
||||
|
||||
buildNpmPackage {
|
||||
pname = "hyperhive-frontend";
|
||||
version = "0.0.0";
|
||||
src = ../frontend;
|
||||
|
||||
# Computed from `frontend/package-lock.json`. The build will fail
|
||||
# with the actual hash printed on the first attempt; update this
|
||||
# whenever package-lock.json changes. Use
|
||||
# nix run nixpkgs#prefetch-npm-deps -- frontend/package-lock.json
|
||||
# locally to recompute without a build round-trip.
|
||||
npmDepsHash = lib.fakeHash;
|
||||
|
||||
# `npm run build` recurses into all workspaces (`--workspaces
|
||||
# --if-present`). The workspaces' build scripts each run their own
|
||||
# `build.mjs` (esbuild).
|
||||
npmBuildScript = "build";
|
||||
|
||||
# buildNpmPackage's default install phase copies the working dir into
|
||||
# $out, which is overkill — we only want the dist trees. Hand-roll
|
||||
# the install to keep $out tight.
|
||||
dontNpmInstall = true;
|
||||
installPhase = ''
|
||||
runHook preInstall
|
||||
mkdir -p $out/dashboard $out/agent
|
||||
cp -r packages/dashboard/dist/. $out/dashboard/
|
||||
cp -r packages/agent/dist/. $out/agent/
|
||||
cp ${branding-svg} $out/dashboard/favicon.svg
|
||||
runHook postInstall
|
||||
'';
|
||||
|
||||
meta = {
|
||||
description = "Bundled browser-facing assets for the hyperhive dashboard and per-agent UI";
|
||||
homepage = "https://git.berlin.ccc.de/vinzenz/hyperhive";
|
||||
};
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue