vinzenz/hyperhive
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
hyperhive/nix/frontend.nix
iris c8af7bc70c frontend: add hermetic nix derivation in nix/frontend.nix 
Phase 2 of #273. Adds `packages.${system}.frontend` to the flake —
a `buildNpmPackage` derivation that consumes the lockfile committed
in the previous step and produces two static dist trees under $out:

  $out/dashboard/   the hive-c0re dashboard SPA assets
                     (index.html, app.js, dashboard.css, favicon.svg)
  $out/agent/       the per-agent default UI assets
                     (index.html, app.js, stats.html, stats.js,
                      agent.css, screen.html)

The dashboard favicon lives outside the frontend src tree
(branding/hyperhive.svg at the repo root). It's passed in as a
callPackage argument so the hermetic build can grab it.

`npmDepsHash` is set to `lib.fakeHash` — the build will fail on
first attempt with the actual sha256 printed; copy that in. Use
`nix run nixpkgs#prefetch-npm-deps -- frontend/package-lock.json`
to recompute locally without a build round-trip (works from
operator's host; iris's container can't recompute it without
prefetch-npm-deps in PATH).

The Rust crates and NixOS modules continue to use the legacy
include_str! routes; cutover happens in Phase 4.

Refs #273.
2026-05-23 14:51:01 +02:00

60 lines
2.2 KiB
Nix
Raw Blame History

{
buildNpmPackage,
lib,
branding-svg,
}:
# Hermetic build of the npm-managed frontend workspaces (see
# `frontend/README.md`). Consumes `frontend/package-lock.json` as the
# source of truth for dependency versions; `npmDepsHash` pins the
# vendor-tarball hash so a stale lockfile fails the build instead of
# silently fetching different upstream tarballs.
#
# Output layout (`$out`) — two subdirectories, one per surface, that
# the Rust binaries serve via `tower_http::ServeDir`:
#
# $out/dashboard/ the hive-c0re dashboard SPA assets
# index.html app.js app.js.map dashboard.css favicon.svg
# $out/agent/ the per-agent default UI (layered with
# hyperhive.frontend.extraFiles at activation time)
# index.html app.js stats.html stats.js agent.css screen.html
#
# The dashboard favicon lives outside the npm tree (`branding/hyperhive
# .svg` at the repo root) — we copy it in during the install phase so
# the served prefix has everything in one place.
buildNpmPackage {
pname = "hyperhive-frontend";
version = "0.0.0";
src = ../frontend;
# Computed from `frontend/package-lock.json`. The build will fail
# with the actual hash printed on the first attempt; update this
# whenever package-lock.json changes. Use
# nix run nixpkgs#prefetch-npm-deps -- frontend/package-lock.json
# locally to recompute without a build round-trip.
npmDepsHash = lib.fakeHash;
# `npm run build` recurses into all workspaces (`--workspaces
# --if-present`). The workspaces' build scripts each run their own
# `build.mjs` (esbuild).
npmBuildScript = "build";
# buildNpmPackage's default install phase copies the working dir into
# $out, which is overkill — we only want the dist trees. Hand-roll
# the install to keep $out tight.
dontNpmInstall = true;
installPhase = ''
runHook preInstall
mkdir -p $out/dashboard $out/agent
cp -r packages/dashboard/dist/. $out/dashboard/
cp -r packages/agent/dist/. $out/agent/
cp ${branding-svg} $out/dashboard/favicon.svg
runHook postInstall
'';
meta = {
description = "Bundled browser-facing assets for the hyperhive dashboard and per-agent UI";
homepage = "https://git.berlin.ccc.de/vinzenz/hyperhive";
};
}
Reference in a new issue View git blame Copy permalink