Refactor flake modules (#1699)

This change is breaking for flake module users. Removes settings in the
configuration, e.g. use nixos.path instead of nixos.settings.path now.

Factors the logic behind installation-script out into
`installation-script.nix` and doesn't use submodules anymore to reduce
complexity.

Author: jaroeichler

flake-module.nix

@@ -3,42 +3,99 @@
   flake-parts-lib,
   ...
 }: {
-  options = {
-    perSystem = flake-parts-lib.mkPerSystemOption (
-      {
-        config,
-        options,
-        pkgs,
-        ...
-      }: let
-        cfg = config.nativelink;
-      in {
-        options = {
-          nativelink = {
-            pkgs = lib.mkOption {
-              type = lib.types.uniq (lib.types.lazyAttrsOf (lib.types.raw or lib.types.unspecified));
-              description = "Nixpkgs to use.";
-              default = pkgs;
-              defaultText = lib.literalMD "`pkgs` (module argument)";
-            };
-            settings = lib.mkOption {
-              type = lib.types.submoduleWith {
-                modules = [./modules/nativelink.nix];
-                specialArgs = {inherit (cfg) pkgs;};
-              };
-              default = {};
-              description = "Configuration for Bazel on Darwin.";
-            };
-            installationScript = lib.mkOption {
-              type = lib.types.str;
-              description = "Create nativelink.bazelrc.";
-              default = cfg.settings.installationScript;
-              defaultText = lib.literalMD "bazelrc content";
-              readOnly = true;
-            };
-          };
+  options.perSystem = flake-parts-lib.mkPerSystemOption (
+    {
+      config,
+      options,
+      pkgs,
+      ...
+    }: let
+      namespace = "nativelink";
+      cfg = config.${namespace};
+    in {
+      options.${namespace} = {
+        enable = lib.mkOption {
+          type = lib.types.bool;
+          default = true;
+        };
+        installationScript = lib.mkOption {
+          type = lib.types.str;
+          default = "";
+          description = lib.mkDoc ''
+            A bash snippet that creates a nixos.bazelrc file in the repository.
+          '';
+        };
+        api-key = lib.mkOption {
+          type = lib.types.str;
+          description = lib.mdDoc ''
+            The API key to connect to the NativeLink Cloud.
+
+            You should only use read-only keys here to prevent cache-poisoning and
+            malicious artifact extractions.
+
+            Defaults to NativeLink's shared read-only api key.
+          '';
+          default = "065f02f53f26a12331d5cfd00a778fb243bfb4e857b8fcd4c99273edfb15deae";
         };
-      }
-    );
-  };
+        endpoint = lib.mkOption {
+          type = lib.types.str;
+          description = lib.mdDoc ''
+            The NativeLink Cloud endpoint.
+
+            Defaults to NativeLink's shared cache.
+          '';
+          default = "grpcs://cas-tracemachina-shared.build-faster.nativelink.net";
+        };
+        prefix = lib.mkOption {
+          type = lib.types.str;
+          description = lib.mdDoc ''
+            An optional Bazel config prefix for the flags in `nativelink.bazelrc`.
+
+            If set, builds need to explicitly enable the nativelink config via
+            `--config=<prefix>`.
+
+            Defaults to an empty string, enabling the cache by default.
+          '';
+          default = "";
+        };
+      };
+
+      config.${namespace} = {
+        installationScript = let
+          bazelrcContent = lib.concatLines maybePrefixedConfig;
+
+          # These flags cause Bazel builds to connect to NativeLink's read-only cache.
+          #
+          # ```nix
+          # devShells.default = pkgs.mkShell {
+          #   shellHook = ''
+          #   # Generate the `lre.bazelrc` config file.
+          #   ${config.nativelink.installationScript}
+          #   '';
+          # };
+          # ```
+          defaultConfig = [
+            "--remote_cache=${cfg.endpoint}"
+            "--remote_header=x-nativelink-api-key=${cfg.api-key}"
+            "--remote_header=x-nativelink-project=nativelink-ci"
+            "--nogenerate_json_trace_profile"
+            "--remote_upload_local_results=false"
+            "--remote_cache_async"
+          ];
+
+          # If the `nativelink.prefix` is set to a nonempty string,
+          # prefix the Bazel build commands with that string. This will disable
+          # connecting to the nativelink-cloud by default and require adding
+          # `--config=<prefix>` to Bazel invocations.
+          maybePrefixedConfig =
+            if (cfg.prefix == "")
+            then map (x: "build " + x) defaultConfig
+            else map (x: "build:" + cfg.prefix + " " + x) defaultConfig;
+        in
+          import ./tools/installation-script.nix {
+            inherit bazelrcContent namespace pkgs;
+          };
+      };
+    }
+  );
 }

flake.nix

@@ -381,7 +381,7 @@
             nightly-rust = pkgs.rust-bin.nightly.${pkgs.lre.nightly-rust.meta.version};
           };
         };
-        lre.settings = {
+        lre = {
           Env = with pkgs.lre;
             if pkgs.stdenv.isDarwin
             then lre-rs.meta.Env # C++ doesn't support Darwin yet.
@@ -391,7 +391,7 @@
             then "macos"
             else "linux";
         };
-        nixos.settings.path = with pkgs; [
+        nixos.path = with pkgs; [
           "/run/current-system/sw/bin"
           "${binutils.bintools}/bin"
           "${uutils-coreutils-noprefix}/bin"
@@ -470,20 +470,21 @@
               # development shell.
               ${config.pre-commit.installationScript}
 
-              # Generate lre.bazelrc which configures LRE toolchains when
+              # Generate local-remote-execution.bazelrc which configures LRE toolchains when
               # running in the nix environment.
               ${config.lre.installationScript}
 
               # Generate nativelink.bazelrc which gives Bazel invocations access
               # to NativeLink's read-only cache.
               ${config.nativelink.installationScript}
 
-              # If on NixOS, generate nixos.bazelrc which adds the required
+              # If on NixOS, generate nixos.bazelrc, which adds the required
               # NixOS binary paths to the bazel environment.
-              if [ -e /etc/nixos ]; then
-                ${config.nixos.installationScript}
-                export CC=customClang
-              fi
+              ${config.nixos.installationScript}
+
+              # If on Darwin, generate darwin.bazelrc, which configures darwin
+              # libs and frameworks.
+              ${config.darwin.installationScript}
 
               # The Bazel and Cargo builds in nix require a Clang toolchain.
               # TODO(aaronmondal): The Bazel build currently uses the
@@ -497,11 +498,6 @@
               export PATH=$HOME/.deno/bin:$PATH
               deno types > web/platform/utils/deno.d.ts
             ''
-            + pkgs.lib.optionalString pkgs.stdenv.isDarwin ''
-              # On Darwin generate darwin.bazelrc which configures
-              # darwin libs & frameworks when running in the nix environment.
-              ${config.darwin.installationScript}
-            ''
             # TODO(aaronmondal): Generalize this.
             + pkgs.lib.optionalString (system == "x86_64-linux") ''
               export CC_x86_64_unknown_linux_gnu=customClang

local-remote-execution/README.md

@@ -106,7 +106,7 @@ an optional `prefix` input to configure the generated `lre.bazelrc`:
 
 ```nix
 # This is a top-level field, next to `packages` and `apps`, and `devShells`
-lre.settings = {
+lre = {
   # In this example we import the lre-cc environment from nativelink and make it
   # available locally.
   inherit (lre-cc.meta) Env;
@@ -270,8 +270,8 @@ invoke a build against the cluster:
 CACHE=$(kubectl get gtw cache -o=jsonpath='{.status.addresses[0].value}')
 SCHEDULER=$(kubectl get gtw scheduler -o=jsonpath='{.status.addresses[0].value}')
 
-# Note: If you omit setting a `prefix` the `lre.settings` you
-#       can omit `--config=lre` here as LRE will be enabled by default.
+# Note: If you don't set `lre.prefix`, you can omit `--config=lre` here as
+# LRE will be enabled by default.
 bazel build \
     --config=lre \
     --remote_instance_name=main \
@@ -300,8 +300,8 @@ bazel clean
 
 CACHE=$(kubectl get gtw cache -o=jsonpath='{.status.addresses[0].value}')
 
-# Note: If you omit setting a `prefix` the `lre.settings` you
-#       can omit `--config=lre` here as LRE will be enabled by default.
+# Note: If you don't set `lre.prefix`, you can omit `--config=lre` here as
+# LRE will be enabled by default.
 bazel build \
     --config=lre \
     --remote_instance_name=main \