bazel: always use nix

.bazelrc

@@ -40,9 +40,8 @@ common:linux_amd64_static --platforms @zig_sdk//libc_aware/platform:linux_amd64_
 common:linux_arm64_static --platforms @zig_sdk//libc_aware/platform:linux_arm64_musl
 
 # bazel configs to explicitly target NixOS
-common:nix --host_platform=@io_tweag_rules_nixpkgs//nixpkgs/platforms:host
-common:nix --crosstool_top=@local_config_cc//:toolchain
-common:nix --action_env=BAZEL_NIX_HOST_PLATFORM=1
+common --host_platform=@io_tweag_rules_nixpkgs//nixpkgs/platforms:host
+common --crosstool_top=@local_config_cc//:toolchain
 
 # bazel config to explicitly disable stamping (hide version information at build time)
 common:nostamp --nostamp --workspace_status_command=

.github/workflows/build-os-image.yml

@@ -172,9 +172,9 @@ jobs:
           TARGET: //image/system:${{ matrix.csp }}_${{ matrix.attestation_variant }}_${{ needs.build-settings.outputs.stream }}
         run: |
           echo "::group::Build"
-          bazel build --host_platform=@rules_nixpkgs_core//platforms:host "${TARGET}"
+          bazel build "${TARGET}"
           {
-            echo "image-dir=$(bazel cquery --host_platform=@rules_nixpkgs_core//platforms:host --output=files "$TARGET")"
+            echo "image-dir=$(bazel cquery --output=files "$TARGET")"
           } | tee -a "$GITHUB_OUTPUT"
           echo "::endgroup::"
 

WORKSPACE.bazel

@@ -13,7 +13,7 @@ load("@io_tweag_rules_nixpkgs//nixpkgs:repositories.bzl", "rules_nixpkgs_depende
 
 rules_nixpkgs_dependencies()
 
-load("@io_tweag_rules_nixpkgs//nixpkgs:nixpkgs.bzl", "nixpkgs_flake_package", "nixpkgs_git_repository", "nixpkgs_package", "nixpkgs_python_configure")
+load("@io_tweag_rules_nixpkgs//nixpkgs:nixpkgs.bzl", "nixpkgs_cc_configure", "nixpkgs_flake_package", "nixpkgs_git_repository", "nixpkgs_package", "nixpkgs_python_configure")
 
 nixpkgs_git_repository(
     name = "nixpkgs",
@@ -38,32 +38,27 @@ nixpkgs_package(
     repository = "@nixpkgs",
 )
 
-load("//bazel/mkosi:mkosi_configure.bzl", "find_system_mkosi")
+load("//bazel/mkosi:mkosi_configure.bzl", "register_mkosi")
 
-find_system_mkosi(name = "constellation_mkosi")
+register_mkosi(
+    name = "mkosi_nix_toolchain",
+)
 
 # Python toolchain
 load("//bazel/toolchains:python_deps.bzl", "python_deps")
 
 python_deps()
 
-load("@rules_python//python:repositories.bzl", "py_repositories", "python_register_toolchains")
+load("@rules_python//python:repositories.bzl", "py_repositories")
 
 py_repositories()
 
-# if nix is installed, use nixpkgs python toolchain...
 nixpkgs_python_configure(
     fail_not_supported = False,
-    python3_attribute_path = "python311.withPackages(ps: with ps; [ numpy ])",
+    python3_attribute_path = "python311",
     repository = "@nixpkgs",
 )
 
-# ... otherwise, fall back to rules_python toolchain
-python_register_toolchains(
-    name = "python3_11",
-    python_version = "3.11",
-)
-
 # Go toolchain
 load("//bazel/toolchains:go_rules_deps.bzl", "go_deps")
 
@@ -78,19 +73,13 @@ load("@io_bazel_rules_go//go:deps.bzl", "go_rules_dependencies")
 
 go_rules_dependencies()
 
-local_repository(
-    name = "nixos-support",
-    path = "bazel/nixos-support",
+load("@io_tweag_rules_nixpkgs//nixpkgs:toolchains/go.bzl", "nixpkgs_go_configure")
+
+nixpkgs_go_configure(
+    attribute_path = "go_1_21",
+    repository = "@nixpkgs",
 )
 
-load("@nixos-support//:nixos-support.bzl", "gen_imports")
-
-gen_imports()
-
-load("@nixos_support//:imports.bzl", "cc_toolchain", "go_toolchain")
-
-go_toolchain()
-
 load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies")
 
 gazelle_dependencies(go_repository_default_config = "//:WORKSPACE.bazel")
@@ -152,7 +141,21 @@ load("@hermetic_cc_toolchain//toolchain:defs.bzl", zig_toolchains = "toolchains"
 
 zig_toolchains()
 
-cc_toolchain()
+nixpkgs_cc_configure(repository = "@nixpkgs")
+
+register_toolchains(
+    "@zig_sdk//libc_aware/toolchain:linux_amd64_gnu.2.23",
+    "@zig_sdk//libc_aware/toolchain:linux_arm64_gnu.2.23",
+    "@zig_sdk//libc_aware/toolchain:linux_amd64_musl",
+    "@zig_sdk//libc_aware/toolchain:linux_arm64_musl",
+    "@zig_sdk//toolchain:linux_amd64_gnu.2.23",
+    "@zig_sdk//toolchain:linux_arm64_gnu.2.23",
+    "@zig_sdk//toolchain:linux_amd64_musl",
+    "@zig_sdk//toolchain:linux_arm64_musl",
+    "@zig_sdk//toolchain:darwin_amd64",
+    "@zig_sdk//toolchain:darwin_arm64",
+    "@zig_sdk//toolchain:windows_amd64",
+)
 
 load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 

bazel/ci/BUILD.bazel

@@ -410,18 +410,12 @@ repo_command(
 
 sh_template(
     name = "proto_targets_check",
-    data = select({
-        "@rules_nixpkgs_core//constraints:support_nix": [
-            "@diffutils//:bin/diff",
-        ],
-        "//conditions:default": [],
-    }),
-    env = select({
-        "@rules_nixpkgs_core//constraints:support_nix": {
-            "DIFF": "$(rootpath @diffutils//:bin/diff)",
-        },
-        "//conditions:default": {},
-    }),
+    data = [
+        "@diffutils//:bin/diff",
+    ],
+    env = {
+        "DIFF": "$(rootpath @diffutils//:bin/diff)",
+    },
     substitutions = {
         "@@PROTO_TARGETS@@": " ".join(proto_targets()),
     },

bazel/mkosi/BUILD.bazel

@@ -5,9 +5,6 @@ Type: @constellation//bazel/mkosi:toolchain_type
 Toolchains:
 - mkosi_missing_toolchain: provides a fallback toolchain for exec platforms
   where mkosi might not be available.
-
-- mkosi_auto_toolchain: a toolchain that uses the installed mkosi. See
-  mkosi_configure.bzl%find_system_mkosi for usage.
 """
 
 load(":toolchain.bzl", "is_mkosi_available", "mkosi_make_variables", "mkosi_toolchain")

bazel/mkosi/BUILD.tpl

@@ -1,13 +0,0 @@
-# This content is generated by {GENERATOR}
-load("@constellation//bazel/mkosi:toolchain.bzl", "mkosi_toolchain")
-
-mkosi_toolchain(
-    name = "mkosi_auto",
-    path = "{MKOSI_PATH}",
-)
-
-toolchain(
-    name = "mkosi_auto_toolchain",
-    toolchain = ":mkosi_auto",
-    toolchain_type = "@constellation//bazel/mkosi:toolchain_type",
-)

bazel/mkosi/mkosi_configure.bzl

@@ -1,43 +1,7 @@
-"""Repository rule to autoconfigure a toolchain using the system mkosi."""
+"""Repository rule to configure a toolchain using nixpkgs mkosi."""
 
-def _write_build(rctx, path):
-    if not path:
-        path = ""
-    rctx.template(
-        "BUILD",
-        Label("//bazel/mkosi:BUILD.tpl"),
-        substitutions = {
-            "{GENERATOR}": "@constellation//bazel/mkosi/mkosi_configure.bzl%find_system_mkosi",
-            "{MKOSI_PATH}": str(path),
-        },
-        executable = False,
-    )
-
-def _find_system_mkosi_impl(rctx):
-    mkosi_path = rctx.which("mkosi")
-    if rctx.attr.verbose:
-        if mkosi_path:
-            print("Found mkosi at '%s'" % mkosi_path)  # buildifier: disable=print
-        else:
-            print("No system mkosi found.")  # buildifier: disable=print
-    _write_build(rctx = rctx, path = mkosi_path)
-
-_find_system_mkosi = repository_rule(
-    implementation = _find_system_mkosi_impl,
-    doc = """Create a repository that defines an mkosi toolchain based on the system mkosi.""",
-    local = True,
-    environ = ["PATH"],
-    attrs = {
-        "verbose": attr.bool(
-            doc = "If true, print status messages.",
-        ),
-    },
-)
-
-def find_system_mkosi(name, verbose = False):
-    _find_system_mkosi(name = name, verbose = verbose)
+def register_mkosi(name):
     native.register_toolchains(
         "@constellation//bazel/mkosi:mkosi_nix_toolchain",
-        "@%s//:mkosi_auto_toolchain" % name,
         "@constellation//bazel/mkosi:mkosi_missing_toolchain",
     )

bazel/nixos-support/nixos-support.bzl

@@ -1,69 +0,0 @@
-""" A repository rule use either nixpkgs or download a go toolchain / SDK """
-
-def _has_nix(ctx):
-    return ctx.os.environ.get("BAZEL_NIX_HOST_PLATFORM", "0") == "1"
-
-def _gen_imports_impl(ctx):
-    ctx.file("BUILD", "")
-
-    imports_for_nix = """
-load("@io_tweag_rules_nixpkgs//nixpkgs:nixpkgs.bzl", "nixpkgs_cc_configure")
-load("@io_tweag_rules_nixpkgs//nixpkgs:toolchains/go.bzl", "nixpkgs_go_configure")
-
-def go_toolchain():
-    nixpkgs_go_configure(
-        repository = "@nixpkgs",
-        attribute_path = "go_1_21",
-    )
-
-def cc_toolchain():
-    nixpkgs_cc_configure(repository = "@nixpkgs")
-    native.register_toolchains(
-        "@zig_sdk//libc_aware/toolchain:linux_amd64_gnu.2.23",
-        "@zig_sdk//libc_aware/toolchain:linux_arm64_gnu.2.23",
-        "@zig_sdk//libc_aware/toolchain:linux_amd64_musl",
-        "@zig_sdk//libc_aware/toolchain:linux_arm64_musl",
-        "@zig_sdk//toolchain:linux_amd64_gnu.2.23",
-        "@zig_sdk//toolchain:linux_arm64_gnu.2.23",
-        "@zig_sdk//toolchain:linux_amd64_musl",
-        "@zig_sdk//toolchain:linux_arm64_musl",
-        "@zig_sdk//toolchain:darwin_amd64",
-        "@zig_sdk//toolchain:darwin_arm64",
-        "@zig_sdk//toolchain:windows_amd64",
-    )
-    """
-    imports_for_non_nix = """
-load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains")
-
-def go_toolchain():
-    go_register_toolchains(version = "1.21.1")
-
-def cc_toolchain():
-    native.register_toolchains(
-        "@zig_sdk//libc_aware/toolchain:linux_amd64_gnu.2.23",
-        "@zig_sdk//libc_aware/toolchain:linux_arm64_gnu.2.23",
-        "@zig_sdk//libc_aware/toolchain:linux_amd64_musl",
-        "@zig_sdk//libc_aware/toolchain:linux_arm64_musl",
-        "@zig_sdk//toolchain:linux_amd64_gnu.2.23",
-        "@zig_sdk//toolchain:linux_arm64_gnu.2.23",
-        "@zig_sdk//toolchain:linux_amd64_musl",
-        "@zig_sdk//toolchain:linux_arm64_musl",
-        "@zig_sdk//toolchain:darwin_amd64",
-        "@zig_sdk//toolchain:darwin_arm64",
-        "@zig_sdk//toolchain:windows_amd64",
-    )
-    """
-
-    if _has_nix(ctx):
-        ctx.file("imports.bzl", imports_for_nix)
-    else:
-        ctx.file("imports.bzl", imports_for_non_nix)
-
-_gen_imports = repository_rule(
-    implementation = _gen_imports_impl,
-)
-
-def gen_imports():
-    _gen_imports(
-        name = "nixos_support",
-    )

dev-docs/workflows/build-develop-deploy.md

@@ -7,35 +7,21 @@ Prerequisites:
 * 20GB (minimum), better 40 GB disk space (required if you want to cross compile for all platforms)
 * [Latest version of Go](https://go.dev/doc/install).
 * Unless you use Nix / NixOS: [Bazelisk installed as `bazel` in your path](https://github.com/bazelbuild/bazelisk/releases).
-* We recommend Nix installed via [determinate systems installer](https://github.com/DeterminateSystems/nix-installer) (or NixOS as host system).
+* We require Nix to be installed. It is recommended to install nix using the [determinate systems installer](https://github.com/DeterminateSystems/nix-installer) (or to use NixOS as host system).
 * [Docker](https://docs.docker.com/engine/install/). Can be installed with these commands on Ubuntu 22.04: `sudo apt update && sudo apt install docker.io`. As the build spawns docker containers your user account either needs to be in the `docker` group (Add with `sudo usermod -a -G docker $USER`) or you have to run builds with `sudo`. When using `sudo` remember that your root user might (depending on your distro and local config) not have the go binary in it's PATH. The current PATH can be forwarded to the root env with `sudo env PATH=$PATH <cmd>`.
 
 ## Prequisites
 
 ### Linux
 
-* Packages on NixOS or with Nix installed (use flake.nix in this repo):
+* If you don't want to perform any setup, you can get a shell with Bazel and all required dependencies by running:
 
   ```sh
-  # add "common --config=nix" to your .bazeloverwriterc if you want to get nix compatible toolchains
-  echo "common --config=nix" >> .bazeloverwriterc
   # better would be: nix develop -i
   # but this doesn't play nice with bashrc, colored output and non-hermetic tools
   nix develop
   ```
 
-* Packages on Ubuntu:
-
-  ```sh
-  sudo apt install build-essential cmake libssl-dev pkg-config libcryptsetup12 libcryptsetup-dev
-  ```
-
-* Packages on Fedora:
-
-  ```sh
-  sudo dnf install @development-tools pkg-config cmake openssl-devel cryptsetup-libs cryptsetup-devel
-  ```
-
 ### Mac
 
 * To fix unsupported shell options used in some build script:

image/README.md

@@ -1,9 +1,8 @@
 ## Setup
 
-Ensure you have Nix installed. This is recommended in general but a requirement for the following steps.
+Ensure you have Nix installed. This is a requirement for the following steps.
 Consult the [developer docs](/dev-docs/workflows/build-develop-deploy.md) for more info.
-At the very least, `nix` should be in your PATH and either `common --config=nix`
-has to be set in the `.bazelrc` or you need to append `--config=nix` to each Bazel command.
+At the very least, `nix` should be in your PATH.
 
 ## Build
 

image/measured-boot/cmd/BUILD.bazel

@@ -16,19 +16,13 @@ go_library(
 go_binary(
     name = "cmd",
     # keep
-    data = select({
-        "@rules_nixpkgs_core//constraints:support_nix": [
-            "@systemd//:bin/systemd-dissect",
-        ],
-        "//conditions:default": [],
-    }),
+    data = [
+        "@systemd//:bin/systemd-dissect",
+    ],
     embed = [":cmd_lib"],
     # keep
-    env = select({
-        "@rules_nixpkgs_core//constraints:support_nix": {
-            "DISSECT_TOOLCHAIN": "$(rootpath @systemd//:bin/systemd-dissect)",
-        },
-        "//conditions:default": {},
-    }),
+    env = {
+        "DISSECT_TOOLCHAIN": "$(rootpath @systemd//:bin/systemd-dissect)",
+    },
     visibility = ["//visibility:public"],
 )