From 605844f5bed9ec1ef1aaa88f2a56d453cf209915 Mon Sep 17 00:00:00 2001
From: Kayos
Date: Wed, 6 May 2026 21:24:35 -0700
Subject: [PATCH] nix: disable accept-flake-config to avoid ca-derivations schema crash
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous ca-derivations attempt didn't actually fix the schema issue — Nix 2.34.7's v10 → v11 migration (which adds the Realisations table) doesn't fire cleanly even with the feature pre-enabled at install time. First nix develop against a flake that requests ca-derivations crashes with `Assertion 'stmt.stmt' failed in nix::SQLiteStmt::Use::Use`.

Workaround: set accept-flake-config=false. Flake nixConfig blocks trying to add ca-derivations to our experimental-features get ignored. Realisation queries never fire. Builds use the default input-addressed path and work fine.

Substituters are now in our base nix.conf (cache.nixos.org + cache.iog.io) so we don't lose the IOG binary cache by ignoring the flake's substituter additions. mlabs.cachix.org dropped — it's a private cache returning 401 to anonymous reads.

Verified live: nix develop against github:Liqwid-Labs/agora proceeds past the previous crash point, pulling haskell-nix closure from cache.iog.io.
---
 Dockerfile | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3c36a1e..9798fc9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -312,15 +312,31 @@ USER crafter WORKDIR /home/crafter RUN mkdir -p /home/crafter/.config/nix \ && printf '%s\n' \ - 'experimental-features = nix-command flakes ca-derivations' \ + 'experimental-features = nix-command flakes' \ 'sandbox = false' \ - 'accept-flake-config = true' \ - 'substituters = https://cache.nixos.org https://cache.iog.io https://mlabs.cachix.org' \ - 'trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M=' \ + 'accept-flake-config = false' \ + 'substituters = https://cache.nixos.org https://cache.iog.io' \ + 'trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=' \ > /home/crafter/.config/nix/nix.conf \ && curl -fsSL https://nixos.org/nix/install -o /tmp/install-nix.sh \ && sh /tmp/install-nix.sh --no-daemon --no-channel-add --no-modify-profile \ && rm /tmp/install-nix.sh + +# Why accept-flake-config=false: +# Nix 2.34.7's schema-upgrade path from v10 to v11 (which adds the +# Realisations table that ca-derivations queries) doesn't fire +# cleanly, even with ca-derivations enabled at install time. +# Plutarch / Liqwid Agora / IOG flakes set +# `extra-experimental-features = [... "ca-derivations" ...]` in +# their nixConfig. With accept-flake-config=true that gets added +# to our experimental-features, then any flake operation crashes +# with `Assertion 'stmt.stmt' failed in nix::SQLiteStmt::Use::Use`. +# Disabling sidesteps the issue — ca-derivations is an optimization +# for content-addressed builds, not a hard requirement. +# +# Substituters set in our base nix.conf so we don't depend on the +# flake's additions. mlabs.cachix.org dropped — it's a private cache +# returning 401 to anonymous reads. ENV PATH=/home/crafter/.nix-profile/bin:$PATH # ============================================================
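Review bot: The comment block added after the RUN step justifies `accept-flake-config = false` only as a workaround for the schema crash, which invites flipping it back to `true` once the Nix bug is fixed. One more comment line should say the setting stays off regardless: with `true`, a flake's nixConfig is applied without prompting, which is how the flake's substituter additions were reaching this config, and the same nix.conf keeps `sandbox = false`. Separately, the comment ties the workaround to Nix 2.34.7, but the install step fetches the unversioned `https://nixos.org/nix/install`, so a rebuilt image may carry a different Nix than the one the comment describes; pinning the installer to that release, or stating the version as the condition for revisiting the workaround, would keep the two in sync.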