nix: disable accept-flake-config to avoid ca-derivations schema crash

The previous ca-derivations attempt didn't actually fix the schema issue — Nix 2.34.7's v10 → v11 migration (which adds the Realisations table) doesn't fire cleanly even with the feature pre-enabled at install time. First nix develop against a flake that requests ca-derivations crashes with `Assertion 'stmt.stmt' failed in nix::SQLiteStmt::Use::Use`. Workaround: set accept-flake-config=false. Flake nixConfig blocks trying to add ca-derivations to our experimental-features get ignored. Realisation queries never fire. Builds use the default input-addressed path and work fine. Substituters are now in our base nix.conf (cache.nixos.org + cache.iog.io) so we don't lose the IOG binary cache by ignoring the flake's substituter additions. mlabs.cachix.org dropped — it's a private cache returning 401 to anonymous reads. Verified live: nix develop against github:Liqwid-Labs/agora proceeds past the previous crash point, pulling haskell-nix closure from cache.iog.io.
2026-05-06 21:24:35 -07:00 · 2026-05-06 21:24:35 -07:00 · 605844f5be
commit 605844f5be
parent 740b92c7f4
1 changed files with 20 additions and 4 deletions
--- a/24
+++ b/24
@ -312,15 +312,31 @@ USER crafter
 WORKDIR /home/crafter
 RUN mkdir -p /home/crafter/.config/nix \
    && printf '%s\n' \
-        'experimental-features = nix-command flakes ca-derivations' \
+        'experimental-features = nix-command flakes' \
        'sandbox = false' \
-        'accept-flake-config = true' \
-        'substituters = https://cache.nixos.org https://cache.iog.io https://mlabs.cachix.org' \
-        'trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ= mlabs.cachix.org-1:gStKdEqNKcrlSQw5iMW6wFCj3+b+1ASpBVY2SYuNV2M=' \
+        'accept-flake-config = false' \
+        'substituters = https://cache.nixos.org https://cache.iog.io' \
+        'trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= hydra.iohk.io:f/Ea+s+dFdN+3Y/G+FDgSq+a5NEWhJGzdjvKNGv0/EQ=' \
        > /home/crafter/.config/nix/nix.conf \
    && curl -fsSL https://nixos.org/nix/install -o /tmp/install-nix.sh \
    && sh /tmp/install-nix.sh --no-daemon --no-channel-add --no-modify-profile \
    && rm /tmp/install-nix.sh
+
+# Why accept-flake-config=false:
+#   Nix 2.34.7's schema-upgrade path from v10 to v11 (which adds the
+#   Realisations table that ca-derivations queries) doesn't fire
+#   cleanly, even with ca-derivations enabled at install time.
+#   Plutarch / Liqwid Agora / IOG flakes set
+#   `extra-experimental-features = [... "ca-derivations" ...]` in
+#   their nixConfig. With accept-flake-config=true that gets added
+#   to our experimental-features, then any flake operation crashes
+#   with `Assertion 'stmt.stmt' failed in nix::SQLiteStmt::Use::Use`.
+#   Disabling sidesteps the issue — ca-derivations is an optimization
+#   for content-addressed builds, not a hard requirement.
+#
+# Substituters set in our base nix.conf so we don't depend on the
+# flake's additions. mlabs.cachix.org dropped — it's a private cache
+# returning 401 to anonymous reads.
 ENV PATH=/home/crafter/.nix-profile/bin:$PATH

 # ============================================================