---
title: swift2nix: Run Swift inside Nix builds
date: 2020-10-05
layout: post
lang: en
ref: swift2nix-run-swift-inside-nix-builds
category: swift2nix
---

While working on a Swift project, I didn't find any tool that would allow Swift
to run inside [Nix][nix] builds. Even thought you *can* run Swift, the real
problem arises when using the package manager. It has many of the same problems
that other package managers have when trying to integrate with Nix, more on this
below.

I wrote a simple little tool called [swift2nix][swift2nix] that allows you trick
Swift's package manager into assuming everything is set up. Here's the example
from swift2nix's README file:

```
let
  niv-sources = import ./nix/sources.nix;
  pkgs = import niv-sources.nixpkgs { };
  src = pkgs.nix-gitignore.gitignoreSource [ ] ./.;
  swift2nix = pkgs.callPackage niv-sources.swift2nix {
    package-resolved = ./Package.resolved;
  };
in pkgs.stdenv.mkDerivation {
  inherit src;
  name = "swift-test";
  buildInputs = with pkgs; [ swift ];
  phases = [ "unpackPhase" "buildPhase" ];
  buildPhase = ''
    # Setup dependencies path to satisfy SwiftPM
    mkdir .build
    ln -s ${swift2nix.env.dependencies-state-json} .build/dependencies-state.json
    ln -s ${swift2nix.env.checkouts} .build/checkouts

    # Run the tests
    swift test
    touch $out
  '';
}
```

The key parts are lines 15~17: we just fake enough files inside `.build/` that
Swift believes it has already downloaded and checked-out all dependencies, and
just moves on to building them.

I've worked on it just enough to make it usable for myself, so beware of
unimplemented cases.

[nix]: https://nixos.org/
[swift2nix]: https://git.euandreh.xyz/swift2nix/about/
[actual-code]: https://git.euandreh.xyz/swift2nix/tree/default.nix?id=2af83ffe43fac631a8297ffaa8be3ff93b2b9e7c

## Design

What swift2nix does is just provide you with the bare minimum that Swift
requires, and readily get out of the way:

1. I explicitly did not want to generated a `Package.nix` file, since
   `Package.resolved` already exists and contains the required information;
2. I didn't want to have an "easy" interface right out of the gate, after
   fighting with "*2nix" tools that focus too much on that.

The final [actual code][actual-code] was so small (46 lines) that it made me
think about package managers, "*2nix" tools and some problems with many of them.

## Problems with package managers

I'm going to talk about solely language package managers. Think npm and cargo,
not apt-get.

Package managers want to do too much, or assume too much, or just want to take
control of the entire build of the dependencies.

This is a recurrent problem in package managers, but I don't see it as an
inherit one. There's nothing about a "package manager" that prevents it from
*declaring* what it expects to encounter and in which format. The *declaring*
part is important: it should be a file with data, not code, otherwise you're
back in the same problem (JSON, TOML, edn, etc.). Those work in any language,
and they can cooperate happily. That's not the same as a lockfile: those are
just pinned versions of packages in the dependency tree.

There's no need for this expectation to be standartized, or be made compatible
across languages. That would lead to a poor format that no package manager
really likes. Instead, If every package manager could say out loud what it wants
to see exactly, than more tools like swift2nix could exist, and they would be
more reliable.

This could even work fully offline, and be simply a mapping from the lockfile
(the `Package.resolved` in Swift's case) to the filesystem representation. For
Swift, the `.build/dependencies-state.json` comes very close, but it is internal
to the package manager.

Even though this pain only exists when trying to use Swift inside Nix, it sheds
light into this common implicit coupling that package managers have. They
usually have fuzzy boundaries and tight coupling between:

1. resolving the dependency tree and using some heuristic to pick a package
   version;
2. generating a lockfile with the exact pinned versions;
3. downloading the dependencies present on the lockfile into some local folder;
4. arranging the dependencies in a meaniful way for itself;
5. work using the dependencies while *assuming* that step 4 was done.

When you run `npm install` in a repository with no lockfile, it does 1~4. If you
do the same with `cargo build`, it does 1~5. That's too much: many of those
assumptions are implicit and internal to the package manager, and if you ever
need to rearrange them, you're on your own. Even though you can perform some of
those steps, you can't compose or rearrange them.

Instead a much saner approach could be:

1. this stays the same;
2. this also stays the same;
3. be able to generate some JSON which represents the local expected filesystem
   layout with dependencies (i.e. exposing what the package manager expects to
   find), let's call it `local-registry.json`;
4. if a `local-registry.json` was provided, do a build using that. Otherwise
   generate its own, by downloading the dependencies, arranging them, etc.

The point is just making what the package manager requires visible to the
outside world via some declarative data. If this data wasn't provided, it can
move on to doing its own automagic things.

## Problems with "*2nix" tools

I have to admit: I'm unhappy with most of they.

They conflate "using Nix" with "replicating every command of the package manager
inside Nix".

The avoidance of an "easy" interface that I mentioned above comes from me
fighting with some of the "*2nix" tools much like I have to fight with package
managers: I don't want to offload all build responsabilities to the "*2nix"
tool, I just want to let it download some of the dependencies and get out of the
way.

This is something that [node2nix][node2nix] does right. It allows you to build
the Node.js environment to satisfy NPM, and you can keep using NPM for
everything else:

```shell
ln -s ${node2nix-package.shell.nodeDependencies}/lib/node_modules ./node_modules
```

Its natural to want to put as much things into Nix as possible to benefit from
Nix's advantages. Isn't that how NixOS itself was born?

But a "*2nix" tool should leverage Nix, not be coupled with it. The above
example lets you run any arbitrary NPM command while profiting from isolation
and reproducibility that Nix provides. It is even less brittle: any changes to
how NPM runs some things will be future-compatible, since node2nix isn't trying
to replicate what NPM does, or fiddling with NPM's internal.

**A "*2nix" tool should build the environment, preferebly from the lockfile
directly and offload everything else to the package manager.**

swift2nix itself could provide an "easy" interface, something that allows you to
write:

```shell
nix-build -A swift2nix.release
nix-build -A swift2nix.test
```

The implementation of those would be obvious: create a new
`pkgs.stdenv.mkDerivation` and call `swift build -c release` and `swift test`
while using `swift2nix.env` under the hood.

[node2nix]: https://github.com/svanderburg/node2nix

## Conclusion

Package managers should provide exact dependencies via a data representation,
i.e. lockfiles, and expose via another data representation how they expect those
dependencies to appear on the filesystem, i.e. `local-registry.json`. This
allows package managers to provide an API so that external tools can create
mirrors, offline builds, other registries, isolated builds, etc.

"*2nix" tools should build simple functions that leverage that
`local-registry.json`[^local-registry] data and offload all the rest back to the
package manager itself. This allows the "*2nix" to not keep chasing the package
manager evolution, always trying to duplicate its behaviour.

[^local-registry]: This `local-registry.json` file doesn't have to be checked-in
    the repository at all. It could be always generated on the fly, much like
    how Swift's `dependencies-state.json` is.