We’re in need of exporting our flake inputs/outputs to some file (archive?) so that it can be scanned for viruses and later its sha compared to the sha of the same flake installed on another machine.
Is this something reasonable to do? If not, what alternatives would you suggest?
What are you expecting in the end? Binaries, source code, both?
Nix itself is lazily evaluated. Think of nixpkgs: to pick a package from there, only the picked package and its dependencies are resolved, but the other 100000 packages are not even evaluated, touched, built or looked at.
Therefore your command did exactly what you told it to do: /nix/store/3mp73g70p5g6f5f0ccnw86qqgrj8zp0i-source got exported in an archive.
You could for instance try the same for a specific flake output (like a package or a NixOS configuration) and have a look at what the archive contains.
It should be noted that this is precisely the “flake” - flakes are just directories with a flake.nix in them, nothing more, nothing less.
Even if you resolved all inputs recursively, you’d still end up with just a bunch of source code. Without evaluating all these repositories and initiating a build of every single output there is simply no data to scan.
I appreciate that this is probably some box ticking exercise - I think looking at the exact wording of the box you need to tick would be helpful here. Perhaps shifting the time when you do your virus scan to just before deployment is an option - that’d make a lot more sense.
If you need to scan the binaries you produce as well, you’ll probably need to implement your own resolver for the build graph and put virus scan steps after every build. This shouldn’t involve flakes, though, it’d be better to do as a custom implementation of nix of some sort.
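Following the suggestion above to export a specific flake output rather than the flake source, here is an added example script (it is not from this thread, nor from Nix or devenv) that exports the closure of one output as a NAR archive for scanning, records a NAR hash per store path, and compares two such manifests. It covers both the runtime closure and the build-time closure, since the question concerns both kinds of dependencies. It assumes a Nix install with the flakes CLI available; the flake output `.#mypkg` mentioned at the bottom is hypothetical, and the manifest lines in the demonstration are constructed, not real store hashes.

```sh
#!/usr/bin/env sh
# Added example, not code from the thread. Assumes a Nix install with the
# flakes CLI; the flake output ".#mypkg" mentioned at the bottom is hypothetical.
set -eu

# Export the closure of one flake output into $2: the list of store paths, a
# manifest of "<store path> <NAR hash>" lines, and one NAR archive to scan.
# $3 selects the runtime closure (default) or the build-time closure ("build").
export_closure() {
  flake_ref=$1; out_dir=$2; kind=${3:-runtime}
  mkdir -p "$out_dir"
  out=$(nix build "$flake_ref" --no-link --print-out-paths)
  if [ "$kind" = build ]; then
    # Everything the derivation references, outputs of build deps included.
    # Realise the deriver first (nix-store -r) if the output was substituted,
    # otherwise the hash query below fails on paths that are not present locally.
    nix-store -qR --include-outputs "$(nix-store -qd "$out")" | sort > "$out_dir/paths.txt"
  else
    nix-store -qR "$out" | sort > "$out_dir/paths.txt"
  fi
  # The NAR hash covers the contents; the store path only encodes the recipe,
  # so two machines that agree on the paths can still differ here.
  while read -r p; do
    printf '%s %s\n' "$p" "$(nix-store -q --hash "$p")"
  done < "$out_dir/paths.txt" > "$out_dir/manifest.txt"
  # One archive the scanner can open; re-import with: nix-store --import < closure.nar
  xargs nix-store --export < "$out_dir/paths.txt" > "$out_dir/closure.nar"
}

# Compare two manifests produced on different machines. Prints one line per
# discrepancy and returns 1 if there is any, 0 if the closures match.
compare_manifests() {
  awk '
    FNR == NR { a[$1] = $2; next }
    { b[$1] = $2 }
    END {
      n = 0
      for (p in a) if (!(p in b)) { print "only-in-first " p; n++ }
      for (p in b) if (!(p in a)) { print "only-in-second " p; n++ }
      for (p in a) if ((p in b) && a[p] != b[p]) { print "hash-mismatch " p " " a[p] " " b[p]; n++ }
      exit n ? 1 : 0
    }' "$1" "$2"
}

# Offline demonstration on constructed manifests (not real store hashes).
demo_dir=$(mktemp -d)
printf '%s\n' '/nix/store/aaaa-foo-1.0 sha256:1111' '/nix/store/bbbb-bar-2.0 sha256:2222' > "$demo_dir/machine-a.txt"
printf '%s\n' '/nix/store/aaaa-foo-1.0 sha256:1111' '/nix/store/bbbb-bar-2.0 sha256:9999' > "$demo_dir/machine-b.txt"
if compare_manifests "$demo_dir/machine-a.txt" "$demo_dir/machine-b.txt"; then
  echo "closures match"
else
  echo "closures differ"   # bar-2.0: same store path, different contents
fi
rm -rf "$demo_dir"
# Real use: export_closure .#mypkg ./scan runtime   (or: ... ./scan build)
# then copy ./scan/manifest.txt from the second machine and run
# compare_manifests on the two files.
```

The point of recording the NAR hash rather than just the store path is that a store path is derived from the build recipe, so two machines can hold the same path with different contents (a non-reproducible build, or a tampered store); the manifest comparison catches that, while the archive is what the scanner gets to look at. The build-time variant lists derivations and sources that are only present locally if they were actually built there, which is why the comment suggests realising the deriver first.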
What are you expecting in the end? Binaries, source code, both?
We’re hoping to have the binaries, to virus scan them. I mentioned inputs/outputs because we would need the binaries for both build time and runtime dependencies.
We’re using Devenv. I tried to export the devshell profile dependencies, which gave us a good amount of data (1.2 GB), and that could probably satisfy the “box ticking”. cc @TLATER, you are right!