Add flake to the repository

[PgBiel]

This repository will be the new home for Typst's flake, and this PR aims to bring the existing flake from the main Typst repo here.

The goal here is to ensure the flake can still be used for its usual purposes, as much as possible: compile Typst and pop dev shells.
In this sense, the idea is that one can override this Flake's inputs to specify a particular Typst commit to compile, using either --override-input on the CLI or inputs.typst.inputs.typst.url = "..." when importing this Flake as an input of another.

The goal is to also add CI so the flake is properly tested as Typst evolves. However, the flake itself will only be updated on each Typst release (or if some fix is needed).

There are still some questions to solve before merging this PR, as noted in the comments.

[PgBiel]

Would appreciate some input from Nix folks, cc @drupol

[PgBiel]

For some reason, at least on my NixOS build, the compiled binary doesn't run (with nix run .) without vendoring OpenSSL, despite the inputs, library path etc. This problem didn't seem to happen on the original flake. Can I consider this expected? Should I remove the vendoring?

[drupol]

I strongly believe we should avoid vendoring any libraries especially something as critical as openssl. If a dependency relies on this, it likely indicates an underlying issue there. That’s what we should focus on fixing, rather than carrying the problem downstream.

[PgBiel]

typst-cli made the option of relying on openSSL for (IIRC) ureq due to bugs in rusttls. It can be optionally vendored.

Thing is that it was working fine without vendoring in the original colocated flake, but now I can't get it to work...

Does nix run . -- --help work for you if you remove cargoExtraArgs = "--locked --features vendor-openssl"?

[drupol]

I can build it, but I can't run it:

❯ ./result/bin/typst --version
./result/bin/typst: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory

[PgBiel]

Do we have any ideas on how to make that work? 🤔

It seems that the official binaries enable vendor-openssl by default for portability reasons (https://github.com/typst/typst/blob/7fb4aa0aec314bb8ef99b8096d8d65a8e63b17e6/.github/workflows/release.yml#L55).

So I suppose we can blame NixOS for not providing the dynamic library by default for Nix reasons. But even still, I thought nix run would automatically update the execution environment based on the build inputs. Guess it doesn't...

[PgBiel]

One thought I had was to make the vendor openssl feature a derivation parameter which can be overridden with an override function of some sort.

[drupol]

I don't have an immediate solution to this, perhaps asking a piece of advice to the Rust maintainers in Nixpkgs?

[istudyatuni]

About openssl

It seems the problem is that the crane is not adding LD_LIBRARY_PATH to the binary, unlike rustPlatform.buildRustPackage. Immediate solution for crane:

patch

diff --git a/flake.nix b/flake.nix
index 07fb0dd5b4..ca559b44c4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -88,13 +88,12 @@

             nativeBuildInputs = [
               pkgs.pkg-config
-              pkgs.openssl.dev
-              pkgs.perl # Necessary to build and vendor OpenSSL
+              pkgs.makeWrapper
             ];

             LD_LIBRARY_PATH = lib.makeLibraryPath [ pkgs.openssl ];

-            cargoExtraArgs = "--locked --features vendor-openssl";
+            cargoExtraArgs = "--locked";
           };

           # Derivation with just the dependencies, so we don't have to keep
@@ -111,6 +110,7 @@
               ];

               postInstall = ''
+                wrapProgram "$out/bin/typst" --prefix LD_LIBRARY_PATH : "${commonCraneArgs.LD_LIBRARY_PATH}"
                 installManPage crates/typst-cli/artifacts/*.1
                 installShellCompletion \
                   crates/typst-cli/artifacts/typst.{bash,fish} \

Output of strings ./result/bin/typst|rg openssl:

for crane (without patch)

/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-vendor-cargo-deps/c19b7c6f923b580ac259164a89f2577984ad5ab09ee9d583b888f934adbbe8d0/openssl-0.10.72/src/error.rs
/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-vendor-cargo-deps/c19b7c6f923b580ac259164a89f2577984ad5ab09ee9d583b888f934adbbe8d0/openssl-0.10.72/src/ssl/bio.rs
/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-vendor-cargo-deps/c19b7c6f923b580ac259164a89f2577984ad5ab09ee9d583b888f934adbbe8d0/openssl-0.10.72/src/x509/mod.rs
/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-vendor-cargo-deps/c19b7c6f923b580ac259164a89f2577984ad5ab09ee9d583b888f934adbbe8d0/native-tls-0.2.13/src/imp/openssl.rs
/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-vendor-cargo-deps/c19b7c6f923b580ac259164a89f2577984ad5ab09ee9d583b888f934adbbe8d0/openssl-sys-0.9.107/src/lib.rs
/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-vendor-cargo-deps/c19b7c6f923b580ac259164a89f2577984ad5ab09ee9d583b888f934adbbe8d0/openssl-0.10.72/src/ssl/mod.rs
/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-vendor-cargo-deps/c19b7c6f923b580ac259164a89f2577984ad5ab09ee9d583b888f934adbbe8d0/openssl-0.10.72/src/bio.rs
[ ... ]

for rustPlatform.buildRustPackage

First line contains paths to libs:

/nix/store/xzhbzgxyzw8vpkx0pxvwsh64v4536isz-openssl-3.5.1/lib:/nix/store/8p33is69mjdw3bi1wmi8v2zpsxir8nwd-glibc-2.40-66/lib:/nix/store/ysdkxvcvy2sy36sqigkyqanixm76z2xh-gcc-14.3.0-lib/lib
/build/typst-0.14.0-vendor/native-tls-0.2.13/src/imp/openssl.rs
/build/typst-0.14.0-vendor/openssl-0.10.72/src/bio.rs
/build/typst-0.14.0-vendor/openssl-0.10.72/src/error.rs
/build/typst-0.14.0-vendor/openssl-0.10.72/src/x509/mod.rs
/build/typst-0.14.0-vendor/openssl-0.10.72/src/ssl/mod.rs
/build/typst-0.14.0-vendor/openssl-sys-0.9.107/src/lib.rs
/build/typst-0.14.0-vendor/openssl-0.10.72/src/ssl/bio.rs
[ ... ]

[PgBiel]

@istudyatuni thanks for the investigation. Though this was not necessary before.

I believe this PR nailed the cause and the correct fix: typst/typst#7600

[Andrew15-5]

I have at least one problem with this, so I opened #3. Though the second one would be to use alejandra formatter instead.