sonarr: build from source

[tie]

Description of changes

This change refactors sonarr package (and its update script) to build the package from source. It also contains changes to the underlying .NET build infrastructure required for this package.

See also #278050 (comment)

Important

This change relies on the recent PRs for the .NET build infrastructure (for structured attributes and cross-compilation) and cannot be backported.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[bjornfor]

buildDotnetModule: do not run dotnet command using env

Why not? Why was using env added in the first place? (Might be a good idea to answer that in the commit message.)

[tie]

W.r.t .NET build infrastructure updates. Some packages failed to build their web UI likely because of #253156, but otherwise looks good.

---

Result of nixpkgs-review pr 291640 run on x86_64-linux 1

5 packages failed to build:

• audiobookshelf
• jellyfin
• kavita
• slskd
• sonarr

60 packages built:

• ArchiSteamFarm
• BeatSaberModManager
• alttpr-opentracker
• avalonia-ilspy
• azure-functions-core-tools
• boogie (dotnetPackages.Boogie)
• btcpayserver
• btcpayserver-altcoins
• cavalier
• celeste64
• certdump
• csharp-ls
• csharpier
• csharprepl
• dafny
• denaro
• depotdownloader
• discordchatexporter-cli
• eventstore
• fable
• fantomas
• formula
• fsautocomplete
• galaxy-buds-client
• git-credential-manager
• github-runner
• ilspycmd
• inklecate
• jackett
• knossosnet
• libation
• lubelogger
• marksman
• mqttmultimeter
• msbuild
• naps2
• nbxplorer
• netcoredbg
• networkminer
• nuget-to-nix
• omnisharp-roslyn
• openra
• opentabletdriver
• openutau
• osu-lazer
• parabolic
• pbm
• pinta
• ps3-disc-dumper
• pupdate
• roslyn
• roslyn-ls
• ryujinx
• scarab
• space-station-14-launcher
• tests.dotnet.project-references
• tone
• torrentstream
• wasabibackend
• xivlauncher

[SuperSandro2000]

Is there a particular reason you are targeting staging here?

[tie]

I was expecting more rebuilds from .NET changes 😅

[tie]

Result of nixpkgs-review pr 291640 run on x86_64-linux 1

64 packages built:

• ArchiSteamFarm
• BeatSaberModManager
• alttpr-opentracker
• audiobookshelf
• avalonia-ilspy
• azure-functions-core-tools
• boogie
• btcpayserver
• btcpayserver-altcoins
• cavalier
• celeste64
• certdump
• csharp-ls
• csharpier
• csharprepl
• dafny
• denaro
• depotdownloader
• discordchatexporter-cli
• eventstore
• fable
• fantomas
• formula
• fsautocomplete
• galaxy-buds-client
• git-credential-manager
• github-runner
• ilspycmd
• inklecate
• jackett
• jellyfin
• kavita
• knossosnet
• libation
• lubelogger
• marksman
• mqttmultimeter
• msbuild
• naps2
• nbxplorer
• netcoredbg
• networkminer
• nuget-to-nix
• omnisharp-roslyn
• openra
• opentabletdriver
• openutau
• osu-lazer
• parabolic
• pbm
• pinta
• ps3-disc-dumper
• pupdate
• roslyn
• roslyn-ls
• ryujinx
• scarab
• slskd
• sonarr
• space-station-14-launcher
• tone
• torrentstream
• wasabibackend
• xivlauncher

[purcell]

Not sure I can meaningfully review this, but as one of the sonarr maintainers this is a great step, and the specific changes to the Sonarr derivation look good to me.

[purcell]

I tried running this on MacOS but can't execute the resulting Sonarr executable, strangely:

❯ nix run 'github:tie/nixpkgs/sonarr-v4#sonarr'
zsh: killed     nix run 'github:tie/nixpkgs/sonarr-v4#sonarr'

or, more directly,

❯ /nix/store/m7ykc6igjqq9ivnb6rca0qlz8njr68fp-sonarr-4.0.1.929/bin/Sonarr
zsh: killed     /nix/store/m7ykc6igjqq9ivnb6rca0qlz8njr68fp-sonarr-4.0.1.929/bin/Sonarr

and there's a Console message saying

ASP: Security policy would not allow process: 65161, /nix/store/m7ykc6igjqq9ivnb6rca0qlz8njr68fp-sonarr-4.0.1.929/lib/sonarr/Sonarr

In contrast, this correctly starts the server:

❯ nix run 'github:NixOS/nixpkgs/nixpkgs-unstable#sonarr'

Perhaps there's a codesigning step missing for darwin, but I'mn not an expert on such things sorry.

[tie]

@purcell, weird, I can’t reproduce this in macOS VM (but then I guess it may have relaxed security constraints). Do other .NET packages work for you (e.g. jellyfin)?

[purcell]

weird, I can’t reproduce this in macOS VM (but then I guess it may have relaxed security constraints).

I have SIP enabled, which would be the MacOS default, and I have the sandbox enabled too.

Do other .NET packages work for you (e.g. jellyfin)?

Yes, nix run 'github:NixOS/nixpkgs#jellyfin' executes fine.

[tie]

@purcell, looks like something related to .NET is actually broken in upstream Nixpkgs, not sure why binary cache is fine though.

System information

; nix show-config sandbox
true
; git rev-parse HEAD
bd5ddf2c6bfafff031edf80221e1ee94e86ca10a
; git status
On branch master
Your branch is up to date with 'origin/master'.

nothing to commit, working tree clean
; system_profiler SPSoftwareDataType
Software:

    System Software Overview:

      System Version: macOS 14.2.1 (23C71)
      Kernel Version: Darwin 23.2.0
      Boot Volume: Macintosh HD
      Boot Mode: Normal
      Computer Name: ryu
      User Name: Ivan Trubach (tie)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled

; nix build --verbose --file . jellyfin
this path will be fetched (10.93 MiB download, 43.05 MiB unpacked):
  /nix/store/znamd3abcaszf0p8xdin9g8y16jk1nsg-jellyfin-10.8.13
copying path '/nix/store/znamd3abcaszf0p8xdin9g8y16jk1nsg-jellyfin-10.8.13' from 'https://cache.nixos.org'...
; ./result/bin/jellyfin --help

Works when jellyfin is fetched from binary cache.

But then

; nix build --file . --rebuild jellyfin
error: derivation '/nix/store/1ljiqchsj7flkgzsc0063n54nb40av9k-jellyfin-10.8.13.drv' may not be deterministic: output '/nix/store/znamd3abcaszf0p8xdin9g8y16jk1nsg-jellyfin-10.8.13' differs

and to confirm:

; nix store delete /nix/store/znamd3abcaszf0p8xdin9g8y16jk1nsg-jellyfin-10.8.13
1 store paths deleted, 43.02 MiB freed
; nix build --file . --offline jellyfin
; ./result/bin/jellyfin 
zsh: killed     ./result/bin/jellyfin

Edit: works fine when rebuilding with sandbox disabled. I guess macOS builders don’t have sandbox enabled? That would be weird but not unexpected.

[purcell]

Ugh, that's unfortunate. But good investigation skills! Any idea what we could do to escalate this or find out more?

[tie]

Result of nixpkgs-review pr 291640 run on aarch64-linux 1

1 package blacklisted:

• nixos-install-tools

1 package built:

• sonarr

[tie]

@purcell, this should be ready for review and without .NET infrastructure changes. Note that these were merged separately (huge thanks to .NET build infrastructure maintainers for fast review cycles) and are required for this PR. That is, Sonarr version updates for the stable release channel would have to be done separately (see also note in the PR description).

[purcell]

Sounds great to me, and I very much support this, but I'm a bit too slammed currently to spin it up locally for testing.

[purcell]

Thank goodness you're adding yourself as a maintainer for this, because maintaining this new version of the derivation is likely beyond my wizard level.

[tie]

Yes, I’m, unfortunately, stuck with Sonarr 😅
It’s sad that it’s not fully self-hostable (it requires skyhook.sonarr.tv to be up and reachable for operation), but there are no other alternatives with comparable feature set, so it’s an important piece of infrastructure for me.

I don’t think there would be any non-trivial maintenance with source build aside from occasionally bumping .NET version, but feel free to ping me if there are any issues (besides, ofborg will ping me anyway).

[corngood]

I'm happy to help with general dotnet source-build stuff too.

[corngood]

Sounds great to me, and I very much support this, but I'm a bit too slammed currently to spin it up locally for testing.

@purcell I'd like your approval before merging. Should we wait for you to test it?

[purcell]

I built and ran this without issues on aarch64-darwin, and given the state of the CI for this PR, I'm going to approve it and suggest we merge.

[purcell]

Thanks @tie! (and @corngood for the merge)