From d40464063f4f5acde560faf0df4e891702a58f2b Mon Sep 17 00:00:00 2001
From: Steffen Beyer <steffen@beyer.io>
Date: Tue, 31 Mar 2026 19:09:46 +0200
Subject: [PATCH] Split generic Mix deps fetching from Tribes prep

---
 tribes/packages/mix.scm    | 105 ++++++++++++++++++
 tribes/packages/source.scm | 215 ++++++++++++++-----------------------
 2 files changed, 184 insertions(+), 136 deletions(-)
 create mode 100644 tribes/packages/mix.scm

diff --git a/tribes/packages/mix.scm b/tribes/packages/mix.scm
new file mode 100644
index 0000000..9b06821
--- /dev/null
+++ b/tribes/packages/mix.scm
@@ -0,0 +1,105 @@
+(define-module (tribes packages mix)
+  #:use-module (guix base32)
+  #:use-module (guix gexp)
+  #:use-module (guix packages)
+  #:use-module (gnu packages admin)
+  #:use-module (gnu packages bash)
+  #:use-module (gnu packages base)
+  #:use-module (gnu packages erlang)
+  #:use-module (gnu packages nss)
+  #:use-module (gnu packages version-control)
+  #:use-module (tribes packages otp)
+  #:export (fetch-mix-deps))
+
+(define* (fetch-mix-deps source
+                         #:key
+                         (name "mix-deps")
+                         version
+                         sha256
+                         (mix-env "prod")
+                         (mix-target "host"))
+  "Return a fixed-output store item that vendors the Mix dependency tree for
+SOURCE according to mix.lock."
+  (computed-file
+   (string-append name "-" version)
+   (with-imported-modules '((guix build utils))
+     #~(begin
+         (use-modules (guix build utils))
+
+         (define out #$output)
+         (define work (string-append (getcwd) "/build"))
+         (define app-dir (string-append work "/app"))
+         (define deps-dir (string-append work "/deps"))
+         (define certs-dir
+           #$(file-append nss-certs "/etc/ssl/certs"))
+         (define cert-file
+           (string-append work "/ca-certificates.crt"))
+         (define path
+           (string-join
+            (list #$(file-append elixir-otp28 "/bin")
+                  #$(file-append elixir-hex-otp28 "/bin")
+                  #$(file-append rebar3 "/bin")
+                  #$(file-append bash-minimal "/bin")
+                  #$(file-append coreutils "/bin")
+                  #$(file-append findutils "/bin")
+                  #$(file-append git-minimal "/bin")
+                  (or (getenv "PATH") ""))
+            ":"))
+
+         (mkdir-p work)
+         (copy-recursively #+source app-dir #:follow-symlinks? #t)
+         (invoke #$(file-append coreutils "/bin/chmod") "-R" "u+w" app-dir)
+         (invoke #$(file-append bash-minimal "/bin/sh")
+                 "-c"
+                 (string-append
+                  #$(file-append coreutils "/bin/cat")
+                  " "
+                  certs-dir
+                  "/*.pem > "
+                  cert-file))
+
+         (setenv "PATH" path)
+         (setenv "HOME" (string-append work "/home"))
+         (setenv "MIX_HOME" (string-append work "/mix"))
+         (setenv "HEX_HOME" (string-append work "/hex"))
+         (setenv "MIX_DEPS_PATH" deps-dir)
+         (setenv "MIX_ENV" #$mix-env)
+         (setenv "MIX_TARGET" #$mix-target)
+         (setenv "MIX_OS_CONCURRENCY_LOCK" "0")
+         (setenv "MIX_REBAR3" #$(file-append rebar3 "/bin/rebar3"))
+         (setenv "REBAR_GLOBAL_CONFIG_DIR" (string-append work "/rebar3"))
+         (setenv "REBAR_CACHE_DIR" (string-append work "/rebar3.cache"))
+         (setenv "LANG" "C.UTF-8")
+         (setenv "LC_CTYPE" "C.UTF-8")
+         (setenv "ELIXIR_ERL_OPTIONS" "+fnu")
+         (setenv "SSL_CERT_DIR" certs-dir)
+         (setenv "SSL_CERT_FILE" cert-file)
+         (setenv "HEX_CACERTS_PATH" cert-file)
+         (setenv "HEX_HTTP_CONCURRENCY" "1")
+         (setenv "HEX_HTTP_TIMEOUT" "120")
+         (mkdir-p (getenv "HOME"))
+         (mkdir-p (getenv "MIX_HOME"))
+         (mkdir-p (getenv "HEX_HOME"))
+
+         (with-directory-excursion app-dir
+           (invoke "mix" "deps.get" "--only" #$mix-env))
+
+         (mkdir-p out)
+         (copy-recursively deps-dir out #:follow-symlinks? #t)
+         ;; Match nixpkgs fetchMixDeps behavior for SCM deps: keep .git/HEAD so
+         ;; Mix still considers the checkout available, but discard the rest of
+         ;; the repository metadata from the fixed-output tree.
+         (invoke #$(file-append findutils "/bin/find")
+                 out
+                 "-path" "*/.git/*"
+                 "-a" "!" "-name" "HEAD"
+                 "-exec"
+                 #$(file-append coreutils "/bin/rm") "-rf"
+                 "{}"
+                 "+")))
+   #:options
+   `(#:hash ,(base32 sha256)
+     #:hash-algo sha256
+     #:recursive? #t
+     #:leaked-env-vars ("http_proxy" "https_proxy"
+                        "LC_ALL" "LC_MESSAGES" "LANG" "COLUMNS"))))
diff --git a/tribes/packages/source.scm b/tribes/packages/source.scm
index ee23175..d86dfc6 100644
--- a/tribes/packages/source.scm
+++ b/tribes/packages/source.scm
@@ -19,6 +19,7 @@
   #:use-module (gnu packages perl)
   #:use-module (gnu packages pkg-config)
   #:use-module (gnu packages version-control)
+  #:use-module ((tribes packages mix) #:prefix mix:)
   #:use-module (tribes packages otp)
   #:use-module (srfi srfi-1)
   #:use-module (srfi srfi-13)
@@ -26,9 +27,15 @@
             tribes-source-package
             tribes-source-directory->local-file))
 
-;; Recursive sha256 of the deps tree produced by `mix deps.get --only prod`
+;; Recursive sha256 of the raw deps tree produced by `mix deps.get --only prod`
 ;; from the current Tribes mix.lock, with git metadata stripped except for
 ;; .git/HEAD in SCM dependencies.
+(define %tribes-raw-mix-deps-sha256
+  "0mv4jva8zkx8cq1b84hn65bl913nnhkvf25g6fi93z3jm35jy0pc")
+
+;; Recursive sha256 of the Tribes-specific prepared deps tree, after injecting
+;; the upstream secp256k1 source into the Hex package and patching its build
+;; recipe to avoid build-time network access.
 (define %tribes-mix-deps-sha256
   "0ksjnc9gnjijp1nbz3jlvl9kz8w7hx1a0ssms1dvd15rr25gn0d4")
 
@@ -97,126 +104,68 @@ checkout."
                     (lambda (file stat)
                       (tribes-source-select? directory file stat))))))
 
-(define* (fetch-mix-deps source
-                         #:key
-                         (name "tribes-mix-deps")
-                         (version "0.2.0")
-                         (sha256 %tribes-mix-deps-sha256)
-                         (mix-env "prod")
-                         (mix-target "host")
-                         (home-page "https://git.teralink.net/tribes/tribes.git")
-                         (synopsis "Vendored Mix dependency tree")
-                         (description
-                          "Mix dependency tree fetched from the Tribes source
-using the committed mix.lock."))
-  "Return a fixed-output store item that vendors the Mix dependency tree for
-SOURCE according to mix.lock."
-  (computed-file
-   (string-append name "-" version)
-   (with-imported-modules '((guix build utils))
-     #~(begin
-         (use-modules (guix build utils))
+(define fetch-mix-deps mix:fetch-mix-deps)
 
-         (define out #$output)
-         (define work (string-append (getcwd) "/build"))
-         (define app-dir (string-append work "/tribes"))
-         (define deps-dir (string-append app-dir "/deps"))
-         (define certs-dir
-           #$(file-append nss-certs "/etc/ssl/certs"))
-         (define cert-file
-           (string-append work "/ca-certificates.crt"))
-         (define path
-           (string-join
-            (list #$(file-append elixir-otp28 "/bin")
-                  #$(file-append elixir-hex-otp28 "/bin")
-                  #$(file-append rebar3 "/bin")
-                  #$(file-append bash-minimal "/bin")
-                  #$(file-append coreutils "/bin")
-                  #$(file-append findutils "/bin")
-                  #$(file-append git-minimal "/bin")
-                  (or (getenv "PATH") ""))
-            ":"))
+(define* (tribes-mix-deps source
+                          #:key
+                          (name "tribes-mix-deps")
+                          (version "0.2.0")
+                          (sha256 %tribes-mix-deps-sha256)
+                          (raw-sha256 %tribes-raw-mix-deps-sha256)
+                          (mix-env "prod")
+                          (mix-target "host"))
+  "Return the Tribes Mix dependency tree, prepared from the raw lockfile
+resolution by injecting extra pre-fetched sources needed for offline builds."
+  (let ((raw-mix-deps
+         (fetch-mix-deps source
+                         #:name (string-append name "-raw")
+                         #:version version
+                         #:sha256 raw-sha256
+                         #:mix-env mix-env
+                         #:mix-target mix-target)))
+    (computed-file
+     (string-append name "-" version)
+     (with-imported-modules '((guix build utils))
+       #~(begin
+           (use-modules (guix build utils))
 
-         (mkdir-p work)
-         (copy-recursively #+source app-dir #:follow-symlinks? #t)
-         (invoke #$(file-append coreutils "/bin/chmod") "-R" "u+w" app-dir)
-         (call-with-output-file cert-file
-           (lambda (port)
-             (for-each
-              (lambda (pem)
-                (call-with-input-file pem
-                  (lambda (input)
-                    (dump-port input port))))
-              (sort (find-files certs-dir "\\.pem$") string<?))))
+           (define out #$output)
+           (define deps-dir (string-append (getcwd) "/deps"))
 
-         (setenv "PATH" path)
-         (setenv "HOME" (string-append work "/home"))
-         (setenv "MIX_HOME" (string-append work "/mix"))
-         (setenv "HEX_HOME" (string-append work "/hex"))
-         (setenv "MIX_DEPS_PATH" deps-dir)
-         (setenv "MIX_ENV" #$mix-env)
-         (setenv "MIX_TARGET" #$mix-target)
-         (setenv "MIX_OS_CONCURRENCY_LOCK" "0")
-         (setenv "MIX_REBAR3" #$(file-append rebar3 "/bin/rebar3"))
-         (setenv "REBAR_GLOBAL_CONFIG_DIR" (string-append work "/rebar3"))
-         (setenv "REBAR_CACHE_DIR" (string-append work "/rebar3.cache"))
-         (setenv "LANG" "C.UTF-8")
-         (setenv "LC_CTYPE" "C.UTF-8")
-         (setenv "ELIXIR_ERL_OPTIONS" "+fnu")
-         (setenv "SSL_CERT_DIR" certs-dir)
-         (setenv "SSL_CERT_FILE" cert-file)
-         (setenv "HEX_CACERTS_PATH" cert-file)
-         (setenv "HEX_HTTP_CONCURRENCY" "1")
-         (setenv "HEX_HTTP_TIMEOUT" "120")
-         (mkdir-p (getenv "HOME"))
-         (mkdir-p (getenv "MIX_HOME"))
-         (mkdir-p (getenv "HEX_HOME"))
+           (copy-recursively #+raw-mix-deps deps-dir #:follow-symlinks? #t)
+           (invoke #$(file-append coreutils "/bin/chmod") "-R" "u+w" deps-dir)
 
-         (with-directory-excursion app-dir
-           (invoke "mix" "deps.get" "--only" #$mix-env))
+           (let* ((libsecp-dir (string-append deps-dir "/lib_secp256k1"))
+                  (libsecp-src-dir (string-append libsecp-dir "/c_src/secp256k1"))
+                  (libsecp-makefile (string-append libsecp-dir "/Makefile"))
+                  (libsecp-fetched-stamp (string-append libsecp-src-dir "/.fetched")))
+             (when (file-exists? libsecp-dir)
+               (mkdir-p (string-append libsecp-dir "/c_src"))
+               (when (file-exists? libsecp-src-dir)
+                 (delete-file-recursively libsecp-src-dir))
+               (copy-recursively #+%libsecp256k1-upstream-source
+                                 libsecp-src-dir
+                                 #:follow-symlinks? #t)
+               (invoke #$(file-append coreutils "/bin/chmod")
+                       "-R" "u+w"
+                       libsecp-dir)
+               (when (file-exists? libsecp-makefile)
+                 ;; Avoid depending on preserved executable bits or /bin/sh in the
+                 ;; generated Autoconf script.
+                 (substitute* libsecp-makefile
+                   (("\\./autogen\\.sh") "sh ./autogen.sh")
+                   (("\\./configure") "sh ./configure")))
+               (call-with-output-file libsecp-fetched-stamp
+                 (lambda (_port) #t))))
 
-         (let* ((libsecp-dir (string-append deps-dir "/lib_secp256k1"))
-                (libsecp-src-dir (string-append libsecp-dir "/c_src/secp256k1"))
-                (libsecp-makefile (string-append libsecp-dir "/Makefile"))
-                (libsecp-fetched-stamp (string-append libsecp-src-dir "/.fetched")))
-           (when (file-exists? libsecp-dir)
-             (mkdir-p (string-append libsecp-dir "/c_src"))
-             (when (file-exists? libsecp-src-dir)
-               (delete-file-recursively libsecp-src-dir))
-             (copy-recursively #+%libsecp256k1-upstream-source
-                               libsecp-src-dir
-                               #:follow-symlinks? #t)
-             (invoke #$(file-append coreutils "/bin/chmod")
-                     "-R" "u+w"
-                     libsecp-dir)
-             (when (file-exists? libsecp-makefile)
-               ;; Avoid depending on preserved executable bits or /bin/sh in the
-               ;; generated Autoconf script.
-               (substitute* libsecp-makefile
-                 (("\\./autogen\\.sh") "sh ./autogen.sh")
-                 (("\\./configure") "sh ./configure")))
-             (call-with-output-file libsecp-fetched-stamp
-               (lambda (_port) #t))))
-
-         (mkdir-p out)
-         (copy-recursively deps-dir out #:follow-symlinks? #t)
-         ;; Match nixpkgs fetchMixDeps behavior for git deps: keep .git/HEAD so
-         ;; Mix still considers the checkout available, but discard the rest of
-         ;; the repository metadata from the fixed-output tree.
-         (invoke #$(file-append findutils "/bin/find")
-                 out
-                 "-path" "*/.git/*"
-                 "-a" "!" "-name" "HEAD"
-                 "-exec"
-                 #$(file-append coreutils "/bin/rm") "-rf"
-                 "{}"
-                 "+")))
-   #:options
-   `(#:hash ,(base32 sha256)
-     #:hash-algo sha256
-     #:recursive? #t
-     #:leaked-env-vars ("http_proxy" "https_proxy"
-                        "LC_ALL" "LC_MESSAGES" "LANG" "COLUMNS"))))
+           (mkdir-p out)
+           (copy-recursively deps-dir out #:follow-symlinks? #t)))
+     #:options
+     `(#:hash ,(base32 sha256)
+       #:hash-algo sha256
+       #:recursive? #t
+       #:leaked-env-vars ("http_proxy" "https_proxy"
+                          "LC_ALL" "LC_MESSAGES" "LANG" "COLUMNS")))))
 
 (define* (tribes-source-package source
                                 #:key
@@ -233,10 +182,10 @@ production Elixir release using a vendored Mix dependency tree."))
 using MIX-DEPS as the pre-fetched Mix dependency tree resolved from mix.lock."
   (let ((mix-deps-source
          (or mix-deps
-             (fetch-mix-deps source
-                             #:name (string-append name "-mix-deps")
-                             #:version version
-                             #:sha256 mix-deps-sha256))))
+             (tribes-mix-deps source
+                              #:name (string-append name "-mix-deps")
+                              #:version version
+                              #:sha256 mix-deps-sha256))))
     (package
       (name name)
       (version version)
@@ -266,16 +215,10 @@ using MIX-DEPS as the pre-fetched Mix dependency tree resolved from mix.lock."
              rebar3))
       (arguments
        (list
-        #:modules '((guix build utils)
-                    (ice-9 ftw)
-                    (ice-9 textual-ports)
-                    (srfi srfi-1))
+        #:modules '((guix build utils))
         #:builder
         #~(begin
-            (use-modules (guix build utils)
-                         (ice-9 ftw)
-                         (ice-9 textual-ports)
-                         (srfi srfi-1))
+            (use-modules (guix build utils))
 
             (define out #$output)
             (define work (string-append (getcwd) "/build"))
@@ -324,14 +267,14 @@ using MIX-DEPS as the pre-fetched Mix dependency tree resolved from mix.lock."
             (mkdir-p work)
             (copy-recursively #+source app-dir #:follow-symlinks? #t)
             (copy-recursively #+mix-deps-source deps-dir #:follow-symlinks? #t)
-            (call-with-output-file cert-file
-              (lambda (port)
-                (for-each
-                 (lambda (pem)
-                   (call-with-input-file pem
-                     (lambda (input)
-                       (dump-port input port))))
-                 (sort (find-files certs-dir "\\.pem$") string<?))))
+            (invoke #$(file-append bash-minimal "/bin/sh")
+                    "-c"
+                    (string-append
+                     #$(file-append coreutils "/bin/cat")
+                     " "
+                     certs-dir
+                     "/*.pem > "
+                     cert-file))
             (invoke #$(file-append coreutils "/bin/chmod")
                     "-R" "u+w"
                     app-dir