nixos/direnv: fix silent option... again

[Gerg-L]

wrapping direnv with DIRENV_CONFIG was working... until it stopped.

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
  • sandbox = relaxed
  • sandbox = true
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 25.05 Release Notes (or backporting 24.11 and 25.05 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
• Fits CONTRIBUTING.md.

---

Add a 👍 reaction to pull requests you find important.

[eclairevoyant]

Why would it suddenly stop working? Is makeBinaryWrapper broken? Does it work with makeShellWrapper?

And, could we also add a test for this?

[Gerg-L]

Why would it suddenly stop working?

not a clue, direnv wasn't updated, nix-direnv wasn't updated, the module wasn't touched...

[eclairevoyant]

Oh, I see the problem.
You wrapped the direnv that gets added to environment.systemPackages - but config.programs.direnv.package is used in multiple places, including the shell hook.

So now there's two direnvs floating around, the shell hook is unwrapped but the direnv on PATH is wrapped. Actually it's surprising it even worked before.

Rather than overriding cfg.package in-place, we should have a finalPackage (perhaps even exposed as a readonly option) that's set to the overridden cfg.package, then use that throughout the direnv module. (Or the baseline package expression should add the wrapper. Not sure if that's detrimental for non-NixOS users? But it'd save the finalPackage boilerplate.)

[Gerg-L]

@eclairevoyant pushed you suggested changes, still isn't working.

i think we have to set DIRENV_CONFIG in environment.variables

[Gerg-L]

i kept the finalPackage machinery, set environment.variables.DIRENV_CONFIG

[lyynd]

So I was investigating this on my own because I didn't find this PR. finalPackage does not work because the code inside the hook still references original unwrapped direnv. I don't know if there is a way to wrap a binary and rewrite all the references to self inside it.

[eclairevoyant]

That's basically what I said in #402399 (comment), unless you're saying something else.

Or maybe better as a question: what code are you referring to?

[lyynd]

The output of direnv hook fish for example contains reference (path) to direnv itself. But this is the path of the original package, not the wrapped one, because (I assume) wrapProgram does not rewrite paths inside the binary.
It never worked for me on fish and bash after the change which added the wrapper, but xonsh works right now (because it does not use the hooks from direnv).

[eclairevoyant]

Oh, okay, what I was saying was different then. It seems like it's because of using symlinkJoin instead of (say) an override, which would preserve the store path and ensure it points to the wrapped binary. So going back to what you pointed out regarding replacing all the references to the unwrapped store path, adding a sed to postBuild might work, I'll play around with that.

[eclairevoyant]

Hmm actually I guess the problem will still arise because the wrapped program would call the unwrapped one, thereby introducing unwrapped code as part of the hook? We'd need some sort of "wrap-propagation" which I can't think of a clean way to do. I guess wrapping is just the wrong approach, and we should stick with the PR as written here.

EDIT: even finalPackage may not even work, I'm not sure how to test it.

[lyynd]

@eclairevoyant I tried and you are right, the problem is that we use symlinkJoin. If we do it like this:

finalPackage = cfg.package.overrideAttrs (old : {
  postBuild = (old.postBuild or "") + ''
    wrapProgram "$out/bin/direnv" \
      --set-default 'DIRENV_CONFIG' '/etc/direnv'
    rm -rf "$out/share/fish"
  '';
});

Then it correctly uses the final build path in direnv hook.

[Gerg-L]

Direnv is a fairly small build, so the reduced environmental pollution is probably worth the build, I'll test it then change this PR tonight

[lyynd]

Oh, I see, the problem with this is that direnv will need to be rebuilt.
I tried doing substituteInPlace with symlinkJoin, but it seems it does not work on binaries (which is a bit unexpected).

[Gerg-L]

overrideAttrs+ makeWrapper is not working in my testing

[lyynd]

Strange. I did this inside nixos-rebuild repl:

:b pkgs.direnv.overrideAttrs (old : {
  postBuild = (old.postBuild or "") + ''
    wrapProgram "$out/bin/direnv" \
      --set-default 'DIRENV_CONFIG' '/etc/direnv'
    rm -rf "$out/share/fish"
  '';
})

The resulting package has the correct direnv in direnv hook fish (itself) and direnv status shows that DIRENV_CONFIG is set correctly.

[lyynd]

By the way, I think that the approach that is currently in this PR should be merged, because it works (unlike what is in master right now) and improvements can be made after that.

[eclairevoyant]

True, but I think none of us (?) are committers

[eclairevoyant]

Some interesting ideas for future PRs in #404692 btw

[lyynd]

You are right, DIRENV_CONFIG is not being set with what I wrote, it was set from my global environment. Sorry for misleading. I don't know why wrapping in postBuild does not work, it doesn't in postInstall either.

[voronind-com]

I have this issue on a freshly updated 25.05.
Are there plans to port this to the release branch?

Edit: I can confirm that using this fix worked for me on 25.05.

[nixpkgs-ci]

Successfully created backport PR for release-25.05:

• [Backport release-25.05] nixos/direnv: fix silent option... again #410604