Matrix AI public Nix package and module distribution flake.
This repository exists to provide one coherent producer interface for Matrix AI Nix consumers.
Without this layer, teams consume many independent flakes directly and drift over time on pins, output shapes, and composition behavior. Here, curation is intentionally centralized so downstream repositories can depend on one stable contract instead of many floating contracts.
In short:
- this repo owns what is distributed and how it is composed,
- downstream repos own environment-specific rollout and runtime operations.
Technical contract summary:
- public API is the `outputs` shape in `flake.nix`,
- canonical constructor path is `lib.mkPkgs`,
- constrained `builtins.getFlake` is allowed only under policy (path allowlist, commit pinning, and check enforcement).
Allowlist metadata is maintained in checks/policy-pin-allowlist.nix, while enforcement logic lives in checks/policy-pin.nix.
The public contract is the outputs shape in flake.nix.
| Output | Purpose |
|---|---|
| `lib` | Public helper scope from `lib/default.nix`; includes upstream `nixpkgs.lib` under `lib.lib` and constructor helpers such as `lib.mkPkgs`. |
| `overlays.default` | Canonical project overlay from `overlays/default.nix`. |
| `legacyPackages.${system}` | Compatibility package set produced via `lib.mkPkgs`. |
| `packages.${system}` | Curated flat top-level installables projection from `pkgs/default.nix` (`exportTopLevel`). |
| `templates.default` | Minimal OSS starter template (alias of `templates.oss`). |
| `templates.oss` | Minimal OSS starter template using flake-parts and `nixpkgs-matrixai.lib.mkPkgs`. |
| `nixosModules.default` | Public NixOS module entrypoint. |
| `homeModules.default` | Public Home Manager module entrypoint. |
| `checks.${system}` | Local contract/policy/smoke gates consumed by `nix flake check`. |
| `devShells.${system}.default` | Developer shell for local repository maintenance workflows. |
Current policy is explicit single-system materialization (x86_64-linux).
Initialize a new project using the exported starter:
```sh
nix flake init -t github:MatrixAI/nixpkgs-matrixai#oss
```
Equivalent alias:
```sh
nix flake init -t github:MatrixAI/nixpkgs-matrixai#default
```
The template emits one minimal `flake.nix` that:
- uses flake-parts,
- imports `nixpkgs-matrixai` from GitHub,
- constructs `pkgs` through `nixpkgs-matrixai.lib.mkPkgs`,
- defines a small `devShell` consuming `nixpkgs-matrixai` packages.
lib.mkPkgs is the canonical constructor for downstream composition.
Overlay ordering in lib/mkPkgs.nix is:
- upstream nixpkgs constructor,
- project default overlay,
- caller-provided overlays.
Implementation shape:
```nix
mkPkgsUpstream {
  inherit system config;
  overlays = [ overlay ] ++ overlays;
}
```
`pkgs/default.nix` is the package registry and projection hub:
- `registry.topLevel` maps top-level package names to package files,
- `registry.scopes` maps scoped package sets (currently `python3Packages`),
- `exportTopLevel` projects flat installables to `packages.${system}`,
- `overlay` wires top-level + scoped entries into `overlays.default` / `legacyPackages.${system}`.
```sh
nix build 'github:MatrixAI/nixpkgs-matrixai#packages.x86_64-linux.matrixai-public-hello'
nix build 'github:MatrixAI/nixpkgs-matrixai#legacyPackages.x86_64-linux.matrixai-public-hello'
```
Enter the repository maintenance shell:
```sh
nix develop
```
The shell is intentionally curated for this repository's maintenance workflows and includes tools like nix, git, jq, GNU text/core utilities, curl, and wget.
Use these as the standard local gates:
```sh
nix flake show path:. --no-write-lock-file
nix flake check path:. --no-write-lock-file
```
Current checks:
- `checks.${system}.contract-outputs`
- `checks.${system}.contract-packages`
- `checks.${system}.contract-modules`
- `checks.${system}.policy-pin`
- `checks.${system}.smoke-hello`
Use:
```sh
./scripts/nixpkgs-pin-policy.sh info
./scripts/nixpkgs-pin-policy.sh info --tracking-ref refs/heads/nixos-unstable
./scripts/nixpkgs-pin-policy.sh update <commit-sha>
```
`update` rewrites the managed nixpkgs block in `flake.nix`, refreshes `flake.lock`, and verifies rev consistency.
External builtins.getFlake usage is allowlisted and enforced by checks.${system}.policy-pin.
Allowlist metadata lives in:
checks/policy-pin-allowlist.nix
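
A sketch of the kind of gate this policy describes, added here as an example and not the repository's own `checks/policy-pin.nix`: a text-level scan that flags any `getFlake` use outside the allowlist, with a computed argument, or not pinned to an allowlisted full commit. The allowlist shape (file path mapped to permitted SHAs), the file paths and the SHAs are constructed assumptions.

```python
import re

GETFLAKE_RE = re.compile(r"\bgetFlake\b")   # also catches `with builtins; getFlake`
LITERAL_RE = re.compile(r'\s*"([^"]*)"')    # literal string argument after the call
FULL_SHA_RE = re.compile(r"(?:/|[?&]rev=)([0-9a-f]{40})(?![0-9a-f])")


def check_source(path, text, allowlist):
    """Return (path, line_no, reason) for every getFlake use that breaks policy."""
    violations = []
    for line_no, line in enumerate(text.splitlines(), 1):
        # Comments are not stripped, so a commented-out call is flagged too.
        for call in GETFLAKE_RE.finditer(line):
            if path not in allowlist:
                violations.append((path, line_no, "file not allowlisted"))
                continue
            arg = LITERAL_RE.match(line, call.end())
            if arg is None:
                # A computed reference cannot be verified statically.
                violations.append((path, line_no, "non-literal argument"))
                continue
            sha = FULL_SHA_RE.search(arg.group(1))
            if sha is None:
                violations.append((path, line_no, "not pinned to a full commit"))
            elif sha.group(1) not in allowlist[path]:
                violations.append((path, line_no, "commit not allowlisted"))
    return violations


def audit(files, allowlist):
    """Check every path -> source text entry; an empty result means the gate passes."""
    return [v for p in sorted(files) for v in check_source(p, files[p], allowlist)]


# Constructed sample data: placeholder SHAs and hypothetical file paths.
SHA_A, SHA_B = "a" * 40, "b" * 40
ALLOWLIST = {"lib/external.nix": {SHA_A}, "lib/other.nix": {SHA_A}}
FILES = {
    "lib/external.nix": f'dep = builtins.getFlake "github:example/dep/{SHA_A}";\n',
    "lib/other.nix": (
        'a = builtins.getFlake "github:example/dep/main";\n'
        "b = builtins.getFlake (toString ./.);\n"
        f'c = builtins.getFlake "git+https://example.org/dep?ref=main&rev={SHA_B}";\n'
    ),
    "pkgs/rogue.nix": f'x = builtins.getFlake "github:example/dep/{SHA_A}";\n',
}

if __name__ == "__main__":
    for path, line_no, reason in audit(FILES, ALLOWLIST):
        print(f"{path}:{line_no}: {reason}")
```

A regex scan is deliberately conservative and cannot follow aliasing such as `f = builtins.getFlake;` used on a later line; evaluation-time enforcement is the stronger control.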
These scripts improve maintainer decision-making inside this repository. They are ergonomics helpers, not the contract authority (the contract authority remains flake outputs and checks).
- External pin lifecycle visibility:
```sh
./scripts/external-pin-lifecycle.sh info
./scripts/external-pin-lifecycle.sh info --tracking-ref refs/heads/main
```
Reports include:
- allowlisted entry metadata,
- pinned commit date,
- pin age in days,
- review cadence and due state,
- tracking branch head SHA visibility.
- Package version intelligence for policy decisions:
```sh
./scripts/package-version-intel.sh current vscodium
./scripts/package-version-intel.sh compare vscodium --candidate-ref refs/heads/nixos-unstable
./scripts/package-version-intel.sh compare matrixai-public-hello --system x86_64-linux --candidate-ref <commit-sha>
```
Reports include current pinned metadata and candidate metadata (version, pname, name) plus a simple changed/unchanged status.
- Add or update package definitions under `pkgs/top-level` or `pkgs/development/python-modules`.
- Register package paths in `pkgs/default.nix` under:
  - `registry.topLevel`, or
  - `registry.scopes.<scopeName>`.
- Validate both surfaces:
  - `packages.${system}` via `exportTopLevel`,
  - `legacyPackages.${system}` via overlay composition.
Useful checks:
```sh
nix flake show path:. --no-write-lock-file
nix build '.#packages.x86_64-linux.matrixai-public-hello'
nix build '.#legacyPackages.x86_64-linux.matrixai-public-hello'
```
Current module files are intentionally minimal placeholders:
- `modules/nixos/default.nix`
- `modules/home/default.nix`
Stable exported entrypoints:
- `nixosModules.default`
- `homeModules.default`
When iterating with nixpkgs-matrixai-private, run from the private checkout:
```sh
nix flake check --override-input nixpkgs-matrixai ../nixpkgs-matrixai
```
For lock-based validation in private:
```sh
nix flake update nixpkgs-matrixai
nix flake check
```