misc CI improvements, build macOS binaries, flake improvements/fixes

Signed-off-by: strawberry <strawberry@puppygock.gay>

.github/workflows/ci.yml

@@ -16,7 +16,6 @@ on:
           - 'docker/**'
         branches:
             - main
-            - change-ci-cache
         tags:
           - '*'
     # Allows you to run this workflow manually from the Actions tab
@@ -24,7 +23,7 @@ on:
 
 concurrency:
     group: ${{ github.head_ref || github.ref_name }}
-    cancel-in-progress: true
+    cancel-in-progress: false
 
 env:
     # sccache only on main repo
@@ -51,8 +50,11 @@ env:
     # Get error output from nix that we can actually use, and use our binary caches for the earlier CI steps
     NIX_CONFIG: |
       show-trace = true
-      extra-substituters = https://attic.kennel.juneis.dog/conduit https://attic.kennel.juneis.dog/conduwuit https://cache.lix.systems https://conduwuit.cachix.org
+      extra-substituters = https://attic.kennel.juneis.dog/conduwuit https://attic.kennel.juneis.dog/conduit https://cache.lix.systems https://conduwuit.cachix.org https://aseipp-nix-cache.freetls.fastly.net
       extra-trusted-public-keys = conduit:eEKoUwlQGDdYmAI/Q/0slVlegqh/QmAvQd7HBSm21Wk= conduwuit:BbycGUgTISsltcmH0qNjFR9dbrQNYgdIAcmViSGoVTE= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= conduwuit.cachix.org-1:MFRm6jcnfTf0jSAbmvLfhO3KBMt4px+1xaereWXp8Xg=
+      experimental-features = nix-command flakes
+      extra-experimental-features = nix-command flakes
+      accept-flake-config = true
     # complement uses libolm
     NIXPKGS_ALLOW_INSECURE: 1
 
@@ -64,12 +66,23 @@ jobs:
     tests:
         name: Test
         runs-on: ubuntu-latest
-        env:
-          CARGO_PROFILE: "test"
         steps:
             - name: Free Disk Space (Ubuntu)
               uses: jlumbroso/free-disk-space@main
 
+            - name: Free up more runner space
+              run: |
+                set +o pipefail
+                # large docker images
+                sudo docker image prune --all --force || true
+                # large packages
+                sudo apt-get purge -y '^llvm-.*' 'php.*' '^mongodb-.*' '^mysql-.*' azure-cli google-cloud-cli google-chrome-stable firefox powershell microsoft-edge-stable || true
+                sudo apt-get autoremove -y
+                sudo apt-get clean
+                # large folders
+                sudo rm -rf /var/lib/apt/lists/* /usr/local/games /usr/local/sqlpackage /usr/local/.ghcup /usr/local/share/powershell /usr/local/share/edge_driver /usr/local/share/gecko_driver /usr/local/share/chromium /usr/local/share/chromedriver-linux64 /usr/local/share/vcpkg /usr/local/lib/python* /usr/local/lib/node_modules /usr/local/julia* /opt/mssql-tools /etc/skel /usr/share/vim /usr/share/postgresql /usr/share/man /usr/share/apache-maven-* /usr/share/R /usr/share/alsa /usr/share/miniconda /usr/share/grub /usr/share/gradle-* /usr/share/locale /usr/share/texinfo /usr/share/kotlinc /usr/share/swift /usr/share/doc /usr/share/az_9.3.0 /usr/share/sbt /usr/share/ri /usr/share/icons /usr/share/java /usr/share/fonts /usr/lib/google-cloud-sdk /usr/lib/jvm /usr/lib/mono /usr/lib/R /usr/lib/postgresql /usr/lib/heroku /usr/lib/gcc
+                set -o pipefail
+
             - name: Sync repository
               uses: actions/checkout@v4
 
@@ -85,7 +98,7 @@ jobs:
                     exit 1
                   fi
 
-            - uses: nixbuild/nix-quick-install-action@v28
+            - uses: nixbuild/nix-quick-install-action@master
 
             - name: Restore and cache Nix store
               uses: nix-community/cache-nix-action@v5.1.0
@@ -117,8 +130,11 @@ jobs:
             - name: Apply Nix binary cache configuration
               run: |
                   sudo tee -a "${XDG_CONFIG_HOME:-$HOME/.config}/nix/nix.conf" > /dev/null <<EOF
-                  extra-substituters = https://attic.kennel.juneis.dog/conduit https://attic.kennel.juneis.dog/conduwuit https://cache.lix.systems https://conduwuit.cachix.org
+                  extra-substituters = https://attic.kennel.juneis.dog/conduwuit https://attic.kennel.juneis.dog/conduit https://cache.lix.systems https://conduwuit.cachix.org https://aseipp-nix-cache.freetls.fastly.net
                   extra-trusted-public-keys = conduit:eEKoUwlQGDdYmAI/Q/0slVlegqh/QmAvQd7HBSm21Wk= conduwuit:BbycGUgTISsltcmH0qNjFR9dbrQNYgdIAcmViSGoVTE= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= conduwuit.cachix.org-1:MFRm6jcnfTf0jSAbmvLfhO3KBMt4px+1xaereWXp8Xg=
+                  experimental-features = nix-command flakes
+                  extra-experimental-features = nix-command flakes
+                  accept-flake-config = true
                   EOF
 
             - name: Use alternative Nix binary caches if specified
@@ -132,9 +148,9 @@ jobs:
             - name: Prepare build environment
               run: |
                   echo 'source $HOME/.nix-profile/share/nix-direnv/direnvrc' > "$HOME/.direnvrc"
-                  nix profile install --impure --inputs-from . nixpkgs#direnv nixpkgs#nix-direnv
+                  nix profile install --inputs-from . nixpkgs#direnv nixpkgs#nix-direnv
                   direnv allow
-                  nix develop .#all-features --command true --impure
+                  nix develop .#all-features --command true
 
             - name: Cache CI dependencies
               run: |
@@ -151,10 +167,14 @@ jobs:
                 cache-all-crates: "true"
 
             - name: Run CI tests
+              env:
+                CARGO_PROFILE: "test"
               run: |
                   direnv exec . engage > >(tee -a test_output.log)
 
             - name: Run Complement tests
+              env:
+                CARGO_PROFILE: "test"
               run: |
                   # the nix devshell sets $COMPLEMENT_SRC, so "/dev/null" is no-op
                   direnv exec . bin/complement "/dev/null" complement_test_logs.jsonl complement_test_results.jsonl > >(tee -a test_output.log)
@@ -202,7 +222,7 @@ jobs:
                       echo '```' >> $GITHUB_STEP_SUMMARY
                   fi
 
-            - name: Run cargo clean test artifacts
+            - name: Run cargo clean test artifacts to free up space
               run: |
                   cargo clean --profile test
 
@@ -254,8 +274,11 @@ jobs:
             - name: Apply Nix binary cache configuration
               run: |
                   sudo tee -a "${XDG_CONFIG_HOME:-$HOME/.config}/nix/nix.conf" > /dev/null <<EOF
-                  extra-substituters = https://attic.kennel.juneis.dog/conduit https://attic.kennel.juneis.dog/conduwuit https://cache.lix.systems https://conduwuit.cachix.org
+                  extra-substituters = https://attic.kennel.juneis.dog/conduwuit https://attic.kennel.juneis.dog/conduit https://cache.lix.systems https://conduwuit.cachix.org https://aseipp-nix-cache.freetls.fastly.net
                   extra-trusted-public-keys = conduit:eEKoUwlQGDdYmAI/Q/0slVlegqh/QmAvQd7HBSm21Wk= conduwuit:BbycGUgTISsltcmH0qNjFR9dbrQNYgdIAcmViSGoVTE= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= conduwuit.cachix.org-1:MFRm6jcnfTf0jSAbmvLfhO3KBMt4px+1xaereWXp8Xg=
+                  experimental-features = nix-command flakes
+                  extra-experimental-features = nix-command flakes
+                  accept-flake-config = true
                   EOF
 
             - name: Use alternative Nix binary caches if specified
@@ -401,6 +424,71 @@ jobs:
                   if-no-files-found: error
                   compression-level: 0
 
+    build_mac_binaries:
+        name: Build MacOS Binaries
+        strategy:
+          matrix:
+            os: [macos-latest, macos-13]
+        runs-on: ${{ matrix.os }}
+        steps:
+            - name: Sync repository
+              uses: actions/checkout@v4
+            - name: Tag comparison check
+              if: ${{ startsWith(github.ref, 'refs/tags/v') && !endsWith(github.ref, '-rc') }}
+              run: |
+                  # Tag mismatch with latest repo tag check to prevent potential downgrades
+                  LATEST_TAG=$(git describe --tags `git rev-list --tags --max-count=1`)
+                  if [ $LATEST_TAG != ${{ github.ref_name }} ]; then
+                    echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.'
+                    echo '# WARNING: Attempting to run this workflow for a tag that is not the latest repo tag. Aborting.' >> $GITHUB_STEP_SUMMARY
+                    exit 1
+                  fi
+            # use sccache for Rust
+            - name: Run sccache-cache
+              if: (github.event.pull_request.draft != true) && (vars.DOCKER_USERNAME != '') && (vars.GITLAB_USERNAME != '') && (vars.SCCACHE_ENDPOINT != '') && (github.event.pull_request.user.login != 'renovate[bot]')
+              uses: mozilla-actions/sccache-action@main
+            # use rust-cache
+            - uses: Swatinem/rust-cache@v2
+              with:
+                cache-all-crates: "true"
+            # Nix can't do portable macOS builds yet
+            - name: Build macOS x86_64 binary
+              if: ${{ matrix.os == 'macos-13' }}
+              run: |
+                  CONDUWUIT_VERSION_EXTRA="$(git rev-parse --short HEAD)" cargo build --release
+                  cp -v -f target/release/conduit conduwuit-macos-x86_64
+                  otool -L conduwuit-macos-x86_64
+            # quick smoke test of the x86_64 macOS binary
+            - name: Run x86_64 macOS release binary
+              if: ${{ matrix.os == 'macos-13' }}
+              run: |
+                  ./conduwuit-macos-x86_64 --version
+            - name: Build macOS arm64 binary
+              if: ${{ matrix.os == 'macos-latest' }}
+              run: |
+                  CONDUWUIT_VERSION_EXTRA="$(git rev-parse --short HEAD)" cargo build --release
+                  cp -v -f target/release/conduit conduwuit-macos-arm64
+                  otool -L conduwuit-macos-arm64
+            # quick smoke test of the arm64 macOS binary
+            - name: Run arm64 macOS release binary
+              if: ${{ matrix.os == 'macos-latest' }}
+              run: |
+                  ./conduwuit-macos-arm64 --version
+            - name: Upload macOS x86_64 binary
+              if: ${{ matrix.os == 'macos-13' }}
+              uses: actions/upload-artifact@v4
+              with:
+                  name: conduwuit-macos-x86_64
+                  path: conduwuit-macos-x86_64
+                  if-no-files-found: error
+            - name: Upload macOS arm64 binary
+              if: ${{ matrix.os == 'macos-latest' }}
+              uses: actions/upload-artifact@v4
+              with:
+                  name: conduwuit-macos-arm64
+                  path: conduwuit-macos-arm64
+                  if-no-files-found: error
+
     docker:
         name: Docker publish
         runs-on: ubuntu-latest

.github/workflows/documentation.yml

@@ -24,8 +24,11 @@ env:
   # Get error output from nix that we can actually use, and use our binary caches for the earlier CI steps
   NIX_CONFIG: |
     show-trace = true
-    extra-substituters = https://attic.kennel.juneis.dog/conduit https://attic.kennel.juneis.dog/conduwuit https://cache.lix.systems https://conduwuit.cachix.org
+    extra-substituters = extra-substituters = https://attic.kennel.juneis.dog/conduwuit https://attic.kennel.juneis.dog/conduit https://cache.lix.systems https://conduwuit.cachix.org https://aseipp-nix-cache.freetls.fastly.net
     extra-trusted-public-keys = conduit:eEKoUwlQGDdYmAI/Q/0slVlegqh/QmAvQd7HBSm21Wk= conduwuit:BbycGUgTISsltcmH0qNjFR9dbrQNYgdIAcmViSGoVTE= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= conduwuit.cachix.org-1:MFRm6jcnfTf0jSAbmvLfhO3KBMt4px+1xaereWXp8Xg=
+    experimental-features = nix-command flakes
+    extra-experimental-features = nix-command flakes
+    accept-flake-config = true
 
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
@@ -89,8 +92,11 @@ jobs:
       - name: Apply Nix binary cache configuration
         run: |
             sudo tee -a "${XDG_CONFIG_HOME:-$HOME/.config}/nix/nix.conf" > /dev/null <<EOF
-            extra-substituters = https://attic.kennel.juneis.dog/conduit https://attic.kennel.juneis.dog/conduwuit https://cache.lix.systems https://conduwuit.cachix.org
+            extra-substituters = https://attic.kennel.juneis.dog/conduwuit https://attic.kennel.juneis.dog/conduit https://cache.lix.systems https://conduwuit.cachix.org https://aseipp-nix-cache.freetls.fastly.net
             extra-trusted-public-keys = conduit:eEKoUwlQGDdYmAI/Q/0slVlegqh/QmAvQd7HBSm21Wk= conduwuit:BbycGUgTISsltcmH0qNjFR9dbrQNYgdIAcmViSGoVTE= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= conduwuit.cachix.org-1:MFRm6jcnfTf0jSAbmvLfhO3KBMt4px+1xaereWXp8Xg=
+            experimental-features = nix-command flakes
+            extra-experimental-features = nix-command flakes
+            accept-flake-config = true
             EOF
 
       - name: Use alternative Nix binary caches if specified

.github/workflows/trivy.yml

@@ -26,7 +26,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Run Trivy code and vulnerability scanner on repo
-        uses: aquasecurity/trivy-action@0.24.0
+        uses: aquasecurity/trivy-action@0.28.0
         with:
           scan-type: repo
           format: sarif
@@ -34,7 +34,7 @@ jobs:
           severity: CRITICAL,HIGH,MEDIUM,LOW
 
       - name: Run Trivy code and vulnerability scanner on filesystem
-        uses: aquasecurity/trivy-action@0.24.0
+        uses: aquasecurity/trivy-action@0.28.0
         with:
           scan-type: fs
           format: sarif

.gitlab-ci.yml

@@ -10,6 +10,13 @@ variables:
   FF_USE_FASTZIP: true
   # Print progress reports for cache and artifact transfers
   TRANSFER_METER_FREQUENCY: 5s
+  NIX_CONFIG: |
+    show-trace = true
+    extra-substituters = https://attic.kennel.juneis.dog/conduit https://attic.kennel.juneis.dog/conduwuit https://cache.lix.systems https://conduwuit.cachix.org
+    extra-trusted-public-keys = conduit:eEKoUwlQGDdYmAI/Q/0slVlegqh/QmAvQd7HBSm21Wk= conduwuit:BbycGUgTISsltcmH0qNjFR9dbrQNYgdIAcmViSGoVTE= cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o= conduwuit.cachix.org-1:MFRm6jcnfTf0jSAbmvLfhO3KBMt4px+1xaereWXp8Xg=
+    experimental-features = nix-command flakes
+    extra-experimental-features = nix-command flakes
+    accept-flake-config = true
 
 # Avoid duplicate pipelines
 # See: https://docs.gitlab.com/ee/ci/yaml/workflow.html#switch-between-branch-pipelines-and-merge-request-pipelines
@@ -23,6 +30,9 @@ workflow:
 before_script:
   # Enable nix-command and flakes
   - if command -v nix > /dev/null; then echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf; fi
+  - if command -v nix > /dev/null; then echo "extra-experimental-features = nix-command flakes" >> /etc/nix/nix.conf; fi
+  # Accept flake config from "untrusted" users
+  - if command -v nix > /dev/null; then echo "accept-flake-config = true" >> /etc/nix/nix.conf; fi
 
   # Add conduwuit binary cache
   - if command -v nix > /dev/null; then echo "extra-substituters = https://attic.kennel.juneis.dog/conduwuit" >> /etc/nix/nix.conf; fi
@@ -47,6 +57,8 @@ before_script:
   - if command -v nix > /dev/null; then echo "extra-substituters = https://nix-community.cachix.org" >> /etc/nix/nix.conf; fi
   - if command -v nix > /dev/null; then echo "extra-trusted-public-keys = nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" >> /etc/nix/nix.conf; fi
 
+  - if command -v nix > /dev/null; then echo "extra-substituters = https://aseipp-nix-cache.freetls.fastly.net" >> /etc/nix/nix.conf; fi
+
   # Install direnv and nix-direnv
   - if command -v nix > /dev/null; then nix-env -iA nixpkgs.direnv nixpkgs.nix-direnv; fi
 

bin/complement

@@ -15,7 +15,7 @@ LOG_FILE="$2"
 # A `.jsonl` file to write test results to
 RESULTS_FILE="$3"
 
-OCI_IMAGE="complement-conduit:main"
+OCI_IMAGE="complement-conduwuit:main"
 
 # Complement tests that are skipped due to flakiness/reliability issues
 SKIPPED_COMPLEMENT_TESTS='-skip=TestClientSpacesSummary.*|TestJoinFederatedRoomFromApplicationServiceBridgeUser.*|TestJumpToDateEndpoint.*'

bin/nix-build-and-cache

@@ -26,7 +26,12 @@ just() {
         "$ATTIC_TOKEN"
 
     # Find all output paths of the installables and their build dependencies
-    readarray -t derivations < <(nix path-info --derivation "$@")
+    #readarray -t derivations < <(nix path-info --derivation "$@")
+    derivations=()
+    while IFS=$'\n' read derivation; do
+        derivations+=("$derivation")
+    done < <(nix path-info --derivation "$@")
+
     cache=()
     for derivation in "${derivations[@]}"; do
         cache+=(
@@ -77,8 +82,8 @@ ci() {
         --inputs-from "$toplevel"
 
         # Keep sorted
-        "$toplevel#devShells.x86_64-linux.default"
+        #"$toplevel#devShells.x86_64-linux.default"
-        "$toplevel#devShells.x86_64-linux.all-features"
+        #"$toplevel#devShells.x86_64-linux.all-features"
         attic#default
         cachix#default
         nixpkgs#direnv

flake.nix

@@ -38,6 +38,14 @@
         inherit inputs;
         main = self.callPackage ./nix/pkgs/main {};
         oci-image = self.callPackage ./nix/pkgs/oci-image {};
+        tini = pkgs.tini.overrideAttrs {
+            # newer clang/gcc is unhappy with tini-static: <https://3.dog/~strawberry/pb/c8y4>
+            patches = [ (pkgs.fetchpatch {
+                url = "https://patch-diff.githubusercontent.com/raw/krallin/tini/pull/224.patch";
+                hash = "sha256-4bTfAhRyIT71VALhHY13hUgbjLEUyvgkIJMt3w9ag3k=";
+              })
+            ];
+        };
         liburing = pkgs.liburing.overrideAttrs {
           # Tests weren't building
           outputs = [ "out" "dev" "man" ];
@@ -88,6 +96,16 @@
 
       scopeHost = mkScope pkgsHost;
       scopeHostStatic = mkScope pkgsHostStatic;
+      scopeCrossLinux = mkScope pkgsHost.pkgsLinux.pkgsStatic;
+      mkCrossScope = crossSystem:
+        let pkgsCrossStatic = (import inputs.nixpkgs {
+          inherit system;
+          crossSystem = {
+           config = crossSystem;
+          };
+        }).pkgsStatic;
+         in
+        mkScope pkgsCrossStatic;
 
       mkDevShell = scope: scope.pkgs.mkShell {
         env = scope.main.env // {
@@ -118,7 +136,6 @@
         ++ (with pkgsHost.pkgs; [
           engage
           cargo-audit
-          liburing
 
           # Required by hardened-malloc.rs dep
           binutils
@@ -149,12 +166,21 @@
 
           # needed so we can get rid of gcc and other unused deps that bloat OCI images
           removeReferencesTo
-        ])
+        ]
+        # liburing is Linux-exclusive
+        ++ lib.optional stdenv.hostPlatform.isLinux liburing
+        # needed to build Rust applications on macOS
+        ++ lib.optionals stdenv.hostPlatform.isDarwin [
+            # https://github.com/NixOS/nixpkgs/issues/206242
+            # ld: library not found for -liconv
+            libiconv
+            # https://stackoverflow.com/questions/69869574/properly-adding-darwin-apple-sdk-to-a-nix-shell
+            # https://discourse.nixos.org/t/compile-a-rust-binary-on-macos-dbcrossbar/8612
+            pkgsBuildHost.darwin.apple_sdk.frameworks.Security
+            ])
         ++ scope.main.buildInputs
         ++ scope.main.propagatedBuildInputs
         ++ scope.main.nativeBuildInputs;
-
-        meta.broken = scope.main.meta.broken;
       };
     in
     {
@@ -228,6 +254,8 @@
 
         complement = scopeHost.complement;
         static-complement = scopeHostStatic.complement;
+        # macOS containers don't exist, so the complement images must be forced to linux
+        linux-complement = (mkCrossScope "${pkgsHost.hostPlatform.qemuArch}-linux-musl").complement;
       }
       //
       builtins.listToAttrs
@@ -236,14 +264,7 @@
             (crossSystem:
               let
                 binaryName = "static-${crossSystem}";
-                pkgsCrossStatic =
+                scopeCrossStatic = mkCrossScope crossSystem;
-                  (import inputs.nixpkgs {
-                    inherit system;
-                    crossSystem = {
-                      config = crossSystem;
-                    };
-                  }).pkgsStatic;
-                scopeCrossStatic = mkScope pkgsCrossStatic;
               in
               [
                 # An output for a statically-linked binary
@@ -373,11 +394,20 @@
                     };
                   };
                 }
+
+                # An output for a complement OCI image for the specified platform
+                {
+                  name = "complement-${crossSystem}";
+                  value = scopeCrossStatic.complement;
+                }
               ]
             )
             [
-              "x86_64-unknown-linux-musl"
+              #"x86_64-apple-darwin"
-              "aarch64-unknown-linux-musl"
+              #"aarch64-apple-darwin"
+              "x86_64-linux-gnu"
+              "x86_64-linux-musl"
+              "aarch64-linux-musl"
             ]
           )
         );

nix/pkgs/complement/default.nix

@@ -18,6 +18,15 @@ let
     all_features = true;
     disable_release_max_log_level = true;
     disable_features = [
+        # no reason to use jemalloc for complement, just has compatibility/build issues
+        "jemalloc"
+        # console/CLI stuff isn't used or relevant for complement
+        "console"
+        "tokio_console"
+        # sentry telemetry isn't useful for complement, disabled by default anyways
+        "sentry_telemetry"
+        # the containers don't use or need systemd signal support
+        "systemd"
         # this is non-functional on nix for some reason
         "hardened_malloc"
         # dont include experimental features
@@ -57,7 +66,7 @@ let
 in
 
 dockerTools.buildImage {
-  name = "complement-${main.pname}";
+  name = "complement-conduwuit";
   tag = "main";
 
   copyToRoot = buildEnv {
@@ -78,7 +87,7 @@ dockerTools.buildImage {
       "${lib.getExe start}"
     ];
 
-    Entrypoint = if !stdenv.isDarwin
+    Entrypoint = if !stdenv.hostPlatform.isDarwin
       # Use the `tini` init system so that signals (e.g. ctrl+c/SIGINT)
       # are handled as expected
       then [ "${lib.getExe' tini "tini"}" "--" ]

nix/pkgs/main/cross-compilation-env.nix

@@ -1,5 +1,6 @@
 { lib
 , pkgsBuildHost
+, pkgsBuildTarget
 , rust
 , stdenv
 }:
@@ -35,7 +36,7 @@ lib.optionalAttrs stdenv.hostPlatform.isStatic {
             # including it here. Linkers are weird.
             (stdenv.hostPlatform.isAarch64 || stdenv.hostPlatform.isx86_64)
               && stdenv.hostPlatform.isStatic
-              && !stdenv.isDarwin
+              && !stdenv.hostPlatform.isDarwin
               && !stdenv.cc.bintools.isLLVM
           )
           [
@@ -52,11 +53,12 @@ lib.optionalAttrs stdenv.hostPlatform.isStatic {
 # even covers the case of build scripts that need native code compiled and
 # run on the build platform (I think).
 #
-# [0]: https://github.com/NixOS/nixpkgs/blob/5cdb38bb16c6d0a38779db14fcc766bc1b2394d6/pkgs/build-support/rust/lib/default.nix#L57-L80
+# [0]: https://github.com/NixOS/nixpkgs/blob/nixpkgs-unstable/pkgs/build-support/rust/lib/default.nix#L48-L68
 //
 (
   let
     inherit (rust.lib) envVars;
+    shouldUseLLD = platform: platform.isAarch64 && platform.isStatic && !stdenv.hostPlatform.isDarwin;
   in
   lib.optionalAttrs
     (stdenv.targetPlatform.rust.rustcTarget
@@ -64,23 +66,30 @@ lib.optionalAttrs stdenv.hostPlatform.isStatic {
     (
       let
         inherit (stdenv.targetPlatform.rust) cargoEnvVarTarget;
+        linkerForTarget = if shouldUseLLD stdenv.targetPlatform
+          && !stdenv.cc.bintools.isLLVM # whether stdenv's linker is lld already
+          then "${pkgsBuildTarget.llvmPackages.bintools}/bin/${stdenv.cc.targetPrefix}ld.lld"
+          else envVars.ccForTarget;
       in
       {
         "CC_${cargoEnvVarTarget}" = envVars.ccForTarget;
         "CXX_${cargoEnvVarTarget}" = envVars.cxxForTarget;
-        "CARGO_TARGET_${cargoEnvVarTarget}_LINKER" =
+        "CARGO_TARGET_${cargoEnvVarTarget}_LINKER" = linkerForTarget;
-          envVars.linkerForTarget;
       }
     )
   //
   (
     let
       inherit (stdenv.hostPlatform.rust) cargoEnvVarTarget rustcTarget;
+      linkerForHost = if shouldUseLLD stdenv.targetPlatform
+        && !stdenv.cc.bintools.isLLVM
+        then "${pkgsBuildHost.llvmPackages.bintools}/bin/${stdenv.cc.targetPrefix}ld.lld"
+        else envVars.ccForHost;
     in
     {
       "CC_${cargoEnvVarTarget}" = envVars.ccForHost;
       "CXX_${cargoEnvVarTarget}" = envVars.cxxForHost;
-      "CARGO_TARGET_${cargoEnvVarTarget}_LINKER" = envVars.linkerForHost;
+      "CARGO_TARGET_${cargoEnvVarTarget}_LINKER" = linkerForHost;
       CARGO_BUILD_TARGET = rustcTarget;
     }
   )
@@ -92,7 +101,7 @@ lib.optionalAttrs stdenv.hostPlatform.isStatic {
     {
       "CC_${cargoEnvVarTarget}" = envVars.ccForBuild;
       "CXX_${cargoEnvVarTarget}" = envVars.cxxForBuild;
-      "CARGO_TARGET_${cargoEnvVarTarget}_LINKER" = envVars.linkerForBuild;
+      "CARGO_TARGET_${cargoEnvVarTarget}_LINKER" = envVars.ccForBuild;
       HOST_CC = "${pkgsBuildHost.stdenv.cc}/bin/cc";
       HOST_CXX = "${pkgsBuildHost.stdenv.cc}/bin/c++";
     }

nix/pkgs/main/default.nix

@@ -6,6 +6,7 @@
 , libiconv
 , liburing
 , pkgsBuildHost
+, pkgsBuildTarget
 , rocksdb
 , removeReferencesTo
 , rust
@@ -40,7 +41,7 @@ features'' = lib.subtractLists disable_features' features';
 
 featureEnabled = feature : builtins.elem feature features'';
 
-enableLiburing = featureEnabled "io_uring" && !stdenv.isDarwin;
+enableLiburing = featureEnabled "io_uring" && !stdenv.hostPlatform.isDarwin;
 
 # This derivation will set the JEMALLOC_OVERRIDE variable, causing the
 # tikv-jemalloc-sys crate to use the nixpkgs jemalloc instead of building it's
@@ -72,16 +73,12 @@ buildDepsOnlyEnv =
       # jemalloc symbols are prefixed.
       #
       # [1]: https://github.com/tikv/jemallocator/blob/ab0676d77e81268cd09b059260c75b38dbef2d51/jemalloc-sys/src/env.rs#L17
-      enableJemalloc = featureEnabled "jemalloc" && !stdenv.isDarwin;
+      enableJemalloc = featureEnabled "jemalloc" && !stdenv.hostPlatform.isDarwin;
 
       # for some reason enableLiburing in nixpkgs rocksdb is default true
       # which breaks Darwin entirely
       enableLiburing = enableLiburing;
     }).overrideAttrs (old: {
-      # TODO: static rocksdb fails to build on darwin, also see <https://github.com/NixOS/nixpkgs/issues/320448>
-      # build log at <https://girlboss.ceo/~strawberry/pb/JjGH>
-      meta.broken = stdenv.hostPlatform.isStatic && stdenv.isDarwin;
-
       enableLiburing = enableLiburing;
     });
   in
@@ -99,6 +96,7 @@ buildDepsOnlyEnv =
     inherit
       lib
       pkgsBuildHost
+      pkgsBuildTarget
       rust
       stdenv;
   });
@@ -137,7 +135,16 @@ commonAttrs = {
     dontStrip = profile == "dev" || profile == "test";
     dontPatchELF = profile == "dev" || profile == "test";
 
-    buildInputs = lib.optional (featureEnabled "jemalloc") rust-jemalloc-sys';
+    buildInputs = lib.optional (featureEnabled "jemalloc") rust-jemalloc-sys'
+    # needed to build Rust applications on macOS
+    ++ lib.optionals stdenv.hostPlatform.isDarwin [
+        # https://github.com/NixOS/nixpkgs/issues/206242
+        # ld: library not found for -liconv
+        libiconv
+        # https://stackoverflow.com/questions/69869574/properly-adding-darwin-apple-sdk-to-a-nix-shell
+        # https://discourse.nixos.org/t/compile-a-rust-binary-on-macos-dbcrossbar/8612
+        pkgsBuildHost.darwin.apple_sdk.frameworks.Security
+      ];
 
     nativeBuildInputs = [
       # bindgen needs the build platform's libclang. Apparently due to "splicing
@@ -154,8 +161,10 @@ commonAttrs = {
       # needed so we can get rid of gcc and other unused deps that bloat OCI images
       removeReferencesTo
   ]
-  ++ lib.optionals stdenv.isDarwin [
+  # needed to build Rust applications on macOS
+  ++ lib.optionals stdenv.hostPlatform.isDarwin [
       # https://github.com/NixOS/nixpkgs/issues/206242
+      # ld: library not found for -liconv
       libiconv
 
       # https://stackoverflow.com/questions/69869574/properly-adding-darwin-apple-sdk-to-a-nix-shell
@@ -167,7 +176,7 @@ commonAttrs = {
     #
     # <https://github.com/input-output-hk/haskell.nix/issues/829>
     postInstall = with pkgsBuildHost; ''
-        find "$out" -type f -exec remove-references-to -t ${stdenv.cc} -t ${gcc} -t ${libgcc} -t ${linuxHeaders} -t ${libidn2} -t ${libunistring} '{}' +
+        find "$out" -type f -exec remove-references-to -t ${stdenv.cc} -t ${gcc} -t ${rustc.unwrapped} -t ${rustc} -t ${libidn2} -t ${libunistring} '{}' +
     '';
  };
 in

nix/pkgs/oci-image/default.nix

@@ -16,7 +16,7 @@ dockerTools.buildLayeredImage {
     dockerTools.caCertificates
   ];
   config = {
-    Entrypoint = if !stdenv.isDarwin
+    Entrypoint = if !stdenv.hostPlatform.isDarwin
       # Use the `tini` init system so that signals (e.g. ctrl+c/SIGINT)
       # are handled as expected
       then [ "${lib.getExe' tini "tini"}" "--" ]