grafana: build frontend from source

Up until now, the frontend was taken from `srcStatic`, i.e. prebuilt
from upstream. I recall at least three cases[1][2][3] where we got a hash
mismatch eventually.

Rather than spending time finding out whether or not it's a supply-chain
attack or just a build issue, I decided to implement a source-build now
with the following benefits:

* It's now actually possible to apply patches for Grafana's frontend.
* We rely a little less on third-party build systems.

Of course, patching potential vulnerabilities in transitive frontend
dependencies is still hard (let alone discovering that this package is
affected!), but that's a fundamental issue we have in nixpkgs and I
won't invent a half-baked solution just for this package, I still
consider this a step into the right direction.

The build itself mainly orients on the `yarn` commands used in the
upstream Makefile[4]. However, we can't use `fetchYarnDeps` here because
yarn v2 (a.k.a. `berry`) is in use which is why the same was done as in
`hedgedoc`, writing a custom FoD that downloads all dependencies and
writes the offline cache into `$out`[5].

Additionally there are two more notable differences to upstream:

* We patch out every dependency to `@grafana/e2e` and `cypress`. The
  first is a dependency on the latter in another version and the latter
  downloads random blobs from the Internet in postInstall. Since it's a
  testing framework (and the `e2e` package apparently a testing
  library), I decided it's not worth the effort and patched it out
  everywhere.

* There was a `zoneinfo.zip` in `$out/share/grafana/tools` that was
  installed from `srcStatic`. This only seems to be used on Windows[6]
  and that's not supported by this package, so I decided to drop it.

[1] https://github.com/NixOS/nixpkgs/pull/251479
[2] https://github.com/NixOS/nixpkgs/pull/130201
[3] https://github.com/NixOS/nixpkgs/pull/104794
[4] https://github.com/grafana/grafana/blob/v10.3.1/Makefile
[5] https://github.com/NixOS/nixpkgs/pull/245170
[6] https://github.com/grafana/grafana/blob/v10.3.1/pkg/setting/setting.go#L1012-L1014

pkgs/servers/monitoring/grafana/default.nix

@@ -1,5 +1,35 @@
-{ lib, buildGoModule, fetchurl, fetchFromGitHub, nixosTests, tzdata, wire }:
+{ lib, stdenv, buildGoModule, fetchFromGitHub
+, tzdata, wire
+, yarn, nodejs, cacert
+, jq, moreutils
+, nix-update-script, nixosTests
+}:
 
+let
+  # We need dev dependencies to run webpack, but patch away
+  # `cypress` (and @grafana/e2e which has a direct dependency on cypress).
+  # This attempts to download random blobs from the Internet in
+  # postInstall. Also, it's just a testing framework, so not worth the hassle.
+  patchAwayGrafanaE2E = ''
+    find . -name package.json | while IFS=$'\n' read -r pkg_json; do
+      <"$pkg_json" jq '. + {
+        "devDependencies": .devDependencies | del(."@grafana/e2e") | del(.cypress)
+      }' | sponge "$pkg_json"
+    done
+    rm -r packages/grafana-e2e
+  '';
+
+  # Injects a `t.Skip()` into a given test since
+  # there's apparently no other way to skip tests here.
+  skipTest = lineOffset: testCase: file:
+    let
+      jumpAndAppend = lib.concatStringsSep ";" (lib.replicate (lineOffset - 1) "n" ++ [ "a" ]);
+    in ''
+      sed -i -e '/${testCase}/{
+      ${jumpAndAppend} t.Skip();
+      }' ${file}
+    '';
+in
 buildGoModule rec {
   pname = "grafana";
   version = "10.2.3";
@@ -13,25 +43,38 @@ buildGoModule rec {
     hash = "sha256-F61RtPEjQ4uFVcJLG04CD4//w8X7uJinxzYyoW/MosA=";
   };
 
-  srcStatic = fetchurl {
-    url = "https://dl.grafana.com/oss/release/grafana-${version}.linux-amd64.tar.gz";
-    hash = "sha256-xoZgaml1SB9PEI3kTE3zRlJR5O4tog58bua2blvc8to=";
+  offlineCache = stdenv.mkDerivation {
+    name = "${pname}-${version}-yarn-offline-cache";
+    inherit src;
+    nativeBuildInputs = [
+      yarn nodejs cacert
+      jq moreutils
+    ];
+    buildPhase = ''
+      ${patchAwayGrafanaE2E}
+      export HOME="$(mktemp -d)"
+      yarn config set enableTelemetry 0
+      yarn config set cacheFolder $out
+      yarn config set --json supportedArchitectures.os '[ "linux" ]'
+      yarn config set --json supportedArchitectures.cpu '["arm", "arm64", "ia32", "x64"]'
+      yarn
+    '';
+    dontConfigure = true;
+    dontInstall = true;
+    dontFixup = true;
+    outputHashMode = "recursive";
+    outputHash = "sha256-cD9Y72OWSj7zwhhAcrZouLpEFFwURSsWgDFRjwMQAxI=";
   };
 
   vendorHash = "sha256-rQOnuh6t+cUqyAAnUhGgxMaW88pawnauAGQd6w0T57Q=";
 
-  nativeBuildInputs = [ wire ];
+  nativeBuildInputs = [ wire yarn jq moreutils ];
 
-  postConfigure = let
-    skipTest = lineOffset: testCase: file:
-      let
-        jumpAndAppend = lib.concatStringsSep ";" (lib.replicate (lineOffset - 1) "n" ++ [ "a" ]);
-      in ''
-        sed -i -e '/${testCase}/{
-        ${jumpAndAppend} t.Skip();
-        }' ${file}
-      '';
-  in ''
+  postPatch = ''
+    ${patchAwayGrafanaE2E}
+  '';
+
+  postConfigure = ''
     # Generate DI code that's required to compile the package.
     # From https://github.com/grafana/grafana/blob/v8.2.3/Makefile#L33-L35
     wire gen -tags oss ./pkg/server
@@ -69,6 +112,18 @@ buildGoModule rec {
     # grafana> 2023/08/24 08:30:23 failed to copy objects, err: Post "https://storage.googleapis.com/upload/storage/v1/b/grafana-testing-repo/o?alt=json&name=test-path%2Fbuild%2FTestCopyLocalDir2194093976%2F001%2Ffile2.txt&prettyPrint=false&projection=full&uploadType=multipart": dial tcp: lookup storage.googleapis.com on [::1]:53: read udp [::1]:36436->[::1]:53: read: connection refused
     # grafana> panic: test timed out after 10m0s
     rm pkg/build/gcloud/storage/gsutil_test.go
+
+    # Setup node_modules
+    export HOME="$(mktemp -d)"
+    yarn config set enableTelemetry 0
+    yarn config set cacheFolder $offlineCache
+    yarn --immutable-cache
+  '';
+
+  postBuild = ''
+    # After having built all the Go code, run the JS builders now.
+    yarn run build
+    yarn run plugins:build-bundled
   '';
 
   ldflags = [
@@ -86,16 +141,13 @@ buildGoModule rec {
   '';
 
   postInstall = ''
-    tar -xvf $srcStatic
     mkdir -p $out/share/grafana
-    mv grafana-*/{public,conf,tools} $out/share/grafana/
-
-    cp ./conf/defaults.ini $out/share/grafana/conf/
+    cp -r public conf $out/share/grafana/
   '';
 
   passthru = {
     tests = { inherit (nixosTests) grafana; };
-    updateScript = ./update.sh;
+    updateScript = nix-update-script { };
   };
 
   meta = with lib; {

pkgs/servers/monitoring/grafana/update.sh

@@ -1,40 +0,0 @@
-#!/usr/bin/env nix-shell
-#!nix-shell -i bash -p curl common-updater-scripts jq nix nix-prefetch-scripts moreutils
-
-set -euxo pipefail
-
-FILE="$(nix-instantiate --eval -E 'with import ./. {}; (builtins.unsafeGetAttrPos "version" grafana).file' | tr -d '"')"
-replaceHash() {
-  old="${1?old hash missing}"
-  new="${2?new hash missing}"
-  awk -v OLD="$old" -v NEW="$new" '{
-    if (i=index($0, OLD)) {
-      $0 = substr($0, 1, i-1) NEW substr($0, i+length(OLD));
-    }
-    print $0;
-  }' "$FILE" | sponge "$FILE"
-}
-extractVendorHash() {
-  original="${1?original hash missing}"
-  result="$(nix-build -A grafana.goModules 2>&1 | tail -n3 | grep 'got:' | cut -d: -f2- | xargs echo || true)"
-  [ -z "$result" ] && { echo "$original"; } || { echo "$result"; }
-}
-
-oldVersion="$(nix-instantiate --eval -E "with import ./. {}; lib.getVersion grafana" | tr -d '"')"
-latest="$(curl https://api.github.com/repos/grafana/grafana/releases/latest | jq '.tag_name' -r | tr -d 'v')"
-
-targetVersion="${1:-$latest}"
-if [ ! "${oldVersion}" = "${targetVersion}" ]; then
-  update-source-version grafana "${targetVersion#v}"
-  oldStaticHash="$(nix-instantiate --eval -A grafana.srcStatic.outputHash | tr -d '"')"
-  newStaticHash="$(nix-prefetch-url "https://dl.grafana.com/oss/release/grafana-${targetVersion#v}.linux-amd64.tar.gz")"
-  newStaticHash="$(nix hash to-sri --type sha256 $newStaticHash)"
-  replaceHash "$oldStaticHash" "$newStaticHash"
-  goHash="$(nix-instantiate --eval -A grafana.vendorHash | tr -d '"')"
-  emptyHash="$(nix-instantiate --eval -A lib.fakeHash | tr -d '"')"
-  replaceHash "$goHash" "$emptyHash"
-  replaceHash "$emptyHash" "$(extractVendorHash "$goHash")"
-  nix-build -A grafana
-else
-  echo "grafana is already up-to-date"
-fi