.github/Makefile/flake: update nix flake support (#16636)

Cleanup nix support, make flake easier to read with nix-systems.
This also harmonizes with golinks flake setup and reduces an input
dependency by 1.

Update deps test to ensure the vendor hash stays harmonized
with go.mod.

Update make tidy to ensure vendor hash stays current.

Overlay the current version of golang, tailscale runs
recent releases faster than nixpkgs can update them into
the unstable branch.

Updates #16637

Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>

.github/workflows/test.yml

@@ -720,10 +720,10 @@ jobs:
     - name: check that 'go mod tidy' is clean
       working-directory: src
       run: |
-        ./tool/go mod tidy
+        make tidy
         echo
         echo
-        git diff --name-only --exit-code || (echo "Please run 'go mod tidy'."; exit 1)
+        git diff --name-only --exit-code || (echo "Please run 'make tidy'"; exit 1)
 
   licenses:
     runs-on: ubuntu-24.04

Makefile

@@ -8,8 +8,9 @@ PLATFORM ?= "flyio" ## flyio==linux/amd64. Set to "" to build all platforms.
 vet: ## Run go vet
 	./tool/go vet ./...
 
-tidy: ## Run go mod tidy
+tidy: ## Run go mod tidy and update nix flake hashes
 	./tool/go mod tidy
+	./update-flake.sh
 
 lint: ## Run golangci-lint
 	./tool/go run github.com/golangci/golangci-lint/cmd/golangci-lint run

flake.lock

@@ -16,24 +16,6 @@
         "type": "github"
       }
     },
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1710146030,
-        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1753151930,
@@ -53,8 +35,8 @@
     "root": {
       "inputs": {
         "flake-compat": "flake-compat",
-        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs",
-        "nixpkgs": "nixpkgs"
+        "systems": "systems"
       }
     },
     "systems": {

flake.nix

@@ -32,7 +32,7 @@
 {
   inputs = {
     nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
-    flake-utils.url = "github:numtide/flake-utils";
+    systems.url = "github:nix-systems/default";
     # Used by shell.nix as a compat shim.
     flake-compat = {
       url = "github:edolstra/flake-compat";
@@ -43,13 +43,29 @@
   outputs = {
     self,
     nixpkgs,
-    flake-utils,
+    systems,
     flake-compat,
   }: let
-    # tailscaleRev is the git commit at which this flake was imported,
+    go124Version = "1.24.6";
-    # or the empty string when building from a local checkout of the
+    goHash = "sha256-4ctVgqq1iGaLwEwH3hhogHD2uMmyqvNh+CHhm9R8/b0=";
-    # tailscale repo.
+    eachSystem = f:
+      nixpkgs.lib.genAttrs (import systems) (system:
+        f (import nixpkgs {
+          system = system;
+          overlays = [
+            (final: prev: {
+              go_1_24 = prev.go_1_24.overrideAttrs {
+                version = go124Version;
+                src = prev.fetchurl {
+                  url = "https://go.dev/dl/go${go124Version}.src.tar.gz";
+                  hash = goHash;
+                };
+              };
+            })
+          ];
+        }));
     tailscaleRev = self.rev or "";
+  in {
     # tailscale takes a nixpkgs package set, and builds Tailscale from
     # the same commit as this flake. IOW, it provides "tailscale built
     # from HEAD", where HEAD is "whatever commit you imported the
@@ -67,16 +83,20 @@
     # So really, this flake is for tailscale devs to dogfood with, if
     # you're an end user you should be prepared for this flake to not
     # build periodically.
-    tailscale = pkgs:
+    packages = eachSystem (pkgs: rec {
-      pkgs.buildGo124Module rec {
+      default = pkgs.buildGo124Module {
         name = "tailscale";
-
+        pname = "tailscale";
         src = ./.;
         vendorHash = pkgs.lib.fileContents ./go.mod.sri;
-        nativeBuildInputs = pkgs.lib.optionals pkgs.stdenv.isLinux [pkgs.makeWrapper];
+        nativeBuildInputs = [pkgs.makeWrapper pkgs.installShellFiles];
         ldflags = ["-X tailscale.com/version.gitCommitStamp=${tailscaleRev}"];
         env.CGO_ENABLED = 0;
-        subPackages = ["cmd/tailscale" "cmd/tailscaled"];
+        subPackages = [
+          "cmd/tailscale"
+          "cmd/tailscaled"
+          "cmd/tsidp"
+        ];
         doCheck = false;
 
         # NOTE: We strip the ${PORT} and $FLAGS because they are unset in the
@@ -84,7 +104,8 @@
         # point, there should be a NixOS module that allows configuration of these
         # things, but for now, we hardcode the default of port 41641 (taken from
         # ./cmd/tailscaled/tailscaled.defaults).
-        postInstall = pkgs.lib.optionalString pkgs.stdenv.isLinux ''
+        postInstall =
+          pkgs.lib.optionalString pkgs.stdenv.isLinux ''
             wrapProgram $out/bin/tailscaled --prefix PATH : ${pkgs.lib.makeBinPath [pkgs.iproute2 pkgs.iptables pkgs.getent pkgs.shadow]}
             wrapProgram $out/bin/tailscale --suffix PATH : ${pkgs.lib.makeBinPath [pkgs.procps]}
 
@@ -96,20 +117,18 @@
               ./cmd/tailscaled/tailscaled.service
 
             install -D -m0444 -t $out/lib/systemd/system ./cmd/tailscaled/tailscaled.service
+          ''
+          + pkgs.lib.optionalString (pkgs.stdenv.buildPlatform.canExecute pkgs.stdenv.hostPlatform) ''
+            installShellCompletion --cmd tailscale \
+              --bash <($out/bin/tailscale completion bash) \
+              --fish <($out/bin/tailscale completion fish) \
+              --zsh <($out/bin/tailscale completion zsh)
           '';
       };
+      tailscale = default;
+    });
 
-    # This whole blob makes the tailscale package available for all
+    devShells = eachSystem (pkgs: {
-    # OS/CPU combos that nix supports, as well as a dev shell so that
-    # "nix develop" and "nix-shell" give you a dev env.
-    flakeForSystem = nixpkgs: system: let
-      pkgs = nixpkgs.legacyPackages.${system};
-      ts = tailscale pkgs;
-    in {
-      packages = {
-        default = ts;
-        tailscale = ts;
-      };
       devShell = pkgs.mkShell {
         packages = with pkgs; [
           curl
@@ -126,9 +145,8 @@
           e2fsprogs
         ];
       };
+    });
   };
-  in
-    flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-4QTSspHLYJfzlontQ7msXyOB5gzq7ZwSvWmKuYY5klA=
+# nix-direnv cache busting line: sha256-Ue1rD4m+rg/J84XhpNZAa3ni/r5FVQZTh6wZcbp7GsE=
 

go.mod.sri

@@ -1 +1 @@
-sha256-4QTSspHLYJfzlontQ7msXyOB5gzq7ZwSvWmKuYY5klA=
+sha256-Ue1rD4m+rg/J84XhpNZAa3ni/r5FVQZTh6wZcbp7GsE=

shell.nix

@@ -16,4 +16,4 @@
 ) {
   src =  ./.;
 }).shellNix
-# nix-direnv cache busting line: sha256-4QTSspHLYJfzlontQ7msXyOB5gzq7ZwSvWmKuYY5klA=
+# nix-direnv cache busting line: sha256-Ue1rD4m+rg/J84XhpNZAa3ni/r5FVQZTh6wZcbp7GsE=