Add papi and nosv to cross-compilation CI

Reviewed-by: Rodrigo Arias Mallo <rodrigo.arias@bsc.es>

m/common/base/users.nix

@@ -134,7 +134,7 @@
         home = "/home/Computational/varcila";
         description = "Vincent Arcila";
         group = "Computational";
-        hosts = [ "apex" "hut" "tent" "fox" ];
+        hosts = [ "apex" "hut" "tent" "fox" "owl1" "owl2" ];
         hashedPassword = "$6$oB0Tcn99DcM4Ch$Vn1A0ulLTn/8B2oFPi9wWl/NOsJzaFAWjqekwcuC9sMC7cgxEVb.Nk5XSzQ2xzYcNe5MLtmzkVYnRS1CqP39Y0";
         openssh.authorizedKeys.keys = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKGt0ESYxekBiHJQowmKpfdouw0hVm3N7tUMtAaeLejK vincent@varch"

m/hut/gitlab-runner.nix

@@ -61,6 +61,8 @@
         registrationFlags = [
           # Increase build log length to 64 MiB
           "--output-limit 65536"
+          # Allow the runner to be used in multiple projects
+          "--locked=false"
         ];
         preBuildScript = pkgs.writeScript "setup-container" ''
           mkdir -p -m 0755 /nix/var/log/nix/drvs

m/hut/monitoring.nix

@@ -5,7 +5,7 @@
     ../module/slurm-exporter.nix
     ../module/meteocat-exporter.nix
     ../module/upc-qaire-exporter.nix
-    ./gpfs-probe.nix
+    ./ssh-robot-probes.nix
     ../module/nix-daemon-exporter.nix
   ];
 
@@ -111,6 +111,7 @@
             "127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}"
             "127.0.0.1:9341" # Slurm exporter
             "127.0.0.1:9966" # GPFS custom exporter
+            "127.0.0.1:9967" # SLURM custom exporter
             "127.0.0.1:9999" # Nix-daemon custom exporter
             "127.0.0.1:9929" # Meteocat custom exporter
             "127.0.0.1:9928" # UPC Qaire custom exporter

m/hut/ompss2-timer.nix

@@ -29,6 +29,7 @@
     closing = pkgs.writeText "closing.txt"
     ''
       Subject: OmpSs-2 release enters closing period
+      To: star@bsc.es
 
       Hi,
 
@@ -42,6 +43,7 @@
     freeze = pkgs.writeText "freeze.txt"
     ''
       Subject: OmpSs-2 release enters freeze period
+      To: star@bsc.es
 
       Hi,
 
@@ -55,6 +57,7 @@
     release = pkgs.writeText "release.txt"
     ''
       Subject: OmpSs-2 release now
+      To: star@bsc.es
 
       Hi,
 
@@ -69,7 +72,7 @@
         script = ''
           set -eu
           set -o pipefail
-          cat ${mail} | ${config.security.wrapperDir}/sendmail star@bsc.es
+          cat ${mail} | ${config.security.wrapperDir}/sendmail -t star@bsc.es
         '';
         serviceConfig = {
           Type = "oneshot";

m/hut/sblame-probe.sh

@@ -0,0 +1,8 @@
+#!/bin/sh
+
+cat <<EOF
+HTTP/1.1 200 OK
+Content-Type: text/plain; version=0.0.4; charset=utf-8; escaping=values
+
+EOF
+ssh bsc015557@glogin2.bsc.es "timeout 3 command sblame -E"

m/hut/ssh-robot-probes.nix

@@ -6,6 +6,12 @@ let
       chmod +x $out
     ''
   ;
+  sblame-probe-script = pkgs.runCommand "sblame-probe.sh" { }
+    ''
+      cp ${./sblame-probe.sh} $out;
+      chmod +x $out
+    ''
+  ;
 in
 {
   # Use a new user to handle the SSH keys
@@ -28,4 +34,17 @@ in
       Group = "ssh-robot";
     };
   };
+
+  systemd.services.sblame-probe = {
+    description = "Daemon to report SLURM statistics via SSH";
+    path = [ pkgs.openssh pkgs.netcat ];
+    after = [ "network.target" ];
+    wantedBy = [ "default.target" ];
+    serviceConfig = {
+      Type = "simple";
+      ExecStart = "${pkgs.socat}/bin/socat TCP4-LISTEN:9967,fork EXEC:${sblame-probe-script}";
+      User = "ssh-robot";
+      Group = "ssh-robot";
+    };
+  };
 }

overlay.nix

@@ -39,9 +39,8 @@ let
     nanos6Debug = final.nanos6.override { enableDebug = true; };
     nixtools = callPackage ./pkgs/nixtools/default.nix { };
     nixgen = callPackage ./pkgs/nixgen/default.nix { };
-    # Broken because of pkgsStatic.libcap
+    nix-portable = callPackage ./pkgs/nix-portable/default.nix { };
-    # See: https://github.com/NixOS/nixpkgs/pull/268791
+    nix-wrap = callPackage ./pkgs/nix-wrap/default.nix { };
-    #nix-wrap = callPackage ./pkgs/nix-wrap/default.nix { };
     nodes = callPackage ./pkgs/nodes/default.nix { };
     nosv = callPackage ./pkgs/nosv/default.nix { };
     openmp = callPackage ./pkgs/llvm-ompss2/openmp.nix { monorepoSrc = final.clangOmpss2Unwrapped.src; version = final.clangOmpss2Unwrapped.version; };
@@ -49,6 +48,7 @@ let
     osumb = callPackage ./pkgs/osu/default.nix { };
     ovni = callPackage ./pkgs/ovni/default.nix { };
     ovniGit = final.ovni.override { useGit = true; };
+    papi = callPackage ./pkgs/papi/default.nix { papi = prev.papi; };
     paraverKernel = callPackage ./pkgs/paraver/kernel.nix { };
     prometheus-slurm-exporter = prev.callPackage ./pkgs/slurm-exporter/default.nix { };
     #pscom = callPackage ./pkgs/parastation/pscom.nix { }; # Unmaintaned

pkgs/amd-uprof/default.nix

@@ -1,8 +1,6 @@
 { stdenv
 , lib
-, curl
+, fetchurl
-, cacert
-, runCommandLocal
 , autoPatchelfHook
 , elfutils
 , glib
@@ -26,27 +24,24 @@ let
   tarball = "AMDuProf_Linux_x64_${version}.tar.bz2";
 
   # NOTE: Remember to update the radare2 patch below if AMDuProfPcm changes.
-  uprofSrc = runCommandLocal tarball {
+  src = fetchurl {
-    nativeBuildInputs = [ curl ];
+    url = "https://download.amd.com/developer/eula/uprof/uprof-5-1/${tarball}";
-    outputHash = "sha256-j9gxcBcIg6Zhc5FglUXf/VV9bKSo+PAKeootbN7ggYk=";
+    sha256 = "sha256-j9gxcBcIg6Zhc5FglUXf/VV9bKSo+PAKeootbN7ggYk=";
-    SSL_CERT_FILE="${cacert}/etc/ssl/certs/ca-bundle.crt";
+    curlOptsList = [
-  } ''
+      "-H" "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0"
-    curl \
+      "-H" "'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8'"
-    -o $out \
+      "-H" "Accept-Language: en-US,en;q=0.5"
-    'https://download.amd.com/developer/eula/uprof/uprof-5-1/${tarball}' \
+      "-H" "Accept-Encoding: gzip, deflate, br, zstd"
-    -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0' \
+      "-H" "Referer: https://www.amd.com/"
-    -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
+    ];
-    -H 'Accept-Language: en-US,en;q=0.5' \
+  };
-    -H 'Accept-Encoding: gzip, deflate, br, zstd' \
-    -H 'Referer: https://www.amd.com/' 2>&1 | tr '\r' '\n'
-  '';
 
 in
   stdenv.mkDerivation {
     pname = "AMD-uProf";
-    inherit version;
+    inherit src version;
-    src = uprofSrc;
     dontStrip = true;
+    strictDeps = true;
     phases = [ "installPhase" "fixupPhase" ];
     nativeBuildInputs = [ autoPatchelfHook radare2 ];
     buildInputs = [

pkgs/amd-uprof/driver.nix

@@ -18,6 +18,7 @@ in stdenv.mkDerivation {
     set +x
   '';
   hardeningDisable = [ "pic" "format" ];
+  strictDeps = true;
   nativeBuildInputs = kernel.moduleBuildDependencies;
   patches = [ ./makefile.patch ./hrtimer.patch ./remove-wr-rdmsrq.patch ];
   makeFlags = [

pkgs/bench6/default.nix

@@ -59,6 +59,7 @@ stdenv.mkDerivation rec {
   ];
   hardeningDisable = [ "all" ];
   dontStrip = true;
+  strictDeps = true;
 
   meta = {
     homepage = "https://gitlab.pm.bsc.es/rarias/bench6";

pkgs/bigotes/default.nix

@@ -16,6 +16,8 @@ stdenv.mkDerivation {
   };
   nativeBuildInputs = [ cmake ];
 
+  strictDeps = true;
+
   meta = {
     homepage = "https://github.com/rodarima/bigotes";
     description = "Versatile benchmark tool";

pkgs/cudainfo/default.nix

@@ -10,11 +10,14 @@
 stdenv.mkDerivation (finalAttrs: {
   name = "cudainfo";
   src = ./.;
-  buildInputs = [
+  strictDeps = true;
+  nativeBuildInputs = [
     cudatoolkit # Required for nvcc
-    (lib.getOutput "static" cudaPackages.cuda_cudart) # Required for -lcudart_static
     autoAddDriverRunpath
   ];
+  buildInputs = [
+    (lib.getOutput "static" cudaPackages.cuda_cudart) # Required for -lcudart_static
+  ];
   installPhase = ''
     mkdir -p $out/bin
     cp -a cudainfo $out/bin
@@ -23,6 +26,7 @@ stdenv.mkDerivation (finalAttrs: {
     name = "cudainfo-test";
     requiredSystemFeatures = [ "cuda" ];
     dontBuild = true;
+    strictDeps = true;
     nativeCheckInputs = [
       finalAttrs.finalPackage # The cudainfo package from above
       strace # When it fails, it will show the trace

pkgs/extrae/default.nix

@@ -20,7 +20,7 @@
 #, python3Packages
 , installShellFiles
 , symlinkJoin
-, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
+, enablePapi ? true
 }:
 
 let

pkgs/gpi-2/default.nix

@@ -33,6 +33,7 @@ stdenv.mkDerivation rec {
   };
 
   enableParallelBuilding = true;
+  strictDeps = true;
 
   patches = [ ./rdma-core.patch ./max-mem.patch ];
 

pkgs/intel-oneapi/2023.nix

@@ -128,6 +128,7 @@ let
 
     phases = [ "installPhase" "fixupPhase" ];
     dontStrip = true;
+    strictDeps = true;
     installPhase = ''
       mkdir -p $out/{bin,etc,lib,include}
       mkdir -p $out/share/man
@@ -179,6 +180,7 @@ let
     ];
     phases = [ "installPhase" "fixupPhase" ];
     dontStrip = true;
+    strictDeps = true;
 
     autoPatchelfIgnoreMissingDeps = [ "libhwloc.so.5" ];
 
@@ -222,6 +224,7 @@ let
     ];
     phases = [ "installPhase" "fixupPhase" ];
     dontStrip = true;
+    strictDeps = true;
 
     autoPatchelfIgnoreMissingDeps = [ "libsycl.so.6" ];
 
@@ -289,6 +292,7 @@ let
     phases = [ "installPhase" "fixupPhase" ];
 
     dontStrip = true;
+    strictDeps = true;
 
     installPhase = ''
       mkdir -p $out/{bin,lib,include}
@@ -377,6 +381,7 @@ let
     phases = [ "installPhase" "fixupPhase" ];
 
     dontStrip = true;
+    strictDeps = true;
 
     installPhase = ''
       mkdir -p $out/{bin,lib}

pkgs/llvm-ompss2/clang.nix

@@ -3,6 +3,7 @@
 , lib
 , fetchFromGitHub
 , cmake
+, ninja
 , bash
 , python3
 , perl
@@ -48,6 +49,7 @@ in stdenv.mkDerivation {
   inherit (source) src version;
 
   enableParallelBuilding = true;
+  strictDeps = true;
 
   passthru = {
     CC = "clang";
@@ -62,6 +64,7 @@ in stdenv.mkDerivation {
   nativeBuildInputs = [
     bash
     cmake
+    ninja
     elfutils
     llvmPackages_latest.lld
     pkg-config

pkgs/llvm-ompss2/openmp.nix

@@ -39,7 +39,9 @@ stdenv.mkDerivation rec {
     perl
     pkg-config
     python3
-  ] ++ lib.optionals enableNosv [
+  ];
+
+  buildInputs = lib.optionals enableNosv [
     nosv
   ] ++ lib.optionals enableOvni [
     ovni
@@ -54,6 +56,7 @@ stdenv.mkDerivation rec {
   dontStrip = enableDebug;
 
   separateDebugInfo = true;
+  strictDeps = true;
 
   cmakeFlags = [
     "-DLIBOMP_OMPD_SUPPORT=OFF"
@@ -71,6 +74,28 @@ stdenv.mkDerivation rec {
     rm -f $out/libllvmrt/libomp.*
   '';
 
+  doInstallCheck = true;
+  # There are not cmake flags to force nOS-V, it enables it when found through
+  # pkg-config. If enableNosv is set, but we fail to find it at build time,
+  # the build will succeed but won't use nOS-V (libompv won't be created).
+  # This is a sanity check to ensure that after install we have the proper
+  # files.
+  installCheckPhase =
+    if enableNosv then
+      ''
+        test -f $out/lib/libompv.so
+        test -f $out/libllvmrt/libompv.so
+        test ! -f $out/lib/libomp.so
+        test ! -f $out/libllvmrt/libomp.so
+      ''
+    else
+      ''
+        test -f $out/lib/libomp.so
+        test -f $out/libllvmrt/libomp.so
+        test ! -f $out/lib/libompv.so
+        test ! -f $out/libllvmrt/libompv.so
+      '';
+
   passthru = {
     inherit nosv;
   };

pkgs/lmbench/default.nix

@@ -27,6 +27,7 @@ stdenv.mkDerivation rec {
   hardeningDisable = [ "all" ];
 
   enableParallelBuilding = false;
+  strictDeps = true;
 
   preBuild = ''
     makeFlagsArray+=(

pkgs/meteocat-exporter/default.nix

@@ -9,6 +9,7 @@ python3Packages.buildPythonApplication {
   src = ./.;
 
   doCheck = false;
+  strictDeps = true;
 
   build-system = with python3Packages; [
     setuptools

pkgs/mpich/default.nix

@@ -53,6 +53,7 @@ in mpich.overrideAttrs (old: {
   '';
 
   hardeningDisable = [ "all" ];
+  strictDeps = true;
 
   meta = old.meta // {
     maintainers = old.meta.maintainers ++ (with lib.maintainers.bsc; [ rarias ]);

pkgs/nanos6/default.nix

@@ -16,7 +16,7 @@
 , jemallocNanos6 ? null
 , cachelineBytes ? 64
 , enableGlibcxxDebug ? false
-, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
+, enablePapi ? true
 , useGit ? false
 , gitUrl ? "ssh://git@bscpm04.bsc.es/nanos6/nanos6"
 , gitBranch ? "master"
@@ -80,7 +80,8 @@ in
       (optional enableGlibcxxDebug "CXXFLAGS=-D_GLIBCXX_DEBUG") ++
       # Most nanos6 api symbols are resolved at runtime, so prefer
       # ifunc by default
-      (optional isCross "--with-symbol-resolution=ifunc");
+      (optional isCross "--with-symbol-resolution=ifunc") ++
+      (optional enablePapi "--with-papi=${papi}");
 
     postConfigure = lib.optionalString (!enableDebug) ''
       # Disable debug
@@ -95,16 +96,14 @@ in
     dontStrip = enableDebug;
     separateDebugInfo = true;
 
+    strictDeps = true;
+
     nativeBuildInputs = [
       autoconf
       automake
       libtool
       pkg-config
-
+    ];
-      # TODO: papi_version is needed for configure:
-      # ./configure: line 27378: papi_version: command not found
-      # This probably breaks cross-compilation
-    ] ++ lib.optionals enablePapi [ papi ];
 
     buildInputs = [
       boost

pkgs/nanos6/jemalloc.nix

@@ -5,6 +5,7 @@ jemalloc.overrideAttrs (old: {
     "--with-jemalloc-prefix=nanos6_je_"
     "--enable-stats"
   ];
+  enableParallelBuilding = true;
   hardeningDisable = [ "all" ];
   meta = old.meta // {
     description = old.meta.description + " (for Nanos6)";

pkgs/nix-portable/default.nix

@@ -0,0 +1,650 @@
+with builtins;
+{
+  nix,
+  unzip,
+  zip,
+  unixtools,
+  stdenv,
+  buildPackages,
+  upx,
+
+  bootstrapPrograms ? [
+    "gitMinimal"
+    "netcat-openbsd"
+    "openssh"
+    "bashInteractive"
+  ],
+
+  cacert ? pkgs.cacert,
+  compression ? "zstd -19 -T0",
+  lib ? pkgs.lib,
+  pkgs ? import <nixpkgs> {},
+  # hardcode executable to run. Useful when creating a bundle.
+  bundledPackage ? null,
+
+  nixStatic,
+  busyboxStatic ? pkgs.pkgsStatic.busybox,
+  bwrapStatic ? pkgs.pkgsStatic.bubblewrap,
+  zstdStatic ? pkgs.pkgsStatic.zstd,
+
+  perlBuildBuild ? pkgs.pkgsBuildBuild.perl,
+}@inp:
+with lib;
+let
+
+  perl = perlBuildBuild;
+
+  pname =
+    if bundledPackage == null
+    then "nix-portable"
+    else lib.getName bundledPackage;
+
+  bundledExe = lib.getExe bundledPackage;
+
+  nixpkgsSrc = pkgs.path;
+
+  maketar = targets:
+    let
+      closureInfo = buildPackages.closureInfo { rootPaths = targets; };
+    in
+    stdenv.mkDerivation {
+      name = "nix-portable-store-tarball";
+      nativeBuildInputs = [ perl zstd ];
+      exportReferencesGraph = map (x: [("closure-" + baseNameOf x) x]) targets;
+      buildCommand = ''
+        storePaths=$(cat ${closureInfo}/store-paths)
+        mkdir $out
+        echo $storePaths > $out/index
+        cp -r ${closureInfo} $out/closureInfo
+
+        tar -cf - \
+          --owner=0 --group=0 --mode=u+rw,uga+r \
+          --hard-dereference \
+          $storePaths | ${compression} > $out/tar
+      '';
+    };
+
+  packStaticBin = binPath: let
+      binName = (last (splitString "/" binPath)); in
+    pkgs.runCommand
+    binName
+    { nativeBuildInputs = [ upx ]; }
+    ''
+      mkdir -p $out/bin
+      theBinPath=${binPath}
+
+      if [[ -L "$theBinPath" ]]; then
+        theBinPath=$(readlink -f "$theBinPath")
+      fi
+
+      upx -9 -o $out/bin/${binName} $theBinPath
+    '';
+
+  installBin = pkg: bin: ''
+    unzip -qqoj "\$self" ${ lib.removePrefix "/" "${pkg}/bin/${bin}"} -d \$dir/bin
+    chmod +wx \$dir/bin/${bin};
+  '';
+
+  installDynamic = pkgname: let
+    out = pkgs.${pkgname}.out;
+  in ''
+    if [ ! -e \$store${lib.removePrefix "/nix/store" pkgs.${pkgname}.out} ] ; then
+      debug "Installing ${pkgname}"
+      \$run \$store${lib.removePrefix "/nix/store" nix}/bin/nix build --impure --no-link --expr "
+        (import ${nixpkgsSrc} {}).${pkgname}.out
+      "
+    else
+      debug "${pkgname} already installed"
+    fi
+
+    export PATH="${out}/bin:\$PATH"
+  '';
+
+  caBundleZstd = pkgs.runCommand "cacerts" {} "cat ${cacert}/etc/ssl/certs/ca-bundle.crt | ${zstd}/bin/zstd -19 > $out";
+
+  bwrap = packStaticBin "${bwrapStatic}/bin/bwrap";
+  nixStatic = packStaticBin "${inp.nixStatic}/bin/nix";
+  zstd = packStaticBin "${zstdStatic}/bin/zstd";
+
+  # the default nix store contents to extract when first used
+  storeTar = maketar ([ cacert nix nixpkgsSrc ] ++ lib.optional (bundledPackage != null) bundledPackage);
+
+
+  # The runtime script which unpacks the necessary files to $HOME/.nix-portable
+  # and then executes nix via bwrap
+  # Some shell expressions will be evaluated at build time and some at run time.
+  # Variables/expressions escaped via `\$` will be evaluated at run time
+  runtimeScript = ''
+    #!/usr/bin/env bash
+
+    set -eo pipefail
+
+    start=\$(date +%s%N)  # start time in nanoseconds
+
+    # dump environment on exit if debug is enabled
+    if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 1 ]; then
+      trap "declare -p > \''${TMPDIR:-/tmp}/np_env" EXIT
+    fi
+
+    set -e
+    if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 2 ]; then
+      set -x
+    fi
+
+    # &3 is our error out which we either forward to &2 or to /dev/null
+    # depending on the setting
+    if [ -n "\$NP_DEBUG" ] && [ "\$NP_DEBUG" -ge 1 ]; then
+      debug(){
+        echo \$@ || true
+      }
+      exec 3>&2
+    else
+      debug(){
+        true
+      }
+      exec 3>/dev/null
+    fi
+
+    # to reference this script's file
+    self="\$(realpath \''${BASH_SOURCE[0]})"
+
+    # fingerprint will be inserted by builder
+    fingerprint="_FINGERPRINT_PLACEHOLDER_"
+
+    # user specified location for program files and nix store
+    [ -z "\$NP_LOCATION" ] && NP_LOCATION="\$HOME"
+    NP_LOCATION="\$(readlink -f "\$NP_LOCATION")"
+    dir="\$NP_LOCATION/.nix-portable"
+
+    # Create NP_LOCATION and remove sgid bit
+    mkdir -p \$dir
+    if [ ! -z "\$BSC_MACHINE" ]; then
+      # Attempt to avoid issues with sgid folders
+      chmod g-s \$dir
+      chgrp bsc \$dir
+    fi
+
+    store="\$dir/nix/store"
+    # create /nix/var/nix to prevent nix from falling back to chroot store.
+    mkdir -p \$dir/{bin,nix/var/nix,nix/store}
+
+    # create minimal drv file for nix to spawn a nix shell
+    echo 'builtins.derivation {name="foo"; builder="/bin/sh"; args = ["-c" "echo hello \> \\\$out"]; system=builtins.currentSystem;}' > "\$dir/mini-drv.nix"
+
+    # the fingerprint being present inside a file indicates that
+    # this version of nix-portable has already been initialized
+    if test -e \$dir/conf/fingerprint && [ "\$(cat \$dir/conf/fingerprint)" == "\$fingerprint" ]; then
+      newNPVersion=false
+    else
+      newNPVersion=true
+    fi
+
+    # Nix portable ships its own nix.conf
+    export NIX_CONF_DIR=\$dir/conf/
+
+    NP_CONF_SANDBOX=\''${NP_CONF_SANDBOX:-false}
+    NP_CONF_STORE=\''${NP_CONF_STORE:-auto}
+
+
+    recreate_nix_conf(){
+      mkdir -p "\$NIX_CONF_DIR"
+      rm -f "\$NIX_CONF_DIR/nix.conf"
+
+      # static config
+      echo "build-users-group = " >> \$dir/conf/nix.conf
+      echo "experimental-features = nix-command flakes" >> \$dir/conf/nix.conf
+      echo "ignored-acls = security.selinux system.nfs4_acl" >> \$dir/conf/nix.conf
+      echo "sandbox-paths = /bin/sh=\$dir/busybox/bin/busybox" >> \$dir/conf/nix.conf
+      echo "extra-substituters = https://jungle.bsc.es/cache">> \$dir/conf/nix.conf
+      echo "extra-trusted-public-keys = jungle.bsc.es:pEc7MlAT0HEwLQYPtpkPLwRsGf80ZI26aj29zMw/HH0=" >> \$dir/conf/nix.conf
+
+      echo "extra-system-features = sys-devices" >> \$dir/conf/nix.conf
+      echo "extra-sandbox-paths = /sys/devices/system/cpu=/sys/devices/system/cpu /sys/devices/system/node=/sys/devices/system/node" >> \$dir/conf/nix.conf
+      echo "extra-trusted-users = @bsc" >> \$dir/conf/nix.conf
+
+
+      # configurable config
+      echo "sandbox = \$NP_CONF_SANDBOX" >> \$dir/conf/nix.conf
+      echo "store = \$NP_CONF_STORE" >> \$dir/conf/nix.conf
+    }
+
+
+    ### install files
+
+    PATH_OLD="\$PATH"
+
+    # as soon as busybox is unpacked, restrict PATH to busybox to ensure reproducibility of this script
+    # only unpack binaries if necessary
+    if [ "\$newNPVersion" == "false" ]; then
+
+      debug "binaries already installed"
+      # our busybox does not run on termux, therefore we suffix the PATH only on termux
+      export PATH="\''${TERMUX_VERSION:+\$PATH:}\$dir/busybox/bin"
+
+    else
+
+      debug "installing files"
+
+      mkdir -p \$dir/emptyroot
+
+      # install busybox
+      mkdir -p \$dir/busybox/bin
+      (base64 -d> "\$dir/busybox/bin/busybox" && chmod +x "\$dir/busybox/bin/busybox") << END
+    $(cat ${busyboxStatic}/bin/busybox | base64)
+    END
+      busyBins="${toString (attrNames (filterAttrs (d: type: type == "symlink") (readDir "${busyboxStatic}/bin")))}"
+      for bin in \$busyBins; do
+        [ ! -e "\$dir/busybox/bin/\$bin" ] && ln -s busybox "\$dir/busybox/bin/\$bin"
+      done
+
+      # our busybox does not run on termux, therefore we suffix the PATH only on termux
+      export PATH="\''${TERMUX_VERSION:+\$PATH:}\$dir/busybox/bin"
+
+      # install other binaries
+      ${installBin zstd "zstd"}
+      ${installBin bwrap "bwrap"}
+      ${installBin nixStatic "nix"}
+
+      # install ssl cert bundle
+      unzip -poj "\$self" ${ lib.removePrefix "/" "${caBundleZstd}"} | \$dir/bin/zstd -d > \$dir/ca-bundle.crt
+
+      recreate_nix_conf
+    fi
+
+    # Override $SHELL with nix bashInteractive
+    export SHELL="${pkgs.bashInteractive.out}/bin/bash"
+    export PS1="\n\[\033[1;32m\][\[\e]0;\u@\h: \w\a\]\u@\h:\w]\$\[\033[0m\] "
+
+    # unset bash function aliases
+    unset -f which ml module
+
+    ### setup SSL
+    # find ssl certs or use from nixpkgs
+    debug "figuring out ssl certs"
+    if [ -z "\$SSL_CERT_FILE" ]; then
+      debug "SSL_CERT_FILE not defined. trying to find certs automatically"
+      if [ -e /etc/ssl/certs/ca-bundle.crt ]; then
+        export SSL_CERT_FILE=\$(realpath /etc/ssl/certs/ca-bundle.crt)
+        debug "found /etc/ssl/certs/ca-bundle.crt with real path \$SSL_CERT_FILE"
+      elif [ -e /etc/ssl/certs/ca-certificates.crt ]; then
+        export SSL_CERT_FILE=\$(realpath /etc/ssl/certs/ca-certificates.crt)
+        debug "found /etc/ssl/certs/ca-certificates.crt with real path \$SSL_CERT_FILE"
+      elif [ ! -e /etc/ssl/certs ]; then
+        debug "/etc/ssl/certs does not exist. Will use certs from nixpkgs."
+        export SSL_CERT_FILE=\$dir/ca-bundle.crt
+      else
+        debug "certs seem to reside in /etc/ssl/certs. No need to set up anything"
+      fi
+    fi
+    if [ -n "\$SSL_CERT_FILE" ]; then
+      sslBind="\$(realpath \$SSL_CERT_FILE) \$dir/ca-bundle.crt"
+      export SSL_CERT_FILE="\$dir/ca-bundle.crt"
+    else
+      sslBind="/etc/ssl /etc/ssl"
+    fi
+
+    if [ -n "\$NP_GIT" ]; then
+      echo "WARN: NP_GIT is not supported, using nix version instead"
+    fi
+
+
+
+    storePathOfFile(){
+      file=\$(realpath \$1)
+      sPath="\$(echo \$file | awk -F "/" 'BEGIN{OFS="/";}{print \$2,\$3,\$4}')"
+      echo "/\$sPath"
+    }
+
+
+    collectBinds(){
+      pathsTopLevel="/boot /run /sys \$PWD /gpfs /tmp /scratch"
+
+      toBind=""
+      for p in \$pathsTopLevel; do
+        if [ -e "\$p" ]; then
+          real=\$(realpath \$p)
+          if [ -e "\$real" ]; then
+            if [[ "\$real" == /nix/store/* ]]; then
+              storePath=\$(storePathOfFile \$real)
+              toBind="\$toBind \$storePath \$storePath"
+            else
+              toBind="\$toBind \$real \$p"
+            fi
+          fi
+        fi
+      done
+
+
+      # TODO: add /var/run/dbus/system_bus_socket
+      paths="/etc/host.conf /etc/hosts /etc/hosts.equiv /etc/mtab /etc/netgroup /etc/networks /etc/passwd /etc/group /etc/nsswitch.conf /etc/resolv.conf /etc/localtime \$HOME"
+
+      for p in \$paths; do
+        if [ -e "\$p" ]; then
+          real=\$(realpath \$p)
+          if [ -e "\$real" ]; then
+            if [[ "\$real" == /nix/store/* ]]; then
+              storePath=\$(storePathOfFile \$real)
+              toBind="\$toBind \$storePath \$storePath"
+            else
+              toBind="\$toBind \$real \$real"
+            fi
+          fi
+        fi
+      done
+
+      # provide /bin/sh via the shipped busybox
+      toBind="\$toBind \$dir/busybox/bin/busybox /bin/sh"
+      toBind="\$toBind \$dir/busybox/bin/busybox /usr/bin/env"
+
+      # on termux, make sure termux packages still work inside the nix-portable environment
+      if [ -n "\$TERMUX_VERSION" ]; then
+        # binds required so termux native packages still run inside the nix-portable sandbox
+        # TODO: this doesn't quite work yet. debug and fix
+        toBind="\$toBind /system/lib64/libc.so /system/lib64/libc.so"
+        toBind="\$toBind /system/lib64/ld-android.so /system/lib64/ld-android.so"
+        toBind="\$toBind /system/lib64/libdl.so /system/lib64/libdl.so"
+        toBind="\$toBind /system/bin /system/bin"
+        toBind="\$toBind /system/lib64 /system/lib64"
+        toBind="\$toBind /apex/com.android.runtime/bin /apex/com.android.runtime/bin"
+        toBind="\$toBind /linkerconfig/ld.config.txt /linkerconfig/ld.config.txt"
+        toBind="\$toBind \$dir/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt"
+        toBind="\$toBind \$(realpath \$HOME/../usr/etc/resolv.conf) /etc/resolv.conf"
+      fi
+
+    }
+
+
+    makeBindArgs(){
+      arg=\$1; shift
+      sep=\$1; shift
+      binds=""
+      while :; do
+        if [ -n "\$1" ]; then
+          from="\$1"; shift
+          to="\$1"; shift || { echo "no bind destination provided for \$from!"; exit 3; }
+          binds="\$binds \$arg \$from\$sep\$to";
+        else
+          break
+        fi
+      done
+    }
+
+
+
+    ### select container runtime
+    debug "figuring out which runtime to use"
+    [ -z "\$NP_BWRAP" ] && NP_BWRAP=\$dir/bin/bwrap
+    debug "bwrap executable: \$NP_BWRAP"
+    [ -z "\$NP_NIX" ] && NP_NIX=\$dir/bin/nix
+    debug "nix executable: \$NP_NIX"
+    debug "testing all available runtimes..."
+    if [ -z "\$NP_RUNTIME" ]; then
+      # read last automatic selected runtime from disk
+      if [ "\$newNPVersion" == "true" ]; then
+        debug "removing cached auto selected runtime"
+        rm -f "\$dir/conf/last_auto_runtime"
+      fi
+      if [ -f "\$dir/conf/last_auto_runtime" ]; then
+        last_auto_runtime="\$(cat "\$dir/conf/last_auto_runtime")"
+      else
+        last_auto_runtime=
+      fi
+      debug "last auto selected runtime: \$last_auto_runtime"
+      if [ "\$last_auto_runtime" != "" ]; then
+        NP_RUNTIME="\$last_auto_runtime"
+      # check if nix --store works
+      elif \\
+          debug "testing nix --store" \\
+          && mkdir -p \$dir/tmp/ \\
+          && touch \$dir/tmp/testfile \\
+          && "\$NP_NIX" --store "\$dir/tmp/__store" shell -f "\$dir/mini-drv.nix" -c "\$dir/bin/nix" store add-file --store "\$dir/tmp/__store" "\$dir/tmp/testfile" >/dev/null 2>&3; then
+        chmod -R +w \$dir/tmp/__store
+        rm -r \$dir/tmp/__store
+        debug "nix --store works on this system -> will use nix as runtime"
+        NP_RUNTIME=nix
+      # check if bwrap works properly
+      elif \\
+          debug "nix --store failed -> testing bwrap" \\
+          && \$NP_BWRAP --bind \$dir/emptyroot / --bind \$dir/ /nix --bind \$dir/busybox/bin/busybox "\$dir/true" "\$dir/true" 2>&3 ; then
+        debug "bwrap seems to work on this system -> will use bwrap"
+        NP_RUNTIME=bwrap
+      else
+        debug "bwrap doesn't work on this system -> will use proot"
+        NP_RUNTIME=proot
+      fi
+      echo -n "\$NP_RUNTIME" > "\$dir/conf/last_auto_runtime"
+    else
+      debug "runtime selected via NP_RUNTIME: \$NP_RUNTIME"
+    fi
+    debug "NP_RUNTIME: \$NP_RUNTIME"
+    if [ "\$NP_RUNTIME" == "nix" ]; then
+      run="\$NP_NIX shell -f \$dir/mini-drv.nix -c"
+      export PATH="\$PATH:\$store${lib.removePrefix "/nix/store" nix}/bin"
+      NP_CONF_STORE="\$dir"
+      recreate_nix_conf
+    elif [ "\$NP_RUNTIME" == "bwrap" ]; then
+      collectBinds
+      makeBindArgs --bind " " \$toBind \$sslBind
+      run="\$NP_BWRAP \$BWRAP_ARGS \\
+        --bind \$dir/emptyroot /\\
+        --dev-bind /dev /dev\\
+        --proc /proc\\
+        --bind \$dir/nix /nix\\
+        \$binds"
+        # --bind \$dir/busybox/bin/busybox /bin/sh\\
+    else
+      # proot
+      echo Unsupported runtime: $NP_RUNTIME
+      exit 1
+    fi
+    debug "base command will be: \$run"
+
+
+
+    ### setup environment
+    export NIX_PATH="\$dir/channels:nixpkgs=\$dir/channels/nixpkgs"
+    mkdir -p \$dir/channels
+    [ -h \$dir/channels/nixpkgs ] || ln -s ${nixpkgsSrc} \$dir/channels/nixpkgs
+
+
+    ### install nix store
+    # Install all the nix store paths necessary for the current nix-portable version
+    # We only unpack missing store paths from the tar archive.
+    index="$(cat ${storeTar}/index)"
+
+    export missing=\$(
+      for path in \$index; do
+        basepath=\$(basename \$path)
+        if [ ! -e \$store/\$basepath ]; then
+          echo "nix/store/\$basepath"
+        fi
+      done
+    )
+
+    if [ -n "\$missing" ]; then
+      debug "extracting missing store paths"
+      (
+        mkdir -p \$dir/tmp \$store/
+        rm -rf \$dir/tmp/*
+        cd \$dir/tmp
+        unzip -qqp "\$self" ${ lib.removePrefix "/" "${storeTar}/tar"} \
+          | \$dir/bin/zstd -d \
+          | tar -x \$missing --strip-components 2
+        mv \$dir/tmp/* \$store/
+      )
+      rm -rf \$dir/tmp
+    fi
+
+    if [ -n "\$missing" ]; then
+      debug "registering new store paths to DB"
+      reg="$(cat ${storeTar}/closureInfo/registration)"
+      cmd="\$run \$store${lib.removePrefix "/nix/store" nix}/bin/nix-store --load-db"
+      debug "running command: \$cmd"
+      echo "\$reg" | \$cmd
+    fi
+
+
+    ### select executable
+    # the executable can either be selected by
+    # - executing './nix-portable BIN_NAME',
+    # - symlinking to nix-portable, in which case the name of the symlink selects the nix executable
+    # Alternatively the executable can be hardcoded by specifying the argument 'executable' of nix-portable's default.nix file.
+    executable="${if bundledPackage == null then "" else bundledExe}"
+    if [ "\$executable" != "" ]; then
+      bin="\$executable"
+      debug "executable is hardcoded to: \$bin"
+
+    elif [[ "\$(basename \$0)" == nix-portable* ]]; then\
+      if [ -z "\$1" ]; then
+        echo "Error: please specify the nix binary to execute"
+        echo "Alternatively symlink against \$0"
+        exit 1
+      elif [ "\$1" == "debug" ]; then
+        bin="\$(which \$2)"
+        shift; shift
+      else
+        bin="\$store${lib.removePrefix "/nix/store" nix}/bin/\$1"
+        shift
+      fi
+    # for binary selection via symlink
+    else
+      bin="\$store${lib.removePrefix "/nix/store" nix}/bin/\$(basename \$0)"
+    fi
+
+
+
+    ### check which runtime has been used previously
+    if [ -f "\$dir/conf/last_runtime" ]; then
+      lastRuntime=\$(cat "\$dir/conf/last_runtime")
+    else
+      lastRuntime=
+    fi
+
+
+
+    ### check if nix is functional with or without sandbox
+    # sandbox-fallback is not reliable: https://github.com/NixOS/nix/issues/4719
+    if [ "\$newNPVersion" == "true" ] || [ "\$lastRuntime" != "\$NP_RUNTIME" ]; then
+      nixBin="\$(dirname \$bin)/nix"
+      debug "Testing if nix can build stuff without sandbox"
+      if ! \$run "\$nixBin" build --no-link -f "\$dir/mini-drv.nix" --option sandbox false >&3 2>&3; then
+        echo "Fatal error: nix is unable to build packages"
+        exit 1
+      fi
+
+      debug "Testing if nix sandbox is functional"
+      if ! \$run "\$nixBin" build --no-link -f "\$dir/mini-drv.nix" --option sandbox true >&3 2>&3; then
+        debug "Sandbox doesn't work -> disabling sandbox"
+        NP_CONF_SANDBOX=false
+        recreate_nix_conf
+      else
+        debug "Sandboxed builds work -> enabling sandbox"
+        NP_CONF_SANDBOX=true
+        recreate_nix_conf
+      fi
+
+    fi
+
+
+    ### save fingerprint and lastRuntime
+    if [ "\$newNPVersion" == "true" ]; then
+      echo -n "\$fingerprint" > "\$dir/conf/fingerprint"
+    fi
+    if [ "\$lastRuntime" != \$NP_RUNTIME ]; then
+      echo -n \$NP_RUNTIME > "\$dir/conf/last_runtime"
+    fi
+
+
+
+    ### set PATH
+    export PATH="\$dir/busybox/bin"
+    export PATH="\$PATH:\$store${lib.removePrefix "/nix/store" nix}/bin"
+
+    ### install programs via nix
+    ${concatMapStringsSep "\n" installDynamic bootstrapPrograms}
+
+    ### print elapsed time
+    end=\$(date +%s%N)  # end time in nanoseconds
+    # time elapsed in millis with two decimal places
+
+    # print stats about initialization time of nix-portable
+    # skipt for termux, as it doesn't have bc installed
+    if [ -z "\$TERMUX_VERSION" ]; then
+      elapsed=\$(echo "scale=2; (\$end - \$start)/1000000" | bc)
+      debug "Time to initialize nix-portable: \$elapsed millis"
+    fi
+
+
+    ### run commands
+    [ -z "\$NP_RUN" ] && NP_RUN="\$run"
+    if [ "\$NP_RUNTIME" == "proot" ]; then
+      debug "running command: \$NP_RUN \$bin \$@"
+      exec \$NP_RUN \$bin "\$@"
+    else
+      cmd="\$NP_RUN \$bin \$@"
+      debug "running command: \$cmd"
+      exec \$NP_RUN \$bin "\$@"
+    fi
+    exit
+  '';
+
+  runtimeScriptEscaped = replaceStrings ["\""] ["\\\""] runtimeScript;
+
+  nixPortable = pkgs.runCommand pname {
+    nativeBuildInputs = [unixtools.xxd unzip];
+
+    meta = {
+      homepage = "https://github.com/DavHau/nix-portable";
+      description = "Nix - Static, Permissionless, Installation-free, Pre-configured for mn5";
+      maintainers = with lib.maintainers.bsc; [ abonerib ];
+      platforms = lib.platforms.linux;
+      license = lib.licenses.mit;
+    };
+  } ''
+    mkdir -p $out/bin
+    echo "${runtimeScriptEscaped}" > $out/bin/nix-portable.zip
+    xxd $out/bin/nix-portable.zip | tail
+
+    sizeA=$(printf "%08x" `stat -c "%s" $out/bin/nix-portable.zip` | tac -rs ..)
+    echo 504b 0304 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
+    echo 0000 0000 0000 0000 0000 0200 0000 4242 | xxd -r -p >> $out/bin/nix-portable.zip
+
+    sizeB=$(printf "%08x" `stat -c "%s" $out/bin/nix-portable.zip` | tac -rs ..)
+    echo 504b 0102 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
+    echo 0000 0000 0000 0000 0000 0000 0200 0000 | xxd -r -p >> $out/bin/nix-portable.zip
+    echo 0000 0000 0000 0000 0000 $sizeA 4242 | xxd -r -p >> $out/bin/nix-portable.zip
+
+    echo 504b 0506 0000 0000 0000 0100 3000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
+    echo $sizeB 0000 0000 0000 0000 0000 0000 | xxd -r -p >> $out/bin/nix-portable.zip
+
+    unzip -vl $out/bin/nix-portable.zip
+
+    zip="${zip}/bin/zip -0"
+    $zip $out/bin/nix-portable.zip ${bwrap}/bin/bwrap
+    $zip $out/bin/nix-portable.zip ${nixStatic}/bin/nix
+    $zip $out/bin/nix-portable.zip ${zstd}/bin/zstd
+    $zip $out/bin/nix-portable.zip ${storeTar}/tar
+    $zip $out/bin/nix-portable.zip ${caBundleZstd}
+
+    # create fingerprint
+    fp=$(sha256sum $out/bin/nix-portable.zip | cut -d " "  -f 1)
+    sed -i "s/_FINGERPRINT_PLACEHOLDER_/$fp/g" $out/bin/nix-portable.zip
+    # fix broken zip header due to manual modification
+    ${zip}/bin/zip -F $out/bin/nix-portable.zip --out $out/bin/nix-portable-fixed.zip
+
+    rm $out/bin/nix-portable.zip
+    executable=${if bundledPackage == null then "" else bundledExe}
+    if [ "$executable" == "" ]; then
+      target="$out/bin/nix-portable"
+    else
+      target="$out/bin/$(basename "$executable")"
+    fi
+    mv $out/bin/nix-portable-fixed.zip "$target"
+    chmod +x "$target"
+  '';
+in
+nixPortable.overrideAttrs (prev: {
+  passthru = (prev.passthru or {}) // {
+    inherit bwrap;
+  };
+})

pkgs/nix-wrap/default.nix

@@ -14,7 +14,7 @@ let
   nixConfDir = "share";
   nix_wrap_sh = writeText "nix-wrap.sh" ''
     #!/usr/bin/env bash
-    #
+
     busybox_bin="${nixPrefix}${busybox}/bin"
     bubblewrap_bin="${nixPrefix}/${bubblewrap}/bin"
 
@@ -69,7 +69,6 @@ stdenv.mkDerivation rec {
   name = "nix-wrap";
   buildInputs = [
     bashInteractive
-    busybox
     nix
   ];
   src = null;
@@ -92,7 +91,6 @@ stdenv.mkDerivation rec {
     homepage = null;
     description = "nix bubblewrap wrapper";
     maintainers = [ ];
-    broken = true;
     platforms = lib.platforms.linux;
     license = lib.licenses.mit;
   };

pkgs/nixgen/default.nix

@@ -8,6 +8,7 @@ stdenv.mkDerivation {
   version = "0.0.1";
   src = ./nixgen;
   dontUnpack = true;
+  strictDeps = true;
   phases = [ "installPhase" ];
   installPhase = ''
     mkdir -p $out/bin

pkgs/nixtools/default.nix

@@ -16,6 +16,7 @@ stdenv.mkDerivation rec {
   makeFlags = [ "DESTDIR=$(out)" ];
   preBuild = "env";
   dontPatchShebangs = true;
+  strictDeps = true;
 
   meta = {
     homepage = "https://gitlab.pm.bsc.es/rarias/nixtools";

pkgs/nodes/default.nix

@@ -48,6 +48,7 @@ in
     enableParallelBuilding = true;
     dontStrip = true;
     separateDebugInfo = true;
+    strictDeps = true;
 
     configureFlags = [
       "--with-nosv=${nosv}"

pkgs/nosv/default.nix

@@ -7,7 +7,7 @@
 , numactl
 , hwloc
 , papi
-, enablePapi ? stdenv.hostPlatform == stdenv.buildPlatform # Disabled when cross-compiling
+, enablePapi ? true
 , cacheline ? 64 # bits
 , ovni ? null
 , useGit ? false
@@ -40,16 +40,17 @@ let
 
   source = if (useGit) then git else release;
 in
-  stdenv.mkDerivation rec {
+  stdenv.mkDerivation {
     pname = "nosv";
     inherit (source) src version;
     hardeningDisable = [ "all" ];
     dontStrip = true;
     separateDebugInfo = true;
+    strictDeps = true;
     configureFlags = [
       "--with-ovni=${ovni}"
       "CACHELINE_WIDTH=${toString cacheline}"
-    ];
+    ] ++ lib.optionals enablePapi [ "--with-papi=${papi}" ];
     nativeBuildInputs = [
       autoreconfHook
       pkg-config
@@ -59,6 +60,7 @@ in
       hwloc
       ovni
     ] ++ lib.optionals enablePapi [ papi ];
+    patches = [ ./fix-papi.patch ];
 
     meta = {
       homepage = "https://gitlab.bsc.es/nos-v/nos-v";
@@ -66,5 +68,6 @@ in
       maintainers = with lib.maintainers.bsc; [ abonerib rarias ];
       platforms = lib.platforms.linux;
       license = lib.licenses.gpl3Plus;
+      cross = true;
     };
   }

pkgs/nosv/fix-papi.patch

@@ -0,0 +1,136 @@
+Commit ID: c09633f172ce4075e0a05a33f6dcbe8e03e1202a
+Change ID: onmwypnnrysktutwsvotqovzponvwrxs
+Bookmarks: fix/papi fix/papi@git fix/papi@origin
+Author   : Aleix Boné <aleix.boneribo@bsc.es> (2025-12-10 11:14:14)
+Committer: Aleix Boné <aleix.boneribo@bsc.es> (2025-12-12 12:56:48)
+
+    Improve PAPI m4 module for cross compilation
+
+diff --git a/m4/papi.m4 b/m4/papi.m4
+index de90584870..8398f856f5 100644
+--- a/m4/papi.m4
++++ b/m4/papi.m4
+@@ -1,6 +1,6 @@
+ #	This file is part of Nanos6 and is licensed under the terms contained in the COPYING file.
+ #
+-#	Copyright (C) 2021-2022 Barcelona Supercomputing Center (BSC)
++#	Copyright (C) 2021-2025 Barcelona Supercomputing Center (BSC)
+ 
+ AC_DEFUN([AC_CHECK_PAPI],
+ 	[
+@@ -8,34 +8,38 @@
+ 			[papi],
+ 			[AS_HELP_STRING([--with-papi=prefix], [specify the installation prefix of PAPI])],
+ 			[ ac_cv_use_papi_prefix=$withval ],
+-			[ ac_cv_use_papi_prefix="" ]
++			[ ac_cv_use_papi_prefix="check" ]
+ 		)
+ 
+ 		if test x"${ac_cv_use_papi_prefix}" = x"no"; then
+ 			AC_MSG_CHECKING([the PAPI installation prefix])
+ 			AC_MSG_RESULT([${ac_cv_use_papi_prefix}])
+ 			ac_use_papi=no
+-		elif test x"${ac_cv_use_papi_prefix}" != x"" ; then
+-			AC_MSG_CHECKING([the PAPI installation prefix])
+-			AC_MSG_RESULT([${ac_cv_use_papi_prefix}])
+-			papi_LIBS="-L${ac_cv_use_papi_prefix}/lib -lpapi -Wl,-rpath,${ac_cv_use_papi_prefix}/lib"
+-			papi_CFLAGS="-I$ac_cv_use_papi_prefix/include"
+-			ac_use_papi=yes
+-		else
++		elif test x"${ac_cv_use_papi_prefix}" = x""; then
++			AC_MSG_RESULT([invalid prefix])
++			AC_MSG_ERROR([papi prefix specified but empty])
++		elif test x"${ac_cv_use_papi_prefix}" = x"yes" -o x"${ac_cv_use_papi_prefix}" = x"check"; then
+ 			PKG_CHECK_MODULES(
+ 				[papi],
+-				[papi],
++				[papi >= 5.6.0],
+ 				[
+ 					AC_MSG_CHECKING([the PAPI installation prefix])
+ 					AC_MSG_RESULT([retrieved from pkg-config])
+ 					papi_CFLAGS="${papi_CFLAGS}"
+ 					ac_use_papi=yes
++					ac_papi_version_correct=yes
+ 				], [
+ 					AC_MSG_CHECKING([the PAPI installation prefix])
+ 					AC_MSG_RESULT([not available])
+ 					ac_use_papi=no
+ 				]
+ 			)
++		else
++			AC_MSG_CHECKING([the PAPI installation prefix])
++			AC_MSG_RESULT([${ac_cv_use_papi_prefix}])
++			papi_LIBS="-L${ac_cv_use_papi_prefix}/lib -lpapi -Wl,-rpath,${ac_cv_use_papi_prefix}/lib"
++			papi_CFLAGS="-I$ac_cv_use_papi_prefix/include"
++			ac_use_papi=yes
+ 		fi
+ 
+ 		if test x"${ac_use_papi}" = x"yes" ; then
+@@ -53,10 +57,10 @@
+ 					ac_use_papi=yes
+ 				],
+ 				[
+-					if test x"${ac_cv_use_papi_prefix}" != x"" ; then
+-						AC_MSG_ERROR([PAPI cannot be found.])
++					if test x"${ac_cv_use_papi_prefix}" = x"yes" ; then
++						AC_MSG_ERROR([PAPI >= 5.6.0 cannot be found.])
+ 					else
+-						AC_MSG_WARN([PAPI cannot be found.])
++						AC_MSG_WARN([PAPI >= 5.6.0 not available.])
+ 					fi
+ 					ac_use_papi=no
+ 				]
+@@ -64,30 +68,38 @@
+ 
+ 			CFLAGS="${ac_save_CFLAGS}"
+ 			LIBS="${ac_save_LIBS}"
++		elif test x"${ac_cv_use_papi_prefix}" = x"yes" ; then
++			AC_MSG_ERROR([PAPI >= 5.6.0 cannot be found.])
+ 		fi
+ 
+-		if test x"${ac_use_papi}" = x"yes" ; then
+-			if test x"${ac_cv_use_papi_prefix}" != x"" ; then
++		if test x"${ac_use_papi}" = x"yes" -a x"${ac_papi_version_correct}" != x"yes" ; then
++			if test x"${ac_cv_use_papi_prefix}" != x"yes" -a x"${ac_cv_use_papi_prefix}" != x"check" ; then
+ 				papiBinary=${ac_cv_use_papi_prefix}/bin/papi_version
+ 			else
+ 				papiBinary=papi_version
+ 			fi
+-			papiVersion=`$papiBinary | sed 's/[[^0-9.]]*\([[0-9.]]*\).*/\1/'`
+ 
+-			AX_COMPARE_VERSION(
+-				[[${papiVersion}]],
+-				[[ge]],
+-				[[5.6.0]],
+-				[[ac_papi_version_correct=yes]],
+-				[[ac_papi_version_correct=no]]
+-			)
+ 
+-			if test x"${ac_papi_version_correct}" != x"yes" ; then
+-				AC_MSG_ERROR([PAPI version must be >= 5.6.0.])
+-				ac_use_papi=no
++			if test x"$cross_compiling" = x"yes" ; then
++				AC_MSG_WARN([Cross-compiling detected, skipping PAPI version check])
+ 			else
+-				AC_MSG_CHECKING([if the PAPI version >= 5.6.0.])
+-				AC_MSG_RESULT([${ac_papi_version_correct}])
++				papiVersion=`$papiBinary | sed 's/[[^0-9.]]*\([[0-9.]]*\).*/\1/'`
++
++				AX_COMPARE_VERSION(
++					[[${papiVersion}]],
++					[[ge]],
++					[[5.6.0]],
++					[[ac_papi_version_correct=yes]],
++					[[ac_papi_version_correct=no]]
++				)
++
++				if test x"${ac_papi_version_correct}" != x"yes" ; then
++					AC_MSG_ERROR([PAPI version must be >= 5.6.0.])
++					ac_use_papi=no
++				else
++					AC_MSG_CHECKING([if the PAPI version >= 5.6.0.])
++					AC_MSG_RESULT([${ac_papi_version_correct}])
++				fi
+ 			fi
+ 		fi
+ 

pkgs/osu/default.nix

@@ -24,6 +24,7 @@ stdenv.mkDerivation rec {
 
   doCheck = true;
   enableParallelBuilding = true;
+  strictDeps = true;
   nativeBuildInputs = [ mpiAll ];
   buildInputs = [ mpiAll ];
   hardeningDisable = [ "all" ];

pkgs/ovni/default.nix

@@ -40,6 +40,7 @@ in
     inherit (source) src version;
     dontStrip = true;
     separateDebugInfo = true;
+    strictDeps = true;
     postPatch = ''
       patchShebangs --build test/
     '';

pkgs/papi/default.nix

@@ -0,0 +1,31 @@
+{
+  stdenv,
+  papi,
+}:
+
+if stdenv.hostPlatform == stdenv.buildPlatform then
+  papi
+else
+  papi.overrideAttrs (old: {
+    configureFlags = (old.configureFlags or [ ]) ++ [
+      # Only perf-events works when cross compiling, since for the rest, papi's
+      # configure.in uses `test -f` which is not allowed when cross-compiling.
+      # FIXME: patch configure.in to skip the faulty checks when cross-compiling
+      "--disable-perf-event-uncore"
+      "--with-sysdetect=no"
+
+      # Flags below are adapted from "cross compile sample" in papi's
+      # src/configure.in. (--host is already set by nix). Verified to
+      # cross-compile in both riscv64 and aarch64-multiplatform targets.
+      "--with-ffsll"
+      "--with-tls=__thread"
+      "--with-virtualtimer=clock_thread_cputime_id"
+      "--with-walltimer=clock_realtime"
+      "--with-perf-events"
+      "--with-CPU=${stdenv.hostPlatform.uname.processor}"
+      "--with-arch=${stdenv.hostPlatform.uname.processor}"
+    ];
+    patches = (old.patches or [ ]) ++ [ ./fix-ar-cross.patch ];
+
+    meta = old.meta // { cross = true; };
+  })

pkgs/papi/fix-ar-cross.patch

@@ -0,0 +1,19 @@
+diff --git a/sde_lib/Makefile b/sde_lib/Makefile
+index 8518f92..90a9953 100644
+--- a/sde_lib/Makefile
++++ b/sde_lib/Makefile
+@@ -1,4 +1,5 @@
+ CC ?= gcc
++AR ?= ar
+ SDE_INC = -I. -I..
+ SDE_LD = -ldl -pthread
+ CFLAGS += -Wextra -Wall -O2
+@@ -18,7 +19,7 @@ dynamic: $(DOBJS)
+ 	rm -f *_d.o
+ 
+ static: $(SOBJS)
+-	ar rs libsde.a $(SOBJS)
++	$(AR) rs libsde.a $(SOBJS)
+ 	rm -f *_s.o
+ 
+ clean:

pkgs/paraver/default.nix

@@ -47,6 +47,7 @@ stdenv.mkDerivation rec {
 
   dontStrip = true;
   enableParallelBuilding = true;
+  strictDeps = true;
 
   preConfigure = ''
     export CFLAGS="-O3"

pkgs/paraver/kernel.nix

@@ -34,6 +34,7 @@ stdenv.mkDerivation rec {
   enableParallelBuilding = true;
 
   dontStrip = true;
+  strictDeps = true;
 
   preConfigure = ''
     export CFLAGS="-O3 -DPARALLEL_ENABLED"

pkgs/slurm-exporter/default.nix

@@ -13,6 +13,7 @@ buildGoModule rec {
 
   vendorHash = "sha256-A1dd9T9SIEHDCiVT2UwV6T02BSLh9ej6LC/2l54hgwI=";
   doCheck = false;
+  strictDeps = true;
 
   meta = with lib; {
     description = "Prometheus SLURM Exporter";

pkgs/sonar/default.nix

@@ -18,6 +18,7 @@ stdenv.mkDerivation rec {
   };
   hardeningDisable = [ "all" ];
   dontStrip = true;
+  strictDeps = true;
   configureFlags = [ "--with-ovni=${ovni}" ];
 
   nativeBuildInputs = [

pkgs/tagaspi/default.nix

@@ -17,6 +17,7 @@ stdenv.mkDerivation rec {
   pname = "tagaspi";
   enableParallelBuilding = true;
   separateDebugInfo = true;
+  strictDeps = true;
 
   version = "2.0";
   src = fetchFromGitHub {

pkgs/tampi/default.nix

@@ -45,6 +45,7 @@ in stdenv.mkDerivation {
   inherit (source) src version;
   enableParallelBuilding = true;
   separateDebugInfo = true;
+  strictDeps = true;
 
   nativeBuildInputs = [
     autoconf

pkgs/upc-qaire-exporter/default.nix

@@ -9,6 +9,7 @@ python3Packages.buildPythonApplication {
   src = ./.;
 
   doCheck = false;
+  strictDeps = true;
 
   build-system = with python3Packages; [
     setuptools

test/compilers/clang-openmp-ld.nix

@@ -23,9 +23,6 @@ in stdenv.mkDerivation {
   dontUnpack = true;
   dontConfigure = true;
 
-  # nOS-V requires access to /sys/devices to request NUMA information
-  requiredSystemFeatures = [ "sys-devices" ];
-
   buildInputs = [ openmp ];
 
   buildPhase = ''