HaskellStack devshell fails to build on macOS with sandbox

[YorikSar]

HaskellStack devshell depends on many paths which triggers this failure on macOS with sandbox:

trace: warning: Lockfile contents are outdated. Please run "nix run .#regenerate-lockfile" to update them.

shell-env> sandbox-exec: pattern serialization length 67255 exceeds maximum (65535)
error: builder for '/nix/store/4vlmff67wdm337d3ldw3rn2cx4nrqjpn-shell-env.drv' failed with exit code 65;
       last 1 log lines:
       > sandbox-exec: pattern serialization length 67255 exceeds maximum (65535)
       For full logs, run 'nix-store -l /nix/store/4vlmff67wdm337d3ldw3rn2cx4nrqjpn-shell-env.drv'.

Full log from `nix run .\#run-test -- template HaskellStack`

 % nix run .\#run-test -- template HaskellStack                                                                                                                                                                                     ~/workspaces/nixel/nickel-nix
+ pushd_temp
++ mktemp -d
+ WORKDIR=/var/folders/sh/4h8107813mxf50n2rn118p400000gq/T/tmp.H8w7TXbyW3
+ trap clean EXIT
+ pushd /var/folders/sh/4h8107813mxf50n2rn118p400000gq/T/tmp.H8w7TXbyW3
/var/folders/sh/4h8107813mxf50n2rn118p400000gq/T/tmp.H8w7TXbyW3 ~/workspaces/nixel/nickel-nix
+ nix flake new --template path:/Users/tweag/workspaces/nixel/nickel-nix example --accept-flake-config
wrote: /private/var/folders/sh/4h8107813mxf50n2rn118p400000gq/T/tmp.H8w7TXbyW3/example/nickel.lock.ncl
wrote: /private/var/folders/sh/4h8107813mxf50n2rn118p400000gq/T/tmp.H8w7TXbyW3/example/flake.nix
wrote: /private/var/folders/sh/4h8107813mxf50n2rn118p400000gq/T/tmp.H8w7TXbyW3/example/project.ncl


    You have just created an Organist-powered development shell.

      · Enter the environment with nix develop
      · Tweak it by modifying project.ncl

    Hint: To be able to leverage the Nickel language server for instant feedback on your configuration, run nix run .#regenerate-lockfile first.

+ pushd ./example
/var/folders/sh/4h8107813mxf50n2rn118p400000gq/T/tmp.H8w7TXbyW3/example /var/folders/sh/4h8107813mxf50n2rn118p400000gq/T/tmp.H8w7TXbyW3 ~/workspaces/nixel/nickel-nix
+ sed -i 's/shells\.Bash/shells.HaskellStack/' project.ncl
+ prepare_shell
++ nix flake metadata --json --inputs-from path:/Users/tweag/workspaces/nixel/nickel-nix nixpkgs
++ nix eval --impure --raw --expr '(builtins.fromJSON (builtins.readFile "/dev/stdin")).path'
+ NIXPKGS_PATH=/nix/store/35dcag44a0ymww0vy0s4jjgxwpv9g62d-source
+ nix flake update --override-input organist path:/Users/tweag/workspaces/nixel/nickel-nix --override-input nixpkgs path:/nix/store/35dcag44a0ymww0vy0s4jjgxwpv9g62d-source --accept-flake-config
warning: creating lock file '/private/var/folders/sh/4h8107813mxf50n2rn118p400000gq/T/tmp.H8w7TXbyW3/example/flake.lock'
++ cat nickel.lock.ncl
+ STORED_LOCKFILE_CONTENTS='{
  organist = import "../../lib/organist.ncl",
}'
++ nickel export --format raw
+ TEST_SCRIPT='set -euxo pipefail
exec 1>&2
haskell-language-server --version
nickel --version
ormolu --version'
+ echo 'Running with incorrect nickel.lock.ncl'
Running with incorrect nickel.lock.ncl
+ nix develop --accept-flake-config --print-build-logs --command bash
trace: warning: Lockfile contents are outdated. Please run "nix run .#regenerate-lockfile" to update them.

shell-env> sandbox-exec: pattern serialization length 67255 exceeds maximum (65535)
error: builder for '/nix/store/4vlmff67wdm337d3ldw3rn2cx4nrqjpn-shell-env.drv' failed with exit code 65;
       last 1 log lines:
       > sandbox-exec: pattern serialization length 67255 exceeds maximum (65535)
       For full logs, run 'nix-store -l /nix/store/4vlmff67wdm337d3ldw3rn2cx4nrqjpn-shell-env.drv'.
++ clean
++ rm -rf /var/folders/sh/4h8107813mxf50n2rn118p400000gq/T/tmp.H8w7TXbyW3

If I build this path with --keep-failed, the sandbox definition is even bigger:

% ll /private/tmp/nix-build-shell-env.drv-0/.sandbox.sb                                                                                                                                                                                            ~/workspaces/nixel/nickel-nix
-rw-r--r--  1 _nixbld1  nixbld    87K Nov 23 16:00 /private/tmp/nix-build-shell-env.drv-0/.sandbox.sb

Here it is in full: .sandbox.sb

[YorikSar]

I've noticed 449 lines pointing to *-doc paths which we probably could skip. Removing all of them trims the size of the file down to 51K.