The nixpkgs function writeShellScript can be used to embed shell scripts in Nix expressions:

  someBuildHelper = { name, sha256 }:
    stdenv.mkDerivation {
      inherit name;
      # fixed-output derivation: the result must hash to the given sha256
      outputHashMode = "recursive";
      outputHashAlgo = "sha256";
      outputHash = sha256;
      builder = writeShellScript "builder.sh" ''
        echo "hi, my name is ''${0}" # ''$ yields a literal $, so bash sees ${0}
        echo "hi, my hash is ${sha256}" # ${...} is interpolated by Nix
        echo "hello world" >$out # write to the derivation output, not the build directory
      '';
    };

External builder.sh script

Longer bash scripts are usually stored as external script files, and called from Nix:

# default.nix
{
  outputTxtDrv = stdenv.mkDerivation rec {
    name = "output.txt";
    # a custom builder runs directly, without stdenv's setup.sh and genericBuild,
    # so the usual phases do not apply and PATH has to be set by hand
    builder = ./builder.sh;
    nativeBuildInputs = [ coreutils jq ];
    PATH = lib.makeBinPath nativeBuildInputs;
    # only strings can be passed to builder
    someString = "hello";
    someNumber = builtins.toString 42;
    someJson = builtins.toJSON { dst = "world"; };
  };
}
# builder.sh
# the derivation attributes above arrive as environment variables;
# this writes "hello world 42" to $out
echo "$someString $(echo "$someJson" | jq -r '.dst') $someNumber" >$out

runCommand + builder.sh

Instead of stdenv.mkDerivation, we can also use runCommand to call an external bash script:

# default.nix
{
  # runCommand runs the script through stdenv's genericBuild, so PATH already
  # contains nativeBuildInputs and does not need to be set by hand
  outputTxtDrv = runCommand "output.txt" {
    nativeBuildInputs = [ coreutils jq ];
    # only strings can be passed to builder
    someString = "hello";
    someNumber = builtins.toString 42;
    someJson = builtins.toJSON { dst = "world"; };
  } (builtins.readFile ./builder.sh);
}

Packaging

Example:

# nix-build -E 'with import <nixpkgs> { }; callPackage ./default.nix { }'

{ stdenv
, lib
, fetchFromGitHub
, bash
, subversion
, makeWrapper
}:
  stdenv.mkDerivation {
    pname = "github-downloader";
    version = "08049f6";
    src = fetchFromGitHub {
      # https://github.com/Decad/github-downloader
      owner = "Decad";
      repo = "github-downloader";
      rev = "08049f6183e559a9a97b1d144c070a36118cca97";
      sha256 = "073jkky5svrb7hmbx3ycgzpb37hdap7nd9i0id5b5yxlcnf7930r";
    };
    buildInputs = [ bash subversion ];
    nativeBuildInputs = [ makeWrapper ];
    installPhase = ''
      mkdir -p $out/bin
      cp github-downloader.sh $out/bin/github-downloader.sh
      wrapProgram $out/bin/github-downloader.sh \
        --prefix PATH : ${lib.makeBinPath [ bash subversion ]}
    '';
  }

wrapProgram moves the original script to .github-downloader.sh-wrapped and installs a wrapper under the original name that sets PATH before calling it.

Command not found

For example, if the dependency subversion is missing, the script fails with the error svn: command not found.

When a command is missing, nix-locate (from the nix-index package) finds the package that provides it. For example, for the stat command:

$ nix-locate bin/stat | grep 'bin/stat$'
coreutils.out                                         0 s /nix/store/vr96j3cxj75xsczl8pzrgsv1k57hcxyp-coreutils-8.31/bin/stat

Debugging embedded scripts

When a bash script fails, the build log shows only the error message, not where in the script it happened.

To trace each command together with its line number in the Nix file, set PS4 and enable xtrace:

# test-trace.nix
{ runCommand, coreutils }:
  runCommand "output.txt" {
    nativeBuildInputs = [ coreutils ];
  } ''
    # line 5 in nix file = line 1 in bash script -> offset 4
    PS4='+ Line $(expr $LINENO + 4): '
    set -o xtrace # print commands

    echo hello >$out # line 9 in nix file

    set +o xtrace # hide commands
  ''
$ nix-build -E 'with import <nixpkgs> { }; callPackage ./test-trace.nix { }'
this derivation will be built:
  /nix/store/2v5biwny8plpyk2bv6cfr41ppp0a1i4k-output.txt.drv
building '/nix/store/2v5biwny8plpyk2bv6cfr41ppp0a1i4k-output.txt.drv'...
++ Line 9: echo hello
++ Line 11: set +o xtrace
/nix/store/ppidmnpd5m762x9kqj8jd3g7df7dknrz-output.txt
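The same PS4/LINENO offset trick can be tried outside of Nix, which makes it easier to see what the offset does. The following is an added example, not code from the page or from nixpkgs: it runs the body of the runCommand string above under plain bash (with /dev/null standing in for $out) and, going one step beyond the page, adds a second constructed script that uses an ERR trap with the same offset, so that only the failing command is reported with its line number in the .nix file. It assumes bash and mktemp are on PATH; both scripts are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example: map bash line numbers back to lines of the .nix file.
# Assumes bash and mktemp are on PATH; the two scripts below are constructed.

# Same body as the runCommand string in test-trace.nix: line 1 of this
# string is line 5 of the .nix file, hence the offset of 4.
SAMPLE_SCRIPT=$(cat <<'EOF'
# line 5 in nix file = line 1 in bash script -> offset 4
PS4='+ Line $(expr $LINENO + 4): '
set -o xtrace # print commands

echo hello >$out # line 9 in nix file

set +o xtrace # hide commands
EOF
)

# Variant (not on the original page): instead of tracing every command, an
# ERR trap reports just the command that failed, using the same offset.
FAILING_SCRIPT=$(cat <<'EOF'
# line 5 in nix file = line 1 in bash script -> offset 4
trap 'echo "error at nix line $(expr $LINENO + 4)" >&2' ERR
set -e

false # line 9 in nix file: this command fails

echo not reached
EOF
)

# run_script SCRIPT: write SCRIPT to a temporary file and run it with bash.
# /dev/null stands in for the $out that Nix would provide. Bash writes both
# xtrace output and the trap's message to stderr; that stream is returned on
# stdout, the script's own stdout is discarded, and a failing script does not
# fail the caller (the failure is the point of the second sample).
run_script() {
  tmp=$(mktemp)
  printf '%s\n' "$1" >"$tmp"
  out=/dev/null bash "$tmp" 2>&1 >/dev/null || true
  rm -f "$tmp"
}

# Expected: "+ Line 9: echo hello" and "+ Line 11: set +o xtrace"
run_script "$SAMPLE_SCRIPT"
# Expected: "error at nix line 9"
run_script "$FAILING_SCRIPT"
```

Note that bash's xtrace prints only the words of each command, not its redirections, which is why the traced line reads `echo hello` without the `>$out`.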

Posix Shell

Some environments (like OpenWrt, via BusyBox) offer only a "limited" POSIX shell (sh instead of bash).

On NixOS, POSIX shells are provided by the packages dash and posh.
