This goal of this project lets you include local sources in your Nix projects, while taking gitignore files into account.

nix-env -iA niv -f https://github.com/nmattia/niv/tarball/master
niv init
niv add hercules-ci/gitignore.nix

Although Flakes usually process sources within the flake using the git fetcher, which takes care of ignoring in its own peculiar way, you can use gitignore.nix to filter sources outside of a flake. You can load flake-based expressions via builtins.getFlake (toString ./.) for example or via flake-compat.

# // flake.nix
{
  inputs.gitignore = {
    url = "github:hercules-ci/gitignore.nix";
    # Use the same nixpkgs
    inputs.nixpkgs.follows = "nixpkgs";
  };
  outputs = { self, /* other, inputs, */ gitignore }:
  let
    inherit (gitignore.lib) gitignoreSource;
  in {
    packages.x86_64.hello = mkDerivation {
      name = "hello";
      src = gitignoreSource ./vendored/hello;
    };
  };
}

let
  gitignoreSrc = pkgs.fetchFromGitHub { 
    owner = "hercules-ci";
    repo = "gitignore.nix";
    # put the latest commit sha of gitignore Nix library here:
    rev = "";
    # use what nix suggests in the mismatch message here:
    sha256 = "sha256:0000000000000000000000000000000000000000000000000000";
  };
  inherit (import gitignoreSrc { inherit (pkgs) lib; }) gitignoreSource;
in
  <your nix expression>

Or using only nixpkgs/lib and only evaluation-time fetching:

import (builtins.fetchTarball "https://github.com/hercules-ci/gitignore.nix/archive/000000000000000000000000000000000000000000000000000".tar.gz") {
  lib = import (builtins.fetchTarball "https://github.com/NixOS/nixpkgs/archive/000000000000000000000000000000000000000000000000000".tar.gz" + "/lib");
}

mkDerivation {
  name = "hello";
  src = gitignoreSource ./vendored/hello;
}

gitignoreSource :: path -> path

Returns result of cleanSourceWith, usable as a path but also composable.

gitignoreFilter :: path -> (path -> type -> bool)

f = gitignoreFilter path

Parentheses in the type emphasize that a partial application memoizes the git metadata. You can use Nixpkgs' cleanSourceWith to compose with other filters (by logical and) or to set a name.

path: a path being the root or a subdirectory of a local git repository

f: a function that returns false for files that should be ignored according to gitignore rules, but only for paths at or below path.

See gitignoreFilter for an example.

• Reads parent gitignores even if only pointed at a subdirectory
• Source hashes only change when output changes
• Not impacted by large or inaccessible ignored directories
• Composes with cleanSourceWith
• Reads user git configuration; no need to bother your team with your tool config.
• Also works with restrict-eval enabled (if avoiding fetchFromGitHub)
• No import from derivation ("IFD")
• Name and hash are not sensitive to checkout location

Caveats:

• fetchGit is not reproducible. It has at least one serious reproducibility problem that requires a breaking change to fix. Unlike fixed-output derivations, a built-in fetcher does not have a pinned implementation!
• fetchGit blocks the evaluator, just like import from derivation

Please open a PR if you've found another feature, determined any of the '?' or if you've found an inaccuracy.

Files not matched by gitignore rules will end up in the Nix store, which is readable by any process.

gitignore.nix does not yet understand git-crypt's metadata, so don't call gitignoreSource on directories containing such secrets or their parent directories. This also applies to many Nix functions (path, filterSource, cleanSource, etc) and Nix string interpolation.

This project isn't perfect (yet) so please submit test cases and fixes as pull requests. Before doing anything drastic, it's a good idea to open an issue first to discuss and optimize the approach.

A great shoutout to @siers for writing the intial test suite and rule translation code!