haccfiles/flake.nix

{
  description = "hacc infra stuff";

  inputs = {
    nixpkgs.url = "nixpkgs/nixos-24.11-small";
    nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";
    nixpkgs-oldstable.url = "github:/NixOS/nixpkgs?rev=c4aec3c021620d98861639946123214207e98344";

    nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";
    tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main";
    tracktrain.flake = false;

    deploy-rs.url = "github:serokell/deploy-rs";
    deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";
    
    # these exist mostly to make the flake.lock somewhat more human-friendly
    # note that in theory doing this might break things, but it seems fairly unlikely
    nixos-mailserver.inputs = {
      nixpkgs.follows = "nixpkgs-unstable";
      nixpkgs_24-11.follows = "nixpkgs";
      flake-compat.follows = "/deploy-rs/flake-compat";
    };
  };

  outputs = { self, nixpkgs, deploy-rs, sops-nix, ... }@inputs:
    let modules = {
          bindMounts = import ./modules/bindmounts.nix;
          nopersist = import ./modules/nopersist.nix;
          encboot = import ./modules/encboot.nix;
        };
        profiles = {
          container = import ./modules/container-profile.nix;
        };
        pkgs = import ./pkgs {
          sources = inputs;
          system = "x86_64-linux";
          config.allowUnfree = true;
        };
    in {
      nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./parsons/configuration.nix
          ./modules/buildinfo.nix
          ./modules/containers.nix
          sops-nix.nixosModules.sops
          { nixpkgs.pkgs = pkgs; }
        ];
        specialArgs = {
          sources = inputs;
          inherit modules profiles;
          inherit (nixpkgs.lib) nixosSystem;
        };
      };

      deploy.nodes.parsons = {
        hostname = "parsons";
        profiles.system = {
          user = "root";
          autoRollback = false;
          path = deploy-rs.lib.x86_64-linux.activate.nixos
            self.nixosConfigurations.parsons;
        };
      };

      # This is highly advised, and will prevent many possible mistakes
      checks = builtins.mapAttrs
        (system: deployLib: deployLib.deployChecks self.deploy)
        deploy-rs.lib;

      apps.x86_64-linux =
        let
	  mkApp = pkg: {
	    type = "app";
	    program = pkgs.lib.getExe pkg;
	  };
          websites = pkgs.lib.mapAttrs (name: mkApp) 
	    self.nixosConfigurations.parsons.config.hacc.websites.builders;
        in
          { docs = websites."docs.hacc.space"; } // websites;

      packages.x86_64-linux = {
        inherit (pkgs) mattermost hacc-scripts;
      };
    };

}
shoehorn nix-hexchen-style config into flakes this replaces niv with nix flakes, attempting to preserve the old structure as much as possible. Notable caveats: - I'm not sure if flake inputs expose version information anywhere, so the version in pkgs/mattermost/default.nix is now hardcoded. Confusingly, this appears to trigger a rebuild. Maybe I've missed something. - a lot of the old-style host.nix & deploy.nix machinery in nix-hexchen does not work with flakes, and their newer replacements are not exposed by upstream; I've put basic imitations of the relevant parts in this repo - (in particular, directories in hosts/ won't become deployable configs automatically) - parts of the code are now probably more complicated than they'd have to be - old variables names were preserved; confusingly, this means the flake inputs are still called "sources" 2022-11-13 22:45:50 +01:00			`{`
			`description = "hacc infra stuff";`

			`inputs = {`
NixOS 24.11 in summary: - update inputs - copy a fix for the nopersist module from hexchen's nixfiles https://gitlab.com/hexchen/nixfiles/-/commit/d0b3a042ff9653cd3d39bf2427895ee310f8a661 - remove an already-outdated override in pkgs - update zola's config for the docs.hacc.space website 2024-12-04 00:34:55 +01:00			`nixpkgs.url = "nixpkgs/nixos-24.11-small";`
switch to nixpkgs-small channels these get more frequent updates, but we might (sometimes) wind up having to build stuff ourselves that hydra hasn't gotten to yet. 2024-04-09 01:20:24 +02:00			`nixpkgs-unstable.url = "nixpkgs/nixos-unstable-small";`
keep using the old uffd's pythonPackages, lol 2023-09-27 17:14:05 +02:00			`nixpkgs-oldstable.url = "github:/NixOS/nixpkgs?rev=c4aec3c021620d98861639946123214207e98344";`
updates, but pin older nix-hexchen 2023-11-01 18:36:54 +01:00
NixOS 24.11 in summary: - update inputs - copy a fix for the nopersist module from hexchen's nixfiles https://gitlab.com/hexchen/nixfiles/-/commit/d0b3a042ff9653cd3d39bf2427895ee310f8a661 - remove an already-outdated override in pkgs - update zola's config for the docs.hacc.space website 2024-12-04 00:34:55 +01:00			`nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/master";`
init tracktrain 2023-01-22 02:25:07 +01:00			`tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main";`
			`tracktrain.flake = false;`
flake: add deploy-rs 2022-11-13 23:04:55 +01:00
			`deploy-rs.url = "github:serokell/deploy-rs";`
			`deploy-rs.inputs.nixpkgs.follows = "nixpkgs";`
sops-nix proof of concept this is currently deployed and appears to be working. please everyone have a look at it & then decide if we want to use this for the other secrets as well. 2023-04-19 20:08:45 +02:00			`sops-nix.url = "github:Mic92/sops-nix";`
inputs: make sops-nix/nixpkgs follow nixpkgs-unstable deduplicates our nixpkgs instances a little 2024-07-15 15:25:33 +02:00			`sops-nix.inputs.nixpkgs.follows = "nixpkgs-unstable";`
reduce lockfile size 2022-11-25 22:48:27 +01:00
			`# these exist mostly to make the flake.lock somewhat more human-friendly`
			`# note that in theory doing this might break things, but it seems fairly unlikely`
			`nixos-mailserver.inputs = {`
update to nixos 24.05 2024-06-19 20:51:44 +02:00			`nixpkgs.follows = "nixpkgs-unstable";`
flake: add a new follow override for the mailserver 2024-12-23 18:22:17 +01:00			`nixpkgs_24-11.follows = "nixpkgs";`
initial work for 23.05 in theory this might be ready to deploy. Potential hazards & things to know when actually doing so: 1. the mysql version used by mattermost was updated (the old uses an openssl which is marked insecure). Might have to migrate a database 2. lots of settings now use RFC 42-style settings, which might contain new typos 3. this updates uffd (& changes the patches we apply). Since version dependencies of uffd are basically "whatever debian has" we have never bothered to match them, but afaik have also never updated uffd since the initial deploy some years ago. No guarantee it still works. 4. tracktrain depends on haskellPackages.conferer-warp, which is currently marked broken. There is no reason for this (it builds fine). Until fixed upstream, build with NIXPKGS_ALLOW_BROKEN=1. cf. https://github.com/NixOS/nixpkgs/pull/234784; waiting for a merge of haskell-updates into 23.05 2023-06-06 02:04:11 +02:00			`flake-compat.follows = "/deploy-rs/flake-compat";`
reduce lockfile size 2022-11-25 22:48:27 +01:00			`};`
shoehorn nix-hexchen-style config into flakes this replaces niv with nix flakes, attempting to preserve the old structure as much as possible. Notable caveats: - I'm not sure if flake inputs expose version information anywhere, so the version in pkgs/mattermost/default.nix is now hardcoded. Confusingly, this appears to trigger a rebuild. Maybe I've missed something. - a lot of the old-style host.nix & deploy.nix machinery in nix-hexchen does not work with flakes, and their newer replacements are not exposed by upstream; I've put basic imitations of the relevant parts in this repo - (in particular, directories in hosts/ won't become deployable configs automatically) - parts of the code are now probably more complicated than they'd have to be - old variables names were preserved; confusingly, this means the flake inputs are still called "sources" 2022-11-13 22:45:50 +01:00			`};`

remove nix-hexchen from flake inputs fun fact: this commit delets more lines (in flake.lock) than were removed during the previous commits (to vendor nix-hexchen's modules into our repo) 2024-02-18 13:45:32 +01:00			`outputs = { self, nixpkgs, deploy-rs, sops-nix, ... }@inputs:`
			`let modules = {`
bundle hexchen's nopersist & bindmount moduls the bind mount module has been tweaked in a couple ways: - rename hexchen.* to hacc.* - rename bindmount to bindMount to make it consistent with usage in the nixpkgs container module - add a hacc.bindToPersist option as shorthand for prepending /perist to a path via bind mount the nopersist module has been shortened a little by moving service-specific things which are used once out into the individual service files, and removing those which we don't need at all (this also means we get to loose a mkForce or two in case of mismatches between hexchen's and our current config). 2024-01-31 23:30:06 +01:00			`bindMounts = import ./modules/bindmounts.nix;`
			`nopersist = import ./modules/nopersist.nix;`
bundle encboot this does nothing but move the module & rename the hexchen.* options to hacc.* 2024-01-31 23:47:02 +01:00			`encboot = import ./modules/encboot.nix;`
bundle hexchen's nopersist & bindmount moduls the bind mount module has been tweaked in a couple ways: - rename hexchen.* to hacc.* - rename bindmount to bindMount to make it consistent with usage in the nixpkgs container module - add a hacc.bindToPersist option as shorthand for prepending /perist to a path via bind mount the nopersist module has been shortened a little by moving service-specific things which are used once out into the individual service files, and removing those which we don't need at all (this also means we get to loose a mkForce or two in case of mismatches between hexchen's and our current config). 2024-01-31 23:30:06 +01:00			`};`
remove nix-hexchen from flake inputs fun fact: this commit delets more lines (in flake.lock) than were removed during the previous commits (to vendor nix-hexchen's modules into our repo) 2024-02-18 13:45:32 +01:00			`profiles = {`
nicer container configs today i woke up to the realisation that there's an extremely obvious way to make these nicer, & then i did exactly that. For some reason I did not think of this when originally removing the dependency to nix-hexchen's evalConfig. unfortunately, this is not /quite/ a no-op. The only actual change is different whitespace in some of the semantically-equivalent coredns-configs that got unified. 2023-02-18 14:45:14 +01:00			`container = import ./modules/container-profile.nix;`
			`};`
shoehorn nix-hexchen-style config into flakes this replaces niv with nix flakes, attempting to preserve the old structure as much as possible. Notable caveats: - I'm not sure if flake inputs expose version information anywhere, so the version in pkgs/mattermost/default.nix is now hardcoded. Confusingly, this appears to trigger a rebuild. Maybe I've missed something. - a lot of the old-style host.nix & deploy.nix machinery in nix-hexchen does not work with flakes, and their newer replacements are not exposed by upstream; I've put basic imitations of the relevant parts in this repo - (in particular, directories in hosts/ won't become deployable configs automatically) - parts of the code are now probably more complicated than they'd have to be - old variables names were preserved; confusingly, this means the flake inputs are still called "sources" 2022-11-13 22:45:50 +01:00			`pkgs = import ./pkgs {`
			`sources = inputs;`
			`system = "x86_64-linux";`
initial work towards nixos 23.11 Note: this updates all postgres instances, since postgresql_11 no longer exists. 2023-11-30 17:43:48 +01:00			`config.allowUnfree = true;`
shoehorn nix-hexchen-style config into flakes this replaces niv with nix flakes, attempting to preserve the old structure as much as possible. Notable caveats: - I'm not sure if flake inputs expose version information anywhere, so the version in pkgs/mattermost/default.nix is now hardcoded. Confusingly, this appears to trigger a rebuild. Maybe I've missed something. - a lot of the old-style host.nix & deploy.nix machinery in nix-hexchen does not work with flakes, and their newer replacements are not exposed by upstream; I've put basic imitations of the relevant parts in this repo - (in particular, directories in hosts/ won't become deployable configs automatically) - parts of the code are now probably more complicated than they'd have to be - old variables names were preserved; confusingly, this means the flake inputs are still called "sources" 2022-11-13 22:45:50 +01:00			`};`
			`in {`
			`nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {`
			`system = "x86_64-linux";`
			`modules = [`
meta: new structure we decided to: - get rid of unused packages - simpify the directory layout since we only have one host anyways - move our docs (such as they are) in-tree 2024-01-11 22:53:02 +01:00			`./parsons/configuration.nix`
meta: add build info to motd / system label, remove /etc/haccfiles 2024-04-06 23:05:17 +02:00			`./modules/buildinfo.nix`
modules/containers: a hacc-specific containers module this started with emily pointing out to me that it's possible to generate IP addresses for containers in Nix (hence no need to worry about ever having collisions, as we had before), but then I thought, hey, while I'm at it, I can also write a little container module so we have a little less repetition in our configs in general (and a more reasonable place for our custom evalConfig than just keeping it around in flake.nix). See the option descriptions in modules/containers.nix for further details. Apart from giving all containers a new IP address (and also shiny new IPv6 addresses), this should be a no-op for the actual built system. 2024-04-19 19:11:03 +02:00			`./modules/containers.nix`
sops-nix proof of concept this is currently deployed and appears to be working. please everyone have a look at it & then decide if we want to use this for the other secrets as well. 2023-04-19 20:08:45 +02:00			`sops-nix.nixosModules.sops`
shoehorn nix-hexchen-style config into flakes this replaces niv with nix flakes, attempting to preserve the old structure as much as possible. Notable caveats: - I'm not sure if flake inputs expose version information anywhere, so the version in pkgs/mattermost/default.nix is now hardcoded. Confusingly, this appears to trigger a rebuild. Maybe I've missed something. - a lot of the old-style host.nix & deploy.nix machinery in nix-hexchen does not work with flakes, and their newer replacements are not exposed by upstream; I've put basic imitations of the relevant parts in this repo - (in particular, directories in hosts/ won't become deployable configs automatically) - parts of the code are now probably more complicated than they'd have to be - old variables names were preserved; confusingly, this means the flake inputs are still called "sources" 2022-11-13 22:45:50 +01:00			`{ nixpkgs.pkgs = pkgs; }`
			`];`
			`specialArgs = {`
			`sources = inputs;`
modules/containers: a hacc-specific containers module this started with emily pointing out to me that it's possible to generate IP addresses for containers in Nix (hence no need to worry about ever having collisions, as we had before), but then I thought, hey, while I'm at it, I can also write a little container module so we have a little less repetition in our configs in general (and a more reasonable place for our custom evalConfig than just keeping it around in flake.nix). See the option descriptions in modules/containers.nix for further details. Apart from giving all containers a new IP address (and also shiny new IPv6 addresses), this should be a no-op for the actual built system. 2024-04-19 19:11:03 +02:00			`inherit modules profiles;`
			`inherit (nixpkgs.lib) nixosSystem;`
shoehorn nix-hexchen-style config into flakes this replaces niv with nix flakes, attempting to preserve the old structure as much as possible. Notable caveats: - I'm not sure if flake inputs expose version information anywhere, so the version in pkgs/mattermost/default.nix is now hardcoded. Confusingly, this appears to trigger a rebuild. Maybe I've missed something. - a lot of the old-style host.nix & deploy.nix machinery in nix-hexchen does not work with flakes, and their newer replacements are not exposed by upstream; I've put basic imitations of the relevant parts in this repo - (in particular, directories in hosts/ won't become deployable configs automatically) - parts of the code are now probably more complicated than they'd have to be - old variables names were preserved; confusingly, this means the flake inputs are still called "sources" 2022-11-13 22:45:50 +01:00			`};`
			`};`
flake: add deploy-rs 2022-11-13 23:04:55 +01:00
			`deploy.nodes.parsons = {`
			`hostname = "parsons";`
			`profiles.system = {`
			`user = "root";`
deploy-rs: disable auto-rollback by default (as per Moira's request) 2022-11-15 15:19:36 +01:00			`autoRollback = false;`
flake: add deploy-rs 2022-11-13 23:04:55 +01:00			`path = deploy-rs.lib.x86_64-linux.activate.nixos`
			`self.nixosConfigurations.parsons;`
			`};`
			`};`

			`# This is highly advised, and will prevent many possible mistakes`
			`checks = builtins.mapAttrs`
			`(system: deployLib: deployLib.deployChecks self.deploy)`
			`deploy-rs.lib;`
make working on websites nicer (since every time we have to change anything on these I get annoyed at having to remember how to build these. Now you can just use `nix run`!) 2023-02-24 17:33:48 +01:00
flake.nix: move websites from packages.* to apps.* this should not change their behaviour with "nix run", which was the reason for putting them there in the first place (however, it does remove the ability to build them with "nix build", but afaik this has never been used by anyone). This means the packages.* output is now left unused, so we can use it instead for things that actually are programs which want to expose (see the next commit after this one for an example). 2024-08-30 17:52:57 +02:00			`apps.x86_64-linux =`
meta: new structure we decided to: - get rid of unused packages - simpify the directory layout since we only have one host anyways - move our docs (such as they are) in-tree 2024-01-11 22:53:02 +01:00			`let`
flake.nix: move websites from packages.* to apps.* this should not change their behaviour with "nix run", which was the reason for putting them there in the first place (however, it does remove the ability to build them with "nix build", but afaik this has never been used by anyone). This means the packages.* output is now left unused, so we can use it instead for things that actually are programs which want to expose (see the next commit after this one for an example). 2024-08-30 17:52:57 +02:00			`mkApp = pkg: {`
			`type = "app";`
			`program = pkgs.lib.getExe pkg;`
			`};`
			`websites = pkgs.lib.mapAttrs (name: mkApp)`
			`self.nixosConfigurations.parsons.config.hacc.websites.builders;`
meta: new structure we decided to: - get rid of unused packages - simpify the directory layout since we only have one host anyways - move our docs (such as they are) in-tree 2024-01-11 22:53:02 +01:00			`in`
			`{ docs = websites."docs.hacc.space"; } // websites;`
flake.nix: expose mattermost under packages.* this makes it easier to update, e.g. by doing "nix-update -F mattermost". 2024-08-30 17:56:10 +02:00
			`packages.x86_64-linux = {`
pkgs/scripts: move auamost into hacc-scripts we've had this for ages, and since I started with the new scripts directory under pkgs (and anticipated we'll write more), it seems like a good idea to move that script there and have them all in one place. Certainly better than having it as one extremely long string inside Nix. 2024-11-11 01:12:22 +01:00			`inherit (pkgs) mattermost hacc-scripts;`
flake.nix: expose mattermost under packages.* this makes it easier to update, e.g. by doing "nix-update -F mattermost". 2024-08-30 17:56:10 +02:00			`};`
shoehorn nix-hexchen-style config into flakes this replaces niv with nix flakes, attempting to preserve the old structure as much as possible. Notable caveats: - I'm not sure if flake inputs expose version information anywhere, so the version in pkgs/mattermost/default.nix is now hardcoded. Confusingly, this appears to trigger a rebuild. Maybe I've missed something. - a lot of the old-style host.nix & deploy.nix machinery in nix-hexchen does not work with flakes, and their newer replacements are not exposed by upstream; I've put basic imitations of the relevant parts in this repo - (in particular, directories in hosts/ won't become deployable configs automatically) - parts of the code are now probably more complicated than they'd have to be - old variables names were preserved; confusingly, this means the flake inputs are still called "sources" 2022-11-13 22:45:50 +01:00			`};`
flake: add deploy-rs 2022-11-13 23:04:55 +01:00
shoehorn nix-hexchen-style config into flakes this replaces niv with nix flakes, attempting to preserve the old structure as much as possible. Notable caveats: - I'm not sure if flake inputs expose version information anywhere, so the version in pkgs/mattermost/default.nix is now hardcoded. Confusingly, this appears to trigger a rebuild. Maybe I've missed something. - a lot of the old-style host.nix & deploy.nix machinery in nix-hexchen does not work with flakes, and their newer replacements are not exposed by upstream; I've put basic imitations of the relevant parts in this repo - (in particular, directories in hosts/ won't become deployable configs automatically) - parts of the code are now probably more complicated than they'd have to be - old variables names were preserved; confusingly, this means the flake inputs are still called "sources" 2022-11-13 22:45:50 +01:00			`}`
No results found.