Since Lix is now in nixpkgs-unstable-small, I think it's a good time to
use it. This does mean that we now pull in our nix implementation from
an unstable channel, but overall I'm more confident in the Lix team's
ability to not break things than I am in the Nix team's ability to
backport (& then actually release) security updates.
(once Lix is on a stable channel, we can switch back to using it from there)

in theory this might be ready to deploy. Potential hazards & things to
know when actually doing so:
1. the mysql version used by mattermost was updated (the old one uses an
openssl which is marked insecure). Might have to migrate a database
2. lots of settings now use RFC 42-style settings, which might contain
new typos
3. this updates uffd (& changes the patches we apply). Since version
dependencies of uffd are basically "whatever debian has" we have
never bothered to match them, but afaik have also never updated uffd
since the initial deploy some years ago. No guarantee it still
works.
4. tracktrain depends on haskellPackages.conferer-warp, which is
currently marked broken. There is no reason for this (it builds
fine). Until fixed upstream, build with NIXPKGS_ALLOW_BROKEN=1.
cf. https://github.com/NixOS/nixpkgs/pull/234784; waiting for a
merge of haskell-updates into 23.05

this replaces niv with nix flakes, attempting to preserve the old
structure as much as possible. Notable caveats:
- I'm not sure if flake inputs expose version information anywhere, so
the version in pkgs/mattermost/default.nix is now hardcoded.
Confusingly, this appears to trigger a rebuild. Maybe I've missed something.
- a lot of the old-style host.nix & deploy.nix machinery in nix-hexchen
does not work with flakes, and their newer replacements are not exposed
by upstream; I've put basic imitations of the relevant parts in this repo
- (in particular, directories in hosts/ won't become deployable configs
automatically)
- parts of the code are now probably more complicated than they'd have to be
- old variable names were preserved; confusingly, this means the flake
inputs are still called "sources"

lots of fancy new stuff, but most importantly: we no longer import all
of my user config, just the very base.
none of that fancy stuff is active right now, this should mostly be a
no-op unless we do the same restructure that I have just done in my
nixfiles here as well.

This is a partial revert, reintroducing hexchen to the project.
As it turns out, I am still quite invested in the project and require
frequent access to the nix-based infrastructure.

I am no longer comfortable with putting resources into this project and
therefore request to be removed from all infrastructure. I am still
happy to help out with software I set up, but I will no longer actively
maintain any services. As far as possible, I will remove myself from all
access groups or other privileged positions related to this project.
Essentially, I'm stepping down as a maintainer. I still reserve the
right to make changes via the established change processes (Merge
Requests as well as Issues in the meta-repositories), but I will no
longer make direct changes to infrastructure without going through those
review processes.