removing the dependency on hexchen's nixfiles #6

Merged

Ghost merged 0 commits from removing-nix-hexchen into main 2024-02-20 15:12:58 +00:00

Conversation 6 Commits - Files Changed -

stuebinm commented 2024-01-31 23:00:11 +00:00

Owner

since we're working pretty much out-of-sync these days and people keep being confused about where certain settings are set, it might be useful to consider moving the parts we use to be in-tree / thinking about how that may look.

For now this bundles three modules (encboot, boundmounts, and nopersist), and is otherwise a no-op as far as nix is concerned (modulo the auto-deployed docs & /etc/haccfiles, which copy our repo). See individual commits for details.

(cc @hexchen obviously, if you have opinions on this)

since we're working pretty much out-of-sync these days and people keep being confused about where certain settings are set, it might be useful to consider moving the parts we use to be in-tree / thinking about how that may look. For now this bundles three modules (encboot, boundmounts, and nopersist), and is otherwise a no-op as far as nix is concerned (modulo the auto-deployed docs & /etc/haccfiles, which copy our repo). See individual commits for details. (cc @hexchen obviously, if you have opinions on this)

stuebinm commented 2024-01-31 23:01:04 +00:00

Poster

Owner

oh also, i noticed that https://gitlab.com/hexchen/nixfiles does not contain a license (but our repo does), so that's a thing to consider as well.

oh also, i noticed that https://gitlab.com/hexchen/nixfiles does not contain a license (but our repo does), so that's a thing to consider as well.

stuebinm force-pushed removing-nix-hexchen from 3fd4079265 to b31d180144 2024-01-31 23:10:51 +00:00 Compare

moira commented 2024-02-05 20:57:19 +00:00

Owner

On first sight this looks good to me.

As for the license, maybe contact @hexchen directly, though I doubt she would have a problem with out usage or license.

On first sight this looks good to me. As for the license, maybe contact @hexchen directly, though I doubt she would have a problem with out usage or license.

stuebinm force-pushed removing-nix-hexchen from b31d180144 to 958c5840b7 2024-02-12 17:21:46 +00:00 Compare

hexchen commented 2024-02-16 22:51:40 +00:00

Owner

I'm perfectly fine with you using my code, including releasing it into public domain under the unlicense license. I'd prefer a slightly more restrictive license personally, but honestly; who cares.

For legal reasons: I agree with the relicensing of my code to the Unlicense, as can be found on https://unlicense.org/.

I'm perfectly fine with you using my code, including releasing it into public domain under the unlicense license. I'd prefer a slightly more restrictive license personally, but honestly; who cares. For legal reasons: I agree with the relicensing of my code to the Unlicense, as can be found on https://unlicense.org/.

👍 1 ❤️ 1

hexchen commented 2024-02-16 22:52:29 +00:00

Owner

As for the whole "out of sync" issue: yeah, forking my code sounds like a good idea.

As for the whole "out of sync" issue: yeah, forking my code sounds like a good idea.

stuebinm force-pushed removing-nix-hexchen from 958c5840b7 to 0f678c5e80 2024-02-17 00:04:52 +00:00 Compare

stuebinm added 2 commits 2024-02-18 12:48:38 +00:00

62917423e3 render nftables's ruleset ...

This does the same as the last commit did for the nftnat module, but for
the more general nftables module. Note the weird whatspace again.

ea230c34b0 remove nix-hexchen from flake inputs ...

fun fact: this commit delets more lines (in flake.lock) than were
removed during the previous commits (to vendor nix-hexchen's modules
into our repo)

stuebinm commented 2024-02-18 12:56:56 +00:00

Poster

Owner

okay, so the pure work of having a buildable haccfiles without depending on hexchen's nixfiles is done, and so far a no-op (module changes to the repo itself, which show up on our docs page):

❯ nix-diff result result-new
- result:{out}
+ result-new:{out}
• The input derivation named `etc` differs
  - /nix/store/0py77xgp7impa4bnvm8nyilsdpl9yyii-etc.drv:{out}
  + /nix/store/bz1daqwzphvxlv8xx6sxs5j5iwmng0c0-etc.drv:{out}
  • The input source named `source` differs
  • The input derivation named `system-units` differs
    - /nix/store/4xxjdyifjfw2b82jv9ha736cdxmf2hhy-system-units.drv:{out}
    + /nix/store/vdqi4hjcc650ls4q5rz5xs74ad66lgr5-system-units.drv:{out}
    • The input derivation named `unit-nginx.service` differs
      - /nix/store/bsig4k1hnrj9j44ijd0drip3ck5q8qid-unit-nginx.service.drv:{out}
      + /nix/store/dwnaaxhdfpghwnn6jzas39zaqi2nxsrl-unit-nginx.service.drv:{out}
      • The input derivation named `nginx.conf` differs
        - /nix/store/m74ybywirjmnj72ylmy6jzpfhajqmj03-nginx.conf.drv:{out}
        + /nix/store/hkbc4jbpyvgh5c2lbdan146kf40g4as3-nginx.conf.drv:{out}
        • The input derivation named `docs.hacc.space-static` differs
          - /nix/store/9iwawazcaa09gsqai1znzhqmrm99978g-docs.hacc.space-static.drv:{out}
          + /nix/store/rkp81vd19ajklr29x4cv3ssshcplh9nm-docs.hacc.space-static.drv:{out}
          (...)
        • Skipping environment comparison
      • The input derivation named `unit-script-nginx-pre-start` differs
        - /nix/store/qhpjmiqah5kb4i7hvakg6lafsix4br2p-unit-script-nginx-pre-start.drv:{out}
        + /nix/store/2518yg1nzblxzkwy9swhsz2n5w3r73w7-unit-script-nginx-pre-start.drv:{out}
        • The input derivation named `nginx.conf` differs
          • These two derivations have already been compared
        • Skipping environment comparison
      • Skipping environment comparison
    • Skipping environment comparison
  • Skipping environment comparison
• Skipping environment comparison

This also results in some uncomfortable-looking code in parsons/nftables.nix, since I preserved whitespace exactly as it was.

We can now deploy this as-is, or first think about if we want to add at least a little abstraction back in (e.g. currently the firewall.allowedTCPPorts options do nothing; these are hardcoded in the nftables ruleset). Alternatively, it seems upstream nixpkgs now has an nftables module with at least a couple more options than a few years ago, which I guess we could also try and use.

okay, so the pure work of having a buildable haccfiles without depending on hexchen's nixfiles is done, and so far a no-op (module changes to the repo itself, which show up on our docs page): ~~~ ❯ nix-diff result result-new - result:{out} + result-new:{out} • The input derivation named `etc` differs - /nix/store/0py77xgp7impa4bnvm8nyilsdpl9yyii-etc.drv:{out} + /nix/store/bz1daqwzphvxlv8xx6sxs5j5iwmng0c0-etc.drv:{out} • The input source named `source` differs • The input derivation named `system-units` differs - /nix/store/4xxjdyifjfw2b82jv9ha736cdxmf2hhy-system-units.drv:{out} + /nix/store/vdqi4hjcc650ls4q5rz5xs74ad66lgr5-system-units.drv:{out} • The input derivation named `unit-nginx.service` differs - /nix/store/bsig4k1hnrj9j44ijd0drip3ck5q8qid-unit-nginx.service.drv:{out} + /nix/store/dwnaaxhdfpghwnn6jzas39zaqi2nxsrl-unit-nginx.service.drv:{out} • The input derivation named `nginx.conf` differs - /nix/store/m74ybywirjmnj72ylmy6jzpfhajqmj03-nginx.conf.drv:{out} + /nix/store/hkbc4jbpyvgh5c2lbdan146kf40g4as3-nginx.conf.drv:{out} • The input derivation named `docs.hacc.space-static` differs - /nix/store/9iwawazcaa09gsqai1znzhqmrm99978g-docs.hacc.space-static.drv:{out} + /nix/store/rkp81vd19ajklr29x4cv3ssshcplh9nm-docs.hacc.space-static.drv:{out} (...) • Skipping environment comparison • The input derivation named `unit-script-nginx-pre-start` differs - /nix/store/qhpjmiqah5kb4i7hvakg6lafsix4br2p-unit-script-nginx-pre-start.drv:{out} + /nix/store/2518yg1nzblxzkwy9swhsz2n5w3r73w7-unit-script-nginx-pre-start.drv:{out} • The input derivation named `nginx.conf` differs • These two derivations have already been compared • Skipping environment comparison • Skipping environment comparison • Skipping environment comparison • Skipping environment comparison • Skipping environment comparison ~~~ This also results in some uncomfortable-looking code in `parsons/nftables.nix`, since I preserved whitespace exactly as it was. We can now deploy this as-is, or first think about if we want to add at least a little abstraction back in (e.g. currently the firewall.allowedTCPPorts options do nothing; these are hardcoded in the nftables ruleset). Alternatively, it seems upstream nixpkgs now has an [nftables module](https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/networking/nftables.nix) with at least a couple more options than a few years ago, which I guess we could also try and use.

stuebinm changed title from WIP: removing the dependency on hexchen's nixfiles to removing the dependency on hexchen's nixfiles 2024-02-20 15:13:40 +00:00

stuebinm closed this pull request 2024-02-20 15:14:06 +00:00

stuebinm commented 2024-02-20 15:17:42 +00:00

Poster

Owner

heh, turns out you can't just merge things manually & push them and expect forgejo to pick up on it. so instead this is now in a weird place & i did some database foo to at least make it look correct at a first glance. oh well.

heh, turns out you can't just merge things manually & push them and expect forgejo to pick up on it. so instead this is now in a weird place & i did some database foo to at least make it look correct at a first glance. oh well.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No Label

Milestone

Clear milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

No Assignees

3 Participants

Notifications

Subscribe

Due Date

The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: hacc/haccfiles#6

There is no content yet.