stuebinm
62917423e3
This does the same as the last commit did for the nftnat module, but for the more general nftables module. Note the weird whitespace again.
{
  # Flake for the hacc infrastructure: pins every external input, builds the
  # NixOS system for the host "parsons", and wires deploy-rs for deployment.
  description = "hacc infra stuff";

  inputs = {
    # Mattermost is consumed as a plain release tarball plus the server source
    # (flake = false), not as flakes of their own.  The content hash that
    # guards these downloads is the one recorded in flake.lock, so a URL bump
    # only takes effect together with a lock update.
    mattermost-webapp.url = "https://releases.mattermost.com/8.1.10/mattermost-8.1.10-linux-amd64.tar.gz";
    mattermost-webapp.flake = false;
    mattermost-server.url = "github:mattermost/mattermost-server?ref=v8.1.10";
    mattermost-server.flake = false;

    # Branch refs (nixos-23.11, main, unversioned github:/gitlab: inputs) move
    # with every `nix flake update`; only the locked revision is reproducible.
    # NOTE(review): nixos-23.11 is, as far as I know, no longer a maintained
    # release branch -- confirm before relying on it for security updates.
    nixpkgs.url = "nixpkgs/nixos-23.11";
    # pinned to an exact commit, so this one does not move on update
    nixpkgs-oldstable.url = "github:/NixOS/nixpkgs?rev=c4aec3c021620d98861639946123214207e98344";
    nix-hexchen.url = "gitlab:hexchen/nixfiles";

    nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.11";
    tracktrain.url = "git+https://stuebinm.eu/git/tracktrain?ref=main";
    tracktrain.flake = false;

    deploy-rs.url = "github:serokell/deploy-rs";
    deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
    deploy-rs.inputs.flake-compat.follows = "nix-hexchen/apple-silicon/flake-compat";
    sops-nix.url = "github:Mic92/sops-nix";
    sops-nix.inputs.nixpkgs-stable.follows = "nixpkgs";

    # these exist mostly to make the flake.lock somewhat more human-friendly
    # note that in theory doing this might break things, but it seems fairly unlikely
    nix-hexchen.inputs = {
      nixos-mailserver.follows = "nixos-mailserver";
      flake-utils.follows = "/deploy-rs/utils";
      flake-compat.follows = "nix-hexchen/apple-silicon/flake-compat";
      sops-nix.follows = "sops-nix";
    };
    nixos-mailserver.inputs = {
      # the mailserver's input is named after 23.05 but is pointed at the
      # 23.11 nixpkgs above; presumably this is the "might break things" case
      "nixpkgs-23_05".follows = "nixpkgs";
      utils.follows = "/deploy-rs/utils";
      flake-compat.follows = "/deploy-rs/flake-compat";
    };
  };

  outputs = { self, nixpkgs, nix-hexchen, deploy-rs, sops-nix, ... }@inputs:
    let
      # NixOS modules: everything from nix-hexchen plus this repo's own
      modules = nix-hexchen.nixosModules // {
        bindMounts = import ./modules/bindmounts.nix;
        nopersist = import ./modules/nopersist.nix;
        encboot = import ./modules/encboot.nix;
      };
      profiles = nix-hexchen.nixosModules.profiles // {
        container = import ./modules/container-profile.nix;
      };
      # One package set shared by the host and everything built through
      # evalConfig; the flake inputs are handed in as `sources`, and
      # allowUnfree applies to all consumers of this set.
      pkgs = import ./pkgs {
        sources = inputs;
        system = "x86_64-linux";
        config.allowUnfree = true;
      };
      # Evaluates a NixOS config (with the nopersist module and the container
      # profile mixed in) down to its system toplevel.  mkForce pins the
      # shared pkgs set above so a config cannot swap in another nixpkgs.
      # evalConfig hands itself on via specialArgs so nested configs can be
      # evaluated the same way.
      evalConfig = config: (nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          config
          {
            nixpkgs.pkgs = pkgs.lib.mkForce pkgs;
            imports = [ modules.nopersist profiles.container];
          }
        ];
        specialArgs = {
          # modules still needed because a profile in nix-hexchen uses it
          inherit modules evalConfig;
          sources = inputs;
        };
      }).config.system.build.toplevel;
    in {
      # do this by hand instead of via nix-hexchen/lib/hosts.nix, since that one
      # apparently can't support pkgs depending on flake inputs
      nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        modules = [
          ./parsons/configuration.nix
          # secrets are handled by sops-nix, i.e. kept encrypted in the repo
          sops-nix.nixosModules.sops
          { nixpkgs.pkgs = pkgs; }
          # The whole flake source tree (this repository) is exposed under
          # /etc/haccfiles on the host.  It comes out of the nix store, whose
          # paths are readable by every local user, so nothing sensitive may
          # live in the repo in unencrypted form.
          { environment.etc."haccfiles".source = self.outPath; }
        ];
        specialArgs = {
          sources = inputs;
          inherit modules evalConfig;
        };
      };

      deploy.nodes.parsons = {
        hostname = "parsons";
        profiles.system = {
          user = "root";
          # deploy-rs will not fall back to the previous generation by itself
          # when activation fails; a broken deploy has to be rolled back by
          # hand (magicRollback is not set here, so its deploy-rs default
          # applies).
          autoRollback = false;
          path = deploy-rs.lib.x86_64-linux.activate.nixos
            self.nixosConfigurations.parsons;
        };
      };

      # This is highly advised, and will prevent many possible mistakes
      # (runs deploy-rs's own deployChecks over the deploy attribute, once per
      # system attribute of deploy-rs.lib)
      checks = builtins.mapAttrs
        (system: deployLib: deployLib.deployChecks self.deploy)
        deploy-rs.lib;

      # the website builders are read back out of the evaluated parsons
      # config, so this output only exists once that configuration evaluates
      packages.x86_64-linux =
        let
          websites = self.nixosConfigurations.parsons.config.hacc.websites.builders;
        in
          { docs = websites."docs.hacc.space"; } // websites;
    };
}