in theory this might be ready to deploy. Potential hazards & things to know when actually doing so: 1. the MySQL version used by Mattermost was updated (the old one uses an OpenSSL version which is marked insecure). Might have to migrate the database. 2. lots of settings now use RFC 42-style settings attributes, which might contain new typos. 3. this updates uffd (& changes the patches we apply). Since the version dependencies of uffd are basically "whatever Debian has", we have never bothered to match them, but afaik we have also never updated uffd since the initial deploy some years ago. No guarantee it still works. 4. tracktrain depends on haskellPackages.conferer-warp, which is currently marked broken. There is no reason for this (it builds fine). Until fixed upstream, build with NIXPKGS_ALLOW_BROKEN=1. cf. https://github.com/NixOS/nixpkgs/pull/234784; waiting for a merge of haskell-updates into 23.05.
{
  description = "hacc infra stuff";

  inputs = {
    # Mattermost is pulled as two non-flake sources: the prebuilt webapp tarball
    # and the server's git tree. Both are pinned by flake.lock (rev / narHash), so a
    # silently replaced tarball at the same URL would fail the hash check.
    mattermost-webapp = {
      url = "https://releases.mattermost.com/7.8.11/mattermost-7.8.11-linux-amd64.tar.gz";
      flake = false;
    };
    mattermost-server = {
      url = "github:mattermost/mattermost-server?ref=v7.8.11";
      flake = false;
    };

    # stable branch for the hosts, unstable for a few tools (see follows below)
    nixpkgs.url = "nixpkgs/nixos-23.05";
    nixpkgs-unstable.url = "nixpkgs/nixpkgs-unstable";

    # hexchen's module collection and mailserver; both are re-pointed at our own
    # nixpkgs/deploy-rs/sops-nix further down so flake.lock carries one copy each.
    nix-hexchen = {
      url = "gitlab:hexchen/nixfiles";
      # these exist mostly to make the flake.lock somewhat more human-friendly
      # note that in theory doing this might break things, but it seems fairly unlikely
      inputs = {
        nixos-mailserver.follows = "nixos-mailserver";
        nixpkgs.follows = "nixpkgs-unstable";
        deploy-rs.follows = "deploy-rs";
        doom-emacs.follows = "nix-hexchen/nix-doom-emacs/doom-emacs";
        emacs-overlay.follows = "nix-hexchen/nix-doom-emacs/emacs-overlay";
        # leading slash: presumably anchors the path at this (root) flake rather
        # than at nix-hexchen's own inputs — confirm against `nix flake metadata`
        flake-utils.follows = "/deploy-rs/utils";
        flake-compat.follows = "/deploy-rs/flake-compat";
        sops-nix.follows = "sops-nix";
      };
    };
    nixos-mailserver = {
      url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-23.05";
      inputs = {
        "nixpkgs-23_05".follows = "nixpkgs";
        nixpkgs.follows = "nixpkgs-unstable";
        utils.follows = "/deploy-rs/utils";
        flake-compat.follows = "/deploy-rs/flake-compat";
      };
    };

    # tracktrain is a plain git tree built by ./pkgs, not a flake
    tracktrain = {
      url = "git+https://stuebinm.eu/git/tracktrain?ref=main";
      flake = false;
    };

    deploy-rs = {
      url = "github:serokell/deploy-rs";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # sops-nix: secrets are decrypted on the host at activation time, so nothing
    # sensitive needs to live in this repo (which is copied into the store, see below)
    sops-nix = {
      url = "github:Mic92/sops-nix";
      inputs = {
        nixpkgs.follows = "nixpkgs-unstable";
        nixpkgs-stable.follows = "nixpkgs";
      };
    };
  };

  outputs = { self, nixpkgs, nix-hexchen, deploy-rs, sops-nix, ... }@inputs:
    let
      # every host and package in this flake is built for the same system
      system = "x86_64-linux";

      modules = nix-hexchen.nixosModules;

      # hexchen's profiles, extended with our own container profile
      profiles = modules.profiles // {
        container = import ./modules/container-profile.nix;
      };

      # our package set; ./pkgs gets the flake inputs as "sources" so it can build
      # from the pinned non-flake inputs (mattermost, tracktrain)
      pkgs = import ./pkgs {
        sources = inputs;
        inherit system;
      };

      # Evaluate a single NixOS module (e.g. a container config) to its toplevel
      # derivation. The nftables module is always added, and the host's pkgs is
      # reused so containers share the same package set as the host.
      # evalConfig is passed to itself so nested configs can call it again.
      evalConfig = config:
        let
          built = nixpkgs.lib.nixosSystem {
            inherit system;
            modules = [
              config
              modules.network.nftables
              { nixpkgs.pkgs = pkgs; }
            ];
            specialArgs = {
              inherit modules profiles evalConfig;
              sources = inputs;
            };
          };
        in built.config.system.build.toplevel;

    in {
      # do this by hand instead of via nix-hexchen/lib/hosts.nix, since that one
      # apparently can't support pkgs depending on flake inputs
      nixosConfigurations.parsons = nixpkgs.lib.nixosSystem {
        inherit system;
        modules = [
          ./hosts/parsons/configuration.nix
          sops-nix.nixosModules.sops
          { nixpkgs.pkgs = pkgs; }
          # the whole flake source tree is copied into the (world-readable) nix
          # store and linked at /etc/haccfiles on the host — nothing committed to
          # this repo is private once deployed; secrets go through sops-nix instead
          { environment.etc."haccfiles".source = self.outPath; }
        ];
        specialArgs = {
          # with a few exceptions, the flake inputs can be used the same
          # as the niv-style (import nix/sources.nix {})
          sources = inputs;
          inherit modules profiles evalConfig;
        };
      };

      # deploy-rs target; activation runs as root on the host
      deploy.nodes.parsons = {
        hostname = "parsons";
        profiles.system = {
          user = "root";
          # a failing activation is NOT reverted automatically; a broken deploy has
          # to be rolled back by hand. deploy-rs's magicRollback (connectivity check
          # after activation) is a separate option and is not touched here.
          autoRollback = false;
          path = deploy-rs.lib.${system}.activate.nixos
            self.nixosConfigurations.parsons;
        };
      };

      # This is highly advised, and will prevent many possible mistakes
      # (deployChecks validates the deploy.nodes tree, e.g. that each profile
      # path is a proper activation script, before anything is pushed)
      checks = builtins.mapAttrs
        (_: deployLib: deployLib.deployChecks self.deploy)
        deploy-rs.lib;

      # the website builders are defined inside the host config (hacc.websites),
      # re-exported here so they can be built without deploying
      packages.${system} =
        self.nixosConfigurations.parsons.config.hacc.websites.builders;
    };
}