switch to flake

.envrc

@@ -1 +1 @@
-use nix
+use flake

flake.lock

@@ -0,0 +1,239 @@
+{
+  "nodes": {
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1627913399,
+        "narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "hercules-ci-effects": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1649324058,
+        "narHash": "sha256-6U/SIhp/8Ht402Ip7pu7qQ7azquwYVCVbZfcv5M+4so=",
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "rev": "14dcd541e4d5315deb3f6941cd5b293945c14584",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "hercules-ci-effects",
+        "type": "github"
+      }
+    },
+    "marvin-mk2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1613145327,
+        "narHash": "sha256-pP4QuZ/aTOBOJv04AVDXU00l1mgl2I832/InM/3z0js=",
+        "owner": "timokau",
+        "repo": "marvin-mk2",
+        "rev": "b3dd8c02a5c01dcf0e9cc8789846a0ec980f534b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "timokau",
+        "repo": "marvin-mk2",
+        "type": "github"
+      }
+    },
+    "mmdoc": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-update",
+          "nixpkgs"
+        ],
+        "nixpkgs-for-manual": "nixpkgs-for-manual"
+      },
+      "locked": {
+        "lastModified": 1648942939,
+        "narHash": "sha256-IvXTQcv32LptJGxHjffji1f0XyG+wh566YJuS5dEcoo=",
+        "owner": "ryantm",
+        "repo": "mmdoc",
+        "rev": "a308fd7ef02241216aac5dfa2c584b37fca3c26a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "mmdoc",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1647297614,
+        "narHash": "sha256-ulGq3W5XsrBMU/u5k9d4oPy65pQTkunR4HKKtTq0RwY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "73ad5f9e147c0d2a2061f1d4bd91e05078dc0b58",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-for-manual": {
+      "locked": {
+        "lastModified": 1644686402,
+        "narHash": "sha256-qxQKjsj51pIQ6qJrLOw93m9z+vJCngpRLfPgp2Ib28Q=",
+        "owner": "ryantm",
+        "repo": "nixpkgs",
+        "rev": "78d909765da7e23d5d5d59993bca0ee6a9e3d3ba",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "ref": "minman",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-update": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "mmdoc": "mmdoc",
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1649619611,
+        "narHash": "sha256-WNMY7ey/B3ZVRpEK0K9cUOxgYSbhPCrZ5jbPwlkT/Y8=",
+        "owner": "Mic92",
+        "repo": "nixpkgs-update",
+        "rev": "982fddd51a19251b57ec98c8c5018d3f220b426f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "ref": "build-fixes",
+        "repo": "nixpkgs-update",
+        "type": "github"
+      }
+    },
+    "nixpkgs-update-github-releases": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1580759633,
+        "narHash": "sha256-BILWeSDxOY8S5eRz5eXnRj48xzrzQJ6v6Bv0hVtvNGg=",
+        "owner": "ryantm",
+        "repo": "nixpkgs-update-github-releases",
+        "rev": "e31b003d8edd400d06b718c717c19532585389f9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "nixpkgs-update-github-releases",
+        "type": "github"
+      }
+    },
+    "nixpkgs-update-pypi-releases": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1628829542,
+        "narHash": "sha256-KcCJgTuBh9HITE2mpSHQA36BiFtGW7sLWKVS29biwgM=",
+        "owner": "ryantm",
+        "repo": "nixpkgs-update-pypi-releases",
+        "rev": "56afe60a7fd7ee7f5dac5feeea8a983aba759997",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "nixpkgs-update-pypi-releases",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1649549506,
+        "narHash": "sha256-flgjQ/ZTxobJJS3QWmecyfkYO5j+/WC0IKzyWvK/fs0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "665bb90fc3f6c39cfb290ecc100b3433082e5d64",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1629859457,
+        "narHash": "sha256-JlAU1EboVCOJeMXNLJusf+0vnx++xK1Y4DW5y80zMfY=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "12613bf6d91543db59de89e231eafab72f4dc2e8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1638097282,
+        "narHash": "sha256-EXCzj9b8X/lqDPJapxZThIOKL5ASbpsJZ+8L1LnY1ig=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "78cb77b29d37a9663e05b61abb4fa09465da4b70",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "hercules-ci-effects": "hercules-ci-effects",
+        "marvin-mk2": "marvin-mk2",
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-update": "nixpkgs-update",
+        "nixpkgs-update-github-releases": "nixpkgs-update-github-releases",
+        "nixpkgs-update-pypi-releases": "nixpkgs-update-pypi-releases",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_4"
+      },
+      "locked": {
+        "lastModified": 1647279403,
+        "narHash": "sha256-ZsHfMah9+TElcjaENsaOIFHBNNtSbXmyLFVbiJiAECs=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "c01f48b055ac776f9831c9d4a0fff83e3b74dbe3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,62 @@
+{
+  description = "NixOS configuration of our builders";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    #nixpkgs-update.url = "github:ryantm/nixpkgs-update";
+    nixpkgs-update.url = "github:Mic92/nixpkgs-update/build-fixes";
+    nixpkgs-update-github-releases.url = "github:ryantm/nixpkgs-update-github-releases";
+    nixpkgs-update-github-releases.flake = false;
+    nixpkgs-update-pypi-releases.url = "github:ryantm/nixpkgs-update-pypi-releases";
+    nixpkgs-update-pypi-releases.flake = false;
+    sops-nix.url = "github:Mic92/sops-nix";
+    hercules-ci-effects.url = "github:hercules-ci/hercules-ci-effects";
+    marvin-mk2.url = "github:timokau/marvin-mk2";
+    marvin-mk2.flake = false;
+  };
+
+  outputs = { self
+            , nixpkgs
+            , nixpkgs-update
+            , nixpkgs-update-github-releases
+            , nixpkgs-update-pypi-releases
+            , sops-nix
+            , hercules-ci-effects
+            , marvin-mk2
+            }: {
+    devShell.x86_64-linux = let
+      pkgs = nixpkgs.legacyPackages.x86_64-linux;
+    in pkgs.callPackage ./shell.nix {
+      inherit (sops-nix.packages.x86_64-linux) sops-import-keys-hook;
+    };
+    nixosConfigurations = {
+      build01 = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          ./build01/configuration.nix
+        ];
+      };
+
+      build02 = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          ./build02/configuration.nix
+        ];
+      };
+
+      build03 = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [
+          ./build03/configuration.nix
+        ];
+      };
+
+      build04 = nixpkgs.lib.nixosSystem {
+        system = "aarch64-linux";
+        modules = [
+          ./build04/configuration.nix
+        ];
+      };
+    };
+  };
+}

nix/overlays.nix

@@ -1,25 +0,0 @@
-let
-  nix-community-infra = pkgs: rec {
-    inherit (pkgs)
-      git-crypt
-      niv
-      sops
-      rsync
-      sources;
-    inherit (pkgs.python3.pkgs) invoke;
-
-    terraform = pkgs.terraform.withPlugins (
-      p: [
-        p.cloudflare
-        p.null
-        p.external
-      ]
-    );
-  };
-
-in
-[
-  (self: super: { sources = import ./sources.nix; })
-  (self: super: { nix-community-infra = nix-community-infra super; })
-  (self: super: (import "${super.sources.hercules-ci-effects}/overlay.nix") self super)
-]

services/hydra/default.nix

@@ -92,6 +92,15 @@ in
       ];
     };
 
+    services.hydra.package = pkgs.hydra-unstable.overrideAttrs (old: {
+      patches = old.patches ++ [
+        (pkgs.fetchpatch {
+          url = "https://github.com/NixOS/hydra/commit/089da272c76a8e562239b64cb71fb5b43716efa5.patch";
+          sha256 = "sha256-yRa/Qvyr6Ed7qdaly+DCanWbBYN8JoJhUd5JJkKwpas=";
+        })
+      ];
+    });
+
     sops.secrets.nix-community-cachix = {
       owner = "hydra-queue-runner";
       sopsFile = ../../roles/nix-community-cache.yaml;

shell.nix

@@ -1,24 +1,29 @@
-{ system ? builtins.currentSystem }:
-let
-  sources = import ./nix/sources.nix;
-  pkgs = import ./nix { inherit system; };
-in
-pkgs.mkShell {
-  NIX_PATH = "nixpkgs=${toString pkgs.path}";
+{ pkgs ? import <nixpkgs> {}
+, sops-import-keys-hook
+}:
 
+with pkgs;
+mkShell {
   sopsPGPKeyDirs = [
     "./keys"
   ];
 
-  buildInputs = with pkgs.nix-community-infra; [
+  buildInputs = with pkgs; [
     git-crypt
     niv
     terraform
+    (terraform.withPlugins (
+      p: [
+        p.cloudflare
+        p.null
+        p.external
+      ]
+    ))
     sops
-    invoke
+    python3.pkgs.invoke
     rsync
 
-    (pkgs.callPackage sources.sops-nix {}).sops-import-keys-hook
+    sops-import-keys-hook
   ];
 
   # terraform cloud without the remote execution part

tasks.py

@@ -22,12 +22,9 @@ def deploy_nixos(hosts: List[DeployHost]) -> None:
             f"rsync {' --exclude '.join([''] + RSYNC_EXCLUDES)} -vaF --delete -e ssh . {h.user}@{h.host}:/etc/nixos"
         )
 
-        config = (
-            f"/etc/nixos/{h.host.replace('.nix-community.org', '')}/configuration.nix"
-        )
         # FIXME: build03 has itself as a builder and deadlocks building packages.
         h.run(
-            f"nixos-rebuild switch --builders '' -I nixos-config={config} -I nixpkgs=$(nix-instantiate --eval -E '(import /etc/nixos/nix {{}}).path')"
+            f"nixos-rebuild switch --builders ''"
         )
 
     g.run_function(deploy)