From 9c29a82b46724d0b0f4cc13201f9763d3e913e55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
Date: Sun, 10 Apr 2022 20:57:52 +0200
Subject: [PATCH] switch to flake
---
.envrc | 2 +-
flake.lock | 239 +++++++++++++++++++++++++++++++++++++
flake.nix | 62 ++++++++++
nix/overlays.nix | 25 ----
services/hydra/default.nix | 9 ++
shell.nix | 25 ++--
tasks.py | 5 +-
7 files changed, 327 insertions(+), 40 deletions(-)
create mode 100644 flake.lock
create mode 100644 flake.nix
diff --git a/.envrc b/.envrc
index 1d953f4..3550a30 100644
--- a/.envrc
+++ b/.envrc
@@ -1 +1 @@
-use nix
+use flake
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..1c2dfc6
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,239 @@ +{ + "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1627913399, + "narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "hercules-ci-effects": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1649324058, + "narHash": "sha256-6U/SIhp/8Ht402Ip7pu7qQ7azquwYVCVbZfcv5M+4so=", + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "rev": "14dcd541e4d5315deb3f6941cd5b293945c14584", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "hercules-ci-effects", + "type": "github" + } + }, + "marvin-mk2": { + "flake": false, + "locked": { + "lastModified": 1613145327, + "narHash": "sha256-pP4QuZ/aTOBOJv04AVDXU00l1mgl2I832/InM/3z0js=", + "owner": "timokau", + "repo": "marvin-mk2", + "rev": "b3dd8c02a5c01dcf0e9cc8789846a0ec980f534b", + "type": "github" + }, + "original": { + "owner": "timokau", + "repo": "marvin-mk2", + "type": "github" + } + }, + "mmdoc": { + "inputs": { + "nixpkgs": [ + "nixpkgs-update", + "nixpkgs" + ], + "nixpkgs-for-manual": "nixpkgs-for-manual" + }, + "locked": { + "lastModified": 1648942939, + "narHash": "sha256-IvXTQcv32LptJGxHjffji1f0XyG+wh566YJuS5dEcoo=", + "owner": "ryantm", + "repo": "mmdoc", + "rev": "a308fd7ef02241216aac5dfa2c584b37fca3c26a", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "mmdoc", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1647297614, + "narHash": "sha256-ulGq3W5XsrBMU/u5k9d4oPy65pQTkunR4HKKtTq0RwY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "73ad5f9e147c0d2a2061f1d4bd91e05078dc0b58", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + 
"nixpkgs-for-manual": { + "locked": { + "lastModified": 1644686402, + "narHash": "sha256-qxQKjsj51pIQ6qJrLOw93m9z+vJCngpRLfPgp2Ib28Q=", + "owner": "ryantm", + "repo": "nixpkgs", + "rev": "78d909765da7e23d5d5d59993bca0ee6a9e3d3ba", + "type": "github" + }, + "original": { + "owner": "ryantm", + "ref": "minman", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-update": { + "inputs": { + "flake-compat": "flake-compat", + "mmdoc": "mmdoc", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1649619611, + "narHash": "sha256-WNMY7ey/B3ZVRpEK0K9cUOxgYSbhPCrZ5jbPwlkT/Y8=", + "owner": "Mic92", + "repo": "nixpkgs-update", + "rev": "982fddd51a19251b57ec98c8c5018d3f220b426f", + "type": "github" + }, + "original": { + "owner": "Mic92", + "ref": "build-fixes", + "repo": "nixpkgs-update", + "type": "github" + } + }, + "nixpkgs-update-github-releases": { + "flake": false, + "locked": { + "lastModified": 1580759633, + "narHash": "sha256-BILWeSDxOY8S5eRz5eXnRj48xzrzQJ6v6Bv0hVtvNGg=", + "owner": "ryantm", + "repo": "nixpkgs-update-github-releases", + "rev": "e31b003d8edd400d06b718c717c19532585389f9", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "nixpkgs-update-github-releases", + "type": "github" + } + }, + "nixpkgs-update-pypi-releases": { + "flake": false, + "locked": { + "lastModified": 1628829542, + "narHash": "sha256-KcCJgTuBh9HITE2mpSHQA36BiFtGW7sLWKVS29biwgM=", + "owner": "ryantm", + "repo": "nixpkgs-update-pypi-releases", + "rev": "56afe60a7fd7ee7f5dac5feeea8a983aba759997", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "nixpkgs-update-pypi-releases", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1649549506, + "narHash": "sha256-flgjQ/ZTxobJJS3QWmecyfkYO5j+/WC0IKzyWvK/fs0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "665bb90fc3f6c39cfb290ecc100b3433082e5d64", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": 
"nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1629859457, + "narHash": "sha256-JlAU1EboVCOJeMXNLJusf+0vnx++xK1Y4DW5y80zMfY=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "12613bf6d91543db59de89e231eafab72f4dc2e8", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1638097282, + "narHash": "sha256-EXCzj9b8X/lqDPJapxZThIOKL5ASbpsJZ+8L1LnY1ig=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "78cb77b29d37a9663e05b61abb4fa09465da4b70", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "hercules-ci-effects": "hercules-ci-effects", + "marvin-mk2": "marvin-mk2", + "nixpkgs": "nixpkgs_2", + "nixpkgs-update": "nixpkgs-update", + "nixpkgs-update-github-releases": "nixpkgs-update-github-releases", + "nixpkgs-update-pypi-releases": "nixpkgs-update-pypi-releases", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "lastModified": 1647279403, + "narHash": "sha256-ZsHfMah9+TElcjaENsaOIFHBNNtSbXmyLFVbiJiAECs=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "c01f48b055ac776f9831c9d4a0fff83e3b74dbe3", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..5f12488 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,62 @@
+{
+ description = "NixOS configuration of our builders";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+ #nixpkgs-update.url = "github:ryantm/nixpkgs-update";
+ nixpkgs-update.url = "github:Mic92/nixpkgs-update/build-fixes";
+ nixpkgs-update-github-releases.url = "github:ryantm/nixpkgs-update-github-releases";
+ nixpkgs-update-github-releases.flake = false;
+ nixpkgs-update-pypi-releases.url = "github:ryantm/nixpkgs-update-pypi-releases";
+ nixpkgs-update-pypi-releases.flake = false;
+ sops-nix.url = "github:Mic92/sops-nix";
+ hercules-ci-effects.url = "github:hercules-ci/hercules-ci-effects";
+ marvin-mk2.url = "github:timokau/marvin-mk2";
+ marvin-mk2.flake = false;
+ };
+
+ outputs = { self
+ , nixpkgs
+ , nixpkgs-update
+ , nixpkgs-update-github-releases
+ , nixpkgs-update-pypi-releases
+ , sops-nix
+ , hercules-ci-effects
+ , marvin-mk2
+ }: {
+ devShell.x86_64-linux = let
+ pkgs = nixpkgs.legacyPackages.x86_64-linux;
+ in pkgs.callPackage ./shell.nix {
+ inherit (sops-nix.packages.x86_64-linux) sops-import-keys-hook;
+ };
+ nixosConfigurations = {
+ build01 = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./build01/configuration.nix
+ ];
+ };
+
+ build02 = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./build02/configuration.nix
+ ];
+ };
+
+ build03 = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ./build03/configuration.nix
+ ];
+ };
+
+ build04 = nixpkgs.lib.nixosSystem {
+ system = "aarch64-linux";
+ modules = [
+ ./build04/configuration.nix
+ ];
+ };
+ };
+ };
+}
diff --git a/nix/overlays.nix b/nix/overlays.nix
index b699bcb..e69de29 100644
--- a/nix/overlays.nix
+++ b/nix/overlays.nix
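Review bot: None of the entries in `inputs = { … }` set `inputs.nixpkgs.follows`, so the lock file added in this same patch carries four separate nixpkgs revisions (`nixpkgs`, `nixpkgs_2`, `nixpkgs_3`, `nixpkgs_4`), and the ones locked for sops-nix and nixpkgs-update have noticeably older `lastModified` values than the root's `nixpkgs_2`. The `sops-import-keys-hook` passed to the dev shell comes from `sops-nix.packages`, so it is presumably built against that older pin rather than the nixpkgs the builders are deployed from, which makes it harder to say which package versions handle the secrets. Adding `sops-nix.inputs.nixpkgs.follows = "nixpkgs";` and `hercules-ci-effects.inputs.nixpkgs.follows = "nixpkgs";` would collapse those onto the root pin. `nixpkgs-update` tracks the `build-fixes` branch of a personal fork with the upstream URL only commented out; a comment such as `# temporary fork: switch back to ryantm/nixpkgs-update once the build fixes are merged` above it would record the intent, if that is what it is.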
@@ -1,25 +0,0 @@ -let - nix-community-infra = pkgs: rec { - inherit (pkgs) - git-crypt - niv - sops - rsync - sources; - inherit (pkgs.python3.pkgs) invoke; - - terraform = pkgs.terraform.withPlugins ( - p: [ - p.cloudflare - p.null - p.external - ] - ); - }; - -in -[ - (self: super: { sources = import ./sources.nix; }) - (self: super: { nix-community-infra = nix-community-infra super; }) - (self: super: (import "${super.sources.hercules-ci-effects}/overlay.nix") self super) -] diff --git a/services/hydra/default.nix b/services/hydra/default.nix index 1f0e102..b489759 100644 --- a/services/hydra/default.nix +++ b/services/hydra/default.nix @@ -92,6 +92,15 @@ in ]; }; + services.hydra.package = pkgs.hydra-unstable.overrideAttrs (old: { + patches = old.patches ++ [ + (pkgs.fetchpatch { + url = "https://github.com/NixOS/hydra/commit/089da272c76a8e562239b64cb71fb5b43716efa5.patch"; + sha256 = "sha256-yRa/Qvyr6Ed7qdaly+DCanWbBYN8JoJhUd5JJkKwpas="; + }) + ]; + }); + sops.secrets.nix-community-cachix = { owner = "hydra-queue-runner"; sopsFile = ../../roles/nix-community-cache.yaml; diff --git a/shell.nix b/shell.nix index b6184de..00e7b8b 100644 --- a/shell.nix +++ b/shell.nix @@ -1,24 +1,29 @@ -{ system ? builtins.currentSystem }: -let - sources = import ./nix/sources.nix; - pkgs = import ./nix { inherit system; }; -in -pkgs.mkShell { - NIX_PATH = "nixpkgs=${toString pkgs.path}"; +{ pkgs ? import <nixpkgs> {} +, sops-import-keys-hook +}: +with pkgs; +mkShell { sopsPGPKeyDirs = [ "./keys" ]; - buildInputs = with pkgs.nix-community-infra; [ + buildInputs = with pkgs; [ git-crypt niv terraform + (terraform.withPlugins ( + p: [ + p.cloudflare + p.null + p.external + ] + )) sops - invoke + python3.pkgs.invoke rsync - (pkgs.callPackage sources.sops-nix {}).sops-import-keys-hook + sops-import-keys-hook ]; # terraform cloud without the remote execution part diff --git a/tasks.py b/tasks.py index deca48c..6cf0eec 100644 --- a/tasks.py +++ b/tasks.py 
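Review bot: The `fetchpatch` entry added to `services.hydra.package` has no comment saying what upstream commit `089da272c76a8e562239b64cb71fb5b43716efa5` fixes or when the override can be dropped, so the patch is likely to outlive its purpose or start failing to apply without anyone knowing why it was there. A comment above the override along the lines of `# backport of NixOS/hydra@089da27 (<what it fixes>); remove once pkgs.hydra-unstable contains it` would cover that. The download is pinned by `sha256`, which is what keeps a changed patch from being applied silently, so that part should stay as is. Separately, `old.patches ++ [ … ]` fails at evaluation if the package ever stops defining `patches`; `patches = (old.patches or []) ++ [` is the usual defensive form. The enclosing attribute set starts and ends outside this hunk.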
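Review bot: `buildInputs` now contains terraform twice: the unchanged plain `terraform` entry and the added `(terraform.withPlugins (…))`. Before this change `terraform` resolved to the plugin-wrapped build from `pkgs.nix-community-infra`; under `with pkgs;` it is the bare package, so two `terraform` binaries end up in the shell and, if the bare one is the one found first, the cloudflare/null/external providers no longer come from the pinned Nix closure. Dropping the plain `terraform` line leaves only the wrapped one. Also, `sops-import-keys-hook` has no default, so a bare `nix-shell` fails on the missing argument, and the `pkgs ? import <nixpkgs> {}` fallback would use whatever channel is on NIX_PATH rather than the locked nixpkgs; a comment like `# entered through the flake's devShell; not meant for a bare nix-shell` at the top would make that explicit.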
@@ -22,12 +22,9 @@ def deploy_nixos(hosts: List[DeployHost]) -> None: f"rsync {' --exclude '.join([''] + RSYNC_EXCLUDES)} -vaF --delete -e ssh . {h.user}@{h.host}:/etc/nixos" ) - config = ( - f"/etc/nixos/{h.host.replace('.nix-community.org', '')}/configuration.nix" - ) # FIXME: build03 has itself as a builder and deadlocks building packages. h.run( - f"nixos-rebuild switch --builders '' -I nixos-config={config} -I nixpkgs=$(nix-instantiate --eval -E '(import /etc/nixos/nix {{}}).path')" + f"nixos-rebuild switch --builders ''" ) g.run_function(deploy)
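Review bot: The new `nixos-rebuild switch --builders ''` command no longer says which configuration to build, whereas the removed lines derived it from `h.host`. With the flake rsynced to /etc/nixos, nixos-rebuild presumably picks the `nixosConfigurations` attribute from the machine's own hostname, so the deploy now depends on each host's hostname being exactly `build01` … `build04`, a coupling that is not visible in tasks.py. Naming the target keeps the previous guarantee: `f"nixos-rebuild switch --builders '' --flake /etc/nixos#{h.host.replace('.nix-community.org', '')}"`. As written the string has no placeholders, so the `f` prefix is unused. The body of `deploy` starts outside this hunk.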