diff --git a/.github/workflows/nodes.yml b/.github/workflows/nodes.yml index 8422ac5b..3b0d4a80 100644 --- a/.github/workflows/nodes.yml +++ b/.github/workflows/nodes.yml @@ -28,6 +28,68 @@ jobs: args: -u .github/workflows/nodes.yml .ci/workflow.yml attrs: nixpkgs.diffutils command: diff + ct: + name: nodes-ct + runs-on: ubuntu-latest + steps: + - id: checkout + name: git clone + uses: actions/checkout@v3 + with: + submodules: false + - id: nix-install + name: nix install + uses: arcnmx/ci/actions/nix/install@v0.6 + - id: ci-setup + name: nix setup + uses: arcnmx/ci/actions/nix/run@v0.6 + with: + attrs: ci.job.ct.run.bootstrap + quiet: false + - id: architectures + name: prepare for emulated builds + run: 'sudo $(which archbinfmt) + + ' + - id: ci-dirty + name: nix test dirty + uses: arcnmx/ci/actions/nix/run@v0.6 + with: + attrs: ci.job.ct.run.test + command: ci-build-dirty + quiet: false + stdout: ${{ runner.temp }}/ci.build.dirty + - id: ci-test + name: nix test build + uses: arcnmx/ci/actions/nix/run@v0.6 + with: + attrs: ci.job.ct.run.test + command: ci-build-realise + ignore-exit-code: true + quiet: false + stdin: ${{ runner.temp }}/ci.build.dirty + - env: + CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }} + id: ci-summary + name: nix test results + uses: arcnmx/ci/actions/nix/run@v0.6 + with: + attrs: ci.job.ct.run.test + command: ci-build-summarise + quiet: false + stdin: ${{ runner.temp }}/ci.build.dirty + stdout: ${{ runner.temp }}/ci.build.cache + - env: + CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }} + id: ci-cache + if: always() + name: nix test cache + uses: arcnmx/ci/actions/nix/run@v0.6 + with: + attrs: ci.job.ct.run.test + command: ci-build-cache + quiet: false + stdin: ${{ runner.temp }}/ci.build.cache hakurei: name: nodes-hakurei runs-on: ubuntu-latest 
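Review bot: `secrets.CACHIX_SIGNING_KEY` is handed to `arcnmx/ci/actions/nix/run@v0.6`, a third-party action referenced by a mutable tag, so anyone who can move `v0.6` (or who compromises that repository) can read the signing key on the next run; `actions/checkout@v3` has the same exposure and is also a superseded major. Pin both to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: arcnmx/ci/actions/nix/run@<40-char sha> # v0.6`. The `diff` step earlier in this file compares `nodes.yml` against `.ci/workflow.yml`, which suggests the workflow is generated, so the pin presumably has to go into the generator rather than into this file—confirm. It is also worth confirming that `ci-build-cache` tolerates an empty key, since `if: always()` runs it on fork pull requests where secrets are not available.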
@@ -152,68 +214,6 @@ jobs: command: ci-build-cache quiet: false stdin: ${{ runner.temp }}/ci.build.cache - reisen-ct: - name: nodes-reisen-ct - runs-on: ubuntu-latest - steps: - - id: checkout - name: git clone - uses: actions/checkout@v3 - with: - submodules: false - - id: nix-install - name: nix install - uses: arcnmx/ci/actions/nix/install@v0.6 - - id: ci-setup - name: nix setup - uses: arcnmx/ci/actions/nix/run@v0.6 - with: - attrs: ci.job.reisen-ct.run.bootstrap - quiet: false - - id: architectures - name: prepare for emulated builds - run: 'sudo $(which archbinfmt) - - ' - - id: ci-dirty - name: nix test dirty - uses: arcnmx/ci/actions/nix/run@v0.6 - with: - attrs: ci.job.reisen-ct.run.test - command: ci-build-dirty - quiet: false - stdout: ${{ runner.temp }}/ci.build.dirty - - id: ci-test - name: nix test build - uses: arcnmx/ci/actions/nix/run@v0.6 - with: - attrs: ci.job.reisen-ct.run.test - command: ci-build-realise - ignore-exit-code: true - quiet: false - stdin: ${{ runner.temp }}/ci.build.dirty - - env: - CI_EXIT_CODE: ${{ steps.ci-test.outputs.exit-code }} - id: ci-summary - name: nix test results - uses: arcnmx/ci/actions/nix/run@v0.6 - with: - attrs: ci.job.reisen-ct.run.test - command: ci-build-summarise - quiet: false - stdin: ${{ runner.temp }}/ci.build.dirty - stdout: ${{ runner.temp }}/ci.build.cache - - env: - CACHIX_SIGNING_KEY: ${{ secrets.CACHIX_SIGNING_KEY }} - id: ci-cache - if: always() - name: nix test cache - uses: arcnmx/ci/actions/nix/run@v0.6 - with: - attrs: ci.job.reisen-ct.run.test - command: ci-build-cache - quiet: false - stdin: ${{ runner.temp }}/ci.build.cache tei: name: nodes-tei runs-on: ubuntu-latest diff --git a/ci/deploy.sh b/ci/deploy.sh index f8e581d2..cdda3558 100755 --- a/ci/deploy.sh +++ b/ci/deploy.sh 
@@ -4,7 +4,7 @@ set -eu NF_CONFIG_ROOT=${NF_CONFIG_ROOT-.} NF_HOST=${NF_HOST-tewi} -NIXOS_TOPLEVEL=network.nodes.$NF_HOST.system.build.toplevel +NIXOS_TOPLEVEL=nixosConfigurations.$NF_HOST.config.system.build.toplevel NF_ADDR=${NF_ADDR-${NF_HOST}.local} if [[ $NF_ADDR = tewi.local ]]; then @@ -19,7 +19,7 @@ fi if [[ $1 = tarball ]]; then shift set -- build "$@" - NIXOS_TOPLEVEL=network.nodes.$NF_HOST.system.build.tarball + NIXOS_TOPLEVEL=nixosConfigurations.$NF_HOST.config.system.build.tarball fi if [[ $1 = build ]]; then diff --git a/ci/flake-cron.nix b/ci/flake-cron.nix index 37853b46..8dd7d404 100644 --- a/ci/flake-cron.nix +++ b/ci/flake-cron.nix @@ -98,14 +98,14 @@ in { command = let filteredHosts = [ "hakurei" "tei" "mediabox" ]; gcBetweenHosts = false; - nodeBuildString = concatMapStringsSep " && " (node: "nix build -Lf . network.nodes.${node}.system.build.toplevel -o result-${node}" + optionalString gcBetweenHosts " && nix-collect-garbage -d") filteredHosts; + nodeBuildString = concatMapStringsSep " && " (node: "nix build -Lf . nixosConfigurations.${node}.config.system.build.toplevel -o result-${node}" + optionalString gcBetweenHosts " && nix-collect-garbage -d") filteredHosts; in '' # ${toString builtins.currentTime} nix flake update if git status --porcelain | grep -qF flake.lock; then git -P diff flake.lock - echo "checking that network.nodes.still build..." >&2 + echo "checking that nodes still build..." >&2 if ${nodeBuildString}; then if [[ -n $CACHIX_SIGNING_KEY ]]; then cachix push gensokyo-infrastructure result*/ & diff --git a/ci/nodes.nix b/ci/nodes.nix index 3ad5c4c3..9827736e 100644 --- a/ci/nodes.nix +++ b/ci/nodes.nix 
@@ -60,10 +60,10 @@ with lib; { }; jobs = let - enabledHosts = ["hakurei" "tei" "mediabox" "reisen-ct"]; + enabledHosts = ["hakurei" "tei" "mediabox" "ct"]; in mapAttrs' (k: nameValuePair "${k}") (genAttrs enabledHosts (host: { - tasks.${host}.inputs = channels.nixfiles.nixosConfigurations.${host}.system.build.toplevel; + tasks.${host}.inputs = channels.nixfiles.nixosConfigurations.${host}.config.system.build.toplevel; })); ci.gh-actions.checkoutOptions.submodules = false; diff --git a/devShell.nix b/devShell.nix index 21fcd6fd..bf574d8b 100644 --- a/devShell.nix +++ b/devShell.nix @@ -2,8 +2,7 @@ inputs, system, }: let - meta = import ./outputs.nix {inherit inputs;}; - pkgs = meta.legacyPackages.${system}; + pkgs = inputs.nixpkgs.legacyPackages.${system}; nf-actions = pkgs.writeShellScriptBin "nf-actions" '' NF_CONFIG_FILES=($NF_CONFIG_ROOT/ci/{nodes,flake-cron}.nix) for f in "''${NF_CONFIG_FILES[@]}"; do @@ -13,7 +12,7 @@ ''; nf-actions-test = pkgs.writeShellScriptBin "nf-actions-test" '' set -eu - for host in hakurei tei mediabox reisen-ct; do + for host in hakurei tei mediabox ct; do nix run --argstr config "$NF_CONFIG_ROOT/ci/nodes.nix" -f '${inputs.ci}' job.$host.test done ''; diff --git a/flake.lock b/flake.lock index b7321291..b2b7aa67 100644 --- a/flake.lock +++ b/flake.lock @@ -1,7 +1,11 @@ { "nodes": { "arcexprs": { - "flake": false, + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, "locked": { "lastModified": 1706385294, "narHash": "sha256-mGqas+TDp2DtR7ufx10SDlKnL+aRZ/jhbkGYlF8NLO4=", diff --git a/flake.nix b/flake.nix index 9ef3df92..17ad6ece 100644 --- a/flake.nix +++ b/flake.nix @@ -4,7 +4,7 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; arcexprs = { url = "github:arcnmx/nixexprs/master"; - flake = false; + inputs.nixpkgs.follows = "nixpkgs"; }; std = { url = "github:chessai/nix-std"; diff --git a/modules/meta/access.nix b/modules/meta/access.nix new file mode 100644 index 00000000..4e2e1051 --- /dev/null +++ b/modules/meta/access.nix 
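Review bot: The host list in `nf-actions-test` (`for host in hakurei tei mediabox ct`) duplicates `enabledHosts` in ci/nodes.nix, and this very commit had to edit both in lockstep; the next rename will silently desynchronise them. Keep the list in one place—e.g. a small `ci/hosts.nix` returning `["hakurei" "tei" "mediabox" "ct"]`—and have both sides read it: `enabledHosts = import ./hosts.nix;` in ci/nodes.nix and `for host in ${toString (import ./ci/hosts.nix)}; do` in devShell.nix. The `nf-actions-test` script body continues past the hunk.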
@@ -0,0 +1,32 @@ +{ + config, + access, + ... +}: let + nixosModule = { + config, + ... + }: { + config = { + _module.args.access = access // { + systemFor = hostName: if hostName == config.networking.hostName + then config + else access.systemFor hostName; + systemForOrNull = hostName: if hostName == config.networking.hostName + then config + else access.systemForOrNull hostName; + }; + }; + }; +in { + config = { + network.nixos.extraModules = [ + nixosModule + ]; + + _module.args.access = { + systemFor = hostName: config.network.nodes.${hostName}; + systemForOrNull = hostName: config.network.nodes.${hostName} or null; + }; + }; +} diff --git a/modules/nixos/access.nix b/modules/nixos/access.nix index c60d7a9f..429ea8be 100644 --- a/modules/nixos/access.nix +++ b/modules/nixos/access.nix @@ -1,4 +1,5 @@ { + inputs, config, lib, ... @@ -95,4 +96,16 @@ in { ]; }; }; + + config._module.args.access = let + systemFor = hostName: inputs.self.nixosConfigurations.${hostName}.config; + systemForOrNull = hostName: inputs.self.nixosConfigurations.${hostName}.config or null; + in { + systemFor = hostName: if hostName == config.networking.hostName + then config + else systemFor hostName; + systemForOrNull = hostName: if hostName == config.networking.hostName + then config + else systemForOrNull hostName; + }; } diff --git a/nixos/base/nixpkgs.nix b/nixos/base/nixpkgs.nix index 880105c5..20644316 100644 --- a/nixos/base/nixpkgs.nix +++ b/nixos/base/nixpkgs.nix @@ -1,5 +1,17 @@ -_: { +{ + inputs, + ... +}: { nixpkgs = { - config.allowUnfree = true; + overlays = [ + (import ../../overlays/local) + inputs.arcexprs.overlays.default + ]; + config = { + allowUnfree = true; + permittedInsecurePackages = [ + "openssl-1.1.1w" + ]; + }; }; } diff --git a/outputs.nix b/outputs.nix index 5340a259..5009ef19 100644 --- a/outputs.nix +++ b/outputs.nix 
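Review bot: The new module has no comment explaining what `access` is for or why the injected `nixosModule` special-cases the node's own `networking.hostName`; a reader has to reconstruct that from the closure. I'd add a header along the lines of `# Exposes access.systemFor / access.systemForOrNull as module args so one node's modules can read another node's evaluated config (via config.network.nodes); inside each NixOS eval a lookup of the node's own hostName returns its own config instead of going back through network.nodes`. It is also worth stating in that comment that `systemFor` throws on an unknown host while `systemForOrNull` returns `null`, so callers pick deliberately.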
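Review bot: `_module.args.access` is now defined in two places for a NixOS evaluation: here, resolving other hosts through `inputs.self.nixosConfigurations`, and in the `nixosModule` that modules/meta/access.nix injects via `network.nixos.extraModules`, resolving through `config.network.nodes`. If a node picks up both modules, the module system has to merge two definitions of the same `_module.args` key—on recent nixpkgs, where I believe `_module.args` is `lazyAttrsOf raw`, that is a conflicting-definitions error, and on older ones a shallow merge where one definition silently wins. Either drop one of the two or make them share a single lookup implementation. The enclosing module body starts outside the hunk.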
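Review bot: `permittedInsecurePackages = [ "openssl-1.1.1w" ]` lands in nixos/base/nixpkgs.nix, so every host importing the base module now accepts an end-of-life OpenSSL that nixpkgs marks insecure, and the hunk does not say which package needs it. Move the allowance into the module of the host or service that actually pulls in openssl 1.1 and annotate it, e.g. `# <package> still links against openssl 1.1; drop once it builds with 3.x (tracked in <issue>)`, so the exception is scoped and has an owner. The same hunk also applies `inputs.arcexprs.overlays.default` to every host's nixpkgs—presumably intended, but it widens the set of third-party-overridden packages on all nodes, which deserves a one-line comment too.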
@@ -20,6 +20,11 @@ (system: rec { devShells.default = import ./devShell.nix {inherit system inputs;}; }); + packages = + inputs.flake-utils.lib.eachDefaultSystem + (system: rec { + packages = import ./packages {inherit system inputs lib;}; + }); std = import ./std.nix {inherit inputs;}; inherit (std) set; checks = set.map (_: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib; @@ -31,3 +36,4 @@ in } // systems // shells + // packages diff --git a/overlays/default.nix b/overlays/default.nix index 06238e3a..9ab02bb0 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -8,16 +8,14 @@ inputs.flake-utils.lib.eachDefaultSystem (system: { (import ./local) (import ./lib) inputs.deploy-rs.overlay + inputs.arcexprs.overlays.default (final: prev: { jemalloc = if final.hostPlatform != "aarch64-darwin" then prev.jemalloc else null; }) - ] - ++ (map (path: import "${path}/overlay.nix") [ - inputs.arcexprs - ]); + ]; config = { allowUnfree = true; allowBroken = true; diff --git a/packages/default.nix b/packages/default.nix new file mode 100644 index 00000000..f4f69f4d --- /dev/null +++ b/packages/default.nix 
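Review bot: Untouched by this commit but sitting right next to the new `inputs.arcexprs.overlays.default` entry, the overlay `jemalloc = if final.hostPlatform != "aarch64-darwin" then prev.jemalloc else null;` compares the `hostPlatform` attrset with a string, which is always unequal, so the `else null` branch can never be taken. If the intent is to drop jemalloc on Apple Silicon it should read `final.hostPlatform.system != "aarch64-darwin"`; if jemalloc builds there now, delete the overlay entry instead. The enclosing `eachDefaultSystem` function starts before the hunk.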
@@ -0,0 +1,64 @@ +{ + system, + inputs, + lib, +}: let + inherit (lib.options) mkOption; + inherit (lib.types) attrsOf package; + inherit (lib.meta) getExe; + inherit (lib.strings) concatStringsSep concatMapStringsSep; + packages = inputs.self.packages.${system}; + pkgs = inputs.nixpkgs.legacyPackages.${system}; + fmt = import ../ci/fmt.nix; + output = { + inherit (pkgs.buildPackages) + terraform tflint + alejandra deadnix statix + ; + nf-deploy = pkgs.writeShellScriptBin "nf-deploy" '' + exec ${pkgs.runtimeShell} ${../ci/deploy.sh} "$@" + ''; + nf-statix = pkgs.writeShellScriptBin "nf-statix" '' + if [[ $# -eq 0 ]]; then + set -- check + fi + + if [[ ''${1-} = check ]]; then + shift + set -- check --config ${../ci/statix.toml} "$@" + fi + + exec ${getExe packages.statix} "$@" + ''; + nf-deadnix = let + inherit (fmt.nix) blacklistDirs; + excludes = "${getExe pkgs.buildPackages.findutils} ${concatStringsSep " " blacklistDirs} -type f"; + in pkgs.writeShellScriptBin "nf-deadnix" '' + exec ${getExe packages.deadnix} "$@" \ + --no-lambda-arg \ + --exclude $(${excludes}) + ''; + nf-alejandra = let + inherit (fmt.nix) blacklistDirs; + excludes = concatMapStringsSep " " (dir: "--exclude ${dir}") blacklistDirs; + in pkgs.writeShellScriptBin "nf-alejandra" '' + exec ${getExe packages.alejandra} \ + ${excludes} \ + "$@" + ''; + nf-lint-tf = pkgs.writeShellScriptBin "nf-lint-tf" '' + ${getExe packages.terraform} fmt "$@" && + ${packages.tflint}/bin/tflint + ''; + nf-lint-nix = pkgs.writeShellScriptBin "nf-lint-nix" '' + ${getExe packages.nf-statix} check "$@" && + ${getExe packages.nf-deadnix} -f "$@" + ''; + nf-fmt-nix = let + inherit (fmt.nix) whitelist; + includes = concatStringsSep " " whitelist; + in pkgs.writeShellScriptBin "nf-fmt-nix" '' + exec ${getExe packages.nf-alejandra} ${includes} "$@" + ''; + }; +in output diff --git a/readme.md b/readme.md index e519d8a3..de6af0dd 100644 --- a/readme.md +++ b/readme.md 
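Review bot: In `nf-deadnix`, `--exclude $(${excludes})` expands the `find` output unquoted, so any excluded path containing whitespace or glob characters is split or globbed, and when `find` prints nothing `--exclude` is left without an argument and deadnix will presumably reject the invocation. Collect the paths into an array and pass the flag only when non-empty: `mapfile -t excludes < <(${excludes})` before the `exec`, then `''${excludes[@]+--exclude "''${excludes[@]}"}` in place of `--exclude $(${excludes})`. Separately, `nf-lint-tf` runs `terraform fmt` without `-check`, so a "lint" invocation rewrites the .tf files in place; if it is meant for CI, `terraform fmt -check -diff "$@"` is the non-mutating form.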
@@ -51,5 +51,5 @@ vim .sops.yaml ### Template ```shell -NF_HOST=reisen-ct nf-deploy tarball +NF_HOST=ct nf-deploy tarball ```