diff --git a/.envrc b/.envrc index 5caf4bb6..e60d2efe 100644 --- a/.envrc +++ b/.envrc @@ -9,4 +9,5 @@ source_env_if_exists .envrc.conf use flake "${FLAKE_ARGS[@]}" export FLAKE_OPTS=${FLAKE_OPTS:-"${FLAKE_ARGS[*]}"} -watch_file devShell.nix +watch_file outputs.nix +watch_file devShells.nix diff --git a/ci/fmt.nix b/ci/fmt.nix index 0f106fd8..2d30d861 100644 --- a/ci/fmt.nix +++ b/ci/fmt.nix @@ -1,7 +1,25 @@ { nix = { whitelist = [ + "systems/default.nix" + "systems/ct/default.nix" + "systems/ct/nixos.nix" + "systems/hakurei/default.nix" + "systems/kuwubernetes/default.nix" + "systems/kuwubernetes/nixos.nix" + "systems/mediabox/default.nix" "systems/mediabox/nixos.nix" + "systems/reimu/default.nix" + "systems/tei/default.nix" + "systems/tei/nixos.nix" + "systems/tei/cloudflared.nix" + "systems/tewi/default.nix" + "systems/tewi/nixos.nix" + "overlays/default.nix" + "devShells.nix" + "shell.nix" + "outputs.nix" + "tree.nix" ]; blacklistDirs = [ "overlays" diff --git a/devShell.nix b/devShell.nix deleted file mode 100644 index 3b956e43..00000000 --- a/devShell.nix +++ /dev/null 
@@ -1,116 +0,0 @@ -{ - inputs, - system, -}: let - inherit (inputs.self.legacyPackages.${system}) pkgs; - nf-actions = pkgs.writeShellScriptBin "nf-actions" '' - NF_CONFIG_FILES=($NF_CONFIG_ROOT/ci/{nodes,flake-cron}.nix) - for f in "''${NF_CONFIG_FILES[@]}"; do - echo $f - nix run --argstr config "$f" -f '${inputs.ci}' run.gh-actions-generate - done - ''; - nf-actions-test = pkgs.writeShellScriptBin "nf-actions-test" '' - set -eu - for host in hakurei reimu tei mediabox ct; do - nix run --argstr config "$NF_CONFIG_ROOT/ci/nodes.nix" -f '${inputs.ci}' job.$host.test - done - ''; - nf-update = pkgs.writeShellScriptBin "nf-update" '' - exec nix flake update "$@" - ''; - nf-deploy = pkgs.writeShellScriptBin "nf-deploy" '' - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-deploy" -- "$@" - ''; - nf-setup-node = pkgs.writeShellScriptBin "nf-setup-node" '' - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-setup-node" -- "$@" - ''; - nf-sops-keyscan = pkgs.writeShellScriptBin "nf-sops-keyscan" '' - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-sops-keyscan" -- "$@" - ''; - nf-ssh = pkgs.writeShellScriptBin "nf-ssh" '' - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-ssh" -- "$@" - ''; - nf-build = pkgs.writeShellScriptBin "nf-build" '' - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-build" -- "$@" - ''; - nf-tarball = pkgs.writeShellScriptBin "nf-tarball" '' - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-tarball" -- "$@" - ''; - nf-tf = pkgs.writeShellScriptBin "nf-tf" '' - cd "$NF_CONFIG_ROOT/tf" - if [[ $# -eq 0 ]]; then - exec nix shell ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#terraform" -c bash -c "terraform init && terraform plan" - else - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#terraform" -- "$@" - fi - ''; - nf-lint-tf = pkgs.writeShellScriptBin "nf-lint-tf" '' - cd "$NF_CONFIG_ROOT/tf" - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-lint-tf" -- "$@" - ''; - nf-lint-nix = pkgs.writeShellScriptBin "nf-lint-nix" '' - cd "$NF_CONFIG_ROOT" - 
exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-lint-nix" -- "$@" - ''; - nf-fmt-nix = pkgs.writeShellScriptBin "nf-fmt-nix" '' - cd "$NF_CONFIG_ROOT" - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-fmt-nix" -- "$@" - ''; - nf-alejandra = pkgs.writeShellScriptBin "alejandra" '' - cd "$NF_CONFIG_ROOT" - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-alejandra" -- "$@" - ''; - nf-statix = pkgs.writeShellScriptBin "statix" '' - cd "$NF_CONFIG_ROOT" - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-statix" -- "$@" - ''; - nf-deadnix = pkgs.writeShellScriptBin "deadnix" '' - cd "$NF_CONFIG_ROOT" - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#nf-deadnix" -- "$@" - ''; - nf-kustomize = pkgs.writeShellScriptBin "kustomize" '' - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#pkgs.kustomize" -- "$@" - ''; - nf-argocd = pkgs.writeShellScriptBin "argocd" '' - exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#pkgs.argocd" -- "$@" - ''; - nf-deploy-rs = pkgs.writeShellScriptBin "deploy" '' - cd "$NF_CONFIG_ROOT" - exec nix shell ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#deploy-rs" -c deploy "$@" - ''; -in - pkgs.mkShell { - nativeBuildInputs = with pkgs; [ - inetutils - sops - nf-actions - nf-actions-test - nf-update - nf-deploy - nf-setup-node - nf-sops-keyscan - nf-ssh - nf-build - nf-tarball - nf-tf - nf-lint-tf - nf-lint-nix - nf-fmt-nix - nf-alejandra - nf-statix - nf-deadnix - nf-kustomize - nf-argocd - nf-deploy-rs - ]; - shellHook = '' - export NIX_BIN_DIR=$(dirname $(readlink -f $(type -P nix))) - export HOME_UID=$(id -u) - export HOME_USER=$(id -un) - export CI_PLATFORM="impure" - export NF_CONFIG_ROOT=''${NF_CONFIG_ROOT-${toString ./.}} - export NIX_PATH="$NIX_PATH:home=$NF_CONFIG_ROOT" - export NIX_SSHOPTS="''${NIX_SSHOPTS--p62954}" - ''; - } diff --git a/devShells.nix b/devShells.nix new file mode 100644 index 00000000..53341c8a --- /dev/null +++ b/devShells.nix 
@@ -0,0 +1,98 @@ +{ + inputs, + system, +}: let + inherit (inputs.self.legacyPackages.${system}) pkgs; + inherit (inputs.self.lib.nixlib) optionalString; + mkWrapper = { + name, + attr ? name, + subdir ? null, + }: + pkgs.writeShellScriptBin name '' + ${optionalString (subdir != null) ''cd "$NF_CONFIG_ROOT${subdir}"''} + exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#${attr}" -- "$@" + ''; + nf-actions = pkgs.writeShellScriptBin "nf-actions" '' + NF_CONFIG_FILES=($NF_CONFIG_ROOT/ci/{nodes,flake-cron}.nix) + for f in "''${NF_CONFIG_FILES[@]}"; do + echo $f + nix run --argstr config "$f" -f '${inputs.ci}' run.gh-actions-generate + done + ''; + nf-actions-test = pkgs.writeShellScriptBin "nf-actions-test" '' + set -eu + for host in hakurei reimu tei mediabox ct; do + nix run --argstr config "$NF_CONFIG_ROOT/ci/nodes.nix" -f '${inputs.ci}' job.$host.test + done + ''; + nf-update = pkgs.writeShellScriptBin "nf-update" '' + exec nix flake update "$@" + ''; + nf-tf = pkgs.writeShellScriptBin "nf-tf" '' + cd "$NF_CONFIG_ROOT/tf" + if [[ $# -eq 0 ]]; then + exec nix shell ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#terraform" -c bash -c "terraform init && terraform plan" + else + exec nix run ''${FLAKE_OPTS-} "$NF_CONFIG_ROOT#terraform" -- "$@" + fi + ''; + default = pkgs.mkShell { + nativeBuildInputs = with pkgs; [ + inetutils + sops + nf-actions + nf-actions-test + nf-update + nf-tf + (mkWrapper {name = "nf-deploy";}) + (mkWrapper {name = "nf-setup-node";}) + (mkWrapper {name = "nf-sops-keyscan";}) + (mkWrapper {name = "nf-ssh";}) + (mkWrapper {name = "nf-build";}) + (mkWrapper {name = "nf-tarball";}) + (mkWrapper { + name = "nf-lint-tf"; + subdir = "/tf"; + }) + (mkWrapper { + name = "nf-lint-nix"; + subdir = ""; + }) + (mkWrapper { + name = "nf-fmt-nix"; + subdir = ""; + }) + (mkWrapper {name = "nf-alejandra";}) + (mkWrapper { + name = "statix"; + attr = "nf-statix"; + }) + (mkWrapper { + name = "deadnix"; + attr = "nf-deadnix"; + }) + (mkWrapper { + name = "kustomize"; + attr = 
"pkgs.kustomize"; + }) + (mkWrapper { + name = "argocd"; + attr = "pkgs.argocd"; + }) + (mkWrapper { + name = "deploy"; + attr = "deploy-rs"; + }) + ]; + shellHook = '' + export NIX_BIN_DIR=$(dirname $(readlink -f $(type -P nix))) + export HOME_UID=$(id -u) + export HOME_USER=$(id -un) + export CI_PLATFORM="impure" + export NF_CONFIG_ROOT=''${NF_CONFIG_ROOT-${toString ./.}} + ''; + }; +in { + inherit default; +} diff --git a/flake.lock b/flake.lock index 5f87268f..fb0fb3b0 100644 --- a/flake.lock +++ b/flake.lock @@ -152,6 +152,18 @@ "type": "github" } }, + "nixpkgs-patch-k8s-pki": { + "flake": false, + "locked": { + "narHash": "sha256-Qz3TV1Z/pdKxLqOoV/bmprlmlAfJpTsHUCiWXVgoukw=", + "type": "file", + "url": "https://github.com/NixOS/nixpkgs/pull/275896/commits/9c870ac78f6157260ba1f96f9ce077ce84478532.patch" + }, + "original": { + "type": "file", + "url": "https://github.com/NixOS/nixpkgs/pull/275896/commits/9c870ac78f6157260ba1f96f9ce077ce84478532.patch" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1705957679, @@ -193,6 +205,7 @@ "flake-utils": "flake-utils", "flakelib": "flakelib", "nixpkgs": "nixpkgs", + "nixpkgs-patch-k8s-pki": "nixpkgs-patch-k8s-pki", "nur": "nur", "sops-nix": "sops-nix", "std": "std", diff --git a/flake.nix b/flake.nix index 31197035..23035011 100644 --- a/flake.nix +++ b/flake.nix @@ -2,6 +2,11 @@ description = "kat's nixfiles"; inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + nixpkgs-patch-k8s-pki = { + # https://github.com/NixOS/nixpkgs/pull/275896 + url = "https://github.com/NixOS/nixpkgs/pull/275896/commits/9c870ac78f6157260ba1f96f9ce077ce84478532.patch"; + flake = false; + }; arcexprs = { url = "github:arcnmx/nixexprs/master"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/inputs.nix b/inputs.nix deleted file mode 100644 index 6ec446dc..00000000 --- a/inputs.nix +++ /dev/null 
@@ -1,10 +0,0 @@ -let - lock = builtins.fromJSON (builtins.readFile ./flake.lock); - flakeCompat = fetchTarball { - url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz"; - sha256 = lock.nodes.flake-compat.locked.narHash; - }; - nixfiles = import flakeCompat { - src = ./.; - }; -in nixfiles.defaultNix.inputs diff --git a/nixos/k8s.nix b/nixos/k8s.nix index 2e223802..8abd66cd 100644 --- a/nixos/k8s.nix +++ b/nixos/k8s.nix @@ -1,4 +1,6 @@ { + inputs, + system, config, pkgs, lib, @@ -10,6 +12,21 @@ kubeMasterHostname = "k8s.gensokyo.zone"; kubeMasterAPIServerPort = 6443; in { + # apply fix: https://github.com/NixOS/nixpkgs/pull/275896 + imports = let + pkiModulePath = "services/cluster/kubernetes/pki.nix"; + inherit (inputs.self.legacyPackages.${system}) patchedNixpkgs; + in [ + (_: { + imports = [ + (patchedNixpkgs + "/nixos/modules/${pkiModulePath}") + ]; + disabledModules = [ + pkiModulePath + ]; + }) + ]; + # packages for administration tasks environment.systemPackages = with pkgs; [ kompose diff --git a/outputs.nix b/outputs.nix index c3c13af4..18ae1bbd 100644 --- a/outputs.nix +++ b/outputs.nix 
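Review bot: The added `imports` block evaluates `inputs.self.legacyPackages.${system}` during module collection, which only works if both `inputs` and `system` reach the module through `specialArgs`; if either comes via `_module.args` — and the visible `defaultSpecialArgs` in systems/default.nix carries `inputs` and `std` but not `system`, unless it is added elsewhere — evaluation fails with an infinite-recursion error rather than a clear message. Passing `patchedNixpkgs` (or `system`) explicitly in the host's `specialArgs` would make the dependency visible, and a comment on the override, e.g. `# swap the stock pki module for the version from the patched nixpkgs; remove together with the nixpkgs-patch-k8s-pki input once PR 275896 lands`, would tell a maintainer when it can go. The `in {` attrset this hunk adds to continues past the end of the hunk.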
@@ -1,34 +1,58 @@ {inputs}: let - patchedInputs = import ./patchedInputs.nix {inherit inputs;}; - inherit - (import ./overlays { - inputs = patchedInputs; - }) - pkgs - ; - inherit (inputs.nixpkgs) lib; tree = import ./tree.nix { - inherit pkgs; - inputs = patchedInputs; + inherit inputs; }; systems = import ./systems { - inherit inputs lib std pkgs; + inherit inputs; tree = tree.impure; }; outputs = inputs.flake-utils.lib.eachDefaultSystem - (system: rec { - devShells.default = import ./devShell.nix {inherit system inputs;}; - packages = import ./packages {inherit system inputs lib;}; - legacyPackages.pkgs = pkgs.${system}; + (system: let + legacyPackages = inputs.self.legacyPackages.${system}; + inherit (legacyPackages) pkgs; + in { + devShells = import ./devShells.nix {inherit system inputs;}; + packages = import ./packages {inherit system inputs;}; + legacyPackages = { + inherit (import ./overlays {inherit system inputs;}) pkgs; + patchedNixpkgs = pkgs.applyPatches { + name = "nixpkgs"; + src = inputs.nixpkgs; + patches = [ + inputs.nixpkgs-patch-k8s-pki + ]; + }; + deploy-rs = let + deployLib = + inputs.deploy-rs.lib.${system} + or rec { + activate = throw "deploy-rs.lib.${system} unsupported"; + setActivate = activate; + deployChecks = _: {}; + }; + deploy-rs = + inputs.deploy-rs.packages.${system}.default + or pkgs.${system}.deploy-rs.deploy-rs + or pkgs.${system}.deploy-rs + or { + name = "deploy-rs"; + outPath = throw "deploy-rs.packages.${system} unsupported"; + meta = {}; + }; + in { + inherit (deploy-rs) name outPath meta; + inherit (deployLib) activate setActivate deployChecks; + }; + }; + checks = legacyPackages.deploy-rs.deployChecks inputs.self.deploy; }); - std = import ./std.nix {inherit inputs;}; - inherit (std) set; - checks = set.map (_: deployLib: deployLib.deployChecks inputs.self.deploy) inputs.deploy-rs.lib; -in - { - inherit tree std lib checks; - inputs = patchedInputs; - } - // systems - // outputs +in { + inherit (outputs) devShells 
legacyPackages packages checks; + inherit (systems) deploy nixosConfigurations; + lib = { + std = import ./std.nix {inherit inputs;}; + nixlib = inputs.nixpkgs.lib; + inherit tree; + }; +} diff --git a/overlays/default.nix b/overlays/default.nix index 9ab02bb0..6b987e90 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -1,5 +1,4 @@ -{inputs, ...} @ args: -inputs.flake-utils.lib.eachDefaultSystem (system: { +{inputs, system}: { pkgs = import inputs.nixpkgs { inherit system; overlays = @@ -27,4 +26,4 @@ inputs.flake-utils.lib.eachDefaultSystem (system: { ]; }; }; -}) +} diff --git a/packages/default.nix b/packages/default.nix index baa236ad..c507b5ca 100644 --- a/packages/default.nix +++ b/packages/default.nix @@ -1,8 +1,8 @@ { system, inputs, - lib, }: let + lib = inputs.self.lib.nixlib; inherit (lib.meta) getExe; inherit (inputs.std.lib) string list; packages = inputs.self.packages.${system}; diff --git a/patchedInputs.nix b/patchedInputs.nix deleted file mode 100644 index 29172dd9..00000000 --- a/patchedInputs.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ - inputs, - system ? builtins.currentSystem or "x86_64-linux", - ... -}: let - pkgs = import inputs.nixpkgs { - inherit system; - config.allowUnfree = true; - }; -in - inputs - // { - nixpkgs = pkgs.applyPatches { - name = "nixpkgs"; - src = inputs.nixpkgs; - patches = [ - # https://github.com/NixOS/nixpkgs/pull/275896 - (pkgs.fetchpatch { - url = "https://github.com/NixOS/nixpkgs/pull/275896.patch"; - sha256 = "sha256-boJLCdgamzX0fhLifdsxsFF/f7oXZwWJ7+WAkcA2GBg="; - }) - ]; - } // { - inherit (inputs.nixpkgs) sourceInfo; - }; - } diff --git a/shell.nix b/shell.nix index 28bf91f1..ca1ef57c 100644 --- a/shell.nix +++ b/shell.nix @@ -1 +1 @@ -import ./devShell.nix { inputs = import ./inputs.nix; system = builtins.currentSystem; } +(import ./.).devShells.${builtins.currentSystem or "x86_64-linux"}.default diff --git a/systems/default.nix b/systems/default.nix index 102f3943..10d14d26 100644 
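Review bot: The `deploy-rs` fallback chain on the new side can never resolve through `pkgs`: `pkgs` is now `legacyPackages.pkgs`, an already per-system package set returned by `import ./overlays {inherit system inputs;}`, so `pkgs.${system}.deploy-rs.deploy-rs` and `pkgs.${system}.deploy-rs` look up an attribute named after the system that does not exist and fall straight through to the `throw` placeholder. This looks like a leftover from the old code where `pkgs.${system}` indexed into the `eachDefaultSystem` set; change the two fallbacks to `or pkgs.deploy-rs.deploy-rs` and `or pkgs.deploy-rs`. Note also that `checks = legacyPackages.deploy-rs.deployChecks inputs.self.deploy` goes through the same fallback, so on a system without a usable `deploy-rs` the `checks` output silently becomes `{}`; if that is intended, say so in a comment on the `deployChecks = _: {};` fallback.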
--- a/systems/default.nix +++ b/systems/default.nix @@ -1,15 +1,12 @@ { inputs, tree, - pkgs, - lib, - std, - system ? builtins.currentSystem or "x86_64-linux", - ... }: let # The purpose of this file is to set up the host module which allows assigning of the system, e.g. aarch64-linux and the builder used with less pain. + lib = inputs.self.lib.nixlib; inherit (lib.modules) evalModules mkOptionDefault; - inherit (std) string types optional set list; + inherit (inputs.self.lib) std; + inherit (std) string set; defaultSpecialArgs = { inherit inputs std; meta = tree; @@ -21,7 +18,7 @@ }: { options = let inherit (lib.types) str listOf attrs unspecified attrsOf nullOr; - jsonType = (pkgs.${system}.formats.json {}).type; + jsonAttrsType = inputs.arcexprs.lib.json.types.attrs; inherit (lib.options) mkOption; in { arch = mkOption { @@ -54,21 +51,26 @@ internal = true; }; deploy = mkOption { - type = nullOr jsonType; + type = nullOr jsonAttrsType; }; }; config = { - deploy = { + deploy = let + nixos = inputs.self.nixosConfigurations.${machine}; + in { sshUser = mkOptionDefault "root"; user = mkOptionDefault "root"; - sshOpts = mkOptionDefault ["-p" "${builtins.toString (builtins.head inputs.self.nixosConfigurations.${machine}.config.services.openssh.ports)}"]; + sshOpts = mkOptionDefault ["-p" "${builtins.toString (builtins.head nixos.config.services.openssh.ports)}"]; autoRollback = mkOptionDefault true; magicRollback = mkOptionDefault true; fastConnection = mkOptionDefault false; hostname = mkOptionDefault "${machine}.local.gensokyo.zone"; profiles.system = { user = "root"; - path = inputs.deploy-rs.lib.${system}.activate.nixos inputs.self.nixosConfigurations.${machine}; + path = let + inherit (inputs.self.legacyPackages.${config.system}.deploy-rs) activate; + in + activate.nixos nixos; }; }; system = let 
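Review bot: In the `deploy` block, `sshOpts` takes `builtins.head nixos.config.services.openssh.ports`, so a host that sets `services.openssh.ports = []` (for instance when it only configures `listenAddresses`) aborts evaluation of every deploy node with an opaque error, and a host listing several ports silently deploys via whichever comes first. Consider binding `ports = nixos.config.services.openssh.ports;` in the `let` and writing `sshOpts = mkOptionDefault (lib.optionals (ports != []) ["-p" (toString (builtins.head ports))]);`, with a comment noting that deploy-rs connects to the first listed port. The `nixos` binding is a good cleanup of the repeated `nixosConfigurations.${machine}` lookup; the enclosing `config = {` attrset continues beyond this hunk.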
@@ -141,12 +143,13 @@ (set.map (_: c: c) tree.systems); processHost = name: cfg: let host = cfg.config; - in set.optional (host.type != null) { - deploy.nodes.${name} = host.deploy; + in + set.optional (host.type != null) { + deploy.nodes.${name} = host.deploy; - "${host.folder}Configurations".${name} = host.builder { - inherit (host) system modules specialArgs; + "${host.folder}Configurations".${name} = host.builder { + inherit (host) system modules specialArgs; + }; }; - }; in set.merge (set.mapToValues processHost hostConfigs) diff --git a/tree.nix b/tree.nix index ba61eb56..67e8f807 100644 --- a/tree.nix +++ b/tree.nix @@ -1,20 +1,24 @@ -{inputs, ...}: (inputs.tree.tree { +{inputs}: (inputs.tree.tree { inherit inputs; folder = ./.; config = { "/" = { excludes = [ "tf" - "inputs" "default" - "patchedInputs" + "devShells" "outputs" "tree" "flake" - "meta" + "std" "inputs" ]; }; + packages = { + excludes = [ + "default" + ]; + }; systems = { excludes = [ "default"