clan/clan-infra
10
0
Fork 1
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

reformat with nixfmt

Browse Source
This commit is contained in:
Jörg Thalheim 2024-06-06 17:52:20 +02:00
parent ab6c39c77e
commit 4e182bec1d
33 changed files with 1269 additions and 1121 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
devShells/flake-module.nix
View File

@ -1,14 +1,14 @@
{ {
perSystem = perSystem =
{ inputs' { inputs', pkgs, ... }:
, pkgs
, lib
, ...
}:
let let
convert2Tofu = provider: provider.override (prev: { convert2Tofu =
homepage = builtins.replaceStrings [ "registry.terraform.io/providers" ] [ "registry.opentofu.org" ] prev.homepage; provider:
}); provider.override (prev: {
homepage = builtins.replaceStrings [ "registry.terraform.io/providers" ] [
"registry.opentofu.org"
] prev.homepage;
});
in in
{ {
devShells.default = pkgs.mkShellNoCC { devShells.default = pkgs.mkShellNoCC {
@ -18,17 +18,18 @@
inputs'.clan-core.packages.clan-cli inputs'.clan-core.packages.clan-cli
(pkgs.opentofu.withPlugins (p: builtins.map convert2Tofu [ (pkgs.opentofu.withPlugins (
p.hetznerdns p:
p.hcloud builtins.map convert2Tofu [
p.null p.hetznerdns
p.external p.hcloud
p.local p.null
])) p.external
]; p.local
inputsFrom = [ ]
inputs'.clan-core.devShells.default ))
]; ];
inputsFrom = [ inputs'.clan-core.devShells.default ];
}; };
}; };
} }

86
flake.nix
View File

@ -37,39 +37,55 @@
buildbot-nix.inputs.treefmt-nix.follows = "treefmt-nix"; buildbot-nix.inputs.treefmt-nix.follows = "treefmt-nix";
}; };
outputs = inputs@{ flake-parts, ... }: outputs =
flake-parts.lib.mkFlake { inherit inputs; } ({ self, ... }: { inputs@{ flake-parts, ... }:
systems = [ flake-parts.lib.mkFlake { inherit inputs; } (
"x86_64-linux" { self, ... }:
"aarch64-linux" {
]; systems = [
imports = [ "x86_64-linux"
inputs.treefmt-nix.flakeModule "aarch64-linux"
./devShells/flake-module.nix ];
./targets/flake-module.nix imports = [
./modules/flake-module.nix inputs.treefmt-nix.flakeModule
./pkgs/flake-module.nix ./devShells/flake-module.nix
]; ./targets/flake-module.nix
perSystem = ({ lib, self', system, ... }: { ./modules/flake-module.nix
treefmt = { ./pkgs/flake-module.nix
projectRootFile = ".git/config"; ];
programs.hclfmt.enable = true; perSystem = (
programs.nixpkgs-fmt.enable = true; {
settings.formatter.nixpkgs-fmt.excludes = [ lib,
# generated files self',
"node-env.nix" system,
"node-packages.nix" ...
"composition.nix" }:
]; {
}; treefmt = {
checks = projectRootFile = ".git/config";
let programs.hclfmt.enable = true;
nixosMachines = lib.mapAttrs' (name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations); programs.nixfmt-rfc-style.enable = true;
packages = lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages; settings.formatter.nixfmt-rfc-style.excludes = [
devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells; # generated files
homeConfigurations = lib.mapAttrs' (name: config: lib.nameValuePair "home-manager-${name}" config.activation-script) (self'.legacyPackages.homeConfigurations or { }); "node-env.nix"
in "node-packages.nix"
nixosMachines // packages // devShells // homeConfigurations; "composition.nix"
}); ];
}); };
checks =
let
nixosMachines = lib.mapAttrs' (
name: config: lib.nameValuePair "nixos-${name}" config.config.system.build.toplevel
) ((lib.filterAttrs (_: config: config.pkgs.system == system)) self.nixosConfigurations);
packages = lib.mapAttrs' (n: lib.nameValuePair "package-${n}") self'.packages;
devShells = lib.mapAttrs' (n: lib.nameValuePair "devShell-${n}") self'.devShells;
homeConfigurations = lib.mapAttrs' (
name: config: lib.nameValuePair "home-manager-${name}" config.activation-script
) (self'.legacyPackages.homeConfigurations or { });
in
nixosMachines // packages // devShells // homeConfigurations;
}
);
}
);
} }

5
modules/admins.nix
View File

@ -41,7 +41,10 @@ in
extraGroups = [ "wheel" ]; extraGroups = [ "wheel" ];
shell = "/run/current-system/sw/bin/zsh"; shell = "/run/current-system/sw/bin/zsh";
uid = 1004; uid = 1004;
openssh.authorizedKeys.keys = [ admins.kenji admins.kenji-remote ]; openssh.authorizedKeys.keys = [
admins.kenji
admins.kenji-remote
];
}; };
johannes = { johannes = {
isNormalUser = true; isNormalUser = true;

3
modules/flake-module.nix
View File

@ -1,4 +1,5 @@
{ self, inputs, ... }: { { self, inputs, ... }:
{
flake.nixosModules = { flake.nixosModules = {
server.imports = [ server.imports = [
inputs.srvos.nixosModules.server inputs.srvos.nixosModules.server

27
modules/initrd-networking.nix
View File

@ -1,31 +1,22 @@
{ config { config, lib, ... }:
, lib let
, ...
}:
with lib; let
cfg = config.clan.networking; cfg = config.clan.networking;
in in
{ {
options = { options = {
clan.networking.ipv4.address = mkOption { clan.networking.ipv4.address = lib.mkOption { type = lib.types.str; };
type = types.str;
};
clan.networking.ipv4.cidr = mkOption { clan.networking.ipv4.cidr = lib.mkOption {
type = types.str; type = lib.types.str;
default = "26"; default = "26";
}; };
clan.networking.ipv4.gateway = mkOption { clan.networking.ipv4.gateway = lib.mkOption { type = lib.types.str; };
type = types.str;
};
clan.networking.ipv6.address = mkOption { clan.networking.ipv6.address = lib.mkOption { type = lib.types.str; };
type = types.str;
};
clan.networking.ipv6.cidr = mkOption { clan.networking.ipv6.cidr = lib.mkOption {
type = types.str; type = lib.types.str;
default = "64"; default = "64";
}; };
}; };

7
modules/web01/borgbackup.nix
View File

@ -1,9 +1,8 @@
{ config, ... }: { { config, ... }:
{
# 100GB storagebox is under the nix-community hetzner account # 100GB storagebox is under the nix-community hetzner account
systemd.services.borgbackup-job-clan-lol.serviceConfig.ReadWritePaths = [ systemd.services.borgbackup-job-clan-lol.serviceConfig.ReadWritePaths = [ "/var/log/telegraf" ];
"/var/log/telegraf"
];
# Run this from the hetzner network: # Run this from the hetzner network:
# ssh-keyscan -p 23 u359378.your-storagebox.de # ssh-keyscan -p 23 u359378.your-storagebox.de

12
modules/web01/clan-merge.nix
View File

@ -1,10 +1,18 @@
{ config, self, pkgs, ... }: { {
config,
self,
pkgs,
...
}:
{
# service to for automatic merge bot # service to for automatic merge bot
systemd.services.clan-merge = { systemd.services.clan-merge = {
description = "Merge clan.lol PRs automatically"; description = "Merge clan.lol PRs automatically";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; after = [ "network.target" ];
environment = { GITEA_TOKEN_FILE = "%d/GITEA_TOKEN_FILE"; }; environment = {
GITEA_TOKEN_FILE = "%d/GITEA_TOKEN_FILE";
};
serviceConfig = { serviceConfig = {
LoadCredential = [ "GITEA_TOKEN_FILE:${config.sops.secrets.merge-bot-gitea-token.path}" ]; LoadCredential = [ "GITEA_TOKEN_FILE:${config.sops.secrets.merge-bot-gitea-token.path}" ];
Restart = "on-failure"; Restart = "on-failure";

3
modules/web01/default.nix
View File

@ -1,4 +1,5 @@
{ self, ... }: { { self, ... }:
{
imports = [ imports = [
./borgbackup.nix ./borgbackup.nix
./clan-merge.nix ./clan-merge.nix

379
modules/web01/gitea/actions-runner.nix
View File

@ -1,8 +1,26 @@
{ config, self, pkgs, lib, ... }: {
config,
self,
pkgs,
lib,
...
}:
let let
storeDeps = pkgs.runCommand "store-deps" { } '' storeDeps = pkgs.runCommand "store-deps" { } ''
mkdir -p $out/bin mkdir -p $out/bin
for dir in ${toString [ pkgs.coreutils pkgs.findutils pkgs.gnugrep pkgs.gawk pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs ]}; do for dir in ${
toString [
pkgs.coreutils
pkgs.findutils
pkgs.gnugrep
pkgs.gawk
pkgs.git
pkgs.nix
pkgs.bash
pkgs.jq
pkgs.nodejs
]
}; do
for bin in "$dir"/bin/*; do for bin in "$dir"/bin/*; do
ln -s "$bin" "$out/bin/$(basename "$bin")" ln -s "$bin" "$out/bin/$(basename "$bin")"
done done
@ -14,87 +32,95 @@ let
''; '';
numInstances = 2; numInstances = 2;
in in
lib.mkMerge [{ lib.mkMerge [
# everything here has no dependencies on the store
systemd.services.gitea-runner-nix-image = {
wantedBy = [ "multi-user.target" ];
after = [ "podman.service" ];
requires = [ "podman.service" ];
path = [ config.virtualisation.podman.package pkgs.gnutar pkgs.shadow pkgs.getent ];
# we also include etc here because the cleanup job also wants the nixuser to be present
script = ''
set -eux -o pipefail
mkdir -p etc/nix
# Create an unpriveleged user that we can use also without the run-as-user.sh script
touch etc/passwd etc/group
groupid=$(cut -d: -f3 < <(getent group nixuser))
userid=$(cut -d: -f3 < <(getent passwd nixuser))
groupadd --prefix $(pwd) --gid "$groupid" nixuser
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
cat <<NIX_CONFIG > etc/nix/nix.conf
accept-flake-config = true
experimental-features = nix-command flakes
NIX_CONFIG
cat <<NSSWITCH > etc/nsswitch.conf
passwd: files mymachines systemd
group: files mymachines systemd
shadow: files
hosts: files mymachines dns myhostname
networks: files
ethers: files
services: files
protocols: files
rpc: files
NSSWITCH
# list the content as it will be imported into the container
tar -cv . | tar -tvf -
tar -cv . | podman import - gitea-runner-nix
'';
serviceConfig = {
RuntimeDirectory = "gitea-runner-nix-image";
WorkingDirectory = "/run/gitea-runner-nix-image";
Type = "oneshot";
RemainAfterExit = true;
};
};
users.users.nixuser = {
group = "nixuser";
description = "Used for running nix ci jobs";
home = "/var/empty";
isSystemUser = true;
};
users.groups.nixuser = { };
}
{ {
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") numInstances) (name: { # everything here has no dependencies on the store
systemd.services.gitea-runner-nix-image = {
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
after = [ "gitea.service" ]; after = [ "podman.service" ];
environment = { requires = [ "podman.service" ];
GITEA_CUSTOM = "/var/lib/gitea/custom"; path = [
GITEA_WORK_DIR = "/var/lib/gitea"; config.virtualisation.podman.package
}; pkgs.gnutar
pkgs.shadow
pkgs.getent
];
# we also include etc here because the cleanup job also wants the nixuser to be present
script = '' script = ''
set -euo pipefail set -eux -o pipefail
token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token) mkdir -p etc/nix
echo "TOKEN=$token" > /var/lib/gitea-registration/${name}
# Create an unpriveleged user that we can use also without the run-as-user.sh script
touch etc/passwd etc/group
groupid=$(cut -d: -f3 < <(getent group nixuser))
userid=$(cut -d: -f3 < <(getent passwd nixuser))
groupadd --prefix $(pwd) --gid "$groupid" nixuser
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
cat <<NIX_CONFIG > etc/nix/nix.conf
accept-flake-config = true
experimental-features = nix-command flakes
NIX_CONFIG
cat <<NSSWITCH > etc/nsswitch.conf
passwd: files mymachines systemd
group: files mymachines systemd
shadow: files
hosts: files mymachines dns myhostname
networks: files
ethers: files
services: files
protocols: files
rpc: files
NSSWITCH
# list the content as it will be imported into the container
tar -cv . | tar -tvf -
tar -cv . | podman import - gitea-runner-nix
''; '';
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/${name}" ];
serviceConfig = { serviceConfig = {
User = "gitea"; RuntimeDirectory = "gitea-runner-nix-image";
Group = "gitea"; WorkingDirectory = "/run/gitea-runner-nix-image";
StateDirectory = "gitea-registration";
Type = "oneshot"; Type = "oneshot";
RemainAfterExit = true; RemainAfterExit = true;
}; };
}); };
users.users.nixuser = {
group = "nixuser";
description = "Used for running nix ci jobs";
home = "/var/empty";
isSystemUser = true;
};
users.groups.nixuser = { };
}
{
systemd.services =
lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") numInstances)
(name: {
wantedBy = [ "multi-user.target" ];
after = [ "gitea.service" ];
environment = {
GITEA_CUSTOM = "/var/lib/gitea/custom";
GITEA_WORK_DIR = "/var/lib/gitea";
};
script = ''
set -euo pipefail
token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
echo "TOKEN=$token" > /var/lib/gitea-registration/${name}
'';
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/${name}" ];
serviceConfig = {
User = "gitea";
Group = "gitea";
StateDirectory = "gitea-registration";
Type = "oneshot";
RemainAfterExit = true;
};
});
# Format of the token file: # Format of the token file:
virtualisation = { virtualisation = {
@ -111,106 +137,119 @@ lib.mkMerge [{
virtualisation.containers.containersConf.settings = { virtualisation.containers.containersConf.settings = {
# podman seems to not work with systemd-resolved # podman seems to not work with systemd-resolved
containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ]; containers.dns_servers = [
"8.8.8.8"
"8.8.4.4"
];
}; };
} }
{ {
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (name: { systemd.services =
after = [ lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances)
"${name}-token.service" (name: {
"gitea-runner-nix-image.service" after = [
]; "${name}-token.service"
requires = [ "gitea-runner-nix-image.service"
"${name}-token.service" ];
"gitea-runner-nix-image.service" requires = [
]; "${name}-token.service"
"gitea-runner-nix-image.service"
];
# TODO: systemd confinment # TODO: systemd confinment
serviceConfig = { serviceConfig = {
# Hardening (may overlap with DynamicUser=) # Hardening (may overlap with DynamicUser=)
# The following options are only for optimizing output of systemd-analyze # The following options are only for optimizing output of systemd-analyze
AmbientCapabilities = ""; AmbientCapabilities = "";
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r # ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = ""; DeviceAllow = "";
NoNewPrivileges = true; NoNewPrivileges = true;
PrivateDevices = true; PrivateDevices = true;
PrivateMounts = true; PrivateMounts = true;
PrivateTmp = true; PrivateTmp = true;
PrivateUsers = true; PrivateUsers = true;
ProtectClock = true; ProtectClock = true;
ProtectControlGroups = true; ProtectControlGroups = true;
ProtectHome = true; ProtectHome = true;
ProtectHostname = true; ProtectHostname = true;
ProtectKernelLogs = true; ProtectKernelLogs = true;
ProtectKernelModules = true; ProtectKernelModules = true;
ProtectKernelTunables = true; ProtectKernelTunables = true;
ProtectSystem = "strict"; ProtectSystem = "strict";
RemoveIPC = true; RemoveIPC = true;
RestrictNamespaces = true; RestrictNamespaces = true;
RestrictRealtime = true; RestrictRealtime = true;
RestrictSUIDSGID = true; RestrictSUIDSGID = true;
UMask = "0066"; UMask = "0066";
ProtectProc = "invisible"; ProtectProc = "invisible";
SystemCallFilter = [ SystemCallFilter = [
"~@clock" "~@clock"
"~@cpu-emulation" "~@cpu-emulation"
"~@module" "~@module"
"~@mount" "~@mount"
"~@obsolete" "~@obsolete"
"~@raw-io" "~@raw-io"
"~@reboot" "~@reboot"
"~@swap" "~@swap"
# needed by go? # needed by go?
#"~@resources" #"~@resources"
"~@privileged" "~@privileged"
"~capset" "~capset"
"~setdomainname" "~setdomainname"
"~sethostname" "~sethostname"
]; ];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ]; RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
"AF_NETLINK"
];
# Needs network access # Needs network access
PrivateNetwork = false; PrivateNetwork = false;
# Cannot be true due to Node # Cannot be true due to Node
MemoryDenyWriteExecute = false; MemoryDenyWriteExecute = false;
# The more restrictive "pid" option makes `nix` commands in CI emit # The more restrictive "pid" option makes `nix` commands in CI emit
# "GC Warning: Couldn't read /proc/stat" # "GC Warning: Couldn't read /proc/stat"
# You may want to set this to "pid" if not using `nix` commands # You may want to set this to "pid" if not using `nix` commands
ProcSubset = "all"; ProcSubset = "all";
# Coverage programs for compiled code such as `cargo-tarpaulin` disable # Coverage programs for compiled code such as `cargo-tarpaulin` disable
# ASLR (address space layout randomization) which requires the # ASLR (address space layout randomization) which requires the
# `personality` syscall # `personality` syscall
# You may want to set this to `true` if not using coverage tooling on # You may want to set this to `true` if not using coverage tooling on
# compiled code # compiled code
LockPersonality = false; LockPersonality = false;
# Note that this has some interactions with the User setting; so you may # Note that this has some interactions with the User setting; so you may
# want to consult the systemd docs if using both. # want to consult the systemd docs if using both.
DynamicUser = true; DynamicUser = true;
}; };
}); });
services.gitea-actions-runner.instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (name: { services.gitea-actions-runner.instances =
enable = true; lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances)
name = "nix-runner"; (name: {
# take the git root url from the gitea config enable = true;
# only possible if you've also configured your gitea though the same nix config name = "nix-runner";
# otherwise you need to set it manually # take the git root url from the gitea config
url = config.services.gitea.settings.server.ROOT_URL; # only possible if you've also configured your gitea though the same nix config
# use your favourite nix secret manager to get a path for this # otherwise you need to set it manually
tokenFile = "/var/lib/gitea-registration/gitea-runner-${name}-token"; url = config.services.gitea.settings.server.ROOT_URL;
labels = [ "nix:docker://gitea-runner-nix" ]; # use your favourite nix secret manager to get a path for this
settings = { tokenFile = "/var/lib/gitea-registration/gitea-runner-${name}-token";
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm"; labels = [ "nix:docker://gitea-runner-nix" ];
# the default network that also respects our dns server settings settings = {
container.network = "host"; container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
container.valid_volumes = [ # the default network that also respects our dns server settings
"/nix" container.network = "host";
"${storeDeps}/bin" container.valid_volumes = [
"${storeDeps}/etc/ssl" "/nix"
]; "${storeDeps}/bin"
}; "${storeDeps}/etc/ssl"
}); ];
}] };
});
}
]

22
modules/web01/gitea/default.nix
View File

@ -1,12 +1,22 @@
{ config, pkgs, lib, self, ... }: {
pkgs,
lib,
self,
config,
...
}:
let let
# make the logs for this host "public" so that they show up in e.g. metrics # make the logs for this host "public" so that they show up in e.g. metrics
publog = vhost: lib.attrsets.unionOfDisjoint vhost { publog =
extraConfig = (vhost.extraConfig or "") + '' vhost:
access_log /var/log/nginx/public.log vcombined; lib.attrsets.unionOfDisjoint vhost {
''; extraConfig =
}; (vhost.extraConfig or "")
+ ''
access_log /var/log/nginx/public.log vcombined;
'';
};
in in
{ {

3
modules/web01/gitea/postgresql.nix
View File

@ -1,4 +1,5 @@
{ pkgs, ... }: { { pkgs, ... }:
{
services.postgresql.enable = true; services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql_14; services.postgresql.package = pkgs.postgresql_14;
services.postgresql.settings = { services.postgresql.settings = {

14
modules/web01/goaccess.nix
View File

@ -1,4 +1,4 @@
{ stdenv, lib, pkgs, ... }: { pkgs, ... }:
let let
domain = "metrics.clan.lol"; domain = "metrics.clan.lol";
@ -38,14 +38,13 @@ in
"d ${pub_goaccess} 0755 goaccess nginx -" "d ${pub_goaccess} 0755 goaccess nginx -"
]; ];
# --browsers-file=/etc/goaccess/browsers.list # --browsers-file=/etc/goaccess/browsers.list
# https://raw.githubusercontent.com/allinurl/goaccess/master/config/browsers.list # https://raw.githubusercontent.com/allinurl/goaccess/master/config/browsers.list
systemd.services.goaccess = { systemd.services.goaccess = {
description = "GoAccess server monitoring"; description = "GoAccess server monitoring";
preStart = '' preStart = ''
rm -f ${pub_goaccess}/index.html rm -f ${pub_goaccess}/index.html
''; '';
serviceConfig = { serviceConfig = {
User = "goaccess"; User = "goaccess";
Group = "nginx"; Group = "nginx";
@ -83,7 +82,11 @@ in
ProtectSystem = "strict"; ProtectSystem = "strict";
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io"; SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
ReadOnlyPaths = "/"; ReadOnlyPaths = "/";
ReadWritePaths = [ "/proc/self" "${pub_goaccess}" "${priv_goaccess}" ]; ReadWritePaths = [
"/proc/self"
"${pub_goaccess}"
"${priv_goaccess}"
];
PrivateDevices = "yes"; PrivateDevices = "yes";
ProtectKernelModules = "yes"; ProtectKernelModules = "yes";
ProtectKernelTunables = "yes"; ProtectKernelTunables = "yes";
@ -92,7 +95,6 @@ in
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
}; };
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${domain}" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;

11
modules/web01/harmonia.nix
View File

@ -1,17 +1,18 @@
{ config, pkgs, ... }: { { config, pkgs, ... }:
{
services.harmonia.enable = true; services.harmonia.enable = true;
# $ nix-store --generate-binary-cache-key cache.yourdomain.tld-1 harmonia.secret harmonia.pub # $ nix-store --generate-binary-cache-key cache.yourdomain.tld-1 harmonia.secret harmonia.pub
services.harmonia.signKeyPath = config.sops.secrets.harmonia-secret.path; services.harmonia.signKeyPath = config.sops.secrets.harmonia-secret.path;
services.nginx = { services.nginx = {
package = pkgs.nginxStable.override { package = pkgs.nginxStable.override { modules = [ pkgs.nginxModules.zstd ]; };
modules = [ pkgs.nginxModules.zstd ];
};
}; };
# trust our own cache # trust our own cache
nix.settings.trusted-substituters = [ "https://cache.clan.lol" ]; nix.settings.trusted-substituters = [ "https://cache.clan.lol" ];
nix.settings.trusted-public-keys = [ "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" ]; nix.settings.trusted-public-keys = [
"cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28="
];
services.nginx.virtualHosts."cache.clan.lol" = { services.nginx.virtualHosts."cache.clan.lol" = {
forceSSL = true; forceSSL = true;

18
modules/web01/homepage.nix
View File

@ -1,4 +1,4 @@
{ config, lib, pkgs, self, ... }: { config, ... }:
{ {
security.acme.defaults.email = "admins@clan.lol"; security.acme.defaults.email = "admins@clan.lol";
@ -6,13 +6,11 @@
# www user to push website artifacts via ssh # www user to push website artifacts via ssh
users.users.www = { users.users.www = {
openssh.authorizedKeys.keys = openssh.authorizedKeys.keys = config.users.users.root.openssh.authorizedKeys.keys ++ [
config.users.users.root.openssh.authorizedKeys.keys # ssh-homepage-key
++ [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxZ3Av30M6Sh6NU1mnCskB16bYtNP8vskc/+ud0AU1C ssh-homepage-key"
# ssh-homepage-key "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuYyfSuETSrwqCsWHeeClqjcsFlMEmiJN6Rr8/DwrU0 gitea-ci"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMxZ3Av30M6Sh6NU1mnCskB16bYtNP8vskc/+ud0AU1C ssh-homepage-key" ];
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBuYyfSuETSrwqCsWHeeClqjcsFlMEmiJN6Rr8/DwrU0 gitea-ci"
];
isSystemUser = true; isSystemUser = true;
shell = "/run/current-system/sw/bin/bash"; shell = "/run/current-system/sw/bin/bash";
group = "www"; group = "www";
@ -20,9 +18,7 @@
users.groups.www = { }; users.groups.www = { };
# ensure /var/www can be accessed by nginx and www user # ensure /var/www can be accessed by nginx and www user
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [ "d /var/www 0755 www nginx" ];
"d /var/www 0755 www nginx"
];
services.nginx = { services.nginx = {

20
modules/web01/jobs.nix
View File

@ -1,4 +1,10 @@
{ config, self, pkgs, lib, ... }: {
config,
self,
pkgs,
lib,
...
}:
let let
configForJob = name: { configForJob = name: {
systemd.timers.${name} = { systemd.timers.${name} = {
@ -46,9 +52,11 @@ let
}; };
in in
{ {
config = lib.mkMerge (map configForJob [ config = lib.mkMerge (
"job-flake-update-clan-core" map configForJob [
"job-flake-update-clan-homepage" "job-flake-update-clan-core"
"job-flake-update-clan-infra" "job-flake-update-clan-homepage"
]); "job-flake-update-clan-infra"
]
);
} }

11
modules/zfs-crypto-raid.nix
View File

@ -1,4 +1,3 @@
{ self, ... }:
let let
mirrorBoot = idx: { mirrorBoot = idx: {
type = "disk"; type = "disk";
@ -41,8 +40,14 @@ in
efiSupport = true; efiSupport = true;
efiInstallAsRemovable = true; efiInstallAsRemovable = true;
mirroredBoots = [ mirroredBoots = [
{ path = "/boot0"; devices = [ "nodev" ]; } {
{ path = "/boot1"; devices = [ "nodev" ]; } path = "/boot0";
devices = [ "nodev" ];
}
{
path = "/boot1";
devices = [ "nodev" ];
}
]; ];
}; };

27
pkgs/action-create-pr/default.nix
View File

@ -1,10 +1,19 @@
{ bash {
, coreutils bash,
, git coreutils,
, tea git,
, openssh tea,
, writePureShellScriptBin openssh,
writePureShellScriptBin,
}: }:
writePureShellScriptBin "action-create-pr" [ bash coreutils git tea openssh ] '' writePureShellScriptBin "action-create-pr"
bash ${./script.sh} "$@" [
'' bash
coreutils
git
tea
openssh
]
''
bash ${./script.sh} "$@"
''

21
pkgs/action-ensure-tea-login/default.nix
View File

@ -1,8 +1,15 @@
{ bash {
, coreutils bash,
, tea coreutils,
, writePureShellScriptBin tea,
writePureShellScriptBin,
}: }:
writePureShellScriptBin "action-ensure-tea-login" [ bash coreutils tea ] '' writePureShellScriptBin "action-ensure-tea-login"
bash ${./script.sh} [
'' bash
coreutils
tea
]
''
bash ${./script.sh}
''

41
pkgs/action-flake-update-pr-clan/default.nix
View File

@ -1,20 +1,23 @@
{ bash {
, coreutils bash,
, git coreutils,
, openssh git,
, action-ensure-tea-login openssh,
, action-create-pr action-ensure-tea-login,
, action-flake-update action-create-pr,
, writePureShellScriptBin action-flake-update,
writePureShellScriptBin,
}: }:
writePureShellScriptBin "action-flake-update-pr-clan" [ writePureShellScriptBin "action-flake-update-pr-clan"
bash [
coreutils bash
git coreutils
openssh git
action-ensure-tea-login openssh
action-create-pr action-ensure-tea-login
action-flake-update action-create-pr
] '' action-flake-update
bash ${./script.sh} ]
'' ''
bash ${./script.sh}
''

24
pkgs/action-flake-update/default.nix
View File

@ -1,9 +1,17 @@
{ bash {
, coreutils bash,
, git coreutils,
, nix git,
, writePureShellScriptBin nix,
writePureShellScriptBin,
}: }:
writePureShellScriptBin "action-flake-update" [ bash coreutils git nix ] '' writePureShellScriptBin "action-flake-update"
bash ${./script.sh} [
'' bash
coreutils
git
nix
]
''
bash ${./script.sh}
''

4
pkgs/clan-merge/clan_merge/__init__.py
View File

@ -1,7 +1,7 @@
import argparse import argparse
import json import json
import urllib.request
import urllib.error import urllib.error
import urllib.request
from os import environ from os import environ
from typing import Optional from typing import Optional
@ -38,6 +38,7 @@ def is_ci_green(pr: dict) -> bool:
return False return False
return True return True
def is_org_member(user: str, token: str) -> bool: def is_org_member(user: str, token: str) -> bool:
url = "https://git.clan.lol/api/v1/orgs/clan/members/" + user + f"?token={token}" url = "https://git.clan.lol/api/v1/orgs/clan/members/" + user + f"?token={token}"
try: try:
@ -50,7 +51,6 @@ def is_org_member(user: str, token: str) -> bool:
raise raise
def merge_allowed(pr: dict, bot_name: str, token: str) -> bool: def merge_allowed(pr: dict, bot_name: str, token: str) -> bool:
assignees = pr["assignees"] if pr["assignees"] else [] assignees = pr["assignees"] if pr["assignees"] else []
if ( if (

24
pkgs/clan-merge/default.nix
View File

@ -1,9 +1,9 @@
{ pkgs ? import <nixpkgs> { } {
, lib ? pkgs.lib pkgs ? import <nixpkgs> { },
, python3 ? pkgs.python3 lib ? pkgs.lib,
, ruff ? pkgs.ruff python3 ? pkgs.python3,
, runCommand ? pkgs.runCommand ruff ? pkgs.ruff,
, runCommand ? pkgs.runCommand,
}: }:
let let
pyproject = builtins.fromTOML (builtins.readFile ./pyproject.toml); pyproject = builtins.fromTOML (builtins.readFile ./pyproject.toml);
@ -32,13 +32,11 @@ let
package = python3.pkgs.buildPythonPackage { package = python3.pkgs.buildPythonPackage {
inherit name src; inherit name src;
format = "pyproject"; format = "pyproject";
nativeBuildInputs = [ nativeBuildInputs = [ python3.pkgs.setuptools ];
python3.pkgs.setuptools propagatedBuildInputs = dependencies ++ [ ];
]; passthru.tests = {
propagatedBuildInputs = inherit check;
dependencies };
++ [ ];
passthru.tests = { inherit check; };
passthru.devDependencies = devDependencies; passthru.devDependencies = devDependencies;
}; };

3
pkgs/clan-merge/flake-module.nix
View File

@ -1,5 +1,6 @@
{ {
perSystem = { pkgs, ... }: perSystem =
{ pkgs, ... }:
let let
package = pkgs.callPackage ./default.nix { inherit pkgs; }; package = pkgs.callPackage ./default.nix { inherit pkgs; };
in in

15
pkgs/clan-merge/shell.nix
View File

@ -1,16 +1,11 @@
{ pkgs ? import <nixpkgs> { } }: {
pkgs ? import <nixpkgs> { },
}:
let let
inherit (pkgs) lib python3; inherit (pkgs) lib python3;
package = import ./default.nix { package = import ./default.nix { inherit lib pkgs python3; };
inherit lib pkgs python3;
};
pythonWithDeps = python3.withPackages ( pythonWithDeps = python3.withPackages (
ps: ps: package.propagatedBuildInputs ++ package.devDependencies ++ [ ps.pip ]
package.propagatedBuildInputs
++ package.devDependencies
++ [
ps.pip
]
); );
checkScript = pkgs.writeScriptBin "check" '' checkScript = pkgs.writeScriptBin "check" ''
nix build -f . tests -L "$@" nix build -f . tests -L "$@"

4
pkgs/clan-merge/tests/test_cli.py
View File

@ -112,4 +112,6 @@ def test_list_prs_to_merge(monkeypatch: pytest.MonkeyPatch) -> None:
assignees=[dict(login=bot_name)], assignees=[dict(login=bot_name)],
), ),
] ]
assert clan_merge.list_prs_to_merge(prs, bot_name=bot_name, gitea_token="test") == [prs[0]] assert clan_merge.list_prs_to_merge(prs, bot_name=bot_name, gitea_token="test") == [
prs[0]
]

63
pkgs/flake-module.nix
View File

@ -1,33 +1,38 @@
{ {
imports = [ imports = [ ./clan-merge/flake-module.nix ];
./clan-merge/flake-module.nix perSystem =
]; { pkgs, config, ... }:
perSystem = { pkgs, config, ... }: { {
packages = packages =
let let
writers = pkgs.callPackage ./writers.nix { }; writers = pkgs.callPackage ./writers.nix { };
in in
{ {
inherit (pkgs.callPackage ./renovate { }) renovate; inherit (pkgs.callPackage ./renovate { }) renovate;
gitea = pkgs.callPackage ./gitea { }; gitea = pkgs.callPackage ./gitea { };
action-create-pr = pkgs.callPackage ./action-create-pr { action-create-pr = pkgs.callPackage ./action-create-pr {
inherit (writers) writePureShellScriptBin; inherit (writers) writePureShellScriptBin;
};
action-ensure-tea-login = pkgs.callPackage ./action-ensure-tea-login {
inherit (writers) writePureShellScriptBin;
};
action-flake-update = pkgs.callPackage ./action-flake-update {
inherit (writers) writePureShellScriptBin;
};
action-flake-update-pr-clan = pkgs.callPackage ./action-flake-update-pr-clan {
inherit (writers) writePureShellScriptBin;
inherit (config.packages) action-ensure-tea-login action-create-pr action-flake-update;
};
inherit
(pkgs.callPackages ./job-flake-updates {
inherit (writers) writePureShellScriptBin;
inherit (config.packages) action-flake-update-pr-clan;
})
job-flake-update-clan-core
job-flake-update-clan-homepage
job-flake-update-clan-infra
;
}; };
action-ensure-tea-login = pkgs.callPackage ./action-ensure-tea-login { };
inherit (writers) writePureShellScriptBin;
};
action-flake-update = pkgs.callPackage ./action-flake-update {
inherit (writers) writePureShellScriptBin;
};
action-flake-update-pr-clan = pkgs.callPackage ./action-flake-update-pr-clan {
inherit (writers) writePureShellScriptBin;
inherit (config.packages) action-ensure-tea-login action-create-pr action-flake-update;
};
inherit (pkgs.callPackages ./job-flake-updates {
inherit (writers) writePureShellScriptBin;
inherit (config.packages) action-flake-update-pr-clan;
}) job-flake-update-clan-core job-flake-update-clan-homepage job-flake-update-clan-infra;
};
};
} }

16
pkgs/job-flake-updates/default.nix
View File

@ -1,13 +1,13 @@
{ action-flake-update-pr-clan { action-flake-update-pr-clan, writePureShellScriptBin }:
, writePureShellScriptBin
}:
let let
job-flake-update = repo: writePureShellScriptBin "job-flake-update-${repo}" [ action-flake-update-pr-clan ] '' job-flake-update =
export REPO="gitea@git.clan.lol:clan/${repo}.git" repo:
export KEEP_VARS="REPO''${KEEP_VARS:+ $KEEP_VARS}" writePureShellScriptBin "job-flake-update-${repo}" [ action-flake-update-pr-clan ] ''
export REPO="gitea@git.clan.lol:clan/${repo}.git"
export KEEP_VARS="REPO''${KEEP_VARS:+ $KEEP_VARS}"
action-flake-update-pr-clan action-flake-update-pr-clan
''; '';
in in
{ {
job-flake-update-clan-core = job-flake-update "clan-core"; job-flake-update-clan-core = job-flake-update "clan-core";

25
pkgs/renovate/composition.nix
View File

@ -1,17 +1,32 @@
# This file has been generated by node2nix 1.11.1. Do not edit! # This file has been generated by node2nix 1.11.1. Do not edit!
{pkgs ? import <nixpkgs> { {
inherit system; pkgs ? import <nixpkgs> { inherit system; },
}, system ? builtins.currentSystem, nodejs ? pkgs."nodejs_18"}: system ? builtins.currentSystem,
nodejs ? pkgs."nodejs_18",
}:
let let
nodeEnv = import ./node-env.nix { nodeEnv = import ./node-env.nix {
inherit (pkgs) stdenv lib python2 runCommand writeTextFile writeShellScript; inherit (pkgs)
stdenv
lib
python2
runCommand
writeTextFile
writeShellScript
;
inherit pkgs nodejs; inherit pkgs nodejs;
libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null; libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null;
}; };
in in
import ./node-packages.nix { import ./node-packages.nix {
inherit (pkgs) fetchurl nix-gitignore stdenv lib fetchgit; inherit (pkgs)
fetchurl
nix-gitignore
stdenv
lib
fetchgit
;
inherit nodeEnv; inherit nodeEnv;
} }

7
pkgs/renovate/default.nix
View File

@ -1,4 +1,9 @@
{ pkgs, system, nodejs-18_x, makeWrapper }: {
pkgs,
system,
nodejs-18_x,
makeWrapper,
}:
let let
nodePackages = import ./composition.nix { nodePackages = import ./composition.nix {
inherit pkgs system; inherit pkgs system;

495
pkgs/renovate/node-env.nix
View File

@ -1,6 +1,16 @@
# This file originates from node2nix # This file originates from node2nix
{lib, stdenv, nodejs, python2, pkgs, libtool, runCommand, writeTextFile, writeShellScript}: {
lib,
stdenv,
nodejs,
python2,
pkgs,
libtool,
runCommand,
writeTextFile,
writeShellScript,
}:
let let
# Workaround to cope with utillinux in Nixpkgs 20.09 and util-linux in Nixpkgs master # Workaround to cope with utillinux in Nixpkgs 20.09 and util-linux in Nixpkgs master
@ -9,7 +19,7 @@ let
python = if nodejs ? python then nodejs.python else python2; python = if nodejs ? python then nodejs.python else python2;
# Create a tar wrapper that filters all the 'Ignoring unknown extended header keyword' noise # Create a tar wrapper that filters all the 'Ignoring unknown extended header keyword' noise
tarWrapper = runCommand "tarWrapper" {} '' tarWrapper = runCommand "tarWrapper" { } ''
mkdir -p $out/bin mkdir -p $out/bin
cat > $out/bin/tar <<EOF cat > $out/bin/tar <<EOF
@ -22,7 +32,12 @@ let
# Function that generates a TGZ file from a NPM project # Function that generates a TGZ file from a NPM project
buildNodeSourceDist = buildNodeSourceDist =
{ name, version, src, ... }: {
name,
version,
src,
...
}:
stdenv.mkDerivation { stdenv.mkDerivation {
name = "node-tarball-${name}-${version}"; name = "node-tarball-${name}-${version}";
@ -90,26 +105,31 @@ let
# Bundle the dependencies of the package # Bundle the dependencies of the package
# #
# Only include dependencies if they don't exist. They may also be bundled in the package. # Only include dependencies if they don't exist. They may also be bundled in the package.
includeDependencies = {dependencies}: includeDependencies =
lib.optionalString (dependencies != []) ( { dependencies }:
lib.optionalString (dependencies != [ ]) (
'' ''
mkdir -p node_modules mkdir -p node_modules
cd node_modules cd node_modules
'' ''
+ (lib.concatMapStrings (dependency: + (lib.concatMapStrings (dependency: ''
'' if [ ! -e "${dependency.packageName}" ]; then
if [ ! -e "${dependency.packageName}" ]; then ${composePackage dependency}
${composePackage dependency} fi
fi '') dependencies)
''
) dependencies)
+ '' + ''
cd .. cd ..
'' ''
); );
# Recursively composes the dependencies of a package # Recursively composes the dependencies of a package
composePackage = { name, packageName, src, dependencies ? [], ... }@args: composePackage =
{
packageName,
src,
dependencies ? [ ],
...
}:
builtins.addErrorContext "while evaluating node package '${packageName}'" '' builtins.addErrorContext "while evaluating node package '${packageName}'" ''
installPackage "${packageName}" "${src}" installPackage "${packageName}" "${src}"
${includeDependencies { inherit dependencies; }} ${includeDependencies { inherit dependencies; }}
@ -117,7 +137,8 @@ let
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."} ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
''; '';
pinpointDependencies = {dependencies, production}: pinpointDependencies =
{ dependencies, production }:
let let
pinpointDependenciesFromPackageJSON = writeTextFile { pinpointDependenciesFromPackageJSON = writeTextFile {
name = "pinpointDependencies.js"; name = "pinpointDependencies.js";
@ -179,22 +200,27 @@ let
'' ''
node ${pinpointDependenciesFromPackageJSON} ${if production then "production" else "development"} node ${pinpointDependenciesFromPackageJSON} ${if production then "production" else "development"}
${lib.optionalString (dependencies != []) ${lib.optionalString (dependencies != [ ]) ''
'' if [ -d node_modules ]
if [ -d node_modules ] then
then cd node_modules
cd node_modules ${lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies}
${lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies} cd ..
cd .. fi
fi ''}
''}
''; '';
# Recursively traverses all dependencies of a package and pinpoints all # Recursively traverses all dependencies of a package and pinpoints all
# dependencies in the package.json file to the versions that are actually # dependencies in the package.json file to the versions that are actually
# being used. # being used.
pinpointDependenciesOfPackage = { packageName, dependencies ? [], production ? true, ... }@args: pinpointDependenciesOfPackage =
{
packageName,
dependencies ? [ ],
production ? true,
...
}:
'' ''
if [ -d "${packageName}" ] if [ -d "${packageName}" ]
then then
@ -207,7 +233,7 @@ let
# Extract the Node.js source code which is used to compile packages with # Extract the Node.js source code which is used to compile packages with
# native bindings # native bindings
nodeSources = runCommand "node-sources" {} '' nodeSources = runCommand "node-sources" { } ''
tar --no-same-owner --no-same-permissions -xf ${nodejs.src} tar --no-same-owner --no-same-permissions -xf ${nodejs.src}
mv node-* $out mv node-* $out
''; '';
@ -414,186 +440,236 @@ let
''; '';
}; };
prepareAndInvokeNPM = {packageName, bypassCache, reconstructLock, npmFlags, production}: prepareAndInvokeNPM =
{
packageName,
bypassCache,
reconstructLock,
npmFlags,
production,
}:
let let
forceOfflineFlag = if bypassCache then "--offline" else "--registry http://www.example.com"; forceOfflineFlag = if bypassCache then "--offline" else "--registry http://www.example.com";
in in
'' ''
# Pinpoint the versions of all dependencies to the ones that are actually being used # Pinpoint the versions of all dependencies to the ones that are actually being used
echo "pinpointing versions of dependencies..." echo "pinpointing versions of dependencies..."
source $pinpointDependenciesScriptPath source $pinpointDependenciesScriptPath
# Patch the shebangs of the bundled modules to prevent them from # Patch the shebangs of the bundled modules to prevent them from
# calling executables outside the Nix store as much as possible # calling executables outside the Nix store as much as possible
patchShebangs . patchShebangs .
# Deploy the Node.js package by running npm install. Since the # Deploy the Node.js package by running npm install. Since the
# dependencies have been provided already by ourselves, it should not # dependencies have been provided already by ourselves, it should not
# attempt to install them again, which is good, because we want to make # attempt to install them again, which is good, because we want to make
# it Nix's responsibility. If it needs to install any dependencies # it Nix's responsibility. If it needs to install any dependencies
# anyway (e.g. because the dependency parameters are # anyway (e.g. because the dependency parameters are
# incomplete/incorrect), it fails. # incomplete/incorrect), it fails.
# #
# The other responsibilities of NPM are kept -- version checks, build # The other responsibilities of NPM are kept -- version checks, build
# steps, postprocessing etc. # steps, postprocessing etc.
export HOME=$TMPDIR export HOME=$TMPDIR
cd "${packageName}" cd "${packageName}"
runHook preRebuild runHook preRebuild
${lib.optionalString bypassCache '' ${lib.optionalString bypassCache ''
${lib.optionalString reconstructLock '' ${lib.optionalString reconstructLock ''
if [ -f package-lock.json ] if [ -f package-lock.json ]
then then
echo "WARNING: Reconstruct lock option enabled, but a lock file already exists!" echo "WARNING: Reconstruct lock option enabled, but a lock file already exists!"
echo "This will most likely result in version mismatches! We will remove the lock file and regenerate it!" echo "This will most likely result in version mismatches! We will remove the lock file and regenerate it!"
rm package-lock.json rm package-lock.json
else else
echo "No package-lock.json file found, reconstructing..." echo "No package-lock.json file found, reconstructing..."
fi fi
node ${reconstructPackageLock} node ${reconstructPackageLock}
''}
node ${addIntegrityFieldsScript}
''} ''}
npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild node ${addIntegrityFieldsScript}
''}
runHook postRebuild npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${lib.optionalString production "--production"} rebuild
if [ "''${dontNpmInstall-}" != "1" ] runHook postRebuild
then
# NPM tries to download packages even when they already exist if npm-shrinkwrap is used.
rm -f npm-shrinkwrap.json
npm ${forceOfflineFlag} --nodedir=${nodeSources} --no-bin-links --ignore-scripts ${npmFlags} ${lib.optionalString production "--production"} install if [ "''${dontNpmInstall-}" != "1" ]
fi then
# NPM tries to download packages even when they already exist if npm-shrinkwrap is used.
rm -f npm-shrinkwrap.json
# Link executables defined in package.json npm ${forceOfflineFlag} --nodedir=${nodeSources} --no-bin-links --ignore-scripts ${npmFlags} ${lib.optionalString production "--production"} install
node ${linkBinsScript} fi
# Link executables defined in package.json
node ${linkBinsScript}
''; '';
# Builds and composes an NPM package including all its dependencies # Builds and composes an NPM package including all its dependencies
buildNodePackage = buildNodePackage =
{ name {
, packageName name,
, version ? null packageName,
, dependencies ? [] version ? null,
, buildInputs ? [] buildInputs ? [ ],
, production ? true production ? true,
, npmFlags ? "" npmFlags ? "",
, dontNpmInstall ? false dontNpmInstall ? false,
, bypassCache ? false bypassCache ? false,
, reconstructLock ? false reconstructLock ? false,
, preRebuild ? "" preRebuild ? "",
, dontStrip ? true dontStrip ? true,
, unpackPhase ? "true" unpackPhase ? "true",
, buildPhase ? "true" buildPhase ? "true",
, meta ? {} meta ? { },
, ... }@args: ...
}@args:
let let
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "preRebuild" "unpackPhase" "buildPhase" "meta" ]; extraArgs = removeAttrs args [
"name"
"dependencies"
"buildInputs"
"dontStrip"
"dontNpmInstall"
"preRebuild"
"unpackPhase"
"buildPhase"
"meta"
];
in in
stdenv.mkDerivation ({ stdenv.mkDerivation (
name = "${name}${if version == null then "" else "-${version}"}"; {
buildInputs = [ tarWrapper python nodejs ] name = "${name}${if version == null then "" else "-${version}"}";
++ lib.optional (stdenv.isLinux) utillinux buildInputs =
++ lib.optional (stdenv.isDarwin) libtool [
++ buildInputs; tarWrapper
python
nodejs
]
++ lib.optional (stdenv.isLinux) utillinux ++ lib.optional (stdenv.isDarwin) libtool ++ buildInputs;
inherit nodejs; inherit nodejs;
inherit dontStrip; # Stripping may fail a build for some package deployments inherit dontStrip; # Stripping may fail a build for some package deployments
inherit dontNpmInstall preRebuild unpackPhase buildPhase; inherit
dontNpmInstall
preRebuild
unpackPhase
buildPhase
;
compositionScript = composePackage args; compositionScript = composePackage args;
pinpointDependenciesScript = pinpointDependenciesOfPackage args; pinpointDependenciesScript = pinpointDependenciesOfPackage args;
passAsFile = [ "compositionScript" "pinpointDependenciesScript" ]; passAsFile = [
"compositionScript"
"pinpointDependenciesScript"
];
installPhase = '' installPhase = ''
source ${installPackage} source ${installPackage}
# Create and enter a root node_modules/ folder # Create and enter a root node_modules/ folder
mkdir -p $out/lib/node_modules mkdir -p $out/lib/node_modules
cd $out/lib/node_modules cd $out/lib/node_modules
# Compose the package and all its dependencies # Compose the package and all its dependencies
source $compositionScriptPath source $compositionScriptPath
${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }} ${prepareAndInvokeNPM {
inherit
packageName
bypassCache
reconstructLock
npmFlags
production
;
}}
# Create symlink to the deployed executable folder, if applicable # Create symlink to the deployed executable folder, if applicable
if [ -d "$out/lib/node_modules/.bin" ] if [ -d "$out/lib/node_modules/.bin" ]
then then
ln -s $out/lib/node_modules/.bin $out/bin ln -s $out/lib/node_modules/.bin $out/bin
# Fixup all executables # Fixup all executables
ls $out/bin/* | while read i ls $out/bin/* | while read i
do do
file="$(readlink -f "$i")" file="$(readlink -f "$i")"
chmod u+rwx "$file" chmod u+rwx "$file"
if isScript "$file" if isScript "$file"
then then
sed -i 's/\r$//' "$file" # convert crlf to lf sed -i 's/\r$//' "$file" # convert crlf to lf
fi fi
done done
fi fi
# Create symlinks to the deployed manual page folders, if applicable # Create symlinks to the deployed manual page folders, if applicable
if [ -d "$out/lib/node_modules/${packageName}/man" ] if [ -d "$out/lib/node_modules/${packageName}/man" ]
then then
mkdir -p $out/share mkdir -p $out/share
for dir in "$out/lib/node_modules/${packageName}/man/"* for dir in "$out/lib/node_modules/${packageName}/man/"*
do do
mkdir -p $out/share/man/$(basename "$dir") mkdir -p $out/share/man/$(basename "$dir")
for page in "$dir"/* for page in "$dir"/*
do do
ln -s $page $out/share/man/$(basename "$dir") ln -s $page $out/share/man/$(basename "$dir")
done done
done done
fi fi
# Run post install hook, if provided # Run post install hook, if provided
runHook postInstall runHook postInstall
''; '';
meta = { meta = {
# default to Node.js' platforms # default to Node.js' platforms
platforms = nodejs.meta.platforms; platforms = nodejs.meta.platforms;
} // meta; } // meta;
} // extraArgs); }
// extraArgs
);
# Builds a node environment (a node_modules folder and a set of binaries) # Builds a node environment (a node_modules folder and a set of binaries)
buildNodeDependencies = buildNodeDependencies =
{ name {
, packageName name,
, version ? null packageName,
, src version ? null,
, dependencies ? [] src,
, buildInputs ? [] dependencies ? [ ],
, production ? true buildInputs ? [ ],
, npmFlags ? "" production ? true,
, dontNpmInstall ? false npmFlags ? "",
, bypassCache ? false dontNpmInstall ? false,
, reconstructLock ? false bypassCache ? false,
, dontStrip ? true reconstructLock ? false,
, unpackPhase ? "true" dontStrip ? true,
, buildPhase ? "true" unpackPhase ? "true",
, ... }@args: buildPhase ? "true",
...
}@args:
let let
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" ]; extraArgs = removeAttrs args [
"name"
"dependencies"
"buildInputs"
];
in in
stdenv.mkDerivation ({ stdenv.mkDerivation (
{
name = "node-dependencies-${name}${if version == null then "" else "-${version}"}"; name = "node-dependencies-${name}${if version == null then "" else "-${version}"}";
buildInputs = [ tarWrapper python nodejs ] buildInputs =
++ lib.optional (stdenv.isLinux) utillinux [
++ lib.optional (stdenv.isDarwin) libtool tarWrapper
++ buildInputs; python
nodejs
]
++ lib.optional (stdenv.isLinux) utillinux ++ lib.optional (stdenv.isDarwin) libtool ++ buildInputs;
inherit dontStrip; # Stripping may fail a build for some package deployments inherit dontStrip; # Stripping may fail a build for some package deployments
inherit dontNpmInstall unpackPhase buildPhase; inherit dontNpmInstall unpackPhase buildPhase;
@ -601,7 +677,10 @@ let
includeScript = includeDependencies { inherit dependencies; }; includeScript = includeDependencies { inherit dependencies; };
pinpointDependenciesScript = pinpointDependenciesOfPackage args; pinpointDependenciesScript = pinpointDependenciesOfPackage args;
passAsFile = [ "includeScript" "pinpointDependenciesScript" ]; passAsFile = [
"includeScript"
"pinpointDependenciesScript"
];
installPhase = '' installPhase = ''
source ${installPackage} source ${installPackage}
@ -626,7 +705,15 @@ let
cd .. cd ..
${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."} ${lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }} ${prepareAndInvokeNPM {
inherit
packageName
bypassCache
reconstructLock
npmFlags
production
;
}}
# Expose the executables that were installed # Expose the executables that were installed
cd .. cd ..
@ -635,51 +722,59 @@ let
mv ${packageName} lib mv ${packageName} lib
ln -s $out/lib/node_modules/.bin $out/bin ln -s $out/lib/node_modules/.bin $out/bin
''; '';
} // extraArgs); }
// extraArgs
);
# Builds a development shell # Builds a development shell
buildNodeShell = buildNodeShell =
{ name {
, packageName name,
, version ? null version ? null,
, src dependencies ? [ ],
, dependencies ? [] buildInputs ? [ ],
, buildInputs ? [] ...
, production ? true }@args:
, npmFlags ? ""
, dontNpmInstall ? false
, bypassCache ? false
, reconstructLock ? false
, dontStrip ? true
, unpackPhase ? "true"
, buildPhase ? "true"
, ... }@args:
let let
nodeDependencies = buildNodeDependencies args; nodeDependencies = buildNodeDependencies args;
extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "unpackPhase" "buildPhase" ]; extraArgs = removeAttrs args [
"name"
"dependencies"
"buildInputs"
"dontStrip"
"dontNpmInstall"
"unpackPhase"
"buildPhase"
];
in in
stdenv.mkDerivation ({ stdenv.mkDerivation (
name = "node-shell-${name}${if version == null then "" else "-${version}"}"; {
name = "node-shell-${name}${if version == null then "" else "-${version}"}";
buildInputs = [ python nodejs ] ++ lib.optional (stdenv.isLinux) utillinux ++ buildInputs; buildInputs = [
buildCommand = '' python
mkdir -p $out/bin nodejs
cat > $out/bin/shell <<EOF ] ++ lib.optional (stdenv.isLinux) utillinux ++ buildInputs;
#! ${stdenv.shell} -e buildCommand = ''
$shellHook mkdir -p $out/bin
exec ${stdenv.shell} cat > $out/bin/shell <<EOF
EOF #! ${stdenv.shell} -e
chmod +x $out/bin/shell $shellHook
''; exec ${stdenv.shell}
EOF
chmod +x $out/bin/shell
'';
# Provide the dependencies in a development shell through the NODE_PATH environment variable # Provide the dependencies in a development shell through the NODE_PATH environment variable
inherit nodeDependencies; inherit nodeDependencies;
shellHook = lib.optionalString (dependencies != []) '' shellHook = lib.optionalString (dependencies != [ ]) ''
export NODE_PATH=${nodeDependencies}/lib/node_modules export NODE_PATH=${nodeDependencies}/lib/node_modules
export PATH="${nodeDependencies}/bin:$PATH" export PATH="${nodeDependencies}/bin:$PATH"
''; '';
} // extraArgs); }
// extraArgs
);
in in
{ {
buildNodeSourceDist = lib.makeOverridable buildNodeSourceDist; buildNodeSourceDist = lib.makeOverridable buildNodeSourceDist;

925
pkgs/renovate/node-packages.nix
View File

File diff suppressed because it is too large Load Diff

30
pkgs/writers.nix
View File

@ -1,12 +1,13 @@
{ lib {
, bash lib,
, coreutils bash,
, gawk coreutils,
, path gawk,
, # nixpkgs path path,
writeScript # nixpkgs path
, writeScriptBin writeScript,
, ... writeScriptBin,
...
}: }:
let let
# Create a script that runs in a `pure` environment, in the sense that: # Create a script that runs in a `pure` environment, in the sense that:
@ -18,12 +19,12 @@ let
# - all environment variables are unset, except: # - all environment variables are unset, except:
# - the ones listed in `keepVars` defined in ./default.nix # - the ones listed in `keepVars` defined in ./default.nix
# - the ones listed via the `KEEP_VARS` variable # - the ones listed via the `KEEP_VARS` variable
writePureShellScript = PATH: script: writePureShellScript = PATH: script: writeScript "script.sh" (mkScript PATH script);
writeScript "script.sh" (mkScript PATH script);
# Creates a script in a `bin/` directory in the output; suitable for use with `lib.makeBinPath`, etc. # Creates a script in a `bin/` directory in the output; suitable for use with `lib.makeBinPath`, etc.
# See {option}`writers.writePureShellScript` # See {option}`writers.writePureShellScript`
writePureShellScriptBin = binName: PATH: script: writePureShellScriptBin =
binName: PATH: script:
writeScriptBin binName (mkScript PATH script); writeScriptBin binName (mkScript PATH script);
mkScript = PATH: scriptText: '' mkScript = PATH: scriptText: ''
@ -91,8 +92,5 @@ let
''; '';
in in
{ {
inherit inherit writePureShellScript writePureShellScriptBin;
writePureShellScript
writePureShellScriptBin
;
} }

8
targets/flake-module.nix
View File

@ -4,13 +4,11 @@
meta.name = "infra"; meta.name = "infra";
directory = self; directory = self;
# Make flake available in modules # Make flake available in modules
specialArgs = { specialArgs.self = {
self = { inherit (self) inputs nixosModules packages;
inherit (self) inputs nixosModules packages;
};
}; };
machines = { machines = {
web01 = { modulesPath, ... }: { web01 = {
imports = [ (./web01/configuration.nix) ]; imports = [ (./web01/configuration.nix) ];
}; };
}; };