wip

acmcsufoss · Apr 17, 2024 · 0fa065f · 0fa065f
1 parent 61db07c
commit 0fa065f
Show file tree

Hide file tree

Showing 11 changed files with 96 additions and 118 deletions.
diff --git a/default.nix b/default.nix
diff --git a/flake.nix b/flake.nix
@@ -29,23 +29,64 @@
 
 	flake-utils.lib.eachDefaultSystem (system:
 		let
-			pkgs = nixpkgs.legacyPackages.${system};
 			overlays = self.overlays.${system};
 		in
 		{
+			devShells = let
+				pkgs = import nixpkgs {
+					inherit system;
+					overlays = [
+						overlays.buildTools
+					];
+					config = {
+						# Allow unfree packages for Terraform.
+						allowUnfree = true;
+					};
+				};
+			in
+			{
+				default = pkgs.mkShell {
+					name = "acm-aws-shell";
+
+					packages = with pkgs; [
+						terraform
+						awscli2
+						nix-update
+						jq
+						niv
+						git
+						git-crypt
+						openssl
+						yamllint
+						expect
+						shellcheck
+					] ++ [
+						# Fix Nix Flake's weird scoping issue.
+						pkgs.gomod2nix
+					];
+
+					# Enforce purity by unsetting NIX_PATH.
+					# This messes up any code that uses Nix channels.
+					NIX_PATH = "";
+				};
+			};
+
 			overlays = {
 				# Overlay for the build tools that our packages use.
 				buildTools = final: prev: {
 					#
 					# Build tools
 					#
 					inherit (gomod2nix.legacyPackages.${system})
-						mkGoEnv buildGoApplication;
+						mkGoEnv buildGoApplication gomod2nix;
+
 					inherit (poetry2nix.lib.mkPoetry2Nix { pkgs = prev; })
 						mkPoetryApplication;
+
 					inherit (nix-npm-buildpackage.legacyPackages.${system})
 						buildNpmPackage
 						buildYarnPackage;
+
 					buildDenoPackage = final.callPackage ./nix/packaging/deno.nix { };
 					buildJavaPackage = final.callPackage ./nix/packaging/java.nix { };
 					buildGradlePackage = final.callPackage ./nix/packaging/gradle.nix { };
@@ -74,8 +115,40 @@
 			};
 
 			nixosConfigurations = {
-				cirno = import ./servers/cirno inputs;
-				cs306 = import ./servers/cs306 inputs;
+				cirno = self.lib.nixosSystem {
+					system = "x86_64-linux";
+					configuration = ./servers/cirno/configuration.nix;
+				};
+				cs306 = self.lib.nixosSystem {
+					system = "x86_64-linux";
+					configuration = ./servers/cs306/configuration.nix;
+				};
+			};
+
+			lib = {
+				# All nixosConfigurations should have this in their specialArgs.
+				nixosArgs = { system }: inputs // {
+					# Import Niv sources directly into the arguments for convenience.
+					sources = import ./nix/sources.nix {
+						inherit system;
+						pkgs = nixpkgs.legacyPackages.${system};
+					};
+					# TODO: migrate away from Nix store-based secrets.
+					# See https://github.com/acmcsufoss/acm-aws/issues/34.
+					secretsPath = secret: self + "/secrets/" + secret;
+				};
+
+				mkNixosSystem = { system, configurationFile }:
+					nixpkgs.lib.nixosSystem {
+						inherit system;
+						modules = [
+							./servers/base.nix
+							configurationFile
+						];
+						specialArgs = self.lib.nixosArgs {
+							inherit system;
+						};
+					};
 			};
 		}
 	);

diff --git a/nix/sources.json b/nix/sources.json
@@ -157,19 +157,6 @@
         "url": "https://github.com/serokell/nix-npm-buildpackage/archive/200e47aabd2b55993561c47e8390c89bdeb18b8a.tar.gz",
         "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
     },
-    "nixpkgs": {
-        "branch": "nixos-23.11",
-        "description": "Nix Packages collection",
-        "homepage": "",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "b94a96839afcc56de3551aa7472b8d9a3e77e05d",
-        "sha256": "1j5vs24bgy2arl342lrh3znc1pdz68kcjp2rpgy3sccpd9sibqqn",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/b94a96839afcc56de3551aa7472b8d9a3e77e05d.tar.gz",
-        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz",
-        "version": "nixos-unstable"
-    },
     "nixpkgs_newer": {
         "branch": "nixpkgs-unstable",
         "description": "Nix Packages collection",

diff --git a/servers/cirno/default.nix b/servers/cirno/default.nix
diff --git a/servers/cirno/services.nix b/servers/cirno/services.nix
@@ -1,22 +1,18 @@
-{ config, lib, pkgs, ... }:
-
-let
-	sources = import <acm-aws/nix/sources.nix>;
-in
+{ config, lib, pkgs, self, ... }:
 
 {
 	services.diamondburned.caddy = {
 		enable = true;
 		configFile = ./Caddyfile;
-		environment = import <acm-aws/secrets/caddy-env.nix>;
+		environment = import (self + "/secrets/caddy-env.nix");
 	};
 
 	systemd.services.acmregister = {
 		enable = true;
 		description = "ACM member registration Discord bot";
 		after = [ "network-online.target" ];
 		wantedBy = [ "multi-user.target" ];
-		environment = import ./secrets/acmregister-env.nix;
+		environment = import (self + "/secrets/acmregister-env.nix");
 		serviceConfig = {
 			Type = "simple";
 			ExecStart = "${pkgs.acmregister}/bin/acmregister";

diff --git a/servers/cirno/telemetry.nix b/servers/cirno/telemetry.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, self, ... }:
 
 {
 	# Enable netdata, which is a lightweight alternative to Grafana.
@@ -21,7 +21,7 @@
 			"stream.conf" = pkgs.writeText "stream.conf" ''
 				[stream]
 					enabled = yes
-					api key = ${builtins.readFile <acm-aws/secrets/netdata-key>}
+					api key = ${builtins.readFile (self + "/secrets/netdata-key")}
 					destination = cs306:19999
 			'';
 		};

diff --git a/servers/cs306/caddy/default.nix b/servers/cs306/caddy/default.nix
@@ -1,7 +1,7 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, secretsPath, ... }:
 
 let
-	environment = import <acm-aws/secrets/caddy-env.nix>;
+	environment = import (secretsPath "caddy-env.nix");
 
 	preprocessedCaddyfile = pkgs.runCommandLocal "Caddyfile-preprocessed" {} ''
 		cp ${./Caddyfile} $out

diff --git a/servers/cs306/default.nix b/servers/cs306/default.nix
diff --git a/servers/cs306/services.nix b/servers/cs306/services.nix
@@ -1,27 +1,23 @@
-{ config, lib, pkgs, ... }:
-
-let
-	sources = import <acm-aws/nix/sources.nix>;
-in
+{ config, lib, pkgs, self, sources, ... }:
 
 {
 	services.managed.enable = true;
 
 	services.managed.services = with lib; {
 		triggers = {
 			command = getExe pkgs.triggers;
-			environment = import <acm-aws/secrets/triggers-env.nix>;
+			environment = import (self + "/secrets/triggers-env.nix");
 		};
 
 		pomo = {
 			command = getExe pkgs.pomo;
-			environment = import <acm-aws/secrets/pomo.nix>;
+			environment = import (self + "/secrets/pomo.nix");
 			serviceConfig.StartLimitInterval = "0"; # Permit unlimited restarts.
 		};
 
 		acm-nixie = {
 			command = getExe pkgs.acm-nixie;
-			environment = import <acm-aws/secrets/acm-nixie-env.nix>;
+			environment = import (self + "/secrets/acm-nixie-env.nix");
 		};
 
 		crying-counter = {
@@ -40,22 +36,22 @@ in
 
 				${getExe pkgs.crying-counter}
 			'';
-			environment = import <acm-aws/secrets/crying-counter-env.nix>;
+			environment = import (self + "/secrets/crying-counter-env.nix");
 		};
 
 		discord-conversation-summary-bot = {
 			command = getExe pkgs.discord_conversation_summary_bot;
 			workingDirectory = pkgs.writeTextDir
 				"config.json"
-				(builtins.readFile <acm-aws/secrets/discord_conversation_summary_bot.json>);
+				(builtins.readFile (self + "/secrets/discord_conversation_summary_bot.json"));
 		};
 
 		discord-ical-srv = {
 			command = [
 				(getExe pkgs.discord-ical-srv)
 				"-l" "unix:///run/discord-ical-srv/http.sock"
 			];
-			environment = import <acm-aws/secrets/discord-ical-srv-env.nix>;
+			environment = import (self + "/secrets/discord-ical-srv-env.nix");
 		};
 
 		discord-ical-reminder = {
@@ -64,7 +60,7 @@ in
 				"-c"
 				"${pkgs.writeText
 					"discord-ical-reminder.json"
-					(builtins.toJSON (import <acm-aws/secrets/ical-reminders.nix>))}"
+					(builtins.toJSON (import (self + "/secrets/ical-reminders.nix")))}"
 			];
 		};
 
@@ -107,7 +103,7 @@ in
 	systemd.services.sendlimiter =
 		let
 			extraArgs = [];
-			secrets = import <acm-aws/secrets/sendlimiter.nix>;
+			secrets = import (self + "/secrets/sendlimiter.nix");
 			args = lib.concatStringsSep
 				" "
 				(map lib.escapeShellArg (extraArgs ++ secrets.channelIDs));
@@ -129,6 +125,6 @@ in
 
 	services.dischord = {
 		enable = true;
-		config = builtins.readFile <acm-aws/secrets/dischord-config.toml>;
+		config = builtins.readFile (self + "/secrets/dischord-config.toml");
 	};
 }
diff --git a/servers/cs306/telemetry.nix b/servers/cs306/telemetry.nix
@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, self, secretsPath, ... }:
 
 let
 	tailnet = builtins.getEnv "TAILNET_NAME";
@@ -39,7 +39,7 @@ assert lib.assertMsg
 					enabled = yes
 					enable compression = yes
 
-				[${builtins.readFile <acm-aws/secrets/netdata-key>}]
+				[${builtins.readFile (secretsPath "netdata-key")}]
 					enabled = yes
 					allow from = 100.*
 					default memory mode = dbengine

diff --git a/shell.nix b/shell.nix