diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..c4b17d7 --- /dev/null +++ b/.envrc @@ -0,0 +1 @@ +use_flake diff --git a/.github/workflows/flake-check.yml b/.github/workflows/flake-check.yml new file mode 100644 index 0000000..01e3d7c --- /dev/null +++ b/.github/workflows/flake-check.yml @@ -0,0 +1,16 @@ +name: "Lint" + +on: + push: + pull_request: + +jobs: + checks: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: cachix/install-nix-action@v25 + with: + nix_path: nixpkgs=channel:nixpkgs-unstable + - run: | + nix flake check -L diff --git a/.gitignore b/.gitignore index d980299..d999d6e 100644 --- a/.gitignore +++ b/.gitignore @@ -11,3 +11,6 @@ result # Colmena --keep-result roots directory .gcroots + +# pre-commit +.pre-commit-config.yaml diff --git a/build/datadog/hydra.nix b/build/datadog/hydra.nix index 0e5c4ed..70a5a69 100644 --- a/build/datadog/hydra.nix +++ b/build/datadog/hydra.nix @@ -1,4 +1,4 @@ -{config, pkgs, ...}: +{ pkgs, ...}: { systemd.services.dd-agent.environment.PYTHONPATH = "${pkgs.pythonPackages.requests}/lib/python2.7/site-packages"; environment.etc = diff --git a/build/diffoscope.nix b/build/diffoscope.nix index afe0e61..ebb7f04 100644 --- a/build/diffoscope.nix +++ b/build/diffoscope.nix @@ -1,6 +1,4 @@ -{ config, pkgs, ... }: - -with pkgs.lib; +{ pkgs, ... }: let diff --git a/build/flake.nix b/build/flake.nix index f546973..fb02118 100644 --- a/build/flake.nix +++ b/build/flake.nix @@ -26,10 +26,8 @@ inputs.rfc39.url = "github:NixOS/rfc39"; inputs.rfc39.inputs.nixpkgs.follows = "nixpkgs"; - outputs = flakes @ { self, agenix, colmena, disko, hydra, hydra-scale-equinix-metal, nix, nixpkgs, nixos-channel-scripts, nix-netboot-serve, rfc39 }: + outputs = { self, agenix, colmena, disko, hydra, hydra-scale-equinix-metal, nix, nixpkgs, nixos-channel-scripts, nix-netboot-serve, rfc39 }: let - inherit (nixpkgs) lib; - flakesModule = { imports = [ agenix.nixosModules.age 
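Review bot: The new workflow in .github/workflows/flake-check.yml runs with the default GITHUB_TOKEN permissions and pins both actions to mutable tags (`actions/checkout@v4`, `cachix/install-nix-action@v25`), so a moved tag changes what executes on every push and pull request without any change in this repository. The job only runs `nix flake check -L`, which needs nothing beyond read access; add a top-level `permissions:` block with `contents: read` and pin each `uses:` to a full commit SHA, keeping the tag in a trailing comment. The `nix_path: nixpkgs=channel:nixpkgs-unstable` setting appears unused by the check itself, since a flake resolves nixpkgs from flake.lock rather than NIX_PATH; either drop it or leave a comment saying what it is for.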
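Review bot: Dropping `with pkgs.lib;` from build/diffoscope.nix is only safe if the remainder of the file, which lies outside this hunk, never used a lib function unqualified; the deadnix/statix hooks added in this commit do not evaluate the file, and the root flake's `nix flake check` runs only those hooks, so an undefined-variable error here would first surface at deploy time rather than in CI. Worth confirming with an evaluation of the build flake before merging. The comparable `with pkgs;` removal in build/flake.nix looks safe, as both entries in that list are fully qualified.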
@@ -87,13 +85,13 @@ deployment = { targetHost = "${name}.nixos.org"; }; - }) (self.nixosConfigurations); + }) self.nixosConfigurations; # TODO: flake-utils.lib.eachDefaultSystem devShell.x86_64-linux = let pkgs = import nixpkgs { system = "x86_64-linux"; }; in pkgs.mkShell { - buildInputs = with pkgs; [ + buildInputs = [ agenix.packages.x86_64-linux.agenix colmena.packages.x86_64-linux.colmena ]; diff --git a/build/hydra-proxy.nix b/build/hydra-proxy.nix index 5c1ab01..3ac1752 100644 --- a/build/hydra-proxy.nix +++ b/build/hydra-proxy.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ...}: +{ config, ...}: { services.nginx = { diff --git a/build/hydra-scaler.nix b/build/hydra-scaler.nix index 126d6e9..444f86d 100644 --- a/build/hydra-scaler.nix +++ b/build/hydra-scaler.nix @@ -1,5 +1,3 @@ -{ config, pkgs, lib, ... }: - { services.hydra-scale-equinix-metal = { enable = true; @@ -8,7 +6,7 @@ secretFile = "/root/keys/hydra-scale-equinix-metal-env"; interval = ["*:0/5"]; config = let - netboot_base = https://netboot.nixos.org/dispatch/hydra/hydra.nixos.org/equinix-metal-builders/main; + netboot_base = "https://netboot.nixos.org/dispatch/hydra/hydra.nixos.org/equinix-metal-builders/main"; in { metro = "any"; tags = ["hydra"]; @@ -24,7 +22,7 @@ # The netboot URL for arm64 big-parallel is: https://netboot.nixos.org/dispatch/hydra/hydra.nixos.org/equinix-metal-builders/main/c3-large-arm--big-parallel ("Always PXE" enabled, "hydra" tag) # The netboot URL for arm64 small is: https://netboot.nixos.org/dispatch/hydra/hydra.nixos.org/equinix-metal-builders/main/c3-large-arm ("Always PXE" enabled, "hydra" tag) - x86_64-linux = rec { + x86_64-linux = { bigparallel = { divisor = 16; minimum = 1; diff --git a/build/hydra.nix b/build/hydra.nix index fc84fe6..6383f9f 100644 --- a/build/hydra.nix +++ b/build/hydra.nix 
@@ -62,7 +62,7 @@ in ''; # Work around https://github.com/NixOS/hydra/issues/1337 - services.hydra-dev.package = pkgs.hydra.overrideAttrs(final: prev: { + services.hydra-dev.package = pkgs.hydra.overrideAttrs(_: prev: { postPatch = '' ${prev.postPatch or ""} rm src/lib/Hydra/Plugin/DeclarativeJobsets.pm diff --git a/build/packet-importer.nix b/build/packet-importer.nix index 098872a..4c19d62 100644 --- a/build/packet-importer.nix +++ b/build/packet-importer.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, ... }: +{ pkgs, ... }: let importer = pkgs.callPackage ../hydra-packet-importer { }; in diff --git a/build/pluto/prometheus/default.nix b/build/pluto/prometheus/default.nix index 0189a89..a83d4dc 100644 --- a/build/pluto/prometheus/default.nix +++ b/build/pluto/prometheus/default.nix @@ -1,7 +1,3 @@ -{ config -, ... -}: - { imports = [ ./alertmanager.nix diff --git a/build/rhea/configuration.nix b/build/rhea/configuration.nix index 8920d64..cda57ec 100644 --- a/build/rhea/configuration.nix +++ b/build/rhea/configuration.nix @@ -1,4 +1,4 @@ -{ nodes, config, lib, pkgs, ... }: +{ pkgs, ... }: { imports = [ ./hardware-configuration.nix @@ -44,9 +44,6 @@ nix.extraOptions = "gc-keep-outputs = false"; - #services.postfix.enable = true; - #services.postfix.hostname = "hydra.nixos.org"; - # Don't rate-limit the journal. services.journald.rateLimitBurst = 0; diff --git a/build/rhea/hardware-configuration.nix b/build/rhea/hardware-configuration.nix index 8ab25e0..687ecac 100644 --- a/build/rhea/hardware-configuration.nix +++ b/build/rhea/hardware-configuration.nix @@ -1,4 +1,4 @@ -{ config, lib, pkgs, modulesPath, ... }: +{ config, lib, modulesPath, ... }: { imports = diff --git a/channels.nix b/channels.nix index b31776b..bf79c46 100644 --- a/channels.nix +++ b/channels.nix @@ -88,5 +88,5 @@ rec { }; }; - channels-with-urls = (builtins.mapAttrs (name: about: about.job) channels); + channels-with-urls = builtins.mapAttrs (_: about: about.job) channels; } 
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..8620541
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,123 @@
+{
+ "nodes": {
+ "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1696426674,
+ "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-utils": {
+ "inputs": {
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1705309234,
+ "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ },
+ "git-hooks": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "gitignore": "gitignore",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "nixpkgs-stable": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1718879355,
+ "narHash": "sha256-RTyqP4fBX2MdhNuMP+fnR3lIwbdtXhyj7w7fwtvgspc=",
+ "owner": "cachix",
+ "repo": "git-hooks.nix",
+ "rev": "8cd35b9496d21a6c55164d8547d9d5280162b07a",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "git-hooks.nix",
+ "type": "github"
+ }
+ },
+ "gitignore": {
+ "inputs": {
+ "nixpkgs": [
+ "git-hooks",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1709087332,
+ "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1707845630,
+ "narHash": "sha256-JXgesioAuZKSbfjTg9qxewBVBb/wbSw9b4nZomZrj28=",
+ "owner": "NIxOS",
+ "repo": "nixpkgs",
+ "rev": "dd7b7a8f7b2943862403e40972e67823058f3525",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NIxOS",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "root": {
+ "inputs": {
+ "flake-utils": "flake-utils",
+ "git-hooks": "git-hooks",
+ "nixpkgs": "nixpkgs"
+ }
+ },
+ "systems": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..5877d45
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,33 @@
+{
+ description = "NixOS Infra";
+
+ inputs = {
+ nixpkgs.url = "github:NIxOS/nixpkgs";
+ git-hooks = {
+ url = "github:cachix/git-hooks.nix";
+ inputs = {
+ nixpkgs.follows = "nixpkgs";
+ nixpkgs-stable.follows = "nixpkgs";
+ };
+ };
+ flake-utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs = { self, nixpkgs, git-hooks, flake-utils }:
+ flake-utils.lib.eachSystem [ "aarch64-linux" "x86_64-linux" ] (system: {
+ checks = {
+ pre-commit = git-hooks.lib.${system}.run {
+ src = ./.;
+ hooks = {
+ deadnix.enable = true;
+ statix.enable = true;
+ };
+ };
+ };
+ devShells.default = nixpkgs.legacyPackages.${system}.mkShell {
+ buildInputs = self.checks.${system}.pre-commit.enabledPackages;
+ inherit (self.checks.${system}.pre-commit) shellHook;
+ };
+ }
+ );
+}
diff --git a/lib/service-order.nix b/lib/service-order.nix
index f4a124d..6698193 100644
--- a/lib/service-order.nix
+++ b/lib/service-order.nix
@@ -2,7 +2,6 @@
 #
 # Given a set of services, make them run one at a time in a specific
 # order, on a timer.
-{ lib }:
 {
 # Given a list of systemd service, give each one an After
 # attribute, so they start in a specific order. The returned
diff --git a/macs/nix-darwin.nix b/macs/nix-darwin.nix
index 5b181e3..cc8c8d4 100644
--- a/macs/nix-darwin.nix
+++ b/macs/nix-darwin.nix
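Review bot: `nixpkgs.url = "github:NIxOS/nixpkgs";` in the new flake.nix misspells the owner with a capital I; it appears to resolve only because GitHub matches owner names case-insensitively, and flake.lock now records `"owner": "NIxOS"` for that input as well. Change it to `nixpkgs.url = "github:NixOS/nixpkgs";` and re-lock so the recorded origin matches the organisation name used by the other inputs in this repository. The URL also names no branch, so the lock pins whatever the repository's default branch pointed at when it was created; if the intent is to track `nixpkgs-unstable`, as the workflow's `nix_path` suggests, state the branch in the URL.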
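Review bot: Removing the `{ lib }:` parameter from lib/service-order.nix changes how the file is consumed: any call site that does `import ./lib/service-order.nix { inherit lib; }` now applies an argument to what the context line `{` suggests is a plain attribute set, and evaluation fails there. The callers and the rest of the file are outside this hunk, and the root flake's `nix flake check` only runs the deadnix/statix hooks without evaluating the deployments, so such a break would not show up in CI. Confirm every import site was updated in the same change, or keep the file a function that ignores its argument, e.g. `{ ... }:`, if the import sites cannot all be changed now.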
@@ -55,9 +55,9 @@ in ''; environment.etc."per-user/root/ssh/authorized_keys".text = concatStringsSep "\n" - ([ + [ (authorizedNixStoreKey sshKeys.hydra-queue-runner) - ]); + ]; system.activationScripts.postActivation.text = '' diff --git a/non-critical-infra/flake.nix b/non-critical-infra/flake.nix index 5e7380b..e10c038 100644 --- a/non-critical-infra/flake.nix +++ b/non-critical-infra/flake.nix @@ -40,13 +40,13 @@ outputs = { self, nixpkgs, flake-utils, colmena, disko, srvos, first-time-contribution-tagger, sops-nix, ... }@inputs: let importConfig = path: (lib.mapAttrs (name: value: import (path + "/${name}/default.nix")) (lib.filterAttrs (_: v: v == "directory") (builtins.readDir path))); - lib = nixpkgs.lib; + inherit (nixpkgs) lib; in { nixosConfigurations = builtins.mapAttrs (name: value: nixpkgs.lib.nixosSystem { - lib = lib; + inherit lib; system = "x86_64-linux"; specialArgs = { inherit inputs; diff --git a/non-critical-infra/modules/postfix.nix b/non-critical-infra/modules/postfix.nix index 950cec0..eaeb0ee 100644 --- a/non-critical-infra/modules/postfix.nix +++ b/non-critical-infra/modules/postfix.nix @@ -10,18 +10,18 @@ enable = true; domains = config.networking.fqdn; selector = "mail"; - user = config.services.postfix.user; - group = config.services.postfix.group; + inherit (config.services.postfix) + user + group + ; keyPath = "/run/opendkim-keys"; }; systemd.services.opendkim.serviceConfig = { ExecStartPre = [ - ( - "+${pkgs.writeShellScript "opendkim-keys" '' - install -o ${config.services.postfix.user} -g ${config.services.postfix.group} -D -m0700 ${config.sops.secrets.opendkim-private-key.path} /run/opendkim-keys/${config.services.opendkim.selector}.private - ''}" - ) + "+${pkgs.writeShellScript "opendkim-keys" '' + install -o ${config.services.postfix.user} -g ${config.services.postfix.group} -D -m0700 ${config.sops.secrets.opendkim-private-key.path} /run/opendkim-keys/${config.services.opendkim.selector}.private + ''}" ]; }; 
diff --git a/statix.toml b/statix.toml new file mode 100644 index 0000000..f127427 --- /dev/null +++ b/statix.toml @@ -0,0 +1,6 @@ +disabled = [ + "repeated_keys" +] +nix_version = '2.4' +ignore = ['.direnv'] + diff --git a/survey/flake.nix b/survey/flake.nix index 28f5e52..7b7c55e 100644 --- a/survey/flake.nix +++ b/survey/flake.nix @@ -10,9 +10,9 @@ # https://github.com/NixOS/nixpkgs/pull/157832 inputs.nixpkgs.url = "github:garbas/nixpkgs/update-limesurvey"; - outputs = flakes @ { self, nixpkgs }: + outputs = { self, nixpkgs }: let - customOverlay = final: prev: { + customOverlay = _: prev: { limesurvey = prev.limesurvey.overrideAttrs (old: { installPhase = old.installPhase + '' mkdir -p $out/share/limesurvey/upload/themes/survey/generalfiles/ @@ -27,7 +27,7 @@ [ "${nixpkgs}/nixos/modules/virtualisation/amazon-image.nix" ../modules/common.nix - ({ config, pkgs, lib, ... }: + ({ pkgs, lib, ... }: { ec2.hvm = true;