bypass native flake input for Nixpkgs (#374)

@Niols the sheer amount of hassle and noise indicates that it may be better to first split out a `flake.nix` just for the tests. And all this clutter doesn't even explain yet *why* we thought it needs to be there.

closes #279.

Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com>
Reviewed-on: Fediversity/Fediversity#374
Reviewed-by: kiara Grouwstra <kiara@procolix.eu>
Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io>
Co-committed-by: Valentin Gagarin <valentin.gagarin@tweag.io>

deployment/check/basic/nixosTest.nix

@@ -10,6 +10,12 @@
         inputs.nixops4.packages.${pkgs.system}.default
       ];
 
+      # FIXME: sad times
+      system.extraDependencies = with pkgs; [
+        jq
+        jq.inputDerivation
+      ];
+
       system.extraDependenciesFromModule =
         { pkgs, ... }:
         {

deployment/check/common/deployerNode.nix

@@ -14,6 +14,8 @@ let
     types
     ;
 
+  sources = import ../../../npins;
+
 in
 {
   imports = [ ./sharedOptions.nix ];
@@ -57,6 +59,8 @@ in
         "${inputs.nixops4-nixos}"
         "${inputs.nixpkgs}"
 
+        "${sources.flake-inputs}"
+
         pkgs.stdenv
         pkgs.stdenvNoCC
       ]

flake.lock

@@ -596,22 +596,6 @@
         "type": "github"
       }
     },
-    "nixpkgs_4": {
-      "locked": {
-        "lastModified": 1740463929,
-        "narHash": "sha256-4Xhu/3aUdCKeLfdteEHMegx5ooKQvwPHNkOgNCXQrvc=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "5d7db4668d7a0c6cc5fc8cf6ef33b008b2b1ed8b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-24.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
     "parts": {
       "inputs": {
         "nixpkgs-lib": [
@@ -686,8 +670,7 @@
           "nixops4-nixos",
           "nixops4"
         ],
-        "nixops4-nixos": "nixops4-nixos",
+        "nixops4-nixos": "nixops4-nixos"
-        "nixpkgs": "nixpkgs_4"
       }
     },
     "rust-overlay": {

flake.nix

@@ -1,6 +1,5 @@
 {
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; # consumed by flake-parts
     flake-parts.url = "github:hercules-ci/flake-parts";
     git-hooks.url = "github:cachix/git-hooks.nix";
     nixops4.follows = "nixops4-nixos/nixops4";
@@ -8,12 +7,34 @@
   };
 
   outputs =
-    inputs@{ flake-parts, ... }:
+    inputs@{ self, flake-parts, ... }:
     let
       sources = import ./npins;
+      inherit (import sources.flake-inputs) import-flake;
       inherit (sources) git-hooks agenix;
+      # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
+      # XXX - this is just importing a flake
+      nixpkgs = import-flake { src = sources.nixpkgs; };
+      # XXX - this overrides the inputs attached to `self`
+      inputs' = self.inputs // {
+        nixpkgs = nixpkgs;
+      };
+      self' = self // {
+        inputs = inputs';
+      };
     in
-    flake-parts.lib.mkFlake { inherit inputs; } {
+    # XXX - finally we override the overall set of `inputs` -- we need both:
+    #       `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
+    flake-parts.lib.mkFlake
+      {
+        inputs = inputs // {
+          inherit nixpkgs;
+        };
+        self = self';
+      }
+      (
+        { inputs, ... }:
+        {
           systems = [
             "x86_64-linux"
             "aarch64-linux"
@@ -68,5 +89,6 @@
                 ];
               };
             };
-    };
+        }
+      );
 }

npins/sources.json

@@ -25,6 +25,22 @@
       "url": null,
       "hash": "1w2gsy6qwxa5abkv8clb435237iifndcxq0s79wihqw11a5yb938"
     },
+    "flake-inputs": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "GitHub",
+        "owner": "fricklerhandwerk",
+        "repo": "flake-inputs"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "release_prefix": null,
+      "submodules": false,
+      "version": "4.1",
+      "revision": "ad02792f7543754569fe2fd3d5787ee00ef40be2",
+      "url": "https://api.github.com/repos/fricklerhandwerk/flake-inputs/tarball/4.1",
+      "hash": "1j57avx2mqjnhrsgq3xl7ih8v7bdhz1kj3min6364f486ys048bm"
+    },
     "flake-parts": {
       "type": "Git",
       "repository": {

services/fediversity/pixelfed/default.nix

@@ -56,12 +56,6 @@ in
     )
 
     (mkIf config.fediversity.pixelfed.enable {
-      ## NOTE: Pixelfed as packaged in nixpkgs has a permission issue that prevents Nginx
-      ## from being able to serving the images. We fix it here, but this should be
-      ## upstreamed. See https://github.com/NixOS/nixpkgs/issues/235147
-      services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: {
-        patches = (old.patches or [ ]) ++ [ ./group-permissions.patch ];
-      });
       users.users.nginx.extraGroups = [ "pixelfed" ];
 
       services.pixelfed = {

services/fediversity/pixelfed/group-permissions.patch

@@ -1,18 +0,0 @@
-diff --git a/config/filesystems.php b/config/filesystems.php
-index 00254e93..fc1a58f3 100644
---- a/config/filesystems.php
-+++ b/config/filesystems.php
-@@ -49,11 +49,11 @@ return [
-             'permissions' => [
-                 'file' => [
-                     'public' => 0644,
--                    'private' => 0600,
-+                    'private' => 0640,
-                 ],
-                 'dir' => [
-                     'public' => 0755,
--                    'private' => 0700,
-+                    'private' => 0750,
-                 ],
-             ],
-         ],