From 1b832c1f5b4b86c814aa435d04edb328d6b76d6f Mon Sep 17 00:00:00 2001 From: Valentin Gagarin Date: Thu, 12 Jun 2025 13:05:11 +0200 Subject: [PATCH] bypass native flake input for Nixpkgs (#374) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @Niols the sheer amount of hassle and noise indicates that it may be better to first split out a `flake.nix` just for the tests. And all this clutter doesn't even explain yet *why* we thought it needs to be there. closes #279. Co-authored-by: Nicolas “Niols” Jeannerod Reviewed-on: https://git.fediversity.eu/Fediversity/Fediversity/pulls/374 Reviewed-by: kiara Grouwstra Co-authored-by: Valentin Gagarin Co-committed-by: Valentin Gagarin --- deployment/check/basic/nixosTest.nix | 6 + deployment/check/common/deployerNode.nix | 4 + flake.lock | 19 +-- flake.nix | 136 ++++++++++-------- npins/sources.json | 16 +++ services/fediversity/pixelfed/default.nix | 6 - .../pixelfed/group-permissions.patch | 18 --- 7 files changed, 106 insertions(+), 99 deletions(-) delete mode 100644 services/fediversity/pixelfed/group-permissions.patch diff --git a/deployment/check/basic/nixosTest.nix b/deployment/check/basic/nixosTest.nix index 600baefb..fe9bda09 100644 --- a/deployment/check/basic/nixosTest.nix +++ b/deployment/check/basic/nixosTest.nix @@ -10,6 +10,12 @@ inputs.nixops4.packages.${pkgs.system}.default ]; + # FIXME: sad times + system.extraDependencies = with pkgs; [ + jq + jq.inputDerivation + ]; + system.extraDependenciesFromModule = { pkgs, ... }: { diff --git a/deployment/check/common/deployerNode.nix b/deployment/check/common/deployerNode.nix index 36f2897d..7236fc26 100644 --- a/deployment/check/common/deployerNode.nix +++ b/deployment/check/common/deployerNode.nix @@ -14,6 +14,8 @@ let types ; + sources = import ../../../npins; + in { imports = [ ./sharedOptions.nix ]; 
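Review bot: The `# FIXME: sad times` on the added `system.extraDependencies` records no reason for forcing `jq` and `jq.inputDerivation` into the test VM's store closure, so a later maintainer cannot tell when it is safe to drop. Presumably (not visible in this hunk) the NixOS test runs without network and something on the deployer path needs jq present, or even rebuildable, inside the VM; say which consumer that is. Suggested replacement: `# FIXME: pre-seed jq and its build inputs into the VM closure: the test runs offline and <consumer> needs jq at test time; remove once that dependency is gone`, with the consumer named. The module this sits in starts and ends outside the hunk.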
@@ -57,6 +59,8 @@ in "${inputs.nixops4-nixos}" "${inputs.nixpkgs}" + "${sources.flake-inputs}" + pkgs.stdenv pkgs.stdenvNoCC ] diff --git a/flake.lock b/flake.lock index 4eff9508..baf0a2bc 100644 --- a/flake.lock +++ b/flake.lock @@ -596,22 +596,6 @@ "type": "github" } }, - "nixpkgs_4": { - "locked": { - "lastModified": 1740463929, - "narHash": "sha256-4Xhu/3aUdCKeLfdteEHMegx5ooKQvwPHNkOgNCXQrvc=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "5d7db4668d7a0c6cc5fc8cf6ef33b008b2b1ed8b", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-24.11", - "repo": "nixpkgs", - "type": "github" - } - }, "parts": { "inputs": { "nixpkgs-lib": [ @@ -686,8 +670,7 @@ "nixops4-nixos", "nixops4" ], - "nixops4-nixos": "nixops4-nixos", - "nixpkgs": "nixpkgs_4" + "nixops4-nixos": "nixops4-nixos" } }, "rust-overlay": { diff --git a/flake.nix b/flake.nix index 6dd3d3df..e5b6a103 100644 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,5 @@ { inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; # consumed by flake-parts flake-parts.url = "github:hercules-ci/flake-parts"; git-hooks.url = "github:cachix/git-hooks.nix"; nixops4.follows = "nixops4-nixos/nixops4"; 
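Review bot: The list that now gains `"${sources.flake-inputs}"` still also carries `"${inputs.nixpkgs}"`, and after this patch `inputs.nixpkgs` is no longer a flake input but whatever `import-flake { src = sources.nixpkgs; }` returns; whether interpolating that value yields the Nixpkgs source path the deployer VM needs in its offline closure should be confirmed rather than assumed. If it does not, the VM would try to fetch Nixpkgs at deploy time. Consider listing the pin directly, `"${sources.nixpkgs}"`, next to the new `flake-inputs` entry so the closure does not depend on how flake-parts splices `nixpkgs`. The enclosing list and attribute set start and end outside the hunk.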
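Review bot: With `nixpkgs.url` removed, the surviving context comment `# consumed by flake-parts` now sits directly above `flake-parts.url` and reads as if it describes flake-parts; from the hunk's layout it appears to have described the deleted Nixpkgs input, so it is now stale (inferred, since line breaks are collapsed here). Either delete it or replace it with a pointer to the new source of truth, e.g. `# Nixpkgs is deliberately not a flake input: it is pinned in npins/sources.json and spliced in below via import-flake`. The `inputs` attribute set continues past the hunk.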
@@ -8,65 +7,88 @@ }; outputs = - inputs@{ flake-parts, ... }: + inputs@{ self, flake-parts, ... }: let sources = import ./npins; + inherit (import sources.flake-inputs) import-flake; inherit (sources) git-hooks agenix; + # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts + # XXX - this is just importing a flake + nixpkgs = import-flake { src = sources.nixpkgs; }; + # XXX - this overrides the inputs attached to `self` + inputs' = self.inputs // { + nixpkgs = nixpkgs; + }; + self' = self // { + inputs = inputs'; + }; in - flake-parts.lib.mkFlake { inherit inputs; } { - systems = [ - "x86_64-linux" - "aarch64-linux" - "x86_64-darwin" - "aarch64-darwin" - ]; - - imports = [ - (import "${git-hooks}/flake-module.nix") - inputs.nixops4.modules.flake.default - - ./deployment/flake-part.nix - ./infra/flake-part.nix - ]; - - perSystem = - { - pkgs, - lib, - inputs', - ... - }: - { - formatter = pkgs.nixfmt-rfc-style; - - pre-commit.settings.hooks = - let - ## Add a directory here if pre-commit hooks shouldn't apply to it. - optout = [ "npins" ]; - excludes = map (dir: "^${dir}/") optout; - addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; }); - in - addExcludes { - nixfmt-rfc-style.enable = true; - deadnix.enable = true; - trim-trailing-whitespace.enable = true; - shellcheck.enable = true; - }; - - devShells.default = pkgs.mkShell { - packages = [ - pkgs.npins - pkgs.nil - (pkgs.callPackage "${agenix}/pkgs/agenix.nix" { }) - pkgs.openssh - pkgs.httpie - pkgs.jq - # exposing this env var as a hack to pass info in from form - (inputs'.nixops4.packages.default.overrideAttrs { - impureEnvVars = [ "DEPLOYMENT" ]; - }) - ]; - }; + # XXX - finally we override the overall set of `inputs` -- we need both: + # `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`. + flake-parts.lib.mkFlake + { + inputs = inputs // { + inherit nixpkgs; }; - }; + self = self'; + } + ( + { inputs, ... 
}: + { + systems = [ + "x86_64-linux" + "aarch64-linux" + "x86_64-darwin" + "aarch64-darwin" + ]; + + imports = [ + (import "${git-hooks}/flake-module.nix") + inputs.nixops4.modules.flake.default + + ./deployment/flake-part.nix + ./infra/flake-part.nix + ]; + + perSystem = + { + pkgs, + lib, + inputs', + ... + }: + { + formatter = pkgs.nixfmt-rfc-style; + + pre-commit.settings.hooks = + let + ## Add a directory here if pre-commit hooks shouldn't apply to it. + optout = [ "npins" ]; + excludes = map (dir: "^${dir}/") optout; + addExcludes = lib.mapAttrs (_: c: c // { inherit excludes; }); + in + addExcludes { + nixfmt-rfc-style.enable = true; + deadnix.enable = true; + trim-trailing-whitespace.enable = true; + shellcheck.enable = true; + }; + + devShells.default = pkgs.mkShell { + packages = [ + pkgs.npins + pkgs.nil + (pkgs.callPackage "${agenix}/pkgs/agenix.nix" { }) + pkgs.openssh + pkgs.httpie + pkgs.jq + # exposing this env var as a hack to pass info in from form + (inputs'.nixops4.packages.default.overrideAttrs { + impureEnvVars = [ "DEPLOYMENT" ]; + }) + ]; + }; + }; + } + ); } diff --git a/npins/sources.json b/npins/sources.json index 4971590b..657e8a3a 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -25,6 +25,22 @@ "url": null, "hash": "1w2gsy6qwxa5abkv8clb435237iifndcxq0s79wihqw11a5yb938" }, + "flake-inputs": { + "type": "GitRelease", + "repository": { + "type": "GitHub", + "owner": "fricklerhandwerk", + "repo": "flake-inputs" + }, + "pre_releases": false, + "version_upper_bound": null, + "release_prefix": null, + "submodules": false, + "version": "4.1", + "revision": "ad02792f7543754569fe2fd3d5787ee00ef40be2", + "url": "https://api.github.com/repos/fricklerhandwerk/flake-inputs/tarball/4.1", + "hash": "1j57avx2mqjnhrsgq3xl7ih8v7bdhz1kj3min6364f486ys048bm" + }, "flake-parts": { "type": "Git", "repository": { diff --git a/services/fediversity/pixelfed/default.nix b/services/fediversity/pixelfed/default.nix index d6328e3b..9080e6ba 100644 
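Review bot: The let-bound `inputs'` and `self'` reuse the names flake-parts hands to `perSystem` (`inputs'` is destructured a few lines further down and shadows the outer binding), so a reader cannot tell at a glance which `inputs'` is the spliced root input set and which is the per-system view; naming the spliced values something like `splicedInputs`/`splicedSelf` would remove that ambiguity without changing behaviour. The comment `# `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.` has an unbalanced backtick before `flake-parts`. Since Nixpkgs is now pinned by the hash in `npins/sources.json` rather than by `flake.lock`, `nix flake update` and `nix flake metadata` no longer show or move it, which is worth stating next to `nixpkgs = import-flake { src = sources.nixpkgs; };`, e.g. `# Nixpkgs is pinned by hash in npins/sources.json and updated with npins, not `nix flake update`; it is intentionally absent from flake.lock`. Whether `nixops4-nixos` and the other remaining flake inputs still carry their own Nixpkgs, so that a deployment may evaluate two different Nixpkgs trees, is not visible here and should be checked against `flake.lock`.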
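Review bot: The new `flake-inputs` pin is a `GitRelease` with `"version_upper_bound": null`, so a routine `npins update` may move it across major versions of a library that now sits in the evaluation path of every Nixpkgs use in this repository; the tarball `hash` guarantees integrity of what is pinned today, not review of what the next update pulls in. Consider bounding it, e.g. `"version_upper_bound": "5"`, or whatever convention the project uses for release pins, so that upgrades of this dependency are deliberate. The `url` refers to a tag tarball on `api.github.com`; tags are movable, but the content hash is the check that matters and it is present.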
--- a/services/fediversity/pixelfed/default.nix +++ b/services/fediversity/pixelfed/default.nix @@ -56,12 +56,6 @@ in ) (mkIf config.fediversity.pixelfed.enable { - ## NOTE: Pixelfed as packaged in nixpkgs has a permission issue that prevents Nginx - ## from being able to serving the images. We fix it here, but this should be - ## upstreamed. See https://github.com/NixOS/nixpkgs/issues/235147 - services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: { - patches = (old.patches or [ ]) ++ [ ./group-permissions.patch ]; - }); users.users.nginx.extraGroups = [ "pixelfed" ]; services.pixelfed = { diff --git a/services/fediversity/pixelfed/group-permissions.patch b/services/fediversity/pixelfed/group-permissions.patch deleted file mode 100644 index d7dd442d..00000000 --- a/services/fediversity/pixelfed/group-permissions.patch +++ /dev/null @@ -1,18 +0,0 @@ -diff --git a/config/filesystems.php b/config/filesystems.php -index 00254e93..fc1a58f3 100644 ---- a/config/filesystems.php -+++ b/config/filesystems.php -@@ -49,11 +49,11 @@ return [ - 'permissions' => [ - 'file' => [ - 'public' => 0644, -- 'private' => 0600, -+ 'private' => 0640, - ], - 'dir' => [ - 'public' => 0755, -- 'private' => 0700, -+ 'private' => 0750, - ], - ], - ],
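Review bot: The removed lines took with them the only explanation of why `users.users.nginx.extraGroups = [ "pixelfed" ];` exists, and nothing in the new code records why the `group-permissions.patch` override is no longer needed; if the pinned Nixpkgs did not in fact resolve nixpkgs issue #235147, Pixelfed would again create 0600/0700 private files that nginx cannot serve, and the breakage would be silent. Add a comment above the `extraGroups` line, e.g. `# nginx serves Pixelfed's storage directly and must be in the pixelfed group; this relies on the packaged Pixelfed creating group-readable files (nixpkgs#235147), so re-check it after bumping Nixpkgs`. Note that group membership gives nginx read access to everything group-readable under the pixelfed account, not only the public storage, so the private-file modes should stay as tight as the package allows. The `mkIf` block continues outside the hunk.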