bypass native flake input for Nixpkgs (#374)

@Niols the sheer amount of hassle and noise indicates that it may be better to first split out a `flake.nix` just for the tests. And all this clutter doesn't even explain yet *why* we thought it needs to be there. closes #279. Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Reviewed-on: Fediversity/Fediversity#374 Reviewed-by: kiara Grouwstra <kiara@procolix.eu> Co-authored-by: Valentin Gagarin <valentin.gagarin@tweag.io> Co-committed-by: Valentin Gagarin <valentin.gagarin@tweag.io>
2025-06-12 13:05:11 +02:00 · 2025-06-12 13:05:11 +02:00 · 1b832c1f5b
commit 1b832c1f5b
parent 69b2e535fe
7 changed files with 106 additions and 99 deletions
--- a/deployment/check/basic/nixosTest.nix
+++ b/deployment/check/basic/nixosTest.nix
@ -10,6 +10,12 @@
        inputs.nixops4.packages.${pkgs.system}.default
      ];

+      # FIXME: sad times
+      system.extraDependencies = with pkgs; [
+        jq
+        jq.inputDerivation
+      ];
+
      system.extraDependenciesFromModule =
        { pkgs, ... }:
        {
--- a/deployment/check/common/deployerNode.nix
+++ b/deployment/check/common/deployerNode.nix
@ -14,6 +14,8 @@ let
    types
    ;

+  sources = import ../../../npins;
+
 in
 {
  imports = [ ./sharedOptions.nix ];
@ -57,6 +59,8 @@ in
        "${inputs.nixops4-nixos}"
        "${inputs.nixpkgs}"

+        "${sources.flake-inputs}"
+
        pkgs.stdenv
        pkgs.stdenvNoCC
      ]
--- a/flake.lock
+++ b/flake.lock
@ -596,22 +596,6 @@
        "type": "github"
      }
    },
-    "nixpkgs_4": {
-      "locked": {
-        "lastModified": 1740463929,
-        "narHash": "sha256-4Xhu/3aUdCKeLfdteEHMegx5ooKQvwPHNkOgNCXQrvc=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "5d7db4668d7a0c6cc5fc8cf6ef33b008b2b1ed8b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-24.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "parts": {
      "inputs": {
        "nixpkgs-lib": [
@ -686,8 +670,7 @@
          "nixops4-nixos",
          "nixops4"
        ],
-        "nixops4-nixos": "nixops4-nixos",
-        "nixpkgs": "nixpkgs_4"
+        "nixops4-nixos": "nixops4-nixos"
      }
    },
    "rust-overlay": {
--- a/flake.nix
+++ b/flake.nix
@ -1,6 +1,5 @@
 {
  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11"; # consumed by flake-parts
    flake-parts.url = "github:hercules-ci/flake-parts";
    git-hooks.url = "github:cachix/git-hooks.nix";
    nixops4.follows = "nixops4-nixos/nixops4";
@ -8,12 +7,34 @@
  };

  outputs =
-    inputs@{ flake-parts, ... }:
+    inputs@{ self, flake-parts, ... }:
    let
      sources = import ./npins;
+      inherit (import sources.flake-inputs) import-flake;
      inherit (sources) git-hooks agenix;
+      # XXX(@fricklerhandwerk): this atrocity is required to splice in a foreign Nixpkgs via flake-parts
+      # XXX - this is just importing a flake
+      nixpkgs = import-flake { src = sources.nixpkgs; };
+      # XXX - this overrides the inputs attached to `self`
+      inputs' = self.inputs // {
+        nixpkgs = nixpkgs;
+      };
+      self' = self // {
+        inputs = inputs';
+      };
    in
-    flake-parts.lib.mkFlake { inherit inputs; } {
+    # XXX - finally we override the overall set of `inputs` -- we need both:
+    #       `flake-parts obtains `nixpkgs` from `self.inputs` and not from `inputs`.
+    flake-parts.lib.mkFlake
+      {
+        inputs = inputs // {
+          inherit nixpkgs;
+        };
+        self = self';
+      }
+      (
+        { inputs, ... }:
+        {
          systems = [
            "x86_64-linux"
            "aarch64-linux"
@ -68,5 +89,6 @@
                ];
              };
            };
-    };
+        }
+      );
 }
--- a/npins/sources.json
+++ b/npins/sources.json
@ -25,6 +25,22 @@
      "url": null,
      "hash": "1w2gsy6qwxa5abkv8clb435237iifndcxq0s79wihqw11a5yb938"
    },
+    "flake-inputs": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "GitHub",
+        "owner": "fricklerhandwerk",
+        "repo": "flake-inputs"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "release_prefix": null,
+      "submodules": false,
+      "version": "4.1",
+      "revision": "ad02792f7543754569fe2fd3d5787ee00ef40be2",
+      "url": "https://api.github.com/repos/fricklerhandwerk/flake-inputs/tarball/4.1",
+      "hash": "1j57avx2mqjnhrsgq3xl7ih8v7bdhz1kj3min6364f486ys048bm"
+    },
    "flake-parts": {
      "type": "Git",
      "repository": {
--- a/services/fediversity/pixelfed/default.nix
+++ b/services/fediversity/pixelfed/default.nix
@ -56,12 +56,6 @@ in
    )

    (mkIf config.fediversity.pixelfed.enable {
-      ## NOTE: Pixelfed as packaged in nixpkgs has a permission issue that prevents Nginx
-      ## from being able to serving the images. We fix it here, but this should be
-      ## upstreamed. See https://github.com/NixOS/nixpkgs/issues/235147
-      services.pixelfed.package = pkgs.pixelfed.overrideAttrs (old: {
-        patches = (old.patches or [ ]) ++ [ ./group-permissions.patch ];
-      });
      users.users.nginx.extraGroups = [ "pixelfed" ];

      services.pixelfed = {
--- a/services/fediversity/pixelfed/group-permissions.patch
+++ b/services/fediversity/pixelfed/group-permissions.patch
@ -1,18 +0,0 @@
-diff --git a/config/filesystems.php b/config/filesystems.php
-index 00254e93..fc1a58f3 100644
--- a/config/filesystems.php
-+++ b/config/filesystems.php
-@@ -49,11 +49,11 @@ return [
-             'permissions' => [
-                 'file' => [
-                     'public' => 0644,
-                    'private' => 0600,
-+                    'private' => 0640,
-                 ],
-                 'dir' => [
-                     'public' => 0755,
-                    'private' => 0700,
-+                    'private' => 0750,
-                 ],
-             ],
-         ],