Fediversity/flake.nix

{
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
    flake-parts.url = "github:hercules-ci/flake-parts";
    git-hooks.url = "github:cachix/git-hooks.nix";
    agenix.url = "github:ryantm/agenix";

    disko.url = "github:nix-community/disko";

    nixops4.url = "github:nixops4/nixops4";
    nixops4-nixos.url = "github:nixops4/nixops4-nixos";
  };

  outputs =
    inputs@{ flake-parts, ... }:
    flake-parts.lib.mkFlake { inherit inputs; } {
      systems = [
        "x86_64-linux"
        "aarch64-linux"
        "x86_64-darwin"
        "aarch64-darwin"
      ];

      imports = [
        inputs.git-hooks.flakeModule
        inputs.nixops4.modules.flake.default

        ./deployment/flake-part.nix
        ./infra/flake-part.nix
        ./services/flake-part.nix
      ];

      perSystem =
        {
          config,
          pkgs,
          inputs',
          ...
        }:
        {
          formatter = pkgs.nixfmt-rfc-style;

          pre-commit.settings.hooks =
            ## Not everybody might want pre-commit hooks, so we make them
            ## opt-in. Maybe one day we will decide to have them everywhere.
            let
              inherit (builtins) concatStringsSep;
              optin = [
                "deployment"
                "infra"
                "keys"
                "secrets"
                "services"
                "panel"
              ];
              files = "^((" + concatStringsSep "|" optin + ")/.*\\.nix|[^/]*\\.nix)$";
            in
            {
              nixfmt-rfc-style = {
                enable = true;
                inherit files;
              };
              deadnix = {
                enable = true;
                inherit files;
              };
              trim-trailing-whitespace = {
                enable = true;
                inherit files;
              };
            };

          devShells.default = pkgs.mkShell {
            packages = [
              pkgs.nil
              inputs'.agenix.packages.default
              inputs'.nixops4.packages.default
            ];
            shellHook = config.pre-commit.installationScript;
          };
        };
    };
}
Basic flake with pre-commit hooks 2024-11-13 22:41:34 +01:00			`{`
			`inputs = {`
Bump nixpkgs to 24.11 2024-11-26 12:59:21 +01:00			`nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";`
Basic flake with pre-commit hooks 2024-11-13 22:41:34 +01:00			`flake-parts.url = "github:hercules-ci/flake-parts";`
			`git-hooks.url = "github:cachix/git-hooks.nix";`
Add Agenix to the environment 2024-12-11 13:25:31 +01:00			`agenix.url = "github:ryantm/agenix";`
Integrate deployment as a flake part 2024-11-13 22:59:51 +01:00
			`disko.url = "github:nix-community/disko";`

			`nixops4.url = "github:nixops4/nixops4";`
Bump NixOps4 in particular, follow the split of `nixops4-nixos` to its own repository. 2025-01-31 14:11:46 +01:00			`nixops4-nixos.url = "github:nixops4/nixops4-nixos";`
Basic flake with pre-commit hooks 2024-11-13 22:41:34 +01:00			`};`

			`outputs =`
			`inputs@{ flake-parts, ... }:`
			`flake-parts.lib.mkFlake { inherit inputs; } {`
			`systems = [`
			`"x86_64-linux"`
			`"aarch64-linux"`
			`"x86_64-darwin"`
			`"aarch64-darwin"`
			`];`

Integrate services as a flake part 2024-11-14 01:10:00 +01:00			`imports = [`
			`inputs.git-hooks.flakeModule`
Bump NixOps4 in particular, follow the split of `nixops4-nixos` to its own repository. 2025-01-31 14:11:46 +01:00			`inputs.nixops4.modules.flake.default`
Integrate services as a flake part 2024-11-14 01:10:00 +01:00
Integrate deployment as a flake part 2024-11-13 22:59:51 +01:00			`./deployment/flake-part.nix`
Make a NixOps4 deployment for action runners 2024-11-17 01:02:23 +01:00			`./infra/flake-part.nix`
Integrate services as a flake part 2024-11-14 01:10:00 +01:00			`./services/flake-part.nix`
			`];`
Basic flake with pre-commit hooks 2024-11-13 22:41:34 +01:00
			`perSystem =`
Integrate deployment as a flake part 2024-11-13 22:59:51 +01:00			`{`
			`config,`
			`pkgs,`
			`inputs',`
			`...`
			`}:`
Basic flake with pre-commit hooks 2024-11-13 22:41:34 +01:00			`{`
			`formatter = pkgs.nixfmt-rfc-style;`

			`pre-commit.settings.hooks =`
			`## Not everybody might want pre-commit hooks, so we make them`
			`## opt-in. Maybe one day we will decide to have them everywhere.`
			`let`
			`inherit (builtins) concatStringsSep;`
Opt-in to formatting for the `services/` subdirectory 2024-11-14 09:49:49 +01:00			`optin = [`
			`"deployment"`
Format and clean dead code in `infra/` (#12) Reviewed-on: https://git.fediversity.eu/Fediversity/Fediversity/pulls/12 Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Co-committed-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> 2024-11-18 12:09:30 +01:00			`"infra"`
Keys in separate files in own directory 2024-12-12 10:39:49 +01:00			`"keys"`
Set up a first secret 2024-12-11 13:26:38 +01:00			`"secrets"`
Opt-in to formatting for the `services/` subdirectory 2024-11-14 09:49:49 +01:00			`"services"`
scaffold Django web service This setup is greatly inspired by the one used for [0], although with notable modifications, such as: - a SASS preprocessor and CSS compressor - more streamlined NixOS integration tests - cleaned up service configuration - a few notes on how to do things better in the future [0]: https://github.com/Nix-Security-WG/nix-security-tracker/ Apart from cloning the Nix setup, there were additional steps: - Create an empty `src` directory, since the package requires it - In the development shell, run `django-admin startproject panel src` Note that while you can already do ```bash manage migrate manage runserver ``` the NixOS integration tests will fail, since `settings.py` needs careful massaging to expose knobs that can be turned from our systemd wrapper. The required changes are introduced in the next commit to make them observable. Noteworthy related work: - https://github.com/sephii/django.nix Rather mature setup with a clean interface, uses Caddy as reverse proxy. - https://git.dgnum.eu/mdebray/djangonix A work-in-progress attempt to capture more moving parts through the module system, in particular secrets. - https://github.com/DavHau/django-nixos Out of date and somewhat simplistic, but serves as a reasonable example for what can be done I chose the variant I'm intimately familiar with in order to be able to pass on knowledge or help with maintenance. But for the future I strongly recommend picking the good bits from the other implementations that control complexity in static configuration parts through Nix expressions. 2025-02-12 23:51:55 +01:00			`"panel"`
Opt-in to formatting for the `services/` subdirectory 2024-11-14 09:49:49 +01:00			`];`
Basic flake with pre-commit hooks 2024-11-13 22:41:34 +01:00			`files = "^((" + concatStringsSep "\|" optin + ")/.\\.nix\|[^/]\\.nix)$";`
			`in`
			`{`
			`nixfmt-rfc-style = {`
			`enable = true;`
			`inherit files;`
			`};`
			`deadnix = {`
			`enable = true;`
			`inherit files;`
			`};`
Enable trimming of trailing whitespace as a pre-commit hook 2024-11-20 13:07:03 +01:00			`trim-trailing-whitespace = {`
			`enable = true;`
			`inherit files;`
			`};`
Basic flake with pre-commit hooks 2024-11-13 22:41:34 +01:00			`};`

Integrate services as a flake part 2024-11-14 01:10:00 +01:00			`devShells.default = pkgs.mkShell {`
Integrate deployment as a flake part 2024-11-13 22:59:51 +01:00			`packages = [`
			`pkgs.nil`
Add Agenix to the environment 2024-12-11 13:25:31 +01:00			`inputs'.agenix.packages.default`
Integrate deployment as a flake part 2024-11-13 22:59:51 +01:00			`inputs'.nixops4.packages.default`
			`];`
Integrate services as a flake part 2024-11-14 01:10:00 +01:00			`shellHook = config.pre-commit.installationScript;`
			`};`
Basic flake with pre-commit hooks 2024-11-13 22:41:34 +01:00			`};`
			`};`
			`}`