feat(infra): Switch to lix

hive.nix

@@ -66,10 +66,24 @@ in
   };
 
   defaults =
-    { name, nodeMeta, ... }:
+    {
+      pkgs,
+      name,
+      nodeMeta,
+      ...
+    }:
     {
       # Import the default modules
-      imports = [ ./modules ];
+      imports = [
+        ./modules
+        (import "${sources.lix-module}/module.nix" {
+          lix = pkgs.applyPatches {
+            name = "lix-2.90.patched";
+            src = sources.lix;
+            patches = [ ./patches/00-disable-installChecks-lix.patch ];
+          };
+        })
+      ];
 
       # Include default secrets
       age-secrets.sources = [ ./machines/${name}/secrets ];

machines/web01/castopod-head-proxy.nix

@@ -1,33 +0,0 @@
-{ config, lib, ... }:
-let
-  cfg = config.services.castopod;
-  fpm = config.services.phpfpm.pools.castopod;
-in
-{
-  services.nginx = {
-    resolver.addresses = [ "127.0.0.53" ];
-    virtualHosts."${cfg.localDomain}" = {
-
-      locations."@force_get" = {
-        extraConfig = lib.mkForce ''
-          recursive_error_pages on;
-          proxy_method GET;
-          proxy_pass https://podcasts.dgnum.eu/$request_uri;
-        '';
-      };
-
-      locations."~ .php$" = {
-        extraConfig = lib.mkForce ''
-          error_page 550 = @force_get;
-          if ($request_method = HEAD) { return 550; }
-          fastcgi_intercept_errors on;
-          fastcgi_index index.php;
-          fastcgi_pass unix:${fpm.socket};
-          try_files $uri =404;
-          fastcgi_read_timeout 3600;
-          fastcgi_send_timeout 3600;
-        '';
-      };
-    };
-  };
-}

machines/web01/castopod.nix

@@ -8,7 +8,7 @@ in
       enable = true;
       localDomain = host;
       environmentFile = config.age.secrets.castopod-environment_file.path;
-      maxUploadSize = 512;
+      maxUploadSize = "512M";
       settings = {
         "email.fromEmail" = "noreply@infra.dgnum.eu";
         "email.SMTPHost" = "kurisu.lahfa.xyz";

machines/web01/crabfit/default.nix

@@ -1,4 +1,4 @@
-_:
+{ config, ... }:
 
 {
   imports = [ ./packages ];
@@ -8,9 +8,29 @@ _:
 
     api.host = "api.meet.dgnum.eu";
     frontend.host = "meet.dgnum.eu";
-
-    configureNginx = true;
   };
 
   dgn-backups.postgresDatabases = [ "crabfit" ];
+
+  services.nginx =
+    let
+      cfg = config.services.crabfit;
+    in
+    {
+      enable = true;
+
+      virtualHosts.${cfg.frontend.host} = {
+        enableACME = true;
+        forceSSL = true;
+
+        locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.frontend.port}";
+      };
+
+      virtualHosts.${cfg.api.host} = {
+        enableACME = true;
+        forceSSL = true;
+
+        locations."/".proxyPass = "http://127.0.0.1:${builtins.toString cfg.api.port}";
+      };
+    };
 }

meta/README.md

@@ -34,6 +34,21 @@ TODO.
 
 Machines can use different versions of NixOS, the supported and default ones are specified here.
 
+## How to add a new version
+
+- Switch to a new branch `nixos-$VERSION`
+- Run the following command
+
+```bash
+npins add channel nixos-$VERSION
+```
+
+- Edit `meta/nixpkgs.nix` and add `$VERSION` to the supported version.
+- Read the release notes and check for changes.
+- Update the nodes versions
+- Create a PR so that the CI check that it builds
+
+
 # Nodes
 
 The nodes are declared statically, several options can be configured:

meta/nixpkgs.nix

@@ -1,10 +1,11 @@
 {
   # Default version of nixpkgs to use
-  default = "23.11";
+  default = "24.05";
 
   # Supported nixpkgs versions
   supported = [
     "unstable"
     "23.11"
+    "24.05"
   ];
 }

meta/nodes.nix

@@ -27,7 +27,7 @@
     stateVersion = "23.05";
     vm-cluster = "Hyperviseur NPS";
 
-    nix-modules = [ "services/crabfit" ];
+    nixpkgs = "24.05";
   };
 
   compute01 = {
@@ -35,6 +35,7 @@
 
     stateVersion = "23.05";
     nix-modules = [ "services/stirling-pdf" ];
+    nixpkgs = "24.05";
   };
 
   geo01 = {
@@ -42,7 +43,7 @@
     deployment.tags = [ "geo" ];
 
     stateVersion = "24.05";
-    nixpkgs = "unstable";
+    nixpkgs = "24.05";
   };
 
   geo02 = {
@@ -50,12 +51,13 @@
     deployment.tags = [ "geo" ];
 
     stateVersion = "24.05";
-    nixpkgs = "unstable";
+    nixpkgs = "24.05";
   };
 
   storage01 = {
     site = "pav01";
     stateVersion = "23.11";
+    nixpkgs = "24.05";
 
     nix-modules = [ "services/forgejo-nix-runners" ];
   };
@@ -65,7 +67,7 @@
     deployment.targetHost = "vault01.hyp01.infra.dgnum.eu";
 
     stateVersion = "23.11";
-    nixpkgs = "unstable";
+    nixpkgs = "24.05";
 
     adminGroups = [ "fai" ];
   };
@@ -74,7 +76,7 @@
     site = "rat01";
 
     stateVersion = "24.05";
-    nixpkgs = "unstable";
+    nixpkgs = "24.05";
     vm-cluster = "Hyperviseur NPS";
   };
 

npins/sources.json

@@ -100,6 +100,28 @@
       "url": "https://github.com/JulienMalka/Linkal/archive/085630bf369b68d2264baca020efc94c877d78e6.tar.gz",
       "hash": "0m426vjk7mjyp1gd1dsnnn5xkplsqs0ksawbmhza6fycsmavc3cx"
     },
+    "lix": {
+      "type": "Git",
+      "repository": {
+        "type": "Git",
+        "url": "https://git.lix.systems/lix-project/lix.git"
+      },
+      "branch": "main",
+      "revision": "d00edfb28d0a52d9acd392c582a43f98e773cf4c",
+      "url": null,
+      "hash": "0gnvk11kblidk2fpb4fhglc4lwk5acjm4v68rj79z7pjr4sc5r7p"
+    },
+    "lix-module": {
+      "type": "Git",
+      "repository": {
+        "type": "Git",
+        "url": "https://git.lix.systems/lix-project/nixos-module.git"
+      },
+      "branch": "main",
+      "revision": "5d9d94089fb1ca96222a34bfe245ef5c5ebefd37",
+      "url": null,
+      "hash": "02dg1icyxamxblrvgxshadp2s8mx2ryjja7m9w26sgs07jl438zk"
+    },
     "metis": {
       "type": "Git",
       "repository": {
@@ -154,6 +176,12 @@
       "url": "https://releases.nixos.org/nixos/23.11/nixos-23.11.6981.27c13997bf45/nixexprs.tar.xz",
       "hash": "1s4wn0m6bdzxl4rcxzmyy2fdschrdj3nqy6zl85xynaxkb0n1gpj"
     },
+    "nixos-24.05": {
+      "type": "Channel",
+      "name": "nixos-24.05",
+      "url": "https://releases.nixos.org/nixos/24.05/nixos-24.05.1135.9b5328b7f761/nixexprs.tar.xz",
+      "hash": "0k8d0xvygkxzvs5ikcw8j0pnksvzdmxdl03i69mni3nxylszyxvl"
+    },
     "nixos-generators": {
       "type": "Git",
       "repository": {
@@ -226,4 +254,4 @@
     }
   },
   "version": 3
-}
+}

patches/00-disable-installChecks-lix.patch

@@ -0,0 +1,13 @@
+diff --git a/package.nix b/package.nix
+index 43b709023..b68857796 100644
+--- a/package.nix
++++ b/package.nix
+@@ -351,7 +351,7 @@ stdenv.mkDerivation (finalAttrs: {
+       echo "doc internal-api-docs $out/share/doc/nix/internal-api/html" >> "$out/nix-support/hydra-build-products"
+     '';
+ 
+-  doInstallCheck = finalAttrs.doCheck;
++  doInstallCheck = false;
+ 
+   mesonInstallCheckFlags = [
+     "--suite=installcheck"

patches/default.nix

@@ -6,6 +6,21 @@ let
 in
 
 {
+  "nixos-24.05" = [
+    # netbox qrcode plugin
+    {
+      _type = "commit";
+      sha = "ae4bf4c110378ebacb3989c9533726859cfebbfa";
+      hash = "sha256-SgHhW9HCkDQsxT3eG4P9q68c43e3sbDHRY9qs7oSt8o=";
+    }
+
+    netboxAgent
+
+    {
+      id = "275165";
+      hash = "sha256-9a26V3Pi8yLD3N9+mC1kvJoruxRTp/qOHapnt6VX7pw=";
+    }
+  ];
   "nixos-23.11" = [
     # netbox module
     {