185 lines
4.5 KiB
Nix
185 lines
4.5 KiB
Nix
# SPDX-FileCopyrightText: 2024 Maurice Debray <maurice.debray@dgnum.eu>
|
|
# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
|
|
#
|
|
# SPDX-License-Identifier: EUPL-1.2
|
|
|
|
{
|
|
sources ? import ./npins,
|
|
pkgs ? import sources.nixpkgs { },
|
|
}:
|
|
|
|
let
|
|
inherit (pkgs.lib)
|
|
isFunction
|
|
mapAttrs
|
|
mapAttrs'
|
|
nameValuePair
|
|
removeSuffix
|
|
;
|
|
|
|
nix-reuse = import sources.nix-reuse { inherit pkgs; };
|
|
|
|
git-checks = (import sources.git-hooks).run {
|
|
src = ./.;
|
|
|
|
hooks = {
|
|
statix = {
|
|
enable = true;
|
|
stages = [ "pre-push" ];
|
|
settings.ignore = [
|
|
"**/lon.nix"
|
|
"**/npins"
|
|
];
|
|
};
|
|
|
|
deadnix = {
|
|
enable = true;
|
|
stages = [ "pre-push" ];
|
|
};
|
|
|
|
nixfmt-rfc-style = {
|
|
enable = true;
|
|
stages = [ "pre-push" ];
|
|
package = pkgs.nixfmt-rfc-style;
|
|
};
|
|
|
|
reuse = nix-reuse.hook {
|
|
enable = true;
|
|
stages = [ "pre-push" ];
|
|
};
|
|
|
|
commitizen.enable = true;
|
|
};
|
|
};
|
|
|
|
reuse = nix-reuse.install {
|
|
defaultLicense = "EUPL-1.2";
|
|
defaultCopyright = "La Délégation Générale Numérique <contact@dgnum.eu>";
|
|
|
|
downloadLicenses = true;
|
|
generatedPaths = [
|
|
"**/.envrc"
|
|
"**/Cargo.lock"
|
|
"**/_hardware-configuration.nix"
|
|
".gitignore"
|
|
"REUSE.toml"
|
|
"shell.nix"
|
|
];
|
|
|
|
annotations = [
|
|
# Auto-generated workflow files using nix-actions
|
|
{ path = [ ".forgejo/workflows/*" ]; }
|
|
|
|
# Secrets
|
|
{
|
|
path = [
|
|
"machines/**/secrets/*"
|
|
"modules/nixos/dgn-backups/keys/*"
|
|
"modules/nixos/dgn-netbox-agent/secrets/netbox-agent"
|
|
"modules/nixos/dgn-notify/mail"
|
|
"modules/nixos/dgn-records/__arkheon-token_file"
|
|
];
|
|
license = "CC-BY-NC-ND-4.0";
|
|
}
|
|
|
|
# Patches
|
|
{
|
|
path = [
|
|
"machines/nixos/compute01/librenms/kanidm.patch"
|
|
"machines/nixos/compute01/stirling-pdf/*.patch"
|
|
"machines/nixos/vault01/k-radius/packages/01-python_path.patch"
|
|
"machines/nixos/web01/crabfit/*.patch"
|
|
"machines/nixos/web02/cas-eleves/01-pytest-cas.patch"
|
|
"patches/lix/01-disable-installChecks.patch"
|
|
"patches/nixpkgs/03-crabfit-karla.patch"
|
|
"patches/nixpkgs/04-crabfit-karla.patch"
|
|
"patches/nixpkgs/05-netbird-relay.patch"
|
|
];
|
|
copyright = "2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>";
|
|
}
|
|
{
|
|
path = [ "patches/nixpkgs/06-netbox-qrcode.patch" ];
|
|
copyright = "2024 Maurice Debray <maurice.debray@dgnum.eu>";
|
|
}
|
|
|
|
# colmena wrapper
|
|
{
|
|
path = "lib/colmena/*";
|
|
license = "MIT";
|
|
}
|
|
|
|
# npins generated files
|
|
{
|
|
path = "**/npins/*";
|
|
license = "EUPL-1.2";
|
|
copyright = "The [npins](https://github.com/andir/npins) contributors";
|
|
}
|
|
];
|
|
};
|
|
|
|
workflows = (import sources.nix-actions { inherit pkgs; }).install {
|
|
src = ./.;
|
|
|
|
workflows = mapAttrs' (
|
|
name: _:
|
|
nameValuePair (removeSuffix ".nix" name) (
|
|
let
|
|
w = import ./workflows/${name};
|
|
in
|
|
if isFunction w then w { inherit (pkgs) lib; } else w
|
|
)
|
|
) (builtins.readDir ./workflows);
|
|
};
|
|
|
|
scripts = import ./scripts { inherit pkgs sources; };
|
|
in
|
|
|
|
{
|
|
nodes = builtins.mapAttrs (
|
|
host: { site, ... }: "${host}.${site}.infra.dgnum.eu"
|
|
) (import ./meta/nodes.nix);
|
|
|
|
dns = import ./meta/dns.nix;
|
|
|
|
mkCacheSettings = import ./machines/nixos/storage01/tvix-cache/cache-settings.nix;
|
|
|
|
devShell = pkgs.mkShell {
|
|
name = "dgnum-infra";
|
|
|
|
packages = [
|
|
(pkgs.nixos-generators.overrideAttrs (_: {
|
|
version = "1.8.0-unstable";
|
|
src = sources.nixos-generators;
|
|
}))
|
|
pkgs.npins
|
|
|
|
# SSO testing
|
|
pkgs.kanidm
|
|
pkgs.freeradius
|
|
pkgs.picocom # for serial access
|
|
|
|
(pkgs.callPackage ./lib/colmena {
|
|
colmena = pkgs.callPackage "${sources.colmena}/package.nix" { };
|
|
})
|
|
(pkgs.callPackage "${sources.agenix}/pkgs/agenix.nix" { })
|
|
(pkgs.callPackage "${sources.lon}/nix/packages/lon.nix" { })
|
|
] ++ git-checks.enabledPackages ++ (builtins.attrValues scripts);
|
|
|
|
shellHook = ''
|
|
${git-checks.shellHook}
|
|
${workflows.shellHook}
|
|
${reuse.shellHook}
|
|
'';
|
|
|
|
preferLocalBuild = true;
|
|
|
|
###
|
|
# Alternative shells
|
|
|
|
passthru = mapAttrs (name: value: pkgs.mkShell (value // { inherit name; })) {
|
|
pre-commit.shellHook = git-checks.shellHook;
|
|
check-workflows.shellHook = workflows.shellHook;
|
|
eval-nodes.packages = [ scripts.cache-node ];
|
|
};
|
|
};
|
|
}
|