forked from Deuxfleurs/nixcfg
Compare commits
5 commits
f55891ba21
...
09c3d618e6
Author | SHA1 | Date | |
---|---|---|---|
09c3d618e6 | |||
ebfdc6d1a3 | |||
3e0df95fe9 | |||
602c003e1e | |||
e746768de1 |
11 changed files with 116 additions and 6238 deletions
|
@ -36,21 +36,17 @@ used by CryptPad, which can result to large Docker image (~2.6GiB)
|
|||
This behaviour is configurable by passing the `--arg withOnlyOffice false` flag to `nix-build` when building them.
|
||||
|
||||
## Updating the Deuxfleurs pinned nixpkgs
|
||||
The pinned sources files are generated with the [niv](https://github.com/nmattia/niv) tool.
|
||||
The pinned sources files are generated with the [npins](https://github.com/andir/npins) tool.
|
||||
|
||||
To update the pinned nixpkgs, you simply run the following command:
|
||||
|
||||
```shell
|
||||
niv update
|
||||
npins update
|
||||
```
|
||||
|
||||
To modify the pinned nixpkgs, you can use the `niv modify` command, for example, to move to nixpkgs-unstable:
|
||||
To modify the pinned nixpkgs, remove it and re-add it using the new target, for exemple for `nixos-unstable`:
|
||||
|
||||
```shell
|
||||
niv modify nixpkgs -b nixos-unstable
|
||||
npins remove nixpkgs
|
||||
npins add --name nixpkgs channel nixos-unstable
|
||||
```
|
||||
|
||||
## Quirks
|
||||
|
||||
- The CryptPad `package-lock.json` is included here because the upstream-provided one appeared to be desync'ed, so a
|
||||
manual lockfile generation was needed
|
||||
|
|
|
@ -30,8 +30,8 @@
|
|||
hash = "sha256-BZdExj2q/bqUD3k9uluOot2dlrWKA+vpad49EdgXKww=";
|
||||
};
|
||||
v7 = {
|
||||
rev = "9d8b914a81f0f9e5d0bc3f0fc631adf4b6d480e7";
|
||||
hash = "sha256-M+rPJ/Xo2olhqB5ViynGRaesMLLfG/1ltUoLnepMPnM=";
|
||||
rev = "ba82142ff242ce385804bcb4287126de52d329f3";
|
||||
hash = "sha256-3WX3dTWJoeApon1AH3XplBIvEosVNzchkjgi2C808B4=";
|
||||
};
|
||||
};
|
||||
mkOnlyOffice = {
|
||||
|
@ -61,16 +61,16 @@
|
|||
});
|
||||
in buildNpmPackage rec {
|
||||
pname = "cryptpad";
|
||||
version = "2024.3.0";
|
||||
version = "2024.3.1";
|
||||
|
||||
src = fetchFromGitHub {
|
||||
owner = "cryptpad";
|
||||
repo = "cryptpad";
|
||||
rev = version;
|
||||
hash = "sha256-VUW6KvoSatk1/hlzklMQYlSNVH/tdbH+yU4ONUQ0JSQ=";
|
||||
hash = "sha256-kXghuktaKicFOz98Siy/OjJ9rlgy6C2BTKkD2OFLE+k=";
|
||||
};
|
||||
|
||||
npmDepsHash = "sha256-tvTkoxxioPuNoe8KIuXSP7QQbvcpxMnygsMmzKBQIY0=";
|
||||
npmDepsHash = "sha256-fjImdtv0bwgdDvl/BXV0DesreOAW2u8HsNqJ13hrJMw=";
|
||||
|
||||
inherit nodejs;
|
||||
|
||||
|
@ -81,10 +81,6 @@ in buildNpmPackage rec {
|
|||
makeCacheWritable = true;
|
||||
dontFixup = true;
|
||||
|
||||
postPatch = ''
|
||||
cp -T ${./package-lock.json} package-lock.json
|
||||
'';
|
||||
|
||||
preBuild = ''
|
||||
npm run install:components
|
||||
'' + lib.optionalString withOnlyOffice ''
|
||||
|
@ -112,7 +108,11 @@ in buildNpmPackage rec {
|
|||
'';
|
||||
|
||||
meta = {
|
||||
description = "Collaborative office suite, end-to-end encrypted and open-source.";
|
||||
homepage = "https://cryptpad.org";
|
||||
changelog = "https://github.com/cryptpad/cryptpad/releases/tag/${version}";
|
||||
license = lib.licenses.agpl3Plus;
|
||||
platforms = lib.platforms.all;
|
||||
mainProgram = "cryptpad-server";
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ name ? "deuxfleurs/cryptpad"
|
||||
, tag ? "nix-latest"
|
||||
}: let
|
||||
sources = import ./nix/sources.nix;
|
||||
sources = import ./npins;
|
||||
pkgs = import sources.nixpkgs {};
|
||||
in rec {
|
||||
cryptpad = pkgs.callPackage ./default.nix {};
|
||||
|
|
|
@ -1,14 +0,0 @@
|
|||
{
|
||||
"nixpkgs": {
|
||||
"branch": "nixos-23.11",
|
||||
"description": "Nix Packages collection",
|
||||
"homepage": null,
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "53a2c32bc66f5ae41a28d7a9a49d321172af621e",
|
||||
"sha256": "0yqbwqbripb1bbhlwjfbqmg9qb0lai2fc0k1vfh674d6rrc8igwv",
|
||||
"type": "tarball",
|
||||
"url": "https://github.com/NixOS/nixpkgs/archive/53a2c32bc66f5ae41a28d7a9a49d321172af621e.tar.gz",
|
||||
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
|
||||
}
|
||||
}
|
|
@ -1,198 +0,0 @@
|
|||
# This file has been generated by Niv.
|
||||
|
||||
let
|
||||
|
||||
#
|
||||
# The fetchers. fetch_<type> fetches specs of type <type>.
|
||||
#
|
||||
|
||||
fetch_file = pkgs: name: spec:
|
||||
let
|
||||
name' = sanitizeName name + "-src";
|
||||
in
|
||||
if spec.builtin or true then
|
||||
builtins_fetchurl { inherit (spec) url sha256; name = name'; }
|
||||
else
|
||||
pkgs.fetchurl { inherit (spec) url sha256; name = name'; };
|
||||
|
||||
fetch_tarball = pkgs: name: spec:
|
||||
let
|
||||
name' = sanitizeName name + "-src";
|
||||
in
|
||||
if spec.builtin or true then
|
||||
builtins_fetchTarball { name = name'; inherit (spec) url sha256; }
|
||||
else
|
||||
pkgs.fetchzip { name = name'; inherit (spec) url sha256; };
|
||||
|
||||
fetch_git = name: spec:
|
||||
let
|
||||
ref =
|
||||
spec.ref or (
|
||||
if spec ? branch then "refs/heads/${spec.branch}" else
|
||||
if spec ? tag then "refs/tags/${spec.tag}" else
|
||||
abort "In git source '${name}': Please specify `ref`, `tag` or `branch`!"
|
||||
);
|
||||
submodules = spec.submodules or false;
|
||||
submoduleArg =
|
||||
let
|
||||
nixSupportsSubmodules = builtins.compareVersions builtins.nixVersion "2.4" >= 0;
|
||||
emptyArgWithWarning =
|
||||
if submodules
|
||||
then
|
||||
builtins.trace
|
||||
(
|
||||
"The niv input \"${name}\" uses submodules "
|
||||
+ "but your nix's (${builtins.nixVersion}) builtins.fetchGit "
|
||||
+ "does not support them"
|
||||
)
|
||||
{ }
|
||||
else { };
|
||||
in
|
||||
if nixSupportsSubmodules
|
||||
then { inherit submodules; }
|
||||
else emptyArgWithWarning;
|
||||
in
|
||||
builtins.fetchGit
|
||||
({ url = spec.repo; inherit (spec) rev; inherit ref; } // submoduleArg);
|
||||
|
||||
fetch_local = spec: spec.path;
|
||||
|
||||
fetch_builtin-tarball = name: throw
|
||||
''[${name}] The niv type "builtin-tarball" is deprecated. You should instead use `builtin = true`.
|
||||
$ niv modify ${name} -a type=tarball -a builtin=true'';
|
||||
|
||||
fetch_builtin-url = name: throw
|
||||
''[${name}] The niv type "builtin-url" will soon be deprecated. You should instead use `builtin = true`.
|
||||
$ niv modify ${name} -a type=file -a builtin=true'';
|
||||
|
||||
#
|
||||
# Various helpers
|
||||
#
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/pull/83241/files#diff-c6f540a4f3bfa4b0e8b6bafd4cd54e8bR695
|
||||
sanitizeName = name:
|
||||
(
|
||||
concatMapStrings (s: if builtins.isList s then "-" else s)
|
||||
(
|
||||
builtins.split "[^[:alnum:]+._?=-]+"
|
||||
((x: builtins.elemAt (builtins.match "\\.*(.*)" x) 0) name)
|
||||
)
|
||||
);
|
||||
|
||||
# The set of packages used when specs are fetched using non-builtins.
|
||||
mkPkgs = sources: system:
|
||||
let
|
||||
sourcesNixpkgs =
|
||||
import (builtins_fetchTarball { inherit (sources.nixpkgs) url sha256; }) { inherit system; };
|
||||
hasNixpkgsPath = builtins.any (x: x.prefix == "nixpkgs") builtins.nixPath;
|
||||
hasThisAsNixpkgsPath = <nixpkgs> == ./.;
|
||||
in
|
||||
if builtins.hasAttr "nixpkgs" sources
|
||||
then sourcesNixpkgs
|
||||
else if hasNixpkgsPath && ! hasThisAsNixpkgsPath then
|
||||
import <nixpkgs> { }
|
||||
else
|
||||
abort
|
||||
''
|
||||
Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
|
||||
add a package called "nixpkgs" to your sources.json.
|
||||
'';
|
||||
|
||||
# The actual fetching function.
|
||||
fetch = pkgs: name: spec:
|
||||
|
||||
if ! builtins.hasAttr "type" spec then
|
||||
abort "ERROR: niv spec ${name} does not have a 'type' attribute"
|
||||
else if spec.type == "file" then fetch_file pkgs name spec
|
||||
else if spec.type == "tarball" then fetch_tarball pkgs name spec
|
||||
else if spec.type == "git" then fetch_git name spec
|
||||
else if spec.type == "local" then fetch_local spec
|
||||
else if spec.type == "builtin-tarball" then fetch_builtin-tarball name
|
||||
else if spec.type == "builtin-url" then fetch_builtin-url name
|
||||
else
|
||||
abort "ERROR: niv spec ${name} has unknown type ${builtins.toJSON spec.type}";
|
||||
|
||||
# If the environment variable NIV_OVERRIDE_${name} is set, then use
|
||||
# the path directly as opposed to the fetched source.
|
||||
replace = name: drv:
|
||||
let
|
||||
saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
|
||||
ersatz = builtins.getEnv "NIV_OVERRIDE_${saneName}";
|
||||
in
|
||||
if ersatz == "" then drv else
|
||||
# this turns the string into an actual Nix path (for both absolute and
|
||||
# relative paths)
|
||||
if builtins.substring 0 1 ersatz == "/" then /. + ersatz else /. + builtins.getEnv "PWD" + "/${ersatz}";
|
||||
|
||||
# Ports of functions for older nix versions
|
||||
|
||||
# a Nix version of mapAttrs if the built-in doesn't exist
|
||||
mapAttrs = builtins.mapAttrs or (
|
||||
f: set: with builtins;
|
||||
listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set))
|
||||
);
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
|
||||
range = first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
|
||||
stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
|
||||
stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
|
||||
concatMapStrings = f: list: concatStrings (map f list);
|
||||
concatStrings = builtins.concatStringsSep "";
|
||||
|
||||
# https://github.com/NixOS/nixpkgs/blob/8a9f58a375c401b96da862d969f66429def1d118/lib/attrsets.nix#L331
|
||||
optionalAttrs = cond: as: if cond then as else { };
|
||||
|
||||
# fetchTarball version that is compatible between all the versions of Nix
|
||||
builtins_fetchTarball = { url, name ? null, sha256 }@attrs:
|
||||
let
|
||||
inherit (builtins) lessThan nixVersion fetchTarball;
|
||||
in
|
||||
if lessThan nixVersion "1.12" then
|
||||
fetchTarball ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
|
||||
else
|
||||
fetchTarball attrs;
|
||||
|
||||
# fetchurl version that is compatible between all the versions of Nix
|
||||
builtins_fetchurl = { url, name ? null, sha256 }@attrs:
|
||||
let
|
||||
inherit (builtins) lessThan nixVersion fetchurl;
|
||||
in
|
||||
if lessThan nixVersion "1.12" then
|
||||
fetchurl ({ inherit url; } // (optionalAttrs (name != null) { inherit name; }))
|
||||
else
|
||||
fetchurl attrs;
|
||||
|
||||
# Create the final "sources" from the config
|
||||
mkSources = config:
|
||||
mapAttrs
|
||||
(
|
||||
name: spec:
|
||||
if builtins.hasAttr "outPath" spec
|
||||
then
|
||||
abort
|
||||
"The values in sources.json should not have an 'outPath' attribute"
|
||||
else
|
||||
spec // { outPath = replace name (fetch config.pkgs name spec); }
|
||||
)
|
||||
config.sources;
|
||||
|
||||
# The "config" used by the fetchers
|
||||
mkConfig =
|
||||
{ sourcesFile ? if builtins.pathExists ./sources.json then ./sources.json else null
|
||||
, sources ? if sourcesFile == null then { } else builtins.fromJSON (builtins.readFile sourcesFile)
|
||||
, system ? builtins.currentSystem
|
||||
, pkgs ? mkPkgs sources system
|
||||
}: {
|
||||
# The sources, i.e. the attribute set of spec name to spec
|
||||
inherit sources;
|
||||
|
||||
# The "pkgs" (evaluated nixpkgs) to use for e.g. non-builtin fetchers
|
||||
inherit pkgs;
|
||||
};
|
||||
|
||||
in
|
||||
mkSources (mkConfig { }) // { __functor = _: settings: mkSources (mkConfig settings); }
|
80
cluster/prod/app/cryptpad/build/npins/default.nix
Normal file
80
cluster/prod/app/cryptpad/build/npins/default.nix
Normal file
|
@ -0,0 +1,80 @@
|
|||
# Generated by npins. Do not modify; will be overwritten regularly
|
||||
let
|
||||
data = builtins.fromJSON (builtins.readFile ./sources.json);
|
||||
version = data.version;
|
||||
|
||||
mkSource =
|
||||
spec:
|
||||
assert spec ? type;
|
||||
let
|
||||
path =
|
||||
if spec.type == "Git" then
|
||||
mkGitSource spec
|
||||
else if spec.type == "GitRelease" then
|
||||
mkGitSource spec
|
||||
else if spec.type == "PyPi" then
|
||||
mkPyPiSource spec
|
||||
else if spec.type == "Channel" then
|
||||
mkChannelSource spec
|
||||
else
|
||||
builtins.throw "Unknown source type ${spec.type}";
|
||||
in
|
||||
spec // { outPath = path; };
|
||||
|
||||
mkGitSource =
|
||||
{
|
||||
repository,
|
||||
revision,
|
||||
url ? null,
|
||||
hash,
|
||||
branch ? null,
|
||||
...
|
||||
}:
|
||||
assert repository ? type;
|
||||
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
|
||||
# In the latter case, there we will always be an url to the tarball
|
||||
if url != null then
|
||||
(builtins.fetchTarball {
|
||||
inherit url;
|
||||
sha256 = hash; # FIXME: check nix version & use SRI hashes
|
||||
})
|
||||
else
|
||||
assert repository.type == "Git";
|
||||
let
|
||||
urlToName =
|
||||
url: rev:
|
||||
let
|
||||
matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
|
||||
|
||||
short = builtins.substring 0 7 rev;
|
||||
|
||||
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
|
||||
in
|
||||
"${if matched == null then "source" else builtins.head matched}${appendShort}";
|
||||
name = urlToName repository.url revision;
|
||||
in
|
||||
builtins.fetchGit {
|
||||
url = repository.url;
|
||||
rev = revision;
|
||||
inherit name;
|
||||
# hash = hash;
|
||||
};
|
||||
|
||||
mkPyPiSource =
|
||||
{ url, hash, ... }:
|
||||
builtins.fetchurl {
|
||||
inherit url;
|
||||
sha256 = hash;
|
||||
};
|
||||
|
||||
mkChannelSource =
|
||||
{ url, hash, ... }:
|
||||
builtins.fetchTarball {
|
||||
inherit url;
|
||||
sha256 = hash;
|
||||
};
|
||||
in
|
||||
if version == 3 then
|
||||
builtins.mapAttrs (_: mkSource) data.pins
|
||||
else
|
||||
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
|
11
cluster/prod/app/cryptpad/build/npins/sources.json
Normal file
11
cluster/prod/app/cryptpad/build/npins/sources.json
Normal file
|
@ -0,0 +1,11 @@
|
|||
{
|
||||
"pins": {
|
||||
"nixpkgs": {
|
||||
"type": "Channel",
|
||||
"name": "nixos-23.11",
|
||||
"url": "https://releases.nixos.org/nixos/23.11/nixos-23.11.7237.46397778ef1f/nixexprs.tar.xz",
|
||||
"hash": "00cy8q07diavxb91g7pxl0gqc68s3hzimsggjc9rqyf99h1q9d3r"
|
||||
}
|
||||
},
|
||||
"version": 3
|
||||
}
|
6000
cluster/prod/app/cryptpad/build/package-lock.json
generated
6000
cluster/prod/app/cryptpad/build/package-lock.json
generated
File diff suppressed because it is too large
Load diff
|
@ -26,7 +26,7 @@ job "garage" {
|
|||
task "server" {
|
||||
driver = "docker"
|
||||
config {
|
||||
image = "dxflrs/garage:v1.0.0-rc1"
|
||||
image = "superboum/garage:v1.0.0-rc1-hotfix-red-ftr-wquorum"
|
||||
command = "/garage"
|
||||
args = [ "server" ]
|
||||
network_mode = "host"
|
||||
|
|
|
@ -222,11 +222,14 @@ EOF
|
|||
]
|
||||
}
|
||||
|
||||
env {
|
||||
# Our container can autodetect the public IP with the ifconfig.me service
|
||||
# However we would like to avoid relying on a 3rd party service for production use
|
||||
# That's why I am setting the public IP address statically here VVVV
|
||||
JITSI_NAT_PUBLIC_IP = "${meta.public_ipv4}"
|
||||
template {
|
||||
data = <<EOH
|
||||
{{ with $a := env "attr.unique.hostname" | printf "diplonat/autodiscovery/ipv4/%s" | key | parseJSON }}
|
||||
JITSI_NAT_PUBLIC_IP = {{ $a.address }}
|
||||
{{ end }}
|
||||
EOH
|
||||
destination = "secrets/jitsi-videobridge.env"
|
||||
env = true
|
||||
}
|
||||
|
||||
template {
|
||||
|
|
|
@ -4,5 +4,5 @@
|
|||
deuxfleurs.siteName = "neptune";
|
||||
deuxfleurs.staticIPv4.defaultGateway = "192.168.1.254";
|
||||
deuxfleurs.cnameTarget = "neptune.site.deuxfleurs.fr.";
|
||||
deuxfleurs.publicIPv4 = "77.207.15.215";
|
||||
deuxfleurs.publicIPv4 = "82.67.87.112";
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue