sp-config/flake.nix

{
  description = "SelfPrivacy NixOS configuration flake";

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs";
    nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable";

    selfprivacy-api.url = "git+https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git";
    # make selfprivacy-api use the same shared nixpkgs
    selfprivacy-api.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs =
    {
      self,
      nixpkgs,
      nixos-unstable,
      selfprivacy-api,
    }:
    {
      nixosConfigurations-fun =
        {
          hardware-configuration,
          deployment,
          userdata,
          top-level-flake,
          sp-modules,
        }:
        {
          default = nixpkgs.lib.nixosSystem {
            modules =
              [
                hardware-configuration
                deployment
                ./configuration.nix
                ./auth/auth.nix
                {
                  nixpkgs.overlays = [
                    (_final: prev: {
                      inherit (nixos-unstable.legacyPackages.${prev.system})
                        kanidm
                        kanidm-provision
                        ;
                      selfprivacy_nix_2_26 = nixos-unstable.legacyPackages.${prev.system}.nixVersions.nix_2_26;
                    })
                  ];
                  disabledModules = [ "services/security/kanidm.nix" ];
                  imports = [ ./auth/kanidm.nix ];
                }
                selfprivacy-api.nixosModules.default
                (
                  { pkgs, lib, ... }:
                  {
                    environment.etc =
                      (lib.attrsets.mapAttrs' (name: sp-module: {
                        name = "sp-modules/${name}";
                        value.text = import ./lib/meta.nix { inherit pkgs sp-module; };
                      }) sp-modules)
                      // {
                        suggested-sp-modules.text = builtins.toJSON (builtins.attrNames (builtins.readDir ./sp-modules));
                      };
                  }
                )
                (
                  let
                    deepFilter =
                      ref: attrset:
                      builtins.foldl' (
                        acc: key:
                        if builtins.hasAttr key ref then
                          let
                            value = attrset.${key};
                            refValue = ref.${key};
                          in
                          acc
                          // {
                            ${key} =
                              if builtins.isAttrs value && builtins.isAttrs refValue then deepFilter refValue value else value;
                          }
                        else
                          acc
                      ) { } (builtins.attrNames attrset);
                  in
                  { options, ... }:
                  {
                    # pass userdata (parsed from JSON) options to selfprivacy module
                    selfprivacy = deepFilter options.selfprivacy userdata;

                    # embed top-level flake source folder into the build
                    environment.etc."selfprivacy/nixos-config-source".source = top-level-flake;

                    # for running "nix search nixpkgs", "nix shell nixpkgs#PKG... etc
                    nix.registry.nixpkgs.flake = nixpkgs;

                    # embed commit sha1 for `nixos-version --configuration-revision`
                    system.configurationRevision = self.rev or "@${self.lastModifiedDate}"; # for development
                    # TODO assertion to forbid dirty builds caused by top-level-flake

                    # reset contents of /etc/nixos to match running NixOS generation
                    system.activationScripts.selfprivacy-nixos-config-source = ''
                      rm -rf /etc/nixos/{*,.[!.]*}
                      cp -r --no-preserve=all ${top-level-flake}/ -T /etc/nixos/
                    '';
                  }
                )
              ]
              ++
              # add SP modules, but constrain available config attributes for each
              # (TODO revise evaluation performance of the code below)
              nixpkgs.lib.attrsets.mapAttrsToList (
                name: sp-module:
                args@{ config, pkgs, ... }:
                let
                  lib = nixpkgs.lib;
                  configPathsNeeded =
                    sp-module.configPathsNeeded or (abort "allowed config paths not set for module \"${name}\"");
                  constrainConfigArgs =
                    args'@{ pkgs, ... }:
                    args'
                    // {
                      config =
                        # TODO use lib.attrsets.mergeAttrsList from nixpkgs 23.05
                        (
                          builtins.foldl' lib.attrsets.recursiveUpdate { } (
                            map (p: lib.attrsets.setAttrByPath p (lib.attrsets.getAttrFromPath p config)) configPathsNeeded
                          )
                        );
                    };
                  constrainImportsArgsRecursive = lib.attrsets.mapAttrsRecursive (
                    p: v:
                    # TODO traverse only imports and imports of imports, etc
                    # without traversing all attributes
                    if lib.lists.last p == "imports" then
                      map (
                        m:
                        (
                          args'@{ pkgs, ... }:
                          constrainImportsArgsRecursive (
                            if builtins.isPath m then
                              import m (constrainConfigArgs args')
                            else if builtins.isFunction m then
                              m (constrainConfigArgs args')
                            else
                              m
                          )
                        )
                      ) v
                    else
                      v
                  );
                in
                constrainImportsArgsRecursive (sp-module.nixosModules.default (constrainConfigArgs args))
              ) sp-modules;
          };
        };
      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
    };
}
test 2023-07-15 16:52:46 +04:00			`{`
nixosConfiguration-fun takes a set as an argument This set must contain: - hardware-configuration - userdata (parsed) 2023-11-06 11:40:32 +04:00			`description = "SelfPrivacy NixOS configuration flake";`
test 2023-07-15 16:52:46 +04:00
			`inputs = {`
style: format tree 2025-06-18 19:53:44 +03:00			`nixpkgs.url = "github:nixos/nixpkgs";`
			`nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable";`
get rid of overlay for selfprivacy-graphql-api 2023-11-06 12:18:08 +04:00
style: format tree 2025-06-18 19:53:44 +03:00			`selfprivacy-api.url = "git+https://git.selfprivacy.org/SelfPrivacy/selfprivacy-rest-api.git";`
migrate selfprivacy-api NixOS module to selfprivacy API repository But do not treat it as a SP module. 2023-11-16 06:31:31 +04:00			`# make selfprivacy-api use the same shared nixpkgs`
			`selfprivacy-api.inputs.nixpkgs.follows = "nixpkgs";`
test 2023-07-15 16:52:46 +04:00			`};`

style: format tree 2025-06-18 19:53:44 +03:00			`outputs =`
			`{`
			`self,`
			`nixpkgs,`
			`nixos-unstable,`
			`selfprivacy-api,`
			`}:`
			`{`
			`nixosConfigurations-fun =`
			`{`
			`hardware-configuration,`
			`deployment,`
			`userdata,`
			`top-level-flake,`
			`sp-modules,`
			`}:`
			`{`
			`default = nixpkgs.lib.nixosSystem {`
			`modules =`
			`[`
			`hardware-configuration`
			`deployment`
			`./configuration.nix`
			`./auth/auth.nix`
			`{`
			`nixpkgs.overlays = [`
			`(_final: prev: {`
auth: remove possibility to use kanidm 1.4.6 2025-04-22 17:34:30 +04:00			`inherit (nixos-unstable.legacyPackages.${prev.system})`
			`kanidm`
			`kanidm-provision`
			`;`
fix: switch to nix 2.26 so we can update to 25.05 without issues 2025-06-18 20:00:38 +03:00			`selfprivacy_nix_2_26 = nixos-unstable.legacyPackages.${prev.system}.nixVersions.nix_2_26;`
style: format tree 2025-06-18 19:53:44 +03:00			`})`
			`];`
			`disabledModules = [ "services/security/kanidm.nix" ];`
			`imports = [ ./auth/kanidm.nix ];`
			`}`
			`selfprivacy-api.nixosModules.default`
			`(`
			`{ pkgs, lib, ... }:`
			`{`
			`environment.etc =`
			`(lib.attrsets.mapAttrs' (name: sp-module: {`
			`name = "sp-modules/${name}";`
			`value.text = import ./lib/meta.nix { inherit pkgs sp-module; };`
			`}) sp-modules)`
			`// {`
			`suggested-sp-modules.text = builtins.toJSON (builtins.attrNames (builtins.readDir ./sp-modules));`
			`};`
			`}`
auth: selfprivacy.sso.useKanidm_1_4 2025-04-18 21:06:18 +04:00			`)`
style: format tree 2025-06-18 19:53:44 +03:00			`(`
			`let`
			`deepFilter =`
			`ref: attrset:`
			`builtins.foldl' (`
			`acc: key:`
			`if builtins.hasAttr key ref then`
			`let`
			`value = attrset.${key};`
			`refValue = ref.${key};`
			`in`
			`acc`
			`// {`
			`${key} =`
			`if builtins.isAttrs value && builtins.isAttrs refValue then deepFilter refValue value else value;`
			`}`
			`else`
			`acc`
			`) { } (builtins.attrNames attrset);`
			`in`
			`{ options, ... }:`
			`{`
			`# pass userdata (parsed from JSON) options to selfprivacy module`
			`selfprivacy = deepFilter options.selfprivacy userdata;`
get rid of files.nix; ACME/credentialsFile and other cleanup 2023-12-16 09:39:22 +04:00
style: format tree 2025-06-18 19:53:44 +03:00			`# embed top-level flake source folder into the build`
			`environment.etc."selfprivacy/nixos-config-source".source = top-level-flake;`
get rid of files.nix; ACME/credentialsFile and other cleanup 2023-12-16 09:39:22 +04:00
style: format tree 2025-06-18 19:53:44 +03:00			`# for running "nix search nixpkgs", "nix shell nixpkgs#PKG... etc`
			`nix.registry.nixpkgs.flake = nixpkgs;`
get rid of files.nix; ACME/credentialsFile and other cleanup 2023-12-16 09:39:22 +04:00
style: format tree 2025-06-18 19:53:44 +03:00			# embed commit sha1 for `nixos-version --configuration-revision`
			`system.configurationRevision = self.rev or "@${self.lastModifiedDate}"; # for development`
			`# TODO assertion to forbid dirty builds caused by top-level-flake`
get rid of files.nix; ACME/credentialsFile and other cleanup 2023-12-16 09:39:22 +04:00
style: format tree 2025-06-18 19:53:44 +03:00			`# reset contents of /etc/nixos to match running NixOS generation`
			`system.activationScripts.selfprivacy-nixos-config-source = ''`
			`rm -rf /etc/nixos/{,.[!.]}`
			`cp -r --no-preserve=all ${top-level-flake}/ -T /etc/nixos/`
			`'';`
			`}`
			`)`
			`]`
			`++`
			`# add SP modules, but constrain available config attributes for each`
			`# (TODO revise evaluation performance of the code below)`
			`nixpkgs.lib.attrsets.mapAttrsToList (`
			`name: sp-module:`
			`args@{ config, pkgs, ... }:`
			`let`
			`lib = nixpkgs.lib;`
			`configPathsNeeded =`
			`sp-module.configPathsNeeded or (abort "allowed config paths not set for module \"${name}\"");`
			`constrainConfigArgs =`
			`args'@{ pkgs, ... }:`
			`args'`
			`// {`
			`config =`
			`# TODO use lib.attrsets.mergeAttrsList from nixpkgs 23.05`
			`(`
			`builtins.foldl' lib.attrsets.recursiveUpdate { } (`
			`map (p: lib.attrsets.setAttrByPath p (lib.attrsets.getAttrFromPath p config)) configPathsNeeded`
			`)`
			`);`
			`};`
			`constrainImportsArgsRecursive = lib.attrsets.mapAttrsRecursive (`
			`p: v:`
TODO notes: flake: config contrain algorithm 2023-11-15 20:18:45 +04:00			`# TODO traverse only imports and imports of imports, etc`
			`# without traversing all attributes`
style: format tree 2025-06-18 19:53:44 +03:00			`if lib.lists.last p == "imports" then`
			`map (`
			`m:`
			`(`
			`args'@{ pkgs, ... }:`
			`constrainImportsArgsRecursive (`
			`if builtins.isPath m then`
			`import m (constrainConfigArgs args')`
			`else if builtins.isFunction m then`
			`m (constrainConfigArgs args')`
fix config attributes contrain mechanism for SP modules Now it should work for all nested imports too. `imports` are traversed recursively to redefine each imported module function with altered one, constraining its config attribute (respecting config-paths-needed.json). 2023-11-15 04:15:50 +04:00			`else`
style: format tree 2025-06-18 19:53:44 +03:00			`m`
			`)`
fix config attributes contrain mechanism for SP modules Now it should work for all nested imports too. `imports` are traversed recursively to redefine each imported module function with altered one, constraining its config attribute (respecting config-paths-needed.json). 2023-11-15 04:15:50 +04:00			`)`
style: format tree 2025-06-18 19:53:44 +03:00			`) v`
			`else`
			`v`
			`);`
			`in`
			`constrainImportsArgsRecursive (sp-module.nixosModules.default (constrainConfigArgs args))`
			`) sp-modules;`
			`};`
test 2023-07-15 16:52:46 +04:00			`};`
style: Use RFC formatter 2025-05-02 15:27:17 +03:00			`formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;`
style: format tree 2025-06-18 19:53:44 +03:00			`};`
test 2023-07-15 16:52:46 +04:00			`}`