diff --git a/.envrc b/.envrc
index 3550a30f..1d953f4b 100644
--- a/.envrc
+++ b/.envrc
@@ -1 +1 @@
-use flake
+use nix
diff --git a/default.nix b/default.nix
new file mode 100644
index 00000000..a40feab8
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,33 @@
+let
+ sources = import ./nix;
+ system = builtins.currentSystem;
+ pkgs = import sources.nixpkgs {
+ inherit system;
+ config = { };
+ overlays = [ ];
+ };
+ nixpkgs = sources.nixpkgs;
+ nixhelm = sources.nixhelm;
+ nixidy = import sources.nixidy { inherit nixpkgs; };
+ kube = pkgs.callPackage "${sources.nix-kube-gen}/lib/default.nix" { inherit pkgs; };
+in
+nixidy.lib.mkEnvs {
+ libOverlay = self: super: {
+ apps = import ./modules/lib.nix { inherit pkgs kube; };
+ };
+ modules = [
+ (
+ { lib, ... }:
+ {
+ nixidy.charts = lib.helm.mkChartAttrs "${nixhelm}/charts";
+ }
+ )
+ ./modules
+ ./apps
+ ./policies
+ ];
+ envs = {
+ prod.modules = [ ./envs/prod.nix ];
+ staging.modules = [ ./envs/staging.nix ];
+ };
+}
diff --git a/flake.lock b/flake.lock
index 181d1c3d..0dc2350e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -325,16 +325,16 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1728908720,
- "narHash": "sha256-0fNVuZdg7vNn47NBcStHzVzWfpSM2cdh7k2kiTcUal8=",
- "owner": "juselius",
+ "lastModified": 1728815994,
+ "narHash": "sha256-uF6HAoDMAX0cZbKH27k/0UpIteQMhyLkP1rYKUfj5ys=",
+ "owner": "arnarg",
 "repo": "nixidy",
- "rev": "21cee93f73c29eff44c37dbc90ba68d217258b9d",
+ "rev": "6e20193c95a0aaca444289d7c69f4eb329d25234",
 "type": "github"
 },
 "original": {
- "owner": "juselius",
- "ref": "special-args",
+ "owner": "arnarg",
+ "ref": "HEAD",
 "repo": "nixidy",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index e205c345..ba16ecfb 100644
--- a/flake.nix
+++ b/flake.nix
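Review bot: The `let` prelude in the new default.nix (`sources = import ./nix;` through `nixidy = import sources.nixidy { inherit nixpkgs; };`) is repeated verbatim in generate.nix and shell.nix in this same commit, so any change to how `pkgs` or `nixidy` is instantiated (an overlay, a `config` entry, a different `system`) has to be made in three places and can silently diverge. Consider moving it into one small file, e.g. `nix/pkgs.nix` (constructed name), that returns `{ sources, pkgs, nixpkgs, nixidy }` and importing that from all three entry points. A header line such as `# npins-based entry point (pins live in nix/sources.json); kept alongside flake.nix` would also record why this file now exists next to the flake.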
@@ -6,7 +6,8 @@
 flake-utils.url = "github:numtide/flake-utils";
 nixidy = {
- url = "github:juselius/nixidy?ref=special-args";
+ url = "github:juselius/nixidy?ref=HEAD";
+ # url = "github:juselius/nixidy?ref=special-args";
 # url = "/home/jonas/src/OceanBox/nixidy";
 # inputs.nixpkgs.follows = "nixpkgs";
 };
diff --git a/generate.nix b/generate.nix
new file mode 100644
index 00000000..63b657b6
--- /dev/null
+++ b/generate.nix
@@ -0,0 +1,44 @@
+let
+ sources = import ./nix;
+ system = builtins.currentSystem;
+ pkgs = import sources.nixpkgs {
+ inherit system;
+ config = { };
+ overlays = [ ];
+ };
+ nixpkgs = sources.nixpkgs;
+ nixidy = import sources.nixidy { inherit nixpkgs; };
+in
+{
+ cilium = nixidy.generators.fromCRD {
+ name = "cilium";
+ src = pkgs.fetchFromGitHub {
+ owner = "cilium";
+ repo = "cilium";
+ rev = "v1.16.0";
+ hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
+ };
+ crds = [
+ "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
+ "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
+ ];
+ };
+ kyverno = nixidy.generators.fromCRD {
+ name = "kyverno";
+ src = pkgs.fetchFromGitHub {
+ owner = "kyverno";
+ repo = "kyverno";
+ rev = "v1.12.6";
+ hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
+ };
+ crds = [
+ "config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
+ "config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
+ "config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
+ "config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
+ "config/crds/kyverno/kyverno.io_policies.yaml"
+ "config/crds/kyverno/kyverno.io_policyexceptions.yaml"
+ "config/crds/kyverno/kyverno.io_updaterequests.yaml"
+ ];
+ };
+}
diff --git a/nix/default.nix b/nix/default.nix
new file mode 100644
index 00000000..5e7d086e
--- /dev/null
+++ b/nix/default.nix
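Review bot: The new `url = "github:juselius/nixidy?ref=HEAD";` disagrees with what flake.lock records for the same input in this commit (`"owner": "arnarg"`, `"ref": "HEAD"`, rev `6e20193c95a0aaca444289d7c69f4eb329d25234`), so the lock no longer describes the input declared here and the next `nix flake update` will resolve nixidy from a different repository than the one currently locked. nix/sources.json meanwhile pins `arnarg/nixidy` at a third revision (`d28f45aea4d7b93928f1ea94f22a03a3f6dc25f6`), so the flake and npins entry points evaluate against different nixidy code. Settle on one upstream (`github:arnarg/nixidy` if the lock is authoritative) and re-lock, and consider pinning sources.json to the same revision; `?ref=HEAD` follows a moving branch, so only the lock file holds the revision. The two commented-out `# url = …` lines are dead configuration and could be dropped instead of accumulating. The enclosing `inputs` attribute set begins and ends outside this hunk.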
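Review bot: Nothing in the new generate.nix says what consumes the `cilium` and `kyverno` attributes or how the generated output is meant to be refreshed, and the pinned `rev = "v1.16.0";` / `rev = "v1.12.6";` carry no comment tying them to the versions of the corresponding charts the cluster deploys, so the CRD-derived types can drift from what actually runs without anyone noticing. A short header would make the maintenance rule explicit, e.g. `# nixidy CRD generators; regenerate (and bump rev/hash) whenever the cilium or kyverno chart version changes` — the exact coupling to chart versions is presumably how this is used, so confirm before wording it that strongly. The pinned `hash` values are good; keep them mandatory rather than falling back to `lib.fakeHash` during bumps.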
@@ -0,0 +1,80 @@
+# Generated by npins. Do not modify; will be overwritten regularly
+let
+ data = builtins.fromJSON (builtins.readFile ./sources.json);
+ version = data.version;
+
+ mkSource =
+ spec:
+ assert spec ? type;
+ let
+ path =
+ if spec.type == "Git" then
+ mkGitSource spec
+ else if spec.type == "GitRelease" then
+ mkGitSource spec
+ else if spec.type == "PyPi" then
+ mkPyPiSource spec
+ else if spec.type == "Channel" then
+ mkChannelSource spec
+ else
+ builtins.throw "Unknown source type ${spec.type}";
+ in
+ spec // { outPath = path; };
+
+ mkGitSource =
+ {
+ repository,
+ revision,
+ url ? null,
+ hash,
+ branch ? null,
+ ...
+ }:
+ assert repository ? type;
+ # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+ # In the latter case, there we will always be an url to the tarball
+ if url != null then
+ (builtins.fetchTarball {
+ inherit url;
+ sha256 = hash; # FIXME: check nix version & use SRI hashes
+ })
+ else
+ assert repository.type == "Git";
+ let
+ urlToName =
+ url: rev:
+ let
+ matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
+
+ short = builtins.substring 0 7 rev;
+
+ appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
+ in
+ "${if matched == null then "source" else builtins.head matched}${appendShort}";
+ name = urlToName repository.url revision;
+ in
+ builtins.fetchGit {
+ url = repository.url;
+ rev = revision;
+ inherit name;
+ # hash = hash;
+ };
+
+ mkPyPiSource =
+ { url, hash, ... }:
+ builtins.fetchurl {
+ inherit url;
+ sha256 = hash;
+ };
+
+ mkChannelSource =
+ { url, hash, ... }:
+ builtins.fetchTarball {
+ inherit url;
+ sha256 = hash;
+ };
+in
+if version == 3 then
+ builtins.mapAttrs (_: mkSource) data.pins
+else
+ throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
diff --git a/nix/sources.json b/nix/sources.json
new file mode 100644
index 00000000..de5928b7
--- /dev/null
+++ b/nix/sources.json
@@ -0,0 +1,47 @@
+{
+ "pins": {
+ "nix-kube-gen": {
+ "type": "Git",
+ "repository": {
+ "type": "GitHub",
+ "owner": "farcaller",
+ "repo": "nix-kube-generators"
+ },
+ "branch": "master",
+ "revision": "2be4f3cb99e179d9f94e6c8723862421437f8efb",
+ "url": "https://github.com/farcaller/nix-kube-generators/archive/2be4f3cb99e179d9f94e6c8723862421437f8efb.tar.gz",
+ "hash": "0pgpr0szig7plmj7i4hjfkpcm4vgy0ingqr115wqjzbx5yjc6c7j"
+ },
+ "nixhelm": {
+ "type": "Git",
+ "repository": {
+ "type": "GitHub",
+ "owner": "farcaller",
+ "repo": "nixhelm"
+ },
+ "branch": "master",
+ "revision": "cafa44fc8c2ad34baf6e5f1bdea3eb3a587a1f6d",
+ "url": "https://github.com/farcaller/nixhelm/archive/cafa44fc8c2ad34baf6e5f1bdea3eb3a587a1f6d.tar.gz",
+ "hash": "1waplza2c0wgq23v41ladfgqdq2wrbw889c973cm439940zj4mj1"
+ },
+ "nixidy": {
+ "type": "Git",
+ "repository": {
+ "type": "GitHub",
+ "owner": "arnarg",
+ "repo": "nixidy"
+ },
+ "branch": "main",
+ "revision": "d28f45aea4d7b93928f1ea94f22a03a3f6dc25f6",
+ "url": "https://github.com/arnarg/nixidy/archive/d28f45aea4d7b93928f1ea94f22a03a3f6dc25f6.tar.gz",
+ "hash": "0ijxdh2432wvwyff1f5yfrjn93lzayrswi1bkasjpwaps9v6ld4r"
+ },
+ "nixpkgs": {
+ "type": "Channel",
+ "name": "nixpkgs-unstable",
+ "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre699031.2d2a9ddbe3f2/nixexprs.tar.xz",
+ "hash": "1vx044c8gdg1c8zmabzbi9xrgjgaz2bfqbl47xsgh517f580bycx"
+ }
+ },
+ "version": 3
+}
diff --git a/shell.nix b/shell.nix
new file mode 100644
index 00000000..bc4c835c
--- /dev/null
+++ b/shell.nix
@@ -0,0 +1,24 @@
+let
+ sources = import ./nix;
+ system = builtins.currentSystem;
+ pkgs = import sources.nixpkgs {
+ inherit system;
+ config = { };
+ overlays = [ ];
+ };
+ nixpkgs = sources.nixpkgs;
+ nixidy = import sources.nixidy { inherit nixpkgs; };
+in
+{
+ shell = pkgs.mkShellNoCC {
+ name = "clstr";
+ nativeBuildInputs = with pkgs; [
+ nixidy.nixidy
+ npins
+ nixfmt-rfc-style
+ just
+ fzf
+ ];
+ NPINS_DIRECTORY = "nix";
+ };
+}