Add pretalx service, refactor flake

Co-authored-by: Ivan Mincik <ivan.mincik@gmail.com> Co-authored-by: Auguste Baum <auguste.apple@gmail.com> Co-authored-by: Ondrej Kubanek <kubanek0ondrej@gmail.com> Co-authored-by: Andres Navarro <contact@andresnav.com>
ngi-nix · Aug 22, 2023 · 40303c1 · 40303c1
1 parent 971a217
commit 40303c1
Show file tree

Hide file tree

Showing 19 changed files with 539 additions and 286 deletions.
diff --git a/configs/all-configurations.nix b/configs/all-configurations.nix
@@ -1,3 +1,15 @@
-{pkgs}: {
+{
   liberaforms-container = import ./liberaforms/container.nix;
+  pretalx-postgresql = {
+    imports = [
+      ./pretalx/pretalx.nix
+      ./pretalx/postgresql.nix
+    ];
+  };
+  pretalx-mysql = {
+    imports = [
+      ./pretalx/pretalx.nix
+      ./pretalx/mysql.nix
+    ];
+  };
 }
diff --git a/configs/liberaforms/container.nix b/configs/liberaforms/container.nix
@@ -1,10 +1,4 @@
-{
-  pkgs,
-  lib,
-  ...
-}: {
-  imports = [../../modules/liberaforms.nix];
-
+{...}: {
   boot.isContainer = true;
 
   networking.useDHCP = false;
@@ -26,4 +20,6 @@
   };
 
   system.stateVersion = "22.11";
+
+  nixpkgs.hostPlatform = "x86_64-linux";
 }
diff --git a/configs/pretalx/mysql.nix b/configs/pretalx/mysql.nix
@@ -0,0 +1,24 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  services = {
+    pretalx.database = {
+      backend = "mysql";
+      host = "/var/run/mysqld/mysqld.sock";
+    };
+
+    mysql = {
+      enable = true;
+      package = pkgs.mysql;
+      ensureUsers = [
+        {
+          name = config.services.pretalx.database.user;
+          ensurePermissions."${config.services.pretalx.database.name}.*" = "ALL PRIVILEGES";
+        }
+      ];
+      ensureDatabases = [config.services.pretalx.database.name];
+    };
+  };
+}
diff --git a/configs/pretalx/postgresql.nix b/configs/pretalx/postgresql.nix
@@ -0,0 +1,17 @@
+{config, ...}: {
+  services = {
+    pretalx.database.backend = "postgresql";
+
+    postgresql = {
+      enable = true;
+      authentication = "local all all trust";
+      ensureUsers = [
+        {
+          name = config.services.pretalx.database.user;
+          ensurePermissions."DATABASE \"${config.services.pretalx.database.name}\"" = "ALL PRIVILEGES";
+        }
+      ];
+      ensureDatabases = [config.services.pretalx.database.name];
+    };
+  };
+}
diff --git a/configs/pretalx/pretalx.nix b/configs/pretalx/pretalx.nix
@@ -0,0 +1,72 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  nixpkgs.hostPlatform = "x86_64-linux";
+
+  networking.firewall.allowedTCPPorts = [config.services.nginx.defaultHTTPListenPort];
+
+  sops.secrets = let
+    pretalxSecret = {
+      # For a production configuration also `sopsFile` is required.
+      # See <https://github.com/Mic92/sops-nix>.
+      owner = config.services.pretalx.user;
+      group = config.services.pretalx.group;
+    };
+  in {
+    "pretalx/database/password" = pretalxSecret;
+    "pretalx/redis/location" = pretalxSecret;
+    "pretalx/init/admin/password" = pretalxSecret;
+    "pretalx/celery/backend" = pretalxSecret;
+    "pretalx/celery/broker" = pretalxSecret;
+  };
+
+  services = {
+    pretalx = {
+      enable = true;
+      package = pkgs.pretalx;
+      nginx = {
+        # For a production configuration use this attribute set to configure the virtual host for pretalx.
+      };
+      database = {
+        user = "pretalx";
+        passwordFile = config.sops.secrets."pretalx/database/password".path;
+      };
+      redis = {
+        enable = true;
+        locationFile = config.sops.secrets."pretalx/redis/location".path;
+      };
+      celery = {
+        enable = true;
+        backendFile = config.sops.secrets."pretalx/celery/backend".path;
+        brokerFile = config.sops.secrets."pretalx/celery/broker".path;
+      };
+
+      init = {
+        admin = {
+          email = "pretalx@localhost";
+          passwordFile = config.sops.secrets."pretalx/init/admin/password".path;
+        };
+        organiser = {
+          name = "NGI Packages";
+          slug = "ngipkgs";
+        };
+      };
+      mail.enable = false;
+    };
+
+    redis.servers."pretalx" = {
+      enable = true;
+      user = config.services.pretalx.user;
+    };
+
+    nginx = {
+      enable = true;
+      recommendedTlsSettings = true;
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+    };
+  };
+}
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -4,78 +4,117 @@
   inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
   inputs.nix-php-composer-builder.url = "github:loophp/nix-php-composer-builder";
   inputs.flake-utils.url = "github:numtide/flake-utils";
-  # Set the defaultSystem list for flake-utils to only x86_64-linux
+  # Set default system to `x86_64-linux`,
+  # as we currently only support Linux.
+  # See <https://github.com/ngi-nix/ngipkgs/issues/24> for plans to support Darwin.
   inputs.systems.url = "github:nix-systems/x86_64-linux";
   inputs.flake-utils.inputs.systems.follows = "systems";
   inputs.treefmt-nix.url = "github:numtide/treefmt-nix";
   inputs.treefmt-nix.inputs.nixpkgs.follows = "nixpkgs";
+  inputs.sops-nix.url = "github:Mic92/sops-nix";
+  inputs.sops-nix.inputs.nixpkgs.follows = "nixpkgs";
 
   outputs = {
     self,
     nixpkgs,
     nix-php-composer-builder,
     flake-utils,
     treefmt-nix,
+    sops-nix,
     ...
-  }: let
-    buildOutputs = system: let
-      pkgs = import nixpkgs {
-        inherit system;
-        overlays = [
-          nix-php-composer-builder.overlays.default
-        ];
-      };
-      treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
-    in {
-      packages = import ./all-packages.nix {
-        inherit (pkgs) newScope;
-      };
-      nixosModules = {
-        modules = import ./modules/all-modules.nix;
-        ngipkgs = {...}: {
-          # Inject an additional argument into the module system evaluation.
-          # This way our package set can be accessed separately and we don't have
-          # to muck around with overlays (which don't work with flakes as you'd expect)
-          _module.args.ngipkgs = self.packages.${system};
+  }:
+    with builtins; let
+      importPackages = pkgs:
+        import ./all-packages.nix {
+          inherit (pkgs) newScope;
         };
-      };
 
-      formatter = treefmtEval.config.build.wrapper;
-    };
+      importNixpkgs = system: overlays:
+        import nixpkgs {
+          inherit system overlays;
+        };
 
-    checkOutputs = system: let
-      pkgs = nixpkgs.legacyPackages.${system} // self.packages.${system};
-      treefmtEval = treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
-      ngipkgsModule = self.nixosModules.${system}.ngipkgs;
-    in {
-      # Configurations have to go in checkOutputs (ie, avoid `eachDefaultSystem`) to generate
-      # a single attribute name for nixos-container deployments (`<config-name>`), because
-      # nixos-container can't parse dot-separated sequence attribute paths (`x86_64-linux.<config-name>`).
-      nixosConfigurations = let
-        all-configurations = import ./configs/all-configurations.nix {inherit pkgs;};
-        inject-ngipkgs = k: v: pkgs.nixos ({...}: {imports = [ngipkgsModule v];});
-      in
-        builtins.mapAttrs inject-ngipkgs all-configurations;
+      importNixosConfigurations = import ./configs/all-configurations.nix;
 
-      # To generate a Hydra jobset for CI builds of all packages
-      # https://hydra.ngi0.nixos.org/jobset/ngipkgs/main
-      hydraJobs = {
-        packages.${system} = self.packages.${system};
-      };
+      loadTreefmt = pkgs: treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
 
-      # For .github/workflows/ci.yaml to *build* all packages, because
-      # `nix flake check` only evaluates packages, but it builds checks.
-      checks.${system} =
-        self.packages.${system}
+      # Attribute set containing all modules obtained via `inputs` and defined in this flake towards definition of `nixosConfigurations` and `nixosTests`.
+      extendedModules =
+        self.nixosModules
         // {
-          formatting = treefmtEval.config.build.check self;
-          test-pretalx =
-            pkgs.nixosTest
-            (import ./tests/pretalx/pretalx.nix {
-              inherit ngipkgsModule pkgs;
-            });
+          sops-nix = sops-nix.nixosModules.default;
         };
-    };
-  in
-    (flake-utils.lib.eachDefaultSystem buildOutputs) // (checkOutputs "x86_64-linux");
+
+      # Compute outputs that are invariant in the system architecture.
+      allSystemsOutputs = system: let
+        pkgs = importNixpkgs system [
+          nix-php-composer-builder.overlays.default
+        ];
+        treefmtEval = loadTreefmt pkgs;
+      in {
+        packages = importPackages pkgs;
+        formatter = treefmtEval.config.build.wrapper;
+      };
+    in
+      # We merge three attribute sets to construct all outputs:
+      #  1. Outputs that are invariant in the system architecture
+      #     via `flake-utils.lib.eachDefaultSystem`.
+      #  2. Outputs that are specific to a system architecture
+      #     (as of 2023-08-22, only `x86_64-linux`).
+      #  3. Outputs that are not tied to any system at all.
+      #
+      # 1.
+      (flake-utils.lib.eachDefaultSystem allSystemsOutputs)
+      #
+      # 2.
+      // (let
+        linuxSystem = "x86_64-linux";
+        pkgs = importNixpkgs linuxSystem [self.overlays.default];
+        treefmtEval = loadTreefmt pkgs;
+      in {
+        # Github Actions executes `nix flake check` therefore this output
+        # should only contain derivations that can built within CI.
+        # See `.github/workflows/ci.yaml`.
+        checks.${linuxSystem} =
+          # For `nix flake check` to *build* all packages, because by default
+          # `nix flake check` only evaluates packages and does not build them.
+          self.packages.${linuxSystem}
+          // {
+            formatting = treefmtEval.config.build.check self;
+          };
+
+        # To generate a Hydra jobset for CI builds of all packages.
+        # See <https://hydra.ngi0.nixos.org/jobset/ngipkgs/main>.
+        hydraJobs.packages.${linuxSystem} = self.packages.${linuxSystem};
+
+        # `nixosTests` is a non-standard name for a flake output.
+        # See <https://github.com/ngi-nix/ngipkgs/issues/28>.
+        nixosTests.${linuxSystem} = mapAttrs (_: pkgs.nixosTest) (import ./tests/all-tests.nix {
+          modules = extendedModules;
+          configurations = importNixosConfigurations;
+        });
+      })
+      #
+      # 3.
+      // {
+        nixosConfigurations =
+          mapAttrs (
+            _: config:
+              nixpkgs.lib.nixosSystem {
+                modules = [config] ++ nixpkgs.lib.attrValues extendedModules;
+              }
+          )
+          importNixosConfigurations;
+
+        nixosModules =
+          (import ./modules/all-modules.nix)
+          // {
+            # The default module adds the default overlay on top of nixpkgs.
+            # This is so that `ngipkgs` can be used alongside `nixpkgs` in a configuration.
+            default.nixpkgs.overlays = [self.overlays.default];
+          };
+
+        # Overlays a package set (e.g. nixpkgs) with the packages defined in this flake.
+        overlays.default = _: importPackages;
+      };
 }
diff --git a/maintainers/maintainers-list.nix b/maintainers/maintainers-list.nix
@@ -6,7 +6,7 @@
     name = "Auguste Baum";
   };
   kubaneko = {
-    email = "ondrej@email.invalid"; # TODO
+    email = "kubanek0ondrej@gmail.com";
     github = "kubaneko";
     githubId = 71923533;
     name = "Ondřej Kubánek";