Update all 3p/sources as we do normally except
- agenix which is still pinned to 0.15.0
- nixpkgs (unstable) which we bump to the HEAD of the staging-next
  branch. This branch includes the downgrade of xz from 5.6.1 to
  5.4.6 (d6dc19adbd). It
  also includes the second haskell-updates rotation with GHC 9.6.4
  which contains a few build fixes that seem to be required to get
  our Haskell targets to work.
Note that this only reverts xz to a version that doesn't contain the now-known
backdoor (CVE-2024-3094), which may or may not actually affect
NixOS. Additionally, reverting to a version predating the malicious
contributor's involvement may be difficult, but prudent:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068024
Changes required by the updates:
- //3p/overlays/haskell:
  - Update ihp-hsx to latest master to fix build with Stackage LTS 22.
  - Update tmp-postgres to latest master to work around failure with
    ansi-wl-pprint >= 1.
  - Patch punycode for mtl >= 2.3.
- //users/Profpatsch:
  - Clean up some warnings, mostly about unused dependencies
  - my-prelude: Fix build with ghc-boot-9.6.4
  - cas-serve: Use crypton over unmaintained cryptonite
  - ical-smolify: skip in ci, iCalendar would require heavy patching to
    work with Stackage LTS 22.
- //users/{wpcarro,aspen,flokli}:
  Disable home-manager / nixos configuration builds that seem to have
  transient failures that should disappear as we move away from
  staging-next and closer to an actual channel release.
Change-Id: I5cca48e101041c3aedc1d9932dbca2cac885fcc1
Reviewed-on: https://cl.tvl.fyi/c/depot/+/11289
Tested-by: BuildkiteCI
Autosubmit: sterni <sternenseemann@systemli.org>
Reviewed-by: sterni <sternenseemann@systemli.org>
Reviewed-by: tazjin <tazjin@tvl.su>
		
	
			
		
			
				
	
	
		
# This file sets up the top-level package set by traversing the package tree
# (see //nix/readTree for details) and constructing a matching attribute set
# tree.
#
# Evaluation is a fixpoint (readTree.fix): every attribute below can refer to
# the finished tree as `self`, so `ci.targets` and `ci.gcroot` see the same
# set that packages themselves are built from.

# Arguments are captured as a whole via `@args`; the first three are not
# read in this file and only reach the tree through `externalArgs` below.
{ nixpkgsBisectPath ? null
, parentTargetMap ? null
, nixpkgsConfig ? { }
, localSystem ? builtins.currentSystem
, crossSystem ? null
, ...
}@args:

let
  # NOTE(review): `filter` is not referenced anywhere below (the two
  # `filter = ...` occurrences are attribute names) — this inherit looks unused.
  inherit (builtins)
    filter
    ;

  readTree = import ./nix/readTree { };

  # Disallow access to //users from other depot parts.
  #
  # This is an evaluation-time boundary: infrastructure and shared code must
  # not depend on per-user trees, only the explicit exceptions listed may.
  usersFilter = readTree.restrictFolder {
    folder = "users";
    reason = ''
      Code under //users is not considered stable or dependable in the
      wider depot context. If a project under //users is required by
      something else, please move it to a different depot path.
    '';

    exceptions = [
      # whitby is allowed to access //users for several reasons:
      #
      # 1. User SSH keys are set in //users.
      # 2. Some personal websites or demo projects are served from it.
      [ "ops" "machines" "whitby" ]

      # Due to evaluation order this also affects these targets.
      # TODO(tazjin): Can this one be removed somehow?
      [ "ops" "nixos" ]
      [ "ops" "machines" "all-systems" ]
    ];
  };

  # Disallow access to //corp from other depot parts.
  corpFilter = readTree.restrictFolder {
    folder = "corp";
    reason = ''
      Code under //corp may use incompatible licensing terms with
      other depot parts and should not be used anywhere else.
    '';

    exceptions = [
      # For the same reason as above, whitby is exempt to serve the
      # corp website.
      [ "ops" "machines" "whitby" ]
      [ "ops" "nixos" ]
      [ "ops" "machines" "all-systems" ]
    ];
  };

  # Reads the whole depot with readTree. `depotArgs` is the attribute set
  # every tree node is called with; `scopedArgs` shadows names inside the
  # imported files to keep evaluation hermetic.
  readDepot = depotArgs: readTree {
    args = depotArgs;
    path = ./.;
    # Both folder restrictions apply: the users filter runs first, then corp.
    filter = parts: args: corpFilter parts (usersFilter parts args);
    scopedArgs = {
      # Angle-bracket lookups (`<nixpkgs>` etc.) desugar to __findFile, so
      # this makes any NIX_PATH-dependent import inside the depot fail loudly
      # instead of silently pulling in whatever the evaluating machine has.
      __findFile = _: _: throw "Do not import from NIX_PATH in the depot!";
      builtins = builtins // {
        # Same idea for the host platform: it must come from `localSystem`.
        currentSystem = throw "Use localSystem from the readTree args instead of builtins.currentSystem!";
      };
    };
  };

  # To determine build targets, we walk through the depot tree and
  # fetch attributes that were imported by readTree and are buildable.
  #
  # Any build target that contains `meta.ci.skip = true` or is marked
  # broken will be skipped.
  # Is this tree node eligible for build inclusion?
  #
  # `node ? outPath` requires a derivation-like value; the `or` chain falls
  # back to `meta.broken`, then to `false`, when `meta.ci.skip` is absent.
  eligible = node: (node ? outPath) && !(node.meta.ci.skip or (node.meta.broken or false));

in
readTree.fix (self: (readDepot {
  inherit localSystem crossSystem;
  depot = self;

  # Pass third_party as 'pkgs' (for compatibility with external
  # imports for certain subdirectories)
  pkgs = self.third_party.nixpkgs;

  # Expose lib attribute to packages.
  lib = self.third_party.nixpkgs.lib;

  # Pass arguments passed to the entire depot through, for packages
  # that would like to add functionality based on this.
  #
  # Note that it is intended for exceptional circumstance, such as
  # debugging by bisecting nixpkgs.
  externalArgs = args;
}) // {
  # Make the path to the depot available for things that might need it
  # (e.g. NixOS module inclusions)
  #
  # cleanSourceFilter is nixpkgs' default source filter; it keeps VCS
  # metadata and editor backup files out of the store path.
  path = self.third_party.nixpkgs.lib.cleanSourceWith {
    name = "depot";
    src = ./.;
    filter = self.third_party.nixpkgs.lib.cleanSourceFilter;
  };

  # Additionally targets can be excluded from CI by adding them to the
  # list below.
  #
  # Exclusion is by value: `ci.targets` drops any node that `builtins.elem`
  # finds in this list, so each entry must be the target attribute itself.
  ci.excluded = [
    # xanthous and related targets are disabled until cl/9186 is submitted
    self.users.aspen.xanthous
    self.users.aspen.system.system.mugwumpSystem

    # Temporarily disabled after cl/11289. Hopefully these failures are transient
    # and will disappear with the next channel bump.
    self.users.aspen.system.home.ogopogoHome
    self.users.aspen.system.home.luscaHome
    self.users.aspen.system.home.yerenHome
    self.users.aspen.system.system.roswellSystem
    self.users.flokli.nixos.archeologyEc2System
    self.users.flokli.nixos.deploy-archeology-ec2
    self.users.wpcarro.nixos.avaSystem
    self.users.wpcarro.nixos.kyokoSystem
    self.users.wpcarro.nixos.marcusSystem
    self.users.wpcarro.nixos.tarascoSystem
  ];

  # List of all buildable targets, for CI purposes.
  #
  # Note: To prevent infinite recursion, this *must* be a nested
  # attribute set (which does not have a __readTree attribute).
  ci.targets = readTree.gather
    (t: (eligible t) && (!builtins.elem t self.ci.excluded))
    (self // {
      # remove the pipelines themselves from the set over which to
      # generate pipelines because that also leads to infinite
      # recursion.
      ops = self.ops // { pipelines = null; };
    });

  # Derivation that gcroots all depot targets.
  #
  # `p.outputs or [ ]` binds tighter than the application, so derivations
  # without an `outputs` attribute contribute nothing rather than failing.
  ci.gcroot = with self.third_party.nixpkgs; writeText "depot-gcroot"
    (builtins.concatStringsSep "\n"
      (lib.flatten
        (map (p: map (o: p.${o}) p.outputs or [ ]) # list all outputs of each drv
          self.ci.targets)));
})