Diffstat (limited to 'default.nix')
-rw-r--r--default.nix124
1 files changed, 101 insertions, 23 deletions
diff --git a/default.nix b/default.nix
index bb8c557cdc81..7ccd7413dbd9 100644
--- a/default.nix
+++ b/default.nix
@@ -1,33 +1,111 @@
-{ ... }:
+# This file sets up the top-level package set by traversing the package tree
+# (see //nix/readTree for details) and constructing a matching attribute set
+# tree.
+
+{ nixpkgsBisectPath ? null, ... }@args:
 
 let
-  inherit (builtins) fetchGit readDir path;
-  inherit (pkgs.lib) filterAttrs mapAttrs;
-  inherit (pkgs.lib.strings) hasPrefix;
+  inherit (builtins)
+    filter
+    ;
+
+  readTree = import ./nix/readTree {};
+
+  # Disallow access to //users from other depot parts.
+  usersFilter = readTree.restrictFolder {
+    folder = "users";
+    reason = ''
+      Code under //users is not considered stable or dependable in the
+      wider depot context. If a project under //users is required by
+      something else, please move it to a different depot path.
+    '';
+
+    exceptions = [
+      # whitby is allowed to access //users for several reasons:
+      #
+      # 1. User SSH keys are set in //users.
+      # 2. Some personal websites or demo projects are served from it.
+      [ "ops" "machines" "whitby" ]
+
+      # Due to evaluation order this also affects these targets.
+      # TODO(tazjin): Can this one be removed somehow?
+      [ "ops" "nixos" ]
+      [ "ops" "machines" "all-systems" ]
+    ];
+  };
+
+  # Disallow access to //corp from other depot parts.
+  corpFilter = readTree.restrictFolder {
+    folder = "corp";
+    reason = ''
+      Code under //corp may use incompatible licensing terms with
+      other depot parts and should not be used anywhere else.
+    '';
 
-  briefcasePath = path {
+    exceptions = [
+      # For the same reason as above, whitby is exempt to serve the
+      # corp website.
+      [ "ops" "machines" "whitby" ]
+      [ "ops" "nixos" ]
+      [ "ops" "machines" "all-systems" ]
+    ];
+  };
+
+  readDepot = depotArgs: readTree {
+    args = depotArgs;
     path = ./.;
-    name = "briefcase";
+    filter = parts: args: corpFilter parts (usersFilter parts args);
+    scopedArgs = {
+      __findFile = _: _: throw "Do not import from NIX_PATH in the depot!";
+    };
   };
 
-  depot = import (fetchGit {
-    url = "https://cl.tvl.fyi/depot";
-    rev = "2f7b688389058b454ee12adc4b6b47740298f53b";
-  }) {};
+  # To determine build targets, we walk through the depot tree and
+  # fetch attributes that were imported by readTree and are buildable.
+  #
+  # Any build target that contains `meta.ci = false` will be skipped.
+
+  # Is this tree node eligible for build inclusion?
+  eligible = node: (node ? outPath) && (node.meta.ci or true);
+
+in readTree.fix(self: (readDepot {
+  depot = self;
+
+  # Pass third_party as 'pkgs' (for compatibility with external
+  # imports for certain subdirectories)
+  pkgs = self.third_party.nixpkgs;
+
+  # Expose lib attribute to packages.
+  lib = self.third_party.nixpkgs.lib;
+
+  # Pass arguments passed to the entire depot through, for packages
+  # that would like to add functionality based on this.
+  #
+  # Note that it is intended for exceptional circumstance, such as
+  # debugging by bisecting nixpkgs.
+  externalArgs = args;
+}) // {
+  # Make the path to the depot available for things that might need it
+  # (e.g. NixOS module inclusions)
+  path = self.third_party.nixpkgs.lib.cleanSource ./.;
 
-  pkgs = import (fetchGit {
-    url = "https://github.com/NixOS/nixpkgs-channels";
-    ref = "nixos-20.03";
-    rev = "afa9ca61924f05aacfe495a7ad0fd84709d236cc";
-  }) {};
+  # List of all buildable targets, for CI purposes.
+  #
+  # Note: To prevent infinite recursion, this *must* be a nested
+  # attribute set (which does not have a __readTree attribute).
+  ci.targets = readTree.gather eligible (self // {
+    # remove the pipelines themselves from the set over which to
+    # generate pipelines because that also leads to infinite
+    # recursion.
+    ops = self.ops // { pipelines = null; };
 
-  briefcase = import briefcasePath {};
+    # remove nixpkgs from the set, for obvious reasons.
+    third_party = self.third_party // { nixpkgs = null; };
+  });
 
-  readTree = depot.nix.readTree {
-    inherit depot pkgs briefcase;
+  # Derivation that gcroots all depot targets.
+  ci.gcroot = self.third_party.nixpkgs.symlinkJoin {
+    name = "depot-gcroot";
+    paths = self.ci.targets;
   };
-in mapAttrs
-  (name: _: readTree (./. + "/${name}"))
-  (filterAttrs
-    (name: type: type == "directory" && !hasPrefix "." name)
-    (readDir briefcasePath))
+})
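Review bot: The `exceptions` lists in `usersFilter` and `corpFilter` are the only holes in the two access restrictions, yet they are duplicated verbatim, and the `corpFilter` copy gives no reason for its `[ "ops" "nixos" ]` and `[ "ops" "machines" "all-systems" ]` entries. `[ "ops" "nixos" ]` presumably exempts everything under that path rather than a single machine (the matching rule lives in `readTree.restrictFolder`, which is not shown here). For //corp, where the stated reason is licensing, that entry deserves a comment naming what under it actually needs access. Binding the list once in the `let`, e.g. `depotExceptions = [ [ "ops" "machines" "whitby" ] [ "ops" "nixos" ] [ "ops" "machines" "all-systems" ] ];`, and writing `exceptions = depotExceptions;` in both filters would keep the two from drifting apart. Separately, `inherit (builtins) filter;` appears unused in the new file, since the `filter =` in `readDepot` is an attribute name, not a call to the builtin.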