Diffstat (limited to 'default.nix')
-rw-r--r-- | default.nix | 111 |
1 files changed, 111 insertions, 0 deletions
diff --git a/default.nix b/default.nix
new file mode 100644
index 000000000000..7ccd7413dbd9
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,111 @@
+# This file sets up the top-level package set by traversing the package tree
+# (see //nix/readTree for details) and constructing a matching attribute set
+# tree.
+
+{ nixpkgsBisectPath ? null, ... }@args:
+
+let
+ inherit (builtins)
+ filter
+ ;
+
+ readTree = import ./nix/readTree {};
+
+ # Disallow access to //users from other depot parts.
+ usersFilter = readTree.restrictFolder {
+ folder = "users";
+ reason = ''
+ Code under //users is not considered stable or dependable in the
+ wider depot context. If a project under //users is required by
+ something else, please move it to a different depot path.
+ '';
+
+ exceptions = [
+ # whitby is allowed to access //users for several reasons:
+ #
+ # 1. User SSH keys are set in //users.
+ # 2. Some personal websites or demo projects are served from it.
+ [ "ops" "machines" "whitby" ]
+
+ # Due to evaluation order this also affects these targets.
+ # TODO(tazjin): Can this one be removed somehow?
+ [ "ops" "nixos" ]
+ [ "ops" "machines" "all-systems" ]
+ ];
+ };
+
+ # Disallow access to //corp from other depot parts.
+ corpFilter = readTree.restrictFolder {
+ folder = "corp";
+ reason = ''
+ Code under //corp may use incompatible licensing terms with
+ other depot parts and should not be used anywhere else.
+ '';
+
+ exceptions = [
+ # For the same reason as above, whitby is exempt to serve the
+ # corp website.
+ [ "ops" "machines" "whitby" ]
+ [ "ops" "nixos" ]
+ [ "ops" "machines" "all-systems" ]
+ ];
+ };
+
+ readDepot = depotArgs: readTree {
+ args = depotArgs;
+ path = ./.;
+ filter = parts: args: corpFilter parts (usersFilter parts args);
+ scopedArgs = {
+ __findFile = _: _: throw "Do not import from NIX_PATH in the depot!";
+ };
+ };
+
+ # To determine build targets, we walk through the depot tree and
+ # fetch attributes that were imported by readTree and are buildable.
+ #
+ # Any build target that contains `meta.ci = false` will be skipped.
+
+ # Is this tree node eligible for build inclusion?
+ eligible = node: (node ? outPath) && (node.meta.ci or true);
+
+in readTree.fix(self: (readDepot {
+ depot = self;
+
+ # Pass third_party as 'pkgs' (for compatibility with external
+ # imports for certain subdirectories)
+ pkgs = self.third_party.nixpkgs;
+
+ # Expose lib attribute to packages.
+ lib = self.third_party.nixpkgs.lib;
+
+ # Pass arguments passed to the entire depot through, for packages
+ # that would like to add functionality based on this.
+ #
+ # Note that it is intended for exceptional circumstance, such as
+ # debugging by bisecting nixpkgs.
+ externalArgs = args;
+}) // {
+ # Make the path to the depot available for things that might need it
+ # (e.g. NixOS module inclusions)
+ path = self.third_party.nixpkgs.lib.cleanSource ./.;
+
+ # List of all buildable targets, for CI purposes.
+ #
+ # Note: To prevent infinite recursion, this *must* be a nested
+ # attribute set (which does not have a __readTree attribute).
+ ci.targets = readTree.gather eligible (self // {
+ # remove the pipelines themselves from the set over which to
+ # generate pipelines because that also leads to infinite
+ # recursion.
+ ops = self.ops // { pipelines = null; };
+
+ # remove nixpkgs from the set, for obvious reasons.
+ third_party = self.third_party // { nixpkgs = null; };
+ });
+
+ # Derivation that gcroots all depot targets.
+ ci.gcroot = self.third_party.nixpkgs.symlinkJoin {
+ name = "depot-gcroot";
+ paths = self.ci.targets;
+ };
+}) |
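Review bot: The `exceptions` lists in `usersFilter` and `corpFilter` repeat the same three paths, and only `whitby` carries a stated reason; `[ "ops" "nixos" ]` and `[ "ops" "machines" "all-systems" ]` are justified only by "evaluation order" under a TODO in the first list and not at all in the second. Because each entry widens which parts of the tree may reach //users and //corp, I would bind the list once in the `let`, e.g. `hostExceptions = [ [ "ops" "machines" "whitby" ] [ "ops" "nixos" ] [ "ops" "machines" "all-systems" ] ];`, and reuse it in both filters with one comment saying what each path actually needs, so the two lists cannot drift apart when the TODO is resolved. Separately, `scopedArgs.__findFile` as written rejects only `<...>` lookups; whether the folder filters also cover relative-path imports depends on readTree, which is not shown here, so a short comment on `readDepot` stating what these restrictions do and do not enforce would keep readers from treating them as a stronger boundary than they may be.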