From c1c379848a19a31de8febb1385c7b9e4d2a474a3 Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Fri, 15 Nov 2019 15:26:08 +0000 Subject: chore(nix): Move files around to conform to new read-tree layout Broadly speaking, the following things are included: * there is now a uniform `args` struct that is passed to all derivations, package headers have been changed appropriately * overrides are now loaded from a separate `override` folder just using read-tree.nix * third-party packages have moved into the `third_party` attribute set --- tools/bin/__dispatch.sh | 6 +++--- tools/blog_cli/default.nix | 4 ++-- tools/kms_pass/default.nix | 22 +++++++++++----------- 3 files changed, 16 insertions(+), 16 deletions(-) (limited to 'tools') diff --git a/tools/bin/__dispatch.sh b/tools/bin/__dispatch.sh index 20848bd5118c..c22b0339fd9e 100755 --- a/tools/bin/__dispatch.sh +++ b/tools/bin/__dispatch.sh @@ -11,19 +11,19 @@ readonly TARGET_TOOL=$(basename $0) case "${TARGET_TOOL}" in terraform) - attr="terraform-gcp" + attr="third_party.terraform-gcp" ;; kontemplate) attr="kontemplate" ;; blog_cli) - attr="tazjin.blog_cli" + attr="tools.blog_cli" ;; stern) attr="stern" ;; pass) - attr="tazjin.kms_pass" + attr="tools.kms_pass" ;; *) echo "The tool '${TARGET_TOOL}' is currently not installed in this repository." diff --git a/tools/blog_cli/default.nix b/tools/blog_cli/default.nix index c755d273a2b0..8113c933601e 100644 --- a/tools/blog_cli/default.nix +++ b/tools/blog_cli/default.nix @@ -1,6 +1,6 @@ -{ buildGoPackage }: +{ pkgs, ... }: -buildGoPackage { +pkgs.buildGoPackage { name = "blog_cli"; goPackagePath = "github.com/tazjin/personal/blog_cli"; src = ./.; diff --git a/tools/kms_pass/default.nix b/tools/kms_pass/default.nix index fbc17650a948..113db30224de 100644 --- a/tools/kms_pass/default.nix +++ b/tools/kms_pass/default.nix 
@@ -6,10 +6,10 @@ # # Only the 'show' and 'insert' commands are supported. -{ google-cloud-sdk, tree, writeShellScriptBin -, project, region, keyring, key }: +{ pkgs, kms, ... }: -writeShellScriptBin "pass" '' +let inherit (pkgs) google-cloud-sdk tree writeShellScriptBin; +in writeShellScriptBin "pass" '' set -eo pipefail CMD="$1" @@ -34,20 +34,20 @@ writeShellScriptBin "pass" '' show) secret_check ${google-cloud-sdk}/bin/gcloud kms decrypt \ - --project ${project} \ - --location ${region} \ - --keyring ${keyring} \ - --key ${key} \ + --project ${kms.project} \ + --location ${kms.region} \ + --keyring ${kms.keyring} \ + --key ${kms.key} \ --ciphertext-file $SECRET_PATH \ --plaintext-file - ;; insert) secret_check ${google-cloud-sdk}/bin/gcloud kms encrypt \ - --project ${project} \ - --location ${region} \ - --keyring ${keyring} \ - --key ${key} \ + --project ${kms.project} \ + --location ${kms.region} \ + --keyring ${kms.keyring} \ + --key ${kms.key} \ --ciphertext-file $SECRET_PATH \ --plaintext-file - echo "Inserted secret '$SECRET'" -- cgit 1.4.1 From 45d63bce1728589836079ecbce83c08f8220845a Mon Sep 17 00:00:00 2001 From: Vincent Ambo Date: Fri, 15 Nov 2019 23:25:41 +0000 Subject: feat(nix): Filter projects that should be built by CI Instead of specifying CI projects manually, this filters them to move the CI configuration into the derivations `meta` attributes. --- default.nix | 33 ++++++++++++++---------- services/tazblog/default.nix | 1 + tools/blog_cli/default.nix | 2 ++ tools/kms_pass.nix | 60 ++++++++++++++++++++++++++++++++++++++++++++ tools/kms_pass/default.nix | 60 -------------------------------------------- 5 files changed, 83 insertions(+), 73 deletions(-) create mode 100644 tools/kms_pass.nix delete mode 100644 tools/kms_pass/default.nix (limited to 'tools') diff --git a/default.nix b/default.nix index 789098667a11..d7ef5b72bcfc 100644 --- a/default.nix +++ b/default.nix 
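Review bot: The `${kms.project}`, `${kms.region}`, `${kms.keyring}` and `${kms.key}` values in the `show` and `insert` branches are spliced into the generated shell script at build time without quoting, so a value containing whitespace or shell metacharacters would alter the gcloud command line instead of failing. These values now come from a `kms` attribute set (presumably the repo-wide args struct the commit message describes) rather than from explicit function arguments, so I would escape them at the interpolation site, e.g. `--project ${pkgs.lib.escapeShellArg kms.project} \`. The same lines are carried unchanged into tools/kms_pass.nix by the following commit. The script body starts and ends outside this hunk.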
@@ -16,7 +16,16 @@ let }; readTree = import ./read-tree.nix; - localPkgs = self: super: + # Derivations that have `meta.enableCI` set to `true` should be + # built by the CI system on every commit. This code implements + # filtering of all derivations in the local sets against this + # condition. + filterCI = lib: pkgs: let + inherit (lib) collect isDerivation filterAttrsRecursive; + ciCondition = _: x: (!isDerivation x) || ((x ? meta.enableCI) && (x.meta.enableCI)); + in collect isDerivation (filterAttrsRecursive ciCondition pkgs); + + repoPkgs = self: super: let config = { pkgs = self; upstream = super; @@ -32,19 +41,17 @@ let services = readTree ./services config; tools = readTree ./tools config; third_party = readTree ./third_party config; - } // (readTree ./overrides config); - - # # All projects that should be built by CI should be added here: - # ciProjects = [ - # self.kontemplate - # self.nixery - # self.ormolu - # self.terraform-gcp - # ] ++ filter (d: d ? meta.broken && !d.meta.broken) (attrValues self.tazjin); - # }; - + } + # Load overrides into the top-level: + // (readTree ./overrides config) + # Collect all projects that should be built by CI + // { + ciProjects = (filterCI super.lib self.services) + ++ (filterCI super.lib self.tools) + ++ (filterCI super.lib self.third_party); + }; in { ... } @ args: import stableSrc (args // { - overlays = [ localPkgs ]; + overlays = [ repoPkgs ]; config.allowUnfree = true; config.allowBroken = true; }) diff --git a/services/tazblog/default.nix b/services/tazblog/default.nix index 2e75c3c2dce1..4d9608838d7c 100644 --- a/services/tazblog/default.nix +++ b/services/tazblog/default.nix @@ -14,4 +14,5 @@ let ''; in wrapper.overrideAttrs(_: { allowSubstitutes = true; + meta.enableCI = true; }) diff --git a/tools/blog_cli/default.nix b/tools/blog_cli/default.nix index 8113c933601e..717daec86b9f 100644 --- a/tools/blog_cli/default.nix +++ b/tools/blog_cli/default.nix 
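Review bot: The comment above `filterCI` says which derivations are built but not what the default means: anything under services, tools or third_party without `meta.enableCI = true` is now silently left out of `ciProjects`. I would say so in the comment, e.g. `# Derivations without the flag are NOT built by CI (opt-in).`. It is also worth checking that the packages named in the removed commented-out list (kontemplate, nixery, ormolu, terraform-gcp) carry the flag, since that is not visible in this patch. The predicate reads more simply as `ciCondition = _: x: !(isDerivation x) || (x.meta.enableCI or false);`.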
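Review bot: `meta.enableCI = true;` inside `wrapper.overrideAttrs(_: { ... })` in services/tazblog/default.nix sets the whole `meta` attribute, because the override ignores the previous attributes and the merge is shallow. If `wrapper` carries any `meta` fields (not visible in this hunk), they are dropped; `meta = (old.meta or {}) // { enableCI = true; };` with `old:` in place of `_:` keeps them. The `// { meta.enableCI = true; }` at the end of tools/kms_pass.nix replaces `meta` on the resulting attribute set in the same way.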
@@ -5,4 +5,6 @@ pkgs.buildGoPackage { goPackagePath = "github.com/tazjin/personal/blog_cli"; src = ./.; goDeps = ./deps.nix; + + meta.enableCI = true; } diff --git a/tools/kms_pass.nix b/tools/kms_pass.nix new file mode 100644 index 000000000000..7005697daaf8 --- /dev/null +++ b/tools/kms_pass.nix @@ -0,0 +1,60 @@ +# This tool mimics a subset of the interface of 'pass', but uses +# Google Cloud KMS for encryption. +# +# It is intended to be compatible with how 'kontemplate' invokes +# 'pass.' +# +# Only the 'show' and 'insert' commands are supported. + +{ pkgs, kms, ... }: + +let inherit (pkgs) google-cloud-sdk tree writeShellScriptBin; +in (writeShellScriptBin "pass" '' + set -eo pipefail + + CMD="$1" + readonly SECRET=$2 + readonly SECRET_PATH="$SECRETS_DIR/$SECRET" + + function secret_check { + if [[ -z $SECRET ]]; then + echo 'Secret must be specified' + exit 1 + fi + } + + if [[ -z $CMD ]]; then + CMD="ls" + fi + + case "$CMD" in + ls) + ${tree}/bin/tree $SECRETS_DIR + ;; + show) + secret_check + ${google-cloud-sdk}/bin/gcloud kms decrypt \ + --project ${kms.project} \ + --location ${kms.region} \ + --keyring ${kms.keyring} \ + --key ${kms.key} \ + --ciphertext-file $SECRET_PATH \ + --plaintext-file - + ;; + insert) + secret_check + ${google-cloud-sdk}/bin/gcloud kms encrypt \ + --project ${kms.project} \ + --location ${kms.region} \ + --keyring ${kms.keyring} \ + --key ${kms.key} \ + --ciphertext-file $SECRET_PATH \ + --plaintext-file - + echo "Inserted secret '$SECRET'" + ;; + *) + echo "Usage: pass show/insert " + exit 1 + ;; + esac +'') // { meta.enableCI = true; } diff --git a/tools/kms_pass/default.nix b/tools/kms_pass/default.nix deleted file mode 100644 index 113db30224de..000000000000 --- a/tools/kms_pass/default.nix +++ /dev/null 
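Review bot: `SECRET_PATH="$SECRETS_DIR/$SECRET"` in the new tools/kms_pass.nix is built from two unchecked values and then passed unquoted as `--ciphertext-file $SECRET_PATH`. As a result an unset `SECRETS_DIR` resolves to `/$SECRET`, a name containing spaces is word-split into extra gcloud arguments, and a name containing `..` lets `insert` write outside the secrets directory. I would add `: "''${SECRETS_DIR:?SECRETS_DIR is not set}"` after `set -eo pipefail` (the `''$` escape stops Nix from interpolating it), quote the path as `--ciphertext-file "$SECRET_PATH" \` in both branches, and have `secret_check` reject names containing `..`. The `${tree}/bin/tree $SECRETS_DIR` call in the `ls` branch needs the same quoting.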
@@ -1,60 +0,0 @@ -# This tool mimics a subset of the interface of 'pass', but uses -# Google Cloud KMS for encryption. -# -# It is intended to be compatible with how 'kontemplate' invokes -# 'pass.' -# -# Only the 'show' and 'insert' commands are supported. - -{ pkgs, kms, ... }: - -let inherit (pkgs) google-cloud-sdk tree writeShellScriptBin; -in writeShellScriptBin "pass" '' - set -eo pipefail - - CMD="$1" - readonly SECRET=$2 - readonly SECRET_PATH="$SECRETS_DIR/$SECRET" - - function secret_check { - if [[ -z $SECRET ]]; then - echo 'Secret must be specified' - exit 1 - fi - } - - if [[ -z $CMD ]]; then - CMD="ls" - fi - - case "$CMD" in - ls) - ${tree}/bin/tree $SECRETS_DIR - ;; - show) - secret_check - ${google-cloud-sdk}/bin/gcloud kms decrypt \ - --project ${kms.project} \ - --location ${kms.region} \ - --keyring ${kms.keyring} \ - --key ${kms.key} \ - --ciphertext-file $SECRET_PATH \ - --plaintext-file - - ;; - insert) - secret_check - ${google-cloud-sdk}/bin/gcloud kms encrypt \ - --project ${kms.project} \ - --location ${kms.region} \ - --keyring ${kms.keyring} \ - --key ${kms.key} \ - --ciphertext-file $SECRET_PATH \ - --plaintext-file - - echo "Inserted secret '$SECRET'" - ;; - *) - echo "Usage: pass show/insert " - exit 1 - ;; - esac -'' -- cgit 1.4.1