# This file sets up the top-level package set by traversing the package tree
# (see //nix/readTree for details) and constructing a matching attribute set
# tree.

{ nixpkgsBisectPath ? null
, parentTargetMap ? null
, nixpkgsConfig ? { }
, localSystem ? builtins.currentSystem
, crossSystem ? null
, ...
}@args:

let
  inherit (builtins)
    filter
    ;

  readTree = import ./nix/readTree { };

  # Disallow access to //users from other depot parts. The filter itself is
  # produced by readTree.restrictFolder (see //nix/readTree for how it is
  # enforced); this binding only supplies the policy.
  usersFilter =
    let
      # Allow-list of depot paths that may still reach into //users. Every
      # entry widens what can depend on code the reason text below describes
      # as not stable or dependable, so additions deserve review.
      exemptTargets = [
        # whitby is allowed to access //users for several reasons:
        #
        # 1. User SSH keys are set in //users.
        # 2. Some personal websites or demo projects are served from it.
        #
        # NOTE(review): because of (1), changes under //users presumably
        # affect who can log in to that machine — confirm and review
        # accordingly.
        [ "ops" "machines" "whitby" ]

        # Due to evaluation order this also affects these targets.
        # TODO(tazjin): Can this one be removed somehow?
        [ "ops" "nixos" ]
        [ "ops" "machines" "all-systems" ]
      ];
    in
    readTree.restrictFolder {
      folder = "users";
      exceptions = exemptTargets;
      reason = ''
        Code under //users is not considered stable or dependable in the
        wider depot context. If a project under //users is required by
        something else, please move it to a different depot path.
      '';
    };

  # Disallow access to //corp from other depot parts. As the reason text
  # states, the concern here is licensing: //corp code is kept from being
  # used anywhere else in the depot.
  corpFilter =
    let
      # Allow-list of depot paths that may still reach into //corp.
      exemptTargets = [
        # whitby is exempt so that it can serve the corp website (the same
        # pattern as its exemption from the //users restriction).
        [ "ops" "machines" "whitby" ]

        # NOTE(review): presumably exempt for the same evaluation-order
        # reason noted on the //users filter — confirm.
        [ "ops" "nixos" ]
        [ "ops" "machines" "all-systems" ]
      ];
    in
    readTree.restrictFolder {
      folder = "corp";
      exceptions = exemptTargets;
      reason = ''
        Code under //corp may use incompatible licensing terms with
        other depot parts and should not be used anywhere else.
      '';
    };

  # Read the whole depot (rooted at this directory) with readTree, passing
  # `depotArgs` to the tree and applying both folder restrictions.
  readDepot = depotArgs:
    let
      # Chain the two folder restrictions: the //users filter runs first and
      # its result is handed to the //corp filter.
      restrictedFilter = parts: nodeArgs:
        corpFilter parts (usersFilter parts nodeArgs);

      # Names replaced in the scope of depot files so that the two most
      # common sources of host-dependent evaluation fail loudly:
      #
      # * `<name>` lookups desugar to a `__findFile` call, so overriding it
      #   turns every NIX_PATH import into an error instead of silently
      #   pulling in whatever, unpinned, source the host has configured.
      # * `builtins.currentSystem` is replaced by a throwing value so that
      #   code uses the `localSystem` argument instead.
      #
      # NOTE(review): this only shadows the two names listed here; it is a
      # guard rail against accidental impurity rather than a sandbox. How
      # readTree applies `scopedArgs` is defined in //nix/readTree.
      poisonedScope = {
        __findFile = _: _: throw "Do not import from NIX_PATH in the depot!";
        builtins = builtins // {
          currentSystem = throw "Use localSystem from the readTree args instead of builtins.currentSystem!";
        };
      };
    in
    readTree {
      path = ./.;
      args = depotArgs;
      filter = restrictedFilter;
      scopedArgs = poisonedScope;
    };

  # Build targets are found by walking the depot tree and collecting the
  # attributes that were imported by readTree and are buildable.
  #
  # A node is eligible for build inclusion when it has an `outPath` and is
  # neither skipped via `meta.ci.skip = true` nor marked broken.
  #
  # NOTE(review): `meta.ci.skip` is read with an `or` fallback, so
  # `meta.broken` is only consulted when `meta.ci.skip` is absent. A target
  # that sets `meta.ci.skip = false` explicitly stays eligible even if it is
  # marked broken — confirm that this override is intended.
  eligible = node:
    let
      hasOutPath = node ? outPath;
      excludedByMeta = node.meta.ci.skip or (node.meta.broken or false);
    in
    hasOutPath && !excludedByMeta;

in
# The depot is built through readTree.fix, which is handed a function of
# `self`; `self` is used below as the finished depot attribute set, both as
# an argument to every readTree node and to derive the extra attributes
# merged in with `//`.
readTree.fix (self: (readDepot {
  inherit localSystem crossSystem;
  depot = self;

  # Pass third_party as 'pkgs' (for compatibility with external
  # imports for certain subdirectories)
  pkgs = self.third_party.nixpkgs;

  # Expose lib attribute to packages.
  lib = self.third_party.nixpkgs.lib;

  # Pass arguments passed to the entire depot through, for packages
  # that would like to add functionality based on this.
  #
  # Note that it is intended for exceptional circumstance, such as
  # debugging by bisecting nixpkgs.
  #
  # NOTE(review): `args` is the caller-supplied set captured by `@args` in
  # the function head, including anything matched by `...`; it is forwarded
  # here without validation, so consumers should treat it as untrusted.
  externalArgs = args;
}) // {
  # Make the path to the depot available for things that might need it
  # (e.g. NixOS module inclusions)
  #
  # NOTE(review): this copies the depot tree into the Nix store, whose
  # contents are readable by every local user. cleanSourceFilter is a
  # generic filter for VCS directories and build artefacts, not for
  # secrets — confirm that no unencrypted secrets live in the tree.
  path = self.third_party.nixpkgs.lib.cleanSourceWith {
    name = "depot";
    src = ./.;
    filter = self.third_party.nixpkgs.lib.cleanSourceFilter;
  };

  # Additionally targets can be excluded from CI by adding them to the
  # list below.
  #
  # Anything listed here is dropped from ci.targets below and therefore
  # gets no CI coverage at all, so build breakage in these targets goes
  # unnoticed until the entry is removed. Each entry should name the
  # change or condition that allows re-enabling it, as the groups below do.
  ci.excluded = [
    # xanthous and related targets are disabled until cl/9186 is submitted
    self.users.aspen.xanthous
    self.users.aspen.system.system.mugwumpSystem

    # Temporarily disabled after cl/11289. Hopefully these failures are transient
    # and will disappear with the next channel bump.
    self.users.wpcarro.nixos.avaSystem
    self.users.wpcarro.nixos.kyokoSystem
    self.users.wpcarro.nixos.marcusSystem
    self.users.wpcarro.nixos.tarascoSystem
  ];

  # List of all buildable targets, for CI purposes.
  #
  # A target is kept when `eligible` accepts it and it is not an element
  # of ci.excluded.
  #
  # Note: To prevent infinite recursion, this *must* be a nested
  # attribute set (which does not have a __readTree attribute).
  ci.targets = readTree.gather
    (t: (eligible t) && (!builtins.elem t self.ci.excluded))
    (self // {
      # remove the pipelines themselves from the set over which to
      # generate pipelines because that also leads to infinite
      # recursion.
      ops = self.ops // { pipelines = null; };
    });

  # Derivation that gcroots all depot targets.
  #
  # It is a text file named "depot-gcroot" containing every output of
  # every CI target, one per line. `p.outputs or [ ]` is a select with a
  # default, so a target without an `outputs` attribute contributes
  # nothing to the list.
  ci.gcroot = with self.third_party.nixpkgs; writeText "depot-gcroot"
    (builtins.concatStringsSep "\n"
      (lib.flatten
        (map (p: map (o: p.${o}) p.outputs or [ ]) # list all outputs of each drv
          self.ci.targets)));
})