feat: update nixpkgs, drop nix to fix hydra restrict-eval restrictions

2024-02-01 10:46:03 +01:00 · 2024-02-01 10:46:03 +01:00 · 4221e1a7dc
parent e4a8bd4417
commit 4221e1a7dc
4 changed files with 28 additions and 69 deletions
--- a/flake.lock
+++ b/flake.lock
@ -225,7 +225,7 @@
        "crane": "crane_2",
        "devshell": "devshell_5",
        "drv-parts": "drv-parts_2",
-        "flake-compat": "flake-compat_3",
+        "flake-compat": "flake-compat_4",
        "flake-parts": "flake-parts_4",
        "flake-utils-pre-commit": "flake-utils-pre-commit_2",
        "ghc-utils": "ghc-utils_2",
@ -868,9 +868,7 @@
    },
    "hydra": {
      "inputs": {
-        "nix": [
-          "nix"
-        ],
+        "nix": "nix",
        "nixpkgs": "nixpkgs_6"
      },
      "locked": {
@ -1092,22 +1090,25 @@
    },
    "nix": {
      "inputs": {
-        "flake-compat": "flake-compat_5",
+        "flake-compat": "flake-compat_3",
        "lowdown-src": "lowdown-src",
-        "nixpkgs": "nixpkgs_11",
+        "nixpkgs": [
+          "hydra",
+          "nixpkgs"
+        ],
        "nixpkgs-regression": "nixpkgs-regression"
      },
      "locked": {
-        "lastModified": 1701122567,
-        "narHash": "sha256-iA8DqS+W2fWTfR+nNJSvMHqQ+4NpYMRT3b+2zS6JTvE=",
+        "lastModified": 1706208340,
+        "narHash": "sha256-wNyHUEIiKKVs6UXrUzhP7RSJQv0A8jckgcuylzftl8k=",
        "owner": "NixOS",
        "repo": "nix",
-        "rev": "50f8f1c8bc019a4c0fd098b9ac674b94cfc6af0d",
+        "rev": "2c4bb93ba5a97e7078896ebc36385ce172960e4e",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "2.19.2",
+        "ref": "2.19-maintenance",
        "repo": "nix",
        "type": "github"
      }
@ -1135,7 +1136,7 @@
      "inputs": {
        "flake-parts": "flake-parts_6",
        "nix-github-actions": "nix-github-actions_2",
-        "nixpkgs": "nixpkgs_13",
+        "nixpkgs": "nixpkgs_12",
        "treefmt-nix": "treefmt-nix_3"
      },
      "locked": {
@ -1428,7 +1429,7 @@
        "flake-compat": "flake-compat_6",
        "lib-aggregate": "lib-aggregate",
        "nix-eval-jobs": "nix-eval-jobs",
-        "nixpkgs": "nixpkgs_14"
+        "nixpkgs": "nixpkgs_13"
      },
      "locked": {
        "lastModified": 1705323114,
@ -1492,27 +1493,11 @@
    },
    "nixpkgs_11": {
      "locked": {
-        "lastModified": 1705033721,
-        "narHash": "sha256-K5eJHmL1/kev6WuqyqqbS1cdNnSidIZ3jeqJ7GbrYnQ=",
+        "lastModified": 1706550542,
+        "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a1982c92d8980a0114372973cbdfe0a307f1bdea",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-23.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_12": {
-      "locked": {
-        "lastModified": 1705133751,
-        "narHash": "sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d",
+        "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652",
        "type": "github"
      },
      "original": {
@ -1521,7 +1506,7 @@
        "type": "indirect"
      }
    },
-    "nixpkgs_13": {
+    "nixpkgs_12": {
      "locked": {
        "lastModified": 1703134684,
        "narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=",
@ -1537,7 +1522,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_14": {
+    "nixpkgs_13": {
      "locked": {
        "lastModified": 1705133751,
        "narHash": "sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=",
@ -1553,7 +1538,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_15": {
+    "nixpkgs_14": {
      "locked": {
        "lastModified": 1704842529,
        "narHash": "sha256-OTeQA+F8d/Evad33JMfuXC89VMetQbsU4qcaePchGr4=",
@ -1569,7 +1554,7 @@
        "type": "github"
      }
    },
-    "nixpkgs_16": {
+    "nixpkgs_15": {
      "locked": {
        "lastModified": 1695644571,
        "narHash": "sha256-asS9dCCdlt1lPq0DLwkVBbVoEKuEuz+Zi3DG7pR/RxA=",
@ -1796,7 +1781,7 @@
    },
    "pre-commit-hooks-nix_2": {
      "inputs": {
-        "flake-compat": "flake-compat_4",
+        "flake-compat": "flake-compat_5",
        "flake-utils": "flake-utils_5",
        "gitignore": "gitignore_2",
        "nixpkgs": "nixpkgs_9",
@ -1821,7 +1806,7 @@
        "flake-compat": "flake-compat_7",
        "flake-utils": "flake-utils_7",
        "gitignore": "gitignore_3",
-        "nixpkgs": "nixpkgs_15",
+        "nixpkgs": "nixpkgs_14",
        "nixpkgs-stable": "nixpkgs-stable_3"
      },
      "locked": {
@ -1927,10 +1912,9 @@
        "hyprland-contrib": "hyprland-contrib",
        "jovian-nixos": "jovian-nixos",
        "mensa": "mensa",
-        "nix": "nix",
        "nix-colors": "nix-colors",
        "nixos-hardware": "nixos-hardware",
-        "nixpkgs": "nixpkgs_12",
+        "nixpkgs": "nixpkgs_11",
        "nixpkgs-wayland": "nixpkgs-wayland",
        "pre-commit-hooks-nix": "pre-commit-hooks-nix_3",
        "qmk-udev-rules": "qmk-udev-rules",
@ -2079,7 +2063,7 @@
    },
    "treefmt-nix_4": {
      "inputs": {
-        "nixpkgs": "nixpkgs_16"
+        "nixpkgs": "nixpkgs_15"
      },
      "locked": {
        "lastModified": 1704649711,
--- a/flake.nix
+++ b/flake.nix
@ -8,7 +8,6 @@
    pre-commit-hooks-nix.url = "github:cachix/pre-commit-hooks.nix";

    nixpkgs.url = "nixpkgs/nixos-unstable";
-    nix.url = "github:NixOS/nix/2.19.2";
    nixos-hardware.url = "github:NixOS/nixos-hardware";
    custom-udev-rules.url = "github:MalteT/custom-udev-rules";
    nix-colors.url = "github:Misterio77/nix-colors";
@ -38,7 +37,6 @@
    };
    hydra = {
      url = "github:NixOS/hydra";
-      inputs.nix.follows = "nix";
    };
    hyprland = {
      url = "github:hyprwm/Hyprland";
--- a/hosts/faunus-ater/modules/hydra.nix
+++ b/hosts/faunus-ater/modules/hydra.nix
@ -6,23 +6,9 @@
 }: {
  services.hydra = {
    enable = true;
-    package = pkgs.hydra.overrideAttrs (old: {
-      patches =
-        (
-          if old ? patches
-          then old.patches
-          else []
-        )
-        ++ [
-          ../../../patches/hydra-replace-restrict-with-pure-eval.patch
-        ];
-    });
    notificationSender = "hydra@hydra.tammena.me";
    hydraURL = "https://hydra.tammena.me";
    minimumDiskFree = 10;
-    extraConfig = ''
-      evaluator_restrict_eval = false
-    '';
    useSubstitutes = true;
  };

@ -61,6 +47,10 @@
      StrictHostKeyChecking accept-new
  '';

+  nix.extraOptions = ''
+    allowed-uris = https: github: gitlab:
+  '';
+
  systemd.services."hydra-initial-setup" = {
    description = "Setup hydra admin password once";
    serviceConfig = {
--- a/patches/hydra-replace-restrict-with-pure-eval.patch
+++ b/patches/hydra-replace-restrict-with-pure-eval.patch
@ -1,13 +0,0 @@
-diff --git a/src/hydra-eval-jobs/hydra-eval-jobs.cc b/src/hydra-eval-jobs/hydra-eval-jobs.cc
-index 2794cc62..bd6416e9 100644
--- a/src/hydra-eval-jobs/hydra-eval-jobs.cc
-+++ b/src/hydra-eval-jobs/hydra-eval-jobs.cc
-@@ -327,7 +327,7 @@ int main(int argc, char * * argv)
- 
-         /* Prevent access to paths outside of the Nix search path and
-            to the environment. */
-        evalSettings.restrictEval = true;
-+        evalSettings.restrictEval = config->getBoolOption("evaluator_restrict_eval", true);
- 
-         /* When building a flake, use pure evaluation (no access to
-            'getEnv', 'currentSystem' etc. */