From c3fa5989225fa3ea2d21de3e1b2117890a615c1a Mon Sep 17 00:00:00 2001 From: GTrunSec Date: Thu, 13 May 2021 01:18:12 -0700 Subject: [PATCH] enhance nix-shell and add CI --- .envrc | 2 ++ .github/workflows/nix-flake.yml | 19 +++++++++++++++ .travis.yml | 3 --- flake.lock | 33 +++++++++++++++++++++++++++ flake.nix | 21 +++++++++++++---- modules/testing/runtime/nixos-k8s.nix | 32 +++++++++++++------------- shell.nix | 30 +++++++++++------------- 7 files changed, 99 insertions(+), 41 deletions(-) create mode 100644 .envrc create mode 100644 .github/workflows/nix-flake.yml delete mode 100644 .travis.yml
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..946748d
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,2 @@
+watch_file devshell.toml flake.nix
+use flake || use nix
diff --git a/.github/workflows/nix-flake.yml b/.github/workflows/nix-flake.yml
new file mode 100644
index 0000000..e8bb9f9
--- /dev/null
+++ b/.github/workflows/nix-flake.yml
@@ -0,0 +1,19 @@
+name: CI
+on:
+ pull_request:
+ push:
+jobs:
+ tests:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2.3.4
+ - uses: cachix/install-nix-action@v13
+ with:
+ install_url: https://github.com/numtide/nix-flakes-installer/releases/download/nix-2.4pre20210429_d15a196/install
+
+ - run: echo "experimental-features = nix-command flakes" | sudo tee -a /etc/nix/nix.conf
+ - name: Run Nix Flake Check
+ run: nix flake check
+
+ - name: Check Nix parsing
+ run: nix-shell --command "evalnix"
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index af76291..0000000
--- a/.travis.yml
+++ /dev/null
@@ -0,0 +0,0 @@
-language: nix
-script:
-- nix eval -f ./ci.nix --arg release.e2e false test-check
diff --git a/flake.lock b/flake.lock
index 347390f..0d5cc97 100644
--- a/flake.lock
+++ b/flake.lock
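Review bot: In `.github/workflows/nix-flake.yml` none of the job's external inputs is integrity-pinned: `actions/checkout@v2.3.4` and `cachix/install-nix-action@v13` are tags that can be moved, and `install_url` points the install action at an installer from a third-party release with no checksum. Pin each action to a full commit SHA, e.g. `- uses: actions/checkout@<full-commit-sha> # v2.3.4`, and if the numtide installer stays, add a comment saying why a pre-release Nix is required and when it can be dropped. The workflow also declares no `permissions:` block although it runs on every `pull_request` and `push`; a top-level `permissions:` with `contents: read` keeps the token read-only for a job that only evaluates Nix.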
@@ -1,5 +1,36 @@ { "nodes": { + "devshell-flake": { + "locked": { + "lastModified": 1620641550, + "narHash": "sha256-o359KdI/LNiPL6EbirONff2MOvZHtZr9MgYx3R9oVFk=", + "owner": "numtide", + "repo": "devshell", + "rev": "a47493423092f6c4c0a7eb605a7cd515a77db4a8", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1606424373, + "narHash": "sha256-oq8d4//CJOrVj+EcOaSXvMebvuTkmBJuT5tzlfewUnQ=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "99f1c2157fba4bfe6211a321fd0ee43199025dbf", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1605370193, @@ -32,6 +63,8 @@ }, "root": { "inputs": { + "devshell-flake": "devshell-flake", + "flake-compat": "flake-compat", "flake-utils": "flake-utils", "nixpkgs": "nixpkgs" } diff --git a/flake.nix b/flake.nix index a94efea..97d6b60 100644 --- a/flake.nix +++ b/flake.nix @@ -4,10 +4,12 @@ inputs = { flake-utils.url = "github:numtide/flake-utils"; nixpkgs.url = "github:NixOS/nixpkgs"; + devshell-flake.url = "github:numtide/devshell"; + flake-compat = { url = "github:edolstra/flake-compat"; flake = false; }; }; - outputs = { self, nixpkgs, flake-utils }: - { nixosModules = import ./modules; } + outputs = { self, nixpkgs, flake-utils, devshell-flake, flake-compat }: + { modules = import ./modules; } // (flake-utils.lib.eachDefaultSystem (system: @@ -16,12 +18,20 @@ inherit system; overlays = [ self.overlay + devshell-flake.overlay ]; - config = { }; + config = { + allowUnsupportedSystem = true; + }; }; in rec { - devShell = import ./shell.nix { inherit system pkgs; }; + devShell = with pkgs; devshell.mkShell + { + imports = [ + (devshell.importTOML ./devshell.toml) + ]; + }; packages = flake-utils.lib.flattenTree { inherit (pkgs) 
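Review bot: Renaming the output `nixosModules` to `modules` in the first `flake.nix` hunk is an interface change that the commit subject does not mention, and any downstream flake that reads `nixosModules` stops evaluating after this commit. `modules` is also not a standard flake output name, so the `nix flake check` step added in CI will most likely only warn about it rather than check it. If the rename is intentional (for instance because these are not NixOS modules), put that in a comment next to the attribute, e.g. `# not NixOS modules, so deliberately not exposed as nixosModules`, and note the break in the commit message.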
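Review bot: `allowUnsupportedSystem = true` in the `@@ -16,12 +18,20 @@` hunk is set for every system produced by `eachDefaultSystem` without explanation, and it switches off the nixpkgs platform check for all packages, so a package that does not support the host platform fails late in the build instead of at evaluation. Add a comment naming what needs it, e.g. `# required so <package> evaluates on <system>; remove once supported`, or scope the setting to the one system that requires it. The `let` binding and the `eachDefaultSystem` call it sits in start outside this hunk.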
@@ -41,7 +51,8 @@ nixosPath = "${nixpkgs}/nixos"; }; # up to date versions of their nixpkgs equivalents - kubernetes = prev.callPackage ./pkgs/applications/networking/cluster/kubernetes { }; + kubernetes = prev.callPackage ./pkgs/applications/networking/cluster/kubernetes + { }; kubectl = prev.callPackage ./pkgs/applications/networking/cluster/kubectl { }; }; }; diff --git a/modules/testing/runtime/nixos-k8s.nix b/modules/testing/runtime/nixos-k8s.nix index 3072265..f5bc8e1 100644 --- a/modules/testing/runtime/nixos-k8s.nix +++ b/modules/testing/runtime/nixos-k8s.nix @@ -1,7 +1,6 @@ # nixos-k8s implements nixos kubernetes testing runtime -{ - nixosPath +{ nixosPath , config , pkgs , lib @@ -16,12 +15,12 @@ let kubeconfig = "/etc/${config.services.kubernetes.pki.etcClusterAdminKubeconfig}"; # how we differ from the standard configuration of mkKubernetesBaseTest - extraConfiguration = { config, pkgs, lib, nodes, ...}: { + extraConfiguration = { config, pkgs, lib, nodes, ... }: { virtualisation.memorySize = mkDefault 2048; networking = { - nameservers = ["10.0.0.254"]; + nameservers = [ "10.0.0.254" ]; firewall = { - trustedInterfaces = ["docker0" "cni0"]; + trustedInterfaces = [ "docker0" "cni0" ]; }; }; services.kubernetes = { @@ -45,16 +44,17 @@ let }]; }; }]; - }; - systemd.extraConfig = "DefaultLimitNOFILE=1048576"; - systemd.services.copy-certs = { - description = "Share k8s certificates with host"; - script = "cp -rf /var/lib/kubernetes/secrets /tmp/xchg/"; - after = [ "kubernetes.target" ]; - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; + }; + systemd.extraConfig = "DefaultLimitNOFILE=1048576"; + systemd.services.copy-certs = { + description = "Share k8s certificates with host"; + script = "cp -rf /var/lib/kubernetes/secrets /tmp/xchg/"; + after = [ "kubernetes.target" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; }; }; }; 
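Review bot: The `@@ -45,16 +44,17 @@` hunk of `modules/testing/runtime/nixos-k8s.nix` is not a pure re-indent: it removes ten lines and adds eleven, the extra one being a closing `};`, and no other hunk for this file adds an opening brace, so the brace balance of the file changes by one. Either the old file did not parse or `systemd.extraConfig` and `systemd.services.copy-certs` now sit at a different nesting level, and the commit message should say which. The re-added `copy-certs` unit copies `/var/lib/kubernetes/secrets` into `/tmp/xchg/`, so it deserves a comment such as `# test VM only: exports the cluster PKI (presumably incl. private keys) to the host-shared dir; never enable outside the test runtime`. The enclosing `extraConfiguration` function starts outside this hunk.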
@@ -70,7 +70,7 @@ let inherit (config) name; test = script; }; - + in { diff --git a/shell.nix b/shell.nix index dc1f54c..9eb132a 100644 --- a/shell.nix +++ b/shell.nix @@ -1,17 +1,13 @@ -{ - system ? builtins.currentSystem, - pkgs, -}: -let - devshellGitRev = "709fe4d04a9101c9d224ad83f73416dce71baf21"; - - devshellSrc = fetchTarball { - url = "https://github.com/numtide/devshell/archive/${devshellGitRev}.tar.gz"; - sha256 = "1px9cqfshfqs1b7ypyxch3s3ymr4xgycy1krrcg7b97rmmszvsqr"; - }; - - devshell = import devshellSrc { inherit system pkgs; }; - -in -devshell.fromTOML ./devshell.toml - +(import + ( + let + lock = builtins.fromJSON (builtins.readFile ./flake.lock); + in + fetchTarball { + url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz"; + sha256 = lock.nodes.flake-compat.locked.narHash; + } + ) + { + src = ./.; + }).shellNix
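Review bot: The new `shell.nix` carries no comment explaining that it is only a compatibility shim, and that matters here because the integrity pin moved: the old file hard-coded a revision and `sha256`, while the new one reads `rev` and `narHash` for `flake-compat` from `flake.lock`. A header comment would prevent someone from re-adding a hand-written pin or editing the wrong file, e.g. `# Compatibility shim: evaluates flake.nix via flake-compat, pinned to the rev and narHash in flake.lock; update the pin with the lock file, not here.` It is also worth noting there that the CI step `nix-shell --command "evalnix"` depends on this file and on an `evalnix` command that is not defined anywhere in this diff.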