{ description = '' A tool to manage credentials and other secrets as mutable state within a NixOS environment, consisting of a Rust executable, NixOS configuration, and associated documentation. Published as part of the Small Tech Kit, ISL's public resource for small organizations that want to host their own infrastructure, but usable independently. ''; inputs = { nixpkgs = { type = "github"; owner = "NixOS"; repo = "nixpkgs"; ref = "nixos-25.05"; }; # Crane is a library used to manage Rust builds from nix. # # It doesn't take any inputs itself (the mkLib call, below, uses # dependency injection, which removes that need), so we don't have to set # up any "follows" relations. crane = { type = "github"; owner = "ipetkov"; repo = "crane"; }; # The Rust overlay is a nix "overlay" which provides different versions of # the Rust compiler toolchain. We need a feature from the nightly versions # of the Rust compiler, so we can't use the stable builds that nixpkgs # provides. There are quite a few projects out there that package Rust # toolchains for nix, but this one interacts well with Crane, so it's the # one we use. # # This one does take nixpkgs as a flake input, so we set up the "follows" # relation to avoid having two distinct versions of nixpkgs in use, which # would be expensive at best and cause version-skew errors at worst. rust-overlay = { type = "github"; owner = "oxalica"; repo = "rust-overlay"; inputs.nixpkgs.follows = "nixpkgs"; }; }; outputs = { self, nixpkgs, crane, rust-overlay }: let supportedSystems = [ "aarch64-linux" "x86_64-linux" ]; forAllSystems = nixpkgs.lib.genAttrs supportedSystems; nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; # We apply the Rust overlay to the entire package set, but it will # use a stable version of Rust for most packages, except where we # explicitly override that behavior. # # This may result in increased build times since the upstream cache of # pre-built nix packages is less likely to have things. Unfortunately, # there's not a convenient or concise way to use an overlay # selectively; this is one reason to not use overlays when more modern # styles of nix architecture are available. There just isn't a way to # avoid that with our requirements right now. # # Hopefully, we can remove the overlay (but keep Crane) when the # nightly features we use have all reached stable status. Please try # hard to avoid adding dependencies on new nightly-only Rust features. overlays = [ (import rust-overlay) ]; }); # Since we rely on a Rust nightly feature (see the features annotation # at the top of main.rs), we need to invoke Crane with a nightly version # of the Rust compiler. There are many possible ways to achieve that, # most with roughly the same result. # # One thing to note is that, by using Crane's overrideToolchain feature # here, we make sure we're only using nightly Rust for our own package. # Using it for the entire distro would be easy to do by accident, and # would be terrible for build times and upgrade reliability. toolchainFor = pkgs: pkgs.rust-bin.selectLatestNightlyWith (toolchain: toolchain.default); craneLibFor = pkgs: (crane.mkLib pkgs).overrideToolchain toolchainFor; in { nixosModules.default = { ... }: { imports = [ # Please note that checks.nix also directly references options.nix, # so if you add anything else to these imports, also add it in # checks.nix. ./options.nix ]; }; packages = forAllSystems (system: let pkgs = nixpkgsFor.${system}; in { default = (craneLibFor pkgs).buildPackage { src = ./.; }; }); devShells = forAllSystems (system: let pkgs = nixpkgsFor.${system}; in { default = pkgs.mkShell { nativeBuildInputs = with pkgs; [ (toolchainFor pkgs) ]; }; }); # The checks are quite verbose, so they're in a separate file. checks = forAllSystems (system: let pkgs = nixpkgsFor.${system}; in import ./checks.nix { inherit pkgs self system; }); }; }