flake.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90

{
  description = ''
    A tool to manage credentials and other secrets as mutable state within a NixOS environment,
    consisting of a Rust executable, NixOS configuration, and associated documentation.
    Published as part of the Small Tech Kit, ISL's public resource for small organizations
    that want to host their own infrastructure, but usable independently.
  '';

  inputs = {
    nixpkgs = {
      type = "github";
      owner = "NixOS";
      repo = "nixpkgs";
      ref = "nixos-25.05";
    };

    crane = {
      type = "github";
      owner = "ipetkov";
      repo = "crane";
    };
  };

  outputs = { self, nixpkgs, crane }:
  let supportedSystems = [ "aarch64-linux" "x86_64-linux" ];
      forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
      nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; });
  in {
    nixosModules.default = { ... }: {
      imports = [
        ./options.nix
      ];
    };

    packages = forAllSystems (system: let pkgs = nixpkgsFor.${system}; in {
      default = (crane.mkLib pkgs).buildPackage {
        src = ./.;
      };
    });

    devShells = forAllSystems (system: let pkgs = nixpkgsFor.${system}; in {
      default = pkgs.mkShell {
        nativeBuildInputs = with pkgs; [
          cargo
          rustc
        ];
      };
    });

    checks = forAllSystems (system:
        let pkgs = nixpkgsFor.${system};
            mkNixEvalCheck = name: input: expected: pkgs.stdenv.mkDerivation {
              name = "smalltech-nix-test-${name}";

              src = pkgs.symlinkJoin {
                name = "smalltech-nix-test-${name}-src";
                paths = [
                  (pkgs.writeTextDir "input" input)
                  (pkgs.writeTextDir "expected" "${expected}\n")
                ];
              };

              dontUnpack = true;

              nativeBuildInputs = with pkgs; [ diffutils nix ];

              buildPhase = ''
                mkdir nix-store
                ${pkgs.nix}/bin/nix \
                    --extra-experimental-features nix-command \
                    --store dummy:// \
                    eval --json --file $src/input > $out

                if ! ${pkgs.diffutils}/bin/diff $src/expected $out; then
                  echo
                  echo "This is a nix evaluation test case. The expected eval"
                  echo "output differed from the actual output. In an ideal"
                  echo "world, the above diff would help you understand why."
                  echo
                  false
                fi
              '';
            };
        in {
          nix-trivial = mkNixEvalCheck "trivial" "1 + 2" "3";

          rust = self.packages.${system}.default;
        });
  };
}