default.nix
{ system ? builtins.currentSystem }:
let
# Package sources, loaded from ./nix/sources.nix.
sources = import ./nix/sources.nix;
# A second, older nixpkgs pin. It is imported only so that the legacy GnuPG
# package can be injected into the main package set below.
# NOTE(review): whatever is taken from this pin does not follow updates of the
# main nixpkgs pin; keep its use limited to gnupg1orig.
# NOTE(review): `config = { }` is passed explicitly but `overlays` is not, so a
# non-pure evaluation may still pick up user-level overlays; consider adding
# `overlays = [ ];` after confirming the old pin accepts that argument.
oldpkgs = import sources.oldpkgs {
  config = { };
  inherit system;
};
# The single package taken from the old pin.
inherit (oldpkgs) gnupg1orig;
# The main package set: the current nixpkgs pin with this repository's
# overlays applied on top.
pkgs = import sources.nixpkgs {
  inherit system;
  # The pinned nixpkgs contains an unfree package (vault-1.16.2) that refuses
  # to evaluate unless unfree packages are allowed. That package is not used.
  # NOTE(review): this setting allows every unfree package, not only that
  # one; `allowUnfreePredicate` could narrow it to a named list. Confirm that
  # evaluation still succeeds before switching.
  config.allowUnfree = true;
  # Layering is important here: overlays are applied top to bottom, so the
  # lowest one takes precedence when two of them define the same attribute.
  overlays = [
    # custom overlay for injections: exposes gnupg1orig from the old pin
    (_final: _prev: { inherit gnupg1orig; })
    # main overlay
    (import ./nix/overlay.nix)
  ];
};
# A one-file package that provides /.profile.
# direnv sources that file. It sets NIX_PATH so that `nix-shell` resolves
# `nixpkgs` to the same nixpkgs tree that is used here.
profileEnv = pkgs.writeTextFile {
  name = "profile-env";
  text = ''
    export NIX_PATH=nixpkgs=${toString pkgs.path}
  '';
  destination = "/.profile";
};
in
rec {
inherit pkgs profileEnv;
# The tool environment for wire-server-deploy: a single buildEnv profile that
# collects every package listed below. The list order is kept as is.
env = pkgs.buildEnv {
  name = "wire-server-deploy";
  paths =
    with pkgs;
    [
      customAnsible
      apacheHttpd
      awscli2
      gnumake
      gnupg1
      # Injected dependency: gnupg1orig comes from the older nixpkgs pin.
      # NOTE(review): this package does not follow the main nixpkgs pin, so
      # fixes to it have to be tracked separately.
      gnupg1orig
      kubernetes-tools
      # Note: this is overridden in nix/overlay.nix to have plugins. That is
      # required so that helmfile gets the correct version of helm in its PATH.
      kubernetes-helm
      helmfile
      openssl
      moreutils
      skopeo
      sops
      opentofu
      yq-go # Use yq-go (v4+) explicitly instead of python-yq for consistent YAML processing
      # Project helper tools (presumably defined in nix/overlay.nix - confirm).
      create-container-dump
      list-helm-containers
      mirror-apt-jammy
      generate-gpg1-key
      create-build-entry
      # Linting
      shellcheck
      # general utilities for bash operations
      jq
      gnused
      curl
      gawk
      niv
      nix-prefetch-docker
      # the generated /.profile file (see profileEnv)
      profileEnv
    ]
    # Linux-only additions
    ++ lib.optionals stdenv.isLinux [
      containerd
      # for RTP session debugging
      wireshark
      gnuplot
    ];
};
# The container image used for offline deploys, for people who probably do
# not have nix + direnv :)
container = pkgs.dockerTools.buildImage {
  name = "quay.io/wire/wire-server-deploy";
  # Base image; its coordinates are read from ./nix/docker-alpine.nix.
  # NOTE(review): presumably that file pins the image by digest and hash -
  # verify both whenever the base image is bumped.
  fromImage = pkgs.dockerTools.pullImage (import ./nix/docker-alpine.nix);
  # The image is kept small: git is not included, and the ansible folder is
  # mounted into the container rather than copied in. An SSH client is
  # included all the same, because ansible needs it.
  contents =
    (with pkgs; [
      cacert
      coreutils
      bashInteractive
      openssh # ansible needs this too, even with paramiko
      # needed for password login
      # NOTE(review): sshpass takes the password from an argument, a file or
      # an environment variable; prefer key-based logins where the target
      # hosts allow it.
      sshpass
    ])
    ++ [
      # The environment
      env
      # provide /usr/bin/env and /tmp in the container too :-)
      # (currently disabled)
      #(pkgs.runCommandNoCC "foo" {} "
      #  mkdir -p $out/usr/bin $out/tmp
      #  ln -sfn ${pkgs.coreutils}/bin/env $out/usr/bin/env
      #")
    ];
  config = {
    WorkingDir = "/wire-server-deploy";
    # The repository checkout is expected to be mounted here at run time.
    Volumes."/wire-server-deploy" = { };
    Env = [
      # NOTE(review): admin.conf is read from the mounted volume, not baked
      # into the image. It presumably holds cluster-admin credentials, so
      # keep the host-side file permissions tight.
      "KUBECONFIG=/wire-server-deploy/ansible/inventory/offline/artifacts/admin.conf"
      "ANSIBLE_CONFIG=/wire-server-deploy/ansible/ansible.cfg"
      "LOCALHOST_PYTHON=${env}/bin/python"
    ];
  };
};
}