hosts: use shadows

cluster/services/attic/server.nix

@@ -15,6 +15,7 @@ in
 
   services.atticd = {
     enable = true;
+    package = depot.inputs.attic.packages.attic-server;
 
     credentialsFile = secrets.serverToken.path;
 

cluster/services/idm/common.nix

@@ -0,0 +1,5 @@
+{ depot, ... }:
+
+{
+  services.kanidm.package = depot.packages.kanidm;
+}

cluster/services/idm/default.nix

@@ -22,8 +22,12 @@
       client-soda = [ "soda" ];
     };
     nixos = {
-      server = ./server.nix;
+      server = [
+        ./common.nix
+        ./server.nix
+      ];
       client = [
+        ./common.nix
         ./client.nix
         ./modules/idm-nss-ready.nix
         ./modules/idm-tmpfiles.nix

hosts/VEGAS/services/api/default.nix

@@ -1,40 +0,0 @@
-{ config, lib, depot, ... }:
-let
-  inherit (depot.lib.meta) domain;
-  apiAddr = "api.${domain}";
-  proxyTarget = config.links.api.url;
-  proxy = depot.lib.nginx.vhosts.proxy proxyTarget;
-in
-{
-  # n8n uses "Sustainable Use License"
-  nixpkgs.config.allowUnfree = true;
-
-  links.api.protocol = "http";
-
-  services.n8n = {
-    enable = true;
-    webhookUrl = "https://${apiAddr}";
-    settings = {
-      inherit (config.links.api) port;
-    };
-  };
-
-  systemd.services.n8n.environment = {
-      N8N_LISTEN_ADDRESS = "127.0.0.1";
-      N8N_ENDPOINT_WEBHOOK = "api";
-      N8N_ENDPOINT_WEBHOOK_TEST = "test";
-  };
-
-  services.nginx.virtualHosts."${apiAddr}" = lib.recursiveUpdate proxy {
-    locations."/api" = {
-      proxyPass = proxyTarget;
-      extraConfig = "auth_request off;";
-    };
-    locations."/test" = {
-      proxyPass = proxyTarget;
-      extraConfig = "auth_request off;";
-    };
-  };
-
-  services.oauth2-proxy.nginx.virtualHosts.${apiAddr} = { };
-}

hosts/VEGAS/system.nix

@@ -15,7 +15,6 @@
       depot.inputs.mms.module
 
       # Services
-      ./services/api
       ./services/backbone-routing
       ./services/bitwarden
       ./services/cdn-shield

hosts/nixos.nix

@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, withSystem, ... }:
 
 let
   inherit (lib) mapAttrs nixosSystem;
@@ -6,8 +6,12 @@ let
 
   mkNixOS = name: host: nixosSystem {
     specialArgs = config.lib.summon name lib.id;
-    inherit (host) system;
+    modules = [
-    modules = [ host.nixos ] ++ config.cluster.config.out.injectNixosConfig name;
+      host.nixos
+      (withSystem host.system ({ config, pkgs, ... }: {
+        nixpkgs.pkgs = pkgs // config.shadows;
+      }))
+    ] ++ config.cluster.config.out.injectNixosConfig name;
   };
 in {
   flake.nixosConfigurations = mapAttrs mkNixOS (gods.fromLight // gods.fromFlesh);

modules/autopatch/default.nix

@@ -1,18 +0,0 @@
-{
-  nixpkgs.overlays = [
-    (self: super:
-      (let
-        patched = import ../../packages/patched-derivations.nix super;
-      in {
-
-        inherit (patched)
-          kanidm
-          prometheus-jitsi-exporter
-        ;
-
-        jre_headless = patched.jre17_standard;
-
-      })
-    )
-  ];
-}

modules/nixpkgs-config/default.nix

@@ -0,0 +1,9 @@
+{ depot, lib, ... }:
+
+{
+  imports = [
+    depot.inputs.nixpkgs.nixosModules.readOnlyPkgs
+  ];
+
+  nixpkgs.overlays = lib.mkForce [];
+}

modules/part.nix

@@ -6,7 +6,6 @@ in
 
 {
   flake.nixosModules = with config.flake.nixosModules; {
-    autopatch = ./autopatch;
     ascensions = ./ascensions;
     consul-distributed-services = ./consul-distributed-services;
     consul-service-registry = ./consul-service-registry;
@@ -23,6 +22,7 @@ in
     networking = ./networking;
     nix-builder = ./nix-builder;
     nix-config-server = ./nix-config/server.nix;
+    nixpkgs-config = ./nixpkgs-config;
     nix-register-flakes = ./nix-register-flakes;
     patroni = ./patroni;
     port-magic = ./port-magic;
@@ -34,10 +34,10 @@ in
     tested = ./tested;
 
     machineBase = group [
-      autopatch
       enterprise
       maintenance
       minimal
+      nixpkgs-config
       port-magic
       ssh
       systemd-extras

packages/part.nix

@@ -9,6 +9,7 @@ in {
     ./projects.nix
     ./patched-inputs.nix
     ./catalog
+    ./shadows.nix
   ];
   perSystem = { pkgs, self', system, ... }: let
     patched-derivations = import ./patched-derivations.nix (pkgs // { flakePackages = self'.packages; });

packages/shadows.nix

@@ -0,0 +1,19 @@
+{ lib, ... }:
+
+{
+  perSystem = { inputs', self', ... }: {
+    # much like overlays, shadows can *shadow* packages in nixpkgs
+    # unlike overlays, shadows don't cause a nixpkgs re-evaluation
+    # this is a hack for dealing with poorly written NixOS modules
+    # that don't provide a `package` option to perform overrides
+
+    options.shadows = lib.mkOption {
+      type = with lib.types; lazyAttrsOf package;
+      default = {
+        inherit (self'.packages)
+          kanidm
+        ;
+      };
+    };
+  };
+}