nlewo · nlewo · Feb 5, 2025 · Feb 4, 2025 · Feb 4, 2025 · Feb 4, 2025
diff --git a/docs/generated-module-options.md b/docs/generated-module-options.md
@@ -16,6 +16,24 @@ boolean
 
 
 
+## services\.comin\.package
+
+
+
+The comin package to use\.
+
+
+
+*Type:*
+null or package
+
+
+
+*Default:*
+` "pkgs.comin or comin.packages.\${system}.default or null" `
+
+
+
 ## services\.comin\.debug
 
 Whether to run comin in debug mode\. Be careful, secrets are shown!\.

diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -1,70 +1,33 @@
 {
   description = "Comin - GitOps for NixOS Machines";
 
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+
   outputs = { self, nixpkgs }:
   let
     systems = [ "aarch64-linux" "x86_64-linux" ];
     forAllSystems = nixpkgs.lib.genAttrs systems;
-    nixpkgsFor = forAllSystems (system: import nixpkgs {
-      inherit system;
-      overlays = [ self.overlays.default ];
-    });
+    nixpkgsFor = forAllSystems (system: nixpkgs.legacyPackages.${system});
     optionsDocFor = forAllSystems (system:
       import ./nix/module-options-doc.nix (nixpkgsFor."${system}")
     );
   in {
-    overlays.default = final: prev: let
-      # - safe.directory: this is to allow comin to fetch local repositories belonging
-      #   to other users. Otherwise, comin fails with:
-      #   Pull from remote 'local' failed: unknown error: fatal: detected dubious ownership in repository
-      # - core.hooksPath: to avoid Git executing hooks from a repository belonging to another user
-      gitConfigFile = final.writeTextFile {
-        name = "git.config";
-        text = ''
-          [safe]
-             directory = *
-          [core]
-             hooksPath = /dev/null
-        '';
-      };
-    in {
-      comin = final.buildGoModule rec {
-        pname = "comin";
-        version = "0.6.0";
-        nativeCheckInputs = [ final.git ];
-        src = final.lib.fileset.toSource {
-          root = ./.;
-          fileset = final.lib.fileset.unions [
-            ./cmd
-            ./internal
-            ./go.mod
-            ./go.sum
-            ./main.go
-          ];
-        };
-        vendorHash = "sha256-VP8y/iSBIXZFfSmhHsXkp6RxP+2DovX3PbEDtMUMyYE=";
-        ldflags = [
-          "-X github.com/nlewo/comin/cmd.version=${version}"
-        ];
-        buildInputs = [ final.makeWrapper ];
-        postInstall = ''
-          # This is because Nix needs Git at runtime by the go-git library
-          wrapProgram $out/bin/comin --set GIT_CONFIG_SYSTEM ${gitConfigFile} --prefix PATH : ${final.git}/bin
-        '';
-      };
+    overlays.default = final: prev: {
+      comin = final.callPackage ./nix/package.nix { };
     };
 
     packages = forAllSystems (system: {
-      default = nixpkgsFor."${system}".comin;
+      comin = nixpkgsFor."${system}".callPackage ./nix/package.nix { };
+      default = self.packages."${system}".comin;
       generate-module-options = optionsDocFor."${system}".optionsDocCommonMarkGenerator;
     });
     checks = forAllSystems (system: {
       module-options-doc = optionsDocFor."${system}".checkOptionsDocCommonMark;
       # I don't understand why nix flake check does't build packages.default
-      package = nixpkgsFor."${system}".comin;
+      package = self.packages."${system}".comin;
     });
 
-    nixosModules.comin = import ./nix/module.nix self.overlays.default;
+    nixosModules.comin = nixpkgs.lib.modules.importApply ./nix/module.nix { inherit self; };
     devShells.x86_64-linux.default = let
       pkgs = nixpkgs.legacyPackages.x86_64-linux;
     in pkgs.mkShell {

diff --git a/nix/module-options.nix b/nix/module-options.nix
@@ -8,6 +8,9 @@
           Whether to run the comin service.
         '';
       };
+      package = lib.mkPackageOption pkgs "comin" { nullable = true; } // {
+        defaultText = "pkgs.comin or comin.packages.\${system}.default or null";
+      };
       hostname = mkOption {
         type = str;
         default = config.networking.hostName;
@@ -47,7 +50,7 @@
             openFirewall = mkOption {
               type = types.bool;
               default = false;
-              description = lib.mdDoc ''
+              description = ''
                 Open port in firewall for incoming connections to the Prometheus exporter.
               '';
             };

diff --git a/nix/module.nix b/nix/module.nix
@@ -1,4 +1,4 @@
-overlay: { config, pkgs, lib, ... }:
+self: { config, pkgs, lib, ... }:
 let
   cfg = config;
   yaml = pkgs.formats.yaml { };
@@ -13,12 +13,22 @@ let
     };
   };
   cominConfigYaml = yaml.generate "comin.yaml" cominConfig;
+
+  inherit (pkgs.stdenv.hostPlatform) system;
+  inherit (cfg.services.comin) package;
 in {
   imports = [ ./module-options.nix ];
   config = lib.mkIf cfg.services.comin.enable {
-    nixpkgs.overlays = [ overlay ];
-    environment.systemPackages = [ pkgs.comin ];
+    assertions = [
+      { assertion = package != null; message = "`services.comin.package` cannot be null."; }
+      # If the package is null and our `system` isn't supported by the Flake, it's probably safe to show this error message
+      { assertion = package == null -> lib.elem system (lib.attrNames self.packages); message = "comin: ${system} is not supported by the Flake."; }
+    ];
+
+    environment.systemPackages = [ package ];
     networking.firewall.allowedTCPPorts = lib.optional cfg.services.comin.exporter.openFirewall cfg.services.comin.exporter.port;
+    # Use package from overlay first, then Flake package if available
+    services.comin.package = lib.mkDefault pkgs.comin or self.packages.${system}.comin or null;
     systemd.services.comin = {
       wantedBy = [ "multi-user.target" ];
       path = [ config.nix.package ];
@@ -27,7 +37,7 @@ in {
       restartIfChanged = false;
       serviceConfig = {
         ExecStart =
-          "${pkgs.comin}/bin/comin "
+          (lib.getExe package)
           + (lib.optionalString cfg.services.comin.debug "--debug ")
           + " run "
           + "--config ${cominConfigYaml}";

diff --git a/nix/package.nix b/nix/package.nix
@@ -0,0 +1,52 @@
+{
+  lib,
+  buildGoModule,
+  git,
+  makeWrapper,
+  writeTextFile,
+}:
+
+let
+  # - safe.directory: this is to allow comin to fetch local repositories belonging
+  #   to other users. Otherwise, comin fails with:
+  #   Pull from remote 'local' failed: unknown error: fatal: detected dubious ownership in repository
+  # - core.hooksPath: to avoid Git executing hooks from a repository belonging to another user
+  gitConfigFile = writeTextFile {
+    name = "git.config";
+    text = ''
+      [safe]
+         directory = *
+      [core]
+         hooksPath = /dev/null
+    '';
+  };
+in
+
+buildGoModule rec {
+  pname = "comin";
+  version = "0.6.0";
+  nativeCheckInputs = [ git ];
+  src = lib.fileset.toSource {
+    root = ../.;
+    fileset = lib.fileset.unions [
+      ../cmd
+      ../internal
+      ../go.mod
+      ../go.sum
+      ../main.go
+    ];
+  };
+  vendorHash = "sha256-VP8y/iSBIXZFfSmhHsXkp6RxP+2DovX3PbEDtMUMyYE=";
+  ldflags = [
+    "-X github.com/nlewo/comin/cmd.version=${version}"
+  ];
+  buildInputs = [ makeWrapper ];
+  postInstall = ''
+    # This is because Nix needs Git at runtime by the go-git library
+    wrapProgram $out/bin/comin --set GIT_CONFIG_SYSTEM ${gitConfigFile} --prefix PATH : ${git}/bin
+  '';
+
+  meta = {
+    mainProgram = "comin";
+  };
+}