From 241e2080f274ea59d093573dd452da27e0edc1b7 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Thu, 22 Jun 2023 11:01:41 +0800
Subject: [PATCH] config: make configurable nixpkgs channel for images

Now we can finally easily declare the nixpkgs channel for individual images. This is nice once I've expanded the images for other purposes such as physical hosts (for homelabbing). Unfortunately, this is where I realized that stable channels are not exactly "Debian-stable" and the best way to handle security is to have an update cadence that is relatively quick.
---
flake.lock | 70 +++++++++++++++++++++++++++++++++++++-------------
flake.nix | 8 +++++-
images.toml | 1 +
lib/images.nix | 4 +--
4 files changed, 62 insertions(+), 21 deletions(-)

diff --git a/flake.lock b/flake.lock
index 8ccfecd2..b4cecb87 100644
--- a/flake.lock
+++ b/flake.lock
@@ -687,6 +687,54 @@ "type": "github" } }, + "nixos-stable": { + "locked": { + "lastModified": 1687288566, + "narHash": "sha256-VckkiJ88Gzdc2cstm0z5eFcrHbvkm4VjxavHBGssvZI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "b6c73c5fe53bb3afbf65e870541e0645e9145171", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixos-unstable": { + "locked": { + "lastModified": 1686960236, + "narHash": "sha256-AYCC9rXNLpUWzD9hm+askOfpliLEC9kwAo7ITJc4HIw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "04af42f3b31dba0ef742d254456dc4c14eedac86", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixos-unstable-small": { + "locked": { + "lastModified": 1687369486, + "narHash": "sha256-BFXrDo7yuLamfbi53voC2TrHHTKEr/LJ0P+qSP51xkg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8b0f22dc5155e8a6d329520c27751dfb0f821d63", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1665763903, @@ -771,22 +819,6 @@ } }, "nixpkgs-stable_2": { - "locked": { - "lastModified": 1686921029, - "narHash": "sha256-J1bX9plPCFhTSh6E3TWn9XSxggBh/zDD4xigyaIQBy8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "c7ff1b9b95620ce8728c0d7bd501c458e6da9e04", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-23.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs-stable_3": { "locked": { "lastModified": 1687031877, "narHash": "sha256-yMFcVeI+kZ6KD2QBrFPNsvBrLq2Gt//D0baHByMrjFY=", 
@@ -933,8 +965,10 @@ "nix-colors": "nix-colors", "nix-ld": "nix-ld", "nixos-generators": "nixos-generators", + "nixos-stable": "nixos-stable", + "nixos-unstable": "nixos-unstable", + "nixos-unstable-small": "nixos-unstable-small", "nixpkgs": "nixpkgs_4", - "nixpkgs-stable": "nixpkgs-stable_2", "nur": "nur", "rust-overlay": "rust-overlay_2", "sops-nix": "sops-nix" @@ -988,7 +1022,7 @@ "nixpkgs": [ "nixpkgs" ], - "nixpkgs-stable": "nixpkgs-stable_3" + "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { "lastModified": 1687058111, diff --git a/flake.nix b/flake.nix index bc3e6746..58c57487 100644 --- a/flake.nix +++ b/flake.nix @@ -13,7 +13,12 @@ # `nixpkgs-unstable` branch could be faster delivering updates, it is # looser when it comes to stability for the entirety of this configuration. nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.05"; + + # Here are the nixpkgs variants used for creating the system configuration + # in `mkHost`. + nixos-stable.url = "github:NixOS/nixpkgs/nixos-23.05"; + nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; + nixos-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; # We're using these libraries for other functions. flake-utils.url = "github:numtide/flake-utils"; @@ -297,6 +302,7 @@ mkHost { inherit extraModules extraArgs; system = metadata.system or defaultSystem; + nixpkgs-channel = metadata.nixpkgs-channel or "nixpkgs"; }) images; diff --git a/images.toml b/images.toml index 6498b4d7..5e54a71f 100644 --- a/images.toml +++ b/images.toml @@ -25,6 +25,7 @@ format = "vm" [bootstrap] system = "x86_64-linux" format = "install-iso" +nixpkgs-channel = "nixos-unstable-small" [graphical-installer] system = "x86_64-linux" diff --git a/lib/images.nix b/lib/images.nix index a6140539..d2958a9c 100644 --- a/lib/images.nix +++ b/lib/images.nix 
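Review bot: The new `nixos-unstable` input in the first flake.nix hunk tracks the same `nixos-unstable` branch as the existing `nixpkgs` input but gets its own entry in flake.lock, so the two can sit at different revisions and have to be refreshed separately. If they are meant to be the same tree, `nixos-unstable.follows = "nixpkgs";` keeps a single pin. Because every variant is pinned in the lock file, the comment above the new inputs could also say so, e.g. `# Each variant is pinned in flake.lock; images only pick up fixes once the lock is updated.`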
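Review bot: The `nixpkgs-channel` value passed to `mkHost` in the second flake.nix hunk comes straight from images.toml and is then used as an attribute name on `inputs` (the `mkHost` hunk in lib/images.nix), so any flake input name is accepted rather than only the nixpkgs variants, and a typo surfaces as a missing-attribute error far from its cause. Validating it inside `mkHost` would make the accepted set explicit, for example `assert lib.assertOneOf "nixpkgs-channel" nixpkgs-channel [ "nixpkgs" "nixos-stable" "nixos-unstable" "nixos-unstable-small" ];`. The default `"nixpkgs"` is also written both here and in `mkHost`'s signature; keeping it in one place avoids the two drifting apart. The enclosing expression starts and ends outside the hunk.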
@@ -7,8 +7,8 @@ let in { # A wrapper around the NixOS configuration function. - mkHost = { system, extraModules ? [ ], extraArgs ? { } }: - (lib.makeOverridable inputs.nixpkgs.lib.nixosSystem) { + mkHost = { system, extraModules ? [ ], extraArgs ? { }, nixpkgs-channel ? "nixpkgs" }: + (lib.makeOverridable inputs."${nixpkgs-channel}".lib.nixosSystem) { # The system of the NixOS system. inherit system lib; specialArgs = extraArgs;
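Review bot: The context line `inherit system lib;` still hands the file-level `lib` to `nixosSystem`, which presumably takes precedence over the `lib` of the selected channel. If that `lib` is built from the default `nixpkgs` input, a `nixos-stable` host would be evaluated with library functions from a different nixpkgs revision than its modules. It is worth confirming this is intended and recording it in the wrapper comment, e.g. `# NOTE: lib comes from the default nixpkgs input, not from nixpkgs-channel.` Where `lib` is defined is outside the hunk, and `mkHost`'s body continues past it.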