nix-shell support and fix shebangs

.envrc

@@ -0,0 +1,9 @@
+# shellcheck disable=all
+
+export DIRENV_WARN_TIMEOUT=20s
+
+eval "$(devenv direnvrc)"
+
+# The use_devenv function supports passing flags to the devenv command
+# For example: use devenv --impure --option services.postgres.enable:bool true
+use devenv

.gitignore

@@ -18,3 +18,16 @@ secrets/*/dev/*
 
 # used in move_stable script
 move_stable_repositories
+
+# Devenv
+.devenv*
+devenv.local.nix
+
+# direnv
+.direnv
+
+# Ansible collections from remote sources
+.ansible
+
+# Python dependencies installed from devenv.sh
+.venv

devenv.lock

@@ -0,0 +1,103 @@
+{
+  "nodes": {
+    "devenv": {
+      "locked": {
+        "dir": "src/modules",
+        "lastModified": 1752456450,
+        "owner": "cachix",
+        "repo": "devenv",
+        "rev": "e2a9d0dd4cf87a1801c6d9e0d7a57bdd6de26ace",
+        "type": "github"
+      },
+      "original": {
+        "dir": "src/modules",
+        "owner": "cachix",
+        "repo": "devenv",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1747046372,
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1750779888,
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1751984180,
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "9807714d6944a957c2e036f84b0ff8caf9930bc0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "devenv": "devenv",
+        "git-hooks": "git-hooks",
+        "nixpkgs": "nixpkgs",
+        "pre-commit-hooks": [
+          "git-hooks"
+        ]
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

devenv.nix

@@ -0,0 +1,30 @@
+{ pkgs, lib, config, inputs, ... }:
+
+{
+  packages = [
+    pkgs.openshift
+
+    pkgs.ansible
+    pkgs.ansible-navigator
+  ];
+
+  languages.python = {
+    enable = true;
+
+    venv = {
+      enable = true;
+      requirements = ''
+        # Needed for k8s ansible module
+        kubernetes
+
+        # Needed for changelog script
+        click
+        GitPython
+        ogr
+
+        # Needed for move-stable script
+        copr
+      '';
+    };
+  };
+}

devenv.yaml

@@ -0,0 +1,5 @@
+inputs:
+  nixpkgs:
+    # [TODO] Ideally swap to the cachix/rolling once Ansible issues are resolved.
+    # url: github:cachix/devenv-nixpkgs/rolling
+    url: github:nixos/nixpkgs/nixos-unstable

docs/deployment/continuous-deployment.md

@@ -31,11 +31,9 @@ It has several significant benefits:
 ## Manual production re-deployment
 
 1. Trigger `:prod` images builds
-
    - Run [scripts/move_stable.py](https://github.com/packit/deployment/blob/main/scripts/move_stable.py) to move `stable` branches to a newer commit.
 
 2. Import images -> re-deploy
-
    - If you don't want to wait for [it to be done automatically](#continuous-deployment), you can
      [do that manually](#manually-import-a-newer-image) once the images are built (check Actions in each repo).
 

docs/deployment/nix.md

@@ -0,0 +1,59 @@
+---
+title: Nix & devenv support
+author: mfocko
+---
+
+# Nix & devenv support
+
+:::tip tl;dr
+
+Ideal for atomic linux distributions and macOS setup.
+
+There's one file (`devenv.nix`) containing everything that's needed to set up an
+environment for the project (`packit/deployment` in this case). All tools and
+deps are kept only for this project, i.e., they don't pollute the host system.
+
+Since Nix and devenv.sh support pinning, it is also possible to acquire
+a reproducible environment.
+
+[`direnv`](https://devenv.sh/automatic-shell-activation/) makes sure the development environment is set up upon entering the repo.
+
+:::
+
+## What is [Nix](https://nixos.org/)?
+
+From the homepage:
+
+> Nix is a tool that takes a unique approach to package management and system
+> configuration. Learn how to make reproducible, declarative and reliable systems.
+
+Basically you have global environment and smaller `nix-shell`s that are usually
+tied to git repos (or any other directory). You aim for as small base environment
+as possible, i.e., you don't want to keep all utilities / dependencies everywhere.
+
+One benefit, in comparison to containers, lies in the fact that the packages are
+defined by hash, name and version which allows them to be stored in a global
+location (usually `/nix`). Including packages in “environments” is done by
+adjusting `$PATH` (and related) variable.
+
+## What is [devenv.sh](https://devenv.sh/)?
+
+Builds on top of the _Nix_ and _nix-shell_ themselves. Is a bit more robust,
+cause it also allows specifying environment variables, defining tasks, services,
+and processes. For example it allows you to automatically spin up `nginx` or
+`postgres` server once you enter the repo.
+
+## Getting started
+
+Feel free to follow the [devenv.sh' “Getting Started”](https://devenv.sh/getting-started/).
+
+1. You need to have _Nix_ set up. (single-user / non-daemon setup is recommended
+   for users with SELinux enabled)
+2. Install the _devenv.sh_ itself.
+3. Have _direnv_ present (since it automatically loads the environment upon
+   entering the directory with _devenv.sh_).
+
+## Caveats
+
+Bitwarden CLI is currently broken on macOS, therefore it's not included in the
+devenv.sh' config.

docs/deployment/resource-requirements.md

@@ -83,14 +83,12 @@ resource requirements.
 1. Request adjustments of the quotas such that we can have some buffer (database
    migrations, higher load on service, etc.), but also could **permanently**
    scale up the workers if we find service to be more reliable that way
-
    - Based on the calculations above, 2× the current quotas on memory would be
      sufficient, but if we were to scale the workers up too (and account for
      possible adjustments, e.g., Redict) we should probably go for 3×
 
 1. Migrate tokman to different toolchain, it's a small self-contained app, so it
    is easy to migrate to either Rust or Go that should leave smaller footprint.
-
    - Opened an issue for testing out running without Tokman deployment
      https://github.com/packit/tokman/issues/72
 

docs/deployment/specifics/packit-service.md

@@ -60,7 +60,6 @@ To make it work, you need to:
 - Since our infrastructure does not support shared volumes, we need to attach
   one volume with a cache to each worker and one to each corresponding sandbox
   pod.
-
   - In the case of workers, this is done during the deployment.
   - For sandboxes, there is an option in the service config (the environment
     variable needs to differ for each worker and is set during startup of the

docs/deployment/specifics/redict.md

@@ -8,7 +8,6 @@ We have tested a seamless migration from Redis to Redict on our production
 deployment. To reproduce:
 
 1. We have deployed Redict to our production cluster.
-
    - Defaults have been changed to:
 
      ```yaml
@@ -34,7 +33,6 @@ deployment. To reproduce:
 
 3. After the data exchange is done, change **all** references in variables to
    redis to point to the new hostname, in this case `redis → redict`.
-
    - Run
 
      ```

scripts/download_secrets.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/bin/bash
 
 set -eu
 

scripts/render_secrets_from_templates.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/bin/bash
 
 # Mimic what we do during deployment when we render secret files
 # from their templates before we create k8s secrets from them.

scripts/update_bw_secret.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/bin/bash
 
 # Script to update the attachment of a secret item in Bitwarden
 #

scripts/update_oc_secret.sh

@@ -1,4 +1,4 @@
-#!/usr/bin/bash
+#!/bin/bash
 
 # This quick script updates a data field of an OpenShift secret with the
 # content of a file.