use lib.makeScope and files to organize packages

Some of the improvements here include:

* rocksdb can actually use jemalloc now instead of just pulling in a
  second rocksdb for no reason
* "complement-runtime" factored back out into shell file
* complement image no longer uses `mkDerivation` for `copyToRoot`
  because that's what `buildEnv` is for
* complement image no longer sets `SERVER_NAME`, complement already does
  that
* all packages were factored out into `callPackage`-able files for use
  with a custom `lib.makeScope pkgs.newScope`
* new version of `mkPackage` has options that are easier to use and
  override such as `features`

nix/pkgs/complement/config.toml

@@ -0,0 +1,19 @@
+[global]
+address = "0.0.0.0"
+allow_device_name_federation = true
+allow_guest_registration = true
+allow_public_room_directory_over_federation = true
+allow_public_room_directory_without_auth = true
+allow_registration = true
+allow_unstable_room_versions = true
+database_backend = "rocksdb"
+database_path = "/database"
+log = "trace"
+port = [8008, 8448]
+trusted_servers = []
+yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse = true
+
+[global.tls]
+certs = "/certificate.crt"
+dual_protocol = true
+key = "/private_key.key"

nix/pkgs/complement/default.nix

@@ -0,0 +1,92 @@
+# Dependencies
+{ bashInteractive
+, buildEnv
+, coreutils
+, dockerTools
+, gawk
+, lib
+, main
+, openssl
+, stdenv
+, tini
+, writeShellScriptBin
+}:
+
+let
+  main' = main.override {
+    profile = "dev";
+    features = ["axum_dual_protocol"];
+  };
+
+  start = writeShellScriptBin "start" ''
+    set -euxo pipefail
+
+    ${lib.getExe openssl} genrsa -out private_key.key 2048
+    ${lib.getExe openssl} req \
+      -new \
+      -sha256 \
+      -key private_key.key \
+      -subj "/C=US/ST=CA/O=MyOrg, Inc./CN=$SERVER_NAME" \
+      -out signing_request.csr
+    cp ${./v3.ext} v3.ext
+    echo "DNS.1 = $SERVER_NAME" >> v3.ext
+    echo "IP.1 = $(${lib.getExe gawk} 'END{print $1}' /etc/hosts)" \
+      >> v3.ext
+    ${lib.getExe openssl} x509 \
+      -req \
+      -extfile v3.ext \
+      -in signing_request.csr \
+      -CA /complement/ca/ca.crt \
+      -CAkey /complement/ca/ca.key \
+      -CAcreateserial \
+      -out certificate.crt \
+      -days 1 \
+      -sha256
+
+    ${lib.getExe' coreutils "env"} \
+      CONDUIT_SERVER_NAME="$SERVER_NAME" \
+      CONDUIT_WELL_KNOWN_SERVER="$SERVER_NAME:8448" \
+      CONDUIT_WELL_KNOWN_SERVER="$SERVER_NAME:8008" \
+      ${lib.getExe main'}
+  '';
+in
+
+dockerTools.buildImage {
+  name = "complement-${main.pname}";
+  tag = "dev";
+
+  copyToRoot = buildEnv {
+    name = "root";
+    pathsToLink = [
+      "/bin"
+    ];
+    paths = [
+      bashInteractive
+      coreutils
+      main'
+      start
+    ];
+  };
+
+  config = {
+    Cmd = [
+      "${lib.getExe start}"
+    ];
+
+    Entrypoint = if !stdenv.isDarwin
+      # Use the `tini` init system so that signals (e.g. ctrl+c/SIGINT)
+      # are handled as expected
+      then [ "${lib.getExe' tini "tini"}" "--" ]
+      else [];
+
+    Env = [
+      "SSL_CERT_FILE=/complement/ca/ca.crt"
+      "CONDUIT_CONFIG=${./config.toml}"
+    ];
+
+    ExposedPorts = {
+      "8008/tcp" = {};
+      "8448/tcp" = {};
+    };
+  };
+}

nix/pkgs/complement/v3.ext

@@ -0,0 +1,6 @@
+authorityKeyIdentifier=keyid,issuer
+basicConstraints=CA:FALSE
+keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
+subjectAltName = @alt_names
+
+[alt_names]