nix: clean up flake outputs
All checks were successful
Test / Create distribution (push) Successful in 25s
Test / Fpkg (push) Successful in 32s
Test / Fortify (push) Successful in 2m0s
Test / Data race detector (push) Successful in 2m32s
Test / Flake checks (push) Successful in 48s

Signed-off-by: Ophestra <cat@gensokyo.uk>
Ophestra 2025-03-17 09:49:18 +09:00
parent 24618ab9a1
commit 3385538142
Signed by: cat
SSH Key Fingerprint: SHA256:gQ67O0enBZ7UdZypgtspB2FDM1g3GVw8nX0XSdcFw8Q
5 changed files with 55 additions and 94 deletions

100
flake.nix

@ -27,7 +27,7 @@
nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; }); nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; });
in in
{ {
nixosModules.fortify = import ./nixos.nix; nixosModules.fortify = import ./nixos.nix self.packages;
buildPackage = forAllSystems ( buildPackage = forAllSystems (
system: system:
@ -105,9 +105,21 @@
default = fortify; default = fortify;
fortify = pkgs.pkgsStatic.callPackage ./package.nix { fortify = pkgs.pkgsStatic.callPackage ./package.nix {
inherit (pkgs) inherit (pkgs)
# passthru.buildInputs
go
gcc
# nativeBuildInputs
pkg-config
wayland-scanner
makeBinaryWrapper
# appPackages
glibc
bubblewrap bubblewrap
xdg-dbus-proxy xdg-dbus-proxy
glibc
# fpkg
zstd zstd
gnutar gnutar
coreutils coreutils
@ -115,7 +127,7 @@
}; };
fsu = pkgs.callPackage ./cmd/fsu/package.nix { inherit (self.packages.${system}) fortify; }; fsu = pkgs.callPackage ./cmd/fsu/package.nix { inherit (self.packages.${system}) fortify; };
dist = pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; } '' dist = pkgs.runCommand "${fortify.name}-dist" { buildInputs = fortify.targetPkgs ++ [ pkgs.pkgsStatic.musl ]; } ''
# go requires XDG_CACHE_HOME for the build cache # go requires XDG_CACHE_HOME for the build cache
export XDG_CACHE_HOME="$(mktemp -d)" export XDG_CACHE_HOME="$(mktemp -d)"
@ -128,93 +140,21 @@
export FORTIFY_VERSION="v${fortify.version}" export FORTIFY_VERSION="v${fortify.version}"
./dist/release.sh && mkdir $out && cp -v "dist/fortify-$FORTIFY_VERSION.tar.gz"* $out ./dist/release.sh && mkdir $out && cp -v "dist/fortify-$FORTIFY_VERSION.tar.gz"* $out
''; '';
fhs = pkgs.buildFHSEnv {
pname = "fortify-fhs";
inherit (fortify) version;
targetPkgs =
pkgs:
with pkgs;
[
go
gcc
pkg-config
wayland-scanner
]
++ (
with pkgs.pkgsStatic;
[
musl
libffi
libseccomp
acl
wayland
wayland-protocols
]
++ (with xorg; [
libxcb
libXau
libXdmcp
xorgproto
])
);
extraOutputsToInstall = [ "dev" ];
profile = ''
export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
'';
};
} }
); );
devShells = forAllSystems ( devShells = forAllSystems (
system: system:
let let
inherit (self.packages.${system}) fortify fhs; inherit (self.packages.${system}) fortify;
pkgs = nixpkgsFor.${system}; pkgs = nixpkgsFor.${system};
in in
{ {
default = pkgs.mkShell { default = pkgs.mkShell { buildInputs = fortify.targetPkgs; };
buildInputs = withPackage = pkgs.mkShell { buildInputs = [ fortify ] ++ fortify.targetPkgs; };
with pkgs;
[
go
gcc
]
# buildInputs
++ (
with pkgsStatic;
[
musl
libffi
libseccomp
acl
wayland
wayland-protocols
]
++ (with xorg; [
libxcb
libXau
libXdmcp
])
)
# nativeBuildInputs
++ [
pkg-config
wayland-scanner
makeBinaryWrapper
];
};
fhs = fhs.env;
withPackage = nixpkgsFor.${system}.mkShell {
buildInputs = [ self.packages.${system}.fortify ] ++ self.devShells.${system}.default.buildInputs;
};
generateDoc = generateDoc =
let let
pkgs = nixpkgsFor.${system};
inherit (pkgs) lib; inherit (pkgs) lib;
doc = doc =
@ -223,7 +163,7 @@
specialArgs = { specialArgs = {
inherit pkgs; inherit pkgs;
}; };
modules = [ ./options.nix ]; modules = [ (import ./options.nix self.packages) ];
}; };
cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval; cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
in in
@ -233,7 +173,7 @@
sed -i '/*Declared by:*/,+1 d' $out sed -i '/*Declared by:*/,+1 d' $out
''; '';
in in
nixpkgsFor.${system}.mkShell { pkgs.mkShell {
shellHook = '' shellHook = ''
exec cat ${docText} > options.md exec cat ${docText} > options.md
''; '';
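Review bot: `devShells.default` now takes its inputs from `fortify.targetPkgs` alone, while the `dist` derivation in the same file appends `pkgs.pkgsStatic.musl` by hand, and the removed shell list carried `musl` explicitly. Unless `buildInputs` in package.nix already contains it (not visible on this page), the `default` and `withPackage` shells lose musl, and so does the `buildFHSEnv` in the test file, which uses `targetPkgs = _: fortify.targetPkgs;`. Either add musl to `passthru.targetPkgs` so every consumer agrees, or write `default = pkgs.mkShell { buildInputs = fortify.targetPkgs ++ [ pkgs.pkgsStatic.musl ]; };`.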


@ -1,3 +1,4 @@
packages:
{ {
lib, lib,
pkgs, pkgs,
@ -26,7 +27,7 @@ let
in in
{ {
imports = [ ./options.nix ]; imports = [ (import ./options.nix packages) ];
config = mkIf cfg.enable { config = mkIf cfg.enable {
security.wrappers.fsu = { security.wrappers.fsu = {
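Review bot: The new leading `packages:` argument on this module file is undocumented, and a consumer who still writes `imports = [ ./nixos.nix ]` without applying it would hand the module system a curried function and most likely get an opaque evaluation error. A header comment such as `# packages: the flake's per-system package set (self.packages), applied in flake.nix before import` would make the contract visible. Because this module configures `security.wrappers.fsu`, the comment should also say that the set passed here presumably decides which binary is wrapped by default. The `config` block continues outside the hunk.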


@ -1,17 +1,8 @@
packages:
{ lib, pkgs, ... }: { lib, pkgs, ... }:
let let
inherit (lib) types mkOption mkEnableOption; inherit (lib) types mkOption mkEnableOption;
fortify = pkgs.pkgsStatic.callPackage ./package.nix {
inherit (pkgs)
bubblewrap
xdg-dbus-proxy
glibc
zstd
gnutar
coreutils
;
};
in in
{ {
@ -21,13 +12,13 @@ in
package = mkOption { package = mkOption {
type = types.package; type = types.package;
default = fortify; default = packages.${pkgs.system}.fortify;
description = "The fortify package to use."; description = "The fortify package to use.";
}; };
fsuPackage = mkOption { fsuPackage = mkOption {
type = types.package; type = types.package;
default = pkgs.callPackage ./cmd/fsu/package.nix { inherit fortify; }; default = packages.${pkgs.system}.fsu;
description = "The fsu package to use."; description = "The fsu package to use.";
}; };
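Review bot: The new defaults `packages.${pkgs.system}.fortify` and `packages.${pkgs.system}.fsu` are built from the flake's own pinned nixpkgs rather than the host's `pkgs`, so host overlays or patched versions of bubblewrap and xdg-dbus-proxy no longer reach the default build. Picking up fixes for those tools then depends on the flake's lock being updated. The option text should say so, e.g. `description = "The fortify package to use. Defaults to the flake's own build against its pinned nixpkgs.";`. Separately, the lookup raises a missing-attribute error on any system outside `forAllSystems`. Indexing with `pkgs.stdenv.hostPlatform.system` would also avoid depending on the top-level `pkgs.system` name.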


@ -19,6 +19,10 @@
gnutar, gnutar,
coreutils, coreutils,
# for passthru.buildInputs
go,
gcc,
glibc, # for ldd glibc, # for ldd
withStatic ? stdenv.hostPlatform.isStatic, withStatic ? stdenv.hostPlatform.isStatic,
}: }:
@ -108,4 +112,13 @@ buildGoModule rec {
) )
} }
''; '';
passthru.targetPkgs =
[
go
gcc
xorg.xorgproto
]
++ buildInputs
++ nativeBuildInputs;
} }
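Review bot: The comment added above the new `go` and `gcc` arguments reads `# for passthru.buildInputs`, but the attribute added at the bottom of this file is `passthru.targetPkgs`. The same stale name appears in the `# passthru.buildInputs` comment in the flake.nix section. Rename both to `# for passthru.targetPkgs`, and consider a one-line comment on the attribute itself such as `# toolchain plus build inputs, reused by the dev shells, dist and the FHS test environment`. The `buildGoModule rec { … }` body starts outside the hunk.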


@ -1,6 +1,7 @@
{ {
lib, lib,
nixosTest, nixosTest,
buildFHSEnv,
writeShellScriptBin, writeShellScriptBin,
system, system,
@ -12,6 +13,21 @@ nixosTest {
name = "fortify" + (if withRace then "-race" else ""); name = "fortify" + (if withRace then "-race" else "");
nodes.machine = nodes.machine =
{ options, pkgs, ... }: { options, pkgs, ... }:
let
fhs =
let
fortify = options.environment.fortify.package.default;
in
buildFHSEnv {
pname = "fortify-fhs";
inherit (fortify) version;
targetPkgs = _: fortify.targetPkgs;
extraOutputsToInstall = [ "dev" ];
profile = ''
export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
'';
};
in
{ {
environment.systemPackages = [ environment.systemPackages = [
# For go tests: # For go tests:
@ -21,7 +37,7 @@ nixosTest {
cp -r "${self.packages.${system}.fortify.src}" "$WORK" cp -r "${self.packages.${system}.fortify.src}" "$WORK"
chmod -R +w "$WORK" chmod -R +w "$WORK"
cd "$WORK" cd "$WORK"
${self.packages.${system}.fhs}/bin/fortify-fhs -c \ ${fhs}/bin/fortify-fhs -c \
'go generate ./... && go test ${if withRace then "-race" else "-count 16"} ./... && touch /tmp/go-test-ok' 'go generate ./... && go test ${if withRace then "-race" else "-count 16"} ./... && touch /tmp/go-test-ok'
'') '')
]; ];
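Review bot: The FHS environment is derived from `options.environment.fortify.package.default`, while the source tree copied a few lines below still comes from `self.packages.${system}.fortify.src`. The toolchain and the sources under test therefore match only because the option default happens to equal the flake package. Reading the declared default also ignores any value the test node might set for `environment.fortify.package`. Using one reference for both, e.g. `fortify = self.packages.${system}.fortify;` in the `let`, keeps them from drifting apart.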