From 8bf162820b291cc3889fd05f4ba7cd4fcbc1d15d Mon Sep 17 00:00:00 2001 From: Ophestra Date: Sun, 23 Feb 2025 18:13:06 +0900 Subject: [PATCH] nix: separate fsu from package This appears to be the only way to build them with different configuration. This enables static linking in the main package. Signed-off-by: Ophestra --- cmd/fsu/package.nix | 19 +++++++++++++ flake.nix | 9 +++++- nixos.nix | 2 +- options.nix | 11 ++++++- package.nix | 29 +++++++++++++------ tests/fortify/default.nix | 60 ++++++++++++++++++--------------------- 6 files changed, 87 insertions(+), 43 deletions(-) create mode 100644 cmd/fsu/package.nix diff --git a/cmd/fsu/package.nix b/cmd/fsu/package.nix new file mode 100644 index 0000000..e7a7a1e --- /dev/null +++ b/cmd/fsu/package.nix @@ -0,0 +1,19 @@ +{ + buildGoModule, + fortify ? abort "fortify package required", +}: + +buildGoModule { + pname = "${fortify.pname}-fsu"; + inherit (fortify) version; + + src = ./.; + inherit (fortify) vendorHash; + CGO_ENABLED = 0; + + preBuild = '' + go mod init fsu >& /dev/null + ''; + + ldflags = [ "-X main.Fmain=${fortify}/libexec/fortify" ]; +} diff --git a/flake.nix b/flake.nix index c87f004..ac37474 100644 --- a/flake.nix +++ b/flake.nix @@ -87,6 +87,10 @@ ''; fortify = callPackage ./tests/fortify { inherit system self; }; + race = callPackage ./tests/fortify { + inherit system self; + withRace = true; + }; } ); @@ -98,7 +102,10 @@ in { default = self.packages.${system}.fortify; - fortify = pkgs.callPackage ./package.nix { }; + fortify = pkgs.pkgsStatic.callPackage ./package.nix { + inherit (pkgs) bubblewrap xdg-dbus-proxy glibc; + }; + fsu = pkgs.callPackage ./cmd/fsu/package.nix { inherit (self.packages.${system}) fortify; }; dist = pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; } diff --git a/nixos.nix b/nixos.nix index 103ff6e..e41648a 100644 --- a/nixos.nix +++ b/nixos.nix 
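Review bot: The `preBuild` hook in cmd/fsu/package.nix hides both streams of `go mod init fsu` with `>& /dev/null`, so any failure other than a pre-existing go.mod is swallowed and the build carries on with whatever module state is in the tree; dropping the redirect, or at most `go mod init fsu >/dev/null`, keeps the error visible at no cost. The file also deserves a header comment, because nixos.nix installs its output as a setuid-root wrapper and the only thing fixing which privileged-side binary it will run is the store path baked in by `ldflags = [ "-X main.Fmain=${fortify}/libexec/fortify" ]`: something like `# fsu is installed setuid root (see nixos.nix). It is a pure-Go static binary (CGO_ENABLED=0) that hard-wires the store path of the fortify build it is paired with, so it must always be built against the package that provides libexec/fortify.` Presumably `CGO_ENABLED = 0` is also what makes the old test-only `sed` patching of the store path unnecessary, but that intent is only recoverable from the removed test code.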
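Review bot: The new `fortify = pkgs.pkgsStatic.callPackage ./package.nix { inherit (pkgs) bubblewrap xdg-dbus-proxy glibc; }` in flake.nix mixes a static build with three inputs deliberately taken from the dynamic package set, and nothing says why; a reader will assume it is a mistake and "fix" it. A one-line comment above it would settle that, e.g. `# main binary is static; bubblewrap/xdg-dbus-proxy are spawned as separate processes and glibc is only needed for its ldd, so those come from the dynamic set` (I am inferring the reason from the `# for ldd` comment in package.nix, so adjust the wording if the motive differs). The identical expression is duplicated verbatim in options.nix, so if one copy is later changed the flake output and the module default will silently diverge; worth a cross-reference comment in both places at minimum.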
@@ -30,7 +30,7 @@ in config = mkIf cfg.enable { security.wrappers.fsu = { - source = "${cfg.package}/libexec/fsu"; + source = "${cfg.fsuPackage}/bin/fsu"; setuid = true; owner = "root"; setgid = true; diff --git a/options.nix b/options.nix index 4da0f34..5bea338 100644 --- a/options.nix +++ b/options.nix @@ -2,6 +2,9 @@ let inherit (lib) types mkOption mkEnableOption; + fortify = pkgs.pkgsStatic.callPackage ./package.nix { + inherit (pkgs) bubblewrap xdg-dbus-proxy glibc; + }; in { @@ -11,10 +14,16 @@ in package = mkOption { type = types.package; - default = pkgs.callPackage ./package.nix { }; + default = fortify; description = "The fortify package to use."; }; + fsuPackage = mkOption { + type = types.package; + default = pkgs.callPackage ./cmd/fsu/package.nix { inherit fortify; }; + description = "The fsu package to use."; + }; + users = mkOption { type = let diff --git a/package.nix b/package.nix index 697203b..90624f9 100644 --- a/package.nix +++ b/package.nix @@ -1,5 +1,6 @@ { lib, + stdenv, buildGoModule, makeBinaryWrapper, xdg-dbus-proxy, @@ -12,6 +13,9 @@ wayland-protocols, wayland-scanner, xorg, + + glibc, # for ldd + withStatic ? stdenv.hostPlatform.isStatic, }: buildGoModule rec { @@ -19,9 +23,12 @@ buildGoModule rec { version = "0.2.17"; src = builtins.path { - name = "fortify-src"; + name = "${pname}-src"; path = lib.cleanSource ./.; - filter = path: type: !(type != "directory" && lib.hasSuffix ".nix" path); + filter = + path: type: + !(type == "regular" && lib.hasSuffix ".nix" path) + && !(type == "directory" && lib.hasSuffix "/cmd/fsu" path); }; vendorHash = null; 
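Review bot: The default for `fsuPackage` in options.nix is built against the module-local `fortify` binding rather than whatever `environment.fortify.package` resolves to, so a user who overrides `package` alone ends up with a setuid-root fsu whose compiled-in `Fmain` still points at the stock build — the privileged helper and the binary it execs silently disagree. If `config` is among the module's arguments (the argument list is outside this hunk) the default can follow the option instead: `default = pkgs.callPackage ./cmd/fsu/package.nix { fortify = config.environment.fortify.package; };`. Otherwise the contract belongs in the description: `"The fsu package to use. It must be built against the same build as `package`; overriding `package` alone leaves the setuid fsu executing the default fortify."` The test in tests/fortify/default.nix already has to override both options by hand for exactly this reason.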
@@ -31,17 +38,22 @@ buildGoModule rec { ldflags: name: value: ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ] ) - [ - "-s -w" - "-X main.Fmain=${placeholder "out"}/libexec/fortify" - ] + ( + [ + "-s -w" + ] + ++ lib.optionals withStatic [ + "-linkmode external" + "-extldflags \"-static\"" + ] + ) { Version = "v${version}"; Fsu = "/run/wrappers/bin/fsu"; }; # nix build environment does not allow acls - GO_TEST_SKIP_ACL = 1; + env.GO_TEST_SKIP_ACL = 1; buildInputs = [ @@ -64,7 +76,7 @@ buildGoModule rec { ]; preBuild = '' - HOME=$(mktemp -d) go generate ./... + HOME="$(mktemp -d)" PATH="${pkg-config}/bin:$PATH" go generate ./... ''; postInstall = '' @@ -76,6 +88,7 @@ buildGoModule rec { makeBinaryWrapper "$out/libexec/fortify" "$out/bin/fortify" \ --inherit-argv0 --prefix PATH : ${ lib.makeBinPath [ + glibc bubblewrap xdg-dbus-proxy ] diff --git a/tests/fortify/default.nix b/tests/fortify/default.nix index 4487941..4342567 100644 --- a/tests/fortify/default.nix +++ b/tests/fortify/default.nix 
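Review bot: The `withStatic` branch adds `-linkmode external` and `-extldflags "-static"`, which forces the cgo toolchain and a fully static glibc link, and the reasoning is not recorded anywhere in package.nix. With static glibc, anything that goes through NSS at runtime (user/group lookups, name resolution via `os/user` or `net` under cgo) depends on glibc's dlopen of the NSS modules and can fail or warn at link time; I cannot see from this hunk whether fortify makes such calls, so this is a caveat to confirm rather than a defect. A short comment on the `lib.optionals withStatic` line would capture both the intent and the limit, e.g. `# fully static link (requires cgo external linking); note glibc NSS lookups are unavailable in a static binary`. The ldflags fold and the surrounding `buildGoModule rec { ... }` start outside the hunk.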
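Review bot: Adding `glibc` to `lib.makeBinPath` in the wrapper's `--prefix PATH` puts the whole of glibc's bin directory — `ldconfig`, `getent`, `iconv`, `locale` and friends — ahead of the user's PATH for everything fortify spawns, when the `# for ldd` comment in the argument list says only `ldd` is wanted; handing the binary the exact path `${glibc}/bin/ldd`, or prefixing a directory that contains only that one program, is the narrower fix. More importantly, if the binary really does run `ldd` on executables it is about to sandbox (inferred from the comment, not visible here), glibc's ldd(1) explicitly warns that it must never be used on untrusted executables, because it works by invoking the program's own dynamic loader with `LD_TRACE_LOADED_OBJECTS=1` and a crafted loader runs arbitrary code. A comment at the `glibc` entry should state which binaries ldd is run on and why they are trusted, e.g. `# ldd is used to resolve library dependencies of host programs; these must be trusted — ldd executes the target's own loader`. The `postInstall` script this `makeBinaryWrapper` call belongs to starts outside the hunk.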
@@ -1,44 +1,40 @@ { - system, - self, + lib, nixosTest, writeShellScriptBin, + + system, + self, + withRace ? false, }: nixosTest { - name = "fortify"; - nodes.machine = { - environment.systemPackages = [ - # For go tests: - self.packages.${system}.fhs - (writeShellScriptBin "fortify-src" "echo -n ${self.packages.${system}.fortify.src}") - ]; + name = "fortify" + (if withRace then "-race" else ""); + nodes.machine = + { options, pkgs, ... }: + { + environment.systemPackages = [ + # For go tests: + self.packages.${system}.fhs + (writeShellScriptBin "fortify-src" "echo -n ${self.packages.${system}.fortify.src}") + ]; - # Run with Go race detector: - environment.fortify.package = - let - inherit (self.packages.${system}) fortify; - in - fortify.overrideAttrs (previousAttrs: { - GOFLAGS = previousAttrs.GOFLAGS ++ [ "-race" ]; + # Run with Go race detector: + environment.fortify = lib.mkIf withRace rec { + # race detector does not support static linking + package = (pkgs.callPackage ../../package.nix { }).overrideAttrs (previousAttrs: { + GOFLAGS = previousAttrs.GOFLAGS ++ [ "-race" ]; + }); + fsuPackage = options.environment.fortify.fsuPackage.default.override { fortify = package; }; + }; - # fsu does not like cgo - disallowedReferences = previousAttrs.disallowedReferences ++ [ fortify ]; - postInstall = - previousAttrs.postInstall - + '' - cp -a "${fortify}/libexec/fsu" "$out/libexec/fsu" - sed -i 's:${fortify}:${placeholder "out"}:' "$out/libexec/fsu" - ''; - }); + imports = [ + ./configuration.nix - imports = [ - ./configuration.nix - - self.nixosModules.fortify - self.inputs.home-manager.nixosModules.home-manager - ]; - }; + self.nixosModules.fortify + self.inputs.home-manager.nixosModules.home-manager + ]; + }; # adapted from nixos sway integration tests