From b60c01f4405ec3b5cc4a740fe994c3b9f39cf01f Mon Sep 17 00:00:00 2001
From: Ophestra <cat@gensokyo.uk>
Date: Thu, 16 Jan 2025 17:32:52 +0900
Subject: [PATCH] fortify: switch to static linking

Signed-off-by: Ophestra <cat@gensokyo.uk>
---
 .gitea/workflows/{nix.yml => build.yml} |  26 ++--
 .gitea/workflows/release.yml            |  53 ++++----
 .gitea/workflows/test.yml               |  68 ++++------
 acl/c.go                                |   2 +-
 dist/release.sh                         |   3 +-
 flake.nix                               | 158 +++++++++++++++---------
 package.nix                             |  45 ++++---
 test.nix                                |   2 +-
 wl/c.go                                 |   3 +-
 xcb/c.go                                |   2 +-
 10 files changed, 196 insertions(+), 166 deletions(-)
 rename .gitea/workflows/{nix.yml => build.yml} (56%)

diff --git a/.gitea/workflows/nix.yml b/.gitea/workflows/build.yml
similarity index 56%
rename from .gitea/workflows/nix.yml
rename to .gitea/workflows/build.yml
index 36651a5..3b7cfe7 100644
--- a/.gitea/workflows/nix.yml
+++ b/.gitea/workflows/build.yml
@@ -1,12 +1,12 @@
-name: Nix
+name: Build
 
 on:
   - push
   - pull_request
 
 jobs:
-  tests:
-    name: NixOS tests
+  dist:
+    name: Create distribution
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -30,17 +30,21 @@ jobs:
       - name: Restore Nix store
         uses: nix-community/cache-nix-action@v5
         with:
-          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
-          restore-prefixes-first-match: nix-${{ runner.os }}-
+          primary-key: nix-small-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
+          restore-prefixes-first-match: nix-small-${{ runner.os }}-
 
-      - name: Run tests
-        run: |
-          nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems
-          nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests
+      - name: Build for test
+        id: build-test
+        run: >-
+          export FORTIFY_REV="$(git rev-parse --short HEAD)" &&
+          sed -i.old 's/version = /version = "0.0.0-'$FORTIFY_REV'"; # version = /' package.nix &&
+          nix build --print-out-paths --print-build-logs .#dist &&
+          mv package.nix.old package.nix &&
+          echo "rev=$FORTIFY_REV" >> $GITHUB_OUTPUT
 
-      - name: Upload test output
+      - name: Upload test build
         uses: actions/upload-artifact@v3
         with:
-          name: "result"
+          name: "fortify-${{ steps.build-test.outputs.rev }}"
           path: result/*
           retention-days: 1
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 545274d..40827d2 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -1,53 +1,52 @@
-name: Create distribution
+name: Release
 
 on:
   push:
     tags:
-      - '*'
+      - 'v*'
 
 jobs:
   release:
-    name: Release
+    name: Create release
     runs-on: ubuntu-latest
-    container:
-      image: node:16-bookworm-slim
     steps:
-      - name: Get dependencies
-        run: >-
-          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list &&
-          apt-get update &&
-          apt-get install -y
-          acl
-          git
-          gcc
-          pkg-config
-          libwayland-dev
-          wayland-protocols/bookworm-backports
-          libxcb1-dev
-          libacl1-dev
-        if: ${{ runner.os == 'Linux' }}
-
       - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Setup go
         uses: https://github.com/actions/setup-go@v5
         with:
           go-version: '>=1.23.0'
 
-      - name: Go generate
+      - name: Install Nix
+        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          install_options: --daemon
+          extra_nix_config: |
+            sandbox = true
+            system-features = nixos-test benchmark big-parallel kvm
+          enable_kvm: true
+
+      - name: Ensure environment
         run: >-
-          go generate ./...
+          apt-get update && apt-get install -y sqlite3
+        if: ${{ runner.os == 'Linux' }}
+
+      - name: Restore Nix store
+        uses: nix-community/cache-nix-action@v5
+        with:
+          primary-key: nix-small-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
+          restore-prefixes-first-match: nix-small-${{ runner.os }}-
 
       - name: Build for release
-        run: FORTIFY_VERSION='${{ github.ref_name }}' ./dist/release.sh
+        id: build-test
+        run: nix build --print-out-paths --print-build-logs .#dist
 
       - name: Release
         id: use-go-action
         uses: https://gitea.com/actions/release-action@main
         with:
           files: |-
-            dist/fortify-**
+            result/fortify-**
           api_key: '${{secrets.RELEASE_TOKEN}}'
diff --git a/.gitea/workflows/test.yml b/.gitea/workflows/test.yml
index 9add0f4..4d7a871 100644
--- a/.gitea/workflows/test.yml
+++ b/.gitea/workflows/test.yml
@@ -1,62 +1,46 @@
-name: Tests
+name: Test
 
 on:
   - push
   - pull_request
 
 jobs:
-  test:
-    name: Go tests
+  tests:
+    name: Run NixOS test
     runs-on: ubuntu-latest
-    container:
-      image: node:16-bookworm-slim
     steps:
-      - name: Enable backports
-        run: >-
-          echo 'deb http://deb.debian.org/debian bookworm-backports main' >> /etc/apt/sources.list.d/backports.list
-        if: ${{ runner.os == 'Linux' }}
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
+        with:
+          # explicitly enable sandbox
+          install_options: --daemon
+          extra_nix_config: |
+            sandbox = true
+            system-features = nixos-test benchmark big-parallel kvm
+          enable_kvm: true
 
       - name: Ensure environment
         run: >-
-          apt-get update && apt-get install -y curl wget sudo libxml2
+          apt-get update && apt-get install -y sqlite3
         if: ${{ runner.os == 'Linux' }}
 
-      - name: Get dependencies
-        uses: awalsh128/cache-apt-pkgs-action@latest
+      - name: Restore Nix store
+        uses: nix-community/cache-nix-action@v5
         with:
-          packages: acl git gcc pkg-config libwayland-dev wayland-protocols/bookworm-backports libxcb1-dev libacl1-dev
-          version: 1.0
-          #execute_install_scripts: true
-        if: ${{ runner.os == 'Linux' }}
-
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Setup go
-        uses: https://github.com/actions/setup-go@v5
-        with:
-          go-version: '>=1.23.0'
-
-      - name: Go generate
-        run: >-
-          go generate ./...
+          primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix') }}
+          restore-prefixes-first-match: nix-${{ runner.os }}-
 
       - name: Run tests
-        run: >-
-          go test ./...
+        run: |
+          nix --print-build-logs --experimental-features 'nix-command flakes' flake check --all-systems
+          nix build --out-link "result" --print-out-paths --print-build-logs .#checks.x86_64-linux.nixos-tests
 
-      - name: Build for test
-        id: build-test
-        run: >-
-          FORTIFY_VERSION="$(git rev-parse --short HEAD)"
-          bash -c './dist/release.sh &&
-          echo "rev=$FORTIFY_VERSION" >> $GITHUB_OUTPUT'
-
-      - name: Upload test build
+      - name: Upload test output
         uses: actions/upload-artifact@v3
         with:
-          name: "fortify-${{ steps.build-test.outputs.rev }}"
-          path: dist/fortify-*
+          name: "result"
+          path: result/*
           retention-days: 1
diff --git a/acl/c.go b/acl/c.go
index 4bbc549..7609e14 100644
--- a/acl/c.go
+++ b/acl/c.go
@@ -9,7 +9,7 @@ import (
 )
 
 /*
-#cgo linux pkg-config: libacl
+#cgo linux pkg-config: --static libacl
 
 #include <stdlib.h>
 #include <sys/acl.h>
diff --git a/dist/release.sh b/dist/release.sh
index 9d2ca3f..15d7d9f 100755
--- a/dist/release.sh
+++ b/dist/release.sh
@@ -8,7 +8,8 @@ mkdir -p "${out}"
 cp -v "README.md" "dist/fsurc.default" "dist/install.sh" "${out}"
 cp -rv "comp" "${out}"
 
-go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w
+go generate ./...
+go build -trimpath -v -o "${out}/bin/" -ldflags "-s -w -buildid= -extldflags '-static'
   -X git.gensokyo.uk/security/fortify/internal.Version=${VERSION}
   -X git.gensokyo.uk/security/fortify/internal.Fortify=/usr/bin/fortify
   -X git.gensokyo.uk/security/fortify/internal.Fsu=/usr/bin/fsu
diff --git a/flake.nix b/flake.nix
index 7e156a3..0277975 100644
--- a/flake.nix
+++ b/flake.nix
@@ -95,72 +95,114 @@
       packages = forAllSystems (
         system:
         let
+          inherit (self.packages.${system}) fortify;
           pkgs = nixpkgsFor.${system};
         in
         {
           default = self.packages.${system}.fortify;
-
           fortify = pkgs.callPackage ./package.nix { };
+
+          dist =
+            pkgs.runCommand "${fortify.name}-dist" { inherit (self.devShells.${system}.default) buildInputs; }
+              ''
+                # go requires XDG_CACHE_HOME for the build cache
+                export XDG_CACHE_HOME="$(mktemp -d)"
+
+                # get a different workdir as go does not like /build
+                cd $(mktemp -d) && cp -r ${fortify.src}/. . && chmod -R +w .
+
+                export FORTIFY_VERSION="v${fortify.version}"
+                ./dist/release.sh && mkdir $out && cp -v "dist/fortify-$FORTIFY_VERSION.tar.gz"* $out
+              '';
+
+          fhs = pkgs.buildFHSEnv {
+            pname = "fortify-fhs";
+            inherit (fortify) version;
+            targetPkgs =
+              pkgs:
+              with pkgs;
+              [
+                go
+                gcc
+                pkg-config
+                wayland-scanner
+              ]
+              ++ (
+                with pkgs.pkgsStatic;
+                [
+                  musl
+                  libffi
+                  acl
+                  wayland
+                  wayland-protocols
+                ]
+                ++ (with xorg; [
+                  libxcb
+                  libXau
+                  libXdmcp
+
+                  xorgproto
+                ])
+              );
+            extraOutputsToInstall = [ "dev" ];
+            profile = ''
+              export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
+            '';
+          };
         }
       );
 
-      devShells = forAllSystems (system: {
-        default = nixpkgsFor.${system}.mkShell {
-          buildInputs = with nixpkgsFor.${system}; self.packages.${system}.fortify.buildInputs;
-        };
-
-        fhs = nixpkgsFor.${system}.buildFHSEnv {
-          pname = "fortify-fhs";
-          inherit (self.packages.${system}.fortify) version;
-          targetPkgs =
-            pkgs: with pkgs; [
-              go
-              gcc
-              pkg-config
-              acl
-              wayland
-              wayland-scanner
-              wayland-protocols
-              xorg.libxcb
-            ];
-          extraOutputsToInstall = [ "dev" ];
-          profile = ''
-            export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
-          '';
-        };
-
-        withPackage = nixpkgsFor.${system}.mkShell {
-          buildInputs =
-            with nixpkgsFor.${system};
-            self.packages.${system}.fortify.buildInputs ++ [ self.packages.${system}.fortify ];
-        };
-
-        generateDoc =
-          let
-            pkgs = nixpkgsFor.${system};
-            inherit (pkgs) lib;
-
-            doc =
-              let
-                eval = lib.evalModules {
-                  specialArgs = {
-                    inherit pkgs;
-                  };
-                  modules = [ ./options.nix ];
-                };
-                cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
-              in
-              pkgs.nixosOptionsDoc { inherit (cleanEval) options; };
-            docText = pkgs.runCommand "fortify-module-docs.md" { } ''
-              cat ${doc.optionsCommonMark} > $out
-              sed -i '/*Declared by:*/,+1 d' $out
-            '';
-          in
-          nixpkgsFor.${system}.mkShell {
-            shellHook = ''
-              exec cat ${docText} > options.md
-            '';
+      devShells = forAllSystems (
+        system:
+        let
+          inherit (self.packages.${system}) fortify fhs;
+          pkgs = nixpkgsFor.${system};
+        in
+        {
+          default = pkgs.mkShell {
+            buildInputs =
+              with pkgs;
+              [
+                go
+                gcc
+              ]
+              ++ fortify.buildInputs
+              ++ fortify.nativeBuildInputs;
           };
-      });
+
+          fhs = fhs.env;
+
+          withPackage = nixpkgsFor.${system}.mkShell {
+            buildInputs = [ self.packages.${system}.fortify ] ++ self.devShells.${system}.default.buildInputs;
+          };
+
+          generateDoc =
+            let
+              pkgs = nixpkgsFor.${system};
+              inherit (pkgs) lib;
+
+              doc =
+                let
+                  eval = lib.evalModules {
+                    specialArgs = {
+                      inherit pkgs;
+                    };
+                    modules = [ ./options.nix ];
+                  };
+                  cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
+                in
+                pkgs.nixosOptionsDoc { inherit (cleanEval) options; };
+              docText = pkgs.runCommand "fortify-module-docs.md" { } ''
+                cat ${doc.optionsCommonMark} > $out
+                sed -i '/*Declared by:*/,+1 d' $out
+              '';
+            in
+            nixpkgsFor.${system}.mkShell {
+              shellHook = ''
+                exec cat ${docText} > options.md
+              '';
+            };
+        }
+      );
     };
 }
diff --git a/package.nix b/package.nix
index 51e29c6..85a3859 100644
--- a/package.nix
+++ b/package.nix
@@ -1,15 +1,11 @@
 {
   lib,
   buildGoModule,
-  makeBinaryWrapper,
   xdg-dbus-proxy,
   bubblewrap,
+  pkgsStatic,
   pkg-config,
-  acl,
-  wayland,
   wayland-scanner,
-  wayland-protocols,
-  xorg,
 }:
 
 buildGoModule rec {
@@ -27,19 +23,13 @@ buildGoModule rec {
     lib.attrsets.foldlAttrs
       (
         ldflags: name: value:
-        ldflags
-        ++ [
-          "-X"
-          "git.gensokyo.uk/security/fortify/internal.${name}=${value}"
-        ]
+        ldflags ++ [ "-X git.gensokyo.uk/security/fortify/internal.${name}=${value}" ]
       )
       [
-        "-s"
-        "-w"
-        "-X"
-        "main.Fmain=${placeholder "out"}/libexec/fortify"
-        "-X"
-        "main.Fshim=${placeholder "out"}/libexec/fshim"
+        "-s -w"
+        "-extldflags '-static'"
+        "-X main.Fmain=${placeholder "out"}/libexec/fortify"
+        "-X main.Fshim=${placeholder "out"}/libexec/fshim"
       ]
       {
         Version = "v${version}";
@@ -51,17 +41,26 @@ buildGoModule rec {
   # nix build environment does not allow acls
   GO_TEST_SKIP_ACL = 1;
 
-  buildInputs = [
-    acl
-    wayland
-    wayland-protocols
-    xorg.libxcb
-  ];
+  buildInputs =
+    # cannot find a cleaner way to do this
+    with pkgsStatic;
+    [
+      musl
+      libffi
+      acl
+      wayland
+      wayland-protocols
+    ]
+    ++ (with xorg; [
+      libxcb
+      libXau
+      libXdmcp
+    ]);
 
   nativeBuildInputs = [
     pkg-config
     wayland-scanner
-    makeBinaryWrapper
+    pkgsStatic.makeBinaryWrapper
   ];
 
   preConfigure = ''
diff --git a/test.nix b/test.nix
index d25a187..837927a 100644
--- a/test.nix
+++ b/test.nix
@@ -51,7 +51,7 @@ nixosTest {
           mako
 
           # For go tests:
-          self.devShells.${system}.fhs
+          self.packages.${system}.fhs
         ];
 
         variables = {
diff --git a/wl/c.go b/wl/c.go
index 97c641b..b571e06 100644
--- a/wl/c.go
+++ b/wl/c.go
@@ -4,12 +4,13 @@ package wl
 //go:generate sh -c "wayland-scanner private-code `pkg-config --variable=datarootdir wayland-protocols`/wayland-protocols/staging/security-context/security-context-v1.xml security-context-v1-protocol.c"
 
 /*
-#cgo linux pkg-config: wayland-client
+#cgo linux pkg-config: --static wayland-client
 #cgo freebsd openbsd LDFLAGS: -lwayland-client
 
 #include <stdint.h>
 #include <stdlib.h>
 #include <stdio.h>
+#include <string.h>
 
 #include <unistd.h>
 #include <sys/socket.h>
diff --git a/xcb/c.go b/xcb/c.go
index 3138c1d..f2703f9 100644
--- a/xcb/c.go
+++ b/xcb/c.go
@@ -6,7 +6,7 @@ import (
 )
 
 /*
-#cgo linux pkg-config: xcb
+#cgo linux pkg-config: --static xcb
 
 #include <stdlib.h>
 #include <xcb/xcb.h>