nix: do not force static linking on nix

In a typical Nix or NixOS-based setup, the entire /nix/store directory is available to the sandbox. Signed-off-by: Ophestra <cat@gensokyo.uk>
2025-01-17 22:56:16 +09:00 · 2025-01-17 22:56:16 +09:00 · c4de450217
commit c4de450217
parent b60c01f440
2 changed files with 29 additions and 8 deletions
--- a/flake.nix
+++ b/flake.nix
@ -166,8 +166,28 @@
                go
                gcc
              ]
-              ++ fortify.buildInputs
-              ++ fortify.nativeBuildInputs;
+              # buildInputs
+              ++ (
+                with pkgsStatic;
+                [
+                  musl
+                  libffi
+                  acl
+                  wayland
+                  wayland-protocols
+                ]
+                ++ (with xorg; [
+                  libxcb
+                  libXau
+                  libXdmcp
+                ])
+              )
+              # nativeBuildInputs
+              ++ [
+                pkg-config
+                wayland-scanner
+                makeBinaryWrapper
+              ];
          };

          fhs = fhs.env;
--- a/package.nix
+++ b/package.nix
@ -1,11 +1,16 @@
 {
  lib,
  buildGoModule,
+  makeBinaryWrapper,
  xdg-dbus-proxy,
  bubblewrap,
-  pkgsStatic,
  pkg-config,
+  libffi,
+  acl,
+  wayland,
+  wayland-protocols,
  wayland-scanner,
+  xorg,
 }:

 buildGoModule rec {
@ -27,7 +32,6 @@ buildGoModule rec {
      )
      [
        "-s -w"
-        "-extldflags '-static'"
        "-X main.Fmain=${placeholder "out"}/libexec/fortify"
        "-X main.Fshim=${placeholder "out"}/libexec/fshim"
      ]
@ -42,10 +46,7 @@ buildGoModule rec {
  GO_TEST_SKIP_ACL = 1;

  buildInputs =
-    # cannot find a cleaner way to do this
-    with pkgsStatic;
    [
-      musl
      libffi
      acl
      wayland
@ -60,7 +61,7 @@ buildGoModule rec {
  nativeBuildInputs = [
    pkg-config
    wayland-scanner
-    pkgsStatic.makeBinaryWrapper
+    makeBinaryWrapper
  ];

  preConfigure = ''