Ophestra Umiker
7b6052a473
Nix build environment does not support ACLs in any filesystem. This allows acl tests to run. Signed-off-by: Ophestra Umiker <cat@ophivana.moe>
153 lines
3.8 KiB
Nix
153 lines
3.8 KiB
Nix
{
|
|
description = "fortify sandbox tool and nixos module";
|
|
|
|
inputs = {
|
|
nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11-small";
|
|
|
|
home-manager = {
|
|
url = "github:nix-community/home-manager/release-24.11";
|
|
inputs.nixpkgs.follows = "nixpkgs";
|
|
};
|
|
};
|
|
|
|
outputs =
|
|
{
|
|
self,
|
|
nixpkgs,
|
|
home-manager,
|
|
}:
|
|
let
|
|
supportedSystems = [
|
|
"aarch64-linux"
|
|
"i686-linux"
|
|
"x86_64-linux"
|
|
];
|
|
|
|
forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
|
|
nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; });
|
|
in
|
|
{
|
|
nixosModules.fortify = import ./nixos.nix;
|
|
|
|
checks = forAllSystems (
|
|
system:
|
|
let
|
|
pkgs = nixpkgsFor.${system};
|
|
|
|
inherit (pkgs)
|
|
runCommandLocal
|
|
callPackage
|
|
nixfmt-rfc-style
|
|
deadnix
|
|
statix
|
|
;
|
|
in
|
|
{
|
|
check-formatting =
|
|
runCommandLocal "check-formatting" { nativeBuildInputs = [ nixfmt-rfc-style ]; }
|
|
''
|
|
cd ${./.}
|
|
|
|
echo "running nixfmt..."
|
|
nixfmt --check .
|
|
|
|
touch $out
|
|
'';
|
|
|
|
check-lint =
|
|
runCommandLocal "check-lint"
|
|
{
|
|
nativeBuildInputs = [
|
|
deadnix
|
|
statix
|
|
];
|
|
}
|
|
''
|
|
cd ${./.}
|
|
|
|
echo "running deadnix..."
|
|
deadnix --fail
|
|
|
|
echo "running statix..."
|
|
statix check .
|
|
|
|
touch $out
|
|
'';
|
|
|
|
nixos-tests = callPackage ./test.nix { inherit system self home-manager; };
|
|
}
|
|
);
|
|
|
|
packages = forAllSystems (
|
|
system:
|
|
let
|
|
pkgs = nixpkgsFor.${system};
|
|
in
|
|
{
|
|
default = self.packages.${system}.fortify;
|
|
|
|
fortify = pkgs.callPackage ./package.nix { };
|
|
}
|
|
);
|
|
|
|
devShells = forAllSystems (system: {
|
|
default = nixpkgsFor.${system}.mkShell {
|
|
buildInputs = with nixpkgsFor.${system}; self.packages.${system}.fortify.buildInputs;
|
|
};
|
|
|
|
fhs = nixpkgsFor.${system}.buildFHSEnv {
|
|
pname = "fortify-fhs";
|
|
inherit (self.packages.${system}.fortify) version;
|
|
targetPkgs =
|
|
pkgs: with pkgs; [
|
|
go
|
|
gcc
|
|
pkg-config
|
|
acl
|
|
wayland
|
|
wayland-scanner
|
|
wayland-protocols
|
|
xorg.libxcb
|
|
];
|
|
extraOutputsToInstall = [ "dev" ];
|
|
profile = ''
|
|
export PKG_CONFIG_PATH="/usr/share/pkgconfig:$PKG_CONFIG_PATH"
|
|
'';
|
|
};
|
|
|
|
withPackage = nixpkgsFor.${system}.mkShell {
|
|
buildInputs =
|
|
with nixpkgsFor.${system};
|
|
self.packages.${system}.fortify.buildInputs ++ [ self.packages.${system}.fortify ];
|
|
};
|
|
|
|
generateDoc =
|
|
let
|
|
pkgs = nixpkgsFor.${system};
|
|
inherit (pkgs) lib;
|
|
|
|
doc =
|
|
let
|
|
eval = lib.evalModules {
|
|
specialArgs = {
|
|
inherit pkgs;
|
|
};
|
|
modules = [ ./options.nix ];
|
|
};
|
|
cleanEval = lib.filterAttrsRecursive (n: _: n != "_module") eval;
|
|
in
|
|
pkgs.nixosOptionsDoc { inherit (cleanEval) options; };
|
|
docText = pkgs.runCommand "fortify-module-docs.md" { } ''
|
|
cat ${doc.optionsCommonMark} > $out
|
|
sed -i '/*Declared by:*/,+1 d' $out
|
|
'';
|
|
in
|
|
nixpkgsFor.${system}.mkShell {
|
|
shellHook = ''
|
|
exec cat ${docText} > options.md
|
|
'';
|
|
};
|
|
});
|
|
};
|
|
}
|