]> git.scottworley.com Git - auto-upgrade-with-pinch/commitdiff
projects / auto-upgrade-with-pinch / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (from parent 1: eff66a9)
Use local pkgs instead of overlays
authorScott Worley <scottworley@scottworley.com>
Tue, 11 Aug 2020 20:09:30 +0000 (13:09 -0700)
committerScott Worley <scottworley@scottworley.com>
Tue, 11 Aug 2020 20:10:37 +0000 (13:10 -0700)
default.nix patch | blob | blame | history
modules/auto-upgrade.nix patch | blob | blame | history
overlays/keyedgpg.nix [deleted file] patch | blob | blame | history
pkgs/homeless-gpg.nix [new file with mode: 0644] patch | blob
pkgs/keyed-gpg.nix [new file with mode: 0644] patch | blob

diff --git a/default.nix b/default.nix
index 8dd9a56fb06a7cf1aec68e6d624d3c36179697f5..1413fef74a3415f38f53b3b8035e679dc207ad02 100644 (file)
--- a/default.nix
+++ b/default.nix
@@ -1,5 +1,10 @@
-# When installed as a channel, this is not an environment.
-#
-# This file exists to stop getAllExprs() in nix/src/nix-env/nix-env.cc from recursing around in here and getting confused.
+{ pkgs ? import <nixpkgs> { }, }:
 
 
-{}
+pkgs.lib.makeScope pkgs.newScope (self:
+  with self; {
+
+    homeless-gpg = callPackage ./pkgs/homeless-gpg.nix { };
+
+    keyed-gpg = callPackage ./pkgs/keyed-gpg.nix { };
+
+  })
diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix
index fbc8b938a16f6fd434eea1ba11b53797d441a972..54a30835d490a8215af0875868b921eac59d7abd 100644 (file)
--- a/modules/auto-upgrade.nix
+++ b/modules/auto-upgrade.nix
@@ -1,6 +1,7 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
 { config, lib, pkgs, ... }:
 with lib;
 let
+  local-pkgs = import ../. { inherit pkgs; };
   cfg = config.system.autoUpgradeWithPinch;
   pull-repo-script = pkgs.writeShellScript "pull-repo" ''
     set -eo pipefail
   cfg = config.system.autoUpgradeWithPinch;
   pull-repo-script = pkgs.writeShellScript "pull-repo" ''
     set -eo pipefail
@@ -50,7 +51,7 @@ let
 
     if [[ "$(prop requireSignature)" == true ]]; then
       ${pkgs.polite-merge}/bin/polite-merge \
 
     if [[ "$(prop requireSignature)" == true ]]; then
       ${pkgs.polite-merge}/bin/polite-merge \
-        -c gpg.program=${escapeShellArg (pkgs.keyedgpg cfg.signingKeys)} \
+        -c gpg.program=${escapeShellArg (local-pkgs.keyed-gpg cfg.signingKeys)} \
         merge --ff-only --verify-signatures
     else
       ${pkgs.polite-merge}/bin/polite-merge merge --ff-only
         merge --ff-only --verify-signatures
     else
       ${pkgs.polite-merge}/bin/polite-merge merge --ff-only
@@ -269,7 +270,6 @@ in {
     '';
 
     nixpkgs.overlays = [
     '';
 
     nixpkgs.overlays = [
-      (import ../overlays/keyedgpg.nix)
       (import ../overlays/pinch.nix)
       (import ../overlays/polite-merge.nix)
       (self: super: {
       (import ../overlays/pinch.nix)
       (import ../overlays/polite-merge.nix)
       (self: super: {
diff --git a/overlays/keyedgpg.nix b/overlays/keyedgpg.nix
deleted file mode 100644 (file)
index a78062f..0000000
--- a/overlays/keyedgpg.nix
+++ /dev/null
@@ -1,31 +0,0 @@
-# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
-# Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc'
-
-self: super:
-let
-  homelessGPG = super.writeShellScript "homeless-gpg" ''
-    set -eo pipefail
-
-    export GNUPGHOME=$(${self.coreutils}/bin/mktemp -d)
-    trap '${self.coreutils}/bin/rm -r "$GNUPGHOME"' EXIT
-    ${self.gnupg}/bin/gpg --no-default-keyring "$@"
-  '';
-in {
-  keyedgpg = keyfiles: super.writeShellScript "keyed-gpg" ''
-    set -eo pipefail
-
-    keyring=$(${self.coreutils}/bin/mktemp)
-    cleanup() { ${self.coreutils}/bin/rm "$keyring"; }
-    trap cleanup EXIT
-    ${homelessGPG} --keyring="$keyring" --import ${self.lib.escapeShellArgs keyfiles}
-
-    trusted_key_args=()
-    while read keyid;do
-      trusted_key_args+=( --trusted-key "$keyid" )
-    done < <(
-      ${homelessGPG} --with-colons --show-keys ${self.lib.escapeShellArgs keyfiles} |
-        ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }')
-
-    ${homelessGPG} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
-  '';
-}
diff --git a/pkgs/homeless-gpg.nix b/pkgs/homeless-gpg.nix
new file mode 100644 (file)
index 0000000..221193f
--- /dev/null
+++ b/pkgs/homeless-gpg.nix
@@ -0,0 +1,8 @@
+{ coreutils, gnupg, writeShellScript }:
+writeShellScript "homeless-gpg" ''
+  set -eo pipefail
+
+  export GNUPGHOME=$(${coreutils}/bin/mktemp -d)
+  trap '${coreutils}/bin/rm -r "$GNUPGHOME"' EXIT
+  ${gnupg}/bin/gpg --no-default-keyring "$@"
+''
diff --git a/pkgs/keyed-gpg.nix b/pkgs/keyed-gpg.nix
new file mode 100644 (file)
index 0000000..b675822
--- /dev/null
+++ b/pkgs/keyed-gpg.nix
@@ -0,0 +1,23 @@
+# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
+# Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc'
+
+{ coreutils, gawk, homeless-gpg, lib, writeShellScript, }:
+keyfiles:
+writeShellScript "keyed-gpg" ''
+  set -eo pipefail
+
+  keyring=$(${coreutils}/bin/mktemp)
+  cleanup() { ${coreutils}/bin/rm "$keyring"; }
+  trap cleanup EXIT
+  ${homeless-gpg} --keyring="$keyring" --import ${lib.escapeShellArgs keyfiles}
+
+  trusted_key_args=()
+  while read keyid;do
+    trusted_key_args+=( --trusted-key "$keyid" )
+  done < <(
+    ${homeless-gpg} --with-colons --show-keys ${lib.escapeShellArgs keyfiles} |
+      ${gawk}/bin/awk -F: '$1 == "pub" { print $5 }')
+
+  ${homeless-gpg} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
+''
+
Automatic NixOS upgrades with pinch