From: Scott Worley Date: Tue, 11 Aug 2020 20:09:30 +0000 (-0700) Subject: Use local pkgs instead of overlays X-Git-Url: http://git.scottworley.com/auto-upgrade-with-pinch/commitdiff_plain/edaaa0c0ab2761711c3b9217a2c7396a56d6a54e?ds=inline Use local pkgs instead of overlays --- diff --git a/default.nix b/default.nix index 8dd9a56..1413fef 100644 --- a/default.nix +++ b/default.nix @@ -1,5 +1,10 @@ -# When installed as a channel, this is not an environment. -# -# This file exists to stop getAllExprs() in nix/src/nix-env/nix-env.cc from recursing around in here and getting confused. +{ pkgs ? import { }, }: -{} +pkgs.lib.makeScope pkgs.newScope (self: + with self; { + + homeless-gpg = callPackage ./pkgs/homeless-gpg.nix { }; + + keyed-gpg = callPackage ./pkgs/keyed-gpg.nix { }; + + }) diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix index fbc8b93..54a3083 100644 --- a/modules/auto-upgrade.nix +++ b/modules/auto-upgrade.nix @@ -1,6 +1,7 @@ { config, lib, pkgs, ... }: with lib; let + local-pkgs = import ../. { inherit pkgs; }; cfg = config.system.autoUpgradeWithPinch; pull-repo-script = pkgs.writeShellScript "pull-repo" '' set -eo pipefail @@ -50,7 +51,7 @@ let if [[ "$(prop requireSignature)" == true ]]; then ${pkgs.polite-merge}/bin/polite-merge \ - -c gpg.program=${escapeShellArg (pkgs.keyedgpg cfg.signingKeys)} \ + -c gpg.program=${escapeShellArg (local-pkgs.keyed-gpg cfg.signingKeys)} \ merge --ff-only --verify-signatures else ${pkgs.polite-merge}/bin/polite-merge merge --ff-only @@ -269,7 +270,6 @@ in { ''; nixpkgs.overlays = [ - (import ../overlays/keyedgpg.nix) (import ../overlays/pinch.nix) (import ../overlays/polite-merge.nix) (self: super: { diff --git a/overlays/keyedgpg.nix b/overlays/keyedgpg.nix deleted file mode 100644 index a78062f..0000000 --- a/overlays/keyedgpg.nix +++ /dev/null @@ -1,31 +0,0 @@ -# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys -# Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc' - -self: super: -let - homelessGPG = super.writeShellScript "homeless-gpg" '' - set -eo pipefail - - export GNUPGHOME=$(${self.coreutils}/bin/mktemp -d) - trap '${self.coreutils}/bin/rm -r "$GNUPGHOME"' EXIT - ${self.gnupg}/bin/gpg --no-default-keyring "$@" - ''; -in { - keyedgpg = keyfiles: super.writeShellScript "keyed-gpg" '' - set -eo pipefail - - keyring=$(${self.coreutils}/bin/mktemp) - cleanup() { ${self.coreutils}/bin/rm "$keyring"; } - trap cleanup EXIT - ${homelessGPG} --keyring="$keyring" --import ${self.lib.escapeShellArgs keyfiles} - - trusted_key_args=() - while read keyid;do - trusted_key_args+=( --trusted-key "$keyid" ) - done < <( - ${homelessGPG} --with-colons --show-keys ${self.lib.escapeShellArgs keyfiles} | - ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }') - - ${homelessGPG} --keyring="$keyring" "''${trusted_key_args[@]}" "$@" - ''; -} diff --git a/pkgs/homeless-gpg.nix b/pkgs/homeless-gpg.nix new file mode 100644 index 0000000..221193f --- /dev/null +++ b/pkgs/homeless-gpg.nix @@ -0,0 +1,8 @@ +{ coreutils, gnupg, writeShellScript }: +writeShellScript "homeless-gpg" '' + set -eo pipefail + + export GNUPGHOME=$(${coreutils}/bin/mktemp -d) + trap '${coreutils}/bin/rm -r "$GNUPGHOME"' EXIT + ${gnupg}/bin/gpg --no-default-keyring "$@" +'' diff --git a/pkgs/keyed-gpg.nix b/pkgs/keyed-gpg.nix new file mode 100644 index 0000000..b675822 --- /dev/null +++ b/pkgs/keyed-gpg.nix @@ -0,0 +1,23 @@ +# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys +# Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc' + +{ coreutils, gawk, homeless-gpg, lib, writeShellScript, }: +keyfiles: +writeShellScript "keyed-gpg" '' + set -eo pipefail + + keyring=$(${coreutils}/bin/mktemp) + cleanup() { ${coreutils}/bin/rm "$keyring"; } + trap cleanup EXIT + ${homeless-gpg} --keyring="$keyring" --import ${lib.escapeShellArgs keyfiles} + + trusted_key_args=() + while read keyid;do + trusted_key_args+=( --trusted-key "$keyid" ) + done < <( + ${homeless-gpg} --with-colons --show-keys ${lib.escapeShellArgs keyfiles} | + ${gawk}/bin/awk -F: '$1 == "pub" { print $5 }') + + ${homeless-gpg} --keyring="$keyring" "''${trusted_key_args[@]}" "$@" +'' +