From edaaa0c0ab2761711c3b9217a2c7396a56d6a54e Mon Sep 17 00:00:00 2001 From: Scott Worley Date: Tue, 11 Aug 2020 13:09:30 -0700 Subject: [PATCH 1/1] Use local pkgs instead of overlays --- default.nix | 13 +++++++++---- modules/auto-upgrade.nix | 4 ++-- overlays/keyedgpg.nix | 31 ------------------------------- pkgs/homeless-gpg.nix | 8 ++++++++ pkgs/keyed-gpg.nix | 23 +++++++++++++++++++++++ 5 files changed, 42 insertions(+), 37 deletions(-) delete mode 100644 overlays/keyedgpg.nix create mode 100644 pkgs/homeless-gpg.nix create mode 100644 pkgs/keyed-gpg.nix diff --git a/default.nix b/default.nix index 8dd9a56..1413fef 100644 --- a/default.nix +++ b/default.nix @@ -1,5 +1,10 @@ -# When installed as a channel, this is not an environment. -# -# This file exists to stop getAllExprs() in nix/src/nix-env/nix-env.cc from recursing around in here and getting confused. +{ pkgs ? import { }, }: -{} +pkgs.lib.makeScope pkgs.newScope (self: + with self; { + + homeless-gpg = callPackage ./pkgs/homeless-gpg.nix { }; + + keyed-gpg = callPackage ./pkgs/keyed-gpg.nix { }; + + }) diff --git a/modules/auto-upgrade.nix b/modules/auto-upgrade.nix index fbc8b93..54a3083 100644 --- a/modules/auto-upgrade.nix +++ b/modules/auto-upgrade.nix @@ -1,6 +1,7 @@ { config, lib, pkgs, ... }: with lib; let + local-pkgs = import ../. { inherit pkgs; }; cfg = config.system.autoUpgradeWithPinch; pull-repo-script = pkgs.writeShellScript "pull-repo" '' set -eo pipefail @@ -50,7 +51,7 @@ let if [[ "$(prop requireSignature)" == true ]]; then ${pkgs.polite-merge}/bin/polite-merge \ - -c gpg.program=${escapeShellArg (pkgs.keyedgpg cfg.signingKeys)} \ + -c gpg.program=${escapeShellArg (local-pkgs.keyed-gpg cfg.signingKeys)} \ merge --ff-only --verify-signatures else ${pkgs.polite-merge}/bin/polite-merge merge --ff-only @@ -269,7 +270,6 @@ in { ''; nixpkgs.overlays = [ - (import ../overlays/keyedgpg.nix) (import ../overlays/pinch.nix) (import ../overlays/polite-merge.nix) (self: super: { 
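Review bot: The header being deleted in the default.nix hunk said the file was kept as an empty attrset precisely so that nix-env's getAllExprs() would not recurse into it when the repo is installed as a channel; the replacement is a function whose single argument has a default, which nix-env will auto-call, so a channel-style `nix-env -qa` now evaluates this scope (and the fallback nixpkgs lookup via NIX_PATH) instead of stopping here — please confirm that is intended, and carry a one-line comment stating the new contract, e.g. `# Scope of local packages; the auto-upgrade module imports this with its own pkgs, the default only serves ad-hoc use.` As rendered, the new first line reads `{ pkgs ? import { }, }:`, which is not valid Nix; presumably the angle-bracket nixpkgs search-path expression was lost in rendering, so check the committed file rather than this view. If it is the search-path form, note that it is an impure, environment-controlled lookup; the auto-upgrade.nix hunk avoids it by passing `inherit pkgs`, so only direct callers are affected.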
diff --git a/overlays/keyedgpg.nix b/overlays/keyedgpg.nix deleted file mode 100644 index a78062f..0000000 --- a/overlays/keyedgpg.nix +++ /dev/null @@ -1,31 +0,0 @@ -# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys -# Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc' - -self: super: -let - homelessGPG = super.writeShellScript "homeless-gpg" '' - set -eo pipefail - - export GNUPGHOME=$(${self.coreutils}/bin/mktemp -d) - trap '${self.coreutils}/bin/rm -r "$GNUPGHOME"' EXIT - ${self.gnupg}/bin/gpg --no-default-keyring "$@" - ''; -in { - keyedgpg = keyfiles: super.writeShellScript "keyed-gpg" '' - set -eo pipefail - - keyring=$(${self.coreutils}/bin/mktemp) - cleanup() { ${self.coreutils}/bin/rm "$keyring"; } - trap cleanup EXIT - ${homelessGPG} --keyring="$keyring" --import ${self.lib.escapeShellArgs keyfiles} - - trusted_key_args=() - while read keyid;do - trusted_key_args+=( --trusted-key "$keyid" ) - done < <( - ${homelessGPG} --with-colons --show-keys ${self.lib.escapeShellArgs keyfiles} | - ${self.gawk}/bin/awk -F: '$1 == "pub" { print $5 }') - - ${homelessGPG} --keyring="$keyring" "''${trusted_key_args[@]}" "$@" - ''; -} diff --git a/pkgs/homeless-gpg.nix b/pkgs/homeless-gpg.nix new file mode 100644 index 0000000..221193f --- /dev/null +++ b/pkgs/homeless-gpg.nix @@ -0,0 +1,8 @@ +{ coreutils, gnupg, writeShellScript }: +writeShellScript "homeless-gpg" '' + set -eo pipefail + + export GNUPGHOME=$(${coreutils}/bin/mktemp -d) + trap '${coreutils}/bin/rm -r "$GNUPGHOME"' EXIT + ${gnupg}/bin/gpg --no-default-keyring "$@" +'' diff --git a/pkgs/keyed-gpg.nix b/pkgs/keyed-gpg.nix new file mode 100644 index 0000000..b675822 --- /dev/null +++ b/pkgs/keyed-gpg.nix 
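Review bot: In the homeless-gpg hunk, `export GNUPGHOME=$(${coreutils}/bin/mktemp -d)` defeats the `set -e` on the line above: the exit status of an `export` carrying an assignment is the builtin's, not the command substitution's, so if mktemp fails GNUPGHOME is exported empty and gpg silently falls back to the invoking user's default home — the opposite of what this wrapper exists to guarantee. Split declaration from assignment so the failure aborts before the trap is armed: `GNUPGHOME=$(${coreutils}/bin/mktemp -d)` followed by `export GNUPGHOME`. A header comment would also help readers of the separate keyed-gpg package that calls this, e.g. `# gpg with a throw-away GNUPGHOME: never reads or writes ~/.gnupg; nothing persists between invocations`. Whether gpg treats an empty GNUPGHOME exactly as unset may vary by version, but the masked failure stands regardless.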
@@ -0,0 +1,23 @@
+# Following the instructions at https://tribut.de/blog/git-commit-signatures-trusted-keys
+# Use with git with -c gpg.program='keyedgpg /path/to/keyfile.asc'
+
+{ coreutils, gawk, homeless-gpg, lib, writeShellScript, }:
+keyfiles:
+writeShellScript "keyed-gpg" ''
+ set -eo pipefail
+
+ keyring=$(${coreutils}/bin/mktemp)
+ cleanup() { ${coreutils}/bin/rm "$keyring"; }
+ trap cleanup EXIT
+ ${homeless-gpg} --keyring="$keyring" --import ${lib.escapeShellArgs keyfiles}
+
+ trusted_key_args=()
+ while read keyid;do
+ trusted_key_args+=( --trusted-key "$keyid" )
+ done < <(
+ ${homeless-gpg} --with-colons --show-keys ${lib.escapeShellArgs keyfiles} |
+ ${gawk}/bin/awk -F: '$1 == "pub" { print $5 }')
+
+ ${homeless-gpg} --keyring="$keyring" "''${trusted_key_args[@]}" "$@"
+''
+
-- 2.44.1
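Review bot: `cleanup` removes only `$keyring`, but gpg writes auxiliary files beside a keyring it modifies — typically a `<keyring>~` backup after `--import` and a lock file — so every signature check is likely to leave a stray file in the system temp dir; give the keyring its own directory and remove it whole: `keydir=$(${coreutils}/bin/mktemp -d)`, `keyring=$keydir/keyring.gpg`, `cleanup() { ${coreutils}/bin/rm -r "$keydir"; }`. The `while read keyid` loop should be `while read -r keyid` to match the otherwise defensive style, even though hex key IDs carry no backslashes. The trust model itself looks right as far as this hunk shows: the only keys that reach the keyring and `--trusted-key` come from `keyfiles`, i.e. the module's configured signing keys, so the fetched repository cannot introduce a key of its own. The header comment still describes the blog post's CLI (`keyedgpg /path/to/keyfile.asc`), which this function does not accept; `# Nix function: keyed-gpg [ ./key.asc ... ] yields a gpg wrapper for git's gpg.program that trusts exactly those keys` would describe the actual interface.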