From 150afcb24029418f77b00b5910b0a9447fa71e24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 15 May 2022 07:48:48 +0200 Subject: [PATCH 1/5] move all nix expressions to pkgs --- default.nix | 40 ++++++--------------------- flake.nix | 2 +- pkgs/cross-build.nix | 14 ++++++++++ pkgs/lint.nix | 13 +++++++++ pkgs/sops-pgp-hook-test.nix | 11 ++++++++ unit-tests.nix => pkgs/unit-tests.nix | 2 +- 6 files changed, 48 insertions(+), 34 deletions(-) create mode 100644 pkgs/cross-build.nix create mode 100644 pkgs/lint.nix create mode 100644 pkgs/sops-pgp-hook-test.nix rename unit-tests.nix => pkgs/unit-tests.nix (94%) diff --git a/default.nix b/default.nix index 22de563..4252a3e 100644 --- a/default.nix +++ b/default.nix 
@@ -16,42 +16,18 @@ in rec { inherit (pkgs) ssh-to-pgp; # used in the CI only - sops-pgp-hook-test = pkgs.buildGoModule { - name = "sops-pgp-hook-test"; - src = ./.; + sops-pgp-hook-test = pkgs.callPackage ./pkgs/sops-pgp-hook-test.nix { inherit vendorSha256; - buildPhase = '' - go test -c ./pkgs/sops-pgp-hook - install -D sops-pgp-hook.test $out/bin/sops-pgp-hook.test - ''; }; - unit-tests = pkgs.callPackage ./unit-tests.nix {}; + unit-tests = pkgs.callPackage ./pkgs/unit-tests.nix {}; } // (pkgs.lib.optionalAttrs pkgs.stdenv.isLinux { inherit sops-install-secrets; - lint = sops-install-secrets.overrideAttrs (old: { - name = "golangci-lint"; - nativeBuildInputs = old.nativeBuildInputs ++ [ pkgs.golangci-lint ]; - buildPhase = '' - HOME=$TMPDIR golangci-lint run --timeout 360s - ''; - doCheck = false; - installPhase = '' - touch $out $unittest - ''; - fixupPhase = ":"; - }); + lint = pkgs.callPackage ./pkgs/lint.nix { + inherit sops-install-secrets; + }; - cross-build = sops-install-secrets.overrideAttrs (old: { - name = "cross-build"; - nativeBuildInputs = old.nativeBuildInputs ++ [ pkgs.gox ]; - buildPhase = '' - (cd pkgs/sops-install-secrets && gox -os linux) - ''; - doCheck = false; - installPhase = '' - touch $out $unittest - ''; - fixupPhase = ":"; - }); + cross-build = pkgs.callPackage ./pkgs/cross-build.nix { + inherit sops-install-secrets; + }; }) diff --git a/flake.nix b/flake.nix index 5991bff..a1c819c 100644 --- a/flake.nix +++ b/flake.nix @@ -40,7 +40,7 @@ nixpkgs.legacyPackages.${system}.callPackage ./shell.nix {} ); devShells = forAllSystems (system: { - unit-tests = nixpkgs.legacyPackages.${system}.callPackage ./unit-tests.nix {}; + unit-tests = nixpkgs.legacyPackages.${system}.callPackage ./pkgs/unit-tests.nix {}; }); }; } diff --git a/pkgs/cross-build.nix b/pkgs/cross-build.nix new file mode 100644 index 0000000..5ad27b9 --- /dev/null +++ b/pkgs/cross-build.nix 
@@ -0,0 +1,14 @@ +{ sops-install-secrets, gox }: + +sops-install-secrets.overrideAttrs (old: { + name = "cross-build"; + nativeBuildInputs = old.nativeBuildInputs ++ [ gox ]; + buildPhase = '' + (cd pkgs/sops-install-secrets && gox -os linux) + ''; + doCheck = false; + installPhase = '' + touch $out $unittest + ''; + fixupPhase = ":"; +}) diff --git a/pkgs/lint.nix b/pkgs/lint.nix new file mode 100644 index 0000000..f14d1d8 --- /dev/null +++ b/pkgs/lint.nix @@ -0,0 +1,13 @@ +{ sops-install-secrets, golangci-lint }: +sops-install-secrets.overrideAttrs (old: { + name = "golangci-lint"; + nativeBuildInputs = old.nativeBuildInputs ++ [ golangci-lint ]; + buildPhase = '' + HOME=$TMPDIR golangci-lint run --timeout 360s + ''; + doCheck = false; + installPhase = '' + touch $out $unittest + ''; + fixupPhase = ":"; +}) diff --git a/pkgs/sops-pgp-hook-test.nix b/pkgs/sops-pgp-hook-test.nix new file mode 100644 index 0000000..75f809d --- /dev/null +++ b/pkgs/sops-pgp-hook-test.nix @@ -0,0 +1,11 @@ +{ buildGoModule, vendorSha256 }: + +buildGoModule { + name = "sops-pgp-hook-test"; + src = ../.; + inherit vendorSha256; + buildPhase = '' + go test -c ./pkgs/sops-pgp-hook + install -D sops-pgp-hook.test $out/bin/sops-pgp-hook.test + ''; +} diff --git a/unit-tests.nix b/pkgs/unit-tests.nix similarity index 94% rename from unit-tests.nix rename to pkgs/unit-tests.nix index 20029a7..e0c9f8b 100644 --- a/unit-tests.nix +++ b/pkgs/unit-tests.nix @@ -1,7 +1,7 @@ { pkgs ? import {} }: let - sopsPkgs = import ./. { inherit pkgs; }; + sopsPkgs = import ../. { inherit pkgs; }; in pkgs.stdenv.mkDerivation { name = "env"; nativeBuildInputs = with pkgs; [ From 530098c90284893a2fa6148f02fbdc548ac716d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 15 May 2022 07:48:56 +0200 Subject: [PATCH 2/5] drop release.nix --- release.nix | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 release.nix 
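Review bot: Nothing in the new pkgs/cross-build.nix says that this derivation is a CI-only check whose outputs are empty marker files, and `touch $out $unittest` works only while sops-install-secrets declares an `unittest` output, which is not visible in this file. I would add a header comment such as `# CI-only check: runs gox on the sops-install-secrets sources; outputs are empty marker files` and quote the variables, `touch "$out" "$unittest"`. pkgs/lint.nix repeats the same `doCheck`/`installPhase`/`fixupPhase` lines and would benefit from the same comment.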
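Review bot: `src = ../.;` in pkgs/sops-pgp-hook-test.nix copies the whole repository directory into the Nix store, and store paths are world-readable. When the expression is evaluated from a working tree rather than through the flake, the copy includes untracked files such as test keys or decrypted secrets left in the checkout, as well as `.git` and `result` links that change the source hash. I would at least filter the tree with `src = lib.cleanSource ../.;` (adding `lib` to the argument set), and preferably use `lib.cleanSourceWith` with a filter that keeps only the Go sources and `go.mod`/`go.sum`.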
diff --git a/release.nix b/release.nix deleted file mode 100644 index 451d933..0000000 --- a/release.nix +++ /dev/null @@ -1,13 +0,0 @@ -# This file filters out all the broken packages from your package set. -# It's what gets built by CI, so if you correctly mark broken packages as -# broken your CI will not try to build them and the non-broken packages will -# be added to the cache. -{ pkgs ? import {} }: - -pkgs.lib.filter (p: - (builtins.isAttrs p) - && !((builtins.hasAttr "meta" p) - && (((builtins.hasAttr "broken" p.meta) && (p.meta.broken)) - || (builtins.hasAttr "available" p.meta && !p.meta.available)) - && !((builtins.hasAttr "disabled" p) && (p.disabled)))) - (pkgs.lib.collect (pkgs.lib.isDerivation) (import ./default.nix { inherit pkgs; })) From a7512754f024c9e7e01b236c3ce5355a9179a9cc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 15 May 2022 08:07:37 +0200 Subject: [PATCH 3/5] fix build for 21.11 --- default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/default.nix b/default.nix index 4252a3e..5720b8c 100644 --- a/default.nix +++ b/default.nix @@ -1,7 +1,9 @@ { pkgs ? import {} }: let vendorSha256 = "sha256-nqA2zzCsWXCllpsss0tjjo4ivi3MVuEM3W6dEZc5KAc="; + buildGoModule = if pkgs.lib.versionOlder pkgs.go.version "1.17" then pkgs.buildGo117Module else pkgs.buildGoModule; sops-install-secrets = pkgs.callPackage ./pkgs/sops-install-secrets { + inherit buildGoModule; inherit vendorSha256; }; in rec { From 7e5c8249e27427235aa82e6086f9cdbd21194a48 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 15 May 2022 08:07:55 +0200 Subject: [PATCH 4/5] shell.nix: add nixFlakes version --- shell.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/shell.nix b/shell.nix index 4438e14..adaff38 100644 --- a/shell.nix +++ b/shell.nix @@ -6,7 +6,7 @@ pkgs.mkShell { delve gnupg utillinux - nix + nixFlakes golangci-lint ]; # delve does not compile with hardening enabled 
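Review bot: The new `buildGoModule` binding in default.nix is inherited only into the `./pkgs/sops-install-secrets` call, so `sops-pgp-hook-test`, which takes `buildGoModule` from `callPackage` and reuses the same `vendorSha256`, still gets the stock `pkgs.buildGoModule` on 21.11. If the older Go toolchain vendors the modules differently, the pinned fixed-output hash will not match and the build fails; if it does match, the two packages are still built by different compilers. Passing the binding through as well, `inherit buildGoModule vendorSha256;` in the `./pkgs/sops-pgp-hook-test.nix` call, keeps one toolchain per pinned vendor hash. That call sits outside this hunk, and a one-line comment on the binding saying why Go 1.17 is the floor would help the next reader.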
From c8e0dd83f8dc72ef7497fa87c1c3c0f7a108053b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= Date: Sun, 15 May 2022 08:09:09 +0200 Subject: [PATCH 5/5] also build ci for 21.11 --- flake.lock | 25 +++++++++++++++++++++---- flake.nix | 15 ++++++++++++--- 2 files changed, 33 insertions(+), 7 deletions(-) diff --git a/flake.lock b/flake.lock index 3f1e19c..c3762e6 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1652252629, - "narHash": "sha256-SvT64apetqc8P5nYp1/fOZvUmHUPdPFUZbhSpKy+1aI=", + "lastModified": 1652541622, + "narHash": "sha256-Z9BuUCS0IocoRahFvFDJNU5Q+xM5/lS8Ng4JJFH3+UU=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d2fc6856824cb87742177eefc8dd534bdb6c3439", + "rev": "f7a22851667ac89ac1863ede0d8c386fc6eb12a0", "type": "github" }, "original": { @@ -16,9 +16,26 @@ "type": "github" } }, + "nixpkgs-21_11": { + "locked": { + "lastModified": 1652559422, + "narHash": "sha256-jPVTNImBTUIFdtur+d4IVot6eXmsvtOcBm0TzxmhWPk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8b3398bc7587ebb79f93dfeea1b8c574d3c6dba1", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-21.11", + "repo": "nixpkgs", + "type": "github" + } + }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "nixpkgs": "nixpkgs", + "nixpkgs-21_11": "nixpkgs-21_11" } } }, diff --git a/flake.nix b/flake.nix index a1c819c..fb63bcf 100644 --- a/flake.nix +++ b/flake.nix @@ -1,11 +1,13 @@ { description = "Integrates sops into nixos"; inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + inputs.nixpkgs-21_11.url = "github:NixOS/nixpkgs/release-21.11"; nixConfig.extra-substituters = ["https://cache.garnix.io"]; nixConfig.extra-trusted-public-keys = ["cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="]; outputs = { self, nixpkgs, + nixpkgs-21_11 }: let systems = [ "x86_64-linux" 
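Review bot: `inputs.nixpkgs-21_11.url` in flake.nix follows the `release-21.11` branch, which as far as I know is the backport branch that commits land on before the channel tests run, whereas users of the stable release normally track `nixos-21.11`. CI would then check revisions that users do not run and that may not yet be in the binary cache. Unless that is intended, I would follow the channel branch instead, `inputs.nixpkgs-21_11.url = "github:NixOS/nixpkgs/nixos-21.11";`, and regenerate flake.lock so the locked `rev` and `narHash` match. The `outputs` function continues past the end of this hunk.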
@@ -17,6 +19,7 @@ "armv7l-linux" ]; forAllSystems = f: nixpkgs.lib.genAttrs systems (system: f system); + suffix-21_11 = attrs: nixpkgs.lib.mapAttrs' (name: value: nixpkgs.lib.nameValuePair (name + "-21_11") value) attrs; in { overlay = final: prev: let localPkgs = import ./default.nix {pkgs = final;}; @@ -31,9 +34,15 @@ import ./default.nix { pkgs = import nixpkgs {inherit system;}; }); - checks = - nixpkgs.lib.genAttrs ["x86_64-linux" "aarch64-linux"] - (system: self.packages.${system}.sops-install-secrets.tests); + checks = nixpkgs.lib.genAttrs ["x86_64-linux" "aarch64-linux"] + (system: let + tests = self.packages.${system}.sops-install-secrets.tests; + packages-21_11 = import ./default.nix { + pkgs = import nixpkgs-21_11 {inherit system;}; + }; + tests-21_11 = packages-21_11.sops-install-secrets.tests; + in tests // (suffix-21_11 tests-21_11) // (suffix-21_11 packages-21_11)); + defaultPackage = forAllSystems (system: self.packages.${system}.sops-init-gpg-key); devShell = forAllSystems ( system:
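Review bot: In the new `checks` expression, `tests-21_11` and `packages-21_11` are both renamed with the same `-21_11` suffix and then merged with `//`, so a package whose name matches a test name silently replaces that test. `suffix-21_11 packages-21_11` also puts every attribute of default.nix into `checks`, and `nix flake check` expects each of them to be a derivation; `unit-tests` looks like a shell environment from the part of pkgs/unit-tests.nix visible in this series, so it may not be meant to be built there. I would select the packages explicitly, e.g. `in tests // (suffix-21_11 tests-21_11) // (suffix-21_11 { inherit (packages-21_11) lint cross-build; })`, or give the package set its own suffix. A short comment on `suffix-21_11`, added in the previous hunk, stating that it appends `-21_11` to every attribute name would document the helper.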