sane-scripts: port sane-wipe-browser to nix-shell & remove dead resholve code

2023-06-07 07:26:19 +00:00 · 2023-06-07 07:26:19 +00:00 · e1a18cdae1
commit e1a18cdae1
parent 2a1d87650b
2 changed files with 17 additions and 110 deletions
--- a/pkgs/additional/sane-scripts/default.nix
+++ b/pkgs/additional/sane-scripts/default.nix
@ -1,111 +1,13 @@
 { lib
 , pkgs
-, resholve
 , static-nix-shell
 , symlinkJoin
 }:

 let
-  shell-scripts = resholve.mkDerivation {
-    # resholve documentation:
-    # - nix: https://github.com/nixos/nixpkgs/blob/master/pkgs/development/misc/resholve/README.md
-    # - generic: https://github.com/abathur/resholve
-    pname = "sane-scripts";
-    version = "0.1.0";
-
-    src = ./src;
-
-    solutions = {
-      default = {
-        # note: `scripts` refers to the store path here
-        scripts = [ "bin/*" ];
-        interpreter = "${pkgs.bash}/bin/bash";
-        inputs = with pkgs; [
-          # string is interpreted as relative path from @OUT@.
-          # this lets our scripts reference eachother.
-          # see: <https://github.com/abathur/resholve/issues/26>
-          "bin"
-          coreutils-full
-          file
-          findutils
-          gnugrep
-          gnused
-          gocryptfs
-          ifuse
-          inetutils
-          iwd
-          jq
-          openssh
-          openssl
-          nix-shell-scripts.ip-check
-          nix-shell-scripts.mount-servo
-          rmlint
-          rsync
-          ssh-to-age
-          sops
-          sudo
-          systemd
-          util-linux
-          which
-        ];
-        keep = {
-          # we write here: keep it
-          "/tmp/rmlint.sh" = true;
-          # intentionally escapes (into user code)
-          "$external_cmd" = true;
-          "$maybe_sudo" = true;
-        };
-        fake = {
-          external = [
-            # https://github.com/abathur/resholve/issues/29
-            # "umount"
-            # "/run/wrappers/bin/sudo"
-            "sudo"
-          ];
-        };
-        fix = {
-          # this replaces umount with the non-setuid-wrapper umount.
-          # not sure if/where that lack of suid causes problems.
-          umount = true;
-        };
-        prologue = "${./resholve-prologue}";
-
-        # list of programs which *can* or *cannot* exec their arguments
-        execer = with pkgs; [
-          "cannot:${git}/bin/git"
-          "cannot:${gocryptfs}/bin/gocryptfs"
-          "cannot:${ifuse}/bin/ifuse"
-          "cannot:${iwd}/bin/iwctl"
-          "cannot:${openssh}/bin/ssh-keygen"
-          "cannot:${rmlint}/bin/rmlint"
-          "cannot:${rsync}/bin/rsync"
-          "cannot:${sops}/bin/sops"
-          "cannot:${ssh-to-age}/bin/ssh-to-age"
-          "cannot:${systemd}/bin/systemctl"
-        ];
-      };
-    };
-
-    patchPhase =
-      let
-        rmPy = builtins.concatStringsSep
-          "\n"
-          (lib.mapAttrsToList (name: pkg: "rm ${pkg.pname}") nix-shell-scripts)
-        ;
-      in ''
-        # remove python library files, and python binaries  (those are packaged further below)
-        rm -rf lib/
-        ${rmPy}
-      '';
-
-    installPhase = ''
-      mkdir -p $out/bin
-      cp -R * $out/bin/
-    '';
-  };
-
  nix-shell-scripts = {
    # anything added to this attrset gets symlink-joined into `sane-scripts`
+    # and is made available through `sane-scripts.passthru`
    backup-ls = static-nix-shell.mkBash {
      pname = "sane-backup-ls";
      src = ./src;
@ -203,8 +105,8 @@ let
      src = ./src;
      pkgs = [ "sane-scripts.private-unlock" ];
    };
-    private-unlock = static-nix-shell.mkBash {
-      pname = "sane-private-unlock";
+    private-init = static-nix-shell.mkBash {
+      pname = "sane-private-init";
      src = ./src;
      pkgs = [ "gocryptfs" ];
    };
@ -212,8 +114,8 @@ let
      pname = "sane-private-lock";
      src = ./src;
    };
-    private-init = static-nix-shell.mkBash {
-      pname = "sane-private-init";
+    private-unlock = static-nix-shell.mkBash {
+      pname = "sane-private-unlock";
      src = ./src;
      pkgs = [ "gocryptfs" ];
    };
@ -227,15 +129,15 @@ let
      src = ./src;
      pkgs = [ "systemd" ];
    };
+    reclaim-boot-space = static-nix-shell.mkPython3Bin {
+      pname = "sane-reclaim-boot-space";
+      src = ./src;
+    };
    reclaim-disk-space = static-nix-shell.mkBash {
      pname = "sane-reclaim-disk-space";
      src = ./src;
      pkgs = [ "nix" "rmlint" "util-linux" ];
    };
-    reclaim-boot-space = static-nix-shell.mkPython3Bin {
-      pname = "sane-reclaim-boot-space";
-      src = ./src;
-    };
    secrets-dump = static-nix-shell.mkBash {
      pname = "sane-secrets-dump";
      src = ./src;
@ -296,14 +198,18 @@ let
      src = ./src;
      pkgs = [ "coreutils-full" "file" ];
    };
+    wipe-browser = static-nix-shell.mkBash {
+      pname = "sane-wipe-browser";
+      src = ./src;
+    };
  };
 in
 symlinkJoin {
  name = "sane-scripts";
-  paths = [ shell-scripts ] ++ lib.attrValues nix-shell-scripts;
+  paths = lib.attrValues nix-shell-scripts;
  passthru = nix-shell-scripts;
  meta = {
-    description = "collection of scripts associated with uninsane systems";
+    description = "collection of scripts associated with sane systems";
    homepage = "https://git.uninsane.org";
    platforms = lib.platforms.all;
  };
--- a/pkgs/additional/sane-scripts/src/sane-wipe-browser
+++ b/pkgs/additional/sane-scripts/src/sane-wipe-browser
@ -1,4 +1,5 @@
-#!/usr/bin/env bash
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash
 # remove firefox/librewolf/chromium artifacts
 rm -rf \
  ~/.librewolf/default/* \