sane-scripts: port sane-wipe-browser to nix-shell & remove dead resholve code
parent
2a1d87650b
commit
e1a18cdae1
|
@ -1,111 +1,13 @@
|
||||||
{ lib
|
{ lib
|
||||||
, pkgs
|
, pkgs
|
||||||
, resholve
|
|
||||||
, static-nix-shell
|
, static-nix-shell
|
||||||
, symlinkJoin
|
, symlinkJoin
|
||||||
}:
|
}:
|
||||||
|
|
||||||
let
|
let
|
||||||
shell-scripts = resholve.mkDerivation {
|
|
||||||
# resholve documentation:
|
|
||||||
# - nix: https://github.com/nixos/nixpkgs/blob/master/pkgs/development/misc/resholve/README.md
|
|
||||||
# - generic: https://github.com/abathur/resholve
|
|
||||||
pname = "sane-scripts";
|
|
||||||
version = "0.1.0";
|
|
||||||
|
|
||||||
src = ./src;
|
|
||||||
|
|
||||||
solutions = {
|
|
||||||
default = {
|
|
||||||
# note: `scripts` refers to the store path here
|
|
||||||
scripts = [ "bin/*" ];
|
|
||||||
interpreter = "${pkgs.bash}/bin/bash";
|
|
||||||
inputs = with pkgs; [
|
|
||||||
# string is interpreted as relative path from @OUT@.
|
|
||||||
# this lets our scripts reference eachother.
|
|
||||||
# see: <https://github.com/abathur/resholve/issues/26>
|
|
||||||
"bin"
|
|
||||||
coreutils-full
|
|
||||||
file
|
|
||||||
findutils
|
|
||||||
gnugrep
|
|
||||||
gnused
|
|
||||||
gocryptfs
|
|
||||||
ifuse
|
|
||||||
inetutils
|
|
||||||
iwd
|
|
||||||
jq
|
|
||||||
openssh
|
|
||||||
openssl
|
|
||||||
nix-shell-scripts.ip-check
|
|
||||||
nix-shell-scripts.mount-servo
|
|
||||||
rmlint
|
|
||||||
rsync
|
|
||||||
ssh-to-age
|
|
||||||
sops
|
|
||||||
sudo
|
|
||||||
systemd
|
|
||||||
util-linux
|
|
||||||
which
|
|
||||||
];
|
|
||||||
keep = {
|
|
||||||
# we write here: keep it
|
|
||||||
"/tmp/rmlint.sh" = true;
|
|
||||||
# intentionally escapes (into user code)
|
|
||||||
"$external_cmd" = true;
|
|
||||||
"$maybe_sudo" = true;
|
|
||||||
};
|
|
||||||
fake = {
|
|
||||||
external = [
|
|
||||||
# https://github.com/abathur/resholve/issues/29
|
|
||||||
# "umount"
|
|
||||||
# "/run/wrappers/bin/sudo"
|
|
||||||
"sudo"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
fix = {
|
|
||||||
# this replaces umount with the non-setuid-wrapper umount.
|
|
||||||
# not sure if/where that lack of suid causes problems.
|
|
||||||
umount = true;
|
|
||||||
};
|
|
||||||
prologue = "${./resholve-prologue}";
|
|
||||||
|
|
||||||
# list of programs which *can* or *cannot* exec their arguments
|
|
||||||
execer = with pkgs; [
|
|
||||||
"cannot:${git}/bin/git"
|
|
||||||
"cannot:${gocryptfs}/bin/gocryptfs"
|
|
||||||
"cannot:${ifuse}/bin/ifuse"
|
|
||||||
"cannot:${iwd}/bin/iwctl"
|
|
||||||
"cannot:${openssh}/bin/ssh-keygen"
|
|
||||||
"cannot:${rmlint}/bin/rmlint"
|
|
||||||
"cannot:${rsync}/bin/rsync"
|
|
||||||
"cannot:${sops}/bin/sops"
|
|
||||||
"cannot:${ssh-to-age}/bin/ssh-to-age"
|
|
||||||
"cannot:${systemd}/bin/systemctl"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
patchPhase =
|
|
||||||
let
|
|
||||||
rmPy = builtins.concatStringsSep
|
|
||||||
"\n"
|
|
||||||
(lib.mapAttrsToList (name: pkg: "rm ${pkg.pname}") nix-shell-scripts)
|
|
||||||
;
|
|
||||||
in ''
|
|
||||||
# remove python library files, and python binaries (those are packaged further below)
|
|
||||||
rm -rf lib/
|
|
||||||
${rmPy}
|
|
||||||
'';
|
|
||||||
|
|
||||||
installPhase = ''
|
|
||||||
mkdir -p $out/bin
|
|
||||||
cp -R * $out/bin/
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
nix-shell-scripts = {
|
nix-shell-scripts = {
|
||||||
# anything added to this attrset gets symlink-joined into `sane-scripts`
|
# anything added to this attrset gets symlink-joined into `sane-scripts`
|
||||||
|
# and is made available through `sane-scripts.passthru`
|
||||||
backup-ls = static-nix-shell.mkBash {
|
backup-ls = static-nix-shell.mkBash {
|
||||||
pname = "sane-backup-ls";
|
pname = "sane-backup-ls";
|
||||||
src = ./src;
|
src = ./src;
|
||||||
|
@ -203,8 +105,8 @@ let
|
||||||
src = ./src;
|
src = ./src;
|
||||||
pkgs = [ "sane-scripts.private-unlock" ];
|
pkgs = [ "sane-scripts.private-unlock" ];
|
||||||
};
|
};
|
||||||
private-unlock = static-nix-shell.mkBash {
|
private-init = static-nix-shell.mkBash {
|
||||||
pname = "sane-private-unlock";
|
pname = "sane-private-init";
|
||||||
src = ./src;
|
src = ./src;
|
||||||
pkgs = [ "gocryptfs" ];
|
pkgs = [ "gocryptfs" ];
|
||||||
};
|
};
|
||||||
|
@ -212,8 +114,8 @@ let
|
||||||
pname = "sane-private-lock";
|
pname = "sane-private-lock";
|
||||||
src = ./src;
|
src = ./src;
|
||||||
};
|
};
|
||||||
private-init = static-nix-shell.mkBash {
|
private-unlock = static-nix-shell.mkBash {
|
||||||
pname = "sane-private-init";
|
pname = "sane-private-unlock";
|
||||||
src = ./src;
|
src = ./src;
|
||||||
pkgs = [ "gocryptfs" ];
|
pkgs = [ "gocryptfs" ];
|
||||||
};
|
};
|
||||||
|
@ -227,15 +129,15 @@ let
|
||||||
src = ./src;
|
src = ./src;
|
||||||
pkgs = [ "systemd" ];
|
pkgs = [ "systemd" ];
|
||||||
};
|
};
|
||||||
|
reclaim-boot-space = static-nix-shell.mkPython3Bin {
|
||||||
|
pname = "sane-reclaim-boot-space";
|
||||||
|
src = ./src;
|
||||||
|
};
|
||||||
reclaim-disk-space = static-nix-shell.mkBash {
|
reclaim-disk-space = static-nix-shell.mkBash {
|
||||||
pname = "sane-reclaim-disk-space";
|
pname = "sane-reclaim-disk-space";
|
||||||
src = ./src;
|
src = ./src;
|
||||||
pkgs = [ "nix" "rmlint" "util-linux" ];
|
pkgs = [ "nix" "rmlint" "util-linux" ];
|
||||||
};
|
};
|
||||||
reclaim-boot-space = static-nix-shell.mkPython3Bin {
|
|
||||||
pname = "sane-reclaim-boot-space";
|
|
||||||
src = ./src;
|
|
||||||
};
|
|
||||||
secrets-dump = static-nix-shell.mkBash {
|
secrets-dump = static-nix-shell.mkBash {
|
||||||
pname = "sane-secrets-dump";
|
pname = "sane-secrets-dump";
|
||||||
src = ./src;
|
src = ./src;
|
||||||
|
@ -296,14 +198,18 @@ let
|
||||||
src = ./src;
|
src = ./src;
|
||||||
pkgs = [ "coreutils-full" "file" ];
|
pkgs = [ "coreutils-full" "file" ];
|
||||||
};
|
};
|
||||||
|
wipe-browser = static-nix-shell.mkBash {
|
||||||
|
pname = "sane-wipe-browser";
|
||||||
|
src = ./src;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
in
|
in
|
||||||
symlinkJoin {
|
symlinkJoin {
|
||||||
name = "sane-scripts";
|
name = "sane-scripts";
|
||||||
paths = [ shell-scripts ] ++ lib.attrValues nix-shell-scripts;
|
paths = lib.attrValues nix-shell-scripts;
|
||||||
passthru = nix-shell-scripts;
|
passthru = nix-shell-scripts;
|
||||||
meta = {
|
meta = {
|
||||||
description = "collection of scripts associated with uninsane systems";
|
description = "collection of scripts associated with sane systems";
|
||||||
homepage = "https://git.uninsane.org";
|
homepage = "https://git.uninsane.org";
|
||||||
platforms = lib.platforms.all;
|
platforms = lib.platforms.all;
|
||||||
};
|
};
|
||||||
|
|
|
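Review bot: The new `wipe-browser` entry declares no `pkgs`, unlike its siblings in this attrset (for example `pkgs = [ "coreutils-full" "file" ];` on the entry just above it), and the ported script header is `#!nix-shell -i bash` with no `-p` list. The script runs `rm -rf`, and the removed resholve derivation listed `coreutils-full` among its inputs; after this change `rm` is presumably looked up on the caller's PATH, unless `static-nix-shell.mkBash` supplies coreutils implicitly (its definition is not visible on this page). For a script that recursively deletes under the home directory I would pin the tool explicitly: `pkgs = [ "coreutils-full" ];` here and `#!nix-shell -i bash -p coreutils-full` in `sane-wipe-browser`.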
@ -1,4 +1,5 @@
|
||||||
#!/usr/bin/env bash
|
#!/usr/bin/env nix-shell
|
||||||
|
#!nix-shell -i bash
|
||||||
# remove firefox/librewolf/chromium artifacts
|
# remove firefox/librewolf/chromium artifacts
|
||||||
rm -rf \
|
rm -rf \
|
||||||
~/.librewolf/default/* \
|
~/.librewolf/default/* \
|
||||||
|
|