diff --git a/.gitignore b/.gitignore
index cfe0956..6a84b32 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,4 @@
 result*
 /.direnv
 target
+/.pre-commit-config.yaml
diff --git a/flake.lock b/flake.lock
index 49cf414..866e43b 100644
--- a/flake.lock
+++ b/flake.lock
@@ -59,6 +59,22 @@
 "type": "github" } }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1668681692, + "narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "009399224d5e398d03b22badca40a37ac85412a1", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib"
@@ -92,6 +108,27 @@
 "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "pre-commit-hooks-nix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1673039641,
@@ -126,6 +163,22 @@
 "type": "github" } }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1671271954, + "narHash": "sha256-cSvu+bnvN08sOlTBWbBrKaBHQZq8mvk8bgpt0ZJ2Snc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "d513b448cc2a6da2c8803e3c197c9fc7e67b19e3", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.05", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs-test": { "locked": { "lastModified": 1671812130,
@@ -142,6 +195,32 @@
 "type": "github" } }, + "pre-commit-hooks-nix": { + "inputs": { + "flake-compat": "flake-compat_3", + "flake-utils": [ + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1672912243, + "narHash": "sha256-QnQeKUjco2kO9J4rBqIBPp5XcOMblIMnmyhpjeaJBYc=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "a4548c09eac4afb592ab2614f4a150120b29584c", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, "root": { "inputs": { "crane": "crane",
@@ -150,6 +229,7 @@
 "flake-utils": "flake-utils", "nixpkgs": "nixpkgs", "nixpkgs-test": "nixpkgs-test", + "pre-commit-hooks-nix": "pre-commit-hooks-nix", "rust-overlay": "rust-overlay" } },
diff --git a/flake.nix b/flake.nix
index c7e3324..7ad55c1 100644
--- a/flake.nix
+++ b/flake.nix
@@ -7,6 +7,12 @@
 flake-parts.url = "github:hercules-ci/flake-parts";
+ pre-commit-hooks-nix = {
+ url = "github:cachix/pre-commit-hooks.nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ inputs.flake-utils.follows = "flake-utils";
+ };
+
 # We only have this input to pass it to other dependencies and
 # avoid having mulitple versions in our dependencies.
 flake-utils.url = "github:numtide/flake-utils";
@@ -35,6 +41,9 @@
 imports = [ # Derive the output overlay automatically from all packages that we define.
 inputs.flake-parts.flakeModules.easyOverlay
+
+ # Formatting and quality checks.
+ inputs.pre-commit-hooks-nix.flakeModule
 ];
 flake.nixosModules.lanzaboote = moduleWithSystem (
@@ -45,7 +54,8 @@
 ];
 boot.lanzaboote.package = perSystem.config.packages.lanzatool;
- });
+ }
+ );
 systems = [ "x86_64-linux"
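Review bot: The new `pre-commit-hooks-nix` input only follows `nixpkgs` and `flake-utils`, yet the flake.lock hunks in this same commit show it still pinning its own `nixpkgs-stable` (`nixos-22.05`), `gitignore` and a `flake-compat_3` entry, so the lock gains a second nixpkgs revision and, judging by the `_3` suffix, a third flake-compat copy — the opposite of what the comment right below the new block says the `flake-utils` input exists for. Adding `inputs.nixpkgs-stable.follows = "nixpkgs";` to the new block (and a `flake-compat` follows if the root flake already declares one, which this diff does not show) keeps the set of upstreams that `nix flake update` can pull in to those the project already tracks. Whether the hooks enabled in flake.nix actually need the stable nixpkgs is not visible here, so confirm that before following it.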
@@ -54,37 +64,38 @@
 # "aarch64-linux"
 ];
- perSystem = { config, system, pkgs, ... }: let
- pkgs = import nixpkgs {
- system = system;
- overlays = [
- rust-overlay.overlays.default
- ];
- };
+ perSystem = { config, system, pkgs, ... }:
+ let
+ pkgs = import nixpkgs {
+ system = system;
+ overlays = [
+ rust-overlay.overlays.default
+ ];
+ };
- testPkgs = import nixpkgs-test { system = "x86_64-linux"; };
+ testPkgs = import nixpkgs-test { system = "x86_64-linux"; };
- inherit (pkgs) lib;
+ inherit (pkgs) lib;
- rust-nightly = pkgs.rust-bin.fromRustupToolchainFile ./rust/lanzaboote/rust-toolchain.toml;
- craneLib = crane.lib.x86_64-linux.overrideToolchain rust-nightly;
+ rust-nightly = pkgs.rust-bin.fromRustupToolchainFile ./rust/lanzaboote/rust-toolchain.toml;
+ craneLib = crane.lib.x86_64-linux.overrideToolchain rust-nightly;
- # Build attributes for a Rust application.
- buildRustApp =
- { src
- , target ? null
- , doCheck ? true
- , extraArgs ? { }
- }:
- let
- commonArgs = {
- inherit src;
- CARGO_BUILD_TARGET = target;
- inherit doCheck;
- } // extraArgs;
+ # Build attributes for a Rust application.
+ buildRustApp =
+ { src
+ , target ? null
+ , doCheck ? true
+ , extraArgs ? { }
+ }:
+ let
+ commonArgs = {
+ inherit src;
+ CARGO_BUILD_TARGET = target;
+ inherit doCheck;
+ } // extraArgs;
- cargoArtifacts = craneLib.buildDepsOnly commonArgs;
- in
+ cargoArtifacts = craneLib.buildDepsOnly commonArgs;
+ in
 {
 package = craneLib.buildPackage (commonArgs // {
 inherit cargoArtifacts;
@@ -96,82 +107,98 @@
 });
 };
- lanzabooteCrane = buildRustApp {
- src = craneLib.cleanCargoSource ./rust/lanzaboote;
- target = "x86_64-unknown-uefi";
- doCheck = false;
- };
+ lanzabooteCrane = buildRustApp {
+ src = craneLib.cleanCargoSource ./rust/lanzaboote;
+ target = "x86_64-unknown-uefi";
+ doCheck = false;
+ };
- lanzaboote = lanzabooteCrane.package;
+ lanzaboote = lanzabooteCrane.package;
- lanzatoolCrane = buildRustApp {
- src = ./rust/lanzatool;
- extraArgs = {
- TEST_SYSTEMD = pkgs.systemd;
- checkInputs = with pkgs; [
- binutils-unwrapped
- sbsigntool
+ lanzatoolCrane = buildRustApp {
+ src = ./rust/lanzatool;
+ extraArgs = {
+ TEST_SYSTEMD = pkgs.systemd;
+ checkInputs = with pkgs; [
+ binutils-unwrapped
+ sbsigntool
+ ];
+ };
+ };
+
+ lanzatool-unwrapped = lanzatoolCrane.package;
+ in
+ {
+ packages = {
+ inherit lanzaboote;
+
+ lanzatool = pkgs.runCommand "lanzatool"
+ {
+ nativeBuildInputs = [ pkgs.makeWrapper ];
+ } ''
+ mkdir -p $out/bin
+
+ # Clean PATH to only contain what we need to do objcopy. Also
+ # tell lanzatool where to find our UEFI binaries.
+ makeWrapper ${lanzatool-unwrapped}/bin/lanzatool $out/bin/lanzatool \
+ --set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped pkgs.sbsigntool ]} \
+ --set RUST_BACKTRACE full \
+ --set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi
+ '';
+ };
+
+ overlayAttrs = {
+ inherit (config.packages) lanzatool;
+ };
+
+ checks = {
+ lanzatool-clippy = lanzatoolCrane.clippy;
+ lanzaboote-clippy = lanzabooteCrane.clippy;
+ } // (import ./nix/tests/lanzaboote.nix {
+ inherit pkgs testPkgs;
+ lanzabooteModule = self.nixosModules.lanzaboote;
+ });
+
+ pre-commit = {
+ check.enable = true;
+
+ settings.hooks = {
+ nixpkgs-fmt.enable = true;
+ };
+ };
+
+ devShells.default = pkgs.mkShell {
+ shellHook = ''
+ ${config.pre-commit.installationScript}
+ '';
+
+ packages =
+ let
+ uefi-run = pkgs.callPackage ./nix/packages/uefi-run.nix {
+ inherit craneLib;
+ };
+ in
+ [
+ uefi-run
+ pkgs.openssl
+ (pkgs.sbctl.override {
+ databasePath = "pki";
+ })
+ pkgs.sbsigntool
+ pkgs.efitools
+ pkgs.python39Packages.ovmfvartool
+ pkgs.qemu
+ pkgs.nixpkgs-fmt
+ pkgs.statix
+ ];
+
+ inputsFrom = [
+ config.packages.lanzaboote
+ config.packages.lanzatool
 ];
+
+ TEST_SYSTEMD = pkgs.systemd;
 };
 };
-
- lanzatool-unwrapped = lanzatoolCrane.package;
- in {
- packages = {
- inherit lanzaboote;
-
- lanzatool = pkgs.runCommand "lanzatool" {
- nativeBuildInputs = [ pkgs.makeWrapper ];
- } ''
- mkdir -p $out/bin
-
- # Clean PATH to only contain what we need to do objcopy. Also
- # tell lanzatool where to find our UEFI binaries.
- makeWrapper ${lanzatool-unwrapped}/bin/lanzatool $out/bin/lanzatool \
- --set PATH ${lib.makeBinPath [ pkgs.binutils-unwrapped pkgs.sbsigntool ]} \
- --set RUST_BACKTRACE full \
- --set LANZABOOTE_STUB ${lanzaboote}/bin/lanzaboote.efi
- '';
- };
-
- overlayAttrs = {
- inherit (config.packages) lanzatool;
- };
-
- checks = {
- lanzatool-clippy = lanzatoolCrane.clippy;
- lanzaboote-clippy = lanzabooteCrane.clippy;
- } // (import ./nix/tests/lanzaboote.nix {
- inherit pkgs testPkgs;
- lanzabooteModule = self.nixosModules.lanzaboote;
- });
-
- devShells.default = pkgs.mkShell {
- packages = let
- uefi-run = pkgs.callPackage ./nix/packages/uefi-run.nix {
- inherit craneLib;
- };
- in [
- uefi-run
- pkgs.openssl
- (pkgs.sbctl.override {
- databasePath = "pki";
- })
- pkgs.sbsigntool
- pkgs.efitools
- pkgs.python39Packages.ovmfvartool
- pkgs.qemu
- pkgs.nixpkgs-fmt
- pkgs.statix
- ];
-
- inputsFrom = [
- config.packages.lanzaboote
- config.packages.lanzatool
- ];
-
- TEST_SYSTEMD = pkgs.systemd;
- };
- };
 });
 }
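Review bot: The new `pre-commit.settings.hooks` block turns on only `nixpkgs-fmt`, while the same hunk keeps `pkgs.statix` in the devShell packages; adding `statix.enable = true;` beside `nixpkgs-fmt.enable = true;` would let `check.enable = true` run that lint under `nix flake check` instead of relying on developers to invoke it by hand. The added `shellHook` runs `config.pre-commit.installationScript` on every `nix develop`, which installs the git hooks into the checkout and is presumably why this commit gitignores `/.pre-commit-config.yaml`; a one-line comment above `shellHook`, e.g. `# Installs the git pre-commit hooks (and writes .pre-commit-config.yaml) on shell entry.`, would spare the next reader that cross-reference. The enclosing `perSystem` function starts in the previous hunk.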