From 08676fb81d9a4cf914c097061dc5b223f923f375 Mon Sep 17 00:00:00 2001
From: kat witch
Date: Sun, 21 Nov 2021 22:32:02 +0000
Subject: [PATCH] Flakes: Trusted separation
---
 .envrc | 4 +
 empty/.keep | 0
 flake.lock | 15 +-
 flake.nix | 2 +-
 inputs.nix | 25 +-
 trusted/flake.lock | 679 +++++++++++++++++++++++++++++++++++++++++++++
 trusted/flake.nix | 14 +
 7 files changed, 720 insertions(+), 19 deletions(-)
 create mode 100644 empty/.keep
 create mode 100644 trusted/flake.lock
 create mode 100644 trusted/flake.nix
diff --git a/.envrc b/.envrc
index 1d953f4b..aa21f582 100644
--- a/.envrc
+++ b/.envrc
@@ -1 +1,5 @@
+if [[ $(id -un) = kat ]]; then
+ export TRUSTED=1
+fi
+
 use nix
diff --git a/empty/.keep b/empty/.keep
new file mode 100644
index 00000000..e69de29b
diff --git a/flake.lock b/flake.lock
index 2e70eed8..526eda29 100644
--- a/flake.lock
+++ b/flake.lock
@@ -642,18 +642,13 @@ "trusted": { "flake": false, "locked": { - "lastModified": 1637526942, - "narHash": "sha256-XzWMFgRPY5sQwUO01kZLRAvfFPekp7jXJIAqNiQ8wxs=", - "ref": "main", - "rev": "bc613f9528ecf35f0bfbd83ab299f88d7c44f4a0", - "revCount": 87, - "type": "git", - "url": "ssh://git@github.com/kittywitch/nixfiles-trusted" + "narHash": "sha256-pQpattmS9VmO3ZIQUFn66az8GSmB4IvYhTTCFn6SUmo=", + "path": "./empty/.", + "type": "path" }, "original": { - "ref": "main", - "type": "git", - "url": "ssh://git@github.com/kittywitch/nixfiles-trusted" + "path": "./empty/.", + "type": "path" } } },
diff --git a/flake.nix b/flake.nix
index 0d3c954b..eb6e5965 100644
--- a/flake.nix
+++ b/flake.nix
@@ -30,7 +30,7 @@
 };
 flake-utils.url = "github:numtide/flake-utils";
 trusted = {
- url = "git+ssh://git@github.com/kittywitch/nixfiles-trusted?ref=main";
+ url = "path:./empty/.";
 flake = false;
 };
 flake-compat = {
diff --git a/inputs.nix b/inputs.nix
index 3e1a6ca4..b7d46bb7 100644
--- a/inputs.nix
+++ b/inputs.nix
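Review bot: The `TRUSTED=1` export in `.envrc` is decided by the local account name alone (`id -un` equal to `kat`), and the hunk has no comment saying that the variable is only a selector and not an access control. From what the patch shows, the private input is still fetched over `git+ssh`, so an account named `kat` without that key would presumably get a fetch error instead of the `./empty` fallback. I would add a comment above the `if`, for example `# TRUSTED only selects the private input; access is still gated by the SSH key for nixfiles-trusted`.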
@@ -1,9 +1,18 @@
-(import (
- let
- lock = builtins.fromJSON (builtins.readFile ./flake.lock);
- in fetchTarball {
+let
+ lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+ lockTrusted = builtins.fromJSON (builtins.readFile ./trusted/flake.lock);
+ flakeCompat = fetchTarball {
 url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
- sha256 = lock.nodes.flake-compat.locked.narHash; }
-) {
- src = ./.;
-}).defaultNix.inputs
+ sha256 = lock.nodes.flake-compat.locked.narHash;
+ };
+ trusted = import flakeCompat {
+ src = ./trusted;
+ };
+ nixfiles = import flakeCompat {
+ src = ./.;
+ };
+in nixfiles.defaultNix.inputs // {
+ trusted = if builtins.getEnv "TRUSTED" != ""
+ then trusted.defaultNix.inputs.trusted
+ else ./empty;
+}
diff --git a/trusted/flake.lock b/trusted/flake.lock
new file mode 100644
index 00000000..fff4f389
--- /dev/null
+++ b/trusted/flake.lock
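Review bot: The gate `builtins.getEnv "TRUSTED" != ""` in `inputs.nix` treats every non-empty value as opt-in, so `TRUSTED=0` or `TRUSTED=false` would also select the private input. Since `.envrc` exports exactly `1`, the condition could be `trusted = if builtins.getEnv "TRUSTED" == "1"`. `builtins.getEnv` returns an empty string under pure evaluation, so the `./empty` fallback is taken silently there; a short comment on the `else ./empty;` line saying that this is intended would help. Separately, `lockTrusted` is bound in the `let` but never referenced in the hunk, so that line can be dropped.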
@@ -0,0 +1,679 @@ +{ + "nodes": { + "anicca": { + "flake": false, + "locked": { + "lastModified": 1630289335, + "narHash": "sha256-4qkDeukQTwRsctM+VkQb8svxCsY03dZgBI6bHWr6xpo=", + "owner": "kittywitch", + "repo": "anicca", + "rev": "c890bd08f4e34a655ef5ff7561aa74cdc8d85a0a", + "type": "github" + }, + "original": { + "owner": "kittywitch", + "ref": "main", + "repo": "anicca", + "type": "github" + } + }, + "arcexprs": { + "flake": false, + "locked": { + "lastModified": 1637367152, + "narHash": "sha256-6M3dJuONcD9INaBxFlx6U/nd057PD8/NlMN1jacsJE0=", + "owner": "arcnmx", + "repo": "nixexprs", + "rev": "2e83baee2826fe6576304a1a70ada5b642abb1a9", + "type": "github" + }, + "original": { + "owner": "arcnmx", + "ref": "master", + "repo": "nixexprs", + "type": "github" + } + }, + "ci": { + "flake": false, + "locked": { + "lastModified": 1636054324, + "narHash": "sha256-gNC+hYvnTHcUb/7VXJkFMrD4hTPJqcBnuRxEApHH0I4=", + "owner": "arcnmx", + "repo": "ci", + "rev": "fa2cbfb784af2c89cb9af1961bda142ea6e37268", + "type": "github" + }, + "original": { + "owner": "arcnmx", + "ref": "nix2.4", + "repo": "ci", + "type": "github" + } + }, + "doom-emacs": { + "flake": false, + "locked": { + "lastModified": 1626604817, + "narHash": "sha256-z+dvjB02cHU+VQ5EMkzqSdX817PZar9AkmmfK27q0vo=", + "owner": "hlissner", + "repo": "doom-emacs", + "rev": "46732c0adaef147144418f9f284ca6b1183ab96f", + "type": "github" + }, + "original": { + "owner": "hlissner", + "ref": "develop", + "repo": "doom-emacs", + "type": "github" + } + }, + "doom-snippets": { + "flake": false, + "locked": { + "lastModified": 1625547004, + "narHash": "sha256-V+ytAjB4ZZ+5dJJAu1OY7SbnqrokX5PVBWs0AsgQ8Vs=", + "owner": "hlissner", + "repo": "doom-snippets", + "rev": "5c0eb5bd70f035cefb981c2ce64f4367498bdda6", + "type": "github" + }, + "original": { + "owner": "hlissner", + "repo": "doom-snippets", + "type": "github" + } + }, + "emacs-overlay": { + "locked": { + "lastModified": 1637515331, + "narHash": 
"sha256-fLfycI+PrBeRaP8CRdlxj3Kkqib+YlPdQIFCUAoj56w=", + "owner": "nix-community", + "repo": "emacs-overlay", + "rev": "86ceb863bc9cca9150666acce49ee2fe50e73cb0", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "emacs-overlay", + "type": "github" + } + }, + "emacs-overlay_2": { + "flake": false, + "locked": { + "lastModified": 1630603742, + "narHash": "sha256-fYX5y18aHZTnYdBizeeW43NOFvCoT3iXk52dLtS43Gs=", + "owner": "nix-community", + "repo": "emacs-overlay", + "rev": "9c69c4d0ef9d8ed0c5a54697e359d7f3a51fcbb1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "emacs-overlay", + "type": "github" + } + }, + "emacs-so-long": { + "flake": false, + "locked": { + "lastModified": 1575031854, + "narHash": "sha256-xIa5zO0ZaToDrec1OFjBK6l39AbA4l/CE4LInVu2hi0=", + "owner": "hlissner", + "repo": "emacs-so-long", + "rev": "ed666b0716f60e8988c455804de24b55919e71ca", + "type": "github" + }, + "original": { + "owner": "hlissner", + "repo": "emacs-so-long", + "type": "github" + } + }, + "evil-markdown": { + "flake": false, + "locked": { + "lastModified": 1626852210, + "narHash": "sha256-HBBuZ1VWIn6kwK5CtGIvHM1+9eiNiKPH0GUsyvpUVN8=", + "owner": "Somelauw", + "repo": "evil-markdown", + "rev": "8e6cc68af83914b2fa9fd3a3b8472573dbcef477", + "type": "github" + }, + "original": { + "owner": "Somelauw", + "repo": "evil-markdown", + "type": "github" + } + }, + "evil-org-mode": { + "flake": false, + "locked": { + "lastModified": 1607203864, + "narHash": "sha256-JxwqVYDN6OIJEH15MVI6XOZAPtUWUhJQWHyzcrUvrFg=", + "owner": "hlissner", + "repo": "evil-org-mode", + "rev": "a9706da260c45b98601bcd72b1d2c0a24a017700", + "type": "github" + }, + "original": { + "owner": "hlissner", + "repo": "evil-org-mode", + "type": "github" + } + }, + "evil-quick-diff": { + "flake": false, + "locked": { + "lastModified": 1575189609, + "narHash": "sha256-oGzl1ayW9rIuq0haoiFS7RZsS8NFMdEA7K1BSozgnJU=", + "owner": "rgrinberg", + "repo": 
"evil-quick-diff", + "rev": "69c883720b30a892c63bc89f49d4f0e8b8028908", + "type": "github" + }, + "original": { + "owner": "rgrinberg", + "repo": "evil-quick-diff", + "type": "github" + } + }, + "explain-pause-mode": { + "flake": false, + "locked": { + "lastModified": 1595842060, + "narHash": "sha256-++znrjiDSx+cy4okFBBXUBkRFdtnE2x+trkmqjB3Njs=", + "owner": "lastquestion", + "repo": "explain-pause-mode", + "rev": "2356c8c3639cbeeb9751744dbe737267849b4b51", + "type": "github" + }, + "original": { + "owner": "lastquestion", + "repo": "explain-pause-mode", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1627913399, + "narHash": "sha256-hY8g6H2KFL8ownSiFeMOjwPC8P0ueXpCVEbxgda3pko=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "12c64ca55c1014cdc1b16ed5a804aa8576601ff2", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1637014545, + "narHash": "sha256-26IZAc5yzlD9FlDT54io1oqG/bBoyka+FJk5guaX4x4=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "bba5dcc8e0b20ab664967ad83d24d64cb64ec4f4", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "locked": { + "lastModified": 1614513358, + "narHash": "sha256-LakhOx3S1dRjnh0b5Dg3mbZyH0ToC9I8Y2wKSkBaTzU=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5466c5bbece17adaab2d82fae80b46e807611bf3", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "locked": { + "lastModified": 1629481132, + "narHash": "sha256-JHgasjPR0/J1J3DRm4KxM4zTyAj4IOJY8vIl75v/kPI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "997f7efcb746a9c140ce1f13c72263189225f482", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, 
+ "home-manager": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1637481586, + "narHash": "sha256-cvgegmCRfNFuA/vPseMcSptmlNqD2nC0lLI9BQWU46A=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "1abd311eef125e7b64dff723f198d15e5aca2dd4", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "home-manager", + "type": "github" + } + }, + "impermanence": { + "locked": { + "lastModified": 1637278200, + "narHash": "sha256-nwPBJpjHU8J0hhZ6l4Ytvi3qhcxXJVy4jOWurmzSv3A=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "0616c64b0ebcf08cc74db7820e74b807274246f6", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "impermanence", + "type": "github" + } + }, + "katexprs": { + "flake": false, + "locked": { + "lastModified": 1637526127, + "narHash": "sha256-il4PL9sS1buJ7SSw2SgOloR6+4US92bKJEt1+gJbrOw=", + "owner": "kittywitch", + "repo": "nixexprs", + "rev": "46734151d4071718ca1ff1dda289dbb6ff17d8af", + "type": "github" + }, + "original": { + "owner": "kittywitch", + "ref": "main", + "repo": "nixexprs", + "type": "github" + } + }, + "nix-dns": { + "inputs": { + "flake-utils": "flake-utils_2", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1635273082, + "narHash": "sha256-EHiDP2jEa7Ai5ZwIf5uld9RVFcV77+2SUxjQXwJsJa0=", + "owner": "kirelagin", + "repo": "nix-dns", + "rev": "c7b9645da9c0ddce4f9de4ef27ec01bb8108039a", + "type": "github" + }, + "original": { + "owner": "kirelagin", + "ref": "master", + "repo": "nix-dns", + "type": "github" + } + }, + "nix-doom-emacs": { + "inputs": { + "doom-emacs": "doom-emacs", + "doom-snippets": "doom-snippets", + "emacs-overlay": "emacs-overlay_2", + "emacs-so-long": "emacs-so-long", + "evil-markdown": "evil-markdown", + "evil-org-mode": "evil-org-mode", + "evil-quick-diff": "evil-quick-diff", + "explain-pause-mode": "explain-pause-mode", + "flake-utils": "flake-utils_3", + 
"nix-straight": "nix-straight", + "nixpkgs": "nixpkgs_3", + "nose": "nose", + "ob-racket": "ob-racket", + "org": "org", + "org-contrib": "org-contrib", + "org-yt": "org-yt", + "php-extras": "php-extras", + "revealjs": "revealjs", + "rotate-text": "rotate-text", + "straight": "straight" + }, + "locked": { + "lastModified": 1631192516, + "narHash": "sha256-HaS2f8N7uGBz8bGAiC7y9xkWzsrtThpudcoaTsh5OkE=", + "owner": "vlaci", + "repo": "nix-doom-emacs", + "rev": "33064319607745856f488a998ca3db8ffcede865", + "type": "github" + }, + "original": { + "owner": "vlaci", + "ref": "develop", + "repo": "nix-doom-emacs", + "type": "github" + } + }, + "nix-straight": { + "flake": false, + "locked": { + "lastModified": 1628630968, + "narHash": "sha256-eh5QpnX3F8/0iKv1BvyU3KyZ/ksLlRegcd5c41pm/L8=", + "owner": "vlaci", + "repo": "nix-straight.el", + "rev": "e3f8aaff9ba889c6f2ee6c6d349736d21f21c685", + "type": "github" + }, + "original": { + "owner": "vlaci", + "repo": "nix-straight.el", + "type": "github" + } + }, + "nixfiles": { + "inputs": { + "anicca": "anicca", + "arcexprs": "arcexprs", + "ci": "ci", + "emacs-overlay": "emacs-overlay", + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "home-manager": "home-manager", + "impermanence": "impermanence", + "katexprs": "katexprs", + "nix-dns": "nix-dns", + "nix-doom-emacs": "nix-doom-emacs", + "nixpkgs": "nixpkgs_4", + "nur": "nur", + "tf-nix": "tf-nix", + "trusted": [ + "trusted" + ] + }, + "locked": { + "narHash": "sha256-Z68NMWdO7K2nPjE5bibyB6WNDtLsiSsJXq8KiHCrTdg=", + "path": "/nix/store/7vz35n7kdr2fidzxjywdp7k70g8agn7j-source", + "type": "path" + }, + "original": { + "path": "/nix/store/7vz35n7kdr2fidzxjywdp7k70g8agn7j-source", + "type": "path" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1637523980, + "narHash": "sha256-nBbVQHJtR7a+Ctyo67aGc1lwUsoeMhK9PVTh6pB+aYk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "4f871e232b8827b0b1d22bc40bc1b0dfa4473156", + "type": "github" + }, + "original": { + 
"id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1616989418, + "narHash": "sha256-LcOn5wHR/1JwClfY/Ai/b+pSRY+d23QtIPQHwPAyHHI=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "9d8e05e088ad91b7c62886a2175f38bfa443db2c", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1630140382, + "narHash": "sha256-ntXepAHFlAEtaYIU5EzckRUODeeMgpu1u2Yug+4LFNc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "08ef0f28e3a41424b92ba1d203de64257a9fca6a", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixpkgs-unstable", + "type": "indirect" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1637155076, + "narHash": "sha256-26ZPNiuzlsnXpt55Q44+yzXvp385aNAfevzVEKbrU5Q=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "715f63411952c86c8f57ab9e3e3cb866a015b5f2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nose": { + "flake": false, + "locked": { + "lastModified": 1400604510, + "narHash": "sha256-daEi8Kta1oGaDEmUUDDQMahTTPOpvNpDKk22rlr7cB0=", + "owner": "emacsattic", + "repo": "nose", + "rev": "f8528297519eba911696c4e68fa88892de9a7b72", + "type": "github" + }, + "original": { + "owner": "emacsattic", + "repo": "nose", + "type": "github" + } + }, + "nur": { + "locked": { + "lastModified": 1637520800, + "narHash": "sha256-GjX0uYY/xQcPM8YBDVJgYNNp1plFWwzAQbzBwJ0HX5g=", + "owner": "nix-community", + "repo": "nur", + "rev": "fc0758e2f8aa4dac7c4ab42860f07487b1dcadea", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "master", + "repo": "nur", + "type": "github" + } + }, + "ob-racket": { + "flake": false, + "locked": { + "lastModified": 1584656173, + "narHash": "sha256-rBUYDDCXb+3D4xTPQo9UocbTPZ32kWV1Uya/1DmZknU=", + "owner": "xchrishawk", + "repo": "ob-racket", + "rev": 
"83457ec9e1e96a29fd2086ed19432b9d75787673", + "type": "github" + }, + "original": { + "owner": "xchrishawk", + "repo": "ob-racket", + "type": "github" + } + }, + "org": { + "flake": false, + "locked": { + "lastModified": 1629714870, + "narHash": "sha256-D6gUJtzZMpyJBNNn5EKWDCbDDgIXzxMx54fpcQ3DM2o=", + "owner": "emacs-straight", + "repo": "org-mode", + "rev": "a3ba79cd3a120235dae524f49945fbe99df923cf", + "type": "github" + }, + "original": { + "owner": "emacs-straight", + "repo": "org-mode", + "type": "github" + } + }, + "org-contrib": { + "flake": false, + "locked": { + "lastModified": 1623339452, + "narHash": "sha256-E3pioqkmAKQm5N7YsgJZil0/ozkdRE7//tE9FGbrluM=", + "ref": "master", + "rev": "fc81309cf6756607a836f93049a9393c2967c4e0", + "revCount": 2599, + "type": "git", + "url": "https://git.sr.ht/~bzg/org-contrib" + }, + "original": { + "type": "git", + "url": "https://git.sr.ht/~bzg/org-contrib" + } + }, + "org-yt": { + "flake": false, + "locked": { + "lastModified": 1527381913, + "narHash": "sha256-dzQ6B7ryzatHCTLyEnRSbWO0VUiX/FHYnpHTs74aVUs=", + "owner": "TobiasZawada", + "repo": "org-yt", + "rev": "40cc1ac76d741055cbefa13860d9f070a7ade001", + "type": "github" + }, + "original": { + "owner": "TobiasZawada", + "repo": "org-yt", + "type": "github" + } + }, + "php-extras": { + "flake": false, + "locked": { + "lastModified": 1573312690, + "narHash": "sha256-r4WyVbzvT0ra4Z6JywNBOw5RxOEYd6Qe2IpebHXkj1U=", + "owner": "arnested", + "repo": "php-extras", + "rev": "d410c5af663c30c01d461ac476d1cbfbacb49367", + "type": "github" + }, + "original": { + "owner": "arnested", + "repo": "php-extras", + "type": "github" + } + }, + "revealjs": { + "flake": false, + "locked": { + "lastModified": 1630050533, + "narHash": "sha256-gi+vC71xsKXN06QzwohNhFt07+7g6OqjsThXHwrZ5Q0=", + "owner": "hakimel", + "repo": "reveal.js", + "rev": "01d8d669bc2b681b595262ccbe27293eec2fcb44", + "type": "github" + }, + "original": { + "owner": "hakimel", + "repo": "reveal.js", + "type": "github" + } + }, 
+ "root": { + "inputs": { + "nixfiles": "nixfiles", + "trusted": "trusted" + } + }, + "rotate-text": { + "flake": false, + "locked": { + "lastModified": 1322962747, + "narHash": "sha256-SOeOgSlcEIsKhUiYDJv0p+mLUb420s9E2BmvZQvZ0wk=", + "owner": "debug-ito", + "repo": "rotate-text.el", + "rev": "48f193697db996855aee1ad2bc99b38c6646fe76", + "type": "github" + }, + "original": { + "owner": "debug-ito", + "repo": "rotate-text.el", + "type": "github" + } + }, + "straight": { + "flake": false, + "locked": { + "lastModified": 1623633709, + "narHash": "sha256-taLIYnjs9sD8N8PuGO2F7l+O69u0dNPunwzFVTlXjUM=", + "owner": "raxod502", + "repo": "straight.el", + "rev": "1e27b0590df77a5d478970ca58fd6606971692f5", + "type": "github" + }, + "original": { + "owner": "raxod502", + "repo": "straight.el", + "type": "github" + } + }, + "tf-nix": { + "flake": false, + "locked": { + "lastModified": 1637365821, + "narHash": "sha256-wtZ8C8KdnLKku4Wu8mmff6lKJ7043YnJAipCRp860X0=", + "owner": "arcnmx", + "repo": "tf-nix", + "rev": "2e8642b7be0b63807d73a168ea880521de1e83b6", + "type": "github" + }, + "original": { + "owner": "arcnmx", + "ref": "master", + "repo": "tf-nix", + "type": "github" + } + }, + "trusted": { + "flake": false, + "locked": { + "lastModified": 1637526942, + "narHash": "sha256-XzWMFgRPY5sQwUO01kZLRAvfFPekp7jXJIAqNiQ8wxs=", + "ref": "main", + "rev": "bc613f9528ecf35f0bfbd83ab299f88d7c44f4a0", + "revCount": 87, + "type": "git", + "url": "ssh://git@github.com/kittywitch/nixfiles-trusted" + }, + "original": { + "ref": "main", + "type": "git", + "url": "ssh://git@github.com/kittywitch/nixfiles-trusted" + } + } + }, + "root": "root", + "version": 7 +}
diff --git a/trusted/flake.nix b/trusted/flake.nix
new file mode 100644
index 00000000..b3638153
--- /dev/null
+++ b/trusted/flake.nix
@@ -0,0 +1,14 @@
+{
+ inputs = {
+ trusted = {
+ url = "git+ssh://git@github.com/kittywitch/nixfiles-trusted?ref=main";
+ flake = false;
+ };
+ nixfiles = {
+ url = "../.";
+ inputs.trusted.follows = "trusted";
+ };
+ };
+ outputs = { self, trusted, nixfiles, ... }: let
+ in nixfiles;
+}
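Review bot: The `nixfiles` input in `trusted/flake.nix` uses the relative `url = "../."`, and the accompanying `trusted/flake.lock` records it as the absolute path `/nix/store/7vz35n7kdr2fidzxjywdp7k70g8agn7j-source`, so the lock looks tied to one state of the parent tree and will presumably need regenerating whenever the parent changes. A comment above the input, such as `# locked as a store path of the parent checkout; re-lock after changing ../.`, would make that visible. The `outputs` line also has an empty `let … in` and two unused arguments; `outputs = { nixfiles, ... }: nixfiles;` expresses the same thing.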