From 7bd273b15f345cea11d958b3ccecaba463c18893 Mon Sep 17 00:00:00 2001 From: guangtao Date: Tue, 21 Nov 2023 01:27:24 -0800 Subject: [PATCH] feat(apparmor): add hardening binary temp --- .envrc | 15 +- .github/workflows/checks.yaml | 23 +- .gitignore | 7 +- cells/applications/apparmor/default.nix | 5 - cells/kernels/overlays.nix | 20 - cells/main/devshells/default.nix | 16 - cells/main/entrypoints/default.nix | 26 - flake.lock | 892 +++--------------------- flake.nix | 39 +- nix/lock/flake.lock | 704 +++++++++++++++++++ nix/lock/flake.nix | 28 + nix/std/cells/repo/nixago.nix | 24 + nix/std/cells/repo/pops.nix | 39 ++ nix/std/cells/repo/shells/default.nix | 19 + nix/std/cells/repo/tasks/default.nix | 24 + nix/std/flake.lock | 684 ++++++++++++++++++ nix/std/flake.nix | 60 ++ src/__init.nix | 13 + src/apparmor/_temp.nix | 19 + src/apparmor/default.nix | 19 + treefmt.toml | 30 - 21 files changed, 1751 insertions(+), 955 deletions(-) delete mode 100644 cells/applications/apparmor/default.nix delete mode 100644 cells/kernels/overlays.nix delete mode 100644 cells/main/devshells/default.nix delete mode 100644 cells/main/entrypoints/default.nix create mode 100644 nix/lock/flake.lock create mode 100644 nix/lock/flake.nix create mode 100644 nix/std/cells/repo/nixago.nix create mode 100644 nix/std/cells/repo/pops.nix create mode 100644 nix/std/cells/repo/shells/default.nix create mode 100644 nix/std/cells/repo/tasks/default.nix create mode 100644 nix/std/flake.lock create mode 100644 nix/std/flake.nix create mode 100644 src/__init.nix create mode 100644 src/apparmor/_temp.nix create mode 100644 src/apparmor/default.nix delete mode 100644 treefmt.toml diff --git a/.envrc b/.envrc index 0ec69fd..4e4e801 100644 --- a/.envrc +++ b/.envrc 
@@ -1,7 +1,10 @@ -watch_file flake.nix flake.lock \ - cells/* +# Disable the automatic menu displaying on every environment reload. +# export DEVSHELL_NO_MOTD=1 +watch_file flakes.nix flake.lock +watch_file local/flake.nix local/flake.lock +# shellcheck disable=SC1090 +source "$(fetchurl "https://raw.githubusercontent.com/gtrunsec/direnv/main/lib" "sha256-tuMA8WGkwcYq9V3MtlN6xdVvKd2YkdEpdK4ZyAN6VDM=")" -source_url \ - "https://raw.githubusercontent.com/divnix/std/main/direnv_lib.sh" \ - "sha256-stD11PJwf0kM3nR1r8p6lhx9EjakVYV6wBoO7xTvGMg=" -use std cells //main/devshells:default +registry="$PRJ_ROOT/nix/std#__std" + +use envreload //repo/shells/default diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 1f4d742..e3166e3 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -8,24 +8,13 @@ jobs: nix-build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: fetch-depth: 0 - - uses: cachix/install-nix-action@v17 - with: - install_url: https://github.com/numtide/nix-unstable-installer/releases/download/nix-2.8.0pre20220415_b135de2/install - extra_nix_config: | - experimental-features = nix-command flakes - system-features = nixos-test benchmark big-parallel kvm recursive-nix - - - name: Run Flake Show - run: nix -Lv flake show - - name: Build Doc - run: nix develop --show-trace --command -- mkdoc + - uses: DeterminateSystems/nix-installer-action@main + - uses: DeterminateSystems/magic-nix-cache-action@main - - name: Deploy - uses: JamesIves/github-pages-deploy-action@v4.4.0 - with: - branch: gh-pages - folder: ./docs/publish/public + - name: Devshell + run: | + nix develop ./nix/std --command echo hardenedlinux diff --git a/.gitignore b/.gitignore index a8e886a..c8285bb 100644 --- a/.gitignore +++ b/.gitignore @@ -3,5 +3,10 @@ *.log tmp/ - +/.data .std + +# nixago: ignore-linked-files +/.conform.yaml +/treefmt.toml +/lefthook.yml \ No newline at end of file 
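Review bot: `watch_file flakes.nix flake.lock` names a file that is not in this patch's file list (the repository file is `flake.nix`), so direnv will not reload when `flake.nix` changes; the next line's `watch_file local/flake.nix local/flake.lock` likewise points at paths this commit never creates, whereas it does add `nix/lock/flake.nix` and `nix/lock/flake.lock` and sets `registry="$PRJ_ROOT/nix/std#__std"` — I am inferring the intended targets from those paths, so confirm. Suggested lines: `watch_file flake.nix flake.lock` and `watch_file nix/lock/flake.nix nix/lock/flake.lock`. The helper library is fetched from a moving `main` branch URL, but `fetchurl` is given an SRI hash, so an upstream change should fail the hash check rather than silently run new code; a one-line comment above the `source` line saying that the hash is the pin and must be bumped deliberately would save the next maintainer who hits the mismatch from "fixing" it by dropping the hash.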
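Review bot: The two new steps `uses: DeterminateSystems/nix-installer-action@main` and `uses: DeterminateSystems/magic-nix-cache-action@main` reference a mutable branch, so each CI run executes whatever that branch contains at run time, while the steps this hunk removes were version-pinned (`cachix/install-nix-action@v17`, `JamesIves/github-pages-deploy-action@v4.4.0`). Pin both to a release tag, or preferably a full commit SHA with the tag in a trailing comment, e.g. `- uses: DeterminateSystems/nix-installer-action@<commit-sha-placeholder> # <release-tag-placeholder>`. The hunk also drops `nix -Lv flake show`, leaving `nix develop ./nix/std --command echo hardenedlinux` as the only check, which exercises the `nix/std` devshell but never evaluates the top-level `flake.nix` outputs this commit rewrites; if those are meant to be validated, add a `nix flake show` (or `nix flake check`) step against the repository root.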
diff --git a/cells/applications/apparmor/default.nix b/cells/applications/apparmor/default.nix deleted file mode 100644 index 896b56a..0000000 --- a/cells/applications/apparmor/default.nix +++ /dev/null @@ -1,5 +0,0 @@ -{ inputs, cell }: - -{ - -} diff --git a/cells/kernels/overlays.nix b/cells/kernels/overlays.nix deleted file mode 100644 index 08cc485..0000000 --- a/cells/kernels/overlays.nix +++ /dev/null @@ -1,20 +0,0 @@ -{ - inputs, - cell, -}: { - patchedKernel = { - kernel, - lib, - ... - }: - kernel.override { - kernelPatches = lib.lists.unique [ - { - name = "example-config"; - patch = null; - extraConfig = '' - ''; - } - ]; - }; -} diff --git a/cells/main/devshells/default.nix b/cells/main/devshells/default.nix deleted file mode 100644 index 5911d84..0000000 --- a/cells/main/devshells/default.nix +++ /dev/null @@ -1,16 +0,0 @@ -{ - inputs, - cell, -}: let - l = nixpkgs.lib // builtins; - inherit (inputs) nixpkgs std; -in - l.mapAttrs (_: std.std.lib.mkShell) { - default = {...}: { - name = "HardenedNixOS"; - imports = [ - inputs.cells-lab.main.devshellProfiles.default - inputs.cells-lab.main.devshellProfiles.docs - ]; - }; - } diff --git a/cells/main/entrypoints/default.nix b/cells/main/entrypoints/default.nix deleted file mode 100644 index b22d032..0000000 --- a/cells/main/entrypoints/default.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ - inputs, - cell, -}: let - inherit (inputs.cells-lab._writers.library) writeShellApplication; - inherit (inputs) self nixpkgs std; -in { - mkdoc = let - org-roam-book = inputs.org-roam-book-template.packages.${nixpkgs.system}.default.override { - org = "${(std.incl self [ - (self + /docs/org) - ])}/docs/org"; - }; - in - writeShellApplication { - name = "mkdoc"; - runtimeInputs = [nixpkgs.hugo]; - text = '' - rsync -avzh ${org-roam-book}/* docs/publish - cd docs/publish && cp ../config.toml . - hugo - cp -rf --no-preserve=mode,ownership public/posts/index.html ./public/ - "$@" - ''; - }; -} 
diff --git a/flake.lock b/flake.lock index 9b763bb..762a67b 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,580 +1,160 @@ { "nodes": { - "cells-lab": { - "inputs": { - "data-merge": "data-merge", - "kroki-preprocessor": "kroki-preprocessor", - "latest": "latest", - "nixos": "nixos", - "nixpkgs": "nixpkgs_3", - "org-roam-book-template": "org-roam-book-template", - "std": "std_2", - "yants": [ - "cells-lab", - "std", - "yants" - ] - }, - "locked": { - "lastModified": 1659241050, - "narHash": "sha256-/iJv/36gOBlj14jbQ3VifW0/lYT72E1ImeYyVzvK2jU=", - "owner": "GTrunSec", - "repo": "cells-lab", - "rev": "96bb694fcf0c46142f79720fc59269de7a79997d", - "type": "github" - }, - "original": { - "owner": "GTrunSec", - "repo": "cells-lab", - "type": "github" - } - }, - "cortex": { - "flake": false, - "locked": { - "lastModified": 1643528409, - "narHash": "sha256-ldmenmCzCEuuBlMtaQYe79vYbcTORgkCXgYgGkOzkL8=", - "owner": "gtrunsec", - "repo": "cortex", - "rev": "ad9a963534e5be323a33eaf0f9aa3e914cca8093", - "type": "github" - }, - "original": { - "owner": "gtrunsec", - "repo": "cortex", - "type": "github" - } - }, - "cortex_2": { - "flake": false, - "locked": { - "lastModified": 1643528409, - "narHash": "sha256-ldmenmCzCEuuBlMtaQYe79vYbcTORgkCXgYgGkOzkL8=", - "owner": "gtrunsec", - "repo": "cortex", - "rev": "ad9a963534e5be323a33eaf0f9aa3e914cca8093", - "type": "github" - }, - "original": { - "owner": "gtrunsec", - "repo": "cortex", - "type": "github" - } - }, - "data-merge": { + "POP": { "inputs": { + "flake-compat": [ + "omnibus", + "flops" + ], "nixlib": "nixlib", - "yants": [ - "cells-lab", - "std", - "yants" + "nixpkgs": [ + "omnibus", + "flops" ] }, "locked": { - "lastModified": 1655854240, - "narHash": "sha256-j74ixD7Y0bF3h0fBJFKPR9botlrMu0fgG/YsiUKybko=", + "lastModified": 1655410953, + "narHash": "sha256-Er0zdhu7QwpWvVKfauqZqTnxDz6THTWOTVWLoz+Opmw=", "owner": "divnix", - "repo": "data-merge", - "rev": "0bbe0a68d4ee090b8bbad0c5e1e85060d2bdfe98", + "repo": "POP", + "rev": "8babe4c9126298d05ebb5ab04727d741b51c022e", "type": "github" }, "original": { "owner": "divnix", - 
"repo": "data-merge", + "repo": "POP", "type": "github" } }, - "data-merge_2": { - "inputs": { - "nixlib": [ - "cells-lab", - "std", - "nixpkgs" - ], - "yants": [ - "cells-lab", - "std", - "yants" - ] - }, + "call-flake": { "locked": { - "lastModified": 1655854240, - "narHash": "sha256-j74ixD7Y0bF3h0fBJFKPR9botlrMu0fgG/YsiUKybko=", + "lastModified": 1697332845, + "narHash": "sha256-bmhE1TmrJG4ba93l9WQTLuYM53kwGQAjYHRvHOeuxWU=", "owner": "divnix", - "repo": "data-merge", - "rev": "0bbe0a68d4ee090b8bbad0c5e1e85060d2bdfe98", + "repo": "call-flake", + "rev": "088f8589c7f3ee59bea1858a89f5125d284c3c4a", "type": "github" }, "original": { "owner": "divnix", - "repo": "data-merge", + "repo": "call-flake", "type": "github" } }, - "data-merge_3": { + "dmerge": { "inputs": { + "haumea": [ + "omnibus", + "flops", + "haumea" + ], "nixlib": [ - "std", - "nixpkgs" + "omnibus", + "flops", + "nixlib" ], "yants": [ - "std", + "omnibus", + "flops", "yants" ] }, "locked": { - "lastModified": 1655854240, - "narHash": "sha256-j74ixD7Y0bF3h0fBJFKPR9botlrMu0fgG/YsiUKybko=", + "lastModified": 1686862774, + "narHash": "sha256-ojGtRQ9pIOUrxsQEuEPerUkqIJEuod9hIflfNkY+9CE=", "owner": "divnix", - "repo": "data-merge", - "rev": "0bbe0a68d4ee090b8bbad0c5e1e85060d2bdfe98", + "repo": "dmerge", + "rev": "9f7f7a8349d33d7bd02e0f2b484b1f076e503a96", "type": "github" }, "original": { "owner": "divnix", - "repo": "data-merge", + "repo": "dmerge", "type": "github" } }, - "devshell": { + "flops": { "inputs": { - "flake-utils": "flake-utils", - "nixpkgs": [ - "cells-lab", - "kroki-preprocessor", - "std", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1650900878, - "narHash": "sha256-qhNncMBSa9STnhiLfELEQpYC1L4GrYHNIzyCZ/pilsI=", - "owner": "numtide", - "repo": "devshell", - "rev": "d97df53b5ddaa1cfbea7cddbd207eb2634304733", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_2": { - "inputs": { - "flake-utils": [ - "cells-lab", - 
"std", - "flake-utils" - ], - "nixpkgs": [ - "cells-lab", - "std", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1658746384, - "narHash": "sha256-CCJcoMOcXyZFrV1ag4XMTpAPjLWb4Anbv+ktXFI1ry0=", - "owner": "numtide", - "repo": "devshell", - "rev": "0ffc7937bb5e8141af03d462b468bd071eb18e1b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "devshell_3": { - "inputs": { - "flake-utils": [ - "std", - "flake-utils" - ], - "nixpkgs": [ - "std", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1658746384, - "narHash": "sha256-CCJcoMOcXyZFrV1ag4XMTpAPjLWb4Anbv+ktXFI1ry0=", - "owner": "numtide", - "repo": "devshell", - "rev": "0ffc7937bb5e8141af03d462b468bd071eb18e1b", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "devshell", - "type": "github" - } - }, - "emacs-overlay": { - "inputs": { - "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_4" - }, - "locked": { - "lastModified": 1653452277, - "narHash": "sha256-brrORMUToSSoFGfSeVAJ7cRq+e03lWBztSPRqgbkRtg=", - "owner": "nix-community", - "repo": "emacs-overlay", - "rev": "2a9b6c9109e73e7c2c3b5de32577a1365926524c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "emacs-overlay", - "type": "github" - } - }, - "emacs-overlay_2": { - "inputs": { - "flake-utils": "flake-utils_5", - "nixpkgs": "nixpkgs_6" - }, - "locked": { - "lastModified": 1653452277, - "narHash": "sha256-brrORMUToSSoFGfSeVAJ7cRq+e03lWBztSPRqgbkRtg=", - "owner": "nix-community", - "repo": "emacs-overlay", - "rev": "2a9b6c9109e73e7c2c3b5de32577a1365926524c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "emacs-overlay", - "type": "github" - } - }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", - 
"type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_2": { - "flake": false, - "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-utils": { - "locked": { - "lastModified": 1642700792, - "narHash": "sha256-XqHrk7hFb+zBvRg6Ghl+AZDq03ov6OshJLiSWOoX5es=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "846b2ae0fc4cc943637d3d1def4454213e203cba", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_2": { - "locked": { - "lastModified": 1652776076, - "narHash": "sha256-gzTw/v1vj4dOVbpBSJX4J0DwUR6LIyXo7/SuuTJp1kM=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "04c1b180862888302ddfb2e3ad9eaa63afc60cf8", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_3": { - "locked": { - "lastModified": 1652557277, - "narHash": "sha256-jSes9DaIVMdmwBB78KkFUVrlDzawmD62vrUg0GS2500=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "12806d31a381e7cd169a6bac35590e7b36dc5fe5", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_4": { - "locked": { - "lastModified": 1656928814, - "narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "7e2a3b3dfd9af950a856d66b0a7d01e3c18aa249", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_5": { - "locked": { - "lastModified": 1652776076, - "narHash": 
"sha256-gzTw/v1vj4dOVbpBSJX4J0DwUR6LIyXo7/SuuTJp1kM=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "04c1b180862888302ddfb2e3ad9eaa63afc60cf8", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_6": { - "locked": { - "lastModified": 1652557277, - "narHash": "sha256-jSes9DaIVMdmwBB78KkFUVrlDzawmD62vrUg0GS2500=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "12806d31a381e7cd169a6bac35590e7b36dc5fe5", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_7": { - "locked": { - "lastModified": 1656928814, - "narHash": "sha256-RIFfgBuKz6Hp89yRr7+NR5tzIAbn52h8vT6vXkYjZoM=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "7e2a3b3dfd9af950a856d66b0a7d01e3c18aa249", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "kroki-preprocessor": { - "inputs": { - "nixpkgs": "nixpkgs", - "std": "std" - }, - "locked": { - "lastModified": 1655687430, - "narHash": "sha256-09lvyK6vlyZckdiySPLnPNtW/uLsdnYpNixVCS8L3f0=", - "owner": "input-output-hk", - "repo": "mdbook-kroki-preprocessor", - "rev": "6d6ece622dbf0f8e3b3ede12f833f67796a4af13", - "type": "github" - }, - "original": { - "owner": "input-output-hk", - "repo": "mdbook-kroki-preprocessor", - "type": "github" - } - }, - "latest": { - "locked": { - "lastModified": 1659225244, - "narHash": "sha256-VRXvDEFR+V28+TFWzwSVqog4l45sGNc8gfckPZVp2Sc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "6d1f689374e40db874f08ce5903298d1c14b2724", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "master", - "repo": "nixpkgs", - "type": "github" - } - }, - "mdbook-kroki-preprocessor": { - "flake": false, - "locked": { - "lastModified": 1655670640, - "narHash": "sha256-JjqdxftHBjABTkOpFl3cWUJtc/KGwkQ3NRWGLjH2oUs=", - "owner": "JoelCourtney", - "repo": "mdbook-kroki-preprocessor", - 
"rev": "bb6e607437ecc3f22fd9036acee6b797a5b45dbc", - "type": "github" - }, - "original": { - "owner": "JoelCourtney", - "repo": "mdbook-kroki-preprocessor", - "type": "github" - } - }, - "mdbook-kroki-preprocessor_2": { - "flake": false, - "locked": { - "lastModified": 1655670640, - "narHash": "sha256-JjqdxftHBjABTkOpFl3cWUJtc/KGwkQ3NRWGLjH2oUs=", - "owner": "JoelCourtney", - "repo": "mdbook-kroki-preprocessor", - "rev": "bb6e607437ecc3f22fd9036acee6b797a5b45dbc", - "type": "github" + "POP": "POP", + "call-flake": "call-flake", + "dmerge": "dmerge", + "haumea": "haumea", + "nixlib": "nixlib_2", + "yants": "yants" }, - "original": { - "owner": "JoelCourtney", - "repo": "mdbook-kroki-preprocessor", - "type": "github" - } - }, - "nix-filter": { "locked": { - "lastModified": 1649838635, - "narHash": "sha256-P1h48+l9vUvMz4JwHBgkTXiX6mE8oYR75vBVUbe6Cuc=", - "owner": "numtide", - "repo": "nix-filter", - "rev": "40a58baa248a8b335e2d66ca258a74248af9d834", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "nix-filter", - "type": "github" - } - }, - "nix-filter_2": { - "locked": { - "lastModified": 1649838635, - "narHash": "sha256-P1h48+l9vUvMz4JwHBgkTXiX6mE8oYR75vBVUbe6Cuc=", - "owner": "numtide", - "repo": "nix-filter", - "rev": "40a58baa248a8b335e2d66ca258a74248af9d834", + "lastModified": 1700393419, + "narHash": "sha256-X1KmAkI5eJ4S2Apny1jQc8fjk8Ao567Bz4GUYk3tAA4=", + "owner": "gtrunsec", + "repo": "flops", + "rev": "576a1ca5d0a3b005583bb25e76268f96b24a2fe2", "type": "github" }, "original": { - "owner": "numtide", - "repo": "nix-filter", + "owner": "gtrunsec", + "repo": "flops", "type": "github" } }, - "nixago": { + "haumea": { "inputs": { - "flake-utils": [ - "cells-lab", - "std", - "flake-utils" - ], - "nixago-exts": "nixago-exts", "nixpkgs": [ - "cells-lab", - "std", - "nixpkgs" + "omnibus", + "flops", + "nixlib" ] }, "locked": { - "lastModified": 1659153038, - "narHash": "sha256-g4npRU8YBR7CAqMF0SyXtkHnoY9q+NcxvZwcc6UvLBc=", + "lastModified": 
1697205539, + "narHash": "sha256-gHEy0Q+eEQJkWl6/DpFxXPOlTx/lMU7Pvs/bwoq4OhI=", "owner": "nix-community", - "repo": "nixago", - "rev": "608abdd0fe6729d1f7244e03f1a7f8a5d6408898", + "repo": "haumea", + "rev": "fc119c500189f739fec7ad33d111f9c92910eccf", "type": "github" }, "original": { "owner": "nix-community", - "repo": "nixago", + "repo": "haumea", "type": "github" } }, - "nixago-exts": { + "nixlib": { "locked": { - "lastModified": 1625557891, - "narHash": "sha256-O8/MWsPBGhhyPoPLHZAuoZiiHo9q6FLlEeIDEXuj6T4=", - "owner": "divnix", - "repo": "blank", - "rev": "5a5d2684073d9f563072ed07c871d577a6c614a8", - "type": "github" - }, - "original": { + "lastModified": 1653180592, + "narHash": "sha256-sVGwmxTj7CY1D4ioy7E+iJE+1/yHqQlxjnTpar3ap/E=", "owner": "nix-community", - "repo": "nixago-extensions", - "type": "github" - } - }, - "nixago-exts_2": { - "locked": { - "lastModified": 1625557891, - "narHash": "sha256-O8/MWsPBGhhyPoPLHZAuoZiiHo9q6FLlEeIDEXuj6T4=", - "owner": "divnix", - "repo": "blank", - "rev": "5a5d2684073d9f563072ed07c871d577a6c614a8", + "repo": "nixpkgs.lib", + "rev": "42c5f5785b70cd64b4afd830dc31d0b08461abd5", "type": "github" }, "original": { "owner": "nix-community", - "repo": "nixago-extensions", + "repo": "nixpkgs.lib", "type": "github" } }, - "nixago_2": { - "inputs": { - "flake-utils": [ - "std", - "flake-utils" - ], - "nixago-exts": "nixago-exts_2", - "nixpkgs": [ - "std", - "nixpkgs" - ] - }, + "nixlib_2": { "locked": { - "lastModified": 1659153038, - "narHash": "sha256-g4npRU8YBR7CAqMF0SyXtkHnoY9q+NcxvZwcc6UvLBc=", + "lastModified": 1698540503, + "narHash": "sha256-YN6DJQc7SMe6ep9FhD2BGl92bo24NPNRWjADEJE4xeU=", "owner": "nix-community", - "repo": "nixago", - "rev": "608abdd0fe6729d1f7244e03f1a7f8a5d6408898", + "repo": "nixpkgs.lib", + "rev": "ce2acb20a405bf6f910081c2adc988bbc8100e4c", "type": "github" }, "original": { "owner": "nix-community", - "repo": "nixago", + "repo": "nixpkgs.lib", "type": "github" } }, - "nixlib": { + "nixpkgs": { "locked": 
{ - "lastModified": 1658624354, - "narHash": "sha256-1mCjgw0VmWgsxq1w0Bd6yFsGQSp68q7iZO3EjzaZ6/Y=", + "lastModified": 1660438583, + "narHash": "sha256-rJUTYxFKlWUJI3njAwEc1pKAVooAViZGJvsgqfh/q/E=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "96a5084b9466c58b4a940d8c2eb104f8301f8045", + "rev": "bbd8f7cd87d0b29294ef3072ffdbd61d60f05da4", "type": "github" }, "original": { 
@@ -583,342 +163,44 @@ "type": "github" } }, - "nixos": { - "locked": { - "lastModified": 1659052185, - "narHash": "sha256-TUbwbzCbprtWB9EtXPM52cWuKETuCV3H+cMXjLRbwTw=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "9370544d849be8a07193e7611d02e6f6f1b10768", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixos-22.05", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1652059086, - "narHash": "sha256-CjHSbr6LSFkN4YBdTB6+8ZQmSqhsbiXqAeQ9hQJ/gBI=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "934e076a441e318897aa17540f6cf7caadc69028", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_2": { - "locked": { - "lastModified": 1650469885, - "narHash": "sha256-BuILRZ6pzMnGey8/irbjGq1oo3vIvZa1pitSdZCmIXA=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "df78cc4e2a46fca75d14508a5d2ed3494add28ff", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { - "locked": { - "lastModified": 1659190188, - "narHash": "sha256-LudYrDFPFaQMW0l68TYkPWRPKmqpxIFU1nWfylIp9AQ=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "a3fddd46a7f3418d7e3940ded94701aba569161d", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_4": { - "locked": { - "lastModified": 1653326962, - "narHash": "sha256-W8feCYqKTsMre4nAEpv5Kx1PVFC+hao/LwqtB2Wci/8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "41cc1d5d9584103be4108c1815c350e07c807036", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "nixpkgs_5": { - "locked": { - "lastModified": 1659254610, - "narHash": "sha256-ee5W5MLWZ3kdx5hwOUs6trOJit+GeTDfG+Lg3rANKoc=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": 
"67f49b2a3854e8b5e3f9df4422225daa0985f451", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_6": { - "locked": { - "lastModified": 1653326962, - "narHash": "sha256-W8feCYqKTsMre4nAEpv5Kx1PVFC+hao/LwqtB2Wci/8=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "41cc1d5d9584103be4108c1815c350e07c807036", - "type": "github" - }, - "original": { - "id": "nixpkgs", - "type": "indirect" - } - }, - "org-roam-book-template": { - "inputs": { - "cortex": "cortex", - "emacs-overlay": "emacs-overlay", - "flake-compat": "flake-compat", - "flake-utils": "flake-utils_3", - "nix-filter": "nix-filter", - "nixpkgs": [ - "cells-lab", - "nixpkgs" - ], - "ox-hugo": "ox-hugo" - }, - "locked": { - "lastModified": 1653465413, - "narHash": "sha256-4jAVzlhd5CZJoTYa/H/9VFPs6rPfO37RKT6DuwDGW3Q=", - "owner": "gtrunsec", - "repo": "org-roam-book-template", - "rev": "36172583dee5ee8427e7945fab122cd740d553e3", - "type": "github" - }, - "original": { - "owner": "gtrunsec", - "repo": "org-roam-book-template", - "type": "github" - } - }, - "org-roam-book-template_2": { + "omnibus": { "inputs": { - "cortex": "cortex_2", - "emacs-overlay": "emacs-overlay_2", - "flake-compat": "flake-compat_2", - "flake-utils": "flake-utils_6", - "nix-filter": "nix-filter_2", - "nixpkgs": [ - "nixpkgs" - ], - "ox-hugo": "ox-hugo_2" + "flops": "flops" }, "locked": { - "lastModified": 1653465413, - "narHash": "sha256-4jAVzlhd5CZJoTYa/H/9VFPs6rPfO37RKT6DuwDGW3Q=", + "lastModified": 1700471681, + "narHash": "sha256-FF1MiWMKZWTTjwtgCQy5Fbv/bFsVmjsIX9MY2y3IQSc=", "owner": "gtrunsec", - "repo": "org-roam-book-template", - "rev": "36172583dee5ee8427e7945fab122cd740d553e3", + "repo": "omnibus", + "rev": "216e428e311fd5c1fab7bdca46703aee2076985a", "type": "github" }, "original": { "owner": "gtrunsec", - "repo": "org-roam-book-template", - "type": "github" - } - }, - "ox-hugo": { - "flake": false, - "locked": { - "lastModified": 
1653335734, - "narHash": "sha256-yMhuo+bof6zmEezDkyaG3MxxpOebaIvSuXL1VZwRCgE=", - "owner": "kaushalmodi", - "repo": "ox-hugo", - "rev": "eac4b45955e552de515eed7bc269e26a557a40e3", - "type": "github" - }, - "original": { - "owner": "kaushalmodi", - "repo": "ox-hugo", - "type": "github" - } - }, - "ox-hugo_2": { - "flake": false, - "locked": { - "lastModified": 1653335734, - "narHash": "sha256-yMhuo+bof6zmEezDkyaG3MxxpOebaIvSuXL1VZwRCgE=", - "owner": "kaushalmodi", - "repo": "ox-hugo", - "rev": "eac4b45955e552de515eed7bc269e26a557a40e3", - "type": "github" - }, - "original": { - "owner": "kaushalmodi", - "repo": "ox-hugo", + "repo": "omnibus", "type": "github" } }, "root": { "inputs": { - "cells-lab": "cells-lab", - "nixpkgs": "nixpkgs_5", - "org-roam-book-template": "org-roam-book-template_2", - "std": "std_3" - } - }, - "std": { - "inputs": { - "devshell": "devshell", - "nixpkgs": "nixpkgs_2", - "yants": "yants" - }, - "locked": { - "lastModified": 1651690129, - "narHash": "sha256-M3zYXGhio1uOoA9vudLlNOHI2pKyA4Zlfy1ZiGoShto=", - "owner": "divnix", - "repo": "std", - "rev": "a65cbc4adddc95118331e178a3f3b88f03a0b50b", - "type": "github" - }, - "original": { - "owner": "divnix", - "repo": "std", - "type": "github" - } - }, - "std_2": { - "inputs": { - "data-merge": "data-merge_2", - "devshell": "devshell_2", - "flake-utils": "flake-utils_4", - "mdbook-kroki-preprocessor": "mdbook-kroki-preprocessor", - "nixago": "nixago", - "nixpkgs": [ - "cells-lab", - "nixpkgs" - ], - "yants": "yants_2" - }, - "locked": { - "lastModified": 1659158987, - "narHash": "sha256-BSj2UPi8iYo38dkzN9KXOq4K4GOPQX3xe/UQNuccOnI=", - "owner": "divnix", - "repo": "std", - "rev": "541532874f49eee88e73a077a265ae7dfeb39bfa", - "type": "github" - }, - "original": { - "owner": "divnix", - "repo": "std", - "type": "github" - } - }, - "std_3": { - "inputs": { - "data-merge": "data-merge_3", - "devshell": "devshell_3", - "flake-utils": "flake-utils_7", - "mdbook-kroki-preprocessor": 
"mdbook-kroki-preprocessor_2", - "nixago": "nixago_2", - "nixpkgs": [ - "nixpkgs" - ], - "yants": "yants_3" - }, - "locked": { - "lastModified": 1659301347, - "narHash": "sha256-qI3tH5Hd7nB9P5KO8/i6+KQJpVOjxR6BOyQR4XTHk/c=", - "owner": "divnix", - "repo": "std", - "rev": "caa3c2ed85b7a5877c9be8340fcaf549566f2973", - "type": "github" - }, - "original": { - "owner": "divnix", - "repo": "std", - "type": "github" + "omnibus": "omnibus" } }, "yants": { "inputs": { - "nixpkgs": [ - "cells-lab", - "kroki-preprocessor", - "std", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1645126146, - "narHash": "sha256-XQ1eg4gzXoc7Tl8iXak1uCt3KnsTyxqPtLE+vOoDnrQ=", - "owner": "divnix", - "repo": "yants", - "rev": "77df2be1b3cce9f571c6cf451f786b266a6869cc", - "type": "github" - }, - "original": { - "owner": "divnix", - "repo": "yants", - "type": "github" - } - }, - "yants_2": { - "inputs": { - "nixpkgs": [ - "cells-lab", - "std", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1645126146, - "narHash": "sha256-XQ1eg4gzXoc7Tl8iXak1uCt3KnsTyxqPtLE+vOoDnrQ=", - "owner": "divnix", - "repo": "yants", - "rev": "77df2be1b3cce9f571c6cf451f786b266a6869cc", - "type": "github" - }, - "original": { - "owner": "divnix", - "repo": "yants", - "type": "github" - } - }, - "yants_3": { - "inputs": { - "nixpkgs": [ - "std", - "nixpkgs" - ] + "nixpkgs": "nixpkgs" }, "locked": { - "lastModified": 1645126146, - "narHash": "sha256-XQ1eg4gzXoc7Tl8iXak1uCt3KnsTyxqPtLE+vOoDnrQ=", + "lastModified": 1699522279, + "narHash": "sha256-ILTqQyhVsouZDfbhEVFJI6b3NDZIQQRluL2dk3bee+Y=", "owner": "divnix", "repo": "yants", - "rev": "77df2be1b3cce9f571c6cf451f786b266a6869cc", + "rev": "cde27c2821d925245303650c2914d4b7d3a435cd", "type": "github" }, "original": { "owner": "divnix", + "ref": "refs/pull/5/head", "repo": "yants", "type": "github" } diff --git a/flake.nix b/flake.nix index ed89dea..e8ad8d8 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,34 +1,15 @@ { - inputs = { - std.url = "github:divnix/std"; - std.inputs.nixpkgs.follows = "nixpkgs"; - - nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + description = "HardenedNixOS"; - org-roam-book-template.url = "github:gtrunsec/org-roam-book-template"; - org-roam-book-template.inputs.nixpkgs.follows = "nixpkgs"; - - cells-lab.url = "github:GTrunSec/cells-lab"; + inputs = { + omnibus.url = "github:gtrunsec/omnibus"; }; - outputs = {std, ...} @ inputs: - std.growOn { - inherit inputs; - cellsFrom = ./cells; - organelles = [ - (std.installables "packages") - - (std.functions "devshellProfiles") - (std.devshells "devshells") - - (std.runnables "entrypoints") - - (std.functions "library") - - (std.functions "overlays") - (std.functions "apparmor") - ]; - } { - devShells = inputs.std.harvest inputs.self ["main" "devshells"]; - }; + outputs = + { self, omnibus }@inputs: + let + src = import ./src/__init.nix {inherit inputs omnibus;}; + inherit (omnibus.lib) mapPopsExports; + in + mapPopsExports src // { pops = src; }; } diff --git a/nix/lock/flake.lock b/nix/lock/flake.lock new file mode 100644 index 0000000..a365e19 --- /dev/null +++ b/nix/lock/flake.lock 
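Review bot: `{ self, omnibus }@inputs` binds `self` but the body never uses it directly (it reaches `./src/__init.nix` only through `inputs`), and `{inherit inputs omnibus;}` passes `omnibus` twice since it is already a member of `inputs`; both are harmless today but the redundancy invites drift if the `__init.nix` signature changes, so either drop `self` from the pattern or pass only `inputs`. The new `outputs` is also undocumented: a short comment above it stating that `src/__init.nix` builds the pops tree, `mapPopsExports` flattens it into flake outputs, and `pops = src` exposes the raw tree would spare a reader a trip into omnibus (I am inferring those roles from the names, so confirm against omnibus). The flake no longer declares a `nixpkgs` input of its own, so whichever nixpkgs the `src` tree evaluates against is now pinned elsewhere (through `omnibus` or the new `nix/lock` flake); stating where in a comment makes clear which lock must be bumped to pick up a nixpkgs security update.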
@@ -0,0 +1,704 @@ +{ + "nodes": { + "advisory-db": { + "flake": false, + "locked": { + "lastModified": 1688825073, + "narHash": "sha256-fK2huTDGHJc/oZjZWhMZMAt1nQSuuY6p41Y2pudtJdM=", + "owner": "rustsec", + "repo": "advisory-db", + "rev": "5ceeefcbbabf4b510ef8ede121d6dc57d1a1f7f8", + "type": "github" + }, + "original": { + "owner": "rustsec", + "repo": "advisory-db", + "type": "github" + } + }, + "attack-control-framework-mappings": { + "flake": false, + "locked": { + "lastModified": 1696427438, + "narHash": "sha256-6sp73lT3+8UhFWmAUBV7x9FMHAQGY2xyZKCo7XoSD84=", + "owner": "center-for-threat-informed-defense", + "repo": "attack-control-framework-mappings", + "rev": "30c5dbf0f22f0fde2d690ffba3aa51934c12d9df", + "type": "github" + }, + "original": { + "owner": "center-for-threat-informed-defense", + "repo": "attack-control-framework-mappings", + "type": "github" + } + }, + "attack-flow": { + "flake": false, + "locked": { + "lastModified": 1698770870, + "narHash": "sha256-qvggqyQRSvZCq1fwY1trorgmAmbbQ7C4smG5Doq4HE4=", + "owner": "center-for-threat-informed-defense", + "repo": "attack-flow", + "rev": "4225fea8fa3dd77629e251410616a0655bd6c106", + "type": "github" + }, + "original": { + "owner": "center-for-threat-informed-defense", + "repo": "attack-flow", + "type": "github" + } + }, + "crane": { + "inputs": { + "flake-compat": "flake-compat", + "flake-utils": "flake-utils", + "nixpkgs": [ + "nickel", + "nixpkgs" + ], + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1695511445, + "narHash": "sha256-mnE14re43v3/Jc50Jv0BKPMtEk7FEtDSligP6B5HwlI=", + "owner": "ipetkov", + "repo": "crane", + "rev": "3de322e06fc88ada5e3589dc8a375b73e749f512", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "crane_2": { + "inputs": { + "flake-compat": "flake-compat_4", + "flake-utils": "flake-utils_3", + "nixpkgs": [ + "nickel", + "topiary", + "nixpkgs" + ], + "rust-overlay": "rust-overlay_3" + }, + "locked": { 
+ "lastModified": 1688772518, + "narHash": "sha256-ol7gZxwvgLnxNSZwFTDJJ49xVY5teaSvF7lzlo3YQfM=", + "owner": "ipetkov", + "repo": "crane", + "rev": "8b08e96c9af8c6e3a2b69af5a7fa168750fcf88e", + "type": "github" + }, + "original": { + "owner": "ipetkov", + "repo": "crane", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_2": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_3": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-compat_4": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": 
"flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1694529238, + "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_3": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1687709756, + "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "inputs": { + "systems": "systems_4" + }, + "locked": { + "lastModified": 1687709756, + "narHash": "sha256-Y5wKlQSkgEK2weWdOu4J3riRd+kV/VCgHsqLNTTWQ/0=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "dbabf0ca0c0c4bce6ea5eaf65af5cb694d2082c7", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_5": { + "inputs": { + "systems": "systems_5" + }, + "locked": { + "lastModified": 1681202837, + "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "cfacdce06f30d2b68473a46042957675eebb3401", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "nickel", + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1660459072, + "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=", + "owner": "hercules-ci", + "repo": 
"gitignore.nix", + "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "lowdown-src": { + "flake": false, + "locked": { + "lastModified": 1633514407, + "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=", + "owner": "kristapsdz", + "repo": "lowdown", + "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8", + "type": "github" + }, + "original": { + "owner": "kristapsdz", + "repo": "lowdown", + "type": "github" + } + }, + "nickel": { + "inputs": { + "crane": "crane", + "flake-utils": "flake-utils_2", + "nix-input": "nix-input", + "nixpkgs": "nixpkgs_2", + "pre-commit-hooks": "pre-commit-hooks", + "rust-overlay": "rust-overlay_2", + "topiary": "topiary" + }, + "locked": { + "lastModified": 1700158255, + "narHash": "sha256-j4Tnhef9C+cXQb82bazpYbI4lNE+aTXcb6FrKkcn76o=", + "owner": "tweag", + "repo": "nickel", + "rev": "8d7725da772599a65874a827aa02feb8306852ed", + "type": "github" + }, + "original": { + "owner": "tweag", + "repo": "nickel", + "type": "github" + } + }, + "nix-filter": { + "locked": { + "lastModified": 1687178632, + "narHash": "sha256-HS7YR5erss0JCaUijPeyg2XrisEb959FIct3n2TMGbE=", + "owner": "numtide", + "repo": "nix-filter", + "rev": "d90c75e8319d0dd9be67d933d8eb9d0894ec9174", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "nix-filter", + "type": "github" + } + }, + "nix-input": { + "inputs": { + "flake-compat": "flake-compat_2", + "lowdown-src": "lowdown-src", + "nixpkgs": "nixpkgs", + "nixpkgs-regression": "nixpkgs-regression" + }, + "locked": { + "lastModified": 1694598107, + "narHash": "sha256-JEJSU2O+getWkc+Ql6Dsp72ZGihyZ2Ba7fMdv+ma4TQ=", + "owner": "nixos", + "repo": "nix", + "rev": "b99fdcf8dbb38ec0be0e82f65d1d138ec9e89dda", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nix", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1695830400, + 
"narHash": "sha256-gToZXQVr0G/1WriO83olnqrLSHF2Jb8BPcmCt497ro0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8a86b98f0ba1c405358f1b71ff8b5e1d317f5db2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-22.11-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-regression": { + "locked": { + "lastModified": 1643052045, + "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1685801374, + "narHash": "sha256-otaSUoFEMM+LjBI1XL/xGB5ao6IwnZOXc47qhIgJe8U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "c37ca420157f4abc31e26f436c1145f8951ff373", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1693565476, + "narHash": "sha256-ya00zHt7YbPo3ve/wNZ/6nts61xt7wK/APa6aZAfey0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "aa8aa7e2ea35ce655297e8322dc82bf77a31d04b", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "ref": "nixos-unstable", + "type": "indirect" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1681358109, + "narHash": "sha256-eKyxW4OohHQx9Urxi7TQlFBTDWII+F+x2hklDOQPB50=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "96ba1c52e54e74c3197f4d43026b3f3d92e83ff9", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "ocsf": { + "flake": false, + "locked": { + "lastModified": 1699563345, + "narHash": "sha256-w9sBLowd5xNUfcRS6TO0W2s5cW5IhiI3kJJ7UP0jtvU=", + "owner": "ocsf", + "repo": "ocsf-schema", + "rev": "22c324330aae83829367a8ebba8dbd6c1d557b7f", + 
"type": "github" + }, + "original": { + "owner": "ocsf", + "repo": "ocsf-schema", + "type": "github" + } + }, + "ocsf-benthos": { + "flake": false, + "locked": { + "lastModified": 1694618962, + "narHash": "sha256-XlAl9Vddy+heDwxfF9UhMdHsn5jNwt5QQipWmWHAfeE=", + "owner": "ocsf", + "repo": "ocsf-benthos", + "rev": "5fe81dc623777c41a98092fab4715733ee842080", + "type": "github" + }, + "original": { + "owner": "ocsf", + "repo": "ocsf-benthos", + "type": "github" + } + }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat_3", + "flake-utils": [ + "nickel", + "flake-utils" + ], + "gitignore": "gitignore", + "nixpkgs": [ + "nickel", + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1695576016, + "narHash": "sha256-71KxwRhTfVuh7kNrg3/edNjYVg9DCyKZl2QIKbhRggg=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "cb770e93516a1609652fa8e945a0f310e98f10c0", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "root": { + "inputs": { + "attack-control-framework-mappings": "attack-control-framework-mappings", + "attack-flow": "attack-flow", + "nickel": "nickel", + "ocsf": "ocsf", + "ocsf-benthos": "ocsf-benthos" + } + }, + "rust-overlay": { + "inputs": { + "flake-utils": [ + "nickel", + "crane", + "flake-utils" + ], + "nixpkgs": [ + "nickel", + "crane", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1695003086, + "narHash": "sha256-d1/ZKuBRpxifmUf7FaedCqhy0lyVbqj44Oc2s+P5bdA=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "b87a14abea512d956f0b89d0d8a1e9b41f3e20ff", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_2": { + "inputs": { + "flake-utils": [ + "nickel", + "flake-utils" + ], + "nixpkgs": [ + "nickel", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1696039808, + "narHash": 
"sha256-7TbAr9LskWG6ISPhUdyp6zHboT7FsFrME5QsWKybPTA=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "a4c3c904ab29e04a20d3a6da6626d66030385773", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_3": { + "inputs": { + "flake-utils": [ + "nickel", + "topiary", + "crane", + "flake-utils" + ], + "nixpkgs": [ + "nickel", + "topiary", + "crane", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1688351637, + "narHash": "sha256-CLTufJ29VxNOIZ8UTg0lepsn3X03AmopmaLTTeHDCL4=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "f9b92316727af9e6c7fee4a761242f7f46880329", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "rust-overlay_4": { + "inputs": { + "flake-utils": "flake-utils_5", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1689042658, + "narHash": "sha256-p7cQAFNt5kX19sZvK74CmY0nTrtujpZg6sZUiV1ntAk=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "d7181bb2237035df17cab9295c95f987f5c527e6", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": 
"sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_5": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "topiary": { + "inputs": { + "advisory-db": "advisory-db", + "crane": "crane_2", + "flake-utils": "flake-utils_4", + "nix-filter": "nix-filter", + "nixpkgs": [ + "nickel", + "nixpkgs" + ], + "rust-overlay": "rust-overlay_4" + }, + "locked": { + "lastModified": 1695289853, + "narHash": "sha256-EgDFjJeGJb36je/be7DXvzvpBYDUaupOiQxtL7bN/+Q=", + "owner": "tweag", + "repo": "topiary", + "rev": "8299a04bf83c4a2774cbbff7a036c022efa939b3", + "type": "github" + }, + "original": { + "owner": "tweag", + "repo": "topiary", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/lock/flake.nix b/nix/lock/flake.nix new file mode 100644 index 0000000..9e54a64 --- /dev/null +++ b/nix/lock/flake.nix 
@@ -0,0 +1,28 @@
+{
+ inputs = {
+ ocsf-benthos.url = "github:ocsf/ocsf-benthos";
+ ocsf-benthos.flake = false;
+
+ nickel.url = "github:tweag/nickel";
+ };
+
+ # description = "Collection of attack frameworks and resources";
+ inputs = {
+ attack-control-framework-mappings = {
+ url = "github:center-for-threat-informed-defense/attack-control-framework-mappings";
+ flake = false;
+ };
+
+ attack-flow = {
+ url = "github:center-for-threat-informed-defense/attack-flow";
+ flake = false;
+ };
+ };
+
+ # description = "Cybersecurity Schema Framework";
+ inputs = {
+ ocsf.url = "github:ocsf/ocsf-schema";
+ ocsf.flake = false;
+ };
+ outputs = _: { };
+}
diff --git a/nix/std/cells/repo/nixago.nix b/nix/std/cells/repo/nixago.nix
new file mode 100644
index 0000000..8df3bd0
--- /dev/null
+++ b/nix/std/cells/repo/nixago.nix
@@ -0,0 +1,24 @@
+{ inputs, cell }:
+with inputs.std.inputs.dmerge;
+let
+ cfg = {
+ inherit (cell.pops.configs.exports.default) treefmt lefthook conform;
+ };
+ inherit (cell.pops.configs.exports.stdNixago) treefmt lefthook conform;
+in
+{
+ lefthook = {
+ inherit (lefthook) default;
+ };
+ treefmt = {
+ default = (treefmt.default cfg.treefmt.nickel);
+ };
+ conform = rec {
+ default = conform.default custom;
+ custom = {
+ data = {
+ commit.conventional.scopes = append [ ".*." ];
+ };
+ };
+ };
+}
diff --git a/nix/std/cells/repo/pops.nix b/nix/std/cells/repo/pops.nix
new file mode 100644
index 0000000..a0c52d0
--- /dev/null
+++ b/nix/std/cells/repo/pops.nix
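Review bot: The three separate `inputs = { … };` sets (new-file lines 2, 10 and 23) only evaluate because the Nix parser merges repeated literal attribute sets whose keys do not collide; most readers will take them for a duplicate-attribute error, and the commented-out `# description = …` lines suggest the per-group descriptions had to be dropped for exactly that reason. Suggest one header comment, e.g. `# Inputs are declared in groups; Nix merges the repeated literal sets, so input names must stay unique across groups.`, or collapse them into a single set with the group names as comments. None of the five inputs carries a `ref` or `rev`, so they are pinned only by `nix/lock/flake.lock`; that is fine as long as the lock is committed and bumped deliberately.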
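Review bot: `commit.conventional.scopes = append [ ".*." ];` appends what reads as a regular expression matching any non-empty scope, so if conform treats scope entries as patterns (I believe recent versions do — verify against the pinned conform) the conventional-commit scope check becomes a no-op while still appearing to be enforced. If accepting any scope is the intent, say so: `# ".*." matches any scope: scope enforcement is intentionally disabled for this repo`; otherwise list the real scopes instead. The top-level `with inputs.std.inputs.dmerge;` also makes `append` look like a builtin; `inherit (inputs.std.inputs.dmerge) append;` inside the `let` would make its origin explicit.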
@@ -0,0 +1,39 @@
+{ inputs, cell }:
+let
+ inherit (inputs) nixpkgs;
+ inputs' = (inputs.omnibus.pops.flake.setSystem nixpkgs.system).inputs;
+ inherit (inputs.omnibus.pops.self.load.inputs) POP flops;
+in
+{
+ devshellProfiles =
+ (inputs.omnibus.pops.devshellProfiles.addLoadExtender {
+ load.inputs.inputs = {
+ inherit (inputs) nickel;
+ };
+ }).addExporter
+ (
+ POP.extendPop flops.haumea.pops.exporter (
+ _self: _super: {
+ exports = rec {
+ inherit (inputs.omnibus.lib.mapPopsExports pops) self;
+ pops.self =
+ (self.layouts.default.addLoadExtender {
+ load.inputs = {
+ # extend the inputs of the default layout
+ # inherit inputs cell;
+ };
+ });
+ };
+ }
+ )
+ );
+ configs = inputs.omnibus.pops.configs {
+ inputs = {
+ inputs = {
+ inherit (inputs') nixfmt topiary nur;
+ inherit (inputs) std;
+ inherit nixpkgs;
+ };
+ };
+ };
+}
diff --git a/nix/std/cells/repo/shells/default.nix b/nix/std/cells/repo/shells/default.nix
new file mode 100644
index 0000000..9f8cebe
--- /dev/null
+++ b/nix/std/cells/repo/shells/default.nix
@@ -0,0 +1,19 @@
+{ inputs, cell }:
+let
+ l = nixpkgs.lib // builtins;
+ inherit (inputs) nixpkgs std;
+in
+l.mapAttrs (_: std.lib.dev.mkShell) {
+ default =
+ { ... }:
+ {
+ name = "HardenedNixOS DevShell";
+ imports = [ cell.pops.devshellProfiles.exports.default.nickel ];
+
+ nixago = [
+ cell.nixago.treefmt.default
+ cell.nixago.lefthook.default
+ cell.nixago.conform.default
+ ];
+ };
+}
diff --git a/nix/std/cells/repo/tasks/default.nix b/nix/std/cells/repo/tasks/default.nix
new file mode 100644
index 0000000..16bac75
--- /dev/null
+++ b/nix/std/cells/repo/tasks/default.nix
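Review bot: The `self.layouts.default.addLoadExtender { load.inputs = { … }; }` call passes an attribute set whose only content is the commented-out `# inherit inputs cell;`, so the extender currently adds nothing and reads like an unfinished edit. Either drop the `addLoadExtender` call until it carries inputs, or replace the dead code with a comment that states the intent, e.g. `# TODO: pass inputs and cell to the default layout once the profiles need them`. `configs` also pulls `nur` out of `inputs'` next to `nixfmt` and `topiary`; if that is the Nix User Repository, a one-line comment naming what consumes it would let a reviewer judge that community-maintained dependency, since its use is not visible here.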
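Review bot: `l = nixpkgs.lib // builtins;` is built only to call `l.mapAttrs`, which `nixpkgs.lib` already provides, so the `// builtins` merge adds nothing and lets same-named builtins shadow lib functions; `inherit (nixpkgs.lib) mapAttrs;` (or `nixpkgs.lib.mapAttrs` directly) is clearer. The `nixago = [ … ]` list would also benefit from a short comment on what those three entries generate on shell entry, presumably the treefmt, lefthook and conform configuration files — confirm and state it, e.g. `# nixago materialises the treefmt/lefthook/conform configs into the repo when the shell is entered`.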
@@ -0,0 +1,24 @@
+{ inputs, cell }:
+let
+ inherit (inputs.std-ext.writers.lib) writeShellApplication;
+ inherit (inputs) self nixpkgs std;
+in
+{
+ mkdoc =
+ let
+ org-roam-book =
+ inputs.org-roam-book-template.packages.${nixpkgs.system}.default.override
+ { org = "${(std.incl self [ (self + /docs/org) ])}/docs/org"; };
+ in
+ writeShellApplication {
+ name = "mkdoc";
+ runtimeInputs = [ nixpkgs.hugo ];
+ text = ''
+ rsync -avzh ${org-roam-book}/* docs/publish
+ cd docs/publish && cp ../config.toml .
+ hugo
+ cp -rf --no-preserve=mode,ownership public/posts/index.html ./public/
+ "$@"
+ '';
+ };
+}
diff --git a/nix/std/flake.lock b/nix/std/flake.lock
new file mode 100644
index 0000000..abea094
--- /dev/null
+++ b/nix/std/flake.lock
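Review bot: `inputs.std-ext.writers.lib` and `inputs.org-roam-book-template` are read here, but neither `std-ext` nor `org-roam-book-template` is declared in `nix/std/flake.nix` or in `nix/lock/flake.nix` (whose inputs are merged in via `setInitInputs ../lock`), so evaluating `mkdoc` will fail with a missing-attribute error unless omnibus injects those names — not visible in this commit. Either declare the inputs or drop the task; the commit already removes the `mkdoc` CI step, so dropping it looks like the direction. The script also ends with a bare `"$@"`, which executes whatever arguments the caller passes as a command after the build; if a post-build hook is intended, document it with `# any arguments are executed as a follow-up command after the site is built`, otherwise remove that line.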
@@ -0,0 +1,684 @@ +{ + "nodes": { + "POP": { + "inputs": { + "flake-compat": [ + "omnibus", + "flops" + ], + "nixlib": "nixlib", + "nixpkgs": [ + "omnibus", + "flops" + ] + }, + "locked": { + "lastModified": 1655410953, + "narHash": "sha256-Er0zdhu7QwpWvVKfauqZqTnxDz6THTWOTVWLoz+Opmw=", + "owner": "divnix", + "repo": "POP", + "rev": "8babe4c9126298d05ebb5ab04727d741b51c022e", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "POP", + "type": "github" + } + }, + "blank": { + "locked": { + "lastModified": 1625557891, + "narHash": "sha256-O8/MWsPBGhhyPoPLHZAuoZiiHo9q6FLlEeIDEXuj6T4=", + "owner": "divnix", + "repo": "blank", + "rev": "5a5d2684073d9f563072ed07c871d577a6c614a8", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "blank", + "type": "github" + } + }, + "call-flake": { + "locked": { + "lastModified": 1697332845, + "narHash": "sha256-bmhE1TmrJG4ba93l9WQTLuYM53kwGQAjYHRvHOeuxWU=", + "owner": "divnix", + "repo": "call-flake", + "rev": "088f8589c7f3ee59bea1858a89f5125d284c3c4a", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "call-flake", + "type": "github" + } + }, + "call-flake_2": { + "locked": { + "lastModified": 1691284812, + "narHash": "sha256-bmhE1TmrJG4ba93l9WQTLuYM53kwGQAjYHRvHOeuxWU=", + "owner": "divnix", + "repo": "call-flake", + "rev": "0510cb1562720ae66cb5010c56b856142b837a3f", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "call-flake", + "type": "github" + } + }, + "call-flake_3": { + "locked": { + "lastModified": 1687380775, + "narHash": "sha256-bmhE1TmrJG4ba93l9WQTLuYM53kwGQAjYHRvHOeuxWU=", + "owner": "divnix", + "repo": "call-flake", + "rev": "74061f6c241227cd05e79b702db9a300a2e4131a", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "call-flake", + "type": "github" + } + }, + "devshell": { + "inputs": { + "nixpkgs": [ + "omnibusStd", + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1698410321, + 
"narHash": "sha256-MphuSlgpmKwtJncGMohryHiK55J1n6WzVQ/OAfmfoMc=", + "owner": "numtide", + "repo": "devshell", + "rev": "1aed986e3c81a4f6698e85a7452cbfcc4b31a36e", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "devshell", + "type": "github" + } + }, + "dmerge": { + "inputs": { + "haumea": [ + "omnibus", + "flops", + "haumea" + ], + "nixlib": [ + "omnibus", + "flops", + "nixlib" + ], + "yants": [ + "omnibus", + "flops", + "yants" + ] + }, + "locked": { + "lastModified": 1686862774, + "narHash": "sha256-ojGtRQ9pIOUrxsQEuEPerUkqIJEuod9hIflfNkY+9CE=", + "owner": "divnix", + "repo": "dmerge", + "rev": "9f7f7a8349d33d7bd02e0f2b484b1f076e503a96", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "dmerge", + "type": "github" + } + }, + "dmerge_2": { + "inputs": { + "haumea": [ + "omnibusStd", + "std", + "haumea" + ], + "nixlib": [ + "omnibusStd", + "std", + "lib" + ], + "yants": [ + "omnibusStd", + "std", + "yants" + ] + }, + "locked": { + "lastModified": 1686862774, + "narHash": "sha256-ojGtRQ9pIOUrxsQEuEPerUkqIJEuod9hIflfNkY+9CE=", + "owner": "divnix", + "repo": "dmerge", + "rev": "9f7f7a8349d33d7bd02e0f2b484b1f076e503a96", + "type": "github" + }, + "original": { + "owner": "divnix", + "ref": "0.2.1", + "repo": "dmerge", + "type": "github" + } + }, + "flake-utils": { + "locked": { + "lastModified": 1653893745, + "narHash": "sha256-0jntwV3Z8//YwuOjzhV2sgJJPt+HY6KhU7VZUL0fKZQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "1ed9fb1935d260de5fe1c2f7ee0ebaae17ed2fa1", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flops": { + "inputs": { + "POP": "POP", + "call-flake": "call-flake", + "dmerge": "dmerge", + "haumea": "haumea", + "nixlib": "nixlib_2", + "yants": "yants" + }, + "locked": { + "lastModified": 1699522347, + "narHash": "sha256-HSUXcWzEjBfLf5JjUmx17TwL1PKOo99D5aJehui9OuI=", + "owner": "gtrunsec", + "repo": "flops", + "rev": 
"64d6f3a0af57c0325afd5f60eac7f027859028f8", + "type": "github" + }, + "original": { + "owner": "gtrunsec", + "repo": "flops", + "type": "github" + } + }, + "haumea": { + "inputs": { + "nixpkgs": [ + "omnibus", + "flops", + "nixlib" + ] + }, + "locked": { + "lastModified": 1697205539, + "narHash": "sha256-gHEy0Q+eEQJkWl6/DpFxXPOlTx/lMU7Pvs/bwoq4OhI=", + "owner": "nix-community", + "repo": "haumea", + "rev": "fc119c500189f739fec7ad33d111f9c92910eccf", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "haumea", + "type": "github" + } + }, + "haumea_2": { + "inputs": { + "nixpkgs": [ + "omnibusStd", + "namaka", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1685133229, + "narHash": "sha256-FePm/Gi9PBSNwiDFq3N+DWdfxFq0UKsVVTJS3cQPn94=", + "owner": "nix-community", + "repo": "haumea", + "rev": "34dd58385092a23018748b50f9b23de6266dffc2", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.2.2", + "repo": "haumea", + "type": "github" + } + }, + "haumea_3": { + "inputs": { + "nixpkgs": [ + "omnibusStd", + "std", + "lib" + ] + }, + "locked": { + "lastModified": 1685133229, + "narHash": "sha256-FePm/Gi9PBSNwiDFq3N+DWdfxFq0UKsVVTJS3cQPn94=", + "owner": "nix-community", + "repo": "haumea", + "rev": "34dd58385092a23018748b50f9b23de6266dffc2", + "type": "github" + }, + "original": { + "owner": "nix-community", + "ref": "v0.2.2", + "repo": "haumea", + "type": "github" + } + }, + "incl": { + "inputs": { + "nixlib": [ + "omnibusStd", + "std", + "lib" + ] + }, + "locked": { + "lastModified": 1669263024, + "narHash": "sha256-E/+23NKtxAqYG/0ydYgxlgarKnxmDbg6rCMWnOBqn9Q=", + "owner": "divnix", + "repo": "incl", + "rev": "ce7bebaee048e4cd7ebdb4cee7885e00c4e2abca", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "incl", + "type": "github" + } + }, + "lib": { + "locked": { + "lastModified": 1694306727, + "narHash": "sha256-26fkTOJOI65NOTNKFvtcJF9mzzf/kK9swHzfYt1Dl6Q=", + "owner": "nix-community", + 
"repo": "nixpkgs.lib", + "rev": "c30b6a84c0b84ec7aecbe74466033facc9ed103f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "namaka": { + "inputs": { + "haumea": "haumea_2", + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1696528717, + "narHash": "sha256-y9iQPJuIhUHojV/5yiYV68a9DaRSbHxMR2QbSdNtb/I=", + "owner": "nix-community", + "repo": "namaka", + "rev": "30a62e16535c85aa2ada2929ab7998dc2d3e5a7b", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "namaka", + "type": "github" + } + }, + "nixago": { + "inputs": { + "flake-utils": "flake-utils", + "nixago-exts": [ + "omnibusStd" + ], + "nixpkgs": [ + "omnibusStd", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1687381756, + "narHash": "sha256-IUMIlYfrvj7Yli4H2vvyig8HEPpfCeMaE6+kBGPzFyk=", + "owner": "nix-community", + "repo": "nixago", + "rev": "dacceb10cace103b3e66552ec9719fa0d33c0dc9", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixago", + "type": "github" + } + }, + "nixlib": { + "locked": { + "lastModified": 1653180592, + "narHash": "sha256-sVGwmxTj7CY1D4ioy7E+iJE+1/yHqQlxjnTpar3ap/E=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "42c5f5785b70cd64b4afd830dc31d0b08461abd5", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixlib_2": { + "locked": { + "lastModified": 1698540503, + "narHash": "sha256-YN6DJQc7SMe6ep9FhD2BGl92bo24NPNRWjADEJE4xeU=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "ce2acb20a405bf6f910081c2adc988bbc8100e4c", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1660438583, + "narHash": "sha256-rJUTYxFKlWUJI3njAwEc1pKAVooAViZGJvsgqfh/q/E=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": 
"bbd8f7cd87d0b29294ef3072ffdbd61d60f05da4", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1688590700, + "narHash": "sha256-ZF055rIUP89cVwiLpG5xkJzx00gEuuGFF60Bs/LM3wc=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "f292b4964cb71f9dfbbd30dc9f511d6165cd109b", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1699343069, + "narHash": "sha256-s7BBhyLA6MI6FuJgs4F/SgpntHBzz40/qV0xLPW6A1Q=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ec750fd01963ab6b20ee1f0cb488754e8036d89d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nosys": { + "locked": { + "lastModified": 1668010795, + "narHash": "sha256-JBDVBnos8g0toU7EhIIqQ1If5m/nyBqtHhL3sicdPwI=", + "owner": "divnix", + "repo": "nosys", + "rev": "feade0141487801c71ff55623b421ed535dbdefa", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "nosys", + "type": "github" + } + }, + "omnibus": { + "inputs": { + "flops": "flops" + }, + "locked": { + "lastModified": 1699697584, + "narHash": "sha256-NnT6WKmhoQ1kjtuagLeOY3KEwkwQE1WmpWVzEE5KQos=", + "owner": "gtrunsec", + "repo": "omnibus", + "rev": "644636d7a98b3e73be7cc2907c30862d77be351e", + "type": "github" + }, + "original": { + "owner": "gtrunsec", + "repo": "omnibus", + "type": "github" + } + }, + "omnibusStd": { + "inputs": { + "call-flake": "call-flake_2", + "devshell": "devshell", + "haumea": [ + "omnibusStd", + "namaka", + "haumea" + ], + "namaka": "namaka", + "nixago": "nixago", + "nixpkgs": "nixpkgs_3", + "std": "std" + }, + "locked": { + "dir": "local", + "lastModified": 1699690357, + "narHash": "sha256-yd1uYmru+l/ArhQHd+ZBl5Vga97S//1sFSo4g/ZOoxc=", + "owner": "gtrunsec", + "repo": "omnibus", + 
"rev": "ad8a19f143dfa8c89d587628114dce022ec34478", + "type": "github" + }, + "original": { + "dir": "local", + "owner": "gtrunsec", + "repo": "omnibus", + "type": "github" + } + }, + "paisano": { + "inputs": { + "call-flake": "call-flake_3", + "nixpkgs": [ + "omnibusStd", + "std", + "nixpkgs" + ], + "nosys": "nosys", + "yants": [ + "omnibusStd", + "std", + "yants" + ] + }, + "locked": { + "lastModified": 1693982790, + "narHash": "sha256-WTZYlqGUjzzz/PSzcvjEZz2kkwYSXObjeQVrFBaqa2Y=", + "owner": "paisano-nix", + "repo": "core", + "rev": "3e897a19418361ece34841105122ed4f9379ca96", + "type": "github" + }, + "original": { + "owner": "paisano-nix", + "repo": "core", + "type": "github" + } + }, + "paisano-tui": { + "flake": false, + "locked": { + "lastModified": 1694014205, + "narHash": "sha256-u0+T6vMznzfjDMUd01ZXQsrQPMEhMjrQwUPTFsPBR1k=", + "owner": "paisano-nix", + "repo": "tui", + "rev": "587ab9fd07bd969d59df73bfe527b5f8a4e752d1", + "type": "github" + }, + "original": { + "owner": "paisano-nix", + "ref": "0.2.0", + "repo": "tui", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": [ + "omnibusStd", + "nixpkgs" + ], + "omnibus": "omnibus", + "omnibusStd": "omnibusStd", + "std": [ + "omnibusStd", + "std" + ] + } + }, + "std": { + "inputs": { + "arion": [ + "omnibusStd", + "std", + "blank" + ], + "blank": "blank", + "devshell": [ + "omnibusStd", + "devshell" + ], + "dmerge": "dmerge_2", + "haumea": "haumea_3", + "incl": "incl", + "lib": "lib", + "makes": [ + "omnibusStd", + "std", + "blank" + ], + "microvm": [ + "omnibusStd", + "std", + "blank" + ], + "n2c": [ + "omnibusStd", + "std", + "blank" + ], + "nixago": [ + "omnibusStd", + "nixago" + ], + "nixpkgs": [ + "omnibusStd", + "nixpkgs" + ], + "paisano": "paisano", + "paisano-tui": "paisano-tui", + "terranix": [ + "omnibusStd", + "std", + "blank" + ], + "yants": "yants_2" + }, + "locked": { + "lastModified": 1699009342, + "narHash": "sha256-ch4MN4mFBBzPmEra5u9Tqj3JyWpt7cTA4z1jkY8DsfQ=", + "owner": 
"divnix", + "repo": "std", + "rev": "403fd2a949c60fc358be4f7d7ecfb435960b8464", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "std", + "type": "github" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "yants": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1699522279, + "narHash": "sha256-ILTqQyhVsouZDfbhEVFJI6b3NDZIQQRluL2dk3bee+Y=", + "owner": "divnix", + "repo": "yants", + "rev": "cde27c2821d925245303650c2914d4b7d3a435cd", + "type": "github" + }, + "original": { + "owner": "divnix", + "ref": "refs/pull/5/head", + "repo": "yants", + "type": "github" + } + }, + "yants_2": { + "inputs": { + "nixpkgs": [ + "omnibusStd", + "std", + "lib" + ] + }, + "locked": { + "lastModified": 1686863218, + "narHash": "sha256-kooxYm3/3ornWtVBNHM3Zh020gACUyFX2G0VQXnB+mk=", + "owner": "divnix", + "repo": "yants", + "rev": "8f0da0dba57149676aa4817ec0c880fbde7a648d", + "type": "github" + }, + "original": { + "owner": "divnix", + "repo": "yants", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/std/flake.nix b/nix/std/flake.nix new file mode 100644 index 0000000..c007a8d --- /dev/null +++ b/nix/std/flake.nix 
@@ -0,0 +1,60 @@
+{
+ nixConfig = {
+ extra-substituters = [
+ "https://tweag-topiary.cachix.org"
+ "https://tweag-nickel.cachix.org"
+ "https://organist.cachix.org"
+ ];
+ extra-trusted-public-keys = [
+ "tweag-topiary.cachix.org-1:8TKqya43LAfj4qNHnljLpuBnxAY/YwEBfzo3kzXxNY0="
+ "tweag-nickel.cachix.org-1:GIthuiK4LRgnW64ALYEoioVUQBWs0jexyoYVeLDBwRA="
+ "organist.cachix.org-1:GB9gOx3rbGl7YEh6DwOscD1+E/Gc5ZCnzqwObNH2Faw="
+ ];
+ };
+
+ inputs = {
+ nixpkgs.follows = "omnibusStd/nixpkgs";
+ omnibusStd.url = "github:gtrunsec/omnibus/?dir=local";
+ omnibus.url = "github:gtrunsec/omnibus";
+ std.follows = "omnibusStd/std";
+ };
+ outputs =
+ { std, omnibus, ... }@inputs:
+ std.growOn
+ {
+ inputs = inputs // ((omnibus.pops.flake.setInitInputs ../lock).inputs);
+ cellsFrom = ./cells;
+
+ cellBlocks = with std.blockTypes; [
+ (installables "packages")
+
+ (functions "shellsProfiles")
+ (devshells "shells")
+
+ (runnables "entrypoints")
+ (runnables "scripts")
+ (runnables "tasks")
+
+ (functions "lib")
+
+ (functions "packages")
+
+ (functions "pops")
+
+ (data "config")
+ (files "configFiles")
+
+ (data "jsonschemas")
+
+ (files "schemas")
+
+ (nixago "nixago")
+ ];
+ }
+ {
+ devShells = inputs.std.harvest inputs.self [
+ "repo"
+ "shells"
+ ];
+ };
+}
diff --git a/src/__init.nix b/src/__init.nix
new file mode 100644
index 0000000..83fae86
--- /dev/null
+++ b/src/__init.nix
@@ -0,0 +1,13 @@
+{ omnibus, inputs }:
+{
+ nixosProfiles = {
+ apparmor = omnibus.pops.nixosProfiles.addLoadExtender {
+ load = {
+ src = ./apparmor;
+ inputs = {
+ inherit inputs;
+ };
+ };
+ };
+ };
+}
diff --git a/src/apparmor/_temp.nix b/src/apparmor/_temp.nix
new file mode 100644
index 0000000..1d76785
--- /dev/null
+++ b/src/apparmor/_temp.nix
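Review bot: The `nixConfig` block at the top of nix/std/flake.nix registers three third-party binary caches and their signing keys (tweag-topiary, tweag-nickel, organist), while the declared inputs are only omnibus, std and nixpkgs, so it is not visible from this hunk which build output those caches serve. Each `extra-trusted-public-keys` entry is a party whose signed store paths Nix will accept once a user approves the prompt, so a one-line comment above `extra-substituters` naming what needs each cache would help, e.g. `# topiary/nickel/organist caches: needed for <package> — TODO confirm`, and any cache nothing in this flake pulls from should be dropped. Minor style point: `std` is already destructured in the outputs signature, so `devShells = std.harvest inputs.self [ "repo" "shells" ];` would match the `std.growOn` call above it instead of going through `inputs.std`.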
@@ -0,0 +1,19 @@
+_:
+{pkgs}:
+{
+ bin =
+ { name, package, extraRules ? "" }:
+ {
+ "bin-${name}".profile = ''
+ include
+ ${package}/bin/${name} {
+ # include
+ # include
+ # include
+ include "${pkgs.apparmorRulesFromClosure { inherit name; } package}"
+ r ${package}/bin/${name},
+ }
+ ${extraRules}
+ '';
+ };
+}
diff --git a/src/apparmor/default.nix b/src/apparmor/default.nix
new file mode 100644
index 0000000..7b5844a
--- /dev/null
+++ b/src/apparmor/default.nix
@@ -0,0 +1,19 @@
+{
+ lib,
+ super,
+ pkgs,
+}:
+let
+ temp = super.temp { inherit pkgs; };
+ binary_example = temp.bin {
+ name = "binary_example";
+ package = pkgs.binary_example;
+ extraRules = "";
+ };
+in
+{
+ security.apparmor = {
+ enable = lib.mkDefault true;
+ # policies = { inherit binary_example; };
+ };
+}
diff --git a/treefmt.toml b/treefmt.toml
deleted file mode 100644
index bc24004..0000000
--- a/treefmt.toml
+++ /dev/null
@@ -1,30 +0,0 @@
-[formatter.nix]
-command = "alejandra"
-includes = ["*.nix"]
-excludes = [""]
-
-[formatter.prettier]
-command = "prettier"
-options = ["--plugin", "prettier-plugin-toml", "--write"]
-includes = ["*.md", "*.yaml", "*.toml", "*.json"]
-excludes = [
- "./cells/_templates/_packages/*",
- "Manifest.toml",
- "Project.toml",
- "./cells/secrets/*"
-]
-
-[formatter.black]
-command = "black"
-includes = ["*.py"]
-
-[formatter.shell]
-command = "shfmt"
-options = [
- "-i",
- "2", # indent 2
- "-s", # simplify the code
- "-w", # write back to the file
-
-]
-includes = ["*.sh"]
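Review bot: `${extraRules}` in the `bin` helper of src/apparmor/_temp.nix is emitted after the profile's closing `}`, so any rules a caller passes land at the top level of the policy file rather than inside the `${package}/bin/${name} { … }` block, which is the only place file and capability rules are valid; move the interpolation one line up, before the `}`. The leading `include` and the three `# include` lines also show no target in this view (angle-bracketed paths may have been dropped in rendering) — confirm the generated profile really pulls in the intended tunables and abstractions, since an `include` with nothing after it will not parse. A short comment on the helper would help readers too: `# bin: one security.apparmor.policies entry confining ${package}/bin/${name}; extraRules is raw AppArmor rule text for that profile`.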
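Review bot: The commented-out `policies = { inherit binary_example; };` in src/apparmor/default.nix would give the wrong shape if it is restored: `temp.bin` already returns `{ "bin-binary_example" = { profile = …; }; }`, so inheriting it nests the policy one level too deep under `policies.binary_example`; it should be `policies = binary_example;` (merged with `//` once several binaries are added). As committed, the module only sets `security.apparmor.enable` and installs no policy, so nothing is confined yet, and `pkgs.binary_example` is a placeholder that fails evaluation as soon as the binding is forced — it is tolerated now only because the `let` value is unused. A header comment would make the intent clear: `# Template: replace binary_example with the package to confine and set policies to the attrset temp.bin returns`.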
