From f9efdb389aad06b8fff35ffa70e175ab815be499 Mon Sep 17 00:00:00 2001 From: mangoiv Date: Wed, 7 Feb 2024 00:34:02 +0100 Subject: [PATCH] [chore] init hsec-cabal project - move to more declarative flake setup to avoid complexity - init the hsec-cabal cabal project - move the cabal.project file to `code` --- .envrc | 5 - .gitignore | 3 +- cabal.project | 6 - code/.envrc | 1 + code/cabal.project | 6 + code/cvss/cvss.cabal | 3 +- code/hsec-cabal/app/Main.hs | 6 + code/hsec-cabal/fourmolu.yaml | 12 ++ code/hsec-cabal/hsec-cabal.cabal | 73 ++++++++ code/hsec-cabal/src/Distribution/Audit.hs | 5 + .../src/Distribution/Audit/Option.hs | 18 ++ .../src/Security/Advisories/Cabal.hs | 1 + code/hsec-cabal/test/Main.hs | 4 + .../test/assets/test-a/src/MyLib.hs | 4 + .../test/assets/test-a/test-a.cabal | 25 +++ code/hsec-core/hsec-core.cabal | 21 +-- code/osv/osv.cabal | 41 ++-- flake.lock | 176 +++++++++++++++--- flake.nix | 169 ++++++++--------- 19 files changed, 411 insertions(+), 168 deletions(-) delete mode 100644 .envrc delete mode 100644 cabal.project create mode 100644 code/.envrc create mode 100644 code/cabal.project create mode 100644 code/hsec-cabal/app/Main.hs create mode 100644 code/hsec-cabal/fourmolu.yaml create mode 100644 code/hsec-cabal/hsec-cabal.cabal create mode 100644 code/hsec-cabal/src/Distribution/Audit.hs create mode 100644 code/hsec-cabal/src/Distribution/Audit/Option.hs create mode 100644 code/hsec-cabal/src/Security/Advisories/Cabal.hs create mode 100644 code/hsec-cabal/test/Main.hs create mode 100644 code/hsec-cabal/test/assets/test-a/src/MyLib.hs create mode 100644 code/hsec-cabal/test/assets/test-a/test-a.cabal
diff --git a/.envrc b/.envrc
deleted file mode 100644
index c0594df0..00000000
--- a/.envrc
+++ /dev/null
@@ -1,5 +0,0 @@
-use flake
-
-if [ -f .env ]; then
- . .env
-fi
diff --git a/.gitignore b/.gitignore
index 89117f34..35bad6d9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 *~
 dist-newstyle/
-result
+result*
 .direnv
 .env
+.pre-commit-config.yaml
diff --git a/cabal.project b/cabal.project
deleted file mode 100644
index 3f2ec970..00000000
--- a/cabal.project
+++ /dev/null
@@ -1,6 +0,0 @@
-packages: code/*/*.cabal
-
-package hsec-core
-package hsec-tools
-package cvss
-package osv
diff --git a/code/.envrc b/code/.envrc
new file mode 100644
index 00000000..4743c14a
--- /dev/null
+++ b/code/.envrc
@@ -0,0 +1 @@
+use flake .. -Lv
diff --git a/code/cabal.project b/code/cabal.project
new file mode 100644
index 00000000..3b40c7df
--- /dev/null
+++ b/code/cabal.project
@@ -0,0 +1,6 @@
+packages:
+ ./hsec-core
+ ./hsec-tools
+ ./hsec-cabal
+ ./cvss
+ ./osv
diff --git a/code/cvss/cvss.cabal b/code/cvss/cvss.cabal
index f9d1fbb1..1890bae6 100644
--- a/code/cvss/cvss.cabal
+++ b/code/cvss/cvss.cabal
@@ -10,7 +10,8 @@ author: Tristan de Cacqueray
 maintainer: tdecacqu@redhat.com category: Data extra-doc-files: CHANGELOG.md -tested-with: GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1 +tested-with: + GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1 library exposed-modules: Security.CVSS
diff --git a/code/hsec-cabal/app/Main.hs b/code/hsec-cabal/app/Main.hs
new file mode 100644
index 00000000..acf6dfb5
--- /dev/null
+++ b/code/hsec-cabal/app/Main.hs
@@ -0,0 +1,6 @@
+module Main (main) where
+
+import Distribution.Audit (auditMain)
+
+main :: IO ()
+main = auditMain
diff --git a/code/hsec-cabal/fourmolu.yaml b/code/hsec-cabal/fourmolu.yaml
new file mode 100644
index 00000000..b6ae5621
--- /dev/null
+++ b/code/hsec-cabal/fourmolu.yaml
@@ -0,0 +1,12 @@
+indentation: 2
+function-arrows: leading
+comma-style: leading
+import-export-style: leading
+indent-wheres: false
+record-brace-space: true
+newlines-between-decls: 1
+haddock-style: single-line
+let-style: inline
+in-style: right-align
+respectful: false
+single-constraint-parens: never
diff --git a/code/hsec-cabal/hsec-cabal.cabal b/code/hsec-cabal/hsec-cabal.cabal
new file mode 100644
index 00000000..049a0270
--- /dev/null
+++ b/code/hsec-cabal/hsec-cabal.cabal
@@ -0,0 +1,73 @@
+cabal-version: 2.4
+name: hsec-cabal
+version: 0.1.0.0
+
+-- A short (one-line) description of the package.
+synopsis: Checking a cabal project for security advisories
+
+-- A longer description of the package.
+description:
+ Tools for querying the haskell security advisories database against cabal projects.
+
+-- A URL where users can report bugs.
+-- bug-reports:
+
+-- The license under which the package is released.
+license: BSD-3-Clause
+author: @MangoIV
+maintainer: contact@mangoiv.com
+
+-- A copyright notice.
+-- copyright:
+category: Data
+extra-doc-files: CHANGELOG.md
+extra-source-files:
+tested-with:
+ GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1
+
+common common-all
+ ghc-options:
+ -Wall -Wcompat -Widentities -Wincomplete-record-updates
+ -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints
+
+ default-extensions:
+ BlockArguments
+ DeriveGeneric
+ DerivingStrategies
+
+library
+ import: common-all
+ exposed-modules:
+ Distribution.Audit
+ Distribution.Audit.Option
+ Security.Advisories.Cabal
+
+ build-depends:
+ , base <5
+ , cabal-install
+ , Cabal-syntax
+ , hsec-core
+ , optparse-applicative
+
+ hs-source-dirs: src
+ default-language: Haskell2010
+
+executable cabal-audit
+ import: common-all
+ hs-source-dirs: app
+ main-is: Main.hs
+ other-modules:
+ build-depends:
+ , base <5
+ , hsec-cabal
+
+ default-language: Haskell2010
+
+test-suite spec
+ import: common-all
+ type: exitcode-stdio-1.0
+ hs-source-dirs: test
+ main-is: Main.hs
+ other-modules:
+ build-depends: base <5
+ default-language: Haskell2010
diff --git a/code/hsec-cabal/src/Distribution/Audit.hs b/code/hsec-cabal/src/Distribution/Audit.hs
new file mode 100644
index 00000000..8ccc8fa6
--- /dev/null
+++ b/code/hsec-cabal/src/Distribution/Audit.hs
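Review bot: The library's `build-depends` in hsec-cabal.cabal bounds only `base <5`; `cabal-install`, `Cabal-syntax`, `hsec-core` and `optparse-applicative` are unbounded, and the library half of `cabal-install` tends to change between releases, so whichever version the index-state offers is what gets built. The sibling osv.cabal in this repo bounds `aeson`, `text` and `time`, so the house style is bounds; a shape like `, cabal-install ^>=<pinned-major>` and `, Cabal-syntax ^>=<matching-major>` (placeholder versions, to be chosen) keeps the two in step. `extra-source-files:` is declared but left empty, so the fixture this commit adds under `test/assets/test-a` would not be part of an sdist; `extra-source-files: test/assets/**/*.cabal, test/assets/**/*.hs` covers it, and the `**` glob is allowed at cabal-version 2.4.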
@@ -0,0 +1,5 @@
+module Distribution.Audit (auditMain) where
+
+auditMain :: IO ()
+auditMain = do
+ putStrLn "unimplemented"
diff --git a/code/hsec-cabal/src/Distribution/Audit/Option.hs b/code/hsec-cabal/src/Distribution/Audit/Option.hs
new file mode 100644
index 00000000..211aa42d
--- /dev/null
+++ b/code/hsec-cabal/src/Distribution/Audit/Option.hs
@@ -0,0 +1,18 @@
+-- TODO(mangoiv): implement a proper parser as well as proper options to
+-- - use constraints from a cabal file
+-- - use a cabal.freeze file
+-- - solve and then use cabal.freeze obtained
+module Distribution.Audit.Option
+ ( CabalAuditOptions (..)
+ , cabalAuditParser
+ )
+where
+
+import GHC.Generics (Generic)
+import Options.Applicative (Parser)
+
+data CabalAuditOptions = MkCabalAuditOptions {}
+ deriving stock (Eq, Ord, Show, Generic)
+
+cabalAuditParser :: Parser CabalAuditOptions
+cabalAuditParser = pure MkCabalAuditOptions
diff --git a/code/hsec-cabal/src/Security/Advisories/Cabal.hs b/code/hsec-cabal/src/Security/Advisories/Cabal.hs
new file mode 100644
index 00000000..d0124aee
--- /dev/null
+++ b/code/hsec-cabal/src/Security/Advisories/Cabal.hs
@@ -0,0 +1 @@
+module Security.Advisories.Cabal where
diff --git a/code/hsec-cabal/test/Main.hs b/code/hsec-cabal/test/Main.hs
new file mode 100644
index 00000000..89ad4b3e
--- /dev/null
+++ b/code/hsec-cabal/test/Main.hs
@@ -0,0 +1,4 @@
+module Main where
+
+main :: IO ()
+main = pure ()
diff --git a/code/hsec-cabal/test/assets/test-a/src/MyLib.hs b/code/hsec-cabal/test/assets/test-a/src/MyLib.hs
new file mode 100644
index 00000000..e657c440
--- /dev/null
+++ b/code/hsec-cabal/test/assets/test-a/src/MyLib.hs
@@ -0,0 +1,4 @@
+module MyLib (someFunc) where
+
+someFunc :: IO ()
+someFunc = putStrLn "someFunc"
diff --git a/code/hsec-cabal/test/assets/test-a/test-a.cabal b/code/hsec-cabal/test/assets/test-a/test-a.cabal
new file mode 100644
index 00000000..6e6ea329
--- /dev/null
+++ b/code/hsec-cabal/test/assets/test-a/test-a.cabal
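Review bot: `auditMain` prints "unimplemented" and then returns normally, so the `cabal-audit` executable exits 0; anyone who wires it into a CI job before the audit exists gets a green "no advisories found" result for free. A stub that cannot perform the audit should fail loudly: `import System.Exit (die)` and `auditMain = die "cabal-audit: not implemented"`, which writes to stderr and exits with status 1. `main = auditMain` in app/Main.hs inherits that exit status, so nothing else needs to change.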
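Review bot: The `spec` test-suite's `main = pure ()` produces a passing run with zero assertions, and nothing in it references the `test/assets/test-a` fixture that this same commit adds, so a reader cannot tell the suite is a placeholder rather than coverage. A header comment stating the intent keeps that honest until a real test lands, e.g. `-- TODO: run the audit against test/assets/test-a and assert the hakyll -> pandoc advisory is reported`.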
@@ -0,0 +1,25 @@
+cabal-version: 3.0
+name: test-a
+version: 0.1.0.0
+license: MIT
+license-file: LICENSE
+author: mangoiv
+maintainer: mail@mangoiv.com
+category: Codec
+build-type: Simple
+extra-doc-files: CHANGELOG.md
+
+common warnings
+ ghc-options: -Wall
+
+library
+ import: warnings
+ exposed-modules: MyLib
+
+ -- hakyll depends on pandoc which has a security report
+ build-depends:
+ , base
+ , hakyll
+
+ hs-source-dirs: src
+ default-language: Haskell2010
diff --git a/code/hsec-core/hsec-core.cabal b/code/hsec-core/hsec-core.cabal
index 2039abbc..a458c3c0 100644
--- a/code/hsec-core/hsec-core.cabal
+++ b/code/hsec-core/hsec-core.cabal
@@ -1,26 +1,25 @@
-cabal-version: 2.4 -name: hsec-core -version: 0.1.0.0 +cabal-version: 2.4 +name: hsec-core +version: 0.1.0.0 -- A short (one-line) description of the package. -synopsis: Core package representing Haskell advisories +synopsis: Core package representing Haskell advisories -- A longer description of the package. -description: Core package representing Haskell advisories. +description: Core package representing Haskell advisories. -- A URL where users can report bugs. -- bug-reports: -- The license under which the package is released. -license: BSD-3-Clause -author: David Christiansen -maintainer: david@davidchristiansen.dk +license: BSD-3-Clause +author: David Christiansen +maintainer: david@davidchristiansen.dk -- A copyright notice. -- copyright: -category: Data -extra-doc-files: CHANGELOG.md - +category: Data +extra-doc-files: CHANGELOG.md tested-with: GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1
diff --git a/code/osv/osv.cabal b/code/osv/osv.cabal
index 5c5eea3f..c371814e 100644
--- a/code/osv/osv.cabal
+++ b/code/osv/osv.cabal
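Review bot: test-a.cabal declares `license-file: LICENSE` and `extra-doc-files: CHANGELOG.md`, but the diffstat adds neither file under test/assets/test-a, so the fixture will likely trip `cabal sdist`/`cabal check` and any test that tries to build it; either add the two files or drop both fields if the fixture only ever needs to be parsed. The comment above `build-depends` says hakyll pulls in pandoc with a security report, yet `hakyll` carries no version bound, so which pandoc the solver picks, and whether it lands in the advisory's affected range, depends on the index state at test time; a `cabal.project.freeze` next to the fixture, or a `, hakyll ==<pinned-version>` bound (placeholder), makes the expected finding deterministic. The unbounded `base` has the same effect on whether the fixture solves at all across the GHC versions listed in `tested-with` upstream.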
@@ -1,41 +1,36 @@ -cabal-version: 2.4 -name: osv -version: 0.1.0.0 +cabal-version: 2.4 +name: osv +version: 0.1.0.0 -- A short (one-line) description of the package. -synopsis: - Open Source Vulnerability format +synopsis: Open Source Vulnerability format -- A longer description of the package. -description: - Open Source Vulnerability format. +description: Open Source Vulnerability format. -- A URL where users can report bugs. -- bug-reports: -- The license under which the package is released. -license: BSD-3-Clause -author: David Christiansen -maintainer: david@davidchristiansen.dk +license: BSD-3-Clause +author: David Christiansen +maintainer: david@davidchristiansen.dk -- A copyright notice. -- copyright: -category: Data -extra-doc-files: CHANGELOG.md - +category: Data +extra-doc-files: CHANGELOG.md tested-with: GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1 library - exposed-modules: - Security.OSV - + exposed-modules: Security.OSV build-depends: - , aeson >=2.0.1.0 && <3 - , base >=4.14 && <4.20 + , aeson >=2.0.1.0 && <3 + , base >=4.14 && <4.20 , cvss - , text >=1.2 && <3 - , time >=1.9 && <1.14 + , text >=1.2 && <3 + , time >=1.9 && <1.14 hs-source-dirs: src default-language: Haskell2010 @@ -48,10 +43,10 @@ test-suite spec hs-source-dirs: test main-is: Spec.hs build-depends: - , base <5 + , base <5 , osv - , tasty <1.5 - , tasty-hunit <0.11 + , tasty <1.5 + , tasty-hunit <0.11 default-language: Haskell2010 ghc-options: diff --git a/flake.lock b/flake.lock index 1f3a183b..ef2fe8d7 100644 --- a/flake.lock +++ b/flake.lock 
@@ -1,15 +1,31 @@ { "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, "flake-utils": { "inputs": { "systems": "systems" }, "locked": { - "lastModified": 1689068808, - "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=", + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", "owner": "numtide", "repo": "flake-utils", - "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", "type": "github" }, "original": { 
@@ -18,27 +34,154 @@ "type": "github" } }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "pre-commit-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703887061, + "narHash": "sha256-gGPa9qWNc6eCXT/+Z5/zMkyYOuRZqeFZBDbopNZQkuY=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "43e1aa1308018f37118e34d3a9cb4f5e75dc11d5", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "haskell-flake": { + "locked": { + "lastModified": 1707242163, + "narHash": "sha256-w+cBynh7yqnpVtFdu1SEZxPgtlz/nWnv47D5crnPXHM=", + "owner": "srid", + "repo": "haskell-flake", + "rev": "f9d17c3aa68e65529f424816c8b9346ae602d1de", + "type": "github" + }, + "original": { + "owner": "srid", + "repo": "haskell-flake", + "type": "github" + } + }, "nixpkgs": { "locked": { - "lastModified": 1689679375, - "narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=", + "lastModified": 1707205916, + "narHash": "sha256-fmRJilYGlB7VCt3XsdYxrA0u8e/K84O5xYucerUY0iM=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "8cc79aa39bbc6eaedaf286ae655b224c71e02907", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-lib": { + "locked": { + "dir": "lib", + "lastModified": 1706550542, + "narHash": "sha256-UcsnCG6wx++23yeER4Hg18CXWbgNpqNXcHIo5/1Y+hc=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "684c17c429c42515bafb3ad775d2a710947f3d67", + "rev": "97b17f32362e475016f942bbdfda4a4a72a8a652", "type": "github" }, "original": { + "dir": "lib", "owner": "NixOS", "ref": "nixos-unstable", "repo": "nixpkgs", "type": "github" } }, - "root": { + "nixpkgs-stable": { + "locked": { + "lastModified": 1704874635, + "narHash": "sha256-YWuCrtsty5vVZvu+7BchAxmcYzTMfolSPP5io8+WYCg=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "3dc440faeee9e889fe2d1b4d25ad0f430d449356", + "type": "github" + }, + "original": { + "owner": "NixOS", + 
"ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1704842529, + "narHash": "sha256-OTeQA+F8d/Evad33JMfuXC89VMetQbsU4qcaePchGr4=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "eabe8d3eface69f5bb16c18f8662a702f50c20d5", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "parts": { "inputs": { + "nixpkgs-lib": "nixpkgs-lib" + }, + "locked": { + "lastModified": 1706830856, + "narHash": "sha256-a0NYyp+h9hlb7ddVz4LUn1vT/PLwqfrWYcHMvFB1xYg=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "b253292d9c0a5ead9bc98c4e9a26c6312e27d69f", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, + "pre-commit-hooks": { + "inputs": { + "flake-compat": "flake-compat", "flake-utils": "flake-utils", + "gitignore": "gitignore", + "nixpkgs": "nixpkgs_2", + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1706424699, + "narHash": "sha256-Q3RBuOpZNH2eFA1e+IHgZLAOqDD9SKhJ/sszrL8bQD4=", + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "rev": "7c54e08a689b53c8a1e5d70169f2ec9e2a68ffaf", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "pre-commit-hooks.nix", + "type": "github" + } + }, + "root": { + "inputs": { + "haskell-flake": "haskell-flake", "nixpkgs": "nixpkgs", - "toml-parser": "toml-parser" + "parts": "parts", + "pre-commit-hooks": "pre-commit-hooks" } }, "systems": { 
@@ -55,23 +198,6 @@ "repo": "default", "type": "github" } - }, - "toml-parser": { - "flake": false, - "locked": { - "lastModified": 1689547204, - "narHash": "sha256-b953MDru/A80AQiejwiBojJlab0Kr9fGODtVUpOIQMc=", - "owner": "glguy", - "repo": "toml-parser", - "rev": "eb7222d9d71aa00d0a37f85ff4cdef89d1ba743d", - "type": "github" - }, - "original": { - "owner": "glguy", - "repo": "toml-parser", - "rev": "eb7222d9d71aa00d0a37f85ff4cdef89d1ba743d", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 391c820f..621dc275 100644 --- a/flake.nix +++ b/flake.nix 
@@ -1,108 +1,85 @@ { - description = "hsec-tools"; - + nixConfig.allow-import-from-derivation = true; + description = "hsec-flake"; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - flake-utils.url = "github:numtide/flake-utils"; - toml-parser = { - url = "github:glguy/toml-parser/eb7222d9d71aa00d0a37f85ff4cdef89d1ba743d"; # v1.3.0.0 - flake = false; - }; + nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable"; + parts.url = "github:hercules-ci/flake-parts"; + haskell-flake.url = "github:srid/haskell-flake"; + pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix"; }; + outputs = inputs: + inputs.parts.lib.mkFlake { inherit inputs; } { + systems = [ "x86_64-linux" ]; + imports = [ + inputs.haskell-flake.flakeModule + inputs.pre-commit-hooks.flakeModule + ]; - outputs = { self, nixpkgs, flake-utils, toml-parser }: - flake-utils.lib.eachDefaultSystem (system: - let - overlays = [ ]; - pkgs = - import nixpkgs { inherit system overlays; config.allowBroken = true; }; - jailbreakUnbreak = pkg: - pkgs.haskell.lib.doJailbreak (pkgs.haskell.lib.dontCheck (pkgs.haskell.lib.unmarkBroken pkg)); - - cvss = pkgs.haskellPackages.callCabal2nix "cvss" ./code/cvss { }; - osv = pkgs.haskellPackages.callCabal2nix "osv" ./code/osv { inherit cvss; }; - hsec-core = pkgs.haskellPackages.callCabal2nix "hsec-core" ./code/hsec-core { - inherit cvss osv; - Cabal-syntax = pkgs.haskellPackages.Cabal-syntax_3_8_1_0; - }; + perSystem = + { config + , pkgs + , ... 
+ }: { + pre-commit = { + check.enable = true; + settings.hooks = { + cabal-fmt.enable = true; + hlint.enable = true; - hsec-tools = returnShellEnv: - pkgs.haskellPackages.developPackage { - inherit returnShellEnv; - name = "hsec-tools"; - root = ./code/hsec-tools; - withHoogle = false; - overrides = self: super: { - inherit cvss hsec-core osv; - Cabal-syntax = super.Cabal-syntax_3_8_1_0; - toml-parser = jailbreakUnbreak (super.callCabal2nix "toml-parser" toml-parser { }); + nixpkgs-fmt.enable = true; + statix.enable = true; + deadnix.enable = true; }; - - modifier = drv: - if returnShellEnv - then - pkgs.haskell.lib.addBuildTools drv - (with pkgs.haskellPackages; - [ - cabal-fmt - cabal-install - ghcid - haskell-language-server - pkgs.nixpkgs-fmt - ]) - else drv; }; - - gitconfig = - pkgs.writeTextFile { - name = ".gitconfig"; - text = '' - [safe] - directory = * - ''; - destination = "/.gitconfig"; # should match 'config.WorkDir' + haskellProjects.default = { + packages = { }; + settings = { }; + projectRoot = ./code; + devShell.mkShellArgs.shellHook = config.pre-commit.installationScript; }; - in - { - packages.cvss = cvss; - packages.osv = osv; - packages.hsec-core = hsec-core; - packages.hsec-tools = pkgs.haskell.lib.justStaticExecutables (hsec-tools false); - packages.hsec-tools-image = - pkgs.dockerTools.buildImage { - name = "haskell/hsec-tools"; - tag = "latest"; - copyToRoot = pkgs.buildEnv { - name = "image-root"; - paths = [ - self.packages.${system}.hsec-tools - pkgs.gitMinimal.out - gitconfig - ]; - pathsToLink = [ "/bin" "/" ]; - }; - runAsRoot = "rm -Rf /share"; - config = { - Cmd = [ "/bin/hsec-tools" ]; - Env = [ - "LOCALE_ARCHIVE=${pkgs.glibcLocalesUtf8}/lib/locale/locale-archive" - "LC_TIME=en_US.UTF-8" - "LANG=en_US.UTF-8" - "LANGUAGE=en" - "LC_ALL=en_US.UTF-8" - "GIT_DISCOVERY_ACROSS_FILESYSTEM=1" - ]; - Volumes = { - "/repo" = { }; + packages.hsec-tools-image = + let + gitconfig = + pkgs.writeTextFile { + name = ".gitconfig"; + text = '' + 
[safe] + directory = * + ''; + destination = "/.gitconfig"; # should match 'config.WorkDir' + }; + in + pkgs.dockerTools.buildImage { + name = "haskell/hsec-tools"; + tag = "latest"; + + copyToRoot = pkgs.buildEnv { + name = "image-root"; + paths = [ + config.packages.hsec-tools + pkgs.gitMinimal.out + gitconfig + ]; + pathsToLink = [ "/bin" "/" ]; + }; + runAsRoot = "rm -Rf /share"; + config = { + Cmd = [ "/bin/hsec-tools" ]; + Env = [ + "LOCALE_ARCHIVE=${pkgs.glibcLocalesUtf8}/lib/locale/locale-archive" + "LC_TIME=en_US.UTF-8" + "LANG=en_US.UTF-8" + "LANGUAGE=en" + "LC_ALL=en_US.UTF-8" + "GIT_DISCOVERY_ACROSS_FILESYSTEM=1" + ]; + Volumes = { + "/repo" = { }; + }; + WorkDir = "/"; }; - WorkDir = "/"; }; - }; - # Used by `nix build` & `nix run` (prod exe) - defaultPackage = self.packages.${system}.hsec-tools; - - # Used by `nix develop` (dev shell) - devShell = hsec-tools true; - }); + }; + }; }
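Review bot: `packages.hsec-tools-image` now copies `config.packages.hsec-tools` straight into `copyToRoot`, whereas the old flake wrapped the executable in `pkgs.haskell.lib.justStaticExecutables` first; unless the pinned haskell-flake applies that by default, the image closure grows by the GHC runtime libraries and their dependencies, which is both image size and attack surface for a tool meant to run in CI. haskell-flake has a per-package `settings.<pkg>.justStaticExecutables` option; `settings.hsec-tools.justStaticExecutables = true;` in `haskellProjects.default` should restore the previous behaviour (verify against the pinned revision). Separately, `systems = [ "x86_64-linux" ]` drops every other system that `flake-utils.lib.eachDefaultSystem` previously offered; if that is intentional a one-line comment on it saves the next person from assuming it is an oversight. The hunk covers the whole of flake.nix.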