feat: add `insecure` battery (#438) · oeiuwq.com/den@8a34e92

+13

docs/src/content/docs/guides/batteries.mdx

··· 132 132 Works for any class (`nixos`, `darwin`, `homeManager`). The unfree predicate 133 133 builder is automatically included via `den.default`. 134 134 135 + ### `den.provides.insecure` 136 + 137 + Enables specific insecure packages by name: 138 + 139 + ```nix 140 + den.aspects.laptop.includes = [ 141 + (den.provides.insecure [ "foo-1.2.3" ]) 142 + ]; 143 + ``` 144 + 145 + Works for any class (`nixos`, `darwin`, `homeManager`). The insecure predicate 146 + builder is automatically included via `den.default`. 147 + 135 148 ### `den.provides.tty-autologin` 136 149 137 150 Enables automatic TTY1 login on NixOS:

+63

modules/aspects/provides/insecure/insecure-predicate-builder.nix

··· 1 + { den, lib, ... }: 2 + let 3 + inherit (den.lib) 4 + parametric 5 + ; 6 + 7 + description = '' 8 + This is a private aspect always included in den.default. 9 + 10 + It adds a module option that gathers all packages defined 11 + in den._.insecure usages and declares a 12 + nixpkgs.config.permittedInsecurePackages for each class. 13 + 14 + ''; 15 + 16 + insecureModule = 17 + { config, ... }@args: 18 + let 19 + # nixpkgs.config must not be set when useGlobalPkgs is true. 20 + globalPkgs = args.osConfig.home-manager.useGlobalPkgs or false; 21 + hasInsecure = config.permittedInsecurePackages.packages != [ ]; 22 + in 23 + { 24 + options.permittedInsecurePackages.packages = lib.mkOption { 25 + type = lib.types.listOf lib.types.str; 26 + defaultText = lib.literalExpression "[ ]"; 27 + default = [ ]; 28 + }; 29 + config.nixpkgs = lib.mkIf (hasInsecure && !globalPkgs) { 30 + config.permittedInsecurePackages = config.permittedInsecurePackages.packages; 31 + }; 32 + }; 33 + 34 + osAspect = 35 + { host }: 36 + { 37 + ${host.class}.imports = [ insecureModule ]; 38 + }; 39 + 40 + userAspect = 41 + { host, user }: 42 + lib.optionalAttrs (lib.elem "homeManager" user.classes) { 43 + homeManager.imports = [ insecureModule ]; 44 + }; 45 + 46 + homeAspect = 47 + { home }: 48 + { 49 + ${home.class}.imports = [ insecureModule ]; 50 + }; 51 + 52 + aspect = parametric.exactly { 53 + inherit description; 54 + includes = [ 55 + osAspect 56 + userAspect 57 + homeAspect 58 + ]; 59 + }; 60 + in 61 + { 62 + den.default.includes = [ aspect ]; 63 + }

+34

modules/aspects/provides/insecure/insecure.nix

··· 1 + let 2 + description = '' 3 + A class generic aspect that enables insecure packages by name and version. 4 + 5 + Works for any class (nixos/darwin/homeManager,etc) on any host/user/home context. 6 + 7 + ## Usage 8 + 9 + den.aspects.my-laptop.includes = [ (den._.insecure [ "example-insecure-package-1.0.0" ]) ]; 10 + 11 + It will dynamically provide a module for each class when accessed. 12 + ''; 13 + 14 + __functor = 15 + _self: allowed-names: 16 + { class, ... }: 17 + if 18 + (builtins.elem class [ 19 + "nixos" 20 + "darwin" 21 + "homeManager" 22 + ]) 23 + then 24 + { 25 + ${class}.permittedInsecurePackages.packages = allowed-names; 26 + } 27 + else 28 + { }; 29 + in 30 + { 31 + den.provides.insecure = { 32 + inherit description __functor; 33 + }; 34 + }

+2 -2

modules/aspects/provides/unfree/unfree-predicate-builder.nix

··· 9 9 This is a private aspect always included in den.default. 10 10 11 11 It adds a module option that gathers all packages defined 12 - in den._.unfree usages and declares a 12 + in den._.unfree usages and declares a 13 13 nixpkgs.config.allowUnfreePredicate for each class. 14 14 15 15 ''; ··· 19 19 let 20 20 # nixpkgs.config must not be set when useGlobalPkgs is true. 21 21 globalPkgs = args.osConfig.home-manager.useGlobalPkgs or false; 22 - hasUnfree = lib.length config.unfree.packages > 0; 22 + hasUnfree = config.unfree.packages != [ ]; 23 23 in 24 24 { 25 25 options.unfree.packages = lib.mkOption {

+33

templates/ci/modules/features/batteries/insecure.nix

··· 1 + { denTest, ... }: 2 + { 3 + flake.tests.insecure = { 4 + test-insecure-package-set-on-nixos = denTest ( 5 + { 6 + den, 7 + igloo, 8 + pkgs, 9 + ... 10 + }: 11 + 12 + let 13 + hello = ( 14 + pkgs.hello.overrideAttrs { 15 + version = "1.0.0"; 16 + meta.knownVulnerabilities = [ 17 + "foo" 18 + ]; 19 + } 20 + ); 21 + in 22 + { 23 + den.hosts.x86_64-linux.igloo.users.tux = { }; 24 + den.aspects.igloo = { 25 + includes = [ (den._.insecure [ "hello-1.0.0" ]) ]; 26 + environment.systemPackages = [ hello ]; 27 + }; 28 + expr = igloo.nixpkgs.config.permittedInsecurePackages; 29 + expected = [ "hello-1.0.0" ]; 30 + } 31 + ); 32 + }; 33 + }

Configure Feed

Configure Feed