{ pkgs, diskImageFun, debianDistro, debianCodename, debianPackages
, extraPackages ? []
}:
let
reprepro = pkgs.stdenv.mkDerivation rec {
  name = "reprepro-${version}";
  version = "4.16.0";
  # Pinned source tarball.  The sha256 is what actually protects the build:
  # a changed or hijacked download host can only make the fetch fail, never
  # get a different archive accepted.  Bumping `version` needs a new hash.
  # NOTE(review): confirm this alioth.debian.org URL still resolves (the
  # service has been retired); a mirror may be needed.
  src = pkgs.fetchurl {
    url = "https://alioth.debian.org/frs/download.php/file/4109/reprepro_${version}.orig.tar.gz";
    sha256 = "14gmk16k9n04xda4446ydfj8cr5pmzsmm4il8ysf69ivybiwmlpx";
  };
  buildInputs = [
    pkgs.makeWrapper
    pkgs.db
    pkgs.gpgme
    pkgs.libarchive
    pkgs.bzip2
    pkgs.xz
    pkgs.zlib
  ];
  # Signing goes through gpgme, which execs a gpg binary from PATH.  Prefix
  # the Nix gnupg so signing never depends on whatever gpg the caller has.
  postInstall = ''
    wrapProgram "$out/bin/reprepro" --prefix PATH : "${pkgs.gnupg}/bin"
  '';
};
# Disposable GnuPG keyring that signs the repository and seeds the
# archive-keyring package.  Built inside a Linux VM (presumably because the
# script needs writable /dev/random and /dev/console nodes -- see below).
#
# SECURITY: "$out" *is* the GNUPGHOME, so the passphrase-less secret key is
# written into the Nix store, readable by every user of the build host and
# of any machine this closure is copied to.  Acceptable for a snake-oil test
# repository only; never install this key as a trust root on a real system.
repoKeys = pkgs.vmTools.runInLinuxVM (pkgs.stdenv.mkDerivation {
  name = "snakeoil-repository-keys";
  # out         : the GNUPGHOME directory (public and secret keyrings)
  # publicKey   : binary (unarmoured) export of the public key
  # publicKeyId : key id of the generated public key, one line
  # secretKeyId : key id of the generated secret key (reprepro's SignWith)
  outputs = [ "out" "publicKey" "publicKeyId" "secretKeyId" ];
  buildCommand = ''
    export GNUPGHOME="$out"
    mkdir -p "$GNUPGHOME"
    # The VM's /dev/random would block waiting for entropy; alias it to
    # urandom so unattended key generation completes.  Tolerable only
    # because this key is deliberately snake oil.
    rm -f /dev/random
    ln -s urandom /dev/random
    # Console device for the VM (presumably needed by gpg/agent output).
    mknod /dev/console c 5 1
    # Unattended key generation.  %transient-key (faster, lower-quality RNG
    # path per the GnuPG docs), %no-protection (no passphrase), DSA and
    # Expire-Date 0 (never expires) are deliberate shortcuts for a
    # throw-away key and would all be wrong for a production signing key.
    cat > template <<EOF
    %echo Generating a repository signing key
    %transient-key
    %no-protection
    Key-Type: DSA
    Key-Usage: sign
    Name-Real: Snake Oil
    Name-Email: snake@oil
    Expire-Date: 0
    %commit
    %echo Repository key created
    EOF
    ${pkgs.gnupg}/bin/gpg2 --batch --gen-key template
    # Colon-separated listing; field 5 is the key id.  The keyring was just
    # created, so exactly one sec:/pub: record is expected.
    ${pkgs.gnupg}/bin/gpg2 --list-secret-keys --with-colons | \
      grep '^sec:' | cut -d: -f5 > "$secretKeyId"
    ${pkgs.gnupg}/bin/gpg2 --list-public-keys --with-colons | \
      grep '^pub:' | cut -d: -f5 > "$publicKeyId"
    # Export in binary form (no --armor); that is the layout apt keyring
    # files (*.gpg) are expected to have.
    ${pkgs.gnupg}/bin/gpg2 --export \
      "$(< "$publicKeyId")" \
      > "$publicKey"
  '';
});
# Debian package carrying the snake-oil public key, so apt on a target image
# accepts this repository's Release signature.
#
# SECURITY: debian/install drops the key into /etc/apt/trusted.gpg.d as well
# as /usr/share/keyrings.  A key in trusted.gpg.d is trusted for *every* apt
# source on that system, not only this repository.  Consumers that can use
# `Signed-By:` in their sources entry should rely on the /usr/share/keyrings
# copy and drop the trusted.gpg.d line (left as-is here because the
# consumers are not visible from this file).
keyringPackage = pkgs.vmTools.runInLinuxImage (pkgs.stdenv.mkDerivation {
  name = "snakeoil-archive-keyring.deb";
  # Debian build VM with just enough tooling for dpkg-buildpackage.
  diskImage = diskImageFun {
    extraPackages = [ "build-essential" "gnupg" "apt" "debhelper" ];
  };
  # NOTE(review): only the public key is copied below, yet the whole keyring
  # (secret key included) is exposed to the package build via GNUPGHOME.
  # Presumably so dpkg-buildpackage's default signing of the .changes file
  # finds a key matching "Snake Oil <snake@oil>" and does not fail -- confirm
  # before removing this, or pass -us -uc to dpkg-buildpackage instead.
  GNUPGHOME = repoKeys;
  buildCommand = ''
    mkdir snakeoil-archive-keyring
    cd snakeoil-archive-keyring
    # Binary keyring straight from the key-generation derivation.
    cat "${repoKeys.publicKey}" > snakeoil-archive-keyring.gpg
    # Minimal native debhelper source package: compat 9, dh sequencer.
    mkdir -p debian/source
    echo 9 > debian/compat
    echo '3.0 (native)' > debian/source/format
    # Install the same key in both locations; see the trust-scope note above.
    cp "${pkgs.writeText "install" ''
      snakeoil-archive-keyring.gpg /usr/share/keyrings
      snakeoil-archive-keyring.gpg /etc/apt/trusted.gpg.d
    ''}" debian/install
    # The recipe line must start with a real tab for make.
    cp "${pkgs.writeScript "rules" ''
      #!/usr/bin/make -f
      %:
      ${"\t"}dh $@
    ''}" debian/rules
    # Indentation of the change and trailer lines is part of the
    # changelog format; dpkg rejects a flattened stanza.
    cp "${pkgs.writeText "changelog" ''
      snakeoil-archive-keyring (1-1) unstable; urgency=low

        * Dummy changelog for snakeoil key.

       -- Snake Oil <snake@oil> Thu, 01 Jan 1970 00:00:01 +0000
    ''}" debian/changelog
    # The doubled-quote prefix is the Nix escape that yields a literal
    # dollar, so control ends up with the usual substitution variable.
    cp "${pkgs.writeText "control" ''
      Source: snakeoil-archive-keyring
      Section: misc
      Priority: optional
      Maintainer: Snake Oil <snake@oil>
      Build-Depends: debhelper (>= 9), gnupg, apt
      Standards-Version: 3.9.6

      Package: snakeoil-archive-keyring
      Architecture: all
      Depends: ''${misc:Depends}
      Description: Snakeoil archive signing key
    ''}" debian/control
    # Binary-only build; the .deb is written to the parent directory.
    dpkg-buildpackage -b
    # $out is used as a single file here; drop it if the VM helper
    # pre-created it as an (empty) directory.
    rmdir "$out" || :
    mv -vT ../*.deb "$out" # */
  '';
});
repository = pkgs.stdenv.mkDerivation {
  name = "apt-repository";

  # Closure of .debs to mirror: the distro's base set plus the caller's
  # debianPackages, resolved against the distro's Packages list and fetched
  # with fetchurl.  mkDerivation exports the list to the builder as the
  # space-separated $toInclude.
  toInclude = import (pkgs.vmTools.debClosureGenerator {
    packages = debianDistro.packages ++ debianPackages;
    inherit (debianDistro) name urlPrefix;
    packagesLists = [ debianDistro.packagesList ];
  }) { inherit (pkgs) fetchurl; };

  # reprepro looks SignWith up in this keyring.  repoKeys sits in the Nix
  # store, so the signing key is readable by everyone on the build host:
  # this repository is a test fixture, not a trust root.
  GNUPGHOME = repoKeys;

  buildCommand = ''
    mkdir -p "$out"/{conf,dists,incoming,indices,logs,pool,project,tmp}
    # SECURITY: Origin/Label claim to be Debian itself, so apt pinning on
    # o=Debian will treat this cache exactly like the official archive.
    # The Release file is signed with the snake-oil key from repoKeys.
    cat > "$out/conf/distributions" <<RELEASE
    Origin: Debian
    Label: Debian
    Codename: ${debianCodename}
    Architectures: amd64
    Components: main
    Description: Debian package cache
    SignWith: $(< "${repoKeys.secretKeyId}")
    RELEASE
    # Import every .deb (mirrored closure, the keyring package, and any
    # caller-supplied extras) into the pool; reprepro's stdout is noise,
    # failures still surface through stderr and the exit status.
    echo -n "Creating APT repository..." >&2
    for deb in $toInclude ${keyringPackage} ${toString extraPackages}; do
      REPREPRO_BASE_DIR="$out" ${reprepro}/bin/reprepro includedeb \
        "${debianCodename}" "$deb" > /dev/null
    done
    echo " done." >&2
  '';

  passthru = {
    # Convenience server for the finished repository.  No -p/-h are given,
    # so thttpd runs with its compiled-in defaults (normally port 80 on every
    # interface) and with logging disabled; everything under $out, including
    # conf/ and logs/, is served.  Add -h 127.0.0.1 / -p if this must not be
    # reachable from the network.  The pid file lands in the caller's cwd.
    serve = pkgs.writeScript "serve-debian-repo" ''
      #!${pkgs.stdenv.shell}
      exec ${pkgs.thttpd}/sbin/thttpd -d "${repository}" \
        -l /dev/null \
        -i "$(pwd)/repo.pid"
    '';
    # Binary public key consumers can install to verify the Release file.
    publicKey = repoKeys.publicKey;
  };
};
in repository