shell.nix for a pass passwordstore (plus pre-commit hook to prevent leaking unencrypted secrets)
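# sets up the environment in a way that adapts pass and git
# to work with the files in this repository instead of
# the global pass store.
let
  pkgs = import <nixpkgs> {};
  repository-dir = toString ./.;

  git-hook-dir =
    let
      # Checks that all files in this repository are application/pgp.
      # This prevents us from accidentally commiting unencrypted files.
      #
      # Entries of the allow-list are matched as an exact path or as a
      # directory prefix (`<repo>/.git/...`), not as a bare string prefix,
      # so e.g. `.gpg-id.bak` or `README.md.orig` are still checked.
      pre-commit-filter = pkgs.writers.writePython3 "pre-commit-hook-filter" {
        flakeIgnore = [ "E501" "E302" "E305" ];
      } ''
        import os
        import sys
        import subprocess

        # Repository root as a bytes path. toJSON yields a valid Python
        # string literal even if the path contains quotes or backslashes;
        # fsencode keeps the comparison byte-exact against lr's NUL-separated
        # output on stdin.
        repo = os.fsencode(${builtins.toJSON repository-dir})

        # Paths (relative to the repository root) that may be unencrypted.
        allowed = [
            b".git",
            b"README.md",
            b".envrc",
            b".gpg-id",
            b"shell.nix",
        ]


        def ignore(path):
            """True if `path` is an allow-listed file or lives below an
            allow-listed directory."""
            for s in allowed:
                full = repo + b"/" + s
                if path == full or path.startswith(full + b"/"):
                    return True
            return False


        errs = []
        for line in sys.stdin.buffer.read().split(b'\0'):
            if line != b"" and not ignore(line):
                out = subprocess.check_output([
                    "${pkgs.file}/bin/file",
                    "--brief",
                    "--mime-type",
                    "--",
                    line
                ]).strip()
                # NOTE(review): the mime type libmagic reports for OpenPGP
                # data differs between versions; confirm it against the
                # `file` binary pinned here before relying on this check.
                if out != b"application/pgp":
                    errs.append((line, out))
        if errs != []:
            import pprint
            print("Oh no, some files are not encrypted!", file=sys.stderr)
            pprint.pprint(errs, stream=sys.stderr)
            sys.exit(1)
      '';

      # Lists every non-directory in the working tree (tracked or not) and
      # feeds it to the filter. The listing is written to a temp file first:
      # dash has no pipefail, and `lr | filter` would pass with an empty
      # input if lr itself failed, i.e. the hook would fail open.
      # NOTE(review): this checks the working tree, not the staged index;
      # a blob that was `git add`ed and then edited is checked in its
      # on-disk form.
      pre-commit = pkgs.writers.writeDash "pre-commit-hook" ''
        set -eu
        files=$(${pkgs.coreutils}/bin/mktemp)
        trap 'rm -f "$files"' EXIT
        ${pkgs.lr}/bin/lr -0 -t 'type != d' ${pkgs.lib.escapeShellArg repository-dir} \
          > "$files"
        ${pre-commit-filter} < "$files"
      '';
    in pkgs.runCommand "git-hooks" {} ''
      mkdir $out
      ln -s ${pre-commit} $out/pre-commit
    '';

  # Wrap git, so that it uses the pre-commit hook.
  # The real git is prepended to PATH so that anything git itself execs
  # (and `pass`, which shells out to `git`) resolves to the same binary.
  wrapped-git = pkgs.writers.writeDashBin "git" ''
    PATH=${pkgs.git}/bin:$PATH
    git \
      -c core.hooksPath=${pkgs.lib.escapeShellArg git-hook-dir} \
      "$@"
  '';

in pkgs.runCommand "shell" {
  # set the pass dir to the current working directory
  PASSWORD_STORE_DIR = repository-dir;
  # wrapped-git shadows the system git so the hook is always installed.
  shellHook = ''
    PATH="${pkgs.lib.makeBinPath [ pkgs.pass wrapped-git ]}:$PATH"
  '';
} ''
  touch $out
''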