@Profpatsch
Created December 13, 2019 11:04
shell.nix for a pass passwordstore (plus pre-commit hook to prevent leaking unencrypted secrets)
# sets up the environment in a way that adapts pass and git
# to work with the files in this repository instead of
# the global pass store.
let
  # Impure: <nixpkgs> is resolved through NIX_PATH at evaluation time, so the
  # exact package versions (git, pass, file, lr) follow the caller's channel.
  pkgs = import <nixpkgs> {};
  # Absolute path of the directory holding this file, fixed at evaluation
  # time.  It doubles as the pass store (PASSWORD_STORE_DIR below) and as the
  # tree the pre-commit hook scans for unencrypted files.
  repository-dir = toString ./.;
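git-hook-dir =
  let
    # Checks that every non-directory entry of the repository is an OpenPGP
    # blob (as reported by `file --mime-type`), so that a plaintext secret
    # can never be committed by accident.
    #
    # Input: NUL-separated absolute paths on stdin (produced by `pre-commit`
    # below).  Exits non-zero and lists the offending paths on stderr if any
    # file is neither allow-listed nor `application/pgp`.
    #
    # The allow-list is matched on the repository-relative path, exactly for
    # files and as a directory prefix for `.git`.  A plain `startswith` on the
    # absolute path would also skip e.g. `shell.nix.bak` or `.gpg-id.txt`,
    # which is precisely the kind of stray plaintext this hook exists to catch.
    pre-commit-filter = pkgs.writers.writePython3 "pre-commit-hook-filter" {
      flakeIgnore = [ "E501" "E302" "E305" ];
    } ''
      import pprint
      import subprocess
      import sys

      # Every path handed to us starts with this prefix (lr is run on the
      # repository directory), so the remainder is the repository-relative path.
      repo_prefix = b"""${repository-dir}/"""

      # Non-secret files that legitimately live unencrypted in the store.
      # .gitattributes / .gitignore were previously covered by the `.git`
      # prefix match and are kept allow-listed explicitly.
      ignored_files = {
          b"README.md",
          b".envrc",
          b".gpg-id",
          b"shell.nix",
          b".gitattributes",
          b".gitignore",
      }
      # Directories whose whole content is skipped.
      ignored_dirs = [
          b".git",
      ]

      # NOTE(review): the exact label depends on file(1)'s magic database;
      # verify this is what the pinned pkgs.file reports for the store's
      # *.gpg files before relying on the hook.
      encrypted_mime = b"application/pgp"


      def ignore(path):
          """Return True if `path` is allow-listed and need not be encrypted."""
          if not path.startswith(repo_prefix):
              # The lister should never hand us a foreign path; if it does,
              # err on the side of "must be encrypted".
              return False
          rel = path[len(repo_prefix):]
          if rel in ignored_files:
              return True
          return any(rel == d or rel.startswith(d + b"/") for d in ignored_dirs)


      def mime_type(path):
          """MIME type of `path` as reported by file(1), e.g. b"application/pgp"."""
          return subprocess.check_output([
              "${pkgs.file}/bin/file",
              "--brief",
              "--mime-type",
              "--",
              path,
          ]).strip()


      # `lr -0` terminates every entry with NUL, so the last element is empty.
      paths = [p for p in sys.stdin.buffer.read().split(b"\0") if p != b""]
      errs = []
      for path in paths:
          if ignore(path):
              continue
          mime = mime_type(path)
          if mime != encrypted_mime:
              errs.append((path, mime))
      if errs:
          print("Oh no, some files are not encrypted!", file=sys.stderr)
          pprint.pprint(errs, stream=sys.stderr)
          sys.exit(1)
    '';
    # Lists every non-directory entry of the working tree, NUL-separated, and
    # hands the list to the filter.  This inspects the whole working tree,
    # not only the staged files, so an unencrypted file blocks the commit
    # even when it is not part of it.  The pipeline's status is that of the
    # filter, which is what git uses to accept or reject the commit.
    pre-commit = pkgs.writers.writeDash "pre-commit-hook" ''
      ${pkgs.lr}/bin/lr -0 -t 'type != d' ${pkgs.lib.escapeShellArg repository-dir} \
        | ${pre-commit-filter}
    '';
  in pkgs.runCommand "git-hooks" {} ''
    mkdir $out
    ln -s ${pre-commit} $out/pre-commit
  '';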
# Wrap git, so that it uses the pre-commit hook: every invocation made through
# this wrapper gets `core.hooksPath` pointed at the hook directory built above.
wrapped-git = pkgs.writers.writeDashBin "git" ''
  # Put the real git first so that the plain `git` below (and anything git
  # itself spawns) resolves to it rather than back to this wrapper.
  PATH="${pkgs.git}/bin:$PATH"
  exec git -c core.hooksPath=${pkgs.lib.escapeShellArg git-hook-dir} "$@"
'';
in pkgs.runCommand "shell" {
  # set the pass dir to the current working directory
  # (the absolute path of this file's directory, see repository-dir)
  PASSWORD_STORE_DIR = repository-dir;
  # Runs when entering `nix-shell`: puts pass and the hook-enabled git
  # wrapper ahead of any git already on PATH.
  shellHook = ''
    PATH="${pkgs.lib.makeBinPath [ pkgs.pass wrapped-git ]}:$PATH"
  '';
} ''
  # The derivation output is irrelevant; only the shell environment matters.
  touch $out
''