lanzaboote/flake.nix at master · nix-community/lanzaboote · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
{
  description = "Secure Boot for NixOS";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

    # Not used in the flake itself. Only used to make the source available for
    # the project.
    pre-commit = {
      url = "github:cachix/pre-commit-hooks.nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    crane = {
      url = "github:ipetkov/crane";
    };

    rust-overlay = {
      url = "github:oxalica/rust-overlay";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };

  outputs =
    {
      self,
      nixpkgs,
      crane,
      rust-overlay,
      ...
    }:
    let
      eachSystem = nixpkgs.lib.genAttrs [
        "x86_64-linux"
        # Not tested in CI. Best effort support.
        "aarch64-linux"
      ];

      # Instantiate only once for each system.
      #
      # Still allow flakes users to override dependencies in the normal flake
      # way.
      lanzaboote = eachSystem (
        system:
        let
          pkgs = nixpkgs.legacyPackages.${system};
        in
        import ./. {
          inherit system pkgs rust-overlay;
          crane = crane.mkLib pkgs;
        }
      );
    in
    {
      nixosModules = {
        default = self.nixosModules.lanzaboote;
        lanzaboote = (
          { pkgs, lib, ... }:
          {
            imports = [
              ./nix/modules/lanzaboote.nix
            ];

            boot.lanzaboote.package =
              let
                system = pkgs.stdenv.hostPlatform.system;
              in
              lib.mkDefault self.packages.${system}.lzbt;
          }
        );
      };

      packages = eachSystem (
        system: builtins.removeAttrs lanzaboote.${system}.packages [ "recurseForDerivations" ]
      );

      # Temporarily include the checks in the flake so that CI picks them up.
      checks = eachSystem (
        system:
        let
          checks = lanzaboote.${system}.checks;
        in
        {
          tool = checks.stub.package;
          toolClippy = checks.stub.clippy;
          toolRustfmt = checks.stub.rustfmt;

          stub = checks.stub.package;
          stubClippy = checks.stub.clippy;
          stubRustfmt = checks.stub.rustfmt;

          docsHtml = checks.docs.html;
          docsOptions = checks.docs.options;

          inherit (checks) pre-commit;
        }
        // builtins.removeAttrs checks.tests [ "recurseForDerivations" ]
      );

    };
}