flake.nix
{
  # Permits import-from-derivation: evaluation may build a derivation and read
  # its output. The use visible in this file is the `regen-nix` devshell
  # command, which calls builtins.readFile on a built script.
  # NOTE(review): ./nix/*.nix is not visible here and may rely on it as well.
  nixConfig.allow-import-from-derivation = true;
  description = "cabal-audit's flake";

  inputs = {
    # flake inputs
    # NOTE(review): every URL below names a branch or a repository default,
    # not a revision; the revisions actually used come from flake.lock (not
    # shown here), so lock-file updates deserve the same review as code.
    nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
    # flake parts
    parts.url = "github:hercules-ci/flake-parts";
    pre-commit-hooks.url = "github:cachix/git-hooks.nix";
    devshell.url = "github:numtide/devshell";
    # end flake parts
    # end flake inputs
  };

  outputs = inputs:
    inputs.parts.lib.mkFlake {inherit inputs;} {
      systems = ["x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin"];
      imports = [inputs.pre-commit-hooks.flakeModule inputs.devshell.flakeModule];
      perSystem = {
        config,
        pkgs,
        lib,
        ...
      }: let
        haskellLib = pkgs.haskell.lib.compose;
        # GHC 9.8 package set with the project's overlay applied on top.
        haskellPackages = pkgs.haskell.packages.ghc98.override {
          overrides = import ./nix/haskell-overlay.nix {hlib = haskellLib;};
        };
        # Hooks enabled for the git pre-commit hook and for the flake check.
        lintHooks = ["cabal-fmt" "fourmolu" "hlint" "alejandra" "statix" "deadnix"];
      in {
        # The pre-commit flake module contributes two things:
        # 1. a pre-commit script that runs on every commit and checks the
        #    formatting and lints of Haskell and nix files; it can be skipped
        #    with -n or --no-verify
        # 2. an entry in the checks.<system> attrset, run by `nix flake check`,
        #    that applies the same lints as the hook
        # Because (1) can be skipped by the committer, (2) is the one to rely
        # on wherever the lints have to be enforced.
        pre-commit = {
          check.enable = true;
          settings.hooks = lib.genAttrs lintHooks (_: {enable = true;});
        };

        # Plain Haskell shell, defined in ./nix/haskell-shell.nix (not visible here).
        devShells.plain-haskell = import ./nix/haskell-shell.nix {hspkgs = haskellPackages;};

        # See https://flake.parts/options/devshell for the available options.
        # One benefit is the menu it prints, listing the commands that are
        # offered and loaded as part of the devShell.
        devshells.default = {
          commands = [
            {
              name = "lint";
              help = "run formatting and linting of haskell and nix files in the entire repository";
              command = "pre-commit run --all";
            }
            {
              name = "regen-nix";
              help = "regenerate nix derivations for haskell packages";
              # The command body is the text of the built regen-nix script,
              # read back during evaluation (import-from-derivation).
              command =
                builtins.readFile (lib.getExe config.packages.regen-nix);
            }
          ];
          devshell = {
            name = "cabal-audit";
            packagesFrom = [config.devShells.plain-haskell];
            packages = [pkgs.cabal2nix pkgs.alejandra];
            # Runs the installation script supplied by the pre-commit module
            # as a shell startup step.
            startup.pre-commit.text = config.pre-commit.installationScript;
          };
        };

        packages = {
          inherit (haskellPackages) cabal-audit;
          inherit (pkgs) groff;
          default = config.packages.cabal-audit;
          # Built with the pkgsStatic package set; the build itself lives in
          # ./nix/static.nix (not visible here).
          cabal-audit-static = pkgs.pkgsStatic.callPackage ./nix/static.nix {};
          # Rewrites the generated expressions under ./nix: one file per
          # package taken from haskell/security-advisories, then
          # cabal-audit.nix for this repository, then reformats the directory.
          # NOTE(review): the files are overwritten in place, so the resulting
          # diff should be read before it is committed.
          regen-nix = pkgs.writeShellApplication {
            name = "regen-cabal-audit-nix";
            runtimeInputs = [pkgs.cabal2nix pkgs.alejandra];
            text = let
              # Upstream is referenced by a full revision hash rather than a
              # branch, so repeated runs generate from the same source until
              # this value is changed on purpose.
              advisoriesRev = "add617d5026bd31cad2bdbe8259b5f67381db246";
              # Shell fragment that writes ./<pkg>.nix from code/<pkg>/ upstream.
              cabal2nixFor = pkg: ''
                cabal2nix https://github.com/haskell/security-advisories.git \
                --revision ${advisoriesRev} \
                --subpath code/${pkg}/ > ./${pkg}.nix
              '';
              # PRJ_ROOT is not defined in this file; presumably it is exported
              # by the devshell environment -- verify before running elsewhere.
            in ''
              pushd "$PRJ_ROOT"/nix
              ${lib.concatMapStrings cabal2nixFor ["osv" "cvss" "hsec-core" "hsec-tools"]}
              cabal2nix ../. > ./cabal-audit.nix
              alejandra ./.
              popd
            '';
          };
        };
      };
    };
}