mirror of
https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config.git
synced 2024-11-25 12:31:27 +00:00
docs: provide and document a quick way to apply a change to nixpkgs (#90)
Only one way is documented, when a typical overlay for a single package is used, which brings its own dependencies from a given nixpkgs commit.

Co-authored-by: Alexander Tomokhov <alexoundos@gmail.com>
Reviewed-on: https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/pulls/90
Reviewed-by: Inex Code <inex.code@selfprivacy.org>
Co-authored-by: Alexander Tomokhov <alexoundos@selfprivacy.org>
Co-committed-by: Alexander Tomokhov <alexoundos@selfprivacy.org>
This commit is contained in:
parent
2b93bca958
commit
cfbc5ce7fa
14
README.md
|
@ -93,3 +93,17 @@ On [selfprivacy-nixos-infect](https://git.selfprivacy.org/SelfPrivacy/selfprivac
|
||||||
```bash
|
```bash
|
||||||
readonly CONFIG_URL="https://git.selfprivacy.org/api/v1/repos/SelfPrivacy/selfprivacy-nixos-template/archive/HASH.tar.gz"
|
readonly CONFIG_URL="https://git.selfprivacy.org/api/v1/repos/SelfPrivacy/selfprivacy-nixos-template/archive/HASH.tar.gz"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## How to apply a change (e.g. CVE fix) to nixpkgs
|
||||||
|
|
||||||
|
### if you can determine which nixpkgs package is affected
|
||||||
|
|
||||||
|
- without building from source _(after nixpkgs binary cache is ready)_ - it will use all dependencies from the nixpkgs commit, where the patch is committed:
|
||||||
|
|
||||||
|
1. Find a nixpkgs commit, which contains the patched files. It doesn't have to be (but it can be) the commit where the actual patch was introduced, it can be a more recent commit.
|
||||||
|
2. In [`overlay.nix`](overlay.nix) file write a line inside the existing curly brackets following the following pattern:
|
||||||
|
```nix
|
||||||
|
PACKAGE_NAME = (builtins.getFlake "github:nixos/nixpkgs/NIXPKGS_COMMIT_SHA1").legacyPackages.${system}.PACKAGE_NAME;
|
||||||
|
```
|
||||||
|
Substitute `PACKAGE_NAME` and `NIXPKGS_COMMIT_SHA1` with affected package name and nixpkgs commit SHA1 (found at step 1), respectively.
|
||||||
|
3. Commit the [`overlay.nix`](overlay.nix) changes. Configuration is ready to be built.
|
||||||
|
|
|
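Review bot: step 2 tells the reader to overlay `PACKAGE_NAME`, but neither the heading nor the bullet says what to do when the CVE sits in a library the package links against: since `builtins.getFlake` brings the whole dependency closure of `PACKAGE_NAME` from `NIXPKGS_COMMIT_SHA1`, the attribute to overlay must be the consuming package (the one the service actually runs), not the patched library, because other packages from the current nixpkgs are not rebuilt against an overlaid library. The heading `### if you can determine which nixpkgs package is affected` also promises an alternative branch that is not documented; either add the other case or reword the heading so it does not read as half of a pair. Minor: `write a line inside the existing curly brackets following the following pattern` reads awkwardly; `using the following pattern` would do.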
@ -149,6 +149,9 @@ in
|
||||||
# allowed-uris = [];
|
# allowed-uris = [];
|
||||||
allow-dirty = false;
|
allow-dirty = false;
|
||||||
};
|
};
|
||||||
|
nixpkgs.overlays = [
|
||||||
|
(import ./overlay.nix config.nixpkgs.hostPlatform.system)
|
||||||
|
];
|
||||||
services.journald.extraConfig = "SystemMaxUse=500M";
|
services.journald.extraConfig = "SystemMaxUse=500M";
|
||||||
boot.kernel.sysctl = {
|
boot.kernel.sysctl = {
|
||||||
"net.ipv4.ip_forward" = 1; # TODO why is it here by default, for VPN only?
|
"net.ipv4.ip_forward" = 1; # TODO why is it here by default, for VPN only?
|
||||||
|
|
|
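Review bot: `config.nixpkgs.hostPlatform.system` is passed into the overlay only so that it can index `legacyPackages.${system}`; the overlay already receives `final`/`prev`, so `prev.stdenv.hostPlatform.system` yields the same string without threading `config` into the overlay and would let `overlay.nix` be a plain `final: prev:` overlay usable outside this module. If the extra parameter is kept, a one-line comment next to `nixpkgs.overlays` pointing at the README section `How to apply a change (e.g. CVE fix) to nixpkgs` would help the next reader find the documented workflow.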
@ -33,7 +33,7 @@
|
||||||
environment.etc."selfprivacy/nixos-config-source".source =
|
environment.etc."selfprivacy/nixos-config-source".source =
|
||||||
top-level-flake;
|
top-level-flake;
|
||||||
|
|
||||||
# for running "nix search nixpkgs", etc
|
# for running "nix search nixpkgs", "nix shell nixpkgs#PKG... etc
|
||||||
nix.registry.nixpkgs.flake = nixpkgs;
|
nix.registry.nixpkgs.flake = nixpkgs;
|
||||||
|
|
||||||
# embed commit sha1 for `nixos-version --configuration-revision`
|
# embed commit sha1 for `nixos-version --configuration-revision`
|
||||||
|
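Review bot: the edited comment `# for running "nix search nixpkgs", "nix shell nixpkgs#PKG... etc` leaves the second double quote unclosed; `"nix shell nixpkgs#PKG", etc.` keeps the quoting balanced and matches the style of the first example.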
@ -49,7 +49,7 @@
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
++
|
++
|
||||||
# add SP modules, but contrain available config attributes for each
|
# add SP modules, but constrain available config attributes for each
|
||||||
# (TODO revise evaluation performance of the code below)
|
# (TODO revise evaluation performance of the code below)
|
||||||
nixpkgs.lib.attrsets.mapAttrsToList
|
nixpkgs.lib.attrsets.mapAttrsToList
|
||||||
(name: sp-module: args@{ config, pkgs, ... }:
|
(name: sp-module: args@{ config, pkgs, ... }:
|
||||||
|
|
10
overlay.nix
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
system:
|
||||||
|
_final: _prev:
|
||||||
|
{
|
||||||
|
# Here is a template to bring a specific package from a given nixpkgs commit:
|
||||||
|
# PACKAGE_NAME = (builtins.getFlake "github:nixos/nixpkgs/NIXPKGS_COMMIT_SHA1").legacyPackages.${system}.PACKAGE_NAME;
|
||||||
|
# Substitute `PACKAGE_NAME` and `NIXPKGS_COMMIT_SHA1` accordingly.
|
||||||
|
# If a package already exists it is overlaid (previous one gets inaccessible).
|
||||||
|
# roundcube CVE fix example (from nixpkgs PR (https://github.com/NixOS/nixpkgs/pull/332654)):
|
||||||
|
# roundcube = (builtins.getFlake "github:nixos/nixpkgs/9e2f16514b23963621325d93920c9f896ec54ca3").legacyPackages.${system}.roundcube;
|
||||||
|
}
|
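Review bot: the `github:nixos/nixpkgs/<rev>` references in this overlay are resolved by `builtins.getFlake` outside `flake.lock`, so unlike the regular `nixpkgs` input no `narHash` is recorded and the tarball served for that rev is trusted as-is; appending `?narHash=sha256-...` to the flake reference, or at least documenting in the template comment that the rev must be a full 40-character commit SHA1 and never a branch or tag, pins what `legacyPackages.${system}.roundcube` is evaluated against. The comment `previous one gets inaccessible` overstates the behaviour: the earlier package stays reachable as `prev.roundcube` inside the overlay chain, which is also why `_prev` is worth keeping as `prev` if a fallback to it is ever needed. Style: the nested parentheses in `(from nixpkgs PR (https://github.com/NixOS/nixpkgs/pull/332654))` could simply be `(from nixpkgs PR https://github.com/NixOS/nixpkgs/pull/332654)`.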