docs: provide and document a quick way to apply a change to nixpkgs (#90)

Only one way is documented, when a typical overlay for a single package is used, which brings its own dependencies from a given nixpkgs commit.

Co-authored-by: Alexander Tomokhov <alexoundos@gmail.com>
Reviewed-on: https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/pulls/90
Reviewed-by: Inex Code <inex.code@selfprivacy.org>
Co-authored-by: Alexander Tomokhov <alexoundos@selfprivacy.org>
Co-committed-by: Alexander Tomokhov <alexoundos@selfprivacy.org>
This commit is contained in:
Alexander Tomokhov 2024-08-16 13:55:12 +03:00 committed by Inex Code
parent 2b93bca958
commit cfbc5ce7fa
4 changed files with 29 additions and 2 deletions

View file

@ -93,3 +93,17 @@ On [selfprivacy-nixos-infect](https://git.selfprivacy.org/SelfPrivacy/selfprivac
```bash ```bash
readonly CONFIG_URL="https://git.selfprivacy.org/api/v1/repos/SelfPrivacy/selfprivacy-nixos-template/archive/HASH.tar.gz" readonly CONFIG_URL="https://git.selfprivacy.org/api/v1/repos/SelfPrivacy/selfprivacy-nixos-template/archive/HASH.tar.gz"
``` ```
## How to apply a change (e.g. CVE fix) to nixpkgs
### if you can determine which nixpkgs package is affected
- without building from source _(after nixpkgs binary cache is ready)_ - it will use all dependencies from the nixpkgs commit, where the patch is committed:
1. Find a nixpkgs commit, which contains the patched files. It doesn't have to be (but it can be) the commit where the actual patch was introduced, it can be a more recent commit.
2. In [`overlay.nix`](overlay.nix) file write a line inside the existing curly brackets following the following pattern:
```nix
PACKAGE_NAME = (builtins.getFlake "github:nixos/nixpkgs/NIXPKGS_COMMIT_SHA1").legacyPackages.${system}.PACKAGE_NAME;
```
Substitute `PACKAGE_NAME` and `NIXPKGS_COMMIT_SHA1` with affected package name and nixpkgs commit SHA1 (found at step 1), respectively.
3. Commit the [`overlay.nix`](overlay.nix) changes. Configuration is ready to be built.

View file

@ -149,6 +149,9 @@ in
# allowed-uris = []; # allowed-uris = [];
allow-dirty = false; allow-dirty = false;
}; };
nixpkgs.overlays = [
(import ./overlay.nix config.nixpkgs.hostPlatform.system)
];
services.journald.extraConfig = "SystemMaxUse=500M"; services.journald.extraConfig = "SystemMaxUse=500M";
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1; # TODO why is it here by default, for VPN only? "net.ipv4.ip_forward" = 1; # TODO why is it here by default, for VPN only?

View file

@ -33,7 +33,7 @@
environment.etc."selfprivacy/nixos-config-source".source = environment.etc."selfprivacy/nixos-config-source".source =
top-level-flake; top-level-flake;
# for running "nix search nixpkgs", etc # for running "nix search nixpkgs", "nix shell nixpkgs#PKG... etc
nix.registry.nixpkgs.flake = nixpkgs; nix.registry.nixpkgs.flake = nixpkgs;
# embed commit sha1 for `nixos-version --configuration-revision` # embed commit sha1 for `nixos-version --configuration-revision`
@ -49,7 +49,7 @@
} }
] ]
++ ++
# add SP modules, but contrain available config attributes for each # add SP modules, but constrain available config attributes for each
# (TODO revise evaluation performance of the code below) # (TODO revise evaluation performance of the code below)
nixpkgs.lib.attrsets.mapAttrsToList nixpkgs.lib.attrsets.mapAttrsToList
(name: sp-module: args@{ config, pkgs, ... }: (name: sp-module: args@{ config, pkgs, ... }:

10
overlay.nix Normal file
View file

@ -0,0 +1,10 @@
system:
_final: _prev:
{
# Here is a template to bring a specific package from a given nixpkgs commit:
# PACKAGE_NAME = (builtins.getFlake "github:nixos/nixpkgs/NIXPKGS_COMMIT_SHA1").legacyPackages.${system}.PACKAGE_NAME;
# Substitute `PACKAGE_NAME` and `NIXPKGS_COMMIT_SHA1` accordingly.
# If a package already exists it is overlaid (previous one gets inaccessible).
# roundcube CVE fix example (from nixpkgs PR (https://github.com/NixOS/nixpkgs/pull/332654)):
# roundcube = (builtins.getFlake "github:nixos/nixpkgs/9e2f16514b23963621325d93920c9f896ec54ca3").legacyPackages.${system}.roundcube;
}