
nixos/security/wrappers: check that sources exist

Add a shell script that checks if the paths of all wrapped programs
actually exist to catch mistakes. This only checks for Nix store paths,
which are always expected to exist at build time.

rnhmjoj 7d8b303e 22004f7e

+29 -1
+29 -1
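--- a/nixos/modules/security/wrappers/default.nix
+++ b/nixos/modules/security/wrappers/default.nix
@@ -226,7 +226,7 @@
 ]}"
 '';
 
-###### setcap activation script
+###### wrappers activation script
 system.activationScripts.wrappers =
 lib.stringAfter [ "specialfs" "users" ]
 ''
@@ -257,5 +257,33 @@
 ln --symbolic $wrapperDir ${wrapperDir}
 fi
 '';
+
+###### wrappers consistency checks
+system.extraDependencies = lib.singleton (pkgs.runCommandLocal
+"ensure-all-wrappers-paths-exist" { }
+''
+# make sure we produce output
+mkdir -p $out
+
+echo -n "Checking that Nix store paths of all wrapped programs exist... "
+
+declare -A wrappers
+${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v:
+"wrappers['${n}']='${v.source}'") wrappers)}
+
+for name in "''${!wrappers[@]}"; do
+path="''${wrappers[$name]}"
+if [[ "$path" =~ /nix/store ]] && [ ! -e "$path" ]; then
+test -t 1 && echo -ne '\033[1;31m'
+echo "FAIL"
+echo "The path $path does not exist!"
+echo 'Please, check the value of `security.wrappers."'$name'".source`.'
+test -t 1 && echo -ne '\033[0m'
+exit 1
+fi
+done
+
+echo "OK"
+'');
 };
 }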
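Review bot: The generated assignments `"wrappers['${n}']='${v.source}'"` splice the wrapper name and source path into single-quoted bash without escaping, so a value containing `'` closes the quote and the remainder is parsed as shell inside the check's builder. Both values come from the system configuration, so this is most likely a confusing build failure rather than a boundary crossing, but escaping keeps the check honest: `"wrappers[${lib.escapeShellArg n}]=${lib.escapeShellArg v.source}") wrappers)}`. The test `[[ "$path" =~ /nix/store ]]` is also unanchored and hard-codes the store directory, so it matches that substring anywhere in a path; a prefix match such as `[[ "$path" == ${builtins.storeDir}/* ]]` limits the existence check to real store paths. In the failure message `$name` is expanded outside any quotes and should be written as `"$name"`. The enclosing `config` attribute set starts outside the hunks shown.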