Incorporate Nix Friday Feedback

Author: David Arnold

default.nix

@@ -3,5 +3,8 @@
 }:
 import nixpkgs {
   inherit system;
-  overlays = [ (import ./overlay.nix) ];
+  overlays = [
+      (import ./overlay.nix)
+      (import ./extensions/overlay.nix)
+  ];
 }

devshell.toml

@@ -16,18 +16,6 @@ packages = [
 #
 # motd = ""
 
-# This setting helps to add a project's shared *development* root CA
-# to host's local trust stores by instrumenting the mkcert third party tool.
-# Defining this section also adds `mkcert` to the available packages.
-# Set to the path where mkcert-generated CAROOT files are expected to exist
-#
-# NOTES:
-# - be careful to only put *development* certificates under version control
-# - create those files with the devshell generated *-install-CA command
-# - optionally put this path under .gitignore, if you want users to
-#   generate certificates themselves on first clone (using *-install-CA)
-dev-ca-path = "./dev-ca"
-
 # Use this section to set environment variables to have in the environment.
 #
 # NOTE: all the values are escaped
@@ -67,10 +55,32 @@ name = "hub"
 package = "gitAndTools.hub"
 category = "utilites"
 
+
+# ============================================================================
+# Example of custom extensions NOT part of devshell, see also:
+# ============================================================================
+# ./default.nix
+# ./shell.nix
+# ./extensions/*
+# ============================================================================
+
+[extensions]
+# This setting helps to add a project's shared *development* root CA
+# to host's local trust stores by instrumenting the mkcert third party tool.
+# Defining this section also adds `mkcert` to the available packages.
+# Set to the path where mkcert-generated CAROOT files are expected to exist
+#
+# NOTES:
+# - be careful to only put *development* certificates under version control
+# - create those files with the devshell generated *-install-CA command
+# - optionally put this path under .gitignore, if you want users to
+#   generate certificates themselves on first clone (using *-install-CA)
+dev-ca-path = "./dev-ca"
+
 # These settings help to manage local DNS overrides via
 # instrumentation of the hostcl third party tool.
 # Defining this section also adds `hostctl` to the available packages.
-[static-dns]
+[extensions.static-dns]
 "test.domain.local" = "172.0.0.1"
 "shared.domain.link-local" = "169.254.0.5"
 

devshell/config.go

@@ -25,11 +25,9 @@ type config struct {
 	Name      string                 `toml:"name"`
 	Packages  []string               `toml:"packages"`
 	Motd      *string                `toml:"motd"`
-	DevCaPath *string                `toml:"dev-ca-path,omitempty"`
 	Env       map[string]interface{} `toml:"env"`
 	Bash      configBash             `toml:"bash,omitempty"`
 	Commands  []configCommand        `toml:"commands"`
-	StaticDNS map[string]interface{} `toml:"static-dns,omitempty"`
 }
 
 func configLoad(path string) (*config, error) {

docs/devshell.toml

@@ -16,18 +16,6 @@ packages = [
 #
 # motd = ""
 
-# This setting helps to add a project's shared *development* root CA
-# to host's local trust stores by instrumenting the mkcert third party tool.
-# Defining this section also adds `mkcert` to the available packages.
-# Set to the path where mkcert-generated CAROOT files are expected to exist
-#
-# NOTES:
-# - be careful to only put *development* certificates under version control
-# - create those files with the devshell generated *-install-CA command
-# - optionally put this path under .gitignore, if you want users to
-#   generate certificates themselves on first clone (using *-install-CA)
-# dev-ca-path = "./dev-ca"
-
 # Use this section to set environment variables to have in the environment.
 #
 # NOTE: all the values are escaped
@@ -67,9 +55,3 @@ name = "hub"
 package = "gitAndTools.hub"
 category = "utilites"
 
-# These settings help to manage local DNS overrides via
-# instrumentation of the hostcl third party tool.
-# Defining this section also adds `hostctl` to the available packages.
-[static-dns]
-"test.domain.local" = "172.0.0.1"
-"shared.domain.link-local" = "169.254.0.5"

docs/devshell.toml.md

@@ -24,18 +24,6 @@ packages = [
 #
 # motd = ""
 
-# This setting helps to add a project's shared *development* root CA
-# to host's local trust stores by instrumenting the mkcert third party tool.
-# Defining this section also adds `mkcert` to the available packages.
-# Set to the path where mkcert-generated CAROOT files are expected to exist
-#
-# NOTES:
-# - be careful to only put *development* certificates under version control
-# - create those files with the devshell generated *-install-CA command
-# - optionally put this path under .gitignore, if you want users to
-#   generate certificates themselves on first clone (using *-install-CA)
-# dev-ca-path = "./dev-ca"
-
 # Use this section to set environment variables to have in the environment.
 #
 # NOTE: all the values are escaped
@@ -74,13 +62,6 @@ help = "github utility"
 name = "hub"
 package = "gitAndTools.hub"
 category = "utilities"
-
-# These settings help to manage local DNS overrides via
-# instrumentation of the hostcl third party tool.
-# Defining this section also adds `hostctl` to the available packages.
-[static-dns]
-"test.domain.local" = "172.0.0.1"
-"shared.domain.link-local" = "169.254.0.5"
 ```
 
 ## Schema
@@ -104,8 +85,6 @@ The name field is optional and defaults to `devshell`.
 
 ### The `motd` field
 
-### The `dev-ca-path` field
-
 ### The `env` section
 
 ### The `bash.extra` field
@@ -119,5 +98,3 @@ The name field is optional and defaults to `devshell`.
 * `name`:
 * `package`:
 
-### The `static-dns` section
-

hostctl/default.nix extensions/hostctl/default.nixhostctl/default.nix renamed to extensions/hostctl/default.nix

@@ -0,0 +1,118 @@
+{ lib, pkgs, config, ... }:
+with lib;
+let
+  inherit (config)
+    name
+    ;
+  inherit (config.extensions)
+    static-dns
+    dev-ca-path
+    ;
+
+  installProjectCA = {
+    name = "ca-install";
+    help = "install dev CA";
+    category = "host state";
+    package = pkgs.mkcert;
+    command = ''
+      echo "$(tput bold)Installing the ${name}'s dev CA into local trust stores via mkcert command ...$(tput sgr0)"
+      export CAROOT=${dev-ca-path}
+      ${pkgs.mkcert}/bin/mkcert -install
+    '';
+  };
+  uninstallProjectCA = {
+    name = "ca-uninstall";
+    help = "uninstall dev CA";
+    category = "host state";
+    package = pkgs.mkcert;
+    command = ''
+      echo "$(tput bold)Purging the ${name}'s dev CA from local trust stores via mkcert command ...$(tput sgr0)"
+      export CAROOT=${dev-ca-path}
+      ${pkgs.mkcert}/bin/mkcert -uninstall
+    '';
+  };
+
+  etcHosts = pkgs.writeText "${name}-etchosts"
+    (lib.concatStringsSep "\n"
+      (lib.mapAttrsToList (name: value: value + " " + name) static-dns)
+    );
+  # since this temporarily modifies /etc/hosts, use of sudo can't be avoided
+  fqdnsActivate = {
+    name = "dns-activate";
+    category = "host state";
+    help = "activate pre-configured static dns";
+    package = pkgs.hostctl;
+    command = ''
+      echo "$(tput bold)Installing ${name}'s static local DNS resolution via hostctl command ...$(tput sgr0)"
+      sudo ${pkgs.hostctl}/bin/hostctl add ${name} --from ${etcHosts}
+    '';
+  };
+  fqdnsDeactivate = {
+    name = "dns-deactivate";
+    category = "host state";
+    help = "deactivate pre-configured static dns";
+    package = pkgs.hostctl;
+    command = ''
+      echo "$(tput bold)Purging ${name}'s static local DNS resolution via hostctl command ...$(tput sgr0)"
+      sudo ${pkgs.hostctl}/bin/hostctl remove ${name}
+    '';
+  };
+  extensionOptions = {
+    dev-ca-path = mkOption {
+      type = types.str;
+      default = "";
+      description = ''
+        Path to a development CA.
+
+        Users can load/unload this dev CA easily and cleanly into their local
+        trust stores via a wrapper around mkcert third party tool so that browsers
+        and other tools would accept issued certificates under this CA as valid.
+
+        Use cases:
+         - Ship static dev certificates under version control and make them trusted
+           on user machines: add the rootCA under version control alongside the
+           your dev certificates.
+         - Provide users with easy and reliable CA bootstrapping through the mkcert
+           command: exempt this path from version control via .gitignore and have
+           users  easily and reliably bootstrap a dev CA infrastructure on first use.
+      '';
+    };
+    static-dns = mkOption {
+      type = types.attrs;
+      default = { };
+      description = ''
+        A list of static DNS entries, for which to enable instrumentation.
+
+        Users can enable/disable listed static DNS easily and cleanly
+        via a wrapper around the hostctl third party tool.
+      '';
+      example = {
+        "test.domain.local" = "172.0.0.1";
+        "shared.domain.link-local" = "169.254.0.5";
+      };
+    };
+  };
+in
+{
+  options = {
+    extensions = mkOption {
+      type = types.submodule { options = extensionOptions; };
+      default = [ ];
+      description = ''
+        Custom extensions to devshell.
+      '';
+    };
+  };
+  config = {
+    commands =
+      (
+        if static-dns == null || static-dns == "" then [ ]
+        else [ fqdnsActivate fqdnsDeactivate ]
+      ) ++
+      (
+        if dev-ca-path == null || dev-ca-path == "" then [ ]
+        else [ installProjectCA uninstallProjectCA ]
+      );
+  };
+}
+

extensions/options.nix

@@ -0,0 +1,5 @@
+final: prev:
+{
+  hostctl = prev.callPackage ./hostctl { };
+}
+