authorsternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org>2021-04-13 23:30:21 +0200
committersternenseemann <0rpkxez4ksa01gb3typccl0i@systemli.org>2021-04-13 23:30:21 +0200
commit67e0540e443706624fff62605f6a632226e95fb4 (patch)
treeecd6554f5aadaba1705e28006c370aa5db55682f /pkgs/sternenseemann/build-git-tarball/default.nix
parentaeb3813d405eb77e804b350e9f51c88dd4e464c2 (diff)
pkgs/sternenseemann: add release tarball tooling
The following nix functions allow easily creating derivations for
building a signed releases directory for project(s) to be served via
e. g. HTTP.

* buildGitTarball: builds a reproducible .tar.gz for a given git
  revision or tag (similar to git archive, but we don't actually
  reuse it in favor of fetchgit).
* bundleSignedReleases: symlinks tarballs generated using
  buildGitTarball and accompanying (manually provided) signatures into a
  directory and verifies the signatures to ensure buildGitTarball is
  doing what it's supposed to.
Diffstat (limited to 'pkgs/sternenseemann/build-git-tarball/default.nix')
-rw-r--r--pkgs/sternenseemann/build-git-tarball/default.nix41
1 files changed, 41 insertions, 0 deletions
diff --git a/pkgs/sternenseemann/build-git-tarball/default.nix b/pkgs/sternenseemann/build-git-tarball/default.nix
new file mode 100644
index 00000000..816ad9e2
--- /dev/null
+++ b/pkgs/sternenseemann/build-git-tarball/default.nix
@@ -0,0 +1,41 @@
+# Build a reproducible tar.gz from a git revision or tag
+{ lib
+, fetchgit
+, runCommandNoCC
+, gnutar
+, gzip
+, getBins
+}:
+
+{ url
+, sha256
+, pname
+, subDir ? ""
+, ...
+}@args:
+
+assert lib.assertMsg (args ? rev || args ? tag) "Need either rev or tag";
+
+let
+  bins = getBins gzip [ "gzip" ]
+      // getBins gnutar [ "tar" ]
+      ;
+
+  shortRev = args.tag or args.rev;
+  realRev =
+    if args ? tag
+    then "refs/tags/${args.tag}"
+    else args.rev;
+
+  source = fetchgit {
+    inherit url sha256;
+    rev = realRev;
+  };
+
+  basename = "${pname}-${shortRev}";
+in
+
+runCommandNoCC "${basename}.tar.gz" {} ''
+  cd ${source}${subDir}
+  ${bins.tar} -c ./ --transform 's/^\./${basename}/' | ${bins.gzip} > $out
+''
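Review bot: The `${bins.tar} -c ./ …` line leaves member order and recorded ownership to tar's defaults, so the "reproducible" promise in the header comment is not enforced by the code: entries are written in readdir order, and the owner/group fields depend on how the build environment presents the store files. The commit message says manually provided signatures are verified against this output, so any drift between build hosts would surface as a signature failure rather than as an obvious build difference. I would pin it with `${bins.tar} --sort=name --owner=0 --group=0 --numeric-owner -c ./ --transform 's/^\./${basename}/S' | ${bins.gzip} -n > $out`, where `-n` keeps gzip from writing a name or timestamp into its header. The trailing `S` flag matters because GNU tar applies `--transform` to symlink targets by default, so a relative target beginning with `.` would otherwise likely be rewritten too.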