4 files changed, 111 insertions, 27 deletions
diff --git a/pkgs/by-name/lf/lf-make-map/src/mapping/interactive.rs b/pkgs/by-name/lf/lf-make-map/src/mapping/interactive.rs
index 31324e1d..b8ac27d2 100644
--- a/pkgs/by-name/lf/lf-make-map/src/mapping/interactive.rs
+++ b/pkgs/by-name/lf/lf-make-map/src/mapping/interactive.rs
@@ -8,7 +8,7 @@
 // You should have received a copy of the License along with this program.
 // If not, see <https://www.gnu.org/licenses/gpl-3.0.txt>.
 
-use std::{io::stdout, path::PathBuf};
+use std::{io::stderr, path::PathBuf};
 
 use anyhow::Result;
 use crossterm::{
@@ -35,7 +35,7 @@ impl MappingsTrie {
     pub fn interactive_start(&self, home_path: PathBuf) -> Result<()> {
         terminal::enable_raw_mode()?;
         execute!(
-            stdout(),
+            stderr(),
             EnterAlternateScreen,
             PushKeyboardEnhancementFlags(KeyboardEnhancementFlags::DISAMBIGUATE_ESCAPE_CODES),
             MoveToRow(0)
@@ -43,7 +43,7 @@ impl MappingsTrie {
 
         let output = self.interactive_start_inner(home_path);
 
-        execute!(stdout(), LeaveAlternateScreen, PopKeyboardEnhancementFlags)?;
+        execute!(stderr(), LeaveAlternateScreen, PopKeyboardEnhancementFlags)?;
         terminal::disable_raw_mode()?;
 
         match output? {
@@ -59,18 +59,16 @@ impl MappingsTrie {
     fn interactive_start_inner(&self, home_path: PathBuf) -> Result<Status> {
         macro_rules! done {
             ($state:ident, $last_length:ident) => {{
-                let value = self
-                    .0
-                    .get(&$state)
-                    .expect("Is some")
-                    .value()
-                    .expect("is some");
+                let value = match self.0.get(&$state).expect("Is some").value() {
+                    Some(value) => value,
+                    None => return Ok(Status::Stop),
+                };
 
                 let path = home_path.join(&value.path);
 
                 terminal::disable_raw_mode()?;
                 execute!(
-                    stdout(),
+                    stderr(),
                     MoveUp($last_length as u16),
                     Clear(ClearType::FromCursorDown),
                     Print(format!("{}\n", path.display()))
@@ -101,7 +99,7 @@ impl MappingsTrie {
                 terminal::disable_raw_mode()?;
                 let string = trie.to_string();
                 execute!(
-                    stdout(),
+                    stderr(),
                     MoveUp(last_length as u16),
                     Clear(ClearType::FromCursorDown),
                     Print(format!(
diff --git a/pkgs/by-name/ta/tails-iso/files.json b/pkgs/by-name/ta/tails-iso/files.json
new file mode 100644
index 00000000..0e42badf
--- /dev/null
+++ b/pkgs/by-name/ta/tails-iso/files.json
@@ -0,0 +1,7 @@
+{
+  "version": "7.8.1",
+  "files": {
+    "iso.sig": "sha256-DQm+EHe0KllmzLQzGU61cqaRDNjhU3KUCtDzHKDwWck=",
+    "iso": "sha256-Y4Sch1ZgWUODi9rxcXimVrFvicXPCN6SgLvINvJGcvw="
+  }
+}
diff --git a/modules/by-name/bo/boot/tails_iso.nix b/pkgs/by-name/ta/tails-iso/package.nix
index ec2b740b..87bfd0b2 100644
--- a/modules/by-name/bo/boot/tails_iso.nix
+++ b/pkgs/by-name/ta/tails-iso/package.nix
@@ -7,21 +7,28 @@
 #
 # You should have received a copy of the License along with this program.
 # If not, see <https://www.gnu.org/licenses/gpl-3.0.txt>.
-{pkgs ? (builtins.getFlake "nixpkgs").legacyPackages."x86_64-linux"}: let
-  checked_iso = pkgs.stdenv.mkDerivation (finalAttrs: {
-    pname = "tails-iso";
-    version = "amd64-7.8";
+{
+  stdenv,
+  fetchurl,
+  sequoia-sq,
+  libarchive, # for bsdtar
+}: let
+  files = builtins.fromJSON (builtins.readFile (./files.json));
+
+  checked_iso = stdenv.mkDerivation (finalAttrs: {
+    pname = "raw-tails-iso";
+    version = "amd64-${files.version}";
 
     srcs = [
-      (pkgs.fetchurl {
+      (fetchurl {
         url = "https://tails.net/torrents/files/tails-${finalAttrs.version}.iso.sig";
-        hash = "sha256-58vDQdXQYYqeVUHzupmDPtVVpSrxtT25+gwHe2OfvkA=";
+        hash = files.files."iso.sig";
       })
-      (pkgs.fetchurl {
+      (fetchurl {
         url = "https://download.tails.net/tails/stable/tails-${finalAttrs.version}/tails-${finalAttrs.version}.iso";
-        hash = "sha256-ewLHQ+3iI3aHgvKdBgysQ9QAudQ7AM83WP+VdYFmxt0=";
+        hash = files.files."iso";
       })
-      (pkgs.fetchurl {
+      (fetchurl {
         url = "https://tails.net/tails-signing.key";
         hash = "sha256-OwdqyM7o7K6F5Km0U1RU3hzsnaT+Yw0sjQk/thMeq1k=";
       })
@@ -30,7 +37,7 @@
     dontUnpack = true;
 
     nativeBuildInputs = [
-      pkgs.sequoia-sq
+      sequoia-sq
     ];
 
     buildPhase =
@@ -53,15 +60,16 @@
     '';
   });
 in
-  pkgs.stdenv.mkDerivation {
-    name = "live_iso_boot_entry";
+  stdenv.mkDerivation {
+    pname = "tails-iso-package";
+    inherit (checked_iso) version;
 
     src = checked_iso;
 
     dontUnpack = true;
 
-    nativeBuildInputs = with pkgs; [
-      libarchive # for bsdtar
+    nativeBuildInputs = [
+      libarchive
     ];
 
     buildPhase = ''
@@ -69,10 +77,15 @@ in
       bsdtar -xf "$src" -C iso
     '';
 
+    passthru = {
+      inherit (files) version;
+    };
+
     installPhase = ''
-      install -D ./iso/live/initrd.img "$out/live/initramfs-linux.img"
+      install -D "$src" "$out/tails.iso"
       install -D ./iso/live/vmlinuz "$out/live/vmlinuz-linux"
+      install -D ./iso/live/initrd.img "$out/live/initrd.img"
 
-      install -D "$src" "$out/tails.iso"
+      chmod --recursive -x $out/tails.iso $out/live/*
     '';
   }
diff --git a/pkgs/by-name/ta/tails-iso/update.sh b/pkgs/by-name/ta/tails-iso/update.sh
new file mode 100755
index 00000000..5a2a81cd
--- /dev/null
+++ b/pkgs/by-name/ta/tails-iso/update.sh
@@ -0,0 +1,66 @@
+#! /usr/bin/env sh
+
+set -e
+
+tmpHomePath="$(mktemp -d "${TMPDIR:-/tmp}/nix-prefetch-url-XXXXXXXXXX")"
+cleanup() {
+    chmod -R u+w "$tmpHomePath"
+    rm -rf "$tmpHomePath"
+}
+trap cleanup EXIT
+
+info() {
+    echo "$1" 1>&2
+}
+
+# Returns a name based on the url and reference
+#
+# This function needs to be in sync with nix's fetchgit implementation
+# of urlToName() to re-use the same nix store paths.
+url_to_name() {
+    url=$1
+
+    basename "$url" .git | cut -d: -f2
+}
+
+get_sha256() {
+    url="$1"
+    storePathName="$(url_to_name "$url")"
+    hashType="sha256"
+
+    tmpOut="$tmpHomePath/$storePathName"
+    info "Prefetching '$url'..."
+
+    curl --follow "$url" >"$tmpOut"
+
+    # Compute the hash.
+    hash=$(nix-hash --flat --type "$hashType" --sri "$tmpOut")
+
+    # Add the downloaded file to the Nix store.
+    finalPath=$(nix-store --add-fixed "$hashType" "$tmpOut")
+
+    info "  -> Downloaded to '$finalPath'"
+    echo "$hash"
+}
+
+old_version="$(jq .version --raw-output <./files.json)"
+new_version="$(curl --follow https://download.tails.net/tails/stable/ 2>/dev/null | html2text -links | grep --regexp='\s*[0-9]\. tails-amd64-' | sed 's/\s*[0-9]\. tails-amd64-\(.*\)\//\1/')"
+
+if [ "$old_version" = "$new_version" ]; then
+    # No need to update.
+    info exit 0
+fi
+
+final_version="amd64-$new_version"
+
+cat <<EOF | jq . | tee ./files.json
+{
+    "version": "$new_version",
+    "files": {
+        "iso.sig": "$(get_sha256 "https://tails.net/torrents/files/tails-$final_version.iso.sig")",
+        "iso": "$(get_sha256 "https://download.tails.net/tails/stable/tails-$final_version/tails-$final_version.iso")"
+    }
+}
+EOF
+
+# vim: ft=sh