2 files changed, 47 insertions, 0 deletions
diff --git a/lib/hooks/pre-commit b/lib/hooks/pre-commit
index e69de29..bcd164c 100755
--- a/lib/hooks/pre-commit
+++ b/lib/hooks/pre-commit
@@ -0,0 +1,23 @@
+#!/usr/bin/env sh
+
+# full paths from the repo root separated by newlines
+MUST_NOT_CHANGE='hardware-configuration.nix
+key2.json'
+
+if git rev-parse --verify HEAD >/dev/null 2>&1
+then
+ against=HEAD
+else
+ # Initial commit: diff against an empty tree object
+ against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+fi
+
+exec 1>&2
+
+if git diff --cached --name-only $against | grep --quiet --line-regexp --fixed-strings "$MUST_NOT_CHANGE"
+then
+ echo Commit would modify one or more files that must not change.
+ exit 1
+else
+ exit 0
+fi
\ No newline at end of file
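Review bot: `git diff --cached --name-only $against` runs with rename detection, which is on by default in current Git (`diff.renames`), and for a renamed file `--name-only` prints only the new path. A staged `git mv key2.json other.json` would therefore not match the list even though a plain deletion does; `git diff --cached --name-only --no-renames "$against"` closes that gap and also quotes the variable. The same applies to the `git diff --name-only` call in lib/hooks/pre-receive. Because a pre-commit hook can be skipped on the client with `--no-verify`, a header comment such as `# advisory only; lib/hooks/pre-receive is the enforcing check` would tell readers which hook to rely on.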
diff --git a/lib/hooks/pre-receive b/lib/hooks/pre-receive
new file mode 100644
index 0000000..61a04dd
--- /dev/null
+++ b/lib/hooks/pre-receive
@@ -0,0 +1,24 @@
+#!/usr/bin/env sh
+
+# full paths from the repo root separated by newlines
+MUST_NOT_CHANGE='hardware-configuration.nix
+key2.json'
+
+z40=0000000000000000000000000000000000000000
+
+while read old_value new_value ref_name
+do
+ if [ "$old_value" = $z40 ]; then
+ # New branch: diff against an empty tree object
+ against=4b825dc642cb6eb9a060e54bf8d69288fbee4904
+ else
+ against=$old_value
+ fi
+
+ if git diff --name-only $against..$new_value |
+ grep --quiet --line-regexp --fixed-strings "$MUST_NOT_CHANGE"
+ then
+ echo "$ref_name" may commit key, rejected ... >&2
+ exit 1
+ fi
+done
\ No newline at end of file
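Review bot: The check at `git diff --name-only $against..$new_value` compares only the two endpoints of the push, so a push in which one commit modifies `key2.json` and a later commit restores it passes while the modified content stays in the pushed history; if the aim is to keep key material out of the repository, each new commit should be checked, as sketched below with `git rev-list` and `git diff-tree`. The sketch also skips ref deletions (new value all zeros) and, for a new ref, walks only the commits not already reachable from existing refs instead of diffing against the empty tree, which lists every file in the tree and so appears to reject any new branch that contains the protected files. Plain `git diff-tree` prints nothing for merge and root commits, so decide whether `-m` and `--root` are wanted. Separately, this file is created with mode 100644, and Git ignores hooks that are not executable, so unless the install step sets the bit the hook would not run.

```shell
while read -r old_value new_value ref_name
do
  # Ref deletion: nothing new to inspect
  [ "$new_value" = "$z40" ] && continue

  if [ "$old_value" = "$z40" ]; then
    # New ref: only commits not already reachable from existing refs
    commits=$(git rev-list "$new_value" --not --all)
  else
    commits=$(git rev-list "$old_value..$new_value")
  fi

  for commit in $commits; do
    if git diff-tree --no-commit-id --name-only -r "$commit" |
      grep --quiet --line-regexp --fixed-strings "$MUST_NOT_CHANGE"
    then
      echo "$ref_name: $commit touches a protected file, rejected" >&2
      exit 1
    fi
  done
done
```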