# Nix derivation for step-ca, built with buildGoModule from the
# smallstep/certificates repository.
#
# Arguments:
#   hsmSupport – when true (default) the build links against the PC/SC
#                library (pcsclite on Linux, the PCSC framework on Darwin)
#                and pkg-config is pulled in to locate it; when false the
#                build is done with cgo disabled (see preBuild).
#   nixosTests – used only to expose the NixOS integration test via passthru.
{ stdenv
, lib
, fetchFromGitHub
, buildGoModule
, coreutils
, pcsclite
, PCSC
, pkg-config
, hsmSupport ? true
, nixosTests
}:

buildGoModule rec {
  pname = "step-ca";
  version = "0.24.2";

  # Source is fetched by tag. A git tag is mutable, so the content hash below
  # is what actually pins the source (supply-chain check): if the tag were
  # moved, the fetch would fail the hash check rather than build silently.
  # Both `version` and `hash` must be updated together on a bump.
  src = fetchFromGitHub {
    owner = "smallstep";
    repo = "certificates";
    rev = "refs/tags/v${version}";
    hash = "sha256-499gPucDfABpajrPPLLyPLwFSlPsY+m4hUvaur39+ug=";
  };

  # Fixed-output hash of the Go module dependencies fetched by buildGoModule;
  # it pins the dependency set and has to be refreshed whenever the upstream
  # go.mod/go.sum change.
  vendorHash = "sha256-aqDjL0bPRmEGmYU0XERvfxhk2IKWhs/GDCvh/PecIBw=";

  # An empty -buildid removes the Go build ID from the linked binary, which
  # helps make the output bit-for-bit reproducible.
  ldflags = [ "-buildid=" ];

  # pkg-config is only needed to find the PC/SC library for the HSM build.
  nativeBuildInputs = lib.optionals hsmSupport [ pkg-config ];

  # PC/SC is provided by pcsclite on Linux and by the system PCSC framework on
  # Darwin; neither is linked when HSM support is off.
  buildInputs =
    lib.optionals (hsmSupport && stdenv.isLinux) [ pcsclite ]
    ++ lib.optionals (hsmSupport && stdenv.isDarwin) [ PCSC ];

  # The upstream systemd unit references /bin/kill, which does not exist on
  # NixOS; point it at the store path of coreutils' kill instead.
  # NOTE(review): substituteInPlace --replace does not fail if the pattern is
  # absent, so a future upstream change to the unit would go unnoticed here.
  postPatch = ''
    substituteInPlace systemd/step-ca.service --replace "/bin/kill" "${coreutils}/bin/kill"
  '';

  # Without HSM support no C library is linked, so cgo is switched off and the
  # result is a pure-Go binary. With HSM support cgo stays at Go's default
  # (presumably required by the PC/SC bindings – confirm against upstream).
  preBuild = ''
    ${lib.optionalString (!hsmSupport) "export CGO_ENABLED=0"}
  '';

  # Ship the (patched) systemd unit read-only under the usual unit directory.
  postInstall = ''
    install -Dm444 -t $out/lib/systemd/system systemd/step-ca.service
  '';

  # Tests start http servers which need to bind to local addresses:
  # panic: httptest: failed to listen on a port: listen tcp6 [::1]:0: bind: operation not permitted
  __darwinAllowLocalNetworking = true;
  # Tests need to run in a reproducible order, otherwise they run unreliably on
  # (at least) x86_64-linux.
  # `-p 1` is passed to `go test` and limits package-level parallelism to one,
  # overriding the default parallelism buildGoModule sets.
  checkFlags = [ "-p 1" ];

  # Expose the NixOS integration test so it runs alongside package checks.
  passthru.tests.step-ca = nixosTests.step-ca;

  meta = with lib; {
    description = "A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH";
    homepage = "https://smallstep.com/certificates/";
    changelog = "https://github.com/smallstep/certificates/releases/tag/v${version}";
    license = licenses.asl20;
    maintainers = with maintainers; [ cmcdragonkai mohe2015 techknowlogick ];
  };
}