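# Clevis: a pluggable framework for automated decryption (tang / tpm2 / sss
# pins), used by NixOS for unattended unlocking of LUKS, ZFS and bcachefs
# volumes at boot.
#
# Upstream ships mostly shell scripts, so most of this expression is about
# making sure every external tool those scripts call is resolved to a known
# store path (postPatch, postInstall) instead of whatever PATH the caller
# happens to have -- in an initrd that PATH may be empty or incomplete.
{
  lib,
  asciidoc-full,
  coreutils,
  cryptsetup,
  curl,
  fetchFromGitHub,
  gnugrep,
  gnused,
  jansson,
  jose,
  libpwquality,
  luksmeta,
  makeWrapper,
  meson,
  ninja,
  nixosTests,
  pkg-config,
  stdenv,
  tpm2-tools,
}:

stdenv.mkDerivation (finalAttrs: {
  pname = "clevis";
  version = "21";

  # Pinned by content hash: if the upstream `v21` tag is ever moved or
  # re-created, the fetch fails instead of silently building different code.
  src = fetchFromGitHub {
    owner = "latchset";
    repo = "clevis";
    tag = "v${finalAttrs.version}";
    hash = "sha256-2vDQP+yvH4v46fLEWG/37r5cYP3OeDfJz71cDHEGiUg=";
  };

  patches = [
    # Replaces the clevis-decrypt 300s timeout with a 10s timeout, presumably
    # so that an unreachable tang server does not hold up a boot-time unlock
    # for five minutes (the *Fallback tests below cover that scenario).
    # https://github.com/latchset/clevis/issues/289
    ./0000-tang-timeout.patch
  ];

  # Build-only tools: docs (asciidoc), the wrapper helper, and the meson build.
  nativeBuildInputs = [
    asciidoc-full
    makeWrapper
    meson
    ninja
    pkg-config
  ];

  # Libraries and tools meson looks for at configure time.
  buildInputs = [
    cryptsetup
    curl
    jansson
    jose
    libpwquality
    luksmeta
    tpm2-tools
  ];

  outputs = [
    "out"
    "man"
  ];

  # TODO: investigate how to prepare the dependencies so that they can be found
  # while setting strictDeps as true. This will require studying the dark
  # corners of cross-compilation in Nixpkgs...
  # With strictDeps off, build-time and run-time dependency sets are not kept
  # apart, which is why the configure step currently finds everything.
  strictDeps = false;

  # Since 2018-07-11, upstream relies on a hardcoded /bin/cat. See:
  # https://github.com/latchset/clevis/issues/61
  # https://github.com/latchset/clevis/pull/64
  #
  # Rewrite every occurrence under src/ to the absolute path of our coreutils
  # `cat`. File names travel NUL-delimited end to end (find -print0 into
  # `read -d ""`), so names containing whitespace or glob characters are
  # neither word-split nor expanded, and no file name is ever interpolated
  # into a shell command line. `grep -F` matches the literal string rather
  # than treating it as a regex.
  postPatch = ''
    while IFS= read -r -d "" f; do
      substituteInPlace "$f" --replace-fail '/bin/cat' '${lib.getExe' coreutils "cat"}'
    done < <(find src/ -type f -exec grep -qF '/bin/cat' {} \; -print0)
  '';

  # Only the main `clevis` entrypoint is wrapped, not the clevis-* sub-binaries;
  # the `$out/bin` entry at the end of the prefix is what lets the entrypoint
  # locate them, and child processes inherit the wrapped PATH. Everything in
  # includeIntoPath is *prepended*, so these store paths win over whatever the
  # caller's PATH contains, while anything not listed still falls through to
  # the caller's PATH.
  # NOTE(review): curl is a buildInput but is not on this PATH. Confirm the
  # tang pin resolves it some other way (absolute path substituted at build
  # time, or supplied by the caller such as the NixOS initrd) or add it here.
  postInstall =
    let
      includeIntoPath = [
        coreutils
        cryptsetup
        gnugrep
        gnused
        jose
        libpwquality
        luksmeta
        tpm2-tools
      ];
    in
    ''
      wrapProgram $out/bin/clevis \
        --prefix PATH ':' "${lib.makeBinPath includeIntoPath}:${placeholder "out"}/bin"
    '';

  # End-to-end installer tests for each supported filesystem, with and without
  # the fallback path (unlock when the pin cannot be satisfied), for both the
  # scripted and the systemd stage-1 initrd.
  passthru.tests = {
    inherit (nixosTests.installer)
      clevisBcachefs
      clevisBcachefsFallback
      clevisLuks
      clevisLuksFallback
      clevisZfs
      clevisZfsFallback
      ;
    clevisLuksSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuks;
    clevisLuksFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuksFallback;
    clevisZfsSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfs;
    clevisZfsFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfsFallback;
  };

  meta = {
    homepage = "https://github.com/latchset/clevis";
    description = "Automated Encryption Framework";
    longDescription = ''
      Clevis is a pluggable framework for automated decryption. It can be used
      to provide automated decryption of data or even automated unlocking of
      LUKS volumes.
    '';
    changelog = "https://github.com/latchset/clevis/releases/tag/v${finalAttrs.version}";
    license = lib.licenses.gpl3Plus;
    maintainers = [ ];
  };
})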