From 6074811a51b5a649e5e20b3f44ebfc032d7a87bf Mon Sep 17 00:00:00 2001
From: Anderson Torres <torres.anderson.85@protonmail.com>
Date: Fri, 8 Mar 2024 13:17:16 -0300
Subject: [PATCH 01/13] clevis: migrate to by-name

---
 .../clevis/default.nix => by-name/cl/clevis/package.nix} | 0
 pkgs/{tools/security => by-name/cl}/clevis/tang-timeout.patch | 0
 pkgs/top-level/all-packages.nix | 2 +-
 3 files changed, 1 insertion(+), 1 deletion(-)
 rename pkgs/{tools/security/clevis/default.nix => by-name/cl/clevis/package.nix} (100%)
 rename pkgs/{tools/security => by-name/cl}/clevis/tang-timeout.patch (100%)

diff --git a/pkgs/tools/security/clevis/default.nix b/pkgs/by-name/cl/clevis/package.nix
similarity index 100%
rename from pkgs/tools/security/clevis/default.nix
rename to pkgs/by-name/cl/clevis/package.nix
diff --git a/pkgs/tools/security/clevis/tang-timeout.patch b/pkgs/by-name/cl/clevis/tang-timeout.patch
similarity index 100%
rename from pkgs/tools/security/clevis/tang-timeout.patch
rename to pkgs/by-name/cl/clevis/tang-timeout.patch
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 413d54d74751..7947ab8908a8 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -4496,7 +4496,7 @@ with pkgs;
 
 clevercsv = with python3Packages; toPythonApplication clevercsv;
 
- clevis = callPackage ../tools/security/clevis {
+ clevis = callPackage ../by-name/cl/clevis/package.nix {
 asciidoc = asciidoc-full;
 };
 

From 10450ed8b2c9db545933ebec4b7d46dbed91b4c2 Mon Sep 17 00:00:00 2001
From: Anderson Torres <torres.anderson.85@protonmail.com>
Date: Mon, 22 Jul 2024 21:05:59 -0300
Subject: [PATCH 02/13] clevis: adopted by AndersonTorres

---
 pkgs/by-name/cl/clevis/package.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkgs/by-name/cl/clevis/package.nix b/pkgs/by-name/cl/clevis/package.nix
index fa1be45a5b99..c287948f6a50 100644
--- a/pkgs/by-name/cl/clevis/package.nix
+++ b/pkgs/by-name/cl/clevis/package.nix
@@ -85,6 +85,6 @@ stdenv.mkDerivation rec {
 homepage = "https://github.com/latchset/clevis";
 changelog = "https://github.com/latchset/clevis/releases/tag/v${version}";
 license = licenses.gpl3Plus;
- maintainers = with maintainers; [ ];
+ maintainers = with maintainers; [ AndersonTorres ];
 };
 }

From 6c8a2301776eaa2dc9e569158dbdc8d72d160867 Mon Sep 17 00:00:00 2001
From: Anderson Torres <torres.anderson.85@protonmail.com>
Date: Tue, 23 Jul 2024 23:35:08 -0300
Subject: [PATCH 03/13] clevis: rework - input set

---
 pkgs/by-name/cl/clevis/package.nix | 39 +++++++++++++++---------------
 1 file changed, 20 insertions(+), 19 deletions(-)

diff --git a/pkgs/by-name/cl/clevis/package.nix b/pkgs/by-name/cl/clevis/package.nix
index c287948f6a50..5462ba55ef47 100644
--- a/pkgs/by-name/cl/clevis/package.nix
+++ b/pkgs/by-name/cl/clevis/package.nix
@@ -1,22 +1,23 @@
-{ lib
-, stdenv
-, asciidoc
-, coreutils
-, cryptsetup
-, curl
-, fetchFromGitHub
-, gnugrep
-, gnused
-, jansson
-, jose
-, libpwquality
-, luksmeta
-, makeWrapper
-, meson
-, ninja
-, pkg-config
-, tpm2-tools
-, nixosTests
+{
+ lib,
+ asciidoc,
+ coreutils,
+ cryptsetup,
+ curl,
+ fetchFromGitHub,
+ gnugrep,
+ gnused,
+ jansson,
+ jose,
+ libpwquality,
+ luksmeta,
+ makeWrapper,
+ meson,
+ ninja,
+ nixosTests,
+ pkg-config,
+ stdenv,
+ tpm2-tools,
 }:
 
 stdenv.mkDerivation rec {

From aa773426af2e1f2c26d50dd6c90b570a4abb3233 Mon Sep 17 00:00:00 2001
From: Anderson Torres <torres.anderson.85@protonmail.com>
Date: Tue, 23 Jul 2024 23:36:07 -0300
Subject: [PATCH 04/13] clevis: rework - rename patch

---
 .../cl/clevis/{tang-timeout.patch => 0000-tang-timeout.patch} | 0
 pkgs/by-name/cl/clevis/package.nix | 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename pkgs/by-name/cl/clevis/{tang-timeout.patch => 0000-tang-timeout.patch} (100%)

diff --git a/pkgs/by-name/cl/clevis/tang-timeout.patch b/pkgs/by-name/cl/clevis/0000-tang-timeout.patch
similarity index 100%
rename from pkgs/by-name/cl/clevis/tang-timeout.patch
rename to pkgs/by-name/cl/clevis/0000-tang-timeout.patch
diff --git a/pkgs/by-name/cl/clevis/package.nix b/pkgs/by-name/cl/clevis/package.nix
index 5462ba55ef47..6ba0a7285f62 100644
--- a/pkgs/by-name/cl/clevis/package.nix
+++ b/pkgs/by-name/cl/clevis/package.nix
@@ -34,7 +34,7 @@ stdenv.mkDerivation rec {
 patches = [
 # Replaces the clevis-decrypt 300s timeout to a 10s timeout
 # https://github.com/latchset/clevis/issues/289
- ./tang-timeout.patch
+ ./0000-tang-timeout.patch
 ];
 
 postPatch = ''

From 42196a912d5591142ac6ea68ac6656bc42513927 Mon Sep 17 00:00:00 2001
From: Anderson Torres <torres.anderson.85@protonmail.com>
Date: Wed, 24 Jul 2024 09:48:01 -0300
Subject: [PATCH 05/13] clevis: rework - get rid of nested with

---
 pkgs/by-name/cl/clevis/package.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkgs/by-name/cl/clevis/package.nix b/pkgs/by-name/cl/clevis/package.nix
index 6ba0a7285f62..b6a84e4f58f2 100644
--- a/pkgs/by-name/cl/clevis/package.nix
+++ b/pkgs/by-name/cl/clevis/package.nix
@@ -81,11 +81,11 @@ stdenv.mkDerivation rec {
 clevisZfsFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfsFallback;
 };
 
- meta = with lib; {
- description = "Automated Encryption Framework";
+ meta = {
 homepage = "https://github.com/latchset/clevis";
+ description = "Automated Encryption Framework";
 changelog = "https://github.com/latchset/clevis/releases/tag/v${version}";
- license = licenses.gpl3Plus;
- maintainers = with maintainers; [ AndersonTorres ];
+ license = lib.licenses.gpl3Plus;
+ maintainers = with lib.maintainers; [ AndersonTorres ];
 };
 }

From 409f10ea7852dda56ff4257c03865b940794188b Mon Sep 17 00:00:00 2001
From: Anderson Torres <torres.anderson.85@protonmail.com>
Date: Wed, 24 Jul 2024 09:48:55 -0300
Subject: [PATCH 06/13] clevis: rework - meta.longDescription

---
 pkgs/by-name/cl/clevis/package.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkgs/by-name/cl/clevis/package.nix b/pkgs/by-name/cl/clevis/package.nix
index b6a84e4f58f2..59bee8fc959f 100644
--- a/pkgs/by-name/cl/clevis/package.nix
+++ b/pkgs/by-name/cl/clevis/package.nix
@@ -84,6 +84,11 @@ stdenv.mkDerivation rec {
 meta = {
 homepage = "https://github.com/latchset/clevis";
 description = "Automated Encryption Framework";
+ longDescription = ''
+ Clevis is a pluggable framework for automated decryption. It can be used
+ to provide automated decryption of data or even automated unlocking of
+ LUKS volumes.
+ '';
 changelog = "https://github.com/latchset/clevis/releases/tag/v${version}";
 license = lib.licenses.gpl3Plus;
 maintainers = with lib.maintainers; [ AndersonTorres ];

From 9957f043cc071b89c23b8ea853090b7a75382a1e Mon Sep 17 00:00:00 2001
From: Anderson Torres <torres.anderson.85@protonmail.com>
Date: Tue, 23 Jul 2024 23:37:57 -0300
Subject: [PATCH 07/13] clevis: rework - finalAttrs

---
 pkgs/by-name/cl/clevis/package.nix | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/pkgs/by-name/cl/clevis/package.nix b/pkgs/by-name/cl/clevis/package.nix
index 59bee8fc959f..e6793dc2566c 100644
--- a/pkgs/by-name/cl/clevis/package.nix
+++ b/pkgs/by-name/cl/clevis/package.nix
@@ -20,14 +20,14 @@
 tpm2-tools,
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
 pname = "clevis";
 version = "19";
 
 src = fetchFromGitHub {
 owner = "latchset";
- repo = pname;
- rev = "refs/tags/v${version}";
+ repo = "clevis";
+ rev = "refs/tags/v${finalAttrs.version}";
 hash = "sha256-3J3ti/jRiv+p3eVvJD7u0ko28rPd8Gte0mCJaVaqyOs=";
 };
 
@@ -89,8 +89,8 @@ stdenv.mkDerivation rec {
 to provide automated decryption of data or even automated unlocking of
 LUKS volumes.
 '';
- changelog = "https://github.com/latchset/clevis/releases/tag/v${version}";
+ changelog = "https://github.com/latchset/clevis/releases/tag/v${finalAttrs.version}";
 license = lib.licenses.gpl3Plus;
 maintainers = with lib.maintainers; [ AndersonTorres ];
 };
-}
+})

From 09fd98c43361d5dca7f8eb51848b18b1cfce5e6b Mon Sep 17 00:00:00 2001
From: Anderson Torres <torres.anderson.85@protonmail.com>
Date: Tue, 23 Jul 2024 23:42:55 -0300
Subject: [PATCH 08/13] clevis: rework - move and format postPatch and postInstall

Gather the shell script snippets to their own place.
---
 pkgs/by-name/cl/clevis/package.nix | 39 ++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 13 deletions(-)

diff --git a/pkgs/by-name/cl/clevis/package.nix b/pkgs/by-name/cl/clevis/package.nix
index e6793dc2566c..3d0128fd1f94 100644
--- a/pkgs/by-name/cl/clevis/package.nix
+++ b/pkgs/by-name/cl/clevis/package.nix
@@ -37,19 +37,6 @@ stdenv.mkDerivation (finalAttrs: {
 ./0000-tang-timeout.patch
 ];
 
- postPatch = ''
- for f in $(find src/ -type f); do
- grep -q "/bin/cat" "$f" && substituteInPlace "$f" \
- --replace '/bin/cat' '${coreutils}/bin/cat' || true
- done
- '';
-
- postInstall = ''
- # We wrap the main clevis binary entrypoint but not the sub-binaries.
- wrapProgram $out/bin/clevis \
- --prefix PATH ':' "${lib.makeBinPath [tpm2-tools jose cryptsetup libpwquality luksmeta gnugrep gnused coreutils]}:${placeholder "out"}/bin"
- '';
-
 nativeBuildInputs = [
 asciidoc
 makeWrapper
@@ -73,6 +60,32 @@ stdenv.mkDerivation (finalAttrs: {
 "man"
 ];
 
+ postPatch = ''
+ for f in $(find src/ -type f); do
+ grep -q "/bin/cat" "$f" && substituteInPlace "$f" \
+ --replace-fail '/bin/cat' '${lib.getExe' coreutils "cat"}' || true
+ done
+ '';
+
+ # We wrap the main clevis binary entrypoint but not the sub-binaries.
+ postInstall =
+ let
+ includeIntoPath = [
+ coreutils
+ cryptsetup
+ gnugrep
+ gnused
+ jose
+ libpwquality
+ luksmeta
+ tpm2-tools
+ ];
+ in
+ ''
+ wrapProgram $out/bin/clevis \
+ --prefix PATH ':' "${lib.makeBinPath includeIntoPath}:${placeholder "out"}/bin"
+ '';
+
 passthru.tests = {
 inherit (nixosTests.installer) clevisBcachefs clevisBcachefsFallback clevisLuks clevisLuksFallback clevisZfs clevisZfsFallback;
 clevisLuksSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuks;

From 51b194729db79b960bf2173d883884d3df5897ba Mon Sep 17 00:00:00 2001
From: Anderson Torres <torres.anderson.85@protonmail.com>
Date: Sun, 14 Jul 2024 02:01:00 -0300
Subject: [PATCH 09/13] clevis: tidy up postPatch script

By fixing an idea from doronbehar.
---
 pkgs/by-name/cl/clevis/package.nix | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/pkgs/by-name/cl/clevis/package.nix b/pkgs/by-name/cl/clevis/package.nix
index 3d0128fd1f94..20882af076c1 100644
--- a/pkgs/by-name/cl/clevis/package.nix
+++ b/pkgs/by-name/cl/clevis/package.nix
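Review bot: The new `includeIntoPath` list in `postInstall` leaves out `curl`, even though `curl` is still declared as an input of this package (see the input set rewrite in PATCH 03), and as far as I recall the upstream tang pin scripts invoke `curl` by name at runtime; if that is so, the wrapper pins every other helper to the store but lets `curl` resolve from whatever PATH the caller has, which is exactly what wrapping the entrypoint is meant to avoid. This list predates the commit, but the commit is the one restructuring it, so it is the right place to settle the question: either confirm against the tang pin scripts in `src` and add `curl` (alphabetically, between `cryptsetup` and `gnugrep`), or, if clevis never executes it, drop `curl` from the input set so the dependency is not misleading. The enclosing `mkDerivation` attribute set starts and ends outside this hunk.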
@@ -60,10 +60,19 @@ stdenv.mkDerivation (finalAttrs: {
 "man"
 ];
 
+ # Since 2018-07-11, upstream relies on a hardcoded /bin/cat. See:
+ # https://github.com/latchset/clevis/issues/61
+ # https://github.com/latchset/clevis/pull/64
+ #
+ # So, we filter all src files that have the string "/bin/cat" and patch that
+ # string to an absolute path for our coreutils location.
+ # The xargs command is a little bit convoluted because a simpler version would
+ # be vulnerable to code injection. This hint is a courtesy of Stack Exchange:
+ # https://unix.stackexchange.com/a/267438
 postPatch = ''
- for f in $(find src/ -type f); do
- grep -q "/bin/cat" "$f" && substituteInPlace "$f" \
- --replace-fail '/bin/cat' '${lib.getExe' coreutils "cat"}' || true
+ for f in $(find src/ -type f -print0 |\
+ xargs -0 -I@ sh -c 'grep -q "/bin/cat" "$1" && echo "$1"' sh @); do
+ substituteInPlace "$f" --replace-fail '/bin/cat' '${lib.getExe' coreutils "cat"}'
 done
 '';
 

From 152a6e0f8ce262d267deb75fbfd7fe94dc137beb Mon Sep 17 00:00:00 2001
From: Anderson Torres <torres.anderson.85@protonmail.com>
Date: Wed, 24 Jul 2024 10:40:37 -0300
Subject: [PATCH 10/13] clevis: set strictDeps as false

---
 pkgs/by-name/cl/clevis/package.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkgs/by-name/cl/clevis/package.nix b/pkgs/by-name/cl/clevis/package.nix
index 20882af076c1..0642db7cd239 100644
--- a/pkgs/by-name/cl/clevis/package.nix
+++ b/pkgs/by-name/cl/clevis/package.nix
@@ -60,6 +60,11 @@ stdenv.mkDerivation (finalAttrs: {
 "man"
 ];
 
+ # TODO: investigate how to prepare the dependencies so that they can be found
+ # while setting strictDeps as true. This will require studying the dark
+ # corners of cross-compilation in Nixpkgs...
+ strictDeps = false;
+
 # Since 2018-07-11, upstream relies on a hardcoded /bin/cat. See:
 # https://github.com/latchset/clevis/issues/61
 # https://github.com/latchset/clevis/pull/64

From 7f1971f9fb71dab7769a431325aa395e279342d0 Mon Sep 17 00:00:00 2001
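Review bot: The rewritten loop on the `+` lines still feeds the file names through an unquoted `$(...)`, so they are word-split and glob-expanded before `substituteInPlace "$f"` sees them; the `-print0`/`xargs -0` pairing only protects the inner `grep`, and the new comment's claim that this guards against code injection promises more than the code delivers (the names come from the hash-pinned `src`, so the practical exposure is low, but the comment should describe what the construct actually does). The same filtering with no splitting at all is to let grep emit NUL-terminated names and read them directly: `grep -rlZ "/bin/cat" src/ | while IFS= read -r -d '' f; do` / `substituteInPlace "$f" --replace-fail '/bin/cat' '${lib.getExe' coreutils "cat"}'` / `done`. With that form the comment can be shortened to why the loop is NUL-delimited, without the Stack Exchange reference. The enclosing `mkDerivation` attribute set starts and ends outside this hunk.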
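Review bot: `strictDeps = false;` is, if I remember `make-derivation.nix` correctly, already the default for native builds and only differs from the default when cross-compiling, so the added line effectively switches strictDeps off for cross builds without recording which dependency fails to be found. The TODO would be far more actionable if it named the symptom so the next maintainer can move the input to `nativeBuildInputs` or `depsBuildBuild` instead of re-investigating, e.g. `# strictDeps = true fails because <TOOL> is not found during <PHASE>; see <ISSUE-LINK>` with the placeholders filled in. The enclosing `mkDerivation` attribute set starts and ends outside this hunk.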
From: Anderson Torres <torres.anderson.85@protonmail.com>
Date: Mon, 22 Jul 2024 21:02:46 -0300
Subject: [PATCH 11/13] clevis: internalize asciidoc-full

There is few to no reason (besides breaking API) in not doing this.
---
 pkgs/by-name/cl/clevis/package.nix | 4 ++--
 pkgs/top-level/all-packages.nix | 4 ----
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/pkgs/by-name/cl/clevis/package.nix b/pkgs/by-name/cl/clevis/package.nix
index 0642db7cd239..e67c97166432 100644
--- a/pkgs/by-name/cl/clevis/package.nix
+++ b/pkgs/by-name/cl/clevis/package.nix
@@ -1,6 +1,6 @@
 {
 lib,
- asciidoc,
+ asciidoc-full,
 coreutils,
 cryptsetup,
 curl,
@@ -38,7 +38,7 @@ stdenv.mkDerivation (finalAttrs: {
 ];
 
 nativeBuildInputs = [
- asciidoc
+ asciidoc-full
 makeWrapper
 meson
 ninja
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 7947ab8908a8..444d6ce8b0b6 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -4496,10 +4496,6 @@ with pkgs;
 
 clevercsv = with python3Packages; toPythonApplication clevercsv;
 
- clevis = callPackage ../by-name/cl/clevis/package.nix {
- asciidoc = asciidoc-full;
- };
-
 cli53 = callPackage ../tools/admin/cli53 { };
 
 cli-visualizer = callPackage ../applications/misc/cli-visualizer { };

From c9d01a593d27449caa9acc1b992f89f3da2e5de3 Mon Sep 17 00:00:00 2001
From: Anderson Torres <torres.anderson.85@protonmail.com>
Date: Tue, 23 Jul 2024 23:51:36 -0300
Subject: [PATCH 12/13] clevis: nixfmt-rfc-style

To make CI happy. Mental note: do not use `-w80`
---
 pkgs/by-name/cl/clevis/package.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/pkgs/by-name/cl/clevis/package.nix b/pkgs/by-name/cl/clevis/package.nix
index e67c97166432..92fa31083b24 100644
--- a/pkgs/by-name/cl/clevis/package.nix
+++ b/pkgs/by-name/cl/clevis/package.nix
@@ -101,7 +101,14 @@ stdenv.mkDerivation (finalAttrs: {
 '';
 
 passthru.tests = {
- inherit (nixosTests.installer) clevisBcachefs clevisBcachefsFallback clevisLuks clevisLuksFallback clevisZfs clevisZfsFallback;
+ inherit (nixosTests.installer)
+ clevisBcachefs
+ clevisBcachefsFallback
+ clevisLuks
+ clevisLuksFallback
+ clevisZfs
+ clevisZfsFallback
+ ;
 clevisLuksSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuks;
 clevisLuksFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuksFallback;
 clevisZfsSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfs;

From 45131772f94c12c436d20ddd32bf6614a36dbe64 Mon Sep 17 00:00:00 2001
From: Anderson Torres <torres.anderson.85@protonmail.com>
Date: Mon, 22 Jul 2024 00:02:34 -0300
Subject: [PATCH 13/13] clevis: 19 -> 20

---
 pkgs/by-name/cl/clevis/package.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkgs/by-name/cl/clevis/package.nix b/pkgs/by-name/cl/clevis/package.nix
index 92fa31083b24..ac1a1b1be918 100644
--- a/pkgs/by-name/cl/clevis/package.nix
+++ b/pkgs/by-name/cl/clevis/package.nix
@@ -22,13 +22,13 @@
 
 stdenv.mkDerivation (finalAttrs: {
 pname = "clevis";
- version = "19";
+ version = "20";
 
 src = fetchFromGitHub {
 owner = "latchset";
 repo = "clevis";
 rev = "refs/tags/v${finalAttrs.version}";
- hash = "sha256-3J3ti/jRiv+p3eVvJD7u0ko28rPd8Gte0mCJaVaqyOs=";
+ hash = "sha256-rBdZrnHPzRd9vbyl1h/Nb0cFAtIPUHSmxVoKrKuCrQ8=";
 };
 
 patches = [