dev/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #294314 from atorres1985-contrib/clevis

Browse Source 
clevis: 19 -> 20
This commit is contained in:
Doron Behar 2024-07-24 19:48:33 +03:00 committed by GitHub
commit 4b012654a9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 130 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
pkgs/tools/security/clevis/tang-timeout.patch → pkgs/by-name/cl/clevis/0000-tang-timeout.patch
View File

130
pkgs/by-name/cl/clevis/package.nix Normal file
View File

@ -0,0 +1,130 @@
{
lib,
asciidoc-full,
coreutils,
cryptsetup,
curl,
fetchFromGitHub,
gnugrep,
gnused,
jansson,
jose,
libpwquality,
luksmeta,
makeWrapper,
meson,
ninja,
nixosTests,
pkg-config,
stdenv,
tpm2-tools,
}:
stdenv.mkDerivation (finalAttrs: {
pname = "clevis";
version = "20";
src = fetchFromGitHub {
owner = "latchset";
repo = "clevis";
rev = "refs/tags/v${finalAttrs.version}";
hash = "sha256-rBdZrnHPzRd9vbyl1h/Nb0cFAtIPUHSmxVoKrKuCrQ8=";
};
patches = [
# Replaces the clevis-decrypt 300s timeout to a 10s timeout
# https://github.com/latchset/clevis/issues/289
./0000-tang-timeout.patch
];
nativeBuildInputs = [
asciidoc-full
makeWrapper
meson
ninja
pkg-config
];
buildInputs = [
cryptsetup
curl
jansson
jose
libpwquality
luksmeta
tpm2-tools
];
outputs = [
"out"
"man"
];
# TODO: investigate how to prepare the dependencies so that they can be found
# while setting strictDeps as true. This will require studying the dark
# corners of cross-compilation in Nixpkgs...
strictDeps = false;
# Since 2018-07-11, upstream relies on a hardcoded /bin/cat. See:
# https://github.com/latchset/clevis/issues/61
# https://github.com/latchset/clevis/pull/64
#
# So, we filter all src files that have the string "/bin/cat" and patch that
# string to an absolute path for our coreutils location.
# The xargs command is a little bit convoluted because a simpler version would
# be vulnerable to code injection. This hint is a courtesy of Stack Exchange:
# https://unix.stackexchange.com/a/267438
postPatch = ''
for f in $(find src/ -type f -print0 |\
xargs -0 -I@ sh -c 'grep -q "/bin/cat" "$1" && echo "$1"' sh @); do
substituteInPlace "$f" --replace-fail '/bin/cat' '${lib.getExe' coreutils "cat"}'
done
'';
# We wrap the main clevis binary entrypoint but not the sub-binaries.
postInstall =
let
includeIntoPath = [
coreutils
cryptsetup
gnugrep
gnused
jose
libpwquality
luksmeta
tpm2-tools
];
in
''
wrapProgram $out/bin/clevis \
--prefix PATH ':' "${lib.makeBinPath includeIntoPath}:${placeholder "out"}/bin"
'';
passthru.tests = {
inherit (nixosTests.installer)
clevisBcachefs
clevisBcachefsFallback
clevisLuks
clevisLuksFallback
clevisZfs
clevisZfsFallback
;
clevisLuksSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuks;
clevisLuksFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuksFallback;
clevisZfsSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfs;
clevisZfsFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfsFallback;
};
meta = {
homepage = "https://github.com/latchset/clevis";
description = "Automated Encryption Framework";
longDescription = ''
Clevis is a pluggable framework for automated decryption. It can be used
to provide automated decryption of data or even automated unlocking of
LUKS volumes.
'';
changelog = "https://github.com/latchset/clevis/releases/tag/v${finalAttrs.version}";
license = lib.licenses.gpl3Plus;
maintainers = with lib.maintainers; [ AndersonTorres ];
};
})

90
pkgs/tools/security/clevis/default.nix
View File

@ -1,90 +0,0 @@
{ lib
, stdenv
, asciidoc
, coreutils
, cryptsetup
, curl
, fetchFromGitHub
, gnugrep
, gnused
, jansson
, jose
, libpwquality
, luksmeta
, makeWrapper
, meson
, ninja
, pkg-config
, tpm2-tools
, nixosTests
}:
stdenv.mkDerivation rec {
pname = "clevis";
version = "19";
src = fetchFromGitHub {
owner = "latchset";
repo = pname;
rev = "refs/tags/v${version}";
hash = "sha256-3J3ti/jRiv+p3eVvJD7u0ko28rPd8Gte0mCJaVaqyOs=";
};
patches = [
# Replaces the clevis-decrypt 300s timeout to a 10s timeout
# https://github.com/latchset/clevis/issues/289
./tang-timeout.patch
];
postPatch = ''
for f in $(find src/ -type f); do
grep -q "/bin/cat" "$f" && substituteInPlace "$f" \
--replace '/bin/cat' '${coreutils}/bin/cat' || true
done
'';
postInstall = ''
# We wrap the main clevis binary entrypoint but not the sub-binaries.
wrapProgram $out/bin/clevis \
--prefix PATH ':' "${lib.makeBinPath [tpm2-tools jose cryptsetup libpwquality luksmeta gnugrep gnused coreutils]}:${placeholder "out"}/bin"
'';
nativeBuildInputs = [
asciidoc
makeWrapper
meson
ninja
pkg-config
];
buildInputs = [
cryptsetup
curl
jansson
jose
libpwquality
luksmeta
tpm2-tools
];
outputs = [
"out"
"man"
];
passthru.tests = {
inherit (nixosTests.installer) clevisBcachefs clevisBcachefsFallback clevisLuks clevisLuksFallback clevisZfs clevisZfsFallback;
clevisLuksSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuks;
clevisLuksFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuksFallback;
clevisZfsSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfs;
clevisZfsFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfsFallback;
};
meta = with lib; {
description = "Automated Encryption Framework";
homepage = "https://github.com/latchset/clevis";
changelog = "https://github.com/latchset/clevis/releases/tag/v${version}";
license = licenses.gpl3Plus;
maintainers = with maintainers; [ ];
};
}

4
pkgs/top-level/all-packages.nix
View File

@ -4498,10 +4498,6 @@ with pkgs;
clevercsv = with python3Packages; toPythonApplication clevercsv;
clevis = callPackage ../tools/security/clevis {
asciidoc = asciidoc-full;
};
cli53 = callPackage ../tools/admin/cli53 { };
cli-visualizer = callPackage ../applications/misc/cli-visualizer { };