Unverified Commit 4b012654 authored by Doron Behar, committed by GitHub

Merge pull request #294314 from atorres1985-contrib/clevis

clevis: 19 -> 20
parents 1855c996 45131772
+130 −0
{ lib
, stdenv
, asciidoc
, coreutils
, cryptsetup
, curl
, fetchFromGitHub
, gnugrep
, gnused
, jansson
, jose
, libpwquality
, luksmeta
, makeWrapper
, meson
, ninja
, pkg-config
, tpm2-tools
, nixosTests
{
  lib,
  asciidoc-full,
  coreutils,
  cryptsetup,
  curl,
  fetchFromGitHub,
  gnugrep,
  gnused,
  jansson,
  jose,
  libpwquality,
  luksmeta,
  makeWrapper,
  meson,
  ninja,
  nixosTests,
  pkg-config,
  stdenv,
  tpm2-tools,
}:

stdenv.mkDerivation rec {
stdenv.mkDerivation (finalAttrs: {
  pname = "clevis";
  version = "19";
  version = "20";

  src = fetchFromGitHub {
    owner = "latchset";
    repo = pname;
    rev = "refs/tags/v${version}";
    hash = "sha256-3J3ti/jRiv+p3eVvJD7u0ko28rPd8Gte0mCJaVaqyOs=";
    repo = "clevis";
    rev = "refs/tags/v${finalAttrs.version}";
    hash = "sha256-rBdZrnHPzRd9vbyl1h/Nb0cFAtIPUHSmxVoKrKuCrQ8=";
  };

  patches = [
    # Replaces the clevis-decrypt 300s timeout to a 10s timeout
    # https://github.com/latchset/clevis/issues/289
    ./tang-timeout.patch
    ./0000-tang-timeout.patch
  ];

  postPatch = ''
    for f in $(find src/ -type f); do
      grep -q "/bin/cat" "$f" && substituteInPlace "$f" \
        --replace '/bin/cat' '${coreutils}/bin/cat' || true
    done
  '';

  postInstall = ''
    # We wrap the main clevis binary entrypoint but not the sub-binaries.
    wrapProgram $out/bin/clevis \
      --prefix PATH ':' "${lib.makeBinPath [tpm2-tools jose cryptsetup libpwquality luksmeta gnugrep gnused coreutils]}:${placeholder "out"}/bin"
  '';

  nativeBuildInputs = [
    asciidoc
    asciidoc-full
    makeWrapper
    meson
    ninja
@@ -72,19 +60,71 @@ stdenv.mkDerivation rec {
    "man"
  ];

  # TODO: investigate how to prepare the dependencies so that they can be found
  # while setting strictDeps as true. This will require studying the dark
  # corners of cross-compilation in Nixpkgs...
  strictDeps = false;

  # Since 2018-07-11, upstream relies on a hardcoded /bin/cat. See:
  # https://github.com/latchset/clevis/issues/61
  # https://github.com/latchset/clevis/pull/64
  #
  # So, we filter all src files that have the string "/bin/cat" and patch that
  # string to an absolute path for our coreutils location.
  # The xargs command is a little bit convoluted because a simpler version would
  # be vulnerable to code injection. This hint is a courtesy of Stack Exchange:
  # https://unix.stackexchange.com/a/267438
  postPatch = ''
    for f in $(find src/ -type f -print0 |\
                 xargs -0 -I@ sh -c 'grep -q "/bin/cat" "$1" && echo "$1"' sh @); do
      substituteInPlace "$f" --replace-fail '/bin/cat' '${lib.getExe' coreutils "cat"}'
    done
  '';

  # We wrap the main clevis binary entrypoint but not the sub-binaries.
  postInstall =
    let
      includeIntoPath = [
        coreutils
        cryptsetup
        gnugrep
        gnused
        jose
        libpwquality
        luksmeta
        tpm2-tools
      ];
    in
    ''
      wrapProgram $out/bin/clevis \
        --prefix PATH ':' "${lib.makeBinPath includeIntoPath}:${placeholder "out"}/bin"
    '';

  passthru.tests = {
    inherit (nixosTests.installer) clevisBcachefs clevisBcachefsFallback clevisLuks clevisLuksFallback clevisZfs clevisZfsFallback;
    inherit (nixosTests.installer)
      clevisBcachefs
      clevisBcachefsFallback
      clevisLuks
      clevisLuksFallback
      clevisZfs
      clevisZfsFallback
      ;
    clevisLuksSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuks;
    clevisLuksFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuksFallback;
    clevisZfsSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfs;
    clevisZfsFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfsFallback;
  };

  meta = with lib; {
    description = "Automated Encryption Framework";
  meta = {
    homepage = "https://github.com/latchset/clevis";
    changelog = "https://github.com/latchset/clevis/releases/tag/v${version}";
    license = licenses.gpl3Plus;
    maintainers = with maintainers; [ ];
    description = "Automated Encryption Framework";
    longDescription = ''
      Clevis is a pluggable framework for automated decryption. It can be used
      to provide automated decryption of data or even automated unlocking of
      LUKS volumes.
    '';
    changelog = "https://github.com/latchset/clevis/releases/tag/v${finalAttrs.version}";
    license = lib.licenses.gpl3Plus;
    maintainers = with lib.maintainers; [ AndersonTorres ];
  };
}
})
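Review bot: The new postPatch in the hunk at `@@ -72,19 +60,71 @@` still hands the matched file list to an unquoted `$(...)`, so the `for f in` loop word-splits and glob-expands every path even though the inner `xargs -0 -I@ sh -c … sh @` step is itself injection-safe; the comment above it claiming the construction avoids code injection therefore overstates what the loop achieves, and a path containing whitespace or glob characters would be mis-handled (the tree comes from a pinned tarball, so the practical exposure is low, but the comment should not promise more than the code delivers). A NUL-delimited read loop drops the `xargs`/`sh -c` indirection and keeps paths intact end to end: `while IFS= read -r -d "" f; do` / `  substituteInPlace "$f" --replace-fail '/bin/cat' '${lib.getExe' coreutils "cat"}'` / `done < <(grep -rlZF "/bin/cat" src/)`. Process substitution requires bash, which as far as I know is what the stdenv builder runs, so this should be a drop-in replacement. The enclosing mkDerivation attribute set begins before this hunk.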
+0 −4
@@ -4498,10 +4498,6 @@ with pkgs;
  clevercsv = with python3Packages; toPythonApplication clevercsv;
  clevis = callPackage ../tools/security/clevis {
    asciidoc = asciidoc-full;
  };
  cli53 = callPackage ../tools/admin/cli53 { };
  cli-visualizer = callPackage ../applications/misc/cli-visualizer { };