1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
{
lib,
asciidoc-full,
coreutils,
cryptsetup,
curl,
fetchFromGitHub,
gnugrep,
gnused,
jansson,
jose,
libpwquality,
luksmeta,
makeWrapper,
meson,
ninja,
nixosTests,
pkg-config,
stdenv,
tpm2-tools,
}:
stdenv.mkDerivation (finalAttrs: {
pname = "clevis";
version = "20";
src = fetchFromGitHub {
owner = "latchset";
repo = "clevis";
rev = "refs/tags/v${finalAttrs.version}";
hash = "sha256-rBdZrnHPzRd9vbyl1h/Nb0cFAtIPUHSmxVoKrKuCrQ8=";
};
patches = [
# Replaces the clevis-decrypt 300s timeout to a 10s timeout
# https://github.com/latchset/clevis/issues/289
./0000-tang-timeout.patch
];
nativeBuildInputs = [
asciidoc-full
makeWrapper
meson
ninja
pkg-config
];
buildInputs = [
cryptsetup
curl
jansson
jose
libpwquality
luksmeta
tpm2-tools
];
outputs = [
"out"
"man"
];
# TODO: investigate how to prepare the dependencies so that they can be found
# while setting strictDeps as true. This will require studying the dark
# corners of cross-compilation in Nixpkgs...
strictDeps = false;
# Since 2018-07-11, upstream relies on a hardcoded /bin/cat. See:
# https://github.com/latchset/clevis/issues/61
# https://github.com/latchset/clevis/pull/64
#
# So, we filter all src files that have the string "/bin/cat" and patch that
# string to an absolute path for our coreutils location.
# The xargs command is a little bit convoluted because a simpler version would
# be vulnerable to code injection. This hint is a courtesy of Stack Exchange:
# https://unix.stackexchange.com/a/267438
postPatch = ''
for f in $(find src/ -type f -print0 |\
xargs -0 -I@ sh -c 'grep -q "/bin/cat" "$1" && echo "$1"' sh @); do
substituteInPlace "$f" --replace-fail '/bin/cat' '${lib.getExe' coreutils "cat"}'
done
'';
# We wrap the main clevis binary entrypoint but not the sub-binaries.
postInstall =
let
includeIntoPath = [
coreutils
cryptsetup
gnugrep
gnused
jose
libpwquality
luksmeta
tpm2-tools
];
in
''
wrapProgram $out/bin/clevis \
--prefix PATH ':' "${lib.makeBinPath includeIntoPath}:${placeholder "out"}/bin"
'';
passthru.tests = {
inherit (nixosTests.installer)
clevisBcachefs
clevisBcachefsFallback
clevisLuks
clevisLuksFallback
clevisZfs
clevisZfsFallback
;
clevisLuksSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuks;
clevisLuksFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuksFallback;
clevisZfsSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfs;
clevisZfsFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfsFallback;
};
meta = {
homepage = "https://github.com/latchset/clevis";
description = "Automated Encryption Framework";
longDescription = ''
Clevis is a pluggable framework for automated decryption. It can be used
to provide automated decryption of data or even automated unlocking of
LUKS volumes.
'';
changelog = "https://github.com/latchset/clevis/releases/tag/v${finalAttrs.version}";
license = lib.licenses.gpl3Plus;
maintainers = with lib.maintainers; [ AndersonTorres ];
};
})
|
