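{ buildGoModule
, fetchFromGitHub
, fetchpatch
, callPackage
, lib
, envoy
, mkYarnPackage
, fetchYarnDeps
, nixosTests
, pomerium-cli
}:

let
  inherit (lib) concatStringsSep concatMap id mapAttrsToList;
in
buildGoModule rec {
  pname = "pomerium";
  version = "0.25.2";
  src = fetchFromGitHub {
    owner = "pomerium";
    repo = "pomerium";
    rev = "v${version}";
    hash = "sha256-JateIiVao5IiPXmphA5+PlzB2XtP6zRR4rURqXSqJ6Q=";
  };

  vendorHash = "sha256-GdeZkKkENacc11FmEAFUfX9efInfhpv2Lz0/3CtixFQ=";

  # The web UI is built as a separate yarn derivation and copied into the
  # Go source tree in preBuild, from where the binary build picks it up.
  ui = mkYarnPackage {
    inherit version;
    src = "${src}/ui";

    packageJSON = ./package.json;
    offlineCache = fetchYarnDeps {
      yarnLock = "${src}/ui/yarn.lock";
      # Hash is kept in a sibling file rather than inline (presumably so
      # updater.sh can rewrite it; confirm against that script).
      sha256 = lib.fileContents ./yarn-hash;
    };

    buildPhase = ''
      runHook preBuild
      yarn --offline build
      runHook postBuild
    '';

    installPhase = ''
      runHook preInstall
      cp -R deps/pomerium/dist $out
      runHook postInstall
    '';

    # Only the built dist/ directory is consumed; no distribution tarball.
    doDist = false;
  };

  subPackages = [
    "cmd/pomerium"
  ];

  # patch pomerium to allow use of external envoy
  patches = [
    ./external-envoy.diff
    # Upstream fix for CVE-2024-39315 applied on top of 0.25.2. The patch
    # is pinned by content hash so the fetched file cannot change silently.
    (fetchpatch {
      name = "CVE-2024-39315.patch";
      url = "https://github.com/pomerium/pomerium/commit/4c7c4320afb2ced70ba19b46de1ac4383f3daa48.patch";
      hash = "sha256-Hn8jGdPSJnq0I3mhtNFIc4AfpXYVSj3FK2FKR5XUbVM=";
    })
  ];

  ldflags = let
    # Set a variety of useful meta variables for stamping the build with.
    # Each key is a Go package path; each value maps the package-level
    # variables to override (via `-X pkg.Var=value`) to their new values.
    setVars = {
      "github.com/pomerium/pomerium/internal/version" = {
        Version = "v${version}";
        BuildMeta = "nixpkgs";
        ProjectName = "pomerium";
        ProjectURL = "github.com/pomerium/pomerium";
      };
      # Point pomerium at the nixpkgs envoy instead of an embedded copy
      # (see preBuild, which removes the embedded binary sources).
      "github.com/pomerium/pomerium/pkg/envoy" = {
        OverrideEnvoyPath = "${envoy}/bin/envoy";
      };
    };
    # Flatten { pkg = { var = value; }; } into one space-separated
    # "-X pkg.var=value ..." string.
    varFlags = concatStringsSep " " (
      concatMap id (mapAttrsToList (package: packageVars:
        mapAttrsToList (variable: value:
          "-X ${package}.${variable}=${value}"
        ) packageVars
      ) setVars)
    );
  in [
    varFlags
  ];

  preBuild = ''
    # Replace embedded envoy with nothing.
    # We set OverrideEnvoyPath above, so rawBinary should never get looked at
    # but we still need to set a checksum/version.
    rm pkg/envoy/files/files_{darwin,linux}*.go
    cat <<EOF >pkg/envoy/files/files_external.go
    package files

    import _ "embed" // embed

    var rawBinary []byte

    //go:embed envoy.sha256
    var rawChecksum string

    //go:embed envoy.version
    var rawVersion string
    EOF
    # Checksum and version are taken from the same store path that
    # OverrideEnvoyPath points at, so any check pomerium performs against
    # rawChecksum agrees with the binary it will actually execute.
    sha256sum '${envoy}/bin/envoy' > pkg/envoy/files/envoy.sha256
    echo '${envoy.version}' > pkg/envoy/files/envoy.version

    # put the built UI files where they will be picked up as part of binary build
    cp -r ${ui}/* ui/dist
  '';

  # Custom install: only the single binary is wanted. The pre/post hooks
  # are run so that overrides (e.g. a postInstall) are not silently dropped,
  # matching the ui derivation's phases above.
  installPhase = ''
    runHook preInstall
    install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
    runHook postInstall
  '';

  passthru = {
    tests = {
      inherit (nixosTests) pomerium;
      inherit pomerium-cli;
    };
    updateScript = ./updater.sh;
  };

  meta = with lib; {
    homepage = "https://pomerium.io";
    description = "Authenticating reverse proxy";
    mainProgram = "pomerium";
    license = licenses.asl20;
    maintainers = with maintainers; [ lukegb devusb ];
    platforms = [ "x86_64-linux" "aarch64-linux" ];
  };
}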