nixpkgs/pkgs/servers/http/pomerium/default.nix
2024-08-23 21:40:47 +01:00

138 lines
3.3 KiB
Nix

{ buildGoModule
, fetchFromGitHub
, fetchpatch
, callPackage
, lib
, envoy
, mkYarnPackage
, fetchYarnDeps
, nixosTests
, pomerium-cli
}:
let
inherit (lib) concatStringsSep concatMap id mapAttrsToList;
in
buildGoModule rec {
pname = "pomerium";
version = "0.25.2";
src = fetchFromGitHub {
owner = "pomerium";
repo = "pomerium";
rev = "v${version}";
hash = "sha256-JateIiVao5IiPXmphA5+PlzB2XtP6zRR4rURqXSqJ6Q=";
};
vendorHash = "sha256-GdeZkKkENacc11FmEAFUfX9efInfhpv2Lz0/3CtixFQ=";
ui = mkYarnPackage {
inherit version;
src = "${src}/ui";
packageJSON = ./package.json;
offlineCache = fetchYarnDeps {
yarnLock = "${src}/ui/yarn.lock";
sha256 = lib.fileContents ./yarn-hash;
};
buildPhase = ''
runHook preBuild
yarn --offline build
runHook postBuild
'';
installPhase = ''
runHook preInstall
cp -R deps/pomerium/dist $out
runHook postInstall
'';
doDist = false;
};
subPackages = [
"cmd/pomerium"
];
# patch pomerium to allow use of external envoy
patches = [
./external-envoy.diff
(fetchpatch {
name = "CVE-2024-39315.patch";
url = "https://github.com/pomerium/pomerium/commit/4c7c4320afb2ced70ba19b46de1ac4383f3daa48.patch";
hash = "sha256-Hn8jGdPSJnq0I3mhtNFIc4AfpXYVSj3FK2FKR5XUbVM=";
})
];
ldflags = let
# Set a variety of useful meta variables for stamping the build with.
setVars = {
"github.com/pomerium/pomerium/internal/version" = {
Version = "v${version}";
BuildMeta = "nixpkgs";
ProjectName = "pomerium";
ProjectURL = "github.com/pomerium/pomerium";
};
"github.com/pomerium/pomerium/pkg/envoy" = {
OverrideEnvoyPath = "${envoy}/bin/envoy";
};
};
concatStringsSpace = list: concatStringsSep " " list;
mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
varFlags = concatStringsSpace (
mapAttrsToFlatList (package: packageVars:
mapAttrsToList (variable: value:
"-X ${package}.${variable}=${value}"
) packageVars
) setVars);
in [
"${varFlags}"
];
preBuild = ''
# Replace embedded envoy with nothing.
# We set OverrideEnvoyPath above, so rawBinary should never get looked at
# but we still need to set a checksum/version.
rm pkg/envoy/files/files_{darwin,linux}*.go
cat <<EOF >pkg/envoy/files/files_external.go
package files
import _ "embed" // embed
var rawBinary []byte
//go:embed envoy.sha256
var rawChecksum string
//go:embed envoy.version
var rawVersion string
EOF
sha256sum '${envoy}/bin/envoy' > pkg/envoy/files/envoy.sha256
echo '${envoy.version}' > pkg/envoy/files/envoy.version
# put the built UI files where they will be picked up as part of binary build
cp -r ${ui}/* ui/dist
'';
installPhase = ''
install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
'';
passthru = {
tests = {
inherit (nixosTests) pomerium;
inherit pomerium-cli;
};
updateScript = ./updater.sh;
};
meta = with lib; {
homepage = "https://pomerium.io";
description = "Authenticating reverse proxy";
mainProgram = "pomerium";
license = licenses.asl20;
maintainers = with maintainers; [ lukegb devusb ];
platforms = [ "x86_64-linux" "aarch64-linux" ];
};
}