pkgs/openssh: consolidate and cleanup
This commit is contained in:
parent
facdb1398a
commit
0c83b0fc68
@ -3,6 +3,7 @@
|
||||
, options
|
||||
, pkgs
|
||||
, isUnstable
|
||||
, xinlib
|
||||
, ...
|
||||
}:
|
||||
let
|
||||
@ -15,7 +16,7 @@ let
|
||||
command="/run/current-system/sw/bin/xin-status",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9PIhQ+yWfBM2tEG+W8W8HXJXqISXif8BcPZHakKvLM xin-status
|
||||
'';
|
||||
gosignify = pkgs.callPackage ./pkgs/gosignify.nix { inherit isUnstable; };
|
||||
myOpenSSH = pkgs.callPackage ./pkgs/openssh { };
|
||||
myOpenSSH = pkgs.callPackage ./pkgs/openssh.nix { inherit config xinlib; };
|
||||
in
|
||||
{
|
||||
imports = [
|
||||
@ -198,7 +199,7 @@ in
|
||||
zsh.enable = true;
|
||||
gnupg.agent.enable = true;
|
||||
ssh = {
|
||||
package = myOpenSSH.openssh;
|
||||
package = myOpenSSH;
|
||||
agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
|
||||
knownHosts = {
|
||||
"[namish.otter-alligator.ts.net]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";
|
||||
|
@ -1,18 +0,0 @@
|
||||
let
|
||||
openssh = _: super: {
|
||||
openssh = super.openssh.overrideAttrs (_: rec {
|
||||
version = "9.3p1";
|
||||
src = super.fetchurl {
|
||||
url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
|
||||
hash = "sha256-6bq6dwGnalHz2Fpiw4OjydzZf6kAuFm8fbEUwYaK+Kg=";
|
||||
};
|
||||
|
||||
patches = [
|
||||
./ssh-keysign-8.5.patch
|
||||
./dont_create_privsep_path.patch
|
||||
./locale_archive.patch
|
||||
];
|
||||
});
|
||||
};
|
||||
in
|
||||
openssh
|
@ -1,46 +1,56 @@
|
||||
{ pname
|
||||
, version
|
||||
, extraDesc ? ""
|
||||
, src
|
||||
, extraPatches ? [ ]
|
||||
, extraNativeBuildInputs ? [ ]
|
||||
, extraConfigureFlags ? [ ]
|
||||
, extraMeta ? { }
|
||||
{ autoreconfHook
|
||||
, config
|
||||
, etcDir ? "/etc/ssh"
|
||||
, fetchFromGitHub
|
||||
, hostname
|
||||
, lib
|
||||
, libedit
|
||||
, libfido2
|
||||
, libredirect
|
||||
, libressl
|
||||
, linkOpenssl ? true
|
||||
, pam
|
||||
, pkg-config
|
||||
, stdenv
|
||||
, withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
|
||||
, withPAM ? stdenv.hostPlatform.isLinux
|
||||
, xinlib
|
||||
, zlib
|
||||
, ...
|
||||
}: { lib
|
||||
, stdenv
|
||||
, # This *is* correct, though unusual. as a way of getting krb5-config from the
|
||||
# package without splicing See: https://github.com/NixOS/nixpkgs/pull/107606
|
||||
pkgs
|
||||
, autoreconfHook
|
||||
, zlib
|
||||
, libressl
|
||||
, libedit
|
||||
, pkg-config
|
||||
, pam
|
||||
, libredirect
|
||||
, etcDir ? "/etc/ssh"
|
||||
, withKerberos ? true
|
||||
, libkrb5
|
||||
, libfido2
|
||||
, hostname
|
||||
, nixosTests
|
||||
, withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
|
||||
, withPAM ? stdenv.hostPlatform.isLinux
|
||||
, linkOpenssl ? true
|
||||
,
|
||||
}:
|
||||
}:
|
||||
let
|
||||
inherit (builtins) readFile fromJSON;
|
||||
verStr = fromJSON (readFile ./openssh/version.json);
|
||||
hostStr = lib.strings.concatStrings [
|
||||
"CI not configured on '"
|
||||
config.networking.hostName
|
||||
"': skipping OpenSSH tests"
|
||||
];
|
||||
in
|
||||
stdenv.mkDerivation {
|
||||
inherit pname version src;
|
||||
pname = "openssh";
|
||||
inherit (verStr) version;
|
||||
|
||||
src = fetchFromGitHub {
|
||||
inherit (verStr) rev hash;
|
||||
owner = "openssh";
|
||||
repo = "openssh-portable";
|
||||
};
|
||||
|
||||
doCheck =
|
||||
if config.xinCI.enable
|
||||
then
|
||||
true
|
||||
else (lib.warn hostStr false);
|
||||
|
||||
patches =
|
||||
[
|
||||
./locale_archive.patch
|
||||
./openssh/locale_archive.patch
|
||||
./openssh/ssh-keysign-8.5.patch
|
||||
|
||||
# See discussion in https://github.com/NixOS/nixpkgs/pull/16966
|
||||
./dont_create_privsep_path.patch
|
||||
]
|
||||
++ extraPatches;
|
||||
./openssh/dont_create_privsep_path.patch
|
||||
];
|
||||
|
||||
postPatch =
|
||||
# On Hydra this makes installation fail (sometimes?),
|
||||
@ -51,16 +61,10 @@ stdenv.mkDerivation {
|
||||
|
||||
strictDeps = true;
|
||||
nativeBuildInputs =
|
||||
[ autoreconfHook pkg-config ]
|
||||
# This is not the same as the libkrb5 from the inputs! pkgs.libkrb5 is
|
||||
# needed here to access krb5-config in order to cross compile. See:
|
||||
# https://github.com/NixOS/nixpkgs/pull/107606
|
||||
++ lib.optional withKerberos pkgs.libkrb5
|
||||
++ extraNativeBuildInputs;
|
||||
[ autoreconfHook pkg-config ];
|
||||
buildInputs =
|
||||
[ zlib libressl libedit ]
|
||||
++ lib.optional withFIDO libfido2
|
||||
++ lib.optional withKerberos libkrb5
|
||||
++ lib.optional withPAM pam;
|
||||
|
||||
preConfigure = ''
|
||||
@ -83,17 +87,15 @@ stdenv.mkDerivation {
|
||||
]
|
||||
++ lib.optional (etcDir != null) "--sysconfdir=${etcDir}"
|
||||
++ lib.optional withFIDO "--with-security-key-builtin=yes"
|
||||
++ lib.optional withKerberos (assert libkrb5 != null; "--with-kerberos5=${libkrb5}")
|
||||
++ lib.optional stdenv.isDarwin "--disable-libutil"
|
||||
++ lib.optional (!linkOpenssl) "--without-openssl"
|
||||
++ extraConfigureFlags;
|
||||
++ lib.optional (!linkOpenssl) "--without-openssl";
|
||||
|
||||
${
|
||||
if stdenv.hostPlatform.isStatic
|
||||
then "NIX_LDFLAGS"
|
||||
else null
|
||||
} =
|
||||
[ "-laudit" ] ++ lib.optionals withKerberos [ "-lkeyutils" ];
|
||||
if stdenv.hostPlatform.isStatic then
|
||||
"NIX_LDFLAGS"
|
||||
else
|
||||
null
|
||||
} = [ "-laudit" ];
|
||||
|
||||
buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];
|
||||
|
||||
@ -147,32 +149,21 @@ stdenv.mkDerivation {
|
||||
# set up NIX_REDIRECTS for direct invocations
|
||||
set -a; source ~/.ssh/environment.base; set +a
|
||||
'';
|
||||
# integration tests hard to get working on darwin with its shaky
|
||||
# sandbox
|
||||
# t-exec tests fail on musl
|
||||
checkTarget =
|
||||
lib.optional (!stdenv.isDarwin && !stdenv.hostPlatform.isMusl) "t-exec"
|
||||
# other tests are less demanding of the environment
|
||||
++ [ "unit" "file-tests" "interop-tests" ];
|
||||
|
||||
checkTarget = [ "t-exec" "unit" "file-tests" "interop-tests" ];
|
||||
|
||||
installTargets = [ "install-nokeys" ];
|
||||
installFlags = [
|
||||
"sysconfdir=\${out}/etc/ssh"
|
||||
];
|
||||
|
||||
passthru.tests = {
|
||||
borgbackup-integration = nixosTests.borgbackup;
|
||||
meta = with lib; {
|
||||
description = "An implementation of the SSH protocol";
|
||||
homepage = "https://www.openssh.com/";
|
||||
changelog = "https://www.openssh.com/releasenotes.html";
|
||||
license = licenses.bsd2;
|
||||
platforms = platforms.unix ++ platforms.windows;
|
||||
maintainers = with maintainers; [ qbit ];
|
||||
mainProgram = "ssh";
|
||||
};
|
||||
|
||||
meta = with lib;
|
||||
{
|
||||
description = "An implementation of the SSH protocol${extraDesc}";
|
||||
homepage = "https://www.openssh.com/";
|
||||
changelog = "https://www.openssh.com/releasenotes.html";
|
||||
license = licenses.bsd2;
|
||||
platforms = platforms.unix ++ platforms.windows;
|
||||
maintainers = (extraMeta.maintainers or [ ]) ++ (with maintainers; [ eelco aneeshusa ]);
|
||||
mainProgram = "ssh";
|
||||
}
|
||||
// extraMeta;
|
||||
}
|
@ -1,33 +0,0 @@
|
||||
{ callPackage
|
||||
, lib
|
||||
, fetchFromGitHub
|
||||
, config
|
||||
,
|
||||
}:
|
||||
let
|
||||
inherit (builtins) readFile fromJSON;
|
||||
common = opts: callPackage (import ./common.nix opts) { };
|
||||
verStr = fromJSON (readFile ./version.json);
|
||||
in
|
||||
{
|
||||
openssh = common {
|
||||
pname = "openssh";
|
||||
inherit config;
|
||||
inherit (verStr) version;
|
||||
|
||||
src = fetchFromGitHub {
|
||||
inherit (verStr) rev hash;
|
||||
owner = "openssh";
|
||||
repo = "openssh-portable";
|
||||
};
|
||||
|
||||
doCheck =
|
||||
if config.xinCI.enable
|
||||
then
|
||||
true
|
||||
else false;
|
||||
|
||||
extraPatches = [ ./ssh-keysign-8.5.patch ];
|
||||
extraMeta.maintainers = with lib.maintainers; [ qbit ];
|
||||
};
|
||||
}
|
Loading…
Reference in New Issue
Block a user