pkgs/openssh: consolidate and cleanup

Aaron Bieber 2024-03-08 09:59:09 -07:00
parent facdb1398a
commit 0c83b0fc68
4 changed files with 66 additions and 125 deletions


@ -3,6 +3,7 @@
, options
, pkgs
, isUnstable
, xinlib
, ...
}:
let
@ -15,7 +16,7 @@ let
command="/run/current-system/sw/bin/xin-status",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE9PIhQ+yWfBM2tEG+W8W8HXJXqISXif8BcPZHakKvLM xin-status
'';
gosignify = pkgs.callPackage ./pkgs/gosignify.nix { inherit isUnstable; };
myOpenSSH = pkgs.callPackage ./pkgs/openssh { };
myOpenSSH = pkgs.callPackage ./pkgs/openssh.nix { inherit config xinlib; };
in
{
imports = [
@ -198,7 +199,7 @@ in
zsh.enable = true;
gnupg.agent.enable = true;
ssh = {
package = myOpenSSH.openssh;
package = myOpenSSH;
agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
knownHosts = {
"[namish.otter-alligator.ts.net]:2222".publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9jlU5XATs8N90mXuCqrflwOJ+s3s7LefDmFZBx8cCk";


@ -1,18 +0,0 @@
let
openssh = _: super: {
openssh = super.openssh.overrideAttrs (_: rec {
version = "9.3p1";
src = super.fetchurl {
url = "mirror://openbsd/OpenSSH/portable/openssh-${version}.tar.gz";
hash = "sha256-6bq6dwGnalHz2Fpiw4OjydzZf6kAuFm8fbEUwYaK+Kg=";
};
patches = [
./ssh-keysign-8.5.patch
./dont_create_privsep_path.patch
./locale_archive.patch
];
});
};
in
openssh


@ -1,46 +1,56 @@
{ pname
, version
, extraDesc ? ""
, src
, extraPatches ? [ ]
, extraNativeBuildInputs ? [ ]
, extraConfigureFlags ? [ ]
, extraMeta ? { }
{ autoreconfHook
, config
, etcDir ? "/etc/ssh"
, fetchFromGitHub
, hostname
, lib
, libedit
, libfido2
, libredirect
, libressl
, linkOpenssl ? true
, pam
, pkg-config
, stdenv
, withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
, withPAM ? stdenv.hostPlatform.isLinux
, xinlib
, zlib
, ...
}: { lib
, stdenv
, # This *is* correct, though unusual. as a way of getting krb5-config from the
# package without splicing See: https://github.com/NixOS/nixpkgs/pull/107606
pkgs
, autoreconfHook
, zlib
, libressl
, libedit
, pkg-config
, pam
, libredirect
, etcDir ? "/etc/ssh"
, withKerberos ? true
, libkrb5
, libfido2
, hostname
, nixosTests
, withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
, withPAM ? stdenv.hostPlatform.isLinux
, linkOpenssl ? true
,
}:
}:
let
inherit (builtins) readFile fromJSON;
verStr = fromJSON (readFile ./openssh/version.json);
hostStr = lib.strings.concatStrings [
"CI not configured on '"
config.networking.hostName
"': skipping OpenSSH tests"
];
in
stdenv.mkDerivation {
inherit pname version src;
pname = "openssh";
inherit (verStr) version;
src = fetchFromGitHub {
inherit (verStr) rev hash;
owner = "openssh";
repo = "openssh-portable";
};
doCheck =
if config.xinCI.enable
then
true
else (lib.warn hostStr false);
patches =
[
./locale_archive.patch
./openssh/locale_archive.patch
./openssh/ssh-keysign-8.5.patch
# See discussion in https://github.com/NixOS/nixpkgs/pull/16966
./dont_create_privsep_path.patch
]
++ extraPatches;
./openssh/dont_create_privsep_path.patch
];
postPatch =
# On Hydra this makes installation fail (sometimes?),
@ -51,16 +61,10 @@ stdenv.mkDerivation {
strictDeps = true;
nativeBuildInputs =
[ autoreconfHook pkg-config ]
# This is not the same as the libkrb5 from the inputs! pkgs.libkrb5 is
# needed here to access krb5-config in order to cross compile. See:
# https://github.com/NixOS/nixpkgs/pull/107606
++ lib.optional withKerberos pkgs.libkrb5
++ extraNativeBuildInputs;
[ autoreconfHook pkg-config ];
buildInputs =
[ zlib libressl libedit ]
++ lib.optional withFIDO libfido2
++ lib.optional withKerberos libkrb5
++ lib.optional withPAM pam;
preConfigure = ''
@ -83,17 +87,15 @@ stdenv.mkDerivation {
]
++ lib.optional (etcDir != null) "--sysconfdir=${etcDir}"
++ lib.optional withFIDO "--with-security-key-builtin=yes"
++ lib.optional withKerberos (assert libkrb5 != null; "--with-kerberos5=${libkrb5}")
++ lib.optional stdenv.isDarwin "--disable-libutil"
++ lib.optional (!linkOpenssl) "--without-openssl"
++ extraConfigureFlags;
++ lib.optional (!linkOpenssl) "--without-openssl";
${
if stdenv.hostPlatform.isStatic
then "NIX_LDFLAGS"
else null
} =
[ "-laudit" ] ++ lib.optionals withKerberos [ "-lkeyutils" ];
if stdenv.hostPlatform.isStatic then
"NIX_LDFLAGS"
else
null
} = [ "-laudit" ];
buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];
@ -147,32 +149,21 @@ stdenv.mkDerivation {
# set up NIX_REDIRECTS for direct invocations
set -a; source ~/.ssh/environment.base; set +a
'';
# integration tests hard to get working on darwin with its shaky
# sandbox
# t-exec tests fail on musl
checkTarget =
lib.optional (!stdenv.isDarwin && !stdenv.hostPlatform.isMusl) "t-exec"
# other tests are less demanding of the environment
++ [ "unit" "file-tests" "interop-tests" ];
checkTarget = [ "t-exec" "unit" "file-tests" "interop-tests" ];
installTargets = [ "install-nokeys" ];
installFlags = [
"sysconfdir=\${out}/etc/ssh"
];
passthru.tests = {
borgbackup-integration = nixosTests.borgbackup;
meta = with lib; {
description = "An implementation of the SSH protocol";
homepage = "https://www.openssh.com/";
changelog = "https://www.openssh.com/releasenotes.html";
license = licenses.bsd2;
platforms = platforms.unix ++ platforms.windows;
maintainers = with maintainers; [ qbit ];
mainProgram = "ssh";
};
meta = with lib;
{
description = "An implementation of the SSH protocol${extraDesc}";
homepage = "https://www.openssh.com/";
changelog = "https://www.openssh.com/releasenotes.html";
license = licenses.bsd2;
platforms = platforms.unix ++ platforms.windows;
maintainers = (extraMeta.maintainers or [ ]) ++ (with maintainers; [ eelco aneeshusa ]);
mainProgram = "ssh";
}
// extraMeta;
}
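Review bot: `checkTarget = [ "t-exec" "unit" "file-tests" "interop-tests" ]` now runs t-exec unconditionally, while the derivation still advertises `platforms.unix` in `meta` and keeps its darwin (`--disable-libutil`) and musl (`withFIDO`) conditionals; the comment that was removed alongside it recorded that t-exec fails on musl and is unreliable in the darwin sandbox. Because `doCheck` is only true when `config.xinCI.enable` is set, this presumably only bites if the CI host is ever darwin or musl, but the guard costs little to keep: `checkTarget = lib.optional (!stdenv.isDarwin && !stdenv.hostPlatform.isMusl) "t-exec" ++ [ "unit" "file-tests" "interop-tests" ];`. The `doCheck` branch could also be written as `doCheck = lib.warnIf (!config.xinCI.enable) hostStr config.xinCI.enable;`, which reads the flag once and still emits the eval-time warning on non-CI hosts. `xinlib` is declared in the argument set but is not referenced in any visible hunk; the mkDerivation body continues outside these hunks, so it may be used there — if not, it can be dropped from both the argument set and the `callPackage` call site.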


@ -1,33 +0,0 @@
{ callPackage
, lib
, fetchFromGitHub
, config
,
}:
let
inherit (builtins) readFile fromJSON;
common = opts: callPackage (import ./common.nix opts) { };
verStr = fromJSON (readFile ./version.json);
in
{
openssh = common {
pname = "openssh";
inherit config;
inherit (verStr) version;
src = fetchFromGitHub {
inherit (verStr) rev hash;
owner = "openssh";
repo = "openssh-portable";
};
doCheck =
if config.xinCI.enable
then
true
else false;
extraPatches = [ ./ssh-keysign-8.5.patch ];
extraMeta.maintainers = with lib.maintainers; [ qbit ];
};
}