This commit is contained in:
Aaron Bieber 2023-09-03 19:58:14 -06:00
parent 47a31a9e37
commit 71f0da0fb9
No known key found for this signature in database
3 changed files with 81 additions and 67 deletions

View File

@ -6,7 +6,7 @@
xinlib,
...
}: let
inherit (xinlib) prIsOpen;
#inherit (xinlib) prIsOpen;
jobs = [
{
name = "xin-ci-update";

View File

@ -44,16 +44,16 @@ in {
config = lib.mkIf cfg.enable {
users.groups.${cfg.group} = {};
users.users.${cfg.user} = {
inherit (cfg) group;
description = "veilid-server user";
isSystemUser = true;
home = cfg.dataDir;
createHome = true;
group = cfg.group;
};
networking.firewall = lib.mkIf cfg.openFirewall {
allowedTCPPorts = [ 5150 ];
allowedUDPPorts = [ 5150 ];
allowedTCPPorts = [5150];
allowedUDPPorts = [5150];
};
systemd.services.veilid-server = {

View File

@ -1,44 +1,46 @@
{ pname
, version
, extraDesc ? ""
, src
, extraPatches ? []
, extraNativeBuildInputs ? []
, extraConfigureFlags ? []
, extraMeta ? {}
{
pname,
version,
extraDesc ? "",
src,
extraPatches ? [],
extraNativeBuildInputs ? [],
extraConfigureFlags ? [],
extraMeta ? {},
}: {
lib,
stdenv,
# This *is* correct, though unusual. as a way of getting krb5-config from the
# package without splicing See: https://github.com/NixOS/nixpkgs/pull/107606
pkgs,
autoreconfHook,
zlib,
libressl,
libedit,
pkg-config,
pam,
libredirect,
etcDir ? "/etc/ssh",
withKerberos ? true,
libkrb5,
libfido2,
hostname,
nixosTests,
withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl,
withPAM ? stdenv.hostPlatform.isLinux,
linkOpenssl ? true,
}:
{ lib, stdenv
# This *is* correct, though unusual. as a way of getting krb5-config from the
# package without splicing See: https://github.com/NixOS/nixpkgs/pull/107606
, pkgs
, autoreconfHook
, zlib
, libressl
, libedit
, pkg-config
, pam
, libredirect
, etcDir ? "/etc/ssh"
, withKerberos ? true
, libkrb5
, libfido2
, hostname
, nixosTests
, withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
, withPAM ? stdenv.hostPlatform.isLinux
, linkOpenssl ? true
}:
stdenv.mkDerivation {
inherit pname version src;
patches = [
patches =
[
./locale_archive.patch
# See discussion in https://github.com/NixOS/nixpkgs/pull/16966
./dont_create_privsep_path.patch
] ++ extraPatches;
]
++ extraPatches;
postPatch =
# On Hydra this makes installation fail (sometimes?),
@ -48,13 +50,15 @@ stdenv.mkDerivation {
'';
strictDeps = true;
nativeBuildInputs = [ autoreconfHook pkg-config ]
nativeBuildInputs =
[autoreconfHook pkg-config]
# This is not the same as the libkrb5 from the inputs! pkgs.libkrb5 is
# needed here to access krb5-config in order to cross compile. See:
# https://github.com/NixOS/nixpkgs/pull/107606
++ lib.optional withKerberos pkgs.libkrb5
++ extraNativeBuildInputs;
buildInputs = [ zlib libressl libedit ]
buildInputs =
[zlib libressl libedit]
++ lib.optional withFIDO libfido2
++ lib.optional withKerberos libkrb5
++ lib.optional withPAM pam;
@ -67,7 +71,8 @@ stdenv.mkDerivation {
# I set --disable-strip because later we strip anyway. And it fails to strip
# properly when cross building.
configureFlags = [
configureFlags =
[
"--sbindir=\${out}/bin"
"--localstatedir=/var"
"--with-pid-dir=/run"
@ -75,24 +80,30 @@ stdenv.mkDerivation {
"--with-libedit=yes"
"--disable-strip"
(lib.withFeature withPAM "pam")
] ++ lib.optional (etcDir != null) "--sysconfdir=${etcDir}"
]
++ lib.optional (etcDir != null) "--sysconfdir=${etcDir}"
++ lib.optional withFIDO "--with-security-key-builtin=yes"
++ lib.optional withKerberos (assert libkrb5 != null; "--with-kerberos5=${libkrb5}")
++ lib.optional stdenv.isDarwin "--disable-libutil"
++ lib.optional (!linkOpenssl) "--without-openssl"
++ extraConfigureFlags;
${if stdenv.hostPlatform.isStatic then "NIX_LDFLAGS" else null}= [ "-laudit" ] ++ lib.optionals withKerberos [ "-lkeyutils" ];
${
if stdenv.hostPlatform.isStatic
then "NIX_LDFLAGS"
else null
} =
["-laudit"] ++ lib.optionals withKerberos ["-lkeyutils"];
buildFlags = [ "SSH_KEYSIGN=ssh-keysign" ];
buildFlags = ["SSH_KEYSIGN=ssh-keysign"];
enableParallelBuilding = true;
hardeningEnable = [ "pie" ];
hardeningEnable = ["pie"];
doCheck = true;
enableParallelChecking = false;
nativeCheckInputs = [ libressl ] ++ lib.optional (!stdenv.isDarwin) hostname;
nativeCheckInputs = [libressl] ++ lib.optional (!stdenv.isDarwin) hostname;
preCheck = lib.optionalString (stdenv.hostPlatform == stdenv.buildPlatform) ''
# construct a dummy HOME
export HOME=$(realpath ../dummy-home)
@ -140,11 +151,12 @@ stdenv.mkDerivation {
# integration tests hard to get working on darwin with its shaky
# sandbox
# t-exec tests fail on musl
checkTarget = lib.optional (!stdenv.isDarwin && !stdenv.hostPlatform.isMusl) "t-exec"
checkTarget =
lib.optional (!stdenv.isDarwin && !stdenv.hostPlatform.isMusl) "t-exec"
# other tests are less demanding of the environment
++ [ "unit" "file-tests" "interop-tests" ];
++ ["unit" "file-tests" "interop-tests"];
installTargets = [ "install-nokeys" ];
installTargets = ["install-nokeys"];
installFlags = [
"sysconfdir=\${out}/etc/ssh"
];
@ -153,13 +165,15 @@ stdenv.mkDerivation {
borgbackup-integration = nixosTests.borgbackup;
};
meta = with lib; {
meta = with lib;
{
description = "An implementation of the SSH protocol${extraDesc}";
homepage = "https://www.openssh.com/";
changelog = "https://www.openssh.com/releasenotes.html";
license = licenses.bsd2;
platforms = platforms.unix ++ platforms.windows;
maintainers = (extraMeta.maintainers or []) ++ (with maintainers; [ eelco aneeshusa ]);
maintainers = (extraMeta.maintainers or []) ++ (with maintainers; [eelco aneeshusa]);
mainProgram = "ssh";
} // extraMeta;
}
// extraMeta;
}