Diffstat (limited to 'nixpkgs/pkgs/servers/http/pomerium')
-rw-r--r-- | nixpkgs/pkgs/servers/http/pomerium/default.nix | 129 | ||||
-rw-r--r-- | nixpkgs/pkgs/servers/http/pomerium/external-envoy.diff | 48 | ||||
-rw-r--r-- | nixpkgs/pkgs/servers/http/pomerium/package.json | 61 | ||||
-rwxr-xr-x | nixpkgs/pkgs/servers/http/pomerium/updater.sh | 23 | ||||
-rw-r--r-- | nixpkgs/pkgs/servers/http/pomerium/yarn-hash | 1 |
5 files changed, 262 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/servers/http/pomerium/default.nix b/nixpkgs/pkgs/servers/http/pomerium/default.nix
new file mode 100644
index 000000000000..248b7ae1f3e7
--- /dev/null
+++ b/nixpkgs/pkgs/servers/http/pomerium/default.nix
@@ -0,0 +1,129 @@
+{ buildGoModule
+, fetchFromGitHub
+, callPackage
+, lib
+, envoy
+, mkYarnPackage
+, fetchYarnDeps
+, nixosTests
+, pomerium-cli
+}:
+
+let
+ inherit (lib) concatStringsSep concatMap id mapAttrsToList;
+in
+buildGoModule rec {
+ pname = "pomerium";
+ version = "0.25.1";
+ src = fetchFromGitHub {
+ owner = "pomerium";
+ repo = "pomerium";
+ rev = "v${version}";
+ hash = "sha256-xVPyiwKtSBchXC0FhNegeJlUej877zwNvrlAhSy6dJE=";
+ };
+
+ vendorHash = "sha256-GdeZkKkENacc11FmEAFUfX9efInfhpv2Lz0/3CtixFQ=";
+
+ ui = mkYarnPackage {
+ inherit version;
+ src = "${src}/ui";
+
+ packageJSON = ./package.json;
+ offlineCache = fetchYarnDeps {
+ yarnLock = "${src}/ui/yarn.lock";
+ sha256 = lib.fileContents ./yarn-hash;
+ };
+
+ buildPhase = ''
+ runHook preBuild
+ yarn --offline build
+ runHook postBuild
+ '';
+
+ installPhase = ''
+ runHook preInstall
+ cp -R deps/pomerium/dist $out
+ runHook postInstall
+ '';
+
+ doDist = false;
+ };
+
+ subPackages = [
+ "cmd/pomerium"
+ ];
+
+ # patch pomerium to allow use of external envoy
+ patches = [ ./external-envoy.diff ];
+
+ ldflags = let
+ # Set a variety of useful meta variables for stamping the build with.
+ setVars = {
+ "github.com/pomerium/pomerium/internal/version" = {
+ Version = "v${version}";
+ BuildMeta = "nixpkgs";
+ ProjectName = "pomerium";
+ ProjectURL = "github.com/pomerium/pomerium";
+ };
+ "github.com/pomerium/pomerium/pkg/envoy" = {
+ OverrideEnvoyPath = "${envoy}/bin/envoy";
+ };
+ };
+ concatStringsSpace = list: concatStringsSep " " list;
+ mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
+ varFlags = concatStringsSpace (
+ mapAttrsToFlatList (package: packageVars:
+ mapAttrsToList (variable: value:
+ "-X ${package}.${variable}=${value}"
+ ) packageVars
+ ) setVars);
+ in [
+ "${varFlags}"
+ ];
+
+ preBuild = ''
+ # Replace embedded envoy with nothing.
+ # We set OverrideEnvoyPath above, so rawBinary should never get looked at
+ # but we still need to set a checksum/version.
+ rm pkg/envoy/files/files_{darwin,linux}*.go
+ cat <<EOF >pkg/envoy/files/files_external.go
+ package files
+
+ import _ "embed" // embed
+
+ var rawBinary []byte
+
+ //go:embed envoy.sha256
+ var rawChecksum string
+
+ //go:embed envoy.version
+ var rawVersion string
+ EOF
+ sha256sum '${envoy}/bin/envoy' > pkg/envoy/files/envoy.sha256
+ echo '${envoy.version}' > pkg/envoy/files/envoy.version
+
+ # put the built UI files where they will be picked up as part of binary build
+ cp -r ${ui}/* ui/dist
+ '';
+
+ installPhase = ''
+ install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
+ '';
+
+ passthru = {
+ tests = {
+ inherit (nixosTests) pomerium;
+ inherit pomerium-cli;
+ };
+ updateScript = ./updater.sh;
+ };
+
+ meta = with lib; {
+ homepage = "https://pomerium.io";
+ description = "Authenticating reverse proxy";
+ mainProgram = "pomerium";
+ license = licenses.asl20;
+ maintainers = with maintainers; [ lukegb devusb ];
+ platforms = [ "x86_64-linux" "aarch64-linux" ];
+ };
+}
diff --git a/nixpkgs/pkgs/servers/http/pomerium/external-envoy.diff b/nixpkgs/pkgs/servers/http/pomerium/external-envoy.diff
new file mode 100644
index 000000000000..49f4985ad77c
--- /dev/null
+++ b/nixpkgs/pkgs/servers/http/pomerium/external-envoy.diff
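Review bot: The `installPhase` near the end of the `buildGoModule` body omits `runHook preInstall`/`runHook postInstall`, whereas the `ui` derivation's `installPhase` earlier in the same hunk calls both, so any hook attached by a wrapper or a downstream override is silently skipped for the main package. Either wrap the `install` call with the two `runHook` lines or drop the override altogether, since buildGoModule's default installPhase already installs the `subPackages` binaries from `$GOPATH/bin` (worth confirming against the buildGoModule in this tree). The `ldflags` let-block also space-joins every `-X` flag into one string and wraps it in a one-element list; returning the list directly — `in mapAttrsToFlatList (package: packageVars: mapAttrsToList (variable: value: "-X ${package}.${variable}=${value}") packageVars) setVars;` — removes the `concatStringsSpace`/`varFlags` indirection and keeps each flag a separate argument.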
@@ -0,0 +1,48 @@
+diff --git a/pkg/envoy/envoy.go b/pkg/envoy/envoy.go
+index e32cfc29..9d32c057 100644
+--- a/pkg/envoy/envoy.go
++++ b/pkg/envoy/envoy.go
+@@ -8,9 +8,9 @@ import (
+ "errors"
+ "fmt"
+ "io"
++ "io/fs"
+ "os"
+ "os/exec"
+- "path"
+ "path/filepath"
+ "regexp"
+ "strconv"
+@@ -36,8 +36,12 @@ import (
+
+ const (
+ configFileName = "envoy-config.yaml"
++ workingDirectoryName = ".pomerium-envoy"
++ embeddedEnvoyPermissions fs.FileMode = 0o700
+ )
+
++var OverrideEnvoyPath = ""
++
+ type serverOptions struct {
+ services string
+ logLevel string
+@@ -60,13 +64,16 @@ type Server struct {
+
+ // NewServer creates a new server with traffic routed by envoy.
+ func NewServer(ctx context.Context, src config.Source, builder *envoyconfig.Builder) (*Server, error) {
+- envoyPath, err := Extract()
++ envoyPath := OverrideEnvoyPath
++ wd := filepath.Join(os.TempDir(), workingDirectoryName)
++
++ err := os.MkdirAll(wd, embeddedEnvoyPermissions)
+ if err != nil {
+- return nil, fmt.Errorf("extracting envoy: %w", err)
++ return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err)
+ }
+
+ srv := &Server{
+- wd: path.Dir(envoyPath),
++ wd: wd,
+ builder: builder,
+ grpcPort: src.GetConfig().GRPCPort,
+ httpPort: src.GetConfig().HTTPPort,
diff --git a/nixpkgs/pkgs/servers/http/pomerium/package.json b/nixpkgs/pkgs/servers/http/pomerium/package.json
new file mode 100644
index 000000000000..4f81e118d85a
--- /dev/null
+++ b/nixpkgs/pkgs/servers/http/pomerium/package.json
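Review bot: The rewritten `NewServer` places its working directory at a fixed, predictable path under the shared temp directory (`filepath.Join(os.TempDir(), workingDirectoryName)`), and `os.MkdirAll` returns nil whenever that path already exists, regardless of its owner, mode or whether it is a symlink — so a directory pre-created by any other local user is accepted silently and becomes `srv.wd`, presumably the place `configFileName` is written for envoy. After `MkdirAll`, `Lstat` the path and reject anything that is not a plain directory with exactly `embeddedEnvoyPermissions` (on Unix, also check the owner uid via the `Sys()` stat), or derive `wd` from a per-service runtime directory rather than `os.TempDir()`; a minimal version of the check is below. The exported `OverrideEnvoyPath` also has no doc comment; `// OverrideEnvoyPath, when non-empty, is the path of an externally supplied envoy binary used instead of the embedded one.` would satisfy `go vet`/staticcheck. `NewServer` continues past the end of the inner hunk, so the struct literal stays open here.
```go
	err := os.MkdirAll(wd, embeddedEnvoyPermissions)
	if err != nil {
		return nil, fmt.Errorf("error creating temporary working directory for envoy: %w", err)
	}
	// MkdirAll succeeds for any existing path, including a symlink or a directory
	// created by another user under the shared temp dir; insist on a private directory.
	fi, err := os.Lstat(wd)
	if err != nil {
		return nil, fmt.Errorf("inspecting envoy working directory %q: %w", wd, err)
	}
	if !fi.IsDir() || fi.Mode().Perm() != embeddedEnvoyPermissions {
		return nil, fmt.Errorf("envoy working directory %q is not a private directory (mode %v)", wd, fi.Mode())
	}
	// … unchanged: srv := &Server{ … } …
```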
@@ -0,0 +1,61 @@
+{
+ "name": "pomerium",
+ "version": "1.0.0",
+ "main": "src/index.tsx",
+ "license": "Apache-2.0",
+ "scripts": {
+ "build": "ts-node ./scripts/esbuild.ts",
+ "format": "prettier --write .",
+ "lint": "eslint .",
+ "watch": "ts-node ./scripts/esbuild.ts --watch"
+ },
+ "browserslist": {
+ "production": [
+ ">0.2%",
+ "not dead",
+ "not op_mini all"
+ ],
+ "development": [
+ "last 1 chrome version",
+ "last 1 firefox version",
+ "last 1 safari version"
+ ]
+ },
+ "dependencies": {
+ "@babel/core": "^7.0.0",
+ "@emotion/react": "^11.7.1",
+ "@emotion/styled": "^11.11.0",
+ "@fontsource/dm-mono": "^5.0.14",
+ "@fontsource/dm-sans": "^5.0.13",
+ "@mui/icons-material": "^5.14.9",
+ "@mui/material": "^5.4.0",
+ "luxon": "^2.5.2",
+ "markdown-to-jsx": "^7.2.1",
+ "react": "^17.0.2",
+ "react-dom": "^17.0.2",
+ "react-feather": "^2.0.10"
+ },
+ "devDependencies": {
+ "@trivago/prettier-plugin-sort-imports": "2.0.4",
+ "@types/luxon": "^2.0.9",
+ "@types/node": "^17.0.14",
+ "@types/react": "^17.0.34",
+ "@types/react-dom": "^17.0.11",
+ "@typescript-eslint/eslint-plugin": "^5.10.2",
+ "@typescript-eslint/parser": "^5.59.11",
+ "esbuild": "^0.13.12",
+ "eslint": "7.32.0",
+ "eslint-config-prettier": "^8.3.0",
+ "eslint-plugin-react": "^7.28.0",
+ "prettier": "^2.4.1",
+ "ts-node": "^10.9.1",
+ "typescript": "^5.1.3"
+ },
+ "prettier": {
+ "importOrder": [
+ "^[./]"
+ ],
+ "importOrderSeparation": true,
+ "importOrderSortSpecifiers": true
+ }
+}
diff --git a/nixpkgs/pkgs/servers/http/pomerium/updater.sh b/nixpkgs/pkgs/servers/http/pomerium/updater.sh
new file mode 100755
index 000000000000..0df47268ca96
--- /dev/null
+++ b/nixpkgs/pkgs/servers/http/pomerium/updater.sh
@@ -0,0 +1,23 @@
+#! /usr/bin/env nix-shell
+#! nix-shell -i bash -p gnugrep coreutils curl wget jq nix-update prefetch-yarn-deps
+
+set -euo pipefail
+pushd "$(dirname "${BASH_SOURCE[0]}")"
+
+owner="pomerium"
+repo="pomerium"
+version=`curl -s "https://api.github.com/repos/$owner/$repo/tags" | jq -r .[0].name | grep -oP "^v\K.*"`
+url="https://raw.githubusercontent.com/$owner/$repo/v$version/"
+
+if [[ "$UPDATE_NIX_OLD_VERSION" == "$version" ]]; then
+ echo "Already up to date!"
+ exit 0
+fi
+
+rm -f package.json yarn.lock
+wget "$url/ui/yarn.lock" "$url/ui/package.json"
+echo $(prefetch-yarn-deps) > yarn-hash
+rm -f yarn.lock
+
+popd
+nix-update pomerium --version $version
diff --git a/nixpkgs/pkgs/servers/http/pomerium/yarn-hash b/nixpkgs/pkgs/servers/http/pomerium/yarn-hash
new file mode 100644
index 000000000000..71760c6384c7
--- /dev/null
+++ b/nixpkgs/pkgs/servers/http/pomerium/yarn-hash
@@ -0,0 +1 @@
+1cjwkdvg9rfp55674gns44xwi32ws8z57sa4ffb0zzgdgy2yx2zm
|
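Review bot: The `if [[ "$UPDATE_NIX_OLD_VERSION" == "$version" ]]` test aborts with an unbound-variable error under `set -u` whenever the script is run by hand instead of through `nix-update`, which is what exports that variable; `"${UPDATE_NIX_OLD_VERSION:-}"` lets a manual run proceed to the update. The `version=` line should use `$(...)` rather than backticks and `curl -sf` so a non-2xx response body is never fed to `jq`, and `.[0].name` takes whichever tag GitHub lists first, which is not guaranteed to be the newest stable release — filtering the tag names with a pattern such as `^v[0-9]+\.[0-9]+\.[0-9]+$` before picking one avoids silently moving to a pre-release tag. The final `nix-update pomerium --version $version` leaves the remote-derived value unquoted; write `"$version"`.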