3p/nixpkgs: add pomerium version bump

Luke Granger-Brown 2021-12-07 18:42:50 +00:00
parent 7f360c6533
commit e2e91987bb
2 changed files with 421 additions and 0 deletions


@ -0,0 +1,420 @@
From 786b4216c5481d8826c42defabed4721a74e1cd0 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Sat, 18 Sep 2021 02:55:10 +0000
Subject: [PATCH 1/4] gn1924: init at 2021-08-08, use generic derivation
generator
Split into "current" version, as used by most things (aka gn),
and "gn1924", which uses a more recent version of gn which is
incompatible with the currently packaged version of v8 in nixpkgs.
We can't win, but I need a newer version of gn for envoy.
Note that the newer gn matches the version in Chromium's DEPS for
v93.0.4577.82, the current Linux stable build as of September.
---
.../tools/build-managers/gn/default.nix | 58 +-----------------
.../tools/build-managers/gn/generic.nix | 60 +++++++++++++++++++
.../tools/build-managers/gn/rev1924.nix | 8 +++
3 files changed, 70 insertions(+), 56 deletions(-)
create mode 100644 pkgs/development/tools/build-managers/gn/generic.nix
create mode 100644 pkgs/development/tools/build-managers/gn/rev1924.nix
diff --git a/pkgs/development/tools/build-managers/gn/default.nix b/pkgs/development/tools/build-managers/gn/default.nix
index 3c0abb3edeab5..508a821d74950 100644
--- a/pkgs/development/tools/build-managers/gn/default.nix
+++ b/pkgs/development/tools/build-managers/gn/default.nix
@@ -1,64 +1,10 @@
-{ stdenv, lib, fetchgit, darwin, writeText
-, ninja, python3
-}:
+{ callPackage, ... } @ args:
-let
+callPackage ./generic.nix args {
# Note: Please use the recommended version for Chromium, e.g.:
# https://git.archlinux.org/svntogit/packages.git/tree/trunk/chromium-gn-version.sh?h=packages/gn
rev = "fd3d768bcfd44a8d9639fe278581bd9851d0ce3a";
revNum = "1718"; # git describe HEAD --match initial-commit | cut -d- -f3
version = "2020-03-09";
sha256 = "1asc14y8by7qcn10vbk467hvx93s30pif8r0brissl0sihsaqazr";
-
- revShort = builtins.substring 0 7 rev;
- lastCommitPosition = writeText "last_commit_position.h" ''
- #ifndef OUT_LAST_COMMIT_POSITION_H_
- #define OUT_LAST_COMMIT_POSITION_H_
-
- #define LAST_COMMIT_POSITION_NUM ${revNum}
- #define LAST_COMMIT_POSITION "${revNum} (${revShort})"
-
- #endif // OUT_LAST_COMMIT_POSITION_H_
- '';
-
-in stdenv.mkDerivation {
- pname = "gn-unstable";
- inherit version;
-
- src = fetchgit {
- # Note: The TAR-Archives (+archive/${rev}.tar.gz) are not deterministic!
- url = "https://gn.googlesource.com/gn";
- inherit rev sha256;
- };
-
- nativeBuildInputs = [ ninja python3 ];
- buildInputs = lib.optionals stdenv.isDarwin (with darwin; with apple_sdk.frameworks; [
- libobjc
- cctools
-
- # frameworks
- ApplicationServices
- Foundation
- AppKit
- ]);
-
- buildPhase = ''
- python build/gen.py --no-last-commit-position
- ln -s ${lastCommitPosition} out/last_commit_position.h
- ninja -j $NIX_BUILD_CORES -C out gn
- '';
-
- installPhase = ''
- install -vD out/gn "$out/bin/gn"
- '';
-
- setupHook = ./setup-hook.sh;
-
- meta = with lib; {
- description = "A meta-build system that generates build files for Ninja";
- homepage = "https://gn.googlesource.com/gn";
- license = licenses.bsd3;
- platforms = platforms.unix;
- maintainers = with maintainers; [ stesie matthewbauer primeos ];
- };
}
diff --git a/pkgs/development/tools/build-managers/gn/generic.nix b/pkgs/development/tools/build-managers/gn/generic.nix
new file mode 100644
index 0000000000000..4214bb822b994
--- /dev/null
+++ b/pkgs/development/tools/build-managers/gn/generic.nix
@@ -0,0 +1,60 @@
+{ stdenv, lib, fetchgit, darwin, writeText
+, ninja, python3
+, ...
+}:
+
+{ rev, revNum, version, sha256 }:
+
+let
+ revShort = builtins.substring 0 7 rev;
+ lastCommitPosition = writeText "last_commit_position.h" ''
+ #ifndef OUT_LAST_COMMIT_POSITION_H_
+ #define OUT_LAST_COMMIT_POSITION_H_
+
+ #define LAST_COMMIT_POSITION_NUM ${revNum}
+ #define LAST_COMMIT_POSITION "${revNum} (${revShort})"
+
+ #endif // OUT_LAST_COMMIT_POSITION_H_
+ '';
+
+in stdenv.mkDerivation {
+ pname = "gn-unstable";
+ inherit version;
+
+ src = fetchgit {
+ # Note: The TAR-Archives (+archive/${rev}.tar.gz) are not deterministic!
+ url = "https://gn.googlesource.com/gn";
+ inherit rev sha256;
+ };
+
+ nativeBuildInputs = [ ninja python3 ];
+ buildInputs = lib.optionals stdenv.isDarwin (with darwin; with apple_sdk.frameworks; [
+ libobjc
+ cctools
+
+ # frameworks
+ ApplicationServices
+ Foundation
+ AppKit
+ ]);
+
+ buildPhase = ''
+ python build/gen.py --no-last-commit-position
+ ln -s ${lastCommitPosition} out/last_commit_position.h
+ ninja -j $NIX_BUILD_CORES -C out gn
+ '';
+
+ installPhase = ''
+ install -vD out/gn "$out/bin/gn"
+ '';
+
+ setupHook = ./setup-hook.sh;
+
+ meta = with lib; {
+ description = "A meta-build system that generates build files for Ninja";
+ homepage = "https://gn.googlesource.com/gn";
+ license = licenses.bsd3;
+ platforms = platforms.unix;
+ maintainers = with maintainers; [ stesie matthewbauer primeos ];
+ };
+}
diff --git a/pkgs/development/tools/build-managers/gn/rev1924.nix b/pkgs/development/tools/build-managers/gn/rev1924.nix
new file mode 100644
index 0000000000000..1b17328f2e095
--- /dev/null
+++ b/pkgs/development/tools/build-managers/gn/rev1924.nix
@@ -0,0 +1,8 @@
+{ callPackage, ... } @ args:
+
+callPackage ./generic.nix args {
+ rev = "24e2f7df92641de0351a96096fb2c490b2436bb8";
+ revNum = "1924"; # git describe HEAD --match initial-commit | cut -d- -f3
+ version = "2021-08-08";
+ sha256 = "1lwkyhfhw0zd7daqz466n7x5cddf0danr799h4jg3s0yvd4galjl";
+}
From 637d735ad55d3d69bab6a4360327db8f988b86bb Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Sat, 18 Sep 2021 02:56:17 +0000
Subject: [PATCH 2/4] envoy: 1.17.3 -> 1.19.1
This now uses gn1924 to allow v8 to build properly.
---
pkgs/servers/http/envoy/default.nix | 14 ++++----------
pkgs/top-level/all-packages.nix | 2 ++
2 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/pkgs/servers/http/envoy/default.nix b/pkgs/servers/http/envoy/default.nix
index d26782560a470..c81d79dbb24be 100644
--- a/pkgs/servers/http/envoy/default.nix
+++ b/pkgs/servers/http/envoy/default.nix
@@ -17,8 +17,8 @@ let
# However, the version string is more useful for end-users.
# These are contained in a attrset of their own to make it obvious that
# people should update both.
- version = "1.17.3";
- commit = "46bf743b97d0d3f01ff437b2f10cc0bd9cdfe6e4";
+ version = "1.19.1";
+ commit = "a2a1e3eed4214a38608ec223859fcfa8fb679b14";
};
in
buildBazelPackage rec {
@@ -28,7 +28,7 @@ buildBazelPackage rec {
owner = "envoyproxy";
repo = "envoy";
rev = srcVer.commit;
- hash = "sha256:09zzr4h3zjsb2rkxrvlazpx0jy33yn9j65ilxiqbvv0ckaralqfc";
+ hash = "sha256:1v1hv4blrppnhllsxd9d3k2wl6nhd59r4ydljy389na3bb41jwf9";
extraPostFetch = ''
chmod -R +w $out
@@ -58,7 +58,7 @@ buildBazelPackage rec {
];
fetchAttrs = {
- sha256 = "sha256:1cy2b73x8jzczq9z9c1kl7zrg5iasvsakb50zxn4mswpmajkbj5h";
+ sha256 = "sha256:0vnl0gq6nhvyzz39jg1bvvna0xyhxalg71bp1jbxib7ql026004r";
dontUseCmakeConfigure = true;
dontUseGnConfigure = true;
preInstall = ''
@@ -75,12 +75,6 @@ buildBazelPackage rec {
$bazelOut/external/local_config_sh/BUILD
rm -r $bazelOut/external/go_sdk
- # Replace some wheels which are only used for tests with empty files;
- # they're nondeterministically built and packed.
- >$bazelOut/external/config_validation_pip3/PyYAML-5.3.1-cp38-cp38-linux_x86_64.whl
- >$bazelOut/external/protodoc_pip3/PyYAML-5.3.1-cp38-cp38-linux_x86_64.whl
- >$bazelOut/external/thrift_pip3/thrift-0.13.0-cp38-cp38-linux_x86_64.whl
-
# Remove Unix timestamps from go cache.
rm -rf $bazelOut/external/bazel_gazelle_go_repository_cache/{gocache,pkg/mod/cache,pkg/sumdb}
'';
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 542235a61f109..3cfdd5f4edb85 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -14956,6 +14956,7 @@ with pkgs;
nimbo = with python3Packages; callPackage ../applications/misc/nimbo { };
gn = callPackage ../development/tools/build-managers/gn { };
+ gn1924 = callPackage ../development/tools/build-managers/gn/rev1924.nix { };
nixbang = callPackage ../development/tools/misc/nixbang {
pythonPackages = python3Packages;
@@ -20738,6 +20739,7 @@ with pkgs;
envoy = callPackage ../servers/http/envoy {
go = go_1_15;
jdk = openjdk11;
+ gn = gn1924;
};
etcd = callPackage ../servers/etcd { };
From 4099f938597110708889eed18e81511fdfecc1db Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Sat, 18 Sep 2021 02:57:32 +0000
Subject: [PATCH 3/4] pomerium: 0.14.7 -> 0.15.7
---
pkgs/servers/http/pomerium/default.nix | 39 +++++++++++++-------------
1 file changed, 20 insertions(+), 19 deletions(-)
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
index 7b28200b284e6..9f24d64ae6ca8 100644
--- a/pkgs/servers/http/pomerium/default.nix
+++ b/pkgs/servers/http/pomerium/default.nix
@@ -11,15 +11,15 @@ let
in
buildGoModule rec {
pname = "pomerium";
- version = "0.14.7";
+ version = "0.15.7";
src = fetchFromGitHub {
owner = "pomerium";
repo = "pomerium";
rev = "v${version}";
- hash = "sha256:1jb96jk5qmary4fi1z9zwmppdyskj0qb6qii8s8mwazjjxqj1z2s";
+ hash = "sha256:0adlk4ylny1z43x1dw3ny0s1932vhb61hpf5wdz4r65y8k9qyfgr";
};
- vendorSha256 = "sha256:1daabi9qc9nx8bafn26iw6rv4vx2xpd0nnk06265aqaksx26db0s";
+ vendorSha256 = "sha256:1fszfbra84pcs8v1h2kf7iy603vf9v2ysg6il76aqmqrxmb1p7nv";
subPackages = [
"cmd/pomerium"
"cmd/pomerium-cli"
@@ -38,24 +38,25 @@ buildGoModule rec {
"${varFlags}"
];
- nativeBuildInputs = [
- zip
- ];
+ preBuild = ''
+ rm internal/envoy/files/files_{darwin,linux}*.go
+ cat <<EOF >internal/envoy/files/files_generic.go
+ package files
+
+ import _ "embed" // embed
+
+ //go:embed envoy
+ var rawBinary []byte
- # Pomerium expects to have envoy append to it in a zip.
- # We use a store-only (-0) zip, so that the Nix scanner can find any store references we had in the envoy binary.
- postBuild = ''
- # Append Envoy
- pushd $NIX_BUILD_TOP
- mkdir -p envoy
- cd envoy
- cp ${envoy}/bin/envoy envoy
- zip -0 envoy.zip envoy
- popd
+ //go:embed envoy.sha256
+ var rawChecksum string
- mv $GOPATH/bin/pomerium $GOPATH/bin/pomerium.old
- cat $GOPATH/bin/pomerium.old $NIX_BUILD_TOP/envoy/envoy.zip >$GOPATH/bin/pomerium
- zip --adjust-sfx $GOPATH/bin/pomerium
+ //go:embed envoy.version
+ var rawVersion string
+ EOF
+ cp ${envoy}/bin/envoy internal/envoy/files/envoy
+ sha256sum ${envoy}/bin/envoy > internal/envoy/files/envoy.sha256
+ echo ${envoy.version} > internal/envoy/files/envoy.version
'';
# We also need to set dontStrip to avoid having the envoy ZIP stripped off the end.
From 74560e35e5c8ada70bb170be352d8996160f7be3 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Tue, 7 Dec 2021 15:04:09 +0000
Subject: [PATCH 4/4] pomerium: use on-disk envoy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We can set an override path for Envoy's binary location now, so
do that instead of the previous thing of embedding the binary.
Note that we still need to include the SHA256/version of the binary
we're referring to, but Through The Power Of Nix™ we can do that
with relative ease.
---
pkgs/servers/http/pomerium/default.nix | 36 ++++++++++++++++----------
1 file changed, 23 insertions(+), 13 deletions(-)
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
index 9f24d64ae6ca8..cbf2fe1943542 100644
--- a/pkgs/servers/http/pomerium/default.nix
+++ b/pkgs/servers/http/pomerium/default.nix
@@ -7,7 +7,7 @@
}:
let
- inherit (lib) concatStringsSep mapAttrsToList;
+ inherit (lib) concatStringsSep concatMap id mapAttrsToList;
in
buildGoModule rec {
pname = "pomerium";
@@ -28,24 +28,38 @@ buildGoModule rec {
ldflags = let
# Set a variety of useful meta variables for stamping the build with.
setVars = {
- Version = "v${version}";
- BuildMeta = "nixpkgs";
- ProjectName = "pomerium";
- ProjectURL = "github.com/pomerium/pomerium";
+ "github.com/pomerium/pomerium/internal/version" = {
+ Version = "v${version}";
+ BuildMeta = "nixpkgs";
+ ProjectName = "pomerium";
+ ProjectURL = "github.com/pomerium/pomerium";
+ };
+ "github.com/pomerium/pomerium/internal/envoy" = {
+ OverrideEnvoyPath = "${envoy}/bin/envoy";
+ };
};
- varFlags = concatStringsSep " " (mapAttrsToList (name: value: "-X github.com/pomerium/pomerium/internal/version.${name}=${value}") setVars);
+ concatStringsSpace = list: concatStringsSep " " list;
+ mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
+ varFlags = concatStringsSpace (
+ mapAttrsToFlatList (package: packageVars:
+ mapAttrsToList (variable: value:
+ "-X ${package}.${variable}=${value}"
+ ) packageVars
+ ) setVars);
in [
"${varFlags}"
];
preBuild = ''
+ # Replace embedded envoy with nothing.
+ # We set OverrideEnvoyPath above, so rawBinary should never get looked at
+ # but we still need to set a checksum/version.
rm internal/envoy/files/files_{darwin,linux}*.go
cat <<EOF >internal/envoy/files/files_generic.go
package files
import _ "embed" // embed
- //go:embed envoy
var rawBinary []byte
//go:embed envoy.sha256
@@ -54,14 +68,10 @@ buildGoModule rec {
//go:embed envoy.version
var rawVersion string
EOF
- cp ${envoy}/bin/envoy internal/envoy/files/envoy
- sha256sum ${envoy}/bin/envoy > internal/envoy/files/envoy.sha256
- echo ${envoy.version} > internal/envoy/files/envoy.version
+ sha256sum '${envoy}/bin/envoy' > internal/envoy/files/envoy.sha256
+ echo '${envoy.version}' > internal/envoy/files/envoy.version
'';
- # We also need to set dontStrip to avoid having the envoy ZIP stripped off the end.
- dontStrip = true;
-
installPhase = ''
install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
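Review bot: In PATCH 4/4 the Envoy location is wired in solely through `-X github.com/pomerium/pomerium/internal/envoy.OverrideEnvoyPath=…`, and the Go linker silently ignores a `-X` name that no longer matches a package-level string variable, so an upstream rename would leave the build green while `files_generic.go` now ships a nil `rawBinary`; a guard such as `postInstall = ''grep -q '${envoy}/bin/envoy' $out/bin/pomerium'';` would make that failure loud at build time. That same `-X` string also appears to be what now keeps `${envoy}` in the runtime closure, since the binary is no longer copied into the source tree, which deserves a comment next to `OverrideEnvoyPath = "${envoy}/bin/envoy";`. `sha256sum '${envoy}/bin/envoy'` writes `<hash>  <path>` into `envoy.sha256`, so `rawChecksum` presumably only works if the loader takes the first field — confirm against pomerium's `internal/envoy/files` package. The enclosing `buildGoModule rec { … }` starts and ends outside this hunk.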


@ -2,3 +2,4 @@ patch-cherrypy.patch
pomerium-fix.patch pomerium-fix.patch
pomerium-fix2.patch pomerium-fix2.patch
0001-nixos-systemd-boot-create-boot-entries-for-specialis.patch 0001-nixos-systemd-boot-create-boot-entries-for-specialis.patch
pr138359-pomerium-bump.patch