144 lines
3.2 KiB
Nix
144 lines
3.2 KiB
Nix
{
|
|
buildGo123Module,
|
|
fetchFromGitHub,
|
|
lib,
|
|
envoy,
|
|
mkYarnPackage,
|
|
fetchYarnDeps,
|
|
nixosTests,
|
|
pomerium-cli,
|
|
}:
|
|
|
|
let
|
|
inherit (lib)
|
|
concatStringsSep
|
|
concatMap
|
|
id
|
|
mapAttrsToList
|
|
;
|
|
in
|
|
buildGo123Module rec {
|
|
pname = "pomerium";
|
|
version = "0.28.0";
|
|
src = fetchFromGitHub {
|
|
owner = "pomerium";
|
|
repo = "pomerium";
|
|
rev = "v${version}";
|
|
hash = "sha256-Uj/mVklFRaoDNQjCFS5NW/AhSU+7V1XxPiZBAUuly7s=";
|
|
};
|
|
|
|
vendorHash = "sha256-s6EZUZoGNBpy5RaLAPiCCCVFli+YzZ0PHJ/aH3s4APA=";
|
|
|
|
ui = mkYarnPackage {
|
|
inherit version;
|
|
src = "${src}/ui";
|
|
|
|
packageJSON = ./package.json;
|
|
offlineCache = fetchYarnDeps {
|
|
yarnLock = "${src}/ui/yarn.lock";
|
|
sha256 = lib.fileContents ./yarn-hash;
|
|
};
|
|
|
|
buildPhase = ''
|
|
runHook preBuild
|
|
yarn --offline build
|
|
runHook postBuild
|
|
'';
|
|
|
|
installPhase = ''
|
|
runHook preInstall
|
|
cp -R deps/pomerium/dist $out
|
|
runHook postInstall
|
|
'';
|
|
|
|
doDist = false;
|
|
};
|
|
|
|
subPackages = [
|
|
"cmd/pomerium"
|
|
];
|
|
|
|
# patch pomerium to allow use of external envoy
|
|
patches = [
|
|
./0001-envoy-allow-specification-of-external-binary.patch
|
|
];
|
|
|
|
ldflags =
|
|
let
|
|
# Set a variety of useful meta variables for stamping the build with.
|
|
setVars = {
|
|
"github.com/pomerium/pomerium/internal/version" = {
|
|
Version = "v${version}";
|
|
BuildMeta = "nixpkgs";
|
|
ProjectName = "pomerium";
|
|
ProjectURL = "github.com/pomerium/pomerium";
|
|
};
|
|
"github.com/pomerium/pomerium/pkg/envoy" = {
|
|
OverrideEnvoyPath = "${envoy}/bin/envoy";
|
|
};
|
|
};
|
|
concatStringsSpace = list: concatStringsSep " " list;
|
|
mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
|
|
varFlags = concatStringsSpace (
|
|
mapAttrsToFlatList (
|
|
package: packageVars:
|
|
mapAttrsToList (variable: value: "-X ${package}.${variable}=${value}") packageVars
|
|
) setVars
|
|
);
|
|
in
|
|
[
|
|
"${varFlags}"
|
|
];
|
|
|
|
preBuild = ''
|
|
# Replace embedded envoy with nothing.
|
|
# We set OverrideEnvoyPath above, so rawBinary should never get looked at
|
|
# but we still need to set a checksum/version.
|
|
rm pkg/envoy/files/files_{darwin,linux}*.go
|
|
cat <<EOF >pkg/envoy/files/files_external.go
|
|
package files
|
|
|
|
import _ "embed" // embed
|
|
|
|
var rawBinary []byte
|
|
|
|
//go:embed envoy.sha256
|
|
var rawChecksum string
|
|
|
|
//go:embed envoy.version
|
|
var rawVersion string
|
|
EOF
|
|
sha256sum '${envoy}/bin/envoy' > pkg/envoy/files/envoy.sha256
|
|
echo '${envoy.version}' > pkg/envoy/files/envoy.version
|
|
|
|
# put the built UI files where they will be picked up as part of binary build
|
|
cp -r ${ui}/* ui/dist
|
|
'';
|
|
|
|
installPhase = ''
|
|
install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
|
|
'';
|
|
|
|
passthru = {
|
|
tests = {
|
|
inherit (nixosTests) pomerium;
|
|
inherit pomerium-cli;
|
|
};
|
|
updateScript = ./updater.sh;
|
|
};
|
|
|
|
meta = with lib; {
|
|
homepage = "https://pomerium.io";
|
|
description = "Authenticating reverse proxy";
|
|
mainProgram = "pomerium";
|
|
license = licenses.asl20;
|
|
maintainers = with maintainers; [
|
|
lukegb
|
|
devusb
|
|
];
|
|
platforms = [
|
|
"x86_64-linux"
|
|
"aarch64-linux"
|
|
];
|
|
};
|
|
}
|