clevis: 19 -> 20

pkgs/tools/security/clevis/default.nix → pkgs/by-name/cl/clevis/package.nix

@@ -1,6 +1,6 @@
 { lib
-, stdenv
 , asciidoc
+, bash
 , coreutils
 , cryptsetup
 , curl
@@ -9,56 +9,61 @@
 , gnused
 , jansson
 , jose
+, jq
 , libpwquality
 , luksmeta
 , makeWrapper
 , meson
 , ninja
+, nixosTests
 , pkg-config
+, stdenv
 , tpm2-tools
-, nixosTests
 }:
 
-stdenv.mkDerivation rec {
+stdenv.mkDerivation (finalAttrs: {
   pname = "clevis";
-  version = "19";
+  version = "20";
 
   src = fetchFromGitHub {
     owner = "latchset";
-    repo = pname;
-    rev = "refs/tags/v${version}";
-    hash = "sha256-3J3ti/jRiv+p3eVvJD7u0ko28rPd8Gte0mCJaVaqyOs=";
+    repo = "clevis";
+    rev = "refs/tags/v${finalAttrs.version}";
+    hash = "sha256-rBdZrnHPzRd9vbyl1h/Nb0cFAtIPUHSmxVoKrKuCrQ8=";
   };
 
+  outputs = [ "out" "man" ];
+
   patches = [
     # Replaces the clevis-decrypt 300s timeout to a 10s timeout
     # https://github.com/latchset/clevis/issues/289
-    ./tang-timeout.patch
+    ./001-tang-timeout.patch
   ];
 
   postPatch = ''
     for f in $(find src/ -type f); do
-      grep -q "/bin/cat" "$f" && substituteInPlace "$f" \
-        --replace '/bin/cat' '${coreutils}/bin/cat' || true
+      grep -q "/bin/cat" "$f" && \
+      substituteInPlace "$f" \
+        --replace-fail '/bin/cat' '${coreutils}/bin/cat' || true
     done
   '';
 
-  postInstall = ''
-    # We wrap the main clevis binary entrypoint but not the sub-binaries.
-    wrapProgram $out/bin/clevis \
-      --prefix PATH ':' "${lib.makeBinPath [tpm2-tools jose cryptsetup libpwquality luksmeta gnugrep gnused coreutils]}:${placeholder "out"}/bin"
-  '';
+  depsBuildBuild = [
+    pkg-config
+  ];
 
   nativeBuildInputs = [
     asciidoc
+    cryptsetup
+    jq
     makeWrapper
     meson
     ninja
     pkg-config
   ];
 
   buildInputs = [
-    cryptsetup
+    bash
     curl
     jansson
     jose
@@ -67,24 +72,43 @@ stdenv.mkDerivation rec {
     tpm2-tools
   ];
 
-  outputs = [
-    "out"
-    "man"
-  ];
+  strictDeps = true;
+
+  postFixup = let
+    binPath = lib.makeBinPath [
+      coreutils
+      cryptsetup
+      gnugrep
+      gnused
+      jose
+      libpwquality
+      luksmeta
+      tpm2-tools
+    ];
+    # We wrap the main clevis binary entrypoint - but not the sub-command
+    # binaries
+  in ''
+    patchShebangs --host $out/bin/clevis
+    wrapProgram $out/bin/clevis \
+      --prefix PATH ':' "${binPath}:${placeholder "out"}/bin"
+  '';
 
   passthru.tests = {
-    inherit (nixosTests.installer) clevisBcachefs clevisBcachefsFallback clevisLuks clevisLuksFallback clevisZfs clevisZfsFallback;
+    inherit (nixosTests.installer)
+      clevisBcachefs clevisBcachefsFallback clevisLuks clevisLuksFallback
+      clevisZfs clevisZfsFallback;
     clevisLuksSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuks;
     clevisLuksFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisLuksFallback;
     clevisZfsSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfs;
     clevisZfsFallbackSystemdStage1 = nixosTests.installer-systemd-stage-1.clevisZfsFallback;
   };
 
-  meta = with lib; {
+  meta = {
     description = "Automated Encryption Framework";
     homepage = "https://github.com/latchset/clevis";
-    changelog = "https://github.com/latchset/clevis/releases/tag/v${version}";
-    license = licenses.gpl3Plus;
-    maintainers = with maintainers; [ ];
+    changelog = "https://github.com/latchset/clevis/releases/tag/v${finalAttrs.version}";
+    license = with lib.licenses; [ gpl3Plus ];
+    mainProgram = "clevis";
+    maintainers = with lib.maintainers; [ AndersonTorres ];
   };
-}
+})

pkgs/top-level/all-packages.nix

@@ -4644,7 +4644,7 @@ with pkgs;
 
   clevercsv = with python3Packages; toPythonApplication clevercsv;
 
-  clevis = callPackage ../tools/security/clevis {
+  clevis = callPackage ../by-name/cl/clevis/package.nix {
     asciidoc = asciidoc-full;
   };