| blob | f37c05f93fbb0819b9f11c9595f35d88144b7398 |
1 {
2 lib,
3 stdenv,
4 fetchFromGitHub,
5 buildGoModule,
6 coreutils,
7 pcsclite,
8 PCSC,
9 pkg-config,
10 hsmSupport ? true,
11 nixosTests,
12 }:
14 buildGoModule rec {
15 pname = "step-ca";
16 version = "0.27.2";
18 src = fetchFromGitHub {
19 owner = "smallstep";
20 repo = "certificates";
21 rev = "refs/tags/v${version}";
22 hash = "sha256-byVWNab6Q3yryluhMomzLkRNfXQ/68pAq+YGFjbvX1o=";
23 };
25 vendorHash = "sha256-gQEGCbVgtKIaUgBkfpVwLXoUg1EUhaQFn9JZvV5Rjhc=";
27 ldflags = [
28 "-w"
29 "-X main.Version=${version}"
30 ];
32 nativeBuildInputs = lib.optionals hsmSupport [ pkg-config ];
34 buildInputs =
35 lib.optionals (hsmSupport && stdenv.hostPlatform.isLinux) [ pcsclite ]
36 ++ lib.optionals (hsmSupport && stdenv.hostPlatform.isDarwin) [ PCSC ];
38 postPatch = ''
39 substituteInPlace systemd/step-ca.service --replace "/bin/kill" "${coreutils}/bin/kill"
40 '';
42 preBuild = ''
43 ${lib.optionalString (!hsmSupport) "export CGO_ENABLED=0"}
44 '';
46 postInstall = ''
47 install -Dm444 -t $out/lib/systemd/system systemd/step-ca.service
48 '';
50 preCheck = ''
51 export HOME=$(mktemp -d)
52 '';
54 # Tests start http servers which need to bind to local addresses:
55 # panic: httptest: failed to listen on a port: listen tcp6 [::1]:0: bind: operation not permitted
56 __darwinAllowLocalNetworking = true;
58 # Tests need to run in a reproducible order, otherwise they run unreliably on
59 # (at least) x86_64-linux.
60 checkFlags = [ "-p 1" ];
62 passthru.tests.step-ca = nixosTests.step-ca;
64 meta = with lib; {
65 description = "Private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH";
66 homepage = "https://smallstep.com/certificates/";
67 changelog = "https://github.com/smallstep/certificates/releases/tag/v${version}";
68 license = licenses.asl20;
69 maintainers = with maintainers; [
70 cmcdragonkai
71 techknowlogick
72 ];
73 };
74 }