In particular, replace the error-prone sourceByRegex filter for the rosenpass derivation with a simple file suffix filter.
# Nix flake for rosenpass: the Rust package (dynamic and, on Linux, static),
# OCI images, a release tarball, the whitepaper, the ProVerif proof, dev
# shells and formatting checks. Outputs are produced per system and merged
# with recursiveUpdate below.
{
  inputs = {
    flake-utils.url = "github:numtide/flake-utils";

    # for quicker rust builds
    naersk.url = "github:nix-community/naersk";
    naersk.inputs.nixpkgs.follows = "nixpkgs";

    # for rust nightly with llvm-tools-preview
    fenix.url = "github:nix-community/fenix";
    fenix.inputs.nixpkgs.follows = "nixpkgs";
  };

  outputs = { self, nixpkgs, flake-utils, ... }@inputs:
    # Each list entry below is an attrset of per-system outputs; they are
    # deep-merged so the Linux-only section can extend the packages/devShells
    # defined in the first section.
    nixpkgs.lib.foldl (a: b: nixpkgs.lib.recursiveUpdate a b) { } [

      #
      ### Actual Rosenpass Package and Docker Container Images ###
      #
      (flake-utils.lib.eachSystem [
        "x86_64-linux"
        "aarch64-linux"

        # unsupported best-effort
        "i686-linux"
        "x86_64-darwin"
        "aarch64-darwin"
        # "x86_64-windows"
      ]
        (system:
          let
            lib = nixpkgs.lib;

            # normal nixpkgs
            pkgs = import nixpkgs {
              inherit system;

              # TODO remove overlay once a fix for
              # https://github.com/NixOS/nixpkgs/issues/216904 got merged
              overlays = [
                (
                  final: prev: {
                    iproute2 = prev.iproute2.overrideAttrs (old:
                      let
                        isStatic = prev.stdenv.hostPlatform.isStatic;
                      in
                      {
                        # NOTE(review): `lib.optional` wraps its argument in a
                        # list, so a list argument yields a nested list here;
                        # `lib.optionals` (plural) would be the exact form —
                        # confirm the flags still reach make as intended.
                        makeFlags = old.makeFlags ++ prev.lib.optional isStatic [
                          "TC_CONFIG_NO_XT=y"
                        ];
                      });
                  }
                )
              ];
            };

            # parsed Cargo.toml
            cargoToml = builtins.fromTOML (builtins.readFile ./rosenpass/Cargo.toml);

            # source files relevant for rust
            # Keeps only files below the repo root whose names end in one of
            # these suffixes, so unrelated files (papers, proofs, scripts) do
            # not enter the package's input hash and cannot trigger rebuilds.
            src = pkgs.lib.sources.sourceFilesBySuffices ./. [
              ".lock"
              ".rs"
              ".toml"
            ];

            # builds a bin path for all dependencies for the `rp` shellscript
            # (prepended to PATH by the wrapper in preInstall below, so the
            # script only ever sees these pinned tools first)
            rpBinPath = p: with p; lib.makeBinPath [
              coreutils
              findutils
              gawk
              wireguard-tools
            ];

            # a function to generate a nix derivation for rosenpass against any
            # given set of nixpkgs
            # `p` is the package set to build against (pkgs or pkgs.pkgsStatic);
            # `pkgs` is still used for build-time tools that run on the host.
            rpDerivation = p:
              let
                # whether we want to build a statically linked binary
                isStatic = p.targetPlatform.isStatic;

                # the rust target of `p`
                target = p.rust.toRustTargetSpec p.targetPlatform;

                # convert a string to shout case
                # (constructed example: "x86_64-unknown-linux-gnu" ->
                # "X86_64_UNKNOWN_LINUX_GNU", as used in the cargo env var name)
                shout = string: builtins.replaceStrings [ "-" ] [ "_" ] (pkgs.lib.toUpper string);

                # suitable Rust toolchain
                toolchain = with inputs.fenix.packages.${system}; combine [
                  stable.cargo
                  stable.rustc
                  targets.${target}.stable.rust-std
                ];

                # naersk with a custom toolchain
                naersk = pkgs.callPackage inputs.naersk {
                  cargo = toolchain;
                  rustc = toolchain;
                };

                # used to trick the build.rs into believing that CMake was run **again**
                # A `cmake` shim that exits 0 without doing anything; it is put
                # in front of the real cmake (lib.hiPrio) in overrideMain only.
                fakecmake = pkgs.writeScriptBin "cmake" ''
                  #! ${pkgs.stdenv.shell} -e
                  true
                '';
              in
              naersk.buildPackage
                {
                  # metadata and source
                  name = cargoToml.package.name;
                  version = cargoToml.package.version;
                  inherit src;

                  # build/test only the rosenpass crate of the workspace
                  cargoBuildOptions = x: x ++ [ "-p" "rosenpass" ];
                  cargoTestOptions = x: x ++ [ "-p" "rosenpass" ];

                  # run the crate's tests as part of the build
                  doCheck = true;

                  nativeBuildInputs = with pkgs; [
                    p.stdenv.cc
                    cmake # for oqs build in the oqs-sys crate
                    mandoc # for the built-in manual
                    makeWrapper # for the rp shellscript
                    pkg-config # let libsodium-sys-stable find libsodium
                    removeReferencesTo
                    rustPlatform.bindgenHook # for C-bindings in the crypto libs
                  ];
                  buildInputs = with p; [ bash libsodium ];

                  # As I read naersk, `override` applies to both the dependency
                  # build and the final build, `overrideMain` only to the final one.
                  override = x: {
                    preBuild =
                      # nix defaults to building for aarch64 _without_ the armv8-a crypto
                      # extensions, but liboqs depends on these
                      # (plain assignment relies on NIX_CFLAGS_COMPILE already
                      # being exported by stdenv — presumably true; verify)
                      (lib.optionalString (system == "aarch64-linux") ''
                        NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -march=armv8-a+crypto"
                      ''
                      );

                    # fortify is only compatible with dynamic linking
                    # Only the static build loses FORTIFY_SOURCE; the dynamic
                    # build keeps the default hardening flags.
                    hardeningDisable = lib.optional isStatic "fortify";
                  };

                  overrideMain = x: {
                    # CMake detects that it was served a _foreign_ target dir, and CMake
                    # would be executed again upon the second build step of naersk.
                    # By adding our specially optimized CMake version, we reduce the cost
                    # of recompilation by 99 %, while avoiding any CMake errors.
                    nativeBuildInputs = [ (lib.hiPrio fakecmake) ] ++ x.nativeBuildInputs;

                    # make sure that libc is linked, under musl this is not the case per
                    # default
                    preBuild = (lib.optionalString isStatic ''
                      NIX_CFLAGS_COMPILE="$NIX_CFLAGS_COMPILE -lc"
                    '');

                    # ship the `rp` shell script next to the binary, with its
                    # tool dependencies pinned via PATH (see rpBinPath)
                    preInstall = ''
                      install -D ${./rp} $out/bin/rp
                      wrapProgram $out/bin/rp --prefix PATH : "${ rpBinPath p }"
                    '';
                  };

                  # We want to build for a specific target...
                  CARGO_BUILD_TARGET = target;

                  # ... which might require a non-default linker:
                  "CARGO_TARGET_${shout target}_LINKER" =
                    let
                      inherit (p.stdenv) cc;
                    in
                    "${cc}/bin/${cc.targetPrefix}cc";

                  meta = with pkgs.lib;
                    {
                      inherit (cargoToml.package) description homepage;
                      license = with licenses; [ mit asl20 ];
                      maintainers = [ maintainers.wucke13 ];
                      platforms = platforms.all;
                    };
                  # NOTE(review): function application binds tighter than `//`,
                  # so this merge appears to apply to the derivation returned by
                  # buildPackage rather than to its argument set; and `lib.mkIf`
                  # is a module-system marker (it returns {_type; condition;
                  # content}) rather than `lib.optionalAttrs`. Verify that the
                  # two static-only settings below actually reach the build —
                  # wrapping the argument in parentheses and using
                  # `lib.optionalAttrs isStatic { ... }` is the usual idiom.
                } // (lib.mkIf isStatic {
                # otherwise pkg-config tries to link non-existent dynamic libs
                # documented here: https://docs.rs/pkg-config/latest/pkg_config/
                PKG_CONFIG_ALL_STATIC = true;

                # tell rust to build everything statically linked
                CARGO_BUILD_RUSTFLAGS = "-C target-feature=+crt-static";
              });

            # a function to generate a docker image based on rosenpass
            # `name` doubles as the image name and as the key looked up in
            # self.packages, so it must match a package defined below.
            # Only /bin of that package is linked into the image root.
            # NOTE(review): no `config.User` is set, so the image runs
            # /bin/rosenpass as the image's default user (root); add one here
            # if an unprivileged container user is wanted.
            rosenpassOCI = name: pkgs.dockerTools.buildImage rec {
              inherit name;
              copyToRoot = pkgs.buildEnv {
                name = "image-root";
                paths = [ self.packages.${system}.${name} ];
                pathsToLink = [ "/bin" ];
              };
              config.Cmd = [ "/bin/rosenpass" ];
            };
          in
          rec {
            packages = rec {
              default = rosenpass;
              rosenpass = rpDerivation pkgs;
              rosenpass-oci-image = rosenpassOCI "rosenpass";

              # derivation for the release
              # On Linux the static binary and its image are packaged; elsewhere
              # the dynamic ones (the static variants only exist on Linux, see
              # the merge at the end of this set).
              release-package =
                let
                  version = cargoToml.package.version;
                  package =
                    if pkgs.hostPlatform.isLinux then
                      packages.rosenpass-static
                    else packages.rosenpass;
                  oci-image =
                    if pkgs.hostPlatform.isLinux then
                      packages.rosenpass-static-oci-image
                    else packages.rosenpass-oci-image;
                in
                # `${./.}` copies the whole repository into the store just to
                # pick up `rp`; `${./rp}` as used in preInstall would be narrower.
                pkgs.runCommandNoCC "lace-result" { }
                  ''
                    mkdir {bin,$out}
                    cp ${./.}/rp bin/
                    tar -cvf $out/rosenpass-${system}-${version}.tar bin/rp \
                      -C ${package} bin/rosenpass
                    cp ${oci-image} \
                      $out/rosenpass-oci-image-${system}-${version}.tar.gz
                  '';
            } // (if pkgs.stdenv.isLinux then rec {
              rosenpass-static = rpDerivation pkgs.pkgsStatic;
              rosenpass-static-oci-image = rosenpassOCI "rosenpass-static";
            } else { });
          }
        ))

      #
      ### Linux specifics ###
      #
      (flake-utils.lib.eachSystem [ "x86_64-linux" "aarch64-linux" ] (system:
        let
          pkgs = import nixpkgs {
            inherit system;
          };
          # the merged packages of this flake (includes the ones defined in
          # this very section, resolved through `self`)
          packages = self.packages.${system};
        in
        {
          #
          ### Whitepaper ###
          #
          packages.whitepaper =
            let
              tlsetup = (pkgs.texlive.combine {
                inherit (pkgs.texlive) scheme-basic acmart amsfonts ccicons
                  csquotes csvsimple doclicense fancyvrb fontspec gobble
                  koma-script ifmtarg latexmk lm markdown mathtools minted noto
                  nunito pgf soul unicode-math lualatex-math paralist
                  gitinfo2 eso-pic biblatex biblatex-trad biblatex-software
                  xkeyval xurl xifthen biber;
              });
            in
            pkgs.stdenvNoCC.mkDerivation {
              name = "whitepaper";
              src = ./papers;
              nativeBuildInputs = with pkgs; [
                ncurses # tput
                python3Packages.pygments
                tlsetup # custom tex live scheme
                which
              ];
              # latexmk needs a writable HOME; fonts are resolved from the
              # combined texlive tree
              buildPhase = ''
                export HOME=$(mktemp -d)
                export OSFONTDIR="$(kpsewhich --var-value TEXMF)/fonts/{opentype/public/nunito,truetype/google/noto}"
                latexmk -r tex/CI.rc
              '';
              installPhase = ''
                mkdir -p $out
                mv *.pdf readme.md $out/
              '';
            };

          #
          ### Proof and Proof Tools ###
          #
          # proverif with the CryptoVerif library file installed under $out/lib
          packages.proverif-patched = pkgs.proverif.overrideAttrs (old: {
            postInstall = ''
              install -D -t $out/lib cryptoverif.pvl
            '';
          });
          packages.proof-proverif = pkgs.stdenv.mkDerivation {
            name = "rosenpass-proverif-proof";
            version = "unstable";
            # regex whitelist: only the analysis script, the marzipan
            # preprocessor and the analysis/ tree are part of the source
            src = pkgs.lib.sources.sourceByRegex ./. [
              "analyze.sh"
              "marzipan(/marzipan.awk)?"
              "analysis(/.*)?"
            ];
            nativeBuildInputs = [ pkgs.proverif pkgs.graphviz ];
            CRYPTOVERIF_LIB = packages.proverif-patched + "/lib/cryptoverif.pvl";
            # no separate buildPhase: analyze.sh both runs the proof and
            # writes the HTML report into $out
            installPhase = ''
              mkdir -p $out
              bash analyze.sh -color -html $out
            '';
          };

          #
          ### Devshells ###
          #
          devShells.default = pkgs.mkShell {
            inherit (packages.proof-proverif) CRYPTOVERIF_LIB;
            inputsFrom = [ packages.default ];
            nativeBuildInputs = with pkgs; [
              cmake # override the fakecmake from the main step above
              cargo-release
              clippy
              nodePackages.prettier
              rustfmt
              packages.proverif-patched
            ];
          };
          # coverage shell: fenix's `complete` toolchain (see the nightly
          # remark on the fenix input) plus cargo-llvm-cov
          devShells.coverage = pkgs.mkShell {
            inputsFrom = [ packages.default ];
            nativeBuildInputs = with pkgs; [ inputs.fenix.packages.${system}.complete.toolchain cargo-llvm-cov ];
          };

          # formatting checks; each one copies the whole repository (`${./.}`)
          # into the store as its input and succeeds by touching $out
          checks = {
            cargo-fmt = pkgs.runCommand "check-cargo-fmt"
              { inherit (self.devShells.${system}.default) nativeBuildInputs buildInputs; } ''
              cargo fmt --manifest-path=${./.}/Cargo.toml --check && touch $out
            '';
            nixpkgs-fmt = pkgs.runCommand "check-nixpkgs-fmt"
              { nativeBuildInputs = [ pkgs.nixpkgs-fmt ]; } ''
              nixpkgs-fmt --check ${./.} && touch $out
            '';
            prettier-check = pkgs.runCommand "check-with-prettier"
              { nativeBuildInputs = [ pkgs.nodePackages.prettier ]; } ''
              cd ${./.} && prettier --check . && touch $out
            '';
          };

          formatter = pkgs.nixpkgs-fmt;
        }))
    ];
}