diff --git a/pkgs/tools/networking/boundary/default.nix b/pkgs/tools/networking/boundary/default.nix
new file mode 100644
index 000000000000..878b1ed65c1c
--- /dev/null
+++ b/pkgs/tools/networking/boundary/default.nix
@@ -0,0 +1,52 @@
+{ stdenv, lib, fetchzip }:
+
+let
+ inherit (stdenv.hostPlatform) system;
+ suffix = {
+ x86_64-linux = "linux_amd64";
+ aarch64-linux = "linux_arm64";
+ x86_64-darwin = "darwin_amd64";
+ }."${system}" or (throw "Unsupported system: ${system}");
+ fetchsrc = version: sha256: fetchzip {
+ url = "https://releases.hashicorp.com/boundary/${version}/boundary_${version}_${suffix}.zip";
+ sha256 = sha256."${system}";
+ };
+in
+stdenv.mkDerivation rec {
+ pname = "boundary";
+ version = "0.1.4";
+
+ src = fetchsrc version {
+ x86_64-linux = "sha256-+YGXSyaGhfNk+T5P7wCqsNEYwpV/Oet7kOM8OPC1A6I=";
+ aarch64-linux = "sha256-tikxRBF2Y+urv7S1EUu2d60twZWox1pI96yYX357r8o=";
+ x86_64-darwin = "sha256-N+6iiybnWZkruhUe9TRcGaq5xES/iHzlEVGcghT4EUc=";
+ };
+
+ dontConfigure = true;
+ dontBuild = true;
+
+ installPhase = ''
+ install -D boundary $out/bin/boundary
+ '';
+
+ dontPatchELF = true;
+ dontPatchShebangs = true;
+
+ meta = with lib; {
+ homepage = "https://boundaryproject.io/";
+ changelog = "https://github.com/hashicorp/boundary/blob/v${version}/CHANGELOG.md";
+ description = "Enables identity-based access management for dynamic infrastructure";
+ longDescription = ''
+ Boundary provides a secure way to access hosts and critical systems
+ without having to manage credentials or expose your network, and is
+ entirely open source.
+
+ Boundary is designed to be straightforward to understand, highly scalable,
+ and resilient. It can run in clouds, on-prem, secure enclaves and more,
+ and does not require an agent to be installed on every end host.
+ '';
+ license = licenses.mpl20;
+ maintainers = with maintainers; [ jk ];
+ platforms = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" ];
+ };
+}
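Review bot: The derivation installs the vendor's prebuilt release binary rather than building from source, but nothing at `src` or in `meta` says so, and the three per-platform hashes only pin whatever was downloaded when they were recorded. A comment above `src` such as `# prebuilt upstream release zip; hashes are regenerated by ./update.sh` would make that explicit for anyone reviewing a later bump. The update.sh added in this commit is also not referenced from the derivation; `passthru.updateScript = ./update.sh;` would wire it to the package. `dontPatchELF = true` presumably relies on the upstream binary being statically linked, which deserves a one-line comment next to it.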
diff --git a/pkgs/tools/networking/boundary/update.sh b/pkgs/tools/networking/boundary/update.sh
new file mode 100755
index 000000000000..437339307104
--- /dev/null
+++ b/pkgs/tools/networking/boundary/update.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p curl gnused gawk nix-prefetch
+
+set -euo pipefail
+
+ROOT="$(dirname "$(readlink -f "$0")")"
+NIX_DRV="$ROOT/default.nix"
+if [ ! -f "$NIX_DRV" ]; then
+ echo "ERROR: cannot find default.nix in $ROOT"
+ exit 1
+fi
+
+fetch_arch() {
+ VER="$1"; ARCH="$2"
+ URL="https://releases.hashicorp.com/boundary/${VER}/boundary_${VER}_${ARCH}.zip"
+ nix-prefetch "{ stdenv, fetchzip }:
+stdenv.mkDerivation rec {
+ pname = \"boundary\"; version = \"${VER}\";
+ src = fetchzip { url = \"$URL\"; };
+}
+"
+}
+
+replace_sha() {
+ sed -i "s#$1 = \"sha256-.\{44\}\"#$1 = \"$2\"#" "$NIX_DRV"
+}
+
+# https://releases.hashicorp.com/boundary/0.1.4/boundary_0.1.4_linux_amd64.zip
+BOUNDARY_VER=$(curl -Ls -w "%{url_effective}" -o /dev/null https://github.com/hashicorp/boundary/releases/latest | awk -F'/' '{print $NF}' | sed 's/v//')
+
+BOUNDARY_LINUX_X64_SHA256=$(fetch_arch "$BOUNDARY_VER" "linux_amd64")
+BOUNDARY_DARWIN_X64_SHA256=$(fetch_arch "$BOUNDARY_VER" "darwin_amd64")
+BOUNDARY_LINUX_AARCH64_SHA256=$(fetch_arch "$BOUNDARY_VER" "linux_arm64")
+
+sed -i "s/version = \".*\"/version = \"$BOUNDARY_VER\"/" "$NIX_DRV"
+
+replace_sha "x86_64-linux" "$BOUNDARY_LINUX_X64_SHA256"
+replace_sha "x86_64-darwin" "$BOUNDARY_DARWIN_X64_SHA256"
+replace_sha "aarch64-linux" "$BOUNDARY_LINUX_AARCH64_SHA256"
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 76d429fc8205..ccb5e4a7d0e4 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -1033,6 +1033,8 @@ in boxes = callPackage ../tools/text/boxes { }; + boundary = callPackage ../tools/networking/boundary { }; + chamber = callPackage ../tools/admin/chamber { }; charm = callPackage ../applications/misc/charm { };
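Review bot: In update.sh, `BOUNDARY_VER` is taken from the last path segment of a redirect URL and then substituted into the download URL, the Nix expression passed to nix-prefetch, and the `sed -i` that rewrites default.nix, with no check on its shape. `sed 's/v//'` strips the first `v` anywhere in the tag rather than a leading one, and curl runs without `-f`, so an HTTP error page still yields a "version". I would anchor the strip as `sed 's/^v//'` and follow the assignment with `[[ "$BOUNDARY_VER" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "ERROR: unexpected version: $BOUNDARY_VER" >&2; exit 1; }`. Separately, `fetch_arch` records whatever the release host serves at update time; if upstream publishes a checksum file for the release, comparing the zip against it before writing the hash would tie the pinned value to the vendor rather than to the first download.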