
@maurer
Created November 23, 2015 23:38
# Nix expression that builds Sandstorm from source, with four of its
# dependencies fetched as source trees and copied into the build directory.
{ stdenv, fetchurl, fetchFromGitHub, which, clang
, libcap, linuxHeaders, libuv, imagemagick, discount, protobuf
}:

# XXX WARNING XXX
# This package includes several others by source.
#  * This should not be taken as a guideline of what to do in general packaging.
#  * This package does not benefit from build caching.
#  * This package needs versions updated separately in case of security issues.
#  * Dependency build mechanisms cannot be easily overridden.
# In the long run, someone (possibly me (maurer)) should figure out how to
# convince sandstorm/ekam to build against provided libraries.
#
# Review note on pinning: every fetch below carries a sha256, so the fetched
# content is fixed even where `rev` is a tag name that could be re-pointed
# upstream; a content mismatch makes the fetch fail instead of building
# something different. The flip side is the warning above: nothing here moves
# forward on its own when a vendored library gets a security fix.
stdenv.mkDerivation rec {
  name = "sandstorm-${version}";
  # Placeholder version; the derivation name evaluates to "sandstorm-broken".
  # NOTE(review): presumably marks the expression as not building yet - confirm.
  version = "broken";

  # --- Vendored dependency sources ---------------------------------------

  # Cap'n Proto, taken from the sandstorm-io organisation, pinned to a tag.
  capnproto = fetchFromGitHub {
    owner = "sandstorm-io";
    repo = "capnproto";
    rev = "v0.5.3";
    sha256 = "0sx6b5pdp1r5m6hlcf5qp5pdpplh8z6842imgypbnq149lbgfl82";
  };

  # Ekam build tool, pinned to a full commit id rather than a tag.
  ekam = fetchFromGitHub {
    owner = "sandstorm-io";
    repo = "ekam";
    rev = "69255a4954aedad8ff9e576f402f2ebd33b58e6d";
    sha256 = "16bjpa6p57xiw2f6nkd2pljl8lnfhl1rjm8czhkns0wxzxbzigd1";
  };

  # libseccomp and libsodium are security-relevant libraries frozen at the
  # versions below; they have to be bumped by hand (rev and sha256 together).
  libseccomp = fetchFromGitHub {
    owner = "seccomp";
    repo = "libseccomp";
    rev = "v2.2.3";
    sha256 = "0pl827qjls5b6kjj8qxxdwcn6rviqbm5xjqf0hgx6b04c836mswx";
  };

  libsodium = fetchFromGitHub {
    owner = "jedisct1";
    repo = "libsodium";
    rev = "1.0.6";
    sha256 = "1qczdr4a78hnhb6zfc6lkz7iny89aqb4bi72gwbfqxvb56sh67yk";
  };

  # Single minified JavaScript file fetched over HTTPS and checked against
  # the sha256 below.
  # NOTE(review): this attribute is not listed in `srcs` and no phase in this
  # file refers to it - confirm whether the build is expected to consume it.
  es6-promise = fetchurl {
    url = "https://es6-promises.s3.amazonaws.com/es6-promise-2.0.1.min.js";
    sha256 = "173icn99hcfi9yigv6d35vrh0w7i3yyphd68avy19v8wdj8kwhjg";
  };

  # --- Sandstorm itself ----------------------------------------------------

  sandstorm-rev = "v0.130";
  sandstorm-src = fetchFromGitHub {
    owner = "sandstorm-io";
    repo = "sandstorm";
    rev = sandstorm-rev;
    sha256 = "1x7gqa3rspldhv5dw1p6rrsnwl3r644dyjnzq2a44f32s64lrq4m";
  };

  # All source trees are unpacked side by side; sourceRoot selects the
  # Sandstorm tree as the directory the build runs in.
  # NOTE(review): the sourceRoot value presumably matches the directory name
  # the sandstorm-src fetch unpacks to - confirm.
  srcs = [ capnproto ekam libseccomp libsodium sandstorm-src ];

  buildInputs = [
    libcap
    linuxHeaders
    clang
    which
    libuv
    imagemagick
    discount
    protobuf
  ];

  sourceRoot = "sandstorm-${sandstorm-rev}-src";

  # Local patch that is not part of this file; it changes what gets built, so
  # it needs the same review as the expression itself.
  patches = [ ./dedep.patch ];

  # Copy the unpacked dependency trees into <sourceRoot>/deps and make them
  # writable by the build user (u+rw only; group/other bits are left alone).
  # The `#` lines inside the string are shell comments and part of the script.
  postUnpack = ''
    # Load deps into deps folder.
    # Use cp instead of ln to avoid permission issues
    mkdir -p ${sourceRoot}/deps
    cp -r `realpath capnproto*` ${sourceRoot}/deps/capnproto
    cp -r `realpath ekam*` ${sourceRoot}/deps/ekam
    cp -r `realpath libseccomp*` ${sourceRoot}/deps/libseccomp
    cp -r `realpath libsodium*` ${sourceRoot}/deps/libsodium
    # Files are created in here, we need to make sources writeable
    chmod -R u+rw ${sourceRoot}/deps
    mkdir -p tmp
    touch tmp/.deps
  '';

  # Rewrite two hard-coded host paths so they point at Nix-provided paths.
  # NOTE(review): confirm that ${stdenv}/bin/true exists; `true` is normally
  # shipped by coreutils, which is not among this function's arguments.
  postPatch = ''
    # We don't have traditional /usr/include
    sed -e 's#/usr/include/linux#${linuxHeaders}/include/linux#' \
    -i src/sandstorm/ip_tables.ekam-rule
    # We don't have a /bin/true
    sed -e 's#/bin/true#${stdenv}/bin/true#' \
    -i src/sandstorm/util-test.c++
  '';

  # Ekam uses "intercept.so", a trick for fake filesystems. NIX_ENFORCE_PURITY
  # prevents this, so we disable purity during building.
  #
  # Review note: with purity enforcement off, the compiler and linker wrappers
  # no longer refuse paths outside the Nix store, so this build relies on the
  # build sandbox (if enabled) to keep host headers and libraries out.
  buildPhase = ''
    NIX_ENFORCE_PURITY=0 make
  '';
}