pomerium: 0.14.7 -> 0.15.7

pkgs/development/tools/build-managers/gn/default.nix

@@ -1,64 +1,10 @@
-{ stdenv, lib, fetchgit, darwin, writeText
-, ninja, python3
-}:
+{ callPackage, ... } @ args:
 
-let
+callPackage ./generic.nix args {
   # Note: Please use the recommended version for Chromium, e.g.:
   # https://git.archlinux.org/svntogit/packages.git/tree/trunk/chromium-gn-version.sh?h=packages/gn
   rev = "fd3d768bcfd44a8d9639fe278581bd9851d0ce3a";
   revNum = "1718"; # git describe HEAD --match initial-commit | cut -d- -f3
   version = "2020-03-09";
   sha256 = "1asc14y8by7qcn10vbk467hvx93s30pif8r0brissl0sihsaqazr";
-
-  revShort = builtins.substring 0 7 rev;
-  lastCommitPosition = writeText "last_commit_position.h" ''
-    #ifndef OUT_LAST_COMMIT_POSITION_H_
-    #define OUT_LAST_COMMIT_POSITION_H_
-
-    #define LAST_COMMIT_POSITION_NUM ${revNum}
-    #define LAST_COMMIT_POSITION "${revNum} (${revShort})"
-
-    #endif  // OUT_LAST_COMMIT_POSITION_H_
-  '';
-
-in stdenv.mkDerivation {
-  pname = "gn-unstable";
-  inherit version;
-
-  src = fetchgit {
-    # Note: The TAR-Archives (+archive/${rev}.tar.gz) are not deterministic!
-    url = "https://gn.googlesource.com/gn";
-    inherit rev sha256;
-  };
-
-  nativeBuildInputs = [ ninja python3 ];
-  buildInputs = lib.optionals stdenv.isDarwin (with darwin; with apple_sdk.frameworks; [
-    libobjc
-    cctools
-
-    # frameworks
-    ApplicationServices
-    Foundation
-    AppKit
-  ]);
-
-  buildPhase = ''
-    python build/gen.py --no-last-commit-position
-    ln -s ${lastCommitPosition} out/last_commit_position.h
-    ninja -j $NIX_BUILD_CORES -C out gn
-  '';
-
-  installPhase = ''
-    install -vD out/gn "$out/bin/gn"
-  '';
-
-  setupHook = ./setup-hook.sh;
-
-  meta = with lib; {
-    description = "A meta-build system that generates build files for Ninja";
-    homepage = "https://gn.googlesource.com/gn";
-    license = licenses.bsd3;
-    platforms = platforms.unix;
-    maintainers = with maintainers; [ stesie matthewbauer primeos ];
-  };
 }

pkgs/development/tools/build-managers/gn/generic.nix

@@ -0,0 +1,60 @@
+{ stdenv, lib, fetchgit, darwin, writeText
+, ninja, python3
+, ...
+}:
+
+{ rev, revNum, version, sha256 }:
+
+let
+  revShort = builtins.substring 0 7 rev;
+  lastCommitPosition = writeText "last_commit_position.h" ''
+    #ifndef OUT_LAST_COMMIT_POSITION_H_
+    #define OUT_LAST_COMMIT_POSITION_H_
+
+    #define LAST_COMMIT_POSITION_NUM ${revNum}
+    #define LAST_COMMIT_POSITION "${revNum} (${revShort})"
+
+    #endif  // OUT_LAST_COMMIT_POSITION_H_
+  '';
+
+in stdenv.mkDerivation {
+  pname = "gn-unstable";
+  inherit version;
+
+  src = fetchgit {
+    # Note: The TAR-Archives (+archive/${rev}.tar.gz) are not deterministic!
+    url = "https://gn.googlesource.com/gn";
+    inherit rev sha256;
+  };
+
+  nativeBuildInputs = [ ninja python3 ];
+  buildInputs = lib.optionals stdenv.isDarwin (with darwin; with apple_sdk.frameworks; [
+    libobjc
+    cctools
+
+    # frameworks
+    ApplicationServices
+    Foundation
+    AppKit
+  ]);
+
+  buildPhase = ''
+    python build/gen.py --no-last-commit-position
+    ln -s ${lastCommitPosition} out/last_commit_position.h
+    ninja -j $NIX_BUILD_CORES -C out gn
+  '';
+
+  installPhase = ''
+    install -vD out/gn "$out/bin/gn"
+  '';
+
+  setupHook = ./setup-hook.sh;
+
+  meta = with lib; {
+    description = "A meta-build system that generates build files for Ninja";
+    homepage = "https://gn.googlesource.com/gn";
+    license = licenses.bsd3;
+    platforms = platforms.unix;
+    maintainers = with maintainers; [ stesie matthewbauer primeos ];
+  };
+}

pkgs/development/tools/build-managers/gn/rev1924.nix

@@ -0,0 +1,8 @@
+{ callPackage, ... } @ args:
+
+callPackage ./generic.nix args {
+  rev = "24e2f7df92641de0351a96096fb2c490b2436bb8";
+  revNum = "1924"; # git describe HEAD --match initial-commit | cut -d- -f3
+  version = "2021-08-08";
+  sha256 = "1lwkyhfhw0zd7daqz466n7x5cddf0danr799h4jg3s0yvd4galjl";
+}

pkgs/servers/http/envoy/default.nix

@@ -17,8 +17,8 @@ let
     # However, the version string is more useful for end-users.
     # These are contained in a attrset of their own to make it obvious that
     # people should update both.
-    version = "1.17.3";
-    commit = "46bf743b97d0d3f01ff437b2f10cc0bd9cdfe6e4";
+    version = "1.19.1";
+    commit = "a2a1e3eed4214a38608ec223859fcfa8fb679b14";
   };
 in
 buildBazelPackage rec {
@@ -28,7 +28,7 @@ buildBazelPackage rec {
     owner = "envoyproxy";
     repo = "envoy";
     rev = srcVer.commit;
-    hash = "sha256:09zzr4h3zjsb2rkxrvlazpx0jy33yn9j65ilxiqbvv0ckaralqfc";
+    hash = "sha256:1v1hv4blrppnhllsxd9d3k2wl6nhd59r4ydljy389na3bb41jwf9";
 
     extraPostFetch = ''
       chmod -R +w $out
@@ -58,7 +58,7 @@ buildBazelPackage rec {
   ];
 
   fetchAttrs = {
-    sha256 = "sha256:1cy2b73x8jzczq9z9c1kl7zrg5iasvsakb50zxn4mswpmajkbj5h";
+    sha256 = "sha256:0vnl0gq6nhvyzz39jg1bvvna0xyhxalg71bp1jbxib7ql026004r";
     dontUseCmakeConfigure = true;
     dontUseGnConfigure = true;
     preInstall = ''
@@ -75,12 +75,6 @@ buildBazelPackage rec {
         $bazelOut/external/local_config_sh/BUILD
       rm -r $bazelOut/external/go_sdk
 
-      # Replace some wheels which are only used for tests with empty files;
-      # they're nondeterministically built and packed.
-      >$bazelOut/external/config_validation_pip3/PyYAML-5.3.1-cp38-cp38-linux_x86_64.whl
-      >$bazelOut/external/protodoc_pip3/PyYAML-5.3.1-cp38-cp38-linux_x86_64.whl
-      >$bazelOut/external/thrift_pip3/thrift-0.13.0-cp38-cp38-linux_x86_64.whl
-
       # Remove Unix timestamps from go cache.
       rm -rf $bazelOut/external/bazel_gazelle_go_repository_cache/{gocache,pkg/mod/cache,pkg/sumdb}
     '';

pkgs/servers/http/pomerium/default.nix

@@ -7,19 +7,19 @@
 }:
 
 let
-  inherit (lib) concatStringsSep mapAttrsToList;
+  inherit (lib) concatStringsSep concatMap id mapAttrsToList;
 in
 buildGoModule rec {
   pname = "pomerium";
-  version = "0.14.7";
+  version = "0.15.7";
   src = fetchFromGitHub {
     owner = "pomerium";
     repo = "pomerium";
     rev = "v${version}";
-    hash = "sha256:1jb96jk5qmary4fi1z9zwmppdyskj0qb6qii8s8mwazjjxqj1z2s";
+    hash = "sha256:0adlk4ylny1z43x1dw3ny0s1932vhb61hpf5wdz4r65y8k9qyfgr";
   };
 
-  vendorSha256 = "sha256:1daabi9qc9nx8bafn26iw6rv4vx2xpd0nnk06265aqaksx26db0s";
+  vendorSha256 = "sha256:1fszfbra84pcs8v1h2kf7iy603vf9v2ysg6il76aqmqrxmb1p7nv";
   subPackages = [
     "cmd/pomerium"
     "cmd/pomerium-cli"
@@ -28,38 +28,49 @@ buildGoModule rec {
   ldflags = let
     # Set a variety of useful meta variables for stamping the build with.
     setVars = {
-      Version = "v${version}";
-      BuildMeta = "nixpkgs";
-      ProjectName = "pomerium";
-      ProjectURL = "github.com/pomerium/pomerium";
+      "github.com/pomerium/pomerium/internal/version" = {
+        Version = "v${version}";
+        BuildMeta = "nixpkgs";
+        ProjectName = "pomerium";
+        ProjectURL = "github.com/pomerium/pomerium";
+      };
+      "github.com/pomerium/pomerium/internal/envoy" = {
+        OverrideEnvoyPath = "${envoy}/bin/envoy";
+      };
     };
-    varFlags = concatStringsSep " " (mapAttrsToList (name: value: "-X github.com/pomerium/pomerium/internal/version.${name}=${value}") setVars);
+    concatStringsSpace = list: concatStringsSep " " list;
+    mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
+    varFlags = concatStringsSpace (
+      mapAttrsToFlatList (package: packageVars:
+        mapAttrsToList (variable: value:
+          "-X ${package}.${variable}=${value}"
+        ) packageVars
+      ) setVars);
   in [
     "${varFlags}"
   ];
 
-  nativeBuildInputs = [
-    zip
-  ];
+  preBuild = ''
+    # Replace embedded envoy with nothing.
+    # We set OverrideEnvoyPath above, so rawBinary should never get looked at
+    # but we still need to set a checksum/version.
+    rm internal/envoy/files/files_{darwin,linux}*.go
+    cat <<EOF >internal/envoy/files/files_generic.go
+    package files
 
-  # Pomerium expects to have envoy append to it in a zip.
-  # We use a store-only (-0) zip, so that the Nix scanner can find any store references we had in the envoy binary.
-  postBuild = ''
-    # Append Envoy
-    pushd $NIX_BUILD_TOP
-    mkdir -p envoy
-    cd envoy
-    cp ${envoy}/bin/envoy envoy
-    zip -0 envoy.zip envoy
-    popd
+    import _ "embed" // embed
 
-    mv $GOPATH/bin/pomerium $GOPATH/bin/pomerium.old
-    cat $GOPATH/bin/pomerium.old $NIX_BUILD_TOP/envoy/envoy.zip >$GOPATH/bin/pomerium
-    zip --adjust-sfx $GOPATH/bin/pomerium
-  '';
+    var rawBinary []byte
 
-  # We also need to set dontStrip to avoid having the envoy ZIP stripped off the end.
-  dontStrip = true;
+    //go:embed envoy.sha256
+    var rawChecksum string
+
+    //go:embed envoy.version
+    var rawVersion string
+    EOF
+    sha256sum '${envoy}/bin/envoy' > internal/envoy/files/envoy.sha256
+    echo '${envoy.version}' > internal/envoy/files/envoy.version
+  '';
 
   installPhase = ''
     install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium

pkgs/top-level/all-packages.nix

@@ -14956,6 +14956,7 @@ with pkgs;
   nimbo = with python3Packages; callPackage ../applications/misc/nimbo { };
 
   gn = callPackage ../development/tools/build-managers/gn { };
+  gn1924 = callPackage ../development/tools/build-managers/gn/rev1924.nix { };
 
   nixbang = callPackage ../development/tools/misc/nixbang {
     pythonPackages = python3Packages;
@@ -20738,6 +20739,7 @@ with pkgs;
   envoy = callPackage ../servers/http/envoy {
     go = go_1_15;
     jdk = openjdk11;
+    gn = gn1924;
   };
 
   etcd = callPackage ../servers/etcd { };