authorLuke Granger-Brown <git@lukegb.com>2021-05-01 18:03:56 +0000
committerLuke Granger-Brown <git@lukegb.com>2021-05-01 18:04:41 +0000
commitf667c13b66ec4492fe12d8bf5c3b736ea17c72c5 (patch)
tree21c5e5de93f010615b4eab453b7b63e700af2d07 /pkgs/tools/security/clevis
parent48152d32cc5f46b6f6c61a2b60e8488bcffeeacd (diff)
clevis: fix TPM2 encrypt/decrypt
This also fixes using the "clevis" entrypoint binary without making sure
that all the other tooling is in the PATH.
Diffstat (limited to 'pkgs/tools/security/clevis')
-rw-r--r--pkgs/tools/security/clevis/default.nix20
1 files changed, 17 insertions, 3 deletions
diff --git a/pkgs/tools/security/clevis/default.nix b/pkgs/tools/security/clevis/default.nix
index e5415f6d09b..753fd8a6395 100644
--- a/pkgs/tools/security/clevis/default.nix
+++ b/pkgs/tools/security/clevis/default.nix
@@ -1,5 +1,6 @@
 { lib, stdenv, fetchFromGitHub, meson, ninja, pkg-config, asciidoc
-, jansson, jose, cryptsetup, curl, libpwquality, luksmeta
+, makeWrapper, jansson, jose, cryptsetup, curl, libpwquality, luksmeta
+, coreutils, tpm2-tools
 }:
 
 stdenv.mkDerivation rec {
@@ -13,8 +14,21 @@ stdenv.mkDerivation rec {
     sha256 = "sha256-m1UhyjD5ydSgCTBu6sECLlxFx0rnQxFnBA7frbdUqU8=";
   };
 
-  nativeBuildInputs = [ meson ninja pkg-config asciidoc ];
-  buildInputs = [ jansson jose cryptsetup curl libpwquality luksmeta ];
+  postPatch = ''
+    for f in $(find src/ -type f); do
+      grep -q "/bin/cat" "$f" && substituteInPlace "$f" \
+        --replace '/bin/cat' '${coreutils}/bin/cat' || true
+    done
+  '';
+
+  postInstall = ''
+    # We wrap the main clevis binary entrypoint but not the sub-binaries.
+    wrapProgram $out/bin/clevis \
+      --prefix PATH ':' "${tpm2-tools}/bin:${jose}/bin:${placeholder "out"}/bin"
+  '';
+
+  nativeBuildInputs = [ meson ninja pkg-config asciidoc makeWrapper ];
+  buildInputs = [ jansson jose cryptsetup curl libpwquality luksmeta tpm2-tools ];
 
   outputs = [ "out" "man" ];
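Review bot: The wrapper added in `postInstall` covers only `$out/bin/clevis`, so the sub-binaries installed next to it (left unwrapped, as the in-code comment says) still resolve `jose` and the tpm2-tools programs from the caller's PATH whenever they are run directly rather than through the entrypoint. For a tool that handles disk-encryption key material it is safer not to depend on the ambient PATH. Consider wrapping every installed entrypoint, e.g. `for f in $out/bin/clevis*; do wrapProgram "$f" --prefix PATH ':' "<same path list>"; done`, or substituting absolute store paths as `postPatch` already does for `/bin/cat`. The prefix also lists only tpm2-tools, jose and `$out`, so if the scripts call cryptsetup, luksmeta or curl at runtime (their presence in `buildInputs` suggests they may), those are still taken from the environment. Separately, the `|| true` in `postPatch` also swallows a failing `substituteInPlace`, which would leave `/bin/cat` unpatched without a build error; `if grep -q "/bin/cat" "$f"; then substituteInPlace ...; fi` keeps the skip while letting real failures surface. The `mkDerivation` body continues outside this hunk.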