Is there a way to install a macos pkg from an url?

I need to install teleport client v16. The current teleport package is marked as broken in nixpkgs due to some rust dependency issue with web assembly that I’d love to fix but fail to understand.

I know the CLI tool I need is available at https://cdn.teleport.dev/teleport-16.1.0.pkg and I want to know if it is possible to install this from a Nix config directly. Sadly, because the pkg keyword is used heavily in Nix configs, I can’t find any reference on how to do this by googling; everything points back to nixpkgs only.

Just from a quick look it seems to only contain 5 static binaries.
So you could download/unpack it just to check if it runs at all on macOS:

curl -O https://cdn.teleport.dev/teleport-16.1.0.pkg   # fetch the flat pkg
xar -xf ./teleport-16.1.0.pkg                          # a .pkg is a xar archive; this leaves Payload, Bom, PackageInfo in cwd
zcat ./Payload | cpio -i                               # Payload is a gzip'd cpio archive of the files to install

If it does work, you can do the same in a .nix package (fetchurl, unpackPhase, copy binaries into place in installPhase).
There seem to be a few examples in nixpkgs:

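The derivation sketched in the answer above (fetchurl, unpack with xar + cpio, copy the binary in installPhase), written out as an added example. This is not code from the thread or from the nixpkgs teleport package; it targets the separate tsh-16.1.0.pkg mentioned further down, which unpacks to tsh.app. The attribute name tsh-bin, the Scripts check and the licence value are my assumptions, and the hash is a placeholder to be replaced after the first build reports the real one.

```nix
# Added example, not from the thread: repackage the vendor tsh .pkg for Nix on macOS.
# Assumptions: the pkg is a flat component package with Payload at its root (as the
# posts above show), and tsh-bin / the licence value are placeholders of mine.
{ lib, stdenv, fetchurl, xar, cpio }:

stdenv.mkDerivation (finalAttrs: {
  pname = "tsh-bin";
  version = "16.1.0";

  src = fetchurl {
    url = "https://cdn.teleport.dev/tsh-${finalAttrs.version}.pkg";
    # Placeholder: build once, then paste the "got:" hash from the error here.
    hash = lib.fakeHash;
  };

  nativeBuildInputs = [ xar cpio ];

  # A .pkg is a xar archive; the Payload member is a gzip'd cpio archive.
  unpackPhase = ''
    runHook preUnpack
    xar -xf "$src"
    # The installer would run pre/post scripts from a Scripts member; this
    # derivation never does, so refuse rather than silently install less.
    if [ -e Scripts ]; then
      echo "refusing: package carries installer scripts, inspect them first" >&2
      exit 1
    fi
    zcat Payload | cpio -id
    runHook postUnpack
  '';

  installPhase = ''
    runHook preInstall
    # The payload is a tsh.app bundle; only the CLI inside it is wanted.
    install -Dm755 tsh.app/Contents/MacOS/tsh "$out/bin/tsh"
    runHook postInstall
  '';

  # The binary is vendor-signed Mach-O. Stripping or patching it invalidates the
  # signature, and macOS kills a binary with a broken signature at launch.
  dontStrip = true;
  dontFixup = true;

  meta = with lib; {
    description = "Teleport tsh client, repackaged from the vendor .pkg";
    homepage = "https://goteleport.com";
    # Assumption: check the terms that apply to the vendor-built binary.
    license = licenses.unfree;
    sourceProvenance = with sourceTypes; [ binaryNativeCode ];
    platforms = platforms.darwin;
    mainProgram = "tsh";
  };
})
```

Save this as e.g. tsh-bin.nix and reference it with `(pkgs.callPackage ./tsh-bin.nix { })` from environment.systemPackages or home.packages. Before trusting the hash you pin, check that the file you downloaded is the vendor's: `pkgutil --check-signature tsh-16.1.0.pkg` prints the signing chain of the pkg itself, and after the build `codesign -v "$(which tsh)"` confirms the copied binary's signature is still intact. If a future version adds a Scripts member, the unpackPhase deliberately fails so you can read those scripts (Suspicious Package, mentioned later in this thread, shows them) and decide what to replicate.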

Thank you for your support. I tried something similar, but since I’m only interested in the cli which is also available as separate macos .pkg I did this first to test

xar -xf ./tsh-16.1.0.pkg
zcat ./Payload | cpio -i   # yielded a tsh.app folder
./tsh.app/Contents/MacOS/tsh version

So I’m gonna add that in my config now following the examples you pointed out.

It’s weird that teleport is broken for you at all on a Mac. Is it an Intel or Apple Silicon Mac? I have no trouble using teleport on my M1 Mac.

It is my personal opinion to use the right tool for the right job. Nix doesn’t need to do all software management on macOS / WSL2. I am replacing Homebrew with Nix, tweaking some macOS settings with nix-darwin and using Home Manager to build out the user’s default configuration out of the box. It’s mostly devs who are running Nix, because I am managing their dev environments, from their default latest and greatest to their old environments for old projects that won’t build using the newer tools. Nix excels at solving this problem. I’ve got things working so well that a dev merely clones a project repo and changes directories to the project directory. It auto-executes the flake.nix and installs everything needed to build the project. When the dev exits the project directory it unloads the environment. This allows multiple incompatible tools to load and run independently without conflicts.

There are some open source macOS apps in nixpkgs. I found iTerm2 for example. Looking at the source, they are advising that you disable automatic updates in iTerm2 and that some things might not work in Nix. Apple packages are signed with developer signatures and may also have been whitelisted against malware with another type of signature. It is smoother to just install native macOS apps using native macOS tooling such as MDM (Mobile Device Management), or manually by hand if you must.

Teleport is a commercial native macOS app (cross-platform). While you can use Nix to accomplish the goal of installing this macOS pkg, you may be better off managing native Mac software with an MDM (Mobile Device Manager), assuming you have a fleet of Macs to support. JAMF Pro (SaaS / on-prem) is quite good and there’s a low cost solution known as JAMF Now for small organizations. There is also Apple Business Essentials, which has some form of a simple MDM integrated. The Apple packages also produce installation receipts logging what they installed, etc. I use this for Nix packages, nvd. If it’s just you and maybe a few others, well then it might be worth it to look at some of the open source MDM solutions, one of which is MicroMDM. But the commercial MDMs have better documentation, more features, and support when things go wrong.

The commands below show how it is done without an MDM. You could certainly script this and execute with Nix or you could script it in bash and be perfectly fine.

cd ~/Downloads
curl -O https://cdn.teleport.dev/Teleport%20Connect-16.1.1.dmg            # download the disk image
hdiutil attach ~/Downloads/Teleport\ Connect-16.1.1.dmg                    # mount it under /Volumes
installer -pkg /Volumes/Teleport\ Connect-16.1.1/teleport-connect.pkg -target /   # run the pkg with the system installer (root required)
hdiutil detach /Volumes/Teleport\ Connect-16.1.1                           # unmount the image
rm ~/Downloads/Teleport\ Connect-16.1.1.dmg                                # clean up the download

Watch out for DMGs (disk images) that include a pkg file. I’ve run into installations that have hidden dotfiles and directories inside the disk image that you can’t see by default: things like a license file or a config file with defaults already configured, or some bash scripts the pkg may reference. The pkg may break if it can’t find these files because you removed the pkg from the DMG and deployed the package. Normally those things should be bundled in the pkg, but someone added them after the fact for one reason or another and then decided to hide them from users in the DMG.

There’s a free utility called Suspicious Package which can open a macOS pkg file and show all the files, paths, and scripts that will run when the pkg is run by the installer. It’s great for auditing an installer to ensure there aren’t any suspicious payloads. It’s useful to reverse engineer an installer you are intending to tear apart and redo. Suspicious Package: see their other tools too, also very useful.

Which version of teleport are you running? I need to run tsh v16 (just the cli is enough) and I have an Apple Silicon Mac. As I showed here, it is marked as broken for versions > 15.

I also tried allowing broken packages but that failed as well.

Thank you very much for your thorough answer. I am just trying to set up my own work MacBook environment with Nix. Among several other CLIs, now I have to use tsh as well.

I did try what @ghpzin suggested, but indeed raw copy-pasting to /user/local/bin is not enough, due to developer signatures I guess… The CLI can’t be run from there because it gets immediately killed. I tried some first-result suggestions from googling but nothing worked.

Funny enough running it from other paths works, I guess I can try using a softlink or finish writing the derivation. Haven’t had time to finish investigating the issue.

I will take a look at your way of doing it with hdiutil or the Suspicious Package tool you mentioned.

You’re right, it does seem broken on unstable due to [staging-next] rustc: disable wasm32 if some gcc options are set by alyssais · Pull Request #318447 · NixOS/nixpkgs · GitHub 🙁 I’m afraid I don’t know enough about wasm to fix this.

As I showed here, it is marked as broken for versions > 15.

While it is marked as broken for versions 15 and up if the machine’s CPU architecture has certain attributes (which to my knowledge, Mac hardware does not), I can confirm that the 24.05 version (Teleport v15) still builds fine, as the broken thing was not backported.

Ideally, the Teleport derivation would provide a way to only build tsh (which doesn’t use any WASM as far as I know), but we don’t have that at the moment. If you are willing to .overrideAttrs some stuff on the derivation, you should be able to achieve that.

Are you sure that’s why it’s broken? Revert "rustc: disable wasm32 if some gcc options are set" · NixOS/nixpkgs@b00f262 · GitHub didn’t fix it?

I think I see what’s happened, the removal of these conditions in clang: don't set machine flags for overridden target by alyssais · Pull Request #317273 · NixOS/nixpkgs · GitHub was accidentally overridden by teleport: resolve broken for non-wasm builds by techknowlogick · Pull Request #320371 · NixOS/nixpkgs · GitHub .

I’ll try to raise a PR to actually remove these from teleport for good.

Some people still use Homebrew for Casks, which are native Mac apps. iTerm2 is one. But this app is obscure enough to not be packaged outside the DMG/pkg the vendor provides.

Suspicious Package only opens a pkg file so you can see exactly what it will install, where it will install and any pre/post scripts to run before or after the package. It doesn’t install the pkg.

👋 Hey, I’m one of the packagers of teleport. I’m not entirely sure of the reasons with rust/wasm that it was marked as broken for Darwin, but I changed it so that versions without wasm (14 and less) were marked as OK for Darwin. FWIW I’ve been using tsh 14 to connect to a teleport 16 server, so that might be an option for you.

Edit: this is a good time for me to go check to see if the recent wasm changes resolve the reason why teleport was originally marked as broken.

I tried that already and unfortunately v14 stopped working with the latest upgrade to server v16. It also happened to several coworkers.

I have some good news: the rust/wasm stuff was resolved, so I’ve been able to remove the broken flag with the following PR, teleport: darwin unbroken by techknowlogick · Pull Request #331557 · NixOS/nixpkgs · GitHub. Hopefully it’ll get some eyes on it and be merged soon 🙂
