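{ config, lib, pkgs, utils, ... }:

let
  cfg = config.services.globalprotect;

  # Build ExecStart= as an argument list and let the systemd escaper quote each
  # element.  systemd splits ExecStart= on unquoted whitespace, so interpolating
  # cfg.csdWrapper straight into the string would break the command line for a
  # path that contains spaces or quote characters.  lib.escapeShellArg is not a
  # substitute here: systemd's quoting rules differ from the shell's.
  execStart = utils.escapeSystemdExecArgs (
    [ "${pkgs.globalprotect-openconnect}/bin/gpservice" ]
    ++ lib.optional (cfg.csdWrapper != null) "--csd-wrapper=${cfg.csdWrapper}"
  );
in

{
  options.services.globalprotect = {
    enable = lib.mkEnableOption (lib.mdDoc "globalprotect");

    # Two-level attrset: section name -> key -> value, as expected by
    # lib.generators.toINI below.
    settings = lib.mkOption {
      description = lib.mdDoc ''
        GlobalProtect-openconnect configuration. For more information, visit
        <https://github.com/yuezk/GlobalProtect-openconnect/wiki/Configuration>.

        The value is rendered as INI into {file}`/etc/gpservice/gp.conf`.
        That file lives in the Nix store and is linked from {file}`/etc`, so
        it is world-readable; keep credentials out of it.
      '';
      default = { };
      example = {
        "vpn1.company.com" = {
          openconnect-args = "--script=/path/to/vpnc-script";
        };
      };
      type = lib.types.attrs;
    };

    csdWrapper = lib.mkOption {
      description = lib.mdDoc ''
        A script that will produce a Host Integrity Protection (HIP) report,
        as described at <https://www.infradead.org/openconnect/hip.html>.

        The script is executed by the {command}`gpservice` unit, which sets
        no `User=` and therefore runs as root; it must be trusted accordingly.
      '';
      default = null;
      example = lib.literalExpression ''"''${pkgs.openconnect}/libexec/openconnect/hipreport.sh"'';
      type = lib.types.nullOr lib.types.path;
    };
  };

  config = lib.mkIf cfg.enable {
    # Register the package's D-Bus configuration with the system bus so the
    # BusName below can be claimed.
    services.dbus.packages = [ pkgs.globalprotect-openconnect ];

    environment.etc."gpservice/gp.conf".text = lib.generators.toINI { } cfg.settings;

    systemd.services.gpservice = {
      description = "GlobalProtect openconnect DBus service";
      serviceConfig = {
        # Type=dbus: the unit is considered started once BusName is acquired.
        Type = "dbus";
        BusName = "com.yuezk.qt.GPService";
        ExecStart = execStart;
      };
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
    };
  };
}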