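# NixOS module for the GlobalProtect-openconnect service (`gpservice`).
#
# Declares `services.globalprotect.*` and, when enabled, registers the
# package's D-Bus files, writes /etc/gpservice/gp.conf and defines the
# `gpservice` systemd unit.
{
  config,
  lib,
  pkgs,
  utils,
  ...
}:
let
  cfg = config.services.globalprotect;

  # Command line for the unit, built as an argument list and escaped with
  # systemd's quoting rules rather than spliced into one string. A
  # `csdWrapper` path containing whitespace, `%` or `$` therefore reaches
  # gpservice as a single literal argument instead of being split or
  # expanded by systemd.
  execStart = utils.escapeSystemdExecArgs (
    [ "${pkgs.globalprotect-openconnect}/bin/gpservice" ]
    ++ lib.optional (cfg.csdWrapper != null) "--csd-wrapper=${cfg.csdWrapper}"
  );
in

{
  options.services.globalprotect = {
    enable = lib.mkEnableOption "globalprotect";

    # Rendered verbatim to /etc/gpservice/gp.conf (see `config` below).
    # Files created through `environment.etc.<name>.text` live in the
    # world-readable Nix store, so credentials or other secrets must not be
    # placed in these settings. `types.attrs` only checks that the value is
    # an attribute set; section and key names are not validated here.
    settings = lib.mkOption {
      description = ''
        GlobalProtect-openconnect configuration. For more information, visit
        <https://github.com/yuezk/GlobalProtect-openconnect/wiki/Configuration>.
      '';
      default = { };
      example = {
        "vpn1.company.com" = {
          openconnect-args = "--script=/path/to/vpnc-script";
        };
      };
      type = lib.types.attrs;
    };

    # `types.path` accepts Nix store paths as well as absolute path strings
    # pointing anywhere on the filesystem.
    # NOTE(review): the unit below sets no `User=`, so gpservice runs as root
    # by default; presumably the wrapper is invoked with the same privileges.
    # Prefer a store path or a file only root can modify - confirm against
    # how gpservice executes the wrapper.
    csdWrapper = lib.mkOption {
      description = ''
        A script that will produce a Host Integrity Protection (HIP) report,
        as described at <https://www.infradead.org/openconnect/hip.html>
      '';
      default = null;
      example = lib.literalExpression ''"''${pkgs.openconnect}/libexec/openconnect/hipreport.sh"'';
      type = lib.types.nullOr lib.types.path;
    };
  };

  config = lib.mkIf cfg.enable {
    # Makes the D-Bus files shipped by the package visible to the system bus.
    services.dbus.packages = [ pkgs.globalprotect-openconnect ];

    # INI rendering of `settings`; each top-level attribute becomes a section.
    environment.etc."gpservice/gp.conf".text = lib.generators.toINI { } cfg.settings;

    # System service that owns the `com.yuezk.qt.GPService` bus name.
    # NOTE(review): no sandboxing or capability restrictions are set in
    # `serviceConfig`; which hardening options the daemon tolerates would
    # need to be tested before adding any.
    systemd.services.gpservice = {
      description = "GlobalProtect openconnect DBus service";
      serviceConfig = {
        Type = "dbus";
        BusName = "com.yuezk.qt.GPService";
        ExecStart = execStart;
      };
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
    };
  };
}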