commit 376eabdac3c88b6993484bd344b28f966d35dbd4 · pyrox.dev/nixpkgs

+13

nixos/doc/manual/release-notes/rl-2105.xml

···

       100
       100
        
             Now nginx uses the zlib-ng library by default.

     

       101
       101
        
           </para>

     

       102
       102
        
          </listitem>

     

       103
       103
       +
          <listitem>

     

       104
       104
       +
           <para>

     

       105
       105
       +
            <link xlink:href="https://libreswan.org/">Libreswan</link> has been updated

     

       106
       106
       +
            to version 4.4. The package now includes example configurations and manual

     

       107
       107
       +
            pages by default. The NixOS module has been changed to use the upstream

     

       108
       108
       +
            systemd units and write the configuration in the <literal>/etc/ipsec.d/

     

       109
       109
       +
            </literal> directory. In addition, two new options have been added to

     

       110
       110
       +
            specify connection policies

     

       111
       111
       +
            (<xref linkend="opt-services.libreswan.policies"/>)

     

       112
       112
       +
            and disable send/receive redirects

     

       113
       113
       +
            (<xref linkend="opt-services.libreswan.disableRedirects"/>).

     

       114
       114
       +
           </para>

     

       115
       115
       +
          </listitem>

     

       103
       116
        
         </itemizedlist>

     

       104
       117
        
        </section>

     

       105
       118

+86 -55

nixos/modules/services/networking/libreswan.nix

···

       9
       9
        
         libexec = "${pkgs.libreswan}/libexec/ipsec";

     

       10
       10
        
         ipsec = "${pkgs.libreswan}/sbin/ipsec";

     

       11
       11
        
       

     

       12
       12
       -
         trim = chars: str: let

     

       13
       13
       -
             nonchars = filter (x : !(elem x.value chars))

     

       14
       14
       -
                         (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str));

     

       15
       15
       -
           in

     

       16
       16
       -
             if length nonchars == 0 then ""

     

       17
       17
       -
             else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str;

     

       12
       12
       +
         trim = chars: str:

     

       13
       13
       +
         let

     

       14
       14
       +
           nonchars = filter (x : !(elem x.value chars))

     

       15
       15
       +
                      (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str));

     

       16
       16
       +
         in

     

       17
       17
       +
           if length nonchars == 0 then ""

     

       18
       18
       +
           else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str;

     

       18
       19
        
         indent = str: concatStrings (concatMap (s: ["  " (trim [" " "\t"] s) "\n"]) (splitString "\n" str));

     

       19
       20
        
         configText = indent (toString cfg.configSetup);

     

       20
       21
        
         connectionText = concatStrings (mapAttrsToList (n: v:

     

       21
       22
        
           ''

     

       22
       23
        
             conn ${n}

     

       23
       24
        
             ${indent v}

     

       25
       25
       +
           '') cfg.connections);

     

       24
       26
        
       

     

       25
       25
       -
           '') cfg.connections);

     

       26
       26
       -
         configFile = pkgs.writeText "ipsec.conf"

     

       27
       27
       +
         configFile = pkgs.writeText "ipsec-nixos.conf"

     

       27
       28
        
           ''

     

       28
       29
        
             config setup

     

       29
       30
        
             ${configText}

     
···

       31
       32
        
             ${connectionText}

     

       32
       33
        
           '';

     

       33
       34
        
       

     

       35
       35
       +
         policyFiles = mapAttrs' (name: text:

     

       36
       36
       +
           { name = "ipsec.d/policies/${name}";

     

       37
       37
       +
             value.source = pkgs.writeText "ipsec-policy-${name}" text;

     

       38
       38
       +
           }) cfg.policies;

     

       39
       39
       +
       

     

       34
       40
        
       in

     

       35
       41
        
       

     

       36
       42
        
       {

     
···

       41
       47
        
       

     

       42
       48
        
           services.libreswan = {

     

       43
       49
        
       

     

       44
       44
       -
             enable = mkEnableOption "libreswan ipsec service";

     

       50
       50
       +
             enable = mkEnableOption "Libreswan IPsec service";

     

       45
       51
        
       

     

       46
       52
        
             configSetup = mkOption {

     

       47
       53
        
               type = types.lines;

     

       48
       54
        
               default = ''

     

       49
       55
        
                   protostack=netkey

     

       50
       50
       -
                   nat_traversal=yes

     

       51
       56
        
                   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

     

       52
       57
        
               '';

     

       53
       58
        
               example = ''

     

       54
       59
        
                   secretsfile=/root/ipsec.secrets

     

       55
       60
        
                   protostack=netkey

     

       56
       56
       -
                   nat_traversal=yes

     

       57
       61
        
                   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

     

       58
       62
        
               '';

     

       59
       59
       -
               description = "Options to go in the 'config setup' section of the libreswan ipsec configuration";

     

       63
       63
       +
               description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration";

     

       60
       64
        
             };

     

       61
       65
        
       

     

       62
       66
        
             connections = mkOption {

     

       63
       67
        
               type = types.attrsOf types.lines;

     

       64
       68
        
               default = {};

     

       65
       65
       -
               example = {

     

       66
       66
       -
                 myconnection = ''

     

       67
       67
       -
                   auto=add

     

       68
       68
       -
                   left=%defaultroute

     

       69
       69
       -
                   leftid=@user

     

       69
       69
       +
               example = literalExample ''

     

       70
       70
       +
                 { myconnection = '''

     

       71
       71
       +
                     auto=add

     

       72
       72
       +
                     left=%defaultroute

     

       73
       73
       +
                     leftid=@user

     

       74
       74
       +
       

     

       75
       75
       +
                     right=my.vpn.com

     

       76
       76
       +
       

     

       77
       77
       +
                     ikev2=no

     

       78
       78
       +
                     ikelifetime=8h

     

       79
       79
       +
                   ''';

     

       80
       80
       +
                 }

     

       81
       81
       +
               '';

     

       82
       82
       +
               description = "A set of connections to define for the Libreswan IPsec service";

     

       83
       83
       +
             };

     

       84
       84
       +
       

     

       85
       85
       +
             policies = mkOption {

     

       86
       86
       +
               type = types.attrsOf types.lines;

     

       87
       87
       +
               default = {};

     

       88
       88
       +
               example = literalExample ''

     

       89
       89
       +
                 { private-or-clear = '''

     

       90
       90
       +
                     # Attempt opportunistic IPsec for the entire Internet

     

       91
       91
       +
                     0.0.0.0/0

     

       92
       92
       +
                     ::/0

     

       93
       93
       +
                   ''';

     

       94
       94
       +
                 }

     

       95
       95
       +
               '';

     

       96
       96
       +
               description = ''

     

       97
       97
       +
                 A set of policies to apply to the IPsec connections.

     

       70
       98
        
       

     

       71
       71
       -
                   right=my.vpn.com

     

       99
       99
       +
                 <note><para>

     

       100
       100
       +
                   The policy name must match the one of connection it needs to apply to.

     

       101
       101
       +
                 </para></note>

     

       102
       102
       +
               '';

     

       103
       103
       +
             };

     

       72
       104
        
       

     

       73
       73
       -
                   ikev2=no

     

       74
       74
       -
                   ikelifetime=8h

     

       75
       75
       -
                 '';

     

       76
       76
       -
               };

     

       77
       77
       -
               description = "A set of connections to define for the libreswan ipsec service";

     

       105
       105
       +
             disableRedirects = mkOption {

     

       106
       106
       +
               type = types.bool;

     

       107
       107
       +
               default = true;

     

       108
       108
       +
               description = ''

     

       109
       109
       +
                 Whether to disable send and accept redirects for all nework interfaces.

     

       110
       110
       +
                 See the Libreswan <link xlink:href="https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F">

     

       111
       111
       +
                 FAQ</link> page for why this is recommended.

     

       112
       112
       +
               '';

     

       78
       113
        
             };

     

       114
       114
       +
       

     

       79
       115
        
           };

     

       80
       116
        
       

     

       81
       117
        
         };

     
···

       85
       121
        
       

     

       86
       122
        
         config = mkIf cfg.enable {

     

       87
       123
        
       

     

       124
       124
       +
           # Install package, systemd units, etc.

     

       88
       125
        
           environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ];

     

       126
       126
       +
           systemd.packages = [ pkgs.libreswan ];

     

       127
       127
       +
           systemd.tmpfiles.packages = [ pkgs.libreswan ];

     

       128
       128
       +
       

     

       129
       129
       +
           # Install configuration files

     

       130
       130
       +
           environment.etc = {

     

       131
       131
       +
             "ipsec.secrets".source = "${pkgs.libreswan}/etc/ipsec.secrets";

     

       132
       132
       +
             "ipsec.conf".source = "${pkgs.libreswan}/etc/ipsec.conf";

     

       133
       133
       +
             "ipsec.d/01-nixos.conf".source = configFile;

     

       134
       134
       +
           } // policyFiles;

     

       135
       135
       +
       

     

       136
       136
       +
           # Create NSS database directory

     

       137
       137
       +
           systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ];

     

       89
       138
        
       

     

       90
       139
        
           systemd.services.ipsec = {

     

       91
       140
        
             description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec";

     

       92
       92
       -
             path = [

     

       93
       93
       -
               "${pkgs.libreswan}"

     

       94
       94
       -
               "${pkgs.iproute2}"

     

       95
       95
       -
               "${pkgs.procps}"

     

       96
       96
       -
               "${pkgs.nssTools}"

     

       97
       97
       -
               "${pkgs.iptables}"

     

       98
       98
       -
               "${pkgs.nettools}"

     

       99
       99
       -
             ];

     

       100
       100
       -
       

     

       101
       101
       -
             wants = [ "network-online.target" ];

     

       102
       102
       -
             after = [ "network-online.target" ];

     

       103
       141
        
             wantedBy = [ "multi-user.target" ];

     

       104
       104
       -
       

     

       105
       105
       -
             serviceConfig = {

     

       106
       106
       -
               Type = "simple";

     

       107
       107
       -
               Restart = "always";

     

       108
       108
       -
               EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto";

     

       109
       109
       -
               ExecStartPre = [

     

       110
       110
       -
                 "${libexec}/addconn --config ${configFile} --checkconfig"

     

       111
       111
       -
                 "${libexec}/_stackmanager start"

     

       112
       112
       -
                 "${ipsec} --checknss"

     

       113
       113
       -
                 "${ipsec} --checknflog"

     

       114
       114
       -
               ];

     

       115
       115
       -
               ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS";

     

       116
       116
       -
               ExecStop = "${libexec}/whack --shutdown";

     

       117
       117
       -
               ExecStopPost = [

     

       118
       118
       -
                 "${pkgs.iproute2}/bin/ip xfrm policy flush"

     

       119
       119
       -
                 "${pkgs.iproute2}/bin/ip xfrm state flush"

     

       120
       120
       -
                 "${ipsec} --stopnflog"

     

       121
       121
       -
               ];

     

       122
       122
       -
               ExecReload = "${libexec}/whack --listen";

     

       123
       123
       -
             };

     

       124
       124
       -
       

     

       142
       142
       +
             restartTriggers = [ configFile ] ++ mapAttrsToList (n: v: v.source) policyFiles;

     

       143
       143
       +
             path = with pkgs; [

     

       144
       144
       +
               libreswan

     

       145
       145
       +
               iproute2

     

       146
       146
       +
               procps

     

       147
       147
       +
               nssTools

     

       148
       148
       +
               iptables

     

       149
       149
       +
               nettools

     

       150
       150
       +
             ];

     

       151
       151
       +
             preStart = optionalString cfg.disableRedirects ''

     

       152
       152
       +
               # Disable send/receive redirects

     

       153
       153
       +
               echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects

     

       154
       154
       +
               echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects

     

       155
       155
       +
             '';

     

       125
       156
        
           };

     

       126
       157
        
       

     

       127
       158
        
         };

nixos/tests/all-tests.nix

···

       217
       217
        
         latestKernel.login = handleTest ./login.nix { latestKernel = true; };

     

       218
       218
        
         leaps = handleTest ./leaps.nix {};

     

       219
       219
        
         lidarr = handleTest ./lidarr.nix {};

     

       220
       220
       +
         libreswan = handleTest ./libreswan.nix {};

     

       220
       221
        
         lightdm = handleTest ./lightdm.nix {};

     

       221
       222
        
         limesurvey = handleTest ./limesurvey.nix {};

     

       222
       223
        
         locate = handleTest ./locate.nix {};

+134

nixos/tests/libreswan.nix

···

       1
       1
       +
       # This test sets up a host-to-host IPsec VPN between Alice and Bob, each on its

     

       2
       2
       +
       # own network and with Eve as the only route between each other. We check that

     

       3
       3
       +
       # Eve can eavesdrop the plaintext traffic between Alice and Bob, but once they

     

       4
       4
       +
       # enable the secure tunnel Eve's spying becomes ineffective.

     

       5
       5
       +
       

     

       6
       6
       +
       import ./make-test-python.nix ({ lib, pkgs, ... }:

     

       7
       7
       +
       

     

       8
       8
       +
       let

     

       9
       9
       +
       

     

       10
       10
       +
         # IPsec tunnel between Alice and Bob

     

       11
       11
       +
         tunnelConfig = {

     

       12
       12
       +
           services.libreswan.enable = true;

     

       13
       13
       +
           services.libreswan.connections.tunnel =

     

       14
       14
       +
             ''

     

       15
       15
       +
               leftid=@alice

     

       16
       16
       +
               left=fd::a

     

       17
       17
       +
               rightid=@bob

     

       18
       18
       +
               right=fd::b

     

       19
       19
       +
               authby=secret

     

       20
       20
       +
               auto=add

     

       21
       21
       +
             '';

     

       22
       22
       +
           environment.etc."ipsec.d/tunnel.secrets" =

     

       23
       23
       +
             { text = ''@alice @bob : PSK "j1JbIi9WY07rxwcNQ6nbyThKCf9DGxWOyokXIQcAQUnafsNTUJxfsxwk9WYK8fHj"'';

     

       24
       24
       +
               mode = "600";

     

       25
       25
       +
             };

     

       26
       26
       +
         };

     

       27
       27
       +
       

     

       28
       28
       +
         # Common network setup

     

       29
       29
       +
         baseNetwork = {

     

       30
       30
       +
           # shared hosts file

     

       31
       31
       +
           extraHosts = lib.mkVMOverride ''

     

       32
       32
       +
             fd::a alice

     

       33
       33
       +
             fd::b bob

     

       34
       34
       +
             fd::e eve

     

       35
       35
       +
           '';

     

       36
       36
       +
           # remove all automatic addresses

     

       37
       37
       +
           useDHCP = false;

     

       38
       38
       +
           interfaces.eth1.ipv4.addresses = lib.mkVMOverride [];

     

       39
       39
       +
           interfaces.eth2.ipv4.addresses = lib.mkVMOverride [];

     

       40
       40
       +
           # open a port for testing

     

       41
       41
       +
           firewall.allowedUDPPorts = [ 1234 ];

     

       42
       42
       +
         };

     

       43
       43
       +
       

     

       44
       44
       +
         # Adds an address and route from a to b via Eve

     

       45
       45
       +
         addRoute = a: b: {

     

       46
       46
       +
           interfaces.eth1.ipv6.addresses =

     

       47
       47
       +
             [ { address = a; prefixLength = 64; } ];

     

       48
       48
       +
           interfaces.eth1.ipv6.routes =

     

       49
       49
       +
             [ { address = b; prefixLength = 128; via = "fd::e"; } ];

     

       50
       50
       +
         };

     

       51
       51
       +
       

     

       52
       52
       +
       in

     

       53
       53
       +
       

     

       54
       54
       +
       {

     

       55
       55
       +
         name = "libreswan";

     

       56
       56
       +
         meta = with lib.maintainers; {

     

       57
       57
       +
           maintainers = [ rnhmjoj ];

     

       58
       58
       +
         };

     

       59
       59
       +
       

     

       60
       60
       +
         # Our protagonist

     

       61
       61
       +
         nodes.alice = { ... }: {

     

       62
       62
       +
           virtualisation.vlans = [ 1 ];

     

       63
       63
       +
           networking = baseNetwork // addRoute "fd::a" "fd::b";

     

       64
       64
       +
         } // tunnelConfig;

     

       65
       65
       +
       

     

       66
       66
       +
         # Her best friend

     

       67
       67
       +
         nodes.bob = { ... }: {

     

       68
       68
       +
           virtualisation.vlans = [ 2 ];

     

       69
       69
       +
           networking = baseNetwork // addRoute "fd::b" "fd::a";

     

       70
       70
       +
         } // tunnelConfig;

     

       71
       71
       +
       

     

       72
       72
       +
         # The malicious network operator

     

       73
       73
       +
         nodes.eve = { ... }: {

     

       74
       74
       +
           virtualisation.vlans = [ 1 2 ];

     

       75
       75
       +
           networking = lib.mkMerge

     

       76
       76
       +
             [ baseNetwork

     

       77
       77
       +
               { interfaces.br0.ipv6.addresses =

     

       78
       78
       +
                   [ { address = "fd::e"; prefixLength = 64; } ];

     

       79
       79
       +
                 bridges.br0.interfaces = [ "eth1" "eth2" ];

     

       80
       80
       +
               }

     

       81
       81
       +
             ];

     

       82
       82
       +
           environment.systemPackages = [ pkgs.tcpdump ];

     

       83
       83
       +
           boot.kernel.sysctl."net.ipv6.conf.all.forwarding" = true;

     

       84
       84
       +
         };

     

       85
       85
       +
       

     

       86
       86
       +
         testScript =

     

       87
       87
       +
           ''

     

       88
       88
       +
             def alice_to_bob(msg: str):

     

       89
       89
       +
                 """

     

       90
       90
       +
                 Sends a message as Alice to Bob

     

       91
       91
       +
                 """

     

       92
       92
       +
                 bob.execute("nc -lu ::0 1234 >/tmp/msg &")

     

       93
       93
       +
                 alice.sleep(1)

     

       94
       94
       +
                 alice.succeed(f"echo '{msg}' | nc -uw 0 bob 1234")

     

       95
       95
       +
                 bob.succeed(f"grep '{msg}' /tmp/msg")

     

       96
       96
       +
       

     

       97
       97
       +
       

     

       98
       98
       +
             def eavesdrop():

     

       99
       99
       +
                 """

     

       100
       100
       +
                 Starts eavesdropping on Alice and Bob

     

       101
       101
       +
                 """

     

       102
       102
       +
                 match = "src host alice and dst host bob"

     

       103
       103
       +
                 eve.execute(f"tcpdump -i br0 -c 1 -Avv {match} >/tmp/log &")

     

       104
       104
       +
       

     

       105
       105
       +
       

     

       106
       106
       +
             start_all()

     

       107
       107
       +
       

     

       108
       108
       +
             with subtest("Network is up"):

     

       109
       109
       +
                 alice.wait_until_succeeds("ping -c1 bob")

     

       110
       110
       +
       

     

       111
       111
       +
             with subtest("Eve can eavesdrop cleartext traffic"):

     

       112
       112
       +
                 eavesdrop()

     

       113
       113
       +
                 alice_to_bob("I secretly love turnip")

     

       114
       114
       +
                 eve.sleep(1)

     

       115
       115
       +
                 eve.succeed("grep turnip /tmp/log")

     

       116
       116
       +
       

     

       117
       117
       +
             with subtest("Libreswan is ready"):

     

       118
       118
       +
                 alice.wait_for_unit("ipsec")

     

       119
       119
       +
                 bob.wait_for_unit("ipsec")

     

       120
       120
       +
                 alice.succeed("ipsec verify 1>&2")

     

       121
       121
       +
       

     

       122
       122
       +
             with subtest("Alice and Bob can start the tunnel"):

     

       123
       123
       +
                 alice.execute("ipsec auto --start tunnel &")

     

       124
       124
       +
                 bob.succeed("ipsec auto --start tunnel")

     

       125
       125
       +
                 # apparently this is needed to "wake" the tunnel

     

       126
       126
       +
                 bob.execute("ping -c1 alice")

     

       127
       127
       +
       

     

       128
       128
       +
             with subtest("Eve no longer can eavesdrop"):

     

       129
       129
       +
                 eavesdrop()

     

       130
       130
       +
                 alice_to_bob("Just kidding, I actually like rhubarb")

     

       131
       131
       +
                 eve.sleep(1)

     

       132
       132
       +
                 eve.fail("grep rhubarb /tmp/log")

     

       133
       133
       +
           '';

     

       134
       134
       +
       })

+96 -48

pkgs/tools/networking/libreswan/default.nix

···

       1
       1
       -
       { lib, stdenv, fetchurl, makeWrapper,

     

       2
       2
       -
         pkg-config, systemd, gmp, unbound, bison, flex, pam, libevent, libcap_ng, curl, nspr,

     

       3
       3
       -
         bash, iproute2, iptables, procps, coreutils, gnused, gawk, nss, which, python3,

     

       4
       4
       -
         docs ? false, xmlto, libselinux, ldns

     

       5
       5
       -
         }:

     

       1
       1
       +
       { lib

     

       2
       2
       +
       , stdenv

     

       3
       3
       +
       , fetchurl

     

       4
       4
       +
       , fetchpatch

     

       5
       5
       +
       , nixosTests

     

       6
       6
       +
       , pkg-config

     

       7
       7
       +
       , systemd

     

       8
       8
       +
       , gmp

     

       9
       9
       +
       , unbound

     

       10
       10
       +
       , bison

     

       11
       11
       +
       , flex

     

       12
       12
       +
       , pam

     

       13
       13
       +
       , libevent

     

       14
       14
       +
       , libcap_ng

     

       15
       15
       +
       , curl

     

       16
       16
       +
       , nspr

     

       17
       17
       +
       , bash

     

       18
       18
       +
       , iproute2

     

       19
       19
       +
       , iptables

     

       20
       20
       +
       , procps

     

       21
       21
       +
       , coreutils

     

       22
       22
       +
       , gnused

     

       23
       23
       +
       , gawk

     

       24
       24
       +
       , nss

     

       25
       25
       +
       , which

     

       26
       26
       +
       , python3

     

       27
       27
       +
       , libselinux

     

       28
       28
       +
       , ldns

     

       29
       29
       +
       , xmlto

     

       30
       30
       +
       , docbook_xml_dtd_412

     

       31
       31
       +
       , docbook_xsl

     

       32
       32
       +
       , findXMLCatalogs

     

       33
       33
       +
       }:

     

       6
       34
        
       

     

       7
       35
        
       let

     

       36
       36
       +
         # Tools needed by ipsec scripts

     

       8
       37
        
         binPath = lib.makeBinPath [

     

       9
       9
       -
           bash iproute2 iptables procps coreutils gnused gawk nss.tools which python3

     

       38
       38
       +
           iproute2 iptables procps

     

       39
       39
       +
           coreutils gnused gawk

     

       40
       40
       +
           nss.tools which

     

       10
       41
        
         ];

     

       11
       42
        
       in

     

       12
       43
        
       

     

       13
       13
       -
       assert docs -> xmlto != null;

     

       14
       14
       -
       assert stdenv.isLinux -> libselinux != null;

     

       15
       15
       -
       

     

       16
       44
        
       stdenv.mkDerivation rec {

     

       17
       45
        
         pname = "libreswan";

     

       18
       18
       -
         version = "3.32";

     

       46
       46
       +
         version = "4.4";

     

       19
       47
        
       

     

       20
       48
        
         src = fetchurl {

     

       21
       49
        
           url = "https://download.libreswan.org/${pname}-${version}.tar.gz";

     

       22
       22
       -
           sha256 = "0bj3g6qwd3ir3gk6hdl9npy3k44shf56vcgjahn30qpmx3z5fsr3";

     

       50
       50
       +
           sha256 = "0xj974yc0y1r7235zl4jhvxqz3bpb8js2fy9ic820zq9swh0lgsz";

     

       23
       51
        
         };

     

       24
       52
        
       

     

       25
       53
        
         strictDeps = true;

     

       26
       54
        
       

     

       27
       27
       -
         # These flags were added to compile v3.18. Try to lift them when updating.

     

       28
       28
       -
         NIX_CFLAGS_COMPILE = toString [ "-Wno-error=redundant-decls" "-Wno-error=format-nonliteral"

     

       29
       29
       -
           # these flags were added to build with gcc7

     

       30
       30
       -
           "-Wno-error=implicit-fallthrough"

     

       31
       31
       -
           "-Wno-error=format-truncation"

     

       32
       32
       -
           "-Wno-error=pointer-compare"

     

       33
       33
       -
           "-Wno-error=stringop-truncation"

     

       34
       34
       -
           # The following flag allows libreswan v3.32 to work with NSS 3.22, see

     

       35
       35
       -
           # https://github.com/libreswan/libreswan/issues/334.

     

       36
       36
       -
           # This flag should not be needed for libreswan v3.33 (which is not yet released).

     

       37
       37
       -
           "-DNSS_PKCS11_2_0_COMPAT=1"

     

       38
       38
       -
         ];

     

       39
       39
       -
       

     

       40
       55
        
         nativeBuildInputs = [

     

       41
       56
        
           bison

     

       42
       57
        
           flex

     

       43
       43
       -
           makeWrapper

     

       44
       58
        
           pkg-config

     

       59
       59
       +
           xmlto

     

       60
       60
       +
           docbook_xml_dtd_412

     

       61
       61
       +
           docbook_xsl

     

       62
       62
       +
           findXMLCatalogs

     

       45
       63
        
         ];

     

       46
       64
        
       

     

       47
       47
       -
         buildInputs = [ bash iproute2 iptables systemd coreutils gnused gawk gmp unbound pam libevent

     

       48
       48
       -
                         libcap_ng curl nspr nss python3 ldns ]

     

       49
       49
       -
                       ++ lib.optional docs xmlto

     

       50
       50
       -
                       ++ lib.optional stdenv.isLinux libselinux;

     

       65
       65
       +
         buildInputs = [

     

       66
       66
       +
           systemd coreutils

     

       67
       67
       +
           gnused gawk gmp unbound pam libevent

     

       68
       68
       +
           libcap_ng curl nspr nss ldns

     

       69
       69
       +
           # needed to patch shebangs

     

       70
       70
       +
           python3 bash

     

       71
       71
       +
         ] ++ lib.optional stdenv.isLinux libselinux;

     

       72
       72
       +
       

     

       73
       73
       +
         patches = [

     

       74
       74
       +
           # Fix compilation on aarch64, remove on next update

     

       75
       75
       +
           (fetchpatch {

     

       76
       76
       +
             url = "https://github.com/libreswan/libreswan/commit/ea50d36d2886e44317ba5ba841de1d1bf91aee6c.patch";

     

       77
       77
       +
             sha256 = "1jp89rm9jp55zmiyimyhg7yadj0fwwxaw7i5gyclrs38w3y1aacj";

     

       78
       78
       +
           })

     

       79
       79
       +
         ];

     

       51
       80
        
       

     

       52
       81
        
         prePatch = ''

     

       53
       53
       -
           # Correct bash path

     

       54
       54
       -
           sed -i -e 's|/bin/bash|/usr/bin/env bash|' mk/config.mk

     

       82
       82
       +
           # Correct iproute2 path

     

       83
       83
       +
           sed -e 's|"/sbin/ip"|"${iproute2}/bin/ip"|' \

     

       84
       84
       +
               -e 's|"/sbin/iptables"|"${iptables}/bin/iptables"|' \

     

       85
       85
       +
               -i initsystems/systemd/ipsec.service.in \

     

       86
       86
       +
                  programs/verify/verify.in

     

       55
       87
        
       

     

       56
       56
       -
           # Fix systemd unit directory, and prevent the makefile from trying to reload the

     

       57
       57
       -
           # systemd daemon or create tmpfiles

     

       58
       58
       -
           sed -i -e 's|UNITDIR=.*$|UNITDIR=$\{out}/etc/systemd/system/|g' \

     

       59
       59
       -
             -e 's|TMPFILESDIR=.*$|TMPFILESDIR=$\{out}/tmpfiles.d/|g' \

     

       60
       60
       -
             -e 's|systemctl|true|g' \

     

       61
       61
       -
             -e 's|systemd-tmpfiles|true|g' \

     

       62
       62
       -
             initsystems/systemd/Makefile

     

       88
       88
       +
           # Prevent the makefile from trying to

     

       89
       89
       +
           # reload the systemd daemon or create tmpfiles

     

       90
       90
       +
           sed -e 's|systemctl|true|g' \

     

       91
       91
       +
               -e 's|systemd-tmpfiles|true|g' \

     

       92
       92
       +
               -i initsystems/systemd/Makefile

     

       63
       93
        
       

     

       64
       94
        
           # Fix the ipsec program from crushing the PATH

     

       65
       65
       -
           sed -i -e 's|\(PATH=".*"\):.*$|\1:$PATH|' programs/ipsec/ipsec.in

     

       95
       95
       +
           sed -e 's|\(PATH=".*"\):.*$|\1:$PATH|' -i programs/ipsec/ipsec.in

     

       66
       96
        
       

     

       67
       97
        
           # Fix python script to use the correct python

     

       68
       68
       -
           sed -i -e 's|#!/usr/bin/python|#!/usr/bin/env python|' -e 's/^\(\W*\)installstartcheck()/\1sscmd = "ss"\n\0/' programs/verify/verify.in

     

       98
       98
       +
           sed -e 's/^\(\W*\)installstartcheck()/\1sscmd = "ss"\n\0/' \

     

       99
       99
       +
               -i programs/verify/verify.in

     

       100
       100
       +
       

     

       101
       101
       +
           # Replace wget with curl to save a dependency

     

       102
       102
       +
           curlArgs='-s --remote-name-all --output-dir'

     

       103
       103
       +
           sed -e "s|wget -q -P|${curl}/bin/curl $curlArgs|g" \

     

       104
       104
       +
               -i programs/letsencrypt/letsencrypt.in

     

       105
       105
       +
       

     

       106
       106
       +
           # Patch the Makefile:

     

       107
       107
       +
           # 1. correct the pam.d directory install path

     

       108
       108
       +
           # 2. do not create the /var/lib/ directory

     

       109
       109
       +
           sed -e 's|$(DESTDIR)/etc/pam.d|$(out)/etc/pam.d|' \

     

       110
       110
       +
               -e '/test ! -d $(NSSDIR)/,+3d' \

     

       111
       111
       +
               -i configs/Makefile

     

       69
       112
        
         '';

     

       70
       113
        
       

     

       71
       114
        
         # Set appropriate paths for build

     
···

       73
       116
        
       

     

       74
       117
        
         makeFlags = [

     

       75
       118
        
           "INITSYSTEM=systemd"

     

       76
       76
       -
           (if docs then "all" else "base")

     

       119
       119
       +
           "UNITDIR=$(out)/etc/systemd/system/"

     

       120
       120
       +
           "TMPFILESDIR=$(out)/lib/tmpfiles.d/"

     

       77
       121
        
         ];

     

       78
       122
        
       

     

       79
       79
       -
         installTargets = [ (if docs then "install" else "install-base") ];

     

       80
       123
        
         # Hack to make install work

     

       81
       124
        
         installFlags = [

     

       82
       125
        
           "FINALVARDIR=\${out}/var"

     
···

       84
       127
        
         ];

     

       85
       128
        
       

     

       86
       129
        
         postInstall = ''

     

       87
       87
       -
           for i in $out/bin/* $out/libexec/ipsec/*; do

     

       88
       88
       -
             wrapProgram "$i" --prefix PATH ':' "$out/bin:${binPath}"

     

       89
       89
       -
           done

     

       130
       130
       +
           # Install examples directory (needed for letsencrypt)

     

       131
       131
       +
           cp -r docs/examples $out/share/doc/libreswan/examples

     

       90
       132
        
         '';

     

       91
       133
        
       

     

       92
       92
       -
         enableParallelBuilding = true;

     

       134
       134
       +
         postFixup = ''

     

       135
       135
       +
           # Add a PATH to the main "ipsec" script

     

       136
       136
       +
           sed -e '0,/^$/{s||export PATH=${binPath}:$PATH|}' \

     

       137
       137
       +
               -i $out/bin/ipsec

     

       138
       138
       +
         '';

     

       139
       139
       +
       

     

       140
       140
       +
         passthru.tests.libreswan = nixosTests.libreswan;

     

       93
       141
        
       

     

       94
       142
        
         meta = with lib; {

     

       95
       143
        
           homepage = "https://libreswan.org";

     

       96
       144
        
           description = "A free software implementation of the VPN protocol based on IPSec and the Internet Key Exchange";

     

       97
       145
        
           platforms = platforms.linux ++ platforms.freebsd;

     

       98
       98
       -
           license = licenses.gpl2;

     

       99
       99
       -
           maintainers = [ maintainers.afranchuk ];

     

       146
       146
       +
           license = with licenses; [ gpl2Plus mpl20 ] ;

     

       147
       147
       +
           maintainers = with maintainers; [ afranchuk rnhmjoj ];

     

       100
       148
        
         };

     

       101
       149
        
       }