···
+
enableNetworkManager ? false,
+
nm = enableNetworkManager;
+
systemd = stdenv.hostPlatform.isLinux;
+
farp = stdenv.hostPlatform.isLinux;
+
dhcp = stdenv.hostPlatform.isLinux;
+
af-alg = stdenv.hostPlatform.isLinux;
+
resolve = stdenv.hostPlatform.isLinux;
+
scripts = stdenv.hostPlatform.isLinux;
+
connmark = stdenv.hostPlatform.isLinux;
+
forecast = stdenv.hostPlatform.isLinux;
+
kernel-netlink = stdenv.hostPlatform.isLinux;
+
aesni = stdenv.hostPlatform.isx86_64;
+
rdrand = stdenv.hostPlatform.isx86_64;
+
padlock = stdenv.hostPlatform.system == "i686-linux";
+
kernel-pfkey = stdenv.hostPlatform.isDarwin || stdenv.hostPlatform.isFreeBSD;
+
kernel-pfroute = stdenv.hostPlatform.isDarwin || stdenv.hostPlatform.isFreeBSD;
+
kernel-libipsec = stdenv.hostPlatform.isDarwin || stdenv.hostPlatform.isFreeBSD;
+
keychain = false; # breaks build
+
osx-attr = stdenv.hostPlatform.isDarwin;
+
# Note on curl support: If curl is built with gnutls as its backend, the
+
# strongswan curl plugin may break.
+
# See https://wiki.strongswan.org/projects/strongswan/wiki/Curl for more info.
+
socket-dynamic = stdenv.hostPlatform.isLinux;
+
eap-simaka-pseudonym = true;
+
eap-simaka-reauth = true;
+
xauth-pam = stdenv.hostPlatform.isLinux;
+
// lib.optionalAttrs enableTNC {
+
imc-attestation = true;
+
imv-attestation = true;
+
// lib.optionalAttrs enableTPM2 {
stdenv.mkDerivation rec {
+
version = "6.0.2"; # Make sure to also update <nixpkgs/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix> when upgrading!
+
hash = "sha256-wjz41gt+Xu4XJkEXRRVl3b3ryEoEtijeqmfVFoRjnA4=";
+
./firewall_defaults.patch
+
lib.optional (features.gmp or false) gmp
+
++ lib.optional (features.eap-sim-pcsc or false) pcsclite
+
++ lib.optional (features.openssl or false) openssl
+
++ lib.optional (features.curl or false) curl
+
++ lib.optional (features.systemd or false) systemd
+
++ lib.optional (features.tnc-ifmap or false) libxml2
+
++ lib.optional (features.xauth-pam or false) pam
+
++ lib.optional (features.forecast or false || features.connmark or false) iptables
+
++ lib.optional (features.tss-trousers or false) trousers
+
++ lib.optional (features.tss-tss2 or false) tpm2-tss
+
++ lib.optional (features.sqlite or false) sqlite
+
++ lib.optionals (features.unbound or false) [
+
++ lib.optionals (features.nm or false) [
+
configureFlags = (lib.mapAttrsToList (lib.flip lib.enableFeature)) features ++ [
+
(lib.withFeatureAs (features.nm or false) "nm-ca-dir" "/etc/ssl/certs")
+
(lib.withFeatureAs (features.systemd or false
+
) "systemdsystemunitdir" "${placeholder "out"}/etc/systemd/system")
"sysconfdir=${placeholder "out"}/etc"
+
enableParallelBuilding = true;
passthru.tests = { inherit (nixosTests) strongswan-swanctl; };
+
postPatch = lib.optionalString features.resolve ''
+
substituteInPlace src/libcharon/plugins/resolve/resolve_handler.c \
+
--replace-fail "/sbin/resolvconf" "${openresolv}/sbin/resolvconf"
+
description = "OpenSource IPsec-based VPN solution";
+
homepage = "https://www.strongswan.org/";
+
changelog = "https://github.com/strongswan/strongswan/blob/${src.rev}/ChangeLog";
+
license = lib.licenses.gpl2Plus;
+
maintainers = with lib.maintainers; [ nickcao ];
+
mainProgram = "swanctl";
+
platforms = lib.platforms.unix;
pyrox.dev