pyrox.dev / nixpkgs
lol
fork atom

ocserv: init at 0.12.1 (#42871)

`ocserv` is a VPN server which follows the openconnect protocol
(https://github.com/openconnect/protocol). The packaging is slightly
inspired by the AUR version
(https://aur.archlinux.org/packages/ocserv/).

This patch initializes the package written in C, the man pages and a
module for a simple systemd unit to run the VPN server. The package
supports the following authentication methods for the server:

* `plain` (mostly username/password)
* `pam`

The third method (`radius`) is currently not supported since `nixpkgs`
misses a packaged client.

The module can be used like this:

``` nix
{
services.ocserv = {
enable = true;
config = ''
...
'';
};
}
```

The option `services.ocserv.config` is required on purpose to
ensure that nobody just enables the service and experiences unexpected
side-effects on the system. For a full reference, please refer to the
man pages, the online docs or the example value.

The docs recommend to simply use `nobody` as user, so no extra user has
been added to the internal user list. Instead a configuration like
this can be used:

```
run-as-user = nobody
run-as-group = nogroup
```

/cc @tenten8401
Fixes #42594

Maximilian Bosch cd5e01ed e4ca48c2

options
unified split
Changed files
+128
nixos
modules
module-list.nix
services
networking
ocserv.nix
pkgs
tools
networking
ocserv
default.nix
top-level
all-packages.nix
+1
nixos/modules/module-list.nix 
···

       
543

       
543

       
 

       
  ./services/networking/ntopng.nix


     

       
544

       
544

       
 

       
  ./services/networking/ntpd.nix


     

       
545

       
545

       
 

       
  ./services/networking/nylon.nix


     

       

       
546

       
+

       
  ./services/networking/ocserv.nix


     

       
546

       
547

       
 

       
  ./services/networking/oidentd.nix


     

       
547

       
548

       
 

       
  ./services/networking/openfire.nix


     

       
548

       
549

       
 

       
  ./services/networking/openntpd.nix
+99
nixos/modules/services/networking/ocserv.nix 
···

       

       
1

       
+

       
{ config, pkgs, lib, ... }:


     

       

       
2

       
+

       



     

       

       
3

       
+

       
with lib;


     

       

       
4

       
+

       



     

       

       
5

       
+

       
let


     

       

       
6

       
+

       



     

       

       
7

       
+

       
  cfg = config.services.ocserv;


     

       

       
8

       
+

       



     

       

       
9

       
+

       
in


     

       

       
10

       
+

       



     

       

       
11

       
+

       
{


     

       

       
12

       
+

       
  options.services.ocserv = {


     

       

       
13

       
+

       
    enable = mkEnableOption "ocserv";


     

       

       
14

       
+

       



     

       

       
15

       
+

       
    config = mkOption {


     

       

       
16

       
+

       
      type = types.lines;


     

       

       
17

       
+

       



     

       

       
18

       
+

       
      description = ''


     

       

       
19

       
+

       
        Configuration content to start an OCServ server.


     

       

       
20

       
+

       



     

       

       
21

       
+

       
        For a full configuration reference,please refer to the online documentation


     

       

       
22

       
+

       
        (https://ocserv.gitlab.io/www/manual.html), the openconnect


     

       

       
23

       
+

       
        recipes (https://github.com/openconnect/recipes) or `man ocserv`.


     

       

       
24

       
+

       
      '';


     

       

       
25

       
+

       



     

       

       
26

       
+

       
      example = ''


     

       

       
27

       
+

       
        # configuration examples from $out/doc without explanatory comments.


     

       

       
28

       
+

       
        # for a full reference please look at the installed man pages.


     

       

       
29

       
+

       
        auth = "plain[passwd=./sample.passwd]"


     

       

       
30

       
+

       
        tcp-port = 443


     

       

       
31

       
+

       
        udp-port = 443


     

       

       
32

       
+

       
        run-as-user = nobody


     

       

       
33

       
+

       
        run-as-group = nogroup


     

       

       
34

       
+

       
        socket-file = /var/run/ocserv-socket


     

       

       
35

       
+

       
        server-cert = certs/server-cert.pem


     

       

       
36

       
+

       
        server-key = certs/server-key.pem


     

       

       
37

       
+

       
        keepalive = 32400


     

       

       
38

       
+

       
        dpd = 90


     

       

       
39

       
+

       
        mobile-dpd = 1800


     

       

       
40

       
+

       
        switch-to-tcp-timeout = 25


     

       

       
41

       
+

       
        try-mtu-discovery = false


     

       

       
42

       
+

       
        cert-user-oid = 0.9.2342.19200300.100.1.1


     

       

       
43

       
+

       
        tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"


     

       

       
44

       
+

       
        auth-timeout = 240


     

       

       
45

       
+

       
        min-reauth-time = 300


     

       

       
46

       
+

       
        max-ban-score = 80


     

       

       
47

       
+

       
        ban-reset-time = 1200


     

       

       
48

       
+

       
        cookie-timeout = 300


     

       

       
49

       
+

       
        deny-roaming = false


     

       

       
50

       
+

       
        rekey-time = 172800


     

       

       
51

       
+

       
        rekey-method = ssl


     

       

       
52

       
+

       
        use-occtl = true


     

       

       
53

       
+

       
        pid-file = /var/run/ocserv.pid


     

       

       
54

       
+

       
        device = vpns


     

       

       
55

       
+

       
        predictable-ips = true


     

       

       
56

       
+

       
        default-domain = example.com


     

       

       
57

       
+

       
        ipv4-network = 192.168.1.0


     

       

       
58

       
+

       
        ipv4-netmask = 255.255.255.0


     

       

       
59

       
+

       
        dns = 192.168.1.2


     

       

       
60

       
+

       
        ping-leases = false


     

       

       
61

       
+

       
        route = 10.10.10.0/255.255.255.0


     

       

       
62

       
+

       
        route = 192.168.0.0/255.255.0.0


     

       

       
63

       
+

       
        no-route = 192.168.5.0/255.255.255.0


     

       

       
64

       
+

       
        cisco-client-compat = true


     

       

       
65

       
+

       
        dtls-legacy = true


     

       

       
66

       
+

       



     

       

       
67

       
+

       
        [vhost:www.example.com]


     

       

       
68

       
+

       
        auth = "certificate"


     

       

       
69

       
+

       
        ca-cert = certs/ca.pem


     

       

       
70

       
+

       
        server-cert = certs/server-cert-secp521r1.pem


     

       

       
71

       
+

       
        server-key = cersts/certs/server-key-secp521r1.pem


     

       

       
72

       
+

       
        ipv4-network = 192.168.2.0


     

       

       
73

       
+

       
        ipv4-netmask = 255.255.255.0


     

       

       
74

       
+

       
        cert-user-oid = 0.9.2342.19200300.100.1.1


     

       

       
75

       
+

       
      '';


     

       

       
76

       
+

       
    };


     

       

       
77

       
+

       
  };


     

       

       
78

       
+

       



     

       

       
79

       
+

       
  config = mkIf cfg.enable {


     

       

       
80

       
+

       
    environment.systemPackages = [ pkgs.ocserv ];


     

       

       
81

       
+

       
    environment.etc."ocserv/ocserv.conf".text = cfg.config;


     

       

       
82

       
+

       



     

       

       
83

       
+

       
    security.pam.services.ocserv = {};


     

       

       
84

       
+

       



     

       

       
85

       
+

       
    systemd.services.ocserv = {


     

       

       
86

       
+

       
      description = "OpenConnect SSL VPN server";


     

       

       
87

       
+

       
      documentation = [ "man:ocserv(8)" ];


     

       

       
88

       
+

       
      after = [ "dbus.service" "network-online.target" ];


     

       

       
89

       
+

       
      wantedBy = [ "multi-user.target" ];


     

       

       
90

       
+

       



     

       

       
91

       
+

       
      serviceConfig = {


     

       

       
92

       
+

       
        PrivateTmp = true;


     

       

       
93

       
+

       
        PIDFile = "/var/run/ocserv.pid";


     

       

       
94

       
+

       
        ExecStart = "${pkgs.ocserv}/bin/ocserv --foreground --pid-file /var/run/ocesrv.pid --config /etc/ocserv/ocserv.conf";


     

       

       
95

       
+

       
        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";


     

       

       
96

       
+

       
      };


     

       

       
97

       
+

       
    };


     

       

       
98

       
+

       
  };


     

       

       
99

       
+

       
}
+26
pkgs/tools/networking/ocserv/default.nix 
···

       

       
1

       
+

       
{ stdenv, fetchFromGitLab, autoreconfHook, pkgconfig, nettle, gnutls


     

       

       
2

       
+

       
, libev, protobufc, guile, geoip, libseccomp, gperf, readline


     

       

       
3

       
+

       
, lz4, libgssglue, ronn, coreutils, pam


     

       

       
4

       
+

       
}:


     

       

       
5

       
+

       



     

       

       
6

       
+

       
stdenv.mkDerivation rec {


     

       

       
7

       
+

       
  name = "ocserv-${version}";


     

       

       
8

       
+

       
  version = "0.12.1";


     

       

       
9

       
+

       



     

       

       
10

       
+

       
  src = fetchFromGitLab {


     

       

       
11

       
+

       
    owner = "openconnect";


     

       

       
12

       
+

       
    repo = "ocserv";


     

       

       
13

       
+

       
    rev = "ocserv_${stdenv.lib.replaceStrings [ "." ] [ "_" ] version}";


     

       

       
14

       
+

       
    sha256 = "0jn91a50r3ryj1ph9fzxwy2va877b0b37ahargxzn7biccd8nh0y";


     

       

       
15

       
+

       
  };


     

       

       
16

       
+

       



     

       

       
17

       
+

       
  nativeBuildInputs = [ autoreconfHook pkgconfig ];


     

       

       
18

       
+

       
  buildInputs = [ nettle gnutls libev protobufc guile geoip libseccomp gperf readline lz4 libgssglue ronn pam ];


     

       

       
19

       
+

       



     

       

       
20

       
+

       
  meta = with stdenv.lib; {


     

       

       
21

       
+

       
    homepage = https://gitlab.com/openconnect/ocserv;


     

       

       
22

       
+

       
    license = licenses.gpl2;


     

       

       
23

       
+

       
    description = "This program is openconnect VPN server (ocserv), a server for the openconnect VPN client.";


     

       

       
24

       
+

       
    maintainers = with maintainers; [ ma27 ];


     

       

       
25

       
+

       
  };


     

       

       
26

       
+

       
}
+2
pkgs/top-level/all-packages.nix 
···

       
4252

       
4252

       
 

       



     

       
4253

       
4253

       
 

       
  ocproxy = callPackage ../tools/networking/ocproxy { };


     

       
4254

       
4254

       
 

       



     

       

       
4255

       
+

       
  ocserv = callPackage ../tools/networking/ocserv { };


     

       

       
4256

       
+

       



     

       
4255

       
4257

       
 

       
  openfortivpn = callPackage ../tools/networking/openfortivpn { };


     

       
4256

       
4258

       
 

       



     

       
4257

       
4259

       
 

       
  obexfs = callPackage ../tools/bluetooth/obexfs { };