diff --git a/nixos/modules/programs/openvpn3.nix b/nixos/modules/programs/openvpn3.nix index 10042b44471ff7e..a24828ec577dd83 100644 --- a/nixos/modules/programs/openvpn3.nix +++ b/nixos/modules/programs/openvpn3.nix 
@@ -1,29 +1,91 @@ { config, lib, pkgs, ... }: - let + json = pkgs.formats.json { }; cfg = config.programs.openvpn3; -in -{ - options.programs.openvpn3 = { - enable = lib.mkEnableOption "the openvpn3 client"; - package = lib.mkOption { - type = lib.types.package; - default = pkgs.openvpn3.override { - enableSystemdResolved = config.services.resolved.enable; +in { + options.programs.openvpn3 = let + inherit (lib) + mkEnableOption mkPackageOption mkOption literalExpression max options + lists; + inherit (lib.types) bool submodule ints; + in { + enable = mkEnableOption "the openvpn3 client"; + package = mkPackageOption pkgs "openvpn3" { }; + netcfg = mkOption { + description = "Network configuration"; + default = { }; + type = submodule { + options = { + settings = mkOption { + description = + "Options stored in {file}`/etc/openvpn3/netcfg.json` configuration file"; + default = { }; + type = submodule { + freeformType = json.type; + options = { + systemd_resolved = mkOption { + type = bool; + description = "Whether to use systemd-resolved integration"; + default = config.services.resolved.enable; + defaultText = + literalExpression "config.services.resolved.enable"; + example = false; + }; + }; + }; + }; + }; + }; + }; + log-service = mkOption { + description = "Log service configuration"; + default = { }; + type = submodule { + options = { + settings = mkOption { + description = + "Options stored in {file}`/etc/openvpn3/log-service.json` configuration file"; + default = { }; + type = submodule { + freeformType = json.type; + options = { + journald = mkOption { + description = "Use systemd-journald"; + type = bool; + default = true; + example = false; + }; + log_dbus_details = mkOption { + description = "Add D-Bus details in log file/syslog"; + type = bool; + default = true; + example = false; + }; + log_level = mkOption { + description = "How verbose should the logging be"; + type = (ints.between 0 7) // { + merge = _loc: defs: + lists.foldl max 0 (options.getValues 
defs); + }; + default = 3; + example = 6; + }; + timestamp = mkOption { + description = "Add timestamp log file"; + type = bool; + default = false; + example = true; + }; + }; + }; + }; + }; }; - defaultText = lib.literalExpression ''pkgs.openvpn3.override { - enableSystemdResolved = config.services.resolved.enable; - }''; - description = '' - Which package to use for `openvpn3`. - ''; }; }; config = lib.mkIf cfg.enable { - services.dbus.packages = [ - cfg.package - ]; + services.dbus.packages = [ cfg.package ]; users.users.openvpn = { isSystemUser = true; @@ -31,13 +93,24 @@ in group = "openvpn"; }; - users.groups.openvpn = { - gid = config.ids.gids.openvpn; + users.groups.openvpn = { gid = config.ids.gids.openvpn; }; + + environment = { + systemPackages = [ cfg.package ]; + etc = let + genConfig = name: options: { + "openvpn3/${name}".source = json.generate name options; + }; + in (genConfig "netcfg.json" cfg.netcfg.settings) + // (genConfig "log-service.json" cfg.log-service.settings); }; - environment.systemPackages = [ - cfg.package - ]; + systemd.packages = [ cfg.package ]; }; + meta.maintainers = [ + lib.maintainers.shamilton + lib.maintainers.kfears + lib.maintainers.progrm_jarvis + ]; } diff --git a/pkgs/by-name/op/openvpn3/package.nix b/pkgs/by-name/op/openvpn3/package.nix new file mode 100644 index 000000000000000..b0d66d36fad8801 --- /dev/null +++ b/pkgs/by-name/op/openvpn3/package.nix 
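Review bot: The custom `merge` on `log_level` in the log-service submodule resolves multiple definitions by taking the highest value (`lists.foldl max 0 (options.getValues defs)`) instead of reporting a conflict, but the option description does not say so, so someone setting a lower level in another module will not learn why it was ignored; suggest `description = "How verbose should the logging be. When defined more than once, the highest level wins.";`. The `timestamp` description reads `"Add timestamp log file"`; `"Add timestamps to the log file"` matches what the flag name suggests. The `package` option no longer passes `enableSystemdResolved` to the package, while `systemd_resolved` in netcfg.json still defaults to `config.services.resolved.enable`, so a user overriding the package with that flag disabled while resolved is enabled gets a config asking for an integration the binary was built without — whether the service then fails or falls back is not visible here, and a short comment on `systemd_resolved` noting the coupling would help.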
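Review bot: Nothing in the new `config` section creates the persistent-profile directory under `/etc/openvpn3`, while patch 0002 (the `src/configmgr/meson.build` hunk) comments out the `mkdir -p ... configs` install step that used to create it, so configmgr presumably has no writable directory for persistent profiles on NixOS; the `environment.etc` entries only place the two generated JSON files. If profiles are expected to be persisted there, a `systemd.tmpfiles.rules` entry owned by the `openvpn` user (e.g. `"d /etc/openvpn3/configs 0750 openvpn openvpn -"`, path and mode to be confirmed against the configmgr defaults) would restore it; if the omission is intentional, a comment in the module saying so would spare the next reader the same question. Both JSON files are generated from freeform submodules, so a misspelled setting name is written to the file silently rather than rejected — acceptable for freeform options, but worth a one-line comment on each `settings` option.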
@@ -0,0 +1,133 @@ +{ lib +, stdenv +, fetchFromGitHub +, asio +, glib +, jsoncpp +, libcap_ng +, libnl +, libuuid +, lz4 +, openssl +, pkg-config +, protobuf +, python3 +, systemd +, tinyxml-2 +, wrapGAppsHook3 +, gobject-introspection +, meson +, ninja +, gdbuspp +, cmake +, git +, enableSystemdResolved ? true +}: + +stdenv.mkDerivation rec { + pname = "openvpn3"; + # also update openvpn3-core + version = "22_dev"; + + src = fetchFromGitHub { + owner = "OpenVPN"; + repo = "openvpn3-linux"; + rev = "refs/tags/v${version}"; + # Don't forget to actualize version scripts in `postPatch` + hash = "sha256-UbphN5gHgO30ry0kX6W4qSs5Ksrvfhm4xiRNBdzEOhA="; + # `openvpn3-core` is a submodule. + # TODO: make it into a separate package + fetchSubmodules = true; + }; + + patches = [ + ./patches/0001-customizable-asio-path.patch + ./patches/0002-customizable-installation-paths.patch + ]; + + postPatch = '' + echo '#define OPENVPN_VERSION "3.git:unknown:unknown"' > ./src/build-version.h + echo '#define PACKAGE_GUIVERSION "${builtins.replaceStrings ["_"] [":"] version}_unknown__s"' >> ./src/build-version.h + echo '#define PACKAGE_NAME "openvpn3-linux"' >> ./src/build-version.h + + patchShebangs ** /*.py ** /*.sh \ + ./scripts \ + ./src/python/{openvpn2,openvpn3-as,openvpn3-autoload} \ + ./distro/systemd/openvpn3-systemd \ + ./src/tests/dbus/netcfg-subscription-test + ''; + + pythonPath = python3.withPackages (ps: [ + ps.dbus-python + ps.pygobject3 + ps.systemd + ]); + + nativeBuildInputs = [ + meson + ninja + pkg-config + cmake + git + + python3.pkgs.wrapPython + python3.pkgs.docutils + python3.pkgs.jinja2 + python3.pkgs.dbus-python + wrapGAppsHook3 + gobject-introspection.dev + ]; + + buildInputs = [ + asio + glib.dev + jsoncpp.dev + libcap_ng.dev + libnl.dev + libuuid.dev + lz4.dev + openssl.dev + protobuf + tinyxml-2 + gdbuspp + ] ++ lib.optionals enableSystemdResolved [ + systemd.dev + ]; + + mesonFlags = [ + (lib.mesonOption "selinux" "disabled") + (lib.mesonOption 
"selinux_policy" "disabled") + (lib.mesonOption "bash-completion" "enabled") + (lib.mesonOption "test_programs" "disabled") + (lib.mesonOption "unit_tests" "disabled") + (lib.mesonOption "asio_path" "${asio}") + (lib.mesonOption "dbus_policy_dir" "${placeholder "out"}/share/dbus-1/system.d") + (lib.mesonOption "dbus_system_service_dir" "${placeholder "out"}/share/dbus-1/system-services") + (lib.mesonOption "systemd_system_unit_dir" "${placeholder "out"}/lib/systemd/system") + (lib.mesonOption "sharedstatedir" "/etc") + ]; + + dontWrapGApps = true; + preFixup = '' + makeWrapperArgs+=("''${gappsWrapperArgs[@]}") + ''; + postFixup = '' + wrapPythonPrograms + wrapPythonProgramsIn "$out/libexec/openvpn3-linux" "$out ${pythonPath}" + ''; + + NIX_LDFLAGS = "-lpthread"; + + meta = { + description = "OpenVPN 3 Linux client"; + license = lib.licenses.agpl3Plus; + homepage = "https://github.com/OpenVPN/openvpn3-linux/"; + changelog = "https://github.com/OpenVPN/openvpn3-linux/releases/tag/v${version}"; + maintainers = [ + lib.maintainers.shamilton + lib.maintainers.kfears + lib.maintainers.progrm_jarvis + ]; + platforms = lib.platforms.linux; + }; +} diff --git a/pkgs/by-name/op/openvpn3/patches/0001-customizable-asio-path.patch b/pkgs/by-name/op/openvpn3/patches/0001-customizable-asio-path.patch new file mode 100644 index 000000000000000..47ad83c70b7701b --- /dev/null +++ b/pkgs/by-name/op/openvpn3/patches/0001-customizable-asio-path.patch @@ -0,0 +1,13 @@ +diff --git a/meson.build b/meson.build +index 2bba337..092b4ce 100644 +--- a/meson.build ++++ b/meson.build +@@ -68,7 +68,7 @@ endif + # + # Setup additional include header dirs + # +-asio_inc = get_option('asio_path') / 'asio' / 'include' ++asio_inc = get_option('asio_path') / 'include' + message ('ASIO library: ' + asio_inc) + + openvpn3_core_inc = get_option('openvpn3_core_path') 
diff --git a/pkgs/by-name/op/openvpn3/patches/0002-customizable-installation-paths.patch b/pkgs/by-name/op/openvpn3/patches/0002-customizable-installation-paths.patch new file mode 100644 index 000000000000000..2cfe41c74b903e6 --- /dev/null +++ b/pkgs/by-name/op/openvpn3/patches/0002-customizable-installation-paths.patch 
@@ -0,0 +1,86 @@ +diff --git a/distro/systemd/meson.build b/distro/systemd/meson.build +index 36d556c..9c636b6 100644 +--- a/distro/systemd/meson.build ++++ b/distro/systemd/meson.build +@@ -15,12 +15,17 @@ systemd_cfg = configuration_data({ + + systemd_service_cfg = dependency('systemd') + ++systemd_system_unit_dir = get_option('systemd_system_unit_dir') ++if systemd_system_unit_dir == '' ++ systemd_system_unit_dir = systemd_service_cfg.get_variable('systemdsystemunitdir') ++endif ++ + configure_file( + input: 'openvpn3-autoload.service.in', + output: 'openvpn3-autoload.service', + configuration: systemd_cfg, + install: true, +- install_dir: systemd_service_cfg.get_variable('systemdsystemunitdir'), ++ install_dir: systemd_system_unit_dir, + ) + + configure_file( +@@ -28,7 +33,7 @@ configure_file( + output: 'openvpn3-session@.service', + configuration: systemd_cfg, + install: true, +- install_dir: systemd_service_cfg.get_variable('systemdsystemunitdir'), ++ install_dir: systemd_system_unit_dir, + ) + + custom_target('openvpn3-systemd', +diff --git a/meson.build b/meson.build +index 092b4ce..e1ec8c1 100644 +--- a/meson.build ++++ b/meson.build +@@ -180,8 +180,16 @@ message('OpenVPN 3 Linux service binary directory: ' + get_option('prefix') / li + + # + # D-Bus configuration +-dbus_policy_dir = dep_dbus.get_variable('datadir') / 'dbus-1' / 'system.d' +-dbus_service_dir = dep_dbus.get_variable('system_bus_services_dir') ++dbus_policy_dir = get_option('dbus_policy_dir') ++if dbus_policy_dir == '' ++ dbus_policy_dir = dep_dbus.get_variable('datadir') / 'dbus-1' / 'system.d' ++endif ++ ++dbus_service_dir = get_option('dbus_system_service_dir') ++if dbus_service_dir == '' ++ dbus_service_dir = dep_dbus.get_variable('system_bus_services_dir') ++endif ++ + dbus_config = { + 'OPENVPN_USERNAME': get_option('openvpn_username'), + 'LIBEXEC_PATH': get_option('prefix') / libexec_dir, +diff --git a/meson_options.txt b/meson_options.txt +index e9e759e..68fec37 100644 +--- 
a/meson_options.txt ++++ b/meson_options.txt +@@ -81,6 +81,16 @@ option('use-legacy-polkit-pkla', type: 'feature', value: 'disabled', + option('polkit_pkla_rulesdir', type: 'string', value: '', + description: 'Override PolicyKit PKLA rules directory') + ++# ++# Installation paths ++# ++option('dbus_policy_dir', type: 'string', ++ description: 'D-Bus policy directory') ++option('dbus_system_service_dir', type: 'string', ++ description: 'D-Bus system service directory') ++option('systemd_system_unit_dir', type: 'string', ++ description: 'Path to systemd system unit directory') ++ + # + # Testing tools + # +diff --git a/src/configmgr/meson.build b/src/configmgr/meson.build +index 5d0a649..b534817 100644 +--- a/src/configmgr/meson.build ++++ b/src/configmgr/meson.build +@@ -55,4 +55,4 @@ configure_file( + # Create the configs directory for persistent configuration profiles + # NOTE: Can be replaced with install_emptydir() when Meson 0.60 or newer + # is available on all supported distros +-meson.add_install_script('sh','-c', 'mkdir -p $DESTDIR@0@'.format(openvpn3_statedir / 'configs')) ++# meson.add_install_script('sh','-c', 'mkdir -p $DESTDIR@0@'.format(openvpn3_statedir / 'configs')) diff --git a/pkgs/tools/networking/openvpn3/default.nix b/pkgs/tools/networking/openvpn3/default.nix deleted file mode 100644 index 5ab94c798f4f143..000000000000000 --- a/pkgs/tools/networking/openvpn3/default.nix +++ /dev/null 
@@ -1,123 +0,0 @@ -{ lib -, stdenv -, fetchFromGitHub -, asio -, autoconf-archive -, autoreconfHook -, glib -, gtest -, jsoncpp -, libcap_ng -, libnl -, libuuid -, lz4 -, openssl -, pkg-config -, protobuf -, python3 -, systemd -, enableSystemdResolved ? false -, tinyxml-2 -, wrapGAppsHook3 -}: - -let - openvpn3-core = fetchFromGitHub { - owner = "OpenVPN"; - repo = "openvpn3"; - rev = "7590cb109349809b948e8edaeecabdbfe24e4b17"; - hash = "sha256-S9D/FQa7HYj0FJnyb5dCrtgTH9Nf2nvtyp/VHiebq7I="; - }; -in -stdenv.mkDerivation rec { - pname = "openvpn3"; - # also update openvpn3-core - version = "20"; - - src = fetchFromGitHub { - owner = "OpenVPN"; - repo = "openvpn3-linux"; - rev = "v${version}"; - hash = "sha256-Weyb+rcx04mpDdcL7Qt4O+PvPf5MLPAP/Uy+8qoNXbQ="; - }; - - postPatch = '' - rm -r ./vendor/googletest - cp -r ${gtest.src} ./vendor/googletest - rm -r ./openvpn3-core - ln -s ${openvpn3-core} ./openvpn3-core - - chmod -R +w ./vendor/googletest - shopt -s globstar - - patchShebangs **/*.py **/*.sh ./src/python/{openvpn2,openvpn3-as,openvpn3-autoload} \ - ./distro/systemd/openvpn3-systemd ./src/tests/dbus/netcfg-subscription-test - - echo "3.git:v${version}:unknown" > openvpn3-core-version - ''; - - preAutoreconf = '' - substituteInPlace ./update-version-m4.sh --replace 'VERSION="$(git describe --always --tags)"' "VERSION=v${version}" - ./update-version-m4.sh - ''; - - nativeBuildInputs = [ - autoconf-archive - autoreconfHook - python3.pkgs.docutils - python3.pkgs.jinja2 - pkg-config - wrapGAppsHook3 - python3.pkgs.wrapPython - ] ++ pythonPath; - - buildInputs = [ - asio - glib - jsoncpp - libcap_ng - libnl - libuuid - lz4 - openssl - protobuf - tinyxml-2 - ] ++ lib.optionals enableSystemdResolved [ - systemd - ]; - - # runtime deps - pythonPath = with python3.pkgs; [ - dbus-python - pygobject3 - ]; - - dontWrapGApps = true; - preFixup = '' - makeWrapperArgs+=("''${gappsWrapperArgs[@]}") - ''; - postFixup = '' - wrapPythonPrograms - ''; - - configureFlags = [ - 
"--enable-bash-completion" - "--enable-addons-aws" - "--disable-selinux-build" - "--disable-build-test-progs" - ] ++ lib.optionals enableSystemdResolved [ - # This defaults to --resolv-conf /etc/resolv.conf. See - # https://github.com/OpenVPN/openvpn3-linux/blob/v20/configure.ac#L434 - "DEFAULT_DNS_RESOLVER=--systemd-resolved" - ]; - - NIX_LDFLAGS = "-lpthread"; - - meta = with lib; { - description = "OpenVPN 3 Linux client"; - license = licenses.agpl3Plus; - homepage = "https://github.com/OpenVPN/openvpn3-linux/"; - maintainers = with maintainers; [ shamilton kfears ]; - platforms = platforms.linux; - }; -} diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index 6497d6ebceee0a8..6e0aa5cfd373eaf 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -11272,8 +11272,6 @@ with pkgs; openvpn = callPackage ../tools/networking/openvpn {}; - openvpn3 = callPackage ../tools/networking/openvpn3 { }; - openvpn_learnaddress = callPackage ../tools/networking/openvpn/openvpn_learnaddress.nix { }; openvpn-auth-ldap = callPackage ../tools/networking/openvpn/openvpn-auth-ldap.nix {