commit 86bcff43e5aed4034e01968c120a4ce0c9b285b9 · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

fork atom

strongswan: 5.9.14 -> 6.0.2

Nick Cao 4 months ago 86bcff43 1dc8745c

+155 -164

1 changed file

expand all

unified split

pkgs

by-name

strongswan

package.nix

+155 -164

pkgs/by-name/st/strongswan/package.nix

··· 2 2 lib, 3 3 stdenv, 4 4 fetchFromGitHub, 5 - fetchpatch2, 5 + autoreconfHook, 6 6 pkg-config, 7 - autoreconfHook, 8 - perl, 9 - gperf, 10 7 bison, 11 8 flex, 12 - gmp, 13 - python3, 14 - iptables, 15 - ldns, 16 - unbound, 9 + curl, 10 + perl, 11 + gperf, 17 12 openssl, 18 13 pcsclite, 19 - glib, 14 + networkmanager, 20 15 openresolv, 16 + glib, 21 17 systemd, 18 + tpm2-tss, 19 + libxml2, 22 20 pam, 23 - curl, 24 - enableTNC ? false, 21 + iptables, 25 22 trousers, 26 23 sqlite, 27 - libxml2, 28 - enableTPM2 ? false, 29 - tpm2-tss, 30 - enableNetworkManager ? false, 31 - networkmanager, 24 + unbound, 25 + ldns, 26 + gmp, 32 27 nixosTests, 28 + enableNetworkManager ? false, 29 + enableTNC ? false, 30 + enableTPM2 ? false, 33 31 }: 32 + let 33 + features = rec { 34 + nm = enableNetworkManager; 35 + cmd = true; 36 + stroke = true; 37 + swanctl = true; 38 + systemd = stdenv.hostPlatform.isLinux; 34 39 35 - # Note on curl support: If curl is built with gnutls as its backend, the 36 - # strongswan curl plugin may break. 37 - # See https://wiki.strongswan.org/projects/strongswan/wiki/Curl for more info. 40 + openssl = true; 41 + 42 + farp = stdenv.hostPlatform.isLinux; 43 + dhcp = stdenv.hostPlatform.isLinux; 44 + af-alg = stdenv.hostPlatform.isLinux; 45 + resolve = stdenv.hostPlatform.isLinux; 46 + scripts = stdenv.hostPlatform.isLinux; 47 + connmark = stdenv.hostPlatform.isLinux; 48 + forecast = stdenv.hostPlatform.isLinux; 49 + kernel-netlink = stdenv.hostPlatform.isLinux; 50 + 51 + aesni = stdenv.hostPlatform.isx86_64; 52 + rdrand = stdenv.hostPlatform.isx86_64; 53 + padlock = stdenv.hostPlatform.system == "i686-linux"; 54 + 55 + kernel-pfkey = stdenv.hostPlatform.isDarwin || stdenv.hostPlatform.isFreeBSD; 56 + kernel-pfroute = stdenv.hostPlatform.isDarwin || stdenv.hostPlatform.isFreeBSD; 57 + kernel-libipsec = stdenv.hostPlatform.isDarwin || stdenv.hostPlatform.isFreeBSD; 38 58 59 + keychain = false; # breaks build 60 + osx-attr = stdenv.hostPlatform.isDarwin; 61 + 62 + ml = true; 63 + # Note on curl support: If curl is built with gnutls as its backend, the 64 + # strongswan curl plugin may break. 65 + # See https://wiki.strongswan.org/projects/strongswan/wiki/Curl for more info. 66 + curl = true; 67 + acert = true; 68 + pkcs11 = true; 69 + dnscert = true; 70 + unbound = true; 71 + chapoly = true; 72 + ext-auth = true; 73 + socket-dynamic = stdenv.hostPlatform.isLinux; 74 + 75 + eap-sim = true; 76 + eap-sim-file = true; 77 + eap-sim-pcsc = true; 78 + eap-simaka-pseudonym = true; 79 + eap-simaka-reauth = true; 80 + eap-identity = true; 81 + eap-md5 = true; 82 + eap-gtc = true; 83 + eap-aka = true; 84 + eap-aka-3gpp = true; 85 + eap-aka-3gpp2 = true; 86 + eap-mschapv2 = true; 87 + eap-tls = true; 88 + eap-peap = true; 89 + eap-radius = true; 90 + 91 + xauth-eap = true; 92 + xauth-pam = stdenv.hostPlatform.isLinux; 93 + xauth-noauth = true; 94 + 95 + gmp = eap-aka-3gpp2; 96 + } 97 + // lib.optionalAttrs enableTNC { 98 + eap-tnc = true; 99 + eap-ttls = true; 100 + eap-dynamic = true; 101 + 102 + tnccs-20 = true; 103 + 104 + tnc-imc = true; 105 + tnc-imv = true; 106 + tnc-ifmap = true; 107 + 108 + imc-os = true; 109 + imv-os = true; 110 + imc-attestation = true; 111 + imv-attestation = true; 112 + 113 + aikgen = true; 114 + tss-trousers = true; 115 + 116 + sqlite = true; 117 + } 118 + // lib.optionalAttrs enableTPM2 { 119 + tpm = true; 120 + tss-tss2 = true; 121 + }; 122 + in 39 123 stdenv.mkDerivation rec { 40 124 pname = "strongswan"; 41 - version = "5.9.14"; # Make sure to also update <nixpkgs/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix> when upgrading! 125 + version = "6.0.2"; # Make sure to also update <nixpkgs/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix> when upgrading! 42 126 43 127 src = fetchFromGitHub { 44 128 owner = "strongswan"; 45 129 repo = "strongswan"; 46 - rev = version; 47 - hash = "sha256-qFM7ErfqiDlUsZdGXJQVW3nJoh+I6tEdKRwzrKteRVY="; 130 + tag = version; 131 + hash = "sha256-wjz41gt+Xu4XJkEXRRVl3b3ryEoEtijeqmfVFoRjnA4="; 48 132 }; 49 133 50 - dontPatchELF = true; 134 + patches = [ 135 + ./ext_auth-path.patch 136 + ./firewall_defaults.patch 137 + ./updown-path.patch 138 + ]; 51 139 52 140 nativeBuildInputs = [ 141 + autoreconfHook 53 142 pkg-config 54 - autoreconfHook 55 - perl 56 - gperf 57 143 bison 58 144 flex 59 - ]; 60 - buildInputs = [ 61 - curl 62 - gmp 63 - python3 64 - ldns 65 - unbound 66 - openssl 67 - pcsclite 68 - ] 69 - ++ lib.optionals enableTNC [ 70 - trousers 71 - sqlite 72 - libxml2 73 - ] 74 - ++ lib.optional enableTPM2 tpm2-tss 75 - ++ lib.optionals stdenv.hostPlatform.isLinux [ 76 - systemd.dev 77 - pam 78 - iptables 79 - ] 80 - ++ lib.optionals enableNetworkManager [ 81 - networkmanager 82 - glib 145 + perl 146 + gperf 83 147 ]; 84 148 85 - patches = [ 86 - ./ext_auth-path.patch 87 - ./firewall_defaults.patch 88 - ./updown-path.patch 89 - # Fixes for gettext 0.25 90 - (fetchpatch2 { 91 - url = "https://github.com/strongswan/strongswan/commit/7ec0101250bf2ac3da7a576cbb4204fceb2ef10c.patch?full_index=1"; 92 - excludes = [ "scripts/test.sh" ]; 93 - hash = "sha256-ATd/oj6/1vrtZdwMs45rA2MGtH2viumyucVj0LZ8Nnc="; 94 - }) 95 - (fetchpatch2 { 96 - url = "https://github.com/strongswan/strongswan/commit/e8e5e2d4419a686c5a2c064648618ec281089b2e.patch?full_index=1"; 97 - hash = "sha256-p98LSX8jjsDK/GZTovj/salmQ8T+txEV3vKD+wTUvsM="; 98 - }) 99 - (fetchpatch2 { 100 - url = "https://github.com/strongswan/strongswan/commit/2b3a5172d89c513ed28d21bb406c1b4ef0ac787a.patch?full_index=1"; 101 - hash = "sha256-xqp2Lq4pp3Uu0nVC/fl4E5mpJqCNgyZXP2g/Y2wShhI="; 102 - }) 103 - ]; 104 - 105 - postPatch = lib.optionalString stdenv.hostPlatform.isLinux '' 106 - # glibc-2.26 reorganized internal includes 107 - sed '1i#include <stdint.h>' -i src/libstrongswan/utils/utils/memory.h 108 - 109 - substituteInPlace src/libcharon/plugins/resolve/resolve_handler.c --replace "/sbin/resolvconf" "${openresolv}/sbin/resolvconf" 110 - ''; 149 + buildInputs = 150 + lib.optional (features.gmp or false) gmp 151 + ++ lib.optional (features.eap-sim-pcsc or false) pcsclite 152 + ++ lib.optional (features.openssl or false) openssl 153 + ++ lib.optional (features.curl or false) curl 154 + ++ lib.optional (features.systemd or false) systemd 155 + ++ lib.optional (features.tnc-ifmap or false) libxml2 156 + ++ lib.optional (features.xauth-pam or false) pam 157 + ++ lib.optional (features.forecast or false || features.connmark or false) iptables 158 + ++ lib.optional (features.tss-trousers or false) trousers 159 + ++ lib.optional (features.tss-tss2 or false) tpm2-tss 160 + ++ lib.optional (features.sqlite or false) sqlite 161 + ++ lib.optionals (features.unbound or false) [ 162 + unbound 163 + ldns 164 + ] 165 + ++ lib.optionals (features.nm or false) [ 166 + networkmanager 167 + glib 168 + ]; 111 169 112 - configureFlags = [ 170 + configureFlags = (lib.mapAttrsToList (lib.flip lib.enableFeature)) features ++ [ 113 171 "--sysconfdir=/etc" 114 - "--enable-swanctl" 115 - "--enable-cmd" 116 - "--enable-openssl" 117 - "--enable-eap-sim" 118 - "--enable-eap-sim-file" 119 - "--enable-eap-simaka-pseudonym" 120 - "--enable-eap-simaka-reauth" 121 - "--enable-eap-identity" 122 - "--enable-eap-md5" 123 - "--enable-eap-gtc" 124 - "--enable-eap-aka" 125 - "--enable-eap-aka-3gpp2" 126 - "--enable-eap-mschapv2" 127 - "--enable-eap-radius" 128 - "--enable-xauth-eap" 129 - "--enable-ext-auth" 130 - "--enable-acert" 131 - "--enable-pkcs11" 132 - "--enable-eap-sim-pcsc" 133 - "--enable-dnscert" 134 - "--enable-unbound" 135 - "--enable-chapoly" 136 - "--enable-curl" 137 - ] 138 - ++ lib.optionals stdenv.hostPlatform.isLinux [ 139 - "--enable-farp" 140 - "--enable-dhcp" 141 - "--enable-systemd" 142 - "--with-systemdsystemunitdir=${placeholder "out"}/etc/systemd/system" 143 - "--enable-xauth-pam" 144 - "--enable-forecast" 145 - "--enable-connmark" 146 - "--enable-af-alg" 147 - ] 148 - ++ lib.optionals stdenv.hostPlatform.isx86_64 [ 149 - "--enable-aesni" 150 - "--enable-rdrand" 151 - ] 152 - ++ lib.optional (stdenv.hostPlatform.system == "i686-linux") "--enable-padlock" 153 - ++ lib.optionals enableTNC [ 154 - "--disable-gmp" 155 - "--disable-aes" 156 - "--disable-md5" 157 - "--disable-sha1" 158 - "--disable-sha2" 159 - "--disable-fips-prf" 160 - "--enable-eap-tnc" 161 - "--enable-eap-ttls" 162 - "--enable-eap-dynamic" 163 - "--enable-tnccs-20" 164 - "--enable-tnc-imc" 165 - "--enable-imc-os" 166 - "--enable-imc-attestation" 167 - "--enable-tnc-imv" 168 - "--enable-imv-attestation" 169 - "--enable-tnc-ifmap" 170 - "--enable-tnc-imc" 171 - "--enable-tnc-imv" 172 - "--with-tss=trousers" 173 - "--enable-aikgen" 174 - "--enable-sqlite" 175 - ] 176 - ++ lib.optionals enableTPM2 [ 177 - "--enable-tpm" 178 - "--enable-tss-tss2" 179 - ] 180 - ++ lib.optionals enableNetworkManager [ 181 - "--enable-nm" 182 - "--with-nm-ca-dir=/etc/ssl/certs" 183 - ] 184 - # Taken from: https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX 185 - ++ lib.optionals stdenv.hostPlatform.isDarwin [ 186 - "--disable-systemd" 187 - "--disable-xauth-pam" 188 - "--disable-kernel-netlink" 189 - "--enable-kernel-pfkey" 190 - "--enable-kernel-pfroute" 191 - "--enable-kernel-libipsec" 192 - "--enable-osx-attr" 193 - "--disable-scripts" 172 + (lib.withFeatureAs (features.nm or false) "nm-ca-dir" "/etc/ssl/certs") 173 + (lib.withFeatureAs (features.systemd or false 174 + ) "systemdsystemunitdir" "${placeholder "out"}/etc/systemd/system") 194 175 ]; 195 176 196 177 installFlags = [ 197 178 "sysconfdir=${placeholder "out"}/etc" 198 179 ]; 199 180 200 - NIX_LDFLAGS = lib.optionalString stdenv.cc.isGNU "-lgcc_s"; 181 + enableParallelBuilding = true; 182 + 183 + dontPatchELF = true; 201 184 202 185 passthru.tests = { inherit (nixosTests) strongswan-swanctl; }; 203 186 204 - meta = with lib; { 205 - description = "OpenSource IPsec-based VPN Solution"; 206 - homepage = "https://www.strongswan.org"; 207 - license = licenses.gpl2Plus; 208 - platforms = platforms.all; 187 + postPatch = lib.optionalString features.resolve '' 188 + substituteInPlace src/libcharon/plugins/resolve/resolve_handler.c \ 189 + --replace-fail "/sbin/resolvconf" "${openresolv}/sbin/resolvconf" 190 + ''; 191 + 192 + meta = { 193 + description = "OpenSource IPsec-based VPN solution"; 194 + homepage = "https://www.strongswan.org/"; 195 + changelog = "https://github.com/strongswan/strongswan/blob/${src.rev}/ChangeLog"; 196 + license = lib.licenses.gpl2Plus; 197 + maintainers = with lib.maintainers; [ nickcao ]; 198 + mainProgram = "swanctl"; 199 + platforms = lib.platforms.unix; 209 200 }; 210 201 }