summary refs log tree commit diff
diff options
context:
space:
mode:
authorJeremy Fleischman <jeremyfleischman@gmail.com>2023-07-08 17:16:17 -0700
committerJeremy Fleischman <jeremyfleischman@gmail.com>2023-10-13 00:32:15 -0700
commit7ee56994968e7c7d3e64b32974aecd3386ea8c68 (patch)
treee4f63b5601cb50ce8fdee3b5a0943806fa883eb7
parent8b6e86b47378b36984bd7bc37e34126283c8355c (diff)
downloadnixpkgs-7ee56994968e7c7d3e64b32974aecd3386ea8c68.tar
nixpkgs-7ee56994968e7c7d3e64b32974aecd3386ea8c68.tar.gz
nixpkgs-7ee56994968e7c7d3e64b32974aecd3386ea8c68.tar.bz2
nixpkgs-7ee56994968e7c7d3e64b32974aecd3386ea8c68.tar.lz
nixpkgs-7ee56994968e7c7d3e64b32974aecd3386ea8c68.tar.xz
nixpkgs-7ee56994968e7c7d3e64b32974aecd3386ea8c68.tar.zst
nixpkgs-7ee56994968e7c7d3e64b32974aecd3386ea8c68.zip
nixos/openvpn3: Add support for systemd-resolved
I noticed that openvpn3 is been clobbering my `/etc/resolv.conf` file. I
dug around a bit, and it turns out that upstream actually does have
support for systemd-resolved. I think it makes sense for us to
automatically enable that feature if the system is configured to use
systemd-resolved.

I opted to not change the default behavior of `pkgs.openvpn3`, but can
easily be convinced to change that if folks think I should.
Diffstat
-rw-r--r--nixos/doc/manual/release-notes/rl-2311.section.md2
-rw-r--r--nixos/modules/programs/openvpn3.nix20
-rw-r--r--pkgs/tools/networking/openvpn3/default.nix8
3 files changed, 26 insertions, 4 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index a05fda1ce26..547fccbb890 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -320,6 +320,8 @@
 
 - The `fonts.fonts` and `fonts.enableDefaultFonts` options have been renamed to `fonts.packages` and `fonts.enableDefaultPackages` respectively.
 
+- `pkgs.openvpn3` now optionally supports systemd-resolved. `programs.openvpn3` will automatically enable systemd-resolved support if `config.services.resolved.enable` is enabled.
+
 - `services.fail2ban.jails` can now be configured with attribute sets defining settings and filters instead of lines. The stringed options `daemonConfig` and `extraSettings` have respectively been replaced by `daemonSettings` and `jails.DEFAULT.settings` which use attribute sets.
 
 - The application firewall `opensnitch` now uses the process monitor method eBPF as default as recommended by upstream. The method can be changed with the setting [services.opensnitch.settings.ProcMonitorMethod](#opt-services.opensnitch.settings.ProcMonitorMethod).
diff --git a/nixos/modules/programs/openvpn3.nix b/nixos/modules/programs/openvpn3.nix
index df7e9ef22c1..37a1bfeb0c3 100644
--- a/nixos/modules/programs/openvpn3.nix
+++ b/nixos/modules/programs/openvpn3.nix
@@ -8,11 +8,23 @@ in
 {
   options.programs.openvpn3 = {
     enable = mkEnableOption (lib.mdDoc "the openvpn3 client");
+    package = mkOption {
+      type = types.package;
+      default = pkgs.openvpn3.override {
+        enableSystemdResolved = config.services.resolved.enable;
+      };
+      defaultText = literalExpression ''pkgs.openvpn3.override {
+        enableSystemdResolved = config.services.resolved.enable;
+      }'';
+      description = lib.mdDoc ''
+        Which package to use for `openvpn3`.
+      '';
+    };
   };
 
   config = mkIf cfg.enable {
-    services.dbus.packages = with pkgs; [
-      openvpn3
+    services.dbus.packages = [
+      cfg.package
     ];
 
     users.users.openvpn = {
@@ -25,8 +37,8 @@ in
       gid = config.ids.gids.openvpn;
     };
 
-    environment.systemPackages = with pkgs; [
-      openvpn3
+    environment.systemPackages = [
+      cfg.package
     ];
   };
 
diff --git a/pkgs/tools/networking/openvpn3/default.nix b/pkgs/tools/networking/openvpn3/default.nix
index 295055d797d..b6037d67d82 100644
--- a/pkgs/tools/networking/openvpn3/default.nix
+++ b/pkgs/tools/networking/openvpn3/default.nix
@@ -15,6 +15,8 @@
 , pkg-config
 , protobuf
 , python3
+, systemd
+, enableSystemdResolved ? false
 , tinyxml-2
 , wrapGAppsHook
 }:
@@ -80,6 +82,8 @@ stdenv.mkDerivation rec {
     openssl
     protobuf
     tinyxml-2
+  ] ++ lib.optionals enableSystemdResolved [
+    systemd
   ];
 
   # runtime deps
@@ -101,6 +105,10 @@ stdenv.mkDerivation rec {
     "--enable-addons-aws"
     "--disable-selinux-build"
     "--disable-build-test-progs"
+  ] ++ lib.optionals enableSystemdResolved [
+    # This defaults to --resolv-conf /etc/resolv.conf. See
+    # https://github.com/OpenVPN/openvpn3-linux/blob/v20/configure.ac#L434
+    "DEFAULT_DNS_RESOLVER=--systemd-resolved"
   ];
 
   NIX_LDFLAGS = "-lpthread";
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-06-19 12:08:52 +0000