author | Jeremy Fleischman <jeremyfleischman@gmail.com> | 2023-07-08 17:16:17 -0700 |
committer | Jeremy Fleischman <jeremyfleischman@gmail.com> | 2023-10-13 00:32:15 -0700 |
commit | 7ee56994968e7c7d3e64b32974aecd3386ea8c68 (patch) | |
tree | e4f63b5601cb50ce8fdee3b5a0943806fa883eb7 | |
parent | 8b6e86b47378b36984bd7bc37e34126283c8355c (diff) | |
nixos/openvpn3: Add support for systemd-resolved
I noticed that openvpn3 has been clobbering my `/etc/resolv.conf` file. I dug around a bit, and it turns out that upstream actually does have support for systemd-resolved. I think it makes sense for us to automatically enable that feature if the system is configured to use systemd-resolved. I opted not to change the default behavior of `pkgs.openvpn3`, but I can easily be convinced to change that if folks think I should.
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2311.section.md | 2 | ||||
-rw-r--r-- | nixos/modules/programs/openvpn3.nix | 20 | ||||
-rw-r--r-- | pkgs/tools/networking/openvpn3/default.nix | 8 |
3 files changed, 26 insertions, 4 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2311.section.md b/nixos/doc/manual/release-notes/rl-2311.section.md
index a05fda1ce26..547fccbb890 100644
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@@ -320,6 +320,8 @@
 - The `fonts.fonts` and `fonts.enableDefaultFonts` options have been renamed to `fonts.packages` and `fonts.enableDefaultPackages` respectively.
+- `pkgs.openvpn3` now optionally supports systemd-resolved. `programs.openvpn3` will automatically enable systemd-resolved support if `config.services.resolved.enable` is enabled.
+
 - `services.fail2ban.jails` can now be configured with attribute sets defining settings and filters instead of lines. The stringed options `daemonConfig` and `extraSettings` have respectively been replaced by `daemonSettings` and `jails.DEFAULT.settings` which use attribute sets.
 - The application firewall `opensnitch` now uses the process monitor method eBPF as default as recommended by upstream. The method can be changed with the setting [services.opensnitch.settings.ProcMonitorMethod](#opt-services.opensnitch.settings.ProcMonitorMethod).
diff --git a/nixos/modules/programs/openvpn3.nix b/nixos/modules/programs/openvpn3.nix
index df7e9ef22c1..37a1bfeb0c3 100644
--- a/nixos/modules/programs/openvpn3.nix
+++ b/nixos/modules/programs/openvpn3.nix
@@ -8,11 +8,23 @@ in
 {
 options.programs.openvpn3 = {
 enable = mkEnableOption (lib.mdDoc "the openvpn3 client");
+ package = mkOption {
+ type = types.package;
+ default = pkgs.openvpn3.override {
+ enableSystemdResolved = config.services.resolved.enable;
+ };
+ defaultText = literalExpression ''pkgs.openvpn3.override {
+ enableSystemdResolved = config.services.resolved.enable;
+ }'';
+ description = lib.mdDoc ''
+ Which package to use for `openvpn3`.
+ '';
+ };
 };
 config = mkIf cfg.enable {
- services.dbus.packages = with pkgs; [
- openvpn3
+ services.dbus.packages = [
+ cfg.package
 ];
 users.users.openvpn = {
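Review bot: The description of the new `package` option, `Which package to use for openvpn3.`, does not tell the reader that the default is built with `enableSystemdResolved = config.services.resolved.enable`, nor what an override loses: per the comment added in the package hunk, a build without that flag defaults to `--resolv-conf /etc/resolv.conf`, which is the clobbering the commit message describes, so a user who sets `programs.openvpn3.package = pkgs.openvpn3` on a resolved-managed host reintroduces it. I would extend the description to something like `Which package to use for openvpn3. The default enables the systemd-resolved DNS backend when services.resolved.enable is set; an override that omits enableSystemdResolved makes the client rewrite /etc/resolv.conf itself.` The second hunk of this file makes the same `cfg.package` substitution for `environment.systemPackages` and needs no separate note. The `config = mkIf cfg.enable { … }` block this hunk enters continues past the hunk.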
@@ -25,8 +37,8 @@ in
 gid = config.ids.gids.openvpn;
 };
- environment.systemPackages = with pkgs; [
- openvpn3
+ environment.systemPackages = [
+ cfg.package
 ];
 };
diff --git a/pkgs/tools/networking/openvpn3/default.nix b/pkgs/tools/networking/openvpn3/default.nix
index 295055d797d..b6037d67d82 100644
--- a/pkgs/tools/networking/openvpn3/default.nix
+++ b/pkgs/tools/networking/openvpn3/default.nix
@@ -15,6 +15,8 @@
 , pkg-config
 , protobuf
 , python3
+, systemd
+, enableSystemdResolved ? false
 , tinyxml-2
 , wrapGAppsHook
 }:
@@ -80,6 +82,8 @@ stdenv.mkDerivation rec {
 openssl
 protobuf
 tinyxml-2
+ ] ++ lib.optionals enableSystemdResolved [
+ systemd
 ];
 # runtime deps
@@ -101,6 +105,10 @@ stdenv.mkDerivation rec {
 "--enable-addons-aws"
 "--disable-selinux-build"
 "--disable-build-test-progs"
+ ] ++ lib.optionals enableSystemdResolved [
+ # This defaults to --resolv-conf /etc/resolv.conf. See
+ # https://github.com/OpenVPN/openvpn3-linux/blob/v20/configure.ac#L434
+ "DEFAULT_DNS_RESOLVER=--systemd-resolved"
 ];
 NIX_LDFLAGS = "-lpthread"; |
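Review bot: `enableSystemdResolved ? false` is added to the argument list without a comment saying what it switches, and the only explanation sits two hunks later inside `configureFlags`; a one-line comment on the parameter, `# build the systemd-resolved DNS backend and make it the default resolver instead of rewriting /etc/resolv.conf`, would let a reader evaluating the override understand the trade-off without hunting for it. The `configure.ac#L434` link in the `configureFlags` hunk is pinned to the `v20` tag, so the line anchor will silently drift from the packaged source when the version is bumped; keep the tag in step with the package version or drop the `#L434` anchor. The argument list, `buildInputs` and `configureFlags` each continue outside their hunks.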