1 { lib, stdenv, fetchFromGitHub
2 , pkg-config, autoreconfHook, perl, gperf, bison, flex
3 , gmp, python3, iptables, ldns, unbound, openssl, pcsclite, glib
4 , openresolv
5 , systemd, pam
6 , curl
7 , enableTNC            ? false, trousers, sqlite, libxml2
8 , enableNetworkManager ? false, networkmanager
9 , darwin
10 , nixosTests
13 # Note on curl support: If curl is built with gnutls as its backend, the
14 # strongswan curl plugin may break.
15 # See https://wiki.strongswan.org/projects/strongswan/wiki/Curl for more info.
17 stdenv.mkDerivation rec {
18   pname = "strongswan"; # release pin: bump version, the src hash below and the swanctl-params module together
19   version = "5.9.14"; # Make sure to also update <nixpkgs/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix> when upgrading!
21   src = fetchFromGitHub { # upstream source, pinned by tag and by content hash
22     owner = "strongswan";
23     repo = "strongswan";
24     rev = version; # git tag equals the version string
25     hash = "sha256-qFM7ErfqiDlUsZdGXJQVW3nJoh+I6tEdKRwzrKteRVY="; # content pin; tag alone is mutable
26   };
28   dontPatchELF = true; # NOTE(review): rationale not recorded here; confirm what breaks before removing
30   nativeBuildInputs = [ pkg-config autoreconfHook perl gperf bison flex ]; # build-host tools only, not linked into the output
31   buildInputs = # runtime libraries; the optional sets mirror the enable* switches and platform branches in configureFlags
32     [ curl gmp python3 ldns unbound openssl pcsclite ]
33     ++ lib.optionals enableTNC [ trousers sqlite libxml2 ] # trousers is the TSS named by --with-tss below
34     ++ lib.optionals stdenv.hostPlatform.isLinux [ systemd.dev pam iptables ]
35     ++ lib.optionals stdenv.hostPlatform.isDarwin (with darwin.apple_sdk.frameworks; [ SystemConfiguration ])
36     ++ lib.optionals enableNetworkManager [ networkmanager glib ];
38   patches = [ # local patches; judging by the file names they adjust hard-coded helper paths and firewall defaults
39     ./ext_auth-path.patch
40     ./firewall_defaults.patch
41     ./updown-path.patch
42   ];
44   postPatch = lib.optionalString stdenv.hostPlatform.isLinux ''
45     # glibc-2.26 reorganized internal includes
46     sed '1i#include <stdint.h>' -i src/libstrongswan/utils/utils/memory.h
48     substituteInPlace src/libcharon/plugins/resolve/resolve_handler.c --replace "/sbin/resolvconf" "${openresolv}/sbin/resolvconf"
49     ''; # Linux only; pins the resolvconf helper to the openresolv store path instead of the host's /sbin/resolvconf
51   configureFlags = # compile-time feature set; any host path given here (nm-ca-dir) becomes a built-in default
52     [ "--enable-swanctl"
53       "--enable-cmd"
54       "--enable-openssl"
55       "--enable-eap-sim" "--enable-eap-sim-file" "--enable-eap-simaka-pseudonym"
56       "--enable-eap-simaka-reauth" "--enable-eap-identity" "--enable-eap-md5"
57       "--enable-eap-gtc" "--enable-eap-aka" "--enable-eap-aka-3gpp2"
58       "--enable-eap-mschapv2" "--enable-eap-radius" "--enable-xauth-eap" "--enable-ext-auth"
59       "--enable-acert"
60       "--enable-pkcs11" "--enable-eap-sim-pcsc" "--enable-dnscert" "--enable-unbound"
61       "--enable-chapoly"
62       "--enable-curl" ] # see the curl/gnutls note at the top of the file
63     ++ lib.optionals stdenv.hostPlatform.isLinux [
64       "--enable-farp" "--enable-dhcp"
65       "--enable-systemd" "--with-systemdsystemunitdir=${placeholder "out"}/etc/systemd/system"
66       "--enable-xauth-pam"
67       "--enable-forecast"
68       "--enable-connmark"
69       "--enable-af-alg" ]
70     ++ lib.optionals stdenv.hostPlatform.isx86_64 [ "--enable-aesni" "--enable-rdrand" ] # x86-only plugins: AES-NI crypto, RDRAND-backed RNG
71     ++ lib.optional (stdenv.hostPlatform.system == "i686-linux") "--enable-padlock"
72     ++ lib.optionals enableTNC [
73          "--disable-gmp" "--disable-aes" "--disable-md5" "--disable-sha1" "--disable-sha2" "--disable-fips-prf" # in-tree crypto plugins off; presumably openssl (enabled above) covers these — confirm
74          "--enable-eap-tnc" "--enable-eap-ttls" "--enable-eap-dynamic" "--enable-tnccs-20"
75          "--enable-tnc-imc" "--enable-imc-os" "--enable-imc-attestation"
76          "--enable-tnc-imv" "--enable-imv-attestation"
77          "--enable-tnc-ifmap" "--enable-tnc-imc" "--enable-tnc-imv" # tnc-imc/tnc-imv already enabled two lines up; harmless duplicate
78          "--with-tss=trousers"
79          "--enable-aikgen"
80          "--enable-sqlite" ]
81     ++ lib.optionals enableNetworkManager [
82          "--enable-nm"
83          "--with-nm-ca-dir=/etc/ssl/certs" ] # host trust directory, not a store path: CA certs come from the target system at runtime
84     # Taken from: https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX
85     ++ lib.optionals stdenv.hostPlatform.isDarwin [
86       "--disable-systemd"
87       "--disable-xauth-pam"
88       "--disable-kernel-netlink"
89       "--enable-kernel-pfkey"
90       "--enable-kernel-pfroute"
91       "--enable-kernel-libipsec"
92       "--enable-osx-attr"
93       "--disable-scripts"
94     ];
96   postInstall = ''
97     # this is needed for l2tp
98     echo "include /etc/ipsec.secrets" >> $out/etc/ipsec.secrets
99   ''; # the store copy of ipsec.secrets defers to the host's /etc/ipsec.secrets, so credentials are read from /etc at runtime rather than shipped in the store
101   NIX_LDFLAGS = lib.optionalString stdenv.cc.isGNU "-lgcc_s" ; # extra link flag for GNU toolchains only; TODO confirm which link failure this works around
103   passthru.tests = { inherit (nixosTests) strongswan-swanctl; }; # NixOS VM test wired up so the swanctl module is exercised on package changes
105   meta = with lib; { # package metadata; platforms.all matches the Linux and Darwin branches handled above
106     description = "OpenSource IPsec-based VPN Solution";
107     homepage = "https://www.strongswan.org";
108     license = licenses.gpl2Plus;
109     platforms = platforms.all;
110   };