| blob | ab3249e57a8733c78713ce1edf6275e695c30cd3 |
1 { lib
2 , stdenv
3 , fetchurl
4 , nixosTests
5 , pkg-config
6 , systemd
7 , gmp
8 , unbound
9 , bison
10 , flex
11 , pam
12 , libevent
13 , libcap_ng
14 , libxcrypt
15 , curl
16 , nspr
17 , bash
18 , runtimeShell
19 , iproute2
20 , iptables
21 , procps
22 , coreutils
23 , gnused
24 , gawk
25 , nss
26 , which
27 , python3
28 , libselinux
29 , ldns
30 , xmlto
31 , docbook_xml_dtd_412
32 , docbook_xsl
33 , findXMLCatalogs
34 , dns-root-data
35 }:
37 let
38 # Tools needed by ipsec scripts
39 binPath = lib.makeBinPath [
40 iproute2 iptables procps
41 coreutils gnused gawk
42 nss.tools which
43 ];
44 in
46 stdenv.mkDerivation rec {
47 pname = "libreswan";
48 version = "4.9";
50 src = fetchurl {
51 url = "https://download.libreswan.org/${pname}-${version}.tar.gz";
52 sha256 = "sha256-9kLctjXpCVZMqP2Z6kSrQ/YHI7TXbBWO2BKXjEWzmLk=";
53 };
55 strictDeps = true;
57 nativeBuildInputs = [
58 bison
59 flex
60 pkg-config
61 xmlto
62 docbook_xml_dtd_412
63 docbook_xsl
64 findXMLCatalogs
65 ];
67 buildInputs = [
68 systemd coreutils
69 gnused gawk gmp unbound pam libevent
70 libcap_ng libxcrypt curl nspr nss ldns
71 # needed to patch shebangs
72 python3 bash
73 ] ++ lib.optional stdenv.isLinux libselinux;
75 prePatch = ''
76 # Correct iproute2 and iptables path
77 sed -e 's|/sbin/ip|${iproute2}/bin/ip|g' \
78 -e 's|/sbin/\(ip6\?tables\)|${iptables}/bin/\1|' \
79 -e 's|/bin/bash|${runtimeShell}|g' \
80 -i initsystems/systemd/ipsec.service.in \
81 programs/barf/barf.in \
82 programs/verify.linux/verify.in
83 sed -e 's|\([[:blank:]]\)\(ip6\?tables\(-save\)\? -\)|\1${iptables}/bin/\2|' \
84 -i programs/verify.linux/verify.in
86 # Prevent the makefile from trying to
87 # reload the systemd daemon or create tmpfiles
88 sed -e 's|systemctl|true|g' \
89 -e 's|systemd-tmpfiles|true|g' \
90 -i initsystems/systemd/Makefile
92 # Fix the ipsec program from crushing the PATH
93 sed -e 's|\(PATH=".*"\):.*$|\1:$PATH|' -i programs/ipsec/ipsec.in
95 # Fix python script to use the correct python
96 sed -e 's/^\(\W*\)installstartcheck()/\1sscmd = "ss"\n\0/' \
97 -i programs/verify.linux/verify.in
99 # Replace wget with curl to save a dependency
100 curlArgs='-s --remote-name-all --output-dir'
101 sed -e "s|wget -q -P|${curl}/bin/curl $curlArgs|g" \
102 -i programs/letsencrypt/letsencrypt.in
104 # Patch the Makefile:
105 # 1. correct the pam.d directory install path
106 # 2. do not create the /var/lib/ directory
107 sed -e 's|$(DESTDIR)/etc/pam.d|$(out)/etc/pam.d|' \
108 -e '/test ! -d $(NSSDIR)/,+3d' \
109 -i configs/Makefile
110 '';
112 makeFlags = [
113 "PREFIX=$(out)"
114 "INITSYSTEM=systemd"
115 "UNITDIR=$(out)/etc/systemd/system/"
116 "TMPFILESDIR=$(out)/lib/tmpfiles.d/"
117 "LINUX_VARIANT=nixos"
118 "DEFAULT_DNSSEC_ROOTKEY_FILE=${dns-root-data}/root.key"
119 ];
121 # Hack to make install work
122 installFlags = [
123 "FINALVARDIR=\${out}/var"
124 "FINALSYSCONFDIR=\${out}/etc"
125 ];
127 postInstall = ''
128 # Install examples directory (needed for letsencrypt)
129 cp -r docs/examples $out/share/doc/libreswan/examples
130 '';
132 postFixup = ''
133 # Add a PATH to the main "ipsec" script
134 sed -e '0,/^$/{s||export PATH=${binPath}:$PATH|}' \
135 -i $out/bin/ipsec
136 '';
138 passthru.tests.libreswan = nixosTests.libreswan;
140 meta = with lib; {
141 homepage = "https://libreswan.org";
142 description = "A free software implementation of the VPN protocol based on IPSec and the Internet Key Exchange";
143 platforms = platforms.linux ++ platforms.freebsd;
144 license = with licenses; [ gpl2Plus mpl20 ] ;
145 maintainers = with maintainers; [ afranchuk rnhmjoj ];
146 };
147 }