| blob | 119f81baf5cb12052c28d19990d8121c8fb1aff0 |
1 { lib, stdenv, fetchFromGitHub
2 , pkg-config, autoreconfHook, perl, gperf, bison, flex
3 , gmp, python3, iptables, ldns, unbound, openssl, pcsclite, glib
4 , openresolv
5 , systemd, pam
6 , curl
7 , enableTNC ? false, trousers, sqlite, libxml2
8 , enableNetworkManager ? false, networkmanager
9 , darwin
10 , nixosTests
11 }:
13 # Note on curl support: If curl is built with gnutls as its backend, the
14 # strongswan curl plugin may break.
15 # See https://wiki.strongswan.org/projects/strongswan/wiki/Curl for more info.
17 with lib;
19 stdenv.mkDerivation rec {
20 pname = "strongswan";
21 version = "5.9.8"; # Make sure to also update <nixpkgs/nixos/modules/services/networking/strongswan-swanctl/swanctl-params.nix> when upgrading!
23 src = fetchFromGitHub {
24 owner = "strongswan";
25 repo = "strongswan";
26 rev = version;
27 sha256 = "sha256-RRvMQhDVoXF3Uok/Huq20RhqSsMnAsXHKOWfrXypDOk=";
28 };
30 dontPatchELF = true;
32 nativeBuildInputs = [ pkg-config autoreconfHook perl gperf bison flex ];
33 buildInputs =
34 [ curl gmp python3 ldns unbound openssl pcsclite ]
35 ++ optionals enableTNC [ trousers sqlite libxml2 ]
36 ++ optionals stdenv.isLinux [ systemd.dev pam iptables ]
37 ++ optionals stdenv.isDarwin (with darwin.apple_sdk.frameworks; [ SystemConfiguration ])
38 ++ optionals enableNetworkManager [ networkmanager glib ];
40 patches = [
41 ./ext_auth-path.patch
42 ./firewall_defaults.patch
43 ./updown-path.patch
44 ];
46 postPatch = optionalString stdenv.isLinux ''
47 # glibc-2.26 reorganized internal includes
48 sed '1i#include <stdint.h>' -i src/libstrongswan/utils/utils/memory.h
50 substituteInPlace src/libcharon/plugins/resolve/resolve_handler.c --replace "/sbin/resolvconf" "${openresolv}/sbin/resolvconf"
51 '';
53 configureFlags =
54 [ "--enable-swanctl"
55 "--enable-cmd"
56 "--enable-openssl"
57 "--enable-eap-sim" "--enable-eap-sim-file" "--enable-eap-simaka-pseudonym"
58 "--enable-eap-simaka-reauth" "--enable-eap-identity" "--enable-eap-md5"
59 "--enable-eap-gtc" "--enable-eap-aka" "--enable-eap-aka-3gpp2"
60 "--enable-eap-mschapv2" "--enable-eap-radius" "--enable-xauth-eap" "--enable-ext-auth"
61 "--enable-acert"
62 "--enable-pkcs11" "--enable-eap-sim-pcsc" "--enable-dnscert" "--enable-unbound"
63 "--enable-chapoly"
64 "--enable-curl" ]
65 ++ optionals stdenv.isLinux [
66 "--enable-farp" "--enable-dhcp"
67 "--enable-systemd" "--with-systemdsystemunitdir=${placeholder "out"}/etc/systemd/system"
68 "--enable-xauth-pam"
69 "--enable-forecast"
70 "--enable-connmark"
71 "--enable-af-alg" ]
72 ++ optionals stdenv.isx86_64 [ "--enable-aesni" "--enable-rdrand" ]
73 ++ optional (stdenv.hostPlatform.system == "i686-linux") "--enable-padlock"
74 ++ optionals enableTNC [
75 "--disable-gmp" "--disable-aes" "--disable-md5" "--disable-sha1" "--disable-sha2" "--disable-fips-prf"
76 "--enable-eap-tnc" "--enable-eap-ttls" "--enable-eap-dynamic" "--enable-tnccs-20"
77 "--enable-tnc-imc" "--enable-imc-os" "--enable-imc-attestation"
78 "--enable-tnc-imv" "--enable-imv-attestation"
79 "--enable-tnc-ifmap" "--enable-tnc-imc" "--enable-tnc-imv"
80 "--with-tss=trousers"
81 "--enable-aikgen"
82 "--enable-sqlite" ]
83 ++ optionals enableNetworkManager [
84 "--enable-nm"
85 "--with-nm-ca-dir=/etc/ssl/certs" ]
86 # Taken from: https://wiki.strongswan.org/projects/strongswan/wiki/MacOSX
87 ++ optionals stdenv.isDarwin [
88 "--disable-systemd"
89 "--disable-xauth-pam"
90 "--disable-kernel-netlink"
91 "--enable-kernel-pfkey"
92 "--enable-kernel-pfroute"
93 "--enable-kernel-libipsec"
94 "--enable-osx-attr"
95 "--disable-scripts"
96 ];
98 postInstall = ''
99 # this is needed for l2tp
100 echo "include /etc/ipsec.secrets" >> $out/etc/ipsec.secrets
101 '';
103 NIX_LDFLAGS = optionalString stdenv.cc.isGNU "-lgcc_s" ;
105 passthru.tests = { inherit (nixosTests) strongswan-swanctl; };
107 meta = {
108 description = "OpenSource IPsec-based VPN Solution";
109 homepage = "https://www.strongswan.org";
110 license = licenses.gpl2Plus;
111 platforms = platforms.all;
112 };
113 }