Unverified Commit 84cd38f7 authored by Weijia Wang's avatar Weijia Wang Committed by GitHub

globalprotect-openconnect: add core logic and packages for 2.x releases (#316526)

parents aae6a077 2b0ff836
+7 −0
@@ -2733,6 +2733,13 @@
    githubId = 19915050;
    name = "binarycat";
  };
  binary-eater = {
    email = "sergeantsagara@protonmail.com";
    github = "Binary-Eater";
    githubId = 10691440;
    name = "Rahul Rameshbabu";
    keys = [ { fingerprint = "678A 8DF1 D9F2 B51B 7110  BE53 FF24 7B3E 5411 387B"; } ];
  };
  binsky = {
    email = "timo@binsky.org";
    github = "binsky08";
+6 −0
@@ -472,6 +472,12 @@

- The `isync` package has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details.

- Legacy package `globalprotect-openconnect` 1.x and related module
  `globalprotect-vpn` were dropped. Two new packages `gpauth` and `gpclient`
  from the 2.x version of the GlobalProtect-openconnect project are added in its
  place. The GUI components related to the project are non-free and not
  packaged.

## Other Notable Changes {#sec-release-24.11-notable-changes}

<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+0 −1
@@ -1045,7 +1045,6 @@
  ./services/networking/gdomap.nix
  ./services/networking/ghostunnel.nix
  ./services/networking/git-daemon.nix
  ./services/networking/globalprotect-vpn.nix
  ./services/networking/gns3-server.nix
  ./services/networking/gnunet.nix
  ./services/networking/go-autoconfig.nix
+1 −0
@@ -74,6 +74,7 @@ in
    (mkRemovedOptionModule [ "services" "fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
    (mkRemovedOptionModule [ "services" "fprot" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "frab" ] "The frab module has been removed")
    (mkRemovedOptionModule [ "services" "globalprotect"] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "homeassistant-satellite"] "The `services.homeassistant-satellite` module has been replaced by `services.wyoming-satellite`.")
    (mkRemovedOptionModule [ "services" "hydron" ] "The `services.hydron` module has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability.")
    (mkRemovedOptionModule [ "services" "ihatemoney" ] "The ihatemoney module has been removed for lack of downstream maintainer")
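Review bot: The removal message on the new `services.globalprotect` entry says only that "the corresponding package was removed", while the release note in this same commit says `gpauth` and `gpclient` were added in its place and that the GUI is non-free, so a user whose configuration trips this assertion gets no pointer to the replacement. I would put that in the message, e.g. `(mkRemovedOptionModule [ "services" "globalprotect" ] "The globalprotect-openconnect 1.x package and its module were removed; the 2.x project is packaged as gpauth and gpclient, and this commit adds no replacement NixOS module (see the 24.11 release notes).")`. The dropped module also wired a `csdWrapper` HIP-report script into the D-Bus service, so migrating users have to arrange that themselves with the new tooling; the message is the one place they will look for that hint. As a style nit, `"globalprotect"]` is missing the space before `]` that the neighbouring entries use.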
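--- a/nixos/modules/services/networking/globalprotect-vpn.nix
+++ /dev/null
@@ -1,57 +0,0 @@
-{ config, lib, pkgs, ... }:
-let
-  cfg = config.services.globalprotect;
-
-  execStart =
-    if cfg.csdWrapper == null then
-      "${pkgs.globalprotect-openconnect}/bin/gpservice"
-    else
-      "${pkgs.globalprotect-openconnect}/bin/gpservice --csd-wrapper=${cfg.csdWrapper}";
-in
-
-{
-  options.services.globalprotect = {
-    enable = lib.mkEnableOption "globalprotect";
-
-    settings = lib.mkOption {
-      description = ''
-        GlobalProtect-openconnect configuration. For more information, visit
-        <https://github.com/yuezk/GlobalProtect-openconnect/wiki/Configuration>.
-      '';
-      default = { };
-      example = {
-        "vpn1.company.com" = {
-          openconnect-args = "--script=/path/to/vpnc-script";
-        };
-      };
-      type = lib.types.attrs;
-    };
-
-    csdWrapper = lib.mkOption {
-      description = ''
-        A script that will produce a Host Integrity Protection (HIP) report,
-        as described at <https://www.infradead.org/openconnect/hip.html>
-      '';
-      default = null;
-      example = lib.literalExpression ''"''${pkgs.openconnect}/libexec/openconnect/hipreport.sh"'';
-      type = lib.types.nullOr lib.types.path;
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    services.dbus.packages = [ pkgs.globalprotect-openconnect ];
-
-    environment.etc."gpservice/gp.conf".text = lib.generators.toINI { } cfg.settings;
-
-    systemd.services.gpservice = {
-      description = "GlobalProtect openconnect DBus service";
-      serviceConfig = {
-        Type = "dbus";
-        BusName = "com.yuezk.qt.GPService";
-        ExecStart = execStart;
-      };
-      wantedBy = [ "multi-user.target" ];
-      after = [ "network.target" ];
-    };
-  };
-}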