Unverified Commit 7ee56994 authored by Jeremy Fleischman's avatar Jeremy Fleischman

nixos/openvpn3: Add support for systemd-resolved

I noticed that openvpn3 has been clobbering my `/etc/resolv.conf` file. I
dug around a bit, and it turns out that upstream actually does have
support for systemd-resolved. I think it makes sense for us to
automatically enable that feature if the system is configured to use
systemd-resolved.

I opted to not change the default behavior of `pkgs.openvpn3`, but can
easily be convinced to change that if folks think I should.
parent 8b6e86b4
+2 −0
@@ -320,6 +320,8 @@

- The `fonts.fonts` and `fonts.enableDefaultFonts` options have been renamed to `fonts.packages` and `fonts.enableDefaultPackages` respectively.

- `pkgs.openvpn3` now optionally supports systemd-resolved. `programs.openvpn3` will automatically enable systemd-resolved support if `config.services.resolved.enable` is enabled.

- `services.fail2ban.jails` can now be configured with attribute sets defining settings and filters instead of lines. The stringed options `daemonConfig` and `extraSettings` have respectively been replaced by `daemonSettings` and `jails.DEFAULT.settings` which use attribute sets.

- The application firewall `opensnitch` now uses the process monitor method eBPF as default as recommended by upstream. The method can be changed with the setting [services.opensnitch.settings.ProcMonitorMethod](#opt-services.opensnitch.settings.ProcMonitorMethod).
+16 −4
@@ -8,11 +8,23 @@ in
{
  options.programs.openvpn3 = {
    enable = mkEnableOption (lib.mdDoc "the openvpn3 client");
    package = mkOption {
      type = types.package;
      default = pkgs.openvpn3.override {
        enableSystemdResolved = config.services.resolved.enable;
      };
      defaultText = literalExpression ''pkgs.openvpn3.override {
        enableSystemdResolved = config.services.resolved.enable;
      }'';
      description = lib.mdDoc ''
        Which package to use for `openvpn3`.
      '';
    };
  };

  config = mkIf cfg.enable {
    services.dbus.packages = with pkgs; [
      openvpn3
    services.dbus.packages = [
      cfg.package
    ];

    users.users.openvpn = {
@@ -25,8 +37,8 @@ in
      gid = config.ids.gids.openvpn;
    };

    environment.systemPackages = with pkgs; [
      openvpn3
    environment.systemPackages = [
      cfg.package
    ];
  };
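Review bot: The `description` of the new `package` option (the `lib.mdDoc` string around the "Which package to use for `openvpn3`." line) does not tell users that the default is derived from `config.services.resolved.enable`, so anyone who sets `package = pkgs.openvpn3;` to pin a version silently loses the resolved integration and goes back to the `/etc/resolv.conf` overwrite that motivated this commit. I would extend the description with a sentence such as: "By default this is `pkgs.openvpn3` built with `enableSystemdResolved` following `services.resolved.enable`; if you override this option, pass `enableSystemdResolved` yourself or openvpn3 will write `/etc/resolv.conf` directly." The `defaultText` in the same hunk already shows the expression, so the description only needs to state the consequence of overriding. The enclosing module attribute set begins before this hunk.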

+8 −0
@@ -15,6 +15,8 @@
, pkg-config
, protobuf
, python3
, systemd
, enableSystemdResolved ? false
, tinyxml-2
, wrapGAppsHook
}:
@@ -80,6 +82,8 @@ stdenv.mkDerivation rec {
    openssl
    protobuf
    tinyxml-2
  ] ++ lib.optionals enableSystemdResolved [
    systemd
  ];

  # runtime deps
@@ -101,6 +105,10 @@ stdenv.mkDerivation rec {
    "--enable-addons-aws"
    "--disable-selinux-build"
    "--disable-build-test-progs"
  ] ++ lib.optionals enableSystemdResolved [
    # This defaults to --resolv-conf /etc/resolv.conf. See
    # https://github.com/OpenVPN/openvpn3-linux/blob/v20/configure.ac#L434
    "DEFAULT_DNS_RESOLVER=--systemd-resolved"
  ];

  NIX_LDFLAGS = "-lpthread";
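Review bot: In the first hunk, `, enableSystemdResolved ? false` is inserted between `, systemd` and `, tinyxml-2`, which breaks the alphabetical ordering the rest of the argument list follows (`pkg-config`, `protobuf`, `python3`, `systemd`, `tinyxml-2`, `wrapGAppsHook`); feature flags in this file's style belong either sorted with the other names or grouped at the head of the list, so I would move it next to the other `? ` defaults, or to directly after `, systemd` only if it is given its own short comment. In the last hunk the comment "This defaults to --resolv-conf /etc/resolv.conf" sits inside the `lib.optionals` branch that overrides that default, which reads as if the branch itself sets `--resolv-conf`; I would reword it to `# Without DEFAULT_DNS_RESOLVER, configure falls back to "--resolv-conf /etc/resolv.conf", i.e. openvpn3 rewrites the file directly; see the configure.ac link below.` and keep the URL on the next line. The `stdenv.mkDerivation rec { … }` body that contains these hunks starts and ends outside the diff.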