systemd-initrd: OpenVPN

2025-04-13 10:37:32 +00:00 · 2023-02-17 07:47:40 -05:00 · 2023-02-17 07:47:40 -05:00 · 834ec135ce
commit 834ec135ce
parent 0698a1cf04
3 changed files with 37 additions and 3 deletions
--- a/nixos/modules/system/boot/initrd-openvpn.nix
+++ b/nixos/modules/system/boot/initrd-openvpn.nix
@ -51,7 +51,7 @@ in

    # Add openvpn and ip binaries to the initrd
    # The shared libraries are required for DNS resolution
-    boot.initrd.extraUtilsCommands = ''
+    boot.initrd.extraUtilsCommands = mkIf (!config.boot.initrd.systemd.enable) ''
      copy_bin_and_libs ${pkgs.openvpn}/bin/openvpn
      copy_bin_and_libs ${pkgs.iproute2}/bin/ip

@ -59,18 +59,33 @@ in
      cp -pv ${pkgs.glibc}/lib/libnss_dns.so.2 $out/lib
    '';

+    boot.initrd.systemd.storePaths = [
+      "${pkgs.openvpn}/bin/openvpn"
+      "${pkgs.iproute2}/bin/ip"
+      "${pkgs.glibc}/lib/libresolv.so.2"
+      "${pkgs.glibc}/lib/libnss_dns.so.2"
+    ];
+
    boot.initrd.secrets = {
      "/etc/initrd.ovpn" = cfg.configuration;
    };

    # openvpn --version would exit with 1 instead of 0
-    boot.initrd.extraUtilsCommandsTest = ''
+    boot.initrd.extraUtilsCommandsTest = mkIf (!config.boot.initrd.systemd.enable) ''
      $out/bin/openvpn --show-gateway
    '';

-    boot.initrd.network.postCommands = ''
+    boot.initrd.network.postCommands = mkIf (!config.boot.initrd.systemd.enable) ''
      openvpn /etc/initrd.ovpn &
    '';
+
+    boot.initrd.systemd.services.openvpn = {
+      wantedBy = [ "initrd.target" ];
+      path = [ pkgs.iproute2 ];
+      after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
+      serviceConfig.ExecStart = "${pkgs.openvpn}/bin/openvpn /etc/initrd.ovpn";
+      serviceConfig.Type = "notify";
+    };
  };

 }
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@ -679,6 +679,7 @@ in {
  systemd-initrd-vconsole = handleTest ./systemd-initrd-vconsole.nix {};
  systemd-initrd-networkd = handleTest ./systemd-initrd-networkd.nix {};
  systemd-initrd-networkd-ssh = handleTest ./systemd-initrd-networkd-ssh.nix {};
+  systemd-initrd-networkd-openvpn = handleTest ./initrd-network-openvpn { systemdStage1 = true; };
  systemd-journal = handleTest ./systemd-journal.nix {};
  systemd-machinectl = handleTest ./systemd-machinectl.nix {};
  systemd-networkd = handleTest ./systemd-networkd.nix {};
--- a/nixos/tests/initrd-network-openvpn/default.nix
+++ b/nixos/tests/initrd-network-openvpn/default.nix
@ -1,3 +1,9 @@
+{ system ? builtins.currentSystem
+, config ? {}
+, pkgs ? import ../.. { inherit system config; }
+, systemdStage1 ? false
+}:
+
 import ../make-test-python.nix ({ lib, ...}:

 {
@ -22,6 +28,7 @@ import ../make-test-python.nix ({ lib, ...}:
      minimalboot =
        { ... }:
        {
+          boot.initrd.systemd.enable = systemdStage1;
          boot.initrd.network = {
            enable = true;
            openvpn = {
@ -39,6 +46,17 @@ import ../make-test-python.nix ({ lib, ...}:
          virtualisation.vlans = [ 1 ];

          boot.initrd = {
+            systemd.enable = systemdStage1;
+            systemd.extraBin.nc = "${pkgs.busybox}/bin/nc";
+            systemd.services.nc = {
+              requiredBy = ["initrd.target"];
+              after = ["network.target"];
+              serviceConfig = {
+                ExecStart = "/bin/nc -p 1234 -lke /bin/echo TESTVALUE";
+                Type = "oneshot";
+              };
+            };
+
            # This command does not fork to keep the VM in the state where
            # only the initramfs is loaded
            preLVMCommands =