globalprotect-openconnect: Reinstate v1 (#355758)

2024-11-25 08:23:09 +00:00 · 2024-11-15 18:25:57 +01:00 · 2024-11-15 18:25:57 +01:00 · cedd087b81
commit cedd087b81
parent 9b0635ee76 b6bac07973
7 changed files with 117 additions and 7 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -709,11 +709,10 @@

 - `isync` has been updated to version `1.5.0`, which introduces some breaking changes. See the [compatibility concerns](https://sourceforge.net/projects/isync/files/isync/1.5.0/) for more details.

- Legacy package `globalprotect-openconnect` 1.x and related module
-  `services.globalprotect` were dropped. Two new packages -- `gpauth` and `gpclient`
-  from the 2.x version of the GlobalProtect-openconnect project -- are added in its
-  place. The GUI components related to the project are non-free and not
-  packaged.
+- Two new packages -- `gpauth` and `gpclient` from the 2.x version of the
+  GlobalProtect-openconnect project -- are added in parallel to
+  `globalprotect-openconnect`. The GUI components related to the project are
+  non-free and not packaged.

 - Compatible string matching for `hardware.deviceTree.overlays` has been changed to a more correct behavior. See [below](#sec-release-24.11-migration-dto-compatible) for details.

--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@ -1056,6 +1056,7 @@
  ./services/networking/gdomap.nix
  ./services/networking/ghostunnel.nix
  ./services/networking/git-daemon.nix
+  ./services/networking/globalprotect-vpn.nix
  ./services/networking/gns3-server.nix
  ./services/networking/gnunet.nix
  ./services/networking/go-autoconfig.nix
--- a/nixos/modules/rename.nix
+++ b/nixos/modules/rename.nix
@ -80,7 +80,6 @@ in
    (mkRemovedOptionModule [ "services" "fourStoreEndpoint" ] "The fourStoreEndpoint module has been removed")
    (mkRemovedOptionModule [ "services" "fprot" ] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "frab" ] "The frab module has been removed")
-    (mkRemovedOptionModule [ "services" "globalprotect"] "The corresponding package was removed from nixpkgs.")
    (mkRemovedOptionModule [ "services" "homeassistant-satellite"] "The `services.homeassistant-satellite` module has been replaced by `services.wyoming-satellite`.")
    (mkRemovedOptionModule [ "services" "hydron" ] "The `services.hydron` module has been removed as the project has been archived upstream since 2022 and is affected by a severe remote code execution vulnerability.")
    (mkRemovedOptionModule [ "services" "ihatemoney" ] "The ihatemoney module has been removed for lack of downstream maintainer")
--- a/nixos/modules/services/networking/globalprotect-vpn.nix
+++ b/nixos/modules/services/networking/globalprotect-vpn.nix
@ -0,0 +1,62 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.services.globalprotect;
+
+  execStart =
+    if cfg.csdWrapper == null then
+      "${pkgs.globalprotect-openconnect}/bin/gpservice"
+    else
+      "${pkgs.globalprotect-openconnect}/bin/gpservice --csd-wrapper=${cfg.csdWrapper}";
+in
+
+{
+  options.services.globalprotect = {
+    enable = lib.mkEnableOption "globalprotect";
+
+    settings = lib.mkOption {
+      description = ''
+        GlobalProtect-openconnect configuration. For more information, visit
+        <https://github.com/yuezk/GlobalProtect-openconnect/wiki/Configuration>.
+      '';
+      default = { };
+      example = {
+        "vpn1.company.com" = {
+          openconnect-args = "--script=/path/to/vpnc-script";
+        };
+      };
+      type = lib.types.attrs;
+    };
+
+    csdWrapper = lib.mkOption {
+      description = ''
+        A script that will produce a Host Integrity Protection (HIP) report,
+        as described at <https://www.infradead.org/openconnect/hip.html>
+      '';
+      default = null;
+      example = lib.literalExpression ''"''${pkgs.openconnect}/libexec/openconnect/hipreport.sh"'';
+      type = lib.types.nullOr lib.types.path;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.dbus.packages = [ pkgs.globalprotect-openconnect ];
+
+    environment.etc."gpservice/gp.conf".text = lib.generators.toINI { } cfg.settings;
+
+    systemd.services.gpservice = {
+      description = "GlobalProtect openconnect DBus service";
+      serviceConfig = {
+        Type = "dbus";
+        BusName = "com.yuezk.qt.GPService";
+        ExecStart = execStart;
+      };
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+    };
+  };
+}
--- a/pkgs/tools/networking/globalprotect-openconnect/default.nix
+++ b/pkgs/tools/networking/globalprotect-openconnect/default.nix
@ -0,0 +1,48 @@
+{
+  stdenv,
+  lib,
+  fetchurl,
+  cmake,
+  qtwebsockets,
+  qtwebengine,
+  qtkeychain,
+  wrapQtAppsHook,
+  openconnect,
+}:
+
+stdenv.mkDerivation rec {
+  pname = "globalprotect-openconnect";
+  version = "1.4.9";
+
+  src = fetchurl {
+    url = "https://github.com/yuezk/GlobalProtect-openconnect/releases/download/v${version}/globalprotect-openconnect-${version}.tar.gz";
+    hash = "sha256-vhvVKESLbqHx3XumxbIWOXIreDkW3yONDMXMHxhjsvk=";
+  };
+
+  nativeBuildInputs = [
+    cmake
+    wrapQtAppsHook
+  ];
+
+  buildInputs = [
+    openconnect
+    qtwebsockets
+    qtwebengine
+    qtkeychain
+  ];
+
+  patchPhase = ''
+    substituteInPlace GPService/gpservice.h \
+      --replace /usr/local/bin/openconnect ${openconnect}/bin/openconnect;
+    substituteInPlace GPService/CMakeLists.txt \
+      --replace /etc/gpservice $out/etc/gpservice;
+  '';
+
+  meta = with lib; {
+    description = "GlobalProtect VPN client (GUI) for Linux based on OpenConnect that supports SAML auth mode";
+    homepage = "https://github.com/yuezk/GlobalProtect-openconnect";
+    license = licenses.gpl3Only;
+    maintainers = [ maintainers.jerith666 ];
+    platforms = platforms.linux;
+  };
+}
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@ -439,7 +439,6 @@ mapAliases {
  glew-egl = lib.warn "'glew-egl' is now provided by 'glew' directly" glew; # Added 2024-08-11
  glfw-wayland = glfw; # Added 2024-04-19
  glfw-wayland-minecraft = glfw3-minecraft; # Added 2024-05-08
-  globalprotect-openconnect = throw "'globalprotect-openconnect' has been renamed to/replaced by 'gpauth' and 'gpclient'"; # Added 2024-09-21
  glxinfo = mesa-demos; # Added 2024-07-04
  gmailieer = throw "'gmailieer' has been renamed to/replaced by 'lieer'"; # Converted to throw 2024-10-17
  gnatboot11 = gnat-bootstrap11;
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -5650,6 +5650,8 @@ with pkgs;

  inherit (openconnectPackages) openconnect openconnect_openssl;

+  globalprotect-openconnect = libsForQt5.callPackage ../tools/networking/globalprotect-openconnect { };
+
  sssd = callPackage ../os-specific/linux/sssd {
    inherit (perlPackages) Po4a;
    # python312Packages.python-ldap is broken