Merge pull request #106465 from jerith666/globalprotect-vpn

nixos/modules/module-list.nix

@@ -694,6 +694,7 @@
   ./services/networking/gdomap.nix
   ./services/networking/ghostunnel.nix
   ./services/networking/git-daemon.nix
+  ./services/networking/globalprotect-vpn.nix
   ./services/networking/gnunet.nix
   ./services/networking/go-neb.nix
   ./services/networking/go-shadowsocks2.nix

nixos/modules/services/networking/globalprotect-vpn.nix

@@ -0,0 +1,43 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.globalprotect;
+
+  execStart = if cfg.csdWrapper == null then
+      "${pkgs.globalprotect-openconnect}/bin/gpservice"
+    else
+      "${pkgs.globalprotect-openconnect}/bin/gpservice --csd-wrapper=${cfg.csdWrapper}";
+in
+
+{
+  options.services.globalprotect = {
+    enable = mkEnableOption "globalprotect";
+
+    csdWrapper = mkOption {
+      description = ''
+        A script that will produce a Host Integrity Protection (HIP) report,
+        as described at <link xlink:href="https://www.infradead.org/openconnect/hip.html" />
+      '';
+      default = null;
+      example = literalExample "\${pkgs.openconnect}/libexec/openconnect/hipreport.sh";
+      type = types.nullOr types.path;
+    };
+  };
+
+  config = {
+    services.dbus.packages = [ pkgs.globalprotect-openconnect ];
+
+    systemd.services.gpservice = {
+      description = "GlobalProtect openconnect DBus service";
+      serviceConfig = {
+        Type="dbus";
+        BusName="com.yuezk.qt.GPService";
+        ExecStart=execStart;
+      };
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+    };
+  };
+}

pkgs/tools/networking/globalprotect-openconnect/default.nix

@@ -0,0 +1,43 @@
+{ stdenv, lib, fetchFromGitHub
+, qmake, qtwebsockets, qtwebengine, wrapQtAppsHook, openconnect
+}:
+
+stdenv.mkDerivation rec {
+  pname = "globalprotect-openconnect";
+  version = "1.2.6";
+
+  src = fetchFromGitHub {
+    owner = "yuezk";
+    repo = "GlobalProtect-openconnect";
+    rev = "c14a6ad1d2b62f8d297bc4cfbcb1dcea4d99112f";
+    fetchSubmodules = true;
+    sha256 = "1zkc3vk1j31n2zs5ammzv23dah7x163gfrzz222ynbkvsccrhzrk";
+  };
+
+  nativeBuildInputs = [ qmake wrapQtAppsHook ];
+
+  buildInputs = [ openconnect qtwebsockets qtwebengine ];
+
+  patchPhase = ''
+    for f in GPClient/GPClient.pro \
+      GPClient/com.yuezk.qt.gpclient.desktop \
+      GPService/GPService.pro \
+      GPService/dbus/com.yuezk.qt.GPService.service \
+      GPService/systemd/gpservice.service; do
+        substituteInPlace $f \
+          --replace /usr $out \
+          --replace /etc $out/lib;
+    done;
+
+    substituteInPlace GPService/gpservice.h \
+      --replace /usr/local/bin/openconnect ${openconnect}/bin/openconnect;
+  '';
+
+  meta = with lib; {
+    description = "GlobalProtect VPN client (GUI) for Linux based on OpenConnect that supports SAML auth mode";
+    homepage = "https://github.com/yuezk/GlobalProtect-openconnect";
+    license = licenses.gpl3Only;
+    maintainers = [ maintainers.jerith666 ];
+    platforms = platforms.linux;
+  };
+}

pkgs/tools/networking/openconnect/default.nix

@@ -8,8 +8,8 @@
 , libxml2
 , stoken
 , zlib
-, fetchgit
+, vpnc-scripts
-, darwin
+, PCSC
 , head ? false
   , fetchFromGitLab
   , autoreconfHook
@@ -17,13 +17,7 @@
 
 assert (openssl != null) == (gnutls == null);
 
-let vpnc = fetchgit {
+stdenv.mkDerivation rec {
-  url = "git://git.infradead.org/users/dwmw2/vpnc-scripts.git";
-  rev = "c0122e891f7e033f35f047dad963702199d5cb9e";
-  sha256 = "11b1ls012mb704jphqxjmqrfbbhkdjb64j2q4k8wb5jmja8jnd14";
-};
-
-in stdenv.mkDerivation rec {
   pname = "openconnect${lib.optionalString head "-head"}";
   version = if head then "2021-05-05" else "8.10";
 
@@ -42,19 +36,19 @@ in stdenv.mkDerivation rec {
   outputs = [ "out" "dev" ];
 
   configureFlags = [
-    "--with-vpnc-script=${vpnc}/vpnc-script"
+    "--with-vpnc-script=${vpnc-scripts}/bin/vpnc-script"
     "--disable-nls"
     "--without-openssl-version-check"
   ];
 
   buildInputs = [ openssl gnutls gmp libxml2 stoken zlib ]
-    ++ lib.optional stdenv.isDarwin darwin.apple_sdk.frameworks.PCSC;
+    ++ lib.optional stdenv.isDarwin PCSC;
   nativeBuildInputs = [ pkg-config ]
     ++ lib.optional head autoreconfHook;
 
   meta = with lib; {
     description = "VPN Client for Cisco's AnyConnect SSL VPN";
-    homepage = "http://www.infradead.org/openconnect/";
+    homepage = "https://www.infradead.org/openconnect/";
     license = licenses.lgpl21Only;
     maintainers = with maintainers; [ pradeepchhetri tricktron ];
     platforms = lib.platforms.linux ++ lib.platforms.darwin;

pkgs/tools/networking/vpnc-scripts/default.nix

@@ -0,0 +1,41 @@
+{ lib, stdenv, fetchgit
+, makeWrapper
+, nettools, gawk, systemd, openresolv, coreutils, gnugrep
+}:
+
+stdenv.mkDerivation {
+  pname = "vpnc-scripts";
+  version = "unstable-2021-03-21";
+  src = fetchgit {
+    url = "git://git.infradead.org/users/dwmw2/vpnc-scripts.git";
+    rev = "8fff06090ed193c4a7285e9a10b42e6679e8ecf3";
+    sha256 = "14bzzpwz7kdmlbx825h6s4jjdml9q6ziyrq8311lp8caql68qdq1";
+  };
+
+  nativeBuildInputs = [ makeWrapper ];
+
+  installPhase = ''
+    mkdir -p $out/bin
+    cp vpnc-script $out/bin
+  '';
+
+  preFixup = ''
+    substituteInPlace $out/bin/vpnc-script \
+      --replace "which" "type -P"
+  '' + lib.optionalString stdenv.isLinux ''
+    substituteInPlace $out/bin/vpnc-script \
+      --replace "/sbin/resolvconf" "${openresolv}/bin/resolvconf" \
+      --replace "/usr/bin/resolvectl" "${systemd}/bin/resolvectl"
+  '' + ''
+    wrapProgram $out/bin/vpnc-script \
+      --prefix PATH : "${lib.makeBinPath ([ nettools gawk coreutils gnugrep ] ++ lib.optionals stdenv.isLinux [ openresolv ])}"
+  '';
+
+  meta = with lib; {
+    description = "script for vpnc to configure the network routing and name service";
+    homepage = "https://www.infradead.org/openconnect/";
+    license = licenses.gpl2Only;
+    maintainers = with maintainers; [ jerith666 ];
+    platforms = platforms.linux ++ platforms.darwin;
+  };
+}

pkgs/top-level/all-packages.nix

@@ -9515,6 +9515,8 @@ in
 
   vpnc = callPackage ../tools/networking/vpnc { };
 
+  vpnc-scripts = callPackage ../tools/networking/vpnc-scripts { };
+
   vpn-slice = python3Packages.callPackage ../tools/networking/vpn-slice { };
 
   vp = callPackage ../applications/misc/vp {
@@ -9527,18 +9529,23 @@ in
   openconnect = openconnect_gnutls;
 
   openconnect_openssl = callPackage ../tools/networking/openconnect {
+    inherit (darwin.apple_sdk.frameworks) PCSC;
     gnutls = null;
   };
 
   openconnect_gnutls = callPackage ../tools/networking/openconnect {
+    inherit (darwin.apple_sdk.frameworks) PCSC;
     openssl = null;
   };
 
   openconnect_head = callPackage ../tools/networking/openconnect {
+    inherit (darwin.apple_sdk.frameworks) PCSC;
     head = true;
     openssl = null;
   };
 
+  globalprotect-openconnect = libsForQt5.callPackage ../tools/networking/globalprotect-openconnect { };
+
   ding-libs = callPackage ../tools/misc/ding-libs { };
 
   sssd = callPackage ../os-specific/linux/sssd {