diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix
index 19ad635d07e7..8778b0364f9a 100644
--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
@@ -118,7 +118,7 @@ in
 systemd.services.strongswan = {
 description = "strongSwan IPSec Service";
 wantedBy = [ "multi-user.target" ];
- path = with pkgs; [ kmod ]; # XXX Linux
+ path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux
 wants = [ "keys.target" ];
 after = [ "network.target" "keys.target" ];
 environment = {
diff --git a/pkgs/build-support/setup-hooks/autoreconf.sh b/pkgs/build-support/setup-hooks/autoreconf.sh
index f70a10870843..441d6b43baa2 100644
--- a/pkgs/build-support/setup-hooks/autoreconf.sh
+++ b/pkgs/build-support/setup-hooks/autoreconf.sh
@@ -1,11 +1,11 @@
 preConfigurePhases+=" autoreconfPhase"
-for i in @autoconf@ @automake@ @libtool@; do
+for i in @autoconf@ @automake@ @libtool@ @gettext@; do
 findInputs $i nativePkgs propagated-native-build-inputs
 done
 autoreconfPhase() {
 runHook preAutoreconf
- autoreconf ${autoreconfFlags:---install --force}
+ autoreconf ${autoreconfFlags:---install --force --verbose}
 runHook postAutoreconf
 }
diff --git a/pkgs/tools/networking/strongswan/default.nix b/pkgs/tools/networking/strongswan/default.nix
index a41bc5e5b8f0..871cd3e8f473 100644
--- a/pkgs/tools/networking/strongswan/default.nix
+++ b/pkgs/tools/networking/strongswan/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, gmp, pkgconfig, python }:
+{ stdenv, fetchurl, gmp, pkgconfig, python, autoreconfHook }:
 stdenv.mkDerivation rec {
 name = "strongswan-5.2.1";
@@ -10,7 +10,13 @@ stdenv.mkDerivation rec {
 dontPatchELF = true;
- buildInputs = [ gmp pkgconfig python ];
+ buildInputs = [ gmp pkgconfig python autoreconfHook ];
+
+ patches = [
+ ./ext_auth-path.patch
+ ./firewall_defaults.patch
+ ./updown-path.patch
+ ];
 configureFlags = [ "--enable-swanctl" "--enable-cmd" ];
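Review bot: The `# XXX Linux` marker kept on the new `path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux` line says nothing about why three tools were added, and the reason is not local to this file: the updown-path.patch and ext_auth-path.patch introduced in the same commit forward charon's PATH to the `_updown` and ext_auth helper scripts, which run with the daemon's privileges and resolve `ip`/`iptables` from it. I would replace the marker with `# _updown/ext_auth scripts inherit this PATH (see updown-path.patch); ip and iptables must resolve here`. Because those scripts now trust the inherited PATH, this list should stay limited to store paths, and the comment should warn against starting charon from an environment whose PATH contains writable directories. The enclosing `systemd.services.strongswan` attribute set continues outside the hunk.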
diff --git a/pkgs/tools/networking/strongswan/ext_auth-path.patch b/pkgs/tools/networking/strongswan/ext_auth-path.patch
new file mode 100644
index 000000000000..397537ad8d84
--- /dev/null
+++ b/pkgs/tools/networking/strongswan/ext_auth-path.patch
@@ -0,0 +1,13 @@
+Index: strongswan-5.2.1/src/libcharon/plugins/ext_auth/ext_auth_listener.c
+===================================================================
+--- strongswan-5.2.1.orig/src/libcharon/plugins/ext_auth/ext_auth_listener.c
++++ strongswan-5.2.1/src/libcharon/plugins/ext_auth/ext_auth_listener.c
+@@ -101,6 +101,8 @@ METHOD(listener_t, authorize, bool,
+
+ *success = FALSE;
+
++ push_env(envp, countof(envp), "PATH=%s", getenv("PATH"));
+
+ push_env(envp, countof(envp), "IKE_UNIQUE_ID=%u",
+ ike_sa->get_unique_id(ike_sa));
+ push_env(envp, countof(envp), "IKE_NAME=%s",
diff --git a/pkgs/tools/networking/strongswan/firewall_defaults.patch b/pkgs/tools/networking/strongswan/firewall_defaults.patch
new file mode 100644
index 000000000000..12c446c8c9aa
--- /dev/null
+++ b/pkgs/tools/networking/strongswan/firewall_defaults.patch
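Review bot: `getenv("PATH")` returns NULL when charon is started without PATH in its environment, and the added `push_env(envp, countof(envp), "PATH=%s", getenv("PATH"));` then feeds a null pointer to a `%s` conversion, which is undefined behaviour; with glibc the helper script would see the literal `PATH=(null)` and every command lookup in it fails. Guard the lookup instead of passing it straight through: `const char *path = getenv("PATH"); if (path) { push_env(envp, countof(envp), "PATH=%s", path); }`. Note also that this hands whatever PATH the daemon inherited to an external authorization script running with charon's privileges, so it only stays safe while charon is launched from a controlled environment such as the systemd unit, which deserves a one-line comment above the call. The `authorize` method continues outside the hunk.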
@@ -0,0 +1,32 @@
+Index: strongswan-5.2.1/src/starter/confread.c
+===================================================================
+--- strongswan-5.2.1.orig/src/starter/confread.c
++++ strongswan-5.2.1/src/starter/confread.c
+@@ -43,7 +43,7 @@
+ static const char ike_defaults[] = "aes128-sha1-modp2048,3des-sha1-modp1536";
+ static const char esp_defaults[] = "aes128-sha1,3des-sha1";
+
+-static const char firewall_defaults[] = IPSEC_SCRIPT " _updown iptables";
++static const char firewall_defaults[] = IPSEC_SBINDIR "/" IPSEC_SCRIPT " _updown iptables";
+
+ /**
+ * Provided by GPERF
+Index: strongswan-5.2.1/src/starter/Makefile.am
+===================================================================
+--- strongswan-5.2.1.orig/src/starter/Makefile.am
++++ strongswan-5.2.1/src/starter/Makefile.am
+@@ -18,10 +18,12 @@ AM_CPPFLAGS = \
+ -I$(top_srcdir)/src/libhydra \
+ -I$(top_srcdir)/src/starter \
+ -I$(top_srcdir)/src/stroke \
+- -DIPSEC_DIR=\"${ipsecdir}\" \
++ -DIPSEC_BINDIR=\"${bindir}\" \
+ -DIPSEC_CONFDIR=\"${sysconfdir}\" \
+- -DIPSEC_PIDDIR=\"${piddir}\" \
++ -DIPSEC_DIR=\"${ipsecdir}\" \
+ -DIPSEC_EAPDIR=\"${eapdir}\" \
++ -DIPSEC_PIDDIR=\"${piddir}\" \
++ -DIPSEC_SBINDIR=\"${sbindir}\" \
+ -DIPSEC_SCRIPT=\"${ipsec_script}\" \
+ -DDEV_RANDOM=\"${random_device}\" \
+ -DDEV_URANDOM=\"${urandom_device}\" \
diff --git a/pkgs/tools/networking/strongswan/updown-path.patch b/pkgs/tools/networking/strongswan/updown-path.patch
new file mode 100644
index 000000000000..f01da7d7bce6
--- /dev/null
+++ b/pkgs/tools/networking/strongswan/updown-path.patch
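Review bot: The Makefile.am half of the patch defines `IPSEC_BINDIR` next to `IPSEC_SBINDIR`, but only `IPSEC_SBINDIR` is consumed by the confread.c change (`IPSEC_SBINDIR "/" IPSEC_SCRIPT " _updown iptables"`), so as far as this patch shows `-DIPSEC_BINDIR=\"${bindir}\" \` is dead. Either drop that line or state in the patch header what uses it, so whoever rebases this onto a newer strongSwan is not left guessing whether it is load-bearing. Making the default `leftupdown` helper an absolute path is itself the right call: the starter no longer depends on a PATH lookup to find the script that later runs with the daemon's privileges, which is worth saying in a comment above `firewall_defaults`.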
@@ -0,0 +1,26 @@
+Index: strongswan-5.2.1/src/_updown/_updown.in
+===================================================================
+--- strongswan-5.2.1.orig/src/_updown/_updown.in
++++ strongswan-5.2.1/src/_updown/_updown.in
+@@ -125,7 +125,7 @@
+ #
+
+ # define a minimum PATH environment in case it is not set
+-PATH="/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@"
++PATH="${PATH:-/sbin:/bin:/usr/sbin:/usr/bin}"
+ export PATH
+
+ # uncomment to log VPN connections
+Index: strongswan-5.2.1/src/libcharon/plugins/updown/updown_listener.c
+===================================================================
+--- strongswan-5.2.1.orig/src/libcharon/plugins/updown/updown_listener.c
++++ strongswan-5.2.1/src/libcharon/plugins/updown/updown_listener.c
+@@ -240,6 +240,8 @@ static void invoke_once(private_updown_l
+ process_t *process;
+ char *envp[128] = {};
+
++ push_env(envp, countof(envp), "PATH=%s", getenv("PATH"));
++
+ me = ike_sa->get_my_host(ike_sa);
+ other = ike_sa->get_other_host(ike_sa);
+
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index fcf8c8147c28..91a70516eb0e 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -252,7 +252,7 @@ let
 };
 autoreconfHook = makeSetupHook
- { substitutions = { inherit autoconf automake libtool; }; }
+ { substitutions = { inherit autoconf automake libtool gettext; }; }
 ../build-support/setup-hooks/autoreconf.sh;
 buildEnv = import ../build-support/buildenv {
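Review bot: `PATH="${PATH:-/sbin:/bin:/usr/sbin:/usr/bin}"` turns the old fixed minimum into a mere fallback, so `_updown`, which runs with charon's privileges and invokes `ip`/`iptables`, now resolves commands from whatever PATH it inherits, and the updown_listener.c half of the same patch forwards the daemon's PATH unconditionally, making charon's launch environment part of the trusted base. That is acceptable under the systemd unit but should be stated above the line: `# honour the PATH charon forwards (updown_listener.c) so store-path tools resolve; fall back to the historic minimum`. The new fallback also silently drops `@sbindir@`, which the old value included; if anything this script calls lives there, restore it with `PATH="${PATH:-/sbin:/bin:/usr/sbin:/usr/bin:@sbindir@}"`. In the C half, `push_env(envp, countof(envp), "PATH=%s", getenv("PATH"));` passes a null pointer to `%s` when the daemon has no PATH, so guard it with `const char *path = getenv("PATH"); if (path) push_env(envp, countof(envp), "PATH=%s", path);`. Both `_updown` and `invoke_once` continue outside the hunk.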