ocserv: init at 0.12.1 #42871
Conversation
@tenten8401 before somebody merges this, is this patch sufficient for your use-case?

the CI fails since

@GrahamcOfBorg eval

I'll have a look at it, although I do feel that the service should be renamed from "ocserv-server" just to "ocserv", since serv is in the name already.
Success on x86_64-linux. Attempted: ocserv

Success on aarch64-linux. Attempted: ocserv

Success on aarch64-linux. Attempted: ocserv

Success on x86_64-linux. Attempted: ocserv
Haven't forgotten about this, just haven't had time to test it. Still working on it.

Thanks a lot for your feedback! I'll have a look at it again in the next days to hopefully fix this :)

@tenten8401 I slightly changed the patch, the service now starts by default and

Sure thing.
Success on x86_64-linux. Attempted: ocserv

Success on aarch64-linux. Attempted: ocserv
3 things I've noticed so far:
`ocserv` is a VPN server which follows the openconnect protocol (https://github.com/openconnect/protocol). The packaging is slightly inspired by the AUR version (https://aur.archlinux.org/packages/ocserv/).

This patch initializes the package written in C, the man pages and a module for a simple systemd unit to run the VPN server. The package supports the following authentication methods for the server:

* `plain` (mostly username/password)
* `pam`

The third method (`radius`) is currently not supported since `nixpkgs` is missing a packaged client.

The module can be used like this:

```nix
{
  services.ocserv = {
    enable = true;
    config = ''
      ...
    '';
  };
}
```

The option `services.ocserv.config` is required on purpose to ensure that nobody just enables the service and experiences unexpected side-effects on the system. For a full reference, please refer to the man pages, the online docs or the example value.

The docs recommend simply using `nobody` as the user, so no extra user has been added to the internal user list. Instead a configuration like this can be used:

```
run-as-user = nobody
run-as-group = nogroup
```

/cc @tenten8401

Fixes NixOS#42594
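As an added example, not taken from this PR or from the ocserv project's own sample configuration: a fuller `services.ocserv.config` value for the module described above that wires the `plain` backend to a password file, binds the listener, and drops the worker processes to `nobody`/`nogroup` as the description recommends. The certificate and key paths, the password-file path, the VPN subnet, the DNS server and the client limits are assumptions chosen for illustration; the option names are ocserv's documented `ocserv.conf` keys.

```nix
{
  # Added example: a complete NixOS configuration for the module introduced
  # in this PR. Every path, the subnet, the DNS server and the numeric limits
  # below are assumptions, not values from the PR.
  services.ocserv = {
    enable = true;
    config = ''
      # "plain" backend: credentials come from a file created with
      # `ocpasswd -c /etc/ocserv/ocpasswd <user>` (path assumed).
      auth = "plain[passwd=/etc/ocserv/ocpasswd]"

      tcp-port = 443
      udp-port = 443

      # Privilege separation: the main process keeps root for the tun
      # device and the key, worker processes run as this unprivileged
      # user and group (the identity the PR description recommends).
      run-as-user = nobody
      run-as-group = nogroup
      isolate-workers = true

      # Server certificate and private key (paths assumed; the key only
      # needs to be readable by root, not by `nobody`).
      server-cert = /etc/ocserv/server-cert.pem
      server-key = /etc/ocserv/server-key.pem

      # GnuTLS priority string: server picks the cipher suite, SSL 3.0 off.
      tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"

      # Brute-force mitigation and session limits (values assumed).
      max-ban-score = 50
      ban-reset-time = 300
      auth-timeout = 240
      min-reauth-time = 300
      max-clients = 16
      max-same-clients = 2

      socket-file = /var/run/ocserv-socket
      pid-file = /var/run/ocserv.pid
      use-occtl = true

      # Client address pool and the single route pushed to clients
      # (documentation subnet used as a placeholder).
      device = vpns
      ipv4-network = 192.0.2.0
      ipv4-netmask = 255.255.255.0
      dns = 192.0.2.1
      route = 192.0.2.0/255.255.255.0
    '';
  };
}
```

`ocpasswd` ships with the ocserv package, so the password file can be created on the host after the first rebuild; because the file and the private key are read by the root-owned main process rather than by the workers, neither needs to be readable by `nobody`. Pushing an explicit `route` instead of `route = default` keeps the client's other traffic off the tunnel unless that is the intent.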
good catch! I had this in my VM config and forgot to put it into the actual module :)
dammit, sorry :/

Success on x86_64-linux. Attempted: ocserv

Success on aarch64-linux. Attempted: ocserv
Don't worry about it, I could easily see myself making the same mistakes. I'll test your new commit once more and get back to you on how well it works.

Seems like it works as expected, with me typing this to you connected to ocserv.

Just thought I'd let anyone know this is basically ready to be looked at and merged, I'm pretty sure.

@GrahamcOfBorg build ocserv
Success on x86_64-linux. Attempted: ocserv

Success on aarch64-linux. Attempted: ocserv

No attempt on x86_64-darwin. The following builds were skipped because they don't evaluate on x86_64-darwin: ocserv
Things done

* Tested using sandboxing (option `sandbox` in `nix.conf` on non-NixOS)
* Tested compilation of all pkgs that depend on this change using `nix-shell -p nox --run "nox-review wip"`
* Tested execution of all binary files (usually in `./result/bin/`)
* Determined the impact on package closure size (by running `nix path-info -S` before and after)