nixos/system/boot/initrd-openvpn: New openvpn options for initrd #63165
Conversation
|
I like this - I don't have a need for it, but it looks like the right thing to do. The only thing that concerns me is stuff that messes around with initrd without a test. Something basic would be fine as long as we are sure that enabling this doesn't break booting. |
|
I'll have a look into writing a test and will add it as soon as it is ready. |
|
Would it make sense to squash the two commits, as they both just add tests (and one commit consumes the other one)? |
|
This is cool! I'm still a bit -1 on this though. While we don't have any formal criteria for inclusion/exclusion of features, I think this is a use case specific and rare enough that it will only be used by you and might be better off in your personal config than in nixpkgs. |
|
I support this. I think the usecase is not too niche. Now you need a possibility to connect to the homeserver and unlock the disks. |
|
I'm also a big fan of this PR, sadly I couldn't test it because of general busyness. Codewise it looks good to me. |
|
@Amarandus, can you get someone else to test it as well (again due it messing with the boot process) to make sure all is good? Maybe a post on https://discourse.nixos.org if you don't have anyone at hand to try it out? |
|
Thank you for your contributions.
|
stale
bot
added
the
2.status: stale
stale
bot
removed
the
2.status: stale
CRTified
force-pushed
the
module/initrd-ovpn
branch
from
fb5414a
to
840428b
Compare
nixos/tests/initrd-openvpn: Add test for openvpn in the initramfs
The module in this commit adds new options that allows the
integration of an OpenVPN client into the initrd.
This can be used e.g. to remotely unlock LUKS devices.
This commit also adds two tests for `boot.initrd.network.openvpn`.
The first one is a basic test to validate that a failing connection
does not prevent the machine from booting.
The second test validates that this module actually creates a valid
openvpn connection.
For this, it spawns three nodes:
- The client that uses boot.initrd.network.openvpn
- An OpenVPN server that acts as gateway and forwards a port
to the client
- A node that is external to the OpenVPN network
The client connects to the OpenVPN server and spawns a netcat instance
that echos a value to every client.
Afterwards, the external node checks if it receives this value over the
forwarded port on the OpenVPN gateway.
CRTified
force-pushed
the
module/initrd-ovpn
branch
from
840428b
to
c684398
Compare
|
So, I finally got time to update this PR and squashed the commits together.
|
ofborg
bot
added
10.rebuild-linux: 1-10
10.rebuild-linux: 1
and removed
10.rebuild-linux: 0
labels
The module in this commit adds new options that allows the integration of an OpenVPN client into the initrd.
Motivation for this change
The main motivation for this change is the ability to remotely unlock LUKS containers on hosts that are behind a restrictive firewall, but are able to connect to other hosts. Using a VPN connection allows that host to tunnel into a network that might be reachable by external devices (either by providing a public IPv4/6 address or by connecting into a private VPN).
Things done
sandboxinnix.confon non-NixOS)nix-shell -p nix-review --run "nix-review wip"./result/bin/)nix path-info -Sbefore and after)