nixos/openvpn3: Add support for systemd-resolved

I noticed that openvpn3 is been clobbering my `/etc/resolv.conf` file. I dug around a bit, and it turns out that upstream actually does have support for systemd-resolved. I think it makes sense for us to automatically enable that feature if the system is configured to use systemd-resolved. I opted to not change the default behavior of `pkgs.openvpn3`, but can easily be convinced to change that if folks think I should.
2023-07-08 17:16:17 -07:00 · 2023-07-08 17:16:17 -07:00 · 7ee5699496
commit 7ee5699496
parent 8b6e86b473
3 changed files with 26 additions and 4 deletions
--- a/nixos/doc/manual/release-notes/rl-2311.section.md
+++ b/nixos/doc/manual/release-notes/rl-2311.section.md
@ -320,6 +320,8 @@

 - The `fonts.fonts` and `fonts.enableDefaultFonts` options have been renamed to `fonts.packages` and `fonts.enableDefaultPackages` respectively.

+- `pkgs.openvpn3` now optionally supports systemd-resolved. `programs.openvpn3` will automatically enable systemd-resolved support if `config.services.resolved.enable` is enabled.
+
 - `services.fail2ban.jails` can now be configured with attribute sets defining settings and filters instead of lines. The stringed options `daemonConfig` and `extraSettings` have respectively been replaced by `daemonSettings` and `jails.DEFAULT.settings` which use attribute sets.

 - The application firewall `opensnitch` now uses the process monitor method eBPF as default as recommended by upstream. The method can be changed with the setting [services.opensnitch.settings.ProcMonitorMethod](#opt-services.opensnitch.settings.ProcMonitorMethod).
--- a/nixos/modules/programs/openvpn3.nix
+++ b/nixos/modules/programs/openvpn3.nix
@ -8,11 +8,23 @@ in
 {
  options.programs.openvpn3 = {
    enable = mkEnableOption (lib.mdDoc "the openvpn3 client");
+    package = mkOption {
+      type = types.package;
+      default = pkgs.openvpn3.override {
+        enableSystemdResolved = config.services.resolved.enable;
+      };
+      defaultText = literalExpression ''pkgs.openvpn3.override {
+        enableSystemdResolved = config.services.resolved.enable;
+      }'';
+      description = lib.mdDoc ''
+        Which package to use for `openvpn3`.
+      '';
+    };
  };

  config = mkIf cfg.enable {
-    services.dbus.packages = with pkgs; [
-      openvpn3
+    services.dbus.packages = [
+      cfg.package
    ];

    users.users.openvpn = {
@ -25,8 +37,8 @@ in
      gid = config.ids.gids.openvpn;
    };

-    environment.systemPackages = with pkgs; [
-      openvpn3
+    environment.systemPackages = [
+      cfg.package
    ];
  };

--- a/pkgs/tools/networking/openvpn3/default.nix
+++ b/pkgs/tools/networking/openvpn3/default.nix
@ -15,6 +15,8 @@
 , pkg-config
 , protobuf
 , python3
+, systemd
+, enableSystemdResolved ? false
 , tinyxml-2
 , wrapGAppsHook
 }:
@ -80,6 +82,8 @@ stdenv.mkDerivation rec {
    openssl
    protobuf
    tinyxml-2
+  ] ++ lib.optionals enableSystemdResolved [
+    systemd
  ];

  # runtime deps
@ -101,6 +105,10 @@ stdenv.mkDerivation rec {
    "--enable-addons-aws"
    "--disable-selinux-build"
    "--disable-build-test-progs"
+  ] ++ lib.optionals enableSystemdResolved [
+    # This defaults to --resolv-conf /etc/resolv.conf. See
+    # https://github.com/OpenVPN/openvpn3-linux/blob/v20/configure.ac#L434
+    "DEFAULT_DNS_RESOLVER=--systemd-resolved"
  ];

  NIX_LDFLAGS = "-lpthread";