From 834ec135ce71cdc93aba9e98cf67f42e41502f32 Mon Sep 17 00:00:00 2001
From: Will Fancher
Date: Fri, 17 Feb 2023 07:47:40 -0500
Subject: systemd-initrd: OpenVPN

---
 nixos/modules/system/boot/initrd-openvpn.nix | 21 ++++++++++++++++++---
 nixos/tests/all-tests.nix | 1 +
 nixos/tests/initrd-network-openvpn/default.nix | 18 ++++++++++++++++++
 3 files changed, 37 insertions(+), 3 deletions(-)
(limited to 'nixos')

diff --git a/nixos/modules/system/boot/initrd-openvpn.nix b/nixos/modules/system/boot/initrd-openvpn.nix
index cbc61d55d6bb3..2530240628e42 100644
--- a/nixos/modules/system/boot/initrd-openvpn.nix
+++ b/nixos/modules/system/boot/initrd-openvpn.nix
@@ -51,7 +51,7 @@ in
 # Add openvpn and ip binaries to the initrd
 # The shared libraries are required for DNS resolution
- boot.initrd.extraUtilsCommands = ''
+ boot.initrd.extraUtilsCommands = mkIf (!config.boot.initrd.systemd.enable) ''
 copy_bin_and_libs ${pkgs.openvpn}/bin/openvpn
 copy_bin_and_libs ${pkgs.iproute2}/bin/ip
@@ -59,18 +59,33 @@ in
 cp -pv ${pkgs.glibc}/lib/libnss_dns.so.2 $out/lib
 '';
+ boot.initrd.systemd.storePaths = [
+ "${pkgs.openvpn}/bin/openvpn"
+ "${pkgs.iproute2}/bin/ip"
+ "${pkgs.glibc}/lib/libresolv.so.2"
+ "${pkgs.glibc}/lib/libnss_dns.so.2"
+ ];
+
 boot.initrd.secrets = {
 "/etc/initrd.ovpn" = cfg.configuration;
 };
 # openvpn --version would exit with 1 instead of 0
- boot.initrd.extraUtilsCommandsTest = ''
+ boot.initrd.extraUtilsCommandsTest = mkIf (!config.boot.initrd.systemd.enable) ''
 $out/bin/openvpn --show-gateway
 '';
- boot.initrd.network.postCommands = ''
+ boot.initrd.network.postCommands = mkIf (!config.boot.initrd.systemd.enable) ''
 openvpn /etc/initrd.ovpn &
 '';
+
+ boot.initrd.systemd.services.openvpn = {
+ wantedBy = [ "initrd.target" ];
+ path = [ pkgs.iproute2 ];
+ after = [ "network.target" "initrd-nixos-copy-secrets.service" ];
+ serviceConfig.ExecStart = "${pkgs.openvpn}/bin/openvpn /etc/initrd.ovpn";
+ serviceConfig.Type = "notify";
+ };
 };
 }
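Review bot: The new `boot.initrd.systemd.services.openvpn` unit lists `initrd-nixos-copy-secrets.service` and `network.target` only in `after`, with no `wants`/`requires`, so the ordering holds only if something else already pulls those units into the initrd transaction; and in a networkd-based initrd `network.target` does not mean an address is configured, so the first resolve/connect attempt may run on an unconfigured link and depend on OpenVPN's own retry behaviour. Consider `requires = [ "initrd-nixos-copy-secrets.service" ];` next to the existing `after`, and `network-online.target` with a matching `wants` if later initrd units rely on the tunnel being up. `serviceConfig.Type = "notify"` presumes `pkgs.openvpn` is built with sd_notify support; if it is not, the unit stays in activating until the start timeout, which deserves a comment such as `# Type=notify: openvpn reports readiness once the tunnel is up (requires systemd support compiled in)`. The enclosing config attribute set begins outside the hunk.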
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 5771d1c3bc96d..95b67617fe971 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -679,6 +679,7 @@ in {
 systemd-initrd-vconsole = handleTest ./systemd-initrd-vconsole.nix {};
 systemd-initrd-networkd = handleTest ./systemd-initrd-networkd.nix {};
 systemd-initrd-networkd-ssh = handleTest ./systemd-initrd-networkd-ssh.nix {};
+ systemd-initrd-networkd-openvpn = handleTest ./initrd-network-openvpn { systemdStage1 = true; };
 systemd-journal = handleTest ./systemd-journal.nix {};
 systemd-machinectl = handleTest ./systemd-machinectl.nix {};
 systemd-networkd = handleTest ./systemd-networkd.nix {};
diff --git a/nixos/tests/initrd-network-openvpn/default.nix b/nixos/tests/initrd-network-openvpn/default.nix
index 1150e2dc5b0d2..769049905eb8c 100644
--- a/nixos/tests/initrd-network-openvpn/default.nix
+++ b/nixos/tests/initrd-network-openvpn/default.nix
@@ -1,3 +1,9 @@
+{ system ? builtins.currentSystem
+, config ? {}
+, pkgs ? import ../.. { inherit system config; }
+, systemdStage1 ? false
+}:
+
 import ../make-test-python.nix ({ lib, ...}:
 {
@@ -22,6 +28,7 @@ import ../make-test-python.nix ({ lib, ...}:
 minimalboot = { ... }: {
+ boot.initrd.systemd.enable = systemdStage1;
 boot.initrd.network = {
 enable = true;
 openvpn = {
@@ -39,6 +46,17 @@ import ../make-test-python.nix ({ lib, ...}:
 virtualisation.vlans = [ 1 ];
 boot.initrd = {
+ systemd.enable = systemdStage1;
+ systemd.extraBin.nc = "${pkgs.busybox}/bin/nc";
+ systemd.services.nc = {
+ requiredBy = ["initrd.target"];
+ after = ["network.target"];
+ serviceConfig = {
+ ExecStart = "/bin/nc -p 1234 -lke /bin/echo TESTVALUE";
+ Type = "oneshot";
+ };
+ };
+
 # This command does not fork to keep the VM in the state where
 # only the initramfs is loaded
 preLVMCommands =
--
cgit 1.4.1
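Review bot: `Type = "oneshot"` on the new `systemd.services.nc` unit, combined with `-lk` (keep listening), means the unit never leaves activating, and since it is `requiredBy` `initrd.target` the target is held back; that looks intentional (it mirrors the non-forking `preLVMCommands` comment just below), but nothing in the unit says so. Suggest a comment above `systemd.services.nc`, e.g. `# Deliberately never exits: as a oneshot required by initrd.target it keeps the VM parked in the initramfs so the test can reach the listener.` The `ExecStart` line also relies on `/bin/echo` being present inside the initrd while only `nc` is added through `systemd.extraBin`; if the systemd stage-1 image does not already ship echo, `-e /bin/echo` will fail at connect time, so confirm it or add an `extraBin` entry for it. The enclosing `boot.initrd` attribute set continues past the hunk.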