nordvpn: init at 3.15.5 #220616
nordvpn: init at 3.15.5 #220616
Conversation
e1c182c to
737c9f6
Compare
737c9f6 to
7c8200a
Compare
7c8200a to
2e37c87
Compare
|
This pull request has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/prs-ready-for-review/3032/1938 |
2e37c87 to
6b49b8b
Compare
|
Also tested. Working well! |
|
Not sure if this is an issue only on my end due to some other configuration, but I recently bumped my pkgs from 6b70761 -> 9938cdd , causing this package to stop building. Should mention that the package was building and fully functional before this. Anyways, I was able to quite easily fix it by adding |
f2ecebc to
077d47c
Compare
| Restart = "on-failure"; | ||
| RestartSec = 5; | ||
| RuntimeDirectory = "nordvpn"; | ||
| RuntimeDirectoryMode = "0750"; |
There was a problem hiding this comment.
This conflicts with the tmpfiles permissions. Why do you need tmpfiles for this and not just RuntimeDirectory ?
There was a problem hiding this comment.
hmm, you're right. Both the service and tmpfiles rule are taken directly from the files on the original .deb package. I'll remove the rule since it appears everything runs fine without it.
| ]; | ||
| }; | ||
|
|
||
| system.activationScripts.nordvpn = '' |
There was a problem hiding this comment.
- This shouldn't be an activation script but instead run through
ExecStartPrein the service definition. /var/lib/nordvpnshould be created usingStateDirectory.- This is the 3rd place you are creating
/run/nordvpn - I'm assuming that you are getting a lot of connection definition files from pkgs.nordvpn/var/lib/nordvpn, but you are not handling changes to those files from upstream.
| ]; | ||
| }; | ||
|
|
||
| in stdenv.mkDerivation { |
There was a problem hiding this comment.
This looks like a very round-about way of just merging nordVPNBase and nordVPNfhs. Can't you just pull it into a single derivation?
There was a problem hiding this comment.
This derivation is based of the ExpressVPN derivation, which uses the same pattern. How can they be merged together?
There was a problem hiding this comment.
Does merging the derivations together become easier if you build from source instead?
I tried my hand at modifying this PR to instead build from source. It still needs some work, but I'll post it here in case it can be of some help as a starting point
nordvpn/default.nix
```nix
{ autoPatchelfHook, buildFHSEnvChroot, dpkg, fetchFromGitHub, lib, stdenv, sysctl
, iptables, iproute2, procps, cacert, libxml2, libidn2, zlib, wireguard-tools, buildGoModule, pkg-config }:
let
pname = "nordvpn";
version = "3.16.3";
nordVPNCli = buildGoModule rec {
inherit pname version;
src = fetchFromGitHub {
owner = "NordSecurity";
repo = "nordvpn-linux";
rev = "301b667871e0e6a29415d9a56bcf3c12b1efadc5";
sha256 = "sha256-Kvoedrp1wpSGAZB0G6GZwp3lRYBNl6ZGuGBKkuz7nlE=";
};
vendorSha256 = "sha256-lLkx1tUSukOFFlFJh5qkfA0toYDnA3QdZLwhjjIaMPU=";
CGO_CFLAGS = "-g -O2 -D_FORTIFY_SOURCE=2";
CGO_LDFLAGS = "-Wl,-z,relro,-z,now";
CGO_ENABLED = 1;
LDFLAGS = ''
-X main.Version= \
-X main.Environment= \
-X main.Hash= \
-X main.Salt=
'';
buildInputs = [ libxml2 libidn2 ];
nativeBuildInputs = [ dpkg autoPatchelfHook stdenv.cc.cc.lib ];
buildPhase = ''
go build \
-buildmode=pie \
-tags=drop,moose,telio \
-ldflags "-s -w -linkmode=external ${LDFLAGS}" \
-o "bin/nordvpn" "/build/source/cmd/cli"
'';
};
nordVPNDaemon = buildGoModule rec {
inherit pname version;
src = fetchFromGitHub {
owner = "NordSecurity";
repo = "nordvpn-linux";
rev = "301b667871e0e6a29415d9a56bcf3c12b1efadc5";
sha256 = "sha256-Kvoedrp1wpSGAZB0G6GZwp3lRYBNl6ZGuGBKkuz7nlE=";
};
vendorSha256 = "sha256-lLkx1tUSukOFFlFJh5qkfA0toYDnA3QdZLwhjjIaMPU=";
CGO_CFLAGS = "-g -O2 -D_FORTIFY_SOURCE=2";
CGO_ENABLED = 1;
LDFLAGS = ''
-X main.Salt= \
-X main.Version= \
-X main.Environment= \
-X main.Arch= \
-X main.PackageType=
'';
buildInputs = [ libxml2 libidn2 ];
nativeBuildInputs = [ dpkg autoPatchelfHook stdenv.cc.cc.lib pkg-config ];
buildPhase = ''
go build \
-buildmode=pie \
-tags=drop \
-ldflags "-s -w -linkmode=external ${LDFLAGS}" \
-o "bin/nordvpnd" "/build/source/cmd/daemon"
'';
};
nordVPNfhs = buildFHSEnvChroot {
name = "nordvpnd";
runScript = "nordvpnd";
# hardcoded path to /sbin/ip
targetPkgs = pkgs:
with pkgs; [
nordVPNCli
nordVPNDaemon
sysctl
iptables
iproute2
procps
cacert
libxml2
libidn2
zlib
wireguard-tools
];
};
in stdenv.mkDerivation {
inherit pname version;
dontUnpack = true;
dontConfigure = true;
dontBuild = true;
# DISCUSS: did we break the man pages?
# DISCUSS: what comes from /var ?
installPhase = ''
runHook preInstall
mkdir -p $out/bin $out/share
ln -s ${nordVPNCli}/bin/nordvpn $out/bin
ln -s ${nordVPNfhs}/bin/nordvpnd $out/bin
ln -s ${nordVPNCli}/share/* $out/share/
ln -s ${nordVPNCli}/var $out/
runHook postInstall
'';
meta = with lib; {
description = "CLI client for NordVPN";
homepage = "https://www.nordvpn.com";
license = licenses.gpl3Only;
maintainers = with maintainers; [ LuisChDev ];
platforms = [ "aarch64-linux" "x86_64-linux" ];
};
}
```
| nordVPNBase = stdenv.mkDerivation { | ||
| inherit pname version; | ||
|
|
||
| src = fetchurl { |
There was a problem hiding this comment.
Is the no source code available (I assume no due to the unfree license) we can build from instead?
There was a problem hiding this comment.
no, unfortunately.
There was a problem hiding this comment.
I stumbled upon what I think is the NordVPN Linux client source at https://github.com/NordSecurity/nordvpn-linux.
There was a problem hiding this comment.
@solreynolds :O you're right. How could I miss that? Well, I'll try my hand at building the package, probably this week or next weekend...
| @@ -0,0 +1,82 @@ | |||
| { autoPatchelfHook, buildFHSEnv, dpkg, fetchurl, lib, stdenv, sysctl | |||
| , iptables, iproute2, procps, cacert, libxml2, libidn2, zlib, wireguard-tools }: | |||
There was a problem hiding this comment.
The dependencies here are taken from the .deb package, which states: Depends: iptables, iproute2 | iproute, procps, ca-certificates, libxml2, libidn2-0, zlib1g, plus wireguard-tools which is stated by the arch wiki to be a dependency. I'm currently connecte using the openvpn setting, so it works. maybe it comes bundled together inside
|
|
||
| unpackPhase = '' | ||
| runHook preUnpack | ||
| dpkg --fsys-tarfile $src | tar --extract |
There was a problem hiding this comment.
I think you can pass --extract or similar instead of javing to pipe it to tar.
|
|
||
| installPhase = '' | ||
| runHook preInstall | ||
| mv usr/ $out/ |
| installPhase = '' | ||
| runHook preInstall | ||
| mv usr/ $out/ | ||
| mv var/ $out/ |
There was a problem hiding this comment.
If it's just connection profiles in $out/var, put them into $out/etc.
There was a problem hiding this comment.
there is a bunch of files in /var/lib/nordvpn including a public key, which are assumed by the daemon to be in this folder.
|
Hello. In trying to apply @Toalaah 's fix to the PR (Thank you! :) ) I ran into a different problem: as of #225748, It took me a while to figure out why I was getting a "read-only file system" error... what's happening is that under the new FHSEnv, since the nordvpn base package includes a I will have to figure out how to fix this using the new FHS environment, when I have time, probably on the weekend. In the meantime, I'll revert the changes so that it remains usable on earlier versions of nixpkgs. Thank you for your patience :) |
|
not force-pushing again. sorry about that |
92ab7a7 to
daaec93
Compare
|
BTW, for anyone keeping track of this PR, I uploaded an earlier version of this package and module in the NUR. |
| @@ -0,0 +1,45 @@ | |||
| { config, lib, pkgs, ... }: | |||
|
|
|||
| with lib; { | |||
There was a problem hiding this comment.
Can you please remove the statement with lib; ?
| meta = with lib; { | ||
| description = "CLI client for NordVPN"; | ||
| homepage = "https://www.nordvpn.com"; | ||
| license = licenses.unfree; |
There was a problem hiding this comment.
The Nord client is GPLv3. Only their platform is paid and closed, the client can be used to connect to another provider or a self-hosted server.
It seems to me like the same situation as Pulumi, where the client is open and the platform which it connects by default isn't. Pulumi is not marked as unfree so I think the Nord should also not be unfree
|
Hi all! @LuisChDev Thanks for the effort getting this far! Any thing I can help to get this PR over the line? I'm able to set this up locally, VPN connection seems to be working. However, when trying to enable mesh I get the following in journalctl: |
Use implementation from: NixOS/nixpkgs#220616
|
I included this PR on my configuration and enabled the new service. The CLI works without errors and a VPN connection appears on the network toolbar, but nothing can reach the internet while the VPN is on. https://asciinema.org/a/622115 Some logs that pop to my eye looking at Nothing fancy in my attempt, just wired in this PR: Fryuni/config-files@fe89e16 I tried disabling my encrypted DNS in case that was conflicting but had no luck, still doesn't work. |
|
Hello everyone following this PR. Sorry for taking this long. As it turns out, the source code for bot daemon and CLI client is available and GPL-licensed. I'm taking a look into it, currently getting this error: |
|
I'm kind of hoping we can have this done at some point.. Thanks for the work up until now it looks really good, and I also tried to check out your NUR repo. Although that one doesn't seem to work at all, as it doesn't find the nordvpnd socket. Really looking forward to this- |
|
Linking this too for anyone disappointed coming by: https://gist.github.com/myypo/31c52196f7987ef62f54092cb07aefd7 |
I usually need to |
|
Superseded by #406725 |
Description of changes
started to work on this before knowing that there is #132082 :(. oh well.
everything seems to work (regular servers, P2P, Double VPN, onion over VPN, etc.),
as long as you follow the instructions on the NixOS module.
The dependencies were taken from the NordVPN .deb package, and the Arch wiki
Things done
sandbox = trueset innix.conf? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)