authorVincent Ambo <mail@tazj.in>2022-02-03T22·53+0300
committertazjin <tazjin@tvl.su>2022-02-03T23·08+0000
commit8099c11a121f47bd3a54fab7b6c53fa162c830bc (patch)
tree6fbf287d819a2722b25afd7cd3fd92f2172c6511
parent7fcede0c5bd50f6790a99081c006134848ae0f75 (diff)
fix(tazjin/tverskoy): Downgrade strongswan to 5.9.4 r/3757
Comments contain all the relevant info.

Change-Id: I6d4a715889b562dc79148314092f698ceefcac88
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5221
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
-rw-r--r--third_party/overlays/strongswan-workaround.nix25
-rw-r--r--users/tazjin/nixos/tverskoy/default.nix6
2 files changed, 31 insertions, 0 deletions
diff --git a/third_party/overlays/strongswan-workaround.nix b/third_party/overlays/strongswan-workaround.nix
new file mode 100644
index 000000000000..a5c3c26ec981
--- /dev/null
+++ b/third_party/overlays/strongswan-workaround.nix
@@ -0,0 +1,25 @@
+# Workaround for an issue where strongswan 5.9.5 can not connect to
+# some servers that do not have a mitigation for CVE-2021-45079
+# applied.
+#
+# Of course ideally the servers would be patched, but the world is not
+# ideal.
+#
+# Only intended for use by //users/tazjin/nixos/...
+{ ... }:
+
+self: super: {
+  # Downgrade strongswan to 5.9.4
+  #
+  # See https://github.com/NixOS/nixpkgs/pull/156567
+  strongswan = super.strongswan.overrideAttrs (_: rec {
+    version = "5.9.4";
+
+    src = self.fetchFromGitHub {
+      owner = "strongswan";
+      repo = "strongswan";
+      rev = version;
+      sha256 = "1y1gs232x7hsbccjga9nbkf4bbi5wxazlkg00qd2v1nz86sfy4cd";
+    };
+  });
+}
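Review bot: The header comment explains why 5.9.5 fails against unpatched servers but never states the flip side: pinning 5.9.4 keeps the client on a release that, by the comment's own framing, predates the 5.9.5 mitigation for CVE-2021-45079, and nothing in the file says when the pin is meant to go away. Since this overlay is the only place that knowledge lives, the trade-off and the removal condition belong in the comment next to the `strongswan =` override, e.g. `# NOTE: 5.9.4 is the release before the CVE-2021-45079 fix landed; remove this overlay as soon as the affected servers are patched.`. The pinned `sha256` and `rev = version` are good; if the pin is expected to outlive the next nixpkgs bump it would also be worth noting that `overrideAttrs` leaves any 5.9.5-specific patches from `super.strongswan` in place, which may or may not apply cleanly to the older source.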
diff --git a/users/tazjin/nixos/tverskoy/default.nix b/users/tazjin/nixos/tverskoy/default.nix
index 86cc3fba68f5..19675fd4273c 100644
--- a/users/tazjin/nixos/tverskoy/default.nix
+++ b/users/tazjin/nixos/tverskoy/default.nix
@@ -25,6 +25,12 @@ lib.fix (self: {
 
   tvl.cache.enable = true;
 
+  # Work around strongswan 5.9.4 being incompatible with servers not
+  # patched against some CVE. I need this for work ..
+  nixpkgs.overlays = [
+    depot.third_party.overlays.strongswan-workaround
+  ];
+
   boot = rec {
     initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
     initrd.kernelModules = [ ];
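Review bot: The comment above `nixpkgs.overlays` names the wrong version — it says 5.9.4 is the incompatible release, while the overlay it imports documents 5.9.5 as the one that cannot connect and 5.9.4 as the downgrade target — and "some CVE" drops the identifier the overlay gives. Suggest `# Work around strongswan 5.9.5 being incompatible with servers not` / `# patched against CVE-2021-45079. I need this for work ..` so a reader of this file does not have to open the overlay to learn which version is actually installed. The enclosing `lib.fix (self: { ... })` attribute set starts and ends outside the hunk.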