-rw-r--r-- | third_party/overlays/strongswan-workaround.nix | 25 | ||||
-rw-r--r-- | users/tazjin/nixos/tverskoy/default.nix | 6 |
2 files changed, 31 insertions, 0 deletions
diff --git a/third_party/overlays/strongswan-workaround.nix b/third_party/overlays/strongswan-workaround.nix
new file mode 100644
index 000000000000..a5c3c26ec981
--- /dev/null
+++ b/third_party/overlays/strongswan-workaround.nix
@@ -0,0 +1,25 @@
+# Workaround for an issue where strongswan 5.9.5 can not connect to
+# some servers that do not have a mitigation for CVE-2021-45079
+# applied.
+#
+# Of course ideally the servers would be patched, but the world is not
+# ideal.
+#
+# Only intended for use by //users/tazjin/nixos/...
+{ ... }:
+
+self: super: {
+ # Downgrade strongswan to 5.9.4
+ #
+ # See https://github.com/NixOS/nixpkgs/pull/156567
+ strongswan = super.strongswan.overrideAttrs (_: rec {
+ version = "5.9.4";
+
+ src = self.fetchFromGitHub {
+ owner = "strongswan";
+ repo = "strongswan";
+ rev = version;
+ sha256 = "1y1gs232x7hsbccjga9nbkf4bbi5wxazlkg00qd2v1nz86sfy4cd";
+ };
+ });
+}
diff --git a/users/tazjin/nixos/tverskoy/default.nix b/users/tazjin/nixos/tverskoy/default.nix
index 86cc3fba68f5..19675fd4273c 100644
--- a/users/tazjin/nixos/tverskoy/default.nix
+++ b/users/tazjin/nixos/tverskoy/default.nix
@@ -25,6 +25,12 @@ lib.fix (self: {
 tvl.cache.enable = true;
+ # Work around strongswan 5.9.4 being incompatible with servers not
+ # patched against some CVE. I need this for work ..
+ nixpkgs.overlays = [
+ depot.third_party.overlays.strongswan-workaround
+ ];
+
 boot = rec {
 initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
 initrd.kernelModules = [ ];
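Review bot: Pinning `version = "5.9.4"` in this overlay moves the client back to a release that predates the mitigation for CVE-2021-45079 named in the header comment, so any host applying the overlay gives up whatever client-side protection 5.9.5 added; the header only states the interoperability motivation, not this trade-off. Proposed addition after the `# applied.` line: `# NOTE: this reverts the client-side fix for that CVE on every host using the overlay; drop it once the peers are patched.` The `overrideAttrs` call replaces only `version` and `src`, so any patches the nixpkgs derivation carries for 5.9.5 would presumably still be applied to the 5.9.4 tree; worth confirming the build has none that conflict. Since the overlay is explicitly scoped to one user's hosts, a removal condition in the comment would make it easier to notice when the workaround is no longer needed.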
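Review bot: The comment added above `nixpkgs.overlays` names strongswan 5.9.4 as the incompatible version, but the overlay it pulls in downgrades to 5.9.4 precisely because 5.9.5 is the release that fails to connect, so the two comments contradict each other. It should read `# Work around strongswan 5.9.5 being incompatible with servers not` followed by `# patched against CVE-2021-45079. I need this for work ..` rather than "some CVE", so the host configuration itself records that it is deliberately running a strongswan without that fix. The enclosing `lib.fix (self: { ... })` attribute set begins before and ends after this hunk.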