movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-11 04:05:40 +03:00
Code Issues Projects Releases Packages Wiki Activity

cato: init at 5.2.1.1

Browse source
This commit is contained in:
Yarek 2024-09-04 13:38:56 +01:00
parent 8d18fff192
commit b30f23ae54
No known key found for this signature in database
GPG key ID: 8988C702ACDA19EB
3 changed files with 145 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
nixos/modules/module-list.nix
View file

@ -988,6 +988,7 @@
./services/networking/bitlbee.nix
./services/networking/blockbook-frontend.nix
./services/networking/blocky.nix
./services/networking/cato-client.nix
./services/networking/centrifugo.nix
./services/networking/cgit.nix
./services/networking/charybdis.nix

75
nixos/modules/services/networking/cato-client.nix Normal file
View file

@ -0,0 +1,75 @@
{
config,
pkgs,
lib,
...
}:
let
inherit (lib) mkIf mkEnableOption mkPackageOption;
cfg = config.services.cato-client;
in
{
options.services.cato-client = {
enable = mkEnableOption "cato-client service";
package = mkPackageOption pkgs "cato-client" { };
};
config = mkIf cfg.enable {
users = {
groups.cato-client = { };
};
environment.systemPackages = [
cfg.package
];
systemd.services.cato-client = {
enable = true;
description = "Cato Networks Linux client - connects tunnel to Cato cloud";
after = [ "network.target" ];
serviceConfig = {
Type = "simple";
User = "root"; # Note: daemon runs as root, tools sticky to group
Group = "cato-client";
ExecStart = "${cfg.package}/bin/cato-clientd systemd";
WorkingDirectory = "${cfg.package}";
Restart = "always";
# Cato client seems to do the following:
# - Look in each user's ~/.cato/ for configuration and keys
# - Write to /var/log/cato-client.log
# - Create and use sockets /var/run/cato-sdp.i, /var/run/cato-sdp.o
# - Read and Write to /opt/cato/ for runtime settings
# - Read /etc/systemd/resolved.conf (but fine if fails)
# - Restart systemd-resolved (also fine if doesn't exist)
NoNewPrivileges = true;
PrivateTmp = true;
ProtectKernelTunables = true;
ProtectControlGroups = true;
ProtectSystem = true;
};
wantedBy = [ "multi-user.target" ];
};
# set up Security wrapper Same as inteded in deb post install
security.wrappers.cato-clientd = {
source = "${cfg.package}/bin/cato-clientd";
owner = "root";
group = "cato-client";
permissions = "u+rwx,g+rwx"; # 770
setgid = true;
};
security.wrappers.cato-sdp = {
source = "${cfg.package}/bin/cato-sdp";
owner = "root";
group = "cato-client";
permissions = "u+rwx,g+rx,a+rx"; # 755
setgid = true;
};
};
}

69
pkgs/by-name/ca/cato-client/package.nix Normal file
View file

@ -0,0 +1,69 @@
{
stdenv,
fetchurl,
writeScript,
autoPatchelfHook,
dpkg,
libz,
lib,
}:
stdenv.mkDerivation rec {
pname = "cato-client";
version = "5.2.1.1";
src = fetchurl {
url = "https://clients.catonetworks.com/linux/${version}/cato-client-install.deb";
sha256 = "sha256-0hUchaxaiKJth2ByQMFfjsCLi/4kl+SrNSQ33Y6r3WA=";
};
passthru.updateScript = writeScript "update-cato-client" ''
#!/usr/bin/env nix-shell
#!nix-shell -i bash -p curl pcre2 common-updater-scripts
set -eu -o pipefail
version="$(curl -sI https://clientdownload.catonetworks.com/public/clients/cato-client-install.deb | grep -Fi 'Location:' | pcre2grep -o1 '/(([0-9]\.?)+)/')"
update-source-version cato-client "$version"
'';
dontConfigure = true;
nativeBuildInputs = [
autoPatchelfHook
dpkg
];
buildInputs = [
libz
stdenv.cc.cc
];
unpackPhase = ''
runHook preUnpack
dpkg -x $src source
cd source
runHook postUnpack
'';
installPhase = ''
runHook preInstall
mkdir $out
mv usr/lib $out/lib
mkdir -p $out/bin
mv usr/sbin/* $out/bin
mv usr/bin/* $out/bin
runHook postInstall
'';
meta = {
description = "Lightweight agent that provides secure zero-trust access to resources everywhere";
homepage = "https://www.catonetworks.com/platform/cato-client/";
mainProgram = "cato-sdp";
license = lib.licenses.unfree;
maintainers = with lib.maintainers; [ yarekt ];
platforms = [ "x86_64-linux" ];
};
}