fix(tazjin/tverskoy): Downgrade strongswan to 5.9.4
Comments contain all the relevant info. Change-Id: I6d4a715889b562dc79148314092f698ceefcac88 Reviewed-on: https://cl.tvl.fyi/c/depot/+/5221 Tested-by: BuildkiteCI Reviewed-by: tazjin <tazjin@tvl.su>
parent
7fcede0c5b
commit
8099c11a12
2 changed files with 31 additions and 0 deletions
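--- /dev/null
+++ b/third_party/overlays/strongswan-workaround.nix
@@ -0,0 +1,25 @@
+# Workaround for an issue where strongswan 5.9.5 can not connect to
+# some servers that do not have a mitigation for CVE-2021-45079
+# applied.
+#
+# Of course ideally the servers would be patched, but the world is not
+# ideal.
+#
+# Only intended for use by //users/tazjin/nixos/...
+{ ... }:
+
+self: super: {
+  # Downgrade strongswan to 5.9.4
+  #
+  # See https://github.com/NixOS/nixpkgs/pull/156567
+  strongswan = super.strongswan.overrideAttrs (_: rec {
+    version = "5.9.4";
+
+    src = self.fetchFromGitHub {
+      owner = "strongswan";
+      repo = "strongswan";
+      rev = version;
+      sha256 = "1y1gs232x7hsbccjga9nbkf4bbi5wxazlkg00qd2v1nz86sfy4cd";
+    };
+  });
+}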
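Review bot: The header comment of the new overlay never states the security trade-off of pinning `version = "5.9.4"`: as the comment itself implies (5.9.5 is the release that carries the CVE-2021-45079 mitigation), this reverts the client to a release without that fix, which is the real reason the overlay is scoped to //users/tazjin/nixos/... and should be removed once the servers are patched. I would add, after the `# ideal.` line, `# NOTE: 5.9.4 predates the CVE-2021-45079 fix, so hosts using this overlay are exposed to that issue until the servers are patched and this override is dropped.`. The comment added in the other changed file, `# Work around strongswan 5.9.4 being incompatible with servers not`, names 5.9.4 as the incompatible version, which contradicts this header where 5.9.5 is the one that fails to connect; it should say 5.9.5 and name CVE-2021-45079 so both comments agree. The pin itself is sound: `rev = version` together with the fixed `sha256` keeps the fetch reproducible.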
@ -25,6 +25,12 @@ lib.fix (self: {
tvl.cache.enable = true;
tvl.cache.enable = true;
# Work around strongswan 5.9.4 being incompatible with servers not
# patched against some CVE. I need this for work ..
nixpkgs.overlays = [
depot.third_party.overlays.strongswan-workaround
];
boot = rec {
boot = rec {
|
||||||
initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
initrd.kernelModules = [ ];
initrd.kernelModules = [ ];