fix(tazjin/tverskoy): Downgrade strongswan to 5.9.4

Comments contain all the relevant info.

Change-Id: I6d4a715889b562dc79148314092f698ceefcac88
Reviewed-on: https://cl.tvl.fyi/c/depot/+/5221
Tested-by: BuildkiteCI
Reviewed-by: tazjin <tazjin@tvl.su>
Vincent Ambo 2022-02-04 01:53:47 +03:00 committed by tazjin
parent 7fcede0c5b
commit 8099c11a12
2 changed files with 31 additions and 0 deletions


@ -0,0 +1,25 @@
# Workaround for an issue where strongswan 5.9.5 can not connect to
# some servers that do not have a mitigation for CVE-2021-45079
# applied.
#
# Of course ideally the servers would be patched, but the world is not
# ideal.
#
# Only intended for use by //users/tazjin/nixos/...
{ ... }:
self: super: {
# Downgrade strongswan to 5.9.4
#
# See https://github.com/NixOS/nixpkgs/pull/156567
strongswan = super.strongswan.overrideAttrs (_: rec {
version = "5.9.4";
src = self.fetchFromGitHub {
owner = "strongswan";
repo = "strongswan";
rev = version;
sha256 = "1y1gs232x7hsbccjga9nbkf4bbi5wxazlkg00qd2v1nz86sfy4cd";
};
});
}
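Review bot: The header comment explains the connectivity problem but not what the pin costs: 5.9.4 predates the fix for CVE-2021-45079 that shipped in 5.9.5, so every machine taking this overlay runs an IKE client without that EAP hardening. I would record that, together with a removal condition, in the comment above `strongswan = super.strongswan.overrideAttrs`, for example `# NOTE: 5.9.4 lacks the CVE-2021-45079 fix; drop this overlay once the affected servers are updated.` Because `overrideAttrs` replaces only `version` and `src`, any `patches` the current nixpkgs derivation carries for 5.9.5 would presumably still be applied to the 5.9.4 source, so the build is worth re-checking after each nixpkgs bump.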


@ -25,6 +25,12 @@ lib.fix (self: {
tvl.cache.enable = true; tvl.cache.enable = true;
# Work around strongswan 5.9.4 being incompatible with servers not
# patched against some CVE. I need this for work ..
nixpkgs.overlays = [
depot.third_party.overlays.strongswan-workaround
];
boot = rec { boot = rec {
initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; initrd.availableKernelModules = [ "nvme" "ehci_pci" "xhci_pci" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
initrd.kernelModules = [ ]; initrd.kernelModules = [ ];
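Review bot: The comment above `nixpkgs.overlays` names the wrong version: it says strongswan 5.9.4 is the incompatible release, while the overlay's own header says 5.9.5 is the one that cannot connect and 5.9.4 is what gets pinned. It also says "some CVE" where the overlay names CVE-2021-45079, so a reader of this host config alone cannot tell which fix is being given up. I would write `# Pin strongswan to 5.9.4: 5.9.5 cannot connect to servers lacking the` / `# CVE-2021-45079 mitigation. Needed for work; see the overlay for details.` Since `nixpkgs.overlays` replaces `strongswan` for every package on this host that depends on it, the comment could say that too. The `lib.fix (self: {` block starts and ends outside the hunk.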