From a9e4030dac03b05858f9f4ad904027cdc0e5e6c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 6 Aug 2025 18:31:00 +0200 Subject: [PATCH 01/14] use nix to build client --- flake.nix | 62 +++++++++++++---------------------- nix/nixos-module.nix | 0 nix/package.nix | 77 ++++++++++++++++++++++++++++++++++++++++++++ nix/package_2.nix | 66 +++++++++++++++++++++++++++++++++++++ nix/shell.nix | 27 ++++++++++++++++ 5 files changed, 193 insertions(+), 39 deletions(-) create mode 100644 nix/nixos-module.nix create mode 100644 nix/package.nix create mode 100644 nix/package_2.nix create mode 100644 nix/shell.nix diff --git a/flake.nix b/flake.nix index c83e4447..c750477f 100644 --- a/flake.nix +++ b/flake.nix @@ -17,34 +17,12 @@ overlays = [rust-overlay.overlays.default]; }; - toolchain = pkgs.rust-bin.stable.latest.default.override { + rustToolchain = pkgs.rust-bin.stable.latest.default.override { extensions = ["rust-analyzer" "rust-src" "rustfmt" "clippy"]; targets = ["wasm32-unknown-unknown" "x86_64-apple-darwin" "aarch64-apple-darwin" "x86_64-pc-windows-gnu"]; }; - packages = with pkgs; [ - cargo - cargo-tauri - toolchain - rust-analyzer-unwrapped - nodejs_20 - nodePackages.pnpm - trunk - sqlx-cli - vtsls - ]; - nativeBuildPackages = with pkgs; [ - pkg-config - dbus - openssl - glib - gtk3 - libsoup_2_4 - webkitgtk_4_0 - librsvg - protobuf - libayatana-appindicator - ]; - libraries = with pkgs; [ + + buildInputs = with pkgs; [ gtk3 cairo gdk-pixbuf 
@@ -55,22 +33,28 @@ libsoup_3 webkitgtk_4_0 libayatana-appindicator + cargo-tauri_1 + ]; + + nativeBuildInputs = with pkgs; [ + rustToolchain + pkg-config + cargo-tauri_1 + nodejs_24 + pnpm + protobuf + rustPlatform.cargoSetupHook + perl ]; in { - devShells.default = pkgs.mkShell { - buildInputs = packages; - nativeBuildInputs = nativeBuildPackages; - shellHook = with pkgs; '' - export LD_LIBRARY_PATH="${ - lib.makeLibraryPath libraries - }:$LD_LIBRARY_PATH" - export OPENSSL_INCLUDE_DIR="${openssl.dev}/include/openssl" - export OPENSSL_LIB_DIR="${openssl.out}/lib" - export OPENSSL_ROOT_DIR="${openssl.out}" - # https://discourse.nixos.org/t/which-package-includes-org-gtk-gtk4-settings-filechooser/38063/12 - export XDG_DATA_DIRS="${gtk3}/share/gsettings-schemas/gtk+3-${gtk3.dev.version}:$XDG_DATA_DIRS" - export RUST_SRC_PATH="${toolchain}/lib/rustlib/src/rust/library" - ''; + devShells.default = import ./nix/shell.nix { + inherit pkgs buildInputs nativeBuildInputs rustToolchain; + }; + + packages.default = pkgs.callPackage ./nix/package.nix { + inherit pkgs buildInputs nativeBuildInputs; }; + + formatter = pkgs.alejandra; }); } diff --git a/nix/nixos-module.nix b/nix/nixos-module.nix new file mode 100644 index 00000000..e69de29b diff --git a/nix/package.nix b/nix/package.nix new file mode 100644 index 00000000..83c27bf1 --- /dev/null +++ b/nix/package.nix 
@@ -0,0 +1,77 @@ +{ + pkgs, + lib, + stdenv, + rustPlatform, + makeDesktopItem, + buildInputs, + nativeBuildInputs, +}: let + pname = "defguard-client"; + version = "1.5.0"; # TODO: Get this from Cargo.toml or git + + desktopItem = makeDesktopItem { + name = pname; + exec = pname; + icon = pname; + desktopName = "Defguard"; + genericName = "Defguard VPN Client"; + categories = ["Network" "Security"]; + }; +in + stdenv.mkDerivation (finalAttrs: rec { + inherit pname version buildInputs nativeBuildInputs; + + src = ../.; + + cargoRoot = "src-tauri"; + buildAndTestSubdir = "src-tauri"; + + cargoDeps = rustPlatform.importCargoLock { + lockFile = ../src-tauri/Cargo.lock; + outputHashes = { + "defguard_wireguard_rs-0.7.4" = "sha256-pxwN43BntOEYtp+TlpQFX78gg1ko4zuXEGctZIfSrhg="; + "tauri-plugin-log-0.0.0" = "sha256-jGzlN/T29Hya4bKe9Dwl2mRRFLXMywrHk+32zgwrpJ0="; + }; + }; + + pnpmDeps = pkgs.pnpm.fetchDeps { + inherit + (finalAttrs) + pname + version + ; + + src = ../.; + + fetcherVersion = 2; + hash = "sha256-OIm8OCvE7V77uuWsfeY/ax7T5SSE9Rt0EKrsnuDzOYk="; + }; + + configurePhase = '' + export HOME=$TMPDIR + pnpm config set store-dir ${pnpmDeps} + pnpm config set offline true + pnpm install --frozen-lockfile --ignore-scripts + ''; + + buildPhase = '' + pnpm tauri build + ''; + + postInstall = '' + # copy client binary + mkdir -p $out/bin + cp src-tauri/target/release/${pname} $out/bin/ + mkdir -p $out/share/applications + cp ${desktopItem}/share/applications/* $out/share/applications/ + ''; + + meta = with lib; { + description = "Defguard VPN Client"; + homepage = "https://defguard.net"; + # license = licenses.gpl3Only; + maintainers = with maintainers; []; + platforms = platforms.linux; + }; + }) diff --git a/nix/package_2.nix b/nix/package_2.nix new file mode 100644 index 00000000..004c6bc1 --- /dev/null +++ b/nix/package_2.nix 
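Review bot: The custom `buildPhase` in nix/package.nix runs `pnpm tauri build` without `runHook preBuild` / `runHook postBuild`, so hooks registered for that phase (and any `preBuild` a downstream `overrideAttrs` adds) are silently skipped; the same applies to the custom `configurePhase` here and to the `buildPhase` that survives the later "use pnpm configHook" patch. Write the phase on three lines: `runHook preBuild`, `pnpm tauri build`, `runHook postBuild`. Separately, `meta.license` is left as the comment `# license = licenses.gpl3Only;`; set it to the license the repository actually ships under, since consumers rely on `meta.license` for policy checks, and I cannot tell from this page which one that is.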
@@ -0,0 +1,66 @@ +{ + lib, + stdenv, + rustPlatform, + cargo-tauri_1, + pkg-config, + dbus, + openssl, + glib, + gtk3, + libsoup_2_4, + webkitgtk_4_0, + librsvg, + protobuf, + libayatana-appindicator, + nodejs_20, + nodePackages, +}: +rustPlatform.buildRustPackage { + pname = "defguard-client"; + version = "0.1.0"; + + src = ../.; + + cargoLock = { + lockFile = ../Cargo.lock; + }; + + nativeBuildInputs = [ + cargo-tauri_1 + cargo-tauri_1.hook + pkg-config + protobuf + nodejs_20 + nodePackages.pnpm + ]; + + buildInputs = [ + dbus + openssl + glib + gtk3 + libsoup_2_4 + webkitgtk_4_0 + librsvg + libayatana-appindicator + ]; + + # Specify frontend distribution directory + tauriFrontendDist = "dist"; + + # Configure the frontend build + preBuild = '' + export HOME=$(mktemp -d) + pnpm config set store-dir $HOME/.pnpm-store + pnpm install --frozen-lockfile + ''; + + meta = with lib; { + description = "Defguard desktop client"; + homepage = "https://github.com/defguard/client"; + license = licenses.asl20; + maintainers = []; + platforms = platforms.linux; + }; +} diff --git a/nix/shell.nix b/nix/shell.nix new file mode 100644 index 00000000..7cb9b6fd --- /dev/null +++ b/nix/shell.nix @@ -0,0 +1,27 @@ +{ + pkgs ? import {}, + buildInputs, + nativeBuildInputs, + rustToolchain, +}: +pkgs.mkShell { + inherit buildInputs nativeBuildInputs; + + packages = with pkgs; [ + trunk + sqlx-cli + vtsls + ]; + + shellHook = with pkgs; '' + export LD_LIBRARY_PATH="${ + lib.makeLibraryPath buildInputs + }:$LD_LIBRARY_PATH" + export OPENSSL_INCLUDE_DIR="${pkgs.openssl.dev}/include/openssl" + export OPENSSL_LIB_DIR="${pkgs.openssl.out}/lib" + export OPENSSL_ROOT_DIR="${pkgs.openssl.out}" + # https://discourse.nixos.org/t/which-package-includes-org-gtk-gtk4-settings-filechooser/38063/12 + export XDG_DATA_DIRS="${pkgs.gtk3}/share/gsettings-schemas/gtk+3-${pkgs.gtk3.dev.version}:$XDG_DATA_DIRS" + export RUST_SRC_PATH="${rustToolchain}/lib/rustlib/src/rust/library" + ''; +} 
From 1eed61ade1f0c80b8635668d2256c29c9ef145b4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 6 Aug 2025 19:44:10 +0200 Subject: [PATCH 02/14] include submodules in flake --- flake.nix | 3 +++ 1 file changed, 3 insertions(+) diff --git a/flake.nix b/flake.nix index c750477f..18a53145 100644 --- a/flake.nix +++ b/flake.nix @@ -3,6 +3,9 @@ nixpkgs.url = "nixpkgs"; flake-utils.url = "github:numtide/flake-utils"; rust-overlay.url = "github:oxalica/rust-overlay"; + + # include git submodules + self.submodules = true; }; outputs = { From 2094e39f3862ce02d0de498e2fedd1ed82d1b8c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 6 Aug 2025 19:44:49 +0200 Subject: [PATCH 03/14] update gitignore --- .gitignore | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.gitignore b/.gitignore index dbfa7123..e41b803e 100644 --- a/.gitignore +++ b/.gitignore @@ -29,3 +29,7 @@ dist-ssr .direnv .envrc +.aider* + +# nix stuff +result From f8fbca793a35f4ffad73b4aa51342663ad8d3070 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Wed, 6 Aug 2025 19:50:03 +0200 Subject: [PATCH 04/14] include remaining binaries in package --- nix/package.nix | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/nix/package.nix b/nix/package.nix index 83c27bf1..39f8c2e1 100644 --- a/nix/package.nix +++ b/nix/package.nix @@ -63,6 +63,13 @@ in # copy client binary mkdir -p $out/bin cp src-tauri/target/release/${pname} $out/bin/ + # copy service binary + mkdir -p $out/bin + cp src-tauri/target/release/defguard-service $out/bin/ + # copy cli binary + mkdir -p $out/bin + cp src-tauri/target/release/dg $out/bin/ + mkdir -p $out/share/applications cp ${desktopItem}/share/applications/* $out/share/applications/ ''; From 4922281dd260e6df223b3e4eb1be242a6aeedf12 Mon Sep 17 00:00:00 2001 
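Review bot: The two added `mkdir -p $out/bin` lines in `postInstall` repeat the one already executed a few lines up, so they are dead; the three copies could be a single `install -Dm755 -t $out/bin src-tauri/target/release/${pname} src-tauri/target/release/defguard-service src-tauri/target/release/dg`, which also makes the installed modes explicit instead of inheriting whatever cargo left. `postInstall` begins outside the hunk.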
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 7 Aug 2025 09:00:32 +0200 Subject: [PATCH 05/14] use pnpm configHook --- flake.nix | 3 +++ nix/package.nix | 15 +++++---------- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/flake.nix b/flake.nix index 18a53145..f3efa839 100644 --- a/flake.nix +++ b/flake.nix @@ -45,7 +45,10 @@ cargo-tauri_1 nodejs_24 pnpm + # configures pnpm to use pre-fetched dependencies + pnpm.configHook protobuf + # configures cargo to use pre-fetched dependencies rustPlatform.cargoSetupHook perl ]; diff --git a/nix/package.nix b/nix/package.nix index 39f8c2e1..fed30953 100644 --- a/nix/package.nix +++ b/nix/package.nix @@ -24,37 +24,32 @@ in src = ../.; + # prefetch cargo dependencies cargoRoot = "src-tauri"; buildAndTestSubdir = "src-tauri"; cargoDeps = rustPlatform.importCargoLock { lockFile = ../src-tauri/Cargo.lock; + # specify hashes for git dependencies outputHashes = { "defguard_wireguard_rs-0.7.4" = "sha256-pxwN43BntOEYtp+TlpQFX78gg1ko4zuXEGctZIfSrhg="; "tauri-plugin-log-0.0.0" = "sha256-jGzlN/T29Hya4bKe9Dwl2mRRFLXMywrHk+32zgwrpJ0="; }; }; + # prefetch pnpm dependencies pnpmDeps = pkgs.pnpm.fetchDeps { inherit (finalAttrs) pname version + src ; - src = ../.; - fetcherVersion = 2; - hash = "sha256-OIm8OCvE7V77uuWsfeY/ax7T5SSE9Rt0EKrsnuDzOYk="; + hash = "sha256-lQUhwy1/zz3mUN7wNLQyKeULYPQiu2UvMS2REu9XxEc="; }; - configurePhase = '' - export HOME=$TMPDIR - pnpm config set store-dir ${pnpmDeps} - pnpm config set offline true - pnpm install --frozen-lockfile --ignore-scripts - ''; - buildPhase = '' pnpm tauri build ''; From febf09c81c62891fe1e39b6c241e6ff536020022 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 7 Aug 2025 09:12:31 +0200 Subject: [PATCH 06/14] remove test file --- nix/package_2.nix | 66 ----------------------------------------------- 1 file changed, 66 deletions(-) delete mode 100644 nix/package_2.nix 
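Review bot: `pnpmDeps.hash` moves from `sha256-OIm8OCvE7V77uuWsfeY/ax7T5SSE9Rt0EKrsnuDzOYk=` to `sha256-lQUhwy1/zz3mUN7wNLQyKeULYPQiu2UvMS2REu9XxEc=` while `src` is still `../.` and no lockfile change is part of this patch, so nothing here explains why the fixed-output hash changed; if `pnpm-lock.yaml` was updated in another commit, say so in the message, otherwise re-derive the hash from the pinned lockfile before merging, because that hash is what guarantees the fetched npm tree is the one that was reviewed. The removed `configurePhase` set `offline true` and passed `--ignore-scripts`; I believe nixpkgs' `pnpm.configHook` (added to nativeBuildInputs in the flake.nix hunk of this patch) installs offline with lifecycle scripts disabled as well, but that is worth confirming, since otherwise package install scripts would run inside the build sandbox.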
diff --git a/nix/package_2.nix b/nix/package_2.nix deleted file mode 100644 index 004c6bc1..00000000 --- a/nix/package_2.nix +++ /dev/null @@ -1,66 +0,0 @@ -{ - lib, - stdenv, - rustPlatform, - cargo-tauri_1, - pkg-config, - dbus, - openssl, - glib, - gtk3, - libsoup_2_4, - webkitgtk_4_0, - librsvg, - protobuf, - libayatana-appindicator, - nodejs_20, - nodePackages, -}: -rustPlatform.buildRustPackage { - pname = "defguard-client"; - version = "0.1.0"; - - src = ../.; - - cargoLock = { - lockFile = ../Cargo.lock; - }; - - nativeBuildInputs = [ - cargo-tauri_1 - cargo-tauri_1.hook - pkg-config - protobuf - nodejs_20 - nodePackages.pnpm - ]; - - buildInputs = [ - dbus - openssl - glib - gtk3 - libsoup_2_4 - webkitgtk_4_0 - librsvg - libayatana-appindicator - ]; - - # Specify frontend distribution directory - tauriFrontendDist = "dist"; - - # Configure the frontend build - preBuild = '' - export HOME=$(mktemp -d) - pnpm config set store-dir $HOME/.pnpm-store - pnpm install --frozen-lockfile - ''; - - meta = with lib; { - description = "Defguard desktop client"; - homepage = "https://github.com/defguard/client"; - license = licenses.asl20; - maintainers = []; - platforms = platforms.linux; - }; -} From 9f69d26adf86c669834a5753dcd1970bd73289d4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 7 Aug 2025 10:30:24 +0200 Subject: [PATCH 07/14] inherit build inputs from package --- flake.nix | 43 ++++++------------------------------ nix/package.nix | 31 ++++++++++++++++++++++++-- nix/shell.nix | 58 +++++++++++++++++++++++++++++-------------------- 3 files changed, 70 insertions(+), 62 deletions(-) diff --git a/flake.nix b/flake.nix index f3efa839..6bd1404c 100644 --- a/flake.nix +++ b/flake.nix 
@@ -15,52 +15,23 @@ rust-overlay, }: flake-utils.lib.eachDefaultSystem (system: let + # add rust overlay pkgs = import nixpkgs { inherit system; overlays = [rust-overlay.overlays.default]; }; - - rustToolchain = pkgs.rust-bin.stable.latest.default.override { - extensions = ["rust-analyzer" "rust-src" "rustfmt" "clippy"]; - targets = ["wasm32-unknown-unknown" "x86_64-apple-darwin" "aarch64-apple-darwin" "x86_64-pc-windows-gnu"]; - }; - - buildInputs = with pkgs; [ - gtk3 - cairo - gdk-pixbuf - glib - dbus - openssl - librsvg - libsoup_3 - webkitgtk_4_0 - libayatana-appindicator - cargo-tauri_1 - ]; - - nativeBuildInputs = with pkgs; [ - rustToolchain - pkg-config - cargo-tauri_1 - nodejs_24 - pnpm - # configures pnpm to use pre-fetched dependencies - pnpm.configHook - protobuf - # configures cargo to use pre-fetched dependencies - rustPlatform.cargoSetupHook - perl - ]; in { devShells.default = import ./nix/shell.nix { - inherit pkgs buildInputs nativeBuildInputs rustToolchain; + inherit pkgs; }; packages.default = pkgs.callPackage ./nix/package.nix { - inherit pkgs buildInputs nativeBuildInputs; + inherit pkgs; }; formatter = pkgs.alejandra; - }); + }) + // { + nixosModules.default = import ./nix/nixos-module.nix; + }; } diff --git a/nix/package.nix b/nix/package.nix index fed30953..2c47e87b 100644 --- a/nix/package.nix +++ b/nix/package.nix @@ -4,8 +4,6 @@ stdenv, rustPlatform, makeDesktopItem, - buildInputs, - nativeBuildInputs, }: let pname = "defguard-client"; version = "1.5.0"; # TODO: Get this from Cargo.toml or git 
@@ -18,6 +16,35 @@ genericName = "Defguard VPN Client"; categories = ["Network" "Security"]; }; + + rustToolchain = pkgs.rust-bin.stable.latest.default; + + buildInputs = with pkgs; [ + gtk3 + cairo + gdk-pixbuf + glib + dbus + openssl + librsvg + libsoup_3 + webkitgtk_4_0 + libayatana-appindicator + ]; + + nativeBuildInputs = with pkgs; [ + rustToolchain + pkg-config + cargo-tauri_1 + nodejs_24 + pnpm + # configures pnpm to use pre-fetched dependencies + pnpm.configHook + protobuf + # configures cargo to use pre-fetched dependencies + rustPlatform.cargoSetupHook + perl + ]; in stdenv.mkDerivation (finalAttrs: rec { inherit pname version buildInputs nativeBuildInputs; diff --git a/nix/shell.nix b/nix/shell.nix index 7cb9b6fd..3de733fd 100644 --- a/nix/shell.nix +++ b/nix/shell.nix 
@@ -1,27 +1,37 @@ -{ - pkgs ? import {}, - buildInputs, - nativeBuildInputs, - rustToolchain, -}: -pkgs.mkShell { - inherit buildInputs nativeBuildInputs; +{pkgs ? import {}}: let + # add development-related cargo tooling + rustToolchain = pkgs.rust-bin.stable.latest.default.override { + extensions = ["rust-analyzer" "rust-src" "rustfmt" "clippy"]; + targets = ["x86_64-apple-darwin" "aarch64-apple-darwin" "x86_64-pc-windows-gnu"]; + }; - packages = with pkgs; [ - trunk - sqlx-cli - vtsls + defguard-client = pkgs.callPackage ./package.nix {}; + + # runtime libraries needed to run the dev server + libraries = with pkgs; [ + libayatana-appindicator ]; +in + pkgs.mkShell { + # inherit build inputs from the package + inputsFrom = [defguard-client]; + + # add additional dev tools + packages = with pkgs; [ + trunk + sqlx-cli + vtsls + ]; - shellHook = with pkgs; '' - export LD_LIBRARY_PATH="${ - lib.makeLibraryPath buildInputs - }:$LD_LIBRARY_PATH" - export OPENSSL_INCLUDE_DIR="${pkgs.openssl.dev}/include/openssl" - export OPENSSL_LIB_DIR="${pkgs.openssl.out}/lib" - export OPENSSL_ROOT_DIR="${pkgs.openssl.out}" - # https://discourse.nixos.org/t/which-package-includes-org-gtk-gtk4-settings-filechooser/38063/12 - export XDG_DATA_DIRS="${pkgs.gtk3}/share/gsettings-schemas/gtk+3-${pkgs.gtk3.dev.version}:$XDG_DATA_DIRS" - export RUST_SRC_PATH="${rustToolchain}/lib/rustlib/src/rust/library" - ''; -} + shellHook = with pkgs; '' + export LD_LIBRARY_PATH="${ + lib.makeLibraryPath libraries + }:$LD_LIBRARY_PATH" + export OPENSSL_INCLUDE_DIR="${pkgs.openssl.dev}/include/openssl" + export OPENSSL_LIB_DIR="${pkgs.openssl.out}/lib" + export OPENSSL_ROOT_DIR="${pkgs.openssl.out}" + # https://discourse.nixos.org/t/which-package-includes-org-gtk-gtk4-settings-filechooser/38063/12 + export XDG_DATA_DIRS="${pkgs.gtk3}/share/gsettings-schemas/gtk+3-${pkgs.gtk3.dev.version}:$XDG_DATA_DIRS" + export RUST_SRC_PATH="${rustToolchain}/lib/rustlib/src/rust/library" + ''; + } 
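Review bot: `rustToolchain` in the new nix/shell.nix, the override that adds `rust-analyzer`, `rust-src`, `rustfmt` and `clippy`, is only referenced from `RUST_SRC_PATH`; it is never put on PATH, so the shell's `cargo` is the plain `pkgs.rust-bin.stable.latest.default` that `inputsFrom = [defguard-client]` pulls in from package.nix, and the extra components are missing. Add it to the dev tools: `packages = with pkgs; [ rustToolchain trunk sqlx-cli vtsls ];`. Two toolchains will then be on PATH; entries from `packages` should come first, but verify with `which cargo` inside the shell.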
From d08b994d03194b4f1d3c211387c58a24976f4697 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 7 Aug 2025 10:30:58 +0200 Subject: [PATCH 08/14] add initial nixos module skeleton --- nix/nixos-module.nix | 59 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 59 insertions(+) diff --git a/nix/nixos-module.nix b/nix/nixos-module.nix index e69de29b..cc658fcd 100644 --- a/nix/nixos-module.nix +++ b/nix/nixos-module.nix @@ -0,0 +1,59 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.programs.defguard-client; + defguard-client = pkgs.callPackage ./package.nix {}; +in { + options.services.defguard = { + enable = mkEnableOption "Defguard VPN client and service"; + + package = mkOption { + type = types.package; + default = defguard-client; + description = "defguard-client package to use"; + }; + + logLevel = mkOption { + type = types.str; + default = "info"; + description = "Log level for defguard-service"; + }; + + statsPeriod = mkOption { + type = types.int; + default = 30; + description = "Interval in seconds for interface statistics updates"; + }; + }; + + config = mkIf cfg.enable { + environment.systemPackages = [cfg.package]; + + systemd.services.defguard-service = { + description = "Defguard VPN Service"; + wantedBy = ["multi-user.target"]; + wants = ["network-online.target"]; + after = ["network-online.target"]; + serviceConfig = { + ExecStart = "${cfg.package}/bin/defguard-service --log-level ${cfg.logLevel} --stats-period ${toString cfg.statsPeriod}"; + Restart = "on-failure"; + RestartSec = 5; + User = "defguard"; + Group = "defguard"; + StateDirectory = "defguard"; + LogsDirectory = "defguard"; + }; + }; + + users.users.defguard = { + isSystemUser = true; + group = "defguard"; + }; + + users.groups.defguard = {}; + }; +} From 31c429cfcacfa4757924cc113147700912cfcc12 Mon Sep 17 00:00:00 2001 
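Review bot: The default `package` is `pkgs.callPackage ./package.nix {}`, and package.nix reads `pkgs.rust-bin`, which only exists when rust-overlay is applied to the consumer's nixpkgs; a system importing `nixosModules.default` with a plain nixpkgs would fail at evaluation on that attribute as soon as the module is enabled. Have the flake inject its own package as the default instead, for example a wrapper module setting `programs.defguard-client.package = lib.mkDefault self.packages.${pkgs.stdenv.hostPlatform.system}.default;`. Also `logLevel` (`types.str`) and `statsPeriod` (`types.int`) are interpolated verbatim into `ExecStart`, so a value with whitespace or a negative period yields a broken or unintended command line; use `types.ints.positive` for the period and either `types.enum` over the levels the service accepts or `${escapeShellArg cfg.logLevel}` in ExecStart.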
From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 21 Aug 2025 11:56:07 +0200 Subject: [PATCH 09/14] update deps --- nix/package.nix | 34 ++++++++++++++++++++++------------ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/nix/package.nix b/nix/package.nix index 2c47e87b..e2316be9 100644 --- a/nix/package.nix +++ b/nix/package.nix @@ -6,7 +6,7 @@ makeDesktopItem, }: let pname = "defguard-client"; - version = "1.5.0"; # TODO: Get this from Cargo.toml or git + version = "1.5.1"; # TODO: Get this from Cargo.toml or git desktopItem = makeDesktopItem { name = pname; @@ -20,30 +20,40 @@ rustToolchain = pkgs.rust-bin.stable.latest.default; buildInputs = with pkgs; [ - gtk3 + at-spi2-atk + atkmm cairo + dbus gdk-pixbuf glib - dbus - openssl + glib-networking + gtk4 + harfbuzz librsvg libsoup_3 - webkitgtk_4_0 + pango + webkitgtk_4_1 + openssl libayatana-appindicator + mesa + libGL + libGLU ]; nativeBuildInputs = with pkgs; [ rustToolchain pkg-config - cargo-tauri_1 + gobject-introspection + cargo-tauri nodejs_24 + protobuf pnpm # configures pnpm to use pre-fetched dependencies pnpm.configHook - protobuf # configures cargo to use pre-fetched dependencies rustPlatform.cargoSetupHook perl + wrapGAppsHook ]; in stdenv.mkDerivation (finalAttrs: rec { @@ -58,10 +68,10 @@ in cargoDeps = rustPlatform.importCargoLock { lockFile = ../src-tauri/Cargo.lock; # specify hashes for git dependencies - outputHashes = { - "defguard_wireguard_rs-0.7.4" = "sha256-pxwN43BntOEYtp+TlpQFX78gg1ko4zuXEGctZIfSrhg="; - "tauri-plugin-log-0.0.0" = "sha256-jGzlN/T29Hya4bKe9Dwl2mRRFLXMywrHk+32zgwrpJ0="; - }; + # outputHashes = { + # "defguard_wireguard_rs-0.7.5" = "sha256-pxwN43BntOEYtp+TlpQFX78gg1ko4zuXEGctZIfSrhg="; + # "tauri-plugin-log-0.0.0" = "sha256-jGzlN/T29Hya4bKe9Dwl2mRRFLXMywrHk+32zgwrpJ0="; + # }; }; # prefetch pnpm dependencies 
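Review bot: `version = "1.5.1"` is still hand-maintained, with the TODO from the first patch, and this bump shows the drift risk: nothing ties it to the crate version that `pnpm tauri build` compiles. `lib.importTOML` can read it from the manifest, e.g. `version = (lib.importTOML ../src-tauri/Cargo.toml).package.version;`; the path assumes the manifest sits in `cargoRoot` and that the version lives under `[package]` rather than `[workspace.package]`, neither of which I can confirm from this page.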
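Review bot: `outputHashes` for the git dependencies are commented out rather than updated, and the commented key was edited to `defguard_wireguard_rs-0.7.5` while keeping the hash recorded for 0.7.4, which could never match. If `src-tauri/Cargo.lock` still has git sources, `rustPlatform.importCargoLock` needs either their hashes or `allowBuiltinFetchGit = true`, so this hunk likely breaks the build; if the lock now resolves them from crates.io, delete the dead block instead of leaving a misleading one. Either way those hashes are what pin the fetched git checkouts, so the decision should be stated in the commit message. `gtk3` is also dropped from `buildInputs` and `gtk4` added even though, as far as I know, `webkitgtk_4_1` is GTK3-based; if that is intentional please say why, since "update deps" does not cover it.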
@@ -74,7 +84,7 @@ in ; fetcherVersion = 2; - hash = "sha256-lQUhwy1/zz3mUN7wNLQyKeULYPQiu2UvMS2REu9XxEc="; + hash = "sha256-ccSwlPY3sOnUJoYfB4MWs0gU8/Aq/CiCrLWouQ7PqhY="; }; buildPhase = '' From 99b614a05e74e903908075d33fbf04fd6acaf44f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 21 Aug 2025 12:17:27 +0200 Subject: [PATCH 10/14] update inputs --- flake.lock | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 0384f507..7cc2ca6b 100644 --- a/flake.lock +++ b/flake.lock @@ -20,11 +20,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1752596105, - "narHash": "sha256-lFNVsu/mHLq3q11MuGkMhUUoSXEdQjCHvpReaGP1S2k=", + "lastModified": 1755706679, + "narHash": "sha256-WJ6eaSiN6xtz3vyH2bTYLQ3+ct0W8ai/BkYaq1n1jP8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "dab3a6e781554f965bde3def0aa2fda4eb8f1708", + "rev": "c3fc1fe6d8765d99c8614c6f82d611dc56b9ae37", "type": "github" }, "original": { @@ -60,11 +60,11 @@ "nixpkgs": "nixpkgs_2" }, "locked": { - "lastModified": 1752633862, - "narHash": "sha256-Bj7ozT1+5P7NmvDcuAXJvj56txcXuAhk3Vd9FdWFQzk=", + "lastModified": 1755743804, + "narHash": "sha256-M6qT02voARH5e9eTXQBzpYIE/hAp6jPgBCyxLmw5uBM=", "owner": "oxalica", "repo": "rust-overlay", - "rev": "8668ca94858206ac3db0860a9dec471de0d995f8", + "rev": "80322e975e27d834451d6b66e63f8abae9d74bf2", "type": "github" }, "original": { From 1cd9d2d741d6ca96645ffec5be995d6f863152c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 21 Aug 2025 12:32:43 +0200 Subject: [PATCH 11/14] add missing library to path --- nix/package.nix | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/nix/package.nix b/nix/package.nix index e2316be9..2fed2680 100644 --- a/nix/package.nix +++ b/nix/package.nix @@ -54,6 +54,8 @@ rustPlatform.cargoSetupHook perl wrapGAppsHook + # helper to add dynamic library paths + makeWrapper ]; in stdenv.mkDerivation (finalAttrs: rec { 
@@ -102,6 +104,10 @@ in mkdir -p $out/bin cp src-tauri/target/release/dg $out/bin/ + # add required library to client binary RPATH + wrapProgram $out/bin/${pname} \ + --prefix LD_LIBRARY_PATH : ${lib.makeLibraryPath [pkgs.libayatana-appindicator]} + mkdir -p $out/share/applications cp ${desktopItem}/share/applications/* $out/share/applications/ ''; From 2bd718ee2bb251791989147890af2eaf91c27be7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 21 Aug 2025 15:54:22 +0200 Subject: [PATCH 12/14] update nixos module setup --- flake.nix | 12 +++++++++++- nix/nixos-module.nix | 20 ++++++++++++++++++-- 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/flake.nix b/flake.nix index 6bd1404c..d3cfc456 100644 --- a/flake.nix +++ b/flake.nix @@ -32,6 +32,16 @@ formatter = pkgs.alejandra; }) // { - nixosModules.default = import ./nix/nixos-module.nix; + nixosModules.default = { + nixpkgs, + lib, + config, + ... + }: + import ./nix/nixos-module.nix { + inherit lib; + inherit (nixpkgs) pkgs; + inherit config; + }; }; } diff --git a/nix/nixos-module.nix b/nix/nixos-module.nix index cc658fcd..37b94585 100644 --- a/nix/nixos-module.nix +++ b/nix/nixos-module.nix @@ -5,10 +5,10 @@ ... }: with lib; let - cfg = config.programs.defguard-client; defguard-client = pkgs.callPackage ./package.nix {}; + cfg = config.programs.defguard-client; in { - options.services.defguard = { + options.programs.defguard.client = { enable = mkEnableOption "Defguard VPN client and service"; package = mkOption { 
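Review bot: `wrapProgram … --prefix LD_LIBRARY_PATH` in `postInstall` does not touch the RPATH as the comment claims; it replaces `$out/bin/${pname}` with a shell wrapper that exports the variable, and `wrapGAppsHook` (added to nativeBuildInputs in the earlier "update deps" patch) wraps everything in `$out/bin` again during fixup, so the client ends up double-wrapped. The nixpkgs idiom is to feed the extra flag to the GApps wrapper: drop the `wrapProgram` lines and `makeWrapper`, and add `preFixup = '' gappsWrapperArgs+=(--prefix LD_LIBRARY_PATH : "${lib.makeLibraryPath [pkgs.libayatana-appindicator]}") '';`. If the library must be found without an environment wrapper, `patchelf --add-rpath` on the binary is the alternative; note that an LD_LIBRARY_PATH prefix is inherited by every process the client spawns. `postInstall` begins outside the hunk.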
@@ -46,6 +46,22 @@ in { Group = "defguard"; StateDirectory = "defguard"; LogsDirectory = "defguard"; + # Add capabilities to manage network interfaces + CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_MODULE"; + AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_MODULE"; + # Allow access to /dev/net/tun for TUN/TAP devices + DeviceAllow = "/dev/net/tun rw"; + # Access to /sys for network configuration + BindReadOnlyPaths = [ + "/sys" + "/proc" + ]; + # Protect the system while giving necessary access + ProtectSystem = "strict"; + ProtectHome = true; + NoNewPrivileges = true; + # Allow the service to manage network namespaces + PrivateNetwork = false; }; }; From 693ffde8fb7e76c6750265b6ae06f1a24b5ff59b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 21 Aug 2025 16:16:04 +0200 Subject: [PATCH 13/14] remove submodule property --- flake.nix | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/flake.nix b/flake.nix index d3cfc456..f4de5c37 100644 --- a/flake.nix +++ b/flake.nix @@ -5,7 +5,7 @@ rust-overlay.url = "github:oxalica/rust-overlay"; # include git submodules - self.submodules = true; + # self.submodules = true; }; outputs = { @@ -32,16 +32,6 @@ formatter = pkgs.alejandra; }) // { - nixosModules.default = { - nixpkgs, - lib, - config, - ... - }: - import ./nix/nixos-module.nix { - inherit lib; - inherit (nixpkgs) pkgs; - inherit config; - }; + nixosModules.default = import ./nix/nixos-module.nix; }; } From 47a822a3f567a69bdc46c88ad9c78ab42ef0d2d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20W=C3=B3jcik?= Date: Thu, 21 Aug 2025 16:26:55 +0200 Subject: [PATCH 14/14] fix typo --- nix/nixos-module.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/nixos-module.nix b/nix/nixos-module.nix index 37b94585..b21b0b1f 100644 --- a/nix/nixos-module.nix +++ b/nix/nixos-module.nix 
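Review bot: `CAP_SYS_MODULE` in both `CapabilityBoundingSet` and `AmbientCapabilities` lets the service load arbitrary kernel modules, which is equivalent to full root and goes well beyond the "manage network interfaces" rationale in the comment; creating and configuring WireGuard links needs `CAP_NET_ADMIN`, and the in-tree `wireguard` module is autoloaded by the kernel on link creation without the caller holding `CAP_SYS_MODULE`. Unless `defguard-service` itself invokes modprobe, reduce both lines to `CAP_NET_ADMIN CAP_NET_RAW` and add `ProtectKernelModules = true;` (declaring `boot.kernelModules = ["wireguard"]` in the module is the right place if explicit loading is wanted). `BindReadOnlyPaths = ["/sys" "/proc"]` is redundant under `ProtectSystem = "strict"`, which already leaves `/proc` and `/sys` accessible, and it likely forbids the writes the "network configuration" comment implies, such as sysctls under `/proc/sys/net`. `PrivateNetwork = false` is the default and is unrelated to managing network namespaces, so that comment is misleading too. The `serviceConfig` set begins outside the hunk.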
@@ -8,7 +8,7 @@ with lib; let defguard-client = pkgs.callPackage ./package.nix {}; cfg = config.programs.defguard-client; in { - options.programs.defguard.client = { + options.programs.defguard-client = { enable = mkEnableOption "Defguard VPN client and service"; package = mkOption {