* [gentoo-commits] repo/gentoo:master commit in: net-vpn/derper/, net-vpn/derper/files/
@ 2025-03-25 2:57 Yixun Lan
From: Yixun Lan @ 2025-03-25 2:57 UTC (permalink / raw
To: gentoo-commits
commit: f0138d169c837b68394a632df107c9c646949c22
Author: Yixun Lan <dlan <AT> gentoo <DOT> org>
AuthorDate: Wed Mar 19 06:57:52 2025 +0000
Commit: Yixun Lan <dlan <AT> gentoo <DOT> org>
CommitDate: Tue Mar 25 02:56:55 2025 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0138d16
net-vpn/derper: add version 1.80.3
Add a DERP (Designated Encrypted Relay for Packets) server
for tailnet devices, which is quite useful if connecting to
the official ones is slow or unstable.
Link: https://tailscale.com/kb/1232/derp-servers
Closes: https://bugs.gentoo.org/951451
Closes: https://github.com/gentoo/gentoo/pull/41165
Signed-off-by: Yixun Lan <dlan <AT> gentoo.org>
net-vpn/derper/Manifest | 2 +
net-vpn/derper/derper-1.80.3.ebuild | 64 ++++++++++++++++++++++++++++++++
net-vpn/derper/files/derper-pre.sh | 59 +++++++++++++++++++++++++++++
net-vpn/derper/files/derper.defaults | 48 ++++++++++++++++++++++++
net-vpn/derper/files/derper.initd | 34 +++++++++++++++++
net-vpn/derper/files/derper.service | 15 ++++++++
net-vpn/derper/files/derper.service.conf | 3 ++
net-vpn/derper/metadata.xml | 11 ++++++
8 files changed, 236 insertions(+)
diff --git a/net-vpn/derper/Manifest b/net-vpn/derper/Manifest
new file mode 100644
index 000000000000..f4fac7024573
--- /dev/null
+++ b/net-vpn/derper/Manifest
@@ -0,0 +1,2 @@
+DIST tailscale-1.80.3-deps.tar.xz 259571740 BLAKE2B 5e9c3cd9d57f416acd008a910760fcf130b32f9d81935c5c7f32822d37cd703ba07f58720bae0c67cbf85a87e93f06002edbce13efd7376eaf40bcd68fb38ba1 SHA512 f8484e9bb3329891b46282ef7e2879bf73cd3485925729ed319e76f1aca32946a56519fffaf644d504b1df4ec01ab8ee7a7a6cb30d3126b20ee5506fe65cf51a
+DIST tailscale-1.80.3.tar.gz 3528273 BLAKE2B 3f9450a24a370146dc0e32f715ffa4eba8e6a7b31c65f20b1e9b40f4bf45fb1f0f27392d2c36870fa2bf2984fb556d72347057a010f18bda2d649242d058b5b2 SHA512 2553642e9ec8adf7754cf869ec986399de22af01b66c1a4d20bff3c1305f62e175e39e70eb2a6e9723e8352421d9ad6590bbcfa42e78a4c88838bd8bb8aa6e80
diff --git a/net-vpn/derper/derper-1.80.3.ebuild b/net-vpn/derper/derper-1.80.3.ebuild
new file mode 100644
index 000000000000..7251c2aa7855
--- /dev/null
+++ b/net-vpn/derper/derper-1.80.3.ebuild
@@ -0,0 +1,64 @@
+# Copyright 2020-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module linux-info systemd
+
+# share same source with net-vpn/tailscale
+VERSION_MINOR="80"
+VERSION_SHORT="1.80.3"
+VERSION_LONG="1.80.3-tbd762b827"
+VERSION_GIT_HASH="bd762b8274a957fe11c4416c6278ba0682124931"
+
+MY_P="tailscale-${PV}"
+DESCRIPTION="DERP server for tailscale network"
+HOMEPAGE="https://tailscale.com"
+SRC_URI="https://github.com/tailscale/tailscale/archive/v${PV}.tar.gz -> ${MY_P}.tar.gz"
+SRC_URI+=" https://dev.gentoo.org/~williamh/dist/${MY_P}-deps.tar.xz"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+
+CONFIG_CHECK="~TUN"
+
+BDEPEND="
+ acct-group/derper
+ acct-user/derper
+ >=dev-lang/go-1.22
+"
+
+RESTRICT="test"
+
+# This translates the build command from upstream's build_dist.sh to an
+# ebuild equivalent.
+build_dist() {
+ ego build -tags xversion -ldflags "
+ -X tailscale.com/version.longStamp=${VERSION_LONG}
+ -X tailscale.com/version.shortStamp=${VERSION_SHORT}
+ -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" "$@"
+}
+
+src_compile() {
+ build_dist ./cmd/derper
+ build_dist ./cmd/derpprobe
+}
+
+src_install() {
+ dobin derper
+ dobin derpprobe
+
+ insinto /etc/default
+ newins "${FILESDIR}"/derper.defaults derper
+ systemd_dounit "${FILESDIR}"/derper.service
+ systemd_install_serviced "${FILESDIR}"/derper.service.conf derper
+
+ newinitd "${FILESDIR}"/derper.initd derper
+
+ keepdir /var/lib/${PN}
+ fperms 0750 /var/lib/${PN}
+
+ exeinto /usr/libexec
+ doexe "${FILESDIR}"/derper-pre.sh
+}
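Review bot: acct-group/derper and acct-user/derper are listed only under BDEPEND, but the account is needed at runtime (derper.initd's command_user and derper.service.conf's User=/Group= both name it), so they belong in RDEPEND as well (and in DEPEND if src_install chowns to them). Related: `keepdir /var/lib/${PN}` followed by `fperms 0750 /var/lib/${PN}` leaves the directory root-owned; the OpenRC start_pre repairs ownership with checkpath, but on the systemd path nothing does, and derper runs as User=derper and must read and write its `-c` key under HOMEDIR, so add `fowners derper:derper /var/lib/${PN}` after the fperms line. CONFIG_CHECK="~TUN" looks inherited from net-vpn/tailscale; whether a relay that opens no tunnel device needs it is worth confirming before keeping the warning.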
diff --git a/net-vpn/derper/files/derper-pre.sh b/net-vpn/derper/files/derper-pre.sh
new file mode 100644
index 000000000000..ba5b224109be
--- /dev/null
+++ b/net-vpn/derper/files/derper-pre.sh
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+#
+
+set -e
+
+. /etc/default/derper
+
+if [[ -z ${DERPER_USER} ]]; then
+ echo "DERPER_USER is not set via /etc/default/derper" >&2
+ exit 1
+fi
+
+if [[ -z ${CERTDIR} ]]; then
+ eval "CERTDIR=~${_user}/.cache/tailscale/derper-certs"
+ echo "CERTDIR is not set, fallback to default '${CERTDIR}' directory" >&2
+fi
+
+if [[ ! -e ${CERTDIR} ]]; then
+ mkdir -m 750 -p ${CERTDIR}
+ chown ${DERPER_USER}${DERPER_GROUP:+:}${DERPER_GROUP} ${CERTDIR}
+fi
+
+# according to: https://github.com/tailscale/tailscale/blob/651e0d8aad1e97df71ac09ee25274377995133dd/cmd/derper/cert.go#L63
+parse_hostname() {
+ local hn="${1}"
+ while [[ ${hn} =~ (.*)[^a-zA-Z0-9\.-]+(.*) ]]; do
+ hn=${BASH_REMATCH[1]}${BASH_REMATCH[2]}
+ done
+ echo -n ${hn}
+}
+
+cp_cert() {
+ local suffix=".crt" mode=640 var="CERTFILE"
+ if [[ ${FUNCNAME[1]} == cp_key ]]; then
+ suffix=".key"
+ mode=600
+ var="KEYFILE"
+ fi
+
+ if [[ -z ${HOSTNAME} ]]; then
+ echo "${var} is set while HOSTNAME is not, ignore ${var}" >&2
+ else
+ local file="${CERTDIR%/}/$(parse_hostname ${HOSTNAME})${suffix}"
+ cp -f -L ${!var} ${file}
+ chown ${DERPER_USER}${DERPER_GROUP:+:}${DERPER_GROUP} ${file}
+ chmod ${mode} ${file}
+ fi
+}
+
+cp_key() {
+ cp_cert
+}
+
+if [[ -n ${CERTFILE} ]]; then
+ cp_cert
+fi
+if [[ -n ${KEYFILE} ]]; then
+ cp_key
+fi
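Review bot: `eval "CERTDIR=~${_user}/.cache/tailscale/derper-certs"` references `_user`, which is never assigned in this file, so the fallback expands to the invoking user's home (root under the unit's `ExecStartPre=+`) instead of DERPER_USER's; replace the eval with `CERTDIR="$(getent passwd "${DERPER_USER}" | cut -d: -f6)/.cache/tailscale/derper-certs"` and exit if the lookup returns empty. Bash also pre-sets HOSTNAME to the machine name, so the `[[ -z ${HOSTNAME} ]]` guard in cp_cert never fires when /etc/default/derper leaves HOSTNAME unset and the cert is silently copied under the machine's hostname; `unset HOSTNAME` before sourcing the defaults file (or use a prefixed variable name) makes the guard meaningful. Every path expansion (`mkdir -m 750 -p ${CERTDIR}`, `cp -f -L ${!var} ${file}`, the chown/chmod lines, `echo -n ${hn}`) is unquoted, so a CERTFILE or CERTDIR containing whitespace or glob characters is word-split; quote them and print the hostname with `printf '%s' "${hn}"`.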
diff --git a/net-vpn/derper/files/derper.defaults b/net-vpn/derper/files/derper.defaults
new file mode 100644
index 000000000000..98fed53cf4a0
--- /dev/null
+++ b/net-vpn/derper/files/derper.defaults
@@ -0,0 +1,48 @@
+# executing user
+DERPER_USER=derper
+
+# executing group
+DERPER_GROUP=derper
+
+# Home dir for derper
+HOMEDIR=/var/lib/derper
+
+# server HTTPS listen address, in form ":port", "ip:port", or for IPv6 "[ip]:port".
+# If the IP is omitted, it defaults to all interfaces.
+# If you want to listen to 443 or other well-known port
+# you should set the executing user to the 'root'
+ADDR=":9781"
+
+# The port on which to serve HTTP.
+# -1 means disabled
+HTTP_PORT="-1"
+
+# servername for TLS cert
+HOSTNAME="derp.example.com"
+
+# mode for getting a cert.
+# If you want to change to the 'letsencrypt' mode,
+# the DERP server should be listened on 443 port, and
+# the http port 80 should be listened also at the first time
+CERTMODE="manual"
+# cert dir
+# when in the 'manual' mode, the default cert file and private key
+# will be read via path:
+# CERTDIR/HOSTNAME.crt
+# CERTDIR/HOSTNAME.key
+# and all non [a-zA-Z0-9\.-] characters will be removed
+# from the HOSTNAME
+CERTDIR="/var/lib/derper/certs"
+# The custom cert and key file path,
+# simplify the certificate deployment process in manual mode,
+# the two files will overwrite the default cert and key files
+# everytime when derper service starts.
+#CERTFILE=
+#KEYFILE=
+
+# extra arguments passed to the derper
+# run derper --help to get help
+# -verify-clients
+# verify clients to this DERP server through a local tailscaled instance.
+FLAGS="-verify-clients"
+
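Review bot: The comment above `ADDR=":9781"` tells users to switch the executing user to root in order to bind 443, which gives the whole relay root privilege for a single bind; a capability grant is the least-privilege route, e.g. `AmbientCapabilities=CAP_NET_BIND_SERVICE` in a systemd drop-in (recent OpenRC has a `capabilities=` variable for the same purpose, not verified against the version installed here). Suggested replacement for the two comment lines: `# To bind 443 or another privileged port, grant CAP_NET_BIND_SERVICE to the service instead of running derper as root.` It would also help users of `#CERTFILE=`/`#KEYFILE=` to note that derper-pre.sh copies them into CERTDIR with mode 640/600 owned by DERPER_USER on every start, so the source files may stay root-readable only.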
diff --git a/net-vpn/derper/files/derper.initd b/net-vpn/derper/files/derper.initd
new file mode 100644
index 000000000000..ef76ad085ed0
--- /dev/null
+++ b/net-vpn/derper/files/derper.initd
@@ -0,0 +1,34 @@
+#!/sbin/openrc-run
+# Copyright 2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+. /etc/default/derper
+
+name="derper"
+description="Tailscale DERP server"
+command="/usr/bin/derper"
+command_args=" \
+ -certdir ${CERTDIR} \
+ -certmode ${CERTMODE} \
+ -hostname ${HOSTNAME} \
+ -a ${ADDR} \
+ -http-port ${HTTP_PORT} \
+ -c '${HOMEDIR}'/derper.key \
+ ${FLAGS}
+"
+command_user="${DERPER_USER}:${DERPER_GROUP}"
+command_background=true
+pidfile="/run/derper.pid"
+directory="${HOMEDIR}"
+output_log="/var/log/derper/derper.log"
+error_log="/var/log/derper/derper.error"
+
+depend() {
+ need net
+}
+
+start_pre() {
+ checkpath -d -m 700 -o ${command_user} /var/log/derper
+ checkpath -d -m 750 -o ${command_user} ${HOMEDIR}
+ /usr/libexec/derper-pre.sh
+}
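Review bot: `-c '${HOMEDIR}'/derper.key` embeds single quotes inside the double-quoted command_args string; I believe OpenRC passes command_args through eval so the quotes are stripped, but if that ever changes derper receives them literally and cannot open the key. The inner quotes buy nothing since the neighbouring arguments (`-certdir ${CERTDIR}`, `-hostname ${HOSTNAME}`) are unquoted anyway, so `-c ${HOMEDIR}/derper.key` is consistent and safer. The new file also carries `# Copyright 2022 Gentoo Authors` while the ebuild beside it says 2020-2025; a file added in this commit should use the current year.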
diff --git a/net-vpn/derper/files/derper.service b/net-vpn/derper/files/derper.service
new file mode 100644
index 000000000000..44c093af85a5
--- /dev/null
+++ b/net-vpn/derper/files/derper.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Tailscale DERP server
+Documentation=https://tailscale.com/kb/1118/custom-derp-servers
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/derper
+ExecStartPre=+/usr/libexec/derper-pre.sh
+ExecStart=/usr/sbin/derper -certdir ${CERTDIR} -certmode ${CERTMODE} -hostname ${HOSTNAME} -a ${ADDR} -http-port ${HTTP_PORT} -c "${HOMEDIR}"/derper.key ${FLAGS}
+ReadWritePaths=${HOMEDIR} ${CERTDIR}
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
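Review bot: `ExecStart=/usr/sbin/derper` does not match the ebuild, which installs the binary with `dobin derper` (/usr/bin/derper, the path derper.initd uses), so the unit fails to start; change it to `ExecStart=/usr/bin/derper ...`. `ReadWritePaths=${HOMEDIR} ${CERTDIR}` is, as far as I know, not subject to environment-variable substitution (that applies only to Exec*= command lines) and has no effect without `ProtectSystem=strict`, so it currently neither restricts nor grants anything; write the literal paths (`ReadWritePaths=/var/lib/derper` per derper.defaults) and add `ProtectSystem=strict` so the allow-list becomes meaningful. Note that `ExecStartPre=+` runs derper-pre.sh as root regardless of the User= drop-in, which is intended for the chown, so any sandboxing added here should be checked against that pre-step.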
diff --git a/net-vpn/derper/files/derper.service.conf b/net-vpn/derper/files/derper.service.conf
new file mode 100644
index 000000000000..0640c936cca6
--- /dev/null
+++ b/net-vpn/derper/files/derper.service.conf
@@ -0,0 +1,3 @@
+[Service]
+User=derper
+Group=derper
diff --git a/net-vpn/derper/metadata.xml b/net-vpn/derper/metadata.xml
new file mode 100644
index 000000000000..8799a931f9d4
--- /dev/null
+++ b/net-vpn/derper/metadata.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>dlan@gentoo.org</email>
+ <name>Yixun Lan</name>
+ </maintainer>
+ <upstream>
+ <remote-id type="github">tailscale/tailscale</remote-id>
+ </upstream>
+</pkgmetadata>