commit: f0138d169c837b68394a632df107c9c646949c22 Author: Yixun Lan <dlan <AT> gentoo <DOT> org> AuthorDate: Wed Mar 19 06:57:52 2025 +0000 Commit: Yixun Lan <dlan <AT> gentoo <DOT> org> CommitDate: Tue Mar 25 02:56:55 2025 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f0138d16
net-vpn/derper: add version 1.80.3
Add DERP (Designated Encrypted Relay for Packets) server for tailnet devices, which quite useful if connecting to official one is either slow or unstable.
Link: https://tailscale.com/kb/1232/derp-servers
Closes: https://bugs.gentoo.org/951451
Closes: https://github.com/gentoo/gentoo/pull/41165
Signed-off-by: Yixun Lan <dlan <AT> gentoo.org>
net-vpn/derper/Manifest | 2 +
net-vpn/derper/derper-1.80.3.ebuild | 64 ++++++++++++++++++++++++++++++++
net-vpn/derper/files/derper-pre.sh | 59 +++++++++++++++++++++++++++++
net-vpn/derper/files/derper.defaults | 48 ++++++++++++++++++++++++
net-vpn/derper/files/derper.initd | 34 +++++++++++++++++
net-vpn/derper/files/derper.service | 15 ++++++++
net-vpn/derper/files/derper.service.conf | 3 ++
net-vpn/derper/metadata.xml | 11 ++++++
8 files changed, 236 insertions(+)
diff --git a/net-vpn/derper/Manifest b/net-vpn/derper/Manifest
new file mode 100644
index 000000000000..f4fac7024573
--- /dev/null
+++ b/net-vpn/derper/Manifest
@@ -0,0 +1,2 @@
+DIST tailscale-1.80.3-deps.tar.xz 259571740 BLAKE2B 5e9c3cd9d57f416acd008a910760fcf130b32f9d81935c5c7f32822d37cd703ba07f58720bae0c67cbf85a87e93f06002edbce13efd7376eaf40bcd68fb38ba1 SHA512 f8484e9bb3329891b46282ef7e2879bf73cd3485925729ed319e76f1aca32946a56519fffaf644d504b1df4ec01ab8ee7a7a6cb30d3126b20ee5506fe65cf51a
+DIST tailscale-1.80.3.tar.gz 3528273 BLAKE2B 3f9450a24a370146dc0e32f715ffa4eba8e6a7b31c65f20b1e9b40f4bf45fb1f0f27392d2c36870fa2bf2984fb556d72347057a010f18bda2d649242d058b5b2 SHA512 2553642e9ec8adf7754cf869ec986399de22af01b66c1a4d20bff3c1305f62e175e39e70eb2a6e9723e8352421d9ad6590bbcfa42e78a4c88838bd8bb8aa6e80
diff --git a/net-vpn/derper/derper-1.80.3.ebuild b/net-vpn/derper/derper-1.80.3.ebuild
new file mode 100644
index 000000000000..7251c2aa7855
--- /dev/null
+++ b/net-vpn/derper/derper-1.80.3.ebuild
@@ -0,0 +1,64 @@
+# Copyright 2020-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+inherit go-module linux-info systemd
+
+# share same source with net-vpn/tailscale
+VERSION_MINOR="80"
+VERSION_SHORT="1.80.3"
+VERSION_LONG="1.80.3-tbd762b827"
+VERSION_GIT_HASH="bd762b8274a957fe11c4416c6278ba0682124931"
+
+MY_P="tailscale-${PV}"
+DESCRIPTION="DERP server for tailscale network"
+HOMEPAGE="https://tailscale.com"
+SRC_URI="https://github.com/tailscale/tailscale/archive/v${PV}.tar.gz -> ${MY_P}.tar.gz"
+SRC_URI+=" https://dev.gentoo.org/~williamh/dist/${MY_P}-deps.tar.xz"
+S="${WORKDIR}/${MY_P}"
+
+LICENSE="MIT"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc64 ~riscv ~x86"
+
+CONFIG_CHECK="~TUN"
+
+BDEPEND="
+ acct-group/derper
+ acct-user/derper
+ >=dev-lang/go-1.22
+"
+
+RESTRICT="test"
+
+# This translates the build command from upstream's build_dist.sh to an
+# ebuild equivalent.
+build_dist() {
+ ego build -tags xversion -ldflags "
+ -X tailscale.com/version.longStamp=${VERSION_LONG}
+ -X tailscale.com/version.shortStamp=${VERSION_SHORT}
+ -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" "$@"
+}
+
+src_compile() {
+ build_dist ./cmd/derper
+ build_dist ./cmd/derpprobe
+}
+
+src_install() {
+ dobin derper
+ dobin derpprobe
+
+ insinto /etc/default
+ newins "${FILESDIR}"/derper.defaults derper
+ systemd_dounit "${FILESDIR}"/derper.service
+ systemd_install_serviced "${FILESDIR}"/derper.service.conf derper
+
+ newinitd "${FILESDIR}"/derper.initd derper
+
+ keepdir /var/lib/${PN}
+ fperms 0750 /var/lib/${PN}
+
+ exeinto /usr/libexec
+ doexe "${FILESDIR}"/derper-pre.sh
+}
diff --git a/net-vpn/derper/files/derper-pre.sh b/net-vpn/derper/files/derper-pre.sh
new file mode 100644
index 000000000000..ba5b224109be
--- /dev/null
+++ b/net-vpn/derper/files/derper-pre.sh
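Review bot: `src_install` puts the daemon in /usr/bin via `dobin derper`, yet the systemd unit shipped by the same commit starts `/usr/sbin/derper`; only the OpenRC script (`command="/usr/bin/derper"`) agrees with the install location, so on a split-usr Gentoo system the unit fails to start. Keep `dobin` and fix the unit's ExecStart path to `/usr/bin/derper` (smaller change than switching to `dosbin` and touching the initd too). Separately, `acct-group/derper` and `acct-user/derper` are listed only under BDEPEND, but they are needed at install and run time (the `chown ${DERPER_USER}` in derper-pre.sh, `command_user` in the initd, `User=derper` in the drop-in), so they belong in RDEPEND as well: `RDEPEND="acct-group/derper acct-user/derper"`; with BDEPEND alone a binary-package install can land without the account. `CONFIG_CHECK="~TUN"` looks carried over from net-vpn/tailscale; nothing in derper's files here creates a tunnel device, so either drop it or add a comment saying why it is kept.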
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+#
+
+set -e
+
+. /etc/default/derper
+
+if [[ -z ${DERPER_USER} ]]; then
+ echo "DERPER_USER is not set via /etc/default/derper" >&2
+ exit 1
+fi
+
+if [[ -z ${CERTDIR} ]]; then
+ eval "CERTDIR=~${_user}/.cache/tailscale/derper-certs"
+ echo "CERTDIR is not set, fallback to default '${CERTDIR}' directory" >&2
+fi
+
+if [[ ! -e ${CERTDIR} ]]; then
+ mkdir -m 750 -p ${CERTDIR}
+ chown ${DERPER_USER}${DERPER_GROUP:+:}${DERPER_GROUP} ${CERTDIR}
+fi
+
+# according to: https://github.com/tailscale/tailscale/blob/651e0d8aad1e97df71ac09ee25274377995133dd/cmd/derper/cert.go#L63
+parse_hostname() {
+ local hn="${1}"
+ while [[ ${hn} =~ (.*)[^a-zA-Z0-9\.-]+(.*) ]]; do
+ hn=${BASH_REMATCH[1]}${BASH_REMATCH[2]}
+ done
+ echo -n ${hn}
+}
+
+cp_cert() {
+ local suffix=".crt" mode=640 var="CERTFILE"
+ if [[ ${FUNCNAME[1]} == cp_key ]]; then
+ suffix=".key"
+ mode=600
+ var="KEYFILE"
+ fi
+
+ if [[ -z ${HOSTNAME} ]]; then
+ echo "${var} is set while HOSTNAME is not, ignore ${var}" >&2
+ else
+ local file="${CERTDIR%/}/$(parse_hostname ${HOSTNAME})${suffix}"
+ cp -f -L ${!var} ${file}
+ chown ${DERPER_USER}${DERPER_GROUP:+:}${DERPER_GROUP} ${file}
+ chmod ${mode} ${file}
+ fi
+}
+
+cp_key() {
+ cp_cert
+}
+
+if [[ -n ${CERTFILE} ]]; then
+ cp_cert
+fi
+if [[ -n ${KEYFILE} ]]; then
+ cp_key
+fi
diff --git a/net-vpn/derper/files/derper.defaults b/net-vpn/derper/files/derper.defaults
new file mode 100644
index 000000000000..98fed53cf4a0
--- /dev/null
+++ b/net-vpn/derper/files/derper.defaults
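Review bot: The copy in `cp_cert` runs as root (OpenRC `start_pre`, systemd `ExecStartPre=+`) into a directory this very script hands to the daemon user (`mkdir` then `chown ${DERPER_USER} ${CERTDIR}`), and as far as I know neither `cp -f -L`, `chown` nor `chmod` refuse to follow a symlink sitting at the destination; a compromised derper process can therefore leave `${CERTDIR}/<host>.key -> /etc/shadow` behind and have root overwrite that file, chown it to derper and chmod it 600 on the next service start. When CERTFILE/KEYFILE are in use derper only needs to read CERTDIR, so keep the directory and the copied files root-owned with group `${DERPER_GROUP}` (dir 750, both files 640), unlink the target before copying and use `chown -h`; derper's letsencrypt mode needs a writable certdir, hence the condition in the sketch below. Two smaller defects in the same hunk: the fallback `eval "CERTDIR=~${_user}/..."` uses `_user`, which is never assigned (the script validates `DERPER_USER`), so it expands to the invoking root user's home, and a `getent passwd` lookup replaces it without any eval of env-file content; and `cp` creates the key under the caller's umask before the later `chmod 600`, so an `umask 077` right after `set -e` closes that window. Also note `HOSTNAME` is pre-set by bash to the machine name, so `[[ -z ${HOSTNAME} ]]` will rarely fire when the admin leaves HOSTNAME unset in /etc/default/derper and the cert would quietly be installed under the machine's hostname — worth a comment, or a derper-specific variable name.
```bash
set -e
umask 077
# … unchanged: source /etc/default/derper, DERPER_USER check …

if [[ -z ${CERTDIR} ]]; then
	CERTDIR="$(getent passwd "${DERPER_USER}" | cut -d: -f6)/.cache/tailscale/derper-certs"
	echo "CERTDIR is not set, fallback to default '${CERTDIR}' directory" >&2
fi

# With CERTFILE/KEYFILE the daemon only reads CERTDIR, so root keeps ownership:
# a compromised derper process must not be able to plant a symlink that the
# root-run cp/chown below would follow. letsencrypt mode needs a writable
# certdir, hence the condition.
owner="${DERPER_USER}"
if [[ -n ${CERTFILE} || -n ${KEYFILE} ]]; then
	owner="root"
fi
if [[ ! -e ${CERTDIR} ]]; then
	mkdir -m 750 -p "${CERTDIR}"
fi
chown -h "${owner}${DERPER_GROUP:+:}${DERPER_GROUP}" "${CERTDIR}"

# … unchanged: parse_hostname …

cp_cert() {
	local suffix=".crt" var="CERTFILE"
	if [[ ${FUNCNAME[1]} == cp_key ]]; then
		suffix=".key"
		var="KEYFILE"
	fi
	# … unchanged: HOSTNAME check …
		local file="${CERTDIR%/}/$(parse_hostname "${HOSTNAME}")${suffix}"
		rm -f -- "${file}"
		cp -L -- "${!var}" "${file}"
		# root-owned, group-readable: derper can read the key but not replace it
		chown -h "root${DERPER_GROUP:+:}${DERPER_GROUP}" "${file}"
		chmod 640 "${file}"
	# … unchanged: close of else branch …
}
```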
@@ -0,0 +1,48 @@
+# executing user
+DERPER_USER=derper
+
+# executing group
+DERPER_GROUP=derper
+
+# Home dir for derper
+HOMEDIR=/var/lib/derper
+
+# server HTTPS listen address, in form ":port", "ip:port", or for IPv6 "[ip]:port".
+# If the IP is omitted, it defaults to all interfaces.
+# If you want to listen to 443 or other well-known port
+# you should set the executing user to the 'root'
+ADDR=":9781"
+
+# The port on which to serve HTTP.
+# -1 means disabled
+HTTP_PORT="-1"
+
+# servername for TLS cert
+HOSTNAME="derp.example.com"
+
+# mode for getting a cert.
+# If you want to change to the 'letsencrypt' mode,
+# the DERP server should be listened on 443 port, and
+# the http port 80 should be listened also at the first time
+CERTMODE="manual"
+# cert dir
+# when in the 'manual' mode, the default cert file and private key
+# will be read via path:
+# CERTDIR/HOSTNAME.crt
+# CERTDIR/HOSTNAME.key
+# and all non [a-zA-Z0-9\.-] characters will be removed
+# from the HOSTNAME
+CERTDIR="/var/lib/derper/certs"
+# The custom cert and key file path,
+# simplify the certificate deployment process in manual mode,
+# the two files will overwrite the default cert and key files
+# everytime when derper service starts.
+#CERTFILE=
+#KEYFILE=
+
+# extra arguments passed to the derper
+# run derper --help to get help
+# -verify-clients
+# verify clients to this DERP server through a local tailscaled instance.
+FLAGS="-verify-clients"
+
diff --git a/net-vpn/derper/files/derper.initd b/net-vpn/derper/files/derper.initd
new file mode 100644
index 000000000000..ef76ad085ed0
--- /dev/null
+++ b/net-vpn/derper/files/derper.initd
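Review bot: The ADDR comment tells admins to "set the executing user to the 'root'" to bind 443 or another well-known port; an Internet-facing relay should not run as root when the only thing it needs is the bind capability. Replace those two comment lines with `# To bind 443 or another privileged port, grant the service CAP_NET_BIND_SERVICE` and `# (AmbientCapabilities= in a systemd drop-in, or setcap cap_net_bind_service=+ep on the binary) instead of running derper as root.` The CERTFILE/KEYFILE comment should also say that the two files are copied by /usr/libexec/derper-pre.sh (running as root) on every start, so KEYFILE should itself be readable by root only and the copy under CERTDIR is what derper reads. Since `set -e` and `source` of this file happen in both init systems, a trailing note that the file is sourced as shell (quote values containing spaces, no stray commands) would save admins a failed start.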
@@ -0,0 +1,34 @@
+#!/sbin/openrc-run
+# Copyright 2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+. /etc/default/derper
+
+name="derper"
+description="Tailscale DERP server"
+command="/usr/bin/derper"
+command_args=" \
+ -certdir ${CERTDIR} \
+ -certmode ${CERTMODE} \
+ -hostname ${HOSTNAME} \
+ -a ${ADDR} \
+ -http-port ${HTTP_PORT} \
+ -c '${HOMEDIR}'/derper.key \
+ ${FLAGS}
+"
+command_user="${DERPER_USER}:${DERPER_GROUP}"
+command_background=true
+pidfile="/run/derper.pid"
+directory="${HOMEDIR}"
+output_log="/var/log/derper/derper.log"
+error_log="/var/log/derper/derper.error"
+
+depend() {
+ need net
+}
+
+start_pre() {
+ checkpath -d -m 700 -o ${command_user} /var/log/derper
+ checkpath -d -m 750 -o ${command_user} ${HOMEDIR}
+ /usr/libexec/derper-pre.sh
+}
diff --git a/net-vpn/derper/files/derper.service b/net-vpn/derper/files/derper.service
new file mode 100644
index 000000000000..44c093af85a5
--- /dev/null
+++ b/net-vpn/derper/files/derper.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Tailscale DERP server
+Documentation=https://tailscale.com/kb/1118/custom-derp-servers
+Wants=network-pre.target
+After=network-pre.target NetworkManager.service systemd-resolved.service
+
+[Service]
+EnvironmentFile=/etc/default/derper
+ExecStartPre=+/usr/libexec/derper-pre.sh
+ExecStart=/usr/sbin/derper -certdir ${CERTDIR} -certmode ${CERTMODE} -hostname ${HOSTNAME} -a ${ADDR} -http-port ${HTTP_PORT} -c "${HOMEDIR}"/derper.key ${FLAGS}
+ReadWritePaths=${HOMEDIR} ${CERTDIR}
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
diff --git a/net-vpn/derper/files/derper.service.conf b/net-vpn/derper/files/derper.service.conf
new file mode 100644
index 000000000000..0640c936cca6
--- /dev/null
+++ b/net-vpn/derper/files/derper.service.conf
@@ -0,0 +1,3 @@
+[Service]
+User=derper
+Group=derper
diff --git a/net-vpn/derper/metadata.xml b/net-vpn/derper/metadata.xml
new file mode 100644
index 000000000000..8799a931f9d4
--- /dev/null
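Review bot: Every option in `command_args` is expanded unquoted, so if an admin leaves CERTDIR empty in /etc/default/derper (derper-pre.sh computes a fallback, but cannot pass it back to this script), the word `-certdir` is immediately followed by `-certmode` and the flag parser will take that as the directory name; fail early instead with `[ -n "${CERTDIR}" ] || { eerror "CERTDIR is not set in /etc/default/derper"; return 1; }` at the top of `start_pre`, or build the argument list conditionally. The `-c '${HOMEDIR}'/derper.key` line mixes literal single quotes into a double-quoted string; OpenRC appears to pass command_args through an eval so they are probably stripped again, but the plain `-c ${HOMEDIR}/derper.key` (the form the systemd unit uses) removes the doubt. The `depend` block's `need net` is fine, but `after` for a local tailscaled would help the default `-verify-clients` flag, which the defaults file says relies on a local tailscaled instance — hedged, since the behaviour of derper without it is not shown here.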
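Review bot: `ExecStart=/usr/sbin/derper` does not match the ebuild, which installs the binary with `dobin` into /usr/bin (the OpenRC script uses /usr/bin/derper), so on a split-usr system this unit fails with a missing executable. `ReadWritePaths=${HOMEDIR} ${CERTDIR}` also does not do what it looks like: to my knowledge systemd substitutes `${VAR}` only on `Exec*=` command lines, not on path settings, and ReadWritePaths has no effect without ProtectSystem=strict anyway. `Wants=`/`After=network-pre.target` orders the unit *before* network configuration (that target exists for firewall-type units), so a listener bound to a specific address can race the interface; network-online.target is the intended dependency. Since the daemon is Internet-facing and already runs as the unprivileged `derper` user via the drop-in, it is a natural candidate for the standard sandbox plus CAP_NET_BIND_SERVICE, which also removes the need for the "run as root for port 443" advice in the defaults file; the `+` on ExecStartPre should keep derper-pre.sh outside those restrictions (per systemd.service's description of the prefix — worth verifying), and admins who move CERTDIR outside /var/lib/derper would extend ReadWritePaths in a drop-in.
```ini
[Unit]
# … unchanged: Description=, Documentation= …
Wants=network-online.target
After=network-online.target

[Service]
# … unchanged: EnvironmentFile=, ExecStartPre= …
ExecStart=/usr/bin/derper -certdir ${CERTDIR} -certmode ${CERTMODE} -hostname ${HOSTNAME} -a ${ADDR} -http-port ${HTTP_PORT} -c "${HOMEDIR}"/derper.key ${FLAGS}
# bind 80/443 without running as root (pairs with User=derper from the drop-in)
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
# ReadWritePaths= does not expand ${…}; CERTDIR elsewhere needs a drop-in
ReadWritePaths=/var/lib/derper
Restart=on-failure
# … unchanged: [Install] section …
```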
+++ b/net-vpn/derper/metadata.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+ <maintainer type="person">
+ <email>[email protected]</email>
+ <name>Yixun Lan</name>
+ </maintainer>
+ <upstream>
+ <remote-id type="github">tailscale/tailscale</remote-id>
+ </upstream>
+</pkgmetadata>
