Thanks everyone for your responses. This is as far as I got, and it almost works. The only remaining problem is that the client can’t pop up its embedded browser. I tried wrapping the browser manually in the code below, but the client seems to detect the wrapper and conclude that the browser is not installed. If I don’t wrap it, the client tries to launch the browser, but the logs show a parsing error. Here’s the code:
{ pkgs, ... }:
let
  # Upstream release string of the client being packaged. The installer
  # filename in `srcs` further down spells out the same string by hand, so
  # the two have to be bumped together.
  version = "9.1r15.0-b15819";

  # Shared libraries made available to the vendor's prebuilt binaries. The
  # list is appended to buildInputs further down, where autoPatchelfHook
  # picks the libraries up.
  runtimeDeps = with pkgs; [
    atk
    atkmm
    cairo
    cairomm
    curl
    dbus
    gdk-pixbuf
    glib
    glibmm
    gtk3
    gtkmm3
    libbsd
    libcef
    librsvg
    libsigcxx
    libsoup
    libuuid
    nss
    openssl
    pango
    pangomm
    webkitgtk
    xorg.libX11
  ];
in
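let pulsesecure-pkg = pkgs.stdenv.mkDerivation {
  # Repackages the vendor's prebuilt Pulse Secure .deb together with the CEF
  # runtime tarball: unpack both into $out, patch ELF dependencies with
  # autoPatchelfHook, wrap the executables so hard-coded /opt/pulsesecure
  # paths are redirected into the store, and emit the D-Bus activation file.
  pname = "pulsesecure-pkg";
  inherit version;

  # Order matters: installPhase takes the first entry as the .deb and the
  # second as the CEF tarball.
  srcs = [
    # NOTE(review): a local path is copied into the store as-is, so nothing
    # here checks that this is the installer the vendor published. Pinning it
    # by hash like the CEF tarball below (for example pkgs.requireFile with
    # sha256 = "<sha256-of-vendor-deb>") would make a swapped or corrupted
    # file fail the build instead of being installed as a root service.
    ./binaries/ps-pulse-linux-9.1r15.0-b15819-64bit-installer.deb
    # Fetched over HTTPS and pinned by hash, so a changed upstream file is
    # rejected at build time.
    (pkgs.fetchurl {
      url = "https://pcstp.pulsesecure.net/cef/linux/cef64.94.tar.bz2";
      sha256 = "1qy65psav9mf6anx3fkiyzg07wax563nxpjskcy2ilw3ifwda4h6";
    })
  ];

  # Nothing to unpack up front; installPhase extracts both sources itself.
  dontUnpack = true;

  nativeBuildInputs = [
    pkgs.autoPatchelfHook
  ];

  # Registers the vendor's own library directories with autoPatchelfHook.
  # NOTE(review): these directories are only created by installPhase, which
  # runs after preBuild; confirm the hook resolves them at fixup time.
  # NOTE(review): `addAutoPatchelfSearchPath /` makes the whole build-time
  # root a candidate library source, so a dependency can be satisfied by
  # whatever happens to be visible there rather than by a declared input.
  # Drop it once the missing library is identified and added to runtimeDeps.
  preBuild = ''
    LIB_PREFIX=$out/opt/pulsesecure
    addAutoPatchelfSearchPath $LIB_PREFIX/bin
    addAutoPatchelfSearchPath $LIB_PREFIX/lib/ConnectionManager
    addAutoPatchelfSearchPath $LIB_PREFIX/lib/ConnectionStore
    addAutoPatchelfSearchPath $LIB_PREFIX/lib/dispatch
    addAutoPatchelfSearchPath $LIB_PREFIX/lib/dsOpenSSL
    addAutoPatchelfSearchPath $LIB_PREFIX/lib/eapService
    addAutoPatchelfSearchPath $LIB_PREFIX/lib/iveConnectionMethod
    addAutoPatchelfSearchPath $LIB_PREFIX/lib/JamUI
    addAutoPatchelfSearchPath $LIB_PREFIX/lib/JUNS
    addAutoPatchelfSearchPath $LIB_PREFIX/lib/TnccPlugin
    addAutoPatchelfSearchPath $LIB_PREFIX/lib/TunnelManager
    addAutoPatchelfSearchPath $LIB_PREFIX/resource
    addAutoPatchelfSearchPath /
    addAutoPatchelfSearchPath $LIB_PREFIX/lib/cefRuntime/Release
    addAutoPatchelfSearchPath $LIB_PREFIX/lib/cefRuntime/Resources
  '';

  buildInputs = [
    pkgs.bzip2
    pkgs.dpkg
    pkgs.makeWrapper
    pkgs.unzip
    # The following are used by autoPatchelfHook
  ] ++ runtimeDeps;

  installPhase = ''
    # A hand-written installPhase only runs preInstall/postInstall hooks if
    # it calls runHook itself.
    runHook preInstall

    # stdenv exports the srcs list as one space-separated string, so word
    # splitting yields the .deb first and the CEF tarball second. Fail early
    # if that assumption ever stops holding instead of unpacking nothing.
    packages=($srcs)
    deb=''${packages[0]}
    cefRuntime=''${packages[1]}
    if [ -z "$deb" ] || [ -z "$cefRuntime" ]; then
      echo "installPhase: expected srcs to hold the .deb and the CEF tarball, got: $srcs" >&2
      exit 1
    fi
    echo "deb: $deb"
    echo "cef runtime: $cefRuntime"

    dpkg-deb -x "$deb" "$out"
    chmod 755 "$out"

    # Unpack CEF next to the vendor libraries and keep only the two
    # directories the client uses. tar -C avoids changing the working
    # directory for the rest of the phase.
    libDir="$out/opt/pulsesecure/lib"
    cefPath=cef_binary_94.4.8+g5b52963+chromium-94.0.4606.71_linux64_minimal
    tar xvjf "$cefRuntime" -C "$libDir"
    mkdir "$libDir/cefRuntime"
    mv "$libDir/$cefPath/Release" "$libDir/cefRuntime"
    mv "$libDir/$cefPath/Resources" "$libDir/cefRuntime"

    # Move the browser executables aside so wrappers can take their place.
    mkdir -p "$out/opt/pulsesecure/bin-unwrapped"
    mv "$out/opt/pulsesecure/bin/cefBrowser" "$out/opt/pulsesecure/bin-unwrapped"
    mv "$out/opt/pulsesecure/bin/cefSubProcess" "$out/opt/pulsesecure/bin-unwrapped"

    LIB_PREFIX="$out/opt/pulsesecure"
    LIBPATH="$LIB_PREFIX/lib/ConnectionManager:$LIB_PREFIX/lib/ConnectionStore:$LIB_PREFIX/lib/dispatch:$LIB_PREFIX/lib/dsOpenSSL:$LIB_PREFIX/lib/eapService:$LIB_PREFIX/lib/iveConnectionMethod:$LIB_PREFIX/lib/JamUI:$LIB_PREFIX/lib/JUNS:$LIB_PREFIX/lib/TnccPlugin:$LIB_PREFIX/lib/TunnelManager:$LIB_PREFIX/bin";
    NIX_REDIRECTS="/opt/pulsesecure/lib/JUNS/libdsAccessServicePS.so=$out/opt/pulsesecure/lib/JUNS/libdsAccessServicePS.so:/opt/pulsesecure/resource=$out/opt/pulsesecure/resource:/opt/pulsesecure/lib/JUNS/access.ini=$out/opt/pulsesecure/lib/JUNS/access.ini:/opt/pulsesecure/lib/JamUI/MessageCatalogPulseUI_EN.txt=$out/opt/pulsesecure/lib/JamUI/MessageCatalogPulseUI_EN.txt:/opt/pulsesecure/lib/JUNS/MessageCatalogCommon_EN.txt=$out/opt/pulsesecure/lib/JUNS/MessageCatalogCommon_EN.txt:/opt/pulsesecure/lib/eapService/MessageCatalogEapAM_EN.txt=$out/opt/pulsesecure/lib/eapService/MessageCatalogEapAM_EN.txt:/opt/pulsesecure/lib/TnccPlugin/MessageCatalogTncc_EN.txt=$out/opt/pulsesecure/lib/TnccPlugin/MessageCatalogTncc_EN.txt:/opt/pulsesecure/lib/ConnectionManager/MessageCatalogConnMgr_EN.txt=$out/opt/pulsesecure/lib/ConnectionManager/MessageCatalogConnMgr_EN.txt:/opt/pulsesecure/lib/iveConnectionMethod/MessageCatalogIveAM_EN.txt=$out/opt/pulsesecure/lib/iveConnectionMethod/MessageCatalogIveAM_EN.txt"

    # See: https://nixos.wiki/wiki/Packaging/Quirks_and_Caveats
    # Every wrapper gets the same environment. --set replaces any inherited
    # LD_PRELOAD/NIX_REDIRECTS outright; --prefix puts the store directories
    # first but keeps whatever LD_LIBRARY_PATH the caller already had, so the
    # calling environment can still contribute library directories.
    wrapperArgs=(
      --prefix LD_LIBRARY_PATH : "$LIBPATH"
      --set NIX_REDIRECTS "$NIX_REDIRECTS"
      --set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so"
    )
    makeWrapper "$out/opt/pulsesecure/bin-unwrapped/cefBrowser" "$out/opt/pulsesecure/bin/cefBrowser" "''${wrapperArgs[@]}"
    makeWrapper "$out/opt/pulsesecure/bin-unwrapped/cefSubProcess" "$out/opt/pulsesecure/bin/cefSubProcess" "''${wrapperArgs[@]}"
    makeWrapper "$out/opt/pulsesecure/bin/pulsesecure" "$out/bin/pulsesecure-wrapped" "''${wrapperArgs[@]}"
    makeWrapper "$out/opt/pulsesecure/bin/jamCommand" "$out/bin/jamCommand" "''${wrapperArgs[@]}"
    makeWrapper "$out/opt/pulsesecure/bin/pulseUI" "$out/bin/pulseUI" "''${wrapperArgs[@]}"

    # Point the vendor scripts at store paths. Replacements are applied in
    # the order given: /usr/bin/pgrep is first reduced to a bare pgrep so the
    # following rule rewrites every pgrep exactly once.
    # NOTE(review): the pgrep and logger rules match the bare substring
    # anywhere in startup.sh, not only command invocations; check the
    # patched script, since it is what the root-run service executes.
    substituteInPlace \
      "$out/opt/pulsesecure/bin/startup.sh" \
      --replace /opt/pulsesecure/bin/pulsesecure "$out/bin/pulsesecure-wrapped" \
      --replace /usr/bin/pgrep pgrep \
      --replace pgrep ${pkgs.procps}/bin/pgrep \
      --replace logger ${pkgs.inetutils}/bin/logger
    substituteInPlace \
      "$out/lib/systemd/system/pulsesecure.service" \
      --replace /opt/pulsesecure/bin "$out/opt/pulsesecure/bin"
    substituteInPlace \
      "$out/opt/pulsesecure/bin/setup_cef.sh" \
      --replace /usr/bin/curl ${pkgs.curl}/bin/curl \
      --replace /usr/bin/wget ${pkgs.wget}/bin/wget

    # Kept in installPhase: the author reports that this did not work from a
    # postInstall step (it did not see $out); the cause is not established.
    # @TODO
    mkdir -p "$out/share/dbus-1/system.d" "$out/share/dbus-1/system-services" "$out/etc/systemd/system"
    install -Dm644 "$out/opt/pulsesecure/lib/JUNS/net.psecure.pulse.conf" "$out/share/dbus-1/system.d/net.psecure.pulse.conf"
    ## This seems to already exist. Generated by dbus service below?
    # cp -v $out/lib/systemd/system/pulsesecure.service $out/etc/systemd/system

    # D-Bus activation entry: a request for net.psecure.pulse starts
    # startup.sh as root, so that script and everything it launches must
    # resolve to store paths only.
    cat <<END > $out/share/dbus-1/system-services/net.psecure.pulse.service
    [D-BUS Service]
    Name=net.psecure.pulse
    Exec=$out/opt/pulsesecure/bin/startup.sh start
    User=root
    SystemdService=pulsesecure.service
    END

    runHook postInstall
  '';
};
in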
let
  # Symlink tree over the single derivation above; the module below refers
  # to this joined path everywhere rather than to pulsesecure-pkg directly.
  pulsesecure = pkgs.symlinkJoin {
    name = "pulsesecure";
    paths = [ pulsesecure-pkg ];
  };
in
{
  # Put the client on the system PATH and hand its D-Bus and systemd files
  # to the respective NixOS options.
  environment.systemPackages = [ pulsesecure ];
  services.dbus.packages = [ pulsesecure ];
  systemd.packages = [ pulsesecure ];

  systemd.tmpfiles.rules =
    let
      # Despite using patchelf, LD_LIBRARY_PATH, and
      # NIX_REDIRECTS/LD_PRELOAD/libredirect, it seems that some binaries
      # insist on looking in /opt for libraries, so each subdirectory is
      # linked back into the store. The links must be individual so that the
      # /opt/pulsesecure/lib folder itself remains writable.
      # "L+" replaces whatever already exists at the link path.
      # NOTE(review): the service runs as root and loads libraries from
      # beneath /opt/pulsesecure/lib; confirm that the real directories
      # /opt/pulsesecure and /opt/pulsesecure/lib are writable by root only.
      linkIntoOpt = rel:
        "L+ /opt/pulsesecure/${rel} - - - - ${pulsesecure}/opt/pulsesecure/${rel}";
    in
    (map linkIntoOpt [
      "bin"
      "resource"
      "lib/ConnectionManager"
      "lib/ConnectionStore"
      "lib/dispatch"
      "lib/dsOpenSSL"
      "lib/eapService"
      "lib/iveConnectionMethod"
      "lib/JamUI"
      "lib/JUNS"
      "lib/TnccPlugin"
      "lib/TunnelManager"
      "lib/cefRuntime"
    ])
    ++ [
      # Provides the system CA bundle at the path the client looks for, so
      # the client's trust anchors are whatever the system bundle contains.
      "L+ /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt - - - - /etc/ssl/certs/ca-certificates.crt"
      # State directory for the service. Mode 1755 is root-writable only; the
      # sticky bit has no practical effect on a directory nobody else can
      # write to.
      "d /var/lib/pulsesecure/pulse 1755 root root"
    ];
}