- update to 1.9.5:

* Backport reestablish relays from cert-v2 to release-1.9 * do not panic when loading a V2 CA certificate OBS-URL: https://build.opensuse.org/package/show/network:vpn/nebula?expand=0&rev=13
2024-12-06 17:32:15 +00:00 · 2024-12-06 17:32:15 +00:00 · ecb0d9f78e
commit ecb0d9f78e
11 changed files with 247 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+.osc
--- a/20
+++ b/20
@ -0,0 +1,20 @@
+<?xml version="1.0" ?>
+<services>
+  <service name="tar_scm" mode="manual">
+    <param name="url">https://github.com/slackhq/nebula.git</param>
+    <param name="scm">git</param>
+    <param name="revision">refs/tags/v1.9.5</param>
+    <param name="versionformat">@PARENT_TAG@</param>
+    <param name="versionrewrite-pattern">v(.*)</param>
+    <param name="package-meta">yes</param>
+  </service>
+  <service name="recompress" mode="manual">
+    <param name="file">*.tar</param>
+    <param name="compression">gz</param>
+  </service>
+  <service name="go_modules" mode="manual">
+    <param name="archive">*.tar.gz</param>
+    <param name="compression">zst</param>
+  </service>
+  <service name="set_version" mode="manual" />
+</services>
--- a/enable-pie.patch
+++ b/enable-pie.patch
@ -0,0 +1,12 @@
+diff -rub nebula/Makefile nebula-patched/Makefile
+--- nebula/Makefile	2024-04-09 08:35:28.559936158 +0200
+++ nebula-patched/Makefile	2024-04-09 08:59:08.363591927 +0200
+@@ -96,7 +96,7 @@
+ 
+ release-boringcrypto: build/nebula-linux-$(shell go env GOARCH)-boringcrypto.tar.gz
+ 
+-BUILD_ARGS = -trimpath
+BUILD_ARGS = -trimpath -buildmode=pie
+ 
+ bin-windows: build/windows-amd64/nebula.exe build/windows-amd64/nebula-cert.exe
+ 	mv $? .
--- a/nebula-1.9.3.tar.gz
+++ b/nebula-1.9.3.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2fa15dcdc9f06787adf3c452b740c2836b1457ea3dd5a49872d96bf74f5b346a
+size 2300352
--- a/nebula-1.9.4.tar.gz
+++ b/nebula-1.9.4.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8c21d82be965b86a2e0a7a033284e6a1424eb5b13f7986a7fbe87db178f06f7f
+size 2366912
--- a/nebula-1.9.5.tar.gz
+++ b/nebula-1.9.5.tar.gz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:3c7ef224c0e2068627979b37fc6573e35e08b9d8e1c647ca8951647ce8c088f1
+size 2498526
--- a/nebula.changes
+++ b/nebula.changes
@ -0,0 +1,65 @@
+-------------------------------------------------------------------
+Fri Dec  6 17:28:15 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.9.5:
+  * Backport reestablish relays from cert-v2 to release-1.9
+  * do not panic when loading a V2 CA certificate
+
+-------------------------------------------------------------------
+Tue Sep 10 08:26:36 UTC 2024 - Richard Rahl <rrahl0@opensuse.org>
+
+- update to 1.9.4:
+  * Support UDP dialing with gVisor
+  * Make some Nebula state programmatically available via control object
+  * Switch internal representation of IPs to netip, to prepare for IPv6 support
+  * Various dependency updates
+  * Fix a bug on big endian hosts, like mips
+  * Fix a rare panic if a local index collision happens
+  * Fix integer wraparound in the calculation of handshake timeouts on 32-bit
+- build the binaries non statically
+- remove enable-pie.patch as it's not needed anymore, since we build the binaries
+  manually, not using the Makefile anymore
+
+-------------------------------------------------------------------
+Fri Jun  7 06:10:38 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to version 1.9.3:
+  * Initialize messageCounter to 2 instead of verifying later
+
+-------------------------------------------------------------------
+Mon Jun  3 23:08:15 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to version 1.9.2:
+  * Ensure messageCounter is set before handshake is complete
+
+-------------------------------------------------------------------
+Wed May 29 21:39:44 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to version 1.9.1:
+  * Fixed a potential deadlock in GetOrHandshake
+
+-------------------------------------------------------------------
+Thu May 16 23:07:47 UTC 2024 - Richard Rahl <rrahl0@disroot.org>
+
+- update to version 1.9.0:
+    * This release adds a new setting default_local_cidr_any that defaults to
+      true to match previous behavior, but will default to false in the next
+      release (1.10)
+    * Added example service script for OpenRC
+    * The SSH daemon now supports inlined host keys
+    * The SSH daemon now supports certificates with sshd.trusted_cas
+    * Config setting tun.unsafe_routes is now reloadable
+    * Support for the deprecated local_range option has been removed
+    * Remove the TCP round trip tracking metrics, as they never had correct data
+    * Fixed a potential deadlock introduced in 1.8.1
+    * Fixed support for Linux when IPv6 has been disabled at the OS level
+    * DNS will return NXDOMAIN now when there are no results
+    * Allow :: in lighthouse.dns.host
+    * Capitalization of NotAfter fixed in DNS TXT response
+    * Don't log invalid certificates. It is untrusted data and can cause a large
+      volume of logs
+
+-------------------------------------------------------------------
+Tue Apr  9 06:08:08 UTC 2024 - Richard Rahl <rrahl0@proton.me>
+
+- initial packaging
--- a/nebula.service
+++ b/nebula.service
@ -0,0 +1,30 @@
+[Unit]
+Description=Nebula overlay networking tool
+Wants=basic.target network-online.target nss-lookup.target time-sync.target
+After=basic.target network.target network-online.target
+Before=sshd.service
+AssertDirectoryNotEmpty=/etc/nebula
+
+[Service]
+Type=notify
+NotifyAccess=main
+SyslogIdentifier=nebula
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/sbin/nebula -config /etc/nebula/config.yml
+Restart=always
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+PrivateDevices=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+RestrictRealtime=true
+# give permission to TUN
+BindPaths=/dev/net/tun
+DeviceAllow=/dev/net/tun rw
+
+[Install]
+WantedBy=multi-user.target
--- a/nebula.spec
+++ b/nebula.spec
@ -0,0 +1,84 @@
+#
+# spec file for package nebula
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name:           nebula
+Version:        1.9.5
+Release:        0
+Summary:        A scalable overlay networking tool
+License:        MIT
+URL:            https://github.com/slackhq/nebula
+Source0:        %{name}-%{version}.tar.gz
+Source1:        vendor.tar.zst
+Source2:        %{name}.service
+BuildRequires:  git-core
+BuildRequires:  golang-packaging
+BuildRequires:  zstd
+BuildRequires:  golang(API) = 1.22
+
+%description
+Nebula is a scalable overlay networking tool with a focus on performance,
+simplicity and security. It lets you seamlessly connect computers anywhere
+in the world. It can be used to connect a small number of computers,
+but is also able to connect tens of thousands of computers.
+
+%package cert
+Summary:        Seperate %{name}-cert package
+
+%description cert
+This package only includes the %{name}-cert binary.
+
+%prep
+%autosetup -a1
+
+%build
+go build -buildmode=pie -mod=vendor -ldflags "-X main.Build=%{version}-dirty" -o %{name} ./cmd/%{name}
+go build -buildmode=pie -mod=vendor -ldflags "-X main.Build=%{version}-dirty" -o %{name}-cert ./cmd/%{name}-cert
+
+%install
+install -Dm0755 -t %{buildroot}%{_sbindir} %{name}
+install -Dm0755 -t %{buildroot}%{_bindir} %{name}-cert
+install -Dm0644 -t %{buildroot}%{_unitdir} %{SOURCE2}
+install -d %{buildroot}%{_sysconfdir}/%{name}
+
+%pre
+%service_add_pre %{name}.service
+
+%post
+%service_add_post %{name}.service
+
+%preun
+%service_del_preun %{name}.service
+
+%postun
+%service_del_postun %{name}.service
+
+%check
+%make_build test
+
+%files
+%license LICENSE
+%doc AUTHORS CHANGELOG.md LOGGING.md README.md SECURITY.md examples/config.yml
+%{_sbindir}/%{name}
+%{_unitdir}/%{name}.service
+%{_sysconfdir}/%{name}
+
+%files cert
+%license LICENSE
+%{_bindir}/%{name}-cert
+
+%changelog
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0a7e2c586b53eba9e5249fc079789fbf550ea8b47acb996001e21ab585b29b03
+size 2536026