I’ve recently started using the nix package manager as a single user install (non-daemon).

I’m wondering how to configure openconnect and preferably with vpn-slice, a vpnc-script replacement for easy and secure split-tunnelling.

I can see the default nix packages configuration for openconnect. I assume I’d want to use something like either an override and/or an overlay. (I’m not clear on the distinction between these two as yet and when you’d use one over the other.)

Nevertheless, naturally the steps I’m trying to figure out how to configure with nix are these:

  1. The base binary installation (override / overlays / derivations)
  2. Configuring particular vpn connections
  3. Starting (prompting for password, and secondary otp pass)
  4. Stopping

Ideally integrating oath-toolkit would be great. e.g., oathtool --totp -b <secret>

Best answer:

One good option I found was to create a nix shell file.

For example vpn-wrapper.nix:

with import <nixpkgs> {};
with pkgs.python37Packages;

let
    python = python37;

    # openconnect rebuilt with libproxy support (needed for the --libproxy flag used below)
    openconnect = pkgs.openconnect.overrideAttrs (oldAttrs: rec {
      buildInputs = oldAttrs.buildInputs ++ [ libproxy ];
      configureFlags = oldAttrs.configureFlags ++ [ "--with-libproxy" ];
    });

    # vpn-slice is not packaged here, so build it straight from the GitHub release tag
    vpn-slice = buildPythonPackage rec {
      pname = "vpn-slice";
      version = "v0.13";

      src = pkgs.fetchFromGitHub {
        owner = "dlenski";
        repo = pname;
        rev = version;
        sha256 = "1ibrwal80z27c2mh9hx85idmzilx6cpcmgc15z3lyz57bz0krigb";
      };

      propagatedBuildInputs = [ setproctitle ];

      meta = {
        homepage = "https://github.com/dlenski/vpn-slice";
        description = "vpnc-script replacement for easy and secure split-tunnel VPN setup";
        license = pkgs.lib.licenses.gpl3Plus;
        # no maintainers entry: dlenski is the upstream author, not a nixpkgs maintainer
      };
    };

in mkShell {
   name = "vpn-env";
   buildInputs = [ vpn-slice openconnect libproxy ];
   shellHook = ''
     echo "Ready to slice your vpn!"
   '';
}

Then you can execute openconnect via a script:

#!/usr/bin/env nix-shell
#! nix-shell vpn-wrapper.nix -i bash
# Runs inside the vpn-env shell from vpn-wrapper.nix, so both binaries are on PATH

OPENCONNECT=$(which openconnect)
VPNSLICE=$(which vpn-slice)

USERNAME=$1

# --passwd-on-stdin: the password is read from standard input rather than the command line
"$OPENCONNECT" --libproxy --passwd-on-stdin --user="$USERNAME" -s "$VPNSLICE" ...

A more extended example (a wip) can be found here.
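A fuller version of the wrapper the answer sketches, added here as an example; it is not taken from the answer or from the vpn-slice project. It covers the remaining steps from the question: a per-gateway pidfile so the tunnel can be started and stopped, the primary password read from the terminal with echo off, the second factor generated with oathtool as the question suggests, and the subnets and hostnames handed to vpn-slice for split tunnelling. The paths, the RUNDIR and TOTP_SECRET_FILE variables, the use of sudo with absolute paths, and the assumption that openconnect answers the secondary-password prompt from the next line on stdin are mine; check that last point against your gateway's login form.

```shell
#!/usr/bin/env nix-shell
#! nix-shell vpn-wrapper.nix -i bash
# Added example wrapper (not part of the original answer).
# Usage:  vpn.sh start GATEWAY USERNAME ROUTE...   ROUTE = subnet or hostname for vpn-slice
#         vpn.sh stop  GATEWAY
# Assumed layout: oathtool on PATH, the base32 TOTP secret in a mode-0600 file,
# and one pidfile per gateway under RUNDIR. All names and paths are placeholders.
set -eu

RUNDIR="${RUNDIR:-${XDG_RUNTIME_DIR:-/tmp}}"
TOTP_SECRET_FILE="${TOTP_SECRET_FILE:-${HOME:-.}/.config/vpn/totp-secret}"

# Resolve absolute paths while still inside the nix shell: sudo resets PATH,
# so the bare names would not be found once privileges are raised.
OPENCONNECT=$(command -v openconnect || echo openconnect)
VPNSLICE=$(command -v vpn-slice || echo vpn-slice)

# One pidfile per gateway so the stop subcommand can find the right process.
pidfile_for() {
    printf '%s/openconnect-%s.pid\n' "$RUNDIR" "$1"
}

# The --script value openconnect hands to /bin/sh: vpn-slice plus the subnets and
# hostnames that should be routed through the tunnel. Everything else keeps using
# the normal default route, which is the split-tunnel part.
vpn_slice_script() {
    printf '%s' "$VPNSLICE"
    for route in "$@"; do
        printf ' %s' "$route"
    done
    printf '\n'
}

# Second factor from oath-toolkit. The secret is read from a file rather than typed
# on this script's command line, but it is still briefly visible in oathtool's argv;
# on a shared host prefer an openconnect build with --token-mode=totp instead.
otp_code() {
    [ -r "$TOTP_SECRET_FILE" ] || { echo "cannot read $TOTP_SECRET_FILE" >&2; return 1; }
    oathtool --totp -b "$(cat "$TOTP_SECRET_FILE")"
}

# Prompt for the primary password with terminal echo off.
read_password() {
    printf 'Password for %s: ' "$1" >&2
    [ -t 0 ] && stty -echo
    read -r pw
    [ -t 0 ] && stty echo
    echo >&2
    printf '%s\n' "$pw"
}

vpn_start() {
    gateway=$1; user=$2; shift 2
    pidfile=$(pidfile_for "$gateway")
    if [ -r "$pidfile" ] && ps -p "$(cat "$pidfile")" >/dev/null 2>&1; then
        echo "already connected to $gateway (pid $(cat "$pidfile"))" >&2
        return 1
    fi
    password=$(read_password "$user")
    otp=$(otp_code)   # generated last so the code is still inside its time window
    # Both secrets travel over stdin, never argv: --passwd-on-stdin takes the first
    # line as the password and the secondary/OTP prompt is answered from the next
    # line (assumed; confirm against your gateway). --background detaches after
    # authentication and --pid-file records the pid for vpn_stop.
    printf '%s\n%s\n' "$password" "$otp" | sudo "$OPENCONNECT" \
        --passwd-on-stdin --user="$user" \
        --background --pid-file="$pidfile" \
        --script "$(vpn_slice_script "$@")" \
        "$gateway"
}

vpn_stop() {
    pidfile=$(pidfile_for "$1")
    [ -r "$pidfile" ] || { echo "no pidfile for $1; not connected?" >&2; return 1; }
    # SIGINT makes openconnect tear the tunnel down cleanly, which re-runs the
    # script with reason=disconnect so vpn-slice removes its routes and host entries.
    sudo kill -INT "$(cat "$pidfile")"
    sudo rm -f "$pidfile"
}

usage() { echo "usage: $0 start GATEWAY USERNAME ROUTE... | stop GATEWAY" >&2; }

case "${1:-}" in
    start) [ $# -ge 3 ] || { usage; exit 1; }; shift; vpn_start "$@" ;;
    stop)  [ $# -eq 2 ] || { usage; exit 1; }; vpn_stop "$2" ;;
    "")    ;;   # no subcommand: only define the functions (lets the file be sourced)
    *)     usage; exit 1 ;;
esac
```

Invoked as `./vpn.sh start vpn.example.com alice 10.0.0.0/8 intranet.example.com`, the nix-shell shebang drops into the vpn-env shell first, so the absolute paths captured at the top point into the nix store and survive sudo's PATH reset. `./vpn.sh stop vpn.example.com` sends the interrupt to the recorded pid; because the teardown runs vpn-slice again, the routes added at connect time are removed rather than left dangling.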