
cato: init at 5.2.1.1 #339533

Open: wants to merge 2 commits into master

Conversation

@YarekTyshchenko (Contributor) commented Sep 4, 2024

Description of changes

Add Cato VPN client
https://www.catonetworks.com/platform/cato-client/

From their webpage:

The Cato Client is a lightweight agent that provides secure zero-trust access to resources everywhere – on the Internet, SaaS, and Cloud or in your private data center. The Cato Client delivers endpoint protection capabilities for the enterprise with comprehensive malware prevention. With support for Windows, MacOS, Linux, Android, and iOS, the client brings the full capabilities of the Cato SASE Cloud Platform to any user device without compromising on security or network performance.

closes #338964

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.11 Release Notes (or backporting 23.11 and 24.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.


@YarekTyshchenko (Contributor, Author) commented

One thing I haven't solved yet is that the named pipes created in /var/run/cato-sdp.* are owned by root; they should probably be owned by a new cato group, so users don't need to run cato-sdp as root or manually chown the pipes.
Suggestions welcome, nay, pleaded for.

@Frontear (Member) commented Sep 6, 2024

> One thing I haven't solved yet is that the named pipes created in /var/run/cato-sdp.* are owned by root; they should probably be owned by a new cato group, so users don't need to run cato-sdp as root or manually chown the pipes. Suggestions welcome, nay, pleaded for.

For this I'd encourage writing a module that can leverage either some kind of systemd unit or systemd.tmpfiles to ensure proper permissions are set.

EDIT: Since I see there is a systemd service, set User=<USER> and write a nixos module to create this user. You can find multiple examples of such behavior in many nixos modules.

@Frontear (Member) left a review comment

I believe the commonly accepted decision these days is to have the package in pkgs/by-name.

If you're certain about keeping it here, please link it in pkgs/top-level/all-packages.nix, as currently it's inaccessible by the standard pkgs.cato entrypoint.

homepage = "https://www.catonetworks.com/";
license = licenses.unfree;
maintainers = with maintainers; [ yarekt ];
platforms = [ platforms.linux ];
@tie (Member) commented Sep 15, 2024 on the lines above

Since this is a prebuilt package (#339533 (comment)), I assume it was built for x86_64-linux? In this case, platforms should not be set to all Linux platforms.

@YarekTyshchenko (Contributor, Author) commented

> One thing I haven't solved yet is that the named pipes created in /var/run/cato-sdp.* are owned by root; they should probably be owned by a new cato group, so users don't need to run cato-sdp as root or manually chown the pipes. Suggestions welcome, nay, pleaded for.

> For this I'd encourage writing a module that can leverage either some kind of systemd unit or systemd.tmpfiles to ensure proper permissions are set.

> EDIT: Since I see there is a systemd service, set User=<USER> and write a nixos module to create this user. You can find multiple examples of such behavior in many nixos modules.

I have created a module. I tried to start the service with User=cato-client, but it needs permissions for /var/log/cato-client.log as well as to create the socket files in /var/run/. I don't have a way of overriding that; the service doesn't seem to have any options. It'd be cool if I could just run the whole thing inside a fake /, but I'm not fussed having it running as root for now.

Are the paths correct now that it's a module? I notice that if I include it like this in my /etc/nixos/configuration.nix it doesn't install the other binary that I need, cato-sdp, to enable the tunnel and log in with an account:

{ config, lib, pkgs, ... }:

{
  imports = [ /home/yarek/Play/nixpkgs/pkgs/by-name/ca/cato-client/package.nix ];

  services.cato-client.enable = true;
  # ...
}

Should I have a line that installs it into systemPackages somewhere inside the cfg.enable bit?

@YarekTyshchenko (Contributor, Author) commented

Now this looks better:

{ config, lib, pkgs, ... }:

{
  imports = [ /home/yarek/Play/nixpkgs/nixos/modules/services/networking/cato-client.nix ];

  services.cato-client = {
    enable = true;
    package = (pkgs.callPackage /home/yarek/Play/nixpkgs/pkgs/by-name/ca/cato-client/package.nix {});
  };
}
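As an added example (not the module from this PR, and not Cato's code), this is one way to lay out the NixOS module Frontear suggested and that the configuration above consumes: a `package` option installed into `environment.systemPackages` inside the `enable` block (the question raised in the earlier comment), a dedicated `cato` group, and a root-run service whose control pipes are handed to that group after start so members can run `cato-sdp` without root. The attribute name `pkgs.cato-client`, the binary name `bin/cato-client` and the `/var/run/cato-sdp.*` glob are assumptions taken from the thread, not verified against the package.

```nix
{ config, lib, pkgs, ... }:

let
  cfg = config.services.cato-client;
in
{
  options.services.cato-client = {
    enable = lib.mkEnableOption "the Cato VPN client daemon";

    package = lib.mkOption {
      type = lib.types.package;
      # Assumption: the by-name package is exposed as pkgs.cato-client.
      default = pkgs.cato-client;
      description = "Package providing the cato-client daemon and the cato-sdp CLI.";
    };

    group = lib.mkOption {
      type = lib.types.str;
      default = "cato";
      description = "Group whose members may drive the daemon through its named pipes.";
    };
  };

  config = lib.mkIf cfg.enable {
    # Installing the package inside the enable block is what puts cato-sdp
    # on PATH for ordinary users.
    environment.systemPackages = [ cfg.package ];

    # Dedicated group: users who should control the tunnel are added to it
    # instead of running cato-sdp as root.
    users.groups.${cfg.group} = { };

    systemd.services.cato-client = {
      description = "Cato VPN client daemon";
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      path = [ pkgs.coreutils ];
      serviceConfig = {
        # Assumption: the daemon binary is bin/cato-client in the package.
        ExecStart = "${cfg.package}/bin/cato-client";
        Restart = "on-failure";
        # The daemon hard-codes /var/log/cato-client.log and /var/run/cato-sdp.*,
        # so it still runs as root; keep what it creates out of world reach.
        UMask = "0027";
        PrivateTmp = true;
        # Hardening the thread has not tested yet: verify the tunnel still comes up.
        NoNewPrivileges = true;
        # Once the daemon has created its control pipes, hand them to the group.
        # Polls briefly because the pipes appear asynchronously after ExecStart.
        ExecStartPost = pkgs.writeShellScript "cato-client-chgrp-pipes" ''
          for _ in $(seq 1 40); do
            if ls /var/run/cato-sdp.* >/dev/null 2>&1; then
              chgrp ${cfg.group} /var/run/cato-sdp.*
              chmod 0660 /var/run/cato-sdp.*
              exit 0
            fi
            sleep 0.25
          done
          echo "cato-client: no /var/run/cato-sdp.* pipes found, ownership unchanged" >&2
          exit 0
        '';
      };
    };
  };
}
```

With this in place a user is granted control of the tunnel by `users.users.<name>.extraGroups = [ "cato" ];` rather than by running `cato-sdp` as root. Mode 0660 on the pipes means group members can issue commands to the daemon but nothing else on the system changes for them, and the post-start script deliberately exits 0 on timeout so a slow daemon start does not fail the unit.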
