movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-14 21:49:34 +03:00
Code Issues Projects Releases Packages Wiki Activity
nixpkgs/nixos/modules/services/networking/strongswan.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

212 lines
5.1 KiB
Nix
Raw Permalink Normal View History

Added strongSwan service
2014-11-22 19:27:23 +01:00
{
config,
lib,
pkgs,
...
}:
let
inherit (builtins) toFile;
nixos/networkmanager: set up /etc/ipsec.secrets as required by the L2TP plugin The networkmanager-l2tp plugin expects /etc/ipsec.secrets to include /etc/ipsec.d/ipsec.nm-l2tp.secrets; see https://github.com/NixOS/nixpkgs/issues/64965 In order for this to continue working if the strongswan module is enabled, we use `"ipsec.secrets".text` instead of `.source` so that the configurations of both modules are concatenated.
2024-09-07 17:28:25 +02:00
inherit (lib)
concatMapStrings
concatStringsSep
mapAttrsToList
treewide: use more lib.optionalString
2023-03-19 21:44:31 +01:00
mkIf
mkEnableOption
mkOption
types
literalExpression
optionalString
;
Added strongSwan service
2014-11-22 19:27:23 +01:00
cfg = config.services.strongswan;
nixos/networkmanager: set up /etc/ipsec.secrets as required by the L2TP plugin The networkmanager-l2tp plugin expects /etc/ipsec.secrets to include /etc/ipsec.d/ipsec.nm-l2tp.secrets; see https://github.com/NixOS/nixpkgs/issues/64965 In order for this to continue working if the strongswan module is enabled, we use `"ipsec.secrets".text` instead of `.source` so that the configurations of both modules are concatenated.
2024-09-07 17:28:25 +02:00
ipsecSecrets = secrets: concatMapStrings (f: "include ${f}\n") secrets;
Added strongSwan service
2014-11-22 19:27:23 +01:00
ipsecConf =
{
setup,
connections,
ca,
}:
let
# https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
makeSections =
type: sections:
concatStringsSep "\n\n" (
mapAttrsToList (
sec: attrs:
"${type} ${sec}\n" + (concatStringsSep "\n" (mapAttrsToList (k: v: " ${k}=${v}") attrs))
) sections
);
setupConf = makeSections "config" { inherit setup; };
connectionsConf = makeSections "conn" connections;
caConf = makeSections "ca" ca;
in
builtins.toFile "ipsec.conf" ''
${setupConf}
${connectionsConf}
${caConf}
'';
strongswan module: make it work with ipsec l2tp l2tp saves its secrets into /etc/ipsec.d but strongswan would not read them. l2tp checks for /etc/ipsec.secrets includes /etc/ipsec.d and if not tries to write into it. Solution: Have the strongswan module create /etc/ipsec.d and /etc/ipsec.secrets when networkmanager_l2tp is installed. Include /etc/ipsec.secrets in /nix/store/hash-strongswan/etc/ipsec.secrets so that it can find l2tp secrets. Also when the ppp 'nopeerdns' option is used, the DNS resolver tries to write into an alternate file /etc/ppp/resolv.conf. This fails when /etc/ppp does not exist so the module creates it by default.
2017-10-31 20:14:00 +09:00
strongswanConf =
{
setup,
connections,
ca,
secretsFile,
managePlugins,
enabledPlugins,
}:
toFile "strongswan.conf" ''
Added strongSwan service
2014-11-22 19:27:23 +01:00
charon {
treewide: use more lib.optionalString
2023-03-19 21:44:31 +01:00
${optionalString managePlugins "load_modular = no"}
${optionalString managePlugins ("load = " + (concatStringsSep " " enabledPlugins))}
Added strongSwan service
2014-11-22 19:27:23 +01:00
plugins {
stroke {
strongswan module: make it work with ipsec l2tp l2tp saves its secrets into /etc/ipsec.d but strongswan would not read them. l2tp checks for /etc/ipsec.secrets includes /etc/ipsec.d and if not tries to write into it. Solution: Have the strongswan module create /etc/ipsec.d and /etc/ipsec.secrets when networkmanager_l2tp is installed. Include /etc/ipsec.secrets in /nix/store/hash-strongswan/etc/ipsec.secrets so that it can find l2tp secrets. Also when the ppp 'nopeerdns' option is used, the DNS resolver tries to write into an alternate file /etc/ppp/resolv.conf. This fails when /etc/ppp does not exist so the module creates it by default.
2017-10-31 20:14:00 +09:00
secrets_file = ${secretsFile}
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
}
Added strongSwan service
2014-11-22 19:27:23 +01:00
}
}
starter {
config_file = ${ipsecConf { inherit setup connections ca; }}
}
'';
in
{
options.services.strongswan = {
enable = mkEnableOption "strongSwan";
secrets = mkOption {
nixos/strongswan: use strings for secrets. The nixos module artifically enforces type.path whereas the ipsec secret configuration files accept pattern or relative paths. Enforcing absolute paths already caused problems with l2tp vpn: https://github.com/nm-l2tp/NetworkManager-l2tp/issues/108
2019-04-06 10:28:33 +09:00
type = types.listOf types.str;
Added strongSwan service
2014-11-22 19:27:23 +01:00
default = [ ];
example = [ "/run/keys/ipsec-foo.secret" ];
description = ''
A list of paths to IPSec secret files. These
Style fixes
2014-11-25 16:01:27 +01:00
files will be included into the main ipsec.secrets file with
the `include` directive. It is safer if these
paths are absolute.
Added strongSwan service
2014-11-22 19:27:23 +01:00
'';
};
setup = mkOption {
type = types.attrsOf types.str;
default = { };
example = {
cachecrls = "yes";
strictcrlpolicy = "yes";
};
description = ''
Style fixes
2014-11-25 16:01:27 +01:00
A set of options for the config setup section of the
{file}`ipsec.conf` file. Defines general
configuration parameters.
Added strongSwan service
2014-11-22 19:27:23 +01:00
'';
};
connections = mkOption {
type = types.attrsOf (types.attrsOf types.str);
default = { };
nixos/doc: clean up defaults and examples
2021-10-03 18:06:03 +02:00
example = literalExpression ''
nixos/treewide: Fix incorrectly rendered examples Many options define their example to be a Nix value without using literalExample. This sometimes gets rendered incorrectly in the manual, causing confusion like in https://github.com/NixOS/nixpkgs/issues/25516 This fixes it by using literalExample for such options. The list of option to fix was determined with this expression: let nixos = import ./nixos { configuration = {}; }; lib = import ./lib; valid = d: { # escapeNixIdentifier from https://github.com/NixOS/nixpkgs/pull/82461 set = lib.all (n: lib.strings.escapeNixIdentifier n == n) (lib.attrNames d) && lib.all (v: valid v) (lib.attrValues d); list = lib.all (v: valid v) d; }.${builtins.typeOf d} or true; optionList = lib.optionAttrSetToDocList nixos.options; in map (opt: { file = lib.elemAt opt.declarations 0; loc = lib.options.showOption opt.loc; }) (lib.filter (opt: if opt ? example then ! valid opt.example else false) optionList) which when evaluated will output all options that use a Nix identifier that would need escaping as an attribute name.
2020-04-02 07:39:04 +02:00
{
"%default" = {
keyexchange = "ikev2";
keyingtries = "1";
};
roadwarrior = {
auto = "add";
leftcert = "/run/keys/moonCert.pem";
leftid = "@moon.strongswan.org";
leftsubnet = "10.1.0.0/16";
right = "%any";
};
}
'';
Added strongSwan service
2014-11-22 19:27:23 +01:00
description = ''
Style fixes
2014-11-25 16:01:27 +01:00
A set of connections and their options for the conn xxx
sections of the {file}`ipsec.conf` file.
Added strongSwan service
2014-11-22 19:27:23 +01:00
'';
};
ca = mkOption {
type = types.attrsOf (types.attrsOf types.str);
default = { };
example = {
strongswan = {
auto = "add";
cacert = "/run/keys/strongswanCert.pem";
crluri = "http://crl2.strongswan.org/strongswan.crl";
};
};
description = ''
Style fixes
2014-11-25 16:01:27 +01:00
A set of CAs (certification authorities) and their options for
the ca xxx sections of the {file}`ipsec.conf`
file.
Added strongSwan service
2014-11-22 19:27:23 +01:00
'';
};
strongswan: allow configuring enabled plugins
2017-09-22 03:39:00 -07:00
managePlugins = mkOption {
type = types.bool;
default = false;
description = ''
If set to true, this option will disable automatic plugin loading and
then tell strongSwan to enable the plugins specified in the
{option}`enabledPlugins` option.
'';
};
enabledPlugins = mkOption {
type = types.listOf types.str;
default = [ ];
description = ''
A list of additional plugins to enable if
{option}`managePlugins` is true.
'';
};
Added strongSwan service
2014-11-22 19:27:23 +01:00
};
nixos/networkmanager: set up /etc/ipsec.secrets as required by the L2TP plugin The networkmanager-l2tp plugin expects /etc/ipsec.secrets to include /etc/ipsec.d/ipsec.nm-l2tp.secrets; see https://github.com/NixOS/nixpkgs/issues/64965 In order for this to continue working if the strongswan module is enabled, we use `"ipsec.secrets".text` instead of `.source` so that the configurations of both modules are concatenated.
2024-09-07 17:28:25 +02:00
config =
with cfg;
mkIf enable {
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
strongswan module: make it work with ipsec l2tp l2tp saves its secrets into /etc/ipsec.d but strongswan would not read them. l2tp checks for /etc/ipsec.secrets includes /etc/ipsec.d and if not tries to write into it. Solution: Have the strongswan module create /etc/ipsec.d and /etc/ipsec.secrets when networkmanager_l2tp is installed. Include /etc/ipsec.secrets in /nix/store/hash-strongswan/etc/ipsec.secrets so that it can find l2tp secrets. Also when the ppp 'nopeerdns' option is used, the DNS resolver tries to write into an alternate file /etc/ppp/resolv.conf. This fails when /etc/ppp does not exist so the module creates it by default.
2017-10-31 20:14:00 +09:00
# here we should use the default strongswan ipsec.secrets and
# append to it (default one is empty so not a pb for now)
nixos/networkmanager: set up /etc/ipsec.secrets as required by the L2TP plugin The networkmanager-l2tp plugin expects /etc/ipsec.secrets to include /etc/ipsec.d/ipsec.nm-l2tp.secrets; see https://github.com/NixOS/nixpkgs/issues/64965 In order for this to continue working if the strongswan module is enabled, we use `"ipsec.secrets".text` instead of `.source` so that the configurations of both modules are concatenated.
2024-09-07 17:28:25 +02:00
environment.etc."ipsec.secrets".text = ipsecSecrets cfg.secrets;
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
Added strongSwan service
2014-11-22 19:27:23 +01:00
systemd.services.strongswan = {
Style fixes
2014-11-25 16:01:27 +01:00
description = "strongSwan IPSec Service";
Added strongSwan service
2014-11-22 19:27:23 +01:00
wantedBy = [ "multi-user.target" ];
iproute: deprecate alias
2021-03-14 17:05:16 +01:00
path = with pkgs; [
kmod
iproute2
iptables
util-linux
]; # XXX Linux
nixos: fix a bunch of services missing dep on network-online.target This was done by generating a truly hilarious configuration: rg 'services\.[^.]+\.enable\t' opts-tags | cut -f1 > allonconfig.nix The following were not tested due to other evaluation errors. They should probably be manually audited. services.amule services.castopod services.ceph services.chatgpt-retrieval-plugin services.clamsmtp services.clight services.dante services.dex services.discourse services.dwm-status services.engelsystem services.foundationdb services.frigate services.frp services.grocy services.guacamole-client services.hedgedoc services.home-assistant services.honk services.imaginary services.jitsi-meet services.kerberos_server services.limesurvey services.mastodon services.mediawiki services.mobilizon services.moodle services.mosquitto services.nextcloud services.nullmailer services.patroni services.pfix-srsd services.pgpkeyserver-lite services.postfixadmin services.roundcube services.schleuder services.self-deploy services.slskd services.spacecookie services.statsd services.step-ca services.sympa services.tsmBackup services.vdirsyncer services.vikunja services.yandex-disk services.zabbixWeb
2023-10-03 22:21:50 -07:00
wants = [ "network-online.target" ];
nixos/treewide: drop dependencies to `keys.target` The `keys.target` is used to indicate whether all NixOps keys were successfully uploaded on an unattended reboot. However this can cause startup issues e.g. with NixOS containers (see #67265) and can block boots even though this might not be needed (e.g. with a dovecot2 instance running that doesn't need any of the NixOps keys). As described in the NixOps manual[1], dependencies to keys should be defined like this now: ``` nix { systemd.services.myservice = { after = [ "secret-key.service" ]; wants = [ "secret-key.service" ]; }; } ``` However I'd leave the issue open until it's discussed whether or not to keep `keys.target` in `nixpkgs`. [1] https://nixos.org/nixops/manual/#idm140737322342384
2019-08-24 16:52:17 +02:00
after = [ "network-online.target" ];
Added strongSwan service
2014-11-22 19:27:23 +01:00
environment = {
nixos/networkmanager: set up /etc/ipsec.secrets as required by the L2TP plugin The networkmanager-l2tp plugin expects /etc/ipsec.secrets to include /etc/ipsec.d/ipsec.nm-l2tp.secrets; see https://github.com/NixOS/nixpkgs/issues/64965 In order for this to continue working if the strongswan module is enabled, we use `"ipsec.secrets".text` instead of `.source` so that the configurations of both modules are concatenated.
2024-09-07 17:28:25 +02:00
STRONGSWAN_CONF = strongswanConf {
inherit
setup
connections
ca
managePlugins
enabledPlugins
;
secretsFile = "/etc/ipsec.secrets";
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
};
nixos/networkmanager: set up /etc/ipsec.secrets as required by the L2TP plugin The networkmanager-l2tp plugin expects /etc/ipsec.secrets to include /etc/ipsec.d/ipsec.nm-l2tp.secrets; see https://github.com/NixOS/nixpkgs/issues/64965 In order for this to continue working if the strongswan module is enabled, we use `"ipsec.secrets".text` instead of `.source` so that the configurations of both modules are concatenated.
2024-09-07 17:28:25 +02:00
};
Added strongSwan service
2014-11-22 19:27:23 +01:00
serviceConfig = {
ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork";
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
};
strongswan module: make it work with ipsec l2tp l2tp saves its secrets into /etc/ipsec.d but strongswan would not read them. l2tp checks for /etc/ipsec.secrets includes /etc/ipsec.d and if not tries to write into it. Solution: Have the strongswan module create /etc/ipsec.d and /etc/ipsec.secrets when networkmanager_l2tp is installed. Include /etc/ipsec.secrets in /nix/store/hash-strongswan/etc/ipsec.secrets so that it can find l2tp secrets. Also when the ppp 'nopeerdns' option is used, the DNS resolver tries to write into an alternate file /etc/ppp/resolv.conf. This fails when /etc/ppp does not exist so the module creates it by default.
2017-10-31 20:14:00 +09:00
preStart = ''
# with 'nopeerdns' setting, ppp writes into this folder
mkdir -m 700 -p /etc/ppp
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH
2024-12-10 20:26:33 +01:00
'';
Added strongSwan service
2014-11-22 19:27:23 +01:00
};
};
}
Reference in a new issue Copy permalink