nixpkgs/nixos/modules/services/networking/libreswan.nix

{
  config,
  lib,
  pkgs,
  ...
}:
let

  cfg = config.services.libreswan;

  libexec = "${pkgs.libreswan}/libexec/ipsec";
  ipsec = "${pkgs.libreswan}/sbin/ipsec";

  trim =
    chars: str:
    let
      nonchars = lib.filter (x: !(lib.elem x.value chars)) (
        lib.imap0 (i: v: {
          ind = i;
          value = v;
        }) (lib.stringToCharacters str)
      );
    in
    lib.optionalString (nonchars != [ ]) (
      lib.substring (lib.head nonchars).ind (lib.add 1 (
        lib.sub (lib.last nonchars).ind (lib.head nonchars).ind
      )) str
    );
  indent =
    str:
    lib.concatStrings (
      lib.concatMap (s: [
        "  "
        (trim [ " " "\t" ] s)
        "\n"
      ]) (lib.splitString "\n" str)
    );
  configText = indent (toString cfg.configSetup);
  connectionText = lib.concatStrings (
    lib.mapAttrsToList (n: v: ''
      conn ${n}
      ${indent v}
    '') cfg.connections
  );

  configFile = pkgs.writeText "ipsec-nixos.conf" ''
    config setup
    ${configText}

    ${connectionText}
  '';

  policyFiles = lib.mapAttrs' (name: text: {
    name = "ipsec.d/policies/${name}";
    value.source = pkgs.writeText "ipsec-policy-${name}" text;
  }) cfg.policies;

in

{

  ###### interface

  options = {

    services.libreswan = {

      enable = lib.mkEnableOption "Libreswan IPsec service";

      configSetup = lib.mkOption {
        type = lib.types.lines;
        default = ''
          protostack=netkey
          virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
        '';
        example = ''
          secretsfile=/root/ipsec.secrets
          protostack=netkey
          virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
        '';
        description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration";
      };

      connections = lib.mkOption {
        type = lib.types.attrsOf lib.types.lines;
        default = { };
        example = lib.literalExpression ''
          { myconnection = '''
              auto=add
              left=%defaultroute
              leftid=@user

              right=my.vpn.com

              ikev2=no
              ikelifetime=8h
            ''';
          }
        '';
        description = "A set of connections to define for the Libreswan IPsec service";
      };

      policies = lib.mkOption {
        type = lib.types.attrsOf lib.types.lines;
        default = { };
        example = lib.literalExpression ''
          { private-or-clear = '''
              # Attempt opportunistic IPsec for the entire Internet
              0.0.0.0/0
              ::/0
            ''';
          }
        '';
        description = ''
          A set of policies to apply to the IPsec connections.

          ::: {.note}
          The policy name must match the one of connection it needs to apply to.
          :::
        '';
      };

      disableRedirects = lib.mkOption {
        type = lib.types.bool;
        default = true;
        description = ''
          Whether to disable send and accept redirects for all network interfaces.
          See the Libreswan [
          FAQ](https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F) page for why this is recommended.
        '';
      };

    };

  };

  ###### implementation

  config = lib.mkIf cfg.enable {

    # Install package, systemd units, etc.
    environment.systemPackages = [
      pkgs.libreswan
      pkgs.iproute2
    ];
    systemd.packages = [ pkgs.libreswan ];
    systemd.tmpfiles.packages = [ pkgs.libreswan ];

    # Install configuration files
    environment.etc = {
      "ipsec.secrets".text = ''
        include ${pkgs.libreswan}/etc/ipsec.secrets
      '';
      "ipsec.conf".source = "${pkgs.libreswan}/etc/ipsec.conf";
      "ipsec.d/01-nixos.conf".source = configFile;
    } // policyFiles;

    systemd.services.ipsec = {
      description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec";
      wantedBy = [ "multi-user.target" ];
      restartTriggers = [ configFile ] ++ lib.mapAttrsToList (n: v: v.source) policyFiles;
      path = with pkgs; [
        libreswan
        iproute2
        procps
        nssTools
        iptables
        nettools
      ];
      preStart = lib.optionalString cfg.disableRedirects ''
        # Disable send/receive redirects
        echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects
        echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects
      '';
      serviceConfig = {
        StateDirectory = "ipsec/nss";
        StateDirectoryMode = 700;
      };
    };

  };

}
libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`{`
			`config,`
			`lib,`
			`pkgs,`
			`...`
			`}:`
			`let`

			`cfg = config.services.libreswan;`

			`libexec = "${pkgs.libreswan}/libexec/ipsec";`
			`ipsec = "${pkgs.libreswan}/sbin/ipsec";`

nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`trim =`
			`chars: str:`
			`let`
nixos/services.libreswan: remove `with lib;` 2024-08-24 22:05:53 +02:00			`nonchars = lib.filter (x: !(lib.elem x.value chars)) (`
			`lib.imap0 (i: v: {`
			`ind = i;`
			`value = v;`
			`}) (lib.stringToCharacters str)`
			`);`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`in`
Update nixos/modules/services/networking/libreswan.nix Co-authored-by: Robert Hensing <roberth@users.noreply.github.com> 2023-07-02 19:03:19 +02:00			`lib.optionalString (nonchars != [ ]) (`
nixos/services.libreswan: remove `with lib;` 2024-08-24 22:05:53 +02:00			`lib.substring (lib.head nonchars).ind (lib.add 1 (`
			`lib.sub (lib.last nonchars).ind (lib.head nonchars).ind`
			`)) str`
			`);`
			`indent =`
			`str:`
			`lib.concatStrings (`
			`lib.concatMap (s: [`
			`" "`
			`(trim [ " " "\t" ] s)`
			`"\n"`
			`]) (lib.splitString "\n" str)`
			`);`
libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`configText = indent (toString cfg.configSetup);`
nixos/services.libreswan: remove `with lib;` 2024-08-24 22:05:53 +02:00			`connectionText = lib.concatStrings (`
			`lib.mapAttrsToList (n: v: ''`
libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`conn ${n}`
			`${indent v}`
			`'') cfg.connections`
			`);`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00
			`configFile = pkgs.writeText "ipsec-nixos.conf" ''`
libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`config setup`
			`${configText}`
nixos/libreswan: add missing runtime dependencies 2017-10-22 10:27:26 +03:00
libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`${connectionText}`
			`'';`

nixos/services.libreswan: remove `with lib;` 2024-08-24 22:05:53 +02:00			`policyFiles = lib.mapAttrs' (name: text: {`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`name = "ipsec.d/policies/${name}";`
			`value.source = pkgs.writeText "ipsec-policy-${name}" text;`
			`}) cfg.policies;`

libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`in`

			`{`

			`###### interface`

			`options = {`

			`services.libreswan = {`

nixos/services.libreswan: remove `with lib;` 2024-08-24 22:05:53 +02:00			`enable = lib.mkEnableOption "Libreswan IPsec service";`
libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00
nixos/services.libreswan: remove `with lib;` 2024-08-24 22:05:53 +02:00			`configSetup = lib.mkOption {`
			`type = lib.types.lines;`
libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`default = ''`
			`protostack=netkey`
			`virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10`
			`'';`
			`example = ''`
			`secretsfile=/root/ipsec.secrets`
			`protostack=netkey`
			`virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10`
			`'';`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration";`
libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`};`

nixos/services.libreswan: remove `with lib;` 2024-08-24 22:05:53 +02:00			`connections = lib.mkOption {`
			`type = lib.types.attrsOf lib.types.lines;`
libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`default = { };`
nixos/services.libreswan: remove `with lib;` 2024-08-24 22:05:53 +02:00			`example = lib.literalExpression ''`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`{ myconnection = '''`
			`auto=add`
			`left=%defaultroute`
			`leftid=@user`

			`right=my.vpn.com`

			`ikev2=no`
			`ikelifetime=8h`
			`''';`
			`}`
			`'';`
			`description = "A set of connections to define for the Libreswan IPsec service";`
			`};`

nixos/services.libreswan: remove `with lib;` 2024-08-24 22:05:53 +02:00			`policies = lib.mkOption {`
			`type = lib.types.attrsOf lib.types.lines;`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`default = { };`
nixos/services.libreswan: remove `with lib;` 2024-08-24 22:05:53 +02:00			`example = lib.literalExpression ''`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`{ private-or-clear = '''`
			`# Attempt opportunistic IPsec for the entire Internet`
			`0.0.0.0/0`
			`::/0`
			`''';`
			`}`
			`'';`
			`description = ''`
			`A set of policies to apply to the IPsec connections.`

			`::: {.note}`
			`The policy name must match the one of connection it needs to apply to.`
nixos/*: convert options with admonitions to MD rendering changes only slightly, most changes are in spacing. 2022-08-30 02:30:04 +02:00			`:::`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`'';`
libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`};`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00
nixos/services.libreswan: remove `with lib;` 2024-08-24 22:05:53 +02:00			`disableRedirects = lib.mkOption {`
			`type = lib.types.bool;`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`default = true;`
			`description = ''`
nixos: fix typos 2022-12-17 19:31:14 -05:00			`Whether to disable send and accept redirects for all network interfaces.`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`See the Libreswan [`
			`FAQ](https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F) page for why this is recommended.`
			`'';`
			`};`

libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`};`

			`};`

			`###### implementation`

nixos/services.libreswan: remove `with lib;` 2024-08-24 22:05:53 +02:00			`config = lib.mkIf cfg.enable {`
libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`# Install package, systemd units, etc.`
iproute: deprecate alias 2021-03-14 17:05:16 +01:00			`environment.systemPackages = [`
			`pkgs.libreswan`
			`pkgs.iproute2`
			`];`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`systemd.packages = [ pkgs.libreswan ];`
			`systemd.tmpfiles.packages = [ pkgs.libreswan ];`

			`# Install configuration files`
			`environment.etc = {`
nixos/libreswan: use `environment.etc."ipsec.secrets".text` This is to ensure compatibility with the networkmanager module, which uses the `text` option. 2024-11-20 19:59:02 +01:00			`"ipsec.secrets".text = ''`
			`include ${pkgs.libreswan}/etc/ipsec.secrets`
			`'';`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`"ipsec.conf".source = "${pkgs.libreswan}/etc/ipsec.conf";`
			`"ipsec.d/01-nixos.conf".source = configFile;`
			`} // policyFiles;`

libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`systemd.services.ipsec = {`
			`description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec";`
			`wantedBy = [ "multi-user.target" ];`
nixos/services.libreswan: remove `with lib;` 2024-08-24 22:05:53 +02:00			`restartTriggers = [ configFile ] ++ lib.mapAttrsToList (n: v: v.source) policyFiles;`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`path = with pkgs; [`
			`libreswan`
			`iproute2`
			`procps`
			`nssTools`
			`iptables`
			`nettools`
			`];`
nixos/services.libreswan: remove `with lib;` 2024-08-24 22:05:53 +02:00			`preStart = lib.optionalString cfg.disableRedirects ''`
nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies 2021-05-13 12:37:59 +02:00			`# Disable send/receive redirects`
			`echo 0 \| tee /proc/sys/net/ipv4/conf/*/send_redirects`
			`echo 0 \| tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects`
			`'';`
nixos/libreswan: Use StateDirectory to setup ipsec/nss The systemd manual `systemd.exec(5)` addresses the partly overlapping functionality of the `tmpfiles.d(5)` setting and other, more semantic settings and recommends their use if they fit your needs because these semantic versions offer more guarantees. One of those guarantees is that they are guaranteed to be ready by the time the process starts whereas `tmpfiles.d` can be executed asynchronously. I believe this is the cause of some issues I ran into where I had to manually create the `/var/lib/ipsec/nss` directory. This patch fixed those issues for me. 2023-05-20 13:36:33 +02:00			`serviceConfig = {`
			`StateDirectory = "ipsec/nss";`
			`StateDirectoryMode = 700;`
			`};`
libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`};`

			`};`

			`}`