nixos/networkmanager: set up /etc/ipsec.secrets as required by the L2TP plugin

The networkmanager-l2tp plugin expects /etc/ipsec.secrets to include /etc/ipsec.d/ipsec.nm-l2tp.secrets; see https://github.com/NixOS/nixpkgs/issues/64965 In order for this to continue working if the strongswan module is enabled, we use `"ipsec.secrets".text` instead of `.source` so that the configurations of both modules are concatenated.
2025-06-11 12:15:34 +03:00 · 2024-09-07 17:28:25 +02:00 · 2024-09-07 17:28:25 +02:00 · 6840ba251c
commit 6840ba251c
parent d1f2bc2931
2 changed files with 14 additions and 11 deletions
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@ -514,6 +514,12 @@ in

    environment.etc = {
      "NetworkManager/NetworkManager.conf".source = configFile;
+
+      # The networkmanager-l2tp plugin expects /etc/ipsec.secrets to include /etc/ipsec.d/ipsec.nm-l2tp.secrets;
+      # see https://github.com/NixOS/nixpkgs/issues/64965
+      "ipsec.secrets".text = ''
+        include ipsec.d/ipsec.nm-l2tp.secrets
+      '';
    }
    // builtins.listToAttrs (map
      (pkg: nameValuePair "NetworkManager/${pkg.networkManagerPlugin}" {
--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
@ -3,14 +3,12 @@
 let

  inherit (builtins) toFile;
-  inherit (lib) concatMapStringsSep concatStringsSep mapAttrsToList
+  inherit (lib) concatMapStrings concatStringsSep mapAttrsToList
                mkIf mkEnableOption mkOption types literalExpression optionalString;

  cfg = config.services.strongswan;

-  ipsecSecrets = secrets: toFile "ipsec.secrets" (
-    concatMapStringsSep "\n" (f: "include ${f}") secrets
-  );
+  ipsecSecrets = secrets: concatMapStrings (f: "include ${f}\n") secrets;

  ipsecConf = {setup, connections, ca}:
    let
@ -138,16 +136,12 @@ in
  };


-  config = with cfg;
-  let
-    secretsFile = ipsecSecrets cfg.secrets;
-  in
-  mkIf enable
+  config = with cfg; mkIf enable
    {

    # here we should use the default strongswan ipsec.secrets and
    # append to it (default one is empty so not a pb for now)
-    environment.etc."ipsec.secrets".source = secretsFile;
+    environment.etc."ipsec.secrets".text = ipsecSecrets cfg.secrets;

    systemd.services.strongswan = {
      description = "strongSwan IPSec Service";
@ -156,7 +150,10 @@ in
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      environment = {
-        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
+        STRONGSWAN_CONF = strongswanConf {
+          inherit setup connections ca managePlugins enabledPlugins;
+          secretsFile = "/etc/ipsec.secrets";
+        };
      };
      serviceConfig = {
        ExecStart  = "${pkgs.strongswan}/sbin/ipsec start --nofork";