movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-14 06:00:33 +03:00
Code Activity

Merge pull request #31019 from teto/strongswan_rebased

Browse source 
[RFC/RDY] make l2tp work with Strongswan
This commit is contained in:
Jörg Thalheim 2018-03-03 15:56:05 +00:00 committed by GitHub
commit 9936ed4920
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 28 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

1
nixos/modules/services/networking/networkmanager.nix
View file

@ -335,6 +335,7 @@ in {
preStart = '' preStart = ''
mkdir -m 700 -p /etc/NetworkManager/system-connections mkdir -m 700 -p /etc/NetworkManager/system-connections
mkdir -m 700 -p /etc/ipsec.d
mkdir -m 755 -p ${stateDirs} mkdir -m 755 -p ${stateDirs}
''; '';
}; };

23
nixos/modules/services/networking/strongswan.nix
View file

@ -32,13 +32,13 @@ let
${caConf} ${caConf}
''; '';
strongswanConf = {setup, connections, ca, secrets, managePlugins, enabledPlugins}: toFile "strongswan.conf" '' strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
charon { charon {
${if managePlugins then "load_modular = no" else ""} ${if managePlugins then "load_modular = no" else ""}
${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""} ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""}
plugins { plugins {
stroke { stroke {
secrets_file = ${ipsecSecrets secrets} secrets_file = ${secretsFile}
} }
} }
} }
@ -135,7 +135,18 @@ in
}; };
}; };
config = with cfg; mkIf enable {
config = with cfg;
let
secretsFile = ipsecSecrets cfg.secrets;
in
mkIf enable
{
# here we should use the default strongswan ipsec.secrets and
# append to it (default one is empty so not a pb for now)
environment.etc."ipsec.secrets".source = secretsFile;
systemd.services.strongswan = { systemd.services.strongswan = {
description = "strongSwan IPSec Service"; description = "strongSwan IPSec Service";
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
@ -143,11 +154,15 @@ in
wants = [ "keys.target" ]; wants = [ "keys.target" ];
after = [ "network-online.target" "keys.target" ]; after = [ "network-online.target" "keys.target" ];
environment = { environment = {
STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets managePlugins enabledPlugins; }; STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
}; };
serviceConfig = { serviceConfig = {
ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork"; ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork";
}; };
preStart = ''
# with 'nopeerdns' setting, ppp writes into this folder
mkdir -m 700 -p /etc/ppp
'';
}; };
}; };
} }

3
pkgs/tools/networking/network-manager/l2tp.nix
View file

@ -22,6 +22,9 @@ stdenv.mkDerivation rec {
postPatch = '' postPatch = ''
sed -i -e 's%"\(/usr/sbin\|/usr/pkg/sbin\|/usr/local/sbin\)/[^"]*",%%g' ./src/nm-l2tp-service.c sed -i -e 's%"\(/usr/sbin\|/usr/pkg/sbin\|/usr/local/sbin\)/[^"]*",%%g' ./src/nm-l2tp-service.c
substituteInPlace ./Makefile.am \
--replace '$(sysconfdir)/dbus-1/system.d' "$out/etc/dbus-1/system.d"
substituteInPlace ./src/nm-l2tp-service.c \ substituteInPlace ./src/nm-l2tp-service.c \
--replace /sbin/ipsec ${strongswan}/bin/ipsec \ --replace /sbin/ipsec ${strongswan}/bin/ipsec \
--replace /sbin/xl2tpd ${xl2tpd}/bin/xl2tpd --replace /sbin/xl2tpd ${xl2tpd}/bin/xl2tpd

5
pkgs/tools/networking/strongswan/default.nix
View file

@ -76,6 +76,11 @@ stdenv.mkDerivation rec {
"--enable-sqlite" ] "--enable-sqlite" ]
++ optional enableNetworkManager "--enable-nm"; ++ optional enableNetworkManager "--enable-nm";
postInstall = ''
# this is needed for l2tp
echo "include /etc/ipsec.secrets" >> $out/etc/ipsec.secrets
'';
NIX_LDFLAGS = "-lgcc_s" ; NIX_LDFLAGS = "-lgcc_s" ;
meta = { meta = {