nixpkgs/nixos/modules/services/networking/libreswan.nix

{ config, lib, pkgs, ... }:

with lib;

let

  cfg = config.services.libreswan;

  libexec = "${pkgs.libreswan}/libexec/ipsec";
  ipsec = "${pkgs.libreswan}/sbin/ipsec";

  trim = chars: str: let
      nonchars = filter (x : !(elem x.value chars))
                  (imap (i: v: {ind = (sub i 1); value = v;}) (stringToCharacters str));
    in
      if length nonchars == 0 then ""
      else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str;
  indent = str: concatStrings (concatMap (s: ["  " (trim [" " "\t"] s) "\n"]) (splitString "\n" str));
  configText = indent (toString cfg.configSetup);
  connectionText = concatStrings (mapAttrsToList (n: v: 
    ''
      conn ${n}
      ${indent v}

    '') cfg.connections);
  configFile = pkgs.writeText "ipsec.conf"
    ''
      config setup
      ${configText}
      
      ${connectionText}
    '';

in

{

  ###### interface

  options = {

    services.libreswan = {

      enable = mkEnableOption "libreswan ipsec service";

      configSetup = mkOption {
        type = types.lines;
        default = ''
            protostack=netkey
            nat_traversal=yes
            virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
        '';
        example = ''
            secretsfile=/root/ipsec.secrets
            protostack=netkey
            nat_traversal=yes
            virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
        '';
        description = "Options to go in the 'config setup' section of the libreswan ipsec configuration";
      };

      connections = mkOption {
        type = types.attrsOf types.lines;
        default = {};
        example = {
          myconnection = ''
            auto=add
            left=%defaultroute
            leftid=@user

            right=my.vpn.com

            ikev2=no
            ikelifetime=8h
          '';
        };
        description = "A set of connections to define for the libreswan ipsec service";
      };
    };

  };


  ###### implementation

  config = mkIf cfg.enable {

    environment.systemPackages = [ pkgs.libreswan pkgs.iproute ];

    systemd.services.ipsec = {
      description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec";
      path = [
        "${pkgs.libreswan}"
        "${pkgs.iproute}"
        "${pkgs.procps}"
      ];

      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      wantedBy = [ "multi-user.target" ];

      serviceConfig = {
        Type = "simple";
        Restart = "always";
        EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto";
        ExecStartPre = [
          "${libexec}/addconn --config ${configFile} --checkconfig"
          "${libexec}/_stackmanager start"
          "${ipsec} --checknss"
          "${ipsec} --checknflog"
        ];
        ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS";
        ExecStop = "${libexec}/whack --shutdown";
        ExecStopPost = [
          "${pkgs.iproute}/bin/ip xfrm policy flush"
          "${pkgs.iproute}/bin/ip xfrm state flush"
          "${ipsec} --stopnflog"
        ];
        ExecReload = "${libexec}/whack --listen";
      };

    };

  };

}
libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`{ config, lib, pkgs, ... }:`

			`with lib;`

			`let`

			`cfg = config.services.libreswan;`

			`libexec = "${pkgs.libreswan}/libexec/ipsec";`
			`ipsec = "${pkgs.libreswan}/sbin/ipsec";`

			`trim = chars: str: let`
			`nonchars = filter (x : !(elem x.value chars))`
			`(imap (i: v: {ind = (sub i 1); value = v;}) (stringToCharacters str));`
			`in`
			`if length nonchars == 0 then ""`
			`else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str;`
			`indent = str: concatStrings (concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (splitString "\n" str));`
			`configText = indent (toString cfg.configSetup);`
			`connectionText = concatStrings (mapAttrsToList (n: v:`
			`''`
			`conn ${n}`
			`${indent v}`

			`'') cfg.connections);`
			`configFile = pkgs.writeText "ipsec.conf"`
			`''`
			`config setup`
			`${configText}`

			`${connectionText}`
			`'';`

			`in`

			`{`

			`###### interface`

			`options = {`

			`services.libreswan = {`

			`enable = mkEnableOption "libreswan ipsec service";`

			`configSetup = mkOption {`
			`type = types.lines;`
			`default = ''`
			`protostack=netkey`
			`nat_traversal=yes`
			`virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10`
			`'';`
			`example = ''`
			`secretsfile=/root/ipsec.secrets`
			`protostack=netkey`
			`nat_traversal=yes`
			`virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10`
			`'';`
			`description = "Options to go in the 'config setup' section of the libreswan ipsec configuration";`
			`};`

			`connections = mkOption {`
			`type = types.attrsOf types.lines;`
			`default = {};`
			`example = {`
			`myconnection = ''`
			`auto=add`
			`left=%defaultroute`
			`leftid=@user`

			`right=my.vpn.com`

			`ikev2=no`
			`ikelifetime=8h`
			`'';`
			`};`
			`description = "A set of connections to define for the libreswan ipsec service";`
			`};`
			`};`

			`};`


			`###### implementation`

			`config = mkIf cfg.enable {`

			`environment.systemPackages = [ pkgs.libreswan pkgs.iproute ];`

			`systemd.services.ipsec = {`
			`description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec";`
			`path = [`
			`"${pkgs.libreswan}"`
			`"${pkgs.iproute}"`
			`"${pkgs.procps}"`
			`];`

			`wants = [ "network-online.target" ];`
			`after = [ "network-online.target" ];`
			`wantedBy = [ "multi-user.target" ];`

			`serviceConfig = {`
			`Type = "simple";`
			`Restart = "always";`
libreswan service: make EnvironmentFile optional (#22591) Recent versions of libreswan seem to omit this file, but it may be added/changed in the future. It is silly to have the service fail because a file is missing that only enriches the environment. 2017-02-09 18:53:44 -05:00			`EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto";`
libreswan: add package and service to nixos 2016-02-23 23:06:45 -05:00			`ExecStartPre = [`
			`"${libexec}/addconn --config ${configFile} --checkconfig"`
			`"${libexec}/_stackmanager start"`
			`"${ipsec} --checknss"`
			`"${ipsec} --checknflog"`
			`];`
			`ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS";`
			`ExecStop = "${libexec}/whack --shutdown";`
			`ExecStopPost = [`
			`"${pkgs.iproute}/bin/ip xfrm policy flush"`
			`"${pkgs.iproute}/bin/ip xfrm state flush"`
			`"${ipsec} --stopnflog"`
			`];`
			`ExecReload = "${libexec}/whack --listen";`
			`};`

			`};`

			`};`

			`}`