diff --git a/nixos/modules/services/networking/libreswan.nix b/nixos/modules/services/networking/libreswan.nix
index 81bc4e1cf95..1f0423ac3d8 100644
--- a/nixos/modules/services/networking/libreswan.nix
+++ b/nixos/modules/services/networking/libreswan.nix
@@ -9,21 +9,22 @@ let
libexec = "${pkgs.libreswan}/libexec/ipsec";
ipsec = "${pkgs.libreswan}/sbin/ipsec";
- trim = chars: str: let
- nonchars = filter (x : !(elem x.value chars))
- (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str));
- in
- if length nonchars == 0 then ""
- else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str;
+ trim = chars: str:
+ let
+ nonchars = filter (x : !(elem x.value chars))
+ (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str));
+ in
+ if length nonchars == 0 then ""
+ else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str;
indent = str: concatStrings (concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (splitString "\n" str));
configText = indent (toString cfg.configSetup);
connectionText = concatStrings (mapAttrsToList (n: v:
''
conn ${n}
${indent v}
-
'') cfg.connections);
- configFile = pkgs.writeText "ipsec.conf"
+
+ configFile = pkgs.writeText "ipsec-nixos.conf"
''
config setup
${configText}
@@ -31,6 +32,11 @@ let
${connectionText}
'';
+ policyFiles = mapAttrs' (name: text:
+ { name = "ipsec.d/policies/${name}";
+ value.source = pkgs.writeText "ipsec-policy-${name}" text;
+ }) cfg.policies;
+
in
{
@@ -41,41 +47,71 @@ in
services.libreswan = {
- enable = mkEnableOption "libreswan ipsec service";
+ enable = mkEnableOption "Libreswan IPsec service";
configSetup = mkOption {
type = types.lines;
default = ''
protostack=netkey
- nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
'';
example = ''
secretsfile=/root/ipsec.secrets
protostack=netkey
- nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
'';
- description = "Options to go in the 'config setup' section of the libreswan ipsec configuration";
+ description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration";
};
connections = mkOption {
type = types.attrsOf types.lines;
default = {};
- example = {
- myconnection = ''
- auto=add
- left=%defaultroute
- leftid=@user
+ example = literalExample ''
+ { myconnection = '''
+ auto=add
+ left=%defaultroute
+ leftid=@user
- right=my.vpn.com
+ right=my.vpn.com
- ikev2=no
- ikelifetime=8h
- '';
- };
- description = "A set of connections to define for the libreswan ipsec service";
+ ikev2=no
+ ikelifetime=8h
+ ''';
+ }
+ '';
+ description = "A set of connections to define for the Libreswan IPsec service";
};
+
+ policies = mkOption {
+ type = types.attrsOf types.lines;
+ default = {};
+ example = literalExample ''
+ { private-or-clear = '''
+ # Attempt opportunistic IPsec for the entire Internet
+ 0.0.0.0/0
+ ::/0
+ ''';
+ }
+ '';
+ description = ''
+ A set of policies to apply to the IPsec connections.
+
+
+ The policy name must match the one of connection it needs to apply to.
+
+ '';
+ };
+
+ disableRedirects = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether to disable send and accept redirects for all nework interfaces.
+ See the Libreswan
+ FAQ page for why this is recommended.
+ '';
+ };
+
};
};
@@ -85,43 +121,38 @@ in
config = mkIf cfg.enable {
+ # Install package, systemd units, etc.
environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ];
+ systemd.packages = [ pkgs.libreswan ];
+ systemd.tmpfiles.packages = [ pkgs.libreswan ];
+
+ # Install configuration files
+ environment.etc = {
+ "ipsec.secrets".source = "${pkgs.libreswan}/etc/ipsec.secrets";
+ "ipsec.conf".source = "${pkgs.libreswan}/etc/ipsec.conf";
+ "ipsec.d/01-nixos.conf".source = configFile;
+ } // policyFiles;
+
+ # Create NSS database directory
+ systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ];
systemd.services.ipsec = {
description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec";
- path = [
- "${pkgs.libreswan}"
- "${pkgs.iproute2}"
- "${pkgs.procps}"
- "${pkgs.nssTools}"
- "${pkgs.iptables}"
- "${pkgs.nettools}"
- ];
-
- wants = [ "network-online.target" ];
- after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
-
- serviceConfig = {
- Type = "simple";
- Restart = "always";
- EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto";
- ExecStartPre = [
- "${libexec}/addconn --config ${configFile} --checkconfig"
- "${libexec}/_stackmanager start"
- "${ipsec} --checknss"
- "${ipsec} --checknflog"
- ];
- ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS";
- ExecStop = "${libexec}/whack --shutdown";
- ExecStopPost = [
- "${pkgs.iproute2}/bin/ip xfrm policy flush"
- "${pkgs.iproute2}/bin/ip xfrm state flush"
- "${ipsec} --stopnflog"
- ];
- ExecReload = "${libexec}/whack --listen";
- };
-
+ restartTriggers = [ configFile ] ++ mapAttrsToList (n: v: v.source) policyFiles;
+ path = with pkgs; [
+ libreswan
+ iproute2
+ procps
+ nssTools
+ iptables
+ nettools
+ ];
+ preStart = optionalString cfg.disableRedirects ''
+ # Disable send/receive redirects
+ echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects
+ echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects
+ '';
};
};