From 1a4db01c84b5c052e2fb6992c684369cc4bf3d04 Mon Sep 17 00:00:00 2001 From: rnhmjoj Date: Thu, 13 May 2021 12:37:59 +0200 Subject: [PATCH] nixos/libreswan: update for version 4.x - Use upstream unit files - Remove deprecated config options - Add option to disable redirects - Add option to configure policies --- .../modules/services/networking/libreswan.nix | 141 +++++++++++------- 1 file changed, 86 insertions(+), 55 deletions(-) diff --git a/nixos/modules/services/networking/libreswan.nix b/nixos/modules/services/networking/libreswan.nix index 81bc4e1cf95..1f0423ac3d8 100644 --- a/nixos/modules/services/networking/libreswan.nix +++ b/nixos/modules/services/networking/libreswan.nix @@ -9,21 +9,22 @@ let libexec = "${pkgs.libreswan}/libexec/ipsec"; ipsec = "${pkgs.libreswan}/sbin/ipsec"; - trim = chars: str: let - nonchars = filter (x : !(elem x.value chars)) - (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str)); - in - if length nonchars == 0 then "" - else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str; + trim = chars: str: + let + nonchars = filter (x : !(elem x.value chars)) + (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str)); + in + if length nonchars == 0 then "" + else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str; indent = str: concatStrings (concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (splitString "\n" str)); configText = indent (toString cfg.configSetup); connectionText = concatStrings (mapAttrsToList (n: v: '' conn ${n} ${indent v} - '') cfg.connections); - configFile = pkgs.writeText "ipsec.conf" + + configFile = pkgs.writeText "ipsec-nixos.conf" '' config setup ${configText} @@ -31,6 +32,11 @@ let ${connectionText} ''; + policyFiles = mapAttrs' (name: text: + { name = "ipsec.d/policies/${name}"; + value.source = pkgs.writeText "ipsec-policy-${name}" text; + }) cfg.policies; + in { @@ -41,41 +47,71 @@ in services.libreswan = { - enable = mkEnableOption "libreswan ipsec service"; + enable = mkEnableOption "Libreswan IPsec service"; configSetup = mkOption { type = types.lines; default = '' protostack=netkey - nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 ''; example = '' secretsfile=/root/ipsec.secrets protostack=netkey - nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 ''; - description = "Options to go in the 'config setup' section of the libreswan ipsec configuration"; + description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration"; }; connections = mkOption { type = types.attrsOf types.lines; default = {}; - example = { - myconnection = '' - auto=add - left=%defaultroute - leftid=@user + example = literalExample '' + { myconnection = ''' + auto=add + left=%defaultroute + leftid=@user - right=my.vpn.com + right=my.vpn.com - ikev2=no - ikelifetime=8h - ''; - }; - description = "A set of connections to define for the libreswan ipsec service"; + ikev2=no + ikelifetime=8h + '''; + } + ''; + description = "A set of connections to define for the Libreswan IPsec service"; }; + + policies = mkOption { + type = types.attrsOf types.lines; + default = {}; + example = literalExample '' + { private-or-clear = ''' + # Attempt opportunistic IPsec for the entire Internet + 0.0.0.0/0 + ::/0 + '''; + } + ''; + description = '' + A set of policies to apply to the IPsec connections. + + + The policy name must match the one of connection it needs to apply to. + + ''; + }; + + disableRedirects = mkOption { + type = types.bool; + default = true; + description = '' + Whether to disable send and accept redirects for all nework interfaces. + See the Libreswan + FAQ page for why this is recommended. + ''; + }; + }; }; @@ -85,43 +121,38 @@ in config = mkIf cfg.enable { + # Install package, systemd units, etc. environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ]; + systemd.packages = [ pkgs.libreswan ]; + systemd.tmpfiles.packages = [ pkgs.libreswan ]; + + # Install configuration files + environment.etc = { + "ipsec.secrets".source = "${pkgs.libreswan}/etc/ipsec.secrets"; + "ipsec.conf".source = "${pkgs.libreswan}/etc/ipsec.conf"; + "ipsec.d/01-nixos.conf".source = configFile; + } // policyFiles; + + # Create NSS database directory + systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ]; systemd.services.ipsec = { description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec"; - path = [ - "${pkgs.libreswan}" - "${pkgs.iproute2}" - "${pkgs.procps}" - "${pkgs.nssTools}" - "${pkgs.iptables}" - "${pkgs.nettools}" - ]; - - wants = [ "network-online.target" ]; - after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - Type = "simple"; - Restart = "always"; - EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto"; - ExecStartPre = [ - "${libexec}/addconn --config ${configFile} --checkconfig" - "${libexec}/_stackmanager start" - "${ipsec} --checknss" - "${ipsec} --checknflog" - ]; - ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS"; - ExecStop = "${libexec}/whack --shutdown"; - ExecStopPost = [ - "${pkgs.iproute2}/bin/ip xfrm policy flush" - "${pkgs.iproute2}/bin/ip xfrm state flush" - "${ipsec} --stopnflog" - ]; - ExecReload = "${libexec}/whack --listen"; - }; - + restartTriggers = [ configFile ] ++ mapAttrsToList (n: v: v.source) policyFiles; + path = with pkgs; [ + libreswan + iproute2 + procps + nssTools + iptables + nettools + ]; + preStart = optionalString cfg.disableRedirects '' + # Disable send/receive redirects + echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects + echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects + ''; }; };