public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/libreswan: update for version 4.x

Browse Source 
- Use upstream unit files
- Remove deprecated config options
- Add option to disable redirects
- Add option to configure policies
This commit is contained in:
rnhmjoj 2021-05-13 12:37:59 +02:00
parent 90d6e6fe0f
commit 1a4db01c84
No known key found for this signature in database
GPG Key ID: BFBAF4C975F76450
1 changed files with 86 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

141
nixos/modules/services/networking/libreswan.nix
View File

@ -9,21 +9,22 @@ let
libexec = "${pkgs.libreswan}/libexec/ipsec"; libexec = "${pkgs.libreswan}/libexec/ipsec";
ipsec = "${pkgs.libreswan}/sbin/ipsec"; ipsec = "${pkgs.libreswan}/sbin/ipsec";
trim = chars: str: let trim = chars: str:
nonchars = filter (x : !(elem x.value chars)) let
(imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str)); nonchars = filter (x : !(elem x.value chars))
in (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str));
if length nonchars == 0 then "" in
else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str; if length nonchars == 0 then ""
else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str;
indent = str: concatStrings (concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (splitString "\n" str)); indent = str: concatStrings (concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (splitString "\n" str));
configText = indent (toString cfg.configSetup); configText = indent (toString cfg.configSetup);
connectionText = concatStrings (mapAttrsToList (n: v: connectionText = concatStrings (mapAttrsToList (n: v:
'' ''
conn ${n} conn ${n}
${indent v} ${indent v}
'') cfg.connections); '') cfg.connections);
configFile = pkgs.writeText "ipsec.conf"
configFile = pkgs.writeText "ipsec-nixos.conf"
'' ''
config setup config setup
${configText} ${configText}
@ -31,6 +32,11 @@ let
${connectionText} ${connectionText}
''; '';
policyFiles = mapAttrs' (name: text:
{ name = "ipsec.d/policies/${name}";
value.source = pkgs.writeText "ipsec-policy-${name}" text;
}) cfg.policies;
in in
{ {
@ -41,41 +47,71 @@ in
services.libreswan = { services.libreswan = {
enable = mkEnableOption "libreswan ipsec service"; enable = mkEnableOption "Libreswan IPsec service";
configSetup = mkOption { configSetup = mkOption {
type = types.lines; type = types.lines;
default = '' default = ''
protostack=netkey protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
''; '';
example = '' example = ''
secretsfile=/root/ipsec.secrets secretsfile=/root/ipsec.secrets
protostack=netkey protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
''; '';
description = "Options to go in the 'config setup' section of the libreswan ipsec configuration"; description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration";
}; };
connections = mkOption { connections = mkOption {
type = types.attrsOf types.lines; type = types.attrsOf types.lines;
default = {}; default = {};
example = { example = literalExample ''
myconnection = '' { myconnection = '''
auto=add auto=add
left=%defaultroute left=%defaultroute
leftid=@user leftid=@user
right=my.vpn.com right=my.vpn.com
ikev2=no ikev2=no
ikelifetime=8h ikelifetime=8h
''; ''';
}; }
description = "A set of connections to define for the libreswan ipsec service"; '';
description = "A set of connections to define for the Libreswan IPsec service";
}; };
policies = mkOption {
type = types.attrsOf types.lines;
default = {};
example = literalExample ''
{ private-or-clear = '''
# Attempt opportunistic IPsec for the entire Internet
0.0.0.0/0
::/0
''';
}
'';
description = ''
A set of policies to apply to the IPsec connections.
<note><para>
The policy name must match the one of connection it needs to apply to.
</para></note>
'';
};
disableRedirects = mkOption {
type = types.bool;
default = true;
description = ''
Whether to disable send and accept redirects for all nework interfaces.
See the Libreswan <link xlink:href="https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F">
FAQ</link> page for why this is recommended.
'';
};
}; };
}; };
@ -85,43 +121,38 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
# Install package, systemd units, etc.
environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ]; environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ];
systemd.packages = [ pkgs.libreswan ];
systemd.tmpfiles.packages = [ pkgs.libreswan ];
# Install configuration files
environment.etc = {
"ipsec.secrets".source = "${pkgs.libreswan}/etc/ipsec.secrets";
"ipsec.conf".source = "${pkgs.libreswan}/etc/ipsec.conf";
"ipsec.d/01-nixos.conf".source = configFile;
} // policyFiles;
# Create NSS database directory
systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ];
systemd.services.ipsec = { systemd.services.ipsec = {
description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec"; description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec";
path = [
"${pkgs.libreswan}"
"${pkgs.iproute2}"
"${pkgs.procps}"
"${pkgs.nssTools}"
"${pkgs.iptables}"
"${pkgs.nettools}"
];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
restartTriggers = [ configFile ] ++ mapAttrsToList (n: v: v.source) policyFiles;
serviceConfig = { path = with pkgs; [
Type = "simple"; libreswan
Restart = "always"; iproute2
EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto"; procps
ExecStartPre = [ nssTools
"${libexec}/addconn --config ${configFile} --checkconfig" iptables
"${libexec}/_stackmanager start" nettools
"${ipsec} --checknss" ];
"${ipsec} --checknflog" preStart = optionalString cfg.disableRedirects ''
]; # Disable send/receive redirects
ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS"; echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects
ExecStop = "${libexec}/whack --shutdown"; echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects
ExecStopPost = [ '';
"${pkgs.iproute2}/bin/ip xfrm policy flush"
"${pkgs.iproute2}/bin/ip xfrm state flush"
"${ipsec} --stopnflog"
];
ExecReload = "${libexec}/whack --listen";
};
}; };
}; };