public
/
nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Various cleanups in the OpenVPN module. The option 

‘services.openvpn.enable’ is now obsolete; specifying instances in
  ‘services.openvpn.servers’ is enough.

svn path=/nixos/trunk/; revision=32441
This commit is contained in:
Eelco Dolstra 2012-02-20 20:10:07 +00:00
parent 84bff53ca7
commit b2910df04e
2 changed files with 105 additions and 104 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
modules/services/networking/dhcpcd.nix
View File

@ -32,7 +32,7 @@ let
# Ignore peth* devices; on Xen, they're renamed physical # Ignore peth* devices; on Xen, they're renamed physical
# Ethernet cards used for bridging. Likewise for vif* and tap* # Ethernet cards used for bridging. Likewise for vif* and tap*
# (Xen) and virbr* and vnet* (libvirt). # (Xen) and virbr* and vnet* (libvirt).
denyinterfaces ${toString ignoredInterfaces} peth* vif* tap* virbr* vnet* denyinterfaces ${toString ignoredInterfaces} peth* vif* tap* tun* virbr* vnet*
''; '';
# Hook for emitting ip-up/ip-down events. # Hook for emitting ip-up/ip-down events.

189
modules/services/networking/openvpn.nix
View File

@ -8,70 +8,54 @@ let
inherit (pkgs) openvpn; inherit (pkgs) openvpn;
PATH = "${pkgs.iptables}/sbin:${pkgs.coreutils}/bin:${pkgs.iproute}/sbin:${pkgs.nettools}/sbin"; makeOpenVPNJob = cfg: name:
makeOpenVPNJob = cfg : name:
let let
path = (getAttr "openvpn-${name}" config.jobs).path;
upScript = '' upScript = ''
#!/bin/sh #! /bin/sh
exec &> /var/log/openvpn-${name}-up exec > /var/log/openvpn-${name}-up 2>&1
PATH=${PATH} export PATH=${path}
# For convenience in client scripts, extract the remote domain
# name and name server.
for var in ''${!foreign_option_*}; do
x=(''${!var})
if [ "''${x[0]}" = dhcp-option ]; then
if [ "''${x[1]}" = DOMAIN ]; then domain="''${x[2]}"
elif [ "''${x[1]}" = DNS ]; then nameserver="''${x[2]}"
fi
fi
done
${cfg.up} ${cfg.up}
''; '';
downScript = '' downScript = ''
#!/bin/sh #! /bin/sh
exec &> /var/log/openvpn-${name}-down exec > /var/log/openvpn-${name}-down 2>&1
PATH=${PATH} export PATH=${path}
${cfg.down} ${cfg.down}
''; '';
configFile = pkgs.writeText "openvpn-config-${name}" configFile = pkgs.writeText "openvpn-config-${name}"
'' ''
${if cfg.up != "" || cfg.down != "" then "script-security 2" else ""} ${optionalString (cfg.up != "" || cfg.down != "") "script-security 2"}
${cfg.config} ${cfg.config}
${if cfg.up != "" then "up ${pkgs.writeScript "openvpn-${name}-up" upScript}" else "" } ${optionalString (cfg.up != "") "up ${pkgs.writeScript "openvpn-${name}-up" upScript}"}
${if cfg.down != "" then "down ${pkgs.writeScript "openvpn-${name}-down" downScript}" else "" } ${optionalString (cfg.down != "") "down ${pkgs.writeScript "openvpn-${name}-down" downScript}"}
''; '';
in { in {
description = "OpenVPN-${name}"; description = "OpenVPN instance ${name}";
startOn = "started network-interfaces"; startOn = "started network-interfaces";
stopOn = "stopping network-interfaces"; stopOn = "stopping network-interfaces";
environment = { PATH = "${pkgs.coreutils}/bin"; }; path = [ pkgs.iptables pkgs.iproute pkgs.nettools ];
script =
''
exec &> /var/log/openvpn-${name}
${config.system.sbin.modprobe} tun || true
${openvpn}/sbin/openvpn --config ${configFile}
'';
};
openvpnInstanceOptions = {
config = mkOption {
type = types.string;
description = ''
config of this openvpn instance
'';
};
up = mkOption {
default = "";
type = types.string;
description = ''
script which is run when server instance starts up succesfully.
Use it to setup firewall and routing
'';
};
down = mkOption {
default = "";
type = types.string;
description = ''
script which is run when server instance shuts down
Usually this reverts what up has done
'';
};
exec = "${openvpn}/sbin/openvpn --config ${configFile}";
}; };
in in
@ -82,69 +66,84 @@ in
options = { options = {
services.openvpn = { /* !!! Obsolete. */
services.openvpn.enable = mkOption {
enable = mkOption { default = true;
default = false;
description = "Whether to enable OpenVPN."; description = "Whether to enable OpenVPN.";
}; };
services.openvpn.servers = mkOption {
servers = mkOption {
default = {}; default = {};
example = { example = {
mostSimple = {
server = {
config = '' config = ''
# Most simple configuration: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html. # Simplest server configuration: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html.
# server : # server :
dev tun dev tun
ifconfig 10.8.0.1 10.8.0.2 ifconfig 10.8.0.1 10.8.0.2
secret static.key secret /root/static.key
''; '';
up = "ip route add ..!"; up = "ip route add ...";
down = "ip route add ..!"; down = "ip route del ...";
}; };
clientMostSimple = {
config = '' client = {
#client: config = ''
#remote myremote.mydomain client
#dev tun remote vpn.example.org
#ifconfig 10.8.0.2 10.8.0.1 dev tun
#secret static.key proto tcp-client
''; port 8080
}; ca /root/.vpn/ca.crt
serverScalable = { cert /root/.vpn/alice.crt
config = '' key /root/.vpn/alice.key
multiple clienst '';
see example file found in http://openvpn.net/index.php/documentation/howto.html up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
''; down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";
}; };
}; };
# !!! clean up this description please
description = '' description = ''
You can define multiple openvpn instances. Each attribute of this option defines an Upstart job to run an
OpenVPN instance. These can be OpenVPN servers or clients.
The id of an instance is given by the attribute name. The name of each Upstart job is
<literal>openvpn-</literal><replaceable>name</replaceable>,
Each instance will result in a new job file. where <replaceable>name</replaceable> is the corresponding
attribute name.
Additionally you can specify the up/ down scripts by setting
the up down properties.
Config lines up=/nix/store/xxx-up-script down=...
will be appended to your configuration file automatically
If you define at least one of up/down "script-security 2" will be
prepended to your config otherwise you scripts aren't run by openvpn
Don't forget to check that the all package sizes can be sent. For
examlpe if scp hangs you should set --fragment XXX --mssfix YYY.
''; '';
type = types.attrsOf types.optionSet; type = types.attrsOf types.optionSet;
options = [ openvpnInstanceOptions ];
options = {
config = mkOption {
type = types.string;
description = ''
Configuration of this OpenVPN instance. See
<citerefentry><refentrytitle>openvpn</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for details.
'';
};
up = mkOption {
default = "";
type = types.string;
description = ''
Shell commands executed when the instance is starting.
'';
};
down = mkOption {
default = "";
type = types.string;
description = ''
Shell commands executed when the instance is shutting down.
'';
};
}; };
}; };
@ -154,12 +153,14 @@ in
###### implementation ###### implementation
config = mkIf cfg.enable { config = mkIf (cfg.servers != {}) {
jobs = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers); jobs = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers);
environment.systemPackages = [ openvpn ]; environment.systemPackages = [ openvpn ];
boot.kernelModules = [ "tun" ];
}; };
} }