public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

* Various cleanups in the OpenVPN module. The option

Browse Source 
‘services.openvpn.enable’ is now obsolete; specifying instances in
  ‘services.openvpn.servers’ is enough.

svn path=/nixos/trunk/; revision=32441
This commit is contained in:
Eelco Dolstra 2012-02-20 20:10:07 +00:00
parent 84bff53ca7
commit b2910df04e
2 changed files with 105 additions and 104 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
modules/services/networking/dhcpcd.nix
View File

@ -32,7 +32,7 @@ let
# Ignore peth* devices; on Xen, they're renamed physical # Ignore peth* devices; on Xen, they're renamed physical
# Ethernet cards used for bridging. Likewise for vif* and tap* # Ethernet cards used for bridging. Likewise for vif* and tap*
# (Xen) and virbr* and vnet* (libvirt). # (Xen) and virbr* and vnet* (libvirt).
denyinterfaces ${toString ignoredInterfaces} peth* vif* tap* virbr* vnet* denyinterfaces ${toString ignoredInterfaces} peth* vif* tap* tun* virbr* vnet*
''; '';
# Hook for emitting ip-up/ip-down events. # Hook for emitting ip-up/ip-down events.

201
modules/services/networking/openvpn.nix
View File

@ -8,72 +8,56 @@ let
inherit (pkgs) openvpn; inherit (pkgs) openvpn;
PATH = "${pkgs.iptables}/sbin:${pkgs.coreutils}/bin:${pkgs.iproute}/sbin:${pkgs.nettools}/sbin"; makeOpenVPNJob = cfg: name:
makeOpenVPNJob = cfg : name:
let let
path = (getAttr "openvpn-${name}" config.jobs).path;
upScript = '' upScript = ''
#!/bin/sh #! /bin/sh
exec &> /var/log/openvpn-${name}-up exec > /var/log/openvpn-${name}-up 2>&1
PATH=${PATH} export PATH=${path}
# For convenience in client scripts, extract the remote domain
# name and name server.
for var in ''${!foreign_option_*}; do
x=(''${!var})
if [ "''${x[0]}" = dhcp-option ]; then
if [ "''${x[1]}" = DOMAIN ]; then domain="''${x[2]}"
elif [ "''${x[1]}" = DNS ]; then nameserver="''${x[2]}"
fi
fi
done
${cfg.up} ${cfg.up}
''; '';
downScript = '' downScript = ''
#!/bin/sh #! /bin/sh
exec &> /var/log/openvpn-${name}-down exec > /var/log/openvpn-${name}-down 2>&1
PATH=${PATH} export PATH=${path}
${cfg.down} ${cfg.down}
''; '';
configFile = pkgs.writeText "openvpn-config-${name}" configFile = pkgs.writeText "openvpn-config-${name}"
'' ''
${if cfg.up != "" || cfg.down != "" then "script-security 2" else ""} ${optionalString (cfg.up != "" || cfg.down != "") "script-security 2"}
${cfg.config} ${cfg.config}
${if cfg.up != "" then "up ${pkgs.writeScript "openvpn-${name}-up" upScript}" else "" } ${optionalString (cfg.up != "") "up ${pkgs.writeScript "openvpn-${name}-up" upScript}"}
${if cfg.down != "" then "down ${pkgs.writeScript "openvpn-${name}-down" downScript}" else "" } ${optionalString (cfg.down != "") "down ${pkgs.writeScript "openvpn-${name}-down" downScript}"}
''; '';
in { in {
description = "OpenVPN-${name}"; description = "OpenVPN instance ${name}";
startOn = "started network-interfaces"; startOn = "started network-interfaces";
stopOn = "stopping network-interfaces"; stopOn = "stopping network-interfaces";
environment = { PATH = "${pkgs.coreutils}/bin"; }; path = [ pkgs.iptables pkgs.iproute pkgs.nettools ];
script = exec = "${openvpn}/sbin/openvpn --config ${configFile}";
''
exec &> /var/log/openvpn-${name}
${config.system.sbin.modprobe} tun || true
${openvpn}/sbin/openvpn --config ${configFile}
'';
}; };
openvpnInstanceOptions = {
config = mkOption {
type = types.string;
description = ''
config of this openvpn instance
'';
};
up = mkOption {
default = "";
type = types.string;
description = ''
script which is run when server instance starts up succesfully.
Use it to setup firewall and routing
'';
};
down = mkOption {
default = "";
type = types.string;
description = ''
script which is run when server instance shuts down
Usually this reverts what up has done
'';
};
};
in in
{ {
@ -82,69 +66,84 @@ in
options = { options = {
services.openvpn = { /* !!! Obsolete. */
services.openvpn.enable = mkOption {
default = true;
description = "Whether to enable OpenVPN.";
};
enable = mkOption { services.openvpn.servers = mkOption {
default = false; default = {};
description = "Whether to enable OpenVPN.";
};
example = {
servers = mkOption { server = {
config = ''
default = {}; # Simplest server configuration: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html.
# server :
example = { dev tun
mostSimple = { ifconfig 10.8.0.1 10.8.0.2
config = '' secret /root/static.key
# Most simple configuration: http://openvpn.net/index.php/documentation/miscellaneous/static-key-mini-howto.html. '';
# server : up = "ip route add ...";
dev tun down = "ip route del ...";
ifconfig 10.8.0.1 10.8.0.2
secret static.key
'';
up = "ip route add ..!";
down = "ip route add ..!";
};
clientMostSimple = {
config = ''
#client:
#remote myremote.mydomain
#dev tun
#ifconfig 10.8.0.2 10.8.0.1
#secret static.key
'';
};
serverScalable = {
config = ''
multiple clienst
see example file found in http://openvpn.net/index.php/documentation/howto.html
'';
};
}; };
# !!! clean up this description please client = {
description = '' config = ''
You can define multiple openvpn instances. client
remote vpn.example.org
dev tun
proto tcp-client
port 8080
ca /root/.vpn/ca.crt
cert /root/.vpn/alice.crt
key /root/.vpn/alice.key
'';
up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";
};
The id of an instance is given by the attribute name. };
Each instance will result in a new job file. description = ''
Each attribute of this option defines an Upstart job to run an
OpenVPN instance. These can be OpenVPN servers or clients.
The name of each Upstart job is
<literal>openvpn-</literal><replaceable>name</replaceable>,
where <replaceable>name</replaceable> is the corresponding
attribute name.
'';
Additionally you can specify the up/ down scripts by setting type = types.attrsOf types.optionSet;
the up down properties.
Config lines up=/nix/store/xxx-up-script down=...
will be appended to your configuration file automatically
If you define at least one of up/down "script-security 2" will be options = {
prepended to your config otherwise you scripts aren't run by openvpn
Don't forget to check that the all package sizes can be sent. For config = mkOption {
examlpe if scp hangs you should set --fragment XXX --mssfix YYY. type = types.string;
''; description = ''
Configuration of this OpenVPN instance. See
<citerefentry><refentrytitle>openvpn</refentrytitle><manvolnum>8</manvolnum></citerefentry>
for details.
'';
};
up = mkOption {
default = "";
type = types.string;
description = ''
Shell commands executed when the instance is starting.
'';
};
down = mkOption {
default = "";
type = types.string;
description = ''
Shell commands executed when the instance is shutting down.
'';
};
type = types.attrsOf types.optionSet;
options = [ openvpnInstanceOptions ];
}; };
}; };
@ -154,12 +153,14 @@ in
###### implementation ###### implementation
config = mkIf cfg.enable { config = mkIf (cfg.servers != {}) {
jobs = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers); jobs = listToAttrs (mapAttrsFlatten (name: value: nameValuePair "openvpn-${name}" (makeOpenVPNJob value name)) cfg.servers);
environment.systemPackages = [ openvpn ]; environment.systemPackages = [ openvpn ];
boot.kernelModules = [ "tun" ];
}; };
} }