Merge pull request #7559 from offlinehacker/openvswitch/ipsec
openvswitch: ipsec support
This commit is contained in:
commit
1113efec5e
@ -307,6 +307,7 @@
|
||||
./services/networking/privoxy.nix
|
||||
./services/networking/prosody.nix
|
||||
./services/networking/quassel.nix
|
||||
./services/networking/racoon.nix
|
||||
./services/networking/radicale.nix
|
||||
./services/networking/radvd.nix
|
||||
./services/networking/rdnssd.nix
|
||||
|
42
nixos/modules/services/networking/racoon.nix
Normal file
42
nixos/modules/services/networking/racoon.nix
Normal file
@ -0,0 +1,42 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
let
|
||||
cfg = config.services.racoon;
|
||||
in {
|
||||
options.services.racoon = {
|
||||
enable = mkEnableOption "Whether to enable racoon.";
|
||||
|
||||
config = mkOption {
|
||||
description = "Contents of racoon configuration file.";
|
||||
default = "";
|
||||
type = types.str;
|
||||
};
|
||||
|
||||
configPath = mkOption {
|
||||
description = "Location of racoon config if config is not provided.";
|
||||
default = "/etc/racoon/racoon.conf";
|
||||
type = types.path;
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
systemd.services.racoon = {
|
||||
description = "Racoon Daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "network.target" ];
|
||||
serviceConfig = {
|
||||
ExecStart = "${pkgs.ipsecTools}/bin/racoon -f ${
|
||||
if (cfg.config != "") then pkgs.writeText "racoon.conf" cfg.config
|
||||
else cfg.configPath
|
||||
}";
|
||||
ExecReload = "${pkgs.ipsecTools}/bin/racoonctl reload-config";
|
||||
PIDFile = "/var/run/racoon.pid";
|
||||
Type = "forking";
|
||||
Restart = "always";
|
||||
};
|
||||
preStart = "rm /var/run/racoon.pid || true";
|
||||
};
|
||||
};
|
||||
}
|
@ -7,35 +7,36 @@ with lib;
|
||||
let
|
||||
cfg = config.virtualisation.vswitch;
|
||||
|
||||
in
|
||||
in {
|
||||
|
||||
{
|
||||
|
||||
options = {
|
||||
|
||||
virtualisation.vswitch.enable = mkOption {
|
||||
options.virtualisation.vswitch = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description =
|
||||
''
|
||||
Enable Open vSwitch. A configuration
|
||||
daemon (ovs-server) will be started.
|
||||
description = ''
|
||||
Whether to enable Open vSwitch. A configuration daemon (ovs-server)
|
||||
will be started.
|
||||
'';
|
||||
};
|
||||
|
||||
|
||||
virtualisation.vswitch.package = mkOption {
|
||||
package = mkOption {
|
||||
type = types.package;
|
||||
default = pkgs.openvswitch;
|
||||
description =
|
||||
''
|
||||
description = ''
|
||||
Open vSwitch package to use.
|
||||
'';
|
||||
'';
|
||||
};
|
||||
|
||||
ipsec = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Whether to start racoon service for openvswitch.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
config = mkIf cfg.enable (let
|
||||
config = mkIf cfg.enable (let
|
||||
|
||||
# Where the communication sockets live
|
||||
runDir = "/var/run/openvswitch";
|
||||
@ -43,7 +44,7 @@ in
|
||||
# Where the config database live (can't be in nix-store)
|
||||
stateDir = "/var/db/openvswitch";
|
||||
|
||||
# The path to the an initialized version of the database
|
||||
# The path to the an initialized version of the database
|
||||
db = pkgs.stdenv.mkDerivation {
|
||||
name = "vswitch.db";
|
||||
unpackPhase = "true";
|
||||
@ -51,15 +52,12 @@ in
|
||||
buildInputs = with pkgs; [
|
||||
cfg.package
|
||||
];
|
||||
installPhase =
|
||||
''
|
||||
ensureDir $out/
|
||||
'';
|
||||
installPhase = "mkdir -p $out";
|
||||
};
|
||||
|
||||
in {
|
||||
in (mkMerge [{
|
||||
|
||||
environment.systemPackages = [ cfg.package ];
|
||||
environment.systemPackages = [ cfg.package pkgs.ipsecTools ];
|
||||
|
||||
boot.kernelModules = [ "tun" "openvswitch" ];
|
||||
|
||||
@ -73,7 +71,7 @@ in
|
||||
path = [ cfg.package ];
|
||||
restartTriggers = [ db cfg.package ];
|
||||
# Create the config database
|
||||
preStart =
|
||||
preStart =
|
||||
''
|
||||
mkdir -p ${runDir}
|
||||
mkdir -p /var/db/openvswitch
|
||||
@ -85,23 +83,27 @@ in
|
||||
fi
|
||||
chmod -R +w /var/db/openvswitch
|
||||
'';
|
||||
serviceConfig.ExecStart =
|
||||
''
|
||||
${cfg.package}/bin/ovsdb-server \
|
||||
--remote=punix:${runDir}/db.sock \
|
||||
--private-key=db:Open_vSwitch,SSL,private_key \
|
||||
--certificate=db:Open_vSwitch,SSL,certificate \
|
||||
--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
|
||||
--unixctl=ovsdb.ctl.sock \
|
||||
/var/db/openvswitch/conf.db
|
||||
'';
|
||||
serviceConfig.Restart = "always";
|
||||
serviceConfig.RestartSec = 3;
|
||||
postStart =
|
||||
''
|
||||
serviceConfig = {
|
||||
ExecStart =
|
||||
''
|
||||
${cfg.package}/bin/ovsdb-server \
|
||||
--remote=punix:${runDir}/db.sock \
|
||||
--private-key=db:Open_vSwitch,SSL,private_key \
|
||||
--certificate=db:Open_vSwitch,SSL,certificate \
|
||||
--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
|
||||
--unixctl=ovsdb.ctl.sock \
|
||||
--pidfile=/var/run/openvswitch/ovsdb.pid \
|
||||
--detach \
|
||||
/var/db/openvswitch/conf.db
|
||||
'';
|
||||
Restart = "always";
|
||||
RestartSec = 3;
|
||||
PIDFile = "/var/run/openvswitch/ovsdb.pid";
|
||||
Type = "forking";
|
||||
};
|
||||
postStart = ''
|
||||
${cfg.package}/bin/ovs-vsctl --timeout 3 --retry --no-wait init
|
||||
'';
|
||||
|
||||
'';
|
||||
};
|
||||
|
||||
systemd.services.vswitchd = {
|
||||
@ -109,9 +111,55 @@ in
|
||||
bindsTo = [ "ovsdb.service" ];
|
||||
after = [ "ovsdb.service" ];
|
||||
path = [ cfg.package ];
|
||||
serviceConfig.ExecStart = ''${cfg.package}/bin/ovs-vswitchd'';
|
||||
serviceConfig = {
|
||||
ExecStart = ''
|
||||
${cfg.package}/bin/ovs-vswitchd \
|
||||
--pidfile=/var/run/openvswitch/ovs-vswitchd.pid \
|
||||
--detach
|
||||
'';
|
||||
PIDFile = "/var/run/openvswitch/ovs-vswitchd.pid";
|
||||
Type = "forking";
|
||||
};
|
||||
};
|
||||
|
||||
});
|
||||
}
|
||||
(mkIf cfg.ipsec {
|
||||
services.racoon.enable = true;
|
||||
services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf";
|
||||
|
||||
networking.firewall.extraCommands = ''
|
||||
iptables -I INPUT -t mangle -p esp -j MARK --set-mark 1/1
|
||||
iptables -I INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1
|
||||
'';
|
||||
|
||||
systemd.services.ovs-monitor-ipsec = {
|
||||
description = "Open_vSwitch Ipsec Daemon";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
requires = [ "racoon.service" ];
|
||||
after = [ "vswitchd.service" ];
|
||||
environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock";
|
||||
serviceConfig = {
|
||||
ExecStart = ''
|
||||
${cfg.package}/bin/ovs-monitor-ipsec \
|
||||
--root-prefix ${runDir}/ipsec \
|
||||
--pidfile /var/run/openvswitch/ovs-monitor-ipsec.pid \
|
||||
--monitor --detach \
|
||||
unix:/var/run/openvswitch/db.sock
|
||||
'';
|
||||
PIDFile = "/var/run/openvswitch/ovs-monitor-ipsec.pid";
|
||||
Type = "forking";
|
||||
};
|
||||
|
||||
preStart = ''
|
||||
rm -r ${runDir}/ipsec/etc/racoon/certs || true
|
||||
mkdir -p ${runDir}/ipsec/{etc/racoon,etc/init.d/,usr/sbin/}
|
||||
ln -fs ${pkgs.ipsecTools}/bin/setkey ${runDir}/ipsec/usr/sbin/setkey
|
||||
ln -fs ${pkgs.writeScript "racoon-restart" ''
|
||||
#!${pkgs.stdenv.shell}
|
||||
/var/run/current-system/sw/bin/systemctl $1 racoon
|
||||
''} ${runDir}/ipsec/etc/init.d/racoon
|
||||
'';
|
||||
};
|
||||
})]));
|
||||
|
||||
}
|
||||
|
@ -1,47 +1,62 @@
|
||||
{ stdenv, fetchurl, openssl, python27, iproute, perl, kernel ? null}:
|
||||
{ stdenv, fetchurl, makeWrapper
|
||||
, openssl, python27, iproute, perl, kernel ? null }:
|
||||
|
||||
with stdenv.lib;
|
||||
|
||||
let
|
||||
|
||||
version = "2.1.2";
|
||||
|
||||
skipKernelMod = kernel == null;
|
||||
|
||||
in
|
||||
stdenv.mkDerivation {
|
||||
version = "2.1.2";
|
||||
_kernel = kernel;
|
||||
in stdenv.mkDerivation rec {
|
||||
version = "2.3.1";
|
||||
name = "openvswitch-${version}";
|
||||
|
||||
src = fetchurl {
|
||||
url = "http://openvswitch.org/releases/openvswitch-2.1.2.tar.gz";
|
||||
sha256 = "16q7faqrj2pfchhn0x5s9ggi5ckcg9n62f6bnqaih064aaq2jm47";
|
||||
url = "http://openvswitch.org/releases/${name}.tar.gz";
|
||||
sha256 = "1lmwyhm5wmdv1l4v1v5xd36d5ra21jz9ix57nh1lgm8iqc0lj5r1";
|
||||
};
|
||||
kernel = if skipKernelMod then null else kernel.dev;
|
||||
buildInputs = [
|
||||
openssl
|
||||
python27
|
||||
perl
|
||||
];
|
||||
|
||||
kernel = optional (_kernel != null) _kernel.dev;
|
||||
|
||||
buildInputs = [ makeWrapper openssl python27 perl ];
|
||||
|
||||
configureFlags = [
|
||||
"--localstatedir=/var"
|
||||
"--sharedstatedir=/var"
|
||||
"--sbindir=$(out)/bin"
|
||||
] ++ (if skipKernelMod then [] else ["--with-linux"]);
|
||||
] ++ (optionals (_kernel != null) ["--with-linux"]);
|
||||
|
||||
# Leave /var out of this!
|
||||
installFlags = [
|
||||
"LOGDIR=$(TMPDIR)/dummy"
|
||||
"RUNDIR=$(TMPDIR)/dummy"
|
||||
"PKIDIR=$(TMPDIR)/dummy"
|
||||
];
|
||||
|
||||
postInstall = ''
|
||||
cp debian/ovs-monitor-ipsec $out/share/openvswitch/scripts
|
||||
makeWrapper \
|
||||
$out/share/openvswitch/scripts/ovs-monitor-ipsec \
|
||||
$out/bin/ovs-monitor-ipsec \
|
||||
--prefix PYTHONPATH : "$out/share/openvswitch/python"
|
||||
substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
|
||||
--replace "UnixctlServer.create(None)" "UnixctlServer.create(os.environ['UNIXCTLPATH'])"
|
||||
substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
|
||||
--replace "self.psk_file" "root_prefix + self.psk_file"
|
||||
substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
|
||||
--replace "self.cert_dir" "root_prefix + self.cert_dir"
|
||||
'';
|
||||
|
||||
meta = {
|
||||
platforms = stdenv.lib.platforms.linux;
|
||||
platforms = platforms.linux;
|
||||
description = "A multilayer virtual switch";
|
||||
longDescription =
|
||||
longDescription =
|
||||
''
|
||||
Open vSwitch is a production quality, multilayer virtual switch
|
||||
licensed under the open source Apache 2.0 license. It is
|
||||
designed to enable massive network automation through
|
||||
programmatic extension, while still supporting standard
|
||||
management interfaces and protocols (e.g. NetFlow, sFlow, SPAN,
|
||||
RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to
|
||||
support distribution across multiple physical servers similar
|
||||
Open vSwitch is a production quality, multilayer virtual switch
|
||||
licensed under the open source Apache 2.0 license. It is
|
||||
designed to enable massive network automation through
|
||||
programmatic extension, while still supporting standard
|
||||
management interfaces and protocols (e.g. NetFlow, sFlow, SPAN,
|
||||
RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to
|
||||
support distribution across multiple physical servers similar
|
||||
to VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
|
||||
'';
|
||||
homepage = "http://openvswitch.org/";
|
||||
|
Loading…
Reference in New Issue
Block a user