diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 7de7d70db250..2870a259adb1 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -307,6 +307,7 @@
 ./services/networking/privoxy.nix
 ./services/networking/prosody.nix
 ./services/networking/quassel.nix
+ ./services/networking/racoon.nix
 ./services/networking/radicale.nix
 ./services/networking/radvd.nix
 ./services/networking/rdnssd.nix
diff --git a/nixos/modules/services/networking/racoon.nix b/nixos/modules/services/networking/racoon.nix
new file mode 100644
index 000000000000..00986bbbd849
--- /dev/null
+++ b/nixos/modules/services/networking/racoon.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ cfg = config.services.racoon;
+in {
+ options.services.racoon = {
+ enable = mkEnableOption "Whether to enable racoon.";
+
+ config = mkOption {
+ description = "Contents of racoon configuration file.";
+ default = "";
+ type = types.str;
+ };
+
+ configPath = mkOption {
+ description = "Location of racoon config if config is not provided.";
+ default = "/etc/racoon/racoon.conf";
+ type = types.path;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ systemd.services.racoon = {
+ description = "Racoon Daemon";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ ExecStart = "${pkgs.ipsecTools}/bin/racoon -f ${
+ if (cfg.config != "") then pkgs.writeText "racoon.conf" cfg.config
+ else cfg.configPath
+ }";
+ ExecReload = "${pkgs.ipsecTools}/bin/racoonctl reload-config";
+ PIDFile = "/var/run/racoon.pid";
+ Type = "forking";
+ Restart = "always";
+ };
+ preStart = "rm /var/run/racoon.pid || true";
+ };
+ };
+}
diff --git a/nixos/modules/virtualisation/openvswitch.nix b/nixos/modules/virtualisation/openvswitch.nix
index c1579d94657c..69ca13a71479 100644
--- a/nixos/modules/virtualisation/openvswitch.nix
+++ b/nixos/modules/virtualisation/openvswitch.nix
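Review bot: In racoon.nix, `mkEnableOption "Whether to enable racoon."` produces a doubled description, because `mkEnableOption` already prepends "Whether to enable "; it should read `enable = mkEnableOption "racoon";`. The `config` option is materialised with `pkgs.writeText`, so whatever is put in it ends up in the world-readable Nix store; the option description should say so, e.g. `description = "Contents of racoon configuration file. It is written to the Nix store, so it must not contain secrets such as pre-shared keys; reference key files from it instead.";`. The `preStart = "rm /var/run/racoon.pid || true"` line can be `preStart = "rm -f /var/run/racoon.pid";`, which removes a stale pidfile without masking every other failure of the command behind `|| true`.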
@@ -7,35 +7,36 @@ with lib; let cfg = config.virtualisation.vswitch; -in +in { -{ - - options = { - - virtualisation.vswitch.enable = mkOption { + options.virtualisation.vswitch = { + enable = mkOption { type = types.bool; default = false; - description = - '' - Enable Open vSwitch. A configuration - daemon (ovs-server) will be started. + description = '' + Whether to enable Open vSwitch. A configuration daemon (ovs-server) + will be started. ''; }; - - virtualisation.vswitch.package = mkOption { + package = mkOption { type = types.package; default = pkgs.openvswitch; - description = - '' + description = '' Open vSwitch package to use. - ''; + ''; }; + ipsec = mkOption { + type = types.bool; + default = false; + description = '' + Whether to start racoon service for openvswitch. + ''; + }; }; - config = mkIf cfg.enable (let + config = mkIf cfg.enable (let # Where the communication sockets live runDir = "/var/run/openvswitch"; @@ -43,7 +44,7 @@ in # Where the config database live (can't be in nix-store) stateDir = "/var/db/openvswitch"; - # The path to the an initialized version of the database + # The path to the an initialized version of the database db = pkgs.stdenv.mkDerivation { name = "vswitch.db"; unpackPhase = "true"; @@ -51,15 +52,12 @@ in buildInputs = with pkgs; [ cfg.package ]; - installPhase = - '' - ensureDir $out/ - ''; + installPhase = "mkdir -p $out"; }; - in { + in (mkMerge [{ - environment.systemPackages = [ cfg.package ]; + environment.systemPackages = [ cfg.package pkgs.ipsecTools ]; boot.kernelModules = [ "tun" "openvswitch" ]; @@ -73,7 +71,7 @@ in path = [ cfg.package ]; restartTriggers = [ db cfg.package ]; # Create the config database - preStart = + preStart = '' mkdir -p ${runDir} mkdir -p /var/db/openvswitch 
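Review bot: In the hunk at `@@ -51,15 +52,12 @@`, `environment.systemPackages = [ cfg.package pkgs.ipsecTools ];` installs the IPsec tools into the system profile whenever the vswitch is enabled, even though the new `ipsec` option in the first hunk is meant to gate the racoon integration; `environment.systemPackages = [ cfg.package ] ++ optional cfg.ipsec pkgs.ipsecTools;` keeps the package set tied to the option. The `mkMerge [{ ... }` list opened here is closed in a later hunk, and the enclosing `config = mkIf cfg.enable (let ...` expression also continues outside this hunk.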
@@ -85,23 +83,27 @@ in fi chmod -R +w /var/db/openvswitch ''; - serviceConfig.ExecStart = - '' - ${cfg.package}/bin/ovsdb-server \ - --remote=punix:${runDir}/db.sock \ - --private-key=db:Open_vSwitch,SSL,private_key \ - --certificate=db:Open_vSwitch,SSL,certificate \ - --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \ - --unixctl=ovsdb.ctl.sock \ - /var/db/openvswitch/conf.db - ''; - serviceConfig.Restart = "always"; - serviceConfig.RestartSec = 3; - postStart = - '' + serviceConfig = { + ExecStart = + '' + ${cfg.package}/bin/ovsdb-server \ + --remote=punix:${runDir}/db.sock \ + --private-key=db:Open_vSwitch,SSL,private_key \ + --certificate=db:Open_vSwitch,SSL,certificate \ + --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \ + --unixctl=ovsdb.ctl.sock \ + --pidfile=/var/run/openvswitch/ovsdb.pid \ + --detach \ + /var/db/openvswitch/conf.db + ''; + Restart = "always"; + RestartSec = 3; + PIDFile = "/var/run/openvswitch/ovsdb.pid"; + Type = "forking"; + }; + postStart = '' ${cfg.package}/bin/ovs-vsctl --timeout 3 --retry --no-wait init - ''; - + ''; }; systemd.services.vswitchd = { 
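Review bot: The new `--pidfile=/var/run/openvswitch/ovsdb.pid` argument and `PIDFile = "/var/run/openvswitch/ovsdb.pid";` spell out the run directory by hand although the enclosing `let` binds `runDir = "/var/run/openvswitch"` and the adjacent `--remote=punix:${runDir}/db.sock` already uses it; writing `--pidfile=${runDir}/ovsdb.pid \` and `PIDFile = "${runDir}/ovsdb.pid";` keeps the two paths from drifting apart if the directory is ever changed. The same applies to the vswitchd and ovs-monitor-ipsec pidfiles added in the next hunk. The `systemd.services.ovsdb` definition this hunk edits starts before the hunk.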
@@ -109,9 +111,55 @@ in bindsTo = [ "ovsdb.service" ]; after = [ "ovsdb.service" ]; path = [ cfg.package ]; - serviceConfig.ExecStart = ''${cfg.package}/bin/ovs-vswitchd''; + serviceConfig = { + ExecStart = '' + ${cfg.package}/bin/ovs-vswitchd \ + --pidfile=/var/run/openvswitch/ovs-vswitchd.pid \ + --detach + ''; + PIDFile = "/var/run/openvswitch/ovs-vswitchd.pid"; + Type = "forking"; + }; }; - }); + } + (mkIf cfg.ipsec { + services.racoon.enable = true; + services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf"; + + networking.firewall.extraCommands = '' + iptables -I INPUT -t mangle -p esp -j MARK --set-mark 1/1 + iptables -I INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1 + ''; + + systemd.services.ovs-monitor-ipsec = { + description = "Open_vSwitch Ipsec Daemon"; + wantedBy = [ "multi-user.target" ]; + requires = [ "racoon.service" ]; + after = [ "vswitchd.service" ]; + environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock"; + serviceConfig = { + ExecStart = '' + ${cfg.package}/bin/ovs-monitor-ipsec \ + --root-prefix ${runDir}/ipsec \ + --pidfile /var/run/openvswitch/ovs-monitor-ipsec.pid \ + --monitor --detach \ + unix:/var/run/openvswitch/db.sock + ''; + PIDFile = "/var/run/openvswitch/ovs-monitor-ipsec.pid"; + Type = "forking"; + }; + + preStart = '' + rm -r ${runDir}/ipsec/etc/racoon/certs || true + mkdir -p ${runDir}/ipsec/{etc/racoon,etc/init.d/,usr/sbin/} + ln -fs ${pkgs.ipsecTools}/bin/setkey ${runDir}/ipsec/usr/sbin/setkey + ln -fs ${pkgs.writeScript "racoon-restart" '' + #!${pkgs.stdenv.shell} + /var/run/current-system/sw/bin/systemctl $1 racoon + ''} ${runDir}/ipsec/etc/init.d/racoon + ''; + }; + })])); } diff --git a/pkgs/os-specific/linux/openvswitch/default.nix b/pkgs/os-specific/linux/openvswitch/default.nix index 2e25c0383b7b..67cbbd138261 100644 --- a/pkgs/os-specific/linux/openvswitch/default.nix +++ b/pkgs/os-specific/linux/openvswitch/default.nix 
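Review bot: `environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock";` makes ovs-monitor-ipsec create its own control socket in the world-writable /tmp (the package change in this commit passes this variable to `UnixctlServer.create`), so any local user can pre-create a file or symlink under that name before the service starts; keeping the socket in the daemon-owned run directory, `environment.UNIXCTLPATH = "${runDir}/ovs-monitor-ipsec.ctl.sock";`, avoids that, and the new name also stops suggesting that this is ovsdb-server's socket. The `iptables -I INPUT -t mangle ...` lines in `networking.firewall.extraCommands` are re-run on every firewall reload and, as far as I can tell from the NixOS firewall module, are never removed on stop, so the rules accumulate; matching `iptables -D ...` lines in `networking.firewall.extraStopCommands` would make them clean up, and a `iptables -C ... || iptables -I ...` form would make the insert idempotent. `rm -r ${runDir}/ipsec/etc/racoon/certs || true` in `preStart` is better written `rm -rf ${runDir}/ipsec/etc/racoon/certs` for the same reason as the racoon module's pidfile removal. The `mkMerge` list closed by `})]));` here is opened in the earlier hunk at line 2.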
@@ -1,47 +1,62 @@ -{ stdenv, fetchurl, openssl, python27, iproute, perl, kernel ? null}: +{ stdenv, fetchurl, makeWrapper +, openssl, python27, iproute, perl, kernel ? null }: + +with stdenv.lib; + let - - version = "2.1.2"; - - skipKernelMod = kernel == null; - -in -stdenv.mkDerivation { - version = "2.1.2"; + _kernel = kernel; +in stdenv.mkDerivation rec { + version = "2.3.1"; name = "openvswitch-${version}"; + src = fetchurl { - url = "http://openvswitch.org/releases/openvswitch-2.1.2.tar.gz"; - sha256 = "16q7faqrj2pfchhn0x5s9ggi5ckcg9n62f6bnqaih064aaq2jm47"; + url = "http://openvswitch.org/releases/${name}.tar.gz"; + sha256 = "1lmwyhm5wmdv1l4v1v5xd36d5ra21jz9ix57nh1lgm8iqc0lj5r1"; }; - kernel = if skipKernelMod then null else kernel.dev; - buildInputs = [ - openssl - python27 - perl - ]; + + kernel = optional (_kernel != null) _kernel.dev; + + buildInputs = [ makeWrapper openssl python27 perl ]; + configureFlags = [ "--localstatedir=/var" "--sharedstatedir=/var" "--sbindir=$(out)/bin" - ] ++ (if skipKernelMod then [] else ["--with-linux"]); + ] ++ (optionals (_kernel != null) ["--with-linux"]); + # Leave /var out of this! 
installFlags = [ "LOGDIR=$(TMPDIR)/dummy" "RUNDIR=$(TMPDIR)/dummy" "PKIDIR=$(TMPDIR)/dummy" ]; + + postInstall = '' + cp debian/ovs-monitor-ipsec $out/share/openvswitch/scripts + makeWrapper \ + $out/share/openvswitch/scripts/ovs-monitor-ipsec \ + $out/bin/ovs-monitor-ipsec \ + --prefix PYTHONPATH : "$out/share/openvswitch/python" + substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \ + --replace "UnixctlServer.create(None)" "UnixctlServer.create(os.environ['UNIXCTLPATH'])" + substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \ + --replace "self.psk_file" "root_prefix + self.psk_file" + substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \ + --replace "self.cert_dir" "root_prefix + self.cert_dir" + ''; + meta = { - platforms = stdenv.lib.platforms.linux; + platforms = platforms.linux; description = "A multilayer virtual switch"; - longDescription = + longDescription = '' - Open vSwitch is a production quality, multilayer virtual switch - licensed under the open source Apache 2.0 license. It is - designed to enable massive network automation through - programmatic extension, while still supporting standard - management interfaces and protocols (e.g. NetFlow, sFlow, SPAN, - RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to - support distribution across multiple physical servers similar + Open vSwitch is a production quality, multilayer virtual switch + licensed under the open source Apache 2.0 license. It is + designed to enable massive network automation through + programmatic extension, while still supporting standard + management interfaces and protocols (e.g. NetFlow, sFlow, SPAN, + RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to + support distribution across multiple physical servers similar to VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V. ''; homepage = "http://openvswitch.org/";