4d545297d8
* lib: introduce imap0, imap1
For historical reasons, imap starts counting at 1 and it's not
consistent with the rest of the lib.
So for now we split imap into imap0 that starts counting at zero and
imap1 that starts counting at 1. And imap is marked as deprecated.
See c71e2d4235 (commitcomment-21873221)
* replace uses of lib.imap
* lib: move imap to deprecated.nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
let
|
|
|
|
cfg = config.services.libreswan;
|
|
|
|
libexec = "${pkgs.libreswan}/libexec/ipsec";
|
|
ipsec = "${pkgs.libreswan}/sbin/ipsec";
|
|
|
|
trim = chars: str: let
|
|
nonchars = filter (x : !(elem x.value chars))
|
|
(imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str));
|
|
in
|
|
if length nonchars == 0 then ""
|
|
else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str;
|
|
indent = str: concatStrings (concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (splitString "\n" str));
|
|
configText = indent (toString cfg.configSetup);
|
|
connectionText = concatStrings (mapAttrsToList (n: v:
|
|
''
|
|
conn ${n}
|
|
${indent v}
|
|
|
|
'') cfg.connections);
|
|
configFile = pkgs.writeText "ipsec.conf"
|
|
''
|
|
config setup
|
|
${configText}
|
|
|
|
${connectionText}
|
|
'';
|
|
|
|
in
|
|
|
|
{
|
|
|
|
###### interface
|
|
|
|
options = {
|
|
|
|
services.libreswan = {
|
|
|
|
enable = mkEnableOption "libreswan ipsec service";
|
|
|
|
configSetup = mkOption {
|
|
type = types.lines;
|
|
default = ''
|
|
protostack=netkey
|
|
nat_traversal=yes
|
|
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
|
|
'';
|
|
example = ''
|
|
secretsfile=/root/ipsec.secrets
|
|
protostack=netkey
|
|
nat_traversal=yes
|
|
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
|
|
'';
|
|
description = "Options to go in the 'config setup' section of the libreswan ipsec configuration";
|
|
};
|
|
|
|
connections = mkOption {
|
|
type = types.attrsOf types.lines;
|
|
default = {};
|
|
example = {
|
|
myconnection = ''
|
|
auto=add
|
|
left=%defaultroute
|
|
leftid=@user
|
|
|
|
right=my.vpn.com
|
|
|
|
ikev2=no
|
|
ikelifetime=8h
|
|
'';
|
|
};
|
|
description = "A set of connections to define for the libreswan ipsec service";
|
|
};
|
|
};
|
|
|
|
};
|
|
|
|
|
|
###### implementation
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
environment.systemPackages = [ pkgs.libreswan pkgs.iproute ];
|
|
|
|
systemd.services.ipsec = {
|
|
description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec";
|
|
path = [
|
|
"${pkgs.libreswan}"
|
|
"${pkgs.iproute}"
|
|
"${pkgs.procps}"
|
|
];
|
|
|
|
wants = [ "network-online.target" ];
|
|
after = [ "network-online.target" ];
|
|
wantedBy = [ "multi-user.target" ];
|
|
|
|
serviceConfig = {
|
|
Type = "simple";
|
|
Restart = "always";
|
|
EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto";
|
|
ExecStartPre = [
|
|
"${libexec}/addconn --config ${configFile} --checkconfig"
|
|
"${libexec}/_stackmanager start"
|
|
"${ipsec} --checknss"
|
|
"${ipsec} --checknflog"
|
|
];
|
|
ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS";
|
|
ExecStop = "${libexec}/whack --shutdown";
|
|
ExecStopPost = [
|
|
"${pkgs.iproute}/bin/ip xfrm policy flush"
|
|
"${pkgs.iproute}/bin/ip xfrm state flush"
|
|
"${ipsec} --stopnflog"
|
|
];
|
|
ExecReload = "${libexec}/whack --listen";
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|
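Review bot: The switch to `imap0` inside `trim` is not a pure rename: the indices it produces are handed straight to `substring`, which counts from 0, so with the 1-based `imap` the commit message describes the start offset was one too large and the returned slice was shifted by a character; this commit therefore changes `trim`'s output, which deserves a sentence in the commit message and a comment on the `imap0` line such as `# 0-based indices: they are fed straight to substring, which is 0-based`. Independently, `configFile` is built with `pkgs.writeText`, so the rendered ipsec.conf ends up in the world-readable Nix store; the `configSetup` and `connections` descriptions should state that secrets belong in the file named by `secretsfile` (as the example shows) rather than in these options.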