authorMateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>2015-05-26 11:26:02 +0100
committerMateusz Kowalczyk <fuuzetsu@fuuzetsu.co.uk>2015-05-26 11:26:02 +0100
commit1113efec5e588738fc8a68315193a791973ca28c (patch)
tree7d16ac875dd3d460b35ff91da099c10f1b591b29
parent4fd0f2cf4dd59a9a7918bdc7109d7c01ae1e8988 (diff)
parentec6ecce8cf2ecea21122ad24634ec2a6be8258f2 (diff)
Merge pull request #7559 from offlinehacker/openvswitch/ipsec
openvswitch: ipsec support
-rw-r--r--nixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/networking/racoon.nix42
-rw-r--r--nixos/modules/virtualisation/openvswitch.nix132
-rw-r--r--pkgs/os-specific/linux/openvswitch/default.nix67
4 files changed, 174 insertions, 68 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 7de7d70db250..2870a259adb1 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -307,6 +307,7 @@
   ./services/networking/privoxy.nix
   ./services/networking/prosody.nix
   ./services/networking/quassel.nix
+  ./services/networking/racoon.nix
   ./services/networking/radicale.nix
   ./services/networking/radvd.nix
   ./services/networking/rdnssd.nix
diff --git a/nixos/modules/services/networking/racoon.nix b/nixos/modules/services/networking/racoon.nix
new file mode 100644
index 000000000000..00986bbbd849
--- /dev/null
+++ b/nixos/modules/services/networking/racoon.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  cfg = config.services.racoon;
+in {
+  options.services.racoon = {
+    enable = mkEnableOption "Whether to enable racoon.";
+
+    config = mkOption {
+      description = "Contents of racoon configuration file.";
+      default = "";
+      type = types.str;
+    };
+
+    configPath = mkOption {
+      description = "Location of racoon config if config is not provided.";
+      default = "/etc/racoon/racoon.conf";
+      type = types.path;
+    };
+  };
+
+  config = mkIf cfg.enable {
+    systemd.services.racoon = {
+      description = "Racoon Daemon";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      serviceConfig = {
+        ExecStart = "${pkgs.ipsecTools}/bin/racoon -f ${
+          if (cfg.config != "") then pkgs.writeText "racoon.conf" cfg.config
+          else cfg.configPath
+        }";
+        ExecReload = "${pkgs.ipsecTools}/bin/racoonctl reload-config";
+        PIDFile = "/var/run/racoon.pid";
+        Type = "forking";
+        Restart = "always";
+      };
+      preStart = "rm /var/run/racoon.pid || true";
+    };
+  };
+}
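Review bot: `enable = mkEnableOption "Whether to enable racoon.";` produces the description "Whether to enable Whether to enable racoon.." because mkEnableOption already supplies that prefix; it should read `enable = mkEnableOption "racoon";`. The `config` option also deserves a security caveat: whatever is passed there is written with `pkgs.writeText` into the world-readable Nix store, so pre-shared keys or private-key material must never be inlined, and the description should say so — e.g. `description = "Contents of racoon configuration file. Note that this ends up in the world-readable Nix store; keep pre-shared keys and private keys in separate files referenced from the config.";`. Minor: `preStart = "rm -f /var/run/racoon.pid";` does the same as the current line without the `|| true` and the spurious error on first start.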
diff --git a/nixos/modules/virtualisation/openvswitch.nix b/nixos/modules/virtualisation/openvswitch.nix
index c1579d94657c..69ca13a71479 100644
--- a/nixos/modules/virtualisation/openvswitch.nix
+++ b/nixos/modules/virtualisation/openvswitch.nix
@@ -7,35 +7,36 @@ with lib;
 let
   cfg = config.virtualisation.vswitch;
 
-in
+in {
 
-{
-
-  options = {
-
-    virtualisation.vswitch.enable = mkOption {
+  options.virtualisation.vswitch = {
+    enable = mkOption {
       type = types.bool;
       default = false;
-      description =
-        ''
-        Enable Open vSwitch. A configuration 
-        daemon (ovs-server) will be started.
+      description = ''
+        Whether to enable Open vSwitch. A configuration daemon (ovs-server)
+        will be started.
         '';
     };
 
-
-    virtualisation.vswitch.package = mkOption {
+    package = mkOption {
       type = types.package;
       default = pkgs.openvswitch;
-      description =
-        ''
+      description = ''
         Open vSwitch package to use.
-        '';
+      '';
     };
 
+    ipsec = mkOption {
+      type = types.bool;
+      default = false;
+      description = ''
+        Whether to start racoon service for openvswitch.
+      '';
+    };
   };
 
-  config = mkIf cfg.enable (let 
+  config = mkIf cfg.enable (let
 
     # Where the communication sockets live
     runDir = "/var/run/openvswitch";
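Review bot: The `ipsec` option's description, `Whether to start racoon service for openvswitch.`, understates what enabling it does: later in this diff it also installs iptables mangle rules through `networking.firewall.extraCommands`, starts an `ovs-monitor-ipsec` service that generates racoon's configuration under the vswitch run directory, and forces `services.racoon.configPath` to that generated file, so a host that already runs racoon for other tunnels loses its own config path. Suggest `description = "Whether to enable IPsec for Open vSwitch tunnels. This starts racoon (overriding services.racoon.configPath) and ovs-monitor-ipsec, and adds firewall mangle rules marking ESP and UDP/4500 traffic.";`. Since racoon.nix ignores `configPath` whenever `services.racoon.config` is non-empty, an assertion that `config.services.racoon.config == ""` when `cfg.ipsec` is set would turn that silent conflict into a build error.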
@@ -43,7 +44,7 @@ in
     # Where the config database live (can't be in nix-store)
     stateDir = "/var/db/openvswitch";
 
-    # The path to the an initialized version of the database 
+    # The path to the an initialized version of the database
     db = pkgs.stdenv.mkDerivation {
       name = "vswitch.db";
       unpackPhase = "true";
@@ -51,15 +52,12 @@ in
       buildInputs = with pkgs; [
         cfg.package
       ];
-      installPhase = 
-        ''
-        ensureDir $out/
-        '';
+      installPhase = "mkdir -p $out";
     };
 
-  in {
+  in (mkMerge [{
 
-    environment.systemPackages = [ cfg.package ]; 
+    environment.systemPackages = [ cfg.package pkgs.ipsecTools ];
 
     boot.kernelModules = [ "tun" "openvswitch" ];
 
@@ -73,7 +71,7 @@ in
       path = [ cfg.package ];
       restartTriggers = [ db cfg.package ];
       # Create the config database
-      preStart = 
+      preStart =
         ''
         mkdir -p ${runDir}
         mkdir -p /var/db/openvswitch
@@ -85,23 +83,27 @@ in
         fi
         chmod -R +w /var/db/openvswitch
         '';
-      serviceConfig.ExecStart = 
-        ''
-        ${cfg.package}/bin/ovsdb-server \
-          --remote=punix:${runDir}/db.sock \
-          --private-key=db:Open_vSwitch,SSL,private_key \
-          --certificate=db:Open_vSwitch,SSL,certificate \
-          --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
-          --unixctl=ovsdb.ctl.sock \
-          /var/db/openvswitch/conf.db
-        '';       
-      serviceConfig.Restart = "always";
-      serviceConfig.RestartSec = 3;
-      postStart =
-        ''
+      serviceConfig = {
+        ExecStart =
+          ''
+          ${cfg.package}/bin/ovsdb-server \
+            --remote=punix:${runDir}/db.sock \
+            --private-key=db:Open_vSwitch,SSL,private_key \
+            --certificate=db:Open_vSwitch,SSL,certificate \
+            --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
+            --unixctl=ovsdb.ctl.sock \
+            --pidfile=/var/run/openvswitch/ovsdb.pid \
+            --detach \
+            /var/db/openvswitch/conf.db
+          '';
+        Restart = "always";
+        RestartSec = 3;
+        PIDFile = "/var/run/openvswitch/ovsdb.pid";
+        Type = "forking";
+      };
+      postStart = ''
         ${cfg.package}/bin/ovs-vsctl --timeout 3 --retry --no-wait init
-        '';
-
+      '';
     };
 
     systemd.services.vswitchd = {
@@ -109,9 +111,55 @@ in
       bindsTo = [ "ovsdb.service" ];
       after = [ "ovsdb.service" ];
       path = [ cfg.package ];
-      serviceConfig.ExecStart = ''${cfg.package}/bin/ovs-vswitchd'';
+      serviceConfig = {
+        ExecStart = ''
+          ${cfg.package}/bin/ovs-vswitchd \
+          --pidfile=/var/run/openvswitch/ovs-vswitchd.pid \
+          --detach
+        '';
+        PIDFile = "/var/run/openvswitch/ovs-vswitchd.pid";
+        Type = "forking";
+      };
     };
 
-  });
+  }
+  (mkIf cfg.ipsec {
+    services.racoon.enable = true;
+    services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf";
+
+    networking.firewall.extraCommands = ''
+      iptables -I INPUT -t mangle -p esp -j MARK --set-mark 1/1
+      iptables -I INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1
+    '';
+
+    systemd.services.ovs-monitor-ipsec = {
+      description = "Open_vSwitch Ipsec Daemon";
+      wantedBy = [ "multi-user.target" ];
+      requires = [ "racoon.service" ];
+      after = [ "vswitchd.service" ];
+      environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock";
+      serviceConfig = {
+        ExecStart = ''
+          ${cfg.package}/bin/ovs-monitor-ipsec \
+            --root-prefix ${runDir}/ipsec \
+            --pidfile /var/run/openvswitch/ovs-monitor-ipsec.pid \
+            --monitor --detach \
+            unix:/var/run/openvswitch/db.sock
+        '';
+        PIDFile = "/var/run/openvswitch/ovs-monitor-ipsec.pid";
+        Type = "forking";
+      };
+
+      preStart = ''
+        rm -r ${runDir}/ipsec/etc/racoon/certs || true
+        mkdir -p ${runDir}/ipsec/{etc/racoon,etc/init.d/,usr/sbin/}
+        ln -fs ${pkgs.ipsecTools}/bin/setkey ${runDir}/ipsec/usr/sbin/setkey
+        ln -fs ${pkgs.writeScript "racoon-restart" ''
+        #!${pkgs.stdenv.shell}
+        /var/run/current-system/sw/bin/systemctl $1 racoon
+        ''} ${runDir}/ipsec/etc/init.d/racoon
+      '';
+    };
+  })]));
 
 }
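Review bot: `environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock"` makes the root-run ovs-monitor-ipsec create its control socket at a fixed, predictable name in world-writable /tmp, where any local user can pre-create or replace that path before the service starts; it belongs in the service's own run directory, e.g. `environment.UNIXCTLPATH = "${runDir}/ovs-monitor-ipsec.ctl";`. The `networking.firewall.extraCommands` rules only set a packet mark on ESP and UDP/4500, and only with `iptables` (IPv4); as far as this diff shows nothing accepts IKE (UDP 500/4500) or ESP in the filter table, so unless the firewall is opened elsewhere the tunnels presumably will not negotiate — `networking.firewall.allowedUDPPorts = [ 500 4500 ];` plus an accept rule for `-p esp` would close that gap, and matching `extraStopCommands` should delete the mangle rules so they are not duplicated on every firewall reload. Since `pkgs.ipsecTools` is only useful when `cfg.ipsec` is set, its unconditional addition to `environment.systemPackages` earlier in this file could move into this `mkIf cfg.ipsec` block. Minor: `rm -rf ${runDir}/ipsec/etc/racoon/certs` in preStart replaces the `|| true` idiom.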
diff --git a/pkgs/os-specific/linux/openvswitch/default.nix b/pkgs/os-specific/linux/openvswitch/default.nix
index 2e25c0383b7b..67cbbd138261 100644
--- a/pkgs/os-specific/linux/openvswitch/default.nix
+++ b/pkgs/os-specific/linux/openvswitch/default.nix
@@ -1,47 +1,62 @@
-{ stdenv, fetchurl, openssl, python27, iproute, perl, kernel ? null}:
-let
-
-  version = "2.1.2";
+{ stdenv, fetchurl, makeWrapper
+, openssl, python27, iproute, perl, kernel ? null }:
 
-  skipKernelMod = kernel == null;
+with stdenv.lib;
 
-in
-stdenv.mkDerivation {
-  version = "2.1.2";
+let
+  _kernel = kernel;
+in stdenv.mkDerivation rec {
+  version = "2.3.1";
   name = "openvswitch-${version}";
+
   src = fetchurl {
-    url = "http://openvswitch.org/releases/openvswitch-2.1.2.tar.gz";
-    sha256 = "16q7faqrj2pfchhn0x5s9ggi5ckcg9n62f6bnqaih064aaq2jm47";
+    url = "http://openvswitch.org/releases/${name}.tar.gz";
+    sha256 = "1lmwyhm5wmdv1l4v1v5xd36d5ra21jz9ix57nh1lgm8iqc0lj5r1";
   };
-  kernel = if skipKernelMod then null else kernel.dev;
-  buildInputs = [
-    openssl
-    python27
-    perl
-  ];
+
+  kernel = optional (_kernel != null) _kernel.dev;
+
+  buildInputs = [ makeWrapper openssl python27 perl ];
+
   configureFlags = [
     "--localstatedir=/var"
     "--sharedstatedir=/var"
     "--sbindir=$(out)/bin"
-  ] ++ (if skipKernelMod then [] else ["--with-linux"]);
+  ] ++ (optionals (_kernel != null) ["--with-linux"]);
+
   # Leave /var out of this!
   installFlags = [
     "LOGDIR=$(TMPDIR)/dummy"
     "RUNDIR=$(TMPDIR)/dummy"
     "PKIDIR=$(TMPDIR)/dummy"
   ];
+
+  postInstall = ''
+    cp debian/ovs-monitor-ipsec $out/share/openvswitch/scripts
+    makeWrapper \
+      $out/share/openvswitch/scripts/ovs-monitor-ipsec \
+      $out/bin/ovs-monitor-ipsec \
+      --prefix PYTHONPATH : "$out/share/openvswitch/python"
+    substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
+      --replace "UnixctlServer.create(None)" "UnixctlServer.create(os.environ['UNIXCTLPATH'])"
+    substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
+      --replace "self.psk_file" "root_prefix + self.psk_file"
+    substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
+      --replace "self.cert_dir" "root_prefix + self.cert_dir"
+  '';
+
   meta = {
-    platforms = stdenv.lib.platforms.linux;
+    platforms = platforms.linux;
     description = "A multilayer virtual switch";
-    longDescription = 
+    longDescription =
       ''
-      Open vSwitch is a production quality, multilayer virtual switch 
-      licensed under the open source Apache 2.0 license. It is 
-      designed to enable massive network automation through 
-      programmatic extension, while still supporting standard 
-      management interfaces and protocols (e.g. NetFlow, sFlow, SPAN, 
-      RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to 
-      support distribution across multiple physical servers similar 
+      Open vSwitch is a production quality, multilayer virtual switch
+      licensed under the open source Apache 2.0 license. It is
+      designed to enable massive network automation through
+      programmatic extension, while still supporting standard
+      management interfaces and protocols (e.g. NetFlow, sFlow, SPAN,
+      RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to
+      support distribution across multiple physical servers similar
       to VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
       '';
     homepage = "http://openvswitch.org/";
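Review bot: The three `substituteInPlace … --replace` calls in `postInstall` carry behaviour the NixOS module depends on (reading `UNIXCTLPATH`, and prefixing `psk_file`/`cert_dir` with `root_prefix`), but `substituteInPlace` succeeds silently when a pattern is not found, so a future version bump that reworks `debian/ovs-monitor-ipsec` would quietly drop the patches and the monitor would fall back to `UnixctlServer.create(None)` and unprefixed key/cert paths. Guard each replacement, e.g. `grep -q "os.environ\['UNIXCTLPATH'\]" $out/share/openvswitch/scripts/ovs-monitor-ipsec`, or ship the edits as a patch file so drift fails the build instead of the runtime. `makeWrapper` is a build-time tool and belongs in `nativeBuildInputs` rather than `buildInputs`. The source URL is plain HTTP, which is acceptable only because the `sha256` pins the tarball; the hash must be re-verified from an independent source on every bump.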