authorIgor Pashev <pashev.igor@gmail.com>2014-11-22 19:27:23 +0100
committerIgor Pashev <pashev.igor@gmail.com>2014-11-25 15:29:34 +0100
commit4c33004e1f962d44a5f3f1f4efb057f385b3b764 (patch)
tree7063a97d4bf41932db09a71313043c369177ba99
parent4f9111e91f180165aa43cc9dafb7f95b79686215 (diff)
Added strongSwan service
-rwxr-xr-xnixos/modules/module-list.nix1
-rw-r--r--nixos/modules/services/networking/strongswan.nix130
2 files changed, 131 insertions, 0 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 3965dc3e53ef..85afcb824fb7 100755
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -274,6 +274,7 @@
   ./services/networking/spiped.nix
   ./services/networking/ssh/lshd.nix
   ./services/networking/ssh/sshd.nix
+  ./services/networking/strongswan.nix
   ./services/networking/supybot.nix
   ./services/networking/syncthing.nix
   ./services/networking/tcpcrypt.nix
diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix
new file mode 100644
index 000000000000..4ceb8254b1ec
--- /dev/null
+++ b/nixos/modules/services/networking/strongswan.nix
@@ -0,0 +1,130 @@
+{ config, lib, pkgs, ... }:
+
+let
+
+  inherit (builtins) toFile;
+  inherit (lib) concatMapStringsSep concatStringsSep mapAttrsToList
+                mkIf mkEnableOption mkOption types;
+
+  cfg = config.services.strongswan;
+
+  ipsecSecrets = secrets: toFile "ipsec.secrets" (
+    concatMapStringsSep "\n" (f: "include ${f}") secrets
+  );
+
+  ipsecConf = {setup, connections, ca}:
+    let
+      # https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
+      makeSections = type: sections: concatStringsSep "\n\n" (
+        mapAttrsToList (sec: attrs:
+          "${type} ${sec}\n" +
+            (concatStringsSep "\n" ( mapAttrsToList (k: v: "  ${k}=${v}") attrs ))
+        ) sections
+      );
+      setupConf       = makeSections "config" { inherit setup; };
+      connectionsConf = makeSections "conn" connections;
+      caConf          = makeSections "ca" ca;
+
+    in
+    builtins.toFile "ipsec.conf" ''
+      ${setupConf}
+      ${connectionsConf}
+      ${caConf}
+    '';
+
+  strongswanConf = {setup, connections, ca, secrets}: toFile "strongswan.conf" ''
+    charon {
+      plugins {
+        stroke {
+          secrets_file = ${ipsecSecrets secrets}
+        }
+      }
+    }
+
+    starter {
+      config_file = ${ipsecConf { inherit setup connections ca; }}
+    }
+  '';
+
+in
+{
+  options.services.strongswan = {
+    enable = mkEnableOption "strongSwan";
+
+    secrets = mkOption {
+      type = types.listOf types.path;
+      default = [];
+      example = [ "/run/keys/ipsec-foo.secret" ];
+      description = ''
+        A list of paths to IPSec secret files. These
+        files will be included into the main ipsec.secrets file
+        with the `include' directive. It is safer if these paths are absolute.
+      '';
+    };
+
+    setup = mkOption {
+      type = types.attrsOf types.str;
+      default = {};
+      example = { cachecrls = "yes"; strictcrlpolicy = "yes"; };
+      description = ''
+        A set of options for the `config setup' section of
+        the `ipsec.conf' file. Defines general configuration parameters.
+      '';
+    };
+
+    connections = mkOption {
+      type = types.attrsOf (types.attrsOf types.str);
+      default = {};
+      example = {
+        "%default" = {
+          keyexchange = "ikev2";
+          keyingtries = "1";
+        };
+        roadwarrior = {
+          auto       = "add";
+          leftcert   = "/run/keys/moonCert.pem";
+          leftid     = "@moon.strongswan.org";
+          leftsubnet = "10.1.0.0/16";
+          right      = "%any";
+        };
+      };
+      description = ''
+        A set of connections and their options for the `conn xxx'
+        sections of the `ipsec.conf' file.
+      '';
+    };
+
+    ca = mkOption {
+      type = types.attrsOf (types.attrsOf types.str);
+      default = {};
+      example = {
+        strongswan = {
+          auto   = "add";
+          cacert = "/run/keys/strongswanCert.pem";
+          crluri = "http://crl2.strongswan.org/strongswan.crl";
+        };
+      };
+      description = ''
+        A set of CAs (certification authorities) and their options
+        for the `ca xxx' sections of the `ipsec.conf' file.
+      '';
+    };
+  };
+
+  config = with cfg; mkIf enable {
+    systemd.services.strongswan = {
+      description = "strongSwan IPSec service";
+      wantedBy = [ "multi-user.target" ];
+      path = with pkgs; [ kmod ]; # XXX Linux
+      wants = [ "keys.target" ];
+      after = [ "network.target" "keys.target" ];
+      environment = {
+        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets; };
+      };
+      serviceConfig = {
+        ExecStart  = "${pkgs.strongswan}/sbin/ipsec start --nofork";
+      };
+    };
+  };
+}
+
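Review bot: The `secrets` option is typed `types.listOf types.path`, and each element is interpolated into `"include ${f}"` inside `builtins.toFile`; if a user supplies a Nix path literal (e.g. `./ipsec.secret`) rather than a string, the interpolation copies that file into the world-readable Nix store, so the key material ends up readable by every local user even though only an `include` line was intended. The description's hint "It is safer if these paths are absolute" does not state this, and the real distinction is string-vs-path, not relative-vs-absolute. I would reword the description along the lines of: "Paths should be given as strings pointing at files outside the Nix store (for example under /run/keys); a path literal would be copied into the world-readable store." The generated `ipsec.secrets` and `strongswan.conf` themselves only contain these paths, so they are fine to live in the store as written.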