author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2018-03-03 15:56:05 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-03-03 15:56:05 +0000 |
commit | 9936ed4920974c558eded168d2e36e726bd56b11 (patch) | |
tree | 62998e39015c1180c2ec6fbe97276499e4f6ac66 | |
parent | ce82ae17a9ddbcf88b5feb94a2a9eaa53a725ce0 (diff) | |
parent | fe4f4de1c92714aa9a2add7ffb3ca83a861d6d4e (diff) | |
Merge pull request #31019 from teto/strongswan_rebased
[RFC/RDY] make l2tp work with Strongswan
-rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/strongswan.nix | 23 | ||||
-rw-r--r-- | pkgs/tools/networking/network-manager/l2tp.nix | 3 | ||||
-rw-r--r-- | pkgs/tools/networking/strongswan/default.nix | 5 |
4 files changed, 28 insertions, 4 deletions
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index e9a035d17d38..f83fb7a6d5dc 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -335,6 +335,7 @@ in {
 preStart = ''
 mkdir -m 700 -p /etc/NetworkManager/system-connections
+ mkdir -m 700 -p /etc/ipsec.d
 mkdir -m 755 -p ${stateDirs}
 '';
 };
diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix
index 3a3f64221c42..707d24b9220f 100644
--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
@@ -32,13 +32,13 @@ let
 ${caConf}
 '';
- strongswanConf = {setup, connections, ca, secrets, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
+ strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
 charon {
 ${if managePlugins then "load_modular = no" else ""}
 ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""}
 plugins {
 stroke {
- secrets_file = ${ipsecSecrets secrets}
+ secrets_file = ${secretsFile}
 }
 }
 }
@@ -135,7 +135,18 @@ in
 };
 };
- config = with cfg; mkIf enable {
+
+ config = with cfg;
+ let
+ secretsFile = ipsecSecrets cfg.secrets;
+ in
+ mkIf enable
+ {
+
+ # here we should use the default strongswan ipsec.secrets and
+ # append to it (default one is empty so not a pb for now)
+ environment.etc."ipsec.secrets".source = secretsFile;
+
 systemd.services.strongswan = {
 description = "strongSwan IPSec Service";
 wantedBy = [ "multi-user.target" ];
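Review bot: `mkdir -m 700 -p /etc/ipsec.d` applies the 0700 mode only when it creates the directory; if /etc/ipsec.d already exists with a looser mode (from an administrator or an earlier generation) the mode is left as is, and `-p` never applies the mode to parents it creates. If the point is that what the L2TP plugin drops there must not be readable by other local users, follow the mkdir with `chmod 700 /etc/ipsec.d`. Nothing in the hunk says why the NetworkManager unit creates a strongSwan directory (the commit title suggests it is for the NetworkManager L2TP plugin, but that is inferred); a comment such as `# per-connection IPsec files of the NetworkManager L2TP plugin go here` would fix that. The same mkdir -m caveat applies to the `mkdir -m 700 -p /etc/ppp` added to the strongswan.nix preStart in hunk @@ -143.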
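Review bot: `environment.etc."ipsec.secrets".source = secretsFile;` publishes the generated secrets file at a well-known path, and if `ipsecSecrets` builds it with `toFile` the way `strongswanConf` does a few lines above, that is a world-readable Nix store path, so everything in `services.strongswan.secrets` is readable by every local user; this was already true of the stroke plugin's `secrets_file`, but the new symlink makes it worth stating. Replace the "here we should use the default strongswan ipsec.secrets ..." remark with the actual contract, e.g. `# Published so the strongswan package's own ipsec.secrets can 'include' it. NOTE: this is a store path, so nothing in services.strongswan.secrets is private.` The binding only exists under `mkIf enable`, so with the module disabled the package's installed `ipsec.secrets` includes a path that does not exist; confirm that the `ipsec` tool tolerates a missing include. Also `secretsFile = ipsecSecrets cfg.secrets;` under `with cfg;` mixes `cfg.secrets` with the bare names used in `inherit setup connections ca ...` in the next hunk; pick one style.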
@@ -143,11 +154,15 @@ in
 wants = [ "keys.target" ];
 after = [ "network-online.target" "keys.target" ];
 environment = {
- STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets managePlugins enabledPlugins; };
+ STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
 };
 serviceConfig = {
 ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork";
 };
+ preStart = ''
+ # with 'nopeerdns' setting, ppp writes into this folder
+ mkdir -m 700 -p /etc/ppp
+ '';
 };
 };
 }
diff --git a/pkgs/tools/networking/network-manager/l2tp.nix b/pkgs/tools/networking/network-manager/l2tp.nix
index e5626dee1d4d..54670ff1bce7 100644
--- a/pkgs/tools/networking/network-manager/l2tp.nix
+++ b/pkgs/tools/networking/network-manager/l2tp.nix
@@ -22,6 +22,9 @@ stdenv.mkDerivation rec {
 postPatch = ''
 sed -i -e 's%"\(/usr/sbin\|/usr/pkg/sbin\|/usr/local/sbin\)/[^"]*",%%g' ./src/nm-l2tp-service.c
+ substituteInPlace ./Makefile.am \
+ --replace '$(sysconfdir)/dbus-1/system.d' "$out/etc/dbus-1/system.d"
+
 substituteInPlace ./src/nm-l2tp-service.c \
 --replace /sbin/ipsec ${strongswan}/bin/ipsec \
 --replace /sbin/xl2tpd ${xl2tpd}/bin/xl2tpd
diff --git a/pkgs/tools/networking/strongswan/default.nix b/pkgs/tools/networking/strongswan/default.nix
index 3cbff4f25ae8..042f8bea3d62 100644
--- a/pkgs/tools/networking/strongswan/default.nix
+++ b/pkgs/tools/networking/strongswan/default.nix
@@ -76,6 +76,11 @@ stdenv.mkDerivation rec {
 "--enable-sqlite"
 ] ++ optional enableNetworkManager "--enable-nm";
+ postInstall = ''
+ # this is needed for l2tp
+ echo "include /etc/ipsec.secrets" >> $out/etc/ipsec.secrets
+ '';
+
 NIX_LDFLAGS = "-lgcc_s" ;
 meta = { |
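Review bot: The `substituteInPlace ./Makefile.am` edit only changes where the D-Bus policy is installed if the build regenerates Makefile.in/Makefile from Makefile.am afterwards (for example an `autoreconfHook` among the build inputs); the build inputs are outside this hunk, so if the package configures from a pre-generated script the substitution is silent and the policy still goes to `$(sysconfdir)/dbus-1/system.d`. If the configure script exposes the D-Bus system directory as an option, passing it there is more robust than patching the automake source. Either way a one-line comment on the substitution would help the next reader: `# install the D-Bus policy into $out instead of the global sysconfdir`.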
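Review bot: The new `postInstall` is unconditional, so every use of this package, not only the NetworkManager-l2tp one, now ships an `ipsec.secrets` that includes the host's /etc/ipsec.secrets; if some other consumer runs `ipsec` with the package's default configuration on a machine where that file holds secrets meant for the NixOS strongswan service, those secrets are loaded into that instance too. The comment `# this is needed for l2tp` names a use case rather than the mechanism; say what is being wired up, e.g. `# nm-l2tp runs this package's ipsec with its default configuration; chain to the system-wide secrets file the NixOS strongswan module publishes at /etc/ipsec.secrets`. If the coupling is only wanted for that use, an opt-in package argument would keep the default build unchanged.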