diff options
author | Matthieu Coudron <mattator@gmail.com> | 2017-10-31 20:14:00 +0900 |
---|---|---|
committer | Matthieu Coudron <mattator@gmail.com> | 2018-02-07 13:21:49 +0900 |
commit | fe4f4de1c92714aa9a2add7ffb3ca83a861d6d4e (patch) | |
tree | 3ff95b602076c9944d4f995bf1f7525e360349fe /nixos | |
parent | 11a9e1c3c0b2595ea37b8812736427ffb32a0787 (diff) | |
download | nixlib-fe4f4de1c92714aa9a2add7ffb3ca83a861d6d4e.tar nixlib-fe4f4de1c92714aa9a2add7ffb3ca83a861d6d4e.tar.gz nixlib-fe4f4de1c92714aa9a2add7ffb3ca83a861d6d4e.tar.bz2 nixlib-fe4f4de1c92714aa9a2add7ffb3ca83a861d6d4e.tar.lz nixlib-fe4f4de1c92714aa9a2add7ffb3ca83a861d6d4e.tar.xz nixlib-fe4f4de1c92714aa9a2add7ffb3ca83a861d6d4e.tar.zst nixlib-fe4f4de1c92714aa9a2add7ffb3ca83a861d6d4e.zip |
strongswan module: make it work with ipsec l2tp
l2tp saves its secrets into /etc/ipsec.d but strongswan would not read them. l2tp checks for /etc/ipsec.secrets includes /etc/ipsec.d and if not tries to write into it. Solution: Have the strongswan module create /etc/ipsec.d and /etc/ipsec.secrets when networkmanager_l2tp is installed. Include /etc/ipsec.secrets in /nix/store/hash-strongswan/etc/ipsec.secrets so that it can find l2tp secrets. Also when the ppp 'nopeerdns' option is used, the DNS resolver tries to write into an alternate file /etc/ppp/resolv.conf. This fails when /etc/ppp does not exist so the module creates it by default.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/networkmanager.nix | 1 | ||||
-rw-r--r-- | nixos/modules/services/networking/strongswan.nix | 23 |
2 files changed, 20 insertions, 4 deletions
diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix index 62afbf32c2f6..a5ca6cc74cf5 100644 --- a/nixos/modules/services/networking/networkmanager.nix +++ b/nixos/modules/services/networking/networkmanager.nix @@ -335,6 +335,7 @@ in { preStart = '' mkdir -m 700 -p /etc/NetworkManager/system-connections + mkdir -m 700 -p /etc/ipsec.d mkdir -m 755 -p ${stateDirs} ''; }; diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix index 3a3f64221c42..707d24b9220f 100644 --- a/nixos/modules/services/networking/strongswan.nix +++ b/nixos/modules/services/networking/strongswan.nix @@ -32,13 +32,13 @@ let ${caConf} ''; - strongswanConf = {setup, connections, ca, secrets, managePlugins, enabledPlugins}: toFile "strongswan.conf" '' + strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" '' charon { ${if managePlugins then "load_modular = no" else ""} ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""} plugins { stroke { - secrets_file = ${ipsecSecrets secrets} + secrets_file = ${secretsFile} } } } @@ -135,7 +135,18 @@ in }; }; - config = with cfg; mkIf enable { + + config = with cfg; + let + secretsFile = ipsecSecrets cfg.secrets; + in + mkIf enable + { + + # here we should use the default strongswan ipsec.secrets and + # append to it (default one is empty so not a pb for now) + environment.etc."ipsec.secrets".source = secretsFile; + systemd.services.strongswan = { description = "strongSwan IPSec Service"; wantedBy = [ "multi-user.target" ]; @@ -143,11 +154,15 @@ in wants = [ "keys.target" ]; after = [ "network-online.target" "keys.target" ]; environment = { - STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets managePlugins enabledPlugins; }; + STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; }; }; serviceConfig = { ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork"; }; + preStart = '' + # with 'nopeerdns' setting, ppp writes into this folder + mkdir -m 700 -p /etc/ppp + ''; }; }; } |