authorShea Levy <shea@shealevy.com>2014-09-30 21:28:04 -0400
committerShea Levy <shea@shealevy.com>2014-09-30 21:28:04 -0400
commit961d444762c70cdae2cd710234765c29b2d3873e (patch)
tree8fbc4122c49f18c42cf70b6d80d40c49307ca74b /pkgs/tools/networking/strongswan
parent1c0d37a0382f06a0d24393006fb9aa45c53407e1 (diff)
Remove hard-coded /etc from strongswan
Diffstat (limited to 'pkgs/tools/networking/strongswan')
-rw-r--r--pkgs/tools/networking/strongswan/default.nix4
-rw-r--r--pkgs/tools/networking/strongswan/no-hardcoded-sysconfdir.patch145
2 files changed, 147 insertions, 2 deletions
diff --git a/pkgs/tools/networking/strongswan/default.nix b/pkgs/tools/networking/strongswan/default.nix
index 56ecdb904e29..9358b9aaa2fb 100644
--- a/pkgs/tools/networking/strongswan/default.nix
+++ b/pkgs/tools/networking/strongswan/default.nix
@@ -8,11 +8,11 @@ stdenv.mkDerivation rec {
     sha256 = "1ki6v9c54ykppqnj3prgh62na97yajnvnm2zr1gjxzv05syk035h";
   };
 
-  patches = [ ./respect-path.patch ./no-sysconfdir-write.patch ];
+  patches = [ ./respect-path.patch ./no-hardcoded-sysconfdir.patch ];
 
   buildInputs = [ gmp autoreconfHook gettext pkgconfig ];
 
-  configureFlags = [ "--enable-swanctl" "--sysconfdir=/etc" ];
+  configureFlags = [ "--enable-swanctl" ];
 
   meta = {
     maintainers = [ stdenv.lib.maintainers.shlevy ];
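Review bot: Dropping `--sysconfdir=/etc` on the configureFlags line leaves sysconfdir at its autoconf default, which under a Nix build presumably resolves to `$out/etc` inside the immutable store, so the compiled-in defaults for strongswan.conf, ipsec.conf and ipsec.secrets (the very values the accompanying patch makes overridable) now point at a location the daemon can never be configured from, and nothing in the derivation says how a deployment is meant to supply its real configuration. I would add a comment above the line: `# sysconfdir now defaults to $out/etc (immutable); deployments must point STRONGSWAN_CONF at a real strongswan.conf and set starter.config_file / charon.plugins.stroke.secrets_file there — see no-hardcoded-sysconfdir.patch`. Presumably this is also why no-sysconfdir-write.patch is dropped (with sysconfdir inside $out there is nothing outside the store to protect at install time), but that reasoning belongs in the commit message rather than being left implicit. Whether the NixOS module actually sets STRONGSWAN_CONF is not visible from this change.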
diff --git a/pkgs/tools/networking/strongswan/no-hardcoded-sysconfdir.patch b/pkgs/tools/networking/strongswan/no-hardcoded-sysconfdir.patch
new file mode 100644
index 000000000000..b186b21a5dd9
--- /dev/null
+++ b/pkgs/tools/networking/strongswan/no-hardcoded-sysconfdir.patch
@@ -0,0 +1,145 @@
+commit 8e2b65ebf597a4d48daa3308aa032962110ad8f6
+Author: Shea Levy <shea@shealevy.com>
+Date:   Tue Sep 30 15:14:47 2014 -0400
+
+    Allow specifying the ipsec.conf location in strongswan.conf
+
+diff --git a/conf/options/starter.opt b/conf/options/starter.opt
+index 4e6574d..6d7162a 100644
+--- a/conf/options/starter.opt
++++ b/conf/options/starter.opt
+@@ -3,3 +3,6 @@ starter.load =
+ 
+ starter.load_warning = yes
+ 	Disable charon plugin load option warning.
++
++starter.config_file = ${sysconfdir}/ipsec.conf
++	Location of the ipsec.conf conf file
+diff --git a/src/starter/starter.c b/src/starter/starter.c
+index 5c84593..1f365cc 100644
+--- a/src/starter/starter.c
++++ b/src/starter/starter.c
+@@ -488,7 +488,8 @@ int main (int argc, char **argv)
+ 	}
+ 	if (!config_file)
+ 	{
+-		config_file = CONFIG_FILE;
++		config_file = lib->settings->get_str(lib->settings, "starter.config_file",
++			CONFIG_FILE);
+ 	}
+ 
+ 	init_log("ipsec_starter");
+
+commit 8b839cec684e26ed96f3d891b3ae3565558b2cff
+Author: Shea Levy <shea@shealevy.com>
+Date:   Tue Sep 30 15:11:03 2014 -0400
+
+    Allow specifying the ipsec.secrets location in strongswan.conf
+
+diff --git a/conf/plugins/stroke.opt b/conf/plugins/stroke.opt
+index 2cfc2c6..b3ca2b7 100644
+--- a/conf/plugins/stroke.opt
++++ b/conf/plugins/stroke.opt
+@@ -11,5 +11,8 @@ charon.plugins.stroke.prevent_loglevel_changes = no
+ charon.plugins.stroke.socket = unix://${piddir}/charon.ctl
+ 	Socket provided by the stroke plugin.
+ 
++charon.plugins.stroke.secrets_file = ${sysconfdir}/ipsec.secrets
++	Location of the ipsec.secrets conf file
++
+ charon.plugins.stroke.timeout = 0
+ 	Timeout in ms for any stroke command. Use 0 to disable the timeout.
+diff --git a/src/libcharon/plugins/stroke/stroke_cred.c b/src/libcharon/plugins/stroke/stroke_cred.c
+index f908219..673e492 100644
+--- a/src/libcharon/plugins/stroke/stroke_cred.c
++++ b/src/libcharon/plugins/stroke/stroke_cred.c
+@@ -67,6 +67,7 @@ struct private_stroke_cred_t {
+ 	/**
+ 	 * credentials
+ 	 */
++	char *secrets_file;
+ 	mem_cred_t *creds;
+ 
+ 	/**
+@@ -1297,7 +1298,7 @@ METHOD(stroke_cred_t, reread, void,
+ 	if (msg->reread.flags & REREAD_SECRETS)
+ 	{
+ 		DBG1(DBG_CFG, "rereading secrets");
+-		load_secrets(this, NULL, SECRETS_FILE, 0, prompt);
++		load_secrets(this, NULL, this->secrets_file, 0, prompt);
+ 	}
+ 	if (msg->reread.flags & REREAD_CACERTS)
+ 	{
+@@ -1370,6 +1371,9 @@ stroke_cred_t *stroke_cred_create()
+ 			.cachecrl = _cachecrl,
+ 			.destroy = _destroy,
+ 		},
++		.secrets_file = lib->settings->get_str(lib->settings,
++			"%s.plugins.stroke.secrets_file", SECRETS_FILE,
++			lib->ns),
+ 		.creds = mem_cred_create(),
+ 	);
+ 
+@@ -1380,7 +1384,7 @@ stroke_cred_t *stroke_cred_create()
+ 						FALSE, lib->ns);
+ 
+ 	load_certs(this);
+-	load_secrets(this, NULL, SECRETS_FILE, 0, NULL);
++	load_secrets(this, NULL, this->secrets_file, 0, NULL);
+ 
+ 	return &this->public;
+ }
+diff --git a/src/starter/starter.c b/src/starter/starter.c
+index 71f33ae..5c84593 100644
+--- a/src/starter/starter.c
++++ b/src/starter/starter.c
+@@ -263,8 +263,11 @@ static void generate_selfcert()
+ {
+ 	struct stat stb;
+ 
++	const char *secrets_file = lib->settings->get_str(lib->settings,
++		"charon.plugins.stroke.secrets_file", SECRETS_FILE);
++
+ 	/* if ipsec.secrets file is missing then generate RSA default key pair */
+-	if (stat(SECRETS_FILE, &stb) != 0)
++	if (stat(secrets_file, &stb) != 0)
+ 	{
+ 		mode_t oldmask;
+ 		FILE *f;
+@@ -302,7 +305,7 @@ static void generate_selfcert()
+ 		/* ipsec.secrets is root readable only */
+ 		oldmask = umask(0066);
+ 
+-		f = fopen(SECRETS_FILE, "w");
++		f = fopen(secrets_file, "w");
+ 		if (f)
+ 		{
+ 			fprintf(f, "# /etc/ipsec.secrets - strongSwan IPsec secrets file\n");
+@@ -310,7 +313,7 @@ static void generate_selfcert()
+ 			fprintf(f, ": RSA myKey.der\n");
+ 			fclose(f);
+ 		}
+-		ignore_result(chown(SECRETS_FILE, uid, gid));
++		ignore_result(chown(secrets_file, uid, gid));
+ 		umask(oldmask);
+ 	}
+ }
+
+commit 5f2ca3b99b40c47a9b59c7cc75655e5dd041787e
+Author: Shea Levy <shea@shealevy.com>
+Date:   Tue Sep 30 14:31:50 2014 -0400
+
+    Allow specifying the path to strongswan.conf in the STRONGSWAN_CONF env var
+
+diff -Naur a/src/libstrongswan/library.c b/src/libstrongswan/library.c
+--- a/src/libstrongswan/library.c	2014-06-05 03:50:30.000000000 -0400
++++ b/src/libstrongswan/library.c	2014-09-30 15:25:27.927757711 -0400
+@@ -307,7 +307,7 @@
+ #ifdef STRONGSWAN_CONF
+ 	if (!settings)
+ 	{
+-		settings = STRONGSWAN_CONF;
++		settings = getenv("STRONGSWAN_CONF") ?: STRONGSWAN_CONF;
+ 	}
+ #endif
+ 	this->public.settings = settings_create(settings);
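Review bot: The `getenv("STRONGSWAN_CONF")` override in the library.c hunk is honoured unconditionally, and strongswan.conf governs which plugins are loaded and from where, so any program linking libstrongswan that runs set-uid/set-gid, or is launched by a privileged service with a caller-supplied environment, would let an unprivileged caller point it at an attacker-written configuration; whether such a binary exists in this package is not visible here, but the guard costs one line. I would only honour the variable when real and effective ids match, e.g. `const char *env = (getuid() == geteuid() && getgid() == getegid()) ? getenv("STRONGSWAN_CONF") : NULL;` followed by `settings = env ?: STRONGSWAN_CONF;` (glibc's `secure_getenv`, which also checks AT_SECURE, is the equivalent where available; `<unistd.h>` is needed if library.c does not already include it). The `?:` with elided middle operand is a GNU extension, acceptable only if the tree already assumes GCC/Clang. The enclosing function starts and ends outside this hunk, and the `starter.config_file` / `secrets_file` option descriptions in the .opt hunks would read better as "Path to the ipsec.conf file read by starter" and "Path to the ipsec.secrets file loaded by the stroke plugin".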