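# NixOS module for xl2tpd, the Layer 2 Tunnelling Protocol Daemon.
#
# It declares the `services.xl2tpd.*` options and, when enabled, defines a
# single systemd unit that runs xl2tpd with a generated xl2tpd.conf and a
# generated pppd options file.  pppd and xl2tpd are wrapped with libredirect
# so that pppd reads its configuration from /etc/xl2tpd/ppp instead of
# /etc/ppp, and so that xl2tpd invokes the wrapped pppd.
{
  config,
  pkgs,
  lib,
  ...
}:

with lib;

{
  options = {
    services.xl2tpd = {
      enable = mkEnableOption "xl2tpd, the Layer 2 Tunnelling Protocol Daemon";

      # Address assigned to the server end of the PPP links (`local ip` in
      # xl2tpd.conf).
      serverIp = mkOption {
        type = types.str;
        description = "The server-side IP address.";
        default = "10.125.125.1";
      };

      # Pool handed to clients (`ip range` in xl2tpd.conf); xl2tpd's own
      # range syntax, e.g. "a.b.c.d-e".
      clientIpRange = mkOption {
        type = types.str;
        description = "The range from which client IPs are drawn.";
        default = "10.125.125.2-11";
      };

      # Appended verbatim to the `[lns default]` section of xl2tpd.conf.
      extraXl2tpOptions = mkOption {
        type = types.lines;
        description = "Adds extra lines to the xl2tpd configuration file.";
        default = "";
      };

      # Appended verbatim to the pppd options file.
      extraPppdOptions = mkOption {
        type = types.lines;
        description = "Adds extra lines to the pppd options file.";
        default = "";
        example = ''
          ms-dns 8.8.8.8
          ms-dns 8.8.4.4
        '';
      };
    };
  };

  config = mkIf config.services.xl2tpd.enable {
    systemd.services.xl2tpd =
      let
        cfg = config.services.xl2tpd;

        # Config files from https://help.ubuntu.com/community/L2TPServer
        #
        # NOTE(review): `ipsec saref = no` and nothing else in this module
        # configures IPsec, and the pppd options below leave
        # `require-mppe-128` commented out, so the tunnel carries traffic in
        # the clear unless IPsec or MPPE is set up elsewhere — confirm that
        # matches the intended deployment.
        xl2tpd-conf = pkgs.writeText "xl2tpd.conf" ''
          [global]
          ipsec saref = no

          [lns default]
          local ip = ${cfg.serverIp}
          ip range = ${cfg.clientIpRange}
          pppoptfile = ${pppd-options}
          length bit = yes

          ; Extra
          ${cfg.extraXl2tpOptions}
        '';

        # pppd options: PAP, CHAP and MS-CHAPv1 are refused, MS-CHAPv2 is
        # required.  pppd resolves its secrets files relative to /etc/ppp,
        # which the wrapper below redirects to /etc/xl2tpd/ppp.
        pppd-options = pkgs.writeText "ppp-options-xl2tpd.conf" ''
          refuse-pap
          refuse-chap
          refuse-mschap
          require-mschap-v2
          # require-mppe-128
          asyncmap 0
          auth
          crtscts
          idle 1800
          mtu 1200
          mru 1200
          lock
          hide-password
          local
          # debug
          name xl2tpd
          # proxyarp
          lcp-echo-interval 30
          lcp-echo-failure 4

          # Extra:
          ${cfg.extraPppdOptions}
        '';

        # Wrappers that use libredirect (LD_PRELOAD) to rewrite paths:
        #  - pppd:   /etc/ppp        -> /etc/xl2tpd/ppp
        #  - xl2tpd: ${pkgs.ppp}/sbin/pppd -> the wrapped pppd above
        # so xl2tpd ends up spawning a pppd that reads the module's own
        # secrets directory rather than the system-wide /etc/ppp.
        xl2tpd-ppp-wrapped = pkgs.stdenv.mkDerivation {
          name = "xl2tpd-ppp-wrapped";
          phases = [ "installPhase" ];
          nativeBuildInputs = with pkgs; [ makeWrapper ];
          installPhase = ''
            mkdir -p $out/bin

            makeWrapper ${pkgs.ppp}/sbin/pppd $out/bin/pppd \
              --set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \
              --set NIX_REDIRECTS "/etc/ppp=/etc/xl2tpd/ppp"

            makeWrapper ${pkgs.xl2tpd}/bin/xl2tpd $out/bin/xl2tpd \
              --set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \
              --set NIX_REDIRECTS "${pkgs.ppp}/sbin/pppd=$out/bin/pppd"
          '';
        };
      in
      {
        description = "xl2tpd server";

        # `requires` alone does not order the unit after the network; without
        # `after` both may start in parallel.
        requires = [ "network-online.target" ];
        after = [ "network-online.target" ];
        wantedBy = [ "multi-user.target" ];

        # First-run setup.  chap-secrets is created root-only (0600) with a
        # commented template — real credentials have to be added to it out of
        # band.  l2tp-secrets is populated with a random tunnel secret from
        # apg.  Both files are left alone if they already exist.
        preStart = ''
          install -m 700 -d /etc/xl2tpd/ppp

          [ -f /etc/xl2tpd/ppp/chap-secrets ] || install -m 600 -o root -g root /dev/stdin /etc/xl2tpd/ppp/chap-secrets <<EOF
          # Secrets for authentication using CHAP
          # client     server  secret               IP addresses
          #username    xl2tpd  password             *
          EOF

          # The documentation says this file should be present but doesn't explain why and things work even if not there:
          [ -f /etc/xl2tpd/l2tp-secrets ] || install -m 600 -o root -g root <(echo -n "* * "; ${pkgs.apg}/bin/apg -n 1 -m 32 -x 32 -a 1 -M LCN) /etc/xl2tpd/l2tp-secrets

          install -m 701 -o root -g root -d /run/xl2tpd
        '';
        # NOTE(review): /run/xl2tpd is created 0701 (world-traversable but not
        # listable), presumably so an unprivileged process can reach the
        # control socket/pid file — confirm this is intended.

        serviceConfig = {
          ExecStart = "${xl2tpd-ppp-wrapped}/bin/xl2tpd -D -c ${xl2tpd-conf} -s /etc/xl2tpd/l2tp-secrets -p /run/xl2tpd/pid -C /run/xl2tpd/control";
          # Only the main xl2tpd process is killed on stop; pppd children are
          # left to terminate on their own.
          KillMode = "process";
          Restart = "on-success";
          Type = "simple";
          PIDFile = "/run/xl2tpd/pid";
        };
      };
  };
}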