# NixOS service module for strongSwan driven by swanctl (charon-systemd).
# swanctl.conf is rendered from the `services.strongswan-swanctl.swanctl`
# option tree, followed by any extra files listed in `includes`.
{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib)
    concatMapStrings
    mkEnableOption
    mkIf
    mkOption
    mkPackageOption
    types
    ;
  inherit (import ./param-lib.nix lib) paramsToConf paramsToOptions;

  cfg = config.services.strongswan-swanctl;

  # Parameter schema shared by the option tree and the config renderer.
  swanctlParams = import ./swanctl-params.nix lib;

  # One `include` directive per extra file, each on its own line.
  includeDirectives = concatMapStrings (file: "\ninclude ${file}") cfg.includes;

  # The rendered swanctl.conf. It is written to the Nix store, which is
  # world-readable, so anything placed under `cfg.swanctl` (e.g. pre-shared
  # keys) is visible to every local user; keep secrets in `cfg.includes`.
  configFile = pkgs.writeText "swanctl.conf" (
    (paramsToConf cfg.swanctl swanctlParams) + includeDirectives
  );

  swanctlBin = "${cfg.package}/sbin/swanctl";

  # The swanctl command complains when the following directories don't exist:
  # See: https://wiki.strongswan.org/projects/strongswan/wiki/Swanctldirectory
  swanctlDirs = [
    "x509" # Trusted X.509 end entity certificates
    "x509ca" # Trusted X.509 Certificate Authority certificates
    "x509ocsp"
    "x509aa" # Trusted X.509 Attribute Authority certificates
    "x509ac" # Attribute Certificates
    "x509crl" # Certificate Revocation Lists
    "pubkey" # Raw public keys
    "private" # Private keys in any format
    "rsa" # PKCS#1 encoded RSA private keys
    "ecdsa" # Plain ECDSA private keys
    "bliss"
    "pkcs8" # PKCS#8 encoded private keys of any type
    "pkcs12" # PKCS#12 containers
  ];
in
{
  options.services.strongswan-swanctl = {
    enable = mkEnableOption "strongswan-swanctl service";

    package = mkPackageOption pkgs "strongswan" { };

    strongswan.extraConfig = mkOption {
      type = types.str;
      default = "";
      description = ''
        Contents of the `strongswan.conf` file.
      '';
    };

    # The full swanctl.conf option tree, generated from the parameter schema.
    swanctl = paramsToOptions swanctlParams;

    # NOTE: pass these as absolute path *strings* (e.g. "/run/secrets/..."); a
    # Nix path literal is copied into the world-readable store when interpolated.
    includes = mkOption {
      type = types.listOf types.path;
      default = [ ];
      description = ''
        Extra configuration files to include in the swanctl configuration. This can be used to provide secret values from outside the nix store.
      '';
    };
  };

  config = mkIf cfg.enable {

    # The two strongSwan modules are mutually exclusive; refuse to evaluate with both on.
    assertions = [
      {
        assertion = !config.services.strongswan.enable;
        message = "cannot enable both services.strongswan and services.strongswan-swanctl. Choose either one.";
      }
    ];

    environment.etc."swanctl/swanctl.conf".source = configFile;
    environment.etc."strongswan.conf".text = cfg.strongswan.extraConfig;

    # The trailing `-` leaves mode and ownership at the tmpfiles defaults
    # (0755, root for `d` entries). The directory does not hide its contents,
    # so key files dropped into private/rsa/ecdsa/pkcs8/pkcs12 must carry
    # their own restrictive permissions.
    systemd.tmpfiles.rules = map (dir: "d /etc/swanctl/${dir} -") swanctlDirs;

    systemd.services.strongswan-swanctl = {
      description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl";
      wantedBy = [ "multi-user.target" ];
      wants = [ "network-online.target" ];
      after = [ "network-online.target" ];
      # Put on the unit's PATH for the daemon and swanctl.
      path = [
        pkgs.kmod
        pkgs.iproute2
        pkgs.iptables
        pkgs.util-linux
      ];
      # Any change to either generated file restarts the daemon.
      restartTriggers = [
        config.environment.etc."swanctl/swanctl.conf".source
        config.environment.etc."strongswan.conf".source
      ];
      serviceConfig = {
        Type = "notify";
        ExecStart = "${cfg.package}/sbin/charon-systemd";
        # Load credentials, pools and connections once the daemon has signalled readiness.
        ExecStartPost = "${swanctlBin} --load-all --noprompt";
        # NOTE(review): `swanctl --reload` re-reads strongswan.conf; it does not
        # appear to re-read swanctl.conf, so connection/secret changes rely on
        # restartTriggers above or a manual `swanctl --load-all` — confirm.
        ExecReload = "${swanctlBin} --reload";
        Restart = "on-abnormal";
      };
    };
  };
}