nixos/modules/virtualisation/openvswitch.nix at v192 · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / modules / virtualisation / openvswitch.nix
at v192 4.8 kB view raw
  1# Systemd services for openvswitch
  2
  3{ config, lib, pkgs, ... }:
  4
  5with lib;
  6
  7let
  8  cfg = config.virtualisation.vswitch;
  9
 10in {
 11
 12  options.virtualisation.vswitch = {
 13    enable = mkOption {
 14      type = types.bool;
 15      default = false;
 16      description = ''
 17        Whether to enable Open vSwitch. A configuration daemon (ovs-server)
 18        will be started.
 19        '';
 20    };
 21
 22    package = mkOption {
 23      type = types.package;
 24      default = pkgs.openvswitch;
 25      description = ''
 26        Open vSwitch package to use.
 27      '';
 28    };
 29
 30    ipsec = mkOption {
 31      type = types.bool;
 32      default = false;
 33      description = ''
 34        Whether to start racoon service for openvswitch.
 35      '';
 36    };
 37  };
 38
 39  config = mkIf cfg.enable (let
 40
 41    # Where the communication sockets live
 42    runDir = "/var/run/openvswitch";
 43
 44    # Where the config database live (can't be in nix-store)
 45    stateDir = "/var/db/openvswitch";
 46
 47    # The path to the an initialized version of the database
 48    db = pkgs.stdenv.mkDerivation {
 49      name = "vswitch.db";
 50      unpackPhase = "true";
 51      buildPhase = "true";
 52      buildInputs = with pkgs; [
 53        cfg.package
 54      ];
 55      installPhase = "mkdir -p $out";
 56    };
 57
 58  in (mkMerge [{
 59
 60    environment.systemPackages = [ cfg.package pkgs.ipsecTools ];
 61
 62    boot.kernelModules = [ "tun" "openvswitch" ];
 63
 64    boot.extraModulePackages = [ cfg.package ];
 65
 66    systemd.services.ovsdb = {
 67      description = "Open_vSwitch Database Server";
 68      wantedBy = [ "multi-user.target" ];
 69      after = [ "systemd-udev-settle.service" ];
 70      path = [ cfg.package ];
 71      restartTriggers = [ db cfg.package ];
 72      # Create the config database
 73      preStart =
 74        ''
 75        mkdir -p ${runDir}
 76        mkdir -p /var/db/openvswitch
 77        chmod +w /var/db/openvswitch
 78        if [[ ! -e /var/db/openvswitch/conf.db ]]; then
 79          ${cfg.package}/bin/ovsdb-tool create \
 80            "/var/db/openvswitch/conf.db" \
 81            "${cfg.package}/share/openvswitch/vswitch.ovsschema"
 82        fi
 83        chmod -R +w /var/db/openvswitch
 84        '';
 85      serviceConfig = {
 86        ExecStart =
 87          ''
 88          ${cfg.package}/bin/ovsdb-server \
 89            --remote=punix:${runDir}/db.sock \
 90            --private-key=db:Open_vSwitch,SSL,private_key \
 91            --certificate=db:Open_vSwitch,SSL,certificate \
 92            --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
 93            --unixctl=ovsdb.ctl.sock \
 94            --pidfile=/var/run/openvswitch/ovsdb.pid \
 95            --detach \
 96            /var/db/openvswitch/conf.db
 97          '';
 98        Restart = "always";
 99        RestartSec = 3;
100        PIDFile = "/var/run/openvswitch/ovsdb.pid";
101        Type = "forking";
102      };
103      postStart = ''
104        ${cfg.package}/bin/ovs-vsctl --timeout 3 --retry --no-wait init
105      '';
106    };
107
108    systemd.services.vswitchd = {
109      description = "Open_vSwitch Daemon";
110      wantedBy = [ "multi-user.target" ];
111      bindsTo = [ "ovsdb.service" ];
112      after = [ "ovsdb.service" ];
113      path = [ cfg.package ];
114      serviceConfig = {
115        ExecStart = ''
116          ${cfg.package}/bin/ovs-vswitchd \
117          --pidfile=/var/run/openvswitch/ovs-vswitchd.pid \
118          --detach
119        '';
120        PIDFile = "/var/run/openvswitch/ovs-vswitchd.pid";
121        Type = "forking";
122      };
123    };
124
125  }
126  (mkIf cfg.ipsec {
127    services.racoon.enable = true;
128    services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf";
129
130    networking.firewall.extraCommands = ''
131      iptables -I INPUT -t mangle -p esp -j MARK --set-mark 1/1
132      iptables -I INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1
133    '';
134
135    systemd.services.ovs-monitor-ipsec = {
136      description = "Open_vSwitch Ipsec Daemon";
137      wantedBy = [ "multi-user.target" ];
138      requires = [ "ovsdb.service" ];
139      before = [ "vswitchd.service" "racoon.service" ];
140      environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock";
141      serviceConfig = {
142        ExecStart = ''
143          ${cfg.package}/bin/ovs-monitor-ipsec \
144            --root-prefix ${runDir}/ipsec \
145            --pidfile /var/run/openvswitch/ovs-monitor-ipsec.pid \
146            --monitor --detach \
147            unix:/var/run/openvswitch/db.sock
148        '';
149        PIDFile = "/var/run/openvswitch/ovs-monitor-ipsec.pid";
150        Type = "forking";
151      };
152
153      preStart = ''
154        rm -r ${runDir}/ipsec/etc/racoon/certs || true
155        mkdir -p ${runDir}/ipsec/{etc/racoon,etc/init.d/,usr/sbin/}
156        ln -fs ${pkgs.ipsecTools}/bin/setkey ${runDir}/ipsec/usr/sbin/setkey
157        ln -fs ${pkgs.writeScript "racoon-restart" ''
158        #!${pkgs.stdenv.shell}
159        /var/run/current-system/sw/bin/systemctl $1 racoon
160        ''} ${runDir}/ipsec/etc/init.d/racoon
161      '';
162    };
163  })]));
164
165}