pyrox.dev / nixpkgs
lol
fork atom

nixos/libreswan: update for version 4.x

- Use upstream unit files
- Remove deprecated config options
- Add option to disable redirects
- Add option to configure policies

rnhmjoj 1a4db01c 90d6e6fe

options
unified split
Changed files
+86 -55
nixos
modules
services
networking
libreswan.nix
+86 -55
nixos/modules/services/networking/libreswan.nix 
···

       
9

       
 

       
  libexec = "${pkgs.libreswan}/libexec/ipsec";


     

       
10

       
 

       
  ipsec = "${pkgs.libreswan}/sbin/ipsec";


     

       
11

       
 

       



     

       
12

       
-

       
  trim = chars: str: let


     

       
13

       
-

       
      nonchars = filter (x : !(elem x.value chars))


     

       
14

       
-

       
                  (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str));


     

       
15

       
-

       
    in


     

       
16

       
-

       
      if length nonchars == 0 then ""


     

       
17

       
-

       
      else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str;


     

       

       

       
     

       
18

       
 

       
  indent = str: concatStrings (concatMap (s: ["  " (trim [" " "\t"] s) "\n"]) (splitString "\n" str));


     

       
19

       
 

       
  configText = indent (toString cfg.configSetup);


     

       
20

       
 

       
  connectionText = concatStrings (mapAttrsToList (n: v:


     

       
21

       
 

       
    ''


     

       
22

       
 

       
      conn ${n}


     

       
23

       
 

       
      ${indent v}


     

       

       

       
     

       
24

       
 

       



     

       
25

       
-

       
    '') cfg.connections);


     

       
26

       
-

       
  configFile = pkgs.writeText "ipsec.conf"


     

       
27

       
 

       
    ''


     

       
28

       
 

       
      config setup


     

       
29

       
 

       
      ${configText}


     
···

       
31

       
 

       
      ${connectionText}


     

       
32

       
 

       
    '';


     

       
33

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
34

       
 

       
in


     

       
35

       
 

       



     

       
36

       
 

       
{


     
···

       
41

       
 

       



     

       
42

       
 

       
    services.libreswan = {


     

       
43

       
 

       



     

       
44

       
-

       
      enable = mkEnableOption "libreswan ipsec service";


     

       
45

       
 

       



     

       
46

       
 

       
      configSetup = mkOption {


     

       
47

       
 

       
        type = types.lines;


     

       
48

       
 

       
        default = ''


     

       
49

       
 

       
            protostack=netkey


     

       
50

       
-

       
            nat_traversal=yes


     

       
51

       
 

       
            virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10


     

       
52

       
 

       
        '';


     

       
53

       
 

       
        example = ''


     

       
54

       
 

       
            secretsfile=/root/ipsec.secrets


     

       
55

       
 

       
            protostack=netkey


     

       
56

       
-

       
            nat_traversal=yes


     

       
57

       
 

       
            virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10


     

       
58

       
 

       
        '';


     

       
59

       
-

       
        description = "Options to go in the 'config setup' section of the libreswan ipsec configuration";


     

       
60

       
 

       
      };


     

       
61

       
 

       



     

       
62

       
 

       
      connections = mkOption {


     

       
63

       
 

       
        type = types.attrsOf types.lines;


     

       
64

       
 

       
        default = {};


     

       
65

       
-

       
        example = {


     

       
66

       
-

       
          myconnection = ''


     

       
67

       
-

       
            auto=add


     

       
68

       
-

       
            left=%defaultroute


     

       
69

       
-

       
            leftid=@user


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
70

       
 

       



     

       
71

       
-

       
            right=my.vpn.com


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
72

       
 

       



     

       
73

       
-

       
            ikev2=no


     

       
74

       
-

       
            ikelifetime=8h


     

       
75

       
-

       
          '';


     

       
76

       
-

       
        };


     

       
77

       
-

       
        description = "A set of connections to define for the libreswan ipsec service";


     

       

       

       
     

       

       

       
     

       

       

       
     

       
78

       
 

       
      };


     

       

       

       
     

       
79

       
 

       
    };


     

       
80

       
 

       



     

       
81

       
 

       
  };


     
···

       
85

       
 

       



     

       
86

       
 

       
  config = mkIf cfg.enable {


     

       
87

       
 

       



     

       

       

       
     

       
88

       
 

       
    environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ];


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
89

       
 

       



     

       
90

       
 

       
    systemd.services.ipsec = {


     

       
91

       
 

       
      description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec";


     

       
92

       
-

       
      path = [


     

       
93

       
-

       
        "${pkgs.libreswan}"


     

       
94

       
-

       
        "${pkgs.iproute2}"


     

       
95

       
-

       
        "${pkgs.procps}"


     

       
96

       
-

       
        "${pkgs.nssTools}"


     

       
97

       
-

       
        "${pkgs.iptables}"


     

       
98

       
-

       
        "${pkgs.nettools}"


     

       
99

       
-

       
      ];


     

       
100

       
-

       



     

       
101

       
-

       
      wants = [ "network-online.target" ];


     

       
102

       
-

       
      after = [ "network-online.target" ];


     

       
103

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
104

       
-

       



     

       
105

       
-

       
      serviceConfig = {


     

       
106

       
-

       
        Type = "simple";


     

       
107

       
-

       
        Restart = "always";


     

       
108

       
-

       
        EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto";


     

       
109

       
-

       
        ExecStartPre = [


     

       
110

       
-

       
          "${libexec}/addconn --config ${configFile} --checkconfig"


     

       
111

       
-

       
          "${libexec}/_stackmanager start"


     

       
112

       
-

       
          "${ipsec} --checknss"


     

       
113

       
-

       
          "${ipsec} --checknflog"


     

       
114

       
-

       
        ];


     

       
115

       
-

       
        ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS";


     

       
116

       
-

       
        ExecStop = "${libexec}/whack --shutdown";


     

       
117

       
-

       
        ExecStopPost = [


     

       
118

       
-

       
          "${pkgs.iproute2}/bin/ip xfrm policy flush"


     

       
119

       
-

       
          "${pkgs.iproute2}/bin/ip xfrm state flush"


     

       
120

       
-

       
          "${ipsec} --stopnflog"


     

       
121

       
-

       
        ];


     

       
122

       
-

       
        ExecReload = "${libexec}/whack --listen";


     

       
123

       
-

       
      };


     

       
124

       
-

       



     

       
125

       
 

       
    };


     

       
126

       
 

       



     

       
127

       
 

       
  };


     
···

       
9

       
 

       
  libexec = "${pkgs.libreswan}/libexec/ipsec";


     

       
10

       
 

       
  ipsec = "${pkgs.libreswan}/sbin/ipsec";


     

       
11

       
 

       



     

       
12

       
+

       
  trim = chars: str:


     

       
13

       
+

       
  let


     

       
14

       
+

       
    nonchars = filter (x : !(elem x.value chars))


     

       
15

       
+

       
               (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str));


     

       
16

       
+

       
  in


     

       
17

       
+

       
    if length nonchars == 0 then ""


     

       
18

       
+

       
    else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str;


     

       
19

       
 

       
  indent = str: concatStrings (concatMap (s: ["  " (trim [" " "\t"] s) "\n"]) (splitString "\n" str));


     

       
20

       
 

       
  configText = indent (toString cfg.configSetup);


     

       
21

       
 

       
  connectionText = concatStrings (mapAttrsToList (n: v:


     

       
22

       
 

       
    ''


     

       
23

       
 

       
      conn ${n}


     

       
24

       
 

       
      ${indent v}


     

       
25

       
+

       
    '') cfg.connections);


     

       
26

       
 

       



     

       
27

       
+

       
  configFile = pkgs.writeText "ipsec-nixos.conf"


     

       

       

       
     

       
28

       
 

       
    ''


     

       
29

       
 

       
      config setup


     

       
30

       
 

       
      ${configText}


     
···

       
32

       
 

       
      ${connectionText}


     

       
33

       
 

       
    '';


     

       
34

       
 

       



     

       
35

       
+

       
  policyFiles = mapAttrs' (name: text:


     

       
36

       
+

       
    { name = "ipsec.d/policies/${name}";


     

       
37

       
+

       
      value.source = pkgs.writeText "ipsec-policy-${name}" text;


     

       
38

       
+

       
    }) cfg.policies;


     

       
39

       
+

       



     

       
40

       
 

       
in


     

       
41

       
 

       



     

       
42

       
 

       
{


     
···

       
47

       
 

       



     

       
48

       
 

       
    services.libreswan = {


     

       
49

       
 

       



     

       
50

       
+

       
      enable = mkEnableOption "Libreswan IPsec service";


     

       
51

       
 

       



     

       
52

       
 

       
      configSetup = mkOption {


     

       
53

       
 

       
        type = types.lines;


     

       
54

       
 

       
        default = ''


     

       
55

       
 

       
            protostack=netkey


     

       

       

       
     

       
56

       
 

       
            virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10


     

       
57

       
 

       
        '';


     

       
58

       
 

       
        example = ''


     

       
59

       
 

       
            secretsfile=/root/ipsec.secrets


     

       
60

       
 

       
            protostack=netkey


     

       

       

       
     

       
61

       
 

       
            virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10


     

       
62

       
 

       
        '';


     

       
63

       
+

       
        description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration";


     

       
64

       
 

       
      };


     

       
65

       
 

       



     

       
66

       
 

       
      connections = mkOption {


     

       
67

       
 

       
        type = types.attrsOf types.lines;


     

       
68

       
 

       
        default = {};


     

       
69

       
+

       
        example = literalExample ''


     

       
70

       
+

       
          { myconnection = '''


     

       
71

       
+

       
              auto=add


     

       
72

       
+

       
              left=%defaultroute


     

       
73

       
+

       
              leftid=@user


     

       
74

       
+

       



     

       
75

       
+

       
              right=my.vpn.com


     

       
76

       
+

       



     

       
77

       
+

       
              ikev2=no


     

       
78

       
+

       
              ikelifetime=8h


     

       
79

       
+

       
            ''';


     

       
80

       
+

       
          }


     

       
81

       
+

       
        '';


     

       
82

       
+

       
        description = "A set of connections to define for the Libreswan IPsec service";


     

       
83

       
+

       
      };


     

       
84

       
+

       



     

       
85

       
+

       
      policies = mkOption {


     

       
86

       
+

       
        type = types.attrsOf types.lines;


     

       
87

       
+

       
        default = {};


     

       
88

       
+

       
        example = literalExample ''


     

       
89

       
+

       
          { private-or-clear = '''


     

       
90

       
+

       
              # Attempt opportunistic IPsec for the entire Internet


     

       
91

       
+

       
              0.0.0.0/0


     

       
92

       
+

       
              ::/0


     

       
93

       
+

       
            ''';


     

       
94

       
+

       
          }


     

       
95

       
+

       
        '';


     

       
96

       
+

       
        description = ''


     

       
97

       
+

       
          A set of policies to apply to the IPsec connections.


     

       
98

       
 

       



     

       
99

       
+

       
          <note><para>


     

       
100

       
+

       
            The policy name must match the one of connection it needs to apply to.


     

       
101

       
+

       
          </para></note>


     

       
102

       
+

       
        '';


     

       
103

       
+

       
      };


     

       
104

       
 

       



     

       
105

       
+

       
      disableRedirects = mkOption {


     

       
106

       
+

       
        type = types.bool;


     

       
107

       
+

       
        default = true;


     

       
108

       
+

       
        description = ''


     

       
109

       
+

       
          Whether to disable send and accept redirects for all nework interfaces.


     

       
110

       
+

       
          See the Libreswan <link xlink:href="https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F">


     

       
111

       
+

       
          FAQ</link> page for why this is recommended.


     

       
112

       
+

       
        '';


     

       
113

       
 

       
      };


     

       
114

       
+

       



     

       
115

       
 

       
    };


     

       
116

       
 

       



     

       
117

       
 

       
  };


     
···

       
121

       
 

       



     

       
122

       
 

       
  config = mkIf cfg.enable {


     

       
123

       
 

       



     

       
124

       
+

       
    # Install package, systemd units, etc.


     

       
125

       
 

       
    environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ];


     

       
126

       
+

       
    systemd.packages = [ pkgs.libreswan ];


     

       
127

       
+

       
    systemd.tmpfiles.packages = [ pkgs.libreswan ];


     

       
128

       
+

       



     

       
129

       
+

       
    # Install configuration files


     

       
130

       
+

       
    environment.etc = {


     

       
131

       
+

       
      "ipsec.secrets".source = "${pkgs.libreswan}/etc/ipsec.secrets";


     

       
132

       
+

       
      "ipsec.conf".source = "${pkgs.libreswan}/etc/ipsec.conf";


     

       
133

       
+

       
      "ipsec.d/01-nixos.conf".source = configFile;


     

       
134

       
+

       
    } // policyFiles;


     

       
135

       
+

       



     

       
136

       
+

       
    # Create NSS database directory


     

       
137

       
+

       
    systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ];


     

       
138

       
 

       



     

       
139

       
 

       
    systemd.services.ipsec = {


     

       
140

       
 

       
      description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec";


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
141

       
 

       
      wantedBy = [ "multi-user.target" ];


     

       
142

       
+

       
      restartTriggers = [ configFile ] ++ mapAttrsToList (n: v: v.source) policyFiles;


     

       
143

       
+

       
      path = with pkgs; [


     

       
144

       
+

       
        libreswan


     

       
145

       
+

       
        iproute2


     

       
146

       
+

       
        procps


     

       
147

       
+

       
        nssTools


     

       
148

       
+

       
        iptables


     

       
149

       
+

       
        nettools


     

       
150

       
+

       
      ];


     

       
151

       
+

       
      preStart = optionalString cfg.disableRedirects ''


     

       
152

       
+

       
        # Disable send/receive redirects


     

       
153

       
+

       
        echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects


     

       
154

       
+

       
        echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects


     

       
155

       
+

       
      '';


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
156

       
 

       
    };


     

       
157

       
 

       



     

       
158

       
 

       
  };