pyrox.dev / nixpkgs
lol
fork atom

strongswan module: make it work with ipsec l2tp

l2tp saves its secrets into /etc/ipsec.d but strongswan would not read
them. l2tp checks for /etc/ipsec.secrets includes /etc/ipsec.d and if
not tries to write into it.

Solution:
Have the strongswan module create /etc/ipsec.d and /etc/ipsec.secrets
when networkmanager_l2tp is installed.
Include /etc/ipsec.secrets in
/nix/store/hash-strongswan/etc/ipsec.secrets so that it can find l2tp
secrets.

Also when the ppp 'nopeerdns' option is used, the DNS resolver tries to
write into an alternate file /etc/ppp/resolv.conf. This fails when
/etc/ppp does not exist so the module creates it by default.

Matthieu Coudron fe4f4de1 11a9e1c3

options
unified split
Changed files
+26 -10
nixos
modules
services
networking
networkmanager.nix
strongswan.nix
pkgs
tools
networking
network-manager
l2tp.nix
strongswan
default.nix
+1
nixos/modules/services/networking/networkmanager.nix 
···

       
335

       
335

       
 

       



     

       
336

       
336

       
 

       
      preStart = ''


     

       
337

       
337

       
 

       
        mkdir -m 700 -p /etc/NetworkManager/system-connections


     

       

       
338

       
+

       
        mkdir -m 700 -p /etc/ipsec.d


     

       
338

       
339

       
 

       
        mkdir -m 755 -p ${stateDirs}


     

       
339

       
340

       
 

       
      '';


     

       
340

       
341

       
 

       
    };
+19 -4
nixos/modules/services/networking/strongswan.nix 
···

       
32

       
32

       
 

       
      ${caConf}


     

       
33

       
33

       
 

       
    '';


     

       
34

       
34

       
 

       



     

       
35

       

       
-

       
  strongswanConf = {setup, connections, ca, secrets, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''


     

       

       
35

       
+

       
  strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''


     

       
36

       
36

       
 

       
    charon {


     

       
37

       
37

       
 

       
      ${if managePlugins then "load_modular = no" else ""}


     

       
38

       
38

       
 

       
      ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""}


     

       
39

       
39

       
 

       
      plugins {


     

       
40

       
40

       
 

       
        stroke {


     

       
41

       

       
-

       
          secrets_file = ${ipsecSecrets secrets}


     

       

       
41

       
+

       
          secrets_file = ${secretsFile}


     

       
42

       
42

       
 

       
        }


     

       
43

       
43

       
 

       
      }


     

       
44

       
44

       
 

       
    }


     
···

       
135

       
135

       
 

       
    };


     

       
136

       
136

       
 

       
  };


     

       
137

       
137

       
 

       



     

       
138

       

       
-

       
  config = with cfg; mkIf enable {


     

       

       
138

       
+

       



     

       

       
139

       
+

       
  config = with cfg;


     

       

       
140

       
+

       
  let


     

       

       
141

       
+

       
    secretsFile = ipsecSecrets cfg.secrets;


     

       

       
142

       
+

       
  in


     

       

       
143

       
+

       
  mkIf enable


     

       

       
144

       
+

       
    {


     

       

       
145

       
+

       



     

       

       
146

       
+

       
    # here we should use the default strongswan ipsec.secrets and


     

       

       
147

       
+

       
    # append to it (default one is empty so not a pb for now)


     

       

       
148

       
+

       
    environment.etc."ipsec.secrets".source = secretsFile;


     

       

       
149

       
+

       



     

       
139

       
150

       
 

       
    systemd.services.strongswan = {


     

       
140

       
151

       
 

       
      description = "strongSwan IPSec Service";


     

       
141

       
152

       
 

       
      wantedBy = [ "multi-user.target" ];


     
···

       
143

       
154

       
 

       
      wants = [ "keys.target" ];


     

       
144

       
155

       
 

       
      after = [ "network-online.target" "keys.target" ];


     

       
145

       
156

       
 

       
      environment = {


     

       
146

       

       
-

       
        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets managePlugins enabledPlugins; };


     

       

       
157

       
+

       
        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };


     

       
147

       
158

       
 

       
      };


     

       
148

       
159

       
 

       
      serviceConfig = {


     

       
149

       
160

       
 

       
        ExecStart  = "${pkgs.strongswan}/sbin/ipsec start --nofork";


     

       
150

       
161

       
 

       
      };


     

       

       
162

       
+

       
      preStart = ''


     

       

       
163

       
+

       
        # with 'nopeerdns' setting, ppp writes into this folder


     

       

       
164

       
+

       
        mkdir -m 700 -p /etc/ppp


     

       

       
165

       
+

       
      '';


     

       
151

       
166

       
 

       
    };


     

       
152

       
167

       
 

       
  };


     

       
153

       
168

       
 

       
}
+1 -6
pkgs/tools/networking/network-manager/l2tp.nix 
···

       
41

       
41

       
 

       
  ];


     

       
42

       
42

       
 

       



     

       
43

       
43

       
 

       
  enableParallelBuilding = true;


     

       
44

       

       
-

       
  configureFlags = [


     

       
45

       

       
-

       
    "--with-gnome=${if withGnome then "yes" else "no"}"


     

       
46

       

       
-

       
    "--localstatedir=/var"


     

       
47

       

       
-

       
  ] ;


     

       
48

       

       
-

       



     

       
49

       
44

       
 

       



     

       
50

       
45

       
 

       
  meta = with stdenv.lib; {


     

       
51

       
46

       
 

       
    description = "L2TP plugin for NetworkManager";


     

       
52

       
47

       
 

       
    inherit (networkmanager.meta) platforms;


     

       
53

       

       
-

       
    homepage = http://github.com/nm-l2tp/network-manager-l2tp;


     

       

       
48

       
+

       
    homepage = https://github.com/nm-l2tp/network-manager-l2tp;


     

       
54

       
49

       
 

       
    license = licenses.gpl2;


     

       
55

       
50

       
 

       
    maintainers = with maintainers; [ abbradar obadz ];


     

       
56

       
51

       
 

       
  };
+5
pkgs/tools/networking/strongswan/default.nix 
···

       
76

       
76

       
 

       
         "--enable-sqlite" ]


     

       
77

       
77

       
 

       
    ++ optional enableNetworkManager "--enable-nm";


     

       
78

       
78

       
 

       



     

       

       
79

       
+

       
  postInstall = ''


     

       

       
80

       
+

       
    # this is needed for l2tp


     

       

       
81

       
+

       
    echo "include /etc/ipsec.secrets" >> $out/etc/ipsec.secrets


     

       

       
82

       
+

       
  '';


     

       

       
83

       
+

       



     

       
79

       
84

       
 

       
  NIX_LDFLAGS = "-lgcc_s" ;


     

       
80

       
85

       
 

       



     

       
81

       
86

       
 

       
  meta = {