{ config, lib, pkgs, ... }: with lib; let cfg = config.services.libreswan; libexec = "${pkgs.libreswan}/libexec/ipsec"; ipsec = "${pkgs.libreswan}/sbin/ipsec"; trim = chars: str: let nonchars = filter (x : !(elem x.value chars)) (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str)); in if length nonchars == 0 then "" else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str; indent = str: concatStrings (concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (splitString "\n" str)); configText = indent (toString cfg.configSetup); connectionText = concatStrings (mapAttrsToList (n: v: '' conn ${n} ${indent v} '') cfg.connections); configFile = pkgs.writeText "ipsec.conf" '' config setup ${configText} ${connectionText} ''; in { ###### interface options = { services.libreswan = { enable = mkEnableOption "libreswan ipsec service"; configSetup = mkOption { type = types.lines; default = '' protostack=netkey nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 ''; example = '' secretsfile=/root/ipsec.secrets protostack=netkey nat_traversal=yes virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 ''; description = "Options to go in the 'config setup' section of the libreswan ipsec configuration"; }; connections = mkOption { type = types.attrsOf types.lines; default = {}; example = { myconnection = '' auto=add left=%defaultroute leftid=@user right=my.vpn.com ikev2=no ikelifetime=8h ''; }; description = "A set of connections to define for the libreswan ipsec service"; }; }; }; ###### implementation config = mkIf cfg.enable { environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ]; systemd.services.ipsec = { description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec"; path = [ "${pkgs.libreswan}" "${pkgs.iproute2}" "${pkgs.procps}" "${pkgs.nssTools}" "${pkgs.iptables}" "${pkgs.nettools}" ]; wants = [ "network-online.target" ]; after = [ "network-online.target" ]; wantedBy = [ "multi-user.target" ]; serviceConfig = { Type = "simple"; Restart = "always"; EnvironmentFile = "-${pkgs.libreswan}/etc/sysconfig/pluto"; ExecStartPre = [ "${libexec}/addconn --config ${configFile} --checkconfig" "${libexec}/_stackmanager start" "${ipsec} --checknss" "${ipsec} --checknflog" ]; ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS"; ExecStop = "${libexec}/whack --shutdown"; ExecStopPost = [ "${pkgs.iproute2}/bin/ip xfrm policy flush" "${pkgs.iproute2}/bin/ip xfrm state flush" "${ipsec} --stopnflog" ]; ExecReload = "${libexec}/whack --listen"; }; }; }; }