Luke Granger-Brown
57725ef3ec
git-subtree-dir: third_party/nixpkgs git-subtree-split: 76612b17c0ce71689921ca12d9ffdc9c23ce40b2
158 lines
4.5 KiB
Nix
158 lines
4.5 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
let
|
|
|
|
cfg = config.services.libreswan;
|
|
|
|
libexec = "${pkgs.libreswan}/libexec/ipsec";
|
|
ipsec = "${pkgs.libreswan}/sbin/ipsec";
|
|
|
|
trim = chars: str:
|
|
let
|
|
nonchars = lib.filter (x : !(lib.elem x.value chars))
|
|
(lib.imap0 (i: v: {ind = i; value = v;}) (lib.stringToCharacters str));
|
|
in
|
|
lib.optionalString (nonchars != [ ])
|
|
(lib.substring (lib.head nonchars).ind (lib.add 1 (lib.sub (lib.last nonchars).ind (lib.head nonchars).ind)) str);
|
|
indent = str: lib.concatStrings (lib.concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (lib.splitString "\n" str));
|
|
configText = indent (toString cfg.configSetup);
|
|
connectionText = lib.concatStrings (lib.mapAttrsToList (n: v:
|
|
''
|
|
conn ${n}
|
|
${indent v}
|
|
'') cfg.connections);
|
|
|
|
configFile = pkgs.writeText "ipsec-nixos.conf"
|
|
''
|
|
config setup
|
|
${configText}
|
|
|
|
${connectionText}
|
|
'';
|
|
|
|
policyFiles = lib.mapAttrs' (name: text:
|
|
{ name = "ipsec.d/policies/${name}";
|
|
value.source = pkgs.writeText "ipsec-policy-${name}" text;
|
|
}) cfg.policies;
|
|
|
|
in
|
|
|
|
{
|
|
|
|
###### interface
|
|
|
|
options = {
|
|
|
|
services.libreswan = {
|
|
|
|
enable = lib.mkEnableOption "Libreswan IPsec service";
|
|
|
|
configSetup = lib.mkOption {
|
|
type = lib.types.lines;
|
|
default = ''
|
|
protostack=netkey
|
|
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
|
|
'';
|
|
example = ''
|
|
secretsfile=/root/ipsec.secrets
|
|
protostack=netkey
|
|
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
|
|
'';
|
|
description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration";
|
|
};
|
|
|
|
connections = lib.mkOption {
|
|
type = lib.types.attrsOf lib.types.lines;
|
|
default = {};
|
|
example = lib.literalExpression ''
|
|
{ myconnection = '''
|
|
auto=add
|
|
left=%defaultroute
|
|
leftid=@user
|
|
|
|
right=my.vpn.com
|
|
|
|
ikev2=no
|
|
ikelifetime=8h
|
|
''';
|
|
}
|
|
'';
|
|
description = "A set of connections to define for the Libreswan IPsec service";
|
|
};
|
|
|
|
policies = lib.mkOption {
|
|
type = lib.types.attrsOf lib.types.lines;
|
|
default = {};
|
|
example = lib.literalExpression ''
|
|
{ private-or-clear = '''
|
|
# Attempt opportunistic IPsec for the entire Internet
|
|
0.0.0.0/0
|
|
::/0
|
|
''';
|
|
}
|
|
'';
|
|
description = ''
|
|
A set of policies to apply to the IPsec connections.
|
|
|
|
::: {.note}
|
|
The policy name must match the one of connection it needs to apply to.
|
|
:::
|
|
'';
|
|
};
|
|
|
|
disableRedirects = lib.mkOption {
|
|
type = lib.types.bool;
|
|
default = true;
|
|
description = ''
|
|
Whether to disable send and accept redirects for all network interfaces.
|
|
See the Libreswan [
|
|
FAQ](https://libreswan.org/wiki/FAQ#Why_is_it_recommended_to_disable_send_redirects_in_.2Fproc.2Fsys.2Fnet_.3F) page for why this is recommended.
|
|
'';
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
###### implementation
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
|
|
# Install package, systemd units, etc.
|
|
environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ];
|
|
systemd.packages = [ pkgs.libreswan ];
|
|
systemd.tmpfiles.packages = [ pkgs.libreswan ];
|
|
|
|
# Install configuration files
|
|
environment.etc = {
|
|
"ipsec.secrets".source = "${pkgs.libreswan}/etc/ipsec.secrets";
|
|
"ipsec.conf".source = "${pkgs.libreswan}/etc/ipsec.conf";
|
|
"ipsec.d/01-nixos.conf".source = configFile;
|
|
} // policyFiles;
|
|
|
|
systemd.services.ipsec = {
|
|
description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec";
|
|
wantedBy = [ "multi-user.target" ];
|
|
restartTriggers = [ configFile ] ++ lib.mapAttrsToList (n: v: v.source) policyFiles;
|
|
path = with pkgs; [
|
|
libreswan
|
|
iproute2
|
|
procps
|
|
nssTools
|
|
iptables
|
|
nettools
|
|
];
|
|
preStart = lib.optionalString cfg.disableRedirects ''
|
|
# Disable send/receive redirects
|
|
echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects
|
|
echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects
|
|
'';
|
|
serviceConfig = {
|
|
StateDirectory = "ipsec/nss";
|
|
StateDirectoryMode = 0700;
|
|
};
|
|
};
|
|
|
|
};
|
|
|
|
}
|