
Merge pull request #7559 from offlinehacker/openvswitch/ipsec

openvswitch: ipsec support

+174 -68
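--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -307,7 +307,8 @@
 ./services/networking/privoxy.nix
 ./services/networking/prosody.nix
 ./services/networking/quassel.nix
+./services/networking/racoon.nix
 ./services/networking/radicale.nix
 ./services/networking/radvd.nix
 ./services/networking/rdnssd.nix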
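--- a/nixos/modules/services/networking/racoon.nix
+++ b/nixos/modules/services/networking/racoon.nix
@@ -0,0 +1,42 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+cfg = config.services.racoon;
+in {
+options.services.racoon = {
+enable = mkEnableOption "Whether to enable racoon.";
+
+config = mkOption {
+description = "Contents of racoon configuration file.";
+default = "";
+type = types.str;
+};
+
+configPath = mkOption {
+description = "Location of racoon config if config is not provided.";
+default = "/etc/racoon/racoon.conf";
+type = types.path;
+};
+};
+
+config = mkIf cfg.enable {
+systemd.services.racoon = {
+description = "Racoon Daemon";
+wantedBy = [ "multi-user.target" ];
+after = [ "network.target" ];
+serviceConfig = {
+ExecStart = "${pkgs.ipsecTools}/bin/racoon -f ${
+if (cfg.config != "") then pkgs.writeText "racoon.conf" cfg.config
+else cfg.configPath
+}";
+ExecReload = "${pkgs.ipsecTools}/bin/racoonctl reload-config";
+PIDFile = "/var/run/racoon.pid";
+Type = "forking";
+Restart = "always";
+};
+preStart = "rm /var/run/racoon.pid || true";
+};
+};
+}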
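Review bot: `enable = mkEnableOption "Whether to enable racoon.";` double-prefixes the generated option description, because mkEnableOption already produces "Whether to enable …"; it should read `enable = mkEnableOption "racoon";`. For the `config` option, its value is written with `pkgs.writeText` into the Nix store, which is world-readable, so the option description should say that secrets belong in files the configuration references (pre-shared key and certificate paths), never inline — e.g. `description = "Contents of racoon configuration file. Do not put secrets here; the text is stored in the world-readable Nix store.";`. The `preStart` line would be simpler as `preStart = "rm -f /var/run/racoon.pid";` instead of `rm … || true`, which also masks errors other than a missing file.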
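--- a/nixos/modules/virtualisation/openvswitch.nix
+++ b/nixos/modules/virtualisation/openvswitch.nix
@@ -7,35 +7,36 @@
 let
 cfg = config.virtualisation.vswitch;
 
-in
+in {
 
-{
-
-options = {
-
-virtualisation.vswitch.enable = mkOption {
+options.virtualisation.vswitch = {
+enable = mkOption {
 type = types.bool;
 default = false;
-description =
-''
-Enable Open vSwitch. A configuration
-daemon (ovs-server) will be started.
+description = ''
+Whether to enable Open vSwitch. A configuration daemon (ovs-server)
+will be started.
 '';
 };
 
-
-virtualisation.vswitch.package = mkOption {
+package = mkOption {
 type = types.package;
 default = pkgs.openvswitch;
-description =
-''
+description = ''
 Open vSwitch package to use.
-'';
+'';
 };
 
+ipsec = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Whether to start racoon service for openvswitch.
+'';
+};
 };
 
-config = mkIf cfg.enable (let
+config = mkIf cfg.enable (let
 
 # Where the communication sockets live
 runDir = "/var/run/openvswitch";
@@ -43,7 +44,7 @@
 # Where the config database live (can't be in nix-store)
 stateDir = "/var/db/openvswitch";
 
-# The path to the an initialized version of the database
+# The path to the an initialized version of the database
 db = pkgs.stdenv.mkDerivation {
 name = "vswitch.db";
 unpackPhase = "true";
@@ -51,15 +52,12 @@
 buildInputs = with pkgs; [
 cfg.package
 ];
-installPhase =
-''
-ensureDir $out/
-'';
+installPhase = "mkdir -p $out";
 };
 
-in {
+in (mkMerge [{
 
-environment.systemPackages = [ cfg.package ];
+environment.systemPackages = [ cfg.package pkgs.ipsecTools ];
 
 boot.kernelModules = [ "tun" "openvswitch" ];
 
@@ -73,7 +71,7 @@
 path = [ cfg.package ];
 restartTriggers = [ db cfg.package ];
 # Create the config database
-preStart =
+preStart =
 ''
 mkdir -p ${runDir}
 mkdir -p /var/db/openvswitch
@@ -85,23 +83,27 @@
 fi
 chmod -R +w /var/db/openvswitch
 '';
-serviceConfig.ExecStart =
-''
-${cfg.package}/bin/ovsdb-server \
---remote=punix:${runDir}/db.sock \
---private-key=db:Open_vSwitch,SSL,private_key \
---certificate=db:Open_vSwitch,SSL,certificate \
---bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
---unixctl=ovsdb.ctl.sock \
-/var/db/openvswitch/conf.db
-'';
-serviceConfig.Restart = "always";
-serviceConfig.RestartSec = 3;
-postStart =
-''
+serviceConfig = {
+ExecStart =
+''
+${cfg.package}/bin/ovsdb-server \
+--remote=punix:${runDir}/db.sock \
+--private-key=db:Open_vSwitch,SSL,private_key \
+--certificate=db:Open_vSwitch,SSL,certificate \
+--bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert \
+--unixctl=ovsdb.ctl.sock \
+--pidfile=/var/run/openvswitch/ovsdb.pid \
+--detach \
+/var/db/openvswitch/conf.db
+'';
+Restart = "always";
+RestartSec = 3;
+PIDFile = "/var/run/openvswitch/ovsdb.pid";
+Type = "forking";
+};
+postStart = ''
 ${cfg.package}/bin/ovs-vsctl --timeout 3 --retry --no-wait init
-'';
-
+'';
 };
 
 systemd.services.vswitchd = {
@@ -109,9 +111,55 @@
 bindsTo = [ "ovsdb.service" ];
 after = [ "ovsdb.service" ];
 path = [ cfg.package ];
-serviceConfig.ExecStart = ''${cfg.package}/bin/ovs-vswitchd'';
+serviceConfig = {
+ExecStart = ''
+${cfg.package}/bin/ovs-vswitchd \
+--pidfile=/var/run/openvswitch/ovs-vswitchd.pid \
+--detach
+'';
+PIDFile = "/var/run/openvswitch/ovs-vswitchd.pid";
+Type = "forking";
+};
 };
 
-});
+}
+(mkIf cfg.ipsec {
+services.racoon.enable = true;
+services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf";
+
+networking.firewall.extraCommands = ''
+iptables -I INPUT -t mangle -p esp -j MARK --set-mark 1/1
+iptables -I INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1
+'';
+
+systemd.services.ovs-monitor-ipsec = {
+description = "Open_vSwitch Ipsec Daemon";
+wantedBy = [ "multi-user.target" ];
+requires = [ "racoon.service" ];
+after = [ "vswitchd.service" ];
+environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock";
+serviceConfig = {
+ExecStart = ''
+${cfg.package}/bin/ovs-monitor-ipsec \
+--root-prefix ${runDir}/ipsec \
+--pidfile /var/run/openvswitch/ovs-monitor-ipsec.pid \
+--monitor --detach \
+unix:/var/run/openvswitch/db.sock
+'';
+PIDFile = "/var/run/openvswitch/ovs-monitor-ipsec.pid";
+Type = "forking";
+};
+
+preStart = ''
+rm -r ${runDir}/ipsec/etc/racoon/certs || true
+mkdir -p ${runDir}/ipsec/{etc/racoon,etc/init.d/,usr/sbin/}
+ln -fs ${pkgs.ipsecTools}/bin/setkey ${runDir}/ipsec/usr/sbin/setkey
+ln -fs ${pkgs.writeScript "racoon-restart" ''
+#!${pkgs.stdenv.shell}
+/var/run/current-system/sw/bin/systemctl $1 racoon
+''} ${runDir}/ipsec/etc/init.d/racoon
+'';
+};
+})]));
 
 }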
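Review bot: `environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock";` in the ovs-monitor-ipsec service has a root-run daemon create its control socket at a fixed name in the world-writable /tmp, where any local user can pre-create or replace that path before the service starts; it should live in the root-owned run directory the module already uses, e.g. `environment.UNIXCTLPATH = "${runDir}/ovs-monitor-ipsec.ctl.sock";` (the variable must stay set, since the package's substituteInPlace makes the script read it unconditionally). The two `iptables -I INPUT -t mangle …` lines in `networking.firewall.extraCommands` insert directly into the INPUT chain rather than a nixos-fw chain, so they are presumably not removed by the firewall's stop/reload handling and a duplicate pair accumulates on every firewall restart; matching `iptables -D …` lines in `networking.firewall.extraStopCommands`, or an `iptables -C … ||` guard before each insert, avoids that. In the `racoon-restart` wrapper, `/var/run/current-system/sw/bin/systemctl` hard-codes a profile path; `${config.systemd.package}/bin/systemctl $1 racoon` is the usual form in NixOS modules and does not depend on what the system profile happens to contain.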
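--- a/pkgs/os-specific/linux/openvswitch/default.nix
+++ b/pkgs/os-specific/linux/openvswitch/default.nix
@@ -1,47 +1,62 @@
-{ stdenv, fetchurl, openssl, python27, iproute, perl, kernel ? null}:
-let
+{ stdenv, fetchurl, makeWrapper
+, openssl, python27, iproute, perl, kernel ? null }:
 
-version = "2.1.2";
+with stdenv.lib;
 
-skipKernelMod = kernel == null;
-
-in
-stdenv.mkDerivation {
-version = "2.1.2";
+let
+_kernel = kernel;
+in stdenv.mkDerivation rec {
+version = "2.3.1";
 name = "openvswitch-${version}";
+
 src = fetchurl {
-url = "http://openvswitch.org/releases/openvswitch-2.1.2.tar.gz";
-sha256 = "16q7faqrj2pfchhn0x5s9ggi5ckcg9n62f6bnqaih064aaq2jm47";
+url = "http://openvswitch.org/releases/${name}.tar.gz";
+sha256 = "1lmwyhm5wmdv1l4v1v5xd36d5ra21jz9ix57nh1lgm8iqc0lj5r1";
 };
-kernel = if skipKernelMod then null else kernel.dev;
-buildInputs = [
-openssl
-python27
-perl
-];
+
+kernel = optional (_kernel != null) _kernel.dev;
+
+buildInputs = [ makeWrapper openssl python27 perl ];
+
 configureFlags = [
 "--localstatedir=/var"
 "--sharedstatedir=/var"
 "--sbindir=$(out)/bin"
-] ++ (if skipKernelMod then [] else ["--with-linux"]);
+] ++ (optionals (_kernel != null) ["--with-linux"]);
+
 # Leave /var out of this!
 installFlags = [
 "LOGDIR=$(TMPDIR)/dummy"
 "RUNDIR=$(TMPDIR)/dummy"
 "PKIDIR=$(TMPDIR)/dummy"
 ];
+
+postInstall = ''
+cp debian/ovs-monitor-ipsec $out/share/openvswitch/scripts
+makeWrapper \
+$out/share/openvswitch/scripts/ovs-monitor-ipsec \
+$out/bin/ovs-monitor-ipsec \
+--prefix PYTHONPATH : "$out/share/openvswitch/python"
+substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
+--replace "UnixctlServer.create(None)" "UnixctlServer.create(os.environ['UNIXCTLPATH'])"
+substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
+--replace "self.psk_file" "root_prefix + self.psk_file"
+substituteInPlace $out/share/openvswitch/scripts/ovs-monitor-ipsec \
+--replace "self.cert_dir" "root_prefix + self.cert_dir"
+'';
+
 meta = {
-platforms = stdenv.lib.platforms.linux;
+platforms = platforms.linux;
 description = "A multilayer virtual switch";
-longDescription =
+longDescription =
 ''
-Open vSwitch is a production quality, multilayer virtual switch
-licensed under the open source Apache 2.0 license. It is
-designed to enable massive network automation through
-programmatic extension, while still supporting standard
-management interfaces and protocols (e.g. NetFlow, sFlow, SPAN,
-RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to
-support distribution across multiple physical servers similar
+Open vSwitch is a production quality, multilayer virtual switch
+licensed under the open source Apache 2.0 license. It is
+designed to enable massive network automation through
+programmatic extension, while still supporting standard
+management interfaces and protocols (e.g. NetFlow, sFlow, SPAN,
+RSPAN, CLI, LACP, 802.1ag). In addition, it is designed to
+support distribution across multiple physical servers similar
 to VMware's vNetwork distributed vswitch or Cisco's Nexus 1000V.
 '';
 homepage = "http://openvswitch.org/";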
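Review bot: The three `substituteInPlace --replace` calls in `postInstall` patch the ovs-monitor-ipsec Python source textually, and a pattern that stops matching after a version bump is silently ignored, which for `self.psk_file` and `self.cert_dir` would mean the script quietly writes pre-shared keys and certificates to the unprefixed /etc/racoon paths instead of under `--root-prefix`. A patch file listed in `patches` fails the build instead, and is also safer than a blanket replace of every occurrence, since any assignment to those attributes would turn into the invalid `root_prefix + self.psk_file = …` — I can't tell from the hunk whether the 2.3.1 script has one. The `UnixctlServer.create(os.environ['UNIXCTLPATH'])` replacement makes the script raise KeyError whenever the variable is unset; `--replace "UnixctlServer.create(None)" "UnixctlServer.create(os.environ.get('UNIXCTLPATH'))"` keeps the upstream default of `None` for callers outside the NixOS module (assuming `os` is already imported there).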