+1

lib/maintainers.nix

··· 14 14 aespinosa = "Allan Espinosa <allan.espinosa@outlook.com>"; 15 15 aflatter = "Alexander Flatter <flatter@fastmail.fm>"; 16 16 aforemny = "Alexander Foremny <alexanderforemny@googlemail.com>"; 17 17 + afranchuk = "Alex Franchuk <alex.franchuk@gmail.com>"; 17 18 aherrmann = "Andreas Herrmann <andreash87@gmx.ch>"; 18 19 ak = "Alexander Kjeldaas <ak@formalprivacy.com>"; 19 20 akaWolf = "Artjom Vejsel <akawolf0@gmail.com>";

+1

nixos/modules/module-list.nix

··· 327 327 ./services/networking/ircd-hybrid/default.nix 328 328 ./services/networking/kippo.nix 329 329 ./services/networking/lambdabot.nix 330 330 + ./services/networking/libreswan.nix 330 331 ./services/networking/mailpile.nix 331 332 ./services/networking/minidlna.nix 332 333 ./services/networking/miniupnpd.nix

+126

nixos/modules/services/networking/libreswan.nix

··· 1 1 + { config, lib, pkgs, ... }: 2 2 + 3 3 + with lib; 4 4 + 5 5 + let 6 6 + 7 7 + cfg = config.services.libreswan; 8 8 + 9 9 + libexec = "${pkgs.libreswan}/libexec/ipsec"; 10 10 + ipsec = "${pkgs.libreswan}/sbin/ipsec"; 11 11 + 12 12 + trim = chars: str: let 13 13 + nonchars = filter (x : !(elem x.value chars)) 14 14 + (imap (i: v: {ind = (sub i 1); value = v;}) (stringToCharacters str)); 15 15 + in 16 16 + if length nonchars == 0 then "" 17 17 + else substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str; 18 18 + indent = str: concatStrings (concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (splitString "\n" str)); 19 19 + configText = indent (toString cfg.configSetup); 20 20 + connectionText = concatStrings (mapAttrsToList (n: v: 21 21 + '' 22 22 + conn ${n} 23 23 + ${indent v} 24 24 + 25 25 + '') cfg.connections); 26 26 + configFile = pkgs.writeText "ipsec.conf" 27 27 + '' 28 28 + config setup 29 29 + ${configText} 30 30 + 31 31 + ${connectionText} 32 32 + ''; 33 33 + 34 34 + in 35 35 + 36 36 + { 37 37 + 38 38 + ###### interface 39 39 + 40 40 + options = { 41 41 + 42 42 + services.libreswan = { 43 43 + 44 44 + enable = mkEnableOption "libreswan ipsec service"; 45 45 + 46 46 + configSetup = mkOption { 47 47 + type = types.lines; 48 48 + default = '' 49 49 + protostack=netkey 50 50 + nat_traversal=yes 51 51 + virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 52 52 + ''; 53 53 + example = '' 54 54 + secretsfile=/root/ipsec.secrets 55 55 + protostack=netkey 56 56 + nat_traversal=yes 57 57 + virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 58 58 + ''; 59 59 + description = "Options to go in the 'config setup' section of the libreswan ipsec configuration"; 60 60 + }; 61 61 + 62 62 + connections = mkOption { 63 63 + type = types.attrsOf types.lines; 64 64 + default = {}; 65 65 + example = { 66 66 + myconnection = '' 67 67 + auto=add 68 68 + left=%defaultroute 69 69 + leftid=@user 70 70 + 71 71 + right=my.vpn.com 72 72 + 73 73 + ikev2=no 74 74 + ikelifetime=8h 75 75 + ''; 76 76 + }; 77 77 + description = "A set of connections to define for the libreswan ipsec service"; 78 78 + }; 79 79 + }; 80 80 + 81 81 + }; 82 82 + 83 83 + 84 84 + ###### implementation 85 85 + 86 86 + config = mkIf cfg.enable { 87 87 + 88 88 + environment.systemPackages = [ pkgs.libreswan pkgs.iproute ]; 89 89 + 90 90 + systemd.services.ipsec = { 91 91 + description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec"; 92 92 + path = [ 93 93 + "${pkgs.libreswan}" 94 94 + "${pkgs.iproute}" 95 95 + "${pkgs.procps}" 96 96 + ]; 97 97 + 98 98 + wants = [ "network-online.target" ]; 99 99 + after = [ "network-online.target" ]; 100 100 + wantedBy = [ "multi-user.target" ]; 101 101 + 102 102 + serviceConfig = { 103 103 + Type = "simple"; 104 104 + Restart = "always"; 105 105 + EnvironmentFile = "${pkgs.libreswan}/etc/sysconfig/pluto"; 106 106 + ExecStartPre = [ 107 107 + "${libexec}/addconn --config ${configFile} --checkconfig" 108 108 + "${libexec}/_stackmanager start" 109 109 + "${ipsec} --checknss" 110 110 + "${ipsec} --checknflog" 111 111 + ]; 112 112 + ExecStart = "${libexec}/pluto --config ${configFile} --nofork \$PLUTO_OPTIONS"; 113 113 + ExecStop = "${libexec}/whack --shutdown"; 114 114 + ExecStopPost = [ 115 115 + "${pkgs.iproute}/bin/ip xfrm policy flush" 116 116 + "${pkgs.iproute}/bin/ip xfrm state flush" 117 117 + "${ipsec} --stopnflog" 118 118 + ]; 119 119 + ExecReload = "${libexec}/whack --listen"; 120 120 + }; 121 121 + 122 122 + }; 123 123 + 124 124 + }; 125 125 + 126 126 + }

+73

pkgs/tools/networking/libreswan/default.nix

··· 1 1 + { stdenv, fetchurl, makeWrapper, 2 2 + pkgconfig, systemd, gmp, unbound, bison, flex, pam, libevent, libcap_ng, curl, nspr, 3 3 + bash, iproute, iptables, procps, coreutils, gnused, gawk, nssTools, which, python, 4 4 + docs ? false, xmlto 5 5 + }: 6 6 + 7 7 + let 8 8 + optional = stdenv.lib.optional; 9 9 + version = "3.16"; 10 10 + name = "libreswan-${version}"; 11 11 + binPath = stdenv.lib.makeBinPath [ 12 12 + bash iproute iptables procps coreutils gnused gawk nssTools which python 13 13 + ]; 14 14 + in 15 15 + 16 16 + assert docs -> xmlto != null; 17 17 + 18 18 + stdenv.mkDerivation { 19 19 + inherit name; 20 20 + inherit version; 21 21 + 22 22 + src = fetchurl { 23 23 + url = "https://download.libreswan.org/${name}.tar.gz"; 24 24 + sha256 = "15qv4101p1jw591l04gsfscb3farzd278mgi8yph015vmifyjxrd"; 25 25 + }; 26 26 + 27 27 + nativeBuildInputs = [ makeWrapper ]; 28 28 + buildInputs = [ pkgconfig bash iproute iptables systemd coreutils gnused gawk gmp unbound bison flex pam libevent 29 29 + libcap_ng curl nspr nssTools python ] 30 30 + ++ optional docs xmlto; 31 31 + 32 32 + prePatch = '' 33 33 + # Correct bash path 34 34 + sed -i -e 's|/bin/bash|/usr/bin/env bash|' mk/config.mk 35 35 + 36 36 + # Fix systemd unit directory, and prevent the makefile from trying to reload the systemd daemon 37 37 + sed -i -e 's|UNITDIR=.*$|UNITDIR=$\{out}/etc/systemd/system/|' -e 's|systemctl --system daemon-reload|true|' initsystems/systemd/Makefile 38 38 + 39 39 + # Fix the ipsec program from crushing the PATH 40 40 + sed -i -e 's|\(PATH=".*"\):.*$|\1:$PATH|' programs/ipsec/ipsec.in 41 41 + 42 42 + # Fix python script to use the correct python 43 43 + sed -i -e 's|#!/usr/bin/python|#!/usr/bin/env python|' -e 's/^\(\W*\)installstartcheck()/\1sscmd = "ss"\n\0/' programs/verify/verify.in 44 44 + ''; 45 45 + 46 46 + # Set appropriate paths for build 47 47 + preBuild = "export INC_USRLOCAL=\${out}"; 48 48 + 49 49 + makeFlags = [ 50 50 + "INITSYSTEM=systemd" 51 51 + (if docs then "all" else "base") 52 52 + ]; 53 53 + 54 54 + installTargets = [ (if docs then "install" else "install-base") ]; 55 55 + # Hack to make install work 56 56 + installFlags = [ 57 57 + "FINALVARDIR=\${out}/var" 58 58 + "FINALSYSCONFDIR=\${out}/etc" 59 59 + ]; 60 60 + 61 61 + postInstall = '' 62 62 + for i in $out/bin/* $out/libexec/ipsec/*; do 63 63 + wrapProgram "$i" --prefix PATH ':' "$out/bin:${binPath}" 64 64 + done 65 65 + ''; 66 66 + 67 67 + meta = { 68 68 + homepage = "https://libreswan.org"; 69 69 + description = "A free software implementation of the VPN protocol based on IPSec and the Internet Key Exchange"; 70 70 + platforms = stdenv.lib.platforms.linux ++ stdenv.lib.platforms.darwin ++ stdenv.lib.platforms.freebsd; 71 71 + maintainers = [ stdenv.lib.maintainers.afranchuk ]; 72 72 + }; 73 73 + }

+2

pkgs/top-level/all-packages.nix

··· 2306 2306 2307 2307 librdmacm = callPackage ../development/libraries/librdmacm { }; 2308 2308 2309 2309 + libreswan = callPackage ../tools/networking/libreswan { }; 2310 2310 + 2309 2311 libwebsockets = callPackage ../development/libraries/libwebsockets { }; 2310 2312 2311 2313 limesurvey = callPackage ../servers/limesurvey { };