
strongswan module: make it work with ipsec l2tp

NetworkManager-l2tp saves its secrets into /etc/ipsec.d, but strongSwan would not read
them. l2tp checks whether /etc/ipsec.secrets includes /etc/ipsec.d and, if
not, tries to add that include by writing into /etc/ipsec.secrets.

Solution:
Have the strongswan module create /etc/ipsec.d and /etc/ipsec.secrets
when networkmanager_l2tp is installed.
Include /etc/ipsec.secrets in
/nix/store/hash-strongswan/etc/ipsec.secrets so that it can find l2tp
secrets.

Also when the ppp 'nopeerdns' option is used, the DNS resolver tries to
write into an alternate file /etc/ppp/resolv.conf. This fails when
/etc/ppp does not exist so the module creates it by default.

+26 -10
+1
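--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -335,6 +335,7 @@
 
 preStart = ''
 mkdir -m 700 -p /etc/NetworkManager/system-connections
+mkdir -m 700 -p /etc/ipsec.d
 mkdir -m 755 -p ${stateDirs}
 '';
 };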
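Review bot: `mkdir -m 700 -p /etc/ipsec.d` only applies the mode when it actually creates the directory; if /etc/ipsec.d already exists with a wider mode, `-p` leaves it untouched and the l2tp secrets written there stay exposed. Since this directory is created specifically to hold secrets, follow it with `chmod 700 /etc/ipsec.d` so the mode is enforced on every start, matching what the system-connections line intends. The commit message says the directory is created by the strongswan module only when networkmanager_l2tp is installed, but this hunk creates it unconditionally in NetworkManager's preStart, so either the message or the condition should be adjusted. The enclosing `systemd.services` attribute set starts outside the hunk.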
+19 -4
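--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
@@ -32,13 +32,13 @@
 ${caConf}
 '';
 
-strongswanConf = {setup, connections, ca, secrets, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
+strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
 charon {
 ${if managePlugins then "load_modular = no" else ""}
 ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""}
 plugins {
 stroke {
-secrets_file = ${ipsecSecrets secrets}
+secrets_file = ${secretsFile}
 }
 }
 }
@@ -135,7 +135,18 @@
 };
 };
 
-config = with cfg; mkIf enable {
+
+config = with cfg;
+let
+secretsFile = ipsecSecrets cfg.secrets;
+in
+mkIf enable
+{
+
+# here we should use the default strongswan ipsec.secrets and
+# append to it (default one is empty so not a pb for now)
+environment.etc."ipsec.secrets".source = secretsFile;
+
 systemd.services.strongswan = {
 description = "strongSwan IPSec Service";
 wantedBy = [ "multi-user.target" ];
@@ -143,11 +154,15 @@
 wants = [ "keys.target" ];
 after = [ "network-online.target" "keys.target" ];
 environment = {
-STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets managePlugins enabledPlugins; };
+STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
 };
 serviceConfig = {
 ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork";
 };
+preStart = ''
+# with 'nopeerdns' setting, ppp writes into this folder
+mkdir -m 700 -p /etc/ppp
+'';
 };
 };
 }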
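Review bot: With `secrets_file = ${secretsFile}` pointing charon straight at the generated store file and `/etc/ipsec.secrets` symlinked to that same file, charon never consults the package's own ipsec.secrets, so the `include /etc/ipsec.secrets` this commit adds to the package has no effect under this module; whether the l2tp secrets under /etc/ipsec.d are loaded at all then depends on `ipsecSecrets` (outside the hunk) emitting an `include /etc/ipsec.d/*.secrets` line, which should be verified or made explicit here. The comment at new lines 146-147 should state that instead of "not a pb for now", e.g. `# /etc/ipsec.secrets is a read-only store symlink; l2tp secrets in /etc/ipsec.d are only read if the generated file includes them`. If `ipsecSecrets` builds the file with `toFile` like `strongswanConf` does, the secrets remain world-readable in the store as before; the new /etc symlink just makes that path easier to find, which is worth a note in the option docs. As in the networkmanager hunk, `mkdir -m 700 -p /etc/ppp` does not tighten a pre-existing /etc/ppp.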
+1 -6
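--- a/pkgs/tools/networking/network-manager/l2tp.nix
+++ b/pkgs/tools/networking/network-manager/l2tp.nix
@@ -41,16 +41,11 @@
 ];
 
 enableParallelBuilding = true;
-configureFlags = [
-"--with-gnome=${if withGnome then "yes" else "no"}"
-"--localstatedir=/var"
-] ;
-
 
 meta = with stdenv.lib; {
 description = "L2TP plugin for NetworkManager";
 inherit (networkmanager.meta) platforms;
-homepage = http://github.com/nm-l2tp/network-manager-l2tp;
+homepage = https://github.com/nm-l2tp/network-manager-l2tp;
 license = licenses.gpl2;
 maintainers = with maintainers; [ abbradar obadz ];
 };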
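Review bot: Dropping the whole `configureFlags` list also drops `--localstatedir=/var`, which the commit message does not mention and which can change where the plugin expects its runtime state; if only the `--with-gnome` flag was the problem, keep `configureFlags = [ "--localstatedir=/var" ];`. If `withGnome` is still a parameter of this derivation (the function header is outside the hunk), it is now unused and should be removed or wired back in. The homepage change to https is fine as is.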
+5
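--- a/pkgs/tools/networking/strongswan/default.nix
+++ b/pkgs/tools/networking/strongswan/default.nix
@@ -76,6 +76,11 @@
 "--enable-sqlite" ]
 ++ optional enableNetworkManager "--enable-nm";
 
+postInstall = ''
+# this is needed for l2tp
+echo "include /etc/ipsec.secrets" >> $out/etc/ipsec.secrets
+'';
+
 NIX_LDFLAGS = "-lgcc_s" ;
 
 meta = {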
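Review bot: The appended `include /etc/ipsec.secrets` makes every consumer of this package read an absolute host path at startup, not only the NixOS module, and the comment `# this is needed for l2tp` does not say why; replace it with something like `# NetworkManager-l2tp keeps its secrets under /etc/ipsec.d and expects /etc/ipsec.secrets to be consulted, so have the default secrets file pull it in.` Whether strongSwan tolerates a missing /etc/ipsec.secrets on hosts that have none should be confirmed, since the include is now unconditional. Quote the redirect target for shell hygiene, `>> "$out/etc/ipsec.secrets"`.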