lol

strongswan module: make it work with ipsec l2tp

l2tp saves its secrets into /etc/ipsec.d, but strongswan would not read
them. l2tp checks whether /etc/ipsec.secrets includes /etc/ipsec.d and,
if not, tries to write into it.

Solution:
Have the strongswan module create /etc/ipsec.d and /etc/ipsec.secrets
when networkmanager_l2tp is installed.
Include /etc/ipsec.secrets in
/nix/store/hash-strongswan/etc/ipsec.secrets so that it can find l2tp
secrets.

Also when the ppp 'nopeerdns' option is used, the DNS resolver tries to
write into an alternate file /etc/ppp/resolv.conf. This fails when
/etc/ppp does not exist so the module creates it by default.

+26 -10
+1
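--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -335,6 +335,7 @@
 
     preStart = ''
       mkdir -m 700 -p /etc/NetworkManager/system-connections
+      mkdir -m 700 -p /etc/ipsec.d
       mkdir -m 755 -p ${stateDirs}
     '';
   };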
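Review bot: `mkdir -m 700 -p /etc/ipsec.d` in NetworkManager's preStart runs on every host with NetworkManager enabled, while the commit description says the directory is only needed when the l2tp plugin is installed and that it is strongswan, not NetworkManager, that reads it; if the intent is conditional, guard it on the l2tp plugin being enabled, and in any case add a comment such as `# secrets written by the l2tp plugin; read by strongswan via /etc/ipsec.secrets` so the cross-module coupling is visible. Note also that `mkdir -m` applies the mode only to a directory it creates, so a pre-existing /etc/ipsec.d with looser permissions is left untouched; `mkdir -p /etc/ipsec.d && chmod 700 /etc/ipsec.d` enforces it either way. The enclosing service definition starts outside the hunk.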
+19 -4
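--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
@@ -32,13 +32,13 @@
       ${caConf}
     '';
 
-  strongswanConf = {setup, connections, ca, secrets, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
+  strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
     charon {
       ${if managePlugins then "load_modular = no" else ""}
       ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""}
       plugins {
         stroke {
-          secrets_file = ${ipsecSecrets secrets}
+          secrets_file = ${secretsFile}
         }
       }
     }
@@ -135,7 +135,18 @@
   };
   };
 
-  config = with cfg; mkIf enable {
+
+  config = with cfg;
+  let
+    secretsFile = ipsecSecrets cfg.secrets;
+  in
+  mkIf enable
+  {
+
+    # here we should use the default strongswan ipsec.secrets and
+    # append to it (default one is empty so not a pb for now)
+    environment.etc."ipsec.secrets".source = secretsFile;
+
     systemd.services.strongswan = {
       description = "strongSwan IPSec Service";
       wantedBy = [ "multi-user.target" ];
@@ -143,11 +154,15 @@
       wants = [ "keys.target" ];
       after = [ "network-online.target" "keys.target" ];
       environment = {
-        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets managePlugins enabledPlugins; };
+        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
       };
       serviceConfig = {
         ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork";
       };
+      preStart = ''
+        # with 'nopeerdns' setting, ppp writes into this folder
+        mkdir -m 700 -p /etc/ppp
+      '';
     };
   };
 }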
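Review bot: `environment.etc."ipsec.secrets".source = secretsFile` turns /etc/ipsec.secrets into a symlink to a store path, which is read-only and world-readable; the commit description says the l2tp plugin appends an include of /etc/ipsec.d to that file when it is missing, so that write will fail unless `ipsecSecrets` (defined outside the hunk) already emits the include — worth confirming, and the comment at lines 146-147 should state it instead of "not a pb for now", e.g. `# /etc/ipsec.secrets is a read-only store symlink; it must already include /etc/ipsec.d so the l2tp plugin never needs to append to it`. World-readability of the generated secrets file is not new (secrets_file already pointed into the store), but publishing it at the conventional path makes it easier to stumble on, so the option documentation should say that secrets declared here end up in the Nix store. Minor: `ipsecSecrets cfg.secrets` spells out `cfg.` while the surrounding code relies on `with cfg;`; either is fine, but pick one.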
+1 -6
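--- a/pkgs/tools/networking/network-manager/l2tp.nix
+++ b/pkgs/tools/networking/network-manager/l2tp.nix
@@ -41,16 +41,11 @@
   ];
 
   enableParallelBuilding = true;
-  configureFlags = [
-    "--with-gnome=${if withGnome then "yes" else "no"}"
-    "--localstatedir=/var"
-  ] ;
-
 
   meta = with stdenv.lib; {
     description = "L2TP plugin for NetworkManager";
     inherit (networkmanager.meta) platforms;
-    homepage = http://github.com/nm-l2tp/network-manager-l2tp;
+    homepage = https://github.com/nm-l2tp/network-manager-l2tp;
     license = licenses.gpl2;
     maintainers = with maintainers; [ abbradar obadz ];
   };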
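Review bot: The removed `configureFlags` list drops `--localstatedir=/var` and `--with-gnome=...` and nothing in the hunk replaces them; if the derivation (its header is outside the hunk) still takes a `withGnome` argument it now has no effect, and the plugin's state directory presumably falls back to the build system's default under `$out` unless it is set elsewhere. The commit message does not mention this removal, so either restore `"--localstatedir=/var"` or add a comment explaining why the defaults are correct for this plugin. The switch of the homepage to https is fine.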
+5
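--- a/pkgs/tools/networking/strongswan/default.nix
+++ b/pkgs/tools/networking/strongswan/default.nix
@@ -76,6 +76,11 @@
     "--enable-sqlite" ]
     ++ optional enableNetworkManager "--enable-nm";
 
+  postInstall = ''
+    # this is needed for l2tp
+    echo "include /etc/ipsec.secrets" >> $out/etc/ipsec.secrets
+  '';
+
   NIX_LDFLAGS = "-lgcc_s" ;
 
   meta = {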
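Review bot: `echo "include /etc/ipsec.secrets" >> $out/etc/ipsec.secrets` changes the packaged secrets file for every consumer of this derivation, not only the NixOS module, and the comment `# this is needed for l2tp` does not say what the include achieves; replace it with something like `# include the host's /etc/ipsec.secrets so secrets managed outside the store (e.g. by the NixOS module or the l2tp plugin) are found`. Whether strongswan tolerates the included file being absent on hosts that never create /etc/ipsec.secrets should be confirmed and noted in the same comment. `$out` is unquoted and `>>` relies on the installed file already ending in a newline; `printf '\ninclude /etc/ipsec.secrets\n' >> "$out/etc/ipsec.secrets"` avoids both issues.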