| blob | 7d25957076122f26411eed98550f110718e54b3c |
1 { config, pkgs, lib, ... }:
3 with lib;
5 {
6 options = {
7 services.xl2tpd = {
8 enable = mkEnableOption (lib.mdDoc "xl2tpd, the Layer 2 Tunnelling Protocol Daemon");
10 serverIp = mkOption {
11 type = types.str;
12 description = lib.mdDoc "The server-side IP address.";
13 default = "10.125.125.1";
14 };
16 clientIpRange = mkOption {
17 type = types.str;
18 description = lib.mdDoc "The range from which client IPs are drawn.";
19 default = "10.125.125.2-11";
20 };
22 extraXl2tpOptions = mkOption {
23 type = types.lines;
24 description = lib.mdDoc "Adds extra lines to the xl2tpd configuration file.";
25 default = "";
26 };
28 extraPppdOptions = mkOption {
29 type = types.lines;
30 description = lib.mdDoc "Adds extra lines to the pppd options file.";
31 default = "";
32 example = ''
33 ms-dns 8.8.8.8
34 ms-dns 8.8.4.4
35 '';
36 };
37 };
38 };
40 config = mkIf config.services.xl2tpd.enable {
41 systemd.services.xl2tpd = let
42 cfg = config.services.xl2tpd;
44 # Config files from https://help.ubuntu.com/community/L2TPServer
45 xl2tpd-conf = pkgs.writeText "xl2tpd.conf" ''
46 [global]
47 ipsec saref = no
49 [lns default]
50 local ip = ${cfg.serverIp}
51 ip range = ${cfg.clientIpRange}
52 pppoptfile = ${pppd-options}
53 length bit = yes
55 ; Extra
56 ${cfg.extraXl2tpOptions}
57 '';
59 pppd-options = pkgs.writeText "ppp-options-xl2tpd.conf" ''
60 refuse-pap
61 refuse-chap
62 refuse-mschap
63 require-mschap-v2
64 # require-mppe-128
65 asyncmap 0
66 auth
67 crtscts
68 idle 1800
69 mtu 1200
70 mru 1200
71 lock
72 hide-password
73 local
74 # debug
75 name xl2tpd
76 # proxyarp
77 lcp-echo-interval 30
78 lcp-echo-failure 4
80 # Extra:
81 ${cfg.extraPppdOptions}
82 '';
84 xl2tpd-ppp-wrapped = pkgs.stdenv.mkDerivation {
85 name = "xl2tpd-ppp-wrapped";
86 phases = [ "installPhase" ];
87 nativeBuildInputs = with pkgs; [ makeWrapper ];
88 installPhase = ''
89 mkdir -p $out/bin
91 makeWrapper ${pkgs.ppp}/sbin/pppd $out/bin/pppd \
92 --set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \
93 --set NIX_REDIRECTS "/etc/ppp=/etc/xl2tpd/ppp"
95 makeWrapper ${pkgs.xl2tpd}/bin/xl2tpd $out/bin/xl2tpd \
96 --set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \
97 --set NIX_REDIRECTS "${pkgs.ppp}/sbin/pppd=$out/bin/pppd"
98 '';
99 };
100 in {
101 description = "xl2tpd server";
103 requires = [ "network-online.target" ];
104 wantedBy = [ "multi-user.target" ];
106 preStart = ''
107 mkdir -p -m 700 /etc/xl2tpd
109 pushd /etc/xl2tpd > /dev/null
111 mkdir -p -m 700 ppp
113 [ -f ppp/chap-secrets ] || cat > ppp/chap-secrets << EOF
114 # Secrets for authentication using CHAP
115 # client server secret IP addresses
116 #username xl2tpd password *
117 EOF
119 chown root:root ppp/chap-secrets
120 chmod 600 ppp/chap-secrets
122 # The documentation says this file should be present but doesn't explain why and things work even if not there:
123 [ -f l2tp-secrets ] || (echo -n "* * "; ${pkgs.apg}/bin/apg -n 1 -m 32 -x 32 -a 1 -M LCN) > l2tp-secrets
124 chown root:root l2tp-secrets
125 chmod 600 l2tp-secrets
127 popd > /dev/null
129 mkdir -p /run/xl2tpd
130 chown root:root /run/xl2tpd
131 chmod 700 /run/xl2tpd
132 '';
134 serviceConfig = {
135 ExecStart = "${xl2tpd-ppp-wrapped}/bin/xl2tpd -D -c ${xl2tpd-conf} -s /etc/xl2tpd/l2tp-secrets -p /run/xl2tpd/pid -C /run/xl2tpd/control";
136 KillMode = "process";
137 Restart = "on-success";
138 Type = "simple";
139 PIDFile = "/run/xl2tpd/pid";
140 };
141 };
142 };
143 }