nixos/modules/services/networking/strongswan-swanctl/module.nix

   1 { config, lib, pkgs, ... }:
   2
   3 with lib;
   4 with (import ./param-lib.nix lib);
   5
   6 let
   7   cfg = config.services.strongswan-swanctl;
   8   configFile = pkgs.writeText "swanctl.conf"
   9       ( (paramsToConf cfg.swanctl swanctlParams)
  10       + (concatMapStrings (i: "\ninclude ${i}") cfg.includes));
  11   swanctlParams = import ./swanctl-params.nix lib;
  12 in  {
  13   options.services.strongswan-swanctl = {
  14     enable = mkEnableOption "strongswan-swanctl service";
  15
  16     package = mkPackageOption pkgs "strongswan" { };
  17
  18     strongswan.extraConfig = mkOption {
  19       type = types.str;
  20       default = "";
  21       description = ''
  22         Contents of the `strongswan.conf` file.
  23       '';
  24     };
  25
  26     swanctl = paramsToOptions swanctlParams;
  27     includes = mkOption {
  28       type = types.listOf types.path;
  29       default = [];
  30       description = ''
  31         Extra configuration files to include in the swanctl configuration. This can be used to provide secret values from outside the nix store.
  32       '';
  33     };
  34   };
  35
  36   config = mkIf cfg.enable {
  37
  38     assertions = [
  39       { assertion = !config.services.strongswan.enable;
  40         message = "cannot enable both services.strongswan and services.strongswan-swanctl. Choose either one.";
  41       }
  42     ];
  43
  44     environment.etc."swanctl/swanctl.conf".source = configFile;
  45     environment.etc."strongswan.conf".text = cfg.strongswan.extraConfig;
  46
  47     # The swanctl command complains when the following directories don't exist:
  48     # See: https://wiki.strongswan.org/projects/strongswan/wiki/Swanctldirectory
  49     systemd.tmpfiles.rules = [
  50       "d /etc/swanctl/x509 -"     # Trusted X.509 end entity certificates
  51       "d /etc/swanctl/x509ca -"   # Trusted X.509 Certificate Authority certificates
  52       "d /etc/swanctl/x509ocsp -"
  53       "d /etc/swanctl/x509aa -"   # Trusted X.509 Attribute Authority certificates
  54       "d /etc/swanctl/x509ac -"   # Attribute Certificates
  55       "d /etc/swanctl/x509crl -"  # Certificate Revocation Lists
  56       "d /etc/swanctl/pubkey -"   # Raw public keys
  57       "d /etc/swanctl/private -"  # Private keys in any format
  58       "d /etc/swanctl/rsa -"      # PKCS#1 encoded RSA private keys
  59       "d /etc/swanctl/ecdsa -"    # Plain ECDSA private keys
  60       "d /etc/swanctl/bliss -"
  61       "d /etc/swanctl/pkcs8 -"    # PKCS#8 encoded private keys of any type
  62       "d /etc/swanctl/pkcs12 -"   # PKCS#12 containers
  63     ];
  64
  65     systemd.services.strongswan-swanctl = {
  66       description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl";
  67       wantedBy = [ "multi-user.target" ];
  68       wants    = [ "network-online.target" ];
  69       after    = [ "network-online.target" ];
  70       path     = with pkgs; [ kmod iproute2 iptables util-linux ];
  71       restartTriggers = [
  72         config.environment.etc."swanctl/swanctl.conf".source
  73         config.environment.etc."strongswan.conf".source
  74       ];
  75       serviceConfig = {
  76         ExecStart     = "${cfg.package}/sbin/charon-systemd";
  77         Type          = "notify";
  78         ExecStartPost = "${cfg.package}/sbin/swanctl --load-all --noprompt";
  79         ExecReload    = "${cfg.package}/sbin/swanctl --reload";
  80         Restart       = "on-abnormal";
  81       };
  82     };
  83   };
  84 }