| blob | fd234cec03a6b4d384397476ba4631f0a6b4ba7a |
1 {
2 config,
3 pkgs,
4 lib,
5 ...
6 }:
8 with lib;
10 {
11 options = {
12 services.xl2tpd = {
13 enable = mkEnableOption "xl2tpd, the Layer 2 Tunnelling Protocol Daemon";
15 serverIp = mkOption {
16 type = types.str;
17 description = "The server-side IP address.";
18 default = "10.125.125.1";
19 };
21 clientIpRange = mkOption {
22 type = types.str;
23 description = "The range from which client IPs are drawn.";
24 default = "10.125.125.2-11";
25 };
27 extraXl2tpOptions = mkOption {
28 type = types.lines;
29 description = "Adds extra lines to the xl2tpd configuration file.";
30 default = "";
31 };
33 extraPppdOptions = mkOption {
34 type = types.lines;
35 description = "Adds extra lines to the pppd options file.";
36 default = "";
37 example = ''
38 ms-dns 8.8.8.8
39 ms-dns 8.8.4.4
40 '';
41 };
42 };
43 };
45 config = mkIf config.services.xl2tpd.enable {
46 systemd.services.xl2tpd =
47 let
48 cfg = config.services.xl2tpd;
50 # Config files from https://help.ubuntu.com/community/L2TPServer
51 xl2tpd-conf = pkgs.writeText "xl2tpd.conf" ''
52 [global]
53 ipsec saref = no
55 [lns default]
56 local ip = ${cfg.serverIp}
57 ip range = ${cfg.clientIpRange}
58 pppoptfile = ${pppd-options}
59 length bit = yes
61 ; Extra
62 ${cfg.extraXl2tpOptions}
63 '';
65 pppd-options = pkgs.writeText "ppp-options-xl2tpd.conf" ''
66 refuse-pap
67 refuse-chap
68 refuse-mschap
69 require-mschap-v2
70 # require-mppe-128
71 asyncmap 0
72 auth
73 crtscts
74 idle 1800
75 mtu 1200
76 mru 1200
77 lock
78 hide-password
79 local
80 # debug
81 name xl2tpd
82 # proxyarp
83 lcp-echo-interval 30
84 lcp-echo-failure 4
86 # Extra:
87 ${cfg.extraPppdOptions}
88 '';
90 xl2tpd-ppp-wrapped = pkgs.stdenv.mkDerivation {
91 name = "xl2tpd-ppp-wrapped";
92 phases = [ "installPhase" ];
93 nativeBuildInputs = with pkgs; [ makeWrapper ];
94 installPhase = ''
95 mkdir -p $out/bin
97 makeWrapper ${pkgs.ppp}/sbin/pppd $out/bin/pppd \
98 --set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \
99 --set NIX_REDIRECTS "/etc/ppp=/etc/xl2tpd/ppp"
101 makeWrapper ${pkgs.xl2tpd}/bin/xl2tpd $out/bin/xl2tpd \
102 --set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \
103 --set NIX_REDIRECTS "${pkgs.ppp}/sbin/pppd=$out/bin/pppd"
104 '';
105 };
106 in
107 {
108 description = "xl2tpd server";
110 requires = [ "network-online.target" ];
111 wantedBy = [ "multi-user.target" ];
113 preStart = ''
114 install -m 700 -d /etc/xl2tpd/ppp
116 [ -f /etc/xl2tpd/ppp/chap-secrets ] || install -m 600 -o root -g root /dev/stdin /etc/xl2tpd/ppp/chap-secrets <<EOF
117 # Secrets for authentication using CHAP
118 # client server secret IP addresses
119 #username xl2tpd password *
120 EOF
122 # The documentation says this file should be present but doesn't explain why and things work even if not there:
123 [ -f /etc/xl2tpd/l2tp-secrets ] || install -m 600 -o root -g root <(echo -n "* * "; ${pkgs.apg}/bin/apg -n 1 -m 32 -x 32 -a 1 -M LCN) /etc/xl2tpd/l2tp-secrets
125 install -m 701 -o root -g root -d /run/xl2tpd
126 '';
128 serviceConfig = {
129 ExecStart = "${xl2tpd-ppp-wrapped}/bin/xl2tpd -D -c ${xl2tpd-conf} -s /etc/xl2tpd/l2tp-secrets -p /run/xl2tpd/pid -C /run/xl2tpd/control";
130 KillMode = "process";
131 Restart = "on-success";
132 Type = "simple";
133 PIDFile = "/run/xl2tpd/pid";
134 };
135 };
136 };
137 }