{ config, lib, pkgs, ... }:
let
inherit (builtins) toFile;
inherit (lib) concatMapStringsSep concatStringsSep mapAttrsToList
mkIf mkEnableOption mkOption types;
cfg = config.services.strongswan;
ipsecSecrets = secrets: toFile "ipsec.secrets" (
concatMapStringsSep "\n" (f: "include ${f}") secrets
);
ipsecConf = {setup, connections, ca}:
let
# https://wiki.strongswan.org/projects/strongswan/wiki/IpsecConf
makeSections = type: sections: concatStringsSep "\n\n" (
mapAttrsToList (sec: attrs:
"${type} ${sec}\n" +
(concatStringsSep "\n" ( mapAttrsToList (k: v: " ${k}=${v}") attrs ))
) sections
);
setupConf = makeSections "config" { inherit setup; };
connectionsConf = makeSections "conn" connections;
caConf = makeSections "ca" ca;
in
builtins.toFile "ipsec.conf" ''
${setupConf}
${connectionsConf}
${caConf}
'';
strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
charon {
${if managePlugins then "load_modular = no" else ""}
${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""}
plugins {
stroke {
secrets_file = ${secretsFile}
}
}
}
starter {
config_file = ${ipsecConf { inherit setup connections ca; }}
}
'';
in
{
options.services.strongswan = {
enable = mkEnableOption "strongSwan";
secrets = mkOption {
type = types.listOf types.str;
default = [];
example = [ "/run/keys/ipsec-foo.secret" ];
description = ''
A list of paths to IPSec secret files. These
files will be included into the main ipsec.secrets file with
the include directive. It is safer if these
paths are absolute.
'';
};
setup = mkOption {
type = types.attrsOf types.str;
default = {};
example = { cachecrls = "yes"; strictcrlpolicy = "yes"; };
description = ''
A set of options for the ‘config setup’ section of the
ipsec.conf file. Defines general
configuration parameters.
'';
};
connections = mkOption {
type = types.attrsOf (types.attrsOf types.str);
default = {};
example = {
"%default" = {
keyexchange = "ikev2";
keyingtries = "1";
};
roadwarrior = {
auto = "add";
leftcert = "/run/keys/moonCert.pem";
leftid = "@moon.strongswan.org";
leftsubnet = "10.1.0.0/16";
right = "%any";
};
};
description = ''
A set of connections and their options for the ‘conn xxx’
sections of the ipsec.conf file.
'';
};
ca = mkOption {
type = types.attrsOf (types.attrsOf types.str);
default = {};
example = {
strongswan = {
auto = "add";
cacert = "/run/keys/strongswanCert.pem";
crluri = "http://crl2.strongswan.org/strongswan.crl";
};
};
description = ''
A set of CAs (certification authorities) and their options for
the ‘ca xxx’ sections of the ipsec.conf
file.
'';
};
managePlugins = mkOption {
type = types.bool;
default = false;
description = ''
If set to true, this option will disable automatic plugin loading and
then tell strongSwan to enable the plugins specified in the
option.
'';
};
enabledPlugins = mkOption {
type = types.listOf types.str;
default = [];
description = ''
A list of additional plugins to enable if
is true.
'';
};
};
config = with cfg;
let
secretsFile = ipsecSecrets cfg.secrets;
in
mkIf enable
{
# here we should use the default strongswan ipsec.secrets and
# append to it (default one is empty so not a pb for now)
environment.etc."ipsec.secrets".source = secretsFile;
systemd.services.strongswan = {
description = "strongSwan IPSec Service";
wantedBy = [ "multi-user.target" ];
path = with pkgs; [ kmod iproute iptables utillinux ]; # XXX Linux
wants = [ "keys.target" ];
after = [ "network-online.target" "keys.target" ];
environment = {
STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
};
serviceConfig = {
ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork";
};
preStart = ''
# with 'nopeerdns' setting, ppp writes into this folder
mkdir -m 700 -p /etc/ppp
'';
};
};
}