strongswan module: make it work with ipsec l2tp

l2tp saves its secrets into /etc/ipsec.d but strongswan would not read them. l2tp checks for /etc/ipsec.secrets includes /etc/ipsec.d and if not tries to write into it. Solution: Have the strongswan module create /etc/ipsec.d and /etc/ipsec.secrets when networkmanager_l2tp is installed. Include /etc/ipsec.secrets in /nix/store/hash-strongswan/etc/ipsec.secrets so that it can find l2tp secrets. Also when the ppp 'nopeerdns' option is used, the DNS resolver tries to write into an alternate file /etc/ppp/resolv.conf. This fails when /etc/ppp does not exist so the module creates it by default.
2017-10-31 20:14:00 +09:00 · 2017-10-31 20:14:00 +09:00 · fe4f4de1c9
commit fe4f4de1c9
parent 11a9e1c3c0
4 changed files with 26 additions and 10 deletions
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@ -335,6 +335,7 @@ in {

      preStart = ''
        mkdir -m 700 -p /etc/NetworkManager/system-connections
+        mkdir -m 700 -p /etc/ipsec.d
        mkdir -m 755 -p ${stateDirs}
      '';
    };
--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
@ -32,13 +32,13 @@ let
      ${caConf}
    '';

-  strongswanConf = {setup, connections, ca, secrets, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
+  strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
    charon {
      ${if managePlugins then "load_modular = no" else ""}
      ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""}
      plugins {
        stroke {
-          secrets_file = ${ipsecSecrets secrets}
+          secrets_file = ${secretsFile}
        }
      }
    }
@ -135,7 +135,18 @@ in
    };
  };

-  config = with cfg; mkIf enable {
+
+  config = with cfg;
+  let
+    secretsFile = ipsecSecrets cfg.secrets;
+  in
+  mkIf enable
+    {
+
+    # here we should use the default strongswan ipsec.secrets and
+    # append to it (default one is empty so not a pb for now)
+    environment.etc."ipsec.secrets".source = secretsFile;
+
    systemd.services.strongswan = {
      description = "strongSwan IPSec Service";
      wantedBy = [ "multi-user.target" ];
@ -143,11 +154,15 @@ in
      wants = [ "keys.target" ];
      after = [ "network-online.target" "keys.target" ];
      environment = {
-        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets managePlugins enabledPlugins; };
+        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
      };
      serviceConfig = {
        ExecStart  = "${pkgs.strongswan}/sbin/ipsec start --nofork";
      };
+      preStart = ''
+        # with 'nopeerdns' setting, ppp writes into this folder
+        mkdir -m 700 -p /etc/ppp
+      '';
    };
  };
 }
--- a/pkgs/tools/networking/network-manager/l2tp.nix
+++ b/pkgs/tools/networking/network-manager/l2tp.nix
@ -41,16 +41,11 @@ stdenv.mkDerivation rec {
  ];

  enableParallelBuilding = true;
-  configureFlags = [
-    "--with-gnome=${if withGnome then "yes" else "no"}"
-    "--localstatedir=/var"
-  ] ;
-

  meta = with stdenv.lib; {
    description = "L2TP plugin for NetworkManager";
    inherit (networkmanager.meta) platforms;
-    homepage = http://github.com/nm-l2tp/network-manager-l2tp;
+    homepage = https://github.com/nm-l2tp/network-manager-l2tp;
    license = licenses.gpl2;
    maintainers = with maintainers; [ abbradar obadz ];
  };
--- a/pkgs/tools/networking/strongswan/default.nix
+++ b/pkgs/tools/networking/strongswan/default.nix
@ -76,6 +76,11 @@ stdenv.mkDerivation rec {
         "--enable-sqlite" ]
    ++ optional enableNetworkManager "--enable-nm";

+  postInstall = ''
+    # this is needed for l2tp
+    echo "include /etc/ipsec.secrets" >> $out/etc/ipsec.secrets
+  '';
+
  NIX_LDFLAGS = "-lgcc_s" ;

  meta = {