From: Domagoj Stolfa <ds815@gmx.com>
To: 48803@debbugs.gnu.org
Subject: [bug#48803] [PATCH] strongswan: provide a service definition and configuration interface.
Date: Wed, 2 Jun 2021 23:11:03 +0100 [thread overview]
Message-ID: <YLgB91U8SgsJxdCe@pepehands> (raw)
[-- Attachment #1: Type: text/plain, Size: 7586 bytes --]
This commit adds a strongswan-service-type which allows the user to
start strongswan correctly on Guix. Without this, they would need to
manually write a strongswan.conf file and run it with
`STRONGSWAN_CONF=/path/to/strongswan.conf ipsec start`.
For now, we only support the legacy ipsec.conf/ipsec.secrets interface.
Because ipsec.conf depends on indentation and is a deprecated intreface,
we do not provide an EDSL to configure it, and we do not put the config
file in a Guile string (to avoid indentation issues). Similarly,
ipsec.secrets contains the users authentication token/passwords, and is
for security reasons transmitted separately from the configuration file.
This change allows the user to write something as follows in their
config:
```
(service strongswan-service-type
(strongswan-configuration
(use-ipsec? #t)
(ipsec-conf "/config-files/ipsec.conf")
(ipsec-secrets "/config-files/ipsec.secrets")))
```
This will start the charon daemon and allow them to connect to their
VPNs configured in `/config-files/ipsec.conf`.
---
gnu/services/vpn.scm | 128 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 128 insertions(+)
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 2bcbf76727..e026f2aa58 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -4,6 +4,7 @@
;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
;;; Copyright © 2021 Guillaume Le Vaillant <glv@posteo.net>
;;; Copyright © 2021 Solene Rapenne <solene@perso.pw>
+;;; Copyright © 2021 Domagoj Stolfa <ds815@gmx.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -26,6 +27,7 @@
#:use-module (gnu services shepherd)
#:use-module (gnu system shadow)
#:use-module (gnu packages admin)
+ #:use-module (gnu packages networking)
#:use-module (gnu packages vpn)
#:use-module (guix packages)
#:use-module (guix records)
@@ -44,6 +46,9 @@
generate-openvpn-client-documentation
generate-openvpn-server-documentation
+ strongswan-configuration
+ strongswan-service-type
+
wireguard-peer
wireguard-peer?
wireguard-peer-name
@@ -529,6 +534,129 @@ is truncated and rewritten every minute.")
(openvpn-remote-configuration ,openvpn-remote-configuration-fields))
'openvpn-client-configuration))
+;;;
+;;; Strongswan.
+;;;
+
+(define-record-type* <strongswan-configuration>
+ strongswan-configuration make-strongswan-configuration
+ strongswan-configuration?
+ (strongswan strongswan-configuration-strongswan ;<package>
+ (default strongswan))
+ (use-ipsec? strongswan-configuration-use-ipsec? ;legacy interface
+ (default #f))
+ (ipsec-conf strongswan-configuration-ipsec-conf)
+ (ipsec-secrets strongswan-configuration-ipsec-secrets))
+
+;; In the future, it might be worth implementing a record type to configure
+;; all of the plugins, but for *most* basic usecases, simply creating the
+;; files will be sufficient. Same is true of charon-plugins.
+(define strongswand-config-files
+ (list "charon" "charon-logging" "pki" "pool" "scepclient"
+ "swanctl" "tnc"))
+
+;; Plugins to load.
+(define charon-plugins
+ (list "aes" "aesni" "attr" "attr-sql" "chapoly" "cmac" "constraints"
+ "counters" "curl" "curve25519" "dhcp" "dnskey" "drbg" "eap-aka-3gpp"
+ "eap-aka" "eap-dynamic" "eap-identity" "eap-md5" "eap-mschapv2"
+ "eap-peap" "eap-radius" "eap-simaka-pseudonym" "eap-simaka-reauth"
+ "eap-simaka-sql" "eap-sim" "eap-sim-file" "eap-tls" "eap-tnc"
+ "eap-ttls" "ext-auth" "farp" "fips-prf" "gmp" "ha" "hmac"
+ "kernel-netlink" "led" "md4" "md5" "mgf1" "nonce" "openssl" "pem"
+ "pgp" "pkcs12" "pkcs1" "pkcs7" "pkcs8" "pubkey" "random" "rc2"
+ "resolve" "revocation" "sha1" "sha2" "socket-default" "soup" "sql"
+ "sqlite" "sshkey" "tnc-tnccs" "vici" "x509" "xauth-eap" "xauth-generic"
+ "xauth-noauth" "xauth-pam" "xcbc"))
+
+(define (strongswan-configuration-file config)
+ (match-record config <strongswan-configuration>
+ (strongswan use-ipsec? ipsec-conf ipsec-secrets)
+ (let* ((strongswan-dir
+ (computed-file
+ "strongswan.d"
+ #~(begin
+ (mkdir #$output)
+ ;; Create all of the configuration files in strongswan.d/*.conf
+ (map (lambda (conf-file)
+ (let* ((filename (string-append
+ #$output "/"
+ conf-file ".conf")))
+ (call-with-output-file filename
+ (lambda (port)
+ (display
+ "# Created by 'strongswan-service'\n"
+ port)))))
+ (list #$@strongswand-config-files))
+ (mkdir (string-append #$output "/charon"))
+ ;; And all of the strongswan.d/charon/*.conf files (plugins)
+ (map (lambda (plugin)
+ (let* ((filename (string-append
+ #$output "/charon/"
+ plugin ".conf")))
+ (call-with-output-file filename
+ (lambda (port)
+ (format port "~a {
+ load = yes
+}"
+ plugin)))))
+ (list #$@charon-plugins))))))
+ ;; Generate our strongswan.conf to reflect the user configuration.
+ (computed-file
+ "strongswan.conf"
+ #~(begin
+ (call-with-output-file #$output
+ (lambda (port)
+ (display "# Generated by 'strongswan-service'.\n" port)
+ (format port "charon {
+ load_modular = yes
+ plugins {
+ include ~a/charon/*.conf"
+ #$strongswan-dir)
+ (if #$use-ipsec?
+ (format port "
+ stroke {
+ load = yes
+ secrets_file = ~a
+ }
+ }
+}
+
+starter {
+ config_file = ~a
+}
+
+include ~a/*.conf"
+ #$ipsec-secrets
+ #$ipsec-conf
+ #$strongswan-dir)
+ (format port "
+ }
+}
+include ~a/*.conf"
+ #$strongswan-dir)))))))))
+
+(define (strongswan-shepherd-service config)
+ (let* ((ipsec (file-append strongswan "/sbin/ipsec"))
+ (strongswan-conf-path (strongswan-configuration-file config)))
+ (list (shepherd-service
+ (requirement '(networking))
+ (provision '(strongswan))
+ (start #~(make-forkexec-constructor
+ (list #$ipsec "start" "--nofork")
+ #:environment-variables
+ (list (string-append "STRONGSWAN_CONF="
+ #$strongswan-conf-path))))
+ (stop #~(make-kill-destructor))
+ (documentation "Start the charon daemon for IPsec VPN")))))
+
+(define strongswan-service-type
+ (service-type
+ (name 'strongswan)
+ (extensions
+ (list (service-extension shepherd-root-service-type
+ strongswan-shepherd-service)))))
+
;;;
;;; Wireguard.
;;;
--
2.31.1
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next reply other threads:[~2021-06-02 23:15 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-02 22:11 Domagoj Stolfa [this message]
2021-06-13 12:41 ` [bug#48803] [PATCH] strongswan: provide a service definition and configuration interface Tobias Geerinckx-Rice via Guix-patches via
2021-06-13 13:04 ` Domagoj Stolfa
2021-06-13 12:45 ` Tobias Geerinckx-Rice via Guix-patches via
2021-06-13 15:08 ` [bug#48803] [PATCH] gnu: Add strongswan service Domagoj Stolfa
2021-06-24 23:17 ` bug#48803: " Tobias Geerinckx-Rice via Guix-patches via
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YLgB91U8SgsJxdCe@pepehands \
--to=ds815@gmx.com \
--cc=48803@debbugs.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).