unofficial mirror of guix-patches@gnu.org 
 help / color / mirror / code / Atom feed
From: Domagoj Stolfa <ds815@gmx.com>
To: Tobias Geerinckx-Rice <me@tobias.gr>
Cc: 48803@debbugs.gnu.org
Subject: [bug#48803] [PATCH] strongswan: provide a service definition and configuration interface.
Date: Sun, 13 Jun 2021 14:04:00 +0100	[thread overview]
Message-ID: <YMYCQGd9afRr/IrD@parenthesis> (raw)
In-Reply-To: <87r1h6x7hf.fsf@nckx>

[-- Attachment #1: Type: text/plain, Size: 3237 bytes --]

Tobias,
> > and we do not put the config
> > file in a Guile string (to avoid indentation issues).
> 
> Not using a string is fine by me, but I don't understand this particular
> argument for it.

ipsec.conf is pythonistic in the sense that it's sensitive to
indentation. This is just to avoid copy-paste errors in a config file
that results in cryptic error messages because the user missed a space
while copy-pasting something. It's easier to just transmit the file as
given by the "higher-ups" out of bounds than have it as a configuration
string, as ipsec.secrets kind of has to be transmitted that way anyway.

> What does the daemon do now when USE-IPSEC? is #f?  Anything useful?

It doesn't do anything other than use the default configuration that is
provided by strongswan as it is shipped (basically, whatever is in the
build directory by default). This is what it has done up until this
point already, the user would have start strongswan by setting an
environment variable to some local `strongswan.conf`. It is also what
strongswan does on a fresh installation in any other distribution I've
tried it on.

> Could we drop USE-IPSEC? and allow IPSEC-CONF/IPSEC-SECRETS to be #f to
> signal the same thing (enforcing only sane combinations)? Or would that make
> things more confusing?

We could, the plan I had for `strongswan` as a service is to support
both ipsec.conf/ipsec.secrets and swanctl, hence the `use-ipsec?` as a
separate thing. I can refactor it without that flag and have no real
strong opinion on it.

> Is all this legacy enough to mark as such in the field name
> (LEGACY-IPSEC-CONF, etc.) or is it one of those things that will never ever
> go away and VPN providers will still hand out ipsecs.conf in 2038?

Unclear at this point, I don't see how strongswan could drop support for
ipsec.conf and ipsec.secrets without making a lot of users angry at this
point. The VPN that I'm using is configured and documented by people who
are quite familiar with strongswan, and even there the documentation is
referring to ipsec.conf and ipsec.secrets rather than swanctl at the
moment.

> Nitpick: ;;-comments are full sentences ending in a full stop.

ACK. Will fix.

> …you had to choose between two ifs and two #$strongswan-dirs, and chose two
> #$strongswan-dirs?  I prefer two ifs.

I think the reasoning for this was that if we're not using
ipsec.conf/ipsec.secrets, we would be writing swanctl-specific
configuration. Right now, that is just including strongswan.d, but it
might do other things, so I've kept it in a more traditional if-else
format.

> I guess.  I have no idea how ‘generic’ StrongSwan is and whether this makes
> more sense than (provision '(ipsec)) or not.

That's a good question. I think it could probably provision ipsec, but I
haven't really verified it so I didn't want to risk doing that. I assume
that it can, though.

> "StrongSwan's charon IKE keying daemon for IPsec VPN."

ACK.

> For this to be merged, we're still missing some documentation in
> doc/guix.text.  Would you be willing to write some?

Will include the docs with the next patch.

Thanks for the detailed feedback!

-- 
Domagoj


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

  reply	other threads:[~2021-06-13 15:24 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-06-02 22:11 [bug#48803] [PATCH] strongswan: provide a service definition and configuration interface Domagoj Stolfa
2021-06-13 12:41 ` Tobias Geerinckx-Rice via Guix-patches via
2021-06-13 13:04   ` Domagoj Stolfa [this message]
2021-06-13 12:45 ` Tobias Geerinckx-Rice via Guix-patches via
2021-06-13 15:08 ` [bug#48803] [PATCH] gnu: Add strongswan service Domagoj Stolfa
2021-06-24 23:17   ` bug#48803: " Tobias Geerinckx-Rice via Guix-patches via

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://guix.gnu.org/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YMYCQGd9afRr/IrD@parenthesis \
    --to=ds815@gmx.com \
    --cc=48803@debbugs.gnu.org \
    --cc=me@tobias.gr \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).