Subject: [bug#48803] [PATCH] strongswan: provide a service definition and configuration interface.
From: Domagoj Stolfa
To: Tobias Geerinckx-Rice
Cc: 48803@debbugs.gnu.org, guix-patches@gnu.org
Date: Sun, 13 Jun 2021 14:04:00 +0100
In-Reply-To: <87r1h6x7hf.fsf@nckx>
Tobias,

> > and we do not put the config
> > file in a Guile string (to avoid indentation issues).
>
> Not using a string is fine by me, but I don't understand this particular
> argument for it.

ipsec.conf is pythonistic in the sense that it's sensitive to indentation. This is just to avoid copy-paste errors in a config file that result in cryptic error messages because the user missed a space while copy-pasting something. It's easier to just transmit the file as given by the "higher-ups" out of bounds than have it as a configuration string, as ipsec.secrets kind of has to be transmitted that way anyway.

> What does the daemon do now when USE-IPSEC? is #f? Anything useful?

It doesn't do anything other than use the default configuration that is provided by strongswan as it is shipped (basically, whatever is in the build directory by default). This is what it has done up until this point already; the user would have to start strongswan by setting an environment variable to some local `strongswan.conf`. It is also what strongswan does on a fresh installation in any other distribution I've tried it on.

> Could we drop USE-IPSEC? and allow IPSEC-CONF/IPSEC-SECRETS to be #f to
> signal the same thing (enforcing only sane combinations)? Or would that make
> things more confusing?

We could; the plan I had for `strongswan` as a service is to support both ipsec.conf/ipsec.secrets and swanctl, hence the `use-ipsec?` as a separate thing. I can refactor it without that flag and have no real strong opinion on it.

> Is all this legacy enough to mark as such in the field name
> (LEGACY-IPSEC-CONF, etc.) or is it one of those things that will never ever
> go away and VPN providers will still hand out ipsec.conf in 2038?

Unclear at this point; I don't see how strongswan could drop support for ipsec.conf and ipsec.secrets without making a lot of users angry at this point. The VPN that I'm using is configured and documented by people who are quite familiar with strongswan, and even there the documentation is referring to ipsec.conf and ipsec.secrets rather than swanctl at the moment.

> Nitpick: ;;-comments are full sentences ending in a full stop.

ACK. Will fix.

> …you had to choose between two ifs and two #$strongswan-dirs, and chose two
> #$strongswan-dirs? I prefer two ifs.

I think the reasoning for this was that if we're not using ipsec.conf/ipsec.secrets, we would be writing swanctl-specific configuration. Right now, that is just including strongswan.d, but it might do other things, so I've kept it in a more traditional if-else format.

> I guess. I have no idea how ‘generic’ StrongSwan is and whether this makes
> more sense than (provision '(ipsec)) or not.

That's a good question. I think it could probably provision ipsec, but I haven't really verified it so I didn't want to risk doing that. I assume that it can, though.

> "StrongSwan's charon IKE keying daemon for IPsec VPN."

ACK.

> For this to be merged, we're still missing some documentation in
> doc/guix.texi. Would you be willing to write some?

Will include the docs with the next patch.

Thanks for the detailed feedback!

-- 
Domagoj
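The following is an added illustration of the design point raised in this exchange (dropping USE-IPSEC? and instead letting IPSEC-CONF and IPSEC-SECRETS be #f, while rejecting the combinations that make no sense). It is not code from the bug#48803 patch or from Guix; it uses plain Guile SRFI-9 records rather than Guix's `define-record-type*` so it runs outside Guix, and the record, field and file names are hypothetical.

```scheme
;; Added illustration, not code from the patch under review.  The separate
;; USE-IPSEC? flag is gone: IPSEC-CONF and IPSEC-SECRETS may each be #f, and
;; the constructor rejects "one set, one #f", so a mistake fails when the
;; configuration is evaluated instead of leaving charon with half of a
;; legacy ipsec.conf setup.  Names below are hypothetical.
(use-modules (srfi srfi-9)
             (ice-9 match))

(define-record-type <strongswan-configuration>
  (%make-strongswan-configuration ipsec-conf ipsec-secrets)
  strongswan-configuration?
  ;; Each field is a file name (string) or #f.
  (ipsec-conf    strongswan-configuration-ipsec-conf)
  (ipsec-secrets strongswan-configuration-ipsec-secrets))

(define* (strongswan-configuration #:key (ipsec-conf #f) (ipsec-secrets #f))
  "Build a configuration, allowing only 'both set' (legacy ipsec.conf and
ipsec.secrets) or 'both #f' (strongswan's shipped defaults / swanctl)."
  (match (list ipsec-conf ipsec-secrets)
    (((? string?) (? string?))
     (%make-strongswan-configuration ipsec-conf ipsec-secrets))
    ((#f #f)
     (%make-strongswan-configuration #f #f))
    (_
     (error "ipsec-conf and ipsec-secrets must both be set or both be #f:"
            ipsec-conf ipsec-secrets))))

;; USE-IPSEC? is derived from the fields rather than stored beside them, so
;; the flag and the files can never disagree.
(define (use-ipsec? config)
  (string? (strongswan-configuration-ipsec-conf config)))

;; What an activation step would copy into place, as (target . source)
;; pairs.  /etc/ipsec.conf and /etc/ipsec.secrets are assumed here as the
;; conventional locations; the files themselves are handed over out of
;; band, as the thread discusses, rather than embedded in a Guile string.
(define (files-to-install config)
  (if (use-ipsec? config)
      `(("/etc/ipsec.conf"    . ,(strongswan-configuration-ipsec-conf config))
        ("/etc/ipsec.secrets" . ,(strongswan-configuration-ipsec-secrets config)))
      '()))

;; Sample configurations (constructed for this example):
(define default-config (strongswan-configuration))
(define legacy-config
  (strongswan-configuration #:ipsec-conf "/root/ipsec.conf"
                            #:ipsec-secrets "/root/ipsec.secrets"))
```

At the REPL, `(use-ipsec? default-config)` is false and `(files-to-install legacy-config)` lists the two files, while `(strongswan-configuration #:ipsec-conf "/root/ipsec.conf")` alone raises the error, which is the "sane combinations" check done once at configuration time.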