* gnu/services/vpn.scm (strongswan-configuration): New record type. (charon-plugins, strongswan-configuration-file) (strongswan-shepherd-service, strongswan-service-type): New variables. * doc/guix.tex (VPN Services): Document them all. This commit adds a strongswan-service-type which allows the user to start strongswan correctly on Guix. Without this, they would need to manually write a strongswan.conf file and run it with `STRONGSWAN_CONF=/path/to/strongswan.conf ipsec start`. For now, we only support the legacy ipsec.conf/ipsec.secrets interface. Because ipsec.conf depends on indentation and is a deprecated intreface, we do not provide an EDSL to configure it, and we do not put the config file in a Guile string (to avoid indentation issues). Similarly, ipsec.secrets contains the users authentication token/passwords, and is for security reasons transmitted separately from the configuration file. This change allows the user to write something as follows in their config: ``` (service strongswan-service-type (strongswan-configuration (use-ipsec? #t) (ipsec-conf "/etc/ipsec.conf") (ipsec-secrets "/etc/ipsec.secrets"))) ``` This will start the charon daemon and allow them to connect to their VPNs configured in `/config-files/ipsec.conf`. --- doc/guix.texi | 37 ++++++++++++ gnu/services/vpn.scm | 130 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 167 insertions(+) diff --git a/doc/guix.texi b/doc/guix.texi index 59b4ac11b4..f09170c76c 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -90,6 +90,7 @@ Copyright @copyright{} 2020 Edgar Vincent@* Copyright @copyright{} 2021 Maxime Devos@* Copyright @copyright{} 2021 B. Wilson@* Copyright @copyright{} 2021 Xinglu Chen@* +Copyright @copyright{} 2021 Domagoj Stolfa@* Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -27093,6 +27094,42 @@ Defaults to @samp{#f}. @end deftypevr +@subheading StrongSwan + +Currently, the StrongSwan service only provides legacy-style configuration with +ipsec.conf and ipsec.secrets files. + +@defvr {Scheme Variable} strongswan-service-type +A service type for StrongSwan configuration. Its value must be a +@code{strongswan-configuration} record as in this example: + +@lisp +(service strongswan-service-type + (strongswan-configuration + (ipsec-conf "/etc/ipsec.conf") + (ipsec-secrets "/etc/ipsec.secrets"))) +@end lisp + +@end defvr + +@deftp {Data Type} strongswan-configuration +Data type representing the configuration of the StrongSwan service. + +@table @asis +@item @code{strongswan} +The strongswan package to use for this service. + +@item @code{ipsec-conf} (default: @code{#f}) +The path to an ipsec.conf file. If set to @code{#f}, @code{ipsec-secrets} will +also be ignored. + +@item @code{ipsec-secrets} (default @code{#f}) +The path to an ipsec.secrets file. If set to @code{#f}, @code{ipsec-conf} will +also be ignored. + +@end table +@end deftp + @c %end of automatic openvpn-server documentation @subsubheading Wireguard diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index 2bcbf76727..691cc3c05a 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -26,6 +26,7 @@ #:use-module (gnu services shepherd) #:use-module (gnu system shadow) #:use-module (gnu packages admin) + #:use-module (gnu packages networking) #:use-module (gnu packages vpn) #:use-module (guix packages) #:use-module (guix records) @@ -44,6 +45,9 @@ generate-openvpn-client-documentation generate-openvpn-server-documentation + strongswan-configuration + strongswan-service-type + wireguard-peer wireguard-peer? wireguard-peer-name @@ -529,6 +533,132 @@ is truncated and rewritten every minute.") (openvpn-remote-configuration ,openvpn-remote-configuration-fields)) 'openvpn-client-configuration)) +;;; +;;; Strongswan. +;;; + +(define-record-type* + strongswan-configuration make-strongswan-configuration + strongswan-configuration? + (strongswan strongswan-configuration-strongswan ; + (default strongswan)) + (ipsec-conf strongswan-configuration-ipsec-conf + (default #f)) + (ipsec-secrets strongswan-configuration-ipsec-secrets + (default #f))) + +;; In the future, it might be worth implementing a record type to configure +;; all of the plugins, but for *most* basic usecases, simply creating the +;; files will be sufficient. Same is true of charon-plugins. +(define strongswand-config-files + (list "charon" "charon-logging" "pki" "pool" "scepclient" + "swanctl" "tnc")) + +;; Plugins to load. All of these plugins are going to end up as configuration +;; files in strongswan.d/charon/. +(define charon-plugins + (list "aes" "aesni" "attr" "attr-sql" "chapoly" "cmac" "constraints" + "counters" "curl" "curve25519" "dhcp" "dnskey" "drbg" "eap-aka-3gpp" + "eap-aka" "eap-dynamic" "eap-identity" "eap-md5" "eap-mschapv2" + "eap-peap" "eap-radius" "eap-simaka-pseudonym" "eap-simaka-reauth" + "eap-simaka-sql" "eap-sim" "eap-sim-file" "eap-tls" "eap-tnc" + "eap-ttls" "ext-auth" "farp" "fips-prf" "gmp" "ha" "hmac" + "kernel-netlink" "led" "md4" "md5" "mgf1" "nonce" "openssl" "pem" + "pgp" "pkcs12" "pkcs1" "pkcs7" "pkcs8" "pubkey" "random" "rc2" + "resolve" "revocation" "sha1" "sha2" "socket-default" "soup" "sql" + "sqlite" "sshkey" "tnc-tnccs" "vici" "x509" "xauth-eap" "xauth-generic" + "xauth-noauth" "xauth-pam" "xcbc")) + +(define (strongswan-configuration-file config) + (match-record config + (strongswan ipsec-conf ipsec-secrets) + (let* ((strongswan-dir + (computed-file + "strongswan.d" + #~(begin + (mkdir #$output) + ;; Create all of the config files in strongswan.d/*.conf. + (map (lambda (conf-file) + (let* ((filename (string-append + #$output "/" + conf-file ".conf"))) + (call-with-output-file filename + (lambda (port) + (display + "# Created by 'strongswan-service'\n" + port))))) + (list #$@strongswand-config-files)) + (mkdir (string-append #$output "/charon")) + ;; Create all of the plugins. + (map (lambda (plugin) + (let* ((filename (string-append + #$output "/charon/" + plugin ".conf"))) + (call-with-output-file filename + (lambda (port) + (format port "~a { + load = yes +}" + plugin))))) + (list #$@charon-plugins)))))) + ;; Generate our strongswan.conf to reflect the user configuration. + (computed-file + "strongswan.conf" + #~(begin + (call-with-output-file #$output + (lambda (port) + (display "# Generated by 'strongswan-service'.\n" port) + (format port "charon { + load_modular = yes + plugins { + include ~a/charon/*.conf" + #$strongswan-dir) + (if (and (not (eq? #$ipsec-conf #f)) + (not (eq? #$ipsec-secrets #f))) + (format port " + stroke { + load = yes + secrets_file = ~a + } + } +} + +starter { + config_file = ~a +} + +include ~a/*.conf" + #$ipsec-secrets + #$ipsec-conf + #$strongswan-dir) + (format port " + } +} +include ~a/*.conf" + #$strongswan-dir))))))))) + +(define (strongswan-shepherd-service config) + (let* ((ipsec (file-append strongswan "/sbin/ipsec")) + (strongswan-conf-path (strongswan-configuration-file config))) + (list (shepherd-service + (requirement '(networking)) + (provision '(ipsec)) + (start #~(make-forkexec-constructor + (list #$ipsec "start" "--nofork") + #:environment-variables + (list (string-append "STRONGSWAN_CONF=" + #$strongswan-conf-path)))) + (stop #~(make-kill-destructor)) + (documentation + "StrongSwan's charon IKE keying daemon for IPsec VPN."))))) + +(define strongswan-service-type + (service-type + (name 'strongswan) + (extensions + (list (service-extension shepherd-root-service-type + strongswan-shepherd-service))))) + ;;; ;;; Wireguard. ;;; -- 2.32.0