Subject: [bug#48803] [PATCH] strongswan: provide a service definition and configuration interface.
From: Tobias Geerinckx-Rice
To: Domagoj Stolfa
Cc: 48803@debbugs.gnu.org, guix-patches@gnu.org
Date: Sun, 13 Jun 2021 14:41:00 +0200
Message-ID: <87r1h6x7hf.fsf@nckx>

Domagoj,

Domagoj Stolfa wrote:
> This commit adds a strongswan-service-type which allows the user to
> start strongswan correctly on Guix.

Thank you!

> Because ipsec.conf depends on indentation and is a deprecated interface,
> we do not provide an EDSL to configure it,

OK.

> and we do not put the config
> file in a Guile string (to avoid indentation issues).

Not using a string is fine by me, but I don't understand this
particular argument for it.

> Similarly,
> ipsec.secrets contains the users' authentication token/passwords, and is
> for security reasons transmitted separately from the configuration file.

OK, good to make it hard to inadvertently intern into the store.

> (service strongswan-service-type
>          (strongswan-configuration
>           (use-ipsec? #t)
>           (ipsec-conf "/config-files/ipsec.conf")
>           (ipsec-secrets "/config-files/ipsec.secrets")))

(I)IRC you told me that the majority of users simply point
StrongSwan to a .conf/.secrets file they got from on high, and
this is all they'll ever need to do so. Sounds good to me.

This is a bit straightforward (no ‘local-file’, ‘plain-file’, …)
but there's precedent for that:

(service nginx-service-type
         (nginx-configuration
          (file "/etc/guix/nginx/nginx.conf")))

What does the daemon do now when USE-IPSEC? is #f? Anything
useful?

Could we drop USE-IPSEC? and allow IPSEC-CONF/IPSEC-SECRETS to be
#f to signal the same thing (enforcing only sane combinations)?
Or would that make things more confusing?

Is all this legacy enough to mark as such in the field name
(LEGACY-IPSEC-CONF, etc.)
or is it one of those things that will never ever go away and VPN
providers will still hand out ipsecs.conf in 2038?

> This will start the charon daemon and allow them to connect to their
> VPNs configured in `/config-files/ipsec.conf`.
> ---
> gnu/services/vpn.scm | 128 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 128 insertions(+)
>
> diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
> index 2bcbf76727..e026f2aa58 100644
> --- a/gnu/services/vpn.scm
> +++ b/gnu/services/vpn.scm
> @@ -4,6 +4,7 @@
> ;;; Copyright © 2017 Mathieu Othacehe
> ;;; Copyright © 2021 Guillaume Le Vaillant
> ;;; Copyright © 2021 Solene Rapenne
> +;;; Copyright © 2021 Domagoj Stolfa
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -26,6 +27,7 @@
> #:use-module (gnu services shepherd)
> #:use-module (gnu system shadow)
> #:use-module (gnu packages admin)
> + #:use-module (gnu packages networking)
> #:use-module (gnu packages vpn)
> #:use-module (guix packages)
> #:use-module (guix records)
> @@ -44,6 +46,9 @@
> generate-openvpn-client-documentation
> generate-openvpn-server-documentation
>
> + strongswan-configuration
> + strongswan-service-type
> +
> wireguard-peer
> wireguard-peer?
> wireguard-peer-name
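Review bot: the `#:use-module (gnu packages networking)` line added in the `@@ -26,6 +27,7 @@` hunk is not referenced anywhere else in this patch; the only package the new code names is `strongswan` (in `(default strongswan)` and `(file-append strongswan "/sbin/ipsec")`), and `(gnu packages vpn)` is already imported on the following context line. Unless `strongswan` is actually exported from (gnu packages networking), drop the new import so the module does not pick up an unused dependency.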
> @@ -529,6 +534,129 @@ is truncated and rewritten every minute.")
> (openvpn-remote-configuration ,openvpn-remote-configuration-fields))
> 'openvpn-client-configuration))
>
> +;;;
> +;;; Strongswan.
> +;;;
> +
> +(define-record-type*
> + strongswan-configuration make-strongswan-configuration
> + strongswan-configuration?
> + (strongswan strongswan-configuration-strongswan ;
> + (default strongswan))
> + (use-ipsec? strongswan-configuration-use-ipsec? ;legacy interface
> + (default #f))
> + (ipsec-conf strongswan-configuration-ipsec-conf)
> + (ipsec-secrets strongswan-configuration-ipsec-secrets))
> +
> +;; In the future, it might be worth implementing a record type to configure
> +;; all of the plugins, but for *most* basic usecases, simply creating the
> +;; files will be sufficient. Same is true of charon-plugins.
> +(define strongswand-config-files
> + (list "charon" "charon-logging" "pki" "pool" "scepclient"
> + "swanctl" "tnc"))
> +
> +;; Plugins to load.
> +(define charon-plugins
> + (list "aes" "aesni" "attr" "attr-sql" "chapoly" "cmac" "constraints"
> + "counters" "curl" "curve25519" "dhcp" "dnskey" "drbg" "eap-aka-3gpp"
> + "eap-aka" "eap-dynamic" "eap-identity" "eap-md5" "eap-mschapv2"
> + "eap-peap" "eap-radius" "eap-simaka-pseudonym" "eap-simaka-reauth"
> + "eap-simaka-sql" "eap-sim" "eap-sim-file" "eap-tls" "eap-tnc"
> + "eap-ttls" "ext-auth" "farp" "fips-prf" "gmp" "ha" "hmac"
> + "kernel-netlink" "led" "md4" "md5" "mgf1" "nonce" "openssl" "pem"
> + "pgp" "pkcs12" "pkcs1" "pkcs7" "pkcs8" "pubkey" "random" "rc2"
> + "resolve" "revocation" "sha1" "sha2" "socket-default" "soup" "sql"
> + "sqlite" "sshkey" "tnc-tnccs" "vici" "x509" "xauth-eap" "xauth-generic"
> + "xauth-noauth" "xauth-pam" "xcbc"))

Are these simply ‘all of the plug-ins’? I'm fine with this ‘temporary’
solution as long as it's never exported.
I'll trust you on all of this configuration syntax madness: :-)

> +(define (strongswan-configuration-file config)
> + (match-record config
> + (strongswan use-ipsec? ipsec-conf ipsec-secrets)
> + (let* ((strongswan-dir
> + (computed-file
> + "strongswan.d"
> + #~(begin
> + (mkdir #$output)
> + ;; Create all of the configuration files in strongswan.d/*.conf
> + (map (lambda (conf-file)
> + (let* ((filename (string-append
> + #$output "/"
> + conf-file ".conf")))
> + (call-with-output-file filename
> + (lambda (port)
> + (display
> + "# Created by 'strongswan-service'\n"
> + port)))))
> + (list #$@strongswand-config-files))
> + (mkdir (string-append #$output "/charon"))
> + ;; And all of the strongswan.d/charon/*.conf files (plugins)

Nitpick: ;;-comments are full sentences ending in a full stop.

> + (map (lambda (plugin)
> + (let* ((filename (string-append
> + #$output "/charon/"
> + plugin ".conf")))
> + (call-with-output-file filename
> + (lambda (port)
> + (format port "~a {
> + load = yes
> +}"
> + plugin)))))
> + (list #$@charon-plugins))))))
> + ;; Generate our strongswan.conf to reflect the user configuration.
> + (computed-file
> + "strongswan.conf"
> + #~(begin
> + (call-with-output-file #$output
> + (lambda (port)
> + (display "# Generated by 'strongswan-service'.\n" port)
> + (format port "charon {
> + load_modular = yes
> + plugins {
> + include ~a/charon/*.conf"
> + #$strongswan-dir)
> + (if #$use-ipsec?
> + (format port "
> + stroke {
> + load = yes
> + secrets_file = ~a
> + }

All this indentation is doing my head in, but it looks like here…

> + }
> +}
> +
> +starter {
> + config_file = ~a
> +}
> +
> +include ~a/*.conf"
> + #$ipsec-secrets
> + #$ipsec-conf
> + #$strongswan-dir)
> + (format port "
> + }
> +}
> +include ~a/*.conf"
> + #$strongswan-dir)))))))))

…you had to choose between two ifs and two #$strongswan-dirs, and
chose two #$strongswan-dirs? I prefer two ifs.
> +(define (strongswan-shepherd-service config)
> + (let* ((ipsec (file-append strongswan "/sbin/ipsec"))
> + (strongswan-conf-path (strongswan-configuration-file config)))
> + (list (shepherd-service
> + (requirement '(networking))
> + (provision '(strongswan))

I guess. I have no idea how ‘generic’ StrongSwan is and whether
this makes more sense than (provision '(ipsec)) or not.

> + (start #~(make-forkexec-constructor
> + (list #$ipsec "start" "--nofork")
> + #:environment-variables
> + (list (string-append "STRONGSWAN_CONF="
> + #$strongswan-conf-path))))
> + (stop #~(make-kill-destructor))
> + (documentation "Start the charon daemon for IPsec VPN")))))

"StrongSwan's charon IKE keying daemon for IPsec VPN."

Most of ‘Run the …’/‘Start the …’ noise that has snuck into
gnu/services should probably be removed.

> +(define strongswan-service-type
> + (service-type
> + (name 'strongswan)
> + (extensions
> + (list (service-extension shepherd-root-service-type
> + strongswan-shepherd-service)))))
> +
> ;;;
> ;;; Wireguard.
> ;;;

For this to be merged, we're still missing some documentation in
doc/guix.text. Would you be willing to write some?

Kind regards,

T G-R
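Review bot: in the `@@ -529,6 +534,129 @@` hunk, `strongswan-shepherd-service` ignores the configuration's `strongswan` field: `(ipsec (file-append strongswan "/sbin/ipsec"))` binds the module-level package, so a user who sets `(strongswan my-strongswan)` in `strongswan-configuration` still gets the default daemon started. Take the package from `(strongswan-configuration-strongswan config)` (or bind it with `match-record` as `strongswan-configuration-file` already does) before building the `ipsec` path. Two smaller points in the same hunk: `ipsec-conf` and `ipsec-secrets` carry no `(default ...)`, so they are mandatory even when `use-ipsec?` is `#f`, which does not match the "legacy interface" comment on that field; and both `map` calls in `strongswan-configuration-file` are evaluated only for their side effects, so `for-each` is the idiomatic form and avoids building a throwaway list.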
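The "two ifs" layout of strongswan.conf that Tobias prefers, written here as an added illustration rather than code from the patch: a plain Guile function that returns the file text, so the single trailing `include` of the strongswan.d directory is visible directly. The directory and file paths in the sample call are assumed values, not anything from Guix.

```scheme
;; Added illustration, not part of the patch: the "two ifs" layout of
;; strongswan.conf as a plain Guile function returning the file contents.
(define (strongswan-conf-text strongswan-dir use-ipsec? ipsec-conf ipsec-secrets)
  "Return the text of strongswan.conf.  STRONGSWAN-DIR is the generated
strongswan.d directory.  The legacy stroke and starter sections are emitted
only when USE-IPSEC? is true; the trailing include is written exactly once."
  (string-append
   "# Generated by 'strongswan-service'.\n"
   "charon {\n"
   "  load_modular = yes\n"
   "  plugins {\n"
   (format #f "    include ~a/charon/*.conf\n" strongswan-dir)
   ;; First if: the stroke plugin block belongs inside plugins { }.
   (if use-ipsec?
       (format #f "    stroke {\n      load = yes\n      secrets_file = ~a\n    }\n"
               ipsec-secrets)
       "")
   "  }\n"
   "}\n"
   ;; Second if: the starter section is a top-level block.
   (if use-ipsec?
       (format #f "\nstarter {\n  config_file = ~a\n}\n" ipsec-conf)
       "")
   ;; Written once, so STRONGSWAN-DIR is interpolated a single time.
   (format #f "\ninclude ~a/*.conf\n" strongswan-dir)))

;; Sample call with assumed paths; the two /config-files entries mirror the
;; example in the commit message, the strongswan.d location is made up.
(display (strongswan-conf-text "/tmp/strongswan.d" #t
                               "/config-files/ipsec.conf"
                               "/config-files/ipsec.secrets"))
```

Calling it with `#f` for the second argument yields the same `charon { ... }` block without the stroke section, followed only by the include line.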