Subject: [bug#48803] [PATCH] strongswan: provide a service definition and configuration interface.
Resent-From: Domagoj Stolfa
Resent-CC: guix-patches@gnu.org
Resent-Date: Wed, 02 Jun 2021 23:12:02 +0000
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 48803
X-GNU-PR-Package: guix-patches
X-GNU-PR-Keywords: patch
To: 48803@debbugs.gnu.org
X-Debbugs-Original-To: guix-patches@gnu.org
Date: Wed, 2 Jun 2021 23:11:03 +0100
From: Domagoj Stolfa
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1

This commit adds a strongswan-service-type which allows the user to start strongswan correctly on Guix. Without this, they would need to manually write a strongswan.conf file and run it with `STRONGSWAN_CONF=/path/to/strongswan.conf ipsec start`.

For now, we only support the legacy ipsec.conf/ipsec.secrets interface. Because ipsec.conf depends on indentation and is a deprecated interface, we do not provide an EDSL to configure it, and we do not put the config file in a Guile string (to avoid indentation issues). Similarly, ipsec.secrets contains the user's authentication tokens/passwords, and is for security reasons transmitted separately from the configuration file.

This change allows the user to write something as follows in their config:

```
(service strongswan-service-type
         (strongswan-configuration
          (use-ipsec? #t)
          (ipsec-conf "/config-files/ipsec.conf")
          (ipsec-secrets "/config-files/ipsec.secrets")))
```

This will start the charon daemon and allow them to connect to their VPNs configured in `/config-files/ipsec.conf`.
---
 gnu/services/vpn.scm | 128 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 128 insertions(+)
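Review bot: the diffstat shows only gnu/services/vpn.scm changing, so the new public `strongswan-service-type` and its `strongswan-configuration` record (fields `strongswan`, `use-ipsec?`, `ipsec-conf`, `ipsec-secrets`) arrive with no entry in doc/guix.texi and no system test. Add a section under the VPN services that documents each field and states explicitly that `ipsec-secrets` must be a path outside the store, since that is the property the commit message relies on to keep credentials out of the generated configuration.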
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index 2bcbf76727..e026f2aa58 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -4,6 +4,7 @@ ;;; Copyright =A9 2017 Mathieu Othacehe ;;; Copyright =A9 2021 Guillaume Le Vaillant ;;; Copyright =A9 2021 Solene Rapenne +;;; Copyright =A9 2021 Domagoj Stolfa ;;; ;;; This file is part of GNU Guix. ;;; @@ -26,6 +27,7 @@ #:use-module (gnu services shepherd) #:use-module (gnu system shadow) #:use-module (gnu packages admin) + #:use-module (gnu packages networking) #:use-module (gnu packages vpn) #:use-module (guix packages) #:use-module (guix records) @@ -44,6 +46,9 @@ generate-openvpn-client-documentation generate-openvpn-server-documentation =20 + strongswan-configuration + strongswan-service-type + wireguard-peer wireguard-peer? wireguard-peer-name 
@@ -529,6 +534,129 @@ is truncated and rewritten every minute.") (openvpn-remote-configuration ,openvpn-remote-configuration-fields)) 'openvpn-client-configuration)) =20 +;;; +;;; Strongswan. +;;; + +(define-record-type* + strongswan-configuration make-strongswan-configuration + strongswan-configuration? + (strongswan strongswan-configuration-strongswan ; + (default strongswan)) + (use-ipsec? strongswan-configuration-use-ipsec? ;legacy interface + (default #f)) + (ipsec-conf strongswan-configuration-ipsec-conf) + (ipsec-secrets strongswan-configuration-ipsec-secrets)) + +;; In the future, it might be worth implementing a record type to configure +;; all of the plugins, but for *most* basic usecases, simply creating the +;; files will be sufficient. Same is true of charon-plugins. +(define strongswand-config-files + (list "charon" "charon-logging" "pki" "pool" "scepclient" + "swanctl" "tnc")) + +;; Plugins to load. +(define charon-plugins + (list "aes" "aesni" "attr" "attr-sql" "chapoly" "cmac" "constraints" + "counters" "curl" "curve25519" "dhcp" "dnskey" "drbg" "eap-aka-3gp= p" + "eap-aka" "eap-dynamic" "eap-identity" "eap-md5" "eap-mschapv2" + "eap-peap" "eap-radius" "eap-simaka-pseudonym" "eap-simaka-reauth" + "eap-simaka-sql" "eap-sim" "eap-sim-file" "eap-tls" "eap-tnc" + "eap-ttls" "ext-auth" "farp" "fips-prf" "gmp" "ha" "hmac" + "kernel-netlink" "led" "md4" "md5" "mgf1" "nonce" "openssl" "pem" + "pgp" "pkcs12" "pkcs1" "pkcs7" "pkcs8" "pubkey" "random" "rc2" + "resolve" "revocation" "sha1" "sha2" "socket-default" "soup" "sql" + "sqlite" "sshkey" "tnc-tnccs" "vici" "x509" "xauth-eap" "xauth-gen= eric" + "xauth-noauth" "xauth-pam" "xcbc")) + +(define (strongswan-configuration-file config) + (match-record config + (strongswan use-ipsec? 
ipsec-conf ipsec-secrets) + (let* ((strongswan-dir + (computed-file + "strongswan.d" + #~(begin + (mkdir #$output) + ;; Create all of the configuration files in strongswan.d/= *.conf + (map (lambda (conf-file) + (let* ((filename (string-append + #$output "/" + conf-file ".conf"))) + (call-with-output-file filename + (lambda (port) + (display + "# Created by 'strongswan-service'\n" + port))))) + (list #$@strongswand-config-files)) + (mkdir (string-append #$output "/charon")) + ;; And all of the strongswan.d/charon/*.conf files (plugi= ns) + (map (lambda (plugin) + (let* ((filename (string-append + #$output "/charon/" + plugin ".conf"))) + (call-with-output-file filename + (lambda (port) + (format port "~a { + load =3D yes +}" + plugin))))) + (list #$@charon-plugins)))))) + ;; Generate our strongswan.conf to reflect the user configuration. + (computed-file + "strongswan.conf" + #~(begin + (call-with-output-file #$output + (lambda (port) + (display "# Generated by 'strongswan-service'.\n" port) + (format port "charon { + load_modular =3D yes + plugins { + include ~a/charon/*.conf" + #$strongswan-dir) + (if #$use-ipsec? 
+ (format port " + stroke { + load =3D yes + secrets_file =3D ~a + } + } +} + +starter { + config_file =3D ~a +} + +include ~a/*.conf" + #$ipsec-secrets + #$ipsec-conf + #$strongswan-dir) + (format port " + } +} +include ~a/*.conf" + #$strongswan-dir))))))))) + +(define (strongswan-shepherd-service config) + (let* ((ipsec (file-append strongswan "/sbin/ipsec")) + (strongswan-conf-path (strongswan-configuration-file config))) + (list (shepherd-service + (requirement '(networking)) + (provision '(strongswan)) + (start #~(make-forkexec-constructor + (list #$ipsec "start" "--nofork") + #:environment-variables + (list (string-append "STRONGSWAN_CONF=3D" + #$strongswan-conf-path)))) + (stop #~(make-kill-destructor)) + (documentation "Start the charon daemon for IPsec VPN"))))) + +(define strongswan-service-type + (service-type + (name 'strongswan) + (extensions + (list (service-extension shepherd-root-service-type + strongswan-shepherd-service))))) + ;;; ;;; Wireguard. ;;; --=20 2.31.1
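Review bot: the added `#:use-module (gnu packages networking)` in the second hunk appears unused: the only package the new code references is `strongswan`, which comes from `(gnu packages vpn)` (already imported), and none of the helpers it calls (`computed-file`, `file-append`, `match-record`, `shepherd-service`) live in that module. Drop the import unless a later revision needs something from it.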
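Review bot: the export hunk adds only `strongswan-configuration` and `strongswan-service-type`; the predicate `strongswan-configuration?` and the four field accessors stay private, unlike the WireGuard exports right below it (`wireguard-peer`, `wireguard-peer?`, `wireguard-peer-name`, ...). Export them so that system tests and other services can inspect a configuration without reaching into the module.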
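Review bot: in the `define-record-type*` at the top of the last hunk, `ipsec-conf` and `ipsec-secrets` have no `(default ...)`, so every `strongswan-configuration` must supply both paths even though `use-ipsec?` defaults to `#f`; that default is unreachable, and a configuration that does not use the legacy interface cannot be built at all. Either give both fields `(default #f)` and have `strongswan-configuration-file` raise a clear error when `use-ipsec?` is `#t` and one of them is missing, or drop `use-ipsec?` and infer it from `ipsec-conf` being set. Separately, nothing stops a user from passing a file-like object such as `(local-file "ipsec.secrets")` here, which would copy the secrets into the world-readable store; a `(sanitize ...)` clause that rejects anything but a string keeps the guarantee the commit message makes about secrets staying out of the configuration.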
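Review bot: the `charon-plugins` constant sets `load = yes` for the entire plugin tree, including `xauth-noauth` (XAuth that performs no client authentication), `eap-radius`, `ha`, the `sql`/`sqlite`/`attr-sql` backends and the legacy algorithm plugins `md4`, `md5`, `rc2` and `sha1`. For a daemon that terminates IKE on an external interface the default should be the small set the stroke/ipsec.conf path actually needs (for instance `aes`, `sha2`, `hmac`, `random`, `nonce`, `x509`, `pubkey`, `pem`, `pkcs1`, `kernel-netlink`, `socket-default` plus `stroke`), with everything else opt-in; make `charon-plugins` a field of `strongswan-configuration` instead of a module-level constant so users can extend it. Note also that `stroke` itself is absent from this list and is instead hard-coded into the generated strongswan.conf, and that any listed plugin the `strongswan` package was not built with will simply log a load failure at startup.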
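Review bot: in `strongswan-configuration-file`, when `use-ipsec?` is `#f` the generated strongswan.conf contains neither a `starter { config_file = ... }` block nor the `stroke` plugin, yet `strongswan-shepherd-service` still runs `ipsec start --nofork` unconditionally, which launches starter and makes it look for ipsec.conf at its compiled-in default path. Either start `charon` directly in that branch (the swanctl/vici path) or, until that is supported, reject `use-ipsec? #f` with an error rather than producing a service that starts and then fails. Minor: both `(map (lambda (conf-file) ...)` and `(map (lambda (plugin) ...)` in the `strongswan.d` builder are run only for their side effects, so `for-each` is the right operator, and `ipsec-secrets`/`ipsec-conf` are interpolated into `secrets_file = ~a` and `config_file = ~a` unquoted, so a path containing whitespace or `}` would break the parse; strongswan.conf accepts double-quoted values.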
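Review bot: `strongswan-shepherd-service` binds `ipsec` to `(file-append strongswan "/sbin/ipsec")` using the module-level `strongswan` package, and `strongswan-configuration-file` binds the field through `match-record` but never uses it, so the `strongswan` field of the record is silently ignored: a user who sets it to a pinned or patched package still runs the default one. Take the package from `(strongswan-configuration-strongswan config)` in the shepherd service and pass that same package into the config-file builder. Also, `#:environment-variables` replaces the child's environment rather than extending it, so the `ipsec` wrapper script and starter run with nothing but `STRONGSWAN_CONF` set (no `PATH`); either verify the script's helper invocations still resolve or build the list as `(cons (string-append "STRONGSWAN_CONF=" ...) (default-environment-variables))`.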