From: Domagoj Stolfa
To: 48803@debbugs.gnu.org
Subject: [bug#48803] [PATCH] gnu: Add strongswan service.
Date: Sun, 13 Jun 2021 16:08:53 +0100
* gnu/services/vpn.scm (strongswan-configuration): New record type.
(charon-plugins, strongswan-configuration-file)
(strongswan-shepherd-service, strongswan-service-type): New variables.
* doc/guix.texi (VPN Services): Document them all.

This commit adds a strongswan-service-type which allows the user to start
strongswan correctly on Guix. Without this, they would need to manually write
a strongswan.conf file and run it with
`STRONGSWAN_CONF=/path/to/strongswan.conf ipsec start`.

For now, we only support the legacy ipsec.conf/ipsec.secrets interface.
Because ipsec.conf depends on indentation and is a deprecated interface, we do
not provide an EDSL to configure it, and we do not put the config file in a
Guile string (to avoid indentation issues). Similarly, ipsec.secrets contains
the users' authentication token/passwords, and is for security reasons
transmitted separately from the configuration file.

This change allows the user to write something as follows in their config:

```
(service strongswan-service-type
         (strongswan-configuration
          (use-ipsec? #t)
          (ipsec-conf "/etc/ipsec.conf")
          (ipsec-secrets "/etc/ipsec.secrets")))
```

This will start the charon daemon and allow them to connect to their VPNs
configured in `/config-files/ipsec.conf`.
---
 doc/guix.texi        |  37 ++++++++++++
 gnu/services/vpn.scm | 130 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 167 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 59b4ac11b4..f09170c76c 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -90,6 +90,7 @@ Copyright @copyright{} 2020 Edgar Vincent@* Copyright @copyright{} 2021 Maxime Devos@* Copyright @copyright{} 2021 B. Wilson@* Copyright @copyright{} 2021 Xinglu Chen@* +Copyright @copyright{} 2021 Domagoj Stolfa@* =20 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -27093,6 +27094,42 @@ Defaults to @samp{#f}. @end deftypevr =20 =20 +@subheading StrongSwan + +Currently, the StrongSwan service only provides legacy-style configuration= with +ipsec.conf and ipsec.secrets files. + +@defvr {Scheme Variable} strongswan-service-type +A service type for StrongSwan configuration. Its value must be a +@code{strongswan-configuration} record as in this example: + +@lisp +(service strongswan-service-type + (strongswan-configuration + (ipsec-conf "/etc/ipsec.conf") + (ipsec-secrets "/etc/ipsec.secrets"))) +@end lisp + +@end defvr + +@deftp {Data Type} strongswan-configuration +Data type representing the configuration of the StrongSwan service. + +@table @asis +@item @code{strongswan} +The strongswan package to use for this service. + +@item @code{ipsec-conf} (default: @code{#f}) +The path to an ipsec.conf file. If set to @code{#f}, @code{ipsec-secrets}= will +also be ignored. + +@item @code{ipsec-secrets} (default @code{#f}) +The path to an ipsec.secrets file. If set to @code{#f}, @code{ipsec-conf}= will +also be ignored. + +@end table +@end deftp + @c %end of automatic openvpn-server documentation =20 @subsubheading Wireguard diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index 2bcbf76727..691cc3c05a 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -26,6 +26,7 @@ #:use-module (gnu services shepherd) #:use-module (gnu system shadow) #:use-module (gnu packages admin) + #:use-module (gnu packages networking) #:use-module (gnu packages vpn) #:use-module (guix packages) #:use-module (guix records) 
@@ -44,6 +45,9 @@ generate-openvpn-client-documentation generate-openvpn-server-documentation =20 + strongswan-configuration + strongswan-service-type + wireguard-peer wireguard-peer? wireguard-peer-name 
@@ -529,6 +533,132 @@ is truncated and rewritten every minute.") (openvpn-remote-configuration ,openvpn-remote-configuration-fields)) 'openvpn-client-configuration)) =20 +;;; +;;; Strongswan. +;;; + +(define-record-type* + strongswan-configuration make-strongswan-configuration + strongswan-configuration? + (strongswan strongswan-configuration-strongswan ; + (default strongswan)) + (ipsec-conf strongswan-configuration-ipsec-conf + (default #f)) + (ipsec-secrets strongswan-configuration-ipsec-secrets + (default #f))) + +;; In the future, it might be worth implementing a record type to configure +;; all of the plugins, but for *most* basic usecases, simply creating the +;; files will be sufficient. Same is true of charon-plugins. +(define strongswand-config-files + (list "charon" "charon-logging" "pki" "pool" "scepclient" + "swanctl" "tnc")) + +;; Plugins to load. All of these plugins are going to end up as configurat= ion +;; files in strongswan.d/charon/. +(define charon-plugins + (list "aes" "aesni" "attr" "attr-sql" "chapoly" "cmac" "constraints" + "counters" "curl" "curve25519" "dhcp" "dnskey" "drbg" "eap-aka-3gp= p" + "eap-aka" "eap-dynamic" "eap-identity" "eap-md5" "eap-mschapv2" + "eap-peap" "eap-radius" "eap-simaka-pseudonym" "eap-simaka-reauth" + "eap-simaka-sql" "eap-sim" "eap-sim-file" "eap-tls" "eap-tnc" + "eap-ttls" "ext-auth" "farp" "fips-prf" "gmp" "ha" "hmac" + "kernel-netlink" "led" "md4" "md5" "mgf1" "nonce" "openssl" "pem" + "pgp" "pkcs12" "pkcs1" "pkcs7" "pkcs8" "pubkey" "random" "rc2" + "resolve" "revocation" "sha1" "sha2" "socket-default" "soup" "sql" + "sqlite" "sshkey" "tnc-tnccs" "vici" "x509" "xauth-eap" "xauth-gen= eric" + "xauth-noauth" "xauth-pam" "xcbc")) + +(define (strongswan-configuration-file config) + (match-record config + (strongswan ipsec-conf ipsec-secrets) + (let* ((strongswan-dir + (computed-file + "strongswan.d" + #~(begin + (mkdir #$output) + ;; Create all of the config files in strongswan.d/*.conf. 
+ (map (lambda (conf-file) + (let* ((filename (string-append + #$output "/" + conf-file ".conf"))) + (call-with-output-file filename + (lambda (port) + (display + "# Created by 'strongswan-service'\n" + port))))) + (list #$@strongswand-config-files)) + (mkdir (string-append #$output "/charon")) + ;; Create all of the plugins. + (map (lambda (plugin) + (let* ((filename (string-append + #$output "/charon/" + plugin ".conf"))) + (call-with-output-file filename + (lambda (port) + (format port "~a { + load =3D yes +}" + plugin))))) + (list #$@charon-plugins)))))) + ;; Generate our strongswan.conf to reflect the user configuration. + (computed-file + "strongswan.conf" + #~(begin + (call-with-output-file #$output + (lambda (port) + (display "# Generated by 'strongswan-service'.\n" port) + (format port "charon { + load_modular =3D yes + plugins { + include ~a/charon/*.conf" + #$strongswan-dir) + (if (and (not (eq? #$ipsec-conf #f)) + (not (eq? #$ipsec-secrets #f))) + (format port " + stroke { + load =3D yes + secrets_file =3D ~a + } + } +} + +starter { + config_file =3D ~a +} + +include ~a/*.conf" + #$ipsec-secrets + #$ipsec-conf + #$strongswan-dir) + (format port " + } +} +include ~a/*.conf" + #$strongswan-dir))))))))) + +(define (strongswan-shepherd-service config) + (let* ((ipsec (file-append strongswan "/sbin/ipsec")) + (strongswan-conf-path (strongswan-configuration-file config))) + (list (shepherd-service + (requirement '(networking)) + (provision '(ipsec)) + (start #~(make-forkexec-constructor + (list #$ipsec "start" "--nofork") + #:environment-variables + (list (string-append "STRONGSWAN_CONF=3D" + #$strongswan-conf-path)))) + (stop #~(make-kill-destructor)) + (documentation + "StrongSwan's charon IKE keying daemon for IPsec VPN."))))) + +(define strongswan-service-type + (service-type + (name 'strongswan) + (extensions + (list (service-extension shepherd-root-service-type + strongswan-shepherd-service))))) + ;;; ;;; Wireguard. 
;;;
--
2.32.0
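Review bot: in the doc/guix.texi hunk at @@ -27093, the `@item @code{strongswan}` entry states no default although the record in vpn.scm defaults it to the `strongswan` package, and the `ipsec-secrets` item reads `(default @code{#f})` while the item above it reads `(default: @code{#f})`; make all three read `(default: @code{...})`. The new block is also inserted before the `@c %end of automatic openvpn-server documentation` marker, so it lands inside the region that comment marks as generated, and it is titled with `@subheading` while the neighbouring `Wireguard` section uses `@subsubheading`; move it after the marker and match the heading level. Since `ipsec-conf` and `ipsec-secrets` are interpolated into strongswan.conf as plain path strings (not wrapped in `local-file`), the files are read from those paths at service start rather than copied into the store; a sentence saying so would help readers understand how the secrets file stays outside the store, which is the property the commit message relies on.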
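Review bot: in the gnu/services/vpn.scm hunk at @@ -26, none of the added code appears to reference a binding from `(gnu packages networking)`; the only package the new service touches is `strongswan`, and `(gnu packages vpn)` is already imported on the next line. If `strongswan` comes from that module, drop the new `#:use-module` so the patch does not add an unused import.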
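Review bot: in the gnu/services/vpn.scm hunk at @@ -529, `strongswan-shepherd-service` builds the daemon path with `(file-append strongswan "/sbin/ipsec")`, i.e. the global package variable, so the `strongswan` field of `strongswan-configuration` has no effect (and the `strongswan` binding that `match-record` introduces in `strongswan-configuration-file` is never used); take the package from the record instead, e.g. `(ipsec (file-append (strongswan-configuration-strongswan config) "/sbin/ipsec"))`. Relatedly, the commit message's example passes `(use-ipsec? #t)`, but the record defines no such field, so that example would not build as written. Second, the `strongswan.d` builder writes `load = yes` for every entry in `charon-plugins`, so all of them (including `sql`, `sqlite`, `ha`, `eap-radius` and `xauth-noauth`) are enabled whether or not the user's ipsec.conf needs them; a `plugins` field on the record with a conservative default, or at least a sentence in the docs saying every plugin is loaded, would let users keep the loaded set to what they actually use. Third, `#:environment-variables` replaces the inherited environment rather than extending it, so the child process sees only `STRONGSWAN_CONF`; if the `ipsec` wrapper script needs anything else (such as `PATH`), append to the default environment instead of supplying a one-element list. Smaller points: both `map` calls in the builder are used for their side effects, so `for-each` is the idiomatic choice; `(and (not (eq? #$ipsec-conf #f)) (not (eq? #$ipsec-secrets #f)))` is just `(and #$ipsec-conf #$ipsec-secrets)`; and the field line `(strongswan strongswan-configuration-strongswan ;` carries a stray `;`.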