From 11a9e1c3c0b2595ea37b8812736427ffb32a0787 Mon Sep 17 00:00:00 2001
From: Matthieu Coudron
Date: Tue, 31 Oct 2017 20:08:05 +0900
Subject: l2tp: 1.2.4 -> 1.2.8

the new version brings a new panel in IPsec settings which allows to reenable old algorithms for IPsec phases 1/2 (dropped in recent libreswan/strongswan etc). Also updates the homepage with the new one.
---
 pkgs/tools/networking/network-manager/l2tp.nix | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/pkgs/tools/networking/network-manager/l2tp.nix b/pkgs/tools/networking/network-manager/l2tp.nix
index b40afa605e3..f8047abe1bd 100644
--- a/pkgs/tools/networking/network-manager/l2tp.nix
+++ b/pkgs/tools/networking/network-manager/l2tp.nix
@@ -22,6 +22,9 @@ stdenv.mkDerivation rec {
 
   postPatch = ''
     sed -i -e 's%"\(/usr/sbin\|/usr/pkg/sbin\|/usr/local/sbin\)/[^"]*",%%g' ./src/nm-l2tp-service.c
+    substituteInPlace ./Makefile.am \
+      --replace '$(sysconfdir)/dbus-1/system.d' "$out/etc/dbus-1/system.d"
+
     substituteInPlace ./src/nm-l2tp-service.c \
       --replace /sbin/ipsec ${strongswan}/bin/ipsec \
       --replace /sbin/xl2tpd ${xl2tpd}/bin/xl2tpd
@@ -38,11 +41,16 @@ stdenv.mkDerivation rec {
   ];
   enableParallelBuilding = true;
 
+  configureFlags = [
+    "--with-gnome=${if withGnome then "yes" else "no"}"
+    "--localstatedir=/var"
+  ] ;
+
 
   meta = with stdenv.lib; {
     description = "L2TP plugin for NetworkManager";
     inherit (networkmanager.meta) platforms;
-    homepage = https://github.com/nm-l2tp/network-manager-l2tp;
+    homepage = http://github.com/nm-l2tp/network-manager-l2tp;
     license = licenses.gpl2;
     maintainers = with maintainers; [ abbradar obadz ];
   };
-- cgit 1.4.1

From fe4f4de1c92714aa9a2add7ffb3ca83a861d6d4e Mon Sep 17 00:00:00 2001
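Review bot: The new `substituteInPlace ./Makefile.am` call, like the sed on the line above it, gives no error when its pattern is absent (as far as I know of the stdenv of that time), so a later version bump that renames the D-Bus policy path in Makefile.am would silently leave the policy installed under `$(sysconfdir)` instead of `$out/etc/dbus-1/system.d`. A guard after the substitution, `grep -q "$out/etc/dbus-1/system.d" ./Makefile.am`, would make the build fail loudly instead. A one-line comment on why the `/usr/*/sbin` search paths are stripped from nm-l2tp-service.c (presumably so the plugin only finds the store paths substituted below) would also help the next maintainer. The enclosing `stdenv.mkDerivation` starts outside the hunk.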
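Review bot: The `-`/`+` pair near the end of the hunk changes `homepage` from `https://` to plain `http://`, which the commit message does not explain and which drops the TLS link from the package metadata; the next commit on this page switches it back, so the two commits are best squashed. The new `configureFlags` list has a stray space in `] ;` and leaves two blank lines before `meta`. A short comment on why `--localstatedir=/var` is required (if the plugin keeps runtime state there, say so) would make the intent clear, since a later commit on this page removes the whole list without explanation.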
From: Matthieu Coudron
Date: Tue, 31 Oct 2017 20:14:00 +0900
Subject: strongswan module: make it work with ipsec l2tp

l2tp saves its secrets into /etc/ipsec.d but strongswan would not read them. l2tp checks for /etc/ipsec.secrets includes /etc/ipsec.d and if not tries to write into it. Solution: Have the strongswan module create /etc/ipsec.d and /etc/ipsec.secrets when networkmanager_l2tp is installed. Include /etc/ipsec.secrets in /nix/store/hash-strongswan/etc/ipsec.secrets so that it can find l2tp secrets. Also when the ppp 'nopeerdns' option is used, the DNS resolver tries to write into an alternate file /etc/ppp/resolv.conf. This fails when /etc/ppp does not exist so the module creates it by default.
---
 .../modules/services/networking/networkmanager.nix | 1 +
 nixos/modules/services/networking/strongswan.nix   | 23 ++++++++++++++++++----
 pkgs/tools/networking/network-manager/l2tp.nix     | 7 +------
 pkgs/tools/networking/strongswan/default.nix       | 5 +++++
 4 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/nixos/modules/services/networking/networkmanager.nix b/nixos/modules/services/networking/networkmanager.nix
index 62afbf32c2f..a5ca6cc74cf 100644
--- a/nixos/modules/services/networking/networkmanager.nix
+++ b/nixos/modules/services/networking/networkmanager.nix
@@ -335,6 +335,7 @@ in {
 
       preStart = ''
         mkdir -m 700 -p /etc/NetworkManager/system-connections
+        mkdir -m 700 -p /etc/ipsec.d
         mkdir -m 755 -p ${stateDirs}
       '';
     };
diff --git a/nixos/modules/services/networking/strongswan.nix b/nixos/modules/services/networking/strongswan.nix
index 3a3f64221c4..707d24b9220 100644
--- a/nixos/modules/services/networking/strongswan.nix
+++ b/nixos/modules/services/networking/strongswan.nix
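Review bot: `mkdir -m 700 -p /etc/ipsec.d` applies the mode only when it creates the directory; if `/etc/ipsec.d` already exists with wider permissions, whatever the L2TP plugin later writes there stays readable under that mode. A following `chmod 700 /etc/ipsec.d` makes the tightening unconditional. The commit message ties the directory to networkmanager_l2tp being installed, but this line runs in NetworkManager's preStart on every system; either gate it on the L2TP plugin being enabled (through whatever option this module uses for plugins, not visible here) or add a comment such as `# secrets directory expected by the NetworkManager L2TP plugin; created unconditionally` so the intent is recorded. The enclosing service definition starts outside the hunk.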
@@ -32,13 +32,13 @@ let
       ${caConf}
     '';
 
-  strongswanConf = {setup, connections, ca, secrets, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
+  strongswanConf = {setup, connections, ca, secretsFile, managePlugins, enabledPlugins}: toFile "strongswan.conf" ''
     charon {
       ${if managePlugins then "load_modular = no" else ""}
       ${if managePlugins then ("load = " + (concatStringsSep " " enabledPlugins)) else ""}
       plugins {
         stroke {
-          secrets_file = ${ipsecSecrets secrets}
+          secrets_file = ${secretsFile}
         }
       }
     }
@@ -135,7 +135,18 @@ in
     };
   };
 
-  config = with cfg; mkIf enable {
+
+  config = with cfg;
+  let
+    secretsFile = ipsecSecrets cfg.secrets;
+  in
+  mkIf enable
+  {
+
+    # here we should use the default strongswan ipsec.secrets and
+    # append to it (default one is empty so not a pb for now)
+    environment.etc."ipsec.secrets".source = secretsFile;
+
     systemd.services.strongswan = {
       description = "strongSwan IPSec Service";
       wantedBy = [ "multi-user.target" ];
@@ -143,11 +154,15 @@ in
       wants = [ "keys.target" ];
       after = [ "network-online.target" "keys.target" ];
       environment = {
-        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secrets managePlugins enabledPlugins; };
+        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
       };
       serviceConfig = {
         ExecStart = "${pkgs.strongswan}/sbin/ipsec start --nofork";
       };
+      preStart = ''
+        # with 'nopeerdns' setting, ppp writes into this folder
+        mkdir -m 700 -p /etc/ppp
+      '';
     };
   };
 }
diff --git a/pkgs/tools/networking/network-manager/l2tp.nix b/pkgs/tools/networking/network-manager/l2tp.nix
index f8047abe1bd..e01197a0f75 100644
--- a/pkgs/tools/networking/network-manager/l2tp.nix
+++ b/pkgs/tools/networking/network-manager/l2tp.nix
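Review bot: `environment.etc."ipsec.secrets".source = secretsFile;` turns `/etc/ipsec.secrets` into a symlink to a read-only store file, yet the commit message says the L2TP plugin checks that `/etc/ipsec.secrets` includes `/etc/ipsec.d` and otherwise tries to write into it; unless `ipsecSecrets` (defined outside this hunk) already emits that include, the plugin's write against the store path will fail. It would help to state in the message or a comment what `ipsecSecrets cfg.secrets` renders, and whether any secret material from `cfg.secrets` ends up in the world-readable store instead of under `/etc/ipsec.d`. The two comment lines above the assignment read as a TODO ("not a pb for now"); a comment describing the actual behaviour, e.g. `# expose the generated secrets file system-wide so other IPsec users (e.g. the NetworkManager L2TP plugin) find the same includes`, would serve better. The `config` attribute set continues past the end of the hunk.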
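Review bot: The new `preStart` creates `/etc/ppp` from the strongSwan unit, while the comment on its first line explains the need in terms of ppp, which belongs to the L2TP side; as written the directory is missing on a host that runs the L2TP plugin against another IPsec backend and present on strongSwan hosts that never use ppp. Creating it next to the `mkdir -m 700 -p /etc/ipsec.d` this commit adds to networkmanager.nix would keep the L2TP prerequisites together. `-m 700` also deserves a word in the comment, since it decides who can read the `/etc/ppp/resolv.conf` the message mentions, e.g. `# pppd writes /etc/ppp/resolv.conf here when 'nopeerdns' is set; root-only unless other readers need it`. The enclosing `config` block starts outside the hunk.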
@@ -41,16 +41,11 @@ stdenv.mkDerivation rec {
   ];
   enableParallelBuilding = true;
 
-  configureFlags = [
-    "--with-gnome=${if withGnome then "yes" else "no"}"
-    "--localstatedir=/var"
-  ] ;
-
 
   meta = with stdenv.lib; {
     description = "L2TP plugin for NetworkManager";
     inherit (networkmanager.meta) platforms;
-    homepage = http://github.com/nm-l2tp/network-manager-l2tp;
+    homepage = https://github.com/nm-l2tp/network-manager-l2tp;
     license = licenses.gpl2;
     maintainers = with maintainers; [ abbradar obadz ];
   };
diff --git a/pkgs/tools/networking/strongswan/default.nix b/pkgs/tools/networking/strongswan/default.nix
index eff498a174e..7c682704592 100644
--- a/pkgs/tools/networking/strongswan/default.nix
+++ b/pkgs/tools/networking/strongswan/default.nix
@@ -76,6 +76,11 @@ stdenv.mkDerivation rec {
     "--enable-sqlite"
   ] ++ optional enableNetworkManager "--enable-nm";
 
+  postInstall = ''
+    # this is needed for l2tp
+    echo "include /etc/ipsec.secrets" >> $out/etc/ipsec.secrets
+  '';
+
   NIX_LDFLAGS = "-lgcc_s" ;
 
   meta = {
-- cgit 1.4.1
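Review bot: The `configureFlags` list introduced by the previous commit on this page is removed again here, and neither message says why `--with-gnome` and `--localstatedir=/var` were added or why they are no longer needed. If they were wrong, a sentence in the message (or a comment next to `enableParallelBuilding`) would save the next reader the archaeology; otherwise the two commits should be squashed so the flags never appear in history. Restoring `https://` on the `homepage` line is the right direction.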
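Review bot: `echo "include /etc/ipsec.secrets" >> $out/etc/ipsec.secrets` makes every consumer of this package pull secrets from the mutable system-global file, although the comment says it is needed only for L2TP. The file already gates `--enable-nm` on `enableNetworkManager`, so the hook can follow suit, `postInstall = optionalString enableNetworkManager ''…'';` (assuming the `stdenv.lib` scope that provides `optional` is what is in use), which keeps the plain package's secret sources self-contained. The comment should say what the include achieves, e.g. `# networkmanager-l2tp keeps its secrets under /etc/ipsec.d and expects the system-wide /etc/ipsec.secrets to be consulted`. Whether `$out/etc/ipsec.secrets` already exists at this point is not visible here; `>>` creates it if not, which is fine, but worth confirming that this is the file charon reads by default.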