diff --git a/nixos/modules/virtualisation/openvswitch.nix b/nixos/modules/virtualisation/openvswitch.nix index 325f6f5b43f4..436a375fb5eb 100644 --- a/nixos/modules/virtualisation/openvswitch.nix +++ b/nixos/modules/virtualisation/openvswitch.nix @@ -36,17 +36,6 @@ in { Open vSwitch package to use. ''; }; - - ipsec = mkOption { - type = types.bool; - default = false; - description = '' - Whether to start racoon service for openvswitch. - Supported only if openvswitch version is less than 2.6.0. - Use virtualisation.vswitch.package = pkgs.openvswitch-lts - for a version that supports ipsec over GRE. - ''; - }; }; config = mkIf cfg.enable (let @@ -65,7 +54,7 @@ in { installPhase = "mkdir -p $out"; }; - in (mkMerge [{ + in { environment.systemPackages = [ cfg.package ]; boot.kernelModules = [ "tun" "openvswitch" ]; @@ -142,48 +131,14 @@ in { }; }; - } - (mkIf (cfg.ipsec && (versionOlder cfg.package.version "2.6.0")) { - environment.systemPackages = [ pkgs.ipsecTools ]; + }); - services.racoon.enable = true; - services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf"; - - networking.firewall.extraCommands = '' - iptables -I INPUT -t mangle -p esp -j MARK --set-mark 1/1 - iptables -I INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1 - ''; - - systemd.services.ovs-monitor-ipsec = { - description = "Open_vSwitch Ipsec Daemon"; - wantedBy = [ "multi-user.target" ]; - requires = [ "ovsdb.service" ]; - before = [ "vswitchd.service" "racoon.service" ]; - environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock"; - serviceConfig = { - ExecStart = '' - ${cfg.package}/bin/ovs-monitor-ipsec \ - --root-prefix ${runDir}/ipsec \ - --pidfile /run/openvswitch/ovs-monitor-ipsec.pid \ - --monitor --detach \ - unix:/run/openvswitch/db.sock - ''; - PIDFile = "/run/openvswitch/ovs-monitor-ipsec.pid"; - # Use service type 'forking' to correctly determine when ovs-monitor-ipsec is ready. - Type = "forking"; - }; - - preStart = '' - rm -r ${runDir}/ipsec/etc/racoon/certs || true - mkdir -p ${runDir}/ipsec/{etc/racoon,etc/init.d/,usr/sbin/} - ln -fs ${pkgs.ipsecTools}/bin/setkey ${runDir}/ipsec/usr/sbin/setkey - ln -fs ${pkgs.writeScript "racoon-restart" '' - #!${pkgs.runtimeShell} - /run/current-system/sw/bin/systemctl $1 racoon - ''} ${runDir}/ipsec/etc/init.d/racoon - ''; - }; - })])); + imports = [ + (mkRemovedOptionModule [ "virtualisation" "vswitch" "ipsec" ] '' + OpenVSwitch IPSec functionality has been removed, because it depended on racoon, + which was removed from nixpkgs, because it was abanoded upstream. + '') + ]; meta.maintainers = with maintainers; [ netixx ];