mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-12-04 19:45:54 +00:00
56a7bc05e1
The `keys.target` is used to indicate whether all NixOps keys were successfully uploaded on an unattended reboot. However this can cause startup issues e.g. with NixOS containers (see #67265) and can block boots even though this might not be needed (e.g. with a dovecot2 instance running that doesn't need any of the NixOps keys). As described in the NixOps manual[1], dependencies to keys should be defined like this now: ``` nix { systemd.services.myservice = { after = [ "secret-key.service" ]; wants = [ "secret-key.service" ]; }; } ``` However I'd leave the issue open until it's discussed whether or not to keep `keys.target` in `nixpkgs`. [1] https://nixos.org/nixops/manual/#idm140737322342384
85 lines
3 KiB
Nix
85 lines
3 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
with (import ./param-lib.nix lib);
|
|
|
|
let
|
|
cfg = config.services.strongswan-swanctl;
|
|
swanctlParams = import ./swanctl-params.nix lib;
|
|
in {
|
|
options.services.strongswan-swanctl = {
|
|
enable = mkEnableOption "strongswan-swanctl service";
|
|
|
|
package = mkOption {
|
|
type = types.package;
|
|
default = pkgs.strongswan;
|
|
defaultText = "pkgs.strongswan";
|
|
description = ''
|
|
The strongswan derivation to use.
|
|
'';
|
|
};
|
|
|
|
strongswan.extraConfig = mkOption {
|
|
type = types.str;
|
|
default = "";
|
|
description = ''
|
|
Contents of the <literal>strongswan.conf</literal> file.
|
|
'';
|
|
};
|
|
|
|
swanctl = paramsToOptions swanctlParams;
|
|
};
|
|
|
|
config = mkIf cfg.enable {
|
|
|
|
assertions = [
|
|
{ assertion = !config.services.strongswan.enable;
|
|
message = "cannot enable both services.strongswan and services.strongswan-swanctl. Choose either one.";
|
|
}
|
|
];
|
|
|
|
environment.etc."swanctl/swanctl.conf".text =
|
|
paramsToConf cfg.swanctl swanctlParams;
|
|
|
|
# The swanctl command complains when the following directories don't exist:
|
|
# See: https://wiki.strongswan.org/projects/strongswan/wiki/Swanctldirectory
|
|
system.activationScripts.strongswan-swanctl-etc = stringAfter ["etc"] ''
|
|
mkdir -p '/etc/swanctl/x509' # Trusted X.509 end entity certificates
|
|
mkdir -p '/etc/swanctl/x509ca' # Trusted X.509 Certificate Authority certificates
|
|
mkdir -p '/etc/swanctl/x509ocsp'
|
|
mkdir -p '/etc/swanctl/x509aa' # Trusted X.509 Attribute Authority certificates
|
|
mkdir -p '/etc/swanctl/x509ac' # Attribute Certificates
|
|
mkdir -p '/etc/swanctl/x509crl' # Certificate Revocation Lists
|
|
mkdir -p '/etc/swanctl/pubkey' # Raw public keys
|
|
mkdir -p '/etc/swanctl/private' # Private keys in any format
|
|
mkdir -p '/etc/swanctl/rsa' # PKCS#1 encoded RSA private keys
|
|
mkdir -p '/etc/swanctl/ecdsa' # Plain ECDSA private keys
|
|
mkdir -p '/etc/swanctl/bliss'
|
|
mkdir -p '/etc/swanctl/pkcs8' # PKCS#8 encoded private keys of any type
|
|
mkdir -p '/etc/swanctl/pkcs12' # PKCS#12 containers
|
|
'';
|
|
|
|
systemd.services.strongswan-swanctl = {
|
|
description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network-online.target" ];
|
|
path = with pkgs; [ kmod iproute iptables utillinux ];
|
|
environment = {
|
|
STRONGSWAN_CONF = pkgs.writeTextFile {
|
|
name = "strongswan.conf";
|
|
text = cfg.strongswan.extraConfig;
|
|
};
|
|
SWANCTL_DIR = "/etc/swanctl";
|
|
};
|
|
restartTriggers = [ config.environment.etc."swanctl/swanctl.conf".source ];
|
|
serviceConfig = {
|
|
ExecStart = "${cfg.package}/sbin/charon-systemd";
|
|
Type = "notify";
|
|
ExecStartPost = "${cfg.package}/sbin/swanctl --load-all --noprompt";
|
|
ExecReload = "${cfg.package}/sbin/swanctl --reload";
|
|
Restart = "on-abnormal";
|
|
};
|
|
};
|
|
};
|
|
}
|