From patchwork Wed Jun 2 22:11:03 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Domagoj Stolfa X-Patchwork-Id: 29804 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id BE7DF27BC81; Thu, 3 Jun 2021 00:15:29 +0100 (BST) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, FREEMAIL_FROM,MAILING_LIST_MULTI,RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL, SPF_HELO_PASS,T_DKIM_INVALID,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.2 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 3787B27BC78 for ; Thu, 3 Jun 2021 00:15:29 +0100 (BST) Received: from localhost ([::1]:42820 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1loa5A-00026Y-AE for patchwork@mira.cbaines.net; Wed, 02 Jun 2021 19:15:28 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:44356) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1loa1q-0001ym-TO for guix-patches@gnu.org; Wed, 02 Jun 2021 19:12:03 -0400 Received: from debbugs.gnu.org ([209.51.188.43]:58235) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1loa1q-0006bO-M2 for guix-patches@gnu.org; Wed, 02 Jun 2021 19:12:02 -0400 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1loa1q-0003dZ-GN for guix-patches@gnu.org; Wed, 02 Jun 2021 19:12:02 -0400 X-Loop: help-debbugs@gnu.org Subject: [bug#48803] [PATCH] strongswan: provide a service definition and configuration interface. Resent-From: Domagoj Stolfa Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Wed, 02 Jun 2021 23:12:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 48803 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 48803@debbugs.gnu.org X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.162267546313908 (code B ref -1); Wed, 02 Jun 2021 23:12:02 +0000 Received: (at submit) by debbugs.gnu.org; 2 Jun 2021 23:11:03 +0000 Received: from localhost ([127.0.0.1]:41548 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1loa0s-0003c5-5g for submit@debbugs.gnu.org; Wed, 02 Jun 2021 19:11:02 -0400 Received: from lists.gnu.org ([209.51.188.17]:50160) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1loZ4x-0002DZ-0i for submit@debbugs.gnu.org; Wed, 02 Jun 2021 18:11:11 -0400 Received: from eggs.gnu.org ([2001:470:142:3::10]:35972) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1loZ4w-0007NX-S4 for guix-patches@gnu.org; Wed, 02 Jun 2021 18:11:10 -0400 Received: from mout.gmx.net ([212.227.15.15]:38865) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1loZ4u-0000Qb-BM for guix-patches@gnu.org; Wed, 02 Jun 2021 18:11:10 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1622671865; bh=h/GLYh8hYbxkTMlrfy7Ts0snZOIDMtWRhRHjgT/ssJM=; h=X-UI-Sender-Class:Date:From:To:Subject; b=hEAyWRwYblG7swEHP5dRjfOjC3qIEQCOTdvAcnTx7Fzka4DjRLY+akBKwElOg617Q qL/+9EhddKoUu8W5aaQZsyzXntBGlN2g/uCvMq47EV6iAsxGUS96sbm8IFf1bp+7gF LZQpicSCAPNTNQMwwZFIXcvu7PWfzRZ04AaUIBt0= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from pepehands ([131.111.128.28]) by mail.gmx.net (mrgmx005 [212.227.17.184]) with ESMTPSA (Nemesis) id 1N8ofE-1lLgDO3XIk-015rtg for ; Thu, 03 Jun 2021 00:11:04 +0200 Date: Wed, 2 Jun 2021 23:11:03 +0100 From: Domagoj Stolfa Message-ID: MIME-Version: 1.0 Content-Disposition: inline X-Provags-ID: V03:K1:D6tT+r6SdBHKHR2QU5EAh+GTpnopo4+3d/Dyt/Ez22HYeDQ5Pz9 MZdo8vwdUlcywNrvD4z0W9NiwdtV4H+lkYTlargKurhP3eb0Cr4f65qZfIrvbW5t/eec4GG CF0C0u8kVeOSVmSFnOMcxPP3z8in/yIgEh0pwOGbctkiHH2l6p1Uaag7BQ1lDE+0vRymuaE Do2PTFGlh5SrFvNhome3Q== X-UI-Out-Filterresults: notjunk:1;V03:K0:Z2fxKjy5n8Y=:7bnEMfBqw3lNuuhgV5kAm5 ktgy2kRdn3Waw2hjVY1XsS/Udc63amrzO8QPGv2+7HkUQwyVLCI4HQlzqzn8uG/MGxsdT7D/K 3XAzsGLcbByJ4aLB3YOxBgyo30pgUoFf7TZtTrRQATdvLYjGfxWWmb1NFTxRDSs+vnqxj4/RU IQ95C0Ijf7sOF7J1K9PLzq9EKgiD5yLG+6LQQJvQlbjdHy3uZplSoYcTQciK22FXTD7MOXefk gtuNboh6opwlgV33M3bEI734fhE8xPu4YlK2Rze2SOgcExRkESo88Nq5hNqiMY2hl66k9DL8U odSBf70breNAVTWdGD34iWA7YqhteSU/tSWbpDm+XgXrURZ05OboQaJu+jrxntxMzsqsuZaYQ hWymICXhGywDNK7JFZ+4wbCytXYYCPC98AdTDysXuSMHfmxuk+fiK9Mh4ihkHSkjt4m1y3nus hKINR2+VXMDWNBbHQRo3lALaX3qVxPyr3h818AkgI+lLxMrvAgrQZ63I2ECHsnWI2jx3NbsOk HinQF9un3LVnxjA11e9x5SCPE+XnGZgoTDQ68ZcvW3KLTgymbLEyy56S9gLoBKQF1nHCEHX56 qS2V3wtEuprkIu25b+//5hWe+68Ru8fMJ5Tx3L9qBZ5x1roTRFbN5heyGF83K79UTFVZP7foa 8Tvt/i8ByXZv79/azTV1gQwjbyJ1m+Y6PAD4gWgf0x16wbtu7eDDhuaQjyxpOG9ETFu9fXW6C 5VUOhR3dYV5sK0HaJF5DdBLkUDxTuX188imJWuB0ffOjhneOKRRpPHo7VMw7H78idBpw/Ha8y vq1mI4ORonvNpocs1f6oc5JvPHtLiPrDT6ItgtkziHtJBYnaTJ+ZRGdB9kmpmQiVHu7L485Vy pZUuYvVqhZNsyD2Jqnwp0/UDO57WGs7TB4tzRuqNK4XzkJZKYs1Z8GINYBqqSaWE0ZcdbQ9QD KIYKE0sz+LvrmG+L4DdiTHrwUjp1rrQHHTJK9jAnnoDVPEaUbfEYJjUoLh9PtDgt6qCZUfoUs iJFa3yVFYwHVL2Ey2BPd/qpnmtqiNQDKDbcFj2w42Jr6B99SNBv+Xev3sWrmy/YbGftsnpGSf 6BJ0gfaGpABkSwm3m6CmtaAo+ou2ItHmatp Received-SPF: pass client-ip=212.227.15.15; envelope-from=ds815@gmx.com; helo=mout.gmx.net X-Spam_score_int: -15 X-Spam_score: -1.6 X-Spam_bar: - X-Spam_report: (-1.6 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=no autolearn_force=no X-Spam_action: no action X-Mailman-Approved-At: Wed, 02 Jun 2021 19:11:01 -0400 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-Mailman-Approved-At: Wed, 02 Jun 2021 19:15:09 -0400 X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" X-getmail-retrieved-from-mailbox: Patches This commit adds a strongswan-service-type which allows the user to start strongswan correctly on Guix. Without this, they would need to manually write a strongswan.conf file and run it with `STRONGSWAN_CONF=/path/to/strongswan.conf ipsec start`. For now, we only support the legacy ipsec.conf/ipsec.secrets interface. Because ipsec.conf depends on indentation and is a deprecated intreface, we do not provide an EDSL to configure it, and we do not put the config file in a Guile string (to avoid indentation issues). Similarly, ipsec.secrets contains the users authentication token/passwords, and is for security reasons transmitted separately from the configuration file. This change allows the user to write something as follows in their config: ``` (service strongswan-service-type (strongswan-configuration (use-ipsec? #t) (ipsec-conf "/config-files/ipsec.conf") (ipsec-secrets "/config-files/ipsec.secrets"))) ``` This will start the charon daemon and allow them to connect to their VPNs configured in `/config-files/ipsec.conf`. --- gnu/services/vpn.scm | 128 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 128 insertions(+) diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index 2bcbf76727..e026f2aa58 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -4,6 +4,7 @@ ;;; Copyright © 2017 Mathieu Othacehe ;;; Copyright © 2021 Guillaume Le Vaillant ;;; Copyright © 2021 Solene Rapenne +;;; Copyright © 2021 Domagoj Stolfa ;;; ;;; This file is part of GNU Guix. ;;; @@ -26,6 +27,7 @@ #:use-module (gnu services shepherd) #:use-module (gnu system shadow) #:use-module (gnu packages admin) + #:use-module (gnu packages networking) #:use-module (gnu packages vpn) #:use-module (guix packages) #:use-module (guix records) @@ -44,6 +46,9 @@ generate-openvpn-client-documentation generate-openvpn-server-documentation + strongswan-configuration + strongswan-service-type + wireguard-peer wireguard-peer? wireguard-peer-name @@ -529,6 +534,129 @@ is truncated and rewritten every minute.") (openvpn-remote-configuration ,openvpn-remote-configuration-fields)) 'openvpn-client-configuration)) +;;; +;;; Strongswan. +;;; + +(define-record-type* + strongswan-configuration make-strongswan-configuration + strongswan-configuration? + (strongswan strongswan-configuration-strongswan ; + (default strongswan)) + (use-ipsec? strongswan-configuration-use-ipsec? ;legacy interface + (default #f)) + (ipsec-conf strongswan-configuration-ipsec-conf) + (ipsec-secrets strongswan-configuration-ipsec-secrets)) + +;; In the future, it might be worth implementing a record type to configure +;; all of the plugins, but for *most* basic usecases, simply creating the +;; files will be sufficient. Same is true of charon-plugins. +(define strongswand-config-files + (list "charon" "charon-logging" "pki" "pool" "scepclient" + "swanctl" "tnc")) + +;; Plugins to load. +(define charon-plugins + (list "aes" "aesni" "attr" "attr-sql" "chapoly" "cmac" "constraints" + "counters" "curl" "curve25519" "dhcp" "dnskey" "drbg" "eap-aka-3gpp" + "eap-aka" "eap-dynamic" "eap-identity" "eap-md5" "eap-mschapv2" + "eap-peap" "eap-radius" "eap-simaka-pseudonym" "eap-simaka-reauth" + "eap-simaka-sql" "eap-sim" "eap-sim-file" "eap-tls" "eap-tnc" + "eap-ttls" "ext-auth" "farp" "fips-prf" "gmp" "ha" "hmac" + "kernel-netlink" "led" "md4" "md5" "mgf1" "nonce" "openssl" "pem" + "pgp" "pkcs12" "pkcs1" "pkcs7" "pkcs8" "pubkey" "random" "rc2" + "resolve" "revocation" "sha1" "sha2" "socket-default" "soup" "sql" + "sqlite" "sshkey" "tnc-tnccs" "vici" "x509" "xauth-eap" "xauth-generic" + "xauth-noauth" "xauth-pam" "xcbc")) + +(define (strongswan-configuration-file config) + (match-record config + (strongswan use-ipsec? ipsec-conf ipsec-secrets) + (let* ((strongswan-dir + (computed-file + "strongswan.d" + #~(begin + (mkdir #$output) + ;; Create all of the configuration files in strongswan.d/*.conf + (map (lambda (conf-file) + (let* ((filename (string-append + #$output "/" + conf-file ".conf"))) + (call-with-output-file filename + (lambda (port) + (display + "# Created by 'strongswan-service'\n" + port))))) + (list #$@strongswand-config-files)) + (mkdir (string-append #$output "/charon")) + ;; And all of the strongswan.d/charon/*.conf files (plugins) + (map (lambda (plugin) + (let* ((filename (string-append + #$output "/charon/" + plugin ".conf"))) + (call-with-output-file filename + (lambda (port) + (format port "~a { + load = yes +}" + plugin))))) + (list #$@charon-plugins)))))) + ;; Generate our strongswan.conf to reflect the user configuration. + (computed-file + "strongswan.conf" + #~(begin + (call-with-output-file #$output + (lambda (port) + (display "# Generated by 'strongswan-service'.\n" port) + (format port "charon { + load_modular = yes + plugins { + include ~a/charon/*.conf" + #$strongswan-dir) + (if #$use-ipsec? + (format port " + stroke { + load = yes + secrets_file = ~a + } + } +} + +starter { + config_file = ~a +} + +include ~a/*.conf" + #$ipsec-secrets + #$ipsec-conf + #$strongswan-dir) + (format port " + } +} +include ~a/*.conf" + #$strongswan-dir))))))))) + +(define (strongswan-shepherd-service config) + (let* ((ipsec (file-append strongswan "/sbin/ipsec")) + (strongswan-conf-path (strongswan-configuration-file config))) + (list (shepherd-service + (requirement '(networking)) + (provision '(strongswan)) + (start #~(make-forkexec-constructor + (list #$ipsec "start" "--nofork") + #:environment-variables + (list (string-append "STRONGSWAN_CONF=" + #$strongswan-conf-path)))) + (stop #~(make-kill-destructor)) + (documentation "Start the charon daemon for IPsec VPN"))))) + +(define strongswan-service-type + (service-type + (name 'strongswan) + (extensions + (list (service-extension shepherd-root-service-type + strongswan-shepherd-service))))) + ;;; ;;; Wireguard. ;;;