mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2024-09-19 19:48:09 +03:00
nixos: add the strongswan-swanctl service
The strongswan-swanctl systemd service starts charon-systemd. This implements a IKE daemon very similar to charon, but it's specifically designed for use with systemd. It uses the systemd libraries for a native integration. Instead of using starter and an ipsec.conf based configuration, the daemon is directly managed by systemd and configured with the swanctl configuration backend. See: https://wiki.strongswan.org/projects/strongswan/wiki/Charon-systemd Note that the strongswan.conf and swantctl.conf configuration files are automatically generated based on NixOS options under services.strongswan-swanctl.strongswan and services.strongswan-swanctl.swanctl respectively.
This commit is contained in:
parent
04dd1987a3
commit
bd24b3addd
@ -560,6 +560,7 @@
|
|||||||
./services/networking/ssh/lshd.nix
|
./services/networking/ssh/lshd.nix
|
||||||
./services/networking/ssh/sshd.nix
|
./services/networking/ssh/sshd.nix
|
||||||
./services/networking/strongswan.nix
|
./services/networking/strongswan.nix
|
||||||
|
./services/networking/strongswan-swanctl/module.nix
|
||||||
./services/networking/stunnel.nix
|
./services/networking/stunnel.nix
|
||||||
./services/networking/supplicant.nix
|
./services/networking/supplicant.nix
|
||||||
./services/networking/supybot.nix
|
./services/networking/supybot.nix
|
||||||
|
@ -0,0 +1,80 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
with (import ./param-lib.nix lib);
|
||||||
|
|
||||||
|
let
|
||||||
|
cfg = config.services.strongswan-swanctl;
|
||||||
|
|
||||||
|
# TODO: auto-generate these files using:
|
||||||
|
# https://github.com/strongswan/strongswan/tree/master/conf
|
||||||
|
# IDEA: extend the format-options.py script to output these Nix files.
|
||||||
|
strongswanParams = import ./strongswan-params.nix lib;
|
||||||
|
swanctlParams = import ./swanctl-params.nix lib;
|
||||||
|
in {
|
||||||
|
options.services.strongswan-swanctl = {
|
||||||
|
enable = mkEnableOption "strongswan-swanctl service";
|
||||||
|
|
||||||
|
package = mkOption {
|
||||||
|
type = types.package;
|
||||||
|
default = pkgs.strongswan;
|
||||||
|
defaultText = "pkgs.strongswan";
|
||||||
|
description = ''
|
||||||
|
The strongswan derivation to use.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
strongswan = paramsToOptions strongswanParams;
|
||||||
|
swanctl = paramsToOptions swanctlParams;
|
||||||
|
};
|
||||||
|
|
||||||
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
|
assertions = [
|
||||||
|
{ assertion = !config.services.strongswan.enable;
|
||||||
|
message = "cannot enable both services.strongswan and services.strongswan-swanctl. Choose either one.";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
environment.etc."swanctl/swanctl.conf".text =
|
||||||
|
paramsToConf cfg.swanctl swanctlParams;
|
||||||
|
|
||||||
|
# The swanctl command complains when the following directories don't exist:
|
||||||
|
# See: https://wiki.strongswan.org/projects/strongswan/wiki/Swanctldirectory
|
||||||
|
system.activationScripts.strongswan-swanctl-etc = stringAfter ["etc"] ''
|
||||||
|
mkdir -p '/etc/swanctl/x509' # Trusted X.509 end entity certificates
|
||||||
|
mkdir -p '/etc/swanctl/x509ca' # Trusted X.509 Certificate Authority certificates
|
||||||
|
mkdir -p '/etc/swanctl/x509ocsp'
|
||||||
|
mkdir -p '/etc/swanctl/x509aa' # Trusted X.509 Attribute Authority certificates
|
||||||
|
mkdir -p '/etc/swanctl/x509ac' # Attribute Certificates
|
||||||
|
mkdir -p '/etc/swanctl/x509crl' # Certificate Revocation Lists
|
||||||
|
mkdir -p '/etc/swanctl/pubkey' # Raw public keys
|
||||||
|
mkdir -p '/etc/swanctl/private' # Private keys in any format
|
||||||
|
mkdir -p '/etc/swanctl/rsa' # PKCS#1 encoded RSA private keys
|
||||||
|
mkdir -p '/etc/swanctl/ecdsa' # Plain ECDSA private keys
|
||||||
|
mkdir -p '/etc/swanctl/bliss'
|
||||||
|
mkdir -p '/etc/swanctl/pkcs8' # PKCS#8 encoded private keys of any type
|
||||||
|
mkdir -p '/etc/swanctl/pkcs12' # PKCS#12 containers
|
||||||
|
'';
|
||||||
|
|
||||||
|
systemd.services.strongswan-swanctl = {
|
||||||
|
description = "strongSwan IPsec IKEv1/IKEv2 daemon using swanctl";
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "network-online.target" "keys.target" ];
|
||||||
|
wants = [ "keys.target" ];
|
||||||
|
path = with pkgs; [ kmod iproute iptables utillinux ];
|
||||||
|
environment.STRONGSWAN_CONF = pkgs.writeTextFile {
|
||||||
|
name = "strongswan.conf";
|
||||||
|
text = paramsToConf cfg.strongswan strongswanParams;
|
||||||
|
};
|
||||||
|
restartTriggers = [ config.environment.etc."swanctl/swanctl.conf".source ];
|
||||||
|
serviceConfig = {
|
||||||
|
ExecStart = "${cfg.package}/sbin/charon-systemd";
|
||||||
|
Type = "notify";
|
||||||
|
ExecStartPost = "${cfg.package}/sbin/swanctl --load-all --noprompt";
|
||||||
|
ExecReload = "${cfg.package}/sbin/swanctl --reload";
|
||||||
|
Restart = "on-abnormal";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
@ -0,0 +1,162 @@
|
|||||||
|
# In the following context a parameter is an attribute set that
|
||||||
|
# contains a NixOS option and a render function. It also contains the
|
||||||
|
# attribute: '_type = "param"' so we can distinguish it from other
|
||||||
|
# sets.
|
||||||
|
#
|
||||||
|
# The render function is used to convert the value of the option to a
|
||||||
|
# snippet of strongswan.conf. Most parameters simply render their
|
||||||
|
# value to a string. For example, take the following parameter:
|
||||||
|
#
|
||||||
|
# threads = mkIntParam 10 "Threads to use for request handling.";
|
||||||
|
#
|
||||||
|
# When a users defines the corresponding option as for example:
|
||||||
|
#
|
||||||
|
# services.strongswan-swanctl.strongswan.threads = 32;
|
||||||
|
#
|
||||||
|
# It will get rendered to the following snippet in strongswan.conf:
|
||||||
|
#
|
||||||
|
# threads = 32
|
||||||
|
#
|
||||||
|
# Some parameters however need to be able to change the attribute
|
||||||
|
# name. For example, take the following parameter:
|
||||||
|
#
|
||||||
|
# id = mkPrefixedAttrsOfParam (mkOptionalStrParam "") "...";
|
||||||
|
#
|
||||||
|
# A user can define the corresponding option as for example:
|
||||||
|
#
|
||||||
|
# id = {
|
||||||
|
# "foo" = "bar";
|
||||||
|
# "baz" = "qux";
|
||||||
|
# };
|
||||||
|
#
|
||||||
|
# This will get rendered to the following snippet:
|
||||||
|
#
|
||||||
|
# foo-id = bar
|
||||||
|
# baz-id = qux
|
||||||
|
#
|
||||||
|
# For this reason the render function is not simply a function from
|
||||||
|
# value -> string but a function from a value to an attribute set:
|
||||||
|
# { "${name}" = string }. This allows parameters to change the attribute
|
||||||
|
# name like in the previous example.
|
||||||
|
|
||||||
|
lib :
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
with (import ./param-lib.nix lib);
|
||||||
|
|
||||||
|
rec {
|
||||||
|
mkParamOfType = type : strongswanDefault : description : {
|
||||||
|
_type = "param";
|
||||||
|
option = mkOption {
|
||||||
|
type = types.nullOr type;
|
||||||
|
default = null;
|
||||||
|
description = documentDefault description strongswanDefault;
|
||||||
|
};
|
||||||
|
render = single toString;
|
||||||
|
};
|
||||||
|
|
||||||
|
documentDefault = description : strongswanDefault :
|
||||||
|
if isNull strongswanDefault
|
||||||
|
then description
|
||||||
|
else description + ''
|
||||||
|
</para><para>
|
||||||
|
StrongSwan default: <literal><![CDATA[${builtins.toJSON strongswanDefault}]]></literal>
|
||||||
|
'';
|
||||||
|
|
||||||
|
single = f: name: value: { "${name}" = f value; };
|
||||||
|
|
||||||
|
mkStrParam = mkParamOfType types.str;
|
||||||
|
mkOptionalStrParam = mkStrParam null;
|
||||||
|
|
||||||
|
mkEnumParam = values : mkParamOfType (types.enum values);
|
||||||
|
|
||||||
|
mkIntParam = mkParamOfType types.int;
|
||||||
|
mkOptionalIntParam = mkIntParam null;
|
||||||
|
|
||||||
|
# We should have floats in Nix...
|
||||||
|
mkFloatParam = mkStrParam;
|
||||||
|
|
||||||
|
# TODO: Check for hex format:
|
||||||
|
mkHexParam = mkStrParam;
|
||||||
|
mkOptionalHexParam = mkOptionalStrParam;
|
||||||
|
|
||||||
|
# TODO: Check for duration format:
|
||||||
|
mkDurationParam = mkStrParam;
|
||||||
|
mkOptionalDurationParam = mkOptionalStrParam;
|
||||||
|
|
||||||
|
mkYesNoParam = strongswanDefault : description : {
|
||||||
|
_type = "param";
|
||||||
|
option = mkOption {
|
||||||
|
type = types.nullOr types.bool;
|
||||||
|
default = null;
|
||||||
|
description = documentDefault description strongswanDefault;
|
||||||
|
};
|
||||||
|
render = single (b: if b then "yes" else "no");
|
||||||
|
};
|
||||||
|
yes = true;
|
||||||
|
no = false;
|
||||||
|
|
||||||
|
mkSpaceSepListParam = mkSepListParam " ";
|
||||||
|
mkCommaSepListParam = mkSepListParam ",";
|
||||||
|
|
||||||
|
mkSepListParam = sep : strongswanDefault : description : {
|
||||||
|
_type = "param";
|
||||||
|
option = mkOption {
|
||||||
|
type = types.nullOr (types.listOf types.str);
|
||||||
|
default = null;
|
||||||
|
description = documentDefault description strongswanDefault;
|
||||||
|
};
|
||||||
|
render = single (value: concatStringsSep sep value);
|
||||||
|
};
|
||||||
|
|
||||||
|
mkAttrsOfParams = params :
|
||||||
|
mkAttrsOf params (types.submodule {options = paramsToOptions params;});
|
||||||
|
|
||||||
|
mkAttrsOfParam = param :
|
||||||
|
mkAttrsOf param param.option.type;
|
||||||
|
|
||||||
|
mkAttrsOf = param : option : description : {
|
||||||
|
_type = "param";
|
||||||
|
option = mkOption {
|
||||||
|
type = types.attrsOf option;
|
||||||
|
default = {};
|
||||||
|
inherit description;
|
||||||
|
};
|
||||||
|
render = single (attrs:
|
||||||
|
(paramsToRenderedStrings attrs
|
||||||
|
(mapAttrs (_n: _v: param) attrs)));
|
||||||
|
};
|
||||||
|
|
||||||
|
mkPrefixedAttrsOfParams = params :
|
||||||
|
mkPrefixedAttrsOf params (types.submodule {options = paramsToOptions params;});
|
||||||
|
|
||||||
|
mkPrefixedAttrsOfParam = param :
|
||||||
|
mkPrefixedAttrsOf param param.option.type;
|
||||||
|
|
||||||
|
mkPrefixedAttrsOf = p : option : description : {
|
||||||
|
_type = "param";
|
||||||
|
option = mkOption {
|
||||||
|
type = types.attrsOf option;
|
||||||
|
default = {};
|
||||||
|
inherit description;
|
||||||
|
};
|
||||||
|
render = prefix: attrs:
|
||||||
|
let prefixedAttrs = mapAttrs' (name: nameValuePair "${prefix}-${name}") attrs;
|
||||||
|
in paramsToRenderedStrings prefixedAttrs
|
||||||
|
(mapAttrs (_n: _v: p) prefixedAttrs);
|
||||||
|
};
|
||||||
|
|
||||||
|
mkPostfixedAttrsOfParams = params : description : {
|
||||||
|
_type = "param";
|
||||||
|
option = mkOption {
|
||||||
|
type = types.attrsOf (types.submodule {options = paramsToOptions params;});
|
||||||
|
default = {};
|
||||||
|
inherit description;
|
||||||
|
};
|
||||||
|
render = postfix: attrs:
|
||||||
|
let postfixedAttrs = mapAttrs' (name: nameValuePair "${name}-${postfix}") attrs;
|
||||||
|
in paramsToRenderedStrings postfixedAttrs
|
||||||
|
(mapAttrs (_n: _v: params) postfixedAttrs);
|
||||||
|
};
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,82 @@
|
|||||||
|
lib :
|
||||||
|
|
||||||
|
with lib;
|
||||||
|
|
||||||
|
rec {
|
||||||
|
paramsToConf = cfg : ps : mkConf 0 (paramsToRenderedStrings cfg ps);
|
||||||
|
|
||||||
|
# mkConf takes an indentation level (which usually starts at 0) and a nested
|
||||||
|
# attribute set of strings and will render that set to a strongswan.conf style
|
||||||
|
# configuration format. For example:
|
||||||
|
#
|
||||||
|
# mkConf 0 {a = "1"; b = { c = { "foo" = "2"; "bar" = "3"; }; d = "4";};} => ''
|
||||||
|
# a = 1
|
||||||
|
# b {
|
||||||
|
# c {
|
||||||
|
# foo = 2
|
||||||
|
# bar = 3
|
||||||
|
# }
|
||||||
|
# d = 4
|
||||||
|
# }''
|
||||||
|
mkConf = indent : ps :
|
||||||
|
concatMapStringsSep "\n"
|
||||||
|
(name:
|
||||||
|
let value = ps."${name}";
|
||||||
|
indentation = replicate indent " ";
|
||||||
|
in
|
||||||
|
indentation + (
|
||||||
|
if isAttrs value
|
||||||
|
then "${name} {\n" +
|
||||||
|
mkConf (indent + 2) value + "\n" +
|
||||||
|
indentation + "}"
|
||||||
|
else "${name} = ${value}"
|
||||||
|
)
|
||||||
|
)
|
||||||
|
(attrNames ps);
|
||||||
|
|
||||||
|
replicate = n : c : concatStrings (builtins.genList (_x : c) n);
|
||||||
|
|
||||||
|
# `paramsToRenderedStrings cfg ps` converts the NixOS configuration `cfg`
|
||||||
|
# (typically the "config" argument of a NixOS module) and the set of
|
||||||
|
# parameters `ps` (an attribute set where the values are constructed using the
|
||||||
|
# parameter constructors in ./param-constructors.nix) to a nested attribute
|
||||||
|
# set of strings (rendered parameters).
|
||||||
|
paramsToRenderedStrings = cfg : ps :
|
||||||
|
filterEmptySets (
|
||||||
|
(mapParamsRecursive (path: name: param:
|
||||||
|
let value = attrByPath path null cfg;
|
||||||
|
in optionalAttrs (!isNull value) (param.render name value)
|
||||||
|
) ps));
|
||||||
|
|
||||||
|
filterEmptySets = set : filterAttrs (n: v: !(isNull v)) (mapAttrs (name: value:
|
||||||
|
if isAttrs value
|
||||||
|
then let value' = filterEmptySets value;
|
||||||
|
in if value' == {}
|
||||||
|
then null
|
||||||
|
else value'
|
||||||
|
else value
|
||||||
|
) set);
|
||||||
|
|
||||||
|
# Recursively map over every parameter in the given attribute set.
|
||||||
|
mapParamsRecursive = mapAttrsRecursiveCond' (as: (!(as ? "_type" && as._type == "param")));
|
||||||
|
|
||||||
|
mapAttrsRecursiveCond' = cond: f: set:
|
||||||
|
let
|
||||||
|
recurse = path: set:
|
||||||
|
let
|
||||||
|
g =
|
||||||
|
name: value:
|
||||||
|
if isAttrs value && cond value
|
||||||
|
then { "${name}" = recurse (path ++ [name]) value; }
|
||||||
|
else f (path ++ [name]) name value;
|
||||||
|
in mapAttrs'' g set;
|
||||||
|
in recurse [] set;
|
||||||
|
|
||||||
|
mapAttrs'' = f: set:
|
||||||
|
foldl' (a: b: a // b) {} (map (attr: f attr set.${attr}) (attrNames set));
|
||||||
|
|
||||||
|
# Extract the options from the given set of parameters.
|
||||||
|
paramsToOptions = ps :
|
||||||
|
mapParamsRecursive (_path: name: param: { "${name}" = param.option; }) ps;
|
||||||
|
|
||||||
|
}
|
@ -0,0 +1,568 @@
|
|||||||
|
lib: with (import ./param-constructors.nix lib);
|
||||||
|
|
||||||
|
let loglevelParams = import ./strongswan-loglevel-params.nix lib;
|
||||||
|
in {
|
||||||
|
accept_unencrypted_mainmode_messages = mkYesNoParam no ''
|
||||||
|
Accept unencrypted ID and HASH payloads in IKEv1 Main Mode. Some
|
||||||
|
implementations send the third Main Mode message unencrypted, probably
|
||||||
|
to find the PSKs for the specified ID for authentication. This is very
|
||||||
|
similar to Aggressive Mode, and has the same security implications: A
|
||||||
|
passive attacker can sniff the negotiated Identity, and start brute
|
||||||
|
forcing the PSK using the HASH payload. It is recommended to keep this
|
||||||
|
option to no, unless you know exactly what the implications are and
|
||||||
|
require compatibility to such devices (for example, some SonicWall
|
||||||
|
boxes).
|
||||||
|
'';
|
||||||
|
|
||||||
|
block_threshold = mkIntParam 5 ''
|
||||||
|
Maximum number of half-open IKE_SAs for a single peer IP.
|
||||||
|
'';
|
||||||
|
|
||||||
|
cache_crls = mkYesNoParam no ''
|
||||||
|
Whether Certicate Revocation Lists (CRLs) fetched via HTTP or LDAP
|
||||||
|
should be saved under a unique file name derived from the public
|
||||||
|
key of the Certification Authority (CA) to
|
||||||
|
<literal>/etc/ipsec.d/crls</literal> (stroke) or
|
||||||
|
<literal>/etc/swanctl/x509crl</literal> (vici), respectively.
|
||||||
|
'';
|
||||||
|
|
||||||
|
cert_cache = mkYesNoParam yes ''
|
||||||
|
Whether relations in validated certificate chains should be cached in memory.
|
||||||
|
'';
|
||||||
|
|
||||||
|
cisco_unity = mkYesNoParam no ''
|
||||||
|
Send Cisco Unity vendor ID payload (IKEv1 only), see unity plugin.
|
||||||
|
'';
|
||||||
|
|
||||||
|
close_ike_on_child_failure = mkYesNoParam no ''
|
||||||
|
Close the IKE_SA if setup of the CHILD_SA along with IKE_AUTH failed.
|
||||||
|
'';
|
||||||
|
|
||||||
|
cookie_threshold = mkIntParam 10 ''
|
||||||
|
Number of half-open IKE_SAs that activate the cookie mechanism.
|
||||||
|
'';
|
||||||
|
|
||||||
|
crypto_test.bench = mkYesNoParam no ''
|
||||||
|
Benchmark crypto algorithms and order them by efficiency.
|
||||||
|
'';
|
||||||
|
|
||||||
|
crypto_test.bench_size = mkIntParam 1024 ''
|
||||||
|
Buffer size used for crypto benchmark.
|
||||||
|
'';
|
||||||
|
|
||||||
|
crypto_test.bench_time = mkIntParam 50 ''
|
||||||
|
Number of iterations to test each algorithm.
|
||||||
|
'';
|
||||||
|
|
||||||
|
crypto_test.on_add = mkYesNoParam no ''
|
||||||
|
Test crypto algorithms during registration
|
||||||
|
(requires test vectors provided by the test-vectors plugin).
|
||||||
|
'';
|
||||||
|
|
||||||
|
crypto_test.on_create = mkYesNoParam no ''
|
||||||
|
Test crypto algorithms on each crypto primitive instantiation.
|
||||||
|
'';
|
||||||
|
|
||||||
|
crypto_test.required = mkYesNoParam no ''
|
||||||
|
Strictly require at least one test vector to enable an algorithm.
|
||||||
|
'';
|
||||||
|
|
||||||
|
crypto_test.rng_true = mkYesNoParam no ''
|
||||||
|
Whether to test RNG with TRUE quality; requires a lot of entropy.
|
||||||
|
'';
|
||||||
|
|
||||||
|
delete_rekeyed = mkYesNoParam no ''
|
||||||
|
Delete CHILD_SAs right after they got successfully rekeyed (IKEv1 only).
|
||||||
|
Reduces the number of stale CHILD_SAs in scenarios with a lot of rekeyings.
|
||||||
|
However, this might cause problems with implementations that continue
|
||||||
|
to use rekeyed SAs until they expire.
|
||||||
|
'';
|
||||||
|
|
||||||
|
delete_rekeyed_delay = mkIntParam 5 ''
|
||||||
|
Delay in seconds until inbound IPsec SAs are deleted after rekeyings
|
||||||
|
(IKEv2 only).
|
||||||
|
</para><para>
|
||||||
|
To process delayed packets the inbound part of a CHILD_SA is kept
|
||||||
|
installed up to the configured number of seconds after it got replaced
|
||||||
|
during a rekeying. If set to 0 the CHILD_SA will be kept installed until
|
||||||
|
it expires (if no lifetime is set it will be destroyed immediately).
|
||||||
|
'';
|
||||||
|
|
||||||
|
dh_exponent_ansi_x9_42 = mkYesNoParam yes ''
|
||||||
|
Use ANSI X9.42 DH exponent size or optimum size matched to
|
||||||
|
cryptographical strength.
|
||||||
|
'';
|
||||||
|
|
||||||
|
dlopen_use_rtld_now = mkYesNoParam no ''
|
||||||
|
Use RTLD_NOW with dlopen() when loading plugins and IMV/IMCs to reveal
|
||||||
|
missing symbols immediately. Useful during development of custom plugins.
|
||||||
|
'';
|
||||||
|
|
||||||
|
dns1 = mkOptionalStrParam ''
|
||||||
|
DNS server assigned to peer via configuration payload (CP), see attr plugin.
|
||||||
|
'';
|
||||||
|
|
||||||
|
dns2 = mkOptionalStrParam ''
|
||||||
|
DNS server assigned to peer via configuration payload (CP).
|
||||||
|
'';
|
||||||
|
|
||||||
|
dos_protection = mkYesNoParam yes ''
|
||||||
|
Enable Denial of Service protection using cookies and aggressiveness checks.
|
||||||
|
'';
|
||||||
|
|
||||||
|
ecp_x_coordinate_only = mkYesNoParam yes ''
|
||||||
|
Compliance with the errata for RFC 4753.
|
||||||
|
'';
|
||||||
|
|
||||||
|
filelog = mkAttrsOfParams ({
|
||||||
|
append = mkYesNoParam yes ''
|
||||||
|
If this option is enabled log entries are appended to the existing file.
|
||||||
|
'';
|
||||||
|
|
||||||
|
flush_line = mkYesNoParam no ''
|
||||||
|
Enabling this option disables block buffering and enables line
|
||||||
|
buffering. That is, a flush to disk is enforced for each logged line.
|
||||||
|
'';
|
||||||
|
|
||||||
|
ike_name = mkYesNoParam no ''
|
||||||
|
Prefix each log entry with the connection name and a unique numerical
|
||||||
|
identifier for each IKE_SA.
|
||||||
|
'';
|
||||||
|
|
||||||
|
time_format = mkOptionalStrParam ''
|
||||||
|
Prefix each log entry with a timestamp. The option accepts a format string
|
||||||
|
as passed to strftime(3).
|
||||||
|
'';
|
||||||
|
|
||||||
|
time_add_ms = mkYesNoParam no ''
|
||||||
|
Adds the milliseconds within the current second after the timestamp
|
||||||
|
(separated by a dot, so time_format should end with %S or %T)
|
||||||
|
'';
|
||||||
|
} // loglevelParams) ''Section to define file loggers, see LoggerConfiguration.'';
|
||||||
|
|
||||||
|
flush_auth_cfg = mkYesNoParam no ''
|
||||||
|
If enabled objects used during authentication (certificates, identities
|
||||||
|
etc.) are released to free memory once an IKE_SA is
|
||||||
|
established. Enabling this might conflict with plugins that later need
|
||||||
|
access to e.g. the used certificates.
|
||||||
|
'';
|
||||||
|
|
||||||
|
follow_redirects = mkYesNoParam yes ''
|
||||||
|
Whether to follow IKEv2 redirects (RFC 5685).
|
||||||
|
'';
|
||||||
|
|
||||||
|
fragment_size = mkIntParam 1280 ''
|
||||||
|
Maximum size (complete IP datagram size in bytes) of a sent IKE fragment
|
||||||
|
when using proprietary IKEv1 or standardized IKEv2 fragmentation,
|
||||||
|
defaults to 1280 (use 0 for address family specific default values,
|
||||||
|
which uses a lower value for IPv4). If specified this limit is used for
|
||||||
|
both IPv4 and IPv6.
|
||||||
|
'';
|
||||||
|
|
||||||
|
group = mkOptionalStrParam ''
|
||||||
|
Name of the group the daemon changes to after startup.
|
||||||
|
'';
|
||||||
|
|
||||||
|
half_open_timeout = mkIntParam 30 ''
|
||||||
|
Timeout in seconds for connecting IKE_SAs, also see IKE_SA_INIT dropping.
|
||||||
|
'';
|
||||||
|
|
||||||
|
hash_and_url = mkYesNoParam no ''
|
||||||
|
Enable hash and URL support.
|
||||||
|
'';
|
||||||
|
|
||||||
|
host_resolver.max_threads = mkIntParam 3 ''
|
||||||
|
Maximum number of concurrent resolver threads (they are terminated if unused).
|
||||||
|
'';
|
||||||
|
|
||||||
|
host_resolver.min_threads = mkIntParam 0 ''
|
||||||
|
Minimum number of resolver threads to keep around.
|
||||||
|
'';
|
||||||
|
|
||||||
|
i_dont_care_about_security_and_use_aggressive_mode_psk = mkYesNoParam no ''
|
||||||
|
If enabled responders are allowed to use IKEv1 Aggressive Mode with
|
||||||
|
pre-shared keys, which is discouraged due to security concerns (offline
|
||||||
|
attacks on the openly transmitted hash of the PSK).
|
||||||
|
'';
|
||||||
|
|
||||||
|
ignore_acquire_ts = mkYesNoParam no ''
|
||||||
|
If this is disabled the traffic selectors from the kernel's acquire
|
||||||
|
events, which are derived from the triggering packet, are prepended to
|
||||||
|
the traffic selectors from the configuration for IKEv2 connection. By
|
||||||
|
enabling this, such specific traffic selectors will be ignored and only
|
||||||
|
the ones in the config will be sent. This always happens for IKEv1
|
||||||
|
connections as the protocol only supports one set of traffic selectors
|
||||||
|
per CHILD_SA.
|
||||||
|
'';
|
||||||
|
|
||||||
|
ignore_routing_tables = mkSpaceSepListParam [] ''
|
||||||
|
A space-separated list of routing tables to be excluded from route lookup.
|
||||||
|
'';
|
||||||
|
|
||||||
|
ikesa_limit = mkIntParam 0 ''
|
||||||
|
Maximum number of IKE_SAs that can be established at the same time
|
||||||
|
before new connection attempts are blocked.
|
||||||
|
'';
|
||||||
|
|
||||||
|
ikesa_table_segments = mkIntParam 1 ''
|
||||||
|
Number of exclusively locked segments in the hash table, see IKE_SA
|
||||||
|
lookup tuning.
|
||||||
|
'';
|
||||||
|
|
||||||
|
ikesa_table_size = mkIntParam 1 ''
|
||||||
|
Size of the IKE_SA hash table, see IKE_SA lookup tuning.
|
||||||
|
'';
|
||||||
|
|
||||||
|
inactivity_close_ike = mkYesNoParam no ''
|
||||||
|
Whether to close IKE_SA if the only CHILD_SA closed due to inactivity.
|
||||||
|
'';
|
||||||
|
|
||||||
|
init_limit_half_open = mkIntParam 0 ''
|
||||||
|
Limit new connections based on the current number of half open IKE_SAs,
|
||||||
|
see IKE_SA_INIT dropping.
|
||||||
|
'';
|
||||||
|
|
||||||
|
init_limit_job_load = mkIntParam 0 ''
|
||||||
|
Limit new connections based on the number of jobs currently queued for
|
||||||
|
processing, see IKE_SA_INIT dropping.
|
||||||
|
'';
|
||||||
|
|
||||||
|
initiator_only = mkYesNoParam no ''
|
||||||
|
Causes charon daemon to ignore IKE initiation requests.
|
||||||
|
'';
|
||||||
|
|
||||||
|
install_routes = mkYesNoParam yes ''
|
||||||
|
Install routes into a separate routing table for established IPsec
|
||||||
|
tunnels. If disabled a more efficient lookup for source and next-hop
|
||||||
|
addresses is used since 5.5.2.
|
||||||
|
'';
|
||||||
|
|
||||||
|
install_virtual_ip = mkYesNoParam yes ''
|
||||||
|
Install virtual IP addresses.
|
||||||
|
'';
|
||||||
|
|
||||||
|
install_virtual_ip_on = mkOptionalStrParam ''
|
||||||
|
The name of the interface on which virtual IP addresses should be
|
||||||
|
installed. If not specified the addresses will be installed on the
|
||||||
|
outbound interface.
|
||||||
|
'';
|
||||||
|
|
||||||
|
integrity_test = mkYesNoParam no ''
|
||||||
|
Check daemon, libstrongswan and plugin integrity at startup.
|
||||||
|
'';
|
||||||
|
|
||||||
|
interfaces_ignore = mkCommaSepListParam [] ''
|
||||||
|
List of network interfaces that should be ignored, if
|
||||||
|
<option>interfaces_use</option> is specified this option has no effect.
|
||||||
|
'';
|
||||||
|
|
||||||
|
interfaces_use = mkCommaSepListParam [] ''
|
||||||
|
List of network interfaces that should be used by
|
||||||
|
charon. All other interfaces are ignored.
|
||||||
|
'';
|
||||||
|
|
||||||
|
keep_alive = mkIntParam 20 ''
|
||||||
|
NAT keep alive interval in seconds.
|
||||||
|
'';
|
||||||
|
|
||||||
|
leak_detective.detailed = mkYesNoParam yes ''
|
||||||
|
Includes source file names and line numbers in leak detective output.
|
||||||
|
'';
|
||||||
|
|
||||||
|
leak_detective.usage_threshold = mkIntParam 10240 ''
|
||||||
|
Threshold in bytes for leaks to be reported (0 to report all).
|
||||||
|
'';
|
||||||
|
|
||||||
|
leak_detective.usage_threshold_count = mkIntParam 0 ''
|
||||||
|
Threshold in number of allocations for leaks to be reported (0 to report
|
||||||
|
all).
|
||||||
|
'';
|
||||||
|
|
||||||
|
load = mkSpaceSepListParam [] ''
|
||||||
|
Plugins to load in IKEv2 charon daemon, see PluginLoad.
|
||||||
|
'';
|
||||||
|
|
||||||
|
load_modular = mkYesNoParam no ''
|
||||||
|
If enabled the list of plugins to load is determined by individual load
|
||||||
|
settings for each plugin, see PluginLoad.
|
||||||
|
'';
|
||||||
|
|
||||||
|
make_before_break = mkYesNoParam no ''
|
||||||
|
Initiate IKEv2 reauthentication with a make-before-break instead of a
|
||||||
|
break-before-make scheme. Make-before-break uses overlapping IKE and
|
||||||
|
CHILD_SA during reauthentication by first recreating all new SAs before
|
||||||
|
deleting the old ones. This behavior can be beneficial to avoid
|
||||||
|
connectivity gaps during reauthentication, but requires support for
|
||||||
|
overlapping SAs by the peer. strongSwan can handle such overlapping SAs
|
||||||
|
since 5.3.0.
|
||||||
|
'';
|
||||||
|
|
||||||
|
max_ikev1_exchanges = mkIntParam 3 ''
|
||||||
|
Maximum number of IKEv1 phase 2 exchanges per IKE_SA to keep state about
|
||||||
|
and track concurrently.
|
||||||
|
'';
|
||||||
|
|
||||||
|
max_packet = mkIntParam 10000 ''
|
||||||
|
Maximum packet size accepted by charon.
|
||||||
|
'';
|
||||||
|
|
||||||
|
multiple_authentication = mkYesNoParam yes ''
|
||||||
|
Enable multiple authentication exchanges (RFC 4739).
|
||||||
|
'';
|
||||||
|
|
||||||
|
nbns1 = mkOptionalStrParam ''
|
||||||
|
WINS server assigned to peer via configuration payload (CP), see attr
|
||||||
|
plugin.
|
||||||
|
'';
|
||||||
|
|
||||||
|
nbns2 = mkOptionalStrParam ''
|
||||||
|
WINS server assigned to peer via configuration payload (CP).
|
||||||
|
'';
|
||||||
|
|
||||||
|
port = mkIntParam 500 ''
|
||||||
|
UDP port used locally. If set to 0 a random port will be allocated.
|
||||||
|
'';
|
||||||
|
|
||||||
|
port_nat_t = mkIntParam 4500 ''
|
||||||
|
UDP port used locally in case of NAT-T. If set to 0 a random port will
|
||||||
|
be allocated. Has to be different from charon.port, otherwise a random
|
||||||
|
port will be allocated.
|
||||||
|
'';
|
||||||
|
|
||||||
|
prefer_best_path = mkYesNoParam no ''
|
||||||
|
By default, charon keeps SAs on the routing path with addresses it
|
||||||
|
previously used if that path is still usable. By enabling this option,
|
||||||
|
it tries more aggressively to update SAs with MOBIKE on routing priority
|
||||||
|
changes using the cheapest path. This adds more noise, but allows to
|
||||||
|
dynamically adapt SAs to routing priority changes. This option has no
|
||||||
|
effect if MOBIKE is not supported or disabled.
|
||||||
|
'';
|
||||||
|
|
||||||
|
prefer_configured_proposals = mkYesNoParam yes ''
|
||||||
|
Prefer locally configured proposals for IKE/IPsec over supplied ones as
|
||||||
|
responder (disabling this can avoid keying retries due to
|
||||||
|
INVALID_KE_PAYLOAD notifies).
|
||||||
|
'';
|
||||||
|
|
||||||
|
prefer_temporary_addrs = mkYesNoParam no ''
|
||||||
|
By default public IPv6 addresses are preferred over temporary ones
|
||||||
|
(according to RFC 4941), to make connections more stable. Enable this
|
||||||
|
option to reverse this.
|
||||||
|
'';
|
||||||
|
|
||||||
|
process_route = mkYesNoParam yes ''
|
||||||
|
Process RTM_NEWROUTE and RTM_DELROUTE events.
|
||||||
|
'';
|
||||||
|
|
||||||
|
processor.priority_threads = {
|
||||||
|
critical = mkIntParam 0 ''
|
||||||
|
Threads reserved for CRITICAL priority class jobs.
|
||||||
|
'';
|
||||||
|
|
||||||
|
high = mkIntParam 0 ''
|
||||||
|
Threads reserved for HIGH priority class jobs.
|
||||||
|
'';
|
||||||
|
|
||||||
|
medium = mkIntParam 0 ''
|
||||||
|
Threads reserved for MEDIUM priority class jobs.
|
||||||
|
'';
|
||||||
|
|
||||||
|
low = mkIntParam 0 ''
|
||||||
|
Threads reserved for LOW priority class jobs.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
receive_delay = mkIntParam 0 ''
|
||||||
|
Delay in ms for receiving packets, to simulate larger RTT.
|
||||||
|
'';
|
||||||
|
|
||||||
|
receive_delay_response = mkYesNoParam yes ''
|
||||||
|
Delay response messages.
|
||||||
|
'';
|
||||||
|
|
||||||
|
receive_delay_request = mkYesNoParam yes ''
|
||||||
|
Delay request messages.
|
||||||
|
'';
|
||||||
|
|
||||||
|
receive_delay_type = mkIntParam 0 ''
|
||||||
|
Specific IKEv2 message type to delay, 0 for any.
|
||||||
|
'';
|
||||||
|
|
||||||
|
replay_window = mkIntParam 32 ''
|
||||||
|
Size of the AH/ESP replay window, in packets.
|
||||||
|
'';
|
||||||
|
|
||||||
|
retransmit_base = mkFloatParam "1.8" ''
|
||||||
|
Base to use for calculating exponential back off, see Retransmission.
|
||||||
|
'';
|
||||||
|
|
||||||
|
retransmit_jitter = mkIntParam 0 ''
|
||||||
|
Maximum jitter in percent to apply randomly to calculated retransmission
|
||||||
|
timeout (0 to disable).
|
||||||
|
'';
|
||||||
|
|
||||||
|
retransmit_limit = mkIntParam 0 ''
|
||||||
|
Upper limit in seconds for calculated retransmission timeout (0 to
|
||||||
|
disable).
|
||||||
|
'';
|
||||||
|
|
||||||
|
retransmit_timeout = mkFloatParam "4.0" ''
|
||||||
|
Timeout in seconds before sending first retransmit.
|
||||||
|
'';
|
||||||
|
|
||||||
|
retransmit_tries = mkIntParam 5 ''
|
||||||
|
Number of times to retransmit a packet before giving up.
|
||||||
|
'';
|
||||||
|
|
||||||
|
retry_initiate_interval = mkIntParam 0 ''
|
||||||
|
Interval in seconds to use when retrying to initiate an IKE_SA (e.g. if
|
||||||
|
DNS resolution failed), 0 to disable retries.
|
||||||
|
'';
|
||||||
|
|
||||||
|
reuse_ikesa = mkYesNoParam yes ''
|
||||||
|
Initiate CHILD_SA within existing IKE_SAs (always enabled for IKEv1).
|
||||||
|
'';
|
||||||
|
|
||||||
|
routing_table = mkIntParam 220 ''
|
||||||
|
Numerical routing table to install routes to.
|
||||||
|
'';
|
||||||
|
|
||||||
|
routing_table_prio = mkIntParam 220 ''
|
||||||
|
Priority of the routing table.
|
||||||
|
'';
|
||||||
|
|
||||||
|
send_delay = mkIntParam 0 ''
|
||||||
|
Delay in ms for sending packets, to simulate larger RTT.
|
||||||
|
'';
|
||||||
|
|
||||||
|
send_delay_request = mkYesNoParam yes ''
|
||||||
|
Delay request messages.
|
||||||
|
'';
|
||||||
|
|
||||||
|
send_delay_response = mkYesNoParam yes ''
|
||||||
|
Delay response messages.
|
||||||
|
'';
|
||||||
|
|
||||||
|
send_delay_type = mkIntParam 0 ''
|
||||||
|
Specific IKEv2 message type to delay, 0 for any.
|
||||||
|
'';
|
||||||
|
|
||||||
|
send_vendor_id = mkYesNoParam no ''
|
||||||
|
Send strongSwan vendor ID payload.
|
||||||
|
'';
|
||||||
|
|
||||||
|
signature_authentication = mkYesNoParam yes ''
|
||||||
|
Whether to enable Signature Authentication as per RFC 7427.
|
||||||
|
'';
|
||||||
|
|
||||||
|
signature_authentication_constraints = mkYesNoParam yes ''
|
||||||
|
If enabled, signature schemes configured in rightauth, in addition to
|
||||||
|
getting used as constraints against signature schemes employed in the
|
||||||
|
certificate chain, are also used as constraints against the signature
|
||||||
|
scheme used by peers during IKEv2.
|
||||||
|
'';
|
||||||
|
|
||||||
|
spi_min = mkHexParam "0xc0000000" ''
|
||||||
|
The lower limit for SPIs requested from the kernel for IPsec SAs. Should
|
||||||
|
not be set lower than 0x00000100 (256), as SPIs between 1 and 255 are
|
||||||
|
reserved by IANA.
|
||||||
|
'';
|
||||||
|
|
||||||
|
spi_max = mkHexParam "0xcfffffff" ''
|
||||||
|
The upper limit for SPIs requested from the kernel for IPsec SAs.
|
||||||
|
'';
|
||||||
|
|
||||||
|
start-scripts = mkAttrsOfParam (mkStrParam "" "") ''
|
||||||
|
Section containing a list of scripts (name = path) that are executed
|
||||||
|
when the daemon is started.
|
||||||
|
'';
|
||||||
|
|
||||||
|
stop-scripts = mkAttrsOfParam (mkStrParam "" "") ''
|
||||||
|
Section containing a list of scripts (name = path) that are executed
|
||||||
|
when the daemon is terminated.
|
||||||
|
'';
|
||||||
|
|
||||||
|
syslog = loglevelParams // {
|
||||||
|
identifier = mkOptionalStrParam ''
|
||||||
|
Identifier for use with openlog(3).
|
||||||
|
</para><para>
|
||||||
|
Global identifier used for an openlog(3) call, prepended to each log
|
||||||
|
message by syslog. If not configured, openlog(3) is not called, so
|
||||||
|
the value will depend on system defaults (often the program name).
|
||||||
|
'';
|
||||||
|
|
||||||
|
ike_name = mkYesNoParam no ''
|
||||||
|
Prefix each log entry with the connection name and a unique numerical
|
||||||
|
identifier for each IKE_SA.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
threads = mkIntParam 16 ''
|
||||||
|
Number of worker threads in charon. Several of these are reserved for
|
||||||
|
long running tasks in internal modules and plugins. Therefore, make sure
|
||||||
|
you don't set this value too low. The number of idle worker threads
|
||||||
|
listed in ipsec statusall might be used as indicator on the number of
|
||||||
|
reserved threads (JobPriority has more on this).
|
||||||
|
'';
|
||||||
|
|
||||||
|
user = mkOptionalStrParam ''
|
||||||
|
Name of the user the daemon changes to after startup.
|
||||||
|
'';
|
||||||
|
|
||||||
|
x509.enforce_critical = mkYesNoParam yes ''
|
||||||
|
Discard certificates with unsupported or unknown critical extensions.
|
||||||
|
'';
|
||||||
|
|
||||||
|
plugins = import ./strongswan-charon-plugins-params.nix lib;
|
||||||
|
|
||||||
|
imcv = {
|
||||||
|
assessment_result = mkYesNoParam yes ''
|
||||||
|
Whether IMVs send a standard IETF Assessment Result attribute.
|
||||||
|
'';
|
||||||
|
|
||||||
|
database = mkOptionalStrParam ''
|
||||||
|
Global IMV policy database URI. If it contains a password, make sure to
|
||||||
|
adjust the permissions of the config file accordingly.
|
||||||
|
'';
|
||||||
|
|
||||||
|
os_info.default_password_enabled = mkYesNoParam no ''
|
||||||
|
Manually set whether a default password is enabled.
|
||||||
|
'';
|
||||||
|
|
||||||
|
os_info.name = mkOptionalStrParam ''
|
||||||
|
Manually set the name of the client OS (e.g. <literal>NixOS</literal>).
|
||||||
|
'';
|
||||||
|
|
||||||
|
os_info.version = mkOptionalStrParam ''
|
||||||
|
Manually set the version of the client OS (e.g. <literal>17.09</literal>).
|
||||||
|
'';
|
||||||
|
|
||||||
|
policy_script = mkStrParam "ipsec _imv_policy" ''
|
||||||
|
Script called for each TNC connection to generate IMV policies.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
tls = {
|
||||||
|
cipher = mkSpaceSepListParam [] ''
|
||||||
|
List of TLS encryption ciphers.
|
||||||
|
'';
|
||||||
|
|
||||||
|
key_exchange = mkSpaceSepListParam [] ''
|
||||||
|
List of TLS key exchange methods.
|
||||||
|
'';
|
||||||
|
|
||||||
|
mac = mkSpaceSepListParam [] ''
|
||||||
|
List of TLS MAC algorithms.
|
||||||
|
'';
|
||||||
|
|
||||||
|
suites = mkSpaceSepListParam [] ''
|
||||||
|
List of TLS cipher suites.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
tnc = {
|
||||||
|
libtnccs.tnc_config = mkStrParam "/etc/tnc_config" ''
|
||||||
|
TNC IMC/IMV configuration file.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,291 @@
|
|||||||
|
lib : with (import ./param-constructors.nix lib); {
|
||||||
|
debug_level = mkIntParam 1 ''
|
||||||
|
Debug level for a stand-alone libimcv library.
|
||||||
|
'';
|
||||||
|
|
||||||
|
load = mkSpaceSepListParam ["random" "nonce" "gmp" "pubkey" "x509"] ''
|
||||||
|
Plugins to load in IMC/IMVs with stand-alone libimcv library.
|
||||||
|
'';
|
||||||
|
|
||||||
|
stderr_quiet = mkYesNoParam no ''
|
||||||
|
Disable the output to stderr with a stand-alone libimcv library.
|
||||||
|
'';
|
||||||
|
|
||||||
|
swid_gen = {
|
||||||
|
command = mkStrParam "/usr/local/bin/swid_generator" ''
|
||||||
|
SWID generator command to be executed.
|
||||||
|
'';
|
||||||
|
|
||||||
|
tag_creator = {
|
||||||
|
name = mkStrParam "strongSwan Project" ''
|
||||||
|
Name of the tagCreator entity.
|
||||||
|
'';
|
||||||
|
|
||||||
|
regid = mkStrParam "strongswan.org" ''
|
||||||
|
regid of the tagCreator entity.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
plugins = {
|
||||||
|
|
||||||
|
imc-attestation = {
|
||||||
|
aik_blob = mkOptionalStrParam ''
|
||||||
|
AIK encrypted private key blob file.
|
||||||
|
'';
|
||||||
|
|
||||||
|
aik_cert = mkOptionalStrParam ''
|
||||||
|
AIK certificate file.
|
||||||
|
'';
|
||||||
|
|
||||||
|
aik_handle = mkOptionalStrParam ''
|
||||||
|
AIK object handle, e.g. 0x81010003.
|
||||||
|
'';
|
||||||
|
|
||||||
|
aik_pubkey = mkOptionalStrParam ''
|
||||||
|
AIK public key file.
|
||||||
|
'';
|
||||||
|
|
||||||
|
mandatory_dh_groups = mkYesNoParam yes ''
|
||||||
|
Enforce mandatory Diffie-Hellman groups
|
||||||
|
'';
|
||||||
|
|
||||||
|
nonce_len = mkIntParam 20 ''
|
||||||
|
DH nonce length.
|
||||||
|
'';
|
||||||
|
|
||||||
|
pcr_info = mkYesNoParam no ''
|
||||||
|
Whether to send pcr_before and pcr_after info.
|
||||||
|
'';
|
||||||
|
|
||||||
|
use_quote2 = mkYesNoParam yes ''
|
||||||
|
Use Quote2 AIK signature instead of Quote signature.
|
||||||
|
'';
|
||||||
|
|
||||||
|
use_version_info = mkYesNoParam no ''
|
||||||
|
Version Info is included in Quote2 signature.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
imc-hcd.push_info = mkYesNoParam yes ''
|
||||||
|
Send quadruple info without being prompted.
|
||||||
|
'';
|
||||||
|
|
||||||
|
imc-hcd.subtypes = let
|
||||||
|
imcHcdSubtypeParams = let
|
||||||
|
softwareParams = mkAttrsOfParams {
|
||||||
|
name = mkOptionalStrParam ''
|
||||||
|
Name of the software installed on the hardcopy device.
|
||||||
|
'';
|
||||||
|
|
||||||
|
patches = mkOptionalStrParam ''
|
||||||
|
String describing all patches applied to the given software on this
|
||||||
|
hardcopy device. The individual patches are separated by a newline
|
||||||
|
character '\\n'.
|
||||||
|
'';
|
||||||
|
|
||||||
|
string_version = mkOptionalStrParam ''
|
||||||
|
String describing the version of the given software on this hardcopy device.
|
||||||
|
'';
|
||||||
|
|
||||||
|
version = mkOptionalStrParam ''
|
||||||
|
Hex-encoded version string with a length of 16 octets consisting of
|
||||||
|
the fields major version number (4 octets), minor version number (4
|
||||||
|
octets), build number (4 octets), service pack major number (2
|
||||||
|
octets) and service pack minor number (2 octets).
|
||||||
|
'';
|
||||||
|
} ''
|
||||||
|
Defines a software section having an arbitrary name.
|
||||||
|
'';
|
||||||
|
in {
|
||||||
|
firmware = softwareParams;
|
||||||
|
resident_application = softwareParams;
|
||||||
|
user_application = softwareParams;
|
||||||
|
attributes_natural_language = mkStrParam "en" ''
|
||||||
|
Variable length natural language tag conforming to RFC 5646 specifies
|
||||||
|
the language to be used in the health assessment message of a given
|
||||||
|
subtype.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
system = imcHcdSubtypeParams // {
|
||||||
|
certification_state = mkOptionalStrParam ''
|
||||||
|
Hex-encoded certification state.
|
||||||
|
'';
|
||||||
|
|
||||||
|
configuration_state = mkOptionalStrParam ''
|
||||||
|
Hex-encoded configuration state.
|
||||||
|
'';
|
||||||
|
|
||||||
|
machine_type_model = mkOptionalStrParam ''
|
||||||
|
String specifying the machine type and model of the hardcopy device.
|
||||||
|
'';
|
||||||
|
|
||||||
|
pstn_fax_enabled = mkYesNoParam no ''
|
||||||
|
Specifies if a PSTN facsimile interface is installed and enabled on the
|
||||||
|
hardcopy device.
|
||||||
|
'';
|
||||||
|
|
||||||
|
time_source = mkOptionalStrParam ''
|
||||||
|
String specifying the hostname of the network time server used by the
|
||||||
|
hardcopy device.
|
||||||
|
'';
|
||||||
|
|
||||||
|
user_application_enabled = mkYesNoParam no ''
|
||||||
|
Specifies if users can dynamically download and execute applications on
|
||||||
|
the hardcopy device.
|
||||||
|
'';
|
||||||
|
|
||||||
|
user_application_persistence_enabled = mkYesNoParam no ''
|
||||||
|
Specifies if user dynamically downloaded applications can persist outside
|
||||||
|
the boundaries of a single job on the hardcopy device.
|
||||||
|
'';
|
||||||
|
|
||||||
|
vendor_name = mkOptionalStrParam ''
|
||||||
|
String specifying the manufacturer of the hardcopy device.
|
||||||
|
'';
|
||||||
|
|
||||||
|
vendor_smi_code = mkOptionalIntParam ''
|
||||||
|
Integer specifying the globally unique 24-bit SMI code assigned to the
|
||||||
|
manufacturer of the hardcopy device.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
control = imcHcdSubtypeParams;
|
||||||
|
marker = imcHcdSubtypeParams;
|
||||||
|
finisher = imcHcdSubtypeParams;
|
||||||
|
interface = imcHcdSubtypeParams;
|
||||||
|
scanner = imcHcdSubtypeParams;
|
||||||
|
};
|
||||||
|
|
||||||
|
imc-os = {
|
||||||
|
device_cert = mkOptionalStrParam ''
|
||||||
|
Manually set the path to the client device certificate
|
||||||
|
(e.g. /etc/pts/aikCert.der)
|
||||||
|
'';
|
||||||
|
|
||||||
|
device_id = mkOptionalStrParam ''
|
||||||
|
Manually set the client device ID in hexadecimal format
|
||||||
|
(e.g. 1083f03988c9762703b1c1080c2e46f72b99cc31)
|
||||||
|
'';
|
||||||
|
|
||||||
|
device_pubkey = mkOptionalStrParam ''
|
||||||
|
Manually set the path to the client device public key
|
||||||
|
(e.g. /etc/pts/aikPub.der)
|
||||||
|
'';
|
||||||
|
|
||||||
|
push_info = mkYesNoParam yes ''
|
||||||
|
Send operating system info without being prompted.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
imc-scanner.push_info = mkYesNoParam yes ''
|
||||||
|
Send open listening ports without being prompted.
|
||||||
|
'';
|
||||||
|
|
||||||
|
imc-swid = {
|
||||||
|
swid_full = mkYesNoParam no ''
|
||||||
|
Include file information in the XML-encoded SWID tags.
|
||||||
|
'';
|
||||||
|
|
||||||
|
swid_pretty = mkYesNoParam no ''
|
||||||
|
Generate XML-encoded SWID tags with pretty indentation.
|
||||||
|
'';
|
||||||
|
|
||||||
|
swid_directory = mkStrParam "\${prefix}/share" ''
|
||||||
|
Directory where SWID tags are located.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
imc-swima = {
|
||||||
|
eid_epoch = mkHexParam "0x11223344" ''
|
||||||
|
Set 32 bit epoch value for event IDs manually if software collector
|
||||||
|
database is not available.
|
||||||
|
'';
|
||||||
|
|
||||||
|
swid_database = mkOptionalStrParam ''
|
||||||
|
URI to software collector database containing event timestamps, software
|
||||||
|
creation and deletion events and collected software identifiers. If it
|
||||||
|
contains a password, make sure to adjust the permissions of the config
|
||||||
|
file accordingly.
|
||||||
|
'';
|
||||||
|
|
||||||
|
swid_directory = mkStrParam "\${prefix}/share" ''
|
||||||
|
Directory where SWID tags are located.
|
||||||
|
'';
|
||||||
|
|
||||||
|
swid_pretty = mkYesNoParam no ''
|
||||||
|
Generate XML-encoded SWID tags with pretty indentation.
|
||||||
|
'';
|
||||||
|
|
||||||
|
swid_full = mkYesNoParam no ''
|
||||||
|
Include file information in the XML-encoded SWID tags.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
imc-test = {
|
||||||
|
additional_ids = mkIntParam 0 ''
|
||||||
|
Number of additional IMC IDs.
|
||||||
|
'';
|
||||||
|
|
||||||
|
command = mkStrParam "none" ''
|
||||||
|
Command to be sent to the Test IMV.
|
||||||
|
'';
|
||||||
|
|
||||||
|
dummy_size = mkIntParam 0 ''
|
||||||
|
Size of dummy attribute to be sent to the Test IMV (0 = disabled).
|
||||||
|
'';
|
||||||
|
|
||||||
|
retry = mkYesNoParam no ''
|
||||||
|
Do a handshake retry.
|
||||||
|
'';
|
||||||
|
|
||||||
|
retry_command = mkOptionalStrParam ''
|
||||||
|
Command to be sent to the IMV Test in the handshake retry.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
imv-attestation = {
|
||||||
|
cadir = mkOptionalStrParam ''
|
||||||
|
Path to directory with AIK cacerts.
|
||||||
|
'';
|
||||||
|
|
||||||
|
dh_group = mkStrParam "ecp256" ''
|
||||||
|
Preferred Diffie-Hellman group.
|
||||||
|
'';
|
||||||
|
|
||||||
|
hash_algorithm = mkStrParam "sha256" ''
|
||||||
|
Preferred measurement hash algorithm.
|
||||||
|
'';
|
||||||
|
|
||||||
|
min_nonce_len = mkIntParam 0 ''
|
||||||
|
DH minimum nonce length.
|
||||||
|
'';
|
||||||
|
|
||||||
|
remediation_uri = mkOptionalStrParam ''
|
||||||
|
URI pointing to attestation remediation instructions.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
imv-os.remediation_uri = mkOptionalStrParam ''
|
||||||
|
URI pointing to operating system remediation instructions.
|
||||||
|
'';
|
||||||
|
|
||||||
|
imv-scanner.remediation_uri = mkOptionalStrParam ''
|
||||||
|
URI pointing to scanner remediation instructions.
|
||||||
|
'';
|
||||||
|
|
||||||
|
imv-swima.rest_api = {
|
||||||
|
uri = mkOptionalStrParam ''
|
||||||
|
HTTP URI of the SWID REST API.
|
||||||
|
'';
|
||||||
|
|
||||||
|
timeout = mkIntParam 120 ''
|
||||||
|
Timeout of SWID REST API HTTP POST transaction.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
imv-test.rounds = mkIntParam 0 ''
|
||||||
|
Number of IMC-IMV retry rounds.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
@ -0,0 +1,29 @@
|
|||||||
|
lib : with (import ./param-constructors.nix lib);
|
||||||
|
|
||||||
|
let mkJournalParam = description :
|
||||||
|
mkEnumParam [(-1) 0 1 2 3 4] 0 "Logging level for ${description}";
|
||||||
|
in {
|
||||||
|
default = mkIntParam 1 ''
|
||||||
|
Specifies the default loglevel to be used for subsystems for which no
|
||||||
|
specific loglevel is defined.
|
||||||
|
'';
|
||||||
|
|
||||||
|
app = mkJournalParam "applications other than daemons.";
|
||||||
|
asn = mkJournalParam "low-level encoding/decoding (ASN.1, X.509 etc.)";
|
||||||
|
cfg = mkJournalParam "configuration management and plugins.";
|
||||||
|
chd = mkJournalParam "CHILD_SA/IPsec SA.";
|
||||||
|
dmn = mkJournalParam "main daemon setup/cleanup/signal handling.";
|
||||||
|
enc = mkJournalParam "packet encoding/decoding encryption/decryption operations.";
|
||||||
|
esp = mkJournalParam "libipsec library messages.";
|
||||||
|
ike = mkJournalParam "IKE_SA/ISAKMP SA.";
|
||||||
|
imc = mkJournalParam "integrity Measurement Collector.";
|
||||||
|
imv = mkJournalParam "integrity Measurement Verifier.";
|
||||||
|
job = mkJournalParam "jobs queuing/processing and thread pool management.";
|
||||||
|
knl = mkJournalParam "IPsec/Networking kernel interface.";
|
||||||
|
lib = mkJournalParam "libstrongwan library messages.";
|
||||||
|
mgr = mkJournalParam "IKE_SA manager, handling synchronization for IKE_SA access.";
|
||||||
|
net = mkJournalParam "IKE network communication.";
|
||||||
|
pts = mkJournalParam "platform Trust Service.";
|
||||||
|
tls = mkJournalParam "libtls library messages.";
|
||||||
|
tnc = mkJournalParam "trusted Network Connect.";
|
||||||
|
}
|
@ -0,0 +1,228 @@
|
|||||||
|
# See: https://wiki.strongswan.org/projects/strongswan/wiki/StrongswanConf
|
||||||
|
#
|
||||||
|
# When strongSwan is upgraded please update the parameters in this file. You can
|
||||||
|
# see which parameters should be deleted, changed or added by diffing
|
||||||
|
# the strongswan conf directory:
|
||||||
|
#
|
||||||
|
# git clone https://github.com/strongswan/strongswan.git
|
||||||
|
# cd strongswan
|
||||||
|
# git diff 5.5.3..5.6.0 conf/
|
||||||
|
|
||||||
|
lib: with (import ./param-constructors.nix lib);
|
||||||
|
|
||||||
|
let charonParams = import ./strongswan-charon-params.nix lib;
|
||||||
|
in {
|
||||||
|
aikgen = {
|
||||||
|
load = mkSpaceSepListParam [] ''
|
||||||
|
Plugins to load in ipsec aikgen tool.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
attest = {
|
||||||
|
database = mkOptionalStrParam ''
|
||||||
|
File measurement information database URI. If it contains a password,
|
||||||
|
make sure to adjust the permissions of the config file accordingly.
|
||||||
|
'';
|
||||||
|
|
||||||
|
load = mkSpaceSepListParam [] ''
|
||||||
|
Plugins to load in ipsec attest tool.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
charon = charonParams;
|
||||||
|
|
||||||
|
charon-nm = {
|
||||||
|
ca_dir = mkStrParam "<default>" ''
|
||||||
|
Directory from which to load CA certificates if no certificate is
|
||||||
|
configured.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
charon-systemd = charonParams // {
|
||||||
|
journal = import ./strongswan-loglevel-params.nix lib;
|
||||||
|
};
|
||||||
|
|
||||||
|
imv_policy_manager = {
|
||||||
|
command_allow = mkOptionalStrParam ''
|
||||||
|
Shell command to be executed with recommendation allow.
|
||||||
|
'';
|
||||||
|
|
||||||
|
command_block = mkOptionalStrParam ''
|
||||||
|
Shell command to be executed with all other recommendations.
|
||||||
|
'';
|
||||||
|
|
||||||
|
database = mkOptionalStrParam ''
|
||||||
|
Database URI for the database that stores the package information. If it
|
||||||
|
contains a password, make sure to adjust permissions of the config file
|
||||||
|
accordingly.
|
||||||
|
'';
|
||||||
|
|
||||||
|
load = mkSpaceSepListParam ["sqlite"] ''
|
||||||
|
Plugins to load in IMV policy manager.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
libimcv = import ./strongswan-libimcv-params.nix lib;
|
||||||
|
|
||||||
|
manager = {
|
||||||
|
database = mkOptionalStrParam ''
|
||||||
|
Credential database URI for manager. If it contains a password, make
|
||||||
|
sure to adjust the permissions of the config file accordingly.
|
||||||
|
'';
|
||||||
|
|
||||||
|
debug = mkYesNoParam no ''
|
||||||
|
Enable debugging in manager.
|
||||||
|
'';
|
||||||
|
|
||||||
|
load = mkSpaceSepListParam [] ''
|
||||||
|
Plugins to load in manager.
|
||||||
|
'';
|
||||||
|
|
||||||
|
socket = mkOptionalStrParam ''
|
||||||
|
FastCGI socket of manager, to run it statically.
|
||||||
|
'';
|
||||||
|
|
||||||
|
threads = mkIntParam 10 ''
|
||||||
|
Threads to use for request handling.
|
||||||
|
'';
|
||||||
|
|
||||||
|
timeout = mkDurationParam "15m" ''
|
||||||
|
Session timeout for manager.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
medcli = {
|
||||||
|
database = mkOptionalStrParam ''
|
||||||
|
Mediation client database URI. If it contains a password, make sure to
|
||||||
|
adjust the permissions of the config file accordingly.
|
||||||
|
'';
|
||||||
|
|
||||||
|
dpd = mkDurationParam "5m" ''
|
||||||
|
DPD timeout to use in mediation client plugin.
|
||||||
|
'';
|
||||||
|
|
||||||
|
rekey = mkDurationParam "20m" ''
|
||||||
|
Rekeying time on mediation connections in mediation client plugin.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
medsrv = {
|
||||||
|
database = mkOptionalStrParam ''
|
||||||
|
Mediation server database URI. If it contains a password, make sure to
|
||||||
|
adjust the permissions of the config file accordingly.
|
||||||
|
'';
|
||||||
|
|
||||||
|
debug = mkYesNoParam no ''
|
||||||
|
Debugging in mediation server web application.
|
||||||
|
'';
|
||||||
|
|
||||||
|
dpd = mkDurationParam "5m" ''
|
||||||
|
DPD timeout to use in mediation server plugin.
|
||||||
|
'';
|
||||||
|
|
||||||
|
load = mkSpaceSepListParam [] ''
|
||||||
|
Plugins to load in mediation server plugin.
|
||||||
|
'';
|
||||||
|
|
||||||
|
password_length = mkIntParam 6 ''
|
||||||
|
Minimum password length required for mediation server user accounts.
|
||||||
|
'';
|
||||||
|
|
||||||
|
rekey = mkDurationParam "20m" ''
|
||||||
|
Rekeying time on mediation connections in mediation server plugin.
|
||||||
|
'';
|
||||||
|
|
||||||
|
socket = mkOptionalStrParam ''
|
||||||
|
Run Mediation server web application statically on socket.
|
||||||
|
'';
|
||||||
|
|
||||||
|
threads = mkIntParam 5 ''
|
||||||
|
Number of thread for mediation service web application.
|
||||||
|
'';
|
||||||
|
|
||||||
|
timeout = mkDurationParam "15m" ''
|
||||||
|
Session timeout for mediation service.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
pacman.database = mkOptionalStrParam ''
|
||||||
|
Database URI for the database that stores the package information. If it
|
||||||
|
contains a password, make sure to adjust the permissions of the config
|
||||||
|
file accordingly.
|
||||||
|
'';
|
||||||
|
|
||||||
|
pki.load = mkSpaceSepListParam [] ''
|
||||||
|
Plugins to load in ipsec pki tool.
|
||||||
|
'';
|
||||||
|
|
||||||
|
pool = {
|
||||||
|
database = mkOptionalStrParam ''
|
||||||
|
Database URI for the database that stores IP pools and configuration
|
||||||
|
attributes. If it contains a password, make sure to adjust the
|
||||||
|
permissions of the config file accordingly.
|
||||||
|
'';
|
||||||
|
|
||||||
|
load = mkSpaceSepListParam [] ''
|
||||||
|
Plugins to load in ipsec pool tool.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
pt-tls-client.load = mkSpaceSepListParam [] ''
|
||||||
|
Plugins to load in ipsec pt-tls-client tool.
|
||||||
|
'';
|
||||||
|
|
||||||
|
scepclient.load = mkSpaceSepListParam [] ''
|
||||||
|
Plugins to load in ipsec scepclient tool.
|
||||||
|
'';
|
||||||
|
|
||||||
|
starter = {
|
||||||
|
config_file = mkStrParam "\${sysconfdir}/ipsec.conf" ''
|
||||||
|
Location of the ipsec.conf file.
|
||||||
|
'';
|
||||||
|
|
||||||
|
load_warning = mkYesNoParam yes ''
|
||||||
|
Show charon.load setting warning, see
|
||||||
|
https://wiki.strongswan.org/projects/strongswan/wiki/PluginLoad
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
sw-collector = {
|
||||||
|
database = mkOptionalStrParam ''
|
||||||
|
URI to software collector database containing event timestamps,
|
||||||
|
software creation and deletion events and collected software
|
||||||
|
identifiers. If it contains a password, make sure to adjust the
|
||||||
|
permissions of the config file accordingly.
|
||||||
|
'';
|
||||||
|
|
||||||
|
first_file = mkStrParam "/var/log/bootstrap.log" ''
|
||||||
|
Path pointing to file created when the Linux OS was installed.
|
||||||
|
'';
|
||||||
|
|
||||||
|
first_time = mkStrParam "0000-00-00T00:00:00Z" ''
|
||||||
|
Time in UTC when the Linux OS was installed.
|
||||||
|
'';
|
||||||
|
|
||||||
|
history = mkOptionalStrParam ''
|
||||||
|
Path pointing to apt history.log file.
|
||||||
|
'';
|
||||||
|
|
||||||
|
rest_api = {
|
||||||
|
uri = mkOptionalStrParam ''
|
||||||
|
HTTP URI of the central collector's REST API.
|
||||||
|
'';
|
||||||
|
|
||||||
|
timeout = mkIntParam 120 ''
|
||||||
|
Timeout of REST API HTTP POST transaction.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
load = mkSpaceSepListParam [] "Plugins to load in sw-collector tool.";
|
||||||
|
};
|
||||||
|
|
||||||
|
swanctl = {
|
||||||
|
load = mkSpaceSepListParam [] "Plugins to load in swanctl.";
|
||||||
|
|
||||||
|
socket = mkStrParam "unix://\${piddir}/charon.vici" ''
|
||||||
|
VICI socket to connect to by default.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
File diff suppressed because it is too large
Load Diff
@ -352,6 +352,7 @@ in rec {
|
|||||||
tests.smokeping = callTest tests/smokeping.nix {};
|
tests.smokeping = callTest tests/smokeping.nix {};
|
||||||
tests.snapper = callTest tests/snapper.nix {};
|
tests.snapper = callTest tests/snapper.nix {};
|
||||||
tests.statsd = callTest tests/statsd.nix {};
|
tests.statsd = callTest tests/statsd.nix {};
|
||||||
|
tests.strongswan-swanctl = callTest tests/strongswan-swanctl.nix {};
|
||||||
tests.sudo = callTest tests/sudo.nix {};
|
tests.sudo = callTest tests/sudo.nix {};
|
||||||
tests.switchTest = callTest tests/switch-test.nix {};
|
tests.switchTest = callTest tests/switch-test.nix {};
|
||||||
tests.taskserver = callTest tests/taskserver.nix {};
|
tests.taskserver = callTest tests/taskserver.nix {};
|
||||||
|
154
nixos/tests/strongswan-swanctl.nix
Normal file
154
nixos/tests/strongswan-swanctl.nix
Normal file
@ -0,0 +1,154 @@
|
|||||||
|
# This strongswan-swanctl test is based on:
|
||||||
|
# https://www.strongswan.org/testing/testresults/swanctl/rw-psk-ipv4/index.html
|
||||||
|
# https://github.com/strongswan/strongswan/tree/master/testing/tests/swanctl/rw-psk-ipv4
|
||||||
|
#
|
||||||
|
# The roadwarrior carol sets up a connection to gateway moon. The authentication
|
||||||
|
# is based on pre-shared keys and IPv4 addresses. Upon the successful
|
||||||
|
# establishment of the IPsec tunnels, the specified updown script automatically
|
||||||
|
# inserts iptables-based firewall rules that let pass the tunneled traffic. In
|
||||||
|
# order to test both tunnel and firewall, carol pings the client alice behind
|
||||||
|
# the gateway moon.
|
||||||
|
#
|
||||||
|
# alice moon carol
|
||||||
|
# eth1------vlan_0------eth1 eth2------vlan_1------eth1
|
||||||
|
# 192.168.0.1 192.168.0.3 192.168.1.3 192.168.1.2
|
||||||
|
#
|
||||||
|
# See the NixOS manual for how to run this test:
|
||||||
|
# https://nixos.org/nixos/manual/index.html#sec-running-nixos-tests-interactively
|
||||||
|
|
||||||
|
import ./make-test.nix ({ pkgs, ...} :
|
||||||
|
|
||||||
|
let
|
||||||
|
ifAddr = node: iface: (pkgs.lib.head node.config.networking.interfaces.${iface}.ip4).address;
|
||||||
|
|
||||||
|
allowESP = "iptables --insert INPUT --protocol ESP --jump ACCEPT";
|
||||||
|
|
||||||
|
# Shared VPN settings:
|
||||||
|
vlan0 = "192.168.0.0/24";
|
||||||
|
version = 2;
|
||||||
|
secret = "0sFpZAZqEN6Ti9sqt4ZP5EWcqx";
|
||||||
|
esp_proposals = [ "aes128gcm128-x25519" ];
|
||||||
|
proposals = [ "aes128-sha256-x25519" ];
|
||||||
|
in {
|
||||||
|
name = "strongswan-swanctl";
|
||||||
|
meta.maintainers = with pkgs.stdenv.lib.maintainers; [ basvandijk ];
|
||||||
|
nodes = {
|
||||||
|
|
||||||
|
alice = { nodes, ... } : {
|
||||||
|
virtualisation.vlans = [ 0 ];
|
||||||
|
networking = {
|
||||||
|
dhcpcd.enable = false;
|
||||||
|
defaultGateway = ifAddr nodes.moon "eth1";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
moon = {pkgs, config, nodes, ...} :
|
||||||
|
let
|
||||||
|
carolIp = ifAddr nodes.carol "eth1";
|
||||||
|
moonIp = ifAddr nodes.moon "eth2";
|
||||||
|
strongswan = config.services.strongswan-swanctl.package;
|
||||||
|
in {
|
||||||
|
virtualisation.vlans = [ 0 1 ];
|
||||||
|
networking = {
|
||||||
|
dhcpcd.enable = false;
|
||||||
|
firewall = {
|
||||||
|
allowedUDPPorts = [ 4500 500 ];
|
||||||
|
extraCommands = allowESP;
|
||||||
|
};
|
||||||
|
nat = {
|
||||||
|
enable = true;
|
||||||
|
internalIPs = [ vlan0 ];
|
||||||
|
internalInterfaces = [ "eth1" ];
|
||||||
|
externalIP = moonIp;
|
||||||
|
externalInterface = "eth2";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
environment.systemPackages = [ strongswan ];
|
||||||
|
services.strongswan-swanctl = {
|
||||||
|
enable = true;
|
||||||
|
swanctl = {
|
||||||
|
connections = {
|
||||||
|
"rw" = {
|
||||||
|
local_addrs = [ moonIp ];
|
||||||
|
local."main" = {
|
||||||
|
auth = "psk";
|
||||||
|
};
|
||||||
|
remote."main" = {
|
||||||
|
auth = "psk";
|
||||||
|
};
|
||||||
|
children = {
|
||||||
|
"net" = {
|
||||||
|
local_ts = [ vlan0 ];
|
||||||
|
updown = "${strongswan}/libexec/ipsec/_updown iptables";
|
||||||
|
inherit esp_proposals;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
inherit version;
|
||||||
|
inherit proposals;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
secrets = {
|
||||||
|
ike."carol" = {
|
||||||
|
id."main" = carolIp;
|
||||||
|
inherit secret;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
carol = {pkgs, config, nodes, ...} :
|
||||||
|
let
|
||||||
|
carolIp = ifAddr nodes.carol "eth1";
|
||||||
|
moonIp = ifAddr nodes.moon "eth2";
|
||||||
|
strongswan = config.services.strongswan-swanctl.package;
|
||||||
|
in {
|
||||||
|
virtualisation.vlans = [ 1 ];
|
||||||
|
networking = {
|
||||||
|
dhcpcd.enable = false;
|
||||||
|
firewall.extraCommands = allowESP;
|
||||||
|
};
|
||||||
|
environment.systemPackages = [ strongswan ];
|
||||||
|
services.strongswan-swanctl = {
|
||||||
|
enable = true;
|
||||||
|
swanctl = {
|
||||||
|
connections = {
|
||||||
|
"home" = {
|
||||||
|
local_addrs = [ carolIp ];
|
||||||
|
remote_addrs = [ moonIp ];
|
||||||
|
local."main" = {
|
||||||
|
auth = "psk";
|
||||||
|
id = carolIp;
|
||||||
|
};
|
||||||
|
remote."main" = {
|
||||||
|
auth = "psk";
|
||||||
|
id = moonIp;
|
||||||
|
};
|
||||||
|
children = {
|
||||||
|
"home" = {
|
||||||
|
remote_ts = [ vlan0 ];
|
||||||
|
start_action = "trap";
|
||||||
|
updown = "${strongswan}/libexec/ipsec/_updown iptables";
|
||||||
|
inherit esp_proposals;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
inherit version;
|
||||||
|
inherit proposals;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
secrets = {
|
||||||
|
ike."moon" = {
|
||||||
|
id."main" = moonIp;
|
||||||
|
inherit secret;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
};
|
||||||
|
testScript = ''
|
||||||
|
startAll();
|
||||||
|
$carol->waitUntilSucceeds("ping -c 1 alice");
|
||||||
|
'';
|
||||||
|
})
|
Loading…
Reference in New Issue
Block a user