|
|
|
@ -36,17 +36,6 @@ in { |
|
|
|
|
Open vSwitch package to use. |
|
|
|
|
''; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
ipsec = mkOption { |
|
|
|
|
type = types.bool; |
|
|
|
|
default = false; |
|
|
|
|
description = '' |
|
|
|
|
Whether to start racoon service for openvswitch. |
|
|
|
|
Supported only if openvswitch version is less than 2.6.0. |
|
|
|
|
Use <literal>virtualisation.vswitch.package = pkgs.openvswitch-lts</literal> |
|
|
|
|
for a version that supports ipsec over GRE. |
|
|
|
|
''; |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
config = mkIf cfg.enable (let |
|
|
|
@ -65,7 +54,7 @@ in { |
|
|
|
|
installPhase = "mkdir -p $out"; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
in (mkMerge [{ |
|
|
|
|
in { |
|
|
|
|
environment.systemPackages = [ cfg.package ]; |
|
|
|
|
boot.kernelModules = [ "tun" "openvswitch" ]; |
|
|
|
|
|
|
|
|
@ -142,48 +131,14 @@ in { |
|
|
|
|
}; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
} |
|
|
|
|
(mkIf (cfg.ipsec && (versionOlder cfg.package.version "2.6.0")) { |
|
|
|
|
environment.systemPackages = [ pkgs.ipsecTools ]; |
|
|
|
|
|
|
|
|
|
services.racoon.enable = true; |
|
|
|
|
services.racoon.configPath = "${runDir}/ipsec/etc/racoon/racoon.conf"; |
|
|
|
|
}); |
|
|
|
|
|
|
|
|
|
networking.firewall.extraCommands = '' |
|
|
|
|
iptables -I INPUT -t mangle -p esp -j MARK --set-mark 1/1 |
|
|
|
|
iptables -I INPUT -t mangle -p udp --dport 4500 -j MARK --set-mark 1/1 |
|
|
|
|
''; |
|
|
|
|
|
|
|
|
|
systemd.services.ovs-monitor-ipsec = { |
|
|
|
|
description = "Open_vSwitch Ipsec Daemon"; |
|
|
|
|
wantedBy = [ "multi-user.target" ]; |
|
|
|
|
requires = [ "ovsdb.service" ]; |
|
|
|
|
before = [ "vswitchd.service" "racoon.service" ]; |
|
|
|
|
environment.UNIXCTLPATH = "/tmp/ovsdb.ctl.sock"; |
|
|
|
|
serviceConfig = { |
|
|
|
|
ExecStart = '' |
|
|
|
|
${cfg.package}/bin/ovs-monitor-ipsec \ |
|
|
|
|
--root-prefix ${runDir}/ipsec \ |
|
|
|
|
--pidfile /run/openvswitch/ovs-monitor-ipsec.pid \ |
|
|
|
|
--monitor --detach \ |
|
|
|
|
unix:/run/openvswitch/db.sock |
|
|
|
|
''; |
|
|
|
|
PIDFile = "/run/openvswitch/ovs-monitor-ipsec.pid"; |
|
|
|
|
# Use service type 'forking' to correctly determine when ovs-monitor-ipsec is ready. |
|
|
|
|
Type = "forking"; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
preStart = '' |
|
|
|
|
rm -r ${runDir}/ipsec/etc/racoon/certs || true |
|
|
|
|
mkdir -p ${runDir}/ipsec/{etc/racoon,etc/init.d/,usr/sbin/} |
|
|
|
|
ln -fs ${pkgs.ipsecTools}/bin/setkey ${runDir}/ipsec/usr/sbin/setkey |
|
|
|
|
ln -fs ${pkgs.writeScript "racoon-restart" '' |
|
|
|
|
#!${pkgs.runtimeShell} |
|
|
|
|
/run/current-system/sw/bin/systemctl $1 racoon |
|
|
|
|
''} ${runDir}/ipsec/etc/init.d/racoon |
|
|
|
|
''; |
|
|
|
|
}; |
|
|
|
|
})])); |
|
|
|
|
imports = [ |
|
|
|
|
(mkRemovedOptionModule [ "virtualisation" "vswitch" "ipsec" ] '' |
|
|
|
|
OpenVSwitch IPSec functionality has been removed, because it depended on racoon, |
|
|
|
|
which was removed from nixpkgs, because it was abanoded upstream. |
|
|
|
|
'') |
|
|
|
|
]; |
|
|
|
|
|
|
|
|
|
meta.maintainers = with maintainers; [ netixx ]; |
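Review bot: The message on the new `mkRemovedOptionModule` entry misspells "abandoned" as "abanoded", and that text is exactly what an operator sees when evaluation fails on `virtualisation.vswitch.ipsec`; change it to `which was removed from nixpkgs because it was abandoned upstream.`. The message also gives no migration hint: anyone who set this option was running encrypted GRE tunnels and now gets a hard evaluation error, so the easy way out is to drop the option and keep the same tunnels unencrypted. Since the removed description stated the racoon path only applied to openvswitch < 2.6.0 and that newer releases handle IPsec differently, the message should point there, e.g. append `Newer Open vSwitch releases ship their own IPsec tunnel integration; consult the upstream documentation before re-enabling GRE tunnels that relied on this option.` (wording to be confirmed against the current upstream docs). The enclosing `config = mkIf cfg.enable (let ... in { ... })` block begins in an earlier hunk.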
|
|
|
|
|
|
|
|
|