Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/libreswan.nix | 43 |
1 files changed, 20 insertions, 23 deletions
diff --git a/nixos/modules/services/networking/libreswan.nix b/nixos/modules/services/networking/libreswan.nix index ae71acf089f4..a66ff3065224 100644 --- a/nixos/modules/services/networking/libreswan.nix +++ b/nixos/modules/services/networking/libreswan.nix @@ -1,7 +1,4 @@ { config, lib, pkgs, ... }: - -with lib; - let cfg = config.services.libreswan; @@ -11,14 +8,14 @@ let trim = chars: str: let - nonchars = filter (x : !(elem x.value chars)) - (imap0 (i: v: {ind = i; value = v;}) (stringToCharacters str)); + nonchars = lib.filter (x : !(lib.elem x.value chars)) + (lib.imap0 (i: v: {ind = i; value = v;}) (lib.stringToCharacters str)); in lib.optionalString (nonchars != [ ]) - (substring (head nonchars).ind (add 1 (sub (last nonchars).ind (head nonchars).ind)) str); - indent = str: concatStrings (concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (splitString "\n" str)); + (lib.substring (lib.head nonchars).ind (lib.add 1 (lib.sub (lib.last nonchars).ind (lib.head nonchars).ind)) str); + indent = str: lib.concatStrings (lib.concatMap (s: [" " (trim [" " "\t"] s) "\n"]) (lib.splitString "\n" str)); configText = indent (toString cfg.configSetup); - connectionText = concatStrings (mapAttrsToList (n: v: + connectionText = lib.concatStrings (lib.mapAttrsToList (n: v: '' conn ${n} ${indent v} @@ -32,7 +29,7 @@ let ${connectionText} ''; - policyFiles = mapAttrs' (name: text: + policyFiles = lib.mapAttrs' (name: text: { name = "ipsec.d/policies/${name}"; value.source = pkgs.writeText "ipsec-policy-${name}" text; }) cfg.policies; @@ -47,10 +44,10 @@ in services.libreswan = { - enable = mkEnableOption "Libreswan IPsec service"; + enable = lib.mkEnableOption "Libreswan IPsec service"; - configSetup = mkOption { - type = types.lines; + configSetup = lib.mkOption { + type = lib.types.lines; default = '' protostack=netkey virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10 
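Review bot: Removing `with lib;` in the first hunk turns every remaining unqualified lib identifier anywhere in the module into an evaluation error, and the stretches between these hunks are not visible here; the diffstat (20 insertions, 23 deletions, three of which are the `with lib;` line and its blank neighbours) suggests each qualified line replaces one removed line, but an evaluation of the module before merge would confirm nothing was missed. In the `trim` hunk the substring line is being rewritten anyway, and the nested `lib.add`/`lib.sub` calls read more directly as operators: `(lib.substring (lib.head nonchars).ind ((lib.last nonchars).ind - (lib.head nonchars).ind + 1) str);`. The enclosing `let` block starts before this hunk and continues past it.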
@@ -63,10 +60,10 @@ in description = "Options to go in the 'config setup' section of the Libreswan IPsec configuration"; }; - connections = mkOption { - type = types.attrsOf types.lines; + connections = lib.mkOption { + type = lib.types.attrsOf lib.types.lines; default = {}; - example = literalExpression '' + example = lib.literalExpression '' { myconnection = ''' auto=add left=%defaultroute @@ -82,10 +79,10 @@ in description = "A set of connections to define for the Libreswan IPsec service"; }; - policies = mkOption { - type = types.attrsOf types.lines; + policies = lib.mkOption { + type = lib.types.attrsOf lib.types.lines; default = {}; - example = literalExpression '' + example = lib.literalExpression '' { private-or-clear = ''' # Attempt opportunistic IPsec for the entire Internet 0.0.0.0/0 @@ -102,8 +99,8 @@ in ''; }; - disableRedirects = mkOption { - type = types.bool; + disableRedirects = lib.mkOption { + type = lib.types.bool; default = true; description = '' Whether to disable send and accept redirects for all network interfaces. @@ -119,7 +116,7 @@ in ###### implementation - config = mkIf cfg.enable { + config = lib.mkIf cfg.enable { # Install package, systemd units, etc. environment.systemPackages = [ pkgs.libreswan pkgs.iproute2 ]; @@ -136,7 +133,7 @@ in systemd.services.ipsec = { description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec"; wantedBy = [ "multi-user.target" ]; - restartTriggers = [ configFile ] ++ mapAttrsToList (n: v: v.source) policyFiles; + restartTriggers = [ configFile ] ++ lib.mapAttrsToList (n: v: v.source) policyFiles; path = with pkgs; [ libreswan iproute2 @@ -145,7 +142,7 @@ in iptables nettools ]; - preStart = optionalString cfg.disableRedirects '' + preStart = lib.optionalString cfg.disableRedirects '' # Disable send/receive redirects echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects |
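Review bot: `path = with pkgs; [ libreswan iproute2 …` in the `systemd.services.ipsec` hunk keeps a `with` scope while the commit removes `with lib;` from the rest of the file, so the module now mixes the two conventions; if the intent is to drop `with` scoping here, the entries can be qualified (`pkgs.libreswan pkgs.iproute2 …`), though `with pkgs;` on package lists is common in nixpkgs and may be deliberate. The middle of that list and the rest of the `preStart` script fall outside the shown hunks, so the remaining entries are not verifiable from this page.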