New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WIP: networking.services: Add vpnc module #77892
Conversation
Like mentioned above, I have been using this definition for a while now, but it's probably not super polished, so keep that in mind when reviewing |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, see #74035 for the reasons this was dropped.
}; | ||
}; | ||
up = pkgs.writeScript "up" '' | ||
#!${pkgs.bash}/bin/bash |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
stdenv.shell
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Even better is pkgs.runtimeShell
. stdenv.shell
is not correct when cross-compiling
}; | ||
up = pkgs.writeScript "up" '' | ||
#!${pkgs.bash}/bin/bash | ||
PATH=${makeBinPath [pkgs.nettools pkgs.iproute]}:$PATH |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please set path
on the unit.
LOCAL_GATEWAY=$(ip r | grep "default via" | grep -oE "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" | head -n1) | ||
ip route del default via $LOCAL_GATEWAY | ||
ip route add default dev tun0 proto static scope link metric 50 | ||
if [ ! -d /var/run/vpnc ]; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/var/run
is deprecated. Also, use RuntimeDirectory=vpnc
to create that directory
echo -ne $LOCAL_GATEWAY > /var/run/vpnc/LOCAL_GATEWAY | ||
''; | ||
down = pkgs.writeScript "down" '' | ||
#!${pkgs.bash}/bin/bash |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
stdenv.shell, same as above.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
pkgs.runtimeShell
here too
''; | ||
down = pkgs.writeScript "down" '' | ||
#!${pkgs.bash}/bin/bash | ||
PATH=${makeBinPath [pkgs.nettools pkgs.iproute]}:$PATH |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
set path in the unit, same as above
path = [ pkgs.iptables pkgs.nettools pkgs.iproute ]; | ||
serviceConfig = { | ||
ExecStart = "${pkgs.vpnc}/bin/vpnc /etc/vpnc/${key}.conf"; | ||
ExecStartPost = "${up}"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
you can pass up
directly, without doing the string interpolation,
secret = mkOption { | ||
default = ""; | ||
type = types.separatedString ""; | ||
description = "Your shared secret"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This shouldn't be part of the nix store, but instead a path where things are read from at runtime.
Maybe it's better to do that for the whole config file - I assume ipsec supports a lot of more options as well…
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I second that. Never store secrets in the Nix store (unless hashed). Better point to a file.
Thank you for the comments. I'll mark this as WIP until I get these implemented |
@MasseR do you plan to address these remarks in the near future? Otherwise, I'd just propose to close the PR for now, and reopen a new one once ready. |
Closing it for now |
Motivation for this change
Related to the issue #77891, we have been using this vpnc module definition for a while now.
This MR creates a new services.networking.vpnc attributeset, for setting up a vpnc service and systemd definition (the latter was missing in the original module definition).
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)