WIP: networking.services: Add vpnc module #77892
Conversation
|
Like mentioned above, I have been using this definition for a while now, but it's probably not super polished, so keep that in mind when reviewing |
| }; | ||
| }; | ||
| up = pkgs.writeScript "up" '' | ||
| #!${pkgs.bash}/bin/bash |
There was a problem hiding this comment.
Even better is pkgs.runtimeShell. stdenv.shell is not correct when cross-compiling
| }; | ||
| up = pkgs.writeScript "up" '' | ||
| #!${pkgs.bash}/bin/bash | ||
| PATH=${makeBinPath [pkgs.nettools pkgs.iproute]}:$PATH |
There was a problem hiding this comment.
please set path on the unit.
| LOCAL_GATEWAY=$(ip r | grep "default via" | grep -oE "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" | head -n1) | ||
| ip route del default via $LOCAL_GATEWAY | ||
| ip route add default dev tun0 proto static scope link metric 50 | ||
| if [ ! -d /var/run/vpnc ]; then |
There was a problem hiding this comment.
/var/run is deprecated. Also, use RuntimeDirectory=vpnc to create that directory
| echo -ne $LOCAL_GATEWAY > /var/run/vpnc/LOCAL_GATEWAY | ||
| ''; | ||
| down = pkgs.writeScript "down" '' | ||
| #!${pkgs.bash}/bin/bash |
There was a problem hiding this comment.
stdenv.shell, same as above.
| ''; | ||
| down = pkgs.writeScript "down" '' | ||
| #!${pkgs.bash}/bin/bash | ||
| PATH=${makeBinPath [pkgs.nettools pkgs.iproute]}:$PATH |
There was a problem hiding this comment.
set path in the unit, same as above
| path = [ pkgs.iptables pkgs.nettools pkgs.iproute ]; | ||
| serviceConfig = { | ||
| ExecStart = "${pkgs.vpnc}/bin/vpnc /etc/vpnc/${key}.conf"; | ||
| ExecStartPost = "${up}"; |
There was a problem hiding this comment.
you can pass up directly, without doing the string interpolation,
| secret = mkOption { | ||
| default = ""; | ||
| type = types.separatedString ""; | ||
| description = "Your shared secret"; |
There was a problem hiding this comment.
This shouldn't be part of the nix store, but instead a path where things are read from at runtime.
Maybe it's better to do that for the whole config file - I assume ipsec supports a lot of more options as well…
There was a problem hiding this comment.
I second that. Never store secrets in the Nix store (unless hashed). Better point to a file.
|
Thank you for the comments. I'll mark this as WIP until I get these implemented |
MasseR
changed the title
|
@MasseR do you plan to address these remarks in the near future? Otherwise, I'd just propose to close the PR for now, and reopen a new one once ready. |
|
Closing it for now |
Motivation for this change
Related to the issue #77891, we have been using this vpnc module definition for a while now.
This MR creates a new services.networking.vpnc attributeset, for setting up a vpnc service and systemd definition (the latter was missing in the original module definition).
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)