GNU bug report logs - #48803
[PATCH] strongswan: provide a service definition and configuration interface.


Package: guix-patches; Reported by: Domagoj Stolfa <ds815@HIDDEN>; Keywords: patch; dated Wed, 2 Jun 2021 23:12:02 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.

Message received at submit <at> debbugs.gnu.org:


References: <YLgB91U8SgsJxdCe@pepehands>
From: Tobias Geerinckx-Rice <me@HIDDEN>
To: Domagoj Stolfa <ds815@HIDDEN>
Subject: Re: [bug#48803] [PATCH] strongswan: provide a service definition and configuration interface.
In-reply-to: <YLgB91U8SgsJxdCe@pepehands>
Date: Sun, 13 Jun 2021 14:45:28 +0200
Message-ID: <87o8cax79z.fsf@nckx>

Forgot to add: please include a GNU/Guix-style commit message like:

    gnu: Add strongswan service.

    * gnu/services/vpn.scm (strongswan-configuration): New record type.
    (charon-plugins, strongswan-configuration-file)
    (strongswan-shepherd-service, strongswan-service-type): New variables.
    * doc/guix.tex (VPN Services): Document them all!

Kind regards,

T G-R

Message received at 48803 <at> debbugs.gnu.org:


References: <YLgB91U8SgsJxdCe@pepehands>
From: Tobias Geerinckx-Rice <me@HIDDEN>
To: Domagoj Stolfa <ds815@HIDDEN>
Subject: Re: [bug#48803] [PATCH] strongswan: provide a service definition and configuration interface.
In-reply-to: <YLgB91U8SgsJxdCe@pepehands>
Date: Sun, 13 Jun 2021 14:41:00 +0200
Message-ID: <87r1h6x7hf.fsf@nckx>

Domagoj,

Domagoj Stolfa wrote:
> This commit adds a strongswan-service-type which allows the user to
> start strongswan correctly on Guix.

Thank you!

> Because ipsec.conf depends on indentation and is a deprecated interface,
> we do not provide an EDSL to configure it,

OK.

> and we do not put the config
> file in a Guile string (to avoid indentation issues).

Not using a string is fine by me, but I don't understand this
particular argument for it.

> Similarly,
> ipsec.secrets contains the user's authentication token/passwords, and is
> for security reasons transmitted separately from the configuration file.

OK, good to make it hard to inadvertently intern into the store.

>     (service strongswan-service-type
> 	     (strongswan-configuration
> 	      (use-ipsec? #t)
> 	      (ipsec-conf "/config-files/ipsec.conf")
> 	      (ipsec-secrets "/config-files/ipsec.secrets")))

(I)IRC you told me that the majority of users simply point StrongSwan to
a .conf/.secrets file they got from on high, and this is all they'll
ever need to do so.  Sounds good to me.

This is a bit straightforward (no ‘local-file’, ‘plain-file’, …) but
there's precedent for that:

  (service nginx-service-type
           (nginx-configuration
            (file "/etc/guix/nginx/nginx.conf")))

What does the daemon do now when USE-IPSEC? is #f?  Anything useful?

Could we drop USE-IPSEC? and allow IPSEC-CONF/IPSEC-SECRETS to be #f to
signal the same thing (enforcing only sane combinations)?  Or would that
make things more confusing?

Is all this legacy enough to mark as such in the field name
(LEGACY-IPSEC-CONF, etc.) or is it one of those things that will never
ever go away and VPN providers will still hand out ipsecs.conf in 2038?

> This will start the charon daemon and allow them to connect to their
> VPNs configured in `/config-files/ipsec.conf`.
> ---
>  gnu/services/vpn.scm | 128 +++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 128 insertions(+)
>
> diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
> index 2bcbf76727..e026f2aa58 100644
> --- a/gnu/services/vpn.scm
> +++ b/gnu/services/vpn.scm
> @@ -4,6 +4,7 @@
>  ;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@HIDDEN>
>  ;;; Copyright © 2021 Guillaume Le Vaillant <glv@HIDDEN>
>  ;;; Copyright © 2021 Solene Rapenne <solene@HIDDEN>
> +;;; Copyright © 2021 Domagoj Stolfa <ds815@HIDDEN>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -26,6 +27,7 @@
>    #:use-module (gnu services shepherd)
>    #:use-module (gnu system shadow)
>    #:use-module (gnu packages admin)
> +  #:use-module (gnu packages networking)
>    #:use-module (gnu packages vpn)
>    #:use-module (guix packages)
>    #:use-module (guix records)
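Review bot: the new `#:use-module (gnu packages networking)` import does not appear to be used by any of the added code; the only package the patch references is strongswan, which comes from `(gnu packages vpn)`, already imported two lines below. Drop the import unless something in the service needs a binding from that module.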
> @@ -44,6 +46,9 @@
>              generate-openvpn-client-documentation
>              generate-openvpn-server-documentation
>  
> +            strongswan-configuration
> +            strongswan-service-type
> +
>              wireguard-peer
>              wireguard-peer?
>              wireguard-peer-name
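Review bot: only strongswan-configuration and strongswan-service-type are exported, while the wireguard exports directly below also expose the predicate and the field accessors (wireguard-peer?, wireguard-peer-name). Export strongswan-configuration? and the strongswan-configuration-* accessors too, so other modules and user configurations can inspect or extend the record without reaching for unexported bindings.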
> @@ -529,6 +534,129 @@ is truncated and rewritten every minute.")
>       (openvpn-remote-configuration
>       ,openvpn-remote-configuration-fields))
>     'openvpn-client-configuration))
>  
> +;;;
> +;;; Strongswan.
> +;;;
> +
> +(define-record-type* <strongswan-configuration>
> +  strongswan-configuration make-strongswan-configuration
> +  strongswan-configuration?
> +  (strongswan      strongswan-configuration-strongswan ;<package>
> +                   (default strongswan))
> +  (use-ipsec?      strongswan-configuration-use-ipsec? ;legacy interface
> +                   (default #f))
> +  (ipsec-conf      strongswan-configuration-ipsec-conf)
> +  (ipsec-secrets   strongswan-configuration-ipsec-secrets))
> +
> +;; In the future, it might be worth implementing a record type to configure
> +;; all of the plugins, but for *most* basic usecases, simply creating the
> +;; files will be sufficient. Same is true of charon-plugins.
> +(define strongswand-config-files
> +  (list "charon" "charon-logging" "pki" "pool" "scepclient"
> +        "swanctl" "tnc"))
> +
> +;; Plugins to load.
> +(define charon-plugins
> +  (list "aes" "aesni" "attr" "attr-sql" "chapoly" "cmac" "constraints"
> +        "counters" "curl" "curve25519" "dhcp" "dnskey" "drbg" "eap-aka-3gpp"
> +        "eap-aka" "eap-dynamic" "eap-identity" "eap-md5" "eap-mschapv2"
> +        "eap-peap" "eap-radius" "eap-simaka-pseudonym" "eap-simaka-reauth"
> +        "eap-simaka-sql" "eap-sim" "eap-sim-file" "eap-tls" "eap-tnc"
> +        "eap-ttls" "ext-auth" "farp" "fips-prf" "gmp" "ha" "hmac"
> +        "kernel-netlink" "led" "md4" "md5" "mgf1" "nonce" "openssl" "pem"
> +        "pgp" "pkcs12" "pkcs1" "pkcs7" "pkcs8" "pubkey" "random" "rc2"
> +        "resolve" "revocation" "sha1" "sha2" "socket-default" "soup" "sql"
> +        "sqlite" "sshkey" "tnc-tnccs" "vici" "x509" "xauth-eap" "xauth-generic"
> +        "xauth-noauth" "xauth-pam" "xcbc"))
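Review bot: ipsec-conf and ipsec-secrets have no default, so a strongswan-configuration that keeps the default use-ipsec? #f still fails to construct unless both paths are supplied; either give both fields (default #f), or drop use-ipsec? as the review above proposes and derive it from whether the two paths are set. Separately, charon-plugins loads the complete plugin set, including "xauth-noauth" (which, as its name says, skips XAuth authentication) and the sql, sqlite, ha, led, farp and dhcp plugins that a plain client never needs; since the service runs charon as root, a smaller default list with the full set as an opt-in would keep the daemon's attack surface down.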

Are these simply ‘all of the plug-ins’?

I'm fine with this ‘temporary’ solution as long as it's never exported.

I'll trust you on all of this configuration syntax madness:  :-)

> +(define (strongswan-configuration-file config)
> +  (match-record config <strongswan-configuration>
> +    (strongswan use-ipsec? ipsec-conf ipsec-secrets)
> +    (let* ((strongswan-dir
> +            (computed-file
> +             "strongswan.d"
> +             #~(begin
> +                 (mkdir #$output)
> +                 ;; Create all of the configuration files in strongswan.d/*.conf
> +                 (map (lambda (conf-file)
> +                        (let* ((filename (string-append
> +                                          #$output "/"
> +                                          conf-file ".conf")))
> +                          (call-with-output-file filename
> +                            (lambda (port)
> +                              (display
> +                               "# Created by 'strongswan-service'\n"
> +                               port)))))
> +                      (list #$@strongswand-config-files))
> +                 (mkdir (string-append #$output "/charon"))
> +                 ;; And all of the strongswan.d/charon/*.conf files (plugins)

Nitpick: ;;-comments are full sentences ending in a full stop.

> +                 (map (lambda (plugin)
> +                        (let* ((filename (string-append
> +                                          #$output "/charon/"
> +                                          plugin ".conf")))
> +                          (call-with-output-file filename
> +                            (lambda (port)
> +                              (format port "~a {
> +  load = yes
> +}"
> +                                      plugin)))))
> +                      (list #$@charon-plugins))))))
> +      ;; Generate our strongswan.conf to reflect the user configuration.
> +      (computed-file
> +       "strongswan.conf"
> +       #~(begin
> +           (call-with-output-file #$output
> +             (lambda (port)
> +               (display "# Generated by 'strongswan-service'.\n" port)
> +               (format port "charon {
> +  load_modular = yes
> +  plugins {
> +    include ~a/charon/*.conf"
> +                       #$strongswan-dir)
> +               (if #$use-ipsec?
> +                   (format port "
> +    stroke {
> +      load = yes
> +      secrets_file = ~a
> +    }
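Review bot: strongswan.conf is a computed-file and therefore lands in the world-readable store; it embeds only the string given as ipsec-secrets (`secrets_file = ~a`), never the file's contents, which is what keeps the credentials out of the store as the commit message intends. Nothing enforces that, though: if a user passes a file-like object such as (local-file "ipsec.secrets") in that field, #$ipsec-secrets interns the secrets into the store and the generated config points there. A sanitizer on the field that accepts only a string path, plus a ;; comment stating that invariant, would close that door.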

All this indentation is doing my head in, but it looks like here…

> +  }
> +}
> +
> +starter {
> +  config_file = ~a
> +}
> +
> +include ~a/*.conf"
> +                           #$ipsec-secrets
> +                           #$ipsec-conf
> +                           #$strongswan-dir)
> +                   (format port "
> +  }
> +}
> +include ~a/*.conf"
> +                           #$strongswan-dir)))))))))
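Review bot: both branches of the (if #$use-ipsec? ...) close the same two braces and end with the same `include ~a/*.conf` line with the same #$strongswan-dir argument; write the closing braces and that include once after the conditional and keep only the stroke {...} and starter {...} sections inside it, as two separate conditionals. Neither branch terminates the file with a newline, so the last line of strongswan.conf is left unterminated.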

…you had to choose between two ifs and two #$strongswan-dirs, and chose
two #$strongswan-dirs?  I prefer two ifs.

> +(define (strongswan-shepherd-service config)
> +  (let* ((ipsec (file-append strongswan "/sbin/ipsec"))
> +        (strongswan-conf-path (strongswan-configuration-file config)))
> +    (list (shepherd-service
> +           (requirement '(networking))
> +           (provision '(strongswan))
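Review bot: (file-append strongswan "/sbin/ipsec") refers to the global strongswan package, not to the strongswan field of CONFIG, so the (default strongswan) field declared above can never take effect and a user who sets a different package still gets the default binary; use (file-append (strongswan-configuration-strongswan config) "/sbin/ipsec"), or bind the field with match-record as strongswan-configuration-file does. The strongswan-conf-path binding is also indented one column short of the first let* binding.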

I guess.  I have no idea how ‘generic’ StrongSwan is and whether this
makes more sense than (provision '(ipsec)) or not.

> +           (start #~(make-forkexec-constructor
> +                     (list #$ipsec "start" "--nofork")
> +                     #:environment-variables
> +                     (list (string-append "STRONGSWAN_CONF="
> +                                          #$strongswan-conf-path))))
> +           (stop #~(make-kill-destructor))
> +           (documentation "Start the charon daemon for IPsec VPN")))))

"StrongSwan's charon IKE keying daemon for IPsec VPN."

Most of ‘Run the …’/‘Start the …’ noise that has snuck into gnu/services
should probably be removed.

> +(define strongswan-service-type
> +  (service-type
> +   (name 'strongswan)
> +   (extensions
> +    (list (service-extension shepherd-root-service-type
> +                             strongswan-shepherd-service)))))
> +
>  ;;;
>  ;;; Wireguard.
>  ;;;
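Review bot: the service-type declares no description, which `guix system search` relies on, and no default-value, so `(service strongswan-service-type)` without an explicit configuration is an error. Add a (description "...") now, and once the record's fields have sensible defaults a (default-value (strongswan-configuration)).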

For this to be merged, we're still missing some documentation in
doc/guix.text.  Would you be willing to write some?

Kind regards,

T G-R
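The restructuring asked for in this review (USE-IPSEC? dropped in favour of both paths being set or both #f, two ifs instead of two #$strongswan-dirs), written out as an added example in plain Guile so it runs without Guix; it is not code from the patch or from Guix, and the store directory is a constructed placeholder while the /config-files paths are the ones from the commit message.

```scheme
;; Added example, not the patch's or Guix's code.  Plain Guile (no gexps,
;; no computed-file), so it can be run directly: guile -s strongswan-conf.scm
(use-modules (ice-9 match))

(define (legacy-ipsec? ipsec-conf ipsec-secrets)
  "Return #t when the legacy ipsec.conf/ipsec.secrets interface is wanted,
#f when neither path is given, and raise an error on any other combination.
The secrets path must lie outside the world-readable store: that is the
reason ipsec.secrets is passed by path and not as a file-like object."
  (match (list ipsec-conf ipsec-secrets)
    ((#f #f) #f)
    (((? string?) (? string?))
     (when (string-prefix? "/gnu/store/" ipsec-secrets)
       (error "ipsec-secrets must not point into the store:" ipsec-secrets))
     #t)
    (_ (error "ipsec-conf and ipsec-secrets must both be set or both be #f:"
              ipsec-conf ipsec-secrets))))

(define* (strongswan-conf-text strongswan-dir #:key ipsec-conf ipsec-secrets)
  "Return the contents of strongswan.conf.  STRONGSWAN-DIR is the directory
that holds the generated strongswan.d/*.conf and strongswan.d/charon/*.conf."
  (let ((use-ipsec? (legacy-ipsec? ipsec-conf ipsec-secrets)))
    (call-with-output-string
      (lambda (port)
        (display "# Generated by 'strongswan-service'.\n" port)
        (display "charon {\n  load_modular = yes\n  plugins {\n" port)
        (format port "    include ~a/charon/*.conf\n" strongswan-dir)
        ;; First if: the stroke plugin only serves the legacy interface and
        ;; is the only thing that differs inside the charon {} section.
        (when use-ipsec?
          (format port "    stroke {\n      load = yes\n      secrets_file = ~a\n    }\n"
                  ipsec-secrets))
        (display "  }\n}\n" port)
        ;; Second if: the starter section that points at ipsec.conf.
        (when use-ipsec?
          (format port "\nstarter {\n  config_file = ~a\n}\n" ipsec-conf))
        ;; The tail is identical either way, so it is written exactly once.
        (format port "\ninclude ~a/*.conf\n" strongswan-dir)))))

;; Constructed example: the paths from the commit message and a placeholder
;; store directory (in Guix this would be the computed-file's output path).
(display (strongswan-conf-text "/gnu/store/PLACEHOLDER-strongswan.d"
                               #:ipsec-conf "/config-files/ipsec.conf"
                               #:ipsec-secrets "/config-files/ipsec.secrets"))

;; The guard in action: a secrets file that had been interned is refused.
(catch 'misc-error
  (lambda ()
    (strongswan-conf-text "/gnu/store/PLACEHOLDER-strongswan.d"
                          #:ipsec-conf "/config-files/ipsec.conf"
                          #:ipsec-secrets "/gnu/store/PLACEHOLDER-ipsec.secrets"))
  (lambda (key . args)
    (display "rejected: ipsec.secrets path is inside the store\n")))
```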

--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iIMEARYKACsWIQT12iAyS4c9C3o4dnINsP+IT1VteQUCYMX83A0cbWVAdG9iaWFz
LmdyAAoJEA2w/4hPVW15tw0BAJxhD1hMnjz2I+UlsZJ5Lwsv0GXqbgEBHceH/yvl
2c3zAP9IhfsKMTTD5+O8hB1FLWru2BPF+suePUWUtC0LBGVcAQ==
=YLDL
-----END PGP SIGNATURE-----
--=-=-=--




Information forwarded to guix-patches@HIDDEN:
bug#48803; Package guix-patches. Full text available.

Message received at submit <at> debbugs.gnu.org:


Received: (at submit) by debbugs.gnu.org; 13 Jun 2021 12:40:38 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Sun Jun 13 08:40:38 2021
Received: from localhost ([127.0.0.1]:42908 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1lsPPp-00045P-ED
	for submit <at> debbugs.gnu.org; Sun, 13 Jun 2021 08:40:37 -0400
Received: from lists.gnu.org ([209.51.188.17]:41902)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <me@HIDDEN>) id 1lsPPn-00045H-Mp
 for submit <at> debbugs.gnu.org; Sun, 13 Jun 2021 08:40:36 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:56674)
 by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <me@HIDDEN>) id 1lsPPm-0001LM-3Y
 for guix-patches@HIDDEN; Sun, 13 Jun 2021 08:40:35 -0400
Received: from tobias.gr ([2a02:c205:2020:6054::1]:49444)
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <me@HIDDEN>) id 1lsPPh-000169-4A
 for guix-patches@HIDDEN; Sun, 13 Jun 2021 08:40:31 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tobias.gr; s=2018;
 bh=UmIPbuQJ5xrJ+I3xL9oMTqfzN9fZmyAGxToEqQESCeI=; h=date:in-reply-to:
 subject:cc:to:from:references; b=Q75HxeZ2lN1mCD0YHHRQUwa/YWLLZt4XoFBUS
 PFrlbV/8aa5VGOFY9mfbVn+aletBphkxJNGAA+EMBue6NZyJSDZbRTS0sszfuCv916MgZI
 BvA0WUApxJHlqVuTT2eeGgppEuE38ub1VbYKSp7uQILDPPcJWUxAz7ng2IR7ljqmaR4tYy
 Wr9WT7mgu/9Zos8LhZ0aFni5SkL4VjdGsP0Ol1WdwP9g9I18oSalkV9dVNJ58+Pncy4ROd
 iLuWpNNsZVcNeI70kxue7o7C4+dy27Lliu4evmhlJpYx36ax/CnZNiTM+gn5vxLsaL600W
 ZgxbwjduNjiDl8u/NjxtB/h4w==
Received: by submission.tobias.gr (OpenSMTPD) with ESMTPSA id def6a300
 (TLSv1.2:ECDHE-ECDSA-AES256-GCM-SHA384:256:NO); 
 Sun, 13 Jun 2021 12:40:24 +0000 (UTC)
References: <YLgB91U8SgsJxdCe@pepehands>
From: Tobias Geerinckx-Rice <me@HIDDEN>
To: Domagoj Stolfa <ds815@HIDDEN>
Subject: Re: [bug#48803] [PATCH] strongswan: provide a service definition
 and configuration interface.
In-reply-to: <YLgB91U8SgsJxdCe@pepehands>
BIMI-Selector: v=BIMI1; s=default;
Date: Sun, 13 Jun 2021 14:41:00 +0200
Message-ID: <87r1h6x7hf.fsf@nckx>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
 micalg=pgp-sha512; protocol="application/pgp-signature"
Received-SPF: pass client-ip=2a02:c205:2020:6054::1; envelope-from=me@HIDDEN;
 helo=tobias.gr
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: -1.4 (-)
X-Debbugs-Envelope-To: submit
Cc: 48803 <at> debbugs.gnu.org, guix-patches@HIDDEN
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -2.4 (--)

--=-=-=
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable

Domagoj,

Domagoj Stolfa =E5=86=99=E9=81=93=EF=BC=9A
> This commit adds a strongswan-service-type which allows the user=20
> to
> start strongswan correctly on Guix.

Thank you!

> Because ipsec.conf depends on indentation and is a deprecated=20
> intreface,
> we do not provide an EDSL to configure it,

OK.

> and we do not put the config
> file in a Guile string (to avoid indentation issues).

Not using a string is fine by me, but I don't understand this=20
particular argument for it.

> Similarly,
> ipsec.secrets contains the users authentication token/passwords,=20
> and is
> for security reasons transmitted separately from the=20
> configuration file.

OK, good to make it hard to inadvertently intern into the store.

>     (service strongswan-service-type
> 	     (strongswan-configuration
> 	      (use-ipsec? #t)
> 	      (ipsec-conf "/config-files/ipsec.conf")
> 	      (ipsec-secrets "/config-files/ipsec.secrets")))

(I)IRC you told me that the majority of users simply point=20
StrongSwan to a .conf/.secrets file they got from on high, and=20
this is all they'll ever need to do so.  Sounds good to me.

This is a bit straightforward (no =E2=80=98local-file=E2=80=99, =E2=80=98pl=
ain-file=E2=80=99, =E2=80=A6)=20
but there's precedent for that:

  (service nginx-service-type
           (nginx-configuration
            (file "/etc/guix/nginx/nginx.conf")))

What does the daemon do now when USE-IPSEC? is #f?  Anything=20
useful?

Could we drop USE-IPSEC? and allow IPSEC-CONF/IPSEC-SECRETS to be=20
#f to signal the same thing (enforcing only sane combinations)?=20
Or would that make things more confusing?

Is all this legacy enough to mark as such in the field name=20
(LEGACY-IPSEC-CONF, etc.) or is it one of those things that will=20
never ever go away and VPN providers will still hand out=20
ipsecs.conf in 2038?

> This will start the charon daemon and allow them to connect to=20
> their
> VPNs configured in `/config-files/ipsec.conf`.
> ---
>  gnu/services/vpn.scm | 128=20
>  +++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 128 insertions(+)
>
> diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
> index 2bcbf76727..e026f2aa58 100644
> --- a/gnu/services/vpn.scm
> +++ b/gnu/services/vpn.scm
> @@ -4,6 +4,7 @@
>  ;;; Copyright =C2=A9 2017 Mathieu Othacehe <m.othacehe@HIDDEN>
>  ;;; Copyright =C2=A9 2021 Guillaume Le Vaillant <glv@HIDDEN>
>  ;;; Copyright =C2=A9 2021 Solene Rapenne <solene@HIDDEN>
> +;;; Copyright =C2=A9 2021 Domagoj Stolfa <ds815@HIDDEN>
>  ;;;
>  ;;; This file is part of GNU Guix.
>  ;;;
> @@ -26,6 +27,7 @@
>    #:use-module (gnu services shepherd)
>    #:use-module (gnu system shadow)
>    #:use-module (gnu packages admin)
> +  #:use-module (gnu packages networking)
>    #:use-module (gnu packages vpn)
>    #:use-module (guix packages)
>    #:use-module (guix records)
> @@ -44,6 +46,9 @@
>              generate-openvpn-client-documentation
>              generate-openvpn-server-documentation
>=20=20
> +            strongswan-configuration
> +            strongswan-service-type
> +
>              wireguard-peer
>              wireguard-peer?
>              wireguard-peer-name
> @@ -529,6 +534,129 @@ is truncated and rewritten every minute.")
>       (openvpn-remote-configuration=20
>       ,openvpn-remote-configuration-fields))
>     'openvpn-client-configuration))
>=20=20
> +;;;
> +;;; Strongswan.
> +;;;
> +
> +(define-record-type* <strongswan-configuration>
> +  strongswan-configuration make-strongswan-configuration
> +  strongswan-configuration?
> +  (strongswan      strongswan-configuration-strongswan=20
> ;<package>
> +                   (default strongswan))
> +  (use-ipsec?      strongswan-configuration-use-ipsec? ;legacy=20
> interface
> +                   (default #f))
> +  (ipsec-conf      strongswan-configuration-ipsec-conf)
> +  (ipsec-secrets   strongswan-configuration-ipsec-secrets))
> +
> +;; In the future, it might be worth implementing a record type=20
> to configure
> +;; all of the plugins, but for *most* basic usecases, simply=20
> creating the
> +;; files will be sufficient. Same is true of charon-plugins.
> +(define strongswand-config-files
> +  (list "charon" "charon-logging" "pki" "pool" "scepclient"
> +        "swanctl" "tnc"))
> +
> +;; Plugins to load.
> +(define charon-plugins
> +  (list "aes" "aesni" "attr" "attr-sql" "chapoly" "cmac"=20
> "constraints"
> +        "counters" "curl" "curve25519" "dhcp" "dnskey" "drbg"=20
> "eap-aka-3gpp"
> +        "eap-aka" "eap-dynamic" "eap-identity" "eap-md5"=20
> "eap-mschapv2"
> +        "eap-peap" "eap-radius" "eap-simaka-pseudonym"=20
> "eap-simaka-reauth"
> +        "eap-simaka-sql" "eap-sim" "eap-sim-file" "eap-tls"=20
> "eap-tnc"
> +        "eap-ttls" "ext-auth" "farp" "fips-prf" "gmp" "ha"=20
> "hmac"
> +        "kernel-netlink" "led" "md4" "md5" "mgf1" "nonce"=20
> "openssl" "pem"
> +        "pgp" "pkcs12" "pkcs1" "pkcs7" "pkcs8" "pubkey"=20
> "random" "rc2"
> +        "resolve" "revocation" "sha1" "sha2" "socket-default"=20
> "soup" "sql"
> +        "sqlite" "sshkey" "tnc-tnccs" "vici" "x509" "xauth-eap"=20
> "xauth-generic"
> +        "xauth-noauth" "xauth-pam" "xcbc"))

Are these simply =E2=80=98all of the plug-ins=E2=80=99?

I'm fine with this =E2=80=98temporary=E2=80=99 solution as long as it's nev=
er=20
exported.

I'll trust you on all of this configuration syntax madness:  :-)

> +(define (strongswan-configuration-file config)
> +  (match-record config <strongswan-configuration>
> +    (strongswan use-ipsec? ipsec-conf ipsec-secrets)
> +    (let* ((strongswan-dir
> +            (computed-file
> +             "strongswan.d"
> +             #~(begin
> +                 (mkdir #$output)
> +                 ;; Create all of the configuration files in=20
> strongswan.d/*.conf
> +                 (map (lambda (conf-file)
> +                        (let* ((filename (string-append
> +                                          #$output "/"
> +                                          conf-file ".conf")))
> +                          (call-with-output-file filename
> +                            (lambda (port)
> +                              (display
> +                               "# Created by=20
> 'strongswan-service'\n"
> +                               port)))))
> +                      (list #$@strongswand-config-files))
> +                 (mkdir (string-append #$output "/charon"))
> +                 ;; And all of the strongswan.d/charon/*.conf=20
> files (plugins)

Nitpick: ;;-comments are full sentences ending in a full stop.

> +                 (map (lambda (plugin)
> +                        (let* ((filename (string-append
> +                                          #$output "/charon/"
> +                                          plugin ".conf")))
> +                          (call-with-output-file filename
> +                            (lambda (port)
> +                              (format port "~a {
> +  load =3D yes
> +}"
> +                                      plugin)))))
> +                      (list #$@charon-plugins))))))
> +      ;; Generate our strongswan.conf to reflect the user=20
> configuration.
> +      (computed-file
> +       "strongswan.conf"
> +       #~(begin
> +           (call-with-output-file #$output
> +             (lambda (port)
> +               (display "# Generated by=20
> 'strongswan-service'.\n" port)
> +               (format port "charon {
> +  load_modular =3D yes
> +  plugins {
> +    include ~a/charon/*.conf"
> +                       #$strongswan-dir)
> +               (if #$use-ipsec?
> +                   (format port "
> +    stroke {
> +      load =3D yes
> +      secrets_file =3D ~a
> +    }

All this indentation is doing my head in, but it looks like here…

> +  }
> +}
> +
> +starter {
> +  config_file =3D ~a
> +}
> +
> +include ~a/*.conf"
> +                           #$ipsec-secrets
> +                           #$ipsec-conf
> +                           #$strongswan-dir)
> +                   (format port "
> +  }
> +}
> +include ~a/*.conf"
> +                           #$strongswan-dir)))))))))
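Review bot: both `map` calls in the `strongswan.d` builder are used only for their side effects (writing a file per entry), so `for-each` is the idiom; `map` builds and discards a list of unspecified values. More importantly, `secrets_file = ~a` is filled from `#$ipsec-secrets` and written into a store item, which every local user can read: a string is passed through unchanged, but a file-like object (for example `local-file`) would be copied into /gnu/store together with the keys and passwords it holds. Document that `ipsec-secrets` must be a plain path outside the store, or check that it is a string before lowering it.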

…you had to choose between two ifs and two #$strongswan-dirs, and
chose two #$strongswan-dirs?  I prefer two ifs.

> +(define (strongswan-shepherd-service config)
> +  (let* ((ipsec (file-append strongswan "/sbin/ipsec"))
> +        (strongswan-conf-path (strongswan-configuration-file=20
> config)))
> +    (list (shepherd-service
> +           (requirement '(networking))
> +           (provision '(strongswan))
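Review bot: `(file-append strongswan "/sbin/ipsec")` refers to the global `strongswan` package, so the `strongswan` field of `<strongswan-configuration>` is never consulted and a user who overrides it still gets the default binary; take the package from `config` (for example by binding the field with `match-record`, as `strongswan-configuration-file` already does).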

I guess.  I have no idea how ‘generic’ StrongSwan is and whether
this makes more sense than (provision '(ipsec)) or not.

> +           (start #~(make-forkexec-constructor
> +                     (list #$ipsec "start" "--nofork")
> +                     #:environment-variables
> +                     (list (string-append "STRONGSWAN_CONF=3D"
> +=20
> #$strongswan-conf-path))))
> +           (stop #~(make-kill-destructor))
> +           (documentation "Start the charon daemon for IPsec=20
> VPN")))))

"StrongSwan's charon IKE keying daemon for IPsec VPN."

Most of the ‘Run the …’/‘Start the …’ noise that has snuck into
gnu/services should probably be removed.

> +(define strongswan-service-type
> +  (service-type
> +   (name 'strongswan)
> +   (extensions
> +    (list (service-extension shepherd-root-service-type
> +                             strongswan-shepherd-service)))))
> +
>  ;;;
>  ;;; Wireguard.
>  ;;;

For this to be merged, we're still missing some documentation in
doc/guix.texi.  Would you be willing to write some?

Kind regards,

T G-R





Information forwarded to guix-patches@HIDDEN:
bug#48803; Package guix-patches. Full text available.

Message received at submit <at> debbugs.gnu.org:


Date: Wed, 2 Jun 2021 23:11:03 +0100
From: Domagoj Stolfa <ds815@HIDDEN>
To: guix-patches@HIDDEN
Subject: [PATCH] strongswan: provide a service definition and configuration
 interface.
Message-ID: <YLgB91U8SgsJxdCe@pepehands>



This commit adds a strongswan-service-type which allows the user to
start strongswan correctly on Guix. Without this, they would need to
manually write a strongswan.conf file and run it with

`STRONGSWAN_CONF=/path/to/strongswan.conf ipsec start`.

For now, we only support the legacy ipsec.conf/ipsec.secrets interface.
Because ipsec.conf depends on indentation and is a deprecated interface,
we do not provide an EDSL to configure it, and we do not put the config
file in a Guile string (to avoid indentation issues). Similarly,
ipsec.secrets contains the user's authentication tokens/passwords, and is
for security reasons transmitted separately from the configuration file.

This change allows the user to write something as follows in their
config:

```
    (service strongswan-service-type
	     (strongswan-configuration
	      (use-ipsec? #t)
	      (ipsec-conf "/config-files/ipsec.conf")
	      (ipsec-secrets "/config-files/ipsec.secrets")))
```

This will start the charon daemon and allow them to connect to their
VPNs configured in `/config-files/ipsec.conf`.
---
 gnu/services/vpn.scm | 128 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 128 insertions(+)

diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 2bcbf76727..e026f2aa58 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -4,6 +4,7 @@
 ;;; Copyright =A9 2017 Mathieu Othacehe <m.othacehe@HIDDEN>
 ;;; Copyright =A9 2021 Guillaume Le Vaillant <glv@HIDDEN>
 ;;; Copyright =A9 2021 Solene Rapenne <solene@HIDDEN>
+;;; Copyright =A9 2021 Domagoj Stolfa <ds815@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -26,6 +27,7 @@
   #:use-module (gnu services shepherd)
   #:use-module (gnu system shadow)
   #:use-module (gnu packages admin)
+  #:use-module (gnu packages networking)
   #:use-module (gnu packages vpn)
   #:use-module (guix packages)
   #:use-module (guix records)
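Review bot: nothing in the added code appears to use a binding from `(gnu packages networking)`; the only package referenced is `strongswan`, and `(gnu packages vpn)` is already imported. If the new `#:use-module` is unused, drop it so the module's dependency list stays accurate.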
@@ -44,6 +46,9 @@
             generate-openvpn-client-documentation
             generate-openvpn-server-documentation
=20
+            strongswan-configuration
+            strongswan-service-type
+
             wireguard-peer
             wireguard-peer?
             wireguard-peer-name
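Review bot: only `strongswan-configuration` and `strongswan-service-type` are exported; the predicate and field accessors (`strongswan-configuration?`, `strongswan-configuration-strongswan`, `strongswan-configuration-use-ipsec?`, and so on) stay private, unlike the `wireguard-peer?`/`wireguard-peer-name` exports immediately below. Export them so users and tests can inspect a configuration the same way they can for the other services in this file.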
@@ -529,6 +534,129 @@ is truncated and rewritten every minute.")
      (openvpn-remote-configuration ,openvpn-remote-configuration-fields))
    'openvpn-client-configuration))
=20
+;;;
+;;; Strongswan.
+;;;
+
+(define-record-type* <strongswan-configuration>
+  strongswan-configuration make-strongswan-configuration
+  strongswan-configuration?
+  (strongswan      strongswan-configuration-strongswan ;<package>
+                   (default strongswan))
+  (use-ipsec?      strongswan-configuration-use-ipsec? ;legacy interface
+                   (default #f))
+  (ipsec-conf      strongswan-configuration-ipsec-conf)
+  (ipsec-secrets   strongswan-configuration-ipsec-secrets))
+
+;; In the future, it might be worth implementing a record type to configure
+;; all of the plugins, but for *most* basic usecases, simply creating the
+;; files will be sufficient. Same is true of charon-plugins.
+(define strongswand-config-files
+  (list "charon" "charon-logging" "pki" "pool" "scepclient"
+        "swanctl" "tnc"))
+
+;; Plugins to load.
+(define charon-plugins
+  (list "aes" "aesni" "attr" "attr-sql" "chapoly" "cmac" "constraints"
+        "counters" "curl" "curve25519" "dhcp" "dnskey" "drbg" "eap-aka-3gp=
p"
+        "eap-aka" "eap-dynamic" "eap-identity" "eap-md5" "eap-mschapv2"
+        "eap-peap" "eap-radius" "eap-simaka-pseudonym" "eap-simaka-reauth"
+        "eap-simaka-sql" "eap-sim" "eap-sim-file" "eap-tls" "eap-tnc"
+        "eap-ttls" "ext-auth" "farp" "fips-prf" "gmp" "ha" "hmac"
+        "kernel-netlink" "led" "md4" "md5" "mgf1" "nonce" "openssl" "pem"
+        "pgp" "pkcs12" "pkcs1" "pkcs7" "pkcs8" "pubkey" "random" "rc2"
+        "resolve" "revocation" "sha1" "sha2" "socket-default" "soup" "sql"
+        "sqlite" "sshkey" "tnc-tnccs" "vici" "x509" "xauth-eap" "xauth-gen=
eric"
+        "xauth-noauth" "xauth-pam" "xcbc"))
+
+(define (strongswan-configuration-file config)
+  (match-record config <strongswan-configuration>
+    (strongswan use-ipsec? ipsec-conf ipsec-secrets)
+    (let* ((strongswan-dir
+            (computed-file
+             "strongswan.d"
+             #~(begin
+                 (mkdir #$output)
+                 ;; Create all of the configuration files in strongswan.d/=
*.conf
+                 (map (lambda (conf-file)
+                        (let* ((filename (string-append
+                                          #$output "/"
+                                          conf-file ".conf")))
+                          (call-with-output-file filename
+                            (lambda (port)
+                              (display
+                               "# Created by 'strongswan-service'\n"
+                               port)))))
+                      (list #$@strongswand-config-files))
+                 (mkdir (string-append #$output "/charon"))
+                 ;; And all of the strongswan.d/charon/*.conf files (plugi=
ns)
+                 (map (lambda (plugin)
+                        (let* ((filename (string-append
+                                          #$output "/charon/"
+                                          plugin ".conf")))
+                          (call-with-output-file filename
+                            (lambda (port)
+                              (format port "~a {
+  load =3D yes
+}"
+                                      plugin)))))
+                      (list #$@charon-plugins))))))
+      ;; Generate our strongswan.conf to reflect the user configuration.
+      (computed-file
+       "strongswan.conf"
+       #~(begin
+           (call-with-output-file #$output
+             (lambda (port)
+               (display "# Generated by 'strongswan-service'.\n" port)
+               (format port "charon {
+  load_modular =3D yes
+  plugins {
+    include ~a/charon/*.conf"
+                       #$strongswan-dir)
+               (if #$use-ipsec?
+                   (format port "
+    stroke {
+      load =3D yes
+      secrets_file =3D ~a
+    }
+  }
+}
+
+starter {
+  config_file =3D ~a
+}
+
+include ~a/*.conf"
+                           #$ipsec-secrets
+                           #$ipsec-conf
+                           #$strongswan-dir)
+                   (format port "
+  }
+}
+include ~a/*.conf"
+                           #$strongswan-dir)))))))))
+
+(define (strongswan-shepherd-service config)
+  (let* ((ipsec (file-append strongswan "/sbin/ipsec"))
+        (strongswan-conf-path (strongswan-configuration-file config)))
+    (list (shepherd-service
+           (requirement '(networking))
+           (provision '(strongswan))
+           (start #~(make-forkexec-constructor
+                     (list #$ipsec "start" "--nofork")
+                     #:environment-variables
+                     (list (string-append "STRONGSWAN_CONF=3D"
+                                          #$strongswan-conf-path))))
+           (stop #~(make-kill-destructor))
+           (documentation "Start the charon daemon for IPsec VPN")))))
+
+(define strongswan-service-type
+  (service-type
+   (name 'strongswan)
+   (extensions
+    (list (service-extension shepherd-root-service-type
+                             strongswan-shepherd-service)))))
+
 ;;;
 ;;; Wireguard.
 ;;;
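Review bot: `ipsec-conf` and `ipsec-secrets` have no `(default ...)`, so `(strongswan-configuration (use-ipsec? #f))` fails to build the record even though that branch never reads either field; give both `(default #f)` and validate them only when `use-ipsec?` is true. In `strongswan-shepherd-service`, `(file-append strongswan "/sbin/ipsec")` uses the global package rather than the record's `strongswan` field, so the field is dead; read it from `config`. The generated `strongswan.conf` is a store item and therefore world-readable, so the `secrets_file = ~a` value must always point outside the store; since `#$ipsec-secrets` would lower a file-like object into /gnu/store, the docstring should say the field is a plain path (the commit message already relies on that), or the code should reject anything that is not a string. `charon-plugins` loads every plugin unconditionally, which gives a default deployment the largest possible attack surface in the daemon; a minimal default set that users can extend from their configuration would be the safer starting point. Smaller points: `strongswand-config-files` reads like a typo for `strongswan-config-files`, the two `map` calls in the `strongswan.d` builder should be `for-each` since only their side effects are used, and the `;;` comments above them should end in a full stop as the rest of the file does.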
-- 
2.31.1


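An added example, not code from the patch or from Guix: the same strongswan.conf layout that `strongswan-configuration-file` writes, rendered in Python, plus the store-path check for `ipsec-secrets` that the patch does not perform. Function names and the sample paths are this example's own assumptions.

```python
"""Render the strongswan.conf produced by the patch and guard the
secrets path.  Example code, not Guix's own implementation."""
import os

# Everything under the Guix store is world-readable, so a secrets file
# that ends up there leaks PSKs and passwords to every local user.
STORE_PREFIX = "/gnu/store/"


def check_secret_path(path):
    """Return PATH if it is an absolute path outside the store, else raise.

    The patch interpolates ipsec-secrets as a bare path; a string passes
    through unchanged, but a file-like object would be copied into the
    store by Guix, which this check is meant to rule out.
    """
    if not isinstance(path, str) or not os.path.isabs(path):
        raise ValueError(f"ipsec-secrets must be an absolute path: {path!r}")
    if path.startswith(STORE_PREFIX):
        raise ValueError(f"ipsec-secrets must not live in the store: {path!r}")
    return path


def render_strongswan_conf(strongswan_dir, use_ipsec=False,
                           ipsec_conf=None, ipsec_secrets=None):
    """Reproduce the two branches of the patch's (if #$use-ipsec? ...)."""
    lines = ["# Generated by 'strongswan-service'.",
             "charon {",
             "  load_modular = yes",
             "  plugins {",
             f"    include {strongswan_dir}/charon/*.conf"]
    if use_ipsec:
        # These fields only matter for the legacy stroke/starter interface.
        if ipsec_conf is None or ipsec_secrets is None:
            raise ValueError("use-ipsec? requires ipsec-conf and ipsec-secrets")
        secrets = check_secret_path(ipsec_secrets)
        lines += ["    stroke {",
                  "      load = yes",
                  f"      secrets_file = {secrets}",
                  "    }",
                  "  }",
                  "}",
                  "",
                  "starter {",
                  f"  config_file = {ipsec_conf}",
                  "}",
                  ""]
    else:
        lines += ["  }", "}"]
    lines.append(f"include {strongswan_dir}/*.conf")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample paths; the store hash is a placeholder.
    print(render_strongswan_conf("/gnu/store/xxxx-strongswan.d", True,
                                 "/config-files/ipsec.conf",
                                 "/config-files/ipsec.secrets"))
```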




Acknowledgement sent to Domagoj Stolfa <ds815@HIDDEN>:
New bug report received and forwarded. Copy sent to guix-patches@HIDDEN. Full text available.
Report forwarded to guix-patches@HIDDEN:
bug#48803; Package guix-patches. Full text available.
Last modified: Sun, 13 Jun 2021 13:00:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.