nixpkgs/nixos/modules/services/networking/xl2tpd.nix

144 lines
3.9 KiB
Nix

{ config, pkgs, lib, ... }:
with lib;
{
options = {
services.xl2tpd = {
enable = mkEnableOption "xl2tpd, the Layer 2 Tunnelling Protocol Daemon";
serverIp = mkOption {
type = types.str;
description = "The server-side IP address.";
default = "10.125.125.1";
};
clientIpRange = mkOption {
type = types.str;
description = "The range from which client IPs are drawn.";
default = "10.125.125.2-11";
};
extraXl2tpOptions = mkOption {
type = types.lines;
description = "Adds extra lines to the xl2tpd configuration file.";
default = "";
};
extraPppdOptions = mkOption {
type = types.lines;
description = "Adds extra lines to the pppd options file.";
default = "";
example = ''
ms-dns 8.8.8.8
ms-dns 8.8.4.4
'';
};
};
};
config = mkIf config.services.xl2tpd.enable {
systemd.services.xl2tpd = let
cfg = config.services.xl2tpd;
# Config files from https://help.ubuntu.com/community/L2TPServer
xl2tpd-conf = pkgs.writeText "xl2tpd.conf" ''
[global]
ipsec saref = no
[lns default]
local ip = ${cfg.serverIp}
ip range = ${cfg.clientIpRange}
pppoptfile = ${pppd-options}
length bit = yes
; Extra
${cfg.extraXl2tpOptions}
'';
pppd-options = pkgs.writeText "ppp-options-xl2tpd.conf" ''
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
# require-mppe-128
asyncmap 0
auth
crtscts
idle 1800
mtu 1200
mru 1200
lock
hide-password
local
# debug
name xl2tpd
# proxyarp
lcp-echo-interval 30
lcp-echo-failure 4
# Extra:
${cfg.extraPppdOptions}
'';
xl2tpd-ppp-wrapped = pkgs.stdenv.mkDerivation {
name = "xl2tpd-ppp-wrapped";
phases = [ "installPhase" ];
buildInputs = with pkgs; [ makeWrapper ];
installPhase = ''
mkdir -p $out/bin
makeWrapper ${pkgs.ppp}/sbin/pppd $out/bin/pppd \
--set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \
--set NIX_REDIRECTS "/etc/ppp=/etc/xl2tpd/ppp"
makeWrapper ${pkgs.xl2tpd}/bin/xl2tpd $out/bin/xl2tpd \
--set LD_PRELOAD "${pkgs.libredirect}/lib/libredirect.so" \
--set NIX_REDIRECTS "${pkgs.ppp}/sbin/pppd=$out/bin/pppd"
'';
};
in {
description = "xl2tpd server";
requires = [ "network-online.target" ];
wantedBy = [ "multi-user.target" ];
preStart = ''
mkdir -p -m 700 /etc/xl2tpd
pushd /etc/xl2tpd > /dev/null
mkdir -p -m 700 ppp
[ -f ppp/chap-secrets ] || cat > ppp/chap-secrets << EOF
# Secrets for authentication using CHAP
# client server secret IP addresses
#username xl2tpd password *
EOF
chown root:root ppp/chap-secrets
chmod 600 ppp/chap-secrets
# The documentation says this file should be present but doesn't explain why and things work even if not there:
[ -f l2tp-secrets ] || (echo -n "* * "; ${pkgs.apg}/bin/apg -n 1 -m 32 -x 32 -a 1 -M LCN) > l2tp-secrets
chown root:root l2tp-secrets
chmod 600 l2tp-secrets
popd > /dev/null
mkdir -p /run/xl2tpd
chown root:root /run/xl2tpd
chmod 700 /run/xl2tpd
'';
serviceConfig = {
ExecStart = "${xl2tpd-ppp-wrapped}/bin/xl2tpd -D -c ${xl2tpd-conf} -s /etc/xl2tpd/l2tp-secrets -p /run/xl2tpd/pid -C /run/xl2tpd/control";
KillMode = "process";
Restart = "on-success";
Type = "simple";
PIDFile = "/run/xl2tpd/pid";
};
};
};
}