Subject: [bug#48803] [PATCH] strongswan: provide a service definition and configuration interface.
From: Domagoj Stolfa
To: guix-patches@gnu.org
Date: Wed, 2 Jun 2021 23:11:03 +0100

This commit adds a strongswan-service-type which allows the user to start strongswan correctly on Guix. Without this, they would need to manually write a strongswan.conf file and run it with `STRONGSWAN_CONF=/path/to/strongswan.conf ipsec start`.

For now, we only support the legacy ipsec.conf/ipsec.secrets interface. Because ipsec.conf depends on indentation and is a deprecated interface, we do not provide an EDSL to configure it, and we do not put the config file in a Guile string (to avoid indentation issues). Similarly, ipsec.secrets contains the user's authentication token/passwords, and is for security reasons transmitted separately from the configuration file.

This change allows the user to write something as follows in their config:

```
(service strongswan-service-type
         (strongswan-configuration
          (use-ipsec? #t)
          (ipsec-conf "/config-files/ipsec.conf")
          (ipsec-secrets "/config-files/ipsec.secrets")))
```

This will start the charon daemon and allow them to connect to their VPNs configured in `/config-files/ipsec.conf`.
---
 gnu/services/vpn.scm | 128 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 128 insertions(+)

diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 2bcbf76727..e026f2aa58 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -4,6 +4,7 @@ ;;; Copyright =A9 2017 Mathieu Othacehe ;;; Copyright =A9 2021 Guillaume Le Vaillant ;;; Copyright =A9 2021 Solene Rapenne +;;; Copyright =A9 2021 Domagoj Stolfa ;;; ;;; This file is part of GNU Guix. ;;; @@ -26,6 +27,7 @@ #:use-module (gnu services shepherd) #:use-module (gnu system shadow) #:use-module (gnu packages admin) + #:use-module (gnu packages networking) #:use-module (gnu packages vpn) #:use-module (guix packages) #:use-module (guix records) @@ -44,6 +46,9 @@ generate-openvpn-client-documentation generate-openvpn-server-documentation =20 + strongswan-configuration + strongswan-service-type + wireguard-peer wireguard-peer? wireguard-peer-name 
@@ -529,6 +534,129 @@ is truncated and rewritten every minute.") (openvpn-remote-configuration ,openvpn-remote-configuration-fields)) 'openvpn-client-configuration)) =20 +;;; +;;; Strongswan. +;;; + +(define-record-type* + strongswan-configuration make-strongswan-configuration + strongswan-configuration? + (strongswan strongswan-configuration-strongswan ; + (default strongswan)) + (use-ipsec? strongswan-configuration-use-ipsec? ;legacy interface + (default #f)) + (ipsec-conf strongswan-configuration-ipsec-conf) + (ipsec-secrets strongswan-configuration-ipsec-secrets)) + +;; In the future, it might be worth implementing a record type to configure +;; all of the plugins, but for *most* basic usecases, simply creating the +;; files will be sufficient. Same is true of charon-plugins. +(define strongswand-config-files + (list "charon" "charon-logging" "pki" "pool" "scepclient" + "swanctl" "tnc")) + +;; Plugins to load. +(define charon-plugins + (list "aes" "aesni" "attr" "attr-sql" "chapoly" "cmac" "constraints" + "counters" "curl" "curve25519" "dhcp" "dnskey" "drbg" "eap-aka-3gp= p" + "eap-aka" "eap-dynamic" "eap-identity" "eap-md5" "eap-mschapv2" + "eap-peap" "eap-radius" "eap-simaka-pseudonym" "eap-simaka-reauth" + "eap-simaka-sql" "eap-sim" "eap-sim-file" "eap-tls" "eap-tnc" + "eap-ttls" "ext-auth" "farp" "fips-prf" "gmp" "ha" "hmac" + "kernel-netlink" "led" "md4" "md5" "mgf1" "nonce" "openssl" "pem" + "pgp" "pkcs12" "pkcs1" "pkcs7" "pkcs8" "pubkey" "random" "rc2" + "resolve" "revocation" "sha1" "sha2" "socket-default" "soup" "sql" + "sqlite" "sshkey" "tnc-tnccs" "vici" "x509" "xauth-eap" "xauth-gen= eric" + "xauth-noauth" "xauth-pam" "xcbc")) + +(define (strongswan-configuration-file config) + (match-record config + (strongswan use-ipsec? 
ipsec-conf ipsec-secrets) + (let* ((strongswan-dir + (computed-file + "strongswan.d" + #~(begin + (mkdir #$output) + ;; Create all of the configuration files in strongswan.d/= *.conf + (map (lambda (conf-file) + (let* ((filename (string-append + #$output "/" + conf-file ".conf"))) + (call-with-output-file filename + (lambda (port) + (display + "# Created by 'strongswan-service'\n" + port))))) + (list #$@strongswand-config-files)) + (mkdir (string-append #$output "/charon")) + ;; And all of the strongswan.d/charon/*.conf files (plugi= ns) + (map (lambda (plugin) + (let* ((filename (string-append + #$output "/charon/" + plugin ".conf"))) + (call-with-output-file filename + (lambda (port) + (format port "~a { + load =3D yes +}" + plugin))))) + (list #$@charon-plugins)))))) + ;; Generate our strongswan.conf to reflect the user configuration. + (computed-file + "strongswan.conf" + #~(begin + (call-with-output-file #$output + (lambda (port) + (display "# Generated by 'strongswan-service'.\n" port) + (format port "charon { + load_modular =3D yes + plugins { + include ~a/charon/*.conf" + #$strongswan-dir) + (if #$use-ipsec? 
+ (format port " + stroke { + load =3D yes + secrets_file =3D ~a + } + } +} + +starter { + config_file =3D ~a +} + +include ~a/*.conf" + #$ipsec-secrets + #$ipsec-conf + #$strongswan-dir) + (format port " + } +} +include ~a/*.conf" + #$strongswan-dir))))))))) + +(define (strongswan-shepherd-service config) + (let* ((ipsec (file-append strongswan "/sbin/ipsec")) + (strongswan-conf-path (strongswan-configuration-file config))) + (list (shepherd-service + (requirement '(networking)) + (provision '(strongswan)) + (start #~(make-forkexec-constructor + (list #$ipsec "start" "--nofork") + #:environment-variables + (list (string-append "STRONGSWAN_CONF=3D" + #$strongswan-conf-path)))) + (stop #~(make-kill-destructor)) + (documentation "Start the charon daemon for IPsec VPN"))))) + +(define strongswan-service-type + (service-type + (name 'strongswan) + (extensions + (list (service-extension shepherd-root-service-type + strongswan-shepherd-service))))) + ;;; ;;; Wireguard. ;;;
-- 
2.31.1
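Review bot: in the `#:use-module` hunk, the new `(gnu packages networking)` import is not referenced by anything in the added code; the `strongswan` package used as the record's default comes from `(gnu packages vpn)`, which the module already imports, so drop the new import unless a later revision needs a binding from it.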
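Review bot: the export hunk adds only `strongswan-configuration` and `strongswan-service-type`; the predicate and field accessors defined in the record hunk (`strongswan-configuration?`, `strongswan-configuration-ipsec-conf`, and so on) stay private, whereas the neighbouring `wireguard-peer` exports in the same hunk show the file's convention of exporting the predicate and accessors too. Consider exporting them alongside so that users and service extensions can inspect a configuration.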
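Review bot: `strongswan-shepherd-service` ignores the record's `strongswan` field: `(file-append strongswan "/sbin/ipsec")` refers to the module-level package, so a user who writes `(strongswan my-package)` in `strongswan-configuration` still runs the default one; bind the field (via `match-record` or `strongswan-configuration-strongswan`) and use that. Two smaller points in the same hunk: `ipsec-conf` and `ipsec-secrets` carry no `default`, so a configuration with `use-ipsec? #f` must still supply both paths even though the `#f` branch never reads them (give them a `#f` default, or derive the flag from whether both are set); and `charon-plugins` loads every plugin unconditionally, including legacy ones such as `md4`, `md5`, `rc2` and `xauth-noauth`, so a tighter default list, or exposing the list as a record field, would be preferable. Style: both `(map (lambda ...))` calls are used for their side effects only; `for-each` is the idiomatic form.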
Subject: [bug#48803] [PATCH] strongswan: provide a service definition and configuration interface.
From: Tobias Geerinckx-Rice
To: Domagoj Stolfa
Cc: 48803@debbugs.gnu.org
Date: Sun, 13 Jun 2021 14:41:00 +0200
Message-ID: <87r1h6x7hf.fsf@nckx>

Domagoj,

Domagoj Stolfa wrote:
> This commit adds a strongswan-service-type which allows the user to
> start strongswan correctly on Guix.

Thank you!

> Because ipsec.conf depends on indentation and is a deprecated interface,
> we do not provide an EDSL to configure it,

OK.

> and we do not put the config
> file in a Guile string (to avoid indentation issues).

Not using a string is fine by me, but I don't understand this particular argument for it.

> Similarly,
> ipsec.secrets contains the user's authentication token/passwords, and is
> for security reasons transmitted separately from the configuration file.

OK, good to make it hard to inadvertently intern into the store.

> (service strongswan-service-type
>          (strongswan-configuration
>           (use-ipsec? #t)
>           (ipsec-conf "/config-files/ipsec.conf")
>           (ipsec-secrets "/config-files/ipsec.secrets")))

(I)IRC you told me that the majority of users simply point StrongSwan to a .conf/.secrets file they got from on high, and this is all they'll ever need to do so. Sounds good to me.

This is a bit straightforward (no ‘local-file’, ‘plain-file’, …) but there's precedent for that:

(service nginx-service-type
         (nginx-configuration
          (file "/etc/guix/nginx/nginx.conf")))

What does the daemon do now when USE-IPSEC? is #f? Anything useful?

Could we drop USE-IPSEC? and allow IPSEC-CONF/IPSEC-SECRETS to be #f to signal the same thing (enforcing only sane combinations)? Or would that make things more confusing?

Is all this legacy enough to mark as such in the field name (LEGACY-IPSEC-CONF, etc.) or is it one of those things that will never ever go away and VPN providers will still hand out ipsecs.conf in 2038?

> This will start the charon daemon and allow them to connect to their
> VPNs configured in `/config-files/ipsec.conf`.
> ---
> gnu/services/vpn.scm | 128 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 128 insertions(+)
>
> diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
> index 2bcbf76727..e026f2aa58 100644
> --- a/gnu/services/vpn.scm
> +++ b/gnu/services/vpn.scm
> @@ -4,6 +4,7 @@ > ;;; Copyright =C2=A9 2017 Mathieu Othacehe > ;;; Copyright =C2=A9 2021 Guillaume Le Vaillant > ;;; Copyright =C2=A9 2021 Solene Rapenne > +;;; Copyright =C2=A9 2021 Domagoj Stolfa > ;;; > ;;; This file is part of GNU Guix. > ;;; > @@ -26,6 +27,7 @@ > #:use-module (gnu services shepherd) > #:use-module (gnu system shadow) > #:use-module (gnu packages admin) > + #:use-module (gnu packages networking) > #:use-module (gnu packages vpn) > #:use-module (guix packages) > #:use-module (guix records)
> @@ -44,6 +46,9 @@ > generate-openvpn-client-documentation > generate-openvpn-server-documentation >=20=20 > + strongswan-configuration > + strongswan-service-type > + > wireguard-peer > wireguard-peer? > wireguard-peer-name 
> @@ -529,6 +534,129 @@ is truncated and rewritten every minute.") > (openvpn-remote-configuration=20 > ,openvpn-remote-configuration-fields)) > 'openvpn-client-configuration)) >=20=20 > +;;; > +;;; Strongswan. > +;;; > + > +(define-record-type* > + strongswan-configuration make-strongswan-configuration > + strongswan-configuration? > + (strongswan strongswan-configuration-strongswan=20 > ; > + (default strongswan)) > + (use-ipsec? strongswan-configuration-use-ipsec? ;legacy=20 > interface > + (default #f)) > + (ipsec-conf strongswan-configuration-ipsec-conf) > + (ipsec-secrets strongswan-configuration-ipsec-secrets)) > + > +;; In the future, it might be worth implementing a record type=20 > to configure > +;; all of the plugins, but for *most* basic usecases, simply=20 > creating the > +;; files will be sufficient. Same is true of charon-plugins. > +(define strongswand-config-files > + (list "charon" "charon-logging" "pki" "pool" "scepclient" > + "swanctl" "tnc")) > + > +;; Plugins to load. > +(define charon-plugins > + (list "aes" "aesni" "attr" "attr-sql" "chapoly" "cmac"=20 > "constraints" > + "counters" "curl" "curve25519" "dhcp" "dnskey" "drbg"=20 > "eap-aka-3gpp" > + "eap-aka" "eap-dynamic" "eap-identity" "eap-md5"=20 > "eap-mschapv2" > + "eap-peap" "eap-radius" "eap-simaka-pseudonym"=20 > "eap-simaka-reauth" > + "eap-simaka-sql" "eap-sim" "eap-sim-file" "eap-tls"=20 > "eap-tnc" > + "eap-ttls" "ext-auth" "farp" "fips-prf" "gmp" "ha"=20 > "hmac" > + "kernel-netlink" "led" "md4" "md5" "mgf1" "nonce"=20 > "openssl" "pem" > + "pgp" "pkcs12" "pkcs1" "pkcs7" "pkcs8" "pubkey"=20 > "random" "rc2" > + "resolve" "revocation" "sha1" "sha2" "socket-default"=20 > "soup" "sql" > + "sqlite" "sshkey" "tnc-tnccs" "vici" "x509" "xauth-eap"=20 > "xauth-generic" > + "xauth-noauth" "xauth-pam" "xcbc"))

Are these simply ‘all of the plug-ins’?

I'm fine with this ‘temporary’ solution as long as it's never exported.
I'll trust you on all of this configuration syntax madness: :-)

> +(define (strongswan-configuration-file config) > + (match-record config > + (strongswan use-ipsec? ipsec-conf ipsec-secrets) > + (let* ((strongswan-dir > + (computed-file > + "strongswan.d" > + #~(begin > + (mkdir #$output) > + ;; Create all of the configuration files in=20 > strongswan.d/*.conf > + (map (lambda (conf-file) > + (let* ((filename (string-append > + #$output "/" > + conf-file ".conf"))) > + (call-with-output-file filename > + (lambda (port) > + (display > + "# Created by=20 > 'strongswan-service'\n" > + port))))) > + (list #$@strongswand-config-files)) > + (mkdir (string-append #$output "/charon")) > + ;; And all of the strongswan.d/charon/*.conf=20 > files (plugins)

Nitpick: ;;-comments are full sentences ending in a full stop.

> + (map (lambda (plugin) > + (let* ((filename (string-append > + #$output "/charon/" > + plugin ".conf"))) > + (call-with-output-file filename > + (lambda (port) > + (format port "~a { > + load =3D yes > +}" > + plugin))))) > + (list #$@charon-plugins)))))) > + ;; Generate our strongswan.conf to reflect the user=20 > configuration. > + (computed-file > + "strongswan.conf" > + #~(begin > + (call-with-output-file #$output > + (lambda (port) > + (display "# Generated by=20 > 'strongswan-service'.\n" port) > + (format port "charon { > + load_modular =3D yes > + plugins { > + include ~a/charon/*.conf" > + #$strongswan-dir) > + (if #$use-ipsec? > + (format port " > + stroke { > + load =3D yes > + secrets_file =3D ~a > + }

All this indentation is doing my head in, but it looks like here…

> + } > +} > + > +starter { > + config_file =3D ~a > +} > + > +include ~a/*.conf" > + #$ipsec-secrets > + #$ipsec-conf > + #$strongswan-dir) > + (format port " > + } > +} > +include ~a/*.conf" > + #$strongswan-dir)))))))))

…you had to choose between two ifs and two #$strongswan-dirs, and chose two #$strongswan-dirs? I prefer two ifs.
> +(define (strongswan-shepherd-service config) > + (let* ((ipsec (file-append strongswan "/sbin/ipsec")) > + (strongswan-conf-path (strongswan-configuration-file=20 > config))) > + (list (shepherd-service > + (requirement '(networking)) > + (provision '(strongswan))

I guess. I have no idea how ‘generic’ StrongSwan is and whether this makes more sense than (provision '(ipsec)) or not.

> + (start #~(make-forkexec-constructor > + (list #$ipsec "start" "--nofork") > + #:environment-variables > + (list (string-append "STRONGSWAN_CONF=3D" > +=20 > #$strongswan-conf-path)))) > + (stop #~(make-kill-destructor)) > + (documentation "Start the charon daemon for IPsec=20 > VPN")))))

"StrongSwan's charon IKE keying daemon for IPsec VPN."

Most of ‘Run the …’/‘Start the …’ noise that has snuck into gnu/services should probably be removed.

> +(define strongswan-service-type > + (service-type > + (name 'strongswan) > + (extensions > + (list (service-extension shepherd-root-service-type > + strongswan-shepherd-service))))) > + > ;;; > ;;; Wireguard. > ;;;

For this to be merged, we're still missing some documentation in doc/guix.text. Would you be willing to write some?

Kind regards,

T G-R

Subject: [bug#48803] [PATCH] strongswan: provide a service definition and configuration interface.
From: Tobias Geerinckx-Rice
To: Domagoj Stolfa
Cc: 48803@debbugs.gnu.org
Date: Sun, 13 Jun 2021 14:45:28 +0200
Message-ID: <87o8cax79z.fsf@nckx>

Forgot to add: please include a GNU/Guix-style commit message like:

gnu: Add strongswan service.

* gnu/services/vpn.scm (strongswan-configuration): New record type.
(charon-plugins, strongswan-configuration-file)
(strongswan-shepherd-service, strongswan-service-type): New variables.
* doc/guix.tex (VPN Services): Document them all!

Kind regards,

T G-R

Subject: [bug#48803] [PATCH] strongswan: provide a service definition and configuration interface.
From: Domagoj Stolfa
To: Tobias Geerinckx-Rice
Cc: 48803@debbugs.gnu.org
Date: Sun, 13 Jun 2021 14:04:00 +0100
In-Reply-To: <87r1h6x7hf.fsf@nckx>

Tobias,

> > and we do not put the config
> > file in a Guile string (to avoid indentation issues).
>
> Not using a string is fine by me, but I don't understand this particular
> argument for it.

ipsec.conf is pythonistic in the sense that it's sensitive to indentation. This is just to avoid copy-paste errors in a config file that result in cryptic error messages because the user missed a space while copy-pasting something. It's easier to just transmit the file as given by the "higher-ups" out of bounds than have it as a configuration string, as ipsec.secrets kind of has to be transmitted that way anyway.

> What does the daemon do now when USE-IPSEC? is #f? Anything useful?

It doesn't do anything other than use the default configuration that is provided by strongswan as it is shipped (basically, whatever is in the build directory by default). This is what it has done up until this point already; the user would have to start strongswan by setting an environment variable to some local `strongswan.conf`. It is also what strongswan does on a fresh installation in any other distribution I've tried it on.

> Could we drop USE-IPSEC? and allow IPSEC-CONF/IPSEC-SECRETS to be #f to
> signal the same thing (enforcing only sane combinations)? Or would that make
> things more confusing?
We could, the plan I had for `strongswan` as a service is to support both ipsec.conf/ipsec.secrets and swanctl, hence the `use-ipsec?` as a separate thing. I can refactor it without that flag and have no real strong opinion on it. > Is all this legacy enough to mark as such in the field name > (LEGACY-IPSEC-CONF, etc.) or is it one of those things that will never ev= er > go away and VPN providers will still hand out ipsecs.conf in 2038? Unclear at this point, I don't see how strongswan could drop support for ipsec.conf and ipsec.secrets without making a lot of users angry at this point. The VPN that I'm using is configured and documented by people who are quite familiar with strongswan, and even there the documentation is referring to ipsec.conf and ipsec.secrets rather than swanctl at the moment. > Nitpick: ;;-comments are full sentences ending in a full stop. ACK. Will fix. > =E2=80=A6you had to choose between two ifs and two #$strongswan-dirs, and= chose two > #$strongswan-dirs? I prefer two ifs. I think the reasoning for this was that if we're not using ipsec.conf/ipsec.secrets, we would be writing swanctl-specific configuration. Right now, that is just including strongswan.d, but it might do other things, so I've kept it in a more traditional if-else format. > I guess. I have no idea how =E2=80=98generic=E2=80=99 StrongSwan is and = whether this makes > more sense than (provision '(ipsec)) or not. That's a good question. I think it could probably provision ipsec, but I haven't really verified it so I didn't want to risk doing that. I assume that it can, though. > "StrongSwan's charon IKE keying daemon for IPsec VPN." ACK. > For this to be merged, we're still missing some documentation in > doc/guix.text. Would you be willing to write some? Will include the docs with the next patch. Thanks for the detailed feedback! 
-- 
Domagoj

Subject: [bug#48803] [PATCH] gnu: Add strongswan service.
From: Domagoj Stolfa
To: 48803@debbugs.gnu.org
Date: Sun, 13 Jun 2021 16:08:53 +0100
* gnu/services/vpn.scm (strongswan-configuration): New record type.
(charon-plugins, strongswan-configuration-file)
(strongswan-shepherd-service, strongswan-service-type): New variables.
* doc/guix.texi (VPN Services): Document them all.

This commit adds a strongswan-service-type which allows the user to start
strongswan correctly on Guix. Without this, they would need to manually write
a strongswan.conf file and run it with
`STRONGSWAN_CONF=/path/to/strongswan.conf ipsec start`.

For now, we only support the legacy ipsec.conf/ipsec.secrets interface.
Because ipsec.conf depends on indentation and is a deprecated interface, we
do not provide an EDSL to configure it, and we do not put the config file in
a Guile string (to avoid indentation issues). Similarly, ipsec.secrets
contains the user's authentication token/passwords, and is for security
reasons transmitted separately from the configuration file.

This change allows the user to write something as follows in their config:

```
(service strongswan-service-type
         (strongswan-configuration
          (use-ipsec? #t)
          (ipsec-conf "/etc/ipsec.conf")
          (ipsec-secrets "/etc/ipsec.secrets")))
```

This will start the charon daemon and allow them to connect to their VPNs
configured in `/config-files/ipsec.conf`.
---
 doc/guix.texi        |  37 ++++++++++++
 gnu/services/vpn.scm | 130 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 167 insertions(+)

diff --git a/doc/guix.texi b/doc/guix.texi
index 59b4ac11b4..f09170c76c 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -90,6 +90,7 @@ Copyright @copyright{} 2020 Edgar Vincent@* Copyright @copyright{} 2021 Maxime Devos@* Copyright @copyright{} 2021 B. Wilson@* Copyright @copyright{} 2021 Xinglu Chen@* +Copyright @copyright{} 2021 Domagoj Stolfa@* =20 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or @@ -27093,6 +27094,42 @@ Defaults to @samp{#f}. @end deftypevr =20 =20 +@subheading StrongSwan + +Currently, the StrongSwan service only provides legacy-style configuration= with +ipsec.conf and ipsec.secrets files. + +@defvr {Scheme Variable} strongswan-service-type +A service type for StrongSwan configuration. Its value must be a +@code{strongswan-configuration} record as in this example: + +@lisp +(service strongswan-service-type + (strongswan-configuration + (ipsec-conf "/etc/ipsec.conf") + (ipsec-secrets "/etc/ipsec.secrets"))) +@end lisp + +@end defvr + +@deftp {Data Type} strongswan-configuration +Data type representing the configuration of the StrongSwan service. + +@table @asis +@item @code{strongswan} +The strongswan package to use for this service. + +@item @code{ipsec-conf} (default: @code{#f}) +The path to an ipsec.conf file. If set to @code{#f}, @code{ipsec-secrets}= will +also be ignored. + +@item @code{ipsec-secrets} (default @code{#f}) +The path to an ipsec.secrets file. If set to @code{#f}, @code{ipsec-conf}= will +also be ignored. + +@end table +@end deftp + @c %end of automatic openvpn-server documentation =20 @subsubheading Wireguard diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index 2bcbf76727..691cc3c05a 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -26,6 +26,7 @@ #:use-module (gnu services shepherd) #:use-module (gnu system shadow) #:use-module (gnu packages admin) + #:use-module (gnu packages networking) #:use-module (gnu packages vpn) #:use-module (guix packages) #:use-module (guix records) 
@@ -44,6 +45,9 @@ generate-openvpn-client-documentation generate-openvpn-server-documentation =20 + strongswan-configuration + strongswan-service-type + wireguard-peer wireguard-peer? wireguard-peer-name 
@@ -529,6 +533,132 @@ is truncated and rewritten every minute.") (openvpn-remote-configuration ,openvpn-remote-configuration-fields)) 'openvpn-client-configuration)) =20 +;;; +;;; Strongswan. +;;; + +(define-record-type* + strongswan-configuration make-strongswan-configuration + strongswan-configuration? + (strongswan strongswan-configuration-strongswan ; + (default strongswan)) + (ipsec-conf strongswan-configuration-ipsec-conf + (default #f)) + (ipsec-secrets strongswan-configuration-ipsec-secrets + (default #f))) + +;; In the future, it might be worth implementing a record type to configure +;; all of the plugins, but for *most* basic usecases, simply creating the +;; files will be sufficient. Same is true of charon-plugins. +(define strongswand-config-files + (list "charon" "charon-logging" "pki" "pool" "scepclient" + "swanctl" "tnc")) + +;; Plugins to load. All of these plugins are going to end up as configurat= ion +;; files in strongswan.d/charon/. +(define charon-plugins + (list "aes" "aesni" "attr" "attr-sql" "chapoly" "cmac" "constraints" + "counters" "curl" "curve25519" "dhcp" "dnskey" "drbg" "eap-aka-3gp= p" + "eap-aka" "eap-dynamic" "eap-identity" "eap-md5" "eap-mschapv2" + "eap-peap" "eap-radius" "eap-simaka-pseudonym" "eap-simaka-reauth" + "eap-simaka-sql" "eap-sim" "eap-sim-file" "eap-tls" "eap-tnc" + "eap-ttls" "ext-auth" "farp" "fips-prf" "gmp" "ha" "hmac" + "kernel-netlink" "led" "md4" "md5" "mgf1" "nonce" "openssl" "pem" + "pgp" "pkcs12" "pkcs1" "pkcs7" "pkcs8" "pubkey" "random" "rc2" + "resolve" "revocation" "sha1" "sha2" "socket-default" "soup" "sql" + "sqlite" "sshkey" "tnc-tnccs" "vici" "x509" "xauth-eap" "xauth-gen= eric" + "xauth-noauth" "xauth-pam" "xcbc")) + +(define (strongswan-configuration-file config) + (match-record config + (strongswan ipsec-conf ipsec-secrets) + (let* ((strongswan-dir + (computed-file + "strongswan.d" + #~(begin + (mkdir #$output) + ;; Create all of the config files in strongswan.d/*.conf. 
+ (map (lambda (conf-file) + (let* ((filename (string-append + #$output "/" + conf-file ".conf"))) + (call-with-output-file filename + (lambda (port) + (display + "# Created by 'strongswan-service'\n" + port))))) + (list #$@strongswand-config-files)) + (mkdir (string-append #$output "/charon")) + ;; Create all of the plugins. + (map (lambda (plugin) + (let* ((filename (string-append + #$output "/charon/" + plugin ".conf"))) + (call-with-output-file filename + (lambda (port) + (format port "~a { + load =3D yes +}" + plugin))))) + (list #$@charon-plugins)))))) + ;; Generate our strongswan.conf to reflect the user configuration. + (computed-file + "strongswan.conf" + #~(begin + (call-with-output-file #$output + (lambda (port) + (display "# Generated by 'strongswan-service'.\n" port) + (format port "charon { + load_modular =3D yes + plugins { + include ~a/charon/*.conf" + #$strongswan-dir) + (if (and (not (eq? #$ipsec-conf #f)) + (not (eq? #$ipsec-secrets #f))) + (format port " + stroke { + load =3D yes + secrets_file =3D ~a + } + } +} + +starter { + config_file =3D ~a +} + +include ~a/*.conf" + #$ipsec-secrets + #$ipsec-conf + #$strongswan-dir) + (format port " + } +} +include ~a/*.conf" + #$strongswan-dir))))))))) + +(define (strongswan-shepherd-service config) + (let* ((ipsec (file-append strongswan "/sbin/ipsec")) + (strongswan-conf-path (strongswan-configuration-file config))) + (list (shepherd-service + (requirement '(networking)) + (provision '(ipsec)) + (start #~(make-forkexec-constructor + (list #$ipsec "start" "--nofork") + #:environment-variables + (list (string-append "STRONGSWAN_CONF=3D" + #$strongswan-conf-path)))) + (stop #~(make-kill-destructor)) + (documentation + "StrongSwan's charon IKE keying daemon for IPsec VPN."))))) + +(define strongswan-service-type + (service-type + (name 'strongswan) + (extensions + (list (service-extension shepherd-root-service-type + strongswan-shepherd-service))))) + ;;; ;;; Wireguard. 
;;;
-- 
2.32.0
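Review bot: In the doc/guix.texi hunk, the `@item @code{strongswan}` entry of the `strongswan-configuration` table states no default even though the record gives it one (`(default strongswan)`), and the `ipsec-secrets` item drops the colon the other entries use (`(default @code{#f})` against `(default: @code{#f})`). Suggest `@item @code{strongswan} (default: @code{strongswan})` and `@item @code{ipsec-secrets} (default: @code{#f})`. The two file items also tell the reader that an unpaired value "will also be ignored"; an ipsec.conf without its ipsec.secrets is almost always a mistake, so documenting the pair as required together (and rejecting the mismatch, see the vpn.scm note) is clearer for the user than a daemon that starts but knows no connections.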
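Review bot: In the gnu/services/vpn.scm hunk, `strongswan-shepherd-service` builds the command with `(file-append strongswan "/sbin/ipsec")`, which refers to the module-level `strongswan` package rather than the record's `strongswan` field, so the field documented as "the strongswan package to use for this service" has no effect on the binary that is started; bind it from the record there (`(strongswan-configuration-strongswan config)`), and note that `match-record` in `strongswan-configuration-file` binds `strongswan` without using it. In the same function, `(if (and (not (eq? #$ipsec-conf #f)) (not (eq? #$ipsec-secrets #f))) ...)` silently falls through to a configuration without the `stroke` section when only one of the two paths is set, so a typo in either field yields a daemon that starts cleanly and loads nothing; rejecting that combination at configuration time, outside the gexp, gives the user an error they can act on, and `(and #$ipsec-conf #$ipsec-secrets)` reads the same. `ipsec-secrets` is written into strongswan.conf by path as `secrets_file = ...`, which is what keeps the credentials out of the world-readable store; the docstring should say the value must be a path string (a `local-file` would copy the secrets into /gnu/store) and that the file should be root-owned and not group- or world-readable, since nothing in the service checks this. The hard-coded `charon-plugins` list also loads `md4`, `md5`, `rc2`, `sha1` and `xauth-noauth` unconditionally; loading a plugin does not by itself enable it in a connection, but a `plugins` field on the record would let an operator run a smaller set, as the comment above the list anticipates. Style: the two `(map (lambda ...) ...)` calls in the `strongswan.d` builder are used for their side effects, so `for-each` is the idiomatic choice; and the commit message's example still passes `(use-ipsec? #t)`, a field this version of the record no longer has.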
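The commit message above keeps ipsec.secrets out of the generated configuration because it holds credentials, and the service refers to both files by path only. The following pre-flight check is an added example for this thread, not part of the Guix patch or of strongSwan: it shows what a practitioner would verify before running the manual `STRONGSWAN_CONF=... ipsec start` procedure from the commit message. It enforces the rule that the two files are given together or not at all (the rule the maintainer's follow-up in this thread enforces with an exception), refuses a secrets file under /gnu/store (which every local user can read), and refuses a secrets file that is group- or world-readable. The function name `check_ipsec_files`, the file-mode policy and the sample file contents in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight check for strongSwan's legacy ipsec.conf/ipsec.secrets pair.
# Added example for this thread; not part of the Guix patch or of strongSwan.
# The function name and the policy it enforces are this example's own choices.
#
# Rules enforced:
#   1. ipsec.conf and ipsec.secrets are given together or not at all
#      (neither set means strongSwan runs on its shipped default config).
#   2. Both paths exist and are regular files.
#   3. ipsec.secrets is not under /gnu/store: the store is world-readable,
#      so a secrets file copied there is exposed to every local user.
#   4. ipsec.secrets carries no group or other read bit.
#
# Returns 0 when the pair is acceptable, 1 (with a reason on stderr) otherwise.
check_ipsec_files() {
  conf=$1
  secrets=$2

  # Rule 1: neither set is a valid (if useless) configuration.
  if [ -z "$conf" ] && [ -z "$secrets" ]; then
    return 0
  fi
  if [ -z "$conf" ] || [ -z "$secrets" ]; then
    echo "ipsec-conf and ipsec-secrets must both be set or both be unset" >&2
    return 1
  fi

  # Rule 3, checked before existence so the reported reason is the real one.
  case $secrets in
    /gnu/store/*)
      echo "refusing secrets file inside the world-readable store: $secrets" >&2
      return 1 ;;
  esac

  # Rule 2.
  for f in "$conf" "$secrets"; do
    if [ ! -f "$f" ]; then
      echo "not a regular file: $f" >&2
      return 1
    fi
  done

  # Rule 4. 'find -perm -mode' matches when every bit in MODE is set, so
  # this tests the mode bits themselves and gives the same answer whether
  # the check runs as root or as an unprivileged user ('test -r' would not).
  if [ -n "$(find "$secrets" -perm -g+r -print 2>/dev/null)" ] ||
     [ -n "$(find "$secrets" -perm -o+r -print 2>/dev/null)" ]; then
    echo "secrets file is readable by group or others: $secrets" >&2
    return 1
  fi
  return 0
}

# Usage, wrapping the manual start procedure from the commit message
# (the strongswan.conf path is a placeholder):
#   check_ipsec_files /etc/ipsec.conf /etc/ipsec.secrets &&
#     STRONGSWAN_CONF=/path/to/strongswan.conf ipsec start
```

Ownership is deliberately not checked here, because which user should own the file depends on how the daemon is run; the read-bit test is the part that holds on every setup.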
Subject: [bug#48803] [PATCH] gnu: Add strongswan service.
Resent-From: Tobias Geerinckx-Rice
Resent-Date: Thu, 24 Jun 2021 23:18:01 +0000
To: Domagoj Stolfa
Cc: 48803-done@debbugs.gnu.org, 48803@debbugs.gnu.org
From: Tobias Geerinckx-Rice
Date: Fri, 25 Jun 2021 01:17:43 +0200
Message-ID: <87r1gqsvhk.fsf@nckx>

Domagoj!

This is finally on master with the following changes:

Domagoj Stolfa wrote:
> * gnu/services/vpn.scm (strongswan-configuration): New record type.
> (charon-plugins, strongswan-configuration-file)
> (strongswan-shepherd-service, strongswan-service-type): New variables.

I don't know where this extra spacing came from but removed it.

> +@subheading StrongSwan

I'm sure some style guides disapprove, but I changed all usage of
‘StrongSwan’ to upstream's ‘strongSwan’.

> +Currently, the StrongSwan service only provides legacy-style configuration with
> +ipsec.conf and ipsec.secrets files.

We have cool @file{} mark up so I used it.

> +@defvr {Scheme Variable} strongswan-service-type
> +A service type for StrongSwan configuration.

Added a very brief ‘IPsec VPN’ context.

> +@lisp
> +(service strongswan-service-type
> + (strongswan-configuration
> + (ipsec-conf "/etc/ipsec.conf")
> + (ipsec-secrets "/etc/ipsec.secrets")))

Fixed the indentation.

> +@item @code{ipsec-conf} (default: @code{#f})
> +The path to an ipsec.conf file. If set to @code{#f}, @code{ipsec-secrets} will
> +also be ignored.

Reworded this to match the exception I added below. Added moar @file{}.

> @c %end of automatic openvpn-server documentation

This indicates that the author of the previous OpenVPN section automated the
docs somehow. I moved it back.

> @subsubheading Wireguard
> diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
> index 2bcbf76727..691cc3c05a 100644
> --- a/gnu/services/vpn.scm
> +++ b/gnu/services/vpn.scm
> @@ -26,6 +26,7 @@
> #:use-module (gnu services shepherd)
> #:use-module (gnu system shadow)
> #:use-module (gnu packages admin)
> + #:use-module (gnu packages networking)

Oops, noticed this only now… I don't think it's needed anymore. Can you
confirm?

‘guix system’ & friends will now throw an inelegant error if ipsec-conf &
ipsec-secrets are incongruent. I couldn't get meaningful location data out of
CONFIG. This does the job:

+ (throw 'error
+ (G_ "strongSwan ipsec-conf and ipsec-secrets must \
+both be (un)set")))))

> +(define strongswan-service-type
> + (service-type
> + (name 'strongswan)
> + (extensions
> + (list (service-extension shepherd-root-service-type
> + strongswan-shepherd-service)))))

I added a default-value so people can simply write

  (service strongswan-service-type)

and a short description.

Thank you very much!

T G-R
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Domagoj Stolfa
Subject: bug#48803: closed (Re: [bug#48803] [PATCH] gnu: Add strongswan service.)
References: <87r1gqsvhk.fsf@nckx>
Reply-To: 48803@debbugs.gnu.org
Date: Thu, 24 Jun 2021 23:18:02 +0000

Your bug report

#48803: [PATCH] strongswan: provide a service definition and configuration interface.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 48803@debbugs.gnu.org.

-- 
48803: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=48803
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems
Date: Wed, 2 Jun 2021 23:11:03 +0100
From: Domagoj Stolfa
To: guix-patches@gnu.org
Subject: [PATCH] strongswan: provide a service definition and configuration interface.
This commit adds a strongswan-service-type which allows the user to start
strongswan correctly on Guix. Without this, they would need to manually write
a strongswan.conf file and run it with
`STRONGSWAN_CONF=/path/to/strongswan.conf ipsec start`.

For now, we only support the legacy ipsec.conf/ipsec.secrets interface.
Because ipsec.conf depends on indentation and is a deprecated interface, we
do not provide an EDSL to configure it, and we do not put the config file in
a Guile string (to avoid indentation issues). Similarly, ipsec.secrets
contains the user's authentication token/passwords, and is for security
reasons transmitted separately from the configuration file.

This change allows the user to write something as follows in their config:

```
(service strongswan-service-type
         (strongswan-configuration
          (use-ipsec? #t)
          (ipsec-conf "/config-files/ipsec.conf")
          (ipsec-secrets "/config-files/ipsec.secrets")))
```

This will start the charon daemon and allow them to connect to their VPNs
configured in `/config-files/ipsec.conf`.
---
 gnu/services/vpn.scm | 128 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 128 insertions(+)

diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 2bcbf76727..e026f2aa58 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm @@ -4,6 +4,7 @@ ;;; Copyright =A9 2017 Mathieu Othacehe ;;; Copyright =A9 2021 Guillaume Le Vaillant ;;; Copyright =A9 2021 Solene Rapenne +;;; Copyright =A9 2021 Domagoj Stolfa ;;; ;;; This file is part of GNU Guix. ;;; @@ -26,6 +27,7 @@ #:use-module (gnu services shepherd) #:use-module (gnu system shadow) #:use-module (gnu packages admin) + #:use-module (gnu packages networking) #:use-module (gnu packages vpn) #:use-module (guix packages) #:use-module (guix records) @@ -44,6 +46,9 @@ generate-openvpn-client-documentation generate-openvpn-server-documentation =20 + strongswan-configuration + strongswan-service-type + wireguard-peer wireguard-peer? wireguard-peer-name 
@@ -529,6 +534,129 @@ is truncated and rewritten every minute.") (openvpn-remote-configuration ,openvpn-remote-configuration-fields)) 'openvpn-client-configuration)) =20 +;;; +;;; Strongswan. +;;; + +(define-record-type* + strongswan-configuration make-strongswan-configuration + strongswan-configuration? + (strongswan strongswan-configuration-strongswan ; + (default strongswan)) + (use-ipsec? strongswan-configuration-use-ipsec? ;legacy interface + (default #f)) + (ipsec-conf strongswan-configuration-ipsec-conf) + (ipsec-secrets strongswan-configuration-ipsec-secrets)) + +;; In the future, it might be worth implementing a record type to configure +;; all of the plugins, but for *most* basic usecases, simply creating the +;; files will be sufficient. Same is true of charon-plugins. +(define strongswand-config-files + (list "charon" "charon-logging" "pki" "pool" "scepclient" + "swanctl" "tnc")) + +;; Plugins to load. +(define charon-plugins + (list "aes" "aesni" "attr" "attr-sql" "chapoly" "cmac" "constraints" + "counters" "curl" "curve25519" "dhcp" "dnskey" "drbg" "eap-aka-3gp= p" + "eap-aka" "eap-dynamic" "eap-identity" "eap-md5" "eap-mschapv2" + "eap-peap" "eap-radius" "eap-simaka-pseudonym" "eap-simaka-reauth" + "eap-simaka-sql" "eap-sim" "eap-sim-file" "eap-tls" "eap-tnc" + "eap-ttls" "ext-auth" "farp" "fips-prf" "gmp" "ha" "hmac" + "kernel-netlink" "led" "md4" "md5" "mgf1" "nonce" "openssl" "pem" + "pgp" "pkcs12" "pkcs1" "pkcs7" "pkcs8" "pubkey" "random" "rc2" + "resolve" "revocation" "sha1" "sha2" "socket-default" "soup" "sql" + "sqlite" "sshkey" "tnc-tnccs" "vici" "x509" "xauth-eap" "xauth-gen= eric" + "xauth-noauth" "xauth-pam" "xcbc")) + +(define (strongswan-configuration-file config) + (match-record config + (strongswan use-ipsec? 
ipsec-conf ipsec-secrets) + (let* ((strongswan-dir + (computed-file + "strongswan.d" + #~(begin + (mkdir #$output) + ;; Create all of the configuration files in strongswan.d/= *.conf + (map (lambda (conf-file) + (let* ((filename (string-append + #$output "/" + conf-file ".conf"))) + (call-with-output-file filename + (lambda (port) + (display + "# Created by 'strongswan-service'\n" + port))))) + (list #$@strongswand-config-files)) + (mkdir (string-append #$output "/charon")) + ;; And all of the strongswan.d/charon/*.conf files (plugi= ns) + (map (lambda (plugin) + (let* ((filename (string-append + #$output "/charon/" + plugin ".conf"))) + (call-with-output-file filename + (lambda (port) + (format port "~a { + load =3D yes +}" + plugin))))) + (list #$@charon-plugins)))))) + ;; Generate our strongswan.conf to reflect the user configuration. + (computed-file + "strongswan.conf" + #~(begin + (call-with-output-file #$output + (lambda (port) + (display "# Generated by 'strongswan-service'.\n" port) + (format port "charon { + load_modular =3D yes + plugins { + include ~a/charon/*.conf" + #$strongswan-dir) + (if #$use-ipsec? 
+ (format port " + stroke { + load =3D yes + secrets_file =3D ~a + } + } +} + +starter { + config_file =3D ~a +} + +include ~a/*.conf" + #$ipsec-secrets + #$ipsec-conf + #$strongswan-dir) + (format port " + } +} +include ~a/*.conf" + #$strongswan-dir))))))))) + +(define (strongswan-shepherd-service config) + (let* ((ipsec (file-append strongswan "/sbin/ipsec")) + (strongswan-conf-path (strongswan-configuration-file config))) + (list (shepherd-service + (requirement '(networking)) + (provision '(strongswan)) + (start #~(make-forkexec-constructor + (list #$ipsec "start" "--nofork") + #:environment-variables + (list (string-append "STRONGSWAN_CONF=3D" + #$strongswan-conf-path)))) + (stop #~(make-kill-destructor)) + (documentation "Start the charon daemon for IPsec VPN"))))) + +(define strongswan-service-type + (service-type + (name 'strongswan) + (extensions + (list (service-extension shepherd-root-service-type + strongswan-shepherd-service))))) + ;;; ;;; Wireguard. ;;; --=20 2.31.1
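Review bot: in the `#:use-module` hunk (@@ -26,6 +27,7), `(gnu packages networking)` appears unused: nothing in the rest of the patch references a binding from it, and the `strongswan` package the new code relies on comes from `(gnu packages vpn)`, which the file already imports. Drop the import unless a later revision needs it.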
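Review bot: the export hunk (@@ -44,6 +46,9) adds `strongswan-configuration` and `strongswan-service-type` but not `strongswan-configuration?` or the field accessors, unlike the neighbouring `wireguard-peer wireguard-peer? wireguard-peer-name` exports; and the diffstat shows no change to doc/guix.texi, so the new service type, its fields and the meaning of `use-ipsec?` are undocumented. Please export the predicate and accessors for consistency and add a texinfo entry next to the other VPN services.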
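Review bot: in the main hunk (@@ -529,6 +534,129), `strongswan-shepherd-service` ignores the `strongswan` field of the configuration: `(file-append strongswan "/sbin/ipsec")` binds the global package from `(gnu packages vpn)`, so a user who sets `(strongswan my-strongswan)` still runs the default package. Use the field instead, e.g. `(file-append (strongswan-configuration-strongswan config) "/sbin/ipsec")`. Further points in the same hunk: `ipsec-secrets` is ungexped straight into strongswan.conf, so if a user passes a file-like object (for example a `local-file`) instead of an absolute path string, the secrets are copied into the world-readable store; the field should be documented as a path string outside the store, and rejecting non-string values would make the commit message's "transmitted separately" guarantee enforceable. With `use-ipsec?` left at its `#f` default, `ipsec-conf` and `ipsec-secrets` remain mandatory fields that are never referenced, while the start command is still the legacy `ipsec start --nofork` with no `starter { config_file = ... }` block emitted; either give those two fields defaults or make the non-legacy path do something. `charon-plugins` hard-codes `load = yes` for every plugin, including ones that need extra infrastructure (`sql`, `sqlite`, `eap-radius`, `ha`, `dhcp`, `farp`, `led`), and any plugin not built into the chosen package produces a load failure in the charon log at startup; this list should be a configuration field with a smaller default rather than a constant. Finally, the two `(map (lambda ...))` calls are used purely for side effects; `for-each` is the idiomatic choice.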