Unverified Commit 0f37581e authored by Koen Wilde

nixos/libreswan: Use StateDirectory to set up ipsec/nss

The systemd manual `systemd.exec(5)` addresses the partly overlapping
functionality of the `tmpfiles.d(5)` setting and other, more semantic
settings and recommends their use if they fit your needs because these
semantic versions offer more guarantees.

One of those guarantees is that they are guaranteed to be ready by the
time the process starts whereas `tmpfiles.d` can be executed
asynchronously. I believe this is the cause of some issues I ran into
where I had to manually create the `/var/lib/ipsec/nss` directory. This
patch fixed those issues for me.
parent c7065be7
+4 −3
@@ -133,9 +133,6 @@ in
      "ipsec.d/01-nixos.conf".source = configFile;
    } // policyFiles;

    # Create NSS database directory
    systemd.tmpfiles.rules = [ "d /var/lib/ipsec/nss 755 root root -" ];

    systemd.services.ipsec = {
      description = "Internet Key Exchange (IKE) Protocol Daemon for IPsec";
      wantedBy = [ "multi-user.target" ];
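Review bot: Dropping the `systemd.tmpfiles.rules` entry here changes the directory mode as well as the mechanism: the removed rule created `/var/lib/ipsec/nss` as `755 root root`, while the replacement `StateDirectoryMode = 0700` in the next hunk makes it owner-only. The commit message only talks about ordering guarantees, so the tightening to 0700 should be stated there (it is a reasonable default for an NSS database holding private keys, but it is a behaviour change for anyone reading the directory from outside the unit). Also worth noting: with the rule gone, the directory now exists only once the `ipsec` unit has started at least once, so any tooling that touched the NSS database before the first service start can no longer rely on it being present.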
@@ -153,6 +150,10 @@ in
        echo 0 | tee /proc/sys/net/ipv4/conf/*/send_redirects
        echo 0 | tee /proc/sys/net/ipv{4,6}/conf/*/accept_redirects
      '';
      serviceConfig = {
        StateDirectory = "ipsec/nss";
        StateDirectoryMode = 0700;
      };
    };

  };
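Review bot: `StateDirectoryMode = 0700;` relies on an accident of rendering. Nix has no octal integer literals, so `0700` is the decimal integer 700; the module system stringifies it to `700`, and systemd then parses that string as octal, which happens to yield the intended `0700`. Writing it as the string `"0700"` makes the intent explicit and avoids a value that would break under any future type check on this option. Otherwise the hunk is fine: `StateDirectory = "ipsec/nss"` creates `/var/lib/ipsec/nss` (and its parent) before `ExecStart`, which is the ordering guarantee the commit message is after, and `StateDirectoryMode` is the matching `systemd.exec(5)` setting.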