[jackhill/guix/guix.git] / gnu / services / vpn.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2017 Julien Lepiller <julien@lepiller.eu>
;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu services vpn)
  #:use-module (gnu services)
  #:use-module (gnu services configuration)
  #:use-module (gnu services shepherd)
  #:use-module (gnu system shadow)
  #:use-module (gnu packages admin)
  #:use-module (gnu packages vpn)
  #:use-module (guix packages)
  #:use-module (guix records)
  #:use-module (guix gexp)
  #:use-module (srfi srfi-1)
  #:use-module (ice-9 match)
  #:use-module (ice-9 regex)
  #:export (openvpn-client-service
            openvpn-server-service
            openvpn-client-service-type
            openvpn-server-service-type
            openvpn-client-configuration
            openvpn-server-configuration
            openvpn-remote-configuration
            openvpn-ccd-configuration
            generate-openvpn-client-documentation
            generate-openvpn-server-documentation

            wireguard-peer
            wireguard-peer?
            wireguard-peer-name
            wireguard-peer-endpoint
            wireguard-peer-allowed-ips

            wireguard-configuration
            wireguard-configuration?
            wireguard-configuration-wireguard
            wireguard-configuration-interface
            wireguard-configuration-addresses
            wireguard-configuration-port
            wireguard-configuration-private-key
            wireguard-configuration-peers

            wireguard-service-type))

;;;
;;; OpenVPN.
;;;

(define (uglify-field-name name)
  (match name
    ('verbosity "verb")
    (_ (let ((str (symbol->string name)))
         (if (string-suffix? "?" str)
             (substring str 0 (1- (string-length str)))
             str)))))

(define (serialize-field field-name val)
  (if (eq? field-name 'pid-file)
      (format #t "")
      (format #t "~a ~a\n" (uglify-field-name field-name) val)))
(define serialize-string serialize-field)
(define-maybe string)
(define (serialize-boolean field-name val)
  (if val
      (serialize-field field-name "")
      (format #t "")))

(define (ip-mask? val)
  (and (string? val)
       (if (string-match "^([0-9]+\\.){3}[0-9]+ ([0-9]+\\.){3}[0-9]+$" val)
           (let ((numbers (string-tokenize val char-set:digit)))
             (all-lte numbers (list 255 255 255 255 255 255 255 255)))
           #f)))
(define serialize-ip-mask serialize-string)

(define-syntax define-enumerated-field-type
  (lambda (x)
    (define (id-append ctx . parts)
      (datum->syntax ctx (apply symbol-append (map syntax->datum parts))))
    (syntax-case x ()
      ((_ name (option ...))
       #`(begin
           (define (#,(id-append #'name #'name #'?) x)
             (memq x '(option ...)))
           (define (#,(id-append #'name #'serialize- #'name) field-name val)
             (serialize-field field-name val)))))))

(define-enumerated-field-type proto
  (udp tcp udp6 tcp6))
(define-enumerated-field-type dev
  (tun tap))

(define key-usage? boolean?)
(define (serialize-key-usage field-name value)
  (if value
      (format #t "remote-cert-tls server\n")
      #f))

(define bind? boolean?)
(define (serialize-bind field-name value)
  (if value
      #f
      (format #t "nobind\n")))

(define resolv-retry? boolean?)
(define (serialize-resolv-retry field-name value)
  (if value
      (format #t "resolv-retry infinite\n")
      #f))

(define (serialize-tls-auth role location)
  (if location
      (serialize-field 'tls-auth
                       (string-append location " " (match role
                                                     ('server "0")
                                                     ('client "1"))))
      #f))
(define (tls-auth? val)
  (or (eq? val #f)
      (string? val)))
(define (serialize-tls-auth-server field-name val)
  (serialize-tls-auth 'server val))
(define (serialize-tls-auth-client field-name val)
  (serialize-tls-auth 'client val))
(define tls-auth-server? tls-auth?)
(define tls-auth-client? tls-auth?)

(define (serialize-number field-name val)
  (serialize-field field-name (number->string val)))

(define (all-lte left right)
  (if (eq? left '())
      (eq? right '())
      (and (<= (string->number (car left)) (car right))
           (all-lte (cdr left) (cdr right)))))

(define (cidr4? val)
  (if (string? val)
      (if (string-match "^([0-9]+\\.){3}[0-9]+/[0-9]+$" val)
          (let ((numbers (string-tokenize val char-set:digit)))
            (all-lte numbers (list 255 255 255 255 32)))
          #f)
      (eq? val #f)))

(define (cidr6? val)
  (if (string? val)
      (string-match "^([0-9a-f]{0,4}:){0,8}/[0-9]{1,3}$" val)
      (eq? val #f)))

(define (serialize-cidr4 field-name val)
  (if (eq? val #f) #f (serialize-field field-name val)))

(define (serialize-cidr6 field-name val)
  (if (eq? val #f) #f (serialize-field field-name val)))

(define (ip? val)
  (if (string? val)
      (if (string-match "^([0-9]+\\.){3}[0-9]+$" val)
          (let ((numbers (string-tokenize val char-set:digit)))
            (all-lte numbers (list 255 255 255 255)))
          #f)
      (eq? val #f)))
(define (serialize-ip field-name val)
  (if (eq? val #f) #f (serialize-field field-name val)))

(define (keepalive? val)
  (and (list? val)
       (and (number? (car val))
            (number? (car (cdr val))))))
(define (serialize-keepalive field-name val)
  (format #t "~a ~a ~a\n" (uglify-field-name field-name)
          (number->string (car val)) (number->string (car (cdr val)))))

(define gateway? boolean?)
(define (serialize-gateway field-name val)
  (and val
       (format #t "push \"redirect-gateway\"\n")))


(define-configuration openvpn-remote-configuration
  (name
   (string "my-server")
   "Server name.")
  (port
   (number 1194)
   "Port number the server listens to."))

(define-configuration openvpn-ccd-configuration
  (name
   (string "client")
   "Client name.")
  (iroute
   (ip-mask #f)
   "Client own network")
  (ifconfig-push
   (ip-mask #f)
   "Client VPN IP."))

(define (openvpn-remote-list? val)
  (and (list? val)
       (or (eq? val '())
           (and (openvpn-remote-configuration? (car val))
                (openvpn-remote-list? (cdr val))))))
(define (serialize-openvpn-remote-list field-name val)
  (for-each (lambda (remote)
              (format #t "remote ~a ~a\n" (openvpn-remote-configuration-name remote)
                      (number->string (openvpn-remote-configuration-port remote))))
            val))

(define (openvpn-ccd-list? val)
  (and (list? val)
       (or (eq? val '())
           (and (openvpn-ccd-configuration? (car val))
                (openvpn-ccd-list? (cdr val))))))
(define (serialize-openvpn-ccd-list field-name val)
  #f)

(define (create-ccd-directory val)
  "Create a ccd directory containing files for the ccd configuration option
of OpenVPN.  Each file in this directory represents particular settings for a
client.  Each file is named after the name of the client."
  (let ((files (map (lambda (ccd)
                      (list (openvpn-ccd-configuration-name ccd)
                            (with-output-to-string
                              (lambda ()
                                (serialize-configuration
                                 ccd openvpn-ccd-configuration-fields)))))
                    val)))
    (computed-file "ccd"
                   (with-imported-modules '((guix build utils))
                     #~(begin
                         (use-modules (guix build utils))
                         (use-modules (ice-9 match))
                         (mkdir-p #$output)
                         (for-each
                          (lambda (ccd)
                            (match ccd
                              ((name config-string)
                               (call-with-output-file
                                   (string-append #$output "/" name)
                                 (lambda (port) (display config-string port))))))
                          '#$files))))))

(define-syntax define-split-configuration
  (lambda (x)
    (syntax-case x ()
      ((_ name1 name2 (common-option ...) (first-option ...) (second-option ...))
       #`(begin
           (define-configuration #,#'name1
             common-option ...
             first-option ...)
           (define-configuration #,#'name2
             common-option ...
             second-option ...))))))

(define-split-configuration openvpn-client-configuration
  openvpn-server-configuration
  ((openvpn
    (package openvpn)
    "The OpenVPN package.")

   (pid-file
    (string "/var/run/openvpn/openvpn.pid")
    "The OpenVPN pid file.")

   (proto
    (proto 'udp)
    "The protocol (UDP or TCP) used to open a channel between clients and
servers.")

   (dev
    (dev 'tun)
    "The device type used to represent the VPN connection.")

   (ca
    (maybe-string "/etc/openvpn/ca.crt")
    "The certificate authority to check connections against.")

   (cert
    (maybe-string "/etc/openvpn/client.crt")
    "The certificate of the machine the daemon is running on. It should be signed
by the authority given in @code{ca}.")

   (key
    (maybe-string "/etc/openvpn/client.key")
    "The key of the machine the daemon is running on. It must be the key whose
certificate is @code{cert}.")

   (comp-lzo?
    (boolean #t)
    "Whether to use the lzo compression algorithm.")

   (persist-key?
    (boolean #t)
    "Don't re-read key files across SIGUSR1 or --ping-restart.")

   (persist-tun?
    (boolean #t)
    "Don't close and reopen TUN/TAP device or run up/down scripts across
SIGUSR1 or --ping-restart restarts.")

   (fast-io?
     (boolean #f)
     "(Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to
poll/epoll/select prior to the write operation.")

   (verbosity
    (number 3)
    "Verbosity level."))
  ;; client-specific configuration
  ((tls-auth
    (tls-auth-client #f)
    "Add an additional layer of HMAC authentication on top of the TLS control
channel to protect against DoS attacks.")

   (auth-user-pass
     (maybe-string 'disabled)
     "Authenticate with server using username/password.  The option is a file
containing username/password on 2 lines.  Do not use a file-like object as it
would be added to the store and readable by any user.")

   (verify-key-usage?
    (key-usage #t)
    "Whether to check the server certificate has server usage extension.")

   (bind?
    (bind #f)
    "Bind to a specific local port number.")

   (resolv-retry?
    (resolv-retry #t)
    "Retry resolving server address.")

   (remote
    (openvpn-remote-list '())
    "A list of remote servers to connect to."))
  ;; server-specific configuration
  ((tls-auth
    (tls-auth-server #f)
    "Add an additional layer of HMAC authentication on top of the TLS control
channel to protect against DoS attacks.")

   (port
    (number 1194)
    "Specifies the port number on which the server listens.")

   (server
    (ip-mask "10.8.0.0 255.255.255.0")
    "An ip and mask specifying the subnet inside the virtual network.")

   (server-ipv6
    (cidr6 #f)
    "A CIDR notation specifying the IPv6 subnet inside the virtual network.")

   (dh
    (string "/etc/openvpn/dh2048.pem")
    "The Diffie-Hellman parameters file.")

   (ifconfig-pool-persist
    (string "/etc/openvpn/ipp.txt")
    "The file that records client IPs.")

   (redirect-gateway?
    (gateway #f)
    "When true, the server will act as a gateway for its clients.")

   (client-to-client?
    (boolean #f)
    "When true, clients are allowed to talk to each other inside the VPN.")

   (keepalive
    (keepalive '(10 120))
    "Causes ping-like messages to be sent back and forth over the link so that
each side knows when the other side has gone down. @code{keepalive} requires
a pair. The first element is the period of the ping sending, and the second
element is the timeout before considering the other side down.")

   (max-clients
    (number 100)
    "The maximum number of clients.")

   (status
    (string "/var/run/openvpn/status")
    "The status file. This file shows a small report on current connection. It
is truncated and rewritten every minute.")

   (client-config-dir
    (openvpn-ccd-list '())
    "The list of configuration for some clients.")))

(define (openvpn-config-file role config)
  (let ((config-str
         (with-output-to-string
           (lambda ()
             (serialize-configuration config
                                      (match role
                                        ('server
                                         openvpn-server-configuration-fields)
                                        ('client
                                         openvpn-client-configuration-fields))))))
        (ccd-dir (match role
                   ('server (create-ccd-directory
                             (openvpn-server-configuration-client-config-dir
                              config)))
                   ('client #f))))
    (computed-file "openvpn.conf"
                   #~(begin
                       (use-modules (ice-9 match))
                       (call-with-output-file #$output
                         (lambda (port)
                           (match '#$role
                             ('server (display "" port))
                             ('client (display "client\n" port)))
                           (display #$config-str port)
                           (match '#$role
                             ('server (display
                                       (string-append "client-config-dir "
                                                      #$ccd-dir "\n") port))
                             ('client (display "" port)))))))))

(define (openvpn-shepherd-service role)
  (lambda (config)
    (let* ((config-file (openvpn-config-file role config))
           (pid-file ((match role
                        ('server openvpn-server-configuration-pid-file)
                        ('client openvpn-client-configuration-pid-file))
                      config))
           (openvpn ((match role
                       ('server openvpn-server-configuration-openvpn)
                       ('client openvpn-client-configuration-openvpn))
                     config))
           (log-file (match role
                       ('server "/var/log/openvpn-server.log")
                       ('client "/var/log/openvpn-client.log"))))
      (list (shepherd-service
             (documentation (string-append "Run the OpenVPN "
                                           (match role
                                             ('server "server")
                                             ('client "client"))
                                           " daemon."))
             (provision (match role
                          ('server '(vpn-server))
                          ('client '(vpn-client))))
             (requirement '(networking))
             (start #~(make-forkexec-constructor
                       (list (string-append #$openvpn "/sbin/openvpn")
                             "--writepid" #$pid-file "--config" #$config-file
                             "--daemon")
                       #:pid-file #$pid-file))
             (stop #~(make-kill-destructor)))))))

(define %openvpn-accounts
  (list (user-group (name "openvpn") (system? #t))
        (user-account
         (name "openvpn")
         (group "openvpn")
         (system? #t)
         (comment "Openvpn daemon user")
         (home-directory "/var/empty")
         (shell (file-append shadow "/sbin/nologin")))))

(define %openvpn-activation
  #~(begin
      (use-modules (guix build utils))
      (mkdir-p "/var/run/openvpn")))

(define openvpn-server-service-type
  (service-type (name 'openvpn-server)
                (extensions
                 (list (service-extension shepherd-root-service-type
                                          (openvpn-shepherd-service 'server))
                       (service-extension account-service-type
                                          (const %openvpn-accounts))
                       (service-extension activation-service-type
                                          (const %openvpn-activation))))))

(define openvpn-client-service-type
  (service-type (name 'openvpn-client)
                (extensions
                 (list (service-extension shepherd-root-service-type
                                          (openvpn-shepherd-service 'client))
                       (service-extension account-service-type
                                          (const %openvpn-accounts))
                       (service-extension activation-service-type
                                          (const %openvpn-activation))))))

(define* (openvpn-client-service #:key (config (openvpn-client-configuration)))
  (validate-configuration config openvpn-client-configuration-fields)
  (service openvpn-client-service-type config))

(define* (openvpn-server-service #:key (config (openvpn-server-configuration)))
  (validate-configuration config openvpn-server-configuration-fields)
  (service openvpn-server-service-type config))

(define (generate-openvpn-server-documentation)
  (generate-documentation
   `((openvpn-server-configuration
      ,openvpn-server-configuration-fields
      (ccd openvpn-ccd-configuration))
     (openvpn-ccd-configuration ,openvpn-ccd-configuration-fields))
   'openvpn-server-configuration))

(define (generate-openvpn-client-documentation)
  (generate-documentation
   `((openvpn-client-configuration
      ,openvpn-client-configuration-fields
      (remote openvpn-remote-configuration))
     (openvpn-remote-configuration ,openvpn-remote-configuration-fields))
   'openvpn-client-configuration))

\f
;;;
;;; Wireguard.
;;;

(define-record-type* <wireguard-peer>
  wireguard-peer make-wireguard-peer
  wireguard-peer?
  (name              wireguard-peer-name)
  (endpoint          wireguard-peer-endpoint
                     (default #f))     ;string
  (public-key        wireguard-peer-public-key)   ;string
  (allowed-ips       wireguard-peer-allowed-ips)) ;list of strings

(define-record-type* <wireguard-configuration>
  wireguard-configuration make-wireguard-configuration
  wireguard-configuration?
  (wireguard          wireguard-configuration-wireguard ;<package>
                      (default wireguard-tools))
  (interface          wireguard-configuration-interface ;string
                      (default "wg0"))
  (addresses          wireguard-configuration-addresses ;string
                      (default '("10.0.0.1/32")))
  (port               wireguard-configuration-port ;integer
                      (default 51820))
  (private-key        wireguard-configuration-private-key ;string
                      (default "/etc/wireguard/private.key"))
  (peers              wireguard-configuration-peers ;list of <wiregard-peer>
                      (default '())))

(define (wireguard-configuration-file config)
  (define (peer->config peer)
    (let ((name (wireguard-peer-name peer))
          (public-key (wireguard-peer-public-key peer))
          (endpoint (wireguard-peer-endpoint peer))
          (allowed-ips (wireguard-peer-allowed-ips peer)))
      (format #f "[Peer] #~a
PublicKey = ~a
AllowedIPs = ~a
~a"
              name
              public-key
              (string-join allowed-ips ",")
              (if endpoint
                  (format #f "Endpoint = ~a\n" endpoint)
                  "\n"))))

  (match-record config <wireguard-configuration>
    (wireguard interface addresses port private-key peers)
    (let* ((config-file (string-append interface ".conf"))
           (peers (map peer->config peers))
           (config
            (computed-file
             "wireguard-config"
             #~(begin
                 (mkdir #$output)
                 (chdir #$output)
                 (call-with-output-file #$config-file
                   (lambda (port)
                     (let ((format (@ (ice-9 format) format)))
                       (format port "[Interface]
Address = ~a
PostUp = ~a set %i private-key ~a
~a
~{~a~^~%~}"
                               #$(string-join addresses ",")
                               #$(file-append wireguard "/bin/wg")
                               #$private-key
                               #$(if port
                                     (format #f "ListenPort = ~a" port)
                                     "")
                               (list #$@peers)))))))))
      (file-append config "/" config-file))))

(define (wireguard-activation config)
  (match-record config <wireguard-configuration>
    (private-key)
    #~(begin
        (use-modules (guix build utils)
                     (ice-9 popen)
                     (ice-9 rdelim))
        (mkdir-p (dirname #$private-key))
        (unless (file-exists? #$private-key)
          (let* ((pipe
                  (open-input-pipe (string-append
                                    #$(file-append wireguard-tools "/bin/wg")
                                    " genkey")))
                 (key (read-line pipe)))
            (call-with-output-file #$private-key
              (lambda (port)
                (display key port)))
            (chmod #$private-key #o400)
            (close-pipe pipe))))))

(define (wireguard-shepherd-service config)
  (match-record config <wireguard-configuration>
    (wireguard interface)
    (let ((wg-quick (file-append wireguard "/bin/wg-quick"))
          (config (wireguard-configuration-file config)))
      (list (shepherd-service
             (requirement '(networking))
             (provision (list
                         (symbol-append 'wireguard-
                                        (string->symbol interface))))
             (start #~(lambda _
                       (invoke #$wg-quick "up" #$config)))
             (stop #~(lambda _
                       (invoke #$wg-quick "down" #$config)))
             (documentation "Run the Wireguard VPN tunnel"))))))

(define wireguard-service-type
  (service-type
   (name 'wireguard)
   (extensions
    (list (service-extension shepherd-root-service-type
                             wireguard-shepherd-service)
          (service-extension activation-service-type
                             wireguard-activation)))))
Commit	Line	Data
2be1b471 JL	1	;;; GNU Guix --- Functional package management for GNU
2be1b471 JL	2	;;; Copyright © 2017 Julien Lepiller <julien@lepiller.eu>
e57bd0be	3	;;; Copyright © 2017 Clément Lassieur <clement@lassieur.org>
85ac401a	4	;;; Copyright © 2017 Mathieu Othacehe <m.othacehe@gmail.com>
2be1b471 JL	5	;;;
	6	;;; This file is part of GNU Guix.
	7	;;;
	8	;;; GNU Guix is free software; you can redistribute it and/or modify it
	9	;;; under the terms of the GNU General Public License as published by
	10	;;; the Free Software Foundation; either version 3 of the License, or (at
	11	;;; your option) any later version.
	12	;;;
	13	;;; GNU Guix is distributed in the hope that it will be useful, but
	14	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	15	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	;;; GNU General Public License for more details.
	17	;;;
	18	;;; You should have received a copy of the GNU General Public License
	19	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	20
	21	(define-module (gnu services vpn)
	22	#:use-module (gnu services)
	23	#:use-module (gnu services configuration)
	24	#:use-module (gnu services shepherd)
	25	#:use-module (gnu system shadow)
	26	#:use-module (gnu packages admin)
	27	#:use-module (gnu packages vpn)
	28	#:use-module (guix packages)
	29	#:use-module (guix records)
	30	#:use-module (guix gexp)
	31	#:use-module (srfi srfi-1)
	32	#:use-module (ice-9 match)
	33	#:use-module (ice-9 regex)
	34	#:export (openvpn-client-service
	35	openvpn-server-service
	36	openvpn-client-service-type
	37	openvpn-server-service-type
	38	openvpn-client-configuration
	39	openvpn-server-configuration
	40	openvpn-remote-configuration
	41	openvpn-ccd-configuration
	42	generate-openvpn-client-documentation
43b2e440 MO	43	generate-openvpn-server-documentation
	44
	45	wireguard-peer
	46	wireguard-peer?
	47	wireguard-peer-name
	48	wireguard-peer-endpoint
	49	wireguard-peer-allowed-ips
	50
	51	wireguard-configuration
	52	wireguard-configuration?
	53	wireguard-configuration-wireguard
	54	wireguard-configuration-interface
	55	wireguard-configuration-addresses
	56	wireguard-configuration-port
	57	wireguard-configuration-private-key
	58	wireguard-configuration-peers
	59
	60	wireguard-service-type))
2be1b471 JL	61
	62	;;;
	63	;;; OpenVPN.
	64	;;;
	65
	66	(define (uglify-field-name name)
	67	(match name
be051880 LC	68	('verbosity "verb")
	69	(_ (let ((str (symbol->string name)))
	70	(if (string-suffix? "?" str)
	71	(substring str 0 (1- (string-length str)))
	72	str)))))
2be1b471 JL	73
	74	(define (serialize-field field-name val)
	75	(if (eq? field-name 'pid-file)
	76	(format #t "")
	77	(format #t "~a ~a\n" (uglify-field-name field-name) val)))
	78	(define serialize-string serialize-field)
c6c44770	79	(define-maybe string)
2be1b471 JL	80	(define (serialize-boolean field-name val)
2be1b471 JL	81	(if val
0372dd1a	82	(serialize-field field-name "")
2be1b471 JL	83	(format #t "")))
	84
	85	(define (ip-mask? val)
	86	(and (string? val)
	87	(if (string-match "^([0-9]+\\.){3}[0-9]+ ([0-9]+\\.){3}[0-9]+$" val)
	88	(let ((numbers (string-tokenize val char-set:digit)))
	89	(all-lte numbers (list 255 255 255 255 255 255 255 255)))
	90	#f)))
	91	(define serialize-ip-mask serialize-string)
	92
	93	(define-syntax define-enumerated-field-type
	94	(lambda (x)
	95	(define (id-append ctx . parts)
	96	(datum->syntax ctx (apply symbol-append (map syntax->datum parts))))
	97	(syntax-case x ()
	98	((_ name (option ...))
	99	#`(begin
	100	(define (#,(id-append #'name #'name #'?) x)
	101	(memq x '(option ...)))
	102	(define (#,(id-append #'name #'serialize- #'name) field-name val)
	103	(serialize-field field-name val)))))))
	104
	105	(define-enumerated-field-type proto
	106	(udp tcp udp6 tcp6))
	107	(define-enumerated-field-type dev
	108	(tun tap))
	109
	110	(define key-usage? boolean?)
	111	(define (serialize-key-usage field-name value)
	112	(if value
	113	(format #t "remote-cert-tls server\n")
	114	#f))
	115
	116	(define bind? boolean?)
	117	(define (serialize-bind field-name value)
	118	(if value
	119	#f
	120	(format #t "nobind\n")))
	121
	122	(define resolv-retry? boolean?)
	123	(define (serialize-resolv-retry field-name value)
	124	(if value
	125	(format #t "resolv-retry infinite\n")
	126	#f))
	127
	128	(define (serialize-tls-auth role location)
4b8b4418 JL	129	(if location
	130	(serialize-field 'tls-auth
	131	(string-append location " " (match role
	132	('server "0")
	133	('client "1"))))
	134	#f))
2be1b471 JL	135	(define (tls-auth? val)
	136	(or (eq? val #f)
	137	(string? val)))
	138	(define (serialize-tls-auth-server field-name val)
	139	(serialize-tls-auth 'server val))
	140	(define (serialize-tls-auth-client field-name val)
	141	(serialize-tls-auth 'client val))
	142	(define tls-auth-server? tls-auth?)
	143	(define tls-auth-client? tls-auth?)
	144
	145	(define (serialize-number field-name val)
	146	(serialize-field field-name (number->string val)))
	147
	148	(define (all-lte left right)
	149	(if (eq? left '())
	150	(eq? right '())
	151	(and (<= (string->number (car left)) (car right))
	152	(all-lte (cdr left) (cdr right)))))
	153
	154	(define (cidr4? val)
	155	(if (string? val)
	156	(if (string-match "^([0-9]+\\.){3}[0-9]+/[0-9]+$" val)
	157	(let ((numbers (string-tokenize val char-set:digit)))
	158	(all-lte numbers (list 255 255 255 255 32)))
	159	#f)
	160	(eq? val #f)))
	161
	162	(define (cidr6? val)
	163	(if (string? val)
	164	(string-match "^([0-9a-f]{0,4}:){0,8}/[0-9]{1,3}$" val)
	165	(eq? val #f)))
	166
	167	(define (serialize-cidr4 field-name val)
	168	(if (eq? val #f) #f (serialize-field field-name val)))
	169
	170	(define (serialize-cidr6 field-name val)
	171	(if (eq? val #f) #f (serialize-field field-name val)))
	172
	173	(define (ip? val)
	174	(if (string? val)
	175	(if (string-match "^([0-9]+\\.){3}[0-9]+$" val)
	176	(let ((numbers (string-tokenize val char-set:digit)))
	177	(all-lte numbers (list 255 255 255 255)))
	178	#f)
	179	(eq? val #f)))
	180	(define (serialize-ip field-name val)
	181	(if (eq? val #f) #f (serialize-field field-name val)))
	182
	183	(define (keepalive? val)
	184	(and (list? val)
	185	(and (number? (car val))
	186	(number? (car (cdr val))))))
	187	(define (serialize-keepalive field-name val)
	188	(format #t "~a ~a ~a\n" (uglify-field-name field-name)
	189	(number->string (car val)) (number->string (car (cdr val)))))
	190
	191	(define gateway? boolean?)
	192	(define (serialize-gateway field-name val)
	193	(and val
	194	(format #t "push \"redirect-gateway\"\n")))
	195
	196
	197	(define-configuration openvpn-remote-configuration
	198	(name
199	(string "my-server")
200	"Server name.")
201	(port
202	(number 1194)
203	"Port number the server listens to."))
204
205	(define-configuration openvpn-ccd-configuration
206	(name
207	(string "client")
208	"Client name.")
209	(iroute
210	(ip-mask #f)
211	"Client own network")
212	(ifconfig-push
213	(ip-mask #f)
214	"Client VPN IP."))
215
216	(define (openvpn-remote-list? val)
217	(and (list? val)
218	(or (eq? val '())
219	(and (openvpn-remote-configuration? (car val))
220	(openvpn-remote-list? (cdr val))))))
221	(define (serialize-openvpn-remote-list field-name val)
222	(for-each (lambda (remote)
223	(format #t "remote ~a ~a\n" (openvpn-remote-configuration-name remote)
224	(number->string (openvpn-remote-configuration-port remote))))
225	val))
226
227	(define (openvpn-ccd-list? val)
228	(and (list? val)
229	(or (eq? val '())
230	(and (openvpn-ccd-configuration? (car val))
231	(openvpn-ccd-list? (cdr val))))))
232	(define (serialize-openvpn-ccd-list field-name val)
233	#f)
234
235	(define (create-ccd-directory val)
236	"Create a ccd directory containing files for the ccd configuration option
237	of OpenVPN. Each file in this directory represents particular settings for a
238	client. Each file is named after the name of the client."
239	(let ((files (map (lambda (ccd)
240	(list (openvpn-ccd-configuration-name ccd)
241	(with-output-to-string
242	(lambda ()
243	(serialize-configuration
244	ccd openvpn-ccd-configuration-fields)))))
245	val)))
246	(computed-file "ccd"
247	(with-imported-modules '((guix build utils))
248	#~(begin
249	(use-modules (guix build utils))
250	(use-modules (ice-9 match))
251	(mkdir-p #$output)
252	(for-each
253	(lambda (ccd)
254	(match ccd
be051880 LC	255	((name config-string)
	256	(call-with-output-file
	257	(string-append #$output "/" name)
	258	(lambda (port) (display config-string port))))))
2be1b471 JL	259	'#$files))))))
	260
	261	(define-syntax define-split-configuration
	262	(lambda (x)
	263	(syntax-case x ()
	264	((_ name1 name2 (common-option ...) (first-option ...) (second-option ...))
	265	#`(begin
	266	(define-configuration #,#'name1
	267	common-option ...
	268	first-option ...)
	269	(define-configuration #,#'name2
	270	common-option ...
	271	second-option ...))))))
	272
	273	(define-split-configuration openvpn-client-configuration
	274	openvpn-server-configuration
	275	((openvpn
	276	(package openvpn)
	277	"The OpenVPN package.")
	278
	279	(pid-file
	280	(string "/var/run/openvpn/openvpn.pid")
	281	"The OpenVPN pid file.")
	282
	283	(proto
	284	(proto 'udp)
	285	"The protocol (UDP or TCP) used to open a channel between clients and
	286	servers.")
	287
	288	(dev
	289	(dev 'tun)
	290	"The device type used to represent the VPN connection.")
	291
	292	(ca
5221df34	293	(maybe-string "/etc/openvpn/ca.crt")
2be1b471 JL	294	"The certificate authority to check connections against.")
	295
	296	(cert
5221df34	297	(maybe-string "/etc/openvpn/client.crt")
2be1b471 JL	298	"The certificate of the machine the daemon is running on. It should be signed
	299	by the authority given in @code{ca}.")
	300
	301	(key
5221df34	302	(maybe-string "/etc/openvpn/client.key")
85ac401a	303	"The key of the machine the daemon is running on. It must be the key whose
2be1b471 JL	304	certificate is @code{cert}.")
	305
	306	(comp-lzo?
	307	(boolean #t)
	308	"Whether to use the lzo compression algorithm.")
	309
	310	(persist-key?
	311	(boolean #t)
	312	"Don't re-read key files across SIGUSR1 or --ping-restart.")
	313
	314	(persist-tun?
	315	(boolean #t)
	316	"Don't close and reopen TUN/TAP device or run up/down scripts across
	317	SIGUSR1 or --ping-restart restarts.")
	318
c6c44770 JL	319	(fast-io?
	320	(boolean #f)
	321	"(Experimental) Optimize TUN/TAP/UDP I/O writes by avoiding a call to
	322	poll/epoll/select prior to the write operation.")
	323
2be1b471 JL	324	(verbosity
	325	(number 3)
	326	"Verbosity level."))
	327	;; client-specific configuration
	328	((tls-auth
	329	(tls-auth-client #f)
	330	"Add an additional layer of HMAC authentication on top of the TLS control
	331	channel to protect against DoS attacks.")
	332
c6c44770 JL	333	(auth-user-pass
	334	(maybe-string 'disabled)
	335	"Authenticate with server using username/password. The option is a file
	336	containing username/password on 2 lines. Do not use a file-like object as it
	337	would be added to the store and readable by any user.")
	338
2be1b471 JL	339	(verify-key-usage?
	340	(key-usage #t)
	341	"Whether to check the server certificate has server usage extension.")
	342
	343	(bind?
	344	(bind #f)
	345	"Bind to a specific local port number.")
	346
	347	(resolv-retry?
	348	(resolv-retry #t)
	349	"Retry resolving server address.")
	350
	351	(remote
	352	(openvpn-remote-list '())
	353	"A list of remote servers to connect to."))
	354	;; server-specific configuration
	355	((tls-auth
	356	(tls-auth-server #f)
	357	"Add an additional layer of HMAC authentication on top of the TLS control
	358	channel to protect against DoS attacks.")
	359
	360	(port
	361	(number 1194)
	362	"Specifies the port number on which the server listens.")
	363
	364	(server
	365	(ip-mask "10.8.0.0 255.255.255.0")
	366	"An ip and mask specifying the subnet inside the virtual network.")
	367
	368	(server-ipv6
	369	(cidr6 #f)
	370	"A CIDR notation specifying the IPv6 subnet inside the virtual network.")
	371
	372	(dh
	373	(string "/etc/openvpn/dh2048.pem")
	374	"The Diffie-Hellman parameters file.")
	375
	376	(ifconfig-pool-persist
	377	(string "/etc/openvpn/ipp.txt")
	378	"The file that records client IPs.")
	379
	380	(redirect-gateway?
	381	(gateway #f)
	382	"When true, the server will act as a gateway for its clients.")
	383
	384	(client-to-client?
	385	(boolean #f)
9fc221b5	386	"When true, clients are allowed to talk to each other inside the VPN.")
2be1b471 JL	387
	388	(keepalive
	389	(keepalive '(10 120))
	390	"Causes ping-like messages to be sent back and forth over the link so that
	391	each side knows when the other side has gone down. @code{keepalive} requires
	392	a pair. The first element is the period of the ping sending, and the second
	393	element is the timeout before considering the other side down.")
	394
	395	(max-clients
	396	(number 100)
	397	"The maximum number of clients.")
	398
	399	(status
	400	(string "/var/run/openvpn/status")
	401	"The status file. This file shows a small report on current connection. It
9fc221b5	402	is truncated and rewritten every minute.")
2be1b471 JL	403
	404	(client-config-dir
	405	(openvpn-ccd-list '())
	406	"The list of configuration for some clients.")))
	407
	408	(define (openvpn-config-file role config)
	409	(let ((config-str
	410	(with-output-to-string
	411	(lambda ()
	412	(serialize-configuration config
	413	(match role
be051880 LC	414	('server
	415	openvpn-server-configuration-fields)
	416	('client
	417	openvpn-client-configuration-fields))))))
2be1b471	418	(ccd-dir (match role
be051880 LC	419	('server (create-ccd-directory
	420	(openvpn-server-configuration-client-config-dir
	421	config)))
	422	('client #f))))
2be1b471 JL	423	(computed-file "openvpn.conf"
	424	#~(begin
	425	(use-modules (ice-9 match))
	426	(call-with-output-file #$output
	427	(lambda (port)
	428	(match '#$role
be051880 LC	429	('server (display "" port))
be051880 LC	430	('client (display "client\n" port)))
2be1b471 JL	431	(display #$config-str port)
2be1b471 JL	432	(match '#$role
be051880 LC	433	('server (display
	434	(string-append "client-config-dir "
	435	#$ccd-dir "\n") port))
	436	('client (display "" port)))))))))
2be1b471 JL	437
	438	(define (openvpn-shepherd-service role)
	439	(lambda (config)
	440	(let* ((config-file (openvpn-config-file role config))
	441	(pid-file ((match role
be051880 LC	442	('server openvpn-server-configuration-pid-file)
be051880 LC	443	('client openvpn-client-configuration-pid-file))
2be1b471 JL	444	config))
2be1b471 JL	445	(openvpn ((match role
be051880 LC	446	('server openvpn-server-configuration-openvpn)
be051880 LC	447	('client openvpn-client-configuration-openvpn))
2be1b471 JL	448	config))
2be1b471 JL	449	(log-file (match role
be051880 LC	450	('server "/var/log/openvpn-server.log")
be051880 LC	451	('client "/var/log/openvpn-client.log"))))
2be1b471 JL	452	(list (shepherd-service
	453	(documentation (string-append "Run the OpenVPN "
	454	(match role
be051880 LC	455	('server "server")
be051880 LC	456	('client "client"))
2be1b471 JL	457	" daemon."))
2be1b471 JL	458	(provision (match role
be051880 LC	459	('server '(vpn-server))
be051880 LC	460	('client '(vpn-client))))
2be1b471 JL	461	(requirement '(networking))
	462	(start #~(make-forkexec-constructor
	463	(list (string-append #$openvpn "/sbin/openvpn")
	464	"--writepid" #$pid-file "--config" #$config-file
	465	"--daemon")
	466	#:pid-file #$pid-file))
	467	(stop #~(make-kill-destructor)))))))
	468
	469	(define %openvpn-accounts
	470	(list (user-group (name "openvpn") (system? #t))
	471	(user-account
	472	(name "openvpn")
	473	(group "openvpn")
	474	(system? #t)
	475	(comment "Openvpn daemon user")
	476	(home-directory "/var/empty")
	477	(shell (file-append shadow "/sbin/nologin")))))
	478
	479	(define %openvpn-activation
e57bd0be CL	480	#~(begin
	481	(use-modules (guix build utils))
	482	(mkdir-p "/var/run/openvpn")))
2be1b471 JL	483
	484	(define openvpn-server-service-type
	485	(service-type (name 'openvpn-server)
	486	(extensions
	487	(list (service-extension shepherd-root-service-type
	488	(openvpn-shepherd-service 'server))
	489	(service-extension account-service-type
	490	(const %openvpn-accounts))
	491	(service-extension activation-service-type
	492	(const %openvpn-activation))))))
	493
	494	(define openvpn-client-service-type
	495	(service-type (name 'openvpn-client)
	496	(extensions
	497	(list (service-extension shepherd-root-service-type
	498	(openvpn-shepherd-service 'client))
	499	(service-extension account-service-type
	500	(const %openvpn-accounts))
	501	(service-extension activation-service-type
	502	(const %openvpn-activation))))))
	503
	504	(define* (openvpn-client-service #:key (config (openvpn-client-configuration)))
	505	(validate-configuration config openvpn-client-configuration-fields)
	506	(service openvpn-client-service-type config))
	507
	508	(define* (openvpn-server-service #:key (config (openvpn-server-configuration)))
	509	(validate-configuration config openvpn-server-configuration-fields)
	510	(service openvpn-server-service-type config))
	511
	512	(define (generate-openvpn-server-documentation)
	513	(generate-documentation
	514	`((openvpn-server-configuration
	515	,openvpn-server-configuration-fields
	516	(ccd openvpn-ccd-configuration))
	517	(openvpn-ccd-configuration ,openvpn-ccd-configuration-fields))
	518	'openvpn-server-configuration))
	519
	520	(define (generate-openvpn-client-documentation)
	521	(generate-documentation
	522	`((openvpn-client-configuration
	523	,openvpn-client-configuration-fields
	524	(remote openvpn-remote-configuration))
	525	(openvpn-remote-configuration ,openvpn-remote-configuration-fields))
	526	'openvpn-client-configuration))
43b2e440 MO	527
	528	\f
	529	;;;
	530	;;; Wireguard.
	531	;;;
	532
	533	(define-record-type* <wireguard-peer>
	534	wireguard-peer make-wireguard-peer
	535	wireguard-peer?
	536	(name wireguard-peer-name)
	537	(endpoint wireguard-peer-endpoint
	538	(default #f)) ;string
	539	(public-key wireguard-peer-public-key) ;string
	540	(allowed-ips wireguard-peer-allowed-ips)) ;list of strings
	541
	542	(define-record-type* <wireguard-configuration>
	543	wireguard-configuration make-wireguard-configuration
	544	wireguard-configuration?
	545	(wireguard wireguard-configuration-wireguard ;<package>
	546	(default wireguard-tools))
	547	(interface wireguard-configuration-interface ;string
	548	(default "wg0"))
	549	(addresses wireguard-configuration-addresses ;string
	550	(default '("10.0.0.1/32")))
	551	(port wireguard-configuration-port ;integer
	552	(default 51820))
	553	(private-key wireguard-configuration-private-key ;string
	554	(default "/etc/wireguard/private.key"))
	555	(peers wireguard-configuration-peers ;list of <wiregard-peer>
	556	(default '())))
	557
	558	(define (wireguard-configuration-file config)
	559	(define (peer->config peer)
	560	(let ((name (wireguard-peer-name peer))
	561	(public-key (wireguard-peer-public-key peer))
	562	(endpoint (wireguard-peer-endpoint peer))
	563	(allowed-ips (wireguard-peer-allowed-ips peer)))
	564	(format #f "[Peer] #~a
	565	PublicKey = ~a
	566	AllowedIPs = ~a
	567	~a"
	568	name
	569	public-key
	570	(string-join allowed-ips ",")
	571	(if endpoint
	572	(format #f "Endpoint = ~a\n" endpoint)
	573	"\n"))))
	574
	575	(match-record config <wireguard-configuration>
	576	(wireguard interface addresses port private-key peers)
	577	(let* ((config-file (string-append interface ".conf"))
	578	(peers (map peer->config peers))
	579	(config
	580	(computed-file
	581	"wireguard-config"
	582	#~(begin
	583	(mkdir #$output)
	584	(chdir #$output)
	585	(call-with-output-file #$config-file
	586	(lambda (port)
	587	(let ((format (@ (ice-9 format) format)))
	588	(format port "[Interface]
	589	Address = ~a
	590	PostUp = ~a set %i private-key ~a
591	~a
592	~{~a~^~%~}"
593	#$(string-join addresses ",")
594	#$(file-append wireguard "/bin/wg")
595	#$private-key
596	#$(if port
597	(format #f "ListenPort = ~a" port)
598	"")
599	(list #$@peers)))))))))
600	(file-append config "/" config-file))))
601
602	(define (wireguard-activation config)
603	(match-record config <wireguard-configuration>
604	(private-key)
605	#~(begin
606	(use-modules (guix build utils)
607	(ice-9 popen)
608	(ice-9 rdelim))
609	(mkdir-p (dirname #$private-key))
610	(unless (file-exists? #$private-key)
611	(let* ((pipe
612	(open-input-pipe (string-append
613	#$(file-append wireguard-tools "/bin/wg")
614	" genkey")))
615	(key (read-line pipe)))
616	(call-with-output-file #$private-key
617	(lambda (port)
618	(display key port)))
619	(chmod #$private-key #o400)
620	(close-pipe pipe))))))
621
622	(define (wireguard-shepherd-service config)
623	(match-record config <wireguard-configuration>
624	(wireguard interface)
625	(let ((wg-quick (file-append wireguard "/bin/wg-quick"))
626	(config (wireguard-configuration-file config)))
627	(list (shepherd-service
628	(requirement '(networking))
629	(provision (list
630	(symbol-append 'wireguard-
631	(string->symbol interface))))
632	(start #~(lambda _
633	(invoke #$wg-quick "up" #$config)))
634	(stop #~(lambda _
635	(invoke #$wg-quick "down" #$config)))
636	(documentation "Run the Wireguard VPN tunnel"))))))
637
638	(define wireguard-service-type
639	(service-type
640	(name 'wireguard)
641	(extensions
642	(list (service-extension shepherd-root-service-type
643	wireguard-shepherd-service)
644	(service-extension activation-service-type
645	wireguard-activation)))))