Diffstat (limited to 'apps/strongswan/options')
-rw-r--r--apps/strongswan/options/ca.nix20
-rw-r--r--apps/strongswan/options/conn.nix88
-rw-r--r--apps/strongswan/options/lib.nix26
-rw-r--r--apps/strongswan/options/setup.nix24
4 files changed, 158 insertions, 0 deletions
diff --git a/apps/strongswan/options/ca.nix b/apps/strongswan/options/ca.nix
new file mode 100644
index 0000000..e52b088
--- /dev/null
+++ b/apps/strongswan/options/ca.nix
@@ -0,0 +1,20 @@
+{ config, lib, ... }:
+
+let
+
+ inherit (lib) foldl;
+ inherit (lib.types) str path enum;
+ inherit (import ./lib.nix lib) optional;
+
+in {
+ options = foldl (a: b: a//b) {} [
+ { also = optional str; }
+ { auto = optional (enum [ "add" "ignore" ]); }
+ { cacert = optional path; }
+ { certuribase = optional str; }
+ { crluri = optional str; }
+ { crluri2 = optional str; }
+ { ocspuri = optional str; }
+ { ocspuri2 = optional str; }
+ ];
+}
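Review bot: The `foldl (a: b: a//b) {} [ ... ]` at the top of `options` adds nothing here, because every list element is a single-attribute set, so the whole thing is just an attribute set written the long way; `options = { also = optional str; auto = optional (enum [ "add" "ignore" ]); cacert = optional path; ... };` reads the same and makes a duplicated key a Nix evaluation error instead of a silent overwrite by the later entry. The same pattern appears in setup.nix (the `options` fold in its hunk); conn.nix is different, since it concatenates the generated `leftright` list and genuinely needs the fold. The `config` argument in the module header is unused in this file and could be dropped from the pattern or left as `{ lib, ... }:`.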
diff --git a/apps/strongswan/options/conn.nix b/apps/strongswan/options/conn.nix
new file mode 100644
index 0000000..ac1d88c
--- /dev/null
+++ b/apps/strongswan/options/conn.nix
@@ -0,0 +1,88 @@
+{ config, lib, ... }:
+
+let
+
+ inherit (lib) foldl attrNames head;
+ inherit (lib.types) int str path either listOf enum;
+ inherit (import ./lib.nix lib) boolean boolOr default optional;
+
+ leftright = map
+ (a: let n = head (attrNames a);
+ in {
+ "left${n}" = a."${n}";
+ "right${n}" = a."${n}";
+ })
+ [
+ { allowany = optional boolean; }
+ { auth = optional str; }
+ { auth2 = optional str; }
+ { ca = optional str; }
+ { ca2 = optional str; }
+ { cert = optional path; }
+ { cert2 = optional path; }
+ { dns = optional (either str (listOf str)); }
+ { firewall = optional boolean; }
+ { groups = optional (either str (listOf str)); }
+ { hostaccess = optional boolean; }
+ { id = optional str; }
+ { id2 = optional str; }
+ { policy = optional (either str (listOf str)); }
+ { sendcert = optional (boolOr [ "never" "always" "ifasked" ]); }
+ { sigkey = optional (either str path); }
+ { sourceip = optional str; }
+ { subnet = optional (either str (listOf str)); }
+ { updown = optional path; }
+ ];
+
+ conn = leftright ++ [
+ { aaa_identity = optional str; }
+ { aggressive = optional boolean; }
+ { ah = optional (either str (listOf str)); }
+ { also = optional str; }
+ { authby = optional (enum [ "pubkey" "rsasig" "ecdsasig" "psk" "secret" "xauthrsasig" "xauthpsk" "never" ]); }
+ { auto = optional (enum [ "ignore" "add" "route" "start" ]); }
+ { closeaction = optional (enum [ "none" "clear" "hold" "restart" ]); }
+ { compress = optional boolean; }
+ { dpdaction = optional (enum [ "none" "clear" "hold" "restart" ]); }
+ { dpddelay = optional int; }
+ { dpdtimeout = optional int; }
+ { eap_identity = optional str; }
+ { esp = optional (either str (listOf str)); }
+ { forceencaps = optional boolean; }
+ { fragmentation = optional (boolOr [ "force" ]); }
+ { ike = optional (either str (listOf str)); }
+ { ikedscp = optional str; }
+ { ikelifetime = optional int; }
+ { inactivity = optional int; }
+ { installpolicy = optional boolean; }
+ { keyexchange = optional (enum [ "ikev1" "ikev2" ]); }
+ { keyingtries = optional (either int (enum [ "%forever" ])); }
+ { left = optional str; }
+ { lifebytes = optional int; }
+ { lifepackets = optional int; }
+ { lifetime = optional int; }
+ { marginbytes = optional int; }
+ { marginpackets = optional int; }
+ { mark = optional str; }
+ { mark_in = optional str; }
+ { mark_out = optional str; }
+ { me_peerid = optional str; }
+ { mediated_by = optional str; }
+ { mediation = optional boolean; }
+ { mobike = optional boolean; }
+ { modeconfig = optional (enum [ "push" "pull" ]); }
+ { reauth = optional boolean; }
+ { rekey = optional boolean; }
+ { rekeyfuzz = optional int; }
+ { replay_window = optional int; }
+ { reqid = optional int; }
+ { right = optional str; }
+ { tfc = optional (either int (enum [ "%mtu" ])); }
+ { type = optional (enum [ "tunnel" "transport" "transport_proxy" "passthrough" "drop" ]); }
+ { xauth = optional (enum [ "client" "server" ]); }
+ { xauth_identity = optional str; }
+ ];
+
+in {
+ options = foldl (a: b: a//b) {} conn;
+}
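Review bot: `leftright` takes `head (attrNames a)` for each entry, so an element with more than one attribute would have all but one of them silently dropped, and which one survives depends on attribute-name ordering; a comment stating the invariant, `# each entry must be a single-attribute set; the key is duplicated as left<key>/right<key>`, or an assertion on `length (attrNames a) == 1`, would make that explicit. Separately, the many `str`-typed options (`ikedscp`, `mark`, `sourceip`, the `id`/`auth` family, and the `either str (listOf str)` ones) presumably end up as `key=value` lines in a generated ipsec.conf (the writer is not in this diff); if so, a value containing a newline could introduce further keys into the rendered section, and the type or the writer should reject or escape newlines. Note also that `keyingtries` and `tfc` use `lib.types.enum` while lib.nix defines `enum'` as the workaround for the cited nixpkgs issue; if the workaround is needed for string values too, those two should use `enum'` for consistency.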
diff --git a/apps/strongswan/options/lib.nix b/apps/strongswan/options/lib.nix
new file mode 100644
index 0000000..5b0808f
--- /dev/null
+++ b/apps/strongswan/options/lib.nix
@@ -0,0 +1,26 @@
+lib:
+
+let
+ inherit (lib) mkOption mkOptionType mergeOneOption elem flip concatStringsSep;
+ inherit (lib.types) nullOr submodule bool either;
+
+in rec {
+ default = v: type: mkOption { type = type; default = v; };
+ optional = type: mkOption { type = nullOr type; default = null; };
+ set = opts: mkOption { type = nullOr (submodule { options = opts; }); default = null; };
+
+ # XXX https://github.com/NixOS/nixpkgs/issues/9826
+ enum' = values:
+ let show = v: let t = builtins.typeOf v;
+ in if t == "string" then ''"${v}"''
+ else if t == "int" then builtins.toString v
+ else ''<${t}>'';
+ in mkOptionType {
+ name = "one of ${concatStringsSep ", " (map show values)}";
+ check = flip elem values;
+ merge = mergeOneOption;
+ };
+
+ boolean = either bool (enum' [ "yes" "no" ]);
+ boolOr = l: either bool (enum' ([ "yes" "no" ] ++ l));
+}
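Review bot: The helpers `default`, `optional` and `set` have no comments, and the `mkOption`s they build carry no `description`, so none of the options they define in ca.nix, conn.nix and setup.nix will be documented when rendered as NixOS module docs. At minimum a one-line comment per helper would help: `# optional: nullable option, null presumably meaning "do not emit this key" (confirm against the config writer)`, `# set: nullable submodule holding a group of sub-options`, `# boolean/boolOr: accept a Nix bool or strongswan's "yes"/"no" strings (plus the listed extras)`. The `enum'` workaround is already linked to the nixpkgs issue, which is good; a short note on what the `show` fallback `<${t}>` means for values that are neither strings nor ints would complete it.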
diff --git a/apps/strongswan/options/setup.nix b/apps/strongswan/options/setup.nix
new file mode 100644
index 0000000..d60a2af
--- /dev/null
+++ b/apps/strongswan/options/setup.nix
@@ -0,0 +1,24 @@
+{ config, lib, ... }:
+
+let
+
+ inherit (lib) foldl genAttrs;
+ inherit (import ./lib.nix lib) boolean boolOr default optional set enum';
+
+ charondebug = genAttrs [
+ "asn" "cfg" "chd" "dmn"
+ "enc" "esp" "ike" "imc"
+ "imv" "job" "knl" "lib"
+ "mgr" "net" "pts" "tls"
+ "tnc"
+ ] (_: optional (enum' [ (-1) 0 1 2 3 4 ]));
+
+in {
+ options = foldl (a: b: a//b) {} [
+ { cachecrls = optional boolean; }
+ { charondebug = set charondebug; }
+ { charonstart = optional boolean; }
+ { strictcrlpolicy = optional (boolOr [ "ifuri" ]); }
+ { uniqueids = optional (boolOr [ "never" "replace" "keep" ]); }
+ ];
+}
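Review bot: `strictcrlpolicy` and `cachecrls` are declared as nullable with no default, so a configuration that does not set them inherits strongswan's own default of `no`, i.e. no strict CRL checking; that is the documented upstream default but is worth stating on the option since `optional` gives no `description`, for example `# strictcrlpolicy: null leaves strongswan's default (no); set "yes" or "ifuri" to require revocation checks`. The same applies to `uniqueids`, whose upstream default is `yes` and which should be documented so that a reader understands what `null` means. The `charondebug` submodule with `enum' [ (-1) 0 1 2 3 4 ]` per subsystem is a sensible use of the `enum'` workaround, since `lib.types.enum` would not handle the int levels.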