nixos/networkmanager: set up /etc/ipsec.secrets as required by the L2TP plugin

The networkmanager-l2tp plugin expects /etc/ipsec.secrets to include /etc/ipsec.d/ipsec.nm-l2tp.secrets;
see #64965

In order for this to continue working if the strongswan module is
enabled, we use `"ipsec.secrets".text` instead of `.source` so that the
configurations of both modules are concatenated.

Author: ncfavier

nixos/modules/services/networking/networkmanager.nix

@@ -514,6 +514,12 @@ in
 
     environment.etc = {
       "NetworkManager/NetworkManager.conf".source = configFile;
+
+      # The networkmanager-l2tp plugin expects /etc/ipsec.secrets to include /etc/ipsec.d/ipsec.nm-l2tp.secrets;
+      # see https://github.com/NixOS/nixpkgs/issues/64965
+      "ipsec.secrets".text = ''
+        include ipsec.d/ipsec.nm-l2tp.secrets
+      '';
     }
     // builtins.listToAttrs (map
       (pkg: nameValuePair "NetworkManager/${pkg.networkManagerPlugin}" {

nixos/modules/services/networking/strongswan.nix

@@ -3,14 +3,12 @@
 let
 
   inherit (builtins) toFile;
-  inherit (lib) concatMapStringsSep concatStringsSep mapAttrsToList
+  inherit (lib) concatMapStrings concatStringsSep mapAttrsToList
                 mkIf mkEnableOption mkOption types literalExpression optionalString;
 
   cfg = config.services.strongswan;
 
-  ipsecSecrets = secrets: toFile "ipsec.secrets" (
-    concatMapStringsSep "\n" (f: "include ${f}") secrets
-  );
+  ipsecSecrets = secrets: concatMapStrings (f: "include ${f}\n") secrets;
 
   ipsecConf = {setup, connections, ca}:
     let
@@ -138,16 +136,12 @@ in
   };
 
 
-  config = with cfg;
-  let
-    secretsFile = ipsecSecrets cfg.secrets;
-  in
-  mkIf enable
+  config = with cfg; mkIf enable
     {
 
     # here we should use the default strongswan ipsec.secrets and
     # append to it (default one is empty so not a pb for now)
-    environment.etc."ipsec.secrets".source = secretsFile;
+    environment.etc."ipsec.secrets".text = ipsecSecrets cfg.secrets;
 
     systemd.services.strongswan = {
       description = "strongSwan IPSec Service";
@@ -156,7 +150,10 @@ in
       wants = [ "network-online.target" ];
       after = [ "network-online.target" ];
       environment = {
-        STRONGSWAN_CONF = strongswanConf { inherit setup connections ca secretsFile managePlugins enabledPlugins; };
+        STRONGSWAN_CONF = strongswanConf {
+          inherit setup connections ca managePlugins enabledPlugins;
+          secretsFile = "/etc/ipsec.secrets";
+        };
       };
       serviceConfig = {
         ExecStart  = "${pkgs.strongswan}/sbin/ipsec start --nofork";