work around systemd unit parameters evaluating through mkIf

2024-12-27 02:53:57 +00:00 · 2024-12-27 02:53:57 +00:00 · 54c8b67a44
parent fd3965ddee
commit 54c8b67a44
1 changed files with 17 additions and 9 deletions
--- a/peering.nix
+++ b/peering.nix
@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:

 let
-  inherit (lib) mkIf mkOption mkEnableOption types optionals filterAttrs mapAttrsToList;
+  inherit (lib) types mkIf mkMerge mkOption mkEnableOption optionals filterAttrs mapAttrsToList;
  cfg = config.birdsong.peering;
  hostName = if null != cfg.hostName then cfg.hostName else config.networking.hostName;
  hosts = config.birdsong.hosts;
@ -41,7 +41,7 @@ in
      '';
      type = with types; nullOr str;
    };
-    privateKeyCred = mkOption {
+    privateKeyCredential = mkOption {
      default = null;
      description = ''
        Name of a systemd credential containing a private key for this peer, as
@ -75,8 +75,8 @@ in
        message = "birdsong depends on networkd. systemd.network.enable must be true";
      }
      {
-        assertion = (cfg.privateKeyCred != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCred == null);
-        message = "exactly one of birdsong.peering.privateKeyCred or birdsong.peering.privateKeyFile must be set";
+        assertion = (cfg.privateKeyCredential != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCredential == null);
+        message = "exactly one of birdsong.peering.privateKeyCredential or birdsong.peering.privateKeyFile must be set";
      }
      {
        assertion = hostName != null;
@ -98,11 +98,19 @@ in
          Kind = "wireguard";
          Description = "wireguard tunnel to the birdsong network";
        };
-        wireguardConfig = {
-          PrivateKey = mkIf (cfg.privateKeyCred != null) "@${cfg.privateKeyCred}";
-          PrivateKeyFile = mkIf (cfg.privateKeyFile != null) cfg.privateKeyFile;
-          ListenPort = host.port;
-        };
+
+        wireguardConfig = mkMerge [
+          {
+            ListenPort = host.port;
+          }
+          (mkIf (cfg.privateKeyCredential != null) {
+            PrivateKey = "@${cfg.privateKeyCredential}";
+          })
+          (mkIf (cfg.privateKeyFile != null) {
+            PrivateKeyFile = cfg.privateKeyFile;
+          })
+        ];
+
        wireguardPeers =
          let
            canDirectPeer = host: peer: peer.subnet == "internet" || (host.subnet != "roaming" && peer.subnet == host.subnet);