From 54c8b67a44ed58f92b6233934387b6e568151336 Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Fri, 27 Dec 2024 02:53:57 +0000
Subject: [PATCH] work around systemd unit parameters evaluating through mkIf
---
 peering.nix | 26 +++++++++++++++++---------
 1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/peering.nix b/peering.nix
index 817b046..b25f215 100644
--- a/peering.nix
+++ b/peering.nix
@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }: let
- inherit (lib) mkIf mkOption mkEnableOption types optionals filterAttrs mapAttrsToList;
+ inherit (lib) types mkIf mkMerge mkOption mkEnableOption optionals filterAttrs mapAttrsToList;
 cfg = config.birdsong.peering;
 hostName = if null != cfg.hostName then cfg.hostName else config.networking.hostName;
 hosts = config.birdsong.hosts;
@@ -41,7 +41,7 @@ in
 '';
 type = with types; nullOr str;
 };
- privateKeyCred = mkOption {
+ privateKeyCredential = mkOption {
 default = null;
 description = ''
 Name of a systemd credential containing a private key for this peer, as
@@ -75,8 +75,8 @@ in
 message = "birdsong depends on networkd. systemd.network.enable must be true";
 }
 {
- assertion = (cfg.privateKeyCred != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCred == null);
- message = "exactly one of birdsong.peering.privateKeyCred or birdsong.peering.privateKeyFile must be set";
+ assertion = (cfg.privateKeyCredential != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCredential == null);
+ message = "exactly one of birdsong.peering.privateKeyCredential or birdsong.peering.privateKeyFile must be set";
 }
 {
 assertion = hostName != null;
@@ -98,11 +98,19 @@ in
 Kind = "wireguard";
 Description = "wireguard tunnel to the birdsong network";
 };
- wireguardConfig = {
- PrivateKey = mkIf (cfg.privateKeyCred != null) "@${cfg.privateKeyCred}";
- PrivateKeyFile = mkIf (cfg.privateKeyFile != null) cfg.privateKeyFile;
- ListenPort = host.port;
- };
+
+ wireguardConfig = mkMerge [
+ {
+ ListenPort = host.port;
+ }
+ (mkIf (cfg.privateKeyCredential != null) {
+ PrivateKey = "@${cfg.privateKeyCredential}";
+ })
+ (mkIf (cfg.privateKeyFile != null) {
+ PrivateKeyFile = cfg.privateKeyFile;
+ })
+ ];
+
 wireguardPeers = let canDirectPeer = host: peer: peer.subnet == "internet" || (host.subnet != "roaming" && peer.subnet == host.subnet);
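Review bot: The rewritten `wireguardConfig` carries no comment saying why the conditional settings are wrapped in a `mkMerge` of `mkIf`-guarded attrsets rather than set with `mkIf` on each attribute, so a later cleanup is likely to fold it back into the form this commit removes; a line above `wireguardConfig = mkMerge [` such as `# mkIf on individual unit parameters does not evaluate correctly here (see commit message); merge whole conditional attrsets instead` would keep the rationale with the code. Separately, `PrivateKeyFile = cfg.privateKeyFile;` is only safe if the option's type keeps the value a plain string: if a Nix path literal were accepted, rendering it into the netdev unit would copy the key file into the world-readable Nix store, and the option's type is outside this hunk, so please confirm. The credential named by `PrivateKey = "@${cfg.privateKeyCredential}"` presumably has to be made available to systemd-networkd.service for the reference to resolve at runtime; this hunk does not show where that is done, so I assume it happens elsewhere in the module. The enclosing netdev definition starts and ends outside the hunk.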