From 912341c1e129fc471759c4206f37ec2f5efb4736 Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Tue, 5 Nov 2024 17:26:56 +0000
Subject: [PATCH] add birdsong.peering.privateKey option
---
 peering.nix | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/peering.nix b/peering.nix
index eea580f..01a4983 100644
--- a/peering.nix
+++ b/peering.nix
@@ -30,11 +30,20 @@ in
 description = "Whether to automatically open firewall ports.";
 type = types.bool;
 };
+ privateKey = mkOption {
+ description = ''
+ Private key for this peer, as generated by `wg genkey`. For security,
+ it is recommended to use {option}`birdsong.peering.privateKeyFile`
+ instead, or use `@`-syntax to read a systemd credential; see
+ systemd.netdev(5) for more details.
+ '';
+ type = types.str;
+ };
 privateKeyFile = mkOption {
 description = ''
 Path to the private key for this peer, as generated by `wg genkey`. Must
- be readable by the user "systemd-network"; systemd.netdev(5) recommends
- it be owned by "root:systemd-network" with a "0640" file mode.
+ be readable by the user "systemd-network"; see systemd.netdev(5) for
+ more details.
 '';
 type = types.path;
 };
@@ -60,8 +69,8 @@ in
 message = "birdsong depends on networkd. systemd.network.enable must be true";
 }
 {
- assertion = cfg ? privateKeyFile;
- message = "birdsong.peering.privateKeyFile must be set";
+ assertion = cfg ? privateKey || cfg ? privateKeyFile;
+ message = "birdsong.peering.privateKey or birdsong.peering.privateKeyFile must be set";
 }
 {
 assertion = hostName != null;
@@ -86,7 +95,8 @@ in
 Description = "wireguard tunnel to the birdsong network";
 };
 wireguardConfig = {
- PrivateKeyFile = cfg.privateKeyFile;
+ PrivateKey = mkIf (cfg ? privateKey) cfg.privateKey;
+ PrivateKeyFile = mkIf (cfg ? privateKeyFile) cfg.privateKeyFile;
 ListenPort = host.port;
 };
 wireguardPeers =
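Review bot: The new `privateKey` option is declared as `types.str`, so a literal set here is evaluated into the Nix store and, as far as I can tell from how `systemd.network.netdevs` is rendered, into the generated `.netdev` unit as well, both of which are world-readable on the host; the description points at `privateKeyFile` and the `@` credential syntax but never states that consequence, which is what a user needs in order to make the choice. I would add one sentence to the description: `Note that a value set here is stored in the world-readable Nix store; on any multi-user host use one of the alternatives below.` Deferring the `privateKeyFile` ownership/mode guidance to systemd.netdev(5) is fine, though keeping the one-line "owned by root:systemd-network, mode 0640" hint would save readers a lookup at the moment they are creating the file.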
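Review bot: The assertion `cfg ? privateKey || cfg ? privateKeyFile` tests whether the attribute exists on `config`, and in the NixOS module system every declared option exists there whether or not it was defined (an undefined one throws only when forced), so if I recall the module semantics correctly this assertion is always satisfied and the same `cfg ? privateKey` test in the third hunk is always true — meaning `mkIf (cfg ? privateKey) cfg.privateKey` forces the undefined option and fails evaluation for a host that only sets `privateKeyFile`, which was the only supported configuration before this patch. The usual idiom is to declare both options as `types.nullOr` with `default = null` and test `cfg.privateKey != null`, or to consult `options.birdsong.peering.privateKey.isDefined`; the same change applies to the two `mkIf` guards in the third hunk. Separately, nothing rejects setting both options at once, and which key networkd then uses is decided by systemd.netdev(5) rather than by this module, so an assertion that exactly one is set, e.g. `assertion = (cfg.privateKey != null) != (cfg.privateKeyFile != null);`, would make that choice explicit.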