add birdsong.peering.privateKey option

peering.nix

@@ -30,11 +30,20 @@ in
       description = "Whether to automatically open firewall ports.";
       type = types.bool;
     };
+    privateKey = mkOption {
+      description = ''
+        Private key for this peer, as generated by `wg genkey`. For security,
+        it is recommended to use {option}`birdsong.peering.privateKeyFile`
+        instead, or use `@`-syntax to read a systemd credential; see
+        systemd.netdev(5) for more details.
+      '';
+      type = types.str;
+    };
     privateKeyFile = mkOption {
       description = ''
         Path to the private key for this peer, as generated by `wg genkey`. Must
-        be readable by the user "systemd-network"; systemd.netdev(5) recommends
+        be readable by the user "systemd-network"; see systemd.netdev(5) for
-        it be owned by "root:systemd-network" with a "0640" file mode.
+        more details.
       '';
       type = types.path;
     };
@@ -60,8 +69,8 @@ in
         message = "birdsong depends on networkd. systemd.network.enable must be true";
       }
       {
-        assertion = cfg ? privateKeyFile;
+        assertion = cfg ? privateKey || cfg ? privateKeyFile;
-        message = "birdsong.peering.privateKeyFile must be set";
+        message = "birdsong.peering.privateKey or birdsong.peering.privateKeyFile must be set";
       }
       {
         assertion = hostName != null;
@@ -86,7 +95,8 @@ in
           Description = "wireguard tunnel to the birdsong network";
         };
         wireguardConfig = {
-          PrivateKeyFile = cfg.privateKeyFile;
+          PrivateKey = mkIf (cfg ? privateKey) cfg.privateKey;
+          PrivateKeyFile = mkIf (cfg ? privateKeyFile) cfg.privateKeyFile;
           ListenPort = host.port;
         };
         wireguardPeers =