add birdsong.peering.privateKey option

2024-11-05 17:26:56 +00:00 · 2024-11-05 17:26:56 +00:00 · 912341c1e1
parent 8ca844c0d0
commit 912341c1e1
1 changed files with 15 additions and 5 deletions
--- a/peering.nix
+++ b/peering.nix
@ -30,11 +30,20 @@ in
      description = "Whether to automatically open firewall ports.";
      type = types.bool;
    };
+    privateKey = mkOption {
+      description = ''
+        Private key for this peer, as generated by `wg genkey`. For security,
+        it is recommended to use {option}`birdsong.peering.privateKeyFile`
+        instead, or use `@`-syntax to read a systemd credential; see
+        systemd.netdev(5) for more details.
+      '';
+      type = types.str;
+    };
    privateKeyFile = mkOption {
      description = ''
        Path to the private key for this peer, as generated by `wg genkey`. Must
-        be readable by the user "systemd-network"; systemd.netdev(5) recommends
-        it be owned by "root:systemd-network" with a "0640" file mode.
+        be readable by the user "systemd-network"; see systemd.netdev(5) for
+        more details.
      '';
      type = types.path;
    };
@ -60,8 +69,8 @@ in
        message = "birdsong depends on networkd. systemd.network.enable must be true";
      }
      {
-        assertion = cfg ? privateKeyFile;
-        message = "birdsong.peering.privateKeyFile must be set";
+        assertion = cfg ? privateKey || cfg ? privateKeyFile;
+        message = "birdsong.peering.privateKey or birdsong.peering.privateKeyFile must be set";
      }
      {
        assertion = hostName != null;
@ -86,7 +95,8 @@ in
          Description = "wireguard tunnel to the birdsong network";
        };
        wireguardConfig = {
-          PrivateKeyFile = cfg.privateKeyFile;
+          PrivateKey = mkIf (cfg ? privateKey) cfg.privateKey;
+          PrivateKeyFile = mkIf (cfg ? privateKeyFile) cfg.privateKeyFile;
          ListenPort = host.port;
        };
        wireguardPeers =