From fd3965ddee060739fb5b63b14e48ba4bb8c8588d Mon Sep 17 00:00:00 2001
From: Katherina Walshe-Grey
Date: Wed, 25 Dec 2024 04:23:57 +0000
Subject: [PATCH] add option to use systemd credential for wireguard key
---
 peering.nix | 32 ++++++++++++++++++++++++--------
 1 file changed, 24 insertions(+), 8 deletions(-)
diff --git a/peering.nix b/peering.nix
index 9c97bd1..817b046 100644
--- a/peering.nix
+++ b/peering.nix
@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
-with lib;
 let
+  inherit (lib) mkIf mkOption mkEnableOption types optionals filterAttrs mapAttrsToList;
   cfg = config.birdsong.peering;
   hostName = if null != cfg.hostName then cfg.hostName else config.networking.hostName;
   hosts = config.birdsong.hosts;
@@ -31,12 +31,27 @@ in
       type = types.bool;
     };
     privateKeyFile = mkOption {
+      default = null;
       description = ''
-        Path to the private key for this peer, as generated by `wg genkey`. Must
-        be readable by the user "systemd-network"; systemd.netdev(5) recommends
-        it be owned by "root:systemd-network" with a "0640" file mode.
+        Path to the private key for this peer, as generated by
+        {command}`wg genkey`. Must be readable by the user "systemd-network";
+        systemd.netdev(5) recommends it be owned by "root:systemd-network" with
+        a "0640" file mode. Set exactly one of this or
+        {option}`birdsong.peering.privateKeyCredential`.
       '';
-      type = types.path;
+      type = with types; nullOr str;
+    };
+    privateKeyCred = mkOption {
+      default = null;
+      description = ''
+        Name of a systemd credential containing a private key for this peer, as
+        generated by {command}`wg genkey`. Set exactly one of this or
+        {option}`birdsong.peering.privateKeyFile`.
+
+        To load the credential from an encrypted credential file, set
+        {option}`systemd.services.systemd-networkd.serviceConfig.LoadCredentialEncrypted`.
+      '';
+      type = with types; nullOr str;
     };
     persistentKeepalive = mkOption {
       default = 0;
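Review bot: The new `privateKeyFile` description in the `@@ -31,12 +31,27 @@` hunk cross-references `{option}`birdsong.peering.privateKeyCredential``, but the option declared a few lines further down is named `privateKeyCred` (the assertion message in the later hunk also says `privateKeyCred`), so the rendered option manual will link to an option that does not exist. Change that line to `{option}`birdsong.peering.privateKeyCred`.` and the two descriptions will point at each other correctly. Separately, the type change from `types.path` to `nullOr str` means that, if I read nixpkgs' `types.str` correctly, a Nix path literal is now rejected at evaluation time instead of being interpolated and copied into the world-readable Nix store; that is the right outcome for a private key, but a sentence in the description saying the value must be an absolute path string (not a path literal) would save users a confusing type error.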
@@ -60,8 +75,8 @@ in
         message = "birdsong depends on networkd. systemd.network.enable must be true";
       }
       {
-        assertion = cfg ? privateKeyFile;
-        message = "birdsong.peering.privateKeyFile must be set";
+        assertion = (cfg.privateKeyCred != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCred == null);
+        message = "exactly one of birdsong.peering.privateKeyCred or birdsong.peering.privateKeyFile must be set";
       }
       {
         assertion = hostName != null;
@@ -84,7 +99,8 @@ in
         Description = "wireguard tunnel to the birdsong network";
       };
       wireguardConfig = {
-        PrivateKeyFile = cfg.privateKeyFile;
+        PrivateKey = mkIf (cfg.privateKeyCred != null) "@${cfg.privateKeyCred}";
+        PrivateKeyFile = mkIf (cfg.privateKeyFile != null) cfg.privateKeyFile;
         ListenPort = host.port;
       };
       wireguardPeers =
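Review bot: The replacement `assertion` in the `@@ -60,8 +75,8 @@` hunk spells out "exactly one is set" as two three-clause conjunctions on a single long line, which is hard to verify by eye; since both operands are booleans, Nix's `!=` gives the same truth table in one short expression: `assertion = (cfg.privateKeyCred != null) != (cfg.privateKeyFile != null);`. The accompanying message already names both options and needs no change. The surrounding `assertions` list starts and ends outside the hunk.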
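Review bot: In the `@@ -84,7 +99,8 @@` hunk, `PrivateKey = mkIf (cfg.privateKeyCred != null) "@${cfg.privateKeyCred}";` depends on systemd-networkd treating a leading `@` in `PrivateKey=` as a credential name; that syntax only exists in recent systemd releases (exact version not verified here), and on an older systemd the literal `@name` would be parsed as a base64 key and the netdev rejected at load time, with nothing at evaluation time explaining why the tunnel is down. A why-comment on that line would help the next maintainer, e.g. `# "@name" tells networkd to read the key from its credential store; the credential must be loaded into systemd-networkd.service (LoadCredential*/ImportCredential)`, and the `privateKeyCred` option description is the natural place to state the minimum systemd version once it is confirmed. The enclosing netdev definition starts before this hunk and continues after it.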