add option to use systemd credential for wireguard key
parent
881078abf8
commit
fd3965ddee
32
peering.nix
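--- a/peering.nix
+++ b/peering.nix
@@ -1,7 +1,7 @@
 { config, lib, pkgs, ... }:
 
-with lib;
 let
+inherit (lib) mkIf mkOption mkEnableOption types optionals filterAttrs mapAttrsToList;
 cfg = config.birdsong.peering;
 hostName = if null != cfg.hostName then cfg.hostName else config.networking.hostName;
 hosts = config.birdsong.hosts;
@@ -31,12 +31,27 @@ in
 type = types.bool;
 };
 privateKeyFile = mkOption {
+default = null;
 description = ''
-Path to the private key for this peer, as generated by `wg genkey`. Must
-be readable by the user "systemd-network"; systemd.netdev(5) recommends
-it be owned by "root:systemd-network" with a "0640" file mode.
+Path to the private key for this peer, as generated by
+{command}`wg genkey`. Must be readable by the user "systemd-network";
+systemd.netdev(5) recommends it be owned by "root:systemd-network" with
+a "0640" file mode. Set exactly one of this or
+{option}`birdsong.peering.privateKeyCredential`.
 '';
-type = types.path;
+type = with types; nullOr str;
+};
+privateKeyCred = mkOption {
+default = null;
+description = ''
+Name of a systemd credential containing a private key for this peer, as
+generated by {command}`wg genkey`. Set exactly one of this or
+{option}`birdsong.peering.privateKeyFile`.
+
+To load the credential from an encrypted credential file, set
+{option}`systemd.services.systemd-networkd.serviceConfig.LoadCredentialEncrypted`.
+'';
+type = with types; nullOr str;
 };
 persistentKeepalive = mkOption {
 default = 0;
@@ -60,8 +75,8 @@ in
 message = "birdsong depends on networkd. systemd.network.enable must be true";
 }
 {
-assertion = cfg ? privateKeyFile;
-message = "birdsong.peering.privateKeyFile must be set";
+assertion = (cfg.privateKeyCred != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCred == null);
+message = "exactly one of birdsong.peering.privateKeyCred or birdsong.peering.privateKeyFile must be set";
 }
 {
 assertion = hostName != null;
@@ -84,7 +99,8 @@ in
 Description = "wireguard tunnel to the birdsong network";
 };
 wireguardConfig = {
-PrivateKeyFile = cfg.privateKeyFile;
+PrivateKey = mkIf (cfg.privateKeyCred != null) "@${cfg.privateKeyCred}";
+PrivateKeyFile = mkIf (cfg.privateKeyFile != null) cfg.privateKeyFile;
 ListenPort = host.port;
 };
 wireguardPeers =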
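Review bot: The `{option}` cross-reference added to the privateKeyFile description names `birdsong.peering.privateKeyCredential`, but the option declared right below it and named in the new assertion message is `privateKeyCred`, so the reference points at an option that does not exist; it should read `birdsong.peering.privateKeyCred`. The exactly-one assertion is correct but is spelled as a four-term expression; `assertion = (cfg.privateKeyCred != null) != (cfg.privateKeyFile != null);` states the same condition more directly. The switch of privateKeyFile from `types.path` to `nullOr str` deserves a why-comment, since a Nix path literal given to a `path`-typed option would be copied into the world-readable Nix store, e.g. `# str, not path: a path literal would copy the private key into the Nix store`. Nothing in this module makes the named credential available to systemd-networkd — the privateKeyCred description leaves that to the user via LoadCredentialEncrypted — which is presumably intentional, but it may be worth stating in the option description that networkd fails to bring the tunnel up if the credential is not loaded.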