add option to use systemd credential for wireguard key
This commit is contained in:
parent
881078abf8
commit
fd3965ddee
32
peering.nix
32
peering.nix
|
@ -1,7 +1,7 @@
|
|||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
let
|
||||
inherit (lib) mkIf mkOption mkEnableOption types optionals filterAttrs mapAttrsToList;
|
||||
cfg = config.birdsong.peering;
|
||||
hostName = if null != cfg.hostName then cfg.hostName else config.networking.hostName;
|
||||
hosts = config.birdsong.hosts;
|
||||
|
@ -31,12 +31,27 @@ in
|
|||
type = types.bool;
|
||||
};
|
||||
privateKeyFile = mkOption {
|
||||
default = null;
|
||||
description = ''
|
||||
Path to the private key for this peer, as generated by `wg genkey`. Must
|
||||
be readable by the user "systemd-network"; systemd.netdev(5) recommends
|
||||
it be owned by "root:systemd-network" with a "0640" file mode.
|
||||
Path to the private key for this peer, as generated by
|
||||
{command}`wg genkey`. Must be readable by the user "systemd-network";
|
||||
systemd.netdev(5) recommends it be owned by "root:systemd-network" with
|
||||
a "0640" file mode. Set exactly one of this or
|
||||
{option}`birdsong.peering.privateKeyCredential`.
|
||||
'';
|
||||
type = types.path;
|
||||
type = with types; nullOr str;
|
||||
};
|
||||
privateKeyCred = mkOption {
|
||||
default = null;
|
||||
description = ''
|
||||
Name of a systemd credential containing a private key for this peer, as
|
||||
generated by {command}`wg genkey`. Set exactly one of this or
|
||||
{option}`birdsong.peering.privateKeyFile`.
|
||||
|
||||
To load the credential from an encrypted credential file, set
|
||||
{option}`systemd.services.systemd-networkd.serviceConfig.LoadCredentialEncrypted`.
|
||||
'';
|
||||
type = with types; nullOr str;
|
||||
};
|
||||
persistentKeepalive = mkOption {
|
||||
default = 0;
|
||||
|
@ -60,8 +75,8 @@ in
|
|||
message = "birdsong depends on networkd. systemd.network.enable must be true";
|
||||
}
|
||||
{
|
||||
assertion = cfg ? privateKeyFile;
|
||||
message = "birdsong.peering.privateKeyFile must be set";
|
||||
assertion = (cfg.privateKeyCred != null && cfg.privateKeyFile == null) || (cfg.privateKeyFile != null && cfg.privateKeyCred == null);
|
||||
message = "exactly one of birdsong.peering.privateKeyCred or birdsong.peering.privateKeyFile must be set";
|
||||
}
|
||||
{
|
||||
assertion = hostName != null;
|
||||
|
@ -84,7 +99,8 @@ in
|
|||
Description = "wireguard tunnel to the birdsong network";
|
||||
};
|
||||
wireguardConfig = {
|
||||
PrivateKeyFile = cfg.privateKeyFile;
|
||||
PrivateKey = mkIf (cfg.privateKeyCred != null) "@${cfg.privateKeyCred}";
|
||||
PrivateKeyFile = mkIf (cfg.privateKeyFile != null) cfg.privateKeyFile;
|
||||
ListenPort = host.port;
|
||||
};
|
||||
wireguardPeers =
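Review bot: The new `privateKeyFile` description in the second hunk cross-references `{option}`birdsong.peering.privateKeyCredential``, but the option added a few lines below is declared as `privateKeyCred`, and the assertion message in the third hunk uses that name too; the reference should read `{option}`birdsong.peering.privateKeyCred``. `privateKeyCred` is typed `nullOr str` and is interpolated verbatim into `PrivateKey = "@${cfg.privateKeyCred}"` in the last hunk, so any string, including one containing whitespace or a newline, is written into the generated netdev unit; a narrower type such as `types.strMatching "[A-Za-z0-9._-]+"` (systemd credential names are, as far as I recall, limited to plain file-name characters) would reject a malformed name at evaluation time instead of producing a broken or misparsed unit. It would also help the description to say that the `@name` form of `PrivateKey=` requires a systemd release that supports credential-backed keys (I believe 254 or newer), since an older networkd would presumably treat the literal `@name` as an invalid key. Finally, the mutual-exclusion assertion can state the exactly-one rule directly as `assertion = (cfg.privateKeyCred != null) != (cfg.privateKeyFile != null);`. The `wireguardConfig` attribute set continues past the end of the last hunk.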
|
||||
|
|