Commit 42f5ecde authored by James Atkins

nixos/networkd: support systemd-creds in WireGuard

systemd 256 supports network.wireguard.* credentials (https://github.com/systemd/systemd/pull/30826).
If PrivateKey / PresharedKey starts with an `@`, the value is a credential reference rather than a literal key, and the assertions now accept it.
parent bc947f54
+5 −0
@@ -17,6 +17,7 @@ let
    filterAttrs
    flatten
    flip
    hasPrefix
    head
    isInt
    isFloat
@@ -196,6 +197,10 @@ in rec {
    optional (attr ? ${name})
      "Systemd ${group} field `${name}' has been removed. See ${see}";

  assertKeyIsSystemdCredential = name: group: attr:
    optional (attr ? ${name} && !(hasPrefix "@" attr.${name}))
      "Systemd ${group} field `${name}' is not a systemd credential";

  checkUnitConfig = group: checks: attrs: let
    # We're applied at the top-level type (attrsOf unitOption), so the actual
    # unit options might contain attributes from mkOverride and mkIf that we need to
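Review bot: `assertKeyIsSystemdCredential` only checks that the value begins with `@`, so it accepts a bare `@` and any credential name, whereas the systemd change cited in the commit message is about `network.wireguard.*` credentials; a name outside that namespace presumably only fails at runtime when networkd cannot read it. If the intent is to rely on the credentials systemd-networkd.service imports by default, say so in the helper, e.g. `# "@<name>" is a systemd credential reference; the credential must be made available to systemd-networkd.service (upstream imports network.wireguard.*), so other names need extra LoadCredential/ImportCredential configuration.` The error message could also tell users what to do instead, e.g. `"Systemd ${group} field \`${name}' must be a systemd credential reference (\"@<name>\"); literal keys end up in the world-readable Nix store, use \`${name}File' instead"`. Whether the networkd unit in this tree actually imports `network.wireguard.*` is not visible here, so that part should be confirmed before documenting it.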
+12 −6
@@ -411,11 +411,14 @@ let
        (assertValueOneOf "Layer2SpecificHeader" [ "none" "default" ])
      ];

      # NOTE The PrivateKey directive is missing on purpose here, please
      # do not add it to this list. The nix store is world-readable let's
      # refrain ourselves from providing a footgun.
      # NOTE Check whether the key starts with an @, in which case it is
      # interpreted as the name of the credential from which the actual key
      # shall be read by systemd-creds.
      # Do not remove this check as the nix store is world-readable.
      sectionWireGuard = checkUnitConfig "WireGuard" [
        (assertKeyIsSystemdCredential "PrivateKey")
        (assertOnlyFields [
          "PrivateKey"
          "PrivateKeyFile"
          "ListenPort"
          "FirewallMark"
@@ -426,12 +429,15 @@ let
        (assertRange "FirewallMark" 1 4294967295)
      ];

      # NOTE The PresharedKey directive is missing on purpose here, please
      # do not add it to this list. The nix store is world-readable,let's
      # refrain ourselves from providing a footgun.
      # NOTE Check whether the key starts with an @, in which case it is
      # interpreted as the name of the credential from which the actual key
      # shall be read by systemd-creds.
      # Do not remove this check as the nix store is world-readable.
      sectionWireGuardPeer = checkUnitConfigWithLegacyKey "wireguardPeerConfig" "WireGuardPeer" [
        (assertKeyIsSystemdCredential "PresharedKey")
        (assertOnlyFields [
          "PublicKey"
          "PresharedKey"
          "PresharedKeyFile"
          "AllowedIPs"
          "Endpoint"