nixos/networkd: support systemd-creds in WireGuard
systemd 256 supports network.wireguard.* credentials (https://github.com/systemd/systemd/pull/30826). Check whether PrivateKey / PresharedKey starts with an @, if so it is a credential.
This commit is contained in:
parent
bc947f541a
commit
42f5ecde9d
@ -17,6 +17,7 @@ let
|
||||
filterAttrs
|
||||
flatten
|
||||
flip
|
||||
hasPrefix
|
||||
head
|
||||
isInt
|
||||
isFloat
|
||||
@ -196,6 +197,10 @@ in rec {
|
||||
optional (attr ? ${name})
|
||||
"Systemd ${group} field `${name}' has been removed. See ${see}";
|
||||
|
||||
assertKeyIsSystemdCredential = name: group: attr:
|
||||
optional (attr ? ${name} && !(hasPrefix "@" attr.${name}))
|
||||
"Systemd ${group} field `${name}' is not a systemd credential";
|
||||
|
||||
checkUnitConfig = group: checks: attrs: let
|
||||
# We're applied at the top-level type (attrsOf unitOption), so the actual
|
||||
# unit options might contain attributes from mkOverride and mkIf that we need to
|
||||
|
@ -411,11 +411,14 @@ let
|
||||
(assertValueOneOf "Layer2SpecificHeader" [ "none" "default" ])
|
||||
];
|
||||
|
||||
# NOTE The PrivateKey directive is missing on purpose here, please
|
||||
# do not add it to this list. The nix store is world-readable let's
|
||||
# refrain ourselves from providing a footgun.
|
||||
# NOTE Check whether the key starts with an @, in which case it is
|
||||
# interpreted as the name of the credential from which the actual key
|
||||
# shall be read by systemd-creds.
|
||||
# Do not remove this check as the nix store is world-readable.
|
||||
sectionWireGuard = checkUnitConfig "WireGuard" [
|
||||
(assertKeyIsSystemdCredential "PrivateKey")
|
||||
(assertOnlyFields [
|
||||
"PrivateKey"
|
||||
"PrivateKeyFile"
|
||||
"ListenPort"
|
||||
"FirewallMark"
|
||||
@ -426,12 +429,15 @@ let
|
||||
(assertRange "FirewallMark" 1 4294967295)
|
||||
];
|
||||
|
||||
# NOTE The PresharedKey directive is missing on purpose here, please
|
||||
# do not add it to this list. The nix store is world-readable,let's
|
||||
# refrain ourselves from providing a footgun.
|
||||
# NOTE Check whether the key starts with an @, in which case it is
|
||||
# interpreted as the name of the credential from which the actual key
|
||||
# shall be read by systemd-creds.
|
||||
# Do not remove this check as the nix store is world-readable.
|
||||
sectionWireGuardPeer = checkUnitConfigWithLegacyKey "wireguardPeerConfig" "WireGuardPeer" [
|
||||
(assertKeyIsSystemdCredential "PresharedKey")
|
||||
(assertOnlyFields [
|
||||
"PublicKey"
|
||||
"PresharedKey"
|
||||
"PresharedKeyFile"
|
||||
"AllowedIPs"
|
||||
"Endpoint"
|
||||
|
Loading…
Reference in New Issue
Block a user