nixos/wireguard-networkd: use systemd credentials for privateKeyFile and presharedKeyFile

nixos/doc/manual/release-notes/rl-2505.section.md

@@ -121,7 +121,7 @@
 
 - Cinnamon has been updated to 6.4.
 
-- `networking.wireguard` now has an optional networkd backend, enabled with `networking.wireguard.useNetworkd`. Some `networking.wireguard` options have slightly different behavior with the networkd and script-based backends, documented in each option. Before upgrading, make sure the `privateKeyFile` and `presharedKeyFile` paths are readable by the `systemd-network` user if using the networkd backend.
+- `networking.wireguard` now has an optional networkd backend, enabled with `networking.wireguard.useNetworkd`. Some `networking.wireguard` options have slightly different behavior with the networkd and script-based backends, documented in each option.
 
 - `services.avahi.ipv6` now defaults to true.
 

nixos/modules/services/networking/wireguard-networkd.nix

@@ -14,14 +14,26 @@ let
     mapAttrsToList
     nameValuePair
     ;
-  inherit (lib.lists) concatMap concatLists;
+  inherit (lib.lists) concatMap concatLists filter;
   inherit (lib.modules) mkIf;
   inherit (lib.options) literalExpression mkOption;
   inherit (lib.strings) hasInfix;
-  inherit (lib.trivial) flip;
+  inherit (lib.trivial) flip pipe;
 
   removeNulls = filterAttrs (_: v: v != null);
 
+  privateKeyCredential = interfaceName: "wireguard-${interfaceName}-private-key";
+  presharedKeyCredential =
+    interfaceName: peer: "wireguard-${interfaceName}-${peer.name}-preshared-key";
+
+  interfaceCredentials =
+    interfaceName: interface:
+    [ "${privateKeyCredential interfaceName}:${interface.privateKeyFile}" ]
+    ++ pipe interface.peers [
+      (filter (peer: peer.presharedKeyFile != null))
+      (map (peer: "${presharedKeyCredential interfaceName peer}:${peer.presharedKeyFile}"))
+    ];
+
   generateNetdev =
     name: interface:
     nameValuePair "40-${name}" {
@@ -31,20 +43,20 @@ let
         MTUBytes = interface.mtu;
       };
       wireguardConfig = removeNulls {
-        PrivateKeyFile = interface.privateKeyFile;
+        PrivateKey = "@${privateKeyCredential name}";
         ListenPort = interface.listenPort;
         FirewallMark = interface.fwMark;
         RouteTable = if interface.allowedIPsAsRoutes then interface.table else null;
         RouteMetric = interface.metric;
       };
-      wireguardPeers = map generateWireguardPeer interface.peers;
+      wireguardPeers = map (generateWireguardPeer name) interface.peers;
     };
 
   generateWireguardPeer =
-    peer:
+    interfaceName: peer:
     removeNulls {
       PublicKey = peer.publicKey;
-      PresharedKeyFile = peer.presharedKeyFile;
+      PresharedKey = "@${presharedKeyCredential interfaceName peer}";
       AllowedIPs = peer.allowedIPs;
       Endpoint = peer.endpoint;
       PersistentKeepalive = peer.persistentKeepalive;
@@ -201,6 +213,8 @@ in
     };
 
     systemd.timers = mapAttrs' generateRefreshTimer refreshEnabledInterfaces;
-    systemd.services = mapAttrs' generateRefreshService refreshEnabledInterfaces;
+    systemd.services = (mapAttrs' generateRefreshService refreshEnabledInterfaces) // {
+      systemd-networkd.serviceConfig.LoadCredential = mapAttrsToList interfaceCredentials cfg.interfaces;
+    };
   };
 }

nixos/modules/services/networking/wireguard.nix

@@ -49,9 +49,6 @@ let
         default = null;
         description = ''
           Private key file as generated by {command}`wg genkey`.
-
-          When {option}`networking.wireguard.useNetworkd` is enabled, this file
-          must be readable by the `systemd-network` user.
         '';
       };
 
@@ -259,9 +256,6 @@ let
           Optional, and may be omitted. This option adds an additional layer of
           symmetric-key cryptography to be mixed into the already existing
           public-key cryptography, for post-quantum resistance.
-
-          When {option}`networking.wireguard.useNetworkd` is enabled, this file
-          must be readable by the `systemd-network` user.
         '';
       };