nixos/wireguard-networkd: use systemd credentials for privateKeyFile and presharedKeyFile

2025-07-13 21:50:33 +03:00 · 2024-12-10 17:36:46 -05:00 · 2024-12-10 17:36:46 -05:00 · 6bc8dcc630
commit 6bc8dcc630
parent cf793a6ae0
3 changed files with 22 additions and 14 deletions
--- a/nixos/modules/services/networking/wireguard-networkd.nix
+++ b/nixos/modules/services/networking/wireguard-networkd.nix
@ -14,14 +14,26 @@ let
    mapAttrsToList
    nameValuePair
    ;
-  inherit (lib.lists) concatMap concatLists;
+  inherit (lib.lists) concatMap concatLists filter;
  inherit (lib.modules) mkIf;
  inherit (lib.options) literalExpression mkOption;
  inherit (lib.strings) hasInfix;
-  inherit (lib.trivial) flip;
+  inherit (lib.trivial) flip pipe;

  removeNulls = filterAttrs (_: v: v != null);

+  privateKeyCredential = interfaceName: "wireguard-${interfaceName}-private-key";
+  presharedKeyCredential =
+    interfaceName: peer: "wireguard-${interfaceName}-${peer.name}-preshared-key";
+
+  interfaceCredentials =
+    interfaceName: interface:
+    [ "${privateKeyCredential interfaceName}:${interface.privateKeyFile}" ]
+    ++ pipe interface.peers [
+      (filter (peer: peer.presharedKeyFile != null))
+      (map (peer: "${presharedKeyCredential interfaceName peer}:${peer.presharedKeyFile}"))
+    ];
+
  generateNetdev =
    name: interface:
    nameValuePair "40-${name}" {
@ -31,20 +43,20 @@ let
        MTUBytes = interface.mtu;
      };
      wireguardConfig = removeNulls {
-        PrivateKeyFile = interface.privateKeyFile;
+        PrivateKey = "@${privateKeyCredential name}";
        ListenPort = interface.listenPort;
        FirewallMark = interface.fwMark;
        RouteTable = if interface.allowedIPsAsRoutes then interface.table else null;
        RouteMetric = interface.metric;
      };
-      wireguardPeers = map generateWireguardPeer interface.peers;
+      wireguardPeers = map (generateWireguardPeer name) interface.peers;
    };

  generateWireguardPeer =
-    peer:
+    interfaceName: peer:
    removeNulls {
      PublicKey = peer.publicKey;
-      PresharedKeyFile = peer.presharedKeyFile;
+      PresharedKey = "@${presharedKeyCredential interfaceName peer}";
      AllowedIPs = peer.allowedIPs;
      Endpoint = peer.endpoint;
      PersistentKeepalive = peer.persistentKeepalive;
@ -201,6 +213,8 @@ in
    };

    systemd.timers = mapAttrs' generateRefreshTimer refreshEnabledInterfaces;
-    systemd.services = mapAttrs' generateRefreshService refreshEnabledInterfaces;
+    systemd.services = (mapAttrs' generateRefreshService refreshEnabledInterfaces) // {
+      systemd-networkd.serviceConfig.LoadCredential = mapAttrsToList interfaceCredentials cfg.interfaces;
+    };
  };
 }
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@ -49,9 +49,6 @@ let
        default = null;
        description = ''
          Private key file as generated by {command}`wg genkey`.
-
-          When {option}`networking.wireguard.useNetworkd` is enabled, this file
-          must be readable by the `systemd-network` user.
        '';
      };

@ -259,9 +256,6 @@ let
          Optional, and may be omitted. This option adds an additional layer of
          symmetric-key cryptography to be mixed into the already existing
          public-key cryptography, for post-quantum resistance.
-
-          When {option}`networking.wireguard.useNetworkd` is enabled, this file
-          must be readable by the `systemd-network` user.
        '';
      };