movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

nixos/wg-quick: added support for configuration files

Browse source
This commit is contained in:
cab 2022-05-01 20:38:24 +04:00
parent b9387eced5
commit 8de1e9e2f8
No known key found for this signature in database
GPG key ID: 08AA9711F8CD40CF
1 changed files with 27 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

29
nixos/modules/services/networking/wg-quick.nix
View file

@ -10,6 +10,18 @@ let
interfaceOpts = { ... }: { interfaceOpts = { ... }: {
options = { options = {
configFile = mkOption {
example = "/secret/wg0.conf";
default = null;
type = with types; nullOr str;
description = ''
wg-quick .conf file, describing the interface.
This overrides any other configuration interface configuration options.
See wg-quick manpage for more details.
'';
};
address = mkOption { address = mkOption {
example = [ "192.168.2.1/24" ]; example = [ "192.168.2.1/24" ];
default = []; default = [];
@ -205,7 +217,7 @@ let
writeScriptFile = name: text: ((pkgs.writeShellScriptBin name text) + "/bin/${name}"); writeScriptFile = name: text: ((pkgs.writeShellScriptBin name text) + "/bin/${name}");
generateUnit = name: values: generateUnit = name: values:
assert assertMsg ((values.privateKey != null) != (values.privateKeyFile != null)) "Only one of privateKey or privateKeyFile may be set"; assert assertMsg (values.configFile != null || ((values.privateKey != null) != (values.privateKeyFile != null))) "Only one of privateKey, configFile or privateKeyFile may be set";
let let
preUpFile = if values.preUp != "" then writeScriptFile "preUp.sh" values.preUp else null; preUpFile = if values.preUp != "" then writeScriptFile "preUp.sh" values.preUp else null;
postUp = postUp =
@ -247,7 +259,12 @@ let
optionalString (peer.allowedIPs != []) "AllowedIPs = ${concatStringsSep "," peer.allowedIPs}\n" optionalString (peer.allowedIPs != []) "AllowedIPs = ${concatStringsSep "," peer.allowedIPs}\n"
) values.peers; ) values.peers;
}; };
configPath = "${configDir}/${name}.conf"; configPath =
if values.configFile != null then
# This uses bind-mounted private tmp folder (/tmp/systemd-private-***)
"/tmp/${name}.conf"
else
"${configDir}/${name}.conf";
in in
nameValuePair "wg-quick-${name}" nameValuePair "wg-quick-${name}"
{ {
@ -265,9 +282,17 @@ let
script = '' script = ''
${optionalString (!config.boot.isContainer) "modprobe wireguard"} ${optionalString (!config.boot.isContainer) "modprobe wireguard"}
${optionalString (values.configFile != null) ''
cp ${values.configFile} ${configPath}
''}
wg-quick up ${configPath} wg-quick up ${configPath}
''; '';
serviceConfig = {
# Used to privately store renamed copies of external config files during activation
PrivateTmp = true;
};
preStop = '' preStop = ''
wg-quick down ${configPath} wg-quick down ${configPath}
''; '';