Retropex/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nixos/networkd: support systemd-creds in WireGuard

Browse Source 
systemd 256 supports network.wireguard.* credentials (https://github.com/systemd/systemd/pull/30826).
Check whether PrivateKey / PresharedKey starts with an @, if so it is a credential.
This commit is contained in:
James Atkins 2024-10-06 16:52:42 -05:00
parent bc947f541a
commit 42f5ecde9d
2 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
nixos/lib/systemd-lib.nix
View File

@ -17,6 +17,7 @@ let
filterAttrs filterAttrs
flatten flatten
flip flip
hasPrefix
head head
isInt isInt
isFloat isFloat
@ -196,6 +197,10 @@ in rec {
optional (attr ? ${name}) optional (attr ? ${name})
"Systemd ${group} field `${name}' has been removed. See ${see}"; "Systemd ${group} field `${name}' has been removed. See ${see}";
assertKeyIsSystemdCredential = name: group: attr:
optional (attr ? ${name} && !(hasPrefix "@" attr.${name}))
"Systemd ${group} field `${name}' is not a systemd credential";
checkUnitConfig = group: checks: attrs: let checkUnitConfig = group: checks: attrs: let
# We're applied at the top-level type (attrsOf unitOption), so the actual # We're applied at the top-level type (attrsOf unitOption), so the actual
# unit options might contain attributes from mkOverride and mkIf that we need to # unit options might contain attributes from mkOverride and mkIf that we need to

18
nixos/modules/system/boot/networkd.nix
View File

@ -411,11 +411,14 @@ let
(assertValueOneOf "Layer2SpecificHeader" [ "none" "default" ]) (assertValueOneOf "Layer2SpecificHeader" [ "none" "default" ])
]; ];
# NOTE The PrivateKey directive is missing on purpose here, please # NOTE Check whether the key starts with an @, in which case it is
# do not add it to this list. The nix store is world-readable let's # interpreted as the name of the credential from which the actual key
# refrain ourselves from providing a footgun. # shall be read by systemd-creds.
# Do not remove this check as the nix store is world-readable.
sectionWireGuard = checkUnitConfig "WireGuard" [ sectionWireGuard = checkUnitConfig "WireGuard" [
(assertKeyIsSystemdCredential "PrivateKey")
(assertOnlyFields [ (assertOnlyFields [
"PrivateKey"
"PrivateKeyFile" "PrivateKeyFile"
"ListenPort" "ListenPort"
"FirewallMark" "FirewallMark"
@ -426,12 +429,15 @@ let
(assertRange "FirewallMark" 1 4294967295) (assertRange "FirewallMark" 1 4294967295)
]; ];
# NOTE The PresharedKey directive is missing on purpose here, please # NOTE Check whether the key starts with an @, in which case it is
# do not add it to this list. The nix store is world-readable,let's # interpreted as the name of the credential from which the actual key
# refrain ourselves from providing a footgun. # shall be read by systemd-creds.
# Do not remove this check as the nix store is world-readable.
sectionWireGuardPeer = checkUnitConfigWithLegacyKey "wireguardPeerConfig" "WireGuardPeer" [ sectionWireGuardPeer = checkUnitConfigWithLegacyKey "wireguardPeerConfig" "WireGuardPeer" [
(assertKeyIsSystemdCredential "PresharedKey")
(assertOnlyFields [ (assertOnlyFields [
"PublicKey" "PublicKey"
"PresharedKey"
"PresharedKeyFile" "PresharedKeyFile"
"AllowedIPs" "AllowedIPs"
"Endpoint" "Endpoint"