lol

Merge pull request #171155 from cab404/wg-quick-files

nixos/wg-quick: added support for configuration files

authored by

Timothy DeHerrera and committed by
GitHub
ec4e23d4 18bd58aa

+27 -2
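--- a/nixos/modules/services/networking/wg-quick.nix
+++ b/nixos/modules/services/networking/wg-quick.nix
@@ -10,6 +10,18 @@
 
   interfaceOpts = { ... }: {
     options = {
+
+      configFile = mkOption {
+        example = "/secret/wg0.conf";
+        default = null;
+        type = with types; nullOr str;
+        description = ''
+          wg-quick .conf file, describing the interface.
+          This overrides any other configuration interface configuration options.
+          See wg-quick manpage for more details.
+        '';
+      };
+
       address = mkOption {
         example = [ "192.168.2.1/24" ];
         default = [];
@@ -205,7 +217,7 @@
   writeScriptFile = name: text: ((pkgs.writeShellScriptBin name text) + "/bin/${name}");
 
   generateUnit = name: values:
-    assert assertMsg ((values.privateKey != null) != (values.privateKeyFile != null)) "Only one of privateKey or privateKeyFile may be set";
+    assert assertMsg (values.configFile != null || ((values.privateKey != null) != (values.privateKeyFile != null))) "Only one of privateKey, configFile or privateKeyFile may be set";
     let
       preUpFile = if values.preUp != "" then writeScriptFile "preUp.sh" values.preUp else null;
       postUp =
@@ -247,7 +259,12 @@
           optionalString (peer.allowedIPs != []) "AllowedIPs = ${concatStringsSep "," peer.allowedIPs}\n"
         ) values.peers;
       };
-      configPath = "${configDir}/${name}.conf";
+      configPath =
+        if values.configFile != null then
+          # This uses bind-mounted private tmp folder (/tmp/systemd-private-***)
+          "/tmp/${name}.conf"
+        else
+          "${configDir}/${name}.conf";
     in
     nameValuePair "wg-quick-${name}"
       {
@@ -265,8 +282,16 @@
 
         script = ''
           ${optionalString (!config.boot.isContainer) "modprobe wireguard"}
+          ${optionalString (values.configFile != null) ''
+            cp ${values.configFile} ${configPath}
+          ''}
           wg-quick up ${configPath}
         '';
+
+        serviceConfig = {
+          # Used to privately store renamed copies of external config files during activation
+          PrivateTmp = true;
+        };
 
         preStop = ''
           wg-quick down ${configPath}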
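Review bot: The assertion at new line 220 stops checking anything about `privateKey`/`privateKeyFile` as soon as `configFile` is set (the `||` short-circuits the xor), so a config that sets `configFile` together with one or both key options passes silently while the message "Only one of privateKey, configFile or privateKeyFile may be set" claims otherwise; if that exclusivity is intended, make the condition `(values.configFile != null && values.privateKey == null && values.privateKeyFile == null) || (values.configFile == null && (values.privateKey != null) != (values.privateKeyFile != null))`. The `configFile` option is typed `str` rather than `path`, which avoids copying the file into the store, but the description should say so explicitly, e.g. add `Must point to a file outside the Nix store (never a path literal or pkgs.writeText result), since the private key would otherwise become world-readable under /nix/store.` The copy on line 286 interpolates the user-supplied path unquoted into the unit script; `cp "${values.configFile}" "${configPath}"` is the safer form. The description wording "any other configuration interface configuration options" also reads as a typo and presumably means "any other interface configuration options". The unit generator's body continues past this hunk.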