author | Naïm Favier <n@monade.li> | 2022-03-29 21:18:46 +0200 |
---|---|---|
committer | Naïm Favier <n@monade.li> | 2022-06-21 22:58:44 +0200 |
commit | 458ac47a1d5491dfb610cb8faaffcf5d5445b224 (patch) | |
tree | 891942ea8798e5a745a395fdfeced3ff88876ad5 | |
parent | fd662e5c4657f451d1fa534fccdc61aebba841ca (diff) | |
nixos/wg-quick: improve usage with systemd-networkd
Use `networking.resolvconf.package` to allow DNS entries to be set using the system-wide resolver implementation instead of hardcoding systemd or openresolv. Extend the tests by adding DNS entries and making one of the peers use systemd-networkd (hence systemd-resolved). Also add a few `networkd`-specific settings.
-rw-r--r-- | nixos/modules/services/networking/wg-quick.nix | 8 | ||||
-rw-r--r-- | nixos/tests/wireguard/wg-quick.nix | 5 |
2 files changed, 12 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/wg-quick.nix b/nixos/modules/services/networking/wg-quick.nix
index 236d3f452e7..d44fad4202b 100644
--- a/nixos/modules/services/networking/wg-quick.nix
+++ b/nixos/modules/services/networking/wg-quick.nix
@@ -273,7 +273,7 @@ let
 after = [ "network.target" "network-online.target" ];
 wantedBy = optional values.autostart "multi-user.target";
 environment.DEVICE = name;
- path = [ pkgs.kmod pkgs.wireguard-tools ];
+ path = [ pkgs.kmod pkgs.wireguard-tools config.networking.resolvconf.package ];
 serviceConfig = {
 Type = "oneshot";
@@ -332,5 +332,11 @@ in {
 # breaks the wg-quick routing because wireguard packets leave with a fwmark from wireguard.
 networking.firewall.checkReversePath = false;
 systemd.services = mapAttrs' generateUnit cfg.interfaces;
+
+ # Prevent networkd from clearing the rules set by wg-quick when restarted (e.g. when waking up from suspend).
+ systemd.network.config.networkConfig.ManageForeignRoutingPolicyRules = mkDefault false;
+
+ # WireGuard interfaces should be ignored in determining whether the network is online.
+ systemd.network.wait-online.ignoredInterfaces = builtins.attrNames cfg.interfaces;
 };
 }
diff --git a/nixos/tests/wireguard/wg-quick.nix b/nixos/tests/wireguard/wg-quick.nix
index 961c2e15c30..bc2cba91188 100644
--- a/nixos/tests/wireguard/wg-quick.nix
+++ b/nixos/tests/wireguard/wg-quick.nix
@@ -29,6 +29,8 @@ import ../make-test-python.nix ({ pkgs, lib, ... }:
 inherit (wg-snakeoil-keys.peer1) publicKey;
 };
+
+ dns = [ "10.23.42.2" "fc00::2" "wg0" ];
 };
 };
 };
@@ -38,6 +40,7 @@ import ../make-test-python.nix ({ pkgs, lib, ... }:
 ip6 = "fd00::2";
 extraConfig = {
 boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
+ networking.useNetworkd = true;
 networking.wg-quick.interfaces.wg0 = {
 address = [ "10.23.42.2/32" "fc00::2/128" ];
 inherit (wg-snakeoil-keys.peer1) privateKey;
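Review bot: The new `config.networking.resolvconf.package` entry in `path` has no comment saying why a resolver package belongs on the unit's PATH, and nothing else in the hunk shows the consumer; wg-quick runs `resolvconf` itself when an interface sets DNS=, so a line such as `# wg-quick shells out to resolvconf(8) for DNS= entries; use the system-wide implementation (openresolv, or systemd's resolvconf compatibility command when resolved is in use)` would make the dependency explicit. I cannot see from the hunk whether the module gates on `networking.resolvconf.enable`; if it does not, the package is placed on PATH regardless and a DNS= entry will presumably still invoke it, which is worth stating in that comment. The `generateUnit` definition this attribute belongs to starts and ends outside the hunk.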
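Review bot: `ManageForeignRoutingPolicyRules = mkDefault false` is a system-wide networkd setting rather than one scoped to the wg-quick interfaces — it stops networkd from removing any policy rule it did not create, not only the ones wg-quick installs — and the added comment should say so, e.g. `# System-wide: networkd will leave every foreign policy rule alone, not just wg-quick's; mkForce true if you rely on networkd cleaning up stale rules.` The `ignoredInterfaces` line is derived unconditionally from `cfg.interfaces`, which is fine as a list merge, but both options take effect on hosts that never enable networkd; that is harmless yet worth a word in the comment. The enclosing config attribute set starts outside the hunk, so I cannot tell whether it is already wrapped in a `mkIf` on `cfg.interfaces`.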
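Review bot: The new `dns` list points each peer at the other peer's tunnel address (`10.23.42.2`/`fc00::2` here, `10.23.42.1`/`fc00::1` in the matching hunk at `@@ -49,6 +52,8`), and nothing in these hunks shows a resolver listening there; if the test script, which lies outside the hunks, only waits for the tunnel, the DNS= path is exercised only in that wg-quick does not fail when it calls resolvconf. A check that the resolver actually received the entries — for instance `peer1.succeed("resolvectl status wg0 | grep 10.23.42.1")` on the networkd peer and an equivalent `/etc/resolv.conf` check on the openresolv peer — would make the description's claim about the system-wide resolver testable. The trailing `"wg0"` entry is a search domain rather than a server under wg-quick's DNS= handling; a short comment `# "wg0" is added as a search domain, not a server` would save readers a trip to the man page.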
@@ -49,6 +52,8 @@ import ../make-test-python.nix ({ pkgs, lib, ... }:
 inherit (wg-snakeoil-keys.peer0) publicKey;
 };
+
+ dns = [ "10.23.42.1" "fc00::1" "wg0" ];
 };
 };
 };