authorseb314 <sebastian.bachem@tum.de>2021-10-02 13:34:25 +0200
committerseb314 <sebastian.bachem@tum.de>2022-10-28 19:16:05 +0200
commit82c5c3c9a9b5309a329f8b247621b0f36fd9210e (patch)
tree44e0e89732f5bc6f2c56007875d8a0478eee72ef
parent574a61b4cd07357b49145925aac994ae710dc9eb (diff)
wireguard: when dyn-dns refresh is enabled, reconnect after failures
Make the dynamic-dns refresh systemd service (controlled via the
preexisting option dynamicEndpointRefreshSeconds) robust to e.g. DNS
failures that happen on intermittent network connections.

Background:

When dns resolution fails with a 'permanent' error ("Name or service not
known" instead of "Temporary failure in name resolution"), wireguard
won't retry despite WG_ENDPOINT_RESOLUTION_RETRIES=infinity.

-> This change should improve reliability/connectivity.

somewhat related thread: https://github.com/NixOS/nixpkgs/issues/63869
-rw-r--r--nixos/modules/services/networking/wireguard.nix24
1 files changed, 24 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 55b84935b6c..5c18a1001d8 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -224,6 +224,21 @@ let
         '';
       };
 
+      dynamicEndpointRefreshRestartSeconds = mkOption {
+        default = null;
+        example = 5;
+        type = with types; nullOr ints.unsigned;
+        description = lib.mdDoc ''
+          When the dynamic endpoint refresh that is configured via
+          dynamicEndpointRefreshSeconds exits (likely due to a failure),
+          restart that service after this many seconds.
+
+          If set to `null` the value of
+          {option}`networking.wireguard.dynamicEndpointRefreshSeconds`
+          will be used as the default.
+        '';
+      };
+
       persistentKeepalive = mkOption {
         default = null;
         type = with types; nullOr int;
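Review bot: `nullOr ints.unsigned` accepts 0 for `dynamicEndpointRefreshRestartSeconds`, and the second hunk of this file sets `StartLimitIntervalSec = 0`, so a value of 0 would let systemd restart the refresh service back-to-back with no rate limit while name resolution keeps failing. Consider `type = with types; nullOr ints.positive;` so the restart delay is always at least one second. The description's `{option}` reference names `networking.wireguard.dynamicEndpointRefreshSeconds`, while the second hunk reads the value as `peer.dynamicEndpointRefreshSeconds`, so the reference probably does not resolve to a real option; spelling out the full per-peer option path would be more accurate. The enclosing option set starts and ends outside the hunk.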
@@ -320,7 +335,16 @@ let
                 # cannot be used with systemd timers (see `man systemd.timer`),
                 # which is why `simple` with a loop is the best choice here.
                 # It also makes starting and stopping easiest.
+                #
+                # Restart if the service exits (e.g. when wireguard gives up after "Name or service not known" dns failures):
+                Restart = "always";
+                RestartSec = if null != peer.dynamicEndpointRefreshRestartSeconds
+                             then peer.dynamicEndpointRefreshRestartSeconds
+                             else peer.dynamicEndpointRefreshSeconds;
               };
+        unitConfig = lib.optionalAttrs dynamicRefreshEnabled {
+          StartLimitIntervalSec = 0;
+        };
 
         script = let
           wg_setup = concatStringsSep " " (
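Review bot: With `Restart = "always"` and `StartLimitIntervalSec = 0` the unit can never reach the `failed` state, so a persistent error rather than a transient DNS one (presumably things like a mistyped endpoint or an unreadable key file) is retried forever and shows up only in the journal, not in anything that alerts on failed units. That is a defensible trade-off for a tunnel that has to come back on its own, but it should be stated next to the setting, e.g. `# Start rate limiting is disabled on purpose: retry forever. The unit never enters "failed", so watch the journal or the peer's last-handshake age instead.` The `serviceConfig` attribute set starts outside the hunk, so whether `Restart`/`RestartSec` apply only to the dynamic-refresh case cannot be confirmed from the visible lines.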