authorTimothy DeHerrera <tim.deh@pm.me>2022-06-11 22:00:45 -0700
committerGitHub <noreply@github.com>2022-06-11 22:00:45 -0700
commitec4e23d4e97b0391fafc356fd2625e8e93fc11f9 (patch)
tree7438610097d3743618ea2551f13399507d9f202f
parent18bd58aa85947bdef47ae3a601fff2d81de0b2d3 (diff)
parent8de1e9e2f88e82df7fcdc109ed58b2db2da59ce7 (diff)
Merge pull request #171155 from cab404/wg-quick-files
nixos/wg-quick: added support for configuration files
-rw-r--r--nixos/modules/services/networking/wg-quick.nix29
1 files changed, 27 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/wg-quick.nix b/nixos/modules/services/networking/wg-quick.nix
index 0b3815d0cc6..236d3f452e7 100644
--- a/nixos/modules/services/networking/wg-quick.nix
+++ b/nixos/modules/services/networking/wg-quick.nix
@@ -10,6 +10,18 @@ let
 
   interfaceOpts = { ... }: {
     options = {
+
+      configFile = mkOption {
+        example = "/secret/wg0.conf";
+        default = null;
+        type = with types; nullOr str;
+        description = ''
+          wg-quick .conf file, describing the interface.
+          This overrides any other configuration interface configuration options.
+          See wg-quick manpage for more details.
+        '';
+      };
+
       address = mkOption {
         example = [ "192.168.2.1/24" ];
         default = [];
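Review bot: The description of the new `configFile` option never says why its type is `str` rather than `path`, which is the one thing a user must know: a quoted string is read at activation time, whereas an unquoted Nix path literal would copy the whole wg-quick config, private key included, into the world-readable Nix store. The sentence "This overrides any other configuration interface configuration options." also reads oddly. I would replace the description body with: `Path (as a string, not a Nix path literal, so the file is not copied into the world-readable Nix store) to a wg-quick .conf file describing the interface. This overrides all other interface configuration options. See the wg-quick manpage for details.`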
@@ -205,7 +217,7 @@ let
   writeScriptFile = name: text: ((pkgs.writeShellScriptBin name text) + "/bin/${name}");
 
   generateUnit = name: values:
-    assert assertMsg ((values.privateKey != null) != (values.privateKeyFile != null)) "Only one of privateKey or privateKeyFile may be set";
+    assert assertMsg (values.configFile != null || ((values.privateKey != null) != (values.privateKeyFile != null))) "Only one of privateKey, configFile or privateKeyFile may be set";
     let
       preUpFile = if values.preUp != "" then writeScriptFile "preUp.sh" values.preUp else null;
       postUp =
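Review bot: The rewritten assertion lets `configFile` coexist with `privateKey` and/or `privateKeyFile`, because once `values.configFile != null` is true the right-hand side is never evaluated, yet its message promises that only one of the three may be set. Whether the unused key material is then silently ignored or still rendered into the generated config is decided outside this hunk, so the cheapest fix is to make the check match the message: `assert assertMsg (if values.configFile != null then values.privateKey == null && values.privateKeyFile == null else (values.privateKey != null) != (values.privateKeyFile != null)) "Only one of privateKey, configFile or privateKeyFile may be set";`. The body of `generateUnit` continues past the end of the hunk.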
@@ -247,7 +259,12 @@ let
           optionalString (peer.allowedIPs != []) "AllowedIPs = ${concatStringsSep "," peer.allowedIPs}\n"
         ) values.peers;
       };
-      configPath = "${configDir}/${name}.conf";
+      configPath =
+        if values.configFile != null then
+          # This uses bind-mounted private tmp folder (/tmp/systemd-private-***)
+          "/tmp/${name}.conf"
+        else
+          "${configDir}/${name}.conf";
     in
     nameValuePair "wg-quick-${name}"
       {
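Review bot: The `/tmp/${name}.conf` branch is only safe because `PrivateTmp = true` is added to the same unit's `serviceConfig` later in this commit; the comment on the new line names the systemd-private directory but not that the copied config, private key included, would land in the shared world-writable `/tmp` if a user definition later sets `PrivateTmp = false` on the unit. I would make the coupling explicit: `# Relies on serviceConfig.PrivateTmp = true below; without it the copied config (and its private key) would be written to the shared /tmp.` A `RuntimeDirectory` under `/run` with a `0700` `RuntimeDirectoryMode` would remove the dependence on the tmp namespace altogether, since wg-quick only requires the basename to be `<interface>.conf`. The enclosing `let` starts before this hunk.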
@@ -265,9 +282,17 @@ let
 
         script = ''
           ${optionalString (!config.boot.isContainer) "modprobe wireguard"}
+          ${optionalString (values.configFile != null) ''
+            cp ${values.configFile} ${configPath}
+          ''}
           wg-quick up ${configPath}
         '';
 
+        serviceConfig = {
+          # Used to privately store renamed copies of external config files during activation
+          PrivateTmp = true;
+        };
+
         preStop = ''
           wg-quick down ${configPath}
         '';
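Review bot: `cp ${values.configFile} ${configPath}` on the added line splices the admin-supplied path into the unit script unquoted, so a path containing whitespace or shell glob characters is word-split or expanded rather than copied. Passing it through the library escaper avoids that: `cp ${escapeShellArg values.configFile} ${configPath}` — `escapeShellArg` lives in `lib`, which the unqualified `optionalString` and `nameValuePair` suggest is already in scope; `configPath` is derived from the interface name and can stay as is. The new `serviceConfig` block would also benefit from a comment tying it to that copy, e.g. `# Keeps the copied config (and its private key) out of the shared /tmp; configPath depends on this`, so that anyone overriding `PrivateTmp` later sees what they are disabling.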