author | Niklas Hambüchen <mail@nh2.me> | 2021-04-30 22:56:38 +0200 |
committer | Niklas Hambüchen <mail@nh2.me> | 2021-04-30 23:05:10 +0200 |
commit | aaffc6447d4cd66be202fb34b31bacf947f0f709 (patch) | |
tree | c9f9a28a73070f821519181bd8cc0956508fb051 /nixos | |
parent | c8dff328e51f62760bf646bc345e3aabcfd82046 (diff) | |
wireguard module: Quote all command line arguments correctly.
Standard best-practice shell quoting, which can prevent the most horrible production accidents. Note that we cannot use `+ optionalString someBool '' someString''` because Nix's multi-line ''double-quoted'' strings remove leading whitespace.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/wireguard.nix | 36 |
1 files changed, 20 insertions, 16 deletions
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 34c86934535..3e097063ae2 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -286,16 +286,18 @@ let
           };
           script = let
-            wg_setup = "${wg} set ${interfaceName} peer ${peer.publicKey}" +
-              optionalString (psk != null) " preshared-key ${psk}" +
-              optionalString (peer.endpoint != null) " endpoint ${peer.endpoint}" +
-              optionalString (peer.persistentKeepalive != null) " persistent-keepalive ${toString peer.persistentKeepalive}" +
-              optionalString (peer.allowedIPs != []) " allowed-ips ${concatStringsSep "," peer.allowedIPs}";
+            wg_setup = concatStringsSep " " (
+              [ ''${wg} set ${interfaceName} peer "${peer.publicKey}"'' ]
+              ++ optional (psk != null) ''preshared-key "${psk}"''
+              ++ optional (peer.endpoint != null) ''endpoint "${peer.endpoint}"''
+              ++ optional (peer.persistentKeepalive != null) ''persistent-keepalive "${toString peer.persistentKeepalive}"''
+              ++ optional (peer.allowedIPs != []) ''allowed-ips "${concatStringsSep "," peer.allowedIPs}"''
+            );
             route_setup = optionalString interfaceCfg.allowedIPsAsRoutes
               (concatMapStringsSep "\n" (allowedIP:
-                "${ip} route replace ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}"
+                ''${ip} route replace "${allowedIP}" dev "${interfaceName}" table "${interfaceCfg.table}"''
               ) peer.allowedIPs);
           in ''
             ${wg_setup}
@@ -306,10 +308,10 @@ let
             route_destroy = optionalString interfaceCfg.allowedIPsAsRoutes
               (concatMapStringsSep "\n" (allowedIP:
-                "${ip} route delete ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}"
+                ''${ip} route delete "${allowedIP}" dev "${interfaceName}" table "${interfaceCfg.table}"''
               ) peer.allowedIPs);
           in ''
-            ${wg} set ${interfaceName} peer ${peer.publicKey} remove
+            ${wg} set "${interfaceName}" peer "${peer.publicKey}" remove
             ${route_destroy}
           '';
         };
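Review bot: `interfaceName` is left unquoted in the new head line of `wg_setup`, `''${wg} set ${interfaceName} peer "${peer.publicKey}"''`, while the same argument is quoted in the `route replace` line below it and in the `remove` line of the next hunk; for consistency it should read `''${wg} set "${interfaceName}" peer "${peer.publicKey}"''`. Double quotes only stop word splitting and globbing: `$`, backticks, backslashes and `"` inside a value (an endpoint, a routing-table name, an allowed-IPs entry) are still interpreted by the shell, so the quoting the commit aims for is better done with `escapeShellArg` from lib, e.g. `''allowed-ips ${escapeShellArg (concatStringsSep "," peer.allowedIPs)}''`, and the same applies to every `"${...}"` in the three following hunks. A short comment above `wg_setup` saying that the list-plus-`optional` form replaces `optionalString` because `''` strings strip leading whitespace would keep the rationale from the commit message next to the code.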
@@ -345,23 +347,25 @@ let
             ${values.preSetup}
-            ${ipPreMove} link add dev ${name} type wireguard
-            ${optionalString (values.interfaceNamespace != null && values.interfaceNamespace != values.socketNamespace) "${ipPreMove} link set ${name} netns ${ns}"}
+            ${ipPreMove} link add dev "${name}" type wireguard
+            ${optionalString (values.interfaceNamespace != null && values.interfaceNamespace != values.socketNamespace) ''${ipPreMove} link set "${name}" netns "${ns}"''}
             ${concatMapStringsSep "\n" (ip:
-            "${ipPostMove} address add ${ip} dev ${name}"
+            ''${ipPostMove} address add "${ip}" dev "${name}"''
             ) values.ips}
-            ${wg} set ${name} private-key ${privKey} ${
-              optionalString (values.listenPort != null) " listen-port ${toString values.listenPort}"}
+            ${concatStringsSep " " (
+              [ ''${wg} set "${name}" private-key "${privKey}"'' ]
+              ++ optional (values.listenPort != null) ''listen-port "${toString values.listenPort}"''
+            )}
-            ${ipPostMove} link set up dev ${name}
+            ${ipPostMove} link set up dev "${name}"
             ${values.postSetup}
           '';
           postStop = ''
-            ${ipPostMove} link del dev ${name}
+            ${ipPostMove} link del dev "${name}"
             ${values.postShutdown}
           '';
         };
@@ -371,7 +375,7 @@ let
           nsList = filter (ns: ns != null) [ src dst ];
           ns = last nsList;
         in
-          if (length nsList > 0 && ns != "init") then "ip netns exec ${ns} ${cmd}" else cmd;
+          if (length nsList > 0 && ns != "init") then ''ip netns exec "${ns}" "${cmd}"'' else cmd;
       in { |
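Review bot: Quoting `cmd` as `"${cmd}"` in the last hunk hands it to `ip netns exec` as a single word, so a `cmd` that is a program name followed by arguments would stop working, whereas the old `${cmd}` tolerated that. If every caller passes a bare program name this is harmless, but the wrapper's header and its call sites lie outside the hunk, so that cannot be confirmed from here. If arguments are meant to be allowed, keep `${cmd}` unquoted (or have callers pass a list and render it with `escapeShellArgs`) and protect only `ns`, which as a namespace name is the value that actually needs it, preferably as `''ip netns exec ${escapeShellArg ns} ${cmd}''`.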