nixos/wg-quick: added support for configuration files

2022-05-01 20:38:24 +04:00 · 2022-05-01 20:38:24 +04:00 · 8de1e9e2f8
commit 8de1e9e2f8
parent b9387eced5
1 changed files with 27 additions and 2 deletions
--- a/nixos/modules/services/networking/wg-quick.nix
+++ b/nixos/modules/services/networking/wg-quick.nix
@ -10,6 +10,18 @@ let

  interfaceOpts = { ... }: {
    options = {
+
+      configFile = mkOption {
+        example = "/secret/wg0.conf";
+        default = null;
+        type = with types; nullOr str;
+        description = ''
+          wg-quick .conf file, describing the interface.
+          This overrides any other configuration interface configuration options.
+          See wg-quick manpage for more details.
+        '';
+      };
+
      address = mkOption {
        example = [ "192.168.2.1/24" ];
        default = [];
@ -205,7 +217,7 @@ let
  writeScriptFile = name: text: ((pkgs.writeShellScriptBin name text) + "/bin/${name}");

  generateUnit = name: values:
-    assert assertMsg ((values.privateKey != null) != (values.privateKeyFile != null)) "Only one of privateKey or privateKeyFile may be set";
+    assert assertMsg (values.configFile != null || ((values.privateKey != null) != (values.privateKeyFile != null))) "Only one of privateKey, configFile or privateKeyFile may be set";
    let
      preUpFile = if values.preUp != "" then writeScriptFile "preUp.sh" values.preUp else null;
      postUp =
@ -247,7 +259,12 @@ let
          optionalString (peer.allowedIPs != []) "AllowedIPs = ${concatStringsSep "," peer.allowedIPs}\n"
        ) values.peers;
      };
-      configPath = "${configDir}/${name}.conf";
+      configPath =
+        if values.configFile != null then
+          # This uses bind-mounted private tmp folder (/tmp/systemd-private-***)
+          "/tmp/${name}.conf"
+        else
+          "${configDir}/${name}.conf";
    in
    nameValuePair "wg-quick-${name}"
      {
@ -265,9 +282,17 @@ let

        script = ''
          ${optionalString (!config.boot.isContainer) "modprobe wireguard"}
+          ${optionalString (values.configFile != null) ''
+            cp ${values.configFile} ${configPath}
+          ''}
          wg-quick up ${configPath}
        '';

+        serviceConfig = {
+          # Used to privately store renamed copies of external config files during activation
+          PrivateTmp = true;
+        };
+
        preStop = ''
          wg-quick down ${configPath}
        '';