nixos/networkd: support systemd-creds in WireGuard

systemd 256 supports network.wireguard.* credentials (https://github.com/systemd/systemd/pull/30826). Check whether PrivateKey / PresharedKey starts with an @, if so it is a credential.
2024-11-25 16:33:15 +00:00 · 2024-10-06 16:52:42 -05:00 · 2024-10-06 16:52:42 -05:00 · 42f5ecde9d
commit 42f5ecde9d
parent bc947f541a
2 changed files with 17 additions and 6 deletions
--- a/nixos/lib/systemd-lib.nix
+++ b/nixos/lib/systemd-lib.nix
@ -17,6 +17,7 @@ let
    filterAttrs
    flatten
    flip
+    hasPrefix
    head
    isInt
    isFloat
@ -196,6 +197,10 @@ in rec {
    optional (attr ? ${name})
      "Systemd ${group} field `${name}' has been removed. See ${see}";

+  assertKeyIsSystemdCredential = name: group: attr:
+    optional (attr ? ${name} && !(hasPrefix "@" attr.${name}))
+      "Systemd ${group} field `${name}' is not a systemd credential";
+
  checkUnitConfig = group: checks: attrs: let
    # We're applied at the top-level type (attrsOf unitOption), so the actual
    # unit options might contain attributes from mkOverride and mkIf that we need to
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@ -411,11 +411,14 @@ let
        (assertValueOneOf "Layer2SpecificHeader" [ "none" "default" ])
      ];

-      # NOTE The PrivateKey directive is missing on purpose here, please
-      # do not add it to this list. The nix store is world-readable let's
-      # refrain ourselves from providing a footgun.
+      # NOTE Check whether the key starts with an @, in which case it is
+      # interpreted as the name of the credential from which the actual key
+      # shall be read by systemd-creds.
+      # Do not remove this check as the nix store is world-readable.
      sectionWireGuard = checkUnitConfig "WireGuard" [
+        (assertKeyIsSystemdCredential "PrivateKey")
        (assertOnlyFields [
+          "PrivateKey"
          "PrivateKeyFile"
          "ListenPort"
          "FirewallMark"
@ -426,12 +429,15 @@ let
        (assertRange "FirewallMark" 1 4294967295)
      ];

-      # NOTE The PresharedKey directive is missing on purpose here, please
-      # do not add it to this list. The nix store is world-readable,let's
-      # refrain ourselves from providing a footgun.
+      # NOTE Check whether the key starts with an @, in which case it is
+      # interpreted as the name of the credential from which the actual key
+      # shall be read by systemd-creds.
+      # Do not remove this check as the nix store is world-readable.
      sectionWireGuardPeer = checkUnitConfigWithLegacyKey "wireguardPeerConfig" "WireGuardPeer" [
+        (assertKeyIsSystemdCredential "PresharedKey")
        (assertOnlyFields [
          "PublicKey"
+          "PresharedKey"
          "PresharedKeyFile"
          "AllowedIPs"
          "Endpoint"