{ config
, lib
, options
, pkgs
, ...
}:
let
inherit (lib)
attrValues
concatLines
concatMap
filter
filterAttrsRecursive
flatten
getExe
mkIf
optional
;
cfg = config.services.rosenpass;
opt = options.services.rosenpass;
settingsFormat = pkgs.formats.toml { };
in
{
options.services.rosenpass =
let
inherit (lib)
literalExpression
mkOption
;
inherit (lib.types)
enum
listOf
nullOr
path
str
submodule
;
in
{
enable = lib.mkEnableOption "Rosenpass";
package = lib.mkPackageOption pkgs "rosenpass" { };
defaultDevice = mkOption {
type = nullOr str;
description = "Name of the network interface to use for all peers by default.";
example = "wg0";
};
settings = mkOption {
type = submodule {
freeformType = settingsFormat.type;
options = {
public_key = mkOption {
type = path;
description = "Path to a file containing the public key of the local Rosenpass peer. Generate this by running {command}`rosenpass gen-keys`.";
};
secret_key = mkOption {
type = path;
description = "Path to a file containing the secret key of the local Rosenpass peer. Generate this by running {command}`rosenpass gen-keys`.";
};
listen = mkOption {
type = listOf str;
description = "List of local endpoints to listen for connections.";
default = [ ];
example = literalExpression "[ \"0.0.0.0:10000\" ]";
};
verbosity = mkOption {
type = enum [ "Verbose" "Quiet" ];
default = "Quiet";
description = "Verbosity of output produced by the service.";
};
peers =
let
peer = submodule {
freeformType = settingsFormat.type;
options = {
public_key = mkOption {
type = path;
description = "Path to a file containing the public key of the remote Rosenpass peer.";
};
endpoint = mkOption {
type = nullOr str;
default = null;
description = "Endpoint of the remote Rosenpass peer.";
};
device = mkOption {
type = str;
default = cfg.defaultDevice;
defaultText = literalExpression "config.${opt.defaultDevice}";
description = "Name of the local WireGuard interface to use for this peer.";
};
peer = mkOption {
type = str;
description = "WireGuard public key corresponding to the remote Rosenpass peer.";
};
};
};
in
mkOption {
type = listOf peer;
description = "List of peers to exchange keys with.";
default = [ ];
};
};
};
default = { };
description = "Configuration for Rosenpass, see for further information.";
};
};
config = mkIf cfg.enable {
warnings =
let
# NOTE: In the descriptions below, we tried to refer to e.g.
# options.systemd.network.netdevs."".wireguardPeers.*.PublicKey
# directly, but don't know how to traverse "" and * in this path.
extractions = [
{
relevant = config.systemd.network.enable;
root = config.systemd.network.netdevs;
peer = (x: x.wireguardPeers);
key = x: x.PublicKey or null;
description = "${options.systemd.network.netdevs}.\"\".wireguardPeers.*.PublicKey";
}
{
relevant = config.networking.wireguard.enable;
root = config.networking.wireguard.interfaces;
peer = (x: x.peers);
key = (x: x.publicKey);
description = "${options.networking.wireguard.interfaces}.\"\".peers.*.publicKey";
}
rec {
relevant = root != { };
root = config.networking.wg-quick.interfaces;
peer = (x: x.peers);
key = (x: x.publicKey);
description = "${options.networking.wg-quick.interfaces}.\"\".peers.*.publicKey";
}
];
relevantExtractions = filter (x: x.relevant) extractions;
extract = { root, peer, key, ... }:
filter (x: x != null) (flatten (concatMap (x: (map key (peer x))) (attrValues root)));
configuredKeys = flatten (map extract relevantExtractions);
itemize = xs: concatLines (map (x: " - ${x}") xs);
descriptions = map (x: "`${x.description}`");
missingKeys = filter (key: !builtins.elem key configuredKeys) (map (x: x.peer) cfg.settings.peers);
unusual = ''
While this may work as expected, e.g. you want to manually configure WireGuard,
such a scenario is unusual. Please double-check your configuration.
'';
in
(optional (relevantExtractions != [ ] && missingKeys != [ ]) ''
You have configured Rosenpass peers with the WireGuard public keys:
${itemize missingKeys}
But there is no corresponding active Wireguard peer configuration in any of:
${itemize (descriptions relevantExtractions)}
${unusual}
'')
++
optional (relevantExtractions == [ ]) ''
You have configured Rosenpass, but you have not configured Wireguard via any of:
${itemize (descriptions extractions)}
${unusual}
'';
environment.systemPackages = [ cfg.package pkgs.wireguard-tools ];
systemd.services.rosenpass =
let
filterNonNull = filterAttrsRecursive (_: v: v != null);
config = settingsFormat.generate "config.toml" (
filterNonNull (cfg.settings
//
(
let
credentialPath = id: "$CREDENTIALS_DIRECTORY/${id}";
# NOTE: We would like to remove all `null` values inside `cfg.settings`
# recursively, since `settingsFormat.generate` cannot handle `null`.
# This would require to traverse both attribute sets and lists recursively.
# `filterAttrsRecursive` only recurses into attribute sets, but not
# into values that might contain other attribute sets (such as lists,
# e.g. `cfg.settings.peers`). Here, we just specialize on `cfg.settings.peers`,
# and this may break unexpectedly whenever a `null` value is contained
# in a list in `cfg.settings`, other than `cfg.settings.peers`.
peersWithoutNulls = map filterNonNull cfg.settings.peers;
in
{
secret_key = credentialPath "pqsk";
public_key = credentialPath "pqpk";
peers = peersWithoutNulls;
}
)
)
);
in
rec {
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
path = [ cfg.package pkgs.wireguard-tools ];
serviceConfig = {
User = "rosenpass";
Group = "rosenpass";
RuntimeDirectory = "rosenpass";
DynamicUser = true;
AmbientCapabilities = [ "CAP_NET_ADMIN" ];
LoadCredential = [
"pqsk:${cfg.settings.secret_key}"
"pqpk:${cfg.settings.public_key}"
];
};
# See
environment.CONFIG = "%t/${serviceConfig.RuntimeDirectory}/config.toml";
script = ''
${getExe pkgs.envsubst} -i ${config} -o "$CONFIG"
rosenpass exchange-config "$CONFIG"
'';
};
};
}