@ -53,30 +53,30 @@ let
} ;
preSetup = mkOption {
example = literalExample [ ''
example = literalExample ''
$ { pkgs . iproute } /bin/ip netns add foo
'' ] ;
default = [ ] ;
type = with types ; listOf str ;
'' ;
default = " " ;
type = with types ; coercedTo ( listOf str ) ( concatStringsSep " \n " ) lines ;
description = ''
A list of c ommands called at the start of the interface setup .
C ommands called at the start of the interface setup .
'' ;
} ;
postSetup = mkOption {
example = literalExample [ ''
$ { pkgs . bash } - c ' printf " n a m e s e r v e r 1 0 . 2 0 0 . 1 0 0 . 1 " | $ { pkgs . openresolv } /bin/resolvconf - a wg0 - m 0 '
'' ] ;
default = [ ] ;
type = with types ; listOf str ;
description = " A l i s t o f c o m m a n d s c a l l e d a t t h e e n d o f t h e i n t e r f a c e s e t u p . " ;
example = literalExample ''
printf " n a m e s e r v e r 1 0 . 2 0 0 . 1 0 0 . 1 " | $ { pkgs . openresolv } /bin/resolvconf - a wg0 - m 0
'' ;
default = " " ;
type = with types ; coercedTo ( listOf str ) ( concatStringsSep " \n " ) lines ;
description = " C o m m a n d s c a l l e d a t t h e e n d o f t h e i n t e r f a c e s e t u p . " ;
} ;
postShutdown = mkOption {
example = literalExample [ "${ pkgs . openresolv } / b i n / r e s o l v c o n f - d w g 0 " ] ;
default = [ ] ;
type = with types ; listOf str ;
description = " A l i s t o f c o m m a n d s c a l l e d a f t e r s h u t t i n g d o w n t h e i n t e r f a c e . " ;
example = literalExample "${ pkgs . openresolv } / b i n / r e s o l v c o n f - d w g 0 " ;
default = " " ;
type = with types ; coercedTo ( listOf str ) ( concatStringsSep " \n " ) lines ;
description = " C o m m a n d s c a l l e d a f t e r s h u t t i n g d o w n t h e i n t e r f a c e . " ;
} ;
table = mkOption {
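Review bot: The new descriptions for preSetup, postSetup and postShutdown do not tell the user that these strings are now shell code rather than argv-style command strings, which is the semantic change this hunk introduces (the type moves from `listOf str` to `lines`, coercing an old-style list by joining with newlines). Since the values are later interpolated into the unit's `script`/`preStop` bodies, shell quoting, `$` expansion and exit-status semantics now apply, and — if NixOS's `script` wrapper runs with errexit as I recall — a single failing command aborts the whole interface setup. I would make that explicit, e.g. for preSetup: `Shell commands executed at the start of the interface setup. They run inside the unit's setup script, so a non-zero exit aborts the setup; a list of strings is still accepted and is joined with newlines.`, with matching wording for postSetup and postShutdown. The postSetup example also drops the `${pkgs.bash} -c '…'` wrapper, which is correct now that the text is shell, but worth noting in the description so users migrating old list-style values do not keep the wrapper.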
@ -182,9 +182,6 @@ let
} ;
ipCommand = " ${ pkgs . iproute } / b i n / i p " ;
wgCommand = " ${ pkgs . wireguard } / b i n / w g " ;
generateUnit = name : values :
# exactly one way to specify the private key must be set
assert ( values . privateKey != null ) != ( values . privateKeyFile != null ) ;
@ -196,49 +193,53 @@ let
after = [ " n e t w o r k . t a r g e t " ] ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
environment . DEVICE = name ;
path = with pkgs ; [ kmod iproute wireguard ] ;
serviceConfig = {
Type = " o n e s h o t " ;
RemainAfterExit = true ;
ExecStart = flatten ( [
values . preSetup
} ;
script = ''
modprobe wireguard
$ { values . preSetup }
" - ${ ipCommand } l i n k d e l d e v ${ name } "
" ${ ipCommand } l i n k a d d d e v ${ name } t y p e w i r e g u a r d "
ip link add dev $ { name } type wireguard
( map ( ip :
" ${ ipCommand } a d d r e s s a d d ${ ip } d e v ${ name } "
) values . ips )
$ { concatMapStringsSep " \n " ( ip :
" i p a d d r e s s a d d ${ ip } d e v ${ name } "
) values . ips }
( " ${ wgCommand } s e t ${ name } p r i v a t e - k e y ${ privKey } " +
optionalString ( values . listenPort != null ) " l i s t e n - p o r t ${ toString values . listenPort } " )
wg set $ { name } private-key $ { privKey } $ {
optionalString ( values . listenPort != null ) " l i s t e n - p o r t ${ toString values . listenPort } " }
( map ( peer :
$ { concatMapStringsSep " \n " ( peer :
assert ( peer . presharedKeyFile == null ) || ( peer . presharedKey == null ) ; # at most one of the two must be set
let psk = if peer . presharedKey != null then pkgs . writeText " w g - p s k " peer . presharedKey else peer . presharedKeyFile ;
in
" ${ wgCommand } s e t ${ name } p e e r ${ peer . publicKey } " +
optionalString ( psk != null ) " p r e s h a r e d - k e y ${ psk } " +
optionalString ( peer . endpoint != null ) " e n d p o i n t ${ peer . endpoint } " +
optionalString ( peer . persistentKeepalive != null ) " p e r s i s t e n t - k e e p a l i v e ${ toString peer . persistentKeepalive } " +
optionalString ( peer . allowedIPs != [ ] ) " a l l o w e d - i p s ${ concatStringsSep " , " peer . allowedIPs } "
) values . peers )
" ${ ipCommand } l i n k s e t u p d e v ${ name } "
( optionals ( values . allowedIPsAsRoutes != false ) ( m ap ( peer :
( map ( allowedIP :
" ${ ipCommand } r o u t e r e p l a c e ${ allowedIP } d e v ${ name } t a b l e ${ values . table } "
) peer . allowedIPs )
) values . peers ) )
values . postSetup
] ) ;
ExecStop = flatten ( [
" ${ ipCommand } l i n k d e l d e v ${ name } "
values . postShutdown
] ) ;
} ;
" w g s e t ${ name } p e e r ${ peer . publicKey } " +
optionalString ( psk != null ) " p r e s h a r e d - k e y ${ psk } " +
optionalString ( peer . endpoint != null ) " e n d p o i n t ${ peer . endpoint } " +
optionalString ( peer . persistentKeepalive != null ) " p e r s i s t e n t - k e e p a l i v e ${ toString peer . persistentKeepalive } " +
optionalString ( peer . allowedIPs != [ ] ) " a l l o w e d - i p s ${ concatStringsSep " , " peer . allowedIPs } "
) values . peers }
ip link set up dev $ { name }
$ { optionalString ( values . allowedIPsAsRoutes != false ) ( concatStringsSep " \n " ( concatM ap ( peer :
( map ( allowedIP :
" i p r o u t e r e p l a c e ${ allowedIP } d e v ${ name } t a b l e ${ values . table } "
) peer . allowedIPs )
) values . peers ) ) }
$ { values . postSetup }
'' ;
preStop = ''
ip link del dev $ { name }
$ { values . postShutdown }
'' ;
} ;
in
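Review bot: The new `script` body drops the tolerant `-${ipCommand} link del dev ${name}` step that the old ExecStart list ran before `link add`, so `ip link add dev ${name} type wireguard` now fails whenever the device already exists (a crashed or killed unit, a manual restart after `preStop` did not run), and the errexit shell aborts the setup instead of recovering; restore it as `ip link del dev ${name} 2>/dev/null || true` immediately before the `ip link add` line. Separately, everything interpolated into this script — `${ip}`, `${privKey}`, `${psk}`, `${peer.endpoint}`, `${peer.publicKey}`, `${values.table}` and the allowed-ips list — is spliced into bash unquoted, whereas before it was a single argv element; a value containing whitespace or shell metacharacters is now word-split or interpreted, so these should go through `escapeShellArg` (the file appears to use `lib` helpers such as `optionalString`, so it is presumably in scope — worth confirming). Note also that the unchanged context line still writes `peer.presharedKey` into the world-readable Nix store via `pkgs.writeText`, which this commit does not address; `generateUnit` begins in the previous hunk and `privKey` is defined outside this one.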