nixos/wireguard-networkd: fix loading pre shared keys for peers witho…

…ut a custom name (#368684)
NixOS · Dec 29, 2024 · 1bdf3ca · 1bdf3ca
2 parents 323d07e + 61d11b7
commit 1bdf3ca
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 6 deletions.
diff --git a/nixos/modules/services/networking/wireguard-networkd.nix b/nixos/modules/services/networking/wireguard-networkd.nix
@@ -22,14 +22,16 @@ let
     ;
   inherit (lib.modules) mkIf;
   inherit (lib.options) literalExpression mkOption;
-  inherit (lib.strings) hasInfix;
+  inherit (lib.strings) hasInfix replaceStrings;
   inherit (lib.trivial) flip pipe;
 
   removeNulls = filterAttrs (_: v: v != null);
 
-  privateKeyCredential = interfaceName: "wireguard-${interfaceName}-private-key";
+  escapeCredentialName = input: replaceStrings [ "\\" ] [ "_" ] input;
+
+  privateKeyCredential = interfaceName: escapeCredentialName "wireguard-${interfaceName}-private-key";
   presharedKeyCredential =
-    interfaceName: peer: "wireguard-${interfaceName}-${peer.name}-preshared-key";
+    interfaceName: peer: escapeCredentialName "wireguard-${interfaceName}-${peer.name}-preshared-key";
 
   interfaceCredentials =
     interfaceName: interface:
@@ -61,7 +63,8 @@ let
     interfaceName: peer:
     removeNulls {
       PublicKey = peer.publicKey;
-      PresharedKey = "@${presharedKeyCredential interfaceName peer}";
+      PresharedKey =
+        if peer.presharedKeyFile == null then null else "@${presharedKeyCredential interfaceName peer}";
       AllowedIPs = peer.allowedIPs;
       Endpoint = peer.endpoint;
       PersistentKeepalive = peer.persistentKeepalive;

diff --git a/nixos/tests/wireguard/dynamic-refresh.nix b/nixos/tests/wireguard/dynamic-refresh.nix
@@ -84,7 +84,10 @@ import ../make-test-python.nix (
       ''
         start_all()
 
+        server.systemctl("start network-online.target")
         server.wait_for_unit("network-online.target")
+
+        client.systemctl("start network-online.target")
         client.wait_for_unit("network-online.target")
 
         client.succeed("ping -n -w 1 -c 1 10.23.42.1")

diff --git a/nixos/tests/wireguard/networkd.nix b/nixos/tests/wireguard/networkd.nix
@@ -39,6 +39,9 @@ import ../make-test-python.nix (
                 "fc00::2/128"
               ];
 
+              # !!! Don't do this with real keys. The /nix store is world-readable!
+              presharedKeyFile = toString (pkgs.writeText "presharedKey" wg-snakeoil-keys.presharedKey);
+
               inherit (wg-snakeoil-keys.peer1) publicKey;
             };
           };
@@ -69,6 +72,9 @@ import ../make-test-python.nix (
               endpoint = "192.168.0.1:23542";
               persistentKeepalive = 25;
 
+              # !!! Don't do this with real keys. The /nix store is world-readable!
+              presharedKeyFile = toString (pkgs.writeText "presharedKey" wg-snakeoil-keys.presharedKey);
+
               inherit (wg-snakeoil-keys.peer0) publicKey;
             };
           };
@@ -79,11 +85,18 @@ import ../make-test-python.nix (
     testScript = ''
       start_all()
 
-      peer0.wait_for_unit("systemd-networkd-wait-online.service")
-      peer1.wait_for_unit("systemd-networkd-wait-online.service")
+      peer0.systemctl("start network-online.target")
+      peer0.wait_for_unit("network-online.target")
+
+      peer1.systemctl("start network-online.target")
+      peer1.wait_for_unit("network-online.target")
 
       peer1.succeed("ping -c5 fc00::1")
       peer1.succeed("ping -c5 10.23.42.1")
+
+      with subtest("Has PSK set"):
+        peer0.succeed("wg | grep 'preshared key'")
+        peer1.succeed("wg | grep 'preshared key'")
     '';
   }
 )
diff --git a/nixos/tests/wireguard/snakeoil-keys.nix b/nixos/tests/wireguard/snakeoil-keys.nix
@@ -1,4 +1,6 @@
 {
+  presharedKey = "7myEJlGAWLTg83y7Py29pp7REQBVmZfI4xcawjcZpjg=";
+
   peer0 = {
     privateKey = "OPuVRS2T0/AtHDp3PXkNuLQYDiqJaBEEnYe42BSnJnQ=";
     publicKey = "IujkG119YPr2cVQzJkSLYCdjpHIDjvr/qH1w1tdKswY=";