public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #62325 from grahamc/wireguard-master

Browse Source 
wireguard: 0.0.20190406 -> 0.0.20190531 and Change peers without tearing down the interface, handle DNS failures better
This commit is contained in:
Florian Klink 2019-05-31 23:17:18 +02:00 committed by GitHub
commit b3dd39ca0e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 72 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

96
nixos/modules/services/networking/wireguard.nix
View File

@ -229,8 +229,61 @@ let
''; '';
}; };
generatePeerUnit = { interfaceName, interfaceCfg, peer }:
let
keyToUnitName = replaceChars
[ "/" "-" " " "+" "=" ]
[ "-" "\\x2d" "\\x20" "\\x2b" "\\x3d" ];
unitName = keyToUnitName peer.publicKey;
psk =
if peer.presharedKey != null
then pkgs.writeText "wg-psk" peer.presharedKey
else peer.presharedKeyFile;
in nameValuePair "wireguard-${interfaceName}-peer-${unitName}"
{
description = "WireGuard Peer - ${interfaceName} - ${peer.publicKey}";
requires = [ "wireguard-${interfaceName}.service" ];
after = [ "wireguard-${interfaceName}.service" ];
wantedBy = [ "multi-user.target" ];
environment.DEVICE = interfaceName;
environment.WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
path = with pkgs; [ iproute wireguard-tools ];
generateSetupServiceUnit = name: values: serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = let
wg_setup = "wg set ${interfaceName} peer ${peer.publicKey}" +
optionalString (psk != null) " preshared-key ${psk}" +
optionalString (peer.endpoint != null) " endpoint ${peer.endpoint}" +
optionalString (peer.persistentKeepalive != null) " persistent-keepalive ${toString peer.persistentKeepalive}" +
optionalString (peer.allowedIPs != []) " allowed-ips ${concatStringsSep "," peer.allowedIPs}";
route_setup =
optionalString (interfaceCfg.allowedIPsAsRoutes != false)
(concatMapStringsSep "\n"
(allowedIP:
"ip route replace ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}"
) peer.allowedIPs);
in ''
${wg_setup}
${route_setup}
'';
postStop = let
route_destroy = optionalString (interfaceCfg.allowedIPsAsRoutes != false)
(concatMapStringsSep "\n"
(allowedIP:
"ip route delete ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}"
) peer.allowedIPs);
in ''
wg set ${interfaceName} peer ${peer.publicKey} remove
${route_destroy}
'';
};
generateInterfaceUnit = name: values:
# exactly one way to specify the private key must be set # exactly one way to specify the private key must be set
#assert (values.privateKey != null) != (values.privateKeyFile != null); #assert (values.privateKey != null) != (values.privateKeyFile != null);
let privKey = if values.privateKeyFile != null then values.privateKeyFile else pkgs.writeText "wg-key" values.privateKey; let privKey = if values.privateKeyFile != null then values.privateKeyFile else pkgs.writeText "wg-key" values.privateKey;
@ -245,9 +298,7 @@ let
path = with pkgs; [ kmod iproute wireguard-tools ]; path = with pkgs; [ kmod iproute wireguard-tools ];
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "oneshot";
Restart = "on-failure";
RestartSec = "5s";
RemainAfterExit = true; RemainAfterExit = true;
}; };
@ -265,25 +316,8 @@ let
wg set ${name} private-key ${privKey} ${ wg set ${name} private-key ${privKey} ${
optionalString (values.listenPort != null) " listen-port ${toString values.listenPort}"} optionalString (values.listenPort != null) " listen-port ${toString values.listenPort}"}
${concatMapStringsSep "\n" (peer:
assert (peer.presharedKeyFile == null) || (peer.presharedKey == null); # at most one of the two must be set
let psk = if peer.presharedKey != null then pkgs.writeText "wg-psk" peer.presharedKey else peer.presharedKeyFile;
in
"wg set ${name} peer ${peer.publicKey}" +
optionalString (psk != null) " preshared-key ${psk}" +
optionalString (peer.endpoint != null) " endpoint ${peer.endpoint}" +
optionalString (peer.persistentKeepalive != null) " persistent-keepalive ${toString peer.persistentKeepalive}" +
optionalString (peer.allowedIPs != []) " allowed-ips ${concatStringsSep "," peer.allowedIPs}"
) values.peers}
ip link set up dev ${name} ip link set up dev ${name}
${optionalString (values.allowedIPsAsRoutes != false) (concatStringsSep "\n" (concatMap (peer:
(map (allowedIP:
"ip route replace ${allowedIP} dev ${name} table ${values.table}"
) peer.allowedIPs)
) values.peers))}
${values.postSetup} ${values.postSetup}
''; '';
@ -335,7 +369,12 @@ in
###### implementation ###### implementation
config = mkIf cfg.enable { config = mkIf cfg.enable (let
all_peers = flatten
(mapAttrsToList (interfaceName: interfaceCfg:
map (peer: { inherit interfaceName interfaceCfg peer;}) interfaceCfg.peers
) cfg.interfaces);
in {
assertions = (attrValues ( assertions = (attrValues (
mapAttrs (name: value: { mapAttrs (name: value: {
@ -346,19 +385,24 @@ in
mapAttrs (name: value: { mapAttrs (name: value: {
assertion = value.generatePrivateKeyFile -> (value.privateKey == null); assertion = value.generatePrivateKeyFile -> (value.privateKey == null);
message = "networking.wireguard.interfaces.${name}.generatePrivateKey must not be set if networking.wireguard.interfaces.${name}.privateKey is set."; message = "networking.wireguard.interfaces.${name}.generatePrivateKey must not be set if networking.wireguard.interfaces.${name}.privateKey is set.";
}) cfg.interfaces)); }) cfg.interfaces))
++ map ({ interfaceName, peer, ... }: {
assertion = (peer.presharedKey == null) || (peer.presharedKeyFile == null);
message = "networking.wireguard.interfaces.${interfaceName} peer «${peer.publicKey}» has both presharedKey and presharedKeyFile set, but only one can be used.";
}) all_peers;
boot.extraModulePackages = [ kernel.wireguard ]; boot.extraModulePackages = [ kernel.wireguard ];
environment.systemPackages = [ pkgs.wireguard-tools ]; environment.systemPackages = [ pkgs.wireguard-tools ];
systemd.services = (mapAttrs' generateSetupServiceUnit cfg.interfaces) systemd.services =
(mapAttrs' generateInterfaceUnit cfg.interfaces)
// (listToAttrs (map generatePeerUnit all_peers))
// (mapAttrs' generateKeyServiceUnit // (mapAttrs' generateKeyServiceUnit
(filterAttrs (name: value: value.generatePrivateKeyFile) cfg.interfaces)); (filterAttrs (name: value: value.generatePrivateKeyFile) cfg.interfaces));
systemd.paths = mapAttrs' generatePathUnit systemd.paths = mapAttrs' generatePathUnit
(filterAttrs (name: value: value.privateKeyFile != null) cfg.interfaces); (filterAttrs (name: value: value.privateKeyFile != null) cfg.interfaces);
}; });
} }

4
pkgs/tools/networking/wireguard-tools/default.nix
View File

@ -4,11 +4,11 @@ with stdenv.lib;
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
name = "wireguard-tools-${version}"; name = "wireguard-tools-${version}";
version = "0.0.20190406"; version = "0.0.20190531";
src = fetchzip { src = fetchzip {
url = "https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${version}.tar.xz"; url = "https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${version}.tar.xz";
sha256 = "1rqyyyx7j41vpp4jigagqs2qdyfngh15y48ghdqfrkv7v93vwdak"; sha256 = "0caw6kc0lqsvzvdjpdbdn3r9ff93vdl46616pwlig0rsdjrqnklj";
}; };
sourceRoot = "source/src/tools"; sourceRoot = "source/src/tools";