wireguard: add generatePrivateKeyFile option + test #60138
@GrahamcOfBorg test wireguard
f6c6c62 to 7b7ba23
@@ -282,7 +333,12 @@ in | |||
boot.extraModulePackages = [ kernel.wireguard ]; | |||
environment.systemPackages = [ pkgs.wireguard-tools ]; | |||
|
|||
systemd.services = mapAttrs' generateUnit cfg.interfaces; | |||
systemd.services = (x: builtins.trace x x) ((mapAttrs' generateSetupServiceUnit cfg.interfaces) |
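Review bot: The (x: builtins.trace x x) wrapper on the new systemd.services line is leftover debugging and should be dropped before merge. It prints the generated unit set on every evaluation of the module and adds nothing to the result; assign the mapAttrs' generateSetupServiceUnit cfg.interfaces expression directly.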
Errant trace.
Plus some nice assertion improvements based on feedback from @infinisil!
d668f61 to e1d15a4
Ideally, private keys never leave the host they're generated on - like SSH. Setting generatePrivateKeyFile to true causes the PK to be generated automatically.
Seems this PR is good then, @Ma27?
e1d15a4 to 06c83a1
@grahamc thanks!
Thank you!
mkdir --mode 0644 -p "${dirOf values.privateKeyFile}" | ||
if [ ! -f "${values.privateKeyFile}" ]; then | ||
touch "${values.privateKeyFile}" | ||
chmod 0600 "${values.privateKeyFile}" |
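Review bot: touch followed by chmod 0600 leaves the key file at the umask default mode for a short window, and a descriptor opened in that window stays readable after the chmod. Create the file under umask 077 or with install --mode 0600 so it is never wider than 0600. Separately, mkdir --mode 0644 gives the directory no search (x) bit, and with -p the mode applies only to the last path component; 0700 would be the expected mode for a key directory.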
This is not safe.
The private key can be read by an unprivileged user who opens the file between touch and chmod.
touch + chmod 600 + write are never safe. This is why install --mode (like mkdir --mode) and umask exist. See for example the key generation section in ArchWiki or NixOS's wiki.
Filed as #121288.
Apparently it is not safe to first create a file with touch and then set permissions with chmod. An unprivileged user could open the file in between. See NixOS/nixpkgs#60138 (comment).
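The difference between touch followed by chmod and creation under a restrictive umask, as an added example that is not code from this PR or from nixpkgs. The function names are hypothetical, the path argument stands in for values.privateKeyFile, and the constructed string stands in for the output of a real key generator.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the path argument plays the
# role of values.privateKeyFile from the hunk above.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The pattern under review: report the mode the file has between touch and
# chmod. umask 022 is set explicitly so the result is deterministic.
racy_window_mode() {
    (
        umask 022
        touch "$1"
        mode_of "$1"        # a descriptor opened now stays readable after chmod
        chmod 0600 "$1"
    )
}

# Race-free variant: write_secret_file PATH CMD [ARGS...]
# Runs CMD with stdout redirected to PATH, which is created 0600 from the start.
write_secret_file() {
    _file=$1
    shift
    (
        umask 077                       # new files 0600, new directories 0700
        mkdir -p "$(dirname "$_file")"
        set -C                          # noclobber: fail if the file already exists
        "$@" > "$_file"
    )
}

# Demo on a scratch directory with a constructed value, not a real key.
demo_dir=$(mktemp -d)
echo "mode between touch and chmod: $(racy_window_mode "$demo_dir/racy.key")"
write_secret_file "$demo_dir/keys/wg0.key" printf 'constructed-not-a-real-key\n'
echo "mode at creation under umask 077: $(mode_of "$demo_dir/keys/wg0.key")"
rm -rf "$demo_dir"
```

On a host with wireguard-tools installed, the command passed to write_secret_file would be wg genkey.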