base repository: NixOS/nixpkgs
base: a41b38eb266a
head repository: NixOS/nixpkgs
compare: b3dd39ca0e9a
  • 4 commits
  • 2 files changed
  • 2 contributors

Commits on May 31, 2019

  1. wireguard: add each peer in a separate service

    Before, changing any peers caused the entire WireGuard interface to
    be torn down and rebuilt. By configuring each peer in a separate
    service we're able to only restart the affected peers.
    
    Adding each peer individually also means individual peer
    configurations can fail, but the overall interface and all other peers
    will still be added.
    
    A WireGuard peer's internal identifier is its public key. This means
    it is the only reliable identifier to use for the systemd service.
    grahamc committed May 31, 2019
    dc44fc1 View commit details
    29eb4bc View commit details
    1de35c7 View commit details
  4. Merge pull request #62325 from grahamc/wireguard-master

     wireguard: 0.0.20190406 -> 0.0.20190531 and Change peers without tearing down the interface, handle DNS failures better
    flokli authored May 31, 2019

    b3dd39c View commit details
Showing with 72 additions and 28 deletions.
  1. +70 −26 nixos/modules/services/networking/wireguard.nix
  2. +2 −2 pkgs/tools/networking/wireguard-tools/default.nix
96 changes: 70 additions & 26 deletions nixos/modules/services/networking/wireguard.nix
@@ -229,8 +229,61 @@ let
'';
};

generatePeerUnit = { interfaceName, interfaceCfg, peer }:
let
keyToUnitName = replaceChars
[ "/" "-" " " "+" "=" ]
[ "-" "\\x2d" "\\x20" "\\x2b" "\\x3d" ];
unitName = keyToUnitName peer.publicKey;
psk =
if peer.presharedKey != null
then pkgs.writeText "wg-psk" peer.presharedKey
else peer.presharedKeyFile;
in nameValuePair "wireguard-${interfaceName}-peer-${unitName}"
{
description = "WireGuard Peer - ${interfaceName} - ${peer.publicKey}";
requires = [ "wireguard-${interfaceName}.service" ];
after = [ "wireguard-${interfaceName}.service" ];
wantedBy = [ "multi-user.target" ];
environment.DEVICE = interfaceName;
environment.WG_ENDPOINT_RESOLUTION_RETRIES = "infinity";
path = with pkgs; [ iproute wireguard-tools ];

serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};

script = let
wg_setup = "wg set ${interfaceName} peer ${peer.publicKey}" +
optionalString (psk != null) " preshared-key ${psk}" +
optionalString (peer.endpoint != null) " endpoint ${peer.endpoint}" +
optionalString (peer.persistentKeepalive != null) " persistent-keepalive ${toString peer.persistentKeepalive}" +
optionalString (peer.allowedIPs != []) " allowed-ips ${concatStringsSep "," peer.allowedIPs}";
route_setup =
optionalString (interfaceCfg.allowedIPsAsRoutes != false)
(concatMapStringsSep "\n"
(allowedIP:
"ip route replace ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}"
) peer.allowedIPs);
in ''
${wg_setup}
${route_setup}
'';

generateSetupServiceUnit = name: values:
postStop = let
route_destroy = optionalString (interfaceCfg.allowedIPsAsRoutes != false)
(concatMapStringsSep "\n"
(allowedIP:
"ip route delete ${allowedIP} dev ${interfaceName} table ${interfaceCfg.table}"
) peer.allowedIPs);
in ''
wg set ${interfaceName} peer ${peer.publicKey} remove
${route_destroy}
'';
};

generateInterfaceUnit = name: values:
# exactly one way to specify the private key must be set
#assert (values.privateKey != null) != (values.privateKeyFile != null);
let privKey = if values.privateKeyFile != null then values.privateKeyFile else pkgs.writeText "wg-key" values.privateKey;
@@ -245,9 +298,7 @@ let
path = with pkgs; [ kmod iproute wireguard-tools ];

serviceConfig = {
Type = "simple";
Restart = "on-failure";
RestartSec = "5s";
Type = "oneshot";
RemainAfterExit = true;
};

@@ -265,25 +316,8 @@ let
wg set ${name} private-key ${privKey} ${
optionalString (values.listenPort != null) " listen-port ${toString values.listenPort}"}
${concatMapStringsSep "\n" (peer:
assert (peer.presharedKeyFile == null) || (peer.presharedKey == null); # at most one of the two must be set
let psk = if peer.presharedKey != null then pkgs.writeText "wg-psk" peer.presharedKey else peer.presharedKeyFile;
in
"wg set ${name} peer ${peer.publicKey}" +
optionalString (psk != null) " preshared-key ${psk}" +
optionalString (peer.endpoint != null) " endpoint ${peer.endpoint}" +
optionalString (peer.persistentKeepalive != null) " persistent-keepalive ${toString peer.persistentKeepalive}" +
optionalString (peer.allowedIPs != []) " allowed-ips ${concatStringsSep "," peer.allowedIPs}"
) values.peers}
ip link set up dev ${name}
${optionalString (values.allowedIPsAsRoutes != false) (concatStringsSep "\n" (concatMap (peer:
(map (allowedIP:
"ip route replace ${allowedIP} dev ${name} table ${values.table}"
) peer.allowedIPs)
) values.peers))}
${values.postSetup}
'';

@@ -335,7 +369,12 @@ in

###### implementation

config = mkIf cfg.enable {
config = mkIf cfg.enable (let
all_peers = flatten
(mapAttrsToList (interfaceName: interfaceCfg:
map (peer: { inherit interfaceName interfaceCfg peer;}) interfaceCfg.peers
) cfg.interfaces);
in {

assertions = (attrValues (
mapAttrs (name: value: {
@@ -346,19 +385,24 @@ in
mapAttrs (name: value: {
assertion = value.generatePrivateKeyFile -> (value.privateKey == null);
message = "networking.wireguard.interfaces.${name}.generatePrivateKey must not be set if networking.wireguard.interfaces.${name}.privateKey is set.";
}) cfg.interfaces));

}) cfg.interfaces))
++ map ({ interfaceName, peer, ... }: {
assertion = (peer.presharedKey == null) || (peer.presharedKeyFile == null);
message = "networking.wireguard.interfaces.${interfaceName} peer «${peer.publicKey}» has both presharedKey and presharedKeyFile set, but only one can be used.";
}) all_peers;

boot.extraModulePackages = [ kernel.wireguard ];
environment.systemPackages = [ pkgs.wireguard-tools ];

systemd.services = (mapAttrs' generateSetupServiceUnit cfg.interfaces)
systemd.services =
(mapAttrs' generateInterfaceUnit cfg.interfaces)
// (listToAttrs (map generatePeerUnit all_peers))
// (mapAttrs' generateKeyServiceUnit
(filterAttrs (name: value: value.generatePrivateKeyFile) cfg.interfaces));

systemd.paths = mapAttrs' generatePathUnit
(filterAttrs (name: value: value.privateKeyFile != null) cfg.interfaces);

};
});

}
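Review bot: The new peer units pair `environment.WG_ENDPOINT_RESOLUTION_RETRIES = "infinity"` with `Type = "oneshot"` and no start timeout (systemd disables TimeoutStartSec for oneshot by default), so a peer whose endpoint hostname never resolves leaves `wg set` retrying and the unit stuck in activating; because the unit is `wantedBy multi-user.target`, that appears to hold up the target as well, though I am inferring the ordering from systemd defaults rather than from anything in this hunk. Consider an explicit `serviceConfig.TimeoutStartSec` or a bounded retry count, and record the trade-off next to the variable with a comment such as `# "infinity": wg(8) keeps re-resolving the endpoint rather than failing the unit; bound with TimeoutStartSec if boot must not wait on DNS`. Separately, `psk = if peer.presharedKey != null then pkgs.writeText "wg-psk" peer.presharedKey else peer.presharedKeyFile` in generatePeerUnit carries over the removed inline behaviour of writing the preshared key into the world-readable Nix store; a one-line comment there, `# presharedKey is written to /nix/store (world-readable); presharedKeyFile keeps it out of the store`, would make that visible to anyone maintaining the unit generator.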
4 changes: 2 additions & 2 deletions pkgs/tools/networking/wireguard-tools/default.nix
@@ -4,11 +4,11 @@ with stdenv.lib;

stdenv.mkDerivation rec {
name = "wireguard-tools-${version}";
version = "0.0.20190406";
version = "0.0.20190531";

src = fetchzip {
url = "https://git.zx2c4.com/WireGuard/snapshot/WireGuard-${version}.tar.xz";
sha256 = "1rqyyyx7j41vpp4jigagqs2qdyfngh15y48ghdqfrkv7v93vwdak";
sha256 = "0caw6kc0lqsvzvdjpdbdn3r9ff93vdl46616pwlig0rsdjrqnklj";
};

sourceRoot = "source/src/tools";