New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
wireguard: Add peers.*.publicKeyFile as an alternative to publicKey #60339
Conversation
42e7113
to
d40823f
Compare
LGTM 👍 @GrahamcOfBorg test wireguard wireguard-generated |
d40823f
to
54735f1
Compare
54735f1
to
e491b04
Compare
b30a23d
to
6d0390d
Compare
@Ma27 @infinisil @grahamc I've rebased this change on the latest version of master and retested on some servers. It's still working. Can this be merged or do I need to do anything else? |
6d0390d
to
3869cc8
Compare
3869cc8
to
7b92c13
Compare
Can you update |
2e2986d
to
07e42a8
Compare
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as I can tell this looks good other than the thing below.
07e42a8
to
07b7fd8
Compare
07b7fd8
to
ec552a7
Compare
@infinisil The changes you requested are done and I just rebased on the latest |
ec552a7
to
7278d77
Compare
Rebased again. |
peerName = if peer.publicKey != null then peer.publicKey else peer.publicKeyFile; | ||
in | ||
[ | ||
{ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need an assert that one of: publicKey or publicKeyFile is set? I don't see one, but it is possible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That case would be caught by this assertion as well since (null != null) != (null != null)
is false. I basically copied the pre-existing logic for privateKey
and privateKeyFile
.
7278d77
to
b443e6a
Compare
Doesn't work if you set e.g. diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index daf10e8284e..6b023b5e41f 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -268,7 +268,7 @@ let
keyToUnitName = replaceChars
[ "/" "-" " " "+" "=" ]
[ "-" "\\x2d" "\\x20" "\\x2b" "\\x3d" ];
- peerName = if peer.publicKey != null then peer.publicKey else peer.publicKeyFile;
+ peerName = if peer.publicKey != null then peer.publicKey else builtins.unsafeDiscardStringContext peer.publicKeyFile;
publicKeyArg = if peer.publicKey != null then peer.publicKey else "\"$(cat ${peer.publicKeyFile})\"";
unitName = keyToUnitName peerName;
psk =
@@ -445,7 +445,7 @@ in
];
peerAssertions = builtins.concatLists (map (peer:
let
- peerName = if peer.publicKey != null then peer.publicKey else peer.publicKeyFile;
+ peerName = if peer.publicKey != null then peer.publicKey else builtins.unsafeDiscardStringContext peer.publicKeyFile;
in
[
{ But then there's the problem that if both |
Is it really an issue? This option's purpose is to be used when the user doesn't have the public key at build time. If the user does, they can use |
b443e6a
to
305b3e2
Compare
If peers' public keys are not known when writing the NixOS configuration, publicKeyFile can be given instead of publicKey.
305b3e2
to
678854f
Compare
I marked this as stale due to inactivity. → More info |
I reworked this PR in #160086; closing this as this has been stale and the new PR can be used for any further changes. |
If peers' public keys are not known when writing the NixOS configuration, publicKeyFile can be given instead of publicKey. This change is a rework of PR NixOS#60339 (by Thomas Feron <thomas.feron@redspline.com>) which has been stale. Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
Motivation for this change
When dealing with several servers, we might want a mechanism by which the servers share their public key with each other after being provisioned. Thus, we can't give the NixOS configuration the public keys directly because they are not known at that point in time.
publicKeyFile
solves the issue.Things done
sandbox
innix.conf
on non-NixOS)nix-shell -p nix-review --run "nix-review wip"
./result/bin/
)nix path-info -S
before and after)