wireguard: implement review comments from zx2c4

NixOS · Jul 16, 2017 · 26915ce · 26915ce
1 parent c3cb467
commit 26915ce
Showing 1 changed file with 12 additions and 7 deletions.
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
@@ -26,9 +26,10 @@ let
         type = with types; nullOr str;
         default = null;
         description = ''
-          DEPRECATED BECAUSE IT PUTS A WORLD-READABLE COPY OF THE KEY IN /nix/store!
-
           Base64 private key generated by wg genkey.
+
+          WARNING: Consider using privateKeyFile instead if you don't
+          want to store the key in the world-readable Nix store.
         '';
       };
 
@@ -105,12 +106,13 @@ let
         example = "rVXs/Ni9tu3oDBLS4hOyAUAa1qTWVA3loR8eL20os3I=";
         type = with types; nullOr str;
         description = ''
-          DEPRECATED BECAUSE IT PUTS A WORLD-READABLE COPY OF THE KEY IN /nix/store!
-
           Base64 preshared key generated by wg genpsk. Optional,
           and may be omitted. This option adds an additional layer of
           symmetric-key cryptography to be mixed into the already existing
           public-key cryptography, for post-quantum resistance.
+
+          WARNING: Consider using presharedKeyFile instead if you don't
+          want to store the key in the world-readable Nix store.
         '';
       };
 
@@ -167,11 +169,13 @@ let
     PrivateKey = ${if values.privateKeyFile != null then "$(cat ${values.privateKeyFile})" else values.privateKey}
     ${optionalString (values.listenPort != null)   "ListenPort = ${toString values.listenPort}"}
 
-    ${concatStringsSep "\n\n" (map (peer: ''
+    ${concatStringsSep "\n\n" (map (peer:
+    assert (peer.presharedKeyFile != null) != (peer.presharedKey != null);
+    ''
     [Peer]
     PublicKey = ${peer.publicKey}
     ${optionalString (peer.presharedKeyFile != null) "PresharedKey = $(cat ${peer.presharedKeyFile})"}
-    ${optionalString (peer.presharedKey != null && peer.presharedKeyFile == null) "PresharedKey = ${peer.presharedKey}"}
+    ${optionalString (peer.presharedKey != null) "PresharedKey = ${peer.presharedKey}"}
     ${optionalString (peer.allowedIPs != []) "AllowedIPs = ${concatStringsSep ", " peer.allowedIPs}"}
     ${optionalString (peer.endpoint != null) "Endpoint = ${peer.endpoint}"}
     ${optionalString (peer.persistentKeepalive != null) "PersistentKeepalive = ${toString peer.persistentKeepalive}"}
@@ -182,7 +186,8 @@ let
   wgCommand = "${pkgs.wireguard}/bin/wg";
 
   generateUnit = name: values:
-    assert (values.privateKey != null || values.privateKeyFile != null);
+    # exactly one way to specify the private key must be set
+    assert (values.privateKey != null) != (values.privateKeyFile != null);
     nameValuePair "wireguard-${name}"
       {
         description = "WireGuard Tunnel - ${name}";