author | Félix Baylac-Jacqué <felix@alternativebit.fr> | 2019-06-24 17:36:08 +0200 |
committer | David Guibert <david.guibert@gmail.com> | 2019-08-21 11:11:28 +0200 |
commit | 0528816570bf5a80ee396c1eb171b4cefae5ca62 (patch) | |
tree | a88ab3a35c56dd0c844a0abba9dd4aeb17c4afb4 /nixos/modules/system | |
parent | 7fd91a898b0d61f7c5e2d7c2b1fb5272c9b6d8af (diff) |
systemd-networkd: add tests
(cherry picked from commit ec073e41a0dc8273cd81cf61fa37004310120af2)
Diffstat (limited to 'nixos/modules/system')
-rw-r--r-- | nixos/modules/system/boot/networkd.nix | 42 |
1 files changed, 33 insertions, 9 deletions
diff --git a/nixos/modules/system/boot/networkd.nix b/nixos/modules/system/boot/networkd.nix
index 2109b0cb15946..f2060e21509c9 100644
--- a/nixos/modules/system/boot/networkd.nix
+++ b/nixos/modules/system/boot/networkd.nix
@@ -55,18 +55,25 @@ let
 (assertMacAddress "MACAddress")
 ];
+ # NOTE The PrivateKey directive is missing on purpose here, please
+ # do not add it to this list. The nix store is world-readable let's
+ # refrain ourselves from providing a footgun.
 checkWireGuard = checkUnitConfig "WireGuard" [
 (assertOnlyFields [
- "PrivateKey" "PrivateKeyFile" "ListenPort" "FwMark"
+ "PrivateKeyFile" "ListenPort" "FwMark"
 ])
- #(assertRange "ListenPort" 1 65535) # Or "auto"
+ (assertRange "FwMark" 1 4294967295)
 ];
+ # NOTE The PresharedKey directive is missing on purpose here, please
+ # do not add it to this list. The nix store is world-readable,let's
+ # refrain ourselves from providing a footgun.
 checkWireGuardPeer = checkUnitConfig "WireGuardPeer" [
 (assertOnlyFields [
- "PublicKey" "PresharedKey" "AllowedIPs" "Endpoint" "PersistentKeepalive"
+ "PublicKey" "PresharedKeyFile" "AllowedIPs"
+ "Endpoint" "PersistentKeepalive"
 ])
- # (assertRange "PersistentKeepalive" 1 65535) # defined as "nullOr int"
+ (assertRange "PersistentKeepalive" 1 65535)
 ];
 checkVlan = checkUnitConfig "VLAN" [
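Review bot: The new `(assertRange "PersistentKeepalive" 1 65535)` rejects 0, which systemd.netdev(5) appears to document as the value that disables keepalive; if that is so, `(assertRange "PersistentKeepalive" 0 65535)` is the check that matches the upstream contract, so please confirm against the man page before merging. Dropping `PrivateKey` and `PresharedKey` from the allow-lists only blocks inline keys: a `PrivateKeyFile` or `PresharedKeyFile` value written as a path literal (e.g. `./secret.key`) would be copied into the store when it is rendered into the unit, so a companion check in the style of `assertRange` that rejects values beginning with `/nix/store/` would close that gap. The two NOTE comments also need punctuation fixes: `world-readable let's` → `world-readable, let's` and `world-readable,let's` → `world-readable, let's`. The enclosing `let` block starts and ends outside the hunk.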
@@ -336,24 +343,41 @@ let
 wireguardConfig = mkOption {
 default = {};
- example = { ListenPort="auto"; };
+ example = {
+ PrivateKeyFile = "/etc/wireguard/secret.key";
+ ListenPort = 51820;
+ FwMark = 42;
+ };
 type = types.addCheck (types.attrsOf unitOption) checkWireGuard;
 description = ''
 Each attribute in this set specifies an option in the
- <literal>[WireGuard]</literal> section of the unit. See
+ <literal>[WireGuard]</literal> section of the unit. See
 <citerefentry><refentrytitle>systemd.netdev</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details.
+ Use <literal>PrivateKeyFile</literal> instead of
+ <literal>PrivateKey</literal>: the nix store is
+ world-readable.
 '';
 };
 wireguardPeers = mkOption {
- default = [ ];
+ default = [];
+ example = [ { wireguardPeerConfig={
+ Endpoint = "192.168.1.1:51820";
+ PublicKey = "27s0OvaBBdHoJYkH9osZpjpgSOVNw+RaKfboT/Sfq0g=";
+ PresharedKeyFile = "/etc/wireguard/psk.key";
+ AllowedIPs = [ "10.0.0.1/32" ];
+ PersistentKeepalive = 15;
+ };}];
 type = with types; listOf (submodule wireguardPeerOptions);
 description = ''
- Each attribute in this set specifies an option in the
- <literal>[WireGuardPeer]</literal> section of the unit. See
+ Each item in this array specifies an option in the
+ <literal>[WireGuardPeer]</literal> section of the unit. See
 <citerefentry><refentrytitle>systemd.netdev</refentrytitle> <manvolnum>5</manvolnum></citerefentry> for details.
+ Use <literal>PresharedKeyFile</literal> instead of
+ <literal>PresharedKey</literal>: the nix store is
+ world-readable.
 '';
 }; |
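Review bot: The added description sentence `Use <literal>PrivateKeyFile</literal> instead of <literal>PrivateKey</literal>: the nix store is world-readable.` does not tell the reader that the referenced file itself must live outside the store, and the same applies to the `PresharedKeyFile` sentence on the peer option; suggest `Use <literal>PrivateKeyFile</literal>, pointing at a file outside the nix store, instead of <literal>PrivateKey</literal>: the nix store is world-readable.` (and the analogous wording for the peer), since a path literal such as `./secret.key` would itself be copied into the store. `Each item in this array` should read `Each item in this list`, as the option type is `listOf`. The new example `[ { wireguardPeerConfig={ ... };}]` is spaced unlike the `example = { ... };` attribute set a few lines above; `[ { wireguardPeerConfig = { ... }; } ]` would read consistently. The `wireguardPeerOptions` submodule and the enclosing `let` are outside the hunk.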