From 458ac47a1d5491dfb610cb8faaffcf5d5445b224 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Na=C3=AFm=20Favier?=
Date: Tue, 29 Mar 2022 21:18:46 +0200
Subject: [PATCH] nixos/wg-quick: improve usage with systemd-networkd

Use `networking.resolvconf.package` to allow DNS entries to be set using the system-wide resolver implementation instead of hardcoding systemd or openresolv. Extend the tests by adding DNS entries and making one of the peers use systemd-networkd (hence systemd-resolved). Also add a few `networkd`-specific settings.
---
 nixos/modules/services/networking/wg-quick.nix | 8 +++++++-
 nixos/tests/wireguard/wg-quick.nix | 5 +++++
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/networking/wg-quick.nix b/nixos/modules/services/networking/wg-quick.nix
index 236d3f452e7e..d44fad4202bb 100644
--- a/nixos/modules/services/networking/wg-quick.nix
+++ b/nixos/modules/services/networking/wg-quick.nix
@@ -273,7 +273,7 @@ let
 after = [ "network.target" "network-online.target" ];
 wantedBy = optional values.autostart "multi-user.target";
 environment.DEVICE = name;
- path = [ pkgs.kmod pkgs.wireguard-tools ];
+ path = [ pkgs.kmod pkgs.wireguard-tools config.networking.resolvconf.package ];
 serviceConfig = {
 Type = "oneshot";
@@ -332,5 +332,11 @@ in {
 # breaks the wg-quick routing because wireguard packets leave with a fwmark from wireguard.
 networking.firewall.checkReversePath = false;
 systemd.services = mapAttrs' generateUnit cfg.interfaces;
+
+ # Prevent networkd from clearing the rules set by wg-quick when restarted (e.g. when waking up from suspend).
+ systemd.network.config.networkConfig.ManageForeignRoutingPolicyRules = mkDefault false;
+
+ # WireGuard interfaces should be ignored in determining whether the network is online.
+ systemd.network.wait-online.ignoredInterfaces = builtins.attrNames cfg.interfaces;
 };
 }
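Review bot: The `dns` option's effect now depends on which resolver implementation `networking.resolvconf.package` provides, and nothing in the module documents that; with openresolv the servers end up in the system-wide resolv.conf, whereas systemd-resolved's resolvconf compatibility wrapper attaches them to the WireGuard link only, so whether names outside the tunnel are resolved through the tunnel's servers depends on resolved's per-link domain routing rather than on this module. I'd extend the `dns` option description (outside this hunk) with something like: `Applied through networking.resolvconf.package; openresolv installs these system-wide, while systemd-resolved scopes them to this link, so check the resolver's link settings if all queries must go through the tunnel.` The added reference to `config` assumes it is among the module's arguments, which is not visible here; the generated unit continues past the hunk.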
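Review bot: `ManageForeignRoutingPolicyRules = mkDefault false` is a global networkd setting, so it stops networkd from reconciling foreign policy rules from any source, not only the ones wg-quick installs; rules left behind by a tool that was killed rather than torn down cleanly then survive networkd restarts and keep steering traffic. The comment above it should state that trade-off and the override path, e.g. `# Global setting: networkd will no longer remove *any* foreign policy rules (not only wg-quick's); mkDefault lets hosts that rely on that cleanup turn it back on.` Whether this block sits under a guard such as `mkIf (cfg.interfaces != {})` is not visible in the hunk; if it does not, the setting also reaches hosts that define no wg-quick interface at all.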
diff --git a/nixos/tests/wireguard/wg-quick.nix b/nixos/tests/wireguard/wg-quick.nix
index 961c2e15c30f..bc2cba911888 100644
--- a/nixos/tests/wireguard/wg-quick.nix
+++ b/nixos/tests/wireguard/wg-quick.nix
@@ -29,6 +29,8 @@ import ../make-test-python.nix ({ pkgs, lib, ... }:
 inherit (wg-snakeoil-keys.peer1) publicKey;
 };
+
+ dns = [ "10.23.42.2" "fc00::2" "wg0" ];
 };
 };
 };
@@ -38,6 +40,7 @@ import ../make-test-python.nix ({ pkgs, lib, ... }:
 ip6 = "fd00::2";
 extraConfig = {
 boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; };
+ networking.useNetworkd = true;
 networking.wg-quick.interfaces.wg0 = {
 address = [ "10.23.42.2/32" "fc00::2/128" ];
 inherit (wg-snakeoil-keys.peer1) privateKey;
@@ -49,6 +52,8 @@ import ../make-test-python.nix ({ pkgs, lib, ... }:
 inherit (wg-snakeoil-keys.peer0) publicKey;
 };
+
+ dns = [ "10.23.42.1" "fc00::1" "wg0" ];
 };
 };
 };
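Review bot: The `dns` lists added here and in the third hunk mix server addresses with the bare string `"wg0"`, and nothing explains it; wg-quick treats non-IP entries as DNS search domains, so `"wg0"` is a search domain and not a reference to the interface, which is easy to misread in a test. A one-line comment on each list would avoid that, e.g. `# non-IP entries are search domains for wg-quick; "wg0" exercises that path`. Since peer1 now runs systemd-networkd (second hunk) while peer0 keeps scripted networking, the test would be more convincing if its script asserted that the servers and the search domain actually reached the resolver on both peers instead of only checking that traffic flows; the test script is outside these hunks, so I cannot tell whether it already does.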