<varlistentry>
<term><varname>PrivateKeyFile=</varname></term>
<listitem>
- <para>Takes a absolute path to a file which contains the Base64 encoded private key for the interface.
+ <para>Takes an absolute path to a file which contains the Base64 encoded private key for the interface.
When this option is specified, then <varname>PrivateKey=</varname> is ignored.
Note that the file must be readable by the user <literal>systemd-network</literal>, so it
should be, e.g., owned by <literal>root:systemd-network</literal> with a
</listitem>
</varlistentry>
<varlistentry>
+ <term><varname>PresharedKeyFile=</varname></term>
+ <listitem>
+ <para>Takes an absolute path to a file which contains the Base64 encoded preshared key for the
+ peer. When this option is specified, then <varname>PresharedKey=</varname> is ignored.
+ Note that the file must be readable by the user <literal>systemd-network</literal>, so it
+ should be, e.g., owned by <literal>root:systemd-network</literal> with a
+ <literal>0640</literal> file mode.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><varname>AllowedIPs=</varname></term>
<listitem>
<para>Sets a comma-separated list of IP (v4 or v6) addresses with CIDR masks
WireGuardPeer.Endpoint, config_parse_wireguard_endpoint, 0, 0
WireGuardPeer.PublicKey, config_parse_wireguard_public_key, 0, 0
WireGuardPeer.PresharedKey, config_parse_wireguard_preshared_key, 0, 0
+WireGuardPeer.PresharedKeyFile, config_parse_wireguard_preshared_key_file, 0, 0
WireGuardPeer.PersistentKeepalive, config_parse_wireguard_keepalive, 0, 0
free(peer->endpoint_host);
free(peer->endpoint_port);
+ free(peer->preshared_key_file);
explicit_bzero_safe(peer->preshared_key, WG_KEY_LEN);
free(peer);
return 0;
}
+int config_parse_wireguard_preshared_key_file(
+ const char *unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ _cleanup_(wireguard_peer_free_or_set_invalidp) WireguardPeer *peer = NULL;
+ _cleanup_free_ char *path = NULL;
+ Wireguard *w;
+ int r;
+
+ assert(data);
+ w = WIREGUARD(data);
+ assert(w);
+
+ r = wireguard_peer_new_static(w, filename, section_line, &peer);
+ if (r < 0)
+ return r;
+
+ if (isempty(rvalue)) {
+ peer->preshared_key_file = mfree(peer->preshared_key_file);
+ TAKE_PTR(peer);
+ return 0;
+ }
+
+ path = strdup(rvalue);
+ if (!path)
+ return log_oom();
+
+ if (path_simplify_and_warn(path, PATH_CHECK_ABSOLUTE, unit, filename, line, lvalue) < 0)
+ return 0;
+
+ free_and_replace(peer->preshared_key_file, path);
+ TAKE_PTR(peer);
+ return 0;
+}
+
int config_parse_wireguard_public_key(
const char *unit,
const char *filename,
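Review bot: config_parse_wireguard_preshared_key_file() only records the path and never opens the file, and nothing in the hunk says where the key is actually loaded; a short header comment would keep a later maintainer from adding a read here, where it would run during parsing instead of once in wireguard_peer_verify(). Suggest `/* PresharedKeyFile=: record the absolute path only; the key is read in wireguard_peer_verify(), which is also where the file must be readable by the systemd-network user. */`. It is also worth stating in that comment that the `path_simplify_and_warn()` failure branch returns without `TAKE_PTR(peer)`, so the `_cleanup_` handler runs and, going by its name, marks the peer section invalid rather than just leaving the previous value in place, which is the opposite of the empty-value branch that resets the path and keeps the section. The trailing context lines belong to config_parse_wireguard_public_key(), whose body continues past the hunk.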
static int wireguard_peer_verify(WireguardPeer *peer) {
NetDev *netdev = NETDEV(peer->wireguard);
+ int r;
if (section_is_invalid(peer->section))
return -EINVAL;
"Ignoring [WireGuardPeer] section from line %u.",
peer->section->filename, peer->section->line);
+ r = wireguard_read_key_file(peer->preshared_key_file, peer->preshared_key);
+ if (r < 0)
+ return log_netdev_error_errno(netdev, r,
+ "%s: Failed to read preshared key from '%s'. "
+ "Ignoring [WireGuardPeer] section from line %u.",
+ peer->section->filename, peer->preshared_key_file,
+ peer->section->line);
+
return 0;
}
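Review bot: The new `wireguard_read_key_file(peer->preshared_key_file, peer->preshared_key)` call runs for every peer, including the common case where `preshared_key_file` is NULL because only PresharedKey= or no key at all was given; this is only correct if the helper treats a NULL path as a no-op returning 0, which the hunk does not show, and if it instead returns an error every peer without PresharedKeyFile= would now be dropped with the new "Failed to read preshared key" message. Making this independent of the helper is one wrapping line, `if (peer->preshared_key_file) {` around the call and its error return, or at least a comment recording that the helper is NULL-safe. On the security side, the man page text in this same commit asks for a `0640 root:systemd-network` file, but nothing here checks or warns when the file is readable by group or others, so a world-readable PSK file is accepted silently; if the read helper does not already do so, a permission/ownership warning there would be the natural place. Rejecting the whole [WireGuardPeer] section when the file cannot be read, rather than silently continuing without a PSK, is the right fail-closed choice and deserves a one-line comment saying so. wireguard_peer_verify()'s header and its earlier section checks sit in the preceding hunk.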
uint8_t public_key[WG_KEY_LEN];
uint8_t preshared_key[WG_KEY_LEN];
+ char *preshared_key_file;
uint32_t flags;
uint16_t persistent_keepalive_interval;
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_private_key);
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_private_key_file);
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_preshared_key);
+CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_preshared_key_file);
CONFIG_PARSER_PROTOTYPE(config_parse_wireguard_keepalive);
[WireGuardPeer]
Endpoint=
PresharedKey=
+PresharedKeyFile=
PersistentKeepalive=
PublicKey=
AllowedIPs=