author | Alex Auvolat <alex@adnab.me> | 2023-03-09 16:39:58 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2023-03-17 17:17:56 +0100 |
commit | 6664affaa0127123d9eeae54128f845246ec7194 (patch) | |
tree | fb0b5cd7c7d4bf2af64afbcd671ac105de76f146 /nix/wgautomesh.nix | |
parent | a3edbb4100c992f46a5d586d3f516ab012b9cab4 (diff) | |
download | nixcfg-6664affaa0127123d9eeae54128f845246ec7194.tar.gz nixcfg-6664affaa0127123d9eeae54128f845246ec7194.zip |
wgautomesh gossip secret file
Diffstat (limited to 'nix/wgautomesh.nix')
-rw-r--r-- | nix/wgautomesh.nix | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/nix/wgautomesh.nix b/nix/wgautomesh.nix
index 8812fb3..c09b874 100644
--- a/nix/wgautomesh.nix
+++ b/nix/wgautomesh.nix
@@ -23,6 +23,10 @@ in
 type = types.port;
 description = "wgautomesh gossip port";
 };
+ gossipSecretFile = mkOption {
+ type = types.nullOr types.str;
+ description = "File containing the gossip secret encryption key";
+ };
 lanDiscovery = mkOption {
 type = types.bool;
 default = true;
@@ -72,13 +76,16 @@ in
 ${endpointDef}
 '') cfg.peers;
 extraDefs = (if cfg.lanDiscovery then ["lan_discovery = true"] else [])
+ ++ (if (cfg.gossipSecretFile != null)
+ then [''gossip_secret_file = "${cfg.gossipSecretFile}"''] else [])
 ++ (if (cfg.upnpForwardPublicPort != null)
 then [''upnp_forward_external_port = ${toString cfg.upnpForwardPublicPort}''] else []);
 configfile = pkgs.writeText "wgautomesh.toml" ''
 interface = "${cfg.interface}"
 gossip_port = ${toString cfg.gossipPort}
+ ${concatStringsSep "\n" extraDefs}
- ${concatStringsSep "\n" (extraDefs ++ peerDefs)}
+ ${concatStringsSep "\n" peerDefs}
 '';
 in {
 systemd.services.wgautomesh = {
@@ -95,7 +102,12 @@ in
 Restart = "always";
 RestartSec = "30";
+ ExecStartPre = [ "+${pkgs.coreutils}/bin/chown wgautomesh /var/lib/wgautomesh/gossip_secret" ];
+ DynamicUser = true;
+ User = "wgautomesh";
+ StateDirectory = "wgautomesh";
+ StateDirectoryMode = "0700";
 AmbientCapabilities = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
 CapabilityBoundingSet = "CAP_NET_ADMIN CAP_NET_BIND_SERVICE";
 }; |
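Review bot: `gossipSecretFile` is declared as `types.nullOr types.str` with no `default`, so the `cfg.gossipSecretFile != null` test in the second hunk raises an evaluation error on any host that leaves the option unset instead of taking the `else []` branch; add `default = null;` next to the description, the way `lanDiscovery` carries `default = true;`. The `ExecStartPre` chown in the third hunk is likewise unconditional and hard-codes `/var/lib/wgautomesh/gossip_secret` rather than using the option value, so with the option unset (or pointing elsewhere) the pre-start step fails on a missing file and `Restart = "always"` turns that into a restart loop, while a secret placed at any other path stays unreadable to the service now running as an unprivileged `DynamicUser`. Tying the two together with `ExecStartPre = optional (cfg.gossipSecretFile != null) "+${pkgs.coreutils}/bin/chown wgautomesh ${cfg.gossipSecretFile}";` (assuming `lib` is in scope unqualified, as the bare `mkOption` and `concatStringsSep` suggest) runs the chown only when a secret is actually configured and on the file that was configured. Note that chown alone leaves the file's mode untouched, so the `0700` applied to the state directory does not tighten a secret file that was created world-readable; a `chmod 0600` in the same pre-start step would close that. Both the option set and the systemd unit start and end outside these hunks.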