
systemd credentials not working for multiple keys like private and preshared key #365402

Closed
svistoi opened this issue Dec 15, 2024 · 2 comments · Fixed by #365407
Labels
0.kind: bug Something is broken

Comments

svistoi commented Dec 15, 2024

Describe the bug

#364078 introduced a switch to use systemd credentials. This fails when both private key and preshared key files are specified.

The cause appears to be that LoadCredential=wireguard-wg0-private-key:/run/secrets/wireguard-wg0-private-key wireguard-wg0-my-peer-preshared-key:/run/secrets/wireguard-wg0-preshared-key is not a valid way to specify multiple secrets.

This results in Failed to deserialize: Invalid Argument errors, and systemd-networkd not coming up.

Steps To Reproduce

Configuration below, with some of the data redacted

  networking = {
    wireguard = {
      enable = true;
      useNetworkd = true;
      interfaces.wg0 = {
        ips = [ "10.0.0.1/32" ];
        privateKeyFile = "/run/secrets/wireguard-wg0-private-key";
        allowedIPsAsRoutes = true;
        peers = [
          {
            name = "my-peer";
            publicKey = "redacted";
            presharedKeyFile = "/run/secrets/wireguard-wg0-preshared-key";
            allowedIPs = [ "0.0.0.0/0" ];
            endpoint = "my.host.redacted";
            persistentKeepalive = 15;
          }
        ];
      };
    };
  };

On the target system, inspecting the override.conf produced in terms of LoadCredential and trying it out:

systemd-run -P --wait -p 'LoadCredential=wireguard-wg0-private-key:/run/secrets/wireguard-wg0-private-key wireguard-wg0-my-peer-preshared-key:/run/secrets/wireguard-wg0-preshared-key' systemd-creds list
Running as unit: run-u11.service; invocation ID: 1263d4494a624e67931fc967519f6632
Finished with result: exit-code
Main processes terminated with: code=exited, status=1/FAILURE
Service runtime: 36ms
CPU time consumed: 17ms
Memory peak: 1.4M (swap: 0B)

However, multiple lines would have worked:

systemd-run -P --wait -p 'LoadCredential=wireguard-wg0-private-key:/run/secrets/wireguard-wg0-private-key' -p 'LoadCredential=wireguard-wg0-my-peer-preshared-key:/run/secrets/wireguard-wg0-preshared-key' systemd-creds list
Running as unit: run-u12.service; invocation ID: 046e58dd1fe4452a847e545382e32826
NAME                                SECURE SIZE PATH                                                                
wireguard-wg0-my-peer-preshared-key weak    44B /run/credentials/run-u12.service/wireguard-wg0-my-peer-preshared-key
wireguard-wg0-private-key           weak    44B /run/credentials/run-u12.service/wireguard-wg0-private-key
Finished with result: success
Main processes terminated with: code=exited, status=0/SUCCESS
Service runtime: 73ms
CPU time consumed: 28ms
Memory peak: 1.6M (swap: 0B)
IO bytes read: 72K

Expected behavior

networkd wireguard working with private and preshared key

Additional context

I'm running systemd 256 (256.8), on the nixos-unstable branch, commit 231f5f6370e78d04675c9fa8199be6c3b1b85773.

Notify maintainers

@Majiir
@svistoi svistoi added the 0.kind: bug Something is broken label Dec 15, 2024
networkException added a commit to networkException/nixpkgs that referenced this issue Dec 15, 2024
…ltiple keys per interface

This patch fixes systemd credential loading for wireguard
with networkd not working when specifying more than one
credential per interface by properly flattening the resulting
multidimensional list instead of falling back on string concat
with a space.

Resolves NixOS#365402
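As an added example (not nixpkgs or systemd code), the two drop-in shapes compared on this page and the flattening the commit message describes, in Python: the buggy generator joins an interface's credentials into one space-separated LoadCredential= value, the fixed one flattens interfaces and peers into one LoadCredential= line per credential. Interface names, peer names and secret paths below are constructed from the reporter's configuration; the `valid_directive` check is a simple sanity test, not a systemd API.

```python
# Added example (not code from nixpkgs or systemd): generate the networkd
# drop-in LoadCredential= lines for WireGuard interfaces.  The bug on this
# page came from joining an interface's credentials into ONE LoadCredential=
# value separated by spaces; systemd takes one ID:PATH pair per
# LoadCredential= line, so the fix is to flatten the nested list and emit
# one line per credential.

# Constructed sample mirroring the issue's reproducer, plus a second
# interface with only a private key (as in the reporter's follow-up test).
INTERFACES = {
    "wg0": {
        "privateKeyFile": "/run/secrets/wireguard-wg0-private-key",
        "peers": [{"name": "my-peer",
                   "presharedKeyFile": "/run/secrets/wireguard-wg0-preshared-key"}],
    },
    "wg1": {
        "privateKeyFile": "/run/secrets/wireguard-wg1-private-key",
        "peers": [{"name": "other", "presharedKeyFile": None}],
    },
}


def credentials(iface: str, cfg: dict) -> list[tuple[str, str]]:
    """(id, source path) pairs for one interface, ids named as in the issue."""
    creds = [(f"wireguard-{iface}-private-key", cfg["privateKeyFile"])]
    for peer in cfg["peers"]:
        if peer.get("presharedKeyFile"):
            creds.append((f"wireguard-{iface}-{peer['name']}-preshared-key",
                          peer["presharedKeyFile"]))
    return creds


def buggy_dropin(interfaces: dict) -> list[str]:
    """The failing shape: every credential of an interface on one line."""
    return ["LoadCredential=" + " ".join(f"{i}:{p}" for i, p in credentials(n, c))
            for n, c in interfaces.items()]


def fixed_dropin(interfaces: dict) -> list[str]:
    """Flatten across interfaces and peers: one LoadCredential= per credential."""
    return [f"LoadCredential={i}:{p}"
            for n, c in interfaces.items() for i, p in credentials(n, c)]


def valid_directive(line: str) -> bool:
    """Sanity check (hypothetical helper): one non-empty value, no whitespace."""
    prefix = "LoadCredential="
    if not line.startswith(prefix):
        return False
    value = line[len(prefix):]
    return bool(value) and not any(ch.isspace() for ch in value)


if __name__ == "__main__":
    for line in buggy_dropin(INTERFACES) + fixed_dropin(INTERFACES):
        print("ok  " if valid_directive(line) else "BAD ", line)
```

Run as a script it prints BAD for the wg0 line of the buggy shape (two pairs in one value) and ok for every line of the fixed shape, matching the two systemd-run experiments in the report.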
networkException (Member)

Can you test the changes from #365407? For example by specifying

imports = [
  ./path/to/updated-module.nix
];

disabledModules = [
  "services/networking/wireguard-networkd.nix"
];

svistoi (Author) commented Dec 15, 2024

Thanks very much!

Works for 2 interfaces, 1 with just private key, 1 with private and preshared key.

@misuzu misuzu closed this as completed in 1fc9378 Dec 16, 2024
mkg20001 pushed a commit to mkg20001/nixpkgs that referenced this issue Dec 17, 2024
mkg20001 pushed a commit to mkg20001/nixpkgs that referenced this issue Dec 17, 2024
mkg20001 pushed a commit to mkg20001/nixpkgs that referenced this issue Dec 18, 2024