From 3061dfc88bed66f79a11f99fb73e4e14a00dfa32 Mon Sep 17 00:00:00 2001
From: Majiir Paktu
Date: Fri, 7 Nov 2025 12:45:09 -0500
Subject: [PATCH] nixos/wireguard-networkd: refresh peer endpoint without deleting link

As of systemd v257, netdevs can be reconfigured by modifying the netdev config file and reloading (not restarting) networkd. This leaves the interface index unchanged and should generally be less disruptive.
---
 .../services/networking/wireguard-networkd.nix | 14 +++++++++++---
 nixos/modules/services/networking/wireguard.nix | 9 ---------
 2 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/nixos/modules/services/networking/wireguard-networkd.nix b/nixos/modules/services/networking/wireguard-networkd.nix
index 0dc9f5b8d91c..08a5f635e331 100644
--- a/nixos/modules/services/networking/wireguard-networkd.nix
+++ b/nixos/modules/services/networking/wireguard-networkd.nix
@@ -101,15 +101,22 @@ let
 iproute2
 systemd
 ];
- # networkd doesn't provide a mechanism for refreshing endpoints.
+ # networkd doesn't automatically refresh peer endpoints.
 # See: https://github.com/systemd/systemd/issues/9911
- # This hack does the job but takes down the whole interface to do it.
 script = ''
- ip link delete ${name} || :
+ touch /etc/systemd/network/40-${name}.netdev
 networkctl reload
 '';
 };
+ # netdev config must be a real file (not a symlink to a store file)
+ # so the refresh service can 'touch' it.
+ generateRefreshNetdevMode =
+ name: interface:
+ nameValuePair "systemd/network/40-${name}.netdev" {
+ mode = "0444";
+ };
 in
 {
 meta.maintainers = [ lib.maintainers.majiir ];
@@ -225,6 +232,7 @@ in
 networks = mapAttrs generateNetwork cfg.interfaces;
 };
+ environment.etc = mapAttrs' generateRefreshNetdevMode refreshEnabledInterfaces;
 systemd.timers = mapAttrs' generateRefreshTimer refreshEnabledInterfaces;
 systemd.services = (mapAttrs' generateRefreshService refreshEnabledInterfaces) // {
 systemd-networkd.serviceConfig.LoadCredential = flatten (
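Review bot: The refresh service becomes a silent no-op on a systemd older than v257, because `touch` followed by `networkctl reload` only reconfigures an existing netdev from that version on (per the commit message), while nothing in the module checks or documents the requirement now that the option's networkd warning in wireguard.nix is deleted without replacement. I'd record it next to the comment in `script`, e.g. `# Requires systemd >= 257: reloading networkd reconfigures an existing netdev in place.`, and consider an assertion on `config.systemd.package.version` via `lib.versionAtLeast` so a mismatch fails at evaluation instead of as a timer that never refreshes. On `generateRefreshNetdevMode`, `mode = "0444"` makes the netdev a world-readable real file under /etc; that matches the store path it previously symlinked to, so exposure is unchanged only as long as no secret (PrivateKey, PresharedKey) is inlined in the netdev — the LoadCredential line in the second hunk suggests keys go through credentials, but it is worth confirming, and a comment such as `# world-readable, same as the store path; key material must stay in credentials` would make the intent explicit. The `let` block both hunks sit in starts and ends outside the hunks.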
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 7d266d483fb1..771301852745 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -215,15 +215,6 @@ let
 This option can be set or overridden for individual peers.
 Setting this to `0` disables periodic refresh.
-
- ::: {.warning}
- When {option}`networking.wireguard.useNetworkd` is enabled, this
- option deletes the Wireguard interface and brings it back up by
- reconfiguring the network with `networkctl reload` on every refresh.
- This could have adverse effects on your network and cause brief
- connectivity blips. See [systemd/systemd#9911](https://github.com/systemd/systemd/issues/9911)
- for an upstream feature request that can make this less hacky.
- :::
 '';
 };