nixos/wireguard-networkd: refresh peer endpoint without deleting link

As of systemd v257, netdevs can be reconfigured by modifying the netdev config file and reloading (not restarting) networkd. This leaves the interface index unchanged and should generally be less disruptive.
2025-11-07 12:45:09 -05:00
parent 7b43e45073
commit 3061dfc88b
2 changed files with 11 additions and 12 deletions
--- a/nixos/modules/services/networking/wireguard-networkd.nix
+++ b/nixos/modules/services/networking/wireguard-networkd.nix
@@ -101,15 +101,22 @@ let
        iproute2
        systemd
      ];
-      # networkd doesn't provide a mechanism for refreshing endpoints.
+      # networkd doesn't automatically refresh peer endpoints.
      # See: https://github.com/systemd/systemd/issues/9911
-      # This hack does the job but takes down the whole interface to do it.
      script = ''
-        ip link delete ${name} || :
+        touch /etc/systemd/network/40-${name}.netdev
        networkctl reload
      '';
    };

+  # netdev config must be a real file (not a symlink to a store file)
+  # so the refresh service can 'touch' it.
+  generateRefreshNetdevMode =
+    name: interface:
+    nameValuePair "systemd/network/40-${name}.netdev" {
+      mode = "0444";
+    };
+
 in
 {
  meta.maintainers = [ lib.maintainers.majiir ];
@@ -225,6 +232,7 @@ in
      networks = mapAttrs generateNetwork cfg.interfaces;
    };

+    environment.etc = mapAttrs' generateRefreshNetdevMode refreshEnabledInterfaces;
    systemd.timers = mapAttrs' generateRefreshTimer refreshEnabledInterfaces;
    systemd.services = (mapAttrs' generateRefreshService refreshEnabledInterfaces) // {
      systemd-networkd.serviceConfig.LoadCredential = flatten (
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -215,15 +215,6 @@ let
            This option can be set or overridden for individual peers.

            Setting this to `0` disables periodic refresh.
-
-            ::: {.warning}
-            When {option}`networking.wireguard.useNetworkd` is enabled, this
-            option deletes the Wireguard interface and brings it back up by
-            reconfiguring the network with `networkctl reload` on every refresh.
-            This could have adverse effects on your network and cause brief
-            connectivity blips. See [systemd/systemd#9911](https://github.com/systemd/systemd/issues/9911)
-            for an upstream feature request that can make this less hacky.
-            :::
          '';
        };