authorAndreas Rammhold <andreas@rammhold.de>2017-09-22 23:37:54 +0200
committerAndreas Rammhold <andreas@rammhold.de>2017-09-25 21:30:52 +0200
commit846070e028a6ce6213dc4af3477dc67d73ec3364 (patch)
treeebf7a97bc9d72044d56ac2e338c55b824314f7df
parent5b6d78194ccb26541b038358c4b81843d5424c2e (diff)
networking.wireguard: added `allowedIpsAsRoutes` boolean to control peer routes
Sometimes (especially in the default route case) it is required to NOT
add routes for all allowed IP ranges. One might run its own custom
routing on top of wireguard and only use the wireguard addresses to
exchange prefixes with the remote host.
-rw-r--r--nixos/modules/services/networking/wireguard.nix12
1 files changed, 10 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 4f54b45639f6..27ca0bcc5747 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -95,6 +95,14 @@ let
         type = with types; listOf (submodule peerOpts);
       };
 
+      allowedIPsAsRoutes = mkOption {
+        example = false;
+        default = true;
+        type = types.bool;
+        description = ''
+          Determines whether to add allowed IPs as routes or not.
+        '';
+      };
     };
 
   };
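Review bot: The description of the new `allowedIPsAsRoutes` option does not say what disabling it means for the operator, which matters because the commit message itself frames it as a default-route case. I would extend it to something like `Whether to add each peer's allowedIPs as routes via this interface (in the table given by table). When false, no routes are installed and it is up to the administrator to route traffic for those prefixes into the interface; otherwise that traffic follows whatever other route matches on the host.` Note also that the commit title spells the option `allowedIpsAsRoutes` while the option added here is `allowedIPsAsRoutes`, which will trip up anyone searching by the title.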
@@ -217,11 +225,11 @@ let
 
             "${ipCommand} link set up dev ${name}"
 
-            (map (peer:
+            (lib.optional (values.allowedIPsAsRoutes != false) (map (peer:
             (map (allowedIP:
             "${ipCommand} route replace ${allowedIP} dev ${name} table ${values.table}"
             ) peer.allowedIPs)
-            ) values.peers)
+            ) values.peers))
 
             values.postSetup
           ]);
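Review bot: The guard on the first `+` line compares a `types.bool` option against `false`, which is redundant, and `lib.optional` wraps the already nested `map`/`map` result in one more list level rather than returning it as-is. Using `lib.optionals` with the bool directly reads more clearly and keeps the nesting the same as before the change: `(lib.optionals values.allowedIPsAsRoutes (map (peer:` for the first changed line, with the closing `) values.peers))` unchanged. The enclosing list that these commands are appended to begins outside the hunk, so I am assuming it is flattened as it already had to be for the nested `map`; if it is not, the extra level introduced by `optional` would also need checking.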