From 846070e028a6ce6213dc4af3477dc67d73ec3364 Mon Sep 17 00:00:00 2001
From: Andreas Rammhold
Date: Fri, 22 Sep 2017 23:37:54 +0200
Subject: networking.wireguard: added `allowedIpsAsRoutes` boolean to control peer routes

Sometimes (especially in the default route case) it is required to NOT add routes for all allowed IP ranges. One might run it's own custom routing on-top of wireguard and only use the wireguard addresses to exchange prefixes with the remote host.
---
 nixos/modules/services/networking/wireguard.nix | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/services/networking/wireguard.nix b/nixos/modules/services/networking/wireguard.nix
index 4f54b45639f6..27ca0bcc5747 100644
--- a/nixos/modules/services/networking/wireguard.nix
+++ b/nixos/modules/services/networking/wireguard.nix
@@ -95,6 +95,14 @@ let
 type = with types; listOf (submodule peerOpts);
 };
 
+ allowedIPsAsRoutes = mkOption {
+ example = false;
+ default = true;
+ type = types.bool;
+ description = ''
+ Determines whether to add allowed IPs as routes or not.
+ '';
+ };
 };
 };
 
@@ -217,11 +225,11 @@ let
 
 "${ipCommand} link set up dev ${name}"
 
- (map (peer:
+ (lib.optional (values.allowedIPsAsRoutes != false) (map (peer:
 (map (allowedIP:
 "${ipCommand} route replace ${allowedIP} dev ${name} table ${values.table}"
 ) peer.allowedIPs)
- ) values.peers)
+ ) values.peers))
 values.postSetup
 ]);
 
-- 
cgit 1.4.1
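Review bot: The description of the new `allowedIPsAsRoutes` option only restates its name ("Determines whether to add allowed IPs as routes or not") and does not say what `false` means operationally, although that is the whole reason the option exists according to the commit message. The `route replace … dev ${name} table ${values.table}` commands in the second hunk show that these routes go into the interface's configured table, so the description could read: `Whether to add each peer's allowedIPs as routes via this interface (in the interface's configured routing table). When false no routes are added and you must install your own; traffic for those prefixes then follows the rest of the routing table instead of this tunnel.` The subject line also spells the option `allowedIpsAsRoutes`, which does not match the declared name `allowedIPsAsRoutes`. The enclosing interface submodule starts outside this hunk.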
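Review bot: The guard `values.allowedIPsAsRoutes != false` compares a `types.bool` value against `false`, so the comparison is redundant and the line reads more plainly as `(lib.optional values.allowedIPsAsRoutes (map (peer:`; if the module already opens with `with lib;` (suggested by the unprefixed `mkOption` and `types` in the first hunk) the bare `optional` would match the rest of the file. Note also that `lib.optional` wraps the already nested `map` result in one more list level, so the element shape changes from `[ [ "cmd" … ] … ]` to `[ [ [ "cmd" … ] … ] ]`; that is only harmless if the surrounding expression flattens the list it builds, which looks likely from the existing nested `map` but is not visible here. The list this hunk extends and its enclosing `let` binding both start outside the hunk.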