Summary

Adds systemd-networkd support for running Rosenpass alongside WireGuard interfaces managed by systemd-networkd, as requested in #81.

/claim #81

What this provides

  • rosenpass-networkd@.service: A systemd template unit specifically designed for systemd-networkd managed WireGuard interfaces. Key differences from the existing rosenpass@.service:

    • Requires=systemd-networkd.service ensures correct startup ordering
    • BindsTo=sys-subsystem-net-devices-%i.device ties Rosenpass lifecycle to the interface managed by systemd-networkd
    • Restart=on-failure for resilience against transient issues
    • Same security hardening as the existing service template
  • Setup helper script (setup-rosenpass-networkd.sh): Automates the generation of WireGuard keys, Rosenpass keys, .netdev/.network files, and the Rosenpass TOML configuration for a given interface name.

  • Validation script (validate-config.sh): Checks that the configuration files are consistent – interface names match, no static PresharedKey is set in the .netdev file (since Rosenpass manages PSK rotation), correct file permissions, etc.

  • Example configurations: Complete two-peer (server/client) examples with .netdev, .network, and Rosenpass .toml files showing how all the pieces fit together.

  • Documentation: Comprehensive README covering quick start, manual setup, architecture explanation (how PSK rotation works with systemd-networkd), troubleshooting, and file layout reference.

How it works

systemd-networkd creates and owns the WireGuard device via .netdev/.network files. Rosenpass performs the post-quantum key exchange and supplies the resulting symmetric key to WireGuard as a pre-shared key using wg set. The PSK is rotated approximately every two minutes. This is the same mechanism the standalone rosenpass tool already uses – the key insight is that systemd-networkd only configures the initial device state, so runtime PSK updates via wg set work independently and without conflict.
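As an added example, not the PR's own validate-config.sh (whose contents are not shown here), the following POSIX sh implements the consistency checks the validation script bullet describes, applied to a constructed .netdev/.network pair, and enforces the point made above: the PSK belongs to Rosenpass at runtime, so a static PresharedKey= in the .netdev is a misconfiguration. It assumes GNU stat for the permission check (Linux, where systemd-networkd runs) and uses placeholder key material.

```shell
# Added example, not the PR's validate-config.sh. Assumes GNU stat (Linux).

# ini_get FILE SECTION KEY: print the first KEY=value found in [SECTION]
ini_get() {
    awk -v sec="[$2]" -v key="$3=" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && index($0, key) == 1 { print substr($0, length(key) + 1); exit }
    ' "$1"
}

# check_config IFACE NETDEV NETWORK: returns 0 if consistent, 1 otherwise; prints findings
check_config() {
    iface=$1 netdev=$2 network=$3 rc=0
    name=$(ini_get "$netdev" NetDev Name)
    [ "$name" = "$iface" ] || { echo "NetDev Name '$name' != '$iface'"; rc=1; }
    [ "$(ini_get "$netdev" NetDev Kind)" = wireguard ] || { echo "Kind is not wireguard"; rc=1; }
    [ "$(ini_get "$network" Match Name)" = "$iface" ] || { echo ".network Match Name != '$iface'"; rc=1; }
    # Rosenpass installs the PSK at runtime with 'wg set'; a static PresharedKey=
    # in the .netdev is dead configuration that misleads the operator.
    if grep -q '^PresharedKey=' "$netdev"; then
        echo "static PresharedKey= in $netdev (Rosenpass rotates the PSK)"; rc=1
    fi
    # The private key file must exist and must not be readable by 'other'
    # (0600, or 0640 for the systemd-network group, both end in 0).
    pk=$(ini_get "$netdev" WireGuard PrivateKeyFile)
    if [ -n "$pk" ]; then
        case "$(stat -c %a "$pk" 2>/dev/null)" in
            *0) ;;
            *)  echo "$pk missing or readable by other"; rc=1 ;;
        esac
    fi
    return "$rc"
}

# write_sample_configs DIR IFACE: constructed sample files with placeholder keys
write_sample_configs() {
    printf 'PLACEHOLDER-PRIVATE-KEY\n' > "$1/$2.key"; chmod 0640 "$1/$2.key"
    printf '[NetDev]\nName=%s\nKind=wireguard\n[WireGuard]\nPrivateKeyFile=%s\nListenPort=51820\n[WireGuardPeer]\nPublicKey=PLACEHOLDER-PEER-PUBKEY\nAllowedIPs=10.0.0.2/32\n' \
        "$2" "$1/$2.key" > "$1/$2.netdev"
    printf '[Match]\nName=%s\n[Network]\nAddress=10.0.0.1/24\n' "$2" > "$1/$2.network"
}

# Demo: a consistent pair passes the checks.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir" rp0
check_config rp0 "$demo_dir/rp0.netdev" "$demo_dir/rp0.network" && echo "rp0: consistent"
```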

Files added

systemd-networkd/
  README.md                     # Comprehensive documentation
  rosenpass-networkd@.service   # systemd template unit
  setup-rosenpass-networkd.sh   # Setup automation script
  validate-config.sh            # Configuration validator
  examples/
    rosenpass0.netdev           # Generic .netdev template
    rosenpass0.network          # Generic .network template
    rosenpass0.toml             # Generic Rosenpass config template
    peer-a.netdev               # Server-side .netdev
    peer-a.network              # Server-side .network
    peer-a-rosenpass.toml       # Server-side Rosenpass config
    peer-b.netdev               # Client-side .netdev
    peer-b.network              # Client-side .network
    peer-b-rosenpass.toml       # Client-side Rosenpass config

Also added a brief reference to the systemd-networkd integration in the main readme.md.

Test plan

  • Verify .netdev and .network files are valid systemd-networkd configurations (can be tested with systemd-analyze verify on a systemd system)
  • Verify the rosenpass-networkd@.service template loads correctly with systemd-analyze verify
  • Run setup-rosenpass-networkd.sh on a test system to confirm it generates all files correctly
  • Set up a two-peer test: start systemd-networkd with the generated configs, enable rosenpass-networkd@rp0.service on both peers, and verify that wg show rp0 preshared-keys shows rotating keys
  • Confirm that stopping systemd-networkd (removing the interface) correctly stops the Rosenpass service via the BindsTo dependency

Claim

Total prize pool: $150
Total paid: $0
Status: Pending
Submitted: February 10, 2026
Last updated: February 10, 2026

Contributors

buildingvibes (@buildingvibes): 100%

Sponsors

Rosenpass (@rosenpass): $150