From df8fbb42beea602da6b4a535299b94be0a139d64 Mon Sep 17 00:00:00 2001
From: ismay <git@ismay.email>
Date: Wed, 18 Mar 2026 10:22:52 +0100
Subject: [PATCH 1/2] Fix flake not accepting keyFile option

---
 flake.nix | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/flake.nix b/flake.nix
index 0551f6a..bffd08f 100644
--- a/flake.nix
+++ b/flake.nix
@@ -78,7 +78,8 @@
               };
 
               key = mkOption {
-                type = types.str;
+                type = types.nullOr types.str;
+                default = null;
                 description = "Obfuscation key (must match on both sides)";
                 example = "your_secret_key";
               };
@@ -202,7 +203,7 @@
               }
               {
                 assertion = all (inst:
-                  inst.enable -> (inst.key != "" || inst.keyFile != null)
+                  inst.enable -> (inst.key != null || inst.keyFile != null)
                 ) (attrValues cfg.instances);
                 message = "Each enabled wg-obfuscator instance must have either 'key' or 'keyFile' set";
               }
@@ -263,7 +264,7 @@
                       max-clients = ${toString inst.maxClients}
                       idle-timeout = ${toString inst.idleTimeout}
                       max-dummy = ${toString inst.maxDummy}
-                    '') (attrValues instances)
+                    '') instances
                   )}
                   EOF
 

From da665fb6f6656925c77728b6819aac5f73cc0323 Mon Sep 17 00:00:00 2001
From: Alexey Cluster <cluster@cluster.wtf>
Date: Thu, 2 Apr 2026 00:14:27 +0200
Subject: [PATCH 2/2] Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 flake.nix | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/flake.nix b/flake.nix
index bffd08f..72cf628 100644
--- a/flake.nix
+++ b/flake.nix
@@ -80,7 +80,7 @@
               key = mkOption {
                 type = types.nullOr types.str;
                 default = null;
-                description = "Obfuscation key (must match on both sides)";
+                description = "Obfuscation key (must match on both sides; required when keyFile is not set)";
                 example = "your_secret_key";
               };
 
@@ -203,9 +203,17 @@
               }
               {
                 assertion = all (inst:
-                  inst.enable -> (inst.key != null || inst.keyFile != null)
+                  inst.enable ->
+                    (
+                      inst.keyFile != null
+                      || (
+                        inst.key != null
+                        && builtins.stringLength inst.key >= 1
+                        && builtins.stringLength inst.key <= 255
+                      )
+                    )
                 ) (attrValues cfg.instances);
-                message = "Each enabled wg-obfuscator instance must have either 'key' or 'keyFile' set";
+                message = "Each enabled wg-obfuscator instance must have either 'keyFile' set, or 'key' set to a string of length 1–255 characters";
               }
             ];