Merge pull request #8041 from zx2c4-forks/jd/doc-fixups

WireGuard documentation fixes

1 files changed, 9 insertions, 3 deletions

diff --git a/man/systemd.netdev.xml b/man/systemd.netdev.xml
index eb86db9792..2f67d2f223 100644
--- a/man/systemd.netdev.xml
+++ b/man/systemd.netdev.xml
@@ -1025,7 +1025,10 @@
           <para>The Base64 encoded private key for the interface. It can be
             generated using the <command>wg genkey</command> command
             (see <citerefentry project="wireguard"><refentrytitle>wg</refentrytitle><manvolnum>8</manvolnum></citerefentry>).
-            This option is mandatory to use wireguard.</para>
+            This option is mandatory to use WireGuard.
+            Note that because this information is secret, you may want to set
+            the permissions of the .netdev file to be owned by <literal>root:systemd-networkd</literal>
+            with a <literal>0640</literal> file mode.</para>
         </listitem>
       </varlistentry>
       <varlistentry>
@@ -1040,7 +1043,7 @@
       <varlistentry>
         <term><varname>FwMark=</varname></term>
         <listitem>
-          <para>Sets a firewall mark on outgoing wireguard packets from this interface.</para>
+          <para>Sets a firewall mark on outgoing WireGuard packets from this interface.</para>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -1070,7 +1073,10 @@
             by the <command>wg genpsk</command> command. This option adds an
             additional layer of symmetric-key cryptography to be mixed into the
             already existing public-key cryptography, for post-quantum
-            resistance.</para>
+            resistance.
+            Note that because this information is secret, you may want to set
+            the permissions of the .netdev file to be owned by <literal>root:systemd-networkd</literal>
+            with a <literal>0640</literal> file mode.</para>
         </listitem>
       </varlistentry>
       <varlistentry>