[PATCH 0/2] Improve customizability of WireGuard service

Status: Done
Participants: Mathieu Othacehe, Richard Sent
Submitted by: Richard Sent
Owner: unassigned
Severity: normal
Richard Sent wrote on 22 Oct 23:21 +0200
(address . guix-patches@gnu.org)
cover.1729632049.git.richard@freakingpenguin.com
Hi all,

The goal for this patch series is to improve wireguard-service's
customizability, primarily by supporting gexps evaluating to strings in most
fields. Prior to this patch, lists of gexps were not serialized to strings,
preventing certain constructs from being used.

This was prompted from an issue I ran into a while back. [1]

I tested the serialization of several config records and did not notice any
issues. I would greatly appreciate if any users of wireguard-service could
confirm their existing configurations still serialize correctly. You can do so
via these guix REPL commands:

$ guix repl -L /path/to/guix/clone/with/patches
,use (guix)
,use (gnu services vpn)
,build ((@@ (gnu services vpn) wireguard-configuration-file)
<paste-your-wireguard-configuration>)

I took the liberty of CCing a few people who previously committed to
WireGuard. Apologies if I committed a faux pas. :)


Richard Sent (2):
services: wireguard: Make the private-key field optional.
services: wireguard: Support lists of gexps for most fields.

doc/guix.texi | 5 ++-
gnu/services/vpn.scm | 74 +++++++++++++++++++++++---------------------
2 files changed, 43 insertions(+), 36 deletions(-)


base-commit: bd26815cf8ce38a3b03676a6e3fc482bb74247cb
--
2.46.0
Richard Sent wrote on 22 Oct 23:25 +0200
[PATCH 1/2] services: wireguard: Make the private-key field optional.
(address . 73955@debbugs.gnu.org)
ec913f9f5e43dd0f809ec45dc437c0b385ba00b3.1729632049.git.richard@freakingpenguin.com
Users who retrieve the private-key via a PreUp field need to be able to
disable the default retrieval mechanism.

* gnu/services/vpn.scm (<wireguard-configuration>)[private-key]: Change
comment.
(wireguard-configuration-file): Conditionally serialize private-key.
* gnu/services/vpn.scm (wireguard-activation): Do not create private-key if
the field is #f.
* doc/guix.texi (VPN Services)[wireguard-configuration]: Document it.

Change-Id: Iac419809ae94eb76e97ff1f1749e2f4b3e65bb04
---
doc/guix.texi | 5 ++++-
gnu/services/vpn.scm | 36 ++++++++++++++++++++----------------
2 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index ac3a7adef0..5558bd7d44 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34453,7 +34453,10 @@ VPN Services
@item @code{private-key} (default: @code{"/etc/wireguard/private.key"})
The private key file for the interface. It is automatically generated
-if the file does not exist.
+if the file does not exist. If this field is @code{#f}, a private key
+is not created and the path is not serialized to the configuration file.
+This allows for retrieving the private key programmatically with a PreUp
+command.
@item @code{peers} (default: @code{'()})
The authorized peers on this interface. This is a list of
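Review bot: the added sentences say what `#f` switches off but not what the user takes over. With `#f` the activation snippet no longer runs its `mkdir-p`/`chmod #o400` either, so the PreUp mechanism alone is responsible for keeping the key material off the config file and out of world-readable paths; a sentence such as `When set to @code{#f}, protecting the key material is entirely up to the PreUp command.` would make that explicit.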
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 7fb4775757..b62e0ac838 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -741,7 +741,7 @@ (define-record-type* <wireguard-configuration>
(default '("10.0.0.1/32")))
(port wireguard-configuration-port ;integer
(default 51820))
- (private-key wireguard-configuration-private-key ;string
+ (private-key wireguard-configuration-private-key ;maybe-string
(default "/etc/wireguard/private.key"))
(peers wireguard-configuration-peers ;list of <wiregard-peer>
(default '()))
@@ -805,9 +805,12 @@ (define (wireguard-configuration-file config)
#$@(if (null? pre-up)
'()
(list (format #f "~{PreUp = ~a~%~}" pre-up)))
- (format #f "PostUp = ~a set %i private-key ~a\
-~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg")
-#$private-key '#$peer-keys)
+ (if #$private-key
+ (format #f "PostUp = ~a set %i private-key ~a\
+~{ peer ~a preshared-key ~a~}"
+ #$(file-append wireguard "/bin/wg")
+ #$private-key '#$peer-keys)
+ "")
#$@(if (null? post-up)
'()
(list (format #f "~{PostUp = ~a~%~}" post-up)))
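Review bot: the `(if #$private-key ... "")` guard wraps the whole PostUp line, including the `~{ peer ~a preshared-key ~a~}` iteration over `peer-keys`, so a configuration with `(private-key #f)` and peers that declare a preshared key silently loses those preshared keys: the tunnel comes up without the extra symmetric layer the user asked for, and nothing reports it. Emit the peer part whenever `peer-keys` is non-empty and make only the key clause conditional, e.g. `"PostUp = ~a set %i~@[ private-key ~a~]~{ peer ~a preshared-key ~a~}"` with `#$private-key` as the `~@[` argument, the same idiom the file already uses for `Table`.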
@@ -838,18 +841,19 @@ (define (wireguard-activation config)
(use-modules (guix build utils)
(ice-9 popen)
(ice-9 rdelim))
- (mkdir-p (dirname #$private-key))
- (unless (file-exists? #$private-key)
- (let* ((pipe
- (open-input-pipe (string-append
- #$(file-append wireguard "/bin/wg")
- " genkey")))
- (key (read-line pipe)))
- (call-with-output-file #$private-key
- (lambda (port)
- (display key port)))
- (chmod #$private-key #o400)
- (close-pipe pipe))))))
+ (when #$private-key
+ (mkdir-p (dirname #$private-key))
+ (unless (file-exists? #$private-key)
+ (let* ((pipe
+ (open-input-pipe (string-append
+ #$(file-append wireguard "/bin/wg")
+ " genkey")))
+ (key (read-line pipe)))
+ (call-with-output-file #$private-key
+ (lambda (port)
+ (display key port)))
+ (chmod #$private-key #o400)
+ (close-pipe pipe)))))))
;;; XXX: Copied from (guix scripts pack), changing define to define*.
(define-syntax-rule (define-with-source (variable args ...) body body* ...)
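Review bot: since this hunk re-indents the whole generation block, it is a good moment to fix its ordering: `call-with-output-file` creates the key file with the process umask and `(chmod #$private-key #o400)` only runs afterwards, leaving a window in which a freshly generated private key may be readable by other local users. Call `(umask #o077)` before `call-with-output-file`, or create the file with `open-fdes` using `O_CREAT|O_EXCL` and mode `#o400`. Separately, if `wg genkey` fails, `read-line` returns the EOF object and `display` writes it into the key file; check `(eof-object? key)` and the `close-pipe` status before writing.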
--
2.46.0
Richard Sent wrote on 22 Oct 23:25 +0200
[PATCH 2/2] services: wireguard: Support lists of gexps for most fields.
(address . 73955@debbugs.gnu.org)
0bb043a194b4c1b7d85921aac16f2fc2cbac2cfd.1729632049.git.richard@freakingpenguin.com
In order to support more flexibility in Wireguard configuration, ungexp the
configuration fields directly instead of ungexp-splicing a sexp
calculator. This allows for the fields to take arbitrary gexps instead of only
strings, which is particularly helpful for the Pre/Post Up/Down commands.

For example, the wg-quick(8) manual has an example on how to use
password-store to retrieve a private key with a PreUp entry. This is now
possible.

* gnu/services/vpn.scm (wireguard-configuration-file): Ungexp configuration
lists instead of ungexp-splicing the code surrounding them.

Change-Id: If074cbb78473b6fd34e0e4e990d2ed268001d6c7
---
gnu/services/vpn.scm | 38 +++++++++++++++++++-------------------
1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index b62e0ac838..21a7fb827a 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -797,33 +797,33 @@ (define (wireguard-configuration-file config)
(define lines
(list
"[Interface]"
- #$@(if (null? addresses)
- '()
- (list (format #f "Address = ~{~a~^, ~}"
- addresses)))
+ (if (null? '#$addresses)
+ ""
+ (format #f "Address = ~{~a~^, ~}"
+ (list #$@addresses)))
(format #f "~@[Table = ~a~]" #$table)
- #$@(if (null? pre-up)
- '()
- (list (format #f "~{PreUp = ~a~%~}" pre-up)))
+ (if (null? '#$pre-up)
+ ""
+ (format #f "~{PreUp = ~a~%~}" (list #$@pre-up)))
(if #$private-key
(format #f "PostUp = ~a set %i private-key ~a\
~{ peer ~a preshared-key ~a~}"
#$(file-append wireguard "/bin/wg")
#$private-key '#$peer-keys)
"")
- #$@(if (null? post-up)
- '()
- (list (format #f "~{PostUp = ~a~%~}" post-up)))
- #$@(if (null? pre-down)
- '()
- (list (format #f "~{PreDown = ~a~%~}" pre-down)))
- #$@(if (null? post-down)
- '()
- (list (format #f "~{PostDown = ~a~%~}" post-down)))
+ (if (null? '#$post-up)
+ ""
+ (format #f "~{PostUp = ~a~%~}" (list #$@post-up)))
+ (if (null? '#$pre-down)
+ ""
+ (format #f "~{PreDown = ~a~%~}" (list #$@pre-down)))
+ (if (null? '#$post-down)
+ ""
+ (format #f "~{PostDown = ~a~%~}" (list #$@post-down)))
(format #f "~@[ListenPort = ~a~]" #$port)
- #$@(if (null? dns)
- '()
- (list (format #f "DNS = ~{~a~^, ~}" dns)))))
+ (if (null? '#$dns)
+ ""
+ (format #f "DNS = ~{~a~^, ~}" (list #$@dns)))))
(mkdir #$output)
(chdir #$output)
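Review bot: each empty field now contributes `""` to `lines` where `#$@` used to splice in nothing, so the written file gains a blank line for every unset field; wg-quick tolerates that, but it defeats the cover letter's request to confirm that existing configurations still serialize identically. Wrapping the list as `(remove string-null? (list ...))` (importing `(srfi srfi-1)` in the gexp) keeps the output byte-for-byte the same. Worth a comment too: values are spliced into the file through `~a` verbatim, so a gexp evaluating to a string that contains a newline introduces additional directives into the generated config.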
--
2.46.0
Mathieu Othacehe wrote on 23 Oct 11:26 +0200
(name . Richard Sent)(address . richard@freakingpenguin.com)
87cyjr2mrh.fsf@gnu.org
Hello Richard,

Thanks for this series.

The first commit looks OK to me.

> For example, the wg-quick(8) manual has an example on how to use
> password-store to retrieve a private key with a PreUp entry. This is now
> possible.

It would be interesting to provide some testing for that. Sadly, we do
not have a system test for Wireguard yet. We only have a unit test file
in (tests services vpn).

Adding a new (gnu tests vpn) module would be great in the future to test
different Wireguard configurations.

That can of course be done later on :)

Regarding this patch, the documentation is somehow vague on how to pass
post and pre commands:

@item @code{post-up} (default: @code{'()})
The script commands to be run after setting up the interface.

...

Maybe you could elaborate on that a little bit and give some examples
that would be the translation of some of the post and pre commands that
are given in the wg-quick man page?

Thanks,

Mathieu
Richard Sent wrote on 23 Oct 17:30 +0200
[PATCH v2 0/2] Improve customizability in WireGuard service
(address . 73955@debbugs.gnu.org)
cover.1729697407.git.richard@freakingpenguin.com
Hi all,

Thanks for the quick review Mathieu!

This patch is largely the same as before, but I spent some time
adjusting the documentation and adding an example of retrieving the
private key programmatically.

One interesting tidbit is pre-up and pals can alternatively be wrapped
in the gexp directly instead of each entry being gexp'd individually.

> ;; normal
> (pre-up (list #~(string-append "wg set %i private-key <("
>                                #$(file-append password-store "/bin/pass")
>                                " WireGuard/private-keys/%i)")))
>
> ;; alternative
> (pre-up #~((string-append "wg set %i private-key <("
>                           #$(file-append password-store "/bin/pass")
>                           " WireGuard/private-keys/%i)")))

I see why this works (and it should work with any other service that
handles config lists with splicing+list wrapping), but it does feel a
little bit odd.

Seeing as how no other service seems to use the alternative form, I
opted to document the former.

Richard Sent (2):
services: wireguard: Make the private-key field optional.
services: wireguard: Support lists of gexps for most fields.

doc/guix.texi | 36 ++++++++++++++++-----
gnu/services/vpn.scm | 75 +++++++++++++++++++++++---------------------
2 files changed, 69 insertions(+), 42 deletions(-)


base-commit: bd26815cf8ce38a3b03676a6e3fc482bb74247cb
--
2.46.0
Richard Sent wrote on 23 Oct 17:30 +0200
[PATCH v2 1/2] services: wireguard: Make the private-key field optional.
(address . 73955@debbugs.gnu.org)
ec913f9f5e43dd0f809ec45dc437c0b385ba00b3.1729697407.git.richard@freakingpenguin.com
Users who retrieve the private-key via a PreUp field need to be able to
disable the default retrieval mechanism.

* gnu/services/vpn.scm (<wireguard-configuration>)[private-key]: Change
comment.
(wireguard-configuration-file): Conditionally serialize private-key.
* gnu/services/vpn.scm (wireguard-activation): Do not create private-key if
the field is #f.
* doc/guix.texi (VPN Services)[wireguard-configuration]: Document it.

Change-Id: Iac419809ae94eb76e97ff1f1749e2f4b3e65bb04
---
doc/guix.texi | 5 ++++-
gnu/services/vpn.scm | 36 ++++++++++++++++++++----------------
2 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index ac3a7adef0..5558bd7d44 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34453,7 +34453,10 @@ VPN Services
@item @code{private-key} (default: @code{"/etc/wireguard/private.key"})
The private key file for the interface. It is automatically generated
-if the file does not exist.
+if the file does not exist. If this field is @code{#f}, a private key
+is not created and the path is not serialized to the configuration file.
+This allows for retrieving the private key programmatically with a PreUp
+command.
@item @code{peers} (default: @code{'()})
The authorized peers on this interface. This is a list of
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 7fb4775757..b62e0ac838 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -741,7 +741,7 @@ (define-record-type* <wireguard-configuration>
(default '("10.0.0.1/32")))
(port wireguard-configuration-port ;integer
(default 51820))
- (private-key wireguard-configuration-private-key ;string
+ (private-key wireguard-configuration-private-key ;maybe-string
(default "/etc/wireguard/private.key"))
(peers wireguard-configuration-peers ;list of <wiregard-peer>
(default '()))
@@ -805,9 +805,12 @@ (define (wireguard-configuration-file config)
#$@(if (null? pre-up)
'()
(list (format #f "~{PreUp = ~a~%~}" pre-up)))
- (format #f "PostUp = ~a set %i private-key ~a\
-~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg")
-#$private-key '#$peer-keys)
+ (if #$private-key
+ (format #f "PostUp = ~a set %i private-key ~a\
+~{ peer ~a preshared-key ~a~}"
+ #$(file-append wireguard "/bin/wg")
+ #$private-key '#$peer-keys)
+ "")
#$@(if (null? post-up)
'()
(list (format #f "~{PostUp = ~a~%~}" post-up)))
@@ -838,18 +841,19 @@ (define (wireguard-activation config)
(use-modules (guix build utils)
(ice-9 popen)
(ice-9 rdelim))
- (mkdir-p (dirname #$private-key))
- (unless (file-exists? #$private-key)
- (let* ((pipe
- (open-input-pipe (string-append
- #$(file-append wireguard "/bin/wg")
- " genkey")))
- (key (read-line pipe)))
- (call-with-output-file #$private-key
- (lambda (port)
- (display key port)))
- (chmod #$private-key #o400)
- (close-pipe pipe))))))
+ (when #$private-key
+ (mkdir-p (dirname #$private-key))
+ (unless (file-exists? #$private-key)
+ (let* ((pipe
+ (open-input-pipe (string-append
+ #$(file-append wireguard "/bin/wg")
+ " genkey")))
+ (key (read-line pipe)))
+ (call-with-output-file #$private-key
+ (lambda (port)
+ (display key port)))
+ (chmod #$private-key #o400)
+ (close-pipe pipe)))))))
;;; XXX: Copied from (guix scripts pack), changing define to define*.
(define-syntax-rule (define-with-source (variable args ...) body body* ...)
--
2.46.0
Richard Sent wrote on 23 Oct 17:30 +0200
[PATCH v2 2/2] services: wireguard: Support lists of gexps for most fields.
(address . 73955@debbugs.gnu.org)
c50245720797859f25a85f0ed1e501a1829914fe.1729697407.git.richard@freakingpenguin.com
In order to support more flexibility in Wireguard configuration, ungexp the
configuration fields directly instead of ungexp-splicing a sexp
calculator. This allows for the fields to take arbitrary gexps instead of only
strings, which is particularly helpful for the Pre/Post Up/Down commands.

For example, the wg-quick(8) manual has an example on how to use
password-store to retrieve a private key with a PreUp entry. This is now
possible.

* gnu/services/vpn.scm (wireguard-configuration-file): Ungexp configuration
lists instead of ungexp-splicing the code surrounding them.
* doc/guix.texi (VPN Services)[wireguard]: Document it.

Change-Id: If074cbb78473b6fd34e0e4e990d2ed268001d6c7
---
doc/guix.texi | 31 +++++++++++++++++++++++++------
gnu/services/vpn.scm | 39 ++++++++++++++++++++-------------------
2 files changed, 45 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 5558bd7d44..0520b24c23 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34430,13 +34430,15 @@ VPN Services
The interface name for the VPN.
@item @code{addresses} (default: @code{'("10.0.0.1/32")})
-The IP addresses to be assigned to the above interface.
+List of strings or G-expressions which represent the IP addresses to be
+assigned to the above interface.
@item @code{port} (default: @code{51820})
The port on which to listen for incoming connections.
@item @code{dns} (default: @code{'())})
-The DNS server(s) to announce to VPN clients via DHCP.
+List of strings or G-expressions which represent the DNS server(s) to
+announce to VPN clients via DHCP.
@item @code{monitor-ips?} (default: @code{#f})
@cindex Dynamic IP, with Wireguard
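Review bot: the context line `@item @code{dns} (default: @code{'())})` carries a stray closing parenthesis in the default value (`'())` instead of `'()`); since this hunk already rewrites the dns entry, fixing it to `@code{'()}` here is a cheap drive-by.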
@@ -34463,16 +34465,33 @@ VPN Services
@var{wireguard-peer} records.
@item @code{pre-up} (default: @code{'()})
-The script commands to be run before setting up the interface.
+List of strings or G-expressions. These are script snippets which will
+be executed before setting up the interface.
+
+One example shown in the @code{wg-quick(8)} manual is retrieving a
+private key using @code{password-store}. This can be achieved with the
+following code:
+
+@lisp
+(wireguard-configuration
+ ;; Retrieve the private key manually.
+ (private-key #f)
+ (pre-up (list #~(string-append "wg set %i private-key <("
+ #$(file-append password-store "/bin/pass")
+ " WireGuard/private-keys/%i)"))))
+@end lisp
@item @code{post-up} (default: @code{'()})
-The script commands to be run after setting up the interface.
+List of strings or G-expressions. These are script snippets which will
+be executed after setting up the interface.
@item @code{pre-down} (default: @code{'()})
-The script commands to be run before tearing down the interface.
+List of strings or G-expressions. These are script snippets which will
+be executed before tearing down the interface.
@item @code{post-down} (default: @code{'()})
-The script commands to be run after tearing down the interface.
+List of strings or G-expressions. These are script snippets which will
+be executed after tearing down the interface.
@item @code{table} (default: @code{"auto"})
The routing table to which routes are added, as a string. There are two
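Review bot: the `@lisp` example invokes a bare `wg`, whereas the serializer's own PostUp line in this same patch uses `#$(file-append wireguard "/bin/wg")`; nothing guarantees `wg` is on the PATH that wg-quick's hooks run under, so the example should use the store path as well. It would also help readers to say that `password-store` comes from `(gnu packages password-utils)`, that `<(...)` relies on bash process substitution, and that `%i` is wg-quick's placeholder for the interface name.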
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index b62e0ac838..c1daba5dc1 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -12,6 +12,7 @@
;;; Copyright © 2022 Cameron V Chaparro <cameron@cameronchaparro.com>
;;; Copyright © 2022 Timo Wilken <guix@twilken.net>
;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2024 Richard Sent <richard@freakingpenguin.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -797,33 +798,33 @@ (define (wireguard-configuration-file config)
(define lines
(list
"[Interface]"
- #$@(if (null? addresses)
- '()
- (list (format #f "Address = ~{~a~^, ~}"
- addresses)))
+ (if (null? '#$addresses)
+ ""
+ (format #f "Address = ~{~a~^, ~}"
+ (list #$@addresses)))
(format #f "~@[Table = ~a~]" #$table)
- #$@(if (null? pre-up)
- '()
- (list (format #f "~{PreUp = ~a~%~}" pre-up)))
+ (if (null? '#$pre-up)
+ ""
+ (format #f "~{PreUp = ~a~%~}" (list #$@pre-up)))
(if #$private-key
(format #f "PostUp = ~a set %i private-key ~a\
~{ peer ~a preshared-key ~a~}"
#$(file-append wireguard "/bin/wg")
#$private-key '#$peer-keys)
"")
- #$@(if (null? post-up)
- '()
- (list (format #f "~{PostUp = ~a~%~}" post-up)))
- #$@(if (null? pre-down)
- '()
- (list (format #f "~{PreDown = ~a~%~}" pre-down)))
- #$@(if (null? post-down)
- '()
- (list (format #f "~{PostDown = ~a~%~}" post-down)))
+ (if (null? '#$post-up)
+ ""
+ (format #f "~{PostUp = ~a~%~}" (list #$@post-up)))
+ (if (null? '#$pre-down)
+ ""
+ (format #f "~{PreDown = ~a~%~}" (list #$@pre-down)))
+ (if (null? '#$post-down)
+ ""
+ (format #f "~{PostDown = ~a~%~}" (list #$@post-down)))
(format #f "~@[ListenPort = ~a~]" #$port)
- #$@(if (null? dns)
- '()
- (list (format #f "DNS = ~{~a~^, ~}" dns)))))
+ (if (null? '#$dns)
+ ""
+ (format #f "DNS = ~{~a~^, ~}" (list #$@dns)))))
(mkdir #$output)
(chdir #$output)
--
2.46.0
Richard Sent wrote on 23 Oct 20:20 +0200
[PATCH v3 1/3] services: wireguard: Make the private-key field optional.
(address . 73955@debbugs.gnu.org)(name . Richard Sent)(address . richard@freakingpenguin.com)
ec913f9f5e43dd0f809ec45dc437c0b385ba00b3.1729707659.git.richard@freakingpenguin.com
Users who retrieve the private-key via a PreUp field need to be able to
disable the default retrieval mechanism.

* gnu/services/vpn.scm (<wireguard-configuration>)[private-key]: Change
comment.
(wireguard-configuration-file): Conditionally serialize private-key.
* gnu/services/vpn.scm (wireguard-activation): Do not create private-key if
the field is #f.
* doc/guix.texi (VPN Services)[wireguard-configuration]: Document it.

Change-Id: Iac419809ae94eb76e97ff1f1749e2f4b3e65bb04
---
doc/guix.texi | 5 ++++-
gnu/services/vpn.scm | 36 ++++++++++++++++++++----------------
2 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index ac3a7adef0..5558bd7d44 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34453,7 +34453,10 @@ VPN Services
@item @code{private-key} (default: @code{"/etc/wireguard/private.key"})
The private key file for the interface. It is automatically generated
-if the file does not exist.
+if the file does not exist. If this field is @code{#f}, a private key
+is not created and the path is not serialized to the configuration file.
+This allows for retrieving the private key programmatically with a PreUp
+command.
@item @code{peers} (default: @code{'()})
The authorized peers on this interface. This is a list of
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 7fb4775757..b62e0ac838 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -741,7 +741,7 @@ (define-record-type* <wireguard-configuration>
(default '("10.0.0.1/32")))
(port wireguard-configuration-port ;integer
(default 51820))
- (private-key wireguard-configuration-private-key ;string
+ (private-key wireguard-configuration-private-key ;maybe-string
(default "/etc/wireguard/private.key"))
(peers wireguard-configuration-peers ;list of <wiregard-peer>
(default '()))
@@ -805,9 +805,12 @@ (define (wireguard-configuration-file config)
#$@(if (null? pre-up)
'()
(list (format #f "~{PreUp = ~a~%~}" pre-up)))
- (format #f "PostUp = ~a set %i private-key ~a\
-~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg")
-#$private-key '#$peer-keys)
+ (if #$private-key
+ (format #f "PostUp = ~a set %i private-key ~a\
+~{ peer ~a preshared-key ~a~}"
+ #$(file-append wireguard "/bin/wg")
+ #$private-key '#$peer-keys)
+ "")
#$@(if (null? post-up)
'()
(list (format #f "~{PostUp = ~a~%~}" post-up)))
@@ -838,18 +841,19 @@ (define (wireguard-activation config)
(use-modules (guix build utils)
(ice-9 popen)
(ice-9 rdelim))
- (mkdir-p (dirname #$private-key))
- (unless (file-exists? #$private-key)
- (let* ((pipe
- (open-input-pipe (string-append
- #$(file-append wireguard "/bin/wg")
- " genkey")))
- (key (read-line pipe)))
- (call-with-output-file #$private-key
- (lambda (port)
- (display key port)))
- (chmod #$private-key #o400)
- (close-pipe pipe))))))
+ (when #$private-key
+ (mkdir-p (dirname #$private-key))
+ (unless (file-exists? #$private-key)
+ (let* ((pipe
+ (open-input-pipe (string-append
+ #$(file-append wireguard "/bin/wg")
+ " genkey")))
+ (key (read-line pipe)))
+ (call-with-output-file #$private-key
+ (lambda (port)
+ (display key port)))
+ (chmod #$private-key #o400)
+ (close-pipe pipe)))))))
;;; XXX: Copied from (guix scripts pack), changing define to define*.
(define-syntax-rule (define-with-source (variable args ...) body body* ...)
--
2.46.0
Richard Sent wrote on 23 Oct 20:20 +0200
[PATCH v3 0/3] Improve customizability of WireGuard service.
(address . 73955@debbugs.gnu.org)(name . Richard Sent)(address . richard@freakingpenguin.com)
cover.1729707659.git.richard@freakingpenguin.com
Hi all,

Apologies for the noise. While playing around some more I realized it
would be useful if preshared-keys also handled gexps. This allows for
constructs like

> (define (file-redirect script)
>   #~(string-append "<(" #$script ")"))
>
> (wireguard-configuration
>  (private-key (file-redirect
>                (get-secret-program-file "foo")))
>  (peers (list (wireguard-peer
>                (public-key "X")
>                (preshared-key
>                 (file-redirect
>                  (get-secret-program-file "bar")))))))

This results in a PostUp command like:

> PostUp = /gnu/store/.../wg set %i private-key <(/gnu/store/...wg-get-private)\
> peer X preshared-key <(/gnu/store/...wg-get-preshared)

You could bang this together via the post-up escape hatch before v3 of
this patch, but it would be rather awkward and cause some unpleasant
linkage between peers and the interface configuration (since peers
can't specify their own postup commands).

Richard Sent (3):
services: wireguard: Make the private-key field optional.
services: wireguard: Support lists of gexps for most fields.
services: wireguard: Support gexps for peer preshared keys.

doc/guix.texi | 36 ++++++++++++++++-----
gnu/services/vpn.scm | 75 +++++++++++++++++++++++---------------------
2 files changed, 69 insertions(+), 42 deletions(-)


base-commit: bd26815cf8ce38a3b03676a6e3fc482bb74247cb
--
2.46.0
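Carrying the `guix repl` check from the first cover letter through the constructs in this one, as an added script that is not part of the series or of Guix itself: it builds the configuration file for a `(private-key #f)` setup and for the `file-redirect` form, then asserts on the serialized text. It assumes the v3 series is applied, a running guix-daemon, that the built output directory holds a single `.conf` file, and it uses constructed placeholder names for the peer key and secret-store entries.

```scheme
;; Added example, not part of the patch series or of Guix.  Run from a
;; checkout carrying the v3 patches, with a guix-daemon available:
;;   guix repl -L /path/to/guix/clone/with/patches check-wg-config.scm
(use-modules (guix)
             (guix gexp)
             (guix store)
             (guix monads)
             (guix derivations)
             (guix build utils)              ; find-files
             (gnu services vpn)
             (gnu packages password-utils)   ; password-store
             (ice-9 format)
             (ice-9 textual-ports)
             (srfi srfi-1))

;; Internal procedure, reached the same way as in the cover letter.
(define wireguard-configuration-file
  (@@ (gnu services vpn) wireguard-configuration-file))

(define (build-config config)
  "Build the configuration directory for CONFIG and return the text of
the .conf file inside it (assumed to be the only one)."
  (let* ((dir (with-store store
                (run-with-store store
                  (mlet %store-monad
                      ((drv (lower-object
                             (wireguard-configuration-file config))))
                    (mbegin %store-monad
                      (built-derivations (list drv))
                      (return (derivation->output-path drv)))))))
         (conf (first (find-files dir "\\.conf$"))))
    (call-with-input-file conf get-string-all)))

;; Hypothetical helper in the spirit of the cover letter's `file-redirect':
;; wrap a secret-producing command in a bash process substitution so the
;; key is read from a pipe instead of a file on disk.
(define (file-redirect script)
  #~(string-append "<(" #$script ")"))

;; Constructed placeholder values; a real deployment uses its own
;; secret-store entries and the peer's actual public key.
(define %pass (file-append password-store "/bin/pass"))
(define %peer-public-key "PEER-PUBLIC-KEY-PLACEHOLDER")

;; Case 1 (patches 1/3 and 2/3): Guix manages no key file; PreUp pulls the
;; key from password-store, as in the documented example.
(define config/pre-up
  (wireguard-configuration
   (private-key #f)
   (pre-up (list #~(string-append "wg set %i private-key <("
                                  #$%pass " WireGuard/private-keys/%i)")))))

;; Case 2 (patch 3/3): the private key and a peer's preshared key both come
;; from process substitutions, so neither secret is stored as a file.
(define config/redirect
  (wireguard-configuration
   (private-key
    (file-redirect #~(string-append #$%pass " WireGuard/private-keys/%i")))
   (peers (list (wireguard-peer
                 (name "peer0")
                 (public-key %peer-public-key)
                 (allowed-ips '("10.0.0.2/32"))
                 (preshared-key
                  (file-redirect
                   #~(string-append #$%pass " WireGuard/psk/peer0"))))))))

(define (check label ok?)
  (format #t "~a: ~a~%" label (if ok? "ok" "FAIL"))
  ok?)

(define (run-checks)
  "Return #t when every serialization property holds."
  (let ((conf1 (build-config config/pre-up))
        (conf2 (build-config config/redirect)))
    (every identity
           (list
            ;; private-key #f: the managed key path must not appear at all.
            (check "no managed key path when private-key is #f"
                   (not (string-contains conf1 "/etc/wireguard/private.key")))
            (check "PreUp carries the password-store retrieval"
                   (string-contains conf1 "PreUp = wg set %i private-key <("))
            ;; Redirect form: both secrets go through process substitution.
            (check "PostUp sets private-key from a process substitution"
                   (string-contains conf2 "set %i private-key <("))
            (check "PostUp sets the peer preshared-key the same way"
                   (string-contains
                    conf2 (string-append "peer " %peer-public-key
                                         " preshared-key <(")))
            ;; The serializer never writes secrets inline into the .conf.
            (check "no inline PrivateKey/PresharedKey entries"
                   (not (any (lambda (conf)
                               (or (string-contains conf "PrivateKey")
                                   (string-contains conf "PresharedKey")))
                             (list conf1 conf2))))))))

(exit (if (run-checks) 0 1))
```

This only exercises the serialized file; the activation step that, as the 4 Nov message points out, still tries to create a key at a literal `<(...)` path is not covered here.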
Richard Sent wrote on 23 Oct 20:20 +0200
[PATCH v3 3/3] services: wireguard: Support gexps for peer preshared keys.
(address . 73955@debbugs.gnu.org)(name . Richard Sent)(address . richard@freakingpenguin.com)
536ca44a1cb23c3185f0dfb9bc5b3e5c87f6d566.1729707659.git.richard@freakingpenguin.com
* gnu/services/vpn.scm (wireguard-configuration-file)[lines]: Ungexp splice
with list instead of quote ungexp.

Change-Id: I50364359baafb749dc975db70478bef49e93d90c
---
gnu/services/vpn.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index c1daba5dc1..6a73db78be 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -810,7 +810,7 @@ (define (wireguard-configuration-file config)
(format #f "PostUp = ~a set %i private-key ~a\
~{ peer ~a preshared-key ~a~}"
#$(file-append wireguard "/bin/wg")
- #$private-key '#$peer-keys)
+ #$private-key (list #$@peer-keys))
"")
(if (null? '#$post-up)
""
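Review bot: with `(list #$@peer-keys)` the preshared-key value is now whatever each gexp evaluates to, spliced verbatim into a bash command line through `~a`; the `<(...)` form works, but a plain path containing a space now breaks the `wg set` invocation and nothing in the patch validates the value. The `preshared-key` documentation should state that the value is inserted unquoted into the PostUp command, and the commit message should list that doc change.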
--
2.46.0
Richard Sent wrote on 23 Oct 20:20 +0200
[PATCH v3 2/3] services: wireguard: Support lists of gexps for most fields.
(address . 73955@debbugs.gnu.org)(name . Richard Sent)(address . richard@freakingpenguin.com)
c50245720797859f25a85f0ed1e501a1829914fe.1729707659.git.richard@freakingpenguin.com
In order to support more flexibility in Wireguard configuration, ungexp the
configuration fields directly instead of ungexp-splicing a sexp
calculator. This allows for the fields to take arbitrary gexps instead of only
strings, which is particularly helpful for the Pre/Post Up/Down commands.

For example, the wg-quick(8) manual has an example on how to use
password-store to retrieve a private key with a PreUp entry. This is now
possible.

* gnu/services/vpn.scm (wireguard-configuration-file): Ungexp configuration
lists instead of ungexp-splicing the code surrounding them.
* doc/guix.texi (VPN Services)[wireguard]: Document it.

Change-Id: If074cbb78473b6fd34e0e4e990d2ed268001d6c7
---
doc/guix.texi | 31 +++++++++++++++++++++++++------
gnu/services/vpn.scm | 39 ++++++++++++++++++++-------------------
2 files changed, 45 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 5558bd7d44..0520b24c23 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34430,13 +34430,15 @@ VPN Services
The interface name for the VPN.
@item @code{addresses} (default: @code{'("10.0.0.1/32")})
-The IP addresses to be assigned to the above interface.
+List of strings or G-expressions which represent the IP addresses to be
+assigned to the above interface.
@item @code{port} (default: @code{51820})
The port on which to listen for incoming connections.
@item @code{dns} (default: @code{'())})
-The DNS server(s) to announce to VPN clients via DHCP.
+List of strings or G-expressions which represent the DNS server(s) to
+announce to VPN clients via DHCP.
@item @code{monitor-ips?} (default: @code{#f})
@cindex Dynamic IP, with Wireguard
@@ -34463,16 +34465,33 @@ VPN Services
@var{wireguard-peer} records.
@item @code{pre-up} (default: @code{'()})
-The script commands to be run before setting up the interface.
+List of strings or G-expressions. These are script snippets which will
+be executed before setting up the interface.
+
+One example shown in the @code{wg-quick(8)} manual is retrieving a
+private key using @code{password-store}. This can be achieved with the
+following code:
+
+@lisp
+(wireguard-configuration
+ ;; Retrieve the private key manually.
+ (private-key #f)
+ (pre-up (list #~(string-append "wg set %i private-key <("
+ #$(file-append password-store "/bin/pass")
+ " WireGuard/private-keys/%i)"))))
+@end lisp
@item @code{post-up} (default: @code{'()})
-The script commands to be run after setting up the interface.
+List of strings or G-expressions. These are script snippets which will
+be executed after setting up the interface.
@item @code{pre-down} (default: @code{'()})
-The script commands to be run before tearing down the interface.
+List of strings or G-expressions. These are script snippets which will
+be executed before tearing down the interface.
@item @code{post-down} (default: @code{'()})
-The script commands to be run after tearing down the interface.
+List of strings or G-expressions. These are script snippets which will
+be executed after tearing down the interface.
@item @code{table} (default: @code{"auto"})
The routing table to which routes are added, as a string. There are two
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index b62e0ac838..c1daba5dc1 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -12,6 +12,7 @@
;;; Copyright © 2022 Cameron V Chaparro <cameron@cameronchaparro.com>
;;; Copyright © 2022 Timo Wilken <guix@twilken.net>
;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2024 Richard Sent <richard@freakingpenguin.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -797,33 +798,33 @@ (define (wireguard-configuration-file config)
(define lines
(list
"[Interface]"
- #$@(if (null? addresses)
- '()
- (list (format #f "Address = ~{~a~^, ~}"
- addresses)))
+ (if (null? '#$addresses)
+ ""
+ (format #f "Address = ~{~a~^, ~}"
+ (list #$@addresses)))
(format #f "~@[Table = ~a~]" #$table)
- #$@(if (null? pre-up)
- '()
- (list (format #f "~{PreUp = ~a~%~}" pre-up)))
+ (if (null? '#$pre-up)
+ ""
+ (format #f "~{PreUp = ~a~%~}" (list #$@pre-up)))
(if #$private-key
(format #f "PostUp = ~a set %i private-key ~a\
~{ peer ~a preshared-key ~a~}"
#$(file-append wireguard "/bin/wg")
#$private-key '#$peer-keys)
"")
- #$@(if (null? post-up)
- '()
- (list (format #f "~{PostUp = ~a~%~}" post-up)))
- #$@(if (null? pre-down)
- '()
- (list (format #f "~{PreDown = ~a~%~}" pre-down)))
- #$@(if (null? post-down)
- '()
- (list (format #f "~{PostDown = ~a~%~}" post-down)))
+ (if (null? '#$post-up)
+ ""
+ (format #f "~{PostUp = ~a~%~}" (list #$@post-up)))
+ (if (null? '#$pre-down)
+ ""
+ (format #f "~{PreDown = ~a~%~}" (list #$@pre-down)))
+ (if (null? '#$post-down)
+ ""
+ (format #f "~{PostDown = ~a~%~}" (list #$@post-down)))
(format #f "~@[ListenPort = ~a~]" #$port)
- #$@(if (null? dns)
- '()
- (list (format #f "DNS = ~{~a~^, ~}" dns)))))
+ (if (null? '#$dns)
+ ""
+ (format #f "DNS = ~{~a~^, ~}" (list #$@dns)))))
(mkdir #$output)
(chdir #$output)
--
2.46.0
Mathieu Othacehe wrote on 4 Nov 07:59 +0100
Re: [bug#73955] [PATCH v3 3/3] services: wireguard: Support gexps for peer preshared keys.
(name . Richard Sent)(address . richard@freakingpenguin.com)(address . 73955@debbugs.gnu.org)
8734k7h4ci.fsf@gnu.org
Hello Richard,

Thanks for the updated series :)

> * gnu/services/vpn.scm (wireguard-configuration-file)[lines]: Ungexp splice
> with list instead of quote ungexp.

Do you think that it would make sense to also update the documentation
for the "preshared-key" field, to mention that it can be a gexp?

Mathieu
Richard Sent wrote on 4 Nov 15:53 +0100
Re: [bug#73955] [PATCH v3 3/3] services: wireguard: Support gexps for peer preshared keys.
(name . Mathieu Othacehe)(address . othacehe@gnu.org)(address . 73955@debbugs.gnu.org)
787F82FB-02BD-4A3B-8D82-3601C98DA998@freakingpenguin.com
> Do you think that it would make sense to also update the documentation
> for the "preshared-key" field, to mention that it can be a gexp?

Makes sense to me!

> (wireguard-configuration
> (private-key (file-redirect
> (get-secret-program-file "foo"))))

I'm also realizing that while the wireguard.conf generated in my example is correct, we still bootstrap a private key at file path <(/gnu/store...), which isn't ideal.

We could only attempt to bootstrap "reasonable" file names (i.e. those that start with a /), but this feels icky and <(foo) is technically a valid file name.

I quite like how utilizing the private-key field for commands instead of a file path works (as opposed to a rather ugly manual postup), so perhaps a bootstrap-private-key? field should be added. As long as it defaults to #t I don't see it impacting existing setups.
Richard Sent wrote on 4 Dec 21:59 +0100
[PATCH v4 1/3] services: wireguard: Make the private-key field optional.
(address . 73955@debbugs.gnu.org)
bc864a4ffe92fa231197a86c8d63d4819460036e.1733345975.git.richard@freakingpenguin.com
Users who retrieve the private-key via a PreUp field need to be able to
disable the default retrieval mechanism.

* gnu/services/vpn.scm (<wireguard-configuration>)[private-key]: Change
comment.
(wireguard-configuration-file): Conditionally serialize private-key.
* gnu/services/vpn.scm (wireguard-activation): Do not create private-key if
the field is #f.
* doc/guix.texi (VPN Services)[wireguard-configuration]: Document it.

Change-Id: Iac419809ae94eb76e97ff1f1749e2f4b3e65bb04
---
doc/guix.texi | 4 +++-
gnu/services/vpn.scm | 36 ++++++++++++++++++++----------------
2 files changed, 23 insertions(+), 17 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index f43cb53990..fa9a147bd0 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34626,7 +34626,9 @@ VPN Services
@item @code{private-key} (default: @code{"/etc/wireguard/private.key"})
The private key file for the interface. It is automatically generated
-if the file does not exist.
+if the file does not exist. If this field is @code{#f}, a private key
+is not automatically created and the path is not serialized to the
+configuration file.
@item @code{peers} (default: @code{'()})
The authorized peers on this interface. This is a list of
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 7fb4775757..b62e0ac838 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -741,7 +741,7 @@ (define-record-type* <wireguard-configuration>
(default '("10.0.0.1/32")))
(port wireguard-configuration-port ;integer
(default 51820))
- (private-key wireguard-configuration-private-key ;string
+ (private-key wireguard-configuration-private-key ;maybe-string
(default "/etc/wireguard/private.key"))
(peers wireguard-configuration-peers ;list of <wiregard-peer>
(default '()))
@@ -805,9 +805,12 @@ (define (wireguard-configuration-file config)
#$@(if (null? pre-up)
'()
(list (format #f "~{PreUp = ~a~%~}" pre-up)))
- (format #f "PostUp = ~a set %i private-key ~a\
-~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg")
-#$private-key '#$peer-keys)
+ (if #$private-key
+ (format #f "PostUp = ~a set %i private-key ~a\
+~{ peer ~a preshared-key ~a~}"
+ #$(file-append wireguard "/bin/wg")
+ #$private-key '#$peer-keys)
+ "")
#$@(if (null? post-up)
'()
(list (format #f "~{PostUp = ~a~%~}" post-up)))
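Review bot: gating the whole `PostUp = ~a set %i private-key ~a~{ peer ~a preshared-key ~a~}` line on `#$private-key` also drops every peer's preshared key when private-key is #f, so peers that configured `preshared-key` silently lose it. Keep the peer part independent of the private key: make only the private-key clause conditional inside the format string (`~@[private-key ~a~]`), always pass `'#$peer-keys`, and skip the line only when there is neither a private key nor any peer key.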
@@ -838,18 +841,19 @@ (define (wireguard-activation config)
(use-modules (guix build utils)
(ice-9 popen)
(ice-9 rdelim))
- (mkdir-p (dirname #$private-key))
- (unless (file-exists? #$private-key)
- (let* ((pipe
- (open-input-pipe (string-append
- #$(file-append wireguard "/bin/wg")
- " genkey")))
- (key (read-line pipe)))
- (call-with-output-file #$private-key
- (lambda (port)
- (display key port)))
- (chmod #$private-key #o400)
- (close-pipe pipe))))))
+ (when #$private-key
+ (mkdir-p (dirname #$private-key))
+ (unless (file-exists? #$private-key)
+ (let* ((pipe
+ (open-input-pipe (string-append
+ #$(file-append wireguard "/bin/wg")
+ " genkey")))
+ (key (read-line pipe)))
+ (call-with-output-file #$private-key
+ (lambda (port)
+ (display key port)))
+ (chmod #$private-key #o400)
+ (close-pipe pipe)))))))
;;; XXX: Copied from (guix scripts pack), changing define to define*.
(define-syntax-rule (define-with-source (variable args ...) body body* ...)
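Review bot: inside the new `(when #$private-key ...)` block the result of `wg genkey` is never checked: if the pipe yields no line, `key` is the eof object and `(display key port)` writes `#<eof>` into the key file, while the exit status returned by `close-pipe` is discarded, so a failed key generation leaves a bogus file that the `file-exists?` guard then keeps on every later boot. Check `(eof-object? key)` and the `close-pipe` status before writing. Separately, `call-with-output-file` creates the file under the process umask and only afterwards `chmod`s it to #o400; set `(umask #o077)` first (or open the file with an explicit mode) so the private key is never readable by other users, even briefly.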

base-commit: e00ca95e08bc1cc2cb39f3178485ef16defce0be
--
2.46.0
Richard Sent wrote on 4 Dec 21:59 +0100
[PATCH v4 3/3] services: wireguard: Support lists of gexps for most fields.
(address . 73955@debbugs.gnu.org)
c5eff8126b5e9f33daa447657327ee3d4138e384.1733345975.git.richard@freakingpenguin.com
In order to support more flexibility in Wireguard configuration, ungexp the
configuration fields directly instead of ungexp-splicing a sexp
calculator. This allows for the fields to take arbitrary gexps instead of only
strings, which is particularly helpful for the Pre/Post Up/Down commands.

* gnu/services/vpn.scm (wireguard-configuration-file): Ungexp configuration
lists instead of ungexp-splicing the code surrounding them.
* doc/guix.texi (VPN Services)[wireguard]: Document it.

Change-Id: If074cbb78473b6fd34e0e4e990d2ed268001d6c7
---
doc/guix.texi | 22 ++++++++++++++--------
gnu/services/vpn.scm | 41 +++++++++++++++++++++--------------------
2 files changed, 35 insertions(+), 28 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index ece73a27ae..43aa1ad71a 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34603,13 +34603,15 @@ VPN Services
The interface name for the VPN.
@item @code{addresses} (default: @code{'("10.0.0.1/32")})
-The IP addresses to be assigned to the above interface.
+List of strings or G-expressions which represent the IP addresses to be
+assigned to the above interface.
@item @code{port} (default: @code{51820})
The port on which to listen for incoming connections.
@item @code{dns} (default: @code{'())})
-The DNS server(s) to announce to VPN clients via DHCP.
+List of strings or G-expressions which represent the DNS server(s) to
+announce to VPN clients via DHCP.
@item @code{monitor-ips?} (default: @code{#f})
@cindex Dynamic IP, with Wireguard
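Review bot: while this paragraph is being touched, the context line `@item @code{dns} (default: @code{'())})` carries a stray closing parenthesis inside the default; it should read `@code{'()}` like the other list defaults.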
@@ -34654,16 +34656,20 @@ VPN Services
@var{wireguard-peer} records.
@item @code{pre-up} (default: @code{'()})
-The script commands to be run before setting up the interface.
+List of strings or G-expressions. These are script snippets which will
+be executed before setting up the interface.
@item @code{post-up} (default: @code{'()})
-The script commands to be run after setting up the interface.
+List of strings or G-expressions. These are script snippets which will
+be executed after setting up the interface.
@item @code{pre-down} (default: @code{'()})
-The script commands to be run before tearing down the interface.
+List of strings or G-expressions. These are script snippets which will
+be executed before tearing down the interface.
@item @code{post-down} (default: @code{'()})
-The script commands to be run after tearing down the interface.
+List of strings or G-expressions. These are script snippets which will
+be executed after tearing down the interface.
@item @code{table} (default: @code{"auto"})
The routing table to which routes are added, as a string. There are two
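Review bot: the new wording for pre-up, post-up, pre-down and post-down says the elements may be G-expressions but not what they must evaluate to. The serializer in the vpn.scm hunk of this patch formats each element with `~a`, so a gexp returning anything other than a string is rendered with `display` without any error; say explicitly that each G-expression must evaluate to a string holding one shell command line.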
@@ -34689,8 +34695,8 @@ VPN Services
The peer public-key represented as a base64 string.
@item @code{preshared-key} (default: @code{#f})
-An optional pre-shared key file for this peer. The given file will not
-be autogenerated.
+An optional pre-shared key file for this peer that can be either a
+string or a G-expression. The given file will not be autogenerated.
@item @code{allowed-ips}
A list of IP addresses from which incoming traffic for this peer is
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index f9693fb099..8e90032c93 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -12,6 +12,7 @@
;;; Copyright © 2022 Cameron V Chaparro <cameron@cameronchaparro.com>
;;; Copyright © 2022 Timo Wilken <guix@twilken.net>
;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@gmail.com>
+;;; Copyright © 2024 Richard Sent <richard@freakingpenguin.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -800,33 +801,33 @@ (define (wireguard-configuration-file config)
(define lines
(list
"[Interface]"
- #$@(if (null? addresses)
- '()
- (list (format #f "Address = ~{~a~^, ~}"
- addresses)))
+ (if (null? '#$addresses)
+ ""
+ (format #f "Address = ~{~a~^, ~}"
+ (list #$@addresses)))
(format #f "~@[Table = ~a~]" #$table)
- #$@(if (null? pre-up)
- '()
- (list (format #f "~{PreUp = ~a~%~}" pre-up)))
+ (if (null? '#$pre-up)
+ ""
+ (format #f "~{PreUp = ~a~%~}" (list #$@pre-up)))
(if #$private-key
(format #f "PostUp = ~a set %i private-key ~a\
~{ peer ~a preshared-key ~a~}"
#$(file-append wireguard "/bin/wg")
- #$private-key '#$peer-keys)
+ #$private-key (list #$@peer-keys))
"")
- #$@(if (null? post-up)
- '()
- (list (format #f "~{PostUp = ~a~%~}" post-up)))
- #$@(if (null? pre-down)
- '()
- (list (format #f "~{PreDown = ~a~%~}" pre-down)))
- #$@(if (null? post-down)
- '()
- (list (format #f "~{PostDown = ~a~%~}" post-down)))
+ (if (null? '#$post-up)
+ ""
+ (format #f "~{PostUp = ~a~%~}" (list #$@post-up)))
+ (if (null? '#$pre-down)
+ ""
+ (format #f "~{PreDown = ~a~%~}" (list #$@pre-down)))
+ (if (null? '#$post-down)
+ ""
+ (format #f "~{PostDown = ~a~%~}" (list #$@post-down)))
(format #f "~@[ListenPort = ~a~]" #$port)
- #$@(if (null? dns)
- '()
- (list (format #f "DNS = ~{~a~^, ~}" dns)))))
+ (if (null? '#$dns)
+ ""
+ (format #f "DNS = ~{~a~^, ~}" (list #$@dns)))))
(mkdir #$output)
(chdir #$output)
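Review bot: every field that previously spliced nothing now pushes `""` onto `lines` when it is empty (addresses, pre-up, post-up, pre-down, post-down, dns, plus the `(if #$private-key ... "")` branch in context), so the generated file gains one blank line per unset field unless the code that joins `lines` filters empty strings. The `~@[Table = ~a~]` and `~@[ListenPort = ~a~]` lines already produce `""` when their value is #f, and WireGuard's parser ignores blank lines, so this works, but the output becomes noisier and harder to compare with a hand-written config; applying `(remove string-null? lines)` where `lines` is joined would restore the previous output.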
--
2.46.0
Richard Sent wrote on 4 Dec 21:59 +0100
[PATCH v4 2/3] services: wireguard: Add the bootstrap-private-key? field.
(address . 73955@debbugs.gnu.org)
42d409dafeaa87d39a8c682d4c3dfe2c9f2fb8c4.1733345975.git.richard@freakingpenguin.com
The syntax from using the private-key field is more convenient than writing a
custom PreUp command (more formatting and preshared keys). Instead of trying
to guess if private-key is/is not a file path, add an option to disable
bootstrapping while still using private-key.

* gnu/services/vpn.scm (<wireguard-configuration>): Add
bootstrap-private-key?.
(wireguard-activation): Check bootstrap-private-key? before bootstrapping.
* doc/guix.texi (VPN Services)[wireguard]: Document it.

Change-Id: I6ba71ad58b26743057a221a54a246369022f83a5
---
doc/guix.texi | 19 +++++++++++++
gnu/services/vpn.scm | 64 +++++++++++++++++++++++---------------------
2 files changed, 53 insertions(+), 30 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index fa9a147bd0..ece73a27ae 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34630,6 +34630,25 @@ VPN Services
is not automatically created and the path is not serialized to the
configuration file.
+@item @code{bootstrap-private-key?} (default: @code{#t})
+Whether or not the private key should be generated automatically if it
+does not exist.
+
+Setting this to @code{#f} allows one to set the private key using
+command substitution. One example shown in the @code{wg-quick(8)}
+manual is retrieving a private key using @code{password-store}. This
+can be achieved with the following code:
+
+@lisp
+(wireguard-configuration
+ (private-key
+ #~(string-append "<("
+ #$(file-append password-store "/bin/pass")
+ ;; Wireguard replaces %i with the interface name.
+ " WireGuard/private-keys/%i)")))
+@end lisp
+
+
@item @code{peers} (default: @code{'()})
The authorized peers on this interface. This is a list of
@var{wireguard-peer} records.
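Review bot: the new paragraph calls `<(...)` command substitution, but it is bash process substitution (command substitution is `$(...)`), and the example only works because the value is pasted verbatim into the `PostUp = wg set %i private-key ...` line, which wg-quick runs through bash. State that the string must be a bash expression yielding a readable path, and that with `bootstrap-private-key?` set to #f nothing verifies the key exists until `wg set` runs. Also drop one of the two blank lines after `@end lisp`, and say where `password-store` comes from so the example can be pasted as is.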
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index b62e0ac838..f9693fb099 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -80,6 +80,7 @@ (define-module (gnu services vpn)
wireguard-configuration-monitor-ips?
wireguard-configuration-monitor-ips-interval
wireguard-configuration-private-key
+ wireguard-configuration-bootstrap-private-key?
wireguard-configuration-peers
wireguard-configuration-pre-up
wireguard-configuration-post-up
@@ -733,34 +734,36 @@ (define-record-type* <wireguard-peer>
(define-record-type* <wireguard-configuration>
wireguard-configuration make-wireguard-configuration
wireguard-configuration?
- (wireguard wireguard-configuration-wireguard ;file-like
- (default wireguard-tools))
- (interface wireguard-configuration-interface ;string
- (default "wg0"))
- (addresses wireguard-configuration-addresses ;string
- (default '("10.0.0.1/32")))
- (port wireguard-configuration-port ;integer
- (default 51820))
- (private-key wireguard-configuration-private-key ;maybe-string
- (default "/etc/wireguard/private.key"))
- (peers wireguard-configuration-peers ;list of <wiregard-peer>
- (default '()))
- (dns wireguard-configuration-dns ;list of strings
- (default '()))
- (monitor-ips? wireguard-configuration-monitor-ips? ;boolean
- (default #f))
- (monitor-ips-interval wireguard-configuration-monitor-ips-interval
- (default '(next-minute (range 0 60 5)))) ;string | list
- (pre-up wireguard-configuration-pre-up ;list of strings
- (default '()))
- (post-up wireguard-configuration-post-up ;list of strings
- (default '()))
- (pre-down wireguard-configuration-pre-down ;list of strings
- (default '()))
- (post-down wireguard-configuration-post-down ;list of strings
- (default '()))
- (table wireguard-configuration-table ;string
- (default "auto")))
+ (wireguard wireguard-configuration-wireguard ;file-like
+ (default wireguard-tools))
+ (interface wireguard-configuration-interface ;string
+ (default "wg0"))
+ (addresses wireguard-configuration-addresses ;string
+ (default '("10.0.0.1/32")))
+ (port wireguard-configuration-port ;integer
+ (default 51820))
+ (private-key wireguard-configuration-private-key ;maybe-string
+ (default "/etc/wireguard/private.key"))
+ (bootstrap-private-key? wireguard-configuration-bootstrap-private-key? ;boolean
+ (default #t))
+ (peers wireguard-configuration-peers ;list of <wiregard-peer>
+ (default '()))
+ (dns wireguard-configuration-dns ;list of strings
+ (default '()))
+ (monitor-ips? wireguard-configuration-monitor-ips? ;boolean
+ (default #f))
+ (monitor-ips-interval wireguard-configuration-monitor-ips-interval
+ (default '(next-minute (range 0 60 5)))) ;string | list
+ (pre-up wireguard-configuration-pre-up ;list of strings
+ (default '()))
+ (post-up wireguard-configuration-post-up ;list of strings
+ (default '()))
+ (pre-down wireguard-configuration-pre-down ;list of strings
+ (default '()))
+ (post-down wireguard-configuration-post-down ;list of strings
+ (default '()))
+ (table wireguard-configuration-table ;string
+ (default "auto")))
(define (wireguard-configuration-file config)
(define (peer->config peer)
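Review bot: this hunk rewrites every field line of `<wireguard-configuration>` only to realign the type comments around the new `bootstrap-private-key?` field, which buries the single functional change (the added field with its `#t` default) in a whitespace diff; either keep the existing alignment or move the re-indentation into its own commit. While here, the `addresses` comment still says `;string` although its default `'("10.0.0.1/32")` is a list, and patch 3/3 makes it a list of strings or gexps.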
@@ -836,12 +839,13 @@ (define (wireguard-configuration-file config)
(define (wireguard-activation config)
(match-record config <wireguard-configuration>
- (private-key wireguard)
+ (private-key bootstrap-private-key? wireguard)
#~(begin
(use-modules (guix build utils)
(ice-9 popen)
(ice-9 rdelim))
- (when #$private-key
+ (when (and #$private-key
+ #$bootstrap-private-key?)
(mkdir-p (dirname #$private-key))
(unless (file-exists? #$private-key)
(let* ((pipe
--
2.46.0
Mathieu Othacehe wrote on 6 Dec 21:36 +0100
Re: [PATCH v4 1/3] services: wireguard: Make the private-key field optional.
(name . Richard Sent)(address . richard@freakingpenguin.com)(address . 73955-done@debbugs.gnu.org)
87ttbgft1n.fsf@gnu.org
Hello Richard,

I have pushed the series,

Thanks for your patience,

Mathieu
Closed