From: Brice Waegeneire <brice@waegenei.re>
To: Mathieu Othacehe <othacehe@gnu.org>
Cc: 46504@debbugs.gnu.org
Subject: [bug#46504] [PATCH] services: wireguard: New service.
Date: Sun, 14 Feb 2021 15:35:03 +0100 [thread overview]
Message-ID: <87a6s67m5k.fsf@waegenei.re> (raw)
In-Reply-To: <20210214093301.348381-1-othacehe@gnu.org> (Mathieu Othacehe's message of "Sun, 14 Feb 2021 10:33:01 +0100")
Hello Mathieu,
Mathieu Othacehe <othacehe@gnu.org> writes:
> * gnu/services/vpn.scm (wireguard-peer, wireguard-configuration): New records.
> (wireguard-service-type): New variable.
> * doc/guix.texi (VPN Services): Document it.
> ---
[...]
Cool, more integration of WireGuard in Guix! I started writing such a
service but didn't finalize it yet. Though, I wasn't sure if it needed to
be implemented with wg-quick since upstream describes it as « a very
quick and dirty bash script for reading a few extra variables from
wg(8)-style configuration files, and automatically configures the
interface »¹.
> +
> +(define-record-type* <wireguard-peer>
> + wireguard-peer make-wireguard-peer
> + wireguard-peer?
> + (name wireguard-peer-name)
> + (endpoint wireguard-peer-endpoint
> + (default #f)) ;string
> + (public-key wireguard-peer-public-key) ;string
> + (allowed-ips wireguard-peer-allowed-ips)) ;list of strings
> +
> +(define-record-type* <wireguard-configuration>
> + wireguard-configuration make-wireguard-configuration
> + wireguard-configuration?
> + (wireguard wireguard-configuration-wireguard ;<package>
> + (default wireguard-tools))
> + (interface wireguard-configuration-interface ;string
> + (default "wg0"))
> + (address wireguard-configuration-address ;string
> + (default "10.0.0.1/32"))
> + (port wireguard-configuration-port ;integer
> + (default 51820))
> + (public-key wireguard-configuration-public-key ;string
> + (default "/etc/wireguard/public.key"))
> + (private-key wireguard-configuration-private-key ;string
> + (default "/etc/wireguard/private.key"))
> + (peers wireguard-configuration-peers ;list of <wiregard-peer>
> + (default '())))
> +
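Review bot: the `address` field of `<wireguard-configuration>` is a single string defaulting to "10.0.0.1/32", while wg-quick's Address takes a comma-separated list of v4/v6 addresses, so a dual-stack interface cannot be expressed; make it a list, e.g. `(addresses wireguard-configuration-addresses (default '("10.0.0.1/32")))`. The `public-key` field (default "/etc/wireguard/public.key") duplicates information that is derivable from `private-key`, so the two can silently disagree; either drop it or derive it from the private key (e.g. with `wg pubkey`) at activation time. Minor: the comment on the `peers` field reads `<wiregard-peer>` instead of `<wireguard-peer>`, and `name` in `<wireguard-peer>` has neither a default nor a type comment.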
wg-quick(8) says that the “Address” attribute can be specified multiple
times and is « a comma-separated list of IP (v4 or v6) addresses
(optionally with CIDR masks) to be assigned to the interface. », so the
“address” field should probably be “addresses”, a list of strings.
Some of the missing attributes from wg-quick(8) like “DNS” or hooks
seem really useful; maybe an “extra-config” field could be added to the
record to support all of those attributes.
Why have a “public-key” field since it is derived from the private
key? It seems to allow misconfiguration: what happens if the private
and public parts of a key don't match, or if only the “public-key” is
set?
[...]
> +(define (wireguard-shepherd-service config)
> + (match-record config <wireguard-configuration>
> + (wireguard)
> + (let ((wg-quick (file-append wireguard "/bin/wg-quick"))
> + (config (wireguard-configuration-file config)))
> + (list (shepherd-service
> + (requirement '(networking))
> + (provision '(wireguard))
> + (start #~(lambda _
> + (invoke #$wg-quick "up" #$config)))
> + (stop #~(lambda _
> + (invoke #$wg-quick "down" #$config)))
> + (documentation "Run the Wireguard VPN tunnel"))))))
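Review bot: the `stop` procedure returns the value of `invoke` (#t on success), but Shepherd stores a stop procedure's return value as the service's `running` slot, so a non-#f value means "still running"; return #f after the `invoke` call so that `herd stop` actually marks the service stopped. `provision` is the fixed symbol `wireguard`, so two instances of the service cannot coexist; derive it from the interface, e.g. `(provision (list (string->symbol (string-append "wireguard-" interface))))`, binding `interface` in the `match-record`. The inner `config` binding also shadows the `config` record argument; naming it `config-file` would read better.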
If I understand correctly it's not possible to specify which VPN to stop
if using several of them. Can the provision's symbol be derived from
the interface name to be able to do “sudo herd stop wireguard-wg0”?
> +(define wireguard-service-type
> + (service-type
> + (name 'wireguard)
> + (extensions
> + (list (service-extension shepherd-root-service-type
> + wireguard-shepherd-service)
> + (service-extension activation-service-type
> + wireguard-activation)))))
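Review bot: the `service-type` has no `description` field, so `guix system search wireguard` will not list it; add one next to `name`. It also declares neither `compose` nor `extend`, so other services cannot extend it (e.g. to contribute peers); worth stating whether that is intended, and the `wireguard-activation` procedure it references is not in the quoted excerpt, so it cannot be reviewed here.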
¹ https://git.zx2c4.com/wireguard-tools/tree/README.md#n47
Cheers,
- Brice
2021-02-14 9:33 [bug#46504] [PATCH] services: wireguard: New service Mathieu Othacehe
2021-02-14 14:35 ` Brice Waegeneire [this message]
2021-02-17 9:38 ` bug#46504: " Mathieu Othacehe