From: Brice Waegeneire <brice@waegenei.re>
To: Mathieu Othacehe <othacehe@gnu.org>
Cc: 46504@debbugs.gnu.org
Subject: [bug#46504] [PATCH] services: wireguard: New service.
Date: Sun, 14 Feb 2021 15:35:03 +0100
Message-ID: <87a6s67m5k.fsf@waegenei.re>
In-Reply-To: <20210214093301.348381-1-othacehe@gnu.org> (Mathieu Othacehe's message of "Sun, 14 Feb 2021 10:33:01 +0100")

Hello Mathieu,

Mathieu Othacehe <othacehe@gnu.org> writes:

> * gnu/services/vpn.scm (wireguard-peer, wireguard-configuration): New records.
> (wireguard-service-type): New variable.
> * doc/guix.texi (VPN Services): Document it.
> ---

[...]

Cool, more integration of Wireguard in Guix! I started writing such a
service but didn't finalize it yet. Though, I wasn't sure if it needed to
be implemented with wg-quick since upstream describes it as « a very
quick and dirty bash script for reading a few extra variables from
wg(8)-style configuration files, and automatically configures the
interface »¹.

> +
> +(define-record-type* <wireguard-peer>
> +  wireguard-peer make-wireguard-peer
> +  wireguard-peer?
> +  (name              wireguard-peer-name)
> +  (endpoint          wireguard-peer-endpoint
> +                     (default #f))     ;string
> +  (public-key        wireguard-peer-public-key)   ;string
> +  (allowed-ips       wireguard-peer-allowed-ips)) ;list of strings
> +
> +(define-record-type* <wireguard-configuration>
> +  wireguard-configuration make-wireguard-configuration
> +  wireguard-configuration?
> +  (wireguard          wireguard-configuration-wireguard ;<package>
> +                      (default wireguard-tools))
> +  (interface          wireguard-configuration-interface ;string
> +                      (default "wg0"))
> +  (address            wireguard-configuration-address ;string
> +                      (default "10.0.0.1/32"))
> +  (port               wireguard-configuration-port ;integer
> +                      (default 51820))
> +  (public-key         wireguard-configuration-public-key ;string
> +                      (default "/etc/wireguard/public.key"))
> +  (private-key        wireguard-configuration-private-key ;string
> +                      (default "/etc/wireguard/private.key"))
> +  (peers              wireguard-configuration-peers ;list of <wiregard-peer>
> +                      (default '())))
> +
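Review bot: The type comment on the `peers` field reads `;list of <wiregard-peer>` (missing a `u`), and the `endpoint` field's `;string` comment sits on the `(default #f)` line while every other field carries it on the field line; align these, since the comments double as field documentation. The interface-level `public-key` and `private-key` default to file names (`/etc/wireguard/public.key`) while `wireguard-peer-public-key` is the key string itself, yet all three are commented `;string`; say `;file name` on the two interface fields so the difference is visible to readers of the record.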

wg-quick(8) says that the “Address” attribute can be specified multiple
times and is « a comma-separated list of IP (v4 or v6) addresses
(optionally with CIDR masks) to be assigned to the interface. », so the
“address” field should probably be “addresses”, a list of strings.

Some of the missing attributes from wg-quick(8) like “DNS” or hooks
seem really useful; maybe an “extra-config” field could be added to the
record to support all of those attributes.

Why have a “public-key” field since it is derived from the private
key?  It seems to allow misconfiguration: what happens if the private
and public parts of a key don't match, or if only the “public-key” is
set?

[...]

> +(define (wireguard-shepherd-service config)
> +  (match-record config <wireguard-configuration>
> +    (wireguard)
> +    (let ((wg-quick (file-append wireguard "/bin/wg-quick"))
> +          (config (wireguard-configuration-file config)))
> +      (list (shepherd-service
> +             (requirement '(networking))
> +             (provision '(wireguard))
> +             (start #~(lambda _
> +                       (invoke #$wg-quick "up" #$config)))
> +             (stop #~(lambda _
> +                       (invoke #$wg-quick "down" #$config)))
> +             (documentation "Run the Wireguard VPN tunnel"))))))
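Review bot: `provision '(wireguard)` is a fixed symbol, so a second instance of this service (one per interface) would clash with the first in the Shepherd. `match-record` already has the record in hand, so bind `interface` alongside `wireguard` and derive the name, e.g. `(provision (list (string->symbol (string-append "wireguard-" interface))))`; the `documentation` string could name the interface the same way.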

If I understand correctly, it's not possible to specify which VPN to stop
when using several of them.  Can the provision's symbol be derived from
the interface name to be able to do “sudo herd stop wireguard-wg0”?

> +(define wireguard-service-type
> +  (service-type
> +   (name 'wireguard)
> +   (extensions
> +    (list (service-extension shepherd-root-service-type
> +                             wireguard-shepherd-service)
> +          (service-extension activation-service-type
> +                             wireguard-activation)))))
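Review bot: The `service-type` carries no `default-value`; since every `<wireguard-configuration>` field has a default, `(default-value (wireguard-configuration))` would let users write `(service wireguard-service-type)` without spelling out the record. A `description` field is also missing, so the service will not show up in `guix system search`.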

¹ https://git.zx2c4.com/wireguard-tools/tree/README.md#n47

Cheers,
- Brice
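As an added sketch (not the patch's nor Guix's own code), here is how the shape suggested in this reply could look in Guile: “addresses” as a list, an “extra-config” field for attributes such as DNS and hooks, and a provision symbol derived from the interface name, rendered to a wg-quick(8) file. The record names, the PostUp line that loads the key from its file instead of inlining it into the rendered file, and the sample values are assumptions, not anything the patch does.

```scheme
(use-modules (srfi srfi-1) (srfi srfi-9) (ice-9 match))
(define-record-type <wg-peer>
  (make-wg-peer name endpoint public-key allowed-ips)
  wg-peer?
  (name        wg-peer-name)          ;string
  (endpoint    wg-peer-endpoint)      ;string or #f
  (public-key  wg-peer-public-key)    ;string, the key itself
  (allowed-ips wg-peer-allowed-ips))  ;list of strings
(define-record-type <wg-config>
  (make-wg-config interface addresses port private-key peers extra-config)
  wg-config?
  (interface    wg-config-interface)     ;string
  (addresses    wg-config-addresses)     ;list of strings, not one "address"
  (port         wg-config-port)          ;integer
  (private-key  wg-config-private-key)   ;file name, not the key itself
  (peers        wg-config-peers)         ;list of <wg-peer>
  (extra-config wg-config-extra-config)) ;"Key = value" lines: DNS, hooks...

(define (peer->lines peer)
  (match peer
    (($ <wg-peer> name endpoint public-key allowed-ips)
     (append (list (string-append "# " name) "[Peer]"
                   (string-append "PublicKey = " public-key)
                   (string-append "AllowedIPs = " (string-join allowed-ips ", ")))
             (if endpoint (list (string-append "Endpoint = " endpoint)) '())))))

(define (wg-config->string config)
  "Render CONFIG as a wg-quick(8) configuration file."
  (match config
    (($ <wg-config> _ addresses port private-key peers extra)
     (string-join
      (append (list "[Interface]"
                    (string-append "Address = " (string-join addresses ", "))
                    (string-append "ListenPort = " (number->string port))
                    ;; Assumed approach: load the key from its file when the
                    ;; interface comes up, so the rendered file holds no secret.
                    (string-append "PostUp = wg set %i private-key " private-key))
              extra
              (append-map peer->lines peers))
      "\n" 'suffix))))

(define (wg-provision-symbol config)
  "Shepherd provision symbol derived from the interface name, e.g. wireguard-wg0."
  (string->symbol (string-append "wireguard-" (wg-config-interface config))))
(define sample                          ;constructed sample values
  (make-wg-config "wg0" '("10.0.0.1/32" "fd00::1/128") 51820
                  "/etc/wireguard/private.key"
                  (list (make-wg-peer "laptop" "vpn.example.net:51820"
                                      "PEER_PUBLIC_KEY_PLACEHOLDER" '("10.0.0.2/32")))
                  '("DNS = 10.0.0.1")))
(display (wg-config->string sample)) (display (wg-provision-symbol sample)) (newline)
```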
