From: Richard Sent <richard@freakingpenguin.com>
To: 73955@debbugs.gnu.org
Cc: othacehe@gnu.org, "Richard Sent" <richard@freakingpenguin.com>,
"Ludovic Courtès" <ludo@gnu.org>,
"Maxim Cournoyer" <maxim.cournoyer@gmail.com>
Subject: [bug#73955] [PATCH v2 1/2] services: wireguard: Make the private-key field optional.
Date: Wed, 23 Oct 2024 11:30:06 -0400
Message-ID: <ec913f9f5e43dd0f809ec45dc437c0b385ba00b3.1729697407.git.richard@freakingpenguin.com>
In-Reply-To: <cover.1729697407.git.richard@freakingpenguin.com>
Users who retrieve the private-key via a PreUp field need to be able to
disable the default retrieval mechanism.
* gnu/services/vpn.scm (<wireguard-configuration>)[private-key]: Change
comment.
(wireguard-configuration-file): Conditionally serialize private-key.
* gnu/services/vpn.scm (wireguard-activation): Do not create private-key if
the field is #f.
* doc/guix.texi (VPN Services)[wireguard-configuration]: Document it.
Change-Id: Iac419809ae94eb76e97ff1f1749e2f4b3e65bb04
---
doc/guix.texi | 5 ++++-
gnu/services/vpn.scm | 36 ++++++++++++++++++++----------------
2 files changed, 24 insertions(+), 17 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index ac3a7adef0..5558bd7d44 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34453,7 +34453,10 @@ VPN Services
@item @code{private-key} (default: @code{"/etc/wireguard/private.key"})
The private key file for the interface. It is automatically generated
-if the file does not exist.
+if the file does not exist. If this field is @code{#f}, a private key
+is not created and the path is not serialized to the configuration file.
+This allows for retrieving the private key programmatically with a PreUp
+command.
@item @code{peers} (default: @code{'()})
The authorized peers on this interface. This is a list of
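Review bot: The added sentence "This allows for retrieving the private key programmatically with a PreUp command" should name the field that supplies that command, since this node documents the record fields; suggest "with a command in the @code{pre-up} field" (and mark @code{PreUp} as code if the config-file keyword is kept). It would also help to say explicitly that @code{#f} disables key generation at activation time and that the user is then responsible for making the key available before the interface is brought up, which is the behaviour the vpn.scm hunks implement.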
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 7fb4775757..b62e0ac838 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -741,7 +741,7 @@ (define-record-type* <wireguard-configuration>
(default '("10.0.0.1/32")))
(port wireguard-configuration-port ;integer
(default 51820))
- (private-key wireguard-configuration-private-key ;string
+ (private-key wireguard-configuration-private-key ;maybe-string
(default "/etc/wireguard/private.key"))
(peers wireguard-configuration-peers ;list of <wiregard-peer>
(default '()))
@@ -805,9 +805,12 @@ (define (wireguard-configuration-file config)
#$@(if (null? pre-up)
'()
(list (format #f "~{PreUp = ~a~%~}" pre-up)))
- (format #f "PostUp = ~a set %i private-key ~a\
-~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg")
-#$private-key '#$peer-keys)
+ (if #$private-key
+ (format #f "PostUp = ~a set %i private-key ~a\
+~{ peer ~a preshared-key ~a~}"
+ #$(file-append wireguard "/bin/wg")
+ #$private-key '#$peer-keys)
+ "")
#$@(if (null? post-up)
'()
(list (format #f "~{PostUp = ~a~%~}" post-up)))
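Review bot: Setting private-key to #f silently drops the peer preshared keys as well, because the single PostUp line built by `(format #f "PostUp = ~a set %i private-key ~a~{ peer ~a preshared-key ~a~}" ...)` carries both the private key and every `peer ... preshared-key ...` entry from peer-keys; with the new `(if #$private-key ... "")` the whole line disappears. Suggest emitting the `wg set %i` line whenever peer-keys is non-empty or private-key is set, and only splicing the ` private-key ~a` part conditionally. Also, returning "" leaves an empty element in the list (an empty line in the rendered file) rather than following the `#$@(if (null? pre-up) '() (list ...))` splicing pattern used two lines above; `#$@(if private-key (list (format ...)) '())` would keep the output consistent.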
@@ -838,18 +841,19 @@ (define (wireguard-activation config)
(use-modules (guix build utils)
(ice-9 popen)
(ice-9 rdelim))
- (mkdir-p (dirname #$private-key))
- (unless (file-exists? #$private-key)
- (let* ((pipe
- (open-input-pipe (string-append
- #$(file-append wireguard "/bin/wg")
- " genkey")))
- (key (read-line pipe)))
- (call-with-output-file #$private-key
- (lambda (port)
- (display key port)))
- (chmod #$private-key #o400)
- (close-pipe pipe))))))
+ (when #$private-key
+ (mkdir-p (dirname #$private-key))
+ (unless (file-exists? #$private-key)
+ (let* ((pipe
+ (open-input-pipe (string-append
+ #$(file-append wireguard "/bin/wg")
+ " genkey")))
+ (key (read-line pipe)))
+ (call-with-output-file #$private-key
+ (lambda (port)
+ (display key port)))
+ (chmod #$private-key #o400)
+ (close-pipe pipe)))))))
;;; XXX: Copied from (guix scripts pack), changing define to define*.
(define-syntax-rule (define-with-source (variable args ...) body body* ...)
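Review bot: The `(when #$private-key ...)` wrapper is the right shape, but since this hunk re-indents the whole generation block it is a good moment to fix the ordering it preserves: `call-with-output-file` creates the key file with the process's default umask permissions and only afterwards `(chmod #$private-key #o400)` tightens it, so the freshly generated private key is briefly readable by other local users. Suggest creating the file with a restrictive mode before writing the key (for example by setting the umask to #o077 around the write, or opening with an explicit mode), and checking that `(read-line pipe)` did not return an eof object before writing it out, since a failed `wg genkey` would otherwise leave an empty key file that the `unless (file-exists? ...)` guard will never regenerate.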
--
2.46.0