* Using gexps in wireguard-service-type postup
@ 2024-01-28  2:19 Richard Sent
  2024-01-28 12:51 ` Marek Paśnikowski
  2024-01-28 14:04 ` Clément Lassieur
  0 siblings, 2 replies; 5+ messages in thread
From: Richard Sent @ 2024-01-28  2:19 UTC (permalink / raw)
  To: help-guix

Hi all,

I'm trying to create a wireguard service, but I've encountered an issue
that I'm pretty sure I can only resolve using gexps and am having
trouble with the syntax (or if it's even possible to use them in this
case).

I want to fetch my private key from password-store when running the
service, and a PostUp command seems the best way of implementing
that. Using the wg-quick manual as a base, I get a naive solution like:

--8<---------------cut here---------------start------------->8---
(define* (get-secret-command key #:optional (user (sudo-user)))
  "Returns the shell command needed to read KEY from USER."
  (string-append "sudo -u " user " pass ls " key))

(service wireguard-service-type
         (wireguard-configuration
          ...
          (post-up (list
                    ;; Returns "wg set wg-nickleslan private-key <(sudo pass
                    ;; ls wireguard-nickleslan-private-key-key)"
                    (string-append "wg set " interface " private-key <("
                                   (get-secret-command wireguard-nickleslan-private-key-key) ")")
                    (string-append "wg set " interface " peer " wireguard-nickleslan-public-key
                                   " preshared-key <("
                                   (get-secret-command wireguard-nickleslan-preshared-key-key) ")")))))
--8<---------------cut here---------------end--------------->8---

Running `sudo herd start wireguard-wg-nickleslan` and checking
`/var/log/messages` shows a pretty unambiguous error, `error: sudo
not found`.

Presumably I need to use the full /gnu/store/...-sudo/bin/sudo path,
which (I think) can be done using gexps and (file-append sudo
"/bin/sudo"). However, I'm not quite sure how to go about it, in part
since I'm moving all the responsibility for key->secret collection to
(get-secret-command), which seems to make things harder.

I /think/ I need to
a) modify (get-secret-command) to return a gexp
b) replace sudo and pass with ungexp'd file-append calls. #$(file-append 
...)
c) gexp the (string-append) calls in post-up
d) ungexp the (get-secret-command) calls

This exact process causes a string representation of the gexp to be
printed to the postup command in wg-nicklesbread.conf, e.g. `PostUp =
#<gexp .......>`.

I'm /guessing/ this is because post-up is assumed to be a string and not
a gexp, although I can see there is some ungexp-splicing going on so
maybe not? (In gnu/services/vpn.scm:wireguard-configuration-file) I only
really have a vague understanding of gexps in isolation so this is
starting to get a bit over my head. It really feels like there should be
a solution here, but I can't quite parse the vpn.scm code to figure it
out.

I'd appreciate any help on this!

-- 
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.



* Re: Using gexps in wireguard-service-type postup
  2024-01-28  2:19 Using gexps in wireguard-service-type postup Richard Sent
@ 2024-01-28 12:51 ` Marek Paśnikowski
  2024-01-28 14:04 ` Clément Lassieur
  1 sibling, 0 replies; 5+ messages in thread
From: Marek Paśnikowski @ 2024-01-28 12:51 UTC (permalink / raw)
  To: help-guix


28.01.2024 03:19:54 CET Richard Sent:

> Running `sudo herd start wireguard-wg-nickleslan` and checking
> `/var/log/messages` shows a pretty unambiguous error, `error: sudo
> not found`.

Guix Gexps are also a bit magical for me, but I did successfully use a couple 
of them for debugging packages build process. However, in your case, it 
appears you want to construct a bash command to run a process during runtime.

I have one question-hint for you: Did you use (which "sudo") in your attempts 
to achieve success? The code you posted here says you did not. The (which) 
function returns the full path to the given command. DO remember to include 
sudo in inputs.

I can not help you with the last bit, because I have never attempted to write 
a service from scratch, and the documentation is totally unreadable to me, 
because I do not understand the fundamentals at all. I hope (which) is enough 
to solve your particular issue.

PS: Upon review, (which) is not a gexp itself, but a build utility instead
https://guix.gnu.org/manual/en/html_node/Build-Utilities.html

I still hope that is helpful in some way.



* Re: Using gexps in wireguard-service-type postup
  2024-01-28  2:19 Using gexps in wireguard-service-type postup Richard Sent
  2024-01-28 12:51 ` Marek Paśnikowski
@ 2024-01-28 14:04 ` Clément Lassieur
  2024-01-28 18:36   ` Richard Sent
  1 sibling, 1 reply; 5+ messages in thread
From: Clément Lassieur @ 2024-01-28 14:04 UTC (permalink / raw)
  To: Richard Sent; +Cc: help-guix

Hi Richard,

On Sat, Jan 27 2024, Richard Sent wrote:

> Hi all,
>
> I'm trying to create a wireguard service, but I've encountered an issue
> that I'm pretty sure I can only resolve using gexps and am having
> trouble with the syntax (or if it's even possible to use them in this
> case).
>
> I want to fetch my private key from password-store when running the
> service, and a PostUp command seems the best way of implementing
> that. Using the wg-quick manual as a base, I get a naive solution like:

I think, here you can just add

  (use-modules (gnu packages admin))

> (define* (get-secret-command key #:optional (user (sudo-user)))
>    "Returns the shell command needed to read KEY from USER."
>    (string-append "sudo -u " user " pass ls " key))
>
> (service wireguard-service-type
>      (wireguard-configuration
        (private-key (file-append sudo "/bin/sudo -u user <(pass ...)"))

which would be the same as

        (private-key #~(string-append #$sudo "/bin/sudo -u user <(pass ...)"))

>       ...
>       (post-up (list
>                 ;; Returns "wg set wg-nickleslan private-key <(sudo pass
>                 ;; ls wireguard-nickleslan-private-key-key)"
>                 (string-append "wg set " interface " private-key <("
>                                (get-secret-command wireguard-nickleslan-private-key-key) ")")
>                 (string-append "wg set " interface " peer " wireguard-nickleslan-public-key
>                                " preshared-key <("
>                                (get-secret-command wireguard-nickleslan-preshared-key-key) ")")))))

This will add another "PostUp" field.

Clément



* Re: Using gexps in wireguard-service-type postup
  2024-01-28 14:04 ` Clément Lassieur
@ 2024-01-28 18:36   ` Richard Sent
  2024-01-28 22:59     ` Clément Lassieur
  0 siblings, 1 reply; 5+ messages in thread
From: Richard Sent @ 2024-01-28 18:36 UTC (permalink / raw)
  To: Clément Lassieur; +Cc: help-guix

Clément Lassieur <clement@lassieur.org> writes:

On 2024-01-28 09:04, Clément Lassieur wrote:
> Hi Richard,
> which would be the same as
> 
>         (private-key #~(string-append #$sudo "/bin/sudo -u user <(pass ...)"))

Thanks. I made some progress with this, although I wound up hitting
another hurdle with the preshared-key.

When setting private-key, the following works fine:

--8<---------------cut here---------------start------------->8---
(private-key
 #~(string-append "<("
                  #$sudo "/bin/sudo" " -u richard "
                  #$password-store "/bin/pass ls " #$wireguard-nickleslan-private-key-key
                  ")"))
--8<---------------cut here---------------end--------------->8---

preshared-key, unfortunately, doesn't follow that same pattern. When
setting preshared keys with the following snippet:

--8<---------------cut here---------------start------------->8---
(wireguard-peer
 ...
 (preshared-key
  #~(string-append "<("
                   #$sudo "/bin/sudo -u richard "
                   #$password-store "/bin/pass ls " #$wireguard-nickleslan-preshared-key-key
                   ")")))
--8<---------------cut here---------------end--------------->8---

I wind up with a wireguard.conf file with the following line.

--8<---------------cut here---------------start------------->8---
PostUp = /gnu/store/4cnl0h79zc599xryr5jh66d7yq643zk4-wireguard-tools-1.0.20210914/bin/wg set %i private-key <(/gnu/store/gnybfg31is632dyaivd907f2h0wff80d-sudo-1.9.14p3/bin/sudo -u richard /gnu/store/ppd5qmx2b5fadjhww65xw09zkjphll6r-password-store-1.7.4/bin/pass ls System/WireGuard/NicklesBread/private.key) peer EHoPXGJvQVVpQ6PZ/XQtHx0p5FWEVCS3y2oI2O+Y9zo= preshared-key (string-append <( /gnu/store/gnybfg31is632dyaivd907f2h0wff80d-sudo-1.9.14p3 /bin/sudo -u richard  /gnu/store/ppd5qmx2b5fadjhww65xw09zkjphll6r-password-store-1.7.4 /bin/pass ls  System/WireGuard/NicklesBread/preshared.key ))
--8<---------------cut here---------------end--------------->8---

Emphasis on how everything after preshared-key is a Lisp sexp, not
evaluated output. I'm guessing this is because in gnu/services/vpn.scm,
the relevant code is
--8<---------------cut here---------------start------------->8---
(format #f "PostUp = ~a set %i private-key ~a\
~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg")
#$private-key '#$peer-keys)
--8<---------------cut here---------------end--------------->8---

Peer keys is quoted immediately before the ungexp. I'm curious why that
would be done and how I can get preshared-key set correctly.

I did try changing preshared-key to (preshared-key #~,(...)), but that
didn't accomplish anything besides creating a wireguard.config file with
`preshared-key (unquote (string-append ...))` I assume this is because a
quote (') is used instead of a quasiquote (`).

Is there anything on my end I can do to fix this or does it have to be
resolved in Guix proper?

-- 
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.



* Re: Using gexps in wireguard-service-type postup
  2024-01-28 18:36   ` Richard Sent
@ 2024-01-28 22:59     ` Clément Lassieur
  0 siblings, 0 replies; 5+ messages in thread
From: Clément Lassieur @ 2024-01-28 22:59 UTC (permalink / raw)
  To: Richard Sent; +Cc: help-guix

On Sun, Jan 28 2024, Richard Sent wrote:

> Clément Lassieur <clement@lassieur.org> writes:
>
> On 2024-01-28 09:04, Clément Lassieur wrote:
>> Hi Richard,
>> which would be the same as
>> 
>>         (private-key #~(string-append #$sudo "/bin/sudo -u user <(pass ...)"))
>
> Thanks. I made some progress with this, although I wound up hitting
> another hurdle with the preshared-key.
>
> When setting private-key, the following works fine:
>
> (private-key
>  #~(string-append "<("
>                   #$sudo "/bin/sudo" " -u richard "
>                   #$password-store "/bin/pass ls " #$wireguard-nickleslan-private-key-key
>                   ")"))
>
>
> preshared-key, unfortunately, doesn't follow that same pattern. When
> setting preshared keys with the following snippet:
>
> (wireguard-peer
>  ...
>  (preshared-key
>   #~(string-append "<("
>                    #$sudo "/bin/sudo -u richard "
>                    #$password-store "/bin/pass ls " #$wireguard-nickleslan-preshared-key-key
>                    ")")))
>
>
> I wind up with a wireguard.conf file with the following line.
>
> PostUp = /gnu/store/4cnl0h79zc599xryr5jh66d7yq643zk4-wireguard-tools-1.0.20210914/bin/wg set %i private-key <(/gnu/store/gnybfg31is632dyaivd907f2h0wff80d-sudo-1.9.14p3/bin/sudo -u richard /gnu/store/ppd5qmx2b5fadjhww65xw09zkjphll6r-password-store-1.7.4/bin/pass ls System/WireGuard/NicklesBread/private.key) peer EHoPXGJvQVVpQ6PZ/XQtHx0p5FWEVCS3y2oI2O+Y9zo= preshared-key (string-append <( /gnu/store/gnybfg31is632dyaivd907f2h0wff80d-sudo-1.9.14p3 /bin/sudo -u richard  /gnu/store/ppd5qmx2b5fadjhww65xw09zkjphll6r-password-store-1.7.4 /bin/pass ls  System/WireGuard/NicklesBread/preshared.key ))

Indeed probably the service is not meant to be used this way with
G-exps.  As a workaround you can use the private-key field to add
everything you need there.  As in

    (private-key #~(string-append #$sudo "/bin/sudo -u user <(pass ...) peer " #$peer " preshared-key " #$preshared-key))

> Emphasis on how everything after preshared-key is a Lisp sexp, not
> evaluated output. I'm guessing this is because in gnu/services/vpn.scm,
> the relevant code is
>
> (format #f "PostUp = ~a set %i private-key ~a\
> ~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg")
> #$private-key '#$peer-keys)
>
> Peer keys is quoted immediately before the ungexp. I'm curious why that
> would be done and how I can get preshared-key set correctly.
>
> I did try changing preshared-key to (preshared-key #~,(...)), but that
> didn't accomplish anything besides creating a wireguard.config file with
> `preshared-key (unquote (string-append ...))` I assume this is because a
> quote (') is used instead of a quasiquote (`).
>
> Is there anything on my end I can do to fix this or does it have to be
> resolved in Guix proper?

I haven't looked at it closely but probably the service needs at least a
way to add a raw configuration file as, say, the nginx service does (see
raw-content)...  Those raw configuration files can be built with g-exps.

Clément
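
The workaround Clément describes, written out as a complete service definition. This is an added example, not code from the thread or from Guix itself; the user name, the `pass` entry names, the addresses, the endpoint and the peer public key are placeholders, and it assumes wg-quick evaluates PostUp in bash so the `<(...)` process substitution is available.

```scheme
;; Added example (not from the thread or from Guix).  Placeholders: the
;; user "richard", the pass entry names, addresses, endpoint and peer key.
(use-modules (gnu services vpn)
             (gnu packages admin)          ; sudo
             (gnu packages password-utils) ; password-store
             (guix gexp))

;; Shell fragment that reads ENTRY from USER's password store through a
;; bash process substitution.  The decrypted key is handed to `wg set` as
;; a /dev/fd pipe, so it is never written to /gnu/store or /etc.  Returning
;; a gexp lets the store paths of sudo and pass be spliced in at build
;; time, which is what the plain "sudo ..." string in the first mail lacked.
(define (pass-fd user entry)
  #~(string-append "<(" #$sudo "/bin/sudo -u " #$user " "
                   #$password-store "/bin/pass ls " #$entry ")"))

;; Placeholder: replace with the real 44-character base64 peer key.
(define peer-public-key "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")

;; Append this to the `services' list of the operating-system.
(define my-wireguard-service
  (service wireguard-service-type
           (wireguard-configuration
            (interface "wg0")
            (addresses '("10.0.0.2/32"))
            ;; Everything `wg set` needs goes into private-key: the service
            ;; splices this field verbatim (#$private-key), whereas a gexp
            ;; placed in a peer's preshared-key is quoted ('#$peer-keys)
            ;; and ends up printed as an sexp in the config file.
            (private-key
             #~(string-append
                #$(pass-fd "richard" "System/WireGuard/private.key")
                " peer " #$peer-public-key
                " preshared-key "
                #$(pass-fd "richard" "System/WireGuard/preshared.key")))
            (peers
             (list (wireguard-peer
                    (name "hub")
                    (public-key peer-public-key)
                    (endpoint "vpn.example.org:51820")
                    (allowed-ips '("10.0.0.0/24"))))))))
            ;; No preshared-key on the peer on purpose: it is set above.
```

The peer still has to appear in `peers` so its [Peer] section (PublicKey, AllowedIPs) is generated; only the preshared key moves into the PostUp line.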


