Paul Alesius wrote on Thu 21-04-2022 at 15:26 [+0200]:
> + (preshared-key wireguard-peer-preshared-key
> + (default #f)) ;string

This should be documented in the documentation, otherwise it will be
difficult to discover. Also, #f is not a string, did you mean ‘;#f|string’?

Also, a limitation: the preshared key will end up in the store, and hence
be world-readable. So other users on the same system (other people or
compromised system daemons) could now determine the preshared key.

Questions:

 * Could the security limitation be documented?
 * What security impact does a leaked secret key have?
 * Does wireguard have some inclusion mechanism, such that the wireguard
   configuration can ‘include’ some file outside the store?
 * WDYT of verifying that the preshared key looks ‘reasonable’ (I guess
   only a-z0-9 characters, no spaces or newlines, not a bytevector ...)

As-is, if I do

  (preshared-key (string->utf8 "oops I thought this needs to be bytevector"))

then "guix system reconfigure" doesn't give a nice error message, it will
just silently produce a broken configuration file.

Greetings,
Maxime.
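Review bot: the `;string` annotation on the new field contradicts its `(default #f)`, and nothing in the hunk constrains the value, so a non-string (a bytevector, say) is interpolated into the generated configuration without an error. Annotate the field as `#f` or string, reject anything else with a clear error at `guix system reconfigure` time, and document the field in the manual. Since the generated configuration file lives in the world-readable store, consider having the field name a file that is read at activation time rather than carrying the key material itself.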
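An added example of the ‘looks reasonable’ check suggested above (my own code, not part of the patch or of Guix): a predicate and a sanitizer for the `preshared-key` field, assuming the field carries the base64-encoded key itself rather than a file name.

```scheme
;; Added example, not from the patch or from Guix.  Assumes the
;; 'preshared-key' field holds the base64-encoded key as a string.
(use-modules (ice-9 regex))

;; A WireGuard key is 32 bytes encoded in base64: exactly 44 characters,
;; the last one '='.  The 43rd character carries only four bits of key
;; material followed by two zero bits, so only these sixteen base64
;; digits can appear there.  Spaces, newlines and bytevectors never match.
(define %wireguard-key-rx
  (make-regexp "^[A-Za-z0-9+/]{42}[AEIMQUYcgkosw048]=$"))

(define (wireguard-key? obj)
  "Return #t when OBJ is a string shaped like a base64 WireGuard key."
  (and (string? obj)
       (regexp-exec %wireguard-key-rx obj)
       #t))

;; Hypothetical sanitizer for the record field: accept #f (no preshared
;; key) or a well-formed key, and fail loudly for anything else so that
;; 'guix system reconfigure' reports the mistake instead of writing a
;; broken configuration file.
(define (sanitize-preshared-key value)
  (cond ((not value) #f)
        ((wireguard-key? value) value)
        (else (error "wireguard: invalid preshared key (expected a \
44-character base64 string or #f):" value))))

;; Constructed sample values (the first is not a real key, just 44
;; well-formed base64 characters).
(sanitize-preshared-key (string-append (make-string 42 #\A) "A="))  ; accepted
(sanitize-preshared-key #f)                                         ; accepted
;; (sanitize-preshared-key (string->utf8 "oops"))                   ; raises
;; (sanitize-preshared-key "key\n[Peer]")                           ; raises
```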