From: Brice Waegeneire <brice@waegenei.re>
To: Mathieu Othacehe <othacehe@gnu.org>
Cc: 46504@debbugs.gnu.org
Subject: [bug#46504] [PATCH] services: wireguard: New service.
Date: Sun, 14 Feb 2021 15:35:03 +0100 [thread overview]
Message-ID: <87a6s67m5k.fsf@waegenei.re> (raw)
In-Reply-To: <20210214093301.348381-1-othacehe@gnu.org> (Mathieu Othacehe's message of "Sun, 14 Feb 2021 10:33:01 +0100")
Hello Mathieu,
Mathieu Othacehe <othacehe@gnu.org> writes:
> * gnu/services/vpn.scm (wireguard-peer, wireguard-configuration): New records.
> (wireguard-service-type): New variable.
> * doc/guix.texi (VPN Services): Document it.
> ---
[...]
Cool, more integration of Wireguard in Guix! I started writing such a
service but didn't finalize it yet. Though, I wasn't sure if it needed to
be implemented with wg-quick since upstream describes it as « a very
quick and dirty bash script for reading a few extra variables from
wg(8)-style configuration files, and automatically configures the
interface »¹.
> +
> +(define-record-type* <wireguard-peer>
> + wireguard-peer make-wireguard-peer
> + wireguard-peer?
> + (name wireguard-peer-name)
> + (endpoint wireguard-peer-endpoint
> + (default #f)) ;string
> + (public-key wireguard-peer-public-key) ;string
> + (allowed-ips wireguard-peer-allowed-ips)) ;list of strings
> +
> +(define-record-type* <wireguard-configuration>
> + wireguard-configuration make-wireguard-configuration
> + wireguard-configuration?
> + (wireguard wireguard-configuration-wireguard ;<package>
> + (default wireguard-tools))
> + (interface wireguard-configuration-interface ;string
> + (default "wg0"))
> + (address wireguard-configuration-address ;string
> + (default "10.0.0.1/32"))
> + (port wireguard-configuration-port ;integer
> + (default 51820))
> + (public-key wireguard-configuration-public-key ;string
> + (default "/etc/wireguard/public.key"))
> + (private-key wireguard-configuration-private-key ;string
> + (default "/etc/wireguard/private.key"))
> + (peers wireguard-configuration-peers ;list of <wiregard-peer>
> + (default '())))
> +
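Review bot: the type comment on the `peers` field misspells the record name (`;list of <wiregard-peer>` should read `;list of <wireguard-peer>`), and `name` in `<wireguard-peer>` is the only field with neither a type comment nor a default, so please annotate it as `;string` like its neighbours. Also, `private-key` defaults to a path under /etc/wireguard while `wg-quick`'s `PrivateKey` setting takes the key material itself, so make sure `wireguard-configuration-file` hands the path to `wg` (for example through a hook that runs `wg set <iface> private-key <path>`) rather than reading the key into the store-resident configuration file, where it would be world-readable.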
wg-quick(8) says that the “Address” attribute can be specified multiple
times and is « a comma-separated list of IP (v4 or v6) addresses
(optionally with CIDR masks) to be assigned to the interface. », so the
“address” field should probably be “addresses”, a list of strings.
Some of the missing attributes from wg-quick(8) like “DNS” or hooks
seem really useful; maybe an “extra-config” field could be added to the
record to support all of those attributes.
Why have a “public-key” field since it is derived from the private
key? It seems to allow misconfiguration: what happens if the private
and public part of a key don't match, or if only the “public-key” is
set?
[...]
> +(define (wireguard-shepherd-service config)
> + (match-record config <wireguard-configuration>
> + (wireguard)
> + (let ((wg-quick (file-append wireguard "/bin/wg-quick"))
> + (config (wireguard-configuration-file config)))
> + (list (shepherd-service
> + (requirement '(networking))
> + (provision '(wireguard))
> + (start #~(lambda _
> + (invoke #$wg-quick "up" #$config)))
> + (stop #~(lambda _
> + (invoke #$wg-quick "down" #$config)))
> + (documentation "Run the Wireguard VPN tunnel"))))))
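Review bot: the `stop` procedure returns whatever `invoke` returns, which is `#t` when `wg-quick down` succeeds, and Shepherd reads a true value from `stop` as "the service is still running"; return `#f` after the `invoke` call so the service is marked stopped. The inner `(let ((config (wireguard-configuration-file config))) ...)` also shadows the `<wireguard-configuration>` record with its rendered file under the same name; a distinct binding such as `config-file` would make `#$config` in the `invoke` calls easier to read.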
If I understand correctly it's not possible to specify which VPN to stop
if using several of them. Can the provision's symbol be derived from
the interface name to be able to do “sudo herd stop wireguard-wg0”?
> +(define wireguard-service-type
> + (service-type
> + (name 'wireguard)
> + (extensions
> + (list (service-extension shepherd-root-service-type
> + wireguard-shepherd-service)
> + (service-extension activation-service-type
> + wireguard-activation)))))
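Review bot: the `service-type` has no `description` field, so the service would show up without a summary in `guix system search`; add a one-line description (for example "Set up a Wireguard VPN tunnel.") alongside `name` and `extensions`.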
¹ https://git.zx2c4.com/wireguard-tools/tree/README.md#n47
Cheers,
- Brice
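The question above about a public key that does not match its private key can be checked mechanically, because a WireGuard public key is nothing more than X25519(private-key, 9) in base64. The following is an added illustration, not code from the patch or from Guix: a pure-Python X25519 (the Montgomery ladder from RFC 7748) used to derive the public key from a private key and to flag a mismatched pair. The sample keys are the Alice/Bob test vectors from RFC 7748 section 6.1, re-encoded in WireGuard's base64 form; `wireguard_public_key` and `keypair_matches` are names chosen here.

```python
import base64

# Curve25519 field prime and the (A - 2) / 4 constant from RFC 7748.
P = 2**255 - 19
A24 = 121665
# The X25519 base point u = 9, encoded as 32 little-endian bytes.
BASEPOINT = bytes([9]) + bytes(31)


def _decode_scalar(k: bytes) -> int:
    """Clamp a 32-byte private key as RFC 7748 section 5 requires."""
    if len(k) != 32:
        raise ValueError("X25519 scalar must be 32 bytes")
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def _decode_u(u: bytes) -> int:
    """Decode a u-coordinate, masking the unused top bit."""
    if len(u) != 32:
        raise ValueError("X25519 u-coordinate must be 32 bytes")
    u = bytearray(u)
    u[31] &= 127
    return int.from_bytes(u, "little")


def x25519(k: bytes, u: bytes) -> bytes:
    """Scalar multiplication k * u on Curve25519 (RFC 7748 ladder)."""
    k = _decode_scalar(k)
    x1 = _decode_u(u)
    x2, z2, x3, z3 = 1, 0, x1, 1
    swap = 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:  # conditional swap driven by the scalar bit
            x2, x3 = x3, x2
            z2, z3 = z3, z2
        swap = kt
        a = (x2 + z2) % P
        aa = a * a % P
        b = (x2 - z2) % P
        bb = b * b % P
        e = (aa - bb) % P
        c = (x3 + z3) % P
        d = (x3 - z3) % P
        da = d * a % P
        cb = c * b % P
        x3 = (da + cb) * (da + cb) % P
        z3 = x1 * ((da - cb) * (da - cb)) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3 = x3, x2
        z2, z3 = z3, z2
    # Affine u-coordinate: x2 / z2 via Fermat inversion, little-endian.
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def x25519_public_key(private_raw: bytes) -> bytes:
    """Public key = private scalar times the base point."""
    return x25519(private_raw, BASEPOINT)


def wireguard_public_key(private_b64: str) -> str:
    """Derive the base64 WireGuard public key from a base64 private key."""
    private_raw = base64.b64decode(private_b64, validate=True)
    return base64.b64encode(x25519_public_key(private_raw)).decode("ascii")


def keypair_matches(private_b64: str, public_b64: str) -> bool:
    """True only if public_b64 is exactly the key derived from private_b64."""
    given = base64.b64decode(public_b64, validate=True)
    if len(given) != 32:
        return False
    return given == base64.b64decode(wireguard_public_key(private_b64))


# Constructed sample keys: the RFC 7748 section 6.1 Diffie-Hellman test
# vectors, base64-encoded the way WireGuard stores keys.
ALICE_PRIVATE_B64 = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
ALICE_PUBLIC_B64 = base64.b64encode(bytes.fromhex(
    "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")).decode()
BOB_PRIVATE_B64 = base64.b64encode(bytes.fromhex(
    "5dab087e624a8a4b79e17f8b83800ee66f3bb1292618b6fd1c2f8b27ff88e0eb")).decode()
BOB_PUBLIC_B64 = base64.b64encode(bytes.fromhex(
    "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")).decode()


if __name__ == "__main__":
    print("derived:", wireguard_public_key(ALICE_PRIVATE_B64))
    print("pair ok:", keypair_matches(ALICE_PRIVATE_B64, ALICE_PUBLIC_B64))
    print("pair ok:", keypair_matches(ALICE_PRIVATE_B64, BOB_PUBLIC_B64))
```

Because the public key is a pure function of the private key, a service that stores both can only ever disagree with itself; validating the pair at configuration time (or deriving the public key and dropping the field) removes that failure mode.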