GNU bug report logs - #60182
[PATCH] services: wireguard: Allow specifying pre-shared keys.


Package: guix-patches;

Reported by: Timo Wilken <guix <at> twilken.net>

Date: Sun, 18 Dec 2022 18:54:03 UTC

Severity: normal

Tags: patch

Done: Mathieu Othacehe <othacehe <at> gnu.org>

Bug is archived. No further changes may be made.



Report forwarded to guix-patches <at> gnu.org:
bug#60182; Package guix-patches. (Sun, 18 Dec 2022 18:54:03 GMT)

Acknowledgement sent to Timo Wilken <guix <at> twilken.net>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 18 Dec 2022 18:54:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Timo Wilken <guix <at> twilken.net>
To: guix-patches <at> gnu.org
Cc: zimon.toutoune <at> gmail.com, othacehe <at> gnu.org, ludo <at> gnu.org, mail <at> cbaines.net,
 rekado <at> elephly.net, rg <at> raghavgururajan.name, jgart <at> dismail.de,
 paren <at> disroot.org
Subject: [PATCH] services: wireguard: Allow specifying pre-shared keys.
Date: Sun, 18 Dec 2022 18:19:47 +0100
Hi,

I'm new around here; please forgive any mistakes in my patch
submission! I've also CC'd the mentors; I hope that's OK.

For my WireGuard setup, I use pre-shared keys in addition to the usual
public/private keys.  `wg-quick', which is invoked by
`wireguard-service-type', supports these; Guix just needs to pass them
through to its configuration file.

After kind feedback from members of help-guix, I wrote this code such
that it takes an existing file for each pre-shared key and loads it
from the "main" configuration file, as is done for the private key.

I've tested this code using `sudo -E ./pre-inst-env guix system
reconfigure system.scm', with a system.scm that sets up a WireGuard
service with peers both with and without a pre-shared key. This
generates the correct wg-quick configuration file for me.

* gnu/services/vpn.scm (<wireguard-peer>): Add preshared-key field.
* doc/guix.texi (VPN Services): Document the new preshared-key field.
---
 doc/guix.texi        |  5 +++++
 gnu/services/vpn.scm | 14 +++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index eb37d4d393..06d6df01f8 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -31763,6 +31763,11 @@ VPN Services
 @item @code{public-key}
 The peer public-key represented as a base64 string.
 
+@item @code{preshared-key} (default: @code{#f})
+An optional pre-shared key file for this peer.  Giving a non-existent
+file name here will result in an invalid WireGuard configuration; the
+given file will not be autogenerated.
+
 @item @code{allowed-ips}
 A list of IP addresses from which incoming traffic for this peer is
 allowed and to which incoming traffic for this peer is directed.
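Review bot: The sentence "the given file will not be autogenerated" reads oddly after the one before it; it would be clearer to state what the field holds: the name of a file (not the key itself) from which `wg` reads the pre-shared key when the interface is brought up, in the same way as `private-key`, so the file must already exist on the target system. It is also worth saying that the file should be readable only by root, since the `PostUp` hook reads it as root and any other reader of the file learns the key.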
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 7b3bb8903c..44c0d83494 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -61,6 +61,7 @@ (define-module (gnu services vpn)
             wireguard-peer-endpoint
             wireguard-peer-allowed-ips
             wireguard-peer-public-key
+            wireguard-peer-preshared-key
             wireguard-peer-keep-alive
 
             wireguard-configuration
@@ -709,6 +710,8 @@ (define-record-type* <wireguard-peer>
   (endpoint          wireguard-peer-endpoint
                      (default #f))     ;string
   (public-key        wireguard-peer-public-key)   ;string
+  (preshared-key     wireguard-peer-preshared-key
+                     (default #f))     ;string
   (allowed-ips       wireguard-peer-allowed-ips) ;list of strings
   (keep-alive        wireguard-peer-keep-alive
                      (default #f)))    ;integer
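Review bot: The `;string` comment on `preshared-key` hides a difference from the `public-key` field directly above it: `public-key` holds the base64 key inline, while `preshared-key` holds the name of a file containing the key (see the doc hunk). A comment along the lines of `;string | #f, path to a key file` would keep the two from being confused by the next person editing this record.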
@@ -762,10 +765,18 @@ (define (wireguard-configuration-file config)
                   (format #f "PersistentKeepalive = ~a\n" keep-alive)
                   "\n"))))
 
+  (define (peers->preshared-keys peer keys)
+    (let ((public-key (wireguard-peer-public-key peer))
+          (preshared-key (wireguard-peer-preshared-key peer)))
+      (if preshared-key
+          (cons* public-key preshared-key keys)
+          keys)))
+
   (match-record config <wireguard-configuration>
     (wireguard interface addresses port private-key peers dns
                pre-up post-up pre-down post-down table)
     (let* ((config-file (string-append interface ".conf"))
+           (peer-keys (fold peers->preshared-keys (list) peers))
            (peers (map peer->config peers))
            (config
             (computed-file
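Review bot: `peers->preshared-keys` takes a single peer plus the accumulator, so a name such as `add-peer-preshared-key` would describe it better. More importantly, the `peer-keys` binding in the `let*` must stay ahead of `(peers (map peer->config peers))`, which shadows `peers` with the rendered config strings on the very next line; swapping those two bindings would silently hand config strings to `wireguard-peer-public-key`. Binding the rendered list under a different name (say `peer-configs`) instead of rebinding `peers` would remove that trap. Note also that `fold` prepends, so the resulting list is in reverse peer order; that is harmless here because each public-key/file-name pair stays together, but a comment saying so would help.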
@@ -780,7 +791,7 @@ (define (wireguard-configuration-file config)
 Address = ~a
 ~a
 ~a
-PostUp = ~a set %i private-key ~a
+PostUp = ~a set %i private-key ~a~{ peer ~a preshared-key ~a~}
 ~a
 ~a
 ~a
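Review bot: The `~{ peer ~a preshared-key ~a~}` directive consumes `peer-keys` two elements at a time, which relies on `peers->preshared-keys` always pushing the public key and the file name as a pair; a short comment next to the format string would make that coupling explicit. The file name is substituted unquoted into a `PostUp` line that wg-quick hands to a shell, so a path containing whitespace would break the command; that matches the existing `private-key ~a` handling, but if quoting is ever added it should cover both. Only the path ends up in the store-resident config file, not the key material, which is the right split for a secret.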
@@ -800,6 +811,7 @@ (define (wireguard-configuration-file config)
                                       "\n"))
                                #$(file-append wireguard "/bin/wg")
                                #$private-key
+                               '#$peer-keys
                                #$(if (null? post-up)
                                      ""
                                      (string-join
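Review bot: The quote in `'#$peer-keys` is required: `peer-keys` is a list of plain strings, and without the quote the list would be spliced into the build-side code as a form to evaluate rather than as a literal. Because the entries are plain strings rather than file-like objects, the key files are not copied to the store; they are referenced by absolute path and read only when the interface comes up, which keeps the secret out of /gnu/store but also means the "file must exist" caveat from the documentation hunk is the only check the user gets.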
-- 
2.38.1





Reply sent to Mathieu Othacehe <othacehe <at> gnu.org>:
You have taken responsibility. (Sun, 25 Dec 2022 16:01:02 GMT)

Notification sent to Timo Wilken <guix <at> twilken.net>:
bug acknowledged by developer. (Sun, 25 Dec 2022 16:01:02 GMT)

Message #10 received at 60182-done <at> debbugs.gnu.org:

From: Mathieu Othacehe <othacehe <at> gnu.org>
To: Timo Wilken <guix <at> twilken.net>
Cc: zimon.toutoune <at> gmail.com, paren <at> disroot.org, ludo <at> gnu.org, mail <at> cbaines.net,
 rekado <at> elephly.net, rg <at> raghavgururajan.name, 60182-done <at> debbugs.gnu.org,
 jgart <at> dismail.de
Subject: Re: bug#60182: [PATCH] services: wireguard: Allow specifying
 pre-shared keys.
Date: Sun, 25 Dec 2022 16:59:58 +0100
Hello,

> I'm new around here; please forgive any mistakes in my patch
> submission! I've also CC'd the mentors; I hope that's OK.

Welcome aboard!

> * gnu/services/vpn.scm (<wireguard-peer>): Add preshared-key field.
> * doc/guix.texi (VPN Services): Document the new preshared-key field.

It all seems nice, I added your copyright and removed a line from the
documentation before pushing as
2967abf1a2ae6787842c04752949f3c214da9338.

Thanks,

Mathieu




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Mon, 23 Jan 2023 12:24:13 GMT)
