From: bug#73955 <73955@debbugs.gnu.org>
To: bug#73955 <73955@debbugs.gnu.org>
Subject: Status: [PATCH 0/2] Improve customizability of WireGuard service
Reply-To: bug#73955 <73955@debbugs.gnu.org>
Date: Mon, 23 Jun 2025 09:22:34 +0000

retitle 73955 [PATCH 0/2] Improve customizability of WireGuard service
reassign 73955 guix-patches
submitter 73955 Richard Sent
severity 73955 normal
tag 73955 patch
thanks

From debbugs-submit-bounces@debbugs.gnu.org Tue Oct 22 17:24:55 2024
From: Richard Sent
To: guix-patches@gnu.org
Subject: [PATCH 0/2] Improve customizability of WireGuard service
Date: Tue, 22 Oct 2024 17:21:47 -0400
Cc: othacehe@gnu.org, Richard Sent, guix@twilken.net, maxim.cournoyer@gmail.com, eu@euandre.org

Hi all,

The goal for this patch series is to improve wireguard-service's customizability, primarily by supporting gexps evaluating to strings in most fields. Prior to this patch, lists of gexps were not serialized to strings, preventing certain constructs from being used. This was prompted by an issue I ran into a while back. [1]

I tested the serialization of several config records and did not notice any issues. I would greatly appreciate it if any users of wireguard-service could confirm their existing configurations still serialize correctly. You can do so via these guix REPL commands:

$ guix repl -L /path/to/guix/clone/with/patches
,use (guix)
,use (gnu services vpn)
,build ((@@ (gnu services vpn) wireguard-configuration-file) )

I took the liberty of CCing a few people who previously committed to WireGuard.
Apologies if I committed a faux pas. :)

[1]: https://lists.gnu.org/archive/html/help-guix/2024-01/msg00204.html

Richard Sent (2):
  services: wireguard: Make the private-key field optional.
  services: wireguard: Support lists of gexps for most fields.

 doc/guix.texi        |  5 ++-
 gnu/services/vpn.scm | 74 +++++++++++++++++++++++---------------------
 2 files changed, 43 insertions(+), 36 deletions(-)

base-commit: bd26815cf8ce38a3b03676a6e3fc482bb74247cb
-- 
2.46.0

From debbugs-submit-bounces@debbugs.gnu.org Tue Oct 22 17:26:20 2024
From: Richard Sent
To: 73955@debbugs.gnu.org
Subject: [PATCH 1/2] services: wireguard: Make the private-key field optional.
Date: Tue, 22 Oct 2024 17:25:28 -0400
X-Debbugs-Cc: Ludovic Courtès, Maxim Cournoyer
Cc: othacehe@gnu.org, Richard Sent, guix@twilken.net, maxim.cournoyer@gmail.com, eu@euandre.org

Users who retrieve the private-key via a PreUp field need to be able to disable the default retrieval mechanism.

* gnu/services/vpn.scm ()[private-key]: Change comment.
(wireguard-configuration-file): Conditionally serialize private-key.
* gnu/services/vpn.scm (wireguard-activation): Do not create private-key if the field is #f.
* doc/guix.texi (VPN Services)[wireguard-configuration]: Document it.

Change-Id: Iac419809ae94eb76e97ff1f1749e2f4b3e65bb04
---
 doc/guix.texi        |  5 ++++-
 gnu/services/vpn.scm | 36 ++++++++++++++++++++----------------
 2 files changed, 24 insertions(+), 17 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index ac3a7adef0..5558bd7d44 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34453,7 +34453,10 @@ VPN Services @item @code{private-key} (default: @code{"/etc/wireguard/private.key"}) The private key file for the interface. It is automatically generated -if the file does not exist. +if the file does not exist. If this field is @code{#f}, a private key +is not created and the path is not serialized to the configuration file. +This allows for retrieving the private key programmatically with a PreUp +command. @item @code{peers} (default: @code{'()}) The authorized peers on this interface. This is a list of diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index 7fb4775757..b62e0ac838 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -741,7 +741,7 @@ (define-record-type* (default '("10.0.0.1/32"))) (port wireguard-configuration-port ;integer (default 51820)) - (private-key wireguard-configuration-private-key ;string + (private-key wireguard-configuration-private-key ;maybe-string (default "/etc/wireguard/private.key")) (peers wireguard-configuration-peers ;list of (default '())) @@ -805,9 +805,12 @@ (define (wireguard-configuration-file config) #$@(if (null? pre-up) '() (list (format #f "~{PreUp = ~a~%~}" pre-up))) - (format #f "PostUp = ~a set %i private-key ~a\ -~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg") -#$private-key '#$peer-keys) + (if #$private-key + (format #f "PostUp = ~a set %i private-key ~a\ +~{ peer ~a preshared-key ~a~}" + #$(file-append wireguard "/bin/wg") + #$private-key '#$peer-keys) + "") #$@(if (null? post-up) '() (list (format #f "~{PostUp = ~a~%~}" post-up))) 
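Review bot: the `(if #$private-key ... "")` change in wireguard-configuration-file drops more than the private key. The PostUp line it now skips is the same line that applies `~{ peer ~a preshared-key ~a~}` from peer-keys, so a configuration with `(private-key #f)` silently loses every peer's preshared key and the tunnel comes up without the symmetric layer the user configured. Split the line: emit `wg set %i private-key <path>` only when private-key is true, and emit the `peer ... preshared-key ...` part whenever peer-keys is non-empty. The texi hunk should also say that with `#f` the user's PreUp or PostUp hook is responsible for running `wg set %i private-key`; otherwise no key is ever installed and handshakes simply fail.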
@@ -838,18 +841,19 @@ (define (wireguard-activation config) (use-modules (guix build utils) (ice-9 popen) (ice-9 rdelim)) - (mkdir-p (dirname #$private-key)) - (unless (file-exists? #$private-key) - (let* ((pipe - (open-input-pipe (string-append - #$(file-append wireguard "/bin/wg") - " genkey"))) - (key (read-line pipe))) - (call-with-output-file #$private-key - (lambda (port) - (display key port))) - (chmod #$private-key #o400) - (close-pipe pipe)))))) + (when #$private-key + (mkdir-p (dirname #$private-key)) + (unless (file-exists? #$private-key) + (let* ((pipe + (open-input-pipe (string-append + #$(file-append wireguard "/bin/wg") + " genkey"))) + (key (read-line pipe))) + (call-with-output-file #$private-key + (lambda (port) + (display key port))) + (chmod #$private-key #o400) + (close-pipe pipe))))))) ;;; XXX: Copied from (guix scripts pack), changing define to define*. (define-syntax-rule (define-with-source (variable args ...) body body* ...) -- 2.46.0 From debbugs-submit-bounces@debbugs.gnu.org Tue Oct 22 17:26:24 2024 Received: (at 73955) by debbugs.gnu.org; 22 Oct 2024 21:26:24 +0000 Received: from localhost ([127.0.0.1]:57673 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t3MOW-0000il-8B for submit@debbugs.gnu.org; Tue, 22 Oct 2024 17:26:24 -0400 Received: from mail-108-mta188.mxroute.com ([136.175.108.188]:35351) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t3MOU-0000iX-FE for 73955@debbugs.gnu.org; Tue, 22 Oct 2024 17:26:23 -0400 Received: from filter006.mxroute.com ([136.175.111.3] filter006.mxroute.com) (Authenticated sender: mN4UYu2MZsgR) by mail-108-mta188.mxroute.com (ZoneMTA) with ESMTPSA id 192b61f2db50003e01.001 for <73955@debbugs.gnu.org> (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384); Tue, 22 Oct 2024 21:25:49 +0000 X-Zone-Loop: 50f58fd63cf2ace2cba80cf11eece7b52a0d3be16c42 X-Originating-IP: [136.175.111.3] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
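Review bot: the `when` wrapper in wireguard-activation is fine, but since this hunk re-indents the whole key-generation block it is the moment to fix the ordering inside it: `call-with-output-file` creates the key file with the process umask and `chmod #$private-key #o400` only runs afterwards, so under the usual root umask of 022 the freshly written private key is world-readable until the chmod. Create it with an explicit mode instead, e.g. `(open #$private-key (logior O_WRONLY O_CREAT O_EXCL) #o400)`, and check that `read-line` did not return an EOF object before writing; otherwise a failing `wg genkey` leaves a bogus one-line file that the `file-exists?` guard keeps on every later activation.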
From: Richard Sent
To: 73955@debbugs.gnu.org
Subject: [PATCH 2/2] services: wireguard: Support lists of gexps for most fields.
Date: Tue, 22 Oct 2024 17:25:29 -0400
Message-ID: <0bb043a194b4c1b7d85921aac16f2fc2cbac2cfd.1729632049.git.richard@freakingpenguin.com>
Cc: othacehe@gnu.org, Richard Sent, guix@twilken.net, maxim.cournoyer@gmail.com, eu@euandre.org

In order to support more flexibility in Wireguard configuration, ungexp the configuration fields directly instead of ungexp-splicing a sexp calculator. This allows for the fields to take arbitrary gexps instead of only strings, which is particularly helpful for the Pre/Post Up/Down commands.

For example, the wg-quick(8) manual has an example on how to use password-store to retrieve a private key with a PreUp entry. This is now possible.

* gnu/services/vpn.scm (wireguard-configuration-file): Ungexp configuration lists instead of ungexp-splicing the code surrounding them.

Change-Id: If074cbb78473b6fd34e0e4e990d2ed268001d6c7
---
 gnu/services/vpn.scm | 38 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index b62e0ac838..21a7fb827a 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -797,33 +797,33 @@ (define (wireguard-configuration-file config) (define lines (list "[Interface]" - #$@(if (null? addresses) - '() - (list (format #f "Address = ~{~a~^, ~}" - addresses))) + (if (null? '#$addresses) + "" + (format #f "Address = ~{~a~^, ~}" + (list #$@addresses))) (format #f "~@[Table = ~a~]" #$table) - #$@(if (null? pre-up) - '() - (list (format #f "~{PreUp = ~a~%~}" pre-up))) + (if (null? '#$pre-up) + "" + (format #f "~{PreUp = ~a~%~}" (list #$@pre-up))) (if #$private-key (format #f "PostUp = ~a set %i private-key ~a\ ~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg") #$private-key '#$peer-keys) "") - #$@(if (null? post-up) - '() - (list (format #f "~{PostUp = ~a~%~}" post-up))) - #$@(if (null? pre-down) - '() - (list (format #f "~{PreDown = ~a~%~}" pre-down))) - #$@(if (null? post-down) - '() - (list (format #f "~{PostDown = ~a~%~}" post-down))) + (if (null? '#$post-up) + "" + (format #f "~{PostUp = ~a~%~}" (list #$@post-up))) + (if (null? '#$pre-down) + "" + (format #f "~{PreDown = ~a~%~}" (list #$@pre-down))) + (if (null? '#$post-down) + "" + (format #f "~{PostDown = ~a~%~}" (list #$@post-down))) (format #f "~@[ListenPort = ~a~]" #$port) - #$@(if (null? dns) - '() - (list (format #f "DNS = ~{~a~^, ~}" dns))))) + (if (null? 
'#$dns) + "" + (format #f "DNS = ~{~a~^, ~}" (list #$@dns))))) (mkdir #$output) (chdir #$output) -- 2.46.0 From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 23 05:27:41 2024 Received: (at 73955) by debbugs.gnu.org; 23 Oct 2024 09:27:41 +0000 Received: from localhost ([127.0.0.1]:58616 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t3XeW-0001jL-LZ for submit@debbugs.gnu.org; Wed, 23 Oct 2024 05:27:40 -0400 Received: from eggs.gnu.org ([209.51.188.92]:46588) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t3XeU-0001j8-Ib for 73955@debbugs.gnu.org; Wed, 23 Oct 2024 05:27:39 -0400 Received: from fencepost.gnu.org ([2001:470:142:3::e]) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1t3Xds-0003C4-EN; Wed, 23 Oct 2024 05:27:01 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org; s=fencepost-gnu-org; h=MIME-Version:Date:References:In-Reply-To:Subject:To: From; bh=ByM4dJ/dAdwdIH8Dl08q5m3NtdGZ5ezLdJrXhjlqnHU=; b=Wnt5pgmSA9rvP750uYAO nKai4M+pYxuellLMbhuu2CbGW8SYajCd+GnWNhIXsKKr/kdFrdl3z1KL4+Khc/aIxYFrAkmiD5DMa JWyVSJ2VLeC+ns5pSrM+52CsRzkkt6En7m66iw3XbMaZNsfnNuOtM/PBXQINNK5TDKU06ufgQqR1d JNLqVt6UYupODqyypU+BJ3SY7sde1XrFxzafFSNsFesfer6YKfkfXYaDfKhO6VVcU+j3scVQ34SkI i5ZW0IBcNWJlYTFkFzm8dLrtslRjmJ0iUbTR+y+MQLwBLVWNbmWBQGvigS2thIpHw6jL60PHpciKw YzVUJ28Tj2qitw==; 
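Review bot: every `#$@(if (null? ...) '() (list ...))` in this hunk becomes `(if (null? '#$...) "" (format ...))`, so for each unset field the `lines` list now holds an empty string where it previously held nothing. If the lines are written out unchanged, every existing configuration gains blank lines inside `[Interface]`; wg-quick tolerates that, but it changes the serialized output that the cover letter asks users to compare and that (tests services vpn) may check verbatim. Either drop empty strings before writing, e.g. `(remove string-null? lines)` with (srfi srfi-1), or keep the `'()` form and only ungexp the element lists. A one-line comment that `'#$addresses` is safe because ungexp lowers a list element by element (a gexp in the list becomes a build-side expression, which `(list #$@addresses)` then evaluates) would also help the next reader, who will otherwise read the quote as suppressing the user's gexps.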
From: Mathieu Othacehe
To: Richard Sent
Subject: Re: [PATCH 2/2] services: wireguard: Support lists of gexps for most fields.
In-Reply-To: <0bb043a194b4c1b7d85921aac16f2fc2cbac2cfd.1729632049.git.richard@freakingpenguin.com> (Richard Sent's message of "Tue, 22 Oct 2024 17:25:29 -0400")
References: <0bb043a194b4c1b7d85921aac16f2fc2cbac2cfd.1729632049.git.richard@freakingpenguin.com>
Date: Wed, 23 Oct 2024 11:26:26 +0200
Message-ID: <87cyjr2mrh.fsf@gnu.org>
Cc: eu@euandre.org, maxim.cournoyer@gmail.com, 73955@debbugs.gnu.org, guix@twilken.net

Hello Richard,

Thanks for this series. The first commit looks OK to me.

> For example, the wg-quick(8) manual has an example on how to use
> password-store to retrieve a private key with a PreUp entry. This is now
> possible.

It would be interesting to provide some testing for that. Sadly, we do not have a system test for Wireguard yet. We only have a unit test file in (tests services vpn). Adding a new (gnu tests vpn) module would be great in the future to test different Wireguard configurations. That can of course be done later on :)

Regarding this patch, the documentation is somewhat vague on how to pass post and pre commands:

--8<---------------cut here---------------start------------->8---
@item @code{post-up} (default: @code{'()})
The script commands to be run after setting up the interface.
...
--8<---------------cut here---------------end--------------->8---

Maybe you could elaborate on that a little bit and give some examples that would be the translation of some of the post and pre commands that are given in the wg-quick man page?

Thanks,

Mathieu

From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 23 11:48:10 2024
From: Richard Sent
To: 73955@debbugs.gnu.org
Subject: [PATCH v2 0/2] Improve customizability in WireGuard service
Date: Wed, 23 Oct 2024 11:30:05 -0400
X-Debbugs-Cc: Ludovic Courtès, Maxim Cournoyer
Cc: othacehe@gnu.org, Richard Sent

Hi all,

Thanks for the quick review Mathieu!

This patch is largely the same as before, but I spent some time adjusting the documentation and adding an example of retrieving the private key programmatically.

One interesting tidbit is pre-up and pals can alternatively be wrapped in the gexp directly instead of each entry being gexp'd individually.

> ;; normal
> (pre-up (list #~(string-append "wg set %i private-key <("
>                                #$(file-append password-store "/bin/pass")
>                                " WireGuard/private-keys/%i)")))
>
> ;; alternative
> (pre-up #~((string-append "wg set %i private-key <("
>                           #$(file-append password-store "/bin/pass")
>                           " WireGuard/private-keys/%i)")))

I see why this works (and it should work with any other service that handles config lists with splicing+list wrapping), but it does feel a little bit odd. Seeing as how no other service seems to use the alternative form, I opted to document the former.

Richard Sent (2):
  services: wireguard: Make the private-key field optional.
  services: wireguard: Support lists of gexps for most fields.
 doc/guix.texi        | 36 ++++++++++++++++++++-----
 gnu/services/vpn.scm | 75 +++++++++++++++++++++++---------------------
 2 files changed, 69 insertions(+), 42 deletions(-)

base-commit: bd26815cf8ce38a3b03676a6e3fc482bb74247cb
-- 
2.46.0
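As an added example, not part of Richard's series or of the Guix manual, the following operating-system fragment combines both patches: the service-managed key file is disabled with `(private-key #f)` and the key is installed by a PreUp hook that reads it from password-store, in the style of the wg-quick(8) manual. It assumes the two patches are applied, that `wireguard-tools` and `password-store` are the Guix package variables (from (gnu packages vpn) and (gnu packages password-utils)), and that the pass(1) entry name, the peer endpoint and the peer public key placeholder are made up for the example.

```scheme
;; Added example; not code from the patch series.  Requires the two
;; patches: `private-key' accepting #f and `pre-up' accepting gexps.
(use-modules (gnu services)
             (gnu services vpn)
             (gnu packages vpn)             ; wireguard-tools (assumed name)
             (gnu packages password-utils)  ; password-store (assumed name)
             (guix gexp))

(define %wg-private-key-from-pass
  ;; One PreUp command.  wg-quick substitutes %i with the interface name
  ;; and evals hooks under bash, so <(...) is process substitution: the
  ;; key travels through a pipe and never appears in argv, in the
  ;; generated config file or under /etc/wireguard.  The store path of wg
  ;; is spelled out instead of relying on PATH in the hook environment.
  ;; "WireGuard/private-keys/%i" is an assumed pass(1) entry name.
  #~(string-append #$(file-append wireguard-tools "/bin/wg")
                   " set %i private-key <("
                   #$(file-append password-store "/bin/pass")
                   " WireGuard/private-keys/%i)"))

(define %wg-service
  (service wireguard-service-type
           (wireguard-configuration
            (interface "wg0")
            (addresses '("10.0.0.2/32"))
            ;; #f: activation no longer runs `wg genkey', and the
            ;; "PostUp = wg set %i private-key ..." line is not emitted,
            ;; so the PreUp hook below is the only thing installing a key.
            (private-key #f)
            (pre-up (list %wg-private-key-from-pass))
            (peers
             (list (wireguard-peer
                    (name "hub")
                    ;; Assumed endpoint and a placeholder public key.
                    (endpoint "vpn.example.org:51820")
                    (public-key "REPLACE-WITH-PEER-PUBLIC-KEY")
                    (allowed-ips '("10.0.0.0/24"))
                    (keep-alive 25)))))))

;; Add %wg-service to the `services' field of the operating-system.
```

Two things follow from the patch text rather than from the example itself. With `(private-key #f)` the whole generated PostUp line is skipped, including the `peer ... preshared-key ...` settings it normally carries, so a peer that uses a preshared key needs its own hook that runs `wg set %i peer <public-key> preshared-key <(...)`. And to see what the service will actually write, build the configuration with the REPL commands from the cover letter and read the resulting file: the `[Interface]` section should contain the `PreUp =` line with store paths substituted and no `PrivateKey` or `PostUp = ... private-key` entry.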
From: Richard Sent To: 73955@debbugs.gnu.org Subject: [PATCH v2 1/2] services: wireguard: Make the private-key field optional. Date: Wed, 23 Oct 2024 11:30:06 -0400 Message-ID: In-Reply-To: References: MIME-Version: 1.0 X-Debbugs-Cc: Ludovic Courtès , Maxim Cournoyer Content-Transfer-Encoding: 8bit X-Authenticated-Id: richard@freakingpenguin.com X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 73955 Cc: othacehe@gnu.org, Richard Sent X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Users who retrieve the private-key via a PreUp field need to be able to disable the default retrieval mechanism. * gnu/services/vpn.scm ()[private-key]: Change comment. (wireguard-configuration-file): Conditionally serialize private-key. * gnu/services/vpn.scm (wireguard-activation): Do not create private-key if the field is #f. * doc/guix.texi (VPN Services)[wireguard-configuration]: Document it. Change-Id: Iac419809ae94eb76e97ff1f1749e2f4b3e65bb04 --- doc/guix.texi | 5 ++++- gnu/services/vpn.scm | 36 ++++++++++++++++++++---------------- 2 files changed, 24 insertions(+), 17 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index ac3a7adef0..5558bd7d44 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -34453,7 +34453,10 @@ VPN Services @item @code{private-key} (default: @code{"/etc/wireguard/private.key"}) The private key file for the interface. It is automatically generated -if the file does not exist. +if the file does not exist. If this field is @code{#f}, a private key +is not created and the path is not serialized to the configuration file. +This allows for retrieving the private key programmatically with a PreUp +command. @item @code{peers} (default: @code{'()}) The authorized peers on this interface. This is a list of 
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index 7fb4775757..b62e0ac838 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -741,7 +741,7 @@ (define-record-type* (default '("10.0.0.1/32"))) (port wireguard-configuration-port ;integer (default 51820)) - (private-key wireguard-configuration-private-key ;string + (private-key wireguard-configuration-private-key ;maybe-string (default "/etc/wireguard/private.key")) (peers wireguard-configuration-peers ;list of (default '())) @@ -805,9 +805,12 @@ (define (wireguard-configuration-file config) #$@(if (null? pre-up) '() (list (format #f "~{PreUp = ~a~%~}" pre-up))) - (format #f "PostUp = ~a set %i private-key ~a\ -~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg") -#$private-key '#$peer-keys) + (if #$private-key + (format #f "PostUp = ~a set %i private-key ~a\ +~{ peer ~a preshared-key ~a~}" + #$(file-append wireguard "/bin/wg") + #$private-key '#$peer-keys) + "") #$@(if (null? post-up) '() (list (format #f "~{PostUp = ~a~%~}" post-up))) 
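Review bot: this v2 hunk is byte-identical to the v1 version and so still has the preshared-key regression: the `(if #$private-key ... "")` fallback drops the whole PostUp line, and with it the `~{ peer ~a preshared-key ~a~}` part that installs the peers' preshared keys from peer-keys. Emit the private-key part conditionally but the preshared-key part whenever peer-keys is non-empty.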
@@ -838,18 +841,19 @@ (define (wireguard-activation config) (use-modules (guix build utils) (ice-9 popen) (ice-9 rdelim)) - (mkdir-p (dirname #$private-key)) - (unless (file-exists? #$private-key) - (let* ((pipe - (open-input-pipe (string-append - #$(file-append wireguard "/bin/wg") - " genkey"))) - (key (read-line pipe))) - (call-with-output-file #$private-key - (lambda (port) - (display key port))) - (chmod #$private-key #o400) - (close-pipe pipe)))))) + (when #$private-key + (mkdir-p (dirname #$private-key)) + (unless (file-exists? #$private-key) + (let* ((pipe + (open-input-pipe (string-append + #$(file-append wireguard "/bin/wg") + " genkey"))) + (key (read-line pipe))) + (call-with-output-file #$private-key + (lambda (port) + (display key port))) + (chmod #$private-key #o400) + (close-pipe pipe))))))) ;;; XXX: Copied from (guix scripts pack), changing define to define*. (define-syntax-rule (define-with-source (variable args ...) body body* ...) -- 2.46.0 From debbugs-submit-bounces@debbugs.gnu.org Wed Oct 23 11:48:19 2024 Received: (at 73955) by debbugs.gnu.org; 23 Oct 2024 15:48:19 +0000 Received: from localhost ([127.0.0.1]:60461 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t3das-0002Aa-Ru for submit@debbugs.gnu.org; Wed, 23 Oct 2024 11:48:19 -0400 Received: from mail-108-mta151.mxroute.com ([136.175.108.151]:43179) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1t3dar-0002AS-0T for 73955@debbugs.gnu.org; Wed, 23 Oct 2024 11:48:18 -0400 Received: from filter006.mxroute.com ([136.175.111.3] filter006.mxroute.com) (Authenticated sender: mN4UYu2MZsgR) by mail-108-mta151.mxroute.com (ZoneMTA) with ESMTPSA id 192ba10085e0003e01.001 for <73955@debbugs.gnu.org> (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384); Wed, 23 Oct 2024 15:47:45 +0000 X-Zone-Loop: f4f2c2d9bda77eb1ccfd98b6096baba6bd3dd80a2a4b X-Originating-IP: [136.175.111.3] DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; 
From: Richard Sent
To: 73955@debbugs.gnu.org
Subject: [PATCH v2 2/2] services: wireguard: Support lists of gexps for most fields.
Date: Wed, 23 Oct 2024 11:30:07 -0400
X-Debbugs-Cc: Ludovic Courtès, Maxim Cournoyer
Cc: othacehe@gnu.org, Richard Sent

In order to support more flexibility in Wireguard configuration, ungexp the configuration fields directly instead of ungexp-splicing a sexp calculator. This allows for the fields to take arbitrary gexps instead of only strings, which is particularly helpful for the Pre/Post Up/Down commands.

For example, the wg-quick(8) manual has an example on how to use password-store to retrieve a private key with a PreUp entry. This is now possible.

* gnu/services/vpn.scm (wireguard-configuration-file): Ungexp configuration lists instead of ungexp-splicing the code surrounding them.
* doc/guix.texi (VPN Services)[wireguard]: Document it.

Change-Id: If074cbb78473b6fd34e0e4e990d2ed268001d6c7
---
 doc/guix.texi        | 31 +++++++++++++++++++++++++------
 gnu/services/vpn.scm | 39 ++++++++++++++++++++------------------
 2 files changed, 45 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 5558bd7d44..0520b24c23 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34430,13 +34430,15 @@ VPN Services The interface name for the VPN. @item @code{addresses} (default: @code{'("10.0.0.1/32")}) -The IP addresses to be assigned to the above interface. +List of strings or G-expressions which represent the IP addresses to be +assigned to the above interface. @item @code{port} (default: @code{51820}) The port on which to listen for incoming connections. @item @code{dns} (default: @code{'())}) -The DNS server(s) to announce to VPN clients via DHCP. +List of strings or G-expressions which represent the DNS server(s) to +announce to VPN clients via DHCP. @item @code{monitor-ips?} (default: @code{#f}) @cindex Dynamic IP, with Wireguard 
@@ -34463,16 +34465,33 @@ VPN Services @var{wireguard-peer} records. @item @code{pre-up} (default: @code{'()}) -The script commands to be run before setting up the interface. +List of strings or G-expressions. These are script snippets which will +be executed before setting up the interface. + +One example shown in the @code{wg-quick(8)} manual is retrieving a +private key using @code{password-store}. This can be achieved with the +following code: + +@lisp +(wireguard-configuration + ;; Retrieve the private key manually. + (private-key #f) + (pre-up (list #~(string-append "wg set %i private-key <(" + #$(file-append password-store "/bin/pass") + " WireGuard/private-keys/%i)")))) +@end lisp @item @code{post-up} (default: @code{'()}) -The script commands to be run after setting up the interface. +List of strings or G-expressions. These are script snippets which will +be executed after setting up the interface. @item @code{pre-down} (default: @code{'()}) -The script commands to be run before tearing down the interface. +List of strings or G-expressions. These are script snippets which will +be executed before tearing down the interface. @item @code{post-down} (default: @code{'()}) -The script commands to be run after tearing down the interface. +List of strings or G-expressions. These are script snippets which will +be executed after tearing down the interface. @item @code{table} (default: @code{"auto"}) The routing table to which routes are added, as a string. There are two diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index b62e0ac838..c1daba5dc1 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -12,6 +12,7 @@ ;;; Copyright © 2022 Cameron V Chaparro ;;; Copyright © 2022 Timo Wilken ;;; Copyright © 2023 Maxim Cournoyer +;;; Copyright © 2024 Richard Sent ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -797,33 +798,33 @@ (define (wireguard-configuration-file config) (define lines (list "[Interface]" - #$@(if (null? addresses) - '() - (list (format #f "Address = ~{~a~^, ~}" - addresses))) + (if (null? '#$addresses) + "" + (format #f "Address = ~{~a~^, ~}" + (list #$@addresses))) (format #f "~@[Table = ~a~]" #$table) - #$@(if (null? pre-up) - '() - (list (format #f "~{PreUp = ~a~%~}" pre-up))) + (if (null? '#$pre-up) + "" + (format #f "~{PreUp = ~a~%~}" (list #$@pre-up))) (if #$private-key (format #f "PostUp = ~a set %i private-key ~a\ ~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg") #$private-key '#$peer-keys) "") - #$@(if (null? post-up) - '() - (list (format #f "~{PostUp = ~a~%~}" post-up))) - #$@(if (null? pre-down) - '() - (list (format #f "~{PreDown = ~a~%~}" pre-down))) - #$@(if (null? post-down) - '() - (list (format #f "~{PostDown = ~a~%~}" post-down))) + (if (null? '#$post-up) + "" + (format #f "~{PostUp = ~a~%~}" (list #$@post-up))) + (if (null? '#$pre-down) + "" + (format #f "~{PreDown = ~a~%~}" (list #$@pre-down))) + (if (null? '#$post-down) + "" + (format #f "~{PostDown = ~a~%~}" (list #$@post-down))) (format #f "~@[ListenPort = ~a~]" #$port) - #$@(if (null? dns) - '() - (list (format #f "DNS = ~{~a~^, ~}" dns))))) + (if (null? 
'#$dns) + "" + (format #f "DNS = ~{~a~^, ~}" (list #$@dns))))) (mkdir #$output) (chdir #$output) -- 2.46.0
From: Richard Sent To: 73955@debbugs.gnu.org Subject: [PATCH v3 1/3] services: wireguard: Make the private-key field optional. Date: Wed, 23 Oct 2024 14:20:57 -0400 Message-ID: In-Reply-To: References: MIME-Version: 1.0 X-Debbugs-Cc: Ludovic Courtès , Maxim Cournoyer Content-Transfer-Encoding: 8bit X-Authenticated-Id: richard@freakingpenguin.com X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 73955 Cc: Richard Sent X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Users who retrieve the private-key via a PreUp field need to be able to disable the default retrieval mechanism. * gnu/services/vpn.scm ()[private-key]: Change comment. (wireguard-configuration-file): Conditionally serialize private-key. * gnu/services/vpn.scm (wireguard-activation): Do not create private-key if the field is #f. * doc/guix.texi (VPN Services)[wireguard-configuration]: Document it. Change-Id: Iac419809ae94eb76e97ff1f1749e2f4b3e65bb04 --- doc/guix.texi | 5 ++++- gnu/services/vpn.scm | 36 ++++++++++++++++++++---------------- 2 files changed, 24 insertions(+), 17 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index ac3a7adef0..5558bd7d44 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -34453,7 +34453,10 @@ VPN Services @item @code{private-key} (default: @code{"/etc/wireguard/private.key"}) The private key file for the interface. It is automatically generated -if the file does not exist. +if the file does not exist. If this field is @code{#f}, a private key +is not created and the path is not serialized to the configuration file. +This allows for retrieving the private key programmatically with a PreUp +command. @item @code{peers} (default: @code{'()}) The authorized peers on this interface. This is a list of 
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index 7fb4775757..b62e0ac838 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -741,7 +741,7 @@ (define-record-type* (default '("10.0.0.1/32"))) (port wireguard-configuration-port ;integer (default 51820)) - (private-key wireguard-configuration-private-key ;string + (private-key wireguard-configuration-private-key ;maybe-string (default "/etc/wireguard/private.key")) (peers wireguard-configuration-peers ;list of (default '())) @@ -805,9 +805,12 @@ (define (wireguard-configuration-file config) #$@(if (null? pre-up) '() (list (format #f "~{PreUp = ~a~%~}" pre-up))) - (format #f "PostUp = ~a set %i private-key ~a\ -~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg") -#$private-key '#$peer-keys) + (if #$private-key + (format #f "PostUp = ~a set %i private-key ~a\ +~{ peer ~a preshared-key ~a~}" + #$(file-append wireguard "/bin/wg") + #$private-key '#$peer-keys) + "") #$@(if (null? post-up) '() (list (format #f "~{PostUp = ~a~%~}" post-up))) 
@@ -838,18 +841,19 @@ (define (wireguard-activation config) (use-modules (guix build utils) (ice-9 popen) (ice-9 rdelim)) - (mkdir-p (dirname #$private-key)) - (unless (file-exists? #$private-key) - (let* ((pipe - (open-input-pipe (string-append - #$(file-append wireguard "/bin/wg") - " genkey"))) - (key (read-line pipe))) - (call-with-output-file #$private-key - (lambda (port) - (display key port))) - (chmod #$private-key #o400) - (close-pipe pipe)))))) + (when #$private-key + (mkdir-p (dirname #$private-key)) + (unless (file-exists? #$private-key) + (let* ((pipe + (open-input-pipe (string-append + #$(file-append wireguard "/bin/wg") + " genkey"))) + (key (read-line pipe))) + (call-with-output-file #$private-key + (lambda (port) + (display key port))) + (chmod #$private-key #o400) + (close-pipe pipe))))))) ;;; XXX: Copied from (guix scripts pack), changing define to define*. (define-syntax-rule (define-with-source (variable args ...) body body* ...) -- 2.46.0
From: Richard Sent
To: 73955@debbugs.gnu.org
Subject: [PATCH v3 0/3] Improve customizability of WireGuard service.
Date: Wed, 23 Oct 2024 14:20:56 -0400

Hi all,

Apologies for the noise. While playing around some more I realized it
would be useful if preshared-keys also handled gexps. This allows for
constructs like

> (define (file-redirect script)
>   #~(string-append "<(" #$script ")"))
>
> (wireguard-configuration
>   (private-key (file-redirect
>                 (get-secret-program-file "foo")))
>   (peers (list (wireguard-peer
>                 (public-key "X")
>                 (preshared-key
>                  (file-redirect
>                   (get-secret-program-file "bar")))))))

This results in a PostUp command like:

> PostUp = /gnu/store/.../wg set %i private-key <(/gnu/store/...wg-get-private)\
>   peer X preshared-key <(/gnu/store/...wg-get-preshared)

You could bang this together via the post-up escape hatch before v3 of
this patch, but it would be rather awkward and cause some unpleasant
linkage between peers and the interface configuration (since peers
can't specify their own postup commands).

Richard Sent (3):
  services: wireguard: Make the private-key field optional.
  services: wireguard: Support lists of gexps for most fields.
  services: wireguard: Support gexps for peer preshared keys.
doc/guix.texi | 36 ++++++++++++++++----- gnu/services/vpn.scm | 75 +++++++++++++++++++++++--------------------- 2 files changed, 69 insertions(+), 42 deletions(-) base-commit: bd26815cf8ce38a3b03676a6e3fc482bb74247cb -- 2.46.0
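As an added example of the configuration style the cover letter describes (this is not code from the patch series or from Guix itself), here is a complete service fragment that keeps both the interface's private key and a peer's preshared key in pass(1), so that neither secret is written to the store or to /etc/wireguard. It goes slightly beyond the cover letter in that it also sets the peer's preshared key, which the service's own PostUp no longer does once private-key is #f. Assumptions: `wireguard-tools` comes from (gnu packages vpn), `password-store` from (gnu packages password-utils), the pass entry names and the placeholder peer public key are made up, and `pass-redirect`, `%wg`, `%laptop-public-key` and `wg0-service` are names defined by the example.

```scheme
;; Added example, not from the patch series or from Guix itself.
;; Assumed: wireguard-tools from (gnu packages vpn), password-store from
;; (gnu packages password-utils), the pass(1) entry names, and the
;; placeholder peer public key below.
(use-modules (gnu)
             (gnu services vpn)
             (gnu packages vpn)
             (gnu packages password-utils)
             (guix gexp))

;; Store path of wg rather than a bare "wg": the hook is evaluated by
;; wg-quick's bash as root, without a user PATH.
(define %wg (file-append wireguard-tools "/bin/wg"))

(define (pass-redirect entry)
  ;; Bash process substitution: wg reads the secret from /dev/fd/N, so the
  ;; key never exists as a regular file.  wg-quick expands %i to the
  ;; interface name everywhere in the hook, including inside ENTRY.
  #~(string-append "<(" #$(file-append password-store "/bin/pass")
                   " " #$entry ")"))

;; Placeholder (assumed) public key of the peer.
(define %laptop-public-key "PEER_PUBLIC_KEY_BASE64=")

(define wg0-service
  (service wireguard-service-type
           (wireguard-configuration
            (interface "wg0")
            (addresses '("10.0.0.1/32"))
            ;; #f: the service neither generates /etc/wireguard/private.key
            ;; nor emits its own "PostUp = wg set %i private-key ..." line.
            (private-key #f)
            ;; PostUp, not PreUp: the interface only exists after wg-quick
            ;; has created it.  Because the service's own PostUp is skipped
            ;; when private-key is #f, the peer preshared key is set here too.
            (post-up
             (list #~(string-append #$%wg " set %i private-key "
                                    #$(pass-redirect "WireGuard/private-keys/%i")
                                    " peer " #$%laptop-public-key
                                    " preshared-key "
                                    #$(pass-redirect "WireGuard/preshared-keys/laptop"))))
            (peers
             (list (wireguard-peer
                    (name "laptop")
                    (public-key %laptop-public-key)
                    (allowed-ips '("10.0.0.2/32"))))))))
```

Add `wg0-service` to the `services` field of the operating-system declaration. Two caveats follow from the patch as posted: with private-key set to #f the generated `PostUp = wg set %i private-key ... peer ... preshared-key ...` line is skipped entirely, so a preshared key given in a `wireguard-peer` record would not be applied unless it is set by a hook as above; and the hooks run as root under wg-quick, so `pass` must find root's password store and GPG agent, exactly as for the pass(1) example in wg-quick(8).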
From: Richard Sent
To: 73955@debbugs.gnu.org
Subject: [PATCH v3 3/3] services: wireguard: Support gexps for peer preshared keys.
Date: Wed, 23 Oct 2024 14:20:59 -0400

* gnu/services/vpn.scm (wireguard-configuration-file)[lines]: Ungexp splice
with list instead of quote ungexp.

Change-Id: I50364359baafb749dc975db70478bef49e93d90c
---
 gnu/services/vpn.scm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index c1daba5dc1..6a73db78be 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -810,7 +810,7 @@ (define (wireguard-configuration-file config) (format #f "PostUp = ~a set %i private-key ~a\ ~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg") - #$private-key '#$peer-keys) + #$private-key (list #$@peer-keys)) "") (if (null? '#$post-up) "" -- 2.46.0
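Review bot: the `preshared-key` field's documentation in guix.texi should be updated in this same patch to say the value may now be a gexp, since `(list #$@peer-keys)` in this hunk is what makes that work and the manual otherwise still describes a plain path. It is also worth documenting that the value is interpolated unquoted into a `PostUp = ... peer ~a preshared-key ~a` line that wg-quick hands to bash, so a gexp must expand to a single shell word, such as a path or a `<(...)` process substitution without whitespace.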
From: Richard Sent
To: 73955@debbugs.gnu.org
Subject: [PATCH v3 2/3] services: wireguard: Support lists of gexps for most fields.
Date: Wed, 23 Oct 2024 14:20:58 -0400

In order to support more flexibility in Wireguard configuration, ungexp the
configuration fields directly instead of ungexp-splicing a sexp calculator.
This allows for the fields to take arbitrary gexps instead of only strings
which is particularly helpful for the Pre/Post Up/Down commands.

For example, the wg-quick(8) manual has an example on how to use
password-store to retrieve a private key with a PreUp entry. This is now
possible.

* gnu/services/vpn.scm (wireguard-configuration-file): Ungexp configuration
lists instead of ungexp-splicing the code surrounding them.
* doc/guix.texi (VPN Services)[wireguard]: Document it.

Change-Id: If074cbb78473b6fd34e0e4e990d2ed268001d6c7
---
 doc/guix.texi        | 31 +++++++++++++++++++++++++------
 gnu/services/vpn.scm | 39 ++++++++++++++++++++-------------------
 2 files changed, 45 insertions(+), 25 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 5558bd7d44..0520b24c23 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34430,13 +34430,15 @@ VPN Services The interface name for the VPN. @item @code{addresses} (default: @code{'("10.0.0.1/32")}) -The IP addresses to be assigned to the above interface. +List of strings or G-expressions which represent the IP addresses to be +assigned to the above interface. @item @code{port} (default: @code{51820}) The port on which to listen for incoming connections. @item @code{dns} (default: @code{'())}) -The DNS server(s) to announce to VPN clients via DHCP. +List of strings or G-expressions which represent the DNS server(s) to +announce to VPN clients via DHCP. @item @code{monitor-ips?} (default: @code{#f}) @cindex Dynamic IP, with Wireguard 
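Review bot: the rewritten `dns` sentence carries over the wrong description "announce to VPN clients via DHCP": WireGuard has no DHCP, and wg-quick's `DNS =` entry sets the resolvers the local host uses for this interface while it is up. Since the hunk already rewrites that line, suggest: `List of strings or G-expressions which represent the DNS server(s) to use for this interface while it is up.`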
@@ -34463,16 +34465,33 @@ VPN Services @var{wireguard-peer} records. @item @code{pre-up} (default: @code{'()}) -The script commands to be run before setting up the interface. +List of strings or G-expressions. These are script snippets which will +be executed before setting up the interface. + +One example shown in the @code{wg-quick(8)} manual is retrieving a +private key using @code{password-store}. This can be achieved with the +following code: + +@lisp +(wireguard-configuration + ;; Retrieve the private key manually. + (private-key #f) + (pre-up (list #~(string-append "wg set %i private-key <(" + #$(file-append password-store "/bin/pass") + " WireGuard/private-keys/%i)")))) +@end lisp @item @code{post-up} (default: @code{'()}) -The script commands to be run after setting up the interface. +List of strings or G-expressions. These are script snippets which will +be executed after setting up the interface. @item @code{pre-down} (default: @code{'()}) -The script commands to be run before tearing down the interface. +List of strings or G-expressions. These are script snippets which will +be executed before tearing down the interface. @item @code{post-down} (default: @code{'()}) -The script commands to be run after tearing down the interface. +List of strings or G-expressions. These are script snippets which will +be executed after tearing down the interface. @item @code{table} (default: @code{"auto"}) The routing table to which routes are added, as a string. There are two diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index b62e0ac838..c1daba5dc1 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -12,6 +12,7 @@ ;;; Copyright © 2022 Cameron V Chaparro ;;; Copyright © 2022 Timo Wilken ;;; Copyright © 2023 Maxim Cournoyer +;;; Copyright © 2024 Richard Sent ;;; ;;; This file is part of GNU Guix. ;;; 
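Review bot: the `pre-up` example cannot work as a PreUp hook: wg-quick(8) runs PreUp before it creates the interface, so `wg set %i private-key ...` has no device to act on yet; the pass(1) example in wg-quick(8) that this is modelled on is a PostUp hook, and the `post-up` entry is where this example belongs. Two smaller points: use the store path of `wg` rather than the bare `wg` (the generated file already does so with `#$(file-append wireguard "/bin/wg")`, because the hook is evaluated by wg-quick's shell without a user PATH), and say which module exports `password-store` so the snippet can be pasted into an operating-system declaration as is.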
@@ -797,33 +798,33 @@ (define (wireguard-configuration-file config) (define lines (list "[Interface]" - #$@(if (null? addresses) - '() - (list (format #f "Address = ~{~a~^, ~}" - addresses))) + (if (null? '#$addresses) + "" + (format #f "Address = ~{~a~^, ~}" + (list #$@addresses))) (format #f "~@[Table = ~a~]" #$table) - #$@(if (null? pre-up) - '() - (list (format #f "~{PreUp = ~a~%~}" pre-up))) + (if (null? '#$pre-up) + "" + (format #f "~{PreUp = ~a~%~}" (list #$@pre-up))) (if #$private-key (format #f "PostUp = ~a set %i private-key ~a\ ~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg") #$private-key '#$peer-keys) "") - #$@(if (null? post-up) - '() - (list (format #f "~{PostUp = ~a~%~}" post-up))) - #$@(if (null? pre-down) - '() - (list (format #f "~{PreDown = ~a~%~}" pre-down))) - #$@(if (null? post-down) - '() - (list (format #f "~{PostDown = ~a~%~}" post-down))) + (if (null? '#$post-up) + "" + (format #f "~{PostUp = ~a~%~}" (list #$@post-up))) + (if (null? '#$pre-down) + "" + (format #f "~{PreDown = ~a~%~}" (list #$@pre-down))) + (if (null? '#$post-down) + "" + (format #f "~{PostDown = ~a~%~}" (list #$@post-down))) (format #f "~@[ListenPort = ~a~]" #$port) - #$@(if (null? dns) - '() - (list (format #f "DNS = ~{~a~^, ~}" dns))))) + (if (null? 
'#$dns) + "" + (format #f "DNS = ~{~a~^, ~}" (list #$@dns))))) (mkdir #$output) (chdir #$output) -- 2.46.0
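Review bot: every `(if (null? '#$...) "" ...)` now pushes an empty string into `lines` where the old `#$@(if ... '() ...)` form contributed nothing, so an empty `addresses`, `dns` or hook list becomes a blank line in the generated wireguard.conf unless the code that writes `lines` (not in this hunk) drops empty strings. That is the same shape the existing `(format #f "~@[Table = ~a~]" #$table)` already produces, so if empty strings are tolerated there this is harmless; otherwise filter them once at the write site, e.g. `(remove string-null? lines)`, rather than in each branch.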
From: Mathieu Othacehe
To: Richard Sent
Subject: Re: [bug#73955] [PATCH v3 3/3] services: wireguard: Support gexps for peer preshared keys.
Date: Mon, 04 Nov 2024 07:59:09 +0100

Hello Richard,

Thanks for the updated series :)

> * gnu/services/vpn.scm (wireguard-configuration-file)[lines]: Ungexp splice
> with list instead of quote ungexp.

Do you think that it would make sense to also update the documentation
for the "preshared-key" field, to mention that it can be a gexp?
Mathieu

Date: Mon, 04 Nov 2024 09:53:49 -0500
From: Richard Sent
To: Mathieu Othacehe
Subject: Re: [bug#73955] [PATCH v3 3/3] services: wireguard: Support gexps for peer preshared keys.

> Do you think that it would make sense to also update the documentation
> for the "preshared-key" field, to mention that it can be a gexp?

Makes sense to me!

> (wireguard-configuration
>   (private-key (file-redirect
>                 (get-secret-program-file "foo"))))

I'm also realizing that while the wireguard.conf generated in my example
is correct, we still bootstrap a private key at file path
<(/gnu/store...), which isn't ideal.

We could only attempt to bootstrap "reasonable" file names (i.e. those
that start with a /), but this feels icky and <(foo) is technically a
valid file name.

I quite like how utilizing the private-key field for commands instead of
a file path works (as opposed to a rather ugly manual postup), so perhaps
a bootstrap-private-key? field should be added. As long as it defaults
to #t I don't see it impacting existing setups.
From: Richard Sent To: 73955@debbugs.gnu.org Subject: [PATCH v4 1/3] services: wireguard: Make the private-key field optional. Date: Wed, 4 Dec 2024 15:59:33 -0500 Message-ID: MIME-Version: 1.0 X-Debbugs-Cc: Ludovic Courtès , Maxim Cournoyer Content-Transfer-Encoding: 8bit X-Authenticated-Id: richard@freakingpenguin.com X-Spam-Score: 0.0 (/) X-Debbugs-Envelope-To: 73955 Cc: othacehe@gnu.org, Richard Sent X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.0 (-) Users who retrieve the private-key via a PreUp field need to be able to disable the default retrieval mechanism. * gnu/services/vpn.scm ()[private-key]: Change comment. (wireguard-configuration-file): Conditionally serialize private-key. * gnu/services/vpn.scm (wireguard-activation): Do not create private-key if the field is #f. * doc/guix.texi (VPN Services)[wireguard-configuration]: Document it. Change-Id: Iac419809ae94eb76e97ff1f1749e2f4b3e65bb04 --- doc/guix.texi | 4 +++- gnu/services/vpn.scm | 36 ++++++++++++++++++++---------------- 2 files changed, 23 insertions(+), 17 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index f43cb53990..fa9a147bd0 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -34626,7 +34626,9 @@ VPN Services @item @code{private-key} (default: @code{"/etc/wireguard/private.key"}) The private key file for the interface. It is automatically generated -if the file does not exist. +if the file does not exist. If this field is @code{#f}, a private key +is not automatically created and the path is not serialized to the +configuration file. @item @code{peers} (default: @code{'()}) The authorized peers on this interface. This is a list of diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index 7fb4775757..b62e0ac838 100644 --- a/gnu/services/vpn.scm 
+++ b/gnu/services/vpn.scm @@ -741,7 +741,7 @@ (define-record-type* (default '("10.0.0.1/32"))) (port wireguard-configuration-port ;integer (default 51820)) - (private-key wireguard-configuration-private-key ;string + (private-key wireguard-configuration-private-key ;maybe-string (default "/etc/wireguard/private.key")) (peers wireguard-configuration-peers ;list of (default '())) @@ -805,9 +805,12 @@ (define (wireguard-configuration-file config) #$@(if (null? pre-up) '() (list (format #f "~{PreUp = ~a~%~}" pre-up))) - (format #f "PostUp = ~a set %i private-key ~a\ -~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg") -#$private-key '#$peer-keys) + (if #$private-key + (format #f "PostUp = ~a set %i private-key ~a\ +~{ peer ~a preshared-key ~a~}" + #$(file-append wireguard "/bin/wg") + #$private-key '#$peer-keys) + "") #$@(if (null? post-up) '() (list (format #f "~{PostUp = ~a~%~}" post-up))) 
@@ -838,18 +841,19 @@ (define (wireguard-activation config) (use-modules (guix build utils) (ice-9 popen) (ice-9 rdelim)) - (mkdir-p (dirname #$private-key)) - (unless (file-exists? #$private-key) - (let* ((pipe - (open-input-pipe (string-append - #$(file-append wireguard "/bin/wg") - " genkey"))) - (key (read-line pipe))) - (call-with-output-file #$private-key - (lambda (port) - (display key port))) - (chmod #$private-key #o400) - (close-pipe pipe)))))) + (when #$private-key + (mkdir-p (dirname #$private-key)) + (unless (file-exists? #$private-key) + (let* ((pipe + (open-input-pipe (string-append + #$(file-append wireguard "/bin/wg") + " genkey"))) + (key (read-line pipe))) + (call-with-output-file #$private-key + (lambda (port) + (display key port))) + (chmod #$private-key #o400) + (close-pipe pipe))))))) ;;; XXX: Copied from (guix scripts pack), changing define to define*. (define-syntax-rule (define-with-source (variable args ...) body body* ...) base-commit: e00ca95e08bc1cc2cb39f3178485ef16defce0be -- 2.46.0

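Review bot: the doc hunk says what `#f` switches off but not what the user then owes the service. Once `private-key` is `#f`, nothing else in the generated config sets a private key on the interface, so the paragraph should state that a `pre-up`/`post-up` command (the PreUp case the commit message mentions) must load one, otherwise the interface comes up without a key.

Review bot: in the `wireguard-configuration-file` hunk, setting `private-key` to `#f` also drops the peer half of the PostUp line, because `~{ peer ~a preshared-key ~a~}` sits inside the same `(if #$private-key ...)`. A user who disables the built-in key handling precisely to load the key from PreUp silently loses every `preshared-key` configured on their peers, with no warning. Emit the preshared-key part unconditionally, e.g. as its own `PostUp = wg set %i peer ... preshared-key ...` line, and keep only the `set %i private-key` part behind the check.

Review bot: in the `wireguard-activation` hunk, the generated key is written with `call-with-output-file` under the process umask and only afterwards tightened with `(chmod #$private-key #o400)`, so there is a window in which a freshly generated private key is readable according to whatever the umask allows. Since this block is being moved anyway, set `(umask #o077)` before the write so the file is created restricted, and check that `(read-line pipe)` returned a string rather than the EOF object before writing it: if `wg genkey` fails, the current code persists `#<eof>` as the key file and never reports the error.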
From: Richard Sent
To: 73955@debbugs.gnu.org
Subject: [PATCH v4 3/3] services: wireguard: Support lists of gexps for most fields.
Date: Wed, 4 Dec 2024 15:59:35 -0500
X-Debbugs-Cc: Ludovic Courtès, Maxim Cournoyer
Cc: othacehe@gnu.org, Richard Sent

In order to support more flexibility in Wireguard configuration, ungexp
the configuration fields directly instead of ungexp-splicing a sexp
calculator. This allows for the fields to take arbitrary gexps instead of
only strings which is particularly helpful for the Pre/Post Up/Down
commands.

* gnu/services/vpn.scm (wireguard-configuration-file): Ungexp
configuration lists instead of ungexp-splicing the code surrounding them.
* doc/guix.texi (VPN Services)[wireguard]: Document it.

Change-Id: If074cbb78473b6fd34e0e4e990d2ed268001d6c7
---
 doc/guix.texi | 22 ++++++++++++++--------
 gnu/services/vpn.scm | 41 +++++++++++++++++++++--------------------
 2 files changed, 35 insertions(+), 28 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index ece73a27ae..43aa1ad71a 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -34603,13 +34603,15 @@ VPN Services The interface name for the VPN. @item @code{addresses} (default: @code{'("10.0.0.1/32")}) -The IP addresses to be assigned to the above interface. +List of strings or G-expressions which represent the IP addresses to be +assigned to the above interface. @item @code{port} (default: @code{51820}) The port on which to listen for incoming connections. @item @code{dns} (default: @code{'())}) -The DNS server(s) to announce to VPN clients via DHCP. +List of strings or G-expressions which represent the DNS server(s) to +announce to VPN clients via DHCP. @item @code{monitor-ips?} (default: @code{#f}) @cindex Dynamic IP, with Wireguard @@ -34654,16 +34656,20 @@ VPN Services @var{wireguard-peer} records. @item @code{pre-up} (default: @code{'()}) -The script commands to be run before setting up the interface. +List of strings or G-expressions. These are script snippets which will +be executed before setting up the interface. @item @code{post-up} (default: @code{'()}) -The script commands to be run after setting up the interface. +List of strings or G-expressions. These are script snippets which will +be executed after setting up the interface. @item @code{pre-down} (default: @code{'()}) -The script commands to be run before tearing down the interface. +List of strings or G-expressions. These are script snippets which will +be executed before tearing down the interface. @item @code{post-down} (default: @code{'()}) -The script commands to be run after tearing down the interface. +List of strings or G-expressions. These are script snippets which will +be executed after tearing down the interface. @item @code{table} (default: @code{"auto"}) The routing table to which routes are added, as a string. There are two 
@@ -34689,8 +34695,8 @@ VPN Services The peer public-key represented as a base64 string. @item @code{preshared-key} (default: @code{#f}) -An optional pre-shared key file for this peer. The given file will not -be autogenerated. +An optional pre-shared key file for this peer that can be either a +string or a G-expression. The given file will not be autogenerated. @item @code{allowed-ips} A list of IP addresses from which incoming traffic for this peer is diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index f9693fb099..8e90032c93 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -12,6 +12,7 @@ ;;; Copyright © 2022 Cameron V Chaparro ;;; Copyright © 2022 Timo Wilken ;;; Copyright © 2023 Maxim Cournoyer +;;; Copyright © 2024 Richard Sent ;;; ;;; This file is part of GNU Guix. ;;; 
@@ -800,33 +801,33 @@ (define (wireguard-configuration-file config) (define lines (list "[Interface]" - #$@(if (null? addresses) - '() - (list (format #f "Address = ~{~a~^, ~}" - addresses))) + (if (null? '#$addresses) + "" + (format #f "Address = ~{~a~^, ~}" + (list #$@addresses))) (format #f "~@[Table = ~a~]" #$table) - #$@(if (null? pre-up) - '() - (list (format #f "~{PreUp = ~a~%~}" pre-up))) + (if (null? '#$pre-up) + "" + (format #f "~{PreUp = ~a~%~}" (list #$@pre-up))) (if #$private-key (format #f "PostUp = ~a set %i private-key ~a\ ~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg") - #$private-key '#$peer-keys) + #$private-key (list #$@peer-keys)) "") - #$@(if (null? post-up) - '() - (list (format #f "~{PostUp = ~a~%~}" post-up))) - #$@(if (null? pre-down) - '() - (list (format #f "~{PreDown = ~a~%~}" pre-down))) - #$@(if (null? post-down) - '() - (list (format #f "~{PostDown = ~a~%~}" post-down))) + (if (null? '#$post-up) + "" + (format #f "~{PostUp = ~a~%~}" (list #$@post-up))) + (if (null? '#$pre-down) + "" + (format #f "~{PreDown = ~a~%~}" (list #$@pre-down))) + (if (null? '#$post-down) + "" + (format #f "~{PostDown = ~a~%~}" (list #$@post-down))) (format #f "~@[ListenPort = ~a~]" #$port) - #$@(if (null? dns) - '() - (list (format #f "DNS = ~{~a~^, ~}" dns))))) + (if (null? 
'#$dns) + "" + (format #f "DNS = ~{~a~^, ~}" (list #$@dns))))) (mkdir #$output) (chdir #$output) -- 2.46.0

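Review bot: the `dns` paragraph in the doc hunk rewrites a sentence that was already wrong and keeps the error: "announce to VPN clients via DHCP". WireGuard has no DHCP and announces nothing to peers; the `DNS =` entries are the resolvers wg-quick configures on the local machine for the interface while it is up. Since the sentence is being touched, make it "the DNS server(s) to use for this interface while it is up".

Review bot: in the `wireguard-configuration-file` hunk, each `(if (null? '#$field) "" ...)` now puts an empty string into `lines` where the old `#$@(if ... '() ...)` spliced nothing, so an unset `addresses`, `pre-up`, `post-up`, `pre-down`, `post-down` or `dns` yields a blank line in the generated config. wg-quick tolerates that, but the emptiness test does not need the list on the build side at all: `#$(null? addresses)` evaluates on the host and avoids quoting a list that may itself contain gexps. Separately, the `(list #$@pre-up)` forms are the point where user values become commands executed by wg-quick; the doc hunk calls them "script snippets", and it would be clearer to say they are shell snippets passed to wg-quick verbatim, since a gexp here must evaluate to a shell string, not to Scheme that gets run.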
From: Richard Sent
To: 73955@debbugs.gnu.org
Subject: [PATCH v4 2/3] services: wireguard: Add the bootstrap-private-key? field.
Date: Wed, 4 Dec 2024 15:59:34 -0500
Message-ID: <42d409dafeaa87d39a8c682d4c3dfe2c9f2fb8c4.1733345975.git.richard@freakingpenguin.com>
X-Debbugs-Cc: Ludovic Courtès, Maxim Cournoyer
Cc: othacehe@gnu.org, Richard Sent

The syntax from using the private-key field is more convenient than
writing a custom PreUp command (more formatting and preshared keys).
Instead of trying to guess if private-key is/is not a file path, add an
option to disable bootstrapping while still using private-key.

* gnu/services/vpn.scm (): Add bootstrap-private-key?.
(wireguard-activation): Check bootstrap-private-key? before bootstrapping.
* doc/guix.texi (VPN Services)[wireguard]: Document it.

Change-Id: I6ba71ad58b26743057a221a54a246369022f83a5
---
 doc/guix.texi | 19 +++++++++++++
 gnu/services/vpn.scm | 64 +++++++++++++++++++++++---------------------
 2 files changed, 53 insertions(+), 30 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index fa9a147bd0..ece73a27ae 100644 --- a/doc/guix.texi +++ b/doc/guix.texi
@@ -34630,6 +34630,25 @@ VPN Services is not automatically created and the path is not serialized to the configuration file. +@item @code{bootstrap-private-key?} (default: @code{#t}) +Whether or not the private key should be generated automatically if it +does not exist. + +Setting this to @code{#f} allows one to set the private key using +command substitution. One example shown in the @code{wg-quick(8)} +manual is retrieving a private key using @code{password-store}. This +can be achieved with the following code: + +@lisp +(wireguard-configuration + (private-key + #~(string-append "<(" + #$(file-append password-store "/bin/pass") + ;; Wireguard replaces %i with the interface name. + " WireGuard/private-keys/%i)"))) +@end lisp + + @item @code{peers} (default: @code{'()}) The authorized peers on this interface. This is a list of @var{wireguard-peer} records. diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm index b62e0ac838..f9693fb099 100644 --- a/gnu/services/vpn.scm +++ b/gnu/services/vpn.scm @@ -80,6 +80,7 @@ (define-module (gnu services vpn) wireguard-configuration-monitor-ips? wireguard-configuration-monitor-ips-interval wireguard-configuration-private-key + wireguard-configuration-bootstrap-private-key? wireguard-configuration-peers wireguard-configuration-pre-up wireguard-configuration-post-up 
@@ -733,34 +734,36 @@ (define-record-type* (define-record-type* wireguard-configuration make-wireguard-configuration wireguard-configuration? - (wireguard wireguard-configuration-wireguard ;file-like - (default wireguard-tools)) - (interface wireguard-configuration-interface ;string - (default "wg0")) - (addresses wireguard-configuration-addresses ;string - (default '("10.0.0.1/32"))) - (port wireguard-configuration-port ;integer - (default 51820)) - (private-key wireguard-configuration-private-key ;maybe-string - (default "/etc/wireguard/private.key")) - (peers wireguard-configuration-peers ;list of - (default '())) - (dns wireguard-configuration-dns ;list of strings - (default '())) - (monitor-ips? wireguard-configuration-monitor-ips? ;boolean - (default #f)) - (monitor-ips-interval wireguard-configuration-monitor-ips-interval - (default '(next-minute (range 0 60 5)))) ;string | list - (pre-up wireguard-configuration-pre-up ;list of strings - (default '())) - (post-up wireguard-configuration-post-up ;list of strings - (default '())) - (pre-down wireguard-configuration-pre-down ;list of strings - (default '())) - (post-down wireguard-configuration-post-down ;list of strings - (default '())) - (table wireguard-configuration-table ;string - (default "auto"))) + (wireguard wireguard-configuration-wireguard ;file-like + (default wireguard-tools)) + (interface wireguard-configuration-interface ;string + (default "wg0")) + (addresses wireguard-configuration-addresses ;string + (default '("10.0.0.1/32"))) + (port wireguard-configuration-port ;integer + (default 51820)) + (private-key wireguard-configuration-private-key ;maybe-string + (default "/etc/wireguard/private.key")) + (bootstrap-private-key? wireguard-configuration-bootstrap-private-key? ;boolean + (default #t)) + (peers wireguard-configuration-peers ;list of + (default '())) + (dns wireguard-configuration-dns ;list of strings + (default '())) + (monitor-ips? wireguard-configuration-monitor-ips? 
;boolean + (default #f)) + (monitor-ips-interval wireguard-configuration-monitor-ips-interval + (default '(next-minute (range 0 60 5)))) ;string | list + (pre-up wireguard-configuration-pre-up ;list of strings + (default '())) + (post-up wireguard-configuration-post-up ;list of strings + (default '())) + (pre-down wireguard-configuration-pre-down ;list of strings + (default '())) + (post-down wireguard-configuration-post-down ;list of strings + (default '())) + (table wireguard-configuration-table ;string + (default "auto"))) (define (wireguard-configuration-file config) (define (peer->config peer) 
@@ -836,12 +839,13 @@ (define (wireguard-configuration-file config) (define (wireguard-activation config) (match-record config - (private-key wireguard) + (private-key bootstrap-private-key? wireguard) #~(begin (use-modules (guix build utils) (ice-9 popen) (ice-9 rdelim)) - (when #$private-key + (when (and #$private-key + #$bootstrap-private-key?) (mkdir-p (dirname #$private-key)) (unless (file-exists? #$private-key) (let* ((pipe -- 2.46.0

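Review bot: the @lisp example in the doc hunk does not set the field it is there to illustrate. It leaves `bootstrap-private-key?` at its default of `#t` while giving `private-key` the string `<(/gnu/store/...-password-store/bin/pass WireGuard/private-keys/%i)`. With that configuration the activation code in this same patch still runs `(mkdir-p (dirname #$private-key))` and `call-with-output-file` on that text, creating a junk directory and a stray generated key file instead of using the password store. Add `(bootstrap-private-key? #f)` to the example. Also, the prose calls `<(...)` "command substitution"; it is bash process substitution, which is why the wg-quick(8) example it cites works, and worth naming correctly since the PostUp line is only valid under a shell that supports it.

Review bot: the record hunk re-indents every field of `wireguard-configuration` to make room for the longer `bootstrap-private-key?` accessor, turning a one-field addition into a whitespace diff over the whole record; keep the existing column alignment, or align only the new field, so the functional change is visible without `git diff -w`. While here, `private-key` is still annotated `;maybe-string`, but the doc hunk in this patch shows it taking a gexp; update the comment to `;maybe-string | gexp`.

Review bot: `(when (and #$private-key #$bootstrap-private-key?) ...)` guards key generation correctly for the `#f` case, but nothing catches the combination the doc example accidentally demonstrates: a non-path `private-key` with `bootstrap-private-key?` left at `#t` still reaches `mkdir-p` and `call-with-output-file` with command text as the path. At minimum only bootstrap when `private-key` is a plain string (`(string? private-key)` checked on the host side before building the gexp), since the activation code cannot meaningfully create a file at a path that is itself a gexp, and raise a configuration error rather than silently creating files named after the command.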
From: Mathieu Othacehe
To: Richard Sent
Subject: Re: [PATCH v4 1/3] services: wireguard: Make the private-key field optional.
In-Reply-To: (Richard Sent's message of "Wed, 4 Dec 2024 15:59:33 -0500")
Date: Fri, 06 Dec 2024 21:36:04 +0100
Message-ID: <87ttbgft1n.fsf@gnu.org>
Cc: 73955-done@debbugs.gnu.org

Hello Richard,

I have pushed the series,

Thanks for your patience,

Mathieu

From: Debbugs Internal Request
Subject: Internal Control
Date: Sat, 04 Jan 2025 12:24:10 +0000

bug archived.