[bug#46504] [PATCH] services: wireguard: New service.
From: Brice Waegeneire
Subject: [bug#46504] [PATCH] services: wireguard: New service.
Date: Sun, 14 Feb 2021 15:35:03 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
Hello Mathieu,
Mathieu Othacehe <othacehe@gnu.org> writes:
> * gnu/services/vpn.scm (wireguard-peer, wireguard-configuration): New records.
> (wireguard-service-type): New variable.
> * doc/guix.texi (VPN Services): Document it.
> ---
[...]
Cool, more integration of WireGuard in Guix! I started writing such a
service but haven't finalized it yet. Though, I wasn't sure if it needed to
be implemented with wg-quick since upstream describes it as « a very
quick and dirty bash script for reading a few extra variables from
wg(8)-style configuration files, and automatically configures the
interface »¹.
> +
> +(define-record-type* <wireguard-peer>
> + wireguard-peer make-wireguard-peer
> + wireguard-peer?
> + (name wireguard-peer-name)
> + (endpoint wireguard-peer-endpoint
> + (default #f)) ;string
> + (public-key wireguard-peer-public-key) ;string
> + (allowed-ips wireguard-peer-allowed-ips)) ;list of strings
> +
> +(define-record-type* <wireguard-configuration>
> + wireguard-configuration make-wireguard-configuration
> + wireguard-configuration?
> + (wireguard wireguard-configuration-wireguard ;<package>
> + (default wireguard-tools))
> + (interface wireguard-configuration-interface ;string
> + (default "wg0"))
> + (address wireguard-configuration-address ;string
> + (default "10.0.0.1/32"))
> + (port wireguard-configuration-port ;integer
> + (default 51820))
> + (public-key wireguard-configuration-public-key ;string
> + (default "/etc/wireguard/public.key"))
> + (private-key wireguard-configuration-private-key ;string
> + (default "/etc/wireguard/private.key"))
> + (peers wireguard-configuration-peers ;list of <wiregard-peer>
> + (default '())))
> +
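Review bot: the `;list of <wiregard-peer>` comment on the `peers` field misspells the record name defined above (`<wireguard-peer>`). Also, `private-key` and `public-key` default to paths under /etc/wireguard, but nothing in this hunk says who creates those files or with what permissions; the record documentation (or the guix.texi entry) should state that the service only reads them and that the private key file must be readable by root only.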
wg-quick(8) says that the “Address” attribute can be specified multiple
times and is « a comma-separated list of IP (v4 or v6) addresses
(optionally with CIDR masks) to be assigned to the interface. », so the
“address” field should probably be “addresses”, a list of strings.
Some of the missing attributes from wg-quick(8) like “DNS” or hooks
seem really useful; maybe an “extra-config” field could be added to the
record to support all of those attributes.
Why have a “public-key” field since it is derived from the private
key? It seems to allow misconfiguration: what happens if the private
and public parts of a key don't match, or if only the “public-key” is
set?
[...]
> +(define (wireguard-shepherd-service config)
> + (match-record config <wireguard-configuration>
> + (wireguard)
> + (let ((wg-quick (file-append wireguard "/bin/wg-quick"))
> + (config (wireguard-configuration-file config)))
> + (list (shepherd-service
> + (requirement '(networking))
> + (provision '(wireguard))
> + (start #~(lambda _
> + (invoke #$wg-quick "up" #$config)))
> + (stop #~(lambda _
> + (invoke #$wg-quick "down" #$config)))
> + (documentation "Run the Wireguard VPN tunnel"))))))
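Review bot: the `stop` handler returns the value of `invoke`, which is `#t` on success; Shepherd takes a true value returned by `stop` to mean the service is still running, so the lambda should end with `#f` after `(invoke #$wg-quick "down" #$config)`. Note also that `invoke` raises on a non-zero exit status, so a failing `wg-quick down` surfaces as an exception rather than a clean "could not be stopped" report.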
If I understand correctly it's not possible to specify which VPN to stop
if using several of them. Can the provision's symbol be derived from
the interface name to be able to do “sudo herd stop wireguard-wg0”?
> +(define wireguard-service-type
> + (service-type
> + (name 'wireguard)
> + (extensions
> + (list (service-extension shepherd-root-service-type
> + wireguard-shepherd-service)
> + (service-extension activation-service-type
> + wireguard-activation)))))
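Review bot: the `service-type` has no `description` field, so `guix system search` will have nothing to show for it; add a one-line description next to `(name 'wireguard)`.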
¹ https://git.zx2c4.com/wireguard-tools/tree/README.md#n47
Cheers,
- Brice
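The check behind the question about mismatched key halves, as an added example that is not part of this thread nor of Guix: a WireGuard public key is X25519(private, 9), so a service can derive it from the private key and refuse a separately configured public key that does not match. The ladder is a pure-Python transcription of RFC 7748; the key pair below is the RFC 7748 section 6.1 test vector re-encoded in base64, the format wg(8) key files use.

```python
import base64

P = 2**255 - 19   # field prime of Curve25519
A24 = 121665      # (486662 - 2) / 4, the Montgomery ladder constant

def _x25519(k: int, u: int) -> int:
    """Montgomery ladder from RFC 7748 section 5: u-coordinate of k * (u, v)."""
    x_2, z_2, x_3, z_3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        k_t = (k >> t) & 1
        swap ^= k_t
        if swap:  # plain swap; a production ladder would swap in constant time
            x_2, x_3, z_2, z_3 = x_3, x_2, z_3, z_2
        swap = k_t
        a, b, c, d = (x_2 + z_2) % P, (x_2 - z_2) % P, (x_3 + z_3) % P, (x_3 - z_3) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = d * a % P, c * b % P
        x_3, z_3 = pow(da + cb, 2, P), u * pow(da - cb, 2, P) % P
        x_2, z_2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x_2, z_2 = x_3, z_3
    return x_2 * pow(z_2, P - 2, P) % P

def public_key_from_private(private: bytes) -> bytes:
    """What `wg pubkey` computes: X25519(private, 9) as 32 little-endian bytes."""
    if len(private) != 32:
        raise ValueError("a WireGuard private key is exactly 32 bytes")
    k = bytearray(private)  # decodeScalar25519 clamping (RFC 7748 section 5)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return _x25519(int.from_bytes(k, "little"), 9).to_bytes(32, "little")

def derive_public_key(private_key_b64: str) -> str:
    """Base64 in, base64 out, the encoding wg(8) key files use."""
    public = public_key_from_private(base64.b64decode(private_key_b64, validate=True))
    return base64.b64encode(public).decode()

def keys_match(private_key_b64: str, public_key_b64: str) -> bool:
    """Consistency check a service could run on a separately configured public key."""
    return derive_public_key(private_key_b64) == public_key_b64

# Known-answer vectors from RFC 7748 section 6.1 (Alice's key pair, Bob's public key).
ALICE_PRIVATE = base64.b64encode(bytes.fromhex(
    "77076d0a7318a57d3c16c17251b26645df4c2f87ebc0992ab177fba51db92c2a")).decode()
ALICE_PUBLIC = base64.b64encode(bytes.fromhex(
    "8520f0098930a754748b7ddcb43ef75a0dbf3a0d26381af4eba4a98eaa9b4e6a")).decode()
BOB_PUBLIC = base64.b64encode(bytes.fromhex(
    "de9edb7d7b7dc1b4d35b61c2ece435373f8343c85b78674dadfc7e146f882b4f")).decode()
```

Running `keys_match(ALICE_PRIVATE, BOB_PUBLIC)` returns False, which is exactly the misconfiguration a public-key field that is never checked against the private key would let through.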