help-guix

Re: Using gexps in wireguard-service-type postup


From: Clément Lassieur
Subject: Re: Using gexps in wireguard-service-type postup
Date: Sun, 28 Jan 2024 23:59:36 +0100
User-agent: Gnus/5.13 (Gnus v5.13)

On Sun, Jan 28 2024, Richard Sent wrote:

> Clément Lassieur <clement@lassieur.org> writes:
>
> On 2024-01-28 09:04, Clément Lassieur wrote:
>> Hi Richard,
>> which would be the same as
>> 
>>         (private-key #~(string-append #$sudo "/bin/sudo -u user <(pass ...)"))
>
> Thanks. I made some progress with this, although I wound up hitting
> another hurdle with the preshared-key.
>
> When setting private-key, the following works fine:
>
> (private-key
>  #~(string-append "<("
>                   #$sudo "/bin/sudo" " -u richard "
>                   #$password-store "/bin/pass ls "
>                   #$wireguard-nickleslan-private-key-key
>                   ")"))
>
>
> preshared-key, unfortunately, doesn't follow that same pattern. When
> setting preshared keys with the following snippet:
>
> (wireguard-peer
>  ...
>  (preshared-key
>   #~(string-append "<("
>                    #$sudo "/bin/sudo -u richard "
>                    #$password-store "/bin/pass ls "
>                    #$wireguard-nickleslan-preshared-key-key
>                    ")")))
>
>
> I wind up with a wireguard.conf file with the following line.
>
> PostUp = /gnu/store/4cnl0h79zc599xryr5jh66d7yq643zk4-wireguard-tools-1.0.20210914/bin/wg set %i private-key <(/gnu/store/gnybfg31is632dyaivd907f2h0wff80d-sudo-1.9.14p3/bin/sudo -u richard /gnu/store/ppd5qmx2b5fadjhww65xw09zkjphll6r-password-store-1.7.4/bin/pass ls System/WireGuard/NicklesBread/private.key) peer EHoPXGJvQVVpQ6PZ/XQtHx0p5FWEVCS3y2oI2O+Y9zo= preshared-key (string-append <( /gnu/store/gnybfg31is632dyaivd907f2h0wff80d-sudo-1.9.14p3 /bin/sudo -u richard  /gnu/store/ppd5qmx2b5fadjhww65xw09zkjphll6r-password-store-1.7.4 /bin/pass ls  System/WireGuard/NicklesBread/preshared.key ))

Indeed probably the service is not meant to be used this way with
G-exps.  As a workaround you can use the private-key field to add
everything you need there.  As in

    (private-key #~(string-append #$sudo "/bin/sudo -u user <(pass ...) peer "
                                  #$peer " preshared-key " #$preshared-key))

> Emphasis on how everything after preshared-key is a Lisp sexp, not
> evaluated output. I'm guessing this is because in gnu/services/vpn.scm,
> the relevant code is
>
> (format #f "PostUp = ~a set %i private-key ~a\
> ~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg")
> #$private-key '#$peer-keys)
>
> Peer keys is quoted immediately before the ungexp. I'm curious why that
> would be done and how I can get preshared-key set correctly.
>
> I did try changing preshared-key to (preshared-key #~,(...)), but that
> didn't accomplish anything besides creating a wireguard.config file with
> `preshared-key (unquote (string-append ...))` I assume this is because a
> quote (') is used instead of a quasiquote (`).
>
> Is there anything on my end I can do to fix this or does it have to be
> resolved in Guix proper?

I haven't looked at it closely but probably the service needs at least a
way to add a raw configuration file as, say, the nginx service does (see
raw-content)...  Those raw configuration files can be built with g-exps.

Clément
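
An added illustration, not part of the original messages and not code from Guix: plain Guile reproducing the shape of the `preshared-key (string-append ...)` output quoted above, where a form that sits inside quoted list data is displayed by `~a` instead of being evaluated. The store paths, key names and the `peer-args` helper are constructed placeholders, and modelling the spliced gexp as a quoted form is an assumption based on the output shown in the thread.

```scheme
;; Added example: plain Guile, no Guix modules required.
(use-modules (ice-9 format))   ; full `format`, needed for the ~{ ~} directive

;; Constructed placeholders standing in for store paths and key material.
(define sudo "/gnu/store/<hash>-sudo")
(define pass "/gnu/store/<hash>-password-store")
(define peer-public-key "<peer-public-key>")

;; Assumption: this is what the quoted peer-keys list ends up holding,
;; the string-append form as list data rather than the string it computes.
(define psk-form
  `(string-append "<(" ,sudo "/bin/sudo -u richard "
                  ,pass "/bin/pass ls " "<preshared-key-entry>" ")"))

;; Hypothetical helper using the same directive as the format call
;; quoted from gnu/services/vpn.scm in the thread.
(define (peer-args keys)
  (format #f "~{ peer ~a preshared-key ~a~}" keys))

;; Case 1: the form stays data, so ~a prints the list itself,
;; parentheses and all, with each string displayed unquoted.
(define unevaluated
  (peer-args (list peer-public-key psk-form)))

;; Case 2: the form is evaluated to a string before formatting,
;; which yields the intended "<(... )" process substitution.
(define evaluated
  (peer-args (list peer-public-key (primitive-eval psk-form))))

(display unevaluated) (newline)
(display evaluated) (newline)
```

In both cases only the command that reads the secret appears in the generated text; the key itself is read when the shell runs the process substitution.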


