From aa12068c91d40c568a44c8d2e36d2ee88ce79d84 Mon Sep 17 00:00:00 2001
From: Richard Sent
Date: Wed, 4 Dec 2024 15:59:33 -0500
Subject: [PATCH] services: wireguard: Make the private-key field optional.
Users who retrieve the private-key via a PreUp field need to be able to disable the default retrieval mechanism.
* gnu/services/vpn.scm ()[private-key]: Change comment. (wireguard-configuration-file): Conditionally serialize private-key.
* gnu/services/vpn.scm (wireguard-activation): Do not create private-key if the field is #f.
* doc/guix.texi (VPN Services)[wireguard-configuration]: Document it.
Change-Id: Iac419809ae94eb76e97ff1f1749e2f4b3e65bb04
Signed-off-by: Mathieu Othacehe
---
 doc/guix.texi | 4 +++-
 gnu/services/vpn.scm | 36 ++++++++++++++++++++----------------
 2 files changed, 23 insertions(+), 17 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index f43cb539904..fa9a147bd0e 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34626,7 +34626,9 @@ an mcron time specification (@pxref{Guile Syntax,,,mcron}).
 
 @item @code{private-key} (default: @code{"/etc/wireguard/private.key"})
 The private key file for the interface. It is automatically generated
-if the file does not exist.
+if the file does not exist. If this field is @code{#f}, a private key
+is not automatically created and the path is not serialized to the
+configuration file.
 
 @item @code{peers} (default: @code{'()})
 The authorized peers on this interface. This is a list of
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 7fb4775757f..b62e0ac838e 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -741,7 +741,7 @@ strongSwan.")))
 (default '("10.0.0.1/32")))
 (port wireguard-configuration-port ;integer
 (default 51820))
- (private-key wireguard-configuration-private-key ;string
+ (private-key wireguard-configuration-private-key ;maybe-string
 (default "/etc/wireguard/private.key"))
 (peers wireguard-configuration-peers ;list of
 (default '()))
@@ -805,9 +805,12 @@ strongSwan.")))
 #$@(if (null? pre-up)
 '()
 (list (format #f "~{PreUp = ~a~%~}" pre-up)))
- (format #f "PostUp = ~a set %i private-key ~a\
-~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg")
-#$private-key '#$peer-keys)
+ (if #$private-key
+ (format #f "PostUp = ~a set %i private-key ~a\
+~{ peer ~a preshared-key ~a~}"
+ #$(file-append wireguard "/bin/wg")
+ #$private-key '#$peer-keys)
+ "")
 #$@(if (null? post-up)
 '()
 (list (format #f "~{PostUp = ~a~%~}" post-up)))
@@ -838,18 +841,19 @@ strongSwan.")))
 (use-modules (guix build utils)
 (ice-9 popen)
 (ice-9 rdelim))
- (mkdir-p (dirname #$private-key))
- (unless (file-exists? #$private-key)
- (let* ((pipe
- (open-input-pipe (string-append
- #$(file-append wireguard "/bin/wg")
- " genkey")))
- (key (read-line pipe)))
- (call-with-output-file #$private-key
- (lambda (port)
- (display key port)))
- (chmod #$private-key #o400)
- (close-pipe pipe))))))
+ (when #$private-key
+ (mkdir-p (dirname #$private-key))
+ (unless (file-exists? #$private-key)
+ (let* ((pipe
+ (open-input-pipe (string-append
+ #$(file-append wireguard "/bin/wg")
+ " genkey")))
+ (key (read-line pipe)))
+ (call-with-output-file #$private-key
+ (lambda (port)
+ (display key port)))
+ (chmod #$private-key #o400)
+ (close-pipe pipe)))))))
 
 ;;; XXX: Copied from (guix scripts pack), changing define to define*.
 (define-syntax-rule (define-with-source (variable args ...) body body* ...)
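Review bot: When private-key is #f the whole PostUp line is dropped, and with it the `peer ~a preshared-key ~a` arguments built from peer-keys (bound earlier in wireguard-configuration-file, outside this hunk), so any peer preshared-key files silently stop being applied for exactly the users this change targets, and neither the code nor the accompanying documentation says so. Only the `private-key` argument should become optional; the `wg set %i` call should still run whenever there are peer preshared keys. As a smaller style point, `(if ... "")` leaves an empty element in the list where the neighbouring PreUp/PostUp forms splice with `#$@(if ... (list ...) '())`; whether that yields a blank line depends on how the list is joined, which is outside the hunk. The enclosing function starts before this hunk.
```scheme
      ;; … unchanged: PreUp serialization …
      (let ((key-arg (if #$private-key
                         (format #f " private-key ~a" #$private-key)
                         "")))
        ;; The private key may come from a PreUp command instead, but the
        ;; per-peer preshared keys must still be handed to wg.
        (if (or #$private-key (pair? '#$peer-keys))
            (format #f "PostUp = ~a set %i~a~{ peer ~a preshared-key ~a~}"
                    #$(file-append wireguard "/bin/wg") key-arg '#$peer-keys)
            ""))
      ;; … unchanged: PostUp serialization …
```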
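Review bot: The generation path wrapped in the new `when` still persists whatever `read-line` returns: if `wg genkey` fails or prints nothing, `key` is the EOF object, `display` writes `#<eof>` into the key file, and the exit status returned by `close-pipe` is discarded, leaving a bogus 0400 file that later boots never regenerate because `file-exists?` is then true. `call-with-output-file` also creates the file with the umask default and only afterwards `chmod`s it to #o400, so a freshly generated key is briefly readable by other users. I would check the key and the pipe status before writing anything, and open the file with `O_CREAT | O_EXCL` and mode #o400 from the start. `wireguard-activation` and its `#~(begin` start before this hunk, and the closing parentheses of that gexp are left out of the excerpt below.
```scheme
          (when #$private-key
            (mkdir-p (dirname #$private-key))
            (unless (file-exists? #$private-key)
              (let* ((pipe (open-input-pipe
                            (string-append #$(file-append wireguard "/bin/wg")
                                           " genkey")))
                     (key (read-line pipe))
                     (status (close-pipe pipe)))
                ;; Do not persist anything unless 'wg genkey' exited 0 and
                ;; actually produced a key.
                (unless (and (eqv? 0 (status:exit-val status))
                             (string? key)
                             (not (string-null? key)))
                  (error "wg genkey failed, not writing" #$private-key))
                ;; Create the file 0400 up front instead of chmod'ing it after
                ;; the write, so it is never readable by other users.
                (let ((port (open #$private-key
                                  (logior O_WRONLY O_CREAT O_EXCL) #o400)))
                  (display key port)
                  (close-port port)))))
          ;; … unchanged: closing parentheses of the enclosing gexp …
```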