author Richard Sent <richard@freakingpenguin.com> 2024-12-04 15:59:34 -0500
committer Mathieu Othacehe <othacehe@gnu.org> 2024-12-06 20:09:28 +0100
commit 1a17a0f90d340599f4f29775c100b44610bf87a8 (patch)
tree b253d38d027789f6fafc318dbe6ead9a58a986af /doc
parent aa12068c91d40c568a44c8d2e36d2ee88ce79d84 (diff)
services: wireguard: Add the bootstrap-private-key? field.

The syntax from using the private-key field is more convenient than writing a custom PreUp command (more formatting and preshared keys). Instead of trying to guess if private-key is/is not a file path, add an option to disable bootstrapping while still using private-key.

* gnu/services/vpn.scm (<wireguard-configuration>): Add bootstrap-private-key?.
(wireguard-activation): Check bootstrap-private-key? before bootstrapping.
* doc/guix.texi (VPN Services)[wireguard]: Document it.

Change-Id: I6ba71ad58b26743057a221a54a246369022f83a5
Signed-off-by: Mathieu Othacehe <othacehe@gnu.org>
Diffstat (limited to 'doc')
-rw-r--r-- doc/guix.texi 19
1 files changed, 19 insertions, 0 deletions
diff --git a/doc/guix.texi b/doc/guix.texi
index fa9a147bd0..ece73a27ae 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -34630,6 +34630,25 @@ if the file does not exist. If this field is @code{#f}, a private key
is not automatically created and the path is not serialized to the
configuration file.
+@item @code{bootstrap-private-key?} (default: @code{#t})
+Whether or not the private key should be generated automatically if it
+does not exist.
+
+Setting this to @code{#f} allows one to set the private key using
+command substitution. One example shown in the @code{wg-quick(8)}
+manual is retrieving a private key using @code{password-store}. This
+can be achieved with the following code:
+
+@lisp
+(wireguard-configuration
+ (private-key
+ #~(string-append "<("
+ #$(file-append password-store "/bin/pass")
+ ;; Wireguard replaces %i with the interface name.
+ " WireGuard/private-keys/%i)")))
+@end lisp
+
+
@item @code{peers} (default: @code{'()})
The authorized peers on this interface. This is a list of
@var{wireguard-peer} records.
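Review bot: The @lisp example in the new bootstrap-private-key? item never sets the field it is documenting. The form closes right after private-key, so with the stated default of @code{#t} a reader who copies it still has bootstrapping enabled while private-key holds a command substitution rather than a file path, which is the case the paragraph above says requires @code{#f}. Suggest adding (bootstrap-private-key? #f) inside the wireguard-configuration form so the example matches the text. Minor style point: the hunk adds two blank lines after @end lisp, where one is enough before the next @item.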