From 1a17a0f90d340599f4f29775c100b44610bf87a8 Mon Sep 17 00:00:00 2001 From: Richard Sent Date: Wed, 4 Dec 2024 15:59:34 -0500 Subject: services: wireguard: Add the bootstrap-private-key? field. The syntax from using the private-key field is more convenient than writing a custom PreUp command (more formatting and preshared keys). Instead of trying to guess if private-key is/is not a file path, add an option to disable bootstrapping while still using private-key. * gnu/services/vpn.scm (): Add bootstrap-private-key?. (wireguard-activation): Check bootstrap-private-key? before bootstrapping. * doc/guix.texi (VPN Services)[wireguard]: Document it. Change-Id: I6ba71ad58b26743057a221a54a246369022f83a5 Signed-off-by: Mathieu Othacehe --- doc/guix.texi | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) (limited to 'doc') diff --git a/doc/guix.texi b/doc/guix.texi index fa9a147bd0..ece73a27ae 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -34630,6 +34630,25 @@ if the file does not exist. If this field is @code{#f}, a private key is not automatically created and the path is not serialized to the configuration file. +@item @code{bootstrap-private-key?} (default: @code{#t}) +Whether or not the private key should be generated automatically if it +does not exist. + +Setting this to @code{#f} allows one to set the private key using +command substitution. One example shown in the @code{wg-quick(8)} +manual is retrieving a private key using @code{password-store}. This +can be achieved with the following code: + +@lisp +(wireguard-configuration + (private-key + #~(string-append "<(" + #$(file-append password-store "/bin/pass") + ;; Wireguard replaces %i with the interface name. + " WireGuard/private-keys/%i)"))) +@end lisp + + @item @code{peers} (default: @code{'()}) The authorized peers on this interface. This is a list of @var{wireguard-peer} records. -- cgit v1.2.3
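Review bot: the added paragraph describes the `<(...)` form in the example as "command substitution", but `<(...)` is shell process substitution (command substitution is `$(...)`), and the example only works because the private-key value is handed verbatim to a shell that supports it; suggest wording such as "Setting this to @code{#f} allows one to set the private key using shell process substitution; the value is passed to the shell as-is, so it must be a valid shell expression." The doc also does not say what happens to the private-key value when this field is @code{#f} (the paragraph above only covers private-key being @code{#f}); one sentence stating that the value is still serialized, just not created as a file, would close that gap. Two smaller points: the comment `;; Wireguard replaces %i with the interface name.` is better attributed to @code{wg-quick}, the tool whose manual the paragraph cites, and the hunk ends with two added blank lines before `@item @code{peers}` where one matches the spacing of the surrounding @table items.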