-
-
Notifications
You must be signed in to change notification settings - Fork 14.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nixos/wireguard add endpointFile option #219618
Conversation
example = "/run/secrets/peer.address"; | ||
type = with types; nullOr str; | ||
description = lib.mdDoc '' | ||
File Containing the endpoint IP or hostname of the peer, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question: does this support IPv6? say I put this in the endpointFile
:
[2001:db8::1]:23542
would that work?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I made a local change to the file-config
test to make it use IPv6, and it worked. In general, this should support anything that's usable by directly specifying it in endpoint
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Diff looks good to me
boot = lib.mkIf (kernelPackages != null) { inherit kernelPackages; }; | ||
environment.etc."wireguard/private".text = | ||
wg-snakeoil-keys.peer1.privateKey; | ||
environment.etc."wireguard/endpoint".text = |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
suggestion (non-blocking): add a test that uses an endpoint file with an IPv6 address in it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I could modify the existing test to have peer0 specify peer1's ipv6 endpoint, would that suffice, or is that too much in a single test?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
would that suffice
Yes - IMO that is fine since there are existing tests that don't use the IP file
41ff4d4
to
ccbdd0f
Compare
There are two motivating scenarios for this change: 1. In scenarios where the peer's endpoint might change over time, such as with a dynamic ip address, this provides a mechanism for communicating that change via updating a file and restarting wireguard, typically with a small systemd daemon. 2. This provides a way to interate with peers that may not want ip addresses or endpoints to be solicited in public configuration files.
e15f270
to
e2323e9
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am sorry, I don't understand very well the motivations of these changes.
First, there is a mention of changing IPs and DNS resolution, why the set of dynamicEndpointRefresh options not enough for this usecase?
Second, endpoint not ending up in public configuration, it seems to me that this is a completely different matter. Why not doing something like builtins.readFile ./endpoint.txt
and not checking in the endpoint.txt
file?
Also, if you want to provide this completely at runtime, I would argue this might be beyond this module's scope and maybe we should check if wireguard in systemd-networkd support or not this usecase?
I'm going to respond to these out of order:
The answer for this depends:
I consider this to be an anti-pattern; I lost a computer recently that was configured using this pattern (have a secrets folder in (I'm using flakes, which broke support for
I mean dynamic ip address as in "my ISP changes my assigned ipv4 every month", and having a file to write that (which triggers a refresh of networkd) is a workflow that would work well for me. I consider this to be a mostly-secondary concern, the primary concern is to respect people's request for privacy with my desire to have a public backup of my config on github for potential disaster recovery :) Here's the kicker: If this contribution doesn't meet the quality bar, I'm perfectly happy to maintain this fork of upstream locally. I hadn't realized that the |
Thank you for the long exposition of the motivations, it's really helpful to understand where you're coming from.
It seems to me this feature is built out of piling on the top of workarounds and workarounds because sanctioned ways to do things are not working as intended, alas. I do not have authority to say no to a change, that being said, accepting such a change means that similar change in similar areas are fair game and I certainly do not want multiplication of similar options to work around similar problems, hence my question (and the fact I am not really in favor of).
First of all, there's no quality bar beyond the one that reviewers put efforts into asking you to get the PR to and I do think it is possible to make the PR in good shape. This is more of an architecture design problem. It seems like the usecase is better covered by manual invocations of
Honestly, I feel like this is a OK-change because it's quite small and you could make it so that static endpoint could be turned into endpointFile by writing a path in the Nix store and endpointFile could exist without any concern regarding the mutual exclusive logic because it would fail for redefinition. It is just I am not in favor of it, but this is a weak opinion. |
That's a bit how I feel too, but I also feel like various parts of NixOS have embraced files as a communication method for sensitive information, so this feels like it might fit, and might have a home upstream.
That's a large part of what I mean by "quality bar" -- does it fit the overall vision for the ecosystem? I don't know! To me, a successful end for this PR could easily be "thanks, but this doesn't fit what we want for upstream!"
I'd be happy to make this change, but I will wait until someone else weighs in on whether or not it is wanted. And thanks again for taking the time to review this! |
Thank you for your answer, I have no real strong opinion, I am interested into @ncfavier opinion who reviewed a lot of change for this module IIRC. Don't hesitate to send the PR on Matrix or Discourse if you want some people chiming in. |
This seems very weird and niche. Just use |
That's where this PR came from -- the |
Description of changes
There are two motivating scenarios for this change:
In scenarios where the peer's endpoint might change over time, such as with a dynamic ip address, this provides a mechanism for communicating that change via updating a file and restarting wireguard, typically with a small systemd daemon.
This provides a way to interate with peers that may not want ip addresses or endpoints to be solicited in public configuration files.
I have been running this change on a server with no noticed issues, see here: https://github.com/mutantmell/dotfiles/blob/main/modules/overrides/wireguard.nix
Things done
sandbox = true
set innix.conf
? (See Nix manual)nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD"
. Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/
)