-
-
Notifications
You must be signed in to change notification settings - Fork 13.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
wireguard: add module #17933
wireguard: add module #17933
Conversation
@ericsagnes, thanks for your PR! By analyzing the annotation information on this pull request, we identified @edolstra, @bjornfor and @offlinehacker to be potential reviewers |
default = null; | ||
example = "rVXs/Ni9tu3oDBLS4hOyAUAa1qTWVA3loR8eL20os3I="; | ||
type = with types; nullOr str; | ||
description = "Preshared key key used by the interface."; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You might want to update the description to say, "Optional preshared key used by the interface; most users will not need this."
Hi -- WireGuard author here. This is nowhere near ready to be merged. I've made several comments inline with the source to review. There's also one big thing missing here: If the IP of the interface is 192.168.2.1/24, and the allowed IPs are 192.168.2.0/24 or a list of anything that falls within 192.168.2.0/24, then you don't need to do anything. However, if the allowed IPs contain something laying outside of 192.168.2.0/24, such as 10.0.0.0/16, then you need to add those routes to the routing table: |
@zx2c4 Thanks for all the inputs, that is very appreciated! It is indeed a rough sketch made in very short time to have some base to talk and work on. |
Added a commit to clean things up a little, not perfect but still an improvement.
Nix expression language is not really a general purpose language and doing a such thing programmatically could end in a little complicated an bloated code. |
This is completely unacceptable. Remove this option immediately. It's not okay, complicates things, and makes no sense. If you can't do any real computation in the language, just add all the allowed-ips as routes. This is equally as valid and the linux routing table will sort things out for you. I don't know this language, but something like this should do: foreach peer in values.peers: |
e35a699
to
97e45cf
Compare
One last quick commit to remove unacceptable and insanity :) I have no much more time to work on this this week, so if you are in a hurry please make a PR to this branch, sorry. |
Changes look good. Will wait til next week to see what's next. Thanks for your hard work on this! |
Regarding the unit
|
Yes. In this case you do want
|
7eb877d
to
2d2982e
Compare
Wow, an upstream author reviewing a NixOS module… that's a first. Thanks a lot for your feedback @zx2c4! 🍻 |
generateUnit = name: values: | ||
nameValuePair "wireguard-${name}" | ||
{ | ||
description = "Wireguard unit for interface ${name}"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not a very nice description. Try instead:
WireGuard Tunnel - ${name}
@fpletz My pleasure. 😜 The latest changes look mostly good to me, but still a few things are funky:
Putting these two points together yields this rearranged section:
The descriptions of This is my personal opinion on the matter, but if NixOS developers have a good reason for the override behavior instead, I guess that's fine. My only suggestion, then, would be to call it |
2d2982e
to
9953373
Compare
@zx2c4 Thanks for the feedback, updated the commit according to your last comment. I added a basic example to the Do you have any suggestion of relevant examples for |
Hey @ericsagnes -- excellent work! Something I missed before, that disappeared in the reworkings is that there's no longer an Unrelated question: How does As for your questions: It might be less confusing to have for the example these IPs instead:
One use of |
In a nutshell, There are two advantages in using
So using The added Changes are in a new commit to facilitate review, most important ones are:
|
One advantage I see, when ExecStart is used over script, that in case of an error, |
@Mic92 Thanks, this is indeed a valid point in favor of @zx2c4 Please let me know if you think Update:
So as an unfortunate result, the usage of I tend to think that the flexibility provided by |
Looks fine and mergeable to me in the current state. Will test later and merge. Thanks a lot for your work and the review! 👍 |
Well, ExecStart=-${pkgs.iproute2.bin}/ip link del dev ${name} so this command is allowed to fail. |
@zx2c4 Could you review the latest changes? |
Looks mostly good to me. One question is -- with what umask does |
04cab36
to
50ce418
Compare
Thank you for the review, I squashed the commits and removed the WIP flag so the PR is now ready to merge.
Unfortunately, actually any file in the Nix store is world readable, handling private files in the nix store is an open and complex problem. This is well known problem and other modules also suffer this limitation, but I am afraid there is nothing that can be done in this PR scope to fix that. |
When I tried the example, I noticed that empty ExecStart= entries were generated. |
50ce418
to
16ba139
Compare
@Mic92 Good catch, thanks! I updated the And thanks for the diff, this way indeed save some code, but might make the code harder to understand and to maintain on the long term. |
|
||
postSetup = mkOption { | ||
example = literalExample '' | ||
printf 'nameserver 10.200.100.1' | ${pkgs.openresolv}/bin/resolvconf -a wg0 -m 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this example will not work, because it is not executed within in a shell - take a look at my version.
this version preserves maintainability while still allowing multiple commands and not splitting user defined variables at newline. |
16ba139
to
e234f73
Compare
Thanks, applied! |
Thanks. there was a typo, I made in the postSetup example. |
It was deprecated and removed from all modules in the tree by NixOS#18319. The wireguard module PR (NixOS#17933) was still in the review at the time and the deprecated usage managed to slip inside.
One important comment from @zx2c4 that wasn't addressed is the fact that @zx2c4 one simple feature that could really help us is if you can store the private key in a file and reference it with Ideally Finally I would like to say that I'm excited that WireGuard is being integrated into NixOS. My colleague @FPtje and I are currently setting up a StrongSwan VPN and it's difficult and error prone. I'm looking forward switching over to WireGuard once it's in the next NixOS release. Thanks to anybody involved in this PR! |
@basvandijk note that wireguard is still experimental, which means the protocol can change in a backwards incompatible way. |
Motivation for this change
WIP PR for adding a wireguard module.
Things done
(nix.useChroot on NixOS,
or option
build-use-chroot
innix.conf
on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)