* Include directive to support "conf.d/*" and the like
@ 2018-03-16 8:02 Roman Mamedov
From: Roman Mamedov @ 2018-03-16 8:02 UTC (permalink / raw)
To: wireguard
Hello,
I would like to be able to split the [Interface] and [Peer] parts of the config
file into separate files. The reason is that currently I manage configurations
of my various hosts at a central location, then push out common configs to all
hosts.
This becomes problematic with current WireGuard, as it stores both the
host-specific part, and the part common to the entire network, in the same
single file.
While it would be nice if WireGuard had a "hosts/" directory like Tinc uses
(basically storing its equivalents of WG's [Peer] sections each in a separate
file), I feel the most flexible way to support such scenarios would be to have
a generic "Include" directive. That way I could do
"Include /etc/wireguard/peers/*.conf" and then not only store each peer
information in its own file, but also roll-out or fetch and
add/remove/overwrite those files from a central repository.
Also distros could use it by default to enable the often-used "conf.d/*"
mechanism.
Is there anything planned along these lines? Is there a workaround that I
could use with WG in its today's form?
--
With respect,
Roman
* Re: Include directive to support "conf.d/*" and the like
From: Kalin KOZHUHAROV @ 2018-03-16 8:27 UTC (permalink / raw)
To: Roman Mamedov; +Cc: WireGuard mailing list
On Fri, Mar 16, 2018 at 9:02 AM, Roman Mamedov <rm.wg@romanrm.net> wrote:
> I would like to be able to split the [Interface] and [Peer] parts of the config
> file into separate files. The reason is that currently I manage configurations
> of my various hosts at a central location, then push out common configs to all
> hosts.
>
BTW, this is the default in Gentoo at the moment... e.g.
# fgrep wg49 /etc/conf.d/net
/etc/conf.d/net:config_wg49="10.1.8.1/16"
/etc/conf.d/net:wireguard_wg49="/etc/wireguard/wg49.conf"
... and I often hate it :-)
In a way it is "include": basically the IP address and additional
routing are configured as with any other interface, but the WG-specific
part (ListenPort,PrivateKey,PublicKey,AllowedIPs,Endpoint) is in another,
_interface_specific_ file...
This currently seems to make it impossible to use the standard
`/etc/init.d/net.wg?? start|stop` mechanism alongside `wg-quick` commands
(e.g. Address cannot be specified in "/etc/wireguard/wg49.conf").
There was a somewhat related discussion a few months ago about the
difference between configuration and state (`running config` as Cisco
names it) and them being somewhat mixed.
I guess this part may need reworking, but that should involve at least
a few distributions with a few subsystems (e.g. initrc and systemd
alongside wg-quick) that may be incompatible, so it is a hard task.
Cheers,
Kalin.
* Re: Include directive to support "conf.d/*" and the like
From: Daniel Kahn Gillmor @ 2018-03-16 10:59 UTC (permalink / raw)
To: Roman Mamedov, wireguard
On Fri 2018-03-16 13:02:22 +0500, Roman Mamedov wrote:
> While it would be nice if WireGuard had a "hosts/" directory like Tinc uses
> (basically storing its equivalents of WG's [Peer] sections each in a separate
> file), I feel the most flexible way to support such scenarios would be to have
> a generic "Include" directive. That way I could do
> "Include /etc/wireguard/peers/*.conf" and then not only store each peer
> information in its own file, but also roll-out or fetch and
> add/remove/overwrite those files from a central repository.
If you're automating deployment you can always store the config file
broken out this way and then assemble a single config during deployment
with a simple wrapper script, or you could generate the full .conf from
some other toolchain entirely (e.g., export from an rdbms or generate
from a dump from some other pki) -- it's not as clean or tightly
integrated as it would be to have an include directive, but it's
certainly easier to rig together.
--dkg
* Re: Include directive to support "conf.d/*" and the like
From: Jason A. Donenfeld @ 2018-04-14 1:47 UTC (permalink / raw)
To: Roman Mamedov; +Cc: WireGuard mailing list
Hi Roman,
This also came up in another thread I was replying to earlier tonight.
While one way indeed is to have an 'include' directive, it seems
simple enough to just do something like:
$ wg setconf wg0 <(cat /etc/wireguard/mysite.conf.d/*.conf)
And then you can have various fragments in there like:
000-interface.conf
001-peergroupA.conf
001-peergroupB.conf
001-peergroupC.conf
And so forth. Would this be an acceptable solution for you?
Jason
* Re: Include directive to support "conf.d/*" and the like
From: Roman Mamedov @ 2018-04-14 8:47 UTC (permalink / raw)
To: Jason A. Donenfeld; +Cc: WireGuard mailing list, Roman Mamedov
On Sat, 14 Apr 2018 03:47:57 +0200
"Jason A. Donenfeld" <Jason@zx2c4.com> wrote:
> Hi Roman,
>
> This also came up in another thread I was replying to earlier tonight.
> While one way indeed is to have an 'include' directive, it seems
> simple enough to just do something like:
>
> $ wg setconf wg0 <(cat /etc/wireguard/mysite.conf.d/*.conf)
>
> And then you can have various fragments in there like:
>
> 000-interface.conf
> 001-peergroupA.conf
> 001-peergroupB.conf
> 001-peergroupC.conf
>
> And so forth. Would this be an acceptable solution for you?
Yeah, thanks. I settled on a solution similar to this. Since WG in my case is
"external" to the main OS (i.e. not wired into standard initscripts or network
configuration), I have my own shell-script bringing it up anyways -- and that
script might as well pre-process or generate the configuration file. So now I
build a full config file in /tmp/ from various pieces and auto-detected
host-specific conditions, and then do a setconf to that. (Rather than addconf
as some suggested, I prefer to have the complete file available on disk for
inspection in case any debugging is needed).
--
With respect,
Roman
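The conf.d assembly that Jason suggests and Roman's "build the full file first, then setconf" variant, as an added example that is not code from the thread or from the WireGuard project. It assumes fragments named NNN-name.conf with exactly one of them holding the [Interface] section; `wg` is only needed by apply_conf, which the demo does not call, so the assembly step runs offline.

```shell
#!/bin/sh
# Assemble /path/conf.d/*.conf into one WireGuard config, check it, then
# hand it to `wg setconf`. Added example; the fragment names and keys in
# demo() are constructed placeholders, not real keys.
set -eu

# assemble_conf DIR OUT: concatenate DIR/*.conf in lexical order into OUT.
# The result carries PrivateKey, so it is recreated with mode 0600.
assemble_conf() {
    dir=$1; out=$2
    umask 077
    rm -f "$out"
    : > "$out"
    ifaces=0
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Count [Interface] headers so a missing or duplicated interface
        # section is rejected here rather than half-applied by wg.
        n=$(grep -c '^\[Interface\]' "$f" || true)
        ifaces=$((ifaces + n))
        printf '# --- %s ---\n' "$f" >> "$out"
        cat "$f" >> "$out"
        printf '\n' >> "$out"
    done
    [ "$ifaces" -eq 1 ] || {
        echo "expected exactly one [Interface] section, got $ifaces" >&2
        return 1
    }
}

# apply_conf IFACE CONF: setconf replaces the whole interface config, so a
# peer fragment removed from conf.d is removed from the interface as well
# (addconf would only append). Needs wg on PATH and root.
apply_conf() {
    command -v wg >/dev/null 2>&1 || { echo "wg not on PATH" >&2; return 1; }
    wg setconf "$1" "$2"
}

# demo: constructed fragments in a private temp dir; prints the assembled path.
demo() {
    d=$(mktemp -d)
    mkdir "$d/conf.d"
    printf '[Interface]\nPrivateKey = PLACEHOLDER_PRIVATE_KEY\nListenPort = 51820\n' \
        > "$d/conf.d/000-interface.conf"
    printf '[Peer]\nPublicKey = PLACEHOLDER_PEER_A_KEY\nAllowedIPs = 10.1.0.2/32\n' \
        > "$d/conf.d/001-peergroupA.conf"
    assemble_conf "$d/conf.d" "$d/wg0.conf"
    echo "$d/wg0.conf"
}
```

On a real host the last step is `apply_conf wg0 "$out"`; keeping the assembled file around, as Roman does, is what makes the applied state inspectable later.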