* Include directive to support "conf.d/*" and the like
@ 2018-03-16  8:02 Roman Mamedov
  2018-03-16  8:27 ` Kalin KOZHUHAROV
  2018-03-16 10:59 ` Daniel Kahn Gillmor
  0 siblings, 2 replies; 5+ messages in thread
From: Roman Mamedov @ 2018-03-16  8:02 UTC (permalink / raw)
  To: wireguard

Hello,

I would like to be able to split the [Interface] and [Peer] parts of the config
file into separate files. The reason is that currently I manage configurations
of my various hosts at a central location, then push out common configs to all
hosts.

This becomes problematic with current WireGuard, as it stores both the
host-specific part, and the part common to the entire network, in the same
single file.

While it would be nice if WireGuard had a "hosts/" directory like Tinc uses
(basically storing its equivalents of WG's [Peer] sections each in a separate
file), I feel the most flexible way to support such scenarios would be to have
a generic "Include" directive. That way I could do
"Include /etc/wireguard/peers/*.conf" and then not only store each peer
information in its own file, but also roll-out or fetch and
add/remove/overwrite those files from a central repository.

Also distros could use it by default to enable the often-used "conf.d/*"
mechanism.

Is there anything planned along these lines? Is there a workaround that I
could use with WG in its current form?

-- 
With respect,
Roman


* Re: Include directive to support "conf.d/*" and the like
  2018-03-16  8:02 Include directive to support "conf.d/*" and the like Roman Mamedov
@ 2018-03-16  8:27 ` Kalin KOZHUHAROV
  2018-03-16 10:59 ` Daniel Kahn Gillmor
  1 sibling, 0 replies; 5+ messages in thread
From: Kalin KOZHUHAROV @ 2018-03-16  8:27 UTC (permalink / raw)
  To: Roman Mamedov; +Cc: WireGuard mailing list

On Fri, Mar 16, 2018 at 9:02 AM, Roman Mamedov <rm.wg@romanrm.net> wrote:
> I would like to be able to split the [Interface] and [Peer] parts of the config
> file into separate files. The reason is that currently I manage configurations
> of my various hosts at a central location, then push out common configs to all
> hosts.
>
BTW, this is the default in Gentoo at the moment... e.g.
# fgrep wg49 /etc/conf.d/net
/etc/conf.d/net:config_wg49="10.1.8.1/16"
/etc/conf.d/net:wireguard_wg49="/etc/wireguard/wg49.conf"

... and I often hate it :-)
In a way it is an "include": basically the IP address and additional
routing are configured as with any other interface, but the WG-specific
part (ListenPort, PrivateKey, PublicKey, AllowedIPs, Endpoint) is in another,
_interface_specific_ file...

This currently seems to make it impossible to use the standard
`/etc/init.d/net.wg?? start|stop` mechanism alongside `wg-quick` commands
(e.g. Address cannot be specified in "/etc/wireguard/wg49.conf").

There was a somewhat related discussion a few months ago about the
difference between configuration and state (`running config`, as Cisco
names it) and them being somewhat mixed.

I guess this part may need reworking, but that should involve at least
a few distributions with a few subsystems (e.g. initrc and systemd
along with wg-quick) that may be incompatible, so it is a hard task.

Cheers,
Kalin.


* Re: Include directive to support "conf.d/*" and the like
  2018-03-16  8:02 Include directive to support "conf.d/*" and the like Roman Mamedov
  2018-03-16  8:27 ` Kalin KOZHUHAROV
@ 2018-03-16 10:59 ` Daniel Kahn Gillmor
  2018-04-14  1:47   ` Jason A. Donenfeld
  1 sibling, 1 reply; 5+ messages in thread
From: Daniel Kahn Gillmor @ 2018-03-16 10:59 UTC (permalink / raw)
  To: Roman Mamedov, wireguard

On Fri 2018-03-16 13:02:22 +0500, Roman Mamedov wrote:
> While it would be nice if WireGuard had a "hosts/" directory like Tinc uses
> (basically storing its equivalents of WG's [Peer] sections each in a separate
> file), I feel the most flexible way to support such scenarios would be to have
> a generic "Include" directive. That way I could do
> "Include /etc/wireguard/peers/*.conf" and then not only store each peer
> information in its own file, but also roll-out or fetch and
> add/remove/overwrite those files from a central repository.

If you're automating deployment you can always store the config file
broken out this way and then assemble a single config during deployment
with a simple wrapper script. Or you could generate the full .conf from
some other toolchain entirely (e.g., export from an rdbms or generate
from a dump from some other pki) -- it's not as clean or tightly
integrated as it would be to have an include directive, but it's
certainly easier to rig together.

    --dkg


* Re: Include directive to support "conf.d/*" and the like
  2018-03-16 10:59 ` Daniel Kahn Gillmor
@ 2018-04-14  1:47   ` Jason A. Donenfeld
  2018-04-14  8:47     ` Roman Mamedov
  0 siblings, 1 reply; 5+ messages in thread
From: Jason A. Donenfeld @ 2018-04-14  1:47 UTC (permalink / raw)
  To: Roman Mamedov; +Cc: WireGuard mailing list

Hi Roman,

This also came up in another thread I was replying to earlier tonight.
While one way indeed is to have an 'include' directive, it seems
simple enough to just do something like:

$ wg setconf wg0 <(cat /etc/wireguard/mysite.conf.d/*.conf)

And then you can have various fragments in there like:

000-interface.conf
001-peergroupA.conf
001-peergroupB.conf
001-peergroupC.conf

And so forth. Would this be an acceptable solution for you?

Jason


* Re: Include directive to support "conf.d/*" and the like
  2018-04-14  1:47   ` Jason A. Donenfeld
@ 2018-04-14  8:47     ` Roman Mamedov
  0 siblings, 0 replies; 5+ messages in thread
From: Roman Mamedov @ 2018-04-14  8:47 UTC (permalink / raw)
  To: Jason A. Donenfeld; +Cc: WireGuard mailing list, Roman Mamedov

On Sat, 14 Apr 2018 03:47:57 +0200
"Jason A. Donenfeld" <Jason@zx2c4.com> wrote:

> Hi Roman,
> 
> This also came up in another thread I was replying to earlier tonight.
> While one way indeed is to have an 'include' directive, it seems
> simple enough to just do something like:
> 
> $ wg setconf wg0 <(cat /etc/wireguard/mysite.conf.d/*.conf)
> 
> And then you can have various fragments in there like:
> 
> 000-interface.conf
> 001-peergroupA.conf
> 001-peergroupB.conf
> 001-peergroupC.conf
> 
> And so forth. Would this be an acceptable solution for you?

Yeah, thanks. I settled on a solution similar to this. Since WG in my case is
"external" to the main OS (i.e. not wired into standard initscripts or network
configuration), I have my own shell script bringing it up anyway -- and that
script might as well pre-process or generate the configuration file. So now I
build a full config file in /tmp/ from various pieces and auto-detected
host-specific conditions, and then do a setconf to that. (Rather than addconf
as some suggested, I prefer to have the complete file available on disk for
inspection in case any debugging is needed).

-- 
With respect,
Roman

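The assemble-then-setconf approach from Jason's and Roman's messages, written out as an added example (not code from the thread or the WireGuard project): a POSIX shell function that concatenates `conf.d`-style fragments in sorted order, refuses a world-readable fragment that carries a PrivateKey, checks the result has exactly one [Interface] and at least one [Peer], and writes the assembled file with mode 0600 under an unpredictable temporary name. The directory layout and fragment names (`000-interface.conf`, `001-peergroupA.conf`, ...) are assumptions taken from the thread; the `count_sections` helper is a hypothetical addition for inspecting the result.

```shell
#!/bin/sh
# Added example, not code from the thread: assemble one WireGuard config from
# conf.d-style fragments (the `cat .../*.conf` idea above) with the checks a
# deployed script wants. Directory and fragment names are assumptions.
set -eu
LC_ALL=C; export LC_ALL   # byte-order glob sort: 000-interface.conf before 001-peer*.conf

# assemble_wg_conf DIR OUT
# Concatenates DIR/*.conf into OUT (mode 0600). Fails if a fragment carrying a
# PrivateKey is readable by other users, or if the result does not hold exactly
# one [Interface] and at least one [Peer]. OUT is only created on success.
assemble_wg_conf() {
    dir=$1; out=$2
    umask 077                       # the assembled file holds the private key
    set -- "$dir"/*.conf
    [ -e "$1" ] || { echo "no *.conf fragments in $dir" >&2; return 1; }
    tmp=$(mktemp "$out.XXXXXX")     # unpredictable name, not a fixed /tmp path
    for frag in "$@"; do
        if grep -q '^[[:space:]]*PrivateKey' "$frag" \
            && [ -n "$(find "$frag" -perm -o+r)" ]; then
            echo "$frag carries a PrivateKey but is world-readable" >&2
            rm -f "$tmp"; return 1
        fi
        printf '# --- %s ---\n' "$frag" >> "$tmp"  # wg(8) ignores '#' comments; aids debugging
        cat "$frag" >> "$tmp"
        printf '\n' >> "$tmp"                      # a fragment may lack a final newline
    done
    ifaces=$(grep -c '^[[:space:]]*\[Interface\]' "$tmp" || true)
    peers=$(grep -c '^[[:space:]]*\[Peer\]' "$tmp" || true)
    if [ "$ifaces" -ne 1 ] || [ "$peers" -lt 1 ]; then
        echo "expected one [Interface] and >=1 [Peer], found $ifaces/$peers" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$out"
}

# count_sections FILE NAME: number of [NAME] headers in FILE, for inspecting the result
count_sections() { grep -c "^[[:space:]]*\[$2\]" "$1" || true; }
```

The resulting file can be passed to `wg setconf wg0 /path/to/assembled.conf` as in Roman's setup, and stays on disk for inspection.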
