GNU bug report logs - #63402
[PATCH 0/1] Add a dynamic IP monitoring option to Wireguard service


Package: guix-patches; Reported by: Maxim Cournoyer <maxim.cournoyer@HIDDEN>; Keywords: patch; merged with #63403; dated Wed, 10 May 2023 01:10:02 UTC; Maintainer for guix-patches is guix-patches@HIDDEN.

Message received at 63402 <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: bug#63403: [PATCH 1/1] services: wireguard: Implement a dynamic
 IP monitoring feature.
References: <cover.1684461197.git.maxim.cournoyer@HIDDEN>
 <bfaae8df952aabc4e1b00bf7154dc7aa239860b3.1684461197.git.maxim.cournoyer@HIDDEN>
 <87cz2swgpu.fsf_-_@HIDDEN> <87fs7ohrif.fsf@HIDDEN>
 <87pm6pixvf.fsf@HIDDEN>
Date: Thu, 25 May 2023 11:13:10 -0400
In-Reply-To: <87pm6pixvf.fsf@HIDDEN> (Ludovic Courtès's message of "Wed, 24 May 2023 16:53:56 +0200")
Message-ID: <87h6s0fnqx.fsf@HIDDEN>
Cc: 63402 <at> debbugs.gnu.org, 63403 <at> debbugs.gnu.org
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>

Hi Ludovic,

Ludovic Courtès <ludo@HIDDEN> writes:

> Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:
>
>> Yeah, upstream offers a contrib shell script called reresolve-dns.sh
>> [0], that works a bit differently (it doesn't actually monitor IPs but
>> just keeps a watch on when the last successful handshake was made).
>>
>> [0]  https://github.com/WireGuard/wireguard-tools/blob/master/contrib/reresolve-dns/reresolve-dns.
>>
>>> Would that be a viable option?  WDYT?
>>
>> I think my Guile script is more precise in terms of what it does and
>> also produces useful output.  If I had known of the shell script's
>> existence when I started I probably wouldn't have bothered
>> re-implementing it in Scheme, but since it's here, and better, I see no
>> reason not to use it :-).  I don't foresee high maintenance for the
>> stable APIs involved (resolving host names and setting an endpoint with
>> 'wg set').
>
> I don’t doubt your script is better (first because it’s in Guile ;-)).
> I’m concerned about adding non-trivial “peripheral” code that we’ll all
> be responsible for going forward (the Jami services pose a similar
> challenge IMO: I experienced first-hand the maintenance burden recently
> when investigating system test failures.)

I get that the Jami service is complex, but to be fair here the tests
were broken by a (good) change in the marionette behavior caused by
commit a09c7da, which also affected a few other tests, as demonstrated
in the follow-up commit f518882, rather than because it crumbled under
its own weight.  I personally think this service is a great test suite
for the service infrastructure in Guix :-)  I've now fixed the Jami test
suite with 99fc7e5.  Hopefully QA helps catch regressions like this
early in the future, avoiding the need to fix things after the fact.

> So I’m a bit torn.  I sympathize with the need to improve those
> services, but I’m also concerned what will happen if we don’t have clear
> criteria to decide what to take and what to reject.

I think this happens rarely enough that it can be left as an exercise in
judgement rather than policy; e.g. deemed to provide enough value to
justify the maintenance burden, keeping in mind that using some
'contrib' shell script from upstream is not guaranteed to be
maintenance-free.  In this case it's also not on any critical path: it'd
only affect users of the new feature; if it ever breaks, only that
feature would be impacted.

-- 
Thanks,
Maxim




Information forwarded to guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


Message-ID: <966ccdfe-8d66-6020-57c5-695ac4701f95@HIDDEN>
Date: Wed, 24 May 2023 23:12:26 +0100
Subject: Re: [bug#63403] [PATCH 1/1] services: wireguard: Implement a dynamic
 IP monitoring feature.
To: Ludovic Courtès <ludo@HIDDEN>,
 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
References: <cover.1684461197.git.maxim.cournoyer@HIDDEN>
 <bfaae8df952aabc4e1b00bf7154dc7aa239860b3.1684461197.git.maxim.cournoyer@HIDDEN>
 <87cz2swgpu.fsf_-_@HIDDEN> <87fs7ohrif.fsf@HIDDEN>
 <87pm6pixvf.fsf@HIDDEN>
From: Bruno Victal <mirai@HIDDEN>
In-Reply-To: <87pm6pixvf.fsf@HIDDEN>
Cc: 63402 <at> debbugs.gnu.org, 63403 <at> debbugs.gnu.org

Hi Ludo’,

On 2023-05-24 15:53, Ludovic Courtès wrote:
> I don’t doubt your script is better (first because it’s in Guile ;-)).
> I’m concerned about adding non-trivial “peripheral” code that we’ll all
> be responsible for going forward (the Jami services pose a similar
> challenge IMO: I experienced first-hand the maintenance burden recently
> when investigating system test failures.)
> 
> So I’m a bit torn.  I sympathize with the need to improve those
> services, but I’m also concerned what will happen if we don’t have clear
> criteria to decide what to take and what to reject.
> 

I think having some “indigenous” Guix capabilities is a good idea,
if the Guix services are to be something more than a (lossy) Scheme
translation of some daemon's configuration file syntax.

IMO, as long as the feature in question is:
* Not overly tailored to some specific setup scenario.
* Generic (or can be reasonably refactored/extended as needed)
* Improves the overall experience of a service.

it should be acceptable to have it in Guix, since it brings more value
to the service subsystem (rather than requiring a user to import
$MYSTERY_CHANNEL_FROM_INTERNET_USER_5554$ or reinvent the
ω+1 iteration of the same wheel).


-- 
Furthermore, I consider that nonfree software must be eradicated.

Cheers,
Bruno.





Information forwarded to guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


Message-ID: <ca34e1d6-6e96-655b-b34f-87091aaf79c8@HIDDEN>
Date: Wed, 24 May 2023 18:25:27 +0100
Subject: Re: [bug#63402] [PATCH v5 2/5] services: wireguard: Implement a
 dynamic IP monitoring feature.
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
References: <cover.1684461197.git.maxim.cournoyer@HIDDEN>
 <bfaae8df952aabc4e1b00bf7154dc7aa239860b3.1684461197.git.maxim.cournoyer@HIDDEN>
From: Bruno Victal <mirai@HIDDEN>
In-Reply-To: <bfaae8df952aabc4e1b00bf7154dc7aa239860b3.1684461197.git.maxim.cournoyer@HIDDEN>
Cc: 63402 <at> debbugs.gnu.org

On 2023-05-19 02:59, Maxim Cournoyer wrote:
> +;;; XXX: Copied from (guix scripts pack), changing define to define*.
> +(define-syntax-rule (define-with-source (variable args ...) body body* ...)
> +  "Bind VARIABLE to a procedure accepting ARGS defined as BODY, also setting
> +its source property."
> +  (begin
> +    (define* (variable args ...)
> +      body body* ...)
> +    (eval-when (load eval)
> +      (set-procedure-property! variable 'source
> +                               '(define* (variable args ...) body body* ...)))))
> +
> +(define (wireguard-service-name interface)
> +  "Return the WireGuard service name (a symbol) configured to use INTERFACE."
> +  (symbol-append 'wireguard- (string->symbol interface)))
> +
> +(define-with-source (strip-port/maybe endpoint #:key ipv6?)
> +  "Strip the colon and port, if present in ENDPOINT, a string."
> +  (if ipv6?
> +      (if (string-prefix? "[" endpoint)
> +          (first (string-split (string-drop endpoint 1) #\])) ;ipv6
> +          endpoint)
> +      (first (string-split endpoint #\:)))) ;ipv4
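Review bot: `strip-port/maybe` with `#:ipv6? #t` returns an unbracketed ENDPOINT unchanged, so for IPv6 the "if present" in the docstring only holds for the `[addr]:port` form; an unbracketed `addr:port` cannot be told apart from a bare address, silently keeps its trailing `:port`, and then makes `inet-pton` fail. State in the docstring that unbracketed IPv6 endpoints are assumed to carry no port, or reject the ambiguous form explicitly. Separately, `define-with-source` is copied verbatim from (guix scripts pack), as the XXX comment admits; exporting it from one shared module would keep the two copies from drifting apart.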

[...]

> +
> +(define (ipv4-address? str)
> +  "Return true if STR denotes an IPv4 address."
> +  (false-if-exception
> +   (->bool (inet-pton AF_INET (strip-port/maybe str)))))
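Review bot: `false-if-exception` around `inet-pton` swallows every exception, including the wrong-type error raised when STR is not a string, so a programming mistake in a caller only shows up as a silent #f (the same applies to `ipv6-address?` below). Catch only the error `inet-pton` raises for an unparsable address, or check `(string? str)` first and let anything else propagate.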

[...]

> +
> +(define (ipv6-address? str)
> +  "Return true if STR denotes an IPv6 address."
> +  (false-if-exception
> +   (->bool (inet-pton AF_INET6 (strip-port/maybe str #:ipv6? #t)))))

You should use getaddrinfo instead, reason being that inet-pton does
not work with zone-indexes or interface names in IPv6 addresses.
I expect that this snippet would get cloned and reused often which
makes it important to get it right even if zone-indexes don't happen
to be of particular interest here.

I have this snippet that you could adapt to your liking (or use as-is):

--8<---------------cut here---------------start------------->8---
;; FAMILY defaults to AF_UNSPEC: getaddrinfo expects an integer family,
;; so an unset optional argument must not reach it.
(define* (ip-address? s #:optional (family AF_UNSPEC))
  "Check if @var{s} is a valid IP address. It optionally accepts a
@var{family} argument, either AF_INET or AF_INET6, which can be used
to exclusively check for IPv4 or IPv6 addresses."
  ;; Regrettably square brackets aren't accepted by getaddrinfo() and
  ;; must be removed beforehand.
  (let ((address (string-trim-both s (char-set #\[ #\]))))
    ;; AI_NUMERICHOST makes getaddrinfo parse ADDRESS without any DNS lookup.
    (false-if-exception
     (->bool (getaddrinfo address #f AI_NUMERICHOST family)))))
--8<---------------cut here---------------end--------------->8---

I'd also harmonize the ipv4 check to use getaddrinfo in case you
specialize the snippet above for IPv6 only. (keeps things simpler)

> +
> +(define (host-name? name)
> +  "Predicate to check whether NAME is a host name, i.e. not an IP address."
> +  (not (or (ipv6-address? name) (ipv4-address? name))))
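Review bot: `host-name?` is a purely negative test (not an IPv4 or IPv6 address), so the empty string, "256.1.1.1:1" or an endpoint with an unterminated "[" all pass as host names and are only rejected later, when resolution runs. Add a positive syntax check (non-empty, dot-separated labels of letters, digits and hyphens, no all-numeric last label) so malformed endpoints fail at configuration time, where the user can see which field is wrong.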

I'd craft an artificial URI string and extract this information from a URI
record instead, since the above check is likely to prove insufficient:

--8<---------------cut here---------------start------------->8---
scheme@(guile-user)> (use-modules (web uri))
scheme@(guile-user)> (define s "example.tld:9999")
scheme@(guile-user)> (uri-host (string->uri (string-append "dummy://" s)))
$5 = "example.tld"
scheme@(guile-user)> (define s "[2001:db8::1234]:9999")
scheme@(guile-user)> (uri-host (string->uri (string-append "dummy://" s)))
$6 = "2001:db8::1234"
--8<---------------cut here---------------end--------------->8---

>  (define wireguard-service-type
>    (service-type
>     (name 'wireguard)
> @@ -898,6 +1036,8 @@ (define wireguard-service-type
>                               wireguard-activation)
>            (service-extension profile-service-type
>                               (compose list
> -                                      wireguard-configuration-wireguard))))
> +                                      wireguard-configuration-wireguard))
> +          (service-extension mcron-service-type
> +                             wireguard-monitoring-jobs)))
>     (description "Set up Wireguard @acronym{VPN, Virtual Private Network}
>  tunnels.")))
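Review bot: the new `(service-extension mcron-service-type wireguard-monitoring-jobs)` is unconditional, which makes every `wireguard-service-type` instance depend on `mcron-service-type` being present in the operating system, not only the ones that use the monitoring feature. Make sure `wireguard-monitoring-jobs` returns `'()` when no peer uses a host-name endpoint, and mention the new mcron dependency in the service documentation so existing configurations without mcron are not surprised.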
> diff --git a/tests/services/vpn.scm b/tests/services/vpn.scm
> new file mode 100644
> index 0000000000..a7f4bec26b
> --- /dev/null
> +++ b/tests/services/vpn.scm
> @@ -0,0 +1,83 @@
> +;;; GNU Guix --- Functional package management for GNU
> +;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
> +;;;
> +;;; This file is part of GNU Guix.
> +;;;
> +;;; GNU Guix is free software; you can redistribute it and/or modify it
> +;;; under the terms of the GNU General Public License as published by
> +;;; the Free Software Foundation; either version 3 of the License, or (at
> +;;; your option) any later version.
> +;;;
> +;;; GNU Guix is distributed in the hope that it will be useful, but
> +;;; WITHOUT ANY WARRANTY; without even the implied warranty of
> +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
> +;;; GNU General Public License for more details.
> +;;;
> +;;; You should have received a copy of the GNU General Public License
> +;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
> +
> +(define-module (tests services vpn)
> +  #:use-module (gnu packages vpn)
> +  #:use-module (gnu services vpn)
> +  #:use-module (guix gexp)
> +  #:use-module (ice-9 match)
> +  #:use-module (srfi srfi-1)
> +  #:use-module (srfi srfi-64))
> +
> +;;; Commentary:
> +;;;
> +;;; Unit tests for the (gnu services vpn) module.
> +;;;
> +;;; Code:
> +
> +;;; Access some internals for whitebox testing.
> +(define ipv4-address? (@@ (gnu services vpn) ipv4-address?))
> +(define ipv6-address? (@@ (gnu services vpn) ipv6-address?))
> +(define host-name? (@@ (gnu services vpn) host-name?))
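Review bot: of the modules imported in `(define-module (tests services vpn) ...)`, `(gnu packages vpn)`, `(guix gexp)` and `(ice-9 match)` are not used by any of the tests visible in this hunk; if the rest of the file does not need them either, drop them so the test module only pulls in what it exercises.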

IMO, these kind of utility procedures seem useful enough that they
should go into either:
* (gnu services configuration)
* (gnu services network)
* or a new module consisting of useful predicates perhaps?
** (gnu services configuration predicates)
** (gnu services configuration utils)

> +(define endpoint-host-names
> +  (@@ (gnu services vpn) endpoint-host-names))
> +
> +(test-begin "vpn-services")
> +
> +(test-assert "ipv4-address?"
> +  (every ipv4-address?
> +         (list "192.95.5.67:1234"
> +               "10.0.0.1")))
> +
> +(test-assert "ipv6-address?"
> +  (every ipv6-address?
> +         (list "[2607:5300:60:6b0::c05f:543]:2468"
> +               "2607:5300:60:6b0::c05f:543"
> +               "2345:0425:2CA1:0000:0000:0567:5673:23b5"
> +               "2345:0425:2CA1::0567:5673:23b5")))

Are these addresses special?
If not, I'd recommend (properly) generating a random ULA prefix
and using it instead.

> +
> +(define %wireguard-peers
> +  (list (wireguard-peer
> +         (name "dummy1")
> +         (public-key "VlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XjoalC8=")
> +         (endpoint "some.dynamic-dns.service:53281")
> +         (allowed-ips '()))
> +        (wireguard-peer
> +         (name "dummy2")
> +         (public-key "AlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC9=")
> +         (endpoint "example.org")
> +         (allowed-ips '()))
> +        (wireguard-peer
> +         (name "dummy3")
> +         (public-key "BlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC7=")
> +         (endpoint "10.0.0.7:7777")
> +         (allowed-ips '()))
> +        (wireguard-peer
> +         (name "dummy4")
> +         (public-key "ClesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC6=")
> +         (endpoint "[2345:0425:2CA1::0567:5673:23b5]:44444")
> +         (allowed-ips '()))))
> +
> +(test-equal "endpoint-host-names"
> +  '(("VlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XjoalC8=" .
> +     "some.dynamic-dns.service:53281")
> +    ("AlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC9=" .
> +     "example.org"))
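Review bot: the `dummy2` peer uses `(endpoint "example.org")` without a port; wg(8) rejects an endpoint that has no port, so unless `wireguard-peer` validates this at construction time the monitor would eventually run `wg set ... endpoint example.org` and fail at runtime. Either give the fixture a `host:port` endpoint, or keep the port-less value as a deliberate negative case and assert on the error it should produce.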

I think a comment that explains where these values were obtained from
(or how they were generated) would be helpful for anyone looking at this
in the future.


-- 
Furthermore, I consider that nonfree software must be eradicated.

Cheers,
Bruno.
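
The endpoint handling discussed in this review, as an added example that is not part of the patch, of Guix, or of Bruno's snippets: a small Guile program that splits a WireGuard endpoint into host and port, classifies the host with getaddrinfo and AI_NUMERICHOST (as suggested above, so IPv6 zone indexes are accepted and no DNS lookup happens), applies a positive host-name syntax check instead of the "not an IP address" rule, and builds the `wg set ... endpoint` argument list a re-resolver would run. It splits the string directly rather than going through (web uri). The procedure names (`split-endpoint`, `host-kind`, `wg-set-endpoint-args`), the stub resolver, the address 203.0.113.7 and the interface name wg0 are assumptions for illustration; the key is the dummy one from the test fixture, the `peer KEY endpoint HOST:PORT` argument form is wg(8)'s, and the sample inputs at the end are constructed.

```scheme
;; Added example, not from the patch or from Guix: parse and classify a
;; WireGuard endpoint, then build the `wg set' arguments a re-resolver runs.
(use-modules (ice-9 match) (srfi srfi-1))

(define (split-endpoint endpoint)
  "Return (HOST . PORT) for ENDPOINT; PORT is a string or #f."
  (cond
   ;; "[v6]" or "[v6]:port": the host ends at the first ']'.
   ((string-prefix? "[" endpoint)
    (let ((close (string-index endpoint #\])))
      (unless close
        (error "unterminated IPv6 literal in endpoint:" endpoint))
      (let ((host (substring endpoint 1 close))
            (rest (substring endpoint (1+ close))))
        (cond ((string-null? rest) (cons host #f))
              ((string-prefix? ":" rest) (cons host (string-drop rest 1)))
              (else (error "trailing garbage in endpoint:" endpoint))))))
   ;; Two or more colons without brackets: an unbracketed IPv6 address,
   ;; which cannot carry a port (the split would be ambiguous).
   ((> (string-count endpoint #\:) 1)
    (cons endpoint #f))
   ;; "host" or "host:port".
   (else
    (match (string-split endpoint #\:)
      ((host) (cons host #f))
      ((host port) (cons host port))))))

(define (numeric-address? host family)
  "True if HOST is a numeric address of FAMILY (AF_INET, AF_INET6 or
AF_UNSPEC).  AI_NUMERICHOST forbids DNS lookups and, unlike inet-pton,
accepts a zone index such as \"fe80::1%eth0\" when that interface exists.
Only getaddrinfo's own failure is caught; a wrong-type HOST still raises."
  (catch 'getaddrinfo-error
    (lambda () (getaddrinfo host #f AI_NUMERICHOST family) #t)
    (lambda (key . args) #f)))

;; RFC 1123 label characters; a positive check rejects "" or "256.1.1.1"
;; instead of passing them on to DNS as host names.
(define %label-chars
  (string->char-set
   "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-"))

(define (valid-host-name? host)
  "True if HOST is syntactically a DNS host name."
  (define (label? s)
    (and (< 0 (string-length s) 64)
         (string-every %label-chars s)
         (not (char=? (string-ref s 0) #\-))
         (not (char=? (string-ref s (- (string-length s) 1)) #\-))))
  (let ((labels (string-split (string-trim-right host #\.) #\.)))
    (and (< 0 (string-length host) 254)
         (every label? labels)
         ;; RFC 3696: the top-level label must not be all-numeric.
         (not (string-every char-set:digit (last labels))))))

(define (host-kind host)
  "Return 'ipv4, 'ipv6 or 'host-name; raise on anything else."
  (cond ((numeric-address? host AF_INET) 'ipv4)
        ((numeric-address? host AF_INET6) 'ipv6)
        ((valid-host-name? host) 'host-name)
        (else (error "invalid endpoint host:" host))))

(define (resolve-host-name host)
  "Resolve HOST over DNS and return its first address as a string."
  (let ((sa (addrinfo:addr (first (getaddrinfo host #f)))))
    (inet-ntop (sockaddr:fam sa) (sockaddr:addr sa))))

(define* (wg-set-endpoint-args interface public-key endpoint
                               #:key (resolve resolve-host-name))
  "Return the `wg set' argument list pointing PUBLIC-KEY at the current
address of ENDPOINT.  RESOLVE is a parameter so this runs without DNS."
  (match (split-endpoint endpoint)
    ((host . port)
     ;; wg(8) rejects an endpoint without a port, so fail early.
     (unless port
       (error "WireGuard endpoint needs a port:" endpoint))
     (let* ((address (if (eq? (host-kind host) 'host-name)
                         (resolve host)
                         host))
            (literal (if (string-index address #\:)
                         (string-append "[" address "]")
                         address)))
       (list "wg" "set" interface "peer" public-key
             "endpoint" (string-append literal ":" port))))))

;; Constructed sample input: the fixture's dummy key, a documentation-range
;; address and a stub resolver instead of real DNS.
(for-each (lambda (e)
            (format #t "~a -> ~a~%" e (host-kind (car (split-endpoint e)))))
          '("10.0.0.7:7777" "[2001:db8::1234]:44444" "2001:db8::1234"
            "some.dynamic-dns.service:53281"))
(display (string-join (wg-set-endpoint-args
                       "wg0" "VlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XjoalC8="
                       "some.dynamic-dns.service:53281"
                       #:resolve (const "203.0.113.7"))
                      " "))
(newline)
```

Run it with `guile endpoint.scm`; the only network access is in `resolve-host-name`, which the sample bypasses via `#:resolve`. A monitor built on this would remember the last address returned per peer and call `wg set` only when the freshly resolved address differs, which is the address-based monitoring that distinguishes the Guile approach from the handshake-based reresolve-dns.sh mentioned earlier in the thread.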





Information forwarded to guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#63403: [PATCH 1/1] services: wireguard: Implement a dynamic
 IP monitoring feature.
References: <cover.1684461197.git.maxim.cournoyer@HIDDEN>
 <bfaae8df952aabc4e1b00bf7154dc7aa239860b3.1684461197.git.maxim.cournoyer@HIDDEN>
 <87cz2swgpu.fsf_-_@HIDDEN> <87fs7ohrif.fsf@HIDDEN>
X-PGP-Key-ID: 0x090B11993D9AEBB5
X-PGP-Key: http://www.fdn.fr/~lcourtes/ludovic.asc
X-PGP-Fingerprint: 3CE4 6455 8A84 FDC6 9DB4  0CFB 090B 1199 3D9A EBB5
Date: Wed, 24 May 2023 16:53:56 +0200
In-Reply-To: <87fs7ohrif.fsf@HIDDEN> (Maxim Cournoyer's message of "Mon, 22
 May 2023 19:32:08 -0400")
Message-ID: <87pm6pixvf.fsf@HIDDEN>
Cc: 63402 <at> debbugs.gnu.org, 63403 <at> debbugs.gnu.org

Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:

> Yeah, upstream offers a contrib shell script called reresolve-dns.sh
> [0], that works a bit differently (it doesn't actually monitor IPs but
> just keeps a watch on when the last successful handshake was made).
>
> [0]  https://github.com/WireGuard/wireguard-tools/blob/master/contrib/reresolve-dns/reresolve-dns.
>
>> Would that be a viable option?  WDYT?
>
> I think my Guile script is more precise in terms of what it does and
> also produces useful output.  If I had known of the shell script's
> existence when I started I probably wouldn't have bothered
> re-implementing it in Scheme, but since it's here, and better, I see no
> reason not to use it :-).  I don't foresee high maintenance for the
> stable APIs involved (resolving host names and setting an endpoint with
> 'wg set').

I don’t doubt your script is better (first because it’s in Guile ;-)).
I’m concerned about adding non-trivial “peripheral” code that we’ll all
be responsible for going forward (the Jami services pose a similar
challenge IMO: I experienced first-hand the maintenance burden recently
when investigating system test failures.)

So I’m a bit torn.  I sympathize with the need to improve those
services, but I’m also concerned what will happen if we don’t have clear
criteria to decide what to take and what to reject.

WDYT?

Ludo’.




Information forwarded to guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


From: Ludovic Courtès <ludo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#63403: [PATCH 1/1] services: wireguard: Implement a dynamic
 IP monitoring feature.
References: <cover.1684461197.git.maxim.cournoyer@HIDDEN>
 <4ae50adcd4cef9d26b26eb4456727538d61f064c.1684461197.git.maxim.cournoyer@HIDDEN>
 <87lehgwgvz.fsf_-_@HIDDEN> <87jzx0hryo.fsf@HIDDEN>
Date: Wed, 24 May 2023 16:44:40 +0200
In-Reply-To: <87jzx0hryo.fsf@HIDDEN> (Maxim Cournoyer's message of "Mon, 22
 May 2023 19:22:23 -0400")
Message-ID: <87cz2pkcvb.fsf@HIDDEN>
Cc: 63402 <at> debbugs.gnu.org, 63403 <at> debbugs.gnu.org

Hi Maxim,

Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:

> Ludovic Courtès <ludo@HIDDEN> writes:
>
>> Hi,
>>
>> Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:
>>
>>> * gnu/services/herd.scm (current-service): New procedure, mostly reusing the
>>> existing current-services.
>>> (current-services): Implement in terms of the above procedure.
>>
>> How about having (lookup-service name) that calls the ‘status’ action on
>> the given service and either returns a <live-service> or #f?
>
> I'd rather keep the name 'current-service',

There’s no notion of a “current service” in the Shepherd; that would be
confusing to me.

> because 'lookup-service' is already a public procedure exported by
> Shepherd's (shepherd service) module; it'd be confusing.

Yeah well, I think we should clarify the client/server architecture and
the context in which (shepherd …) modules are meant to be used.  I made
a first attempt:

  https://git.savannah.gnu.org/cgit/shepherd.git/commit/?id=d3d437a34bcb11fc416bf141181d8908064aeceb

However, what matters most to me is that the procedure names really
represent what they do.  With that in mind, it’s no surprise that the
procedure to look up a service is called ‘lookup-service’ in both
contexts.

Thanks,
Ludo’.




Information forwarded to guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


Received: (at 63402) by debbugs.gnu.org; 22 May 2023 23:32:25 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon May 22 19:32:25 2023
Received: from localhost ([127.0.0.1]:37289 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1q1F0r-0005Ie-EH
	for submit <at> debbugs.gnu.org; Mon, 22 May 2023 19:32:25 -0400
Received: from mail-qk1-f178.google.com ([209.85.222.178]:56778)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@HIDDEN>)
 id 1q1F0i-0005IC-HM; Mon, 22 May 2023 19:32:20 -0400
Received: by mail-qk1-f178.google.com with SMTP id
 af79cd13be357-75b0df7b225so92045485a.1; 
 Mon, 22 May 2023 16:32:16 -0700 (PDT)
X-Received: by 2002:a05:622a:34e:b0:3e3:8ed5:a47e with SMTP id
 r14-20020a05622a034e00b003e38ed5a47emr21902142qtw.10.1684798330694; 
 Mon, 22 May 2023 16:32:10 -0700 (PDT)
Received: from hurd (dsl-205-233-124-30.b2b2c.ca. [205.233.124.30])
 by smtp.gmail.com with ESMTPSA id
 k5-20020ac81405000000b003ee4b5a2dd3sm1690093qtj.21.2023.05.22.16.32.09
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 22 May 2023 16:32:10 -0700 (PDT)
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: bug#63403: [PATCH 1/1] services: wireguard: Implement a dynamic
 IP monitoring feature.
References: <cover.1684461197.git.maxim.cournoyer@HIDDEN>
 <bfaae8df952aabc4e1b00bf7154dc7aa239860b3.1684461197.git.maxim.cournoyer@HIDDEN>
 <87cz2swgpu.fsf_-_@HIDDEN>
Date: Mon, 22 May 2023 19:32:08 -0400
In-Reply-To: <87cz2swgpu.fsf_-_@HIDDEN> ("Ludovic Courtès"'s message of "Mon, 22 May 2023 17:03:57 +0200")
Message-ID: <87fs7ohrif.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 63402
Cc: 63402 <at> debbugs.gnu.org, 63403 <at> debbugs.gnu.org
X-Spam-Score: -1.0 (-)

Hi Ludovic,

Ludovic Courtès <ludo@HIDDEN> writes:

> Hi,
>
> Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:
>
>> * gnu/services/vpn.scm (<wireguard-configuration>)
>> [monitor-ips?, monitor-ips-internal]: New fields.
>> * gnu/services/vpn.scm (define-with-source): New syntax.
>> (wireguard-service-name, strip-port/maybe)
>> (ipv4-address?, ipv6-address?, host-name?)
>> (endpoint-host-names): New procedure.
>> (wireguard-monitoring-jobs): Likewise.
>> (wireguard-service-type): Register it.
>> * tests/services/vpn.scm: New file.
>> * Makefile.am (SCM_TESTS): Register it.
>> * doc/guix.texi (VPN Services): Update doc.
>
> As discussed on IRC the other day, I tend to think that this is “not our
> job” but rather upstream’s.  (As a rule of thumb, I think services
> should merely expose what upstream implements.)
>
> You mentioned that upstream has a shell script to do something similar.
> Using that may not be as nice as what you propose here in terms of
> integration, but the upside is that we wouldn’t have to maintain it
> ourselves.

Yeah, upstream offers a contrib shell script called reresolve-dns.sh
[0], which works a bit differently (it doesn't actually monitor IPs but
just keeps watch on when the last successful handshake was made).

[0]  https://github.com/WireGuard/wireguard-tools/blob/master/contrib/reresolve-dns/reresolve-dns.

> Would that be a viable option?  WDYT?

I think my Guile script is more precise in terms of what it does and
also produces useful output.  If I had known of the shell script's
existence when I started I probably wouldn't have bothered
re-implementing it in Scheme, but since it's here, and better, I see no
reason to not use it :-).  I don't foresee high maintenance for the
stable APIs involved (resolving host names and setting an endpoint with
'wg set').

-- 
Thanks,
Maxim
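The two strategies contrasted in the message above, re-resolving the host names in peer endpoints and pushing a changed address with `wg set` (the Guix monitor's approach) versus keying on the age of the last handshake (the reresolve-dns.sh approach), put side by side in Python. This is an added example, not code from the Guix patch, from wireguard-tools or from anyone in this thread; the interface name `wg0`, the peer keys, the `wg show wg0 dump` text, the resolver table and the 135-second staleness threshold are all constructed assumptions, and nothing is executed.

```python
"""Re-resolve dynamic WireGuard endpoints: an added example, not code from
the Guix patch or wireguard-tools.  Dump text, peer config and resolver are
constructed so it runs offline."""
import ipaddress
from typing import Callable, Dict, List, NamedTuple, Optional, Tuple

IFACE = "wg0"
STALE_AFTER = 135  # seconds; assumed to match the reresolve-dns.sh threshold

# Constructed [Peer] Endpoint= values, keyed by peer public key.
PEER_ENDPOINTS: Dict[str, str] = {
    "PEER_A_PUBKEY": "vpn-a.example.org:51820",  # host name, IPv4 today
    "PEER_B_PUBKEY": "[2001:db8::5]:51820",      # IPv6 literal: static
    "PEER_C_PUBKEY": "vpn-c.example.org:51821",  # host name, IPv6 today
}
# Constructed `wg show wg0 dump` output: line 1 is the interface (private-key,
# public-key, listen-port, fwmark); each later line is a peer: public-key,
# preshared-key, endpoint, allowed-ips, latest-handshake, rx, tx, keepalive.
SAMPLE_DUMP = "\n".join([
    "(redacted)\tLOCAL_PUBKEY\t51820\toff",
    "PEER_A_PUBKEY\t(none)\t203.0.113.5:51820\t10.0.0.2/32\t1684798000\t0\t0\t25",
    "PEER_B_PUBKEY\t(none)\t[2001:db8::5]:51820\t10.0.0.3/32\t1684798290\t0\t0\toff",
    "PEER_C_PUBKEY\t(none)\t[2001:db8::9]:51821\t10.0.0.4/32\t0\t0\t0\t25",
])
NOW = 1684798300  # constructed "current time" for the handshake-age check

class Peer(NamedTuple):
    public_key: str
    endpoint: str          # "host:port", "[v6]:port" or "(none)"
    latest_handshake: int  # UNIX seconds, 0 when no handshake yet

def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split an Endpoint value into (host, port), port None when absent:
    'host:port', '[v6]:port', bare IPv6 literal or bare host name (the job
    strip-port/maybe does in the Guix patch, re-implemented here)."""
    if endpoint.startswith("["):
        host, _, rest = endpoint[1:].partition("]")
        return host, (int(rest[1:]) if rest.startswith(":") else None)
    if endpoint.count(":") == 1:  # exactly one colon: host:port
        host, _, port = endpoint.partition(":")
        return host, int(port)
    return endpoint, None         # bare host name or bare IPv6 literal

def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def endpoint_host_names(peer_endpoints: Dict[str, str]) -> List[str]:
    """Host names (not IP literals) among configured endpoints; only these
    can change and so need monitoring."""
    hosts = [split_endpoint(e)[0] for e in peer_endpoints.values()]
    return [h for h in hosts if not is_ip_literal(h)]

def parse_dump(text: str) -> Dict[str, Peer]:
    """Parse `wg show <iface> dump`, skipping the interface line."""
    peers = {}
    for line in text.splitlines()[1:]:
        f = line.split("\t")
        peers[f[0]] = Peer(f[0], f[2], int(f[4]))
    return peers

def stale_peers(dump_text: str, now: int, stale_after: int = STALE_AFTER) -> List[str]:
    """Peers whose last handshake is older than stale_after, or absent (0):
    the signal reresolve-dns.sh acts on."""
    return [p.public_key for p in parse_dump(dump_text).values()
            if p.latest_handshake == 0 or now - p.latest_handshake > stale_after]

def plan_updates(peer_endpoints: Dict[str, str], dump_text: str,
                 resolve: Callable[[str], str]) -> List[List[str]]:
    """`wg set` argv lists needed so every host-name endpoint points at the
    address it resolves to now.  `resolve` is injected (a real run would pass
    socket.gethostbyname or a getaddrinfo wrapper); nothing is executed."""
    live = parse_dump(dump_text)
    actions = []
    for pubkey, configured in peer_endpoints.items():
        host, port = split_endpoint(configured)
        if is_ip_literal(host) or pubkey not in live:
            continue  # static endpoint, or peer unknown to the kernel
        current = live[pubkey].endpoint
        current_host = None if current == "(none)" else split_endpoint(current)[0]
        new_host = resolve(host)
        if new_host != current_host:  # DNS moved: push the new address
            new_ep = f"[{new_host}]:{port}" if ":" in new_host else f"{new_host}:{port}"
            actions.append(["wg", "set", IFACE, "peer", pubkey, "endpoint", new_ep])
    return actions

# Constructed resolver standing in for DNS.
FAKE_DNS = {"vpn-a.example.org": "198.51.100.7", "vpn-c.example.org": "2001:db8::9"}

if __name__ == "__main__":
    for argv in plan_updates(PEER_ENDPOINTS, SAMPLE_DUMP, FAKE_DNS.__getitem__):
        print(" ".join(argv))
    print("stale handshakes:", stale_peers(SAMPLE_DUMP, NOW))
```

Run as-is it prints one `wg set` line for PEER_A (its host name now resolves elsewhere) and lists PEER_A and PEER_C as stale; PEER_B has an IPv6 literal endpoint and is never re-resolved.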




Information forwarded to guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


Received: (at 63402) by debbugs.gnu.org; 22 May 2023 23:22:39 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon May 22 19:22:39 2023
Received: from localhost ([127.0.0.1]:37273 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1q1ErP-00050w-0W
	for submit <at> debbugs.gnu.org; Mon, 22 May 2023 19:22:39 -0400
Received: from mail-qk1-f181.google.com ([209.85.222.181]:53651)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@HIDDEN>)
 id 1q1ErH-00050Q-Fr; Mon, 22 May 2023 19:22:35 -0400
Received: by mail-qk1-f181.google.com with SMTP id
 af79cd13be357-75b076babc3so101750885a.3; 
 Mon, 22 May 2023 16:22:31 -0700 (PDT)
X-Received: by 2002:a05:620a:2603:b0:75b:23a1:3645 with SMTP id
 z3-20020a05620a260300b0075b23a13645mr2475457qko.6.1684797745600; 
 Mon, 22 May 2023 16:22:25 -0700 (PDT)
Received: from hurd (dsl-205-233-124-30.b2b2c.ca. [205.233.124.30])
 by smtp.gmail.com with ESMTPSA id
 20-20020a05620a06d400b007579ea33cdesm2080019qky.62.2023.05.22.16.22.24
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Mon, 22 May 2023 16:22:25 -0700 (PDT)
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: Ludovic Courtès <ludo@HIDDEN>
Subject: Re: bug#63403: [PATCH 1/1] services: wireguard: Implement a dynamic
 IP monitoring feature.
References: <cover.1684461197.git.maxim.cournoyer@HIDDEN>
 <4ae50adcd4cef9d26b26eb4456727538d61f064c.1684461197.git.maxim.cournoyer@HIDDEN>
 <87lehgwgvz.fsf_-_@HIDDEN>
Date: Mon, 22 May 2023 19:22:23 -0400
In-Reply-To: <87lehgwgvz.fsf_-_@HIDDEN> ("Ludovic Courtès"'s message of "Mon, 22 May 2023 17:00:16 +0200")
Message-ID: <87jzx0hryo.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 63402
Cc: 63402 <at> debbugs.gnu.org, 63403 <at> debbugs.gnu.org
X-Spam-Score: -1.0 (-)

Hi Ludovic,

Ludovic Courtès <ludo@HIDDEN> writes:

> Hi,
>
> Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:
>
>> * gnu/services/herd.scm (current-service): New procedure, mostly reusing the
>> existing current-services.
>> (current-services): Implement in terms of the above procedure.
>
> How about having (lookup-service name) that calls the ‘status’ action on
> the given service and either returns a <live-service> or #f?

I'd rather keep the name 'current-service', because 'lookup-service' is
already a public procedure exported by Shepherd's (shepherd service)
module; it'd be confusing.

> ‘current-services’ might be implemented as (lookup-service 'root) but
> this should be kept as an implementation detail.

Yeah, that's my view on current-services being implemented in terms of
(current-service 'root).  It's a bit weird, but that's because the
underlying API is not symmetrical either.

Thanks for taking a look!

-- 
Thanks,
Maxim




Information forwarded to guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


Received: (at 63402) by debbugs.gnu.org; 22 May 2023 15:04:24 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon May 22 11:04:24 2023
Received: from localhost ([127.0.0.1]:35796 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1q175D-00048T-LP
	for submit <at> debbugs.gnu.org; Mon, 22 May 2023 11:04:23 -0400
Received: from eggs.gnu.org ([209.51.188.92]:42256)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>)
 id 1q1758-000481-Kx; Mon, 22 May 2023 11:04:19 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1q174q-0003HY-6S; Mon, 22 May 2023 11:04:12 -0400
Received: from [193.50.110.247] (helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1q174p-0003Nv-Bi; Mon, 22 May 2023 11:03:59 -0400
From: Ludovic Courtès <ludo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#63403: [PATCH 1/1] services: wireguard: Implement a dynamic
 IP monitoring feature.
References: <cover.1684461197.git.maxim.cournoyer@HIDDEN>
 <bfaae8df952aabc4e1b00bf7154dc7aa239860b3.1684461197.git.maxim.cournoyer@HIDDEN>
Date: Mon, 22 May 2023 17:03:57 +0200
In-Reply-To: <bfaae8df952aabc4e1b00bf7154dc7aa239860b3.1684461197.git.maxim.cournoyer@HIDDEN>
 (Maxim Cournoyer's message of "Thu, 18 May 2023 21:59:14 -0400")
Message-ID: <87cz2swgpu.fsf_-_@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 63402
Cc: 63402 <at> debbugs.gnu.org, 63403 <at> debbugs.gnu.org
X-Spam-Score: -3.3 (---)

Hi,

Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:

> * gnu/services/vpn.scm (<wireguard-configuration>)
> [monitor-ips?, monitor-ips-internal]: New fields.
> * gnu/services/vpn.scm (define-with-source): New syntax.
> (wireguard-service-name, strip-port/maybe)
> (ipv4-address?, ipv6-address?, host-name?)
> (endpoint-host-names): New procedure.
> (wireguard-monitoring-jobs): Likewise.
> (wireguard-service-type): Register it.
> * tests/services/vpn.scm: New file.
> * Makefile.am (SCM_TESTS): Register it.
> * doc/guix.texi (VPN Services): Update doc.

As discussed on IRC the other day, I tend to think that this is “not our
job” but rather upstream’s.  (As a rule of thumb, I think services
should merely expose what upstream implements.)

You mentioned that upstream has a shell script to do something similar.
Using that may not be as nice as what you propose here in terms of
integration, but the upside is that we wouldn’t have to maintain it
ourselves.

Would that be a viable option?  WDYT?

Thanks,
Ludo’.




Information forwarded to guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


Received: (at 63402) by debbugs.gnu.org; 22 May 2023 15:00:34 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Mon May 22 11:00:33 2023
Received: from localhost ([127.0.0.1]:35766 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1q171V-00042G-K9
	for submit <at> debbugs.gnu.org; Mon, 22 May 2023 11:00:33 -0400
Received: from eggs.gnu.org ([209.51.188.92]:52158)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <ludo@HIDDEN>)
 id 1q171T-00041x-RL; Mon, 22 May 2023 11:00:32 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1q171O-0002Vs-EC; Mon, 22 May 2023 11:00:26 -0400
Received: from [193.50.110.247] (helo=ribbon)
 by fencepost.gnu.org with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <ludo@HIDDEN>)
 id 1q171G-0007n2-Ai; Mon, 22 May 2023 11:00:25 -0400
From: Ludovic Courtès <ludo@HIDDEN>
To: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
Subject: Re: bug#63403: [PATCH 1/1] services: wireguard: Implement a dynamic
 IP monitoring feature.
References: <cover.1684461197.git.maxim.cournoyer@HIDDEN>
 <4ae50adcd4cef9d26b26eb4456727538d61f064c.1684461197.git.maxim.cournoyer@HIDDEN>
Date: Mon, 22 May 2023 17:00:16 +0200
In-Reply-To: <4ae50adcd4cef9d26b26eb4456727538d61f064c.1684461197.git.maxim.cournoyer@HIDDEN>
 (Maxim Cournoyer's message of "Thu, 18 May 2023 21:59:13 -0400")
Message-ID: <87lehgwgvz.fsf_-_@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -2.3 (--)
X-Debbugs-Envelope-To: 63402
Cc: 63402 <at> debbugs.gnu.org, 63403 <at> debbugs.gnu.org
X-Spam-Score: -3.3 (---)

Hi,

Maxim Cournoyer <maxim.cournoyer@HIDDEN> skribis:

> * gnu/services/herd.scm (current-service): New procedure, mostly reusing the
> existing current-services.
> (current-services): Implement in terms of the above procedure.

How about having (lookup-service name) that calls the ‘status’ action on
the given service and either returns a <live-service> or #f?

‘current-services’ might be implemented as (lookup-service 'root) but
this should be kept as an implementation detail.

Ludo’.




Information forwarded to guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


Received: (at 63402) by debbugs.gnu.org; 19 May 2023 02:01:29 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Thu May 18 22:01:29 2023
Received: from localhost ([127.0.0.1]:54958 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1pzpQv-00073j-1G
	for submit <at> debbugs.gnu.org; Thu, 18 May 2023 22:01:29 -0400
Received: from mail-qv1-f48.google.com ([209.85.219.48]:61442)
 by debbugs.gnu.org with esmtp (Exim 4.84_2)
 (envelope-from <maxim.cournoyer@HIDDEN>) id 1pzpQs-000738-16
 for 63402 <at> debbugs.gnu.org; Thu, 18 May 2023 22:01:27 -0400
Received: by mail-qv1-f48.google.com with SMTP id
 6a1803df08f44-5ed99ebe076so22055006d6.2
 for <63402 <at> debbugs.gnu.org>; Thu, 18 May 2023 19:01:26 -0700 (PDT)
X-Received: by 2002:a05:6214:d4b:b0:614:9b92:cac1 with SMTP id
 11-20020a0562140d4b00b006149b92cac1mr2077997qvr.47.1684461680252; 
 Thu, 18 May 2023 19:01:20 -0700 (PDT)
Received: from localhost.localdomain (dsl-150-33.b2b2c.ca. [66.158.150.33])
 by smtp.gmail.com with ESMTPSA id
 mg14-20020a056214560e00b0062389d885f5sm964348qvb.47.2023.05.18.19.01.19
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 18 May 2023 19:01:19 -0700 (PDT)
From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v5 5/5] gnu: linux-libre: Apply wireguard patch fixing
 keep-alive bug.
Date: Thu, 18 May 2023 21:59:17 -0400
Message-Id: <7ad316feb164d04c47c9f61257f771a1a33209ba.1684461197.git.maxim.cournoyer@HIDDEN>
X-Mailer: git-send-email 2.40.1
In-Reply-To: <cover.1684461197.git.maxim.cournoyer@HIDDEN>
References: <cover.1684461197.git.maxim.cournoyer@HIDDEN>
MIME-Version: 1.0
X-Debbugs-Cc: Leo Famulari <leo@HIDDEN>,
 Tobias Geerinckx-Rice <me@HIDDEN>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Spam-Score: 0.0 (/)
X-Debbugs-Envelope-To: 63402
Cc: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
X-Spam-Score: -1.0 (-)

* gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/linux.scm (linux-libre-6.3-source, linux-libre-6.2-source)
(linux-libre-6.1-source, linux-libre-5.15-source)
(linux-libre-5.10-source): Apply it.
---
 gnu/local.mk                                  |   1 +
 gnu/packages/linux.scm                        |  27 ++--
 ...linux-libre-wireguard-postup-privkey.patch | 119 ++++++++++++++++++
 3 files changed, 139 insertions(+), 8 deletions(-)
 create mode 100644 gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 42514ded8e..0b0aafa016 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1515,6 +1515,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/linphone-desktop-without-sdk.patch	\
   %D%/packages/patches/linux-libre-infodocs-target.patch	\
   %D%/packages/patches/linux-libre-support-for-Pinebook-Pro.patch \
+  %D%/packages/patches/linux-libre-wireguard-postup-privkey.patch \
   %D%/packages/patches/linux-pam-no-setfsuid.patch		\
   %D%/packages/patches/linux-pam-unix_chkpwd.patch		\
   %D%/packages/patches/linuxdcpp-openssl-1.1.patch		\
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index 1aa87d3965..2780aa47dc 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -34,7 +34,7 @@
 ;;; Copyright © 2018 Vasile Dumitrascu <va511e@HIDDEN>
 ;;; Copyright © 2019 Tim Gesthuizen <tim.gesthuizen@HIDDEN>
 ;;; Copyright © 2019 mikadoZero <mikadozero@HIDDEN>
-;;; Copyright © 2019, 2020, 2021, 2022 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
+;;; Copyright © 2019, 2020, 2021, 2022, 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
 ;;; Copyright © 2019 Stefan Stefanović <stefanx2ovic@HIDDEN>
 ;;; Copyright © 2019-2022 Brice Waegeneire <brice@HIDDEN>
 ;;; Copyright © 2019 Kei Kebreau <kkebreau@HIDDEN>
@@ -639,28 +639,39 @@ (define (source-with-patches source patches)
 (define-public linux-libre-6.3-source
   (source-with-patches linux-libre-6.3-pristine-source
                        (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch)))
+                             %linux-libre-arm-export-__sync_icache_dcache-patch
+                             (search-patch
+                              "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-6.2-source
   (source-with-patches linux-libre-6.2-pristine-source
                        (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch)))
+                             %linux-libre-arm-export-__sync_icache_dcache-patch
+                             (search-patch
+                              "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-6.1-source
   (source-with-patches linux-libre-6.1-pristine-source
-                       (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch
-                             (search-patch "linux-libre-infodocs-target.patch"))))
+                       (append
+                        (list %boot-logo-patch
+                              %linux-libre-arm-export-__sync_icache_dcache-patch)
+                        (search-patches
+                         "linux-libre-infodocs-target.patch"
+                         "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-5.15-source
   (source-with-patches linux-libre-5.15-pristine-source
                        (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch)))
+                             %linux-libre-arm-export-__sync_icache_dcache-patch
+                             (search-patch
+                              "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-5.10-source
   (source-with-patches linux-libre-5.10-pristine-source
                        (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch)))
+                             %linux-libre-arm-export-__sync_icache_dcache-patch
+                             (search-patch
+                              "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-5.4-source
   (source-with-patches linux-libre-5.4-pristine-source
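Review bot: the same patch is added in two different shapes within this hunk: the 6.3, 6.2, 5.15 and 5.10 definitions extend their `list` with `(search-patch "linux-libre-wireguard-postup-privkey.patch")`, while 6.1 is rewritten to `(append (list ...) (search-patches "linux-libre-infodocs-target.patch" "linux-libre-wireguard-postup-privkey.patch"))`. Since the 6.1 list already held a `search-patch` call, adding a second `(search-patch ...)` element there would keep the five definitions parallel and the diff smaller; if `search-patches` is preferred, apply it to all five. Separately, `linux-libre-5.4-source` at the tail of the hunk is left untouched and the commit message does not say why; one line giving the reason (for instance that the Fixes: target commit is not in that series) would spare the reader the check.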
diff --git a/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch b/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch
new file mode 100644
index 0000000000..a6050499e1
--- /dev/null
+++ b/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch
@@ -0,0 +1,119 @@
+From 3ac1bf099766f1e9735883d5127148054cd5b30a Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@HIDDEN>
+Date: Thu, 18 May 2023 03:08:44 +0200
+Subject: wireguard: netlink: send staged packets when setting initial private
+ key
+
+Packets bound for peers can queue up prior to the device private key
+being set. For example, if persistent keepalive is set, a packet is
+queued up to be sent as soon as the device comes up. However, if the
+private key hasn't been set yet, the handshake message never sends, and
+no timer is armed to retry, since that would be pointless.
+
+But, if a user later sets a private key, the expectation is that those
+queued packets, such as a persistent keepalive, are actually sent. So
+adjust the configuration logic to account for this edge case, and add a
+test case to make sure this works.
+
+Maxim noticed this with a wg-quick(8) config to the tune of:
+
+    [Interface]
+    PostUp = wg set %i private-key somefile
+
+    [Peer]
+    PublicKey = ...
+    Endpoint = ...
+    PersistentKeepalive = 25
+
+Here, the private key gets set after the device comes up using a PostUp
+script, triggering the bug.
+
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Cc: stable@HIDDEN
+Reported-by: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
+Link: https://lore.kernel.org/wireguard/87fs7xtqrv.fsf@HIDDEN/
+Signed-off-by: Jason A. Donenfeld <Jason@HIDDEN>
+---
+ drivers/net/wireguard/netlink.c            | 14 +++++++++-----
+ tools/testing/selftests/wireguard/netns.sh | 30 ++++++++++++++++++++++++++----
+ 2 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c
+index 43c8c84e7ea8..6d1bd9f52d02 100644
+--- a/drivers/net/wireguard/netlink.c
++++ b/drivers/net/wireguard/netlink.c
+@@ -546,6 +546,7 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
+ 		u8 *private_key = nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]);
+ 		u8 public_key[NOISE_PUBLIC_KEY_LEN];
+ 		struct wg_peer *peer, *temp;
++		bool send_staged_packets;
+ 
+ 		if (!crypto_memneq(wg->static_identity.static_private,
+ 				   private_key, NOISE_PUBLIC_KEY_LEN))
+@@ -564,14 +565,17 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
+ 		}
+ 
+ 		down_write(&wg->static_identity.lock);
+-		wg_noise_set_static_identity_private_key(&wg->static_identity,
+-							 private_key);
+-		list_for_each_entry_safe(peer, temp, &wg->peer_list,
+-					 peer_list) {
++		send_staged_packets = !wg->static_identity.has_identity && netif_running(wg->dev);
++		wg_noise_set_static_identity_private_key(&wg->static_identity, private_key);
++		send_staged_packets = send_staged_packets && wg->static_identity.has_identity;
++
++		wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
++		list_for_each_entry_safe(peer, temp, &wg->peer_list, peer_list) {
+ 			wg_noise_precompute_static_static(peer);
+ 			wg_noise_expire_current_peer_keypairs(peer);
++			if (send_staged_packets)
++				wg_packet_send_staged_packets(peer);
+ 		}
+-		wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
+ 		up_write(&wg->static_identity.lock);
+ 	}
+ skip_set_private_key:
+diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh
+index 69c7796c7ca9..405ff262ca93 100755
+--- a/tools/testing/selftests/wireguard/netns.sh
++++ b/tools/testing/selftests/wireguard/netns.sh
+@@ -514,10 +514,32 @@ n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
+ n1 ping -W 1 -c 1 192.168.241.2
+ [[ $(n2 wg show wg0 endpoints) == "$pub1	10.0.0.3:1" ]]
+ 
+-ip1 link del veth1
+-ip1 link del veth3
+-ip1 link del wg0
+-ip2 link del wg0
++ip1 link del dev veth3
++ip1 link del dev wg0
++ip2 link del dev wg0
++
++# Make sure persistent keep alives are sent when an adapter comes up
++ip1 link add dev wg0 type wireguard
++n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -eq 0 ]]
++ip1 link set dev wg0 up
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -gt 0 ]]
++ip1 link del dev wg0
++# This should also happen even if the private key is set later
++ip1 link add dev wg0 type wireguard
++n1 wg set wg0 peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -eq 0 ]]
++ip1 link set dev wg0 up
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -eq 0 ]]
++n1 wg set wg0 private-key <(echo "$key1")
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -gt 0 ]]
++ip1 link del dev veth1
++ip1 link del dev wg0
+ 
+ # We test that Netlink/IPC is working properly by doing things that usually cause split responses
+ ip0 link add dev wg0 type wireguard
+-- 
+cgit v1.2.3-59-g8ed1b
+
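Review bot: the patch file carries no leading comment stating where it comes from and when it can be dropped, which other files under gnu/packages/patches/ do; add a couple of lines above the `From 3ac1bf099766f1e9735883d5127148054cd5b30a ...` header pointing at the upstream commit (the `Link:` trailer and the `cgit` footer identify it) and noting that it is `Cc: stable@`, so it can be removed once the 5.15 and 5.10 stable series include it. The netlink.c change itself looks right: `send_staged_packets` is computed from `!has_identity && netif_running()` before the key is installed and re-checked against `has_identity` afterwards, so a key that `wg_noise_set_static_identity_private_key` does not accept leaves it false, and moving `wg_cookie_checker_precompute_device_keys()` above the peer loop is consistent with handshakes now being triggered from inside that loop. The netns.sh part only matters for the kernel selftests, which Guix does not run, so it could be trimmed from the local copy if it ever stops applying.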
-- 
2.40.1





Information forwarded to leo@HIDDEN, me@HIDDEN, guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v5 4/5] services: wireguard: Add a 'configuration' action.
Date: Thu, 18 May 2023 21:59:16 -0400

* gnu/services/vpn.scm (wireguard-shepherd-service) [actions]: New field.
---
 gnu/services/vpn.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 8740722b6f..e1d9f5f044 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -914,6 +914,7 @@ (define (wireguard-shepherd-service config)
              (stop #~(lambda _
                        (invoke #$wg-quick "down" #$config)
                        #f))                       ;stopped!
+             (actions (list (shepherd-configuration-action config)))
              (documentation "Run the Wireguard VPN tunnel"))))))
 
 (define (wireguard-monitoring-jobs config)
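Review bot: the new `configuration` action is not documented anywhere in this patch; a sentence in the `VPN Services` node of doc/guix.texi saying that `herd configuration <service>` reports the generated wg-quick configuration would tell users it exists. Also, `shepherd-configuration-action` is used without any `#:use-module` change in the hunk; if it is already provided by `(gnu services shepherd)`, which this file imports, that is fine, otherwise the import needs adding.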
-- 
2.40.1





From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v5 3/5] services: wireguard: Clean-up configuration file
 serializer.
Date: Thu, 18 May 2023 21:59:15 -0400

Previously, the generated config file would contain arbitrary whitespace that
made it look ugly.

* gnu/services/vpn.scm (<wireguard-configuration>) [dns]: Change default value
from #f to '().
(wireguard-configuration-file): Use match-record.  Format each line
individually, assembling the lines at the end to avoid extraneous white space.
* doc/guix.texi (VPN Services): Update doc.
---
 doc/guix.texi        |   2 +-
 gnu/services/vpn.scm | 119 ++++++++++++++++---------------------------
 2 files changed, 46 insertions(+), 75 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index b19ba887a1..e2f46852e2 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32639,7 +32639,7 @@ VPN Services
 @item @code{port} (default: @code{51820})
 The port on which to listen for incoming connections.
 
-@item @code{dns} (default: @code{#f})
+@item @code{dns} (default: @code{'())})
 The DNS server(s) to announce to VPN clients via DHCP.
 
 @item @code{monitor-ips?} (default: @code{#f})
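Review bot: `@code{'())}` on the `dns` line has one `)` too many: the braces enclose `'())`, so the rendered manual reads `(default: '()))`; it should be `@code{'()})`, matching the `@code{'()}` used for `peers` elsewhere in this node.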
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 9cf08c194a..8740722b6f 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -44,6 +44,7 @@ (define-module (gnu services vpn)
   #:use-module (guix i18n)
   #:use-module (guix deprecation)
   #:use-module (srfi srfi-1)
+  #:use-module (ice-9 format)
   #:use-module (ice-9 match)
   #:use-module (ice-9 regex)
   #:export (openvpn-client-service  ; deprecated
@@ -745,7 +746,7 @@ (define-record-type* <wireguard-configuration>
   (peers              wireguard-configuration-peers ;list of <wiregard-peer>
                       (default '()))
   (dns                wireguard-configuration-dns ;list of strings
-                      (default #f))
+                      (default '()))
   (monitor-ips?       wireguard-configuration-monitor-ips? ;boolean
                       (default #f))
   (monitor-ips-interval wireguard-configuration-monitor-ips-interval
@@ -763,24 +764,15 @@ (define-record-type* <wireguard-configuration>
 
 (define (wireguard-configuration-file config)
   (define (peer->config peer)
-    (let ((name (wireguard-peer-name peer))
-          (public-key (wireguard-peer-public-key peer))
-          (endpoint (wireguard-peer-endpoint peer))
-          (allowed-ips (wireguard-peer-allowed-ips peer))
-          (keep-alive (wireguard-peer-keep-alive peer)))
-      (format #f "[Peer] #~a
-PublicKey = ~a
-AllowedIPs = ~a
-~a~a"
-              name
-              public-key
-              (string-join allowed-ips ",")
-              (if endpoint
-                  (format #f "Endpoint = ~a\n" endpoint)
-                  "")
-              (if keep-alive
-                  (format #f "PersistentKeepalive = ~a\n" keep-alive)
-                  "\n"))))
+    (match-record peer <wireguard-peer>
+      (name public-key endpoint allowed-ips keep-alive)
+      (let ((lines (list
+                    (format #f "[Peer]   #~a" name)
+                    (format #f "PublicKey = ~a" public-key)
+                    (format #f "AllowedIPs = ~{~a~^, ~}" allowed-ips)
+                    (format #f "~@[Endpoint = ~a~]" endpoint)
+                    (format #f "~@[PersistentKeepalive = ~a~]" keep-alive))))
+        (string-join (remove string-null? lines) "\n"))))
 
   (define (peers->preshared-keys peer keys)
     (let ((public-key (wireguard-peer-public-key peer))
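Review bot: `"[Peer]   #~a"` emits three spaces before the `#`, which reads as a typo given that the commit message is about removing stray whitespace; `"[Peer] # ~a"` is the cleaner form. The rest of the rewrite is sound: `~@[Endpoint = ~a~]` and `~@[PersistentKeepalive = ~a~]` produce `""` when the value is `#f`, and `(remove string-null? lines)` drops those before the `string-join`, so no blank line is left behind. Note that the AllowedIPs separator changes from `","` to `", "`; wg(8) accepts both, so this is only a cosmetic change, but it is worth one line in the commit message.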
@@ -799,65 +791,44 @@ (define (wireguard-configuration-file config)
             (computed-file
              "wireguard-config"
              #~(begin
+                 (use-modules (ice-9 format)
+                              (srfi srfi-1))
+
+                 (define lines
+                   (list
+                    "[Interface]"
+                    #$@(if (null? addresses)
+                           '()
+                           (list (format #f "Address = ~{~a~^, ~}"
+                                         addresses)))
+                    (format #f "~@[Table = ~a~]" #$table)
+                    #$@(if (null? pre-up)
+                           '()
+                           (list (format #f "~{PreUp = ~a~%~}" pre-up)))
+                    (format #f "PostUp = ~a set %i private-key ~a\
+~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg")
+#$private-key '#$peer-keys)
+                    #$@(if (null? post-up)
+                           '()
+                           (list (format #f "~{PostUp = ~a~%~}" post-up)))
+                    #$@(if (null? pre-down)
+                           '()
+                           (list (format #f "~{PreDown = ~a~%~}" pre-down)))
+                    #$@(if (null? post-down)
+                           '()
+                           (list (format #f "~{PostDown = ~a~%~}" post-down)))
+                    (format #f "~@[ListenPort = ~a~]" #$port)
+                    #$@(if (null? dns)
+                           '()
+                           (list (format #f "~{DNS = ~{~a~^, ~}" dns)))))
+
                  (mkdir #$output)
                  (chdir #$output)
                  (call-with-output-file #$config-file
                    (lambda (port)
-                     (let ((format (@ (ice-9 format) format)))
-                       (format port "[Interface]
-Address = ~a
-~a
-~a
-PostUp = ~a set %i private-key ~a~{ peer ~a preshared-key ~a~}
-~a
-~a
-~a
-~a
-~a
-~{~a~^~%~}"
-                               #$(string-join addresses ",")
-                               #$(if table
-                                     (format #f "Table = ~a" table)
-                                     "")
-                               #$(if (null? pre-up)
-                                     ""
-                                     (string-join
-                                      (map (lambda (command)
-                                             (format #f "PreUp = ~a" command))
-                                           pre-up)
-                                      "\n"))
-                               #$(file-append wireguard "/bin/wg")
-                               #$private-key
-                               '#$peer-keys
-                               #$(if (null? post-up)
-                                     ""
-                                     (string-join
-                                      (map (lambda (command)
-                                             (format #f "PostUp = ~a" command))
-                                           post-up)
-                                      "\n"))
-                               #$(if (null? pre-down)
-                                     ""
-                                     (string-join
-                                      (map (lambda (command)
-                                             (format #f "PreDown = ~a" command))
-                                           pre-down)
-                                      "\n"))
-                               #$(if (null? post-down)
-                                     ""
-                                     (string-join
-                                      (map (lambda (command)
-                                             (format #f "PostDown = ~a" command))
-                                           post-down)
-                                      "\n"))
-                               #$(if port
-                                     (format #f "ListenPort = ~a" port)
-                                     "")
-                               #$(if dns
-                                     (format #f "DNS = ~a"
-                                             (string-join dns ","))
-                                     "")
-                               (list #$@peers)))))))))
+                     (format port "~a~%~%~{~a~%~^~%~}"
+                             (string-join (remove string-null? lines) "\n")
+                             '#$peers)))))))
       (file-append config "/" config-file))))
 
 (define (wireguard-activation config)
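Review bot: the DNS format string in `(list (format #f "~{DNS = ~{~a~^, ~}" dns))` opens an outer `~{` that is never closed, and even if it were closed it would apply the inner `~{~a~^, ~}` to each DNS string rather than to the list; it should be `(format #f "DNS = ~{~a~^, ~}" dns)`, exactly like the `Address` line above it. Two smaller points: each of the `~{PreUp = ~a~%~}` / `PostUp` / `PreDown` / `PostDown` groups ends with a `~%` that the final `(string-join ... "\n")` follows with another newline, leaving a blank line after every such group, so `~{PreUp = ~a~^~%~}` (and likewise for the others) would match the commit's stated goal; and `(null? dns)` is false for `#f`, so a user configuration that still sets `(dns #f)` explicitly now reaches `format` with a non-list, which this patch should either tolerate (`(or (not dns) (null? dns))`) or call out as a breaking change in the commit message.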
-- 
2.40.1





From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v5 2/5] services: wireguard: Implement a dynamic IP monitoring
 feature.
Date: Thu, 18 May 2023 21:59:14 -0400

* gnu/services/vpn.scm (<wireguard-configuration>)
[monitor-ips?, monitor-ips-internal]: New fields.
* gnu/services/vpn.scm (define-with-source): New syntax.
(wireguard-service-name, strip-port/maybe)
(ipv4-address?, ipv6-address?, host-name?)
(endpoint-host-names): New procedure.
(wireguard-monitoring-jobs): Likewise.
(wireguard-service-type): Register it.
* tests/services/vpn.scm: New file.
* Makefile.am (SCM_TESTS): Register it.
* doc/guix.texi (VPN Services): Update doc.
---
 Makefile.am            |   1 +
 doc/guix.texi          |  17 ++++-
 gnu/services/vpn.scm   | 148 +++++++++++++++++++++++++++++++++++++++--
 tests/services/vpn.scm |  83 +++++++++++++++++++++++
 4 files changed, 243 insertions(+), 6 deletions(-)
 create mode 100644 tests/services/vpn.scm

diff --git a/Makefile.am b/Makefile.am
index 8b7bb4772d..e1cb1083fc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -557,6 +557,7 @@ SCM_TESTS =					\
   tests/services/lightdm.scm			\
   tests/services/linux.scm			\
   tests/services/telephony.scm			\
+  tests/services/vpn.scm			\
   tests/sets.scm				\
   tests/size.scm				\
   tests/status.scm				\
diff --git a/doc/guix.texi b/doc/guix.texi
index b40870f42b..b19ba887a1 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32642,9 +32642,22 @@ VPN Services
 @item @code{dns} (default: @code{#f})
 The DNS server(s) to announce to VPN clients via DHCP.
 
+@item @code{monitor-ips?} (default: @code{#f})
+@cindex Dynamic IP, with Wireguard
+@cindex dyndns, usage with Wireguard
+Whether to monitor the resolved Internet addresses (IPs) of the
+endpoints of the configured peers, resetting the peer endpoints using an
+IP address that no longer correspond to their freshly resolved host
+name.  Set this to @code{#t} if one or more endpoints use host names
+provided by a dynamic DNS service to keep the sessions alive.
+
+@item @code{monitor-ips-internal} (default: @code{'(next-minute (range 0 60 5))})
+The time interval at which the IP monitoring job should run, provided as
+an mcron time specification (@pxref{Guile Syntax,,,mcron}).
+
 @item @code{private-key} (default: @code{"/etc/wireguard/private.key"})
-The private key file for the interface.  It is automatically generated if
-the file does not exist.
+The private key file for the interface.  It is automatically generated
+if the file does not exist.
 
 @item @code{peers} (default: @code{'()})
 The authorized peers on this interface.  This is a list of
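Review bot: the documented field name `monitor-ips-internal` does not match the record field `monitor-ips-interval` that this patch adds to `<wireguard-configuration>` (and exports as `wireguard-configuration-monitor-ips-interval`); the same typo is in the ChangeLog entry of the commit message. Two wording points in the new text: "an IP address that no longer correspond to" should read "corresponds to", and the `monitor-ips?` entry should say what runs the check (an mcron job attached to the service, per the `(gnu services mcron)` import) so users know that mcron has to be part of their system for the option to have any effect.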
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index a884d71eb2..9cf08c194a 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -11,6 +11,7 @@
 ;;; Copyright © 2021 Nathan Dehnel <ncdehnel@HIDDEN>
 ;;; Copyright © 2022 Cameron V Chaparro <cameron@HIDDEN>
 ;;; Copyright © 2022 Timo Wilken <guix@HIDDEN>
+;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -31,10 +32,12 @@ (define-module (gnu services vpn)
   #:use-module (gnu services)
   #:use-module (gnu services configuration)
   #:use-module (gnu services dbus)
+  #:use-module (gnu services mcron)
   #:use-module (gnu services shepherd)
   #:use-module (gnu system shadow)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages vpn)
+  #:use-module (guix modules)
   #:use-module (guix packages)
   #:use-module (guix records)
   #:use-module (guix gexp)
@@ -73,6 +76,8 @@ (define-module (gnu services vpn)
             wireguard-configuration-addresses
             wireguard-configuration-port
             wireguard-configuration-dns
+            wireguard-configuration-monitor-ips?
+            wireguard-configuration-monitor-ips-interval
             wireguard-configuration-private-key
             wireguard-configuration-peers
             wireguard-configuration-pre-up
@@ -741,6 +746,10 @@ (define-record-type* <wireguard-configuration>
                       (default '()))
   (dns                wireguard-configuration-dns ;list of strings
                       (default #f))
+  (monitor-ips?       wireguard-configuration-monitor-ips? ;boolean
+                      (default #f))
+  (monitor-ips-interval wireguard-configuration-monitor-ips-interval
+                        (default '(next-minute (range 0 60 5)))) ;string | list
   (pre-up             wireguard-configuration-pre-up ;list of strings
                       (default '()))
   (post-up            wireguard-configuration-post-up ;list of strings
@@ -871,6 +880,56 @@ (define (wireguard-activation config)
             (chmod #$private-key #o400)
             (close-pipe pipe))))))
 
+;;; XXX: Copied from (guix scripts pack), changing define to define*.
+(define-syntax-rule (define-with-source (variable args ...) body body* ...)
+  "Bind VARIABLE to a procedure accepting ARGS defined as BODY, also setting
+its source property."
+  (begin
+    (define* (variable args ...)
+      body body* ...)
+    (eval-when (load eval)
+      (set-procedure-property! variable 'source
+                               '(define* (variable args ...) body body* ...)))))
+
+(define (wireguard-service-name interface)
+  "Return the WireGuard service name (a symbol) configured to use INTERFACE."
+  (symbol-append 'wireguard- (string->symbol interface)))
+
+(define-with-source (strip-port/maybe endpoint #:key ipv6?)
+  "Strip the colon and port, if present in ENDPOINT, a string."
+  (if ipv6?
+      (if (string-prefix? "[" endpoint)
+          (first (string-split (string-drop endpoint 1) #\])) ;ipv6
+          endpoint)
+      (first (string-split endpoint #\:)))) ;ipv4
+
+(define (ipv4-address? str)
+  "Return true if STR denotes an IPv4 address."
+  (false-if-exception
+   (->bool (inet-pton AF_INET (strip-port/maybe str)))))
+
+(define (ipv6-address? str)
+  "Return true if STR denotes an IPv6 address."
+  (false-if-exception
+   (->bool (inet-pton AF_INET6 (strip-port/maybe str #:ipv6? #t)))))
+
+(define (host-name? name)
+  "Predicate to check whether NAME is a host name, i.e. not an IP address."
+  (not (or (ipv6-address? name) (ipv4-address? name))))
+
+(define (endpoint-host-names peers)
+  "Return an association list of endpoint host names keyed by their peer
+public key, if any."
+  (reverse
+   (fold (lambda (peer host-names)
+           (let ((public-key (wireguard-peer-public-key peer))
+                 (endpoint (wireguard-peer-endpoint peer)))
+             (if (and endpoint (host-name? endpoint))
+                 (cons (cons public-key endpoint) host-names)
+                 host-names)))
+         '()
+         peers)))
+
 (define (wireguard-shepherd-service config)
   (match-record config <wireguard-configuration>
     (wireguard interface)
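Review bot: host-name? is defined as "not an IP address", so an empty string, a malformed endpoint such as "host:port:extra" or a typo'd address all count as host names, and endpoint-host-names hands them straight to the monitoring job, which later passes them to `wg set`; since the endpoint field is otherwise unchecked, a minimal shape check (non-empty, at most one trailing :port) before classifying a value as resolvable would catch configuration mistakes at build time rather than in a cron log. Two smaller points in the same hunk: endpoint-host-names returns the host name with its port attached (the new test expects "some.dynamic-dns.service:53281"), so its docstring should say "host names with optional port"; and define-with-source is copied verbatim from (guix scripts pack) rather than moved to a shared module, which the XXX comment acknowledges but which is cheapest to fix in this patch by exporting a single definition from a common module.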
@@ -878,9 +937,7 @@ (define (wireguard-shepherd-service config)
           (config (wireguard-configuration-file config)))
       (list (shepherd-service
              (requirement '(networking))
-             (provision (list
-                         (symbol-append 'wireguard-
-                                        (string->symbol interface))))
+             (provision (list (wireguard-service-name interface)))
              (start #~(lambda _
                        (invoke #$wg-quick "up" #$config)))
              (stop #~(lambda _
@@ -888,6 +945,87 @@ (define (wireguard-shepherd-service config)
                        #f))                       ;stopped!
              (documentation "Run the Wireguard VPN tunnel"))))))
 
+(define (wireguard-monitoring-jobs config)
+  ;; Loosely based on WireGuard's own 'reresolve-dns.sh' shell script (see:
+  ;; https://raw.githubusercontent.com/WireGuard/wireguard-tools/
+  ;; master/contrib/reresolve-dns/reresolve-dns.sh).
+  (match-record config <wireguard-configuration>
+    (interface monitor-ips? monitor-ips-interval peers)
+    (let ((host-names (endpoint-host-names peers)))
+      (if monitor-ips?
+          (if (null? host-names)
+              (begin
+                (warn "monitor-ips? is #t but no host name to monitor")
+                '())
+              ;; The mcron monitor job may be a string or a list; ungexp strips
+              ;; one quote level, which must be added back when a list is
+              ;; provided.
+              (list
+               #~(job
+                  (if (string? #$monitor-ips-interval)
+                      #$monitor-ips-interval
+                      '#$monitor-ips-interval)
+                  #$(program-file
+                     (format #f "wireguard-~a-monitoring" interface)
+                     (with-imported-modules (source-module-closure
+                                             '((gnu services herd)
+                                               (guix build utils)))
+                       #~(begin
+                           (use-modules (gnu services herd)
+                                        (guix build utils)
+                                        (ice-9 popen)
+                                        (ice-9 match)
+                                        (ice-9 textual-ports)
+                                        (srfi srfi-1)
+                                        (srfi srfi-26))
+
+                           (define (resolve-host name)
+                             "Return the IP address resolved from NAME."
+                             (let* ((ai (car (getaddrinfo name)))
+                                    (sa (addrinfo:addr ai)))
+                               (inet-ntop (sockaddr:fam sa)
+                                          (sockaddr:addr sa))))
+
+                           (define wg #$(file-append wireguard-tools "/bin/wg"))
+
+                           #$(procedure-source strip-port/maybe)
+
+                           (define service-name '#$(wireguard-service-name
+                                                    interface))
+
+                           (when (live-service-running
+                                  (current-service service-name))
+                             (let* ((pipe (open-pipe* OPEN_READ wg "show"
+                                                      #$interface "endpoints"))
+                                    (lines (string-split (get-string-all pipe)
+                                                         #\newline))
+                                    ;; IPS is an association list mapping
+                                    ;; public keys to IP addresses.
+                                    (ips (map (match-lambda
+                                                ((public-key ip)
+                                                 (cons public-key
+                                                       (strip-port/maybe ip))))
+                                              (map (cut string-split <> #\tab)
+                                                   (remove string-null?
+                                                           lines)))))
+                               (close-pipe pipe)
+                               (for-each
+                                (match-lambda
+                                  ((key . host-name)
+                                   (let ((resolved-ip (resolve-host
+                                                       (strip-port/maybe
+                                                        host-name)))
+                                         (current-ip (assoc-ref ips key)))
+                                     (unless (string=? resolved-ip current-ip)
+                                       (format #t "resetting `~a' peer \
+endpoint to `~a' due to stale IP (`~a' instead of `~a')~%"
+                                               key host-name
+                                               current-ip resolved-ip)
+                                       (invoke wg "set" #$interface "peer" key
+                                               "endpoint" host-name)))))
+                                '#$host-names)))))))))
+          '()))))                     ;monitor-ips? is #f
+
 (define wireguard-service-type
   (service-type
    (name 'wireguard)
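Review bot: in the construction of the ips alist, `(strip-port/maybe ip)` is applied without `#:ipv6? #t` to the output of `wg show <interface> endpoints`, which prints IPv6 endpoints as `[addr]:port`; splitting on the first colon yields "[2607", which never equals the bracket-free address inet-ntop returns from resolve-host, so every IPv6 peer with a host name endpoint gets `wg set ... endpoint` on every run of the job. Pass `#:ipv6? (string-prefix? "[" ip)`, or teach strip-port/maybe to detect the bracket itself. Three further points in the same procedure: resolve-host uses only `(car (getaddrinfo name))`, so a name with both A and AAAA records can resolve to the other address family than the one currently in use and trigger the same spurious reset, and getaddrinfo raises on a transient DNS failure, which aborts the job instead of letting it retry at the next interval, so wrap it in a catch (an alternative is to reset only when `wg show <interface> latest-handshakes` shows no recent handshake, which avoids comparing addresses at all); `(assoc-ref ips key)` is #f when the key is absent from the endpoints table and `string=?` then raises a wrong-type error, so guard it with `(and current-ip ...)`; and current-service is documented to return #f when the service cannot be obtained, on which `live-service-running` fails the same way. Finally, the endpoint is taken from an unauthenticated DNS answer; that is fine for WireGuard, whose handshake only completes with the holder of the peer's private key, so a spoofed answer can at worst deny service, but the documentation of monitor-ips? should say so.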
@@ -898,6 +1036,8 @@ (define wireguard-service-type
                              wireguard-activation)
           (service-extension profile-service-type
                              (compose list
-                                      wireguard-configuration-wireguard))))
+                                      wireguard-configuration-wireguard))
+          (service-extension mcron-service-type
+                             wireguard-monitoring-jobs)))
    (description "Set up Wireguard @acronym{VPN, Virtual Private Network}
 tunnels.")))
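Review bot: the mcron-service-type extension is unconditional, so every system with a wireguard-service now pulls in mcron if it is not already configured, including the common case monitor-ips? #f where wireguard-monitoring-jobs returns '(). That may be acceptable, but it is a new dependency and the job needs root (it runs `wg set` and talks to the Shepherd through current-service), so both facts belong in the guix.texi entry for monitor-ips? added by this patch.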
diff --git a/tests/services/vpn.scm b/tests/services/vpn.scm
new file mode 100644
index 0000000000..a7f4bec26b
--- /dev/null
+++ b/tests/services/vpn.scm
@@ -0,0 +1,83 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (tests services vpn)
+  #:use-module (gnu packages vpn)
+  #:use-module (gnu services vpn)
+  #:use-module (guix gexp)
+  #:use-module (ice-9 match)
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-64))
+
+;;; Commentary:
+;;;
+;;; Unit tests for the (gnu services vpn) module.
+;;;
+;;; Code:
+
+;;; Access some internals for whitebox testing.
+(define ipv4-address? (@@ (gnu services vpn) ipv4-address?))
+(define ipv6-address? (@@ (gnu services vpn) ipv6-address?))
+(define host-name? (@@ (gnu services vpn) host-name?))
+(define endpoint-host-names
+  (@@ (gnu services vpn) endpoint-host-names))
+
+(test-begin "vpn-services")
+
+(test-assert "ipv4-address?"
+  (every ipv4-address?
+         (list "192.95.5.67:1234"
+               "10.0.0.1")))
+
+(test-assert "ipv6-address?"
+  (every ipv6-address?
+         (list "[2607:5300:60:6b0::c05f:543]:2468"
+               "2607:5300:60:6b0::c05f:543"
+               "2345:0425:2CA1:0000:0000:0567:5673:23b5"
+               "2345:0425:2CA1::0567:5673:23b5")))
+
+(define %wireguard-peers
+  (list (wireguard-peer
+         (name "dummy1")
+         (public-key "VlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XjoalC8=")
+         (endpoint "some.dynamic-dns.service:53281")
+         (allowed-ips '()))
+        (wireguard-peer
+         (name "dummy2")
+         (public-key "AlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC9=")
+         (endpoint "example.org")
+         (allowed-ips '()))
+        (wireguard-peer
+         (name "dummy3")
+         (public-key "BlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC7=")
+         (endpoint "10.0.0.7:7777")
+         (allowed-ips '()))
+        (wireguard-peer
+         (name "dummy4")
+         (public-key "ClesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC6=")
+         (endpoint "[2345:0425:2CA1::0567:5673:23b5]:44444")
+         (allowed-ips '()))))
+
+(test-equal "endpoint-host-names"
+  '(("VlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XjoalC8=" .
+     "some.dynamic-dns.service:53281")
+    ("AlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC9=" .
+     "example.org"))
+  (endpoint-host-names %wireguard-peers))
+
+(test-end "vpn-services")
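Review bot: the tests only cover the positive path: host-name? is imported at the top but never exercised, and there is no check that ipv4-address? rejects an IPv6 literal or a host name (and the reverse for ipv6-address?), which is exactly the distinction endpoint-host-names relies on to decide what to feed to `wg set`. Add a test-assert that `(every host-name? '("example.org" "some.dynamic-dns.service:53281"))`, one that `(not (any ipv4-address? '("example.org" "2607:5300:60:6b0::c05f:543")))`, and a peer with `(endpoint #f)` in %wireguard-peers to confirm it is skipped; dummy3 and dummy4 already cover the IPv4 and IPv6 exclusion side.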
-- 
2.40.1





Information forwarded to guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v5 1/5] services: herd: Add a new 'current-service' procedure.
Date: Thu, 18 May 2023 21:59:13 -0400
Message-Id: <4ae50adcd4cef9d26b26eb4456727538d61f064c.1684461197.git.maxim.cournoyer@HIDDEN>
X-Mailer: git-send-email 2.40.1
In-Reply-To: <cover.1684461197.git.maxim.cournoyer@HIDDEN>
References: <cover.1684461197.git.maxim.cournoyer@HIDDEN>
Cc: Maxim Cournoyer <maxim.cournoyer@HIDDEN>

* gnu/services/herd.scm (current-service): New procedure, mostly reusing the
existing current-services.
(current-services): Implement in terms of the above procedure.
---
 gnu/services/herd.scm | 52 +++++++++++++++++++++++++++----------------
 1 file changed, 33 insertions(+), 19 deletions(-)

diff --git a/gnu/services/herd.scm b/gnu/services/herd.scm
index 48594015fc..02c2fec20f 100644
--- a/gnu/services/herd.scm
+++ b/gnu/services/herd.scm
@@ -1,6 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2016-2019, 2022-2023 Ludovic Courtès <ludo@HIDDEN>
 ;;; Copyright © 2017, 2020 Mathieu Othacehe <m.othacehe@HIDDEN>
+;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -51,6 +52,7 @@ (define-module (gnu services herd)
             live-service-canonical-name
 
             with-shepherd-action
+            current-service
             current-services
             unload-services
             unload-service
@@ -208,31 +210,43 @@ (define (live-service-canonical-name service)
   "Return the 'canonical name' of SERVICE."
   (first (live-service-provision service)))
 
-(define (current-services)
-  "Return the list of currently defined Shepherd services, represented as
-<live-service> objects.  Return #f if the list of services could not be
-obtained."
-  (with-shepherd-action 'root ('status) results
-    ;; We get a list of results, one for each service with the name 'root'.
+(define (current-service name)
+  "Return the currently defined Shepherd service NAME, as a <live-service>
+object.  Return #f if the service could not be obtained.  As a special case,
+@code{(current-service 'root)} returns all the current services."
+  (define (process-services services)
+    (resolve-transients
+     (map (lambda (service)
+            (alist-let* service (provides requires running transient?)
+              ;; The Shepherd 0.9.0 would not provide 'transient?' in
+              ;; its status sexp.  Thus, when it's missing, query it
+              ;; via an "eval" request.
+              (live-service provides requires
+                            (if (sloppy-assq 'transient? service)
+                                transient?
+                                (and running *unspecified*))
+                            running)))
+          services)))
+
+  (with-shepherd-action name ('status) results
+    ;; We get a list of results, one for each service with the name NAME.
     ;; In practice there's only one such service though.
     (match results
       ((services _ ...)
        (match services
          ((('service ('version 0 _ ...) _ ...) ...)
-          (resolve-transients
-           (map (lambda (service)
-                  (alist-let* service (provides requires running transient?)
-                    ;; The Shepherd 0.9.0 would not provide 'transient?' in its
-                    ;; status sexp.  Thus, when it's missing, query it via an
-                    ;; "eval" request.
-                    (live-service provides requires
-                                  (if (sloppy-assq 'transient? service)
-                                      transient?
-                                      (and running *unspecified*))
-                                  running)))
-                services)))
+          ;; Summary of all services (when NAME is 'root or 'shepherd).
+          (process-services services))
+         (('service ('version 0 _ ...) _ ...) ;single service
+          (first (process-services (list services))))
          (x
-          #f))))))
+          #f))))))                ;singleton
+
+(define (current-services)
+  "Return the list of currently defined Shepherd services, represented as
+<live-service> objects.  Return #f if the list of services could not be
+obtained."
+  (current-service 'root))
 
 (define (resolve-transients services)
   "Resolve the subset of SERVICES whose 'transient?' field is undefined.  This
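Review bot: the trailing `;singleton` comment landed on the `#f` fallback line, the one branch it does not describe; move it next to the `(('service ('version 0 _ ...) _ ...)` pattern, which already says `;single service`, or drop it. Also spell out in the docstring that the #f return covers an unknown NAME as well as an unreachable Shepherd, since callers like `(live-service-running (current-service 'wireguard-wg0))` from the cover letter must test for #f before passing the result to live-service-running.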
-- 
2.40.1





Information forwarded to guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v5 0/5] Implement a dynamic IP monitoring feature.
Date: Thu, 18 May 2023 21:59:12 -0400
Message-Id: <cover.1684461197.git.maxim.cournoyer@HIDDEN>
X-Mailer: git-send-email 2.40.1
X-Debbugs-Cc: Leo Famulari <leo@HIDDEN>,
 Tobias Geerinckx-Rice <me@HIDDEN>
Cc: Maxim Cournoyer <maxim.cournoyer@HIDDEN>

Hi,

Compared to v4, this series adds a new 'current-service' procedure to
(gnu services herd) and makes use of it to check if the current
wireguard service is already running without causing it to restart if
it was stopped, via something like:

  (live-service-running (current-service 'wireguard-wg0))

Thanks,

Maxim Cournoyer (5):
  services: herd: Add a new 'current-service' procedure.
  services: wireguard: Implement a dynamic IP monitoring feature.
  services: wireguard: Clean-up configuration file serializer.
  services: wireguard: Add a 'configuration' action.
  gnu: linux-libre: Apply wireguard patch fixing keep-alive bug.

 Makefile.am                                   |   1 +
 doc/guix.texi                                 |  19 +-
 gnu/local.mk                                  |   1 +
 gnu/packages/linux.scm                        |  27 +-
 ...linux-libre-wireguard-postup-privkey.patch | 119 ++++++++
 gnu/services/herd.scm                         |  52 ++--
 gnu/services/vpn.scm                          | 266 +++++++++++++-----
 tests/services/vpn.scm                        |  83 ++++++
 8 files changed, 461 insertions(+), 107 deletions(-)
 create mode 100644 gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch
 create mode 100644 tests/services/vpn.scm


base-commit: deda3cc9057f20b1e3d34d63a64da0bdd6ca1998
-- 
2.40.1





Information forwarded to leo@HIDDEN, me@HIDDEN, guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v4 4/4] gnu: linux-libre: Apply wireguard patch fixing
 keep-alive bug.
Date: Thu, 18 May 2023 13:48:42 -0400
Message-Id: <4f49bf6c8952680bd5e017f90b3e7478fe338111.1684431342.git.maxim.cournoyer@HIDDEN>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <cover.1684431342.git.maxim.cournoyer@HIDDEN>
References: <cover.1684431342.git.maxim.cournoyer@HIDDEN>
X-Debbugs-Cc: Leo Famulari <leo@HIDDEN>,
 Tobias Geerinckx-Rice <me@HIDDEN>
Cc: Maxim Cournoyer <maxim.cournoyer@HIDDEN>

* gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch: New patch.
* gnu/local.mk (dist_patch_DATA): Register it.
* gnu/packages/linux.scm (linux-libre-6.3-source, linux-libre-6.2-source)
(linux-libre-6.1-source, linux-libre-5.15-source)
(linux-libre-5.10-source): Apply it.
---
 gnu/local.mk                                  |   1 +
 gnu/packages/linux.scm                        |  27 ++--
 ...linux-libre-wireguard-postup-privkey.patch | 119 ++++++++++++++++++
 3 files changed, 139 insertions(+), 8 deletions(-)
 create mode 100644 gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch

diff --git a/gnu/local.mk b/gnu/local.mk
index 42514ded8e..0b0aafa016 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1515,6 +1515,7 @@ dist_patch_DATA =						\
   %D%/packages/patches/linphone-desktop-without-sdk.patch	\
   %D%/packages/patches/linux-libre-infodocs-target.patch	\
   %D%/packages/patches/linux-libre-support-for-Pinebook-Pro.patch \
+  %D%/packages/patches/linux-libre-wireguard-postup-privkey.patch \
   %D%/packages/patches/linux-pam-no-setfsuid.patch		\
   %D%/packages/patches/linux-pam-unix_chkpwd.patch		\
   %D%/packages/patches/linuxdcpp-openssl-1.1.patch		\
diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm
index c38287e16b..6440e358c0 100644
--- a/gnu/packages/linux.scm
+++ b/gnu/packages/linux.scm
@@ -34,7 +34,7 @@
 ;;; Copyright © 2018 Vasile Dumitrascu <va511e@HIDDEN>
 ;;; Copyright © 2019 Tim Gesthuizen <tim.gesthuizen@HIDDEN>
 ;;; Copyright © 2019 mikadoZero <mikadozero@HIDDEN>
-;;; Copyright © 2019, 2020, 2021, 2022 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
+;;; Copyright © 2019, 2020, 2021, 2022, 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
 ;;; Copyright © 2019 Stefan Stefanović <stefanx2ovic@HIDDEN>
 ;;; Copyright © 2019-2022 Brice Waegeneire <brice@HIDDEN>
 ;;; Copyright © 2019 Kei Kebreau <kkebreau@HIDDEN>
@@ -639,28 +639,39 @@ (define (source-with-patches source patches)
 (define-public linux-libre-6.3-source
   (source-with-patches linux-libre-6.3-pristine-source
                        (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch)))
+                             %linux-libre-arm-export-__sync_icache_dcache-patch
+                             (search-patch
+                              "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-6.2-source
   (source-with-patches linux-libre-6.2-pristine-source
                        (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch)))
+                             %linux-libre-arm-export-__sync_icache_dcache-patch
+                             (search-patch
+                              "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-6.1-source
   (source-with-patches linux-libre-6.1-pristine-source
-                       (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch
-                             (search-patch "linux-libre-infodocs-target.patch"))))
+                       (append
+                        (list %boot-logo-patch
+                              %linux-libre-arm-export-__sync_icache_dcache-patch)
+                        (search-patches
+                         "linux-libre-infodocs-target.patch"
+                         "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-5.15-source
   (source-with-patches linux-libre-5.15-pristine-source
                        (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch)))
+                             %linux-libre-arm-export-__sync_icache_dcache-patch
+                             (search-patch
+                              "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-5.10-source
   (source-with-patches linux-libre-5.10-pristine-source
                        (list %boot-logo-patch
-                             %linux-libre-arm-export-__sync_icache_dcache-patch)))
+                             %linux-libre-arm-export-__sync_icache_dcache-patch
+                             (search-patch
+                              "linux-libre-wireguard-postup-privkey.patch"))))
 
 (define-public linux-libre-5.4-source
   (source-with-patches linux-libre-5.4-pristine-source
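Review bot: the linux-libre-6.1-source block switches to `(append (list ...) (search-patches ...))` while the 6.3, 6.2, 5.15 and 5.10 blocks keep `(list ... (search-patch ...))`; the asymmetry is only there because 6.1 already carried "linux-libre-infodocs-target.patch", so either use `search-patches` uniformly or add a short comment so the next person does not "fix" it. The trailing context also shows linux-libre-5.4-source left untouched even though the embedded fix is tagged Cc: stable; the commit message should say why that series is skipped (presumably because it predates the in-tree WireGuard driver referenced by the Fixes: tag).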
diff --git a/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch b/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch
new file mode 100644
index 0000000000..a6050499e1
--- /dev/null
+++ b/gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch
@@ -0,0 +1,119 @@
+From 3ac1bf099766f1e9735883d5127148054cd5b30a Mon Sep 17 00:00:00 2001
+From: "Jason A. Donenfeld" <Jason@HIDDEN>
+Date: Thu, 18 May 2023 03:08:44 +0200
+Subject: wireguard: netlink: send staged packets when setting initial private
+ key
+
+Packets bound for peers can queue up prior to the device private key
+being set. For example, if persistent keepalive is set, a packet is
+queued up to be sent as soon as the device comes up. However, if the
+private key hasn't been set yet, the handshake message never sends, and
+no timer is armed to retry, since that would be pointless.
+
+But, if a user later sets a private key, the expectation is that those
+queued packets, such as a persistent keepalive, are actually sent. So
+adjust the configuration logic to account for this edge case, and add a
+test case to make sure this works.
+
+Maxim noticed this with a wg-quick(8) config to the tune of:
+
+    [Interface]
+    PostUp = wg set %i private-key somefile
+
+    [Peer]
+    PublicKey = ...
+    Endpoint = ...
+    PersistentKeepalive = 25
+
+Here, the private key gets set after the device comes up using a PostUp
+script, triggering the bug.
+
+Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
+Cc: stable@HIDDEN
+Reported-by: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
+Link: https://lore.kernel.org/wireguard/87fs7xtqrv.fsf@HIDDEN/
+Signed-off-by: Jason A. Donenfeld <Jason@HIDDEN>
+---
+ drivers/net/wireguard/netlink.c            | 14 +++++++++-----
+ tools/testing/selftests/wireguard/netns.sh | 30 ++++++++++++++++++++++++++----
+ 2 files changed, 35 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/net/wireguard/netlink.c b/drivers/net/wireguard/netlink.c
+index 43c8c84e7ea8..6d1bd9f52d02 100644
+--- a/drivers/net/wireguard/netlink.c
++++ b/drivers/net/wireguard/netlink.c
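Review bot: the new patch file carries no Guix-side note about where this copy was taken from or when it can be dropped; the From line gives the upstream commit id and the Link: points at the report thread, but a one-line header (upstream commit URL, "remove once the 6.3.x/6.1.y stable updates include it") makes later cleanup much easier, especially since the change is queued for stable and the five kernel series here will pick it up on their own. The `cgit v1.2.3-59-g8ed1b` trailer at the end of the file is harmless but is cgit output rather than part of the patch and could be trimmed.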
+@@ -546,6 +546,7 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
+ 		u8 *private_key = nla_data(info->attrs[WGDEVICE_A_PRIVATE_KEY]);
+ 		u8 public_key[NOISE_PUBLIC_KEY_LEN];
+ 		struct wg_peer *peer, *temp;
++		bool send_staged_packets;
+ 
+ 		if (!crypto_memneq(wg->static_identity.static_private,
+ 				   private_key, NOISE_PUBLIC_KEY_LEN))
+@@ -564,14 +565,17 @@ static int wg_set_device(struct sk_buff *skb, struct genl_info *info)
+ 		}
+ 
+ 		down_write(&wg->static_identity.lock);
+-		wg_noise_set_static_identity_private_key(&wg->static_identity,
+-							 private_key);
+-		list_for_each_entry_safe(peer, temp, &wg->peer_list,
+-					 peer_list) {
++		send_staged_packets = !wg->static_identity.has_identity && netif_running(wg->dev);
++		wg_noise_set_static_identity_private_key(&wg->static_identity, private_key);
++		send_staged_packets = send_staged_packets && wg->static_identity.has_identity;
++
++		wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
++		list_for_each_entry_safe(peer, temp, &wg->peer_list, peer_list) {
+ 			wg_noise_precompute_static_static(peer);
+ 			wg_noise_expire_current_peer_keypairs(peer);
++			if (send_staged_packets)
++				wg_packet_send_staged_packets(peer);
+ 		}
+-		wg_cookie_checker_precompute_device_keys(&wg->cookie_checker);
+ 		up_write(&wg->static_identity.lock);
+ 	}
+ skip_set_private_key:
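Review bot: wg_packet_send_staged_packets(peer) is now called between down_write(&wg->static_identity.lock) and up_write(), so any handshake initiation it triggers must be deferred (queued) rather than taking the read side of that lock synchronously; a one-line comment stating that locking expectation next to the `if (send_staged_packets)` call would save the next reader from re-deriving it. Moving wg_cookie_checker_precompute_device_keys above the peer loop is load-bearing for the same reason (the loop can now kick off sends that depend on the device keys), so it deserves a comment too rather than looking like a cosmetic reorder. The condition itself is narrow and correct for the reported case: `send_staged_packets` is only true when the device had no identity before the call and is running, so a key rotation on an already-keyed interface does not re-flush staged packets.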
+diff --git a/tools/testing/selftests/wireguard/netns.sh b/tools/testing/selftests/wireguard/netns.sh
+index 69c7796c7ca9..405ff262ca93 100755
+--- a/tools/testing/selftests/wireguard/netns.sh
++++ b/tools/testing/selftests/wireguard/netns.sh
+@@ -514,10 +514,32 @@ n2 bash -c 'printf 0 > /proc/sys/net/ipv4/conf/all/rp_filter'
+ n1 ping -W 1 -c 1 192.168.241.2
+ [[ $(n2 wg show wg0 endpoints) == "$pub1	10.0.0.3:1" ]]
+ 
+-ip1 link del veth1
+-ip1 link del veth3
+-ip1 link del wg0
+-ip2 link del wg0
++ip1 link del dev veth3
++ip1 link del dev wg0
++ip2 link del dev wg0
++
++# Make sure persistent keep alives are sent when an adapter comes up
++ip1 link add dev wg0 type wireguard
++n1 wg set wg0 private-key <(echo "$key1") peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -eq 0 ]]
++ip1 link set dev wg0 up
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -gt 0 ]]
++ip1 link del dev wg0
++# This should also happen even if the private key is set later
++ip1 link add dev wg0 type wireguard
++n1 wg set wg0 peer "$pub2" endpoint 10.0.0.1:1 persistent-keepalive 1
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -eq 0 ]]
++ip1 link set dev wg0 up
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -eq 0 ]]
++n1 wg set wg0 private-key <(echo "$key1")
++read _ _ tx_bytes < <(n1 wg show wg0 transfer)
++[[ $tx_bytes -gt 0 ]]
++ip1 link del dev veth1
++ip1 link del dev wg0
+ 
+ # We test that Netlink/IPC is working properly by doing things that usually cause split responses
+ ip0 link add dev wg0 type wireguard
+-- 
+cgit v1.2.3-59-g8ed1b
+
-- 
2.39.2





Information forwarded to leo@HIDDEN, me@HIDDEN, guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v4 3/4] services: wireguard: Add a 'configuration' action.
Date: Thu, 18 May 2023 13:48:41 -0400
Message-Id: <9644e77d72a5fb88c5e788e10d43d152078d9419.1684431342.git.maxim.cournoyer@HIDDEN>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <cover.1684431342.git.maxim.cournoyer@HIDDEN>
References: <cover.1684431342.git.maxim.cournoyer@HIDDEN>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Cc: Maxim Cournoyer <maxim.cournoyer@HIDDEN>

* gnu/services/vpn.scm (wireguard-shepherd-service) [actions]: New field.
---
 gnu/services/vpn.scm | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index a34889a6cc..c3fe82a063 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -914,6 +914,7 @@ (define (wireguard-shepherd-service config)
              (stop #~(lambda _
                        (invoke #$wg-quick "down" #$config)
                        #f))                       ;stopped!
+             (actions (list (shepherd-configuration-action config)))
              (documentation "Run the Wireguard VPN tunnel"))))))
 
 (define (wireguard-monitoring-jobs config)
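Review bot: the new `actions` field is not reflected anywhere user-facing; neither doc/guix.texi (VPN Services) nor the commit message says that the wireguard service now answers `herd configuration <service>` with its generated configuration file. Since the file is built by wireguard-configuration-file and lives in the store, a sentence in the docs noting that the action exposes the generated wg-quick file (paths to the private key and preshared keys, not the key material itself) is worth adding. The `config` passed to shepherd-configuration-action is the same file-like object used in `(invoke #$wg-quick "down" #$config)` two lines above, so the argument is consistent with the surrounding code.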
-- 
2.39.2





Information forwarded to guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v4 2/4] services: wireguard: Clean-up configuration file
 serializer.
Date: Thu, 18 May 2023 13:48:40 -0400
Message-Id: <235e307060c61947158361f4ef4eb40df72c79de.1684431342.git.maxim.cournoyer@HIDDEN>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <cover.1684431342.git.maxim.cournoyer@HIDDEN>
References: <cover.1684431342.git.maxim.cournoyer@HIDDEN>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Cc: Maxim Cournoyer <maxim.cournoyer@HIDDEN>

Previously, the generated config file would contain arbitrary whitespace that
made it look ugly.

* gnu/services/vpn.scm (<wireguard-configuration>) [dns]: Change default value
from #f to '().
(wireguard-configuration-file): Use match-record.  Format each line
individually, assembling the lines at the end to avoid extraneous white space.
* doc/guix.texi (VPN Services): Update doc.
---
 doc/guix.texi        |   2 +-
 gnu/services/vpn.scm | 119 ++++++++++++++++---------------------------
 2 files changed, 46 insertions(+), 75 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index ef96d064ed..b61a2ceb5b 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32588,7 +32588,7 @@ VPN Services
 @item @code{port} (default: @code{51820})
 The port on which to listen for incoming connections.
 
-@item @code{dns} (default: @code{#f})
+@item @code{dns} (default: @code{'())})
 The DNS server(s) to announce to VPN clients via DHCP.
 
 @item @code{monitor-ips?} (default: @code{#f})
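Review bot: the replacement line `+@item @code{dns} (default: @code{'())})` has an unbalanced parenthesis inside the @code braces and will render as `'())`; it should read `@code{'()}` to match the new record default.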
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index c11faed879..a34889a6cc 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -44,6 +44,7 @@ (define-module (gnu services vpn)
   #:use-module (guix i18n)
   #:use-module (guix deprecation)
   #:use-module (srfi srfi-1)
+  #:use-module (ice-9 format)
   #:use-module (ice-9 match)
   #:use-module (ice-9 regex)
   #:export (openvpn-client-service  ; deprecated
@@ -745,7 +746,7 @@ (define-record-type* <wireguard-configuration>
   (peers              wireguard-configuration-peers ;list of <wiregard-peer>
                       (default '()))
   (dns                wireguard-configuration-dns ;list of strings
-                      (default #f))
+                      (default '()))
   (monitor-ips?       wireguard-configuration-monitor-ips? ;boolean
                       (default #f))
   (monitor-ips-interval wireguard-configuration-monitor-ips-interval
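Review bot: changing the `dns` default from #f to '() silently breaks any existing configuration that spells out `(dns #f)`, because the serializer now tests `(null? dns)` and #f is not null; either keep accepting #f (normalize it to '() in wireguard-configuration-file) or mention the incompatibility in the commit message and docs so users know to update their system declarations.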
@@ -763,24 +764,15 @@ (define-record-type* <wireguard-configuration>
 
 (define (wireguard-configuration-file config)
   (define (peer->config peer)
-    (let ((name (wireguard-peer-name peer))
-          (public-key (wireguard-peer-public-key peer))
-          (endpoint (wireguard-peer-endpoint peer))
-          (allowed-ips (wireguard-peer-allowed-ips peer))
-          (keep-alive (wireguard-peer-keep-alive peer)))
-      (format #f "[Peer] #~a
-PublicKey = ~a
-AllowedIPs = ~a
-~a~a"
-              name
-              public-key
-              (string-join allowed-ips ",")
-              (if endpoint
-                  (format #f "Endpoint = ~a\n" endpoint)
-                  "")
-              (if keep-alive
-                  (format #f "PersistentKeepalive = ~a\n" keep-alive)
-                  "\n"))))
+    (match-record peer <wireguard-peer>
+      (name public-key endpoint allowed-ips keep-alive)
+      (let ((lines (list
+                    (format #f "[Peer]   #~a" name)
+                    (format #f "PublicKey = ~a" public-key)
+                    (format #f "AllowedIPs = ~{~a~^, ~}" allowed-ips)
+                    (format #f "~@[Endpoint = ~a~]" endpoint)
+                    (format #f "~@[PersistentKeepalive = ~a~]" keep-alive))))
+        (string-join (remove string-null? lines) "\n"))))
 
   (define (peers->preshared-keys peer keys)
     (let ((public-key (wireguard-peer-public-key peer))
@@ -799,65 +791,44 @@ (define (wireguard-configuration-file config)
             (computed-file
              "wireguard-config"
              #~(begin
+                 (use-modules (ice-9 format)
+                              (srfi srfi-1))
+
+                 (define lines
+                   (list
+                    "[Interface]"
+                    #$@(if (null? addresses)
+                           '()
+                           (list (format #f "Address = ~{~a~^, ~}"
+                                         addresses)))
+                    (format #f "~@[Table = ~a~]" #$table)
+                    #$@(if (null? pre-up)
+                           '()
+                           (list (format #f "~{PreUp = ~a~%~}" pre-up)))
+                    (format #f "PostUp = ~a set %i private-key ~a\
+~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg")
+#$private-key '#$peer-keys)
+                    #$@(if (null? post-up)
+                           '()
+                           (list (format #f "~{PostUp = ~a~%~}" post-up)))
+                    #$@(if (null? pre-down)
+                           '()
+                           (list (format #f "~{PreDown = ~a~%~}" pre-down)))
+                    #$@(if (null? post-down)
+                           '()
+                           (list (format #f "~{PostDown = ~a~%~}" post-down)))
+                    (format #f "~@[ListenPort = ~a~]" #$port)
+                    #$@(if (null? dns)
+                           '()
+                           (list (format #f "~{DNS = ~{~a~^, ~}" dns)))))
+
                  (mkdir #$output)
                  (chdir #$output)
                  (call-with-output-file #$config-file
                    (lambda (port)
-                     (let ((format (@ (ice-9 format) format)))
-                       (format port "[Interface]
-Address = ~a
-~a
-~a
-PostUp = ~a set %i private-key ~a~{ peer ~a preshared-key ~a~}
-~a
-~a
-~a
-~a
-~a
-~{~a~^~%~}"
-                               #$(string-join addresses ",")
-                               #$(if table
-                                     (format #f "Table = ~a" table)
-                                     "")
-                               #$(if (null? pre-up)
-                                     ""
-                                     (string-join
-                                      (map (lambda (command)
-                                             (format #f "PreUp = ~a" command))
-                                           pre-up)
-                                      "\n"))
-                               #$(file-append wireguard "/bin/wg")
-                               #$private-key
-                               '#$peer-keys
-                               #$(if (null? post-up)
-                                     ""
-                                     (string-join
-                                      (map (lambda (command)
-                                             (format #f "PostUp = ~a" command))
-                                           post-up)
-                                      "\n"))
-                               #$(if (null? pre-down)
-                                     ""
-                                     (string-join
-                                      (map (lambda (command)
-                                             (format #f "PreDown = ~a" command))
-                                           pre-down)
-                                      "\n"))
-                               #$(if (null? post-down)
-                                     ""
-                                     (string-join
-                                      (map (lambda (command)
-                                             (format #f "PostDown = ~a" command))
-                                           post-down)
-                                      "\n"))
-                               #$(if port
-                                     (format #f "ListenPort = ~a" port)
-                                     "")
-                               #$(if dns
-                                     (format #f "DNS = ~a"
-                                             (string-join dns ","))
-                                     "")
-                               (list #$@peers)))))))))
+                     (format port "~a~%~%~{~a~%~^~%~}"
+                             (string-join (remove string-null? lines) "\n")
+                             '#$peers)))))))
       (file-append config "/" config-file))))
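Review bot: the DNS line `(format #f "~{DNS = ~{~a~^, ~}" dns)` is broken: the outer `~{` is never closed, and even with a closing `~}` the nested iteration would try to walk each DNS string as a list; it should be `(format #f "DNS = ~{~a~^, ~}" dns)`, matching the `Address = ~{~a~^, ~}` line above it. The hook lines `"~{PreUp = ~a~%~}"` (and PostUp/PreDown/PostDown) emit a trailing newline after the last command, so once the lines are joined with "\n" the generated file gets a blank line after each hook block, which is the extraneous whitespace this commit sets out to remove; `~{PreUp = ~a~^~%~}` avoids it. Finally, `(if (null? dns) ...)` assumes `dns` is always a list, so a user-supplied `(dns #f)` from the old default will reach the format call and fail at build time unless it is normalized first.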
 
 (define (wireguard-activation config)
-- 
2.39.2





Information forwarded to guix-patches@HIDDEN:
bug#63402; Package guix-patches. Full text available.

Message received at 63402 <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v4 1/4] services: wireguard: Implement a dynamic IP monitoring
 feature.
Date: Thu, 18 May 2023 13:48:39 -0400
Message-Id: <b961acfb78b861b4270b980ce7f557e19a33f0b6.1684431342.git.maxim.cournoyer@HIDDEN>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <cover.1684431342.git.maxim.cournoyer@HIDDEN>
References: <cover.1684431342.git.maxim.cournoyer@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Cc: Maxim Cournoyer <maxim.cournoyer@HIDDEN>

* gnu/services/vpn.scm (<wireguard-configuration>)
[monitor-ips?, monitor-ips-internal]: New fields.
* gnu/services/vpn.scm (define-with-source): New syntax.
(wireguard-service-name, strip-port/maybe)
(ipv4-address?, ipv6-address?, host-name?)
(endpoint-host-names): New procedure.
(wireguard-monitoring-jobs): Likewise.
(wireguard-service-type): Register it.
* tests/services/vpn.scm: New file.
* Makefile.am (SCM_TESTS): Register it.
* doc/guix.texi (VPN Services): Update doc.
---
 Makefile.am            |   1 +
 doc/guix.texi          |  17 ++++-
 gnu/services/vpn.scm   | 147 +++++++++++++++++++++++++++++++++++++++--
 tests/services/vpn.scm |  83 +++++++++++++++++++++++
 4 files changed, 242 insertions(+), 6 deletions(-)
 create mode 100644 tests/services/vpn.scm

diff --git a/Makefile.am b/Makefile.am
index 8b7bb4772d..e1cb1083fc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -557,6 +557,7 @@ SCM_TESTS =					\
   tests/services/lightdm.scm			\
   tests/services/linux.scm			\
   tests/services/telephony.scm			\
+  tests/services/vpn.scm			\
   tests/sets.scm				\
   tests/size.scm				\
   tests/status.scm				\
diff --git a/doc/guix.texi b/doc/guix.texi
index 60972f408d..ef96d064ed 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32591,9 +32591,22 @@ VPN Services
 @item @code{dns} (default: @code{#f})
 The DNS server(s) to announce to VPN clients via DHCP.
 
+@item @code{monitor-ips?} (default: @code{#f})
+@cindex Dynamic IP, with Wireguard
+@cindex dyndns, usage with Wireguard
+Whether to monitor the resolved Internet addresses (IPs) of the
+endpoints of the configured peers, resetting the peer endpoints using an
+IP address that no longer correspond to their freshly resolved host
+name.  Set this to @code{#t} if one or more endpoints use host names
+provided by a dynamic DNS service to keep the sessions alive.
+
+@item @code{monitor-ips-internal} (default: @code{'(next-minute (range 0 60 5))})
+The time interval at which the IP monitoring job should run, provided as
+an mcron time specification (@pxref{Guile Syntax,,,mcron}).
+
 @item @code{private-key} (default: @code{"/etc/wireguard/private.key"})
-The private key file for the interface.  It is automatically generated if
-the file does not exist.
+The private key file for the interface.  It is automatically generated
+if the file does not exist.
 
 @item @code{peers} (default: @code{'()})
 The authorized peers on this interface.  This is a list of
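Review bot: the documented field name `@item @code{monitor-ips-internal}` does not match the record field, which is `monitor-ips-interval` in gnu/services/vpn.scm (the same slip appears in the commit message); users copying the documented name will get an unbound-field error. In the same paragraph, "an IP address that no longer correspond to their freshly resolved host name" should read "corresponds". It would also help readers to say what the monitoring job can and cannot do from a security standpoint: the endpoint is re-resolved through ordinary DNS, which is unauthenticated, but WireGuard still authenticates the peer by its public key, so a wrong or spoofed answer can only leave the tunnel pointing at an unreachable endpoint (loss of connectivity) rather than let traffic reach an unintended peer.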
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index a884d71eb2..c11faed879 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -11,6 +11,7 @@
 ;;; Copyright © 2021 Nathan Dehnel <ncdehnel@HIDDEN>
 ;;; Copyright © 2022 Cameron V Chaparro <cameron@HIDDEN>
 ;;; Copyright © 2022 Timo Wilken <guix@HIDDEN>
+;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -31,10 +32,12 @@ (define-module (gnu services vpn)
   #:use-module (gnu services)
   #:use-module (gnu services configuration)
   #:use-module (gnu services dbus)
+  #:use-module (gnu services mcron)
   #:use-module (gnu services shepherd)
   #:use-module (gnu system shadow)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages vpn)
+  #:use-module (guix modules)
   #:use-module (guix packages)
   #:use-module (guix records)
   #:use-module (guix gexp)
@@ -73,6 +76,8 @@ (define-module (gnu services vpn)
             wireguard-configuration-addresses
             wireguard-configuration-port
             wireguard-configuration-dns
+            wireguard-configuration-monitor-ips?
+            wireguard-configuration-monitor-ips-interval
             wireguard-configuration-private-key
             wireguard-configuration-peers
             wireguard-configuration-pre-up
@@ -741,6 +746,10 @@ (define-record-type* <wireguard-configuration>
                       (default '()))
   (dns                wireguard-configuration-dns ;list of strings
                       (default #f))
+  (monitor-ips?       wireguard-configuration-monitor-ips? ;boolean
+                      (default #f))
+  (monitor-ips-interval wireguard-configuration-monitor-ips-interval
+                        (default '(next-minute (range 0 60 5)))) ;string | list
   (pre-up             wireguard-configuration-pre-up ;list of strings
                       (default '()))
   (post-up            wireguard-configuration-post-up ;list of strings
@@ -871,6 +880,56 @@ (define (wireguard-activation config)
             (chmod #$private-key #o400)
             (close-pipe pipe))))))
 
+;;; XXX: Copied from (guix scripts pack), changing define to define*.
+(define-syntax-rule (define-with-source (variable args ...) body body* ...)
+  "Bind VARIABLE to a procedure accepting ARGS defined as BODY, also setting
+its source property."
+  (begin
+    (define* (variable args ...)
+      body body* ...)
+    (eval-when (load eval)
+      (set-procedure-property! variable 'source
+                               '(define* (variable args ...) body body* ...)))))
+
+(define (wireguard-service-name interface)
+  "Return the WireGuard service name (a symbol) configured to use INTERFACE."
+  (symbol-append 'wireguard- (string->symbol interface)))
+
+(define-with-source (strip-port/maybe endpoint #:key ipv6?)
+  "Strip the colon and port, if present in ENDPOINT, a string."
+  (if ipv6?
+      (if (string-prefix? "[" endpoint)
+          (first (string-split (string-drop endpoint 1) #\])) ;ipv6
+          endpoint)
+      (first (string-split endpoint #\:)))) ;ipv4
+
+(define (ipv4-address? str)
+  "Return true if STR denotes an IPv4 address."
+  (false-if-exception
+   (->bool (inet-pton AF_INET (strip-port/maybe str)))))
+
+(define (ipv6-address? str)
+  "Return true if STR denotes an IPv6 address."
+  (false-if-exception
+   (->bool (inet-pton AF_INET6 (strip-port/maybe str #:ipv6? #t)))))
+
+(define (host-name? name)
+  "Predicate to check whether NAME is a host name, i.e. not an IP address."
+  (not (or (ipv6-address? name) (ipv4-address? name))))
+
+(define (endpoint-host-names peers)
+  "Return an association list of endpoint host names keyed by their peer
+public key, if any."
+  (reverse
+   (fold (lambda (peer host-names)
+           (let ((public-key (wireguard-peer-public-key peer))
+                 (endpoint (wireguard-peer-endpoint peer)))
+             (if (and endpoint (host-name? endpoint))
+                 (cons (cons public-key endpoint) host-names)
+                 host-names)))
+         '()
+         peers)))
+
 (define (wireguard-shepherd-service config)
   (match-record config <wireguard-configuration>
     (wireguard interface)
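Review bot: the `define-with-source` macro is copied verbatim from `(guix scripts pack)` (per the XXX comment) with `define` swapped for `define*`; rather than keep two copies, move the macro to a shared module and import it in both places, since the monitoring script depends on `procedure-source` recovering exactly this definition of `strip-port/maybe`. A second, smaller point: `host-name?` is defined as "not an IPv4 and not an IPv6 address", so an empty string or any malformed endpoint also counts as a host name and gets scheduled for resolution; either state that in the docstring or add a minimal syntax check so `endpoint-host-names` only returns names that can plausibly resolve.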
@@ -878,9 +937,7 @@ (define (wireguard-shepherd-service config)
           (config (wireguard-configuration-file config)))
       (list (shepherd-service
              (requirement '(networking))
-             (provision (list
-                         (symbol-append 'wireguard-
-                                        (string->symbol interface))))
+             (provision (list (wireguard-service-name interface)))
              (start #~(lambda _
                        (invoke #$wg-quick "up" #$config)))
              (stop #~(lambda _
@@ -888,6 +945,86 @@ (define (wireguard-shepherd-service config)
                        #f))                       ;stopped!
              (documentation "Run the Wireguard VPN tunnel"))))))
 
+(define (wireguard-monitoring-jobs config)
+  ;; Loosely based on WireGuard's own 'reresolve-dns.sh' shell script (see:
+  ;; https://raw.githubusercontent.com/WireGuard/wireguard-tools/
+  ;; master/contrib/reresolve-dns/reresolve-dns.sh).
+  (match-record config <wireguard-configuration>
+    (interface monitor-ips? monitor-ips-interval peers)
+    (let ((host-names (endpoint-host-names peers)))
+      (if monitor-ips?
+          (if (null? host-names)
+              (begin
+                (warn "monitor-ips? is #t but no host name to monitor")
+                '())
+              ;; The mcron monitor job may be a string or a list; ungexp strips
+              ;; one quote level, which must be added back when a list is
+              ;; provided.
+              (list
+               #~(job
+                  (if (string? #$monitor-ips-interval)
+                      #$monitor-ips-interval
+                      '#$monitor-ips-interval)
+                  #$(program-file
+                     (format #f "wireguard-~a-monitoring" interface)
+                     (with-imported-modules (source-module-closure
+                                             '((gnu services herd)
+                                               (guix build utils)))
+                       #~(begin
+                           (use-modules (gnu services herd)
+                                        (guix build utils)
+                                        (ice-9 popen)
+                                        (ice-9 match)
+                                        (ice-9 textual-ports)
+                                        (srfi srfi-1)
+                                        (srfi srfi-26))
+
+                           (define (resolve-host name)
+                             "Return the IP address resolved from NAME."
+                             (let* ((ai (car (getaddrinfo name)))
+                                    (sa (addrinfo:addr ai)))
+                               (inet-ntop (sockaddr:fam sa)
+                                          (sockaddr:addr sa))))
+
+                           (define wg #$(file-append wireguard-tools "/bin/wg"))
+
+                           #$(procedure-source strip-port/maybe)
+
+                           (define service-name '#$(wireguard-service-name
+                                                    interface))
+
+                           (when (start-service service-name)
+                             (let* ((pipe (open-pipe* OPEN_READ wg "show"
+                                                      #$interface "endpoints"))
+                                    (lines (string-split (get-string-all pipe)
+                                                         #\newline))
+                                    ;; IPS is an association list mapping
+                                    ;; public keys to IP addresses.
+                                    (ips (map (match-lambda
+                                                ((public-key ip)
+                                                 (cons public-key
+                                                       (strip-port/maybe ip))))
+                                              (map (cut string-split <> #\tab)
+                                                   (remove string-null?
+                                                           lines)))))
+                               (close-pipe pipe)
+                               (for-each
+                                (match-lambda
+                                  ((key . host-name)
+                                   (let ((resolved-ip (resolve-host
+                                                       (strip-port/maybe
+                                                        host-name)))
+                                         (current-ip (assoc-ref ips key)))
+                                     (unless (string=? resolved-ip current-ip)
+                                       (format #t "resetting `~a' peer \
+endpoint to `~a' due to stale IP (`~a' instead of `~a')~%"
+                                               key host-name
+                                               current-ip resolved-ip)
+                                       (invoke wg "set" #$interface "peer" key
+                                               "endpoint" host-name)))))
+                                '#$host-names)))))))))
+          '()))))                       ;monitor-ips? is #f
+
 (define wireguard-service-type
   (service-type
    (name 'wireguard)
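Review bot: `current-ip` is built with `(strip-port/maybe ip)` and no `#:ipv6? #t`, so for an IPv6 peer whose endpoint `wg show ... endpoints` reports as `[addr]:port`, the IPv4 branch splits on the first colon and yields something like `[2607`, which can never equal `resolved-ip`; the job would then run `wg set ... endpoint` for that peer on every interval. Check for the bracket form (for example `(string-prefix? "[" ip)`) and pass `#:ipv6? #t` in that case, and do the same for the `(strip-port/maybe host-name)` call in the `for-each`. Two related points in the same block: `(car (getaddrinfo name))` takes the first result whatever its address family and raises on resolution failure, so a transient DNS outage aborts the whole job rather than being logged and retried on the next run; and `(when (start-service service-name) ...)` starts the tunnel as a side effect of a monitoring run, which would bring back an interface an administrator deliberately stopped. Querying the service's running state instead of starting it would be less surprising.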
@@ -898,6 +1035,8 @@ (define wireguard-service-type
                              wireguard-activation)
           (service-extension profile-service-type
                              (compose list
-                                      wireguard-configuration-wireguard))))
+                                      wireguard-configuration-wireguard))
+          (service-extension mcron-service-type
+                             wireguard-monitoring-jobs)))
    (description "Set up Wireguard @acronym{VPN, Virtual Private Network}
 tunnels.")))
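Review bot: the `mcron-service-type` extension added at the end of this hunk is unconditional, so every system with a WireGuard service now extends mcron even when `monitor-ips?` is `#f` (`wireguard-monitoring-jobs` simply returns `'()` in that case). That is harmless for the job list, but it makes mcron a dependency of the WireGuard service for all users; either say so in the `monitor-ips?` documentation or gate the extension so systems without monitoring are unaffected.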
diff --git a/tests/services/vpn.scm b/tests/services/vpn.scm
new file mode 100644
index 0000000000..a7f4bec26b
--- /dev/null
+++ b/tests/services/vpn.scm
@@ -0,0 +1,83 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (tests services vpn)
+  #:use-module (gnu packages vpn)
+  #:use-module (gnu services vpn)
+  #:use-module (guix gexp)
+  #:use-module (ice-9 match)
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-64))
+
+;;; Commentary:
+;;;
+;;; Unit tests for the (gnu services vpn) module.
+;;;
+;;; Code:
+
+;;; Access some internals for whitebox testing.
+(define ipv4-address? (@@ (gnu services vpn) ipv4-address?))
+(define ipv6-address? (@@ (gnu services vpn) ipv6-address?))
+(define host-name? (@@ (gnu services vpn) host-name?))
+(define endpoint-host-names
+  (@@ (gnu services vpn) endpoint-host-names))
+
+(test-begin "vpn-services")
+
+(test-assert "ipv4-address?"
+  (every ipv4-address?
+         (list "192.95.5.67:1234"
+               "10.0.0.1")))
+
+(test-assert "ipv6-address?"
+  (every ipv6-address?
+         (list "[2607:5300:60:6b0::c05f:543]:2468"
+               "2607:5300:60:6b0::c05f:543"
+               "2345:0425:2CA1:0000:0000:0567:5673:23b5"
+               "2345:0425:2CA1::0567:5673:23b5")))
+
+(define %wireguard-peers
+  (list (wireguard-peer
+         (name "dummy1")
+         (public-key "VlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XjoalC8=")
+         (endpoint "some.dynamic-dns.service:53281")
+         (allowed-ips '()))
+        (wireguard-peer
+         (name "dummy2")
+         (public-key "AlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC9=")
+         (endpoint "example.org")
+         (allowed-ips '()))
+        (wireguard-peer
+         (name "dummy3")
+         (public-key "BlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC7=")
+         (endpoint "10.0.0.7:7777")
+         (allowed-ips '()))
+        (wireguard-peer
+         (name "dummy4")
+         (public-key "ClesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC6=")
+         (endpoint "[2345:0425:2CA1::0567:5673:23b5]:44444")
+         (allowed-ips '()))))
+
+(test-equal "endpoint-host-names"
+  '(("VlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XjoalC8=" .
+     "some.dynamic-dns.service:53281")
+    ("AlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC9=" .
+     "example.org"))
+  (endpoint-host-names %wireguard-peers))
+
+(test-end "vpn-services")
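Review bot: the `ipv4-address?` and `ipv6-address?` tests contain only positive cases, and `host-name?` is imported for whitebox testing but never exercised. Add negative cases (a host name such as `"example.org"` for both predicates, an IPv4 address with a port passed to `ipv6-address?`, and a bracketed IPv6 endpoint passed to `ipv4-address?`) and a direct `host-name?` test, since the monitoring job is gated entirely on that predicate through `endpoint-host-names`.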
-- 
2.39.2

From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v4 0/4] Implement a dynamic IP monitoring feature.
Date: Thu, 18 May 2023 13:48:38 -0400
Message-Id: <cover.1684431342.git.maxim.cournoyer@HIDDEN>
X-Debbugs-Cc: Leo Famulari <leo@HIDDEN>,
 Tobias Geerinckx-Rice <me@HIDDEN>
Cc: Maxim Cournoyer <maxim.cournoyer@HIDDEN>

Hello,

This fourth revision reworks the monitoring script to use 'wg set' to
reset the affected endpoint instead of restarting the whole service.

It also applies an upstream patch to the kernel that resolves the bug
where keep-alive would not work to (re)establish a session after it
was lost (e.g. when the listener's dynamic IP changed with an
interruption to its Internet service), instead of applying a
workaround to our PostUp command.

Thanks,

Maxim Cournoyer (4):
  services: wireguard: Implement a dynamic IP monitoring feature.
  services: wireguard: Clean-up configuration file serializer.
  services: wireguard: Add a 'configuration' action.
  gnu: linux-libre: Apply wireguard patch fixing keep-alive bug.

 Makefile.am                                   |   1 +
 doc/guix.texi                                 |  19 +-
 gnu/local.mk                                  |   1 +
 gnu/packages/linux.scm                        |  27 +-
 ...linux-libre-wireguard-postup-privkey.patch | 119 ++++++++
 gnu/services/vpn.scm                          | 265 +++++++++++++-----
 tests/services/vpn.scm                        |  83 ++++++
 7 files changed, 427 insertions(+), 88 deletions(-)
 create mode 100644 gnu/packages/patches/linux-libre-wireguard-postup-privkey.patch
 create mode 100644 tests/services/vpn.scm


base-commit: 5b700945fb0b33eec410de8979cae2fbf0d4f118
-- 
2.39.2

From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v3 3/3] services: wireguard: Workaround keep-alives bug.
Date: Tue, 16 May 2023 00:09:08 -0400
Message-Id: <7ae336651ea9af2aa191e99b8f046bfbc24a1335.1684210148.git.maxim.cournoyer@HIDDEN>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <76b34e5229e0e97068cb3bd42152f29630a8dbfc.1684210148.git.maxim.cournoyer@HIDDEN>
References: <76b34e5229e0e97068cb3bd42152f29630a8dbfc.1684210148.git.maxim.cournoyer@HIDDEN>
Cc: Maxim Cournoyer <maxim.cournoyer@HIDDEN>

* gnu/services/vpn.scm (wireguard-configuration-file): Add the
'persistent-keepalive' option to the PostUp script to work around a bug.
---
 gnu/services/vpn.scm | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index 3f66db79de..587bfcfc0e 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -774,18 +774,19 @@ (define (wireguard-configuration-file config)
                     (format #f "~@[PersistentKeepalive = ~a~]" keep-alive))))
         (string-join (remove string-null? lines) "\n"))))
 
-  (define (peers->preshared-keys peer keys)
-    (let ((public-key (wireguard-peer-public-key peer))
-          (preshared-key (wireguard-peer-preshared-key peer)))
-      (if preshared-key
-          (cons* public-key preshared-key keys)
-          keys)))
+  (define (peers->preshared-keys+keep-alive peer data)
+    (match-record peer <wireguard-peer>
+      (public-key preshared-key keep-alive)
+      (if (or preshared-key keep-alive)
+          (cons* public-key preshared-key keep-alive data)
+          data)))
 
   (match-record config <wireguard-configuration>
     (wireguard interface addresses port private-key peers dns
                pre-up post-up pre-down post-down table)
     (let* ((config-file (string-append interface ".conf"))
-           (peer-keys (fold peers->preshared-keys (list) peers))
+           (peer-keys+keep-alive (fold peers->preshared-keys+keep-alive
+                                       '() peers))
            (peers (map peer->config peers))
            (config
             (computed-file
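Review bot: `peers->preshared-keys+keep-alive` folds the peers into one flat list of `public-key preshared-key keep-alive` triples, with `#f` left in place as holes, and that layout is only meaningful together with the `~{ peer ~a~@[ preshared-key ~a~]~@[ persistent-keepalive ~a~]~}` directive in the next hunk. A short comment here describing the expected shape would help, since a change to either side silently breaks the pairing.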
@@ -805,9 +806,14 @@ (define (wireguard-configuration-file config)
                     #$@(if (null? pre-up)
                            '()
                            (list (format #f "~{PreUp = ~a~%~}" pre-up)))
+                    ;; Duplicate the persistent-keepalive setting here, to
+                    ;; workaround a bug in WireGuard where keep-alives are not
+                    ;; sent when an interface is initially brought up without
+                    ;; a private key.
                     (format #f "PostUp = ~a set %i private-key ~a\
-~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg")
-#$private-key '#$peer-keys)
+~{ peer ~a~@[ preshared-key ~a~]~@[ persistent-keepalive ~a~]~}"
+                            #$(file-append wireguard "/bin/wg")
+                            #$private-key '#$peer-keys+keep-alive)
                     #$@(if (null? post-up)
                            '()
                            (list (format #f "~{PostUp = ~a~%~}" post-up)))
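Review bot: the comment introducing the duplicated `persistent-keepalive` setting should cite the upstream WireGuard bug report or fix commit; as written, nothing tells a later reader when the workaround becomes safe to remove, and the PostUp line will keep re-applying a value the `[Peer]` section already carries.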
-- 
2.39.2

From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v3 2/3] services: wireguard: Clean-up configuration file serializer.
Date: Tue, 16 May 2023 00:09:07 -0400
Message-Id: <f470d66ce837c6572badfaa13ace01ecbcdcac3d.1684210148.git.maxim.cournoyer@HIDDEN>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <76b34e5229e0e97068cb3bd42152f29630a8dbfc.1684210148.git.maxim.cournoyer@HIDDEN>
References: <76b34e5229e0e97068cb3bd42152f29630a8dbfc.1684210148.git.maxim.cournoyer@HIDDEN>
Cc: Maxim Cournoyer <maxim.cournoyer@HIDDEN>

Previously, the generated config file would contain arbitrary whitespace that
made it look ugly.

* gnu/services/vpn.scm (<wireguard-configuration>) [dns]: Change default value
from #f to '().
(wireguard-configuration-file): Use match-record.  Format each line
individually, assembling the lines at the end to avoid extraneous white space.
* doc/guix.texi (VPN Services): Update doc.
---
 doc/guix.texi        |   2 +-
 gnu/services/vpn.scm | 119 ++++++++++++++++---------------------------
 2 files changed, 46 insertions(+), 75 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi
index 4499a911d6..51c75a7dfc 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32588,7 +32588,7 @@ VPN Services
 @item @code{port} (default: @code{51820})
 The port on which to listen for incoming connections.
 
-@item @code{dns} (default: @code{#f})
+@item @code{dns} (default: @code{'())})
 The DNS server(s) to announce to VPN clients via DHCP.
 
 @item @code{monitor-ips?} (default: @code{#f})
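Review bot: `@code{'())}` in the new `dns` default has one closing parenthesis too many and renders as `'())`; it should read `@code{'()}`, matching the record default changed in the same patch.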
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index e21f999bc0..3f66db79de 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -44,6 +44,7 @@ (define-module (gnu services vpn)
   #:use-module (guix i18n)
   #:use-module (guix deprecation)
   #:use-module (srfi srfi-1)
+  #:use-module (ice-9 format)
   #:use-module (ice-9 match)
   #:use-module (ice-9 regex)
   #:export (openvpn-client-service  ; deprecated
@@ -745,7 +746,7 @@ (define-record-type* <wireguard-configuration>
   (peers              wireguard-configuration-peers ;list of <wiregard-peer>
                       (default '()))
   (dns                wireguard-configuration-dns ;list of strings
-                      (default #f))
+                      (default '()))
   (monitor-ips?       wireguard-configuration-monitor-ips? ;boolean
                       (default #f))
   (monitor-ips-interval wireguard-configuration-monitor-ips-interval
@@ -763,24 +764,15 @@ (define-record-type* <wireguard-configuration>
 
 (define (wireguard-configuration-file config)
   (define (peer->config peer)
-    (let ((name (wireguard-peer-name peer))
-          (public-key (wireguard-peer-public-key peer))
-          (endpoint (wireguard-peer-endpoint peer))
-          (allowed-ips (wireguard-peer-allowed-ips peer))
-          (keep-alive (wireguard-peer-keep-alive peer)))
-      (format #f "[Peer] #~a
-PublicKey = ~a
-AllowedIPs = ~a
-~a~a"
-              name
-              public-key
-              (string-join allowed-ips ",")
-              (if endpoint
-                  (format #f "Endpoint = ~a\n" endpoint)
-                  "")
-              (if keep-alive
-                  (format #f "PersistentKeepalive = ~a\n" keep-alive)
-                  "\n"))))
+    (match-record peer <wireguard-peer>
+      (name public-key endpoint allowed-ips keep-alive)
+      (let ((lines (list
+                    (format #f "[Peer]   #~a" name)
+                    (format #f "PublicKey = ~a" public-key)
+                    (format #f "AllowedIPs = ~{~a~^, ~}" allowed-ips)
+                    (format #f "~@[Endpoint = ~a~]" endpoint)
+                    (format #f "~@[PersistentKeepalive = ~a~]" keep-alive))))
+        (string-join (remove string-null? lines) "\n"))))
 
   (define (peers->preshared-keys peer keys)
     (let ((public-key (wireguard-peer-public-key peer))
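Review bot: the rewritten `peer->config` still emits a bare `AllowedIPs = ` line when `allowed-ips` is `'()`, because `(remove string-null? lines)` only drops empty strings and `"AllowedIPs = ~{~a~^, ~}"` with an empty list is not empty. If an empty value is intended, a comment saying so would help; otherwise guard the line the way `Endpoint` and `PersistentKeepalive` are guarded. Minor style point: `"[Peer]   #~a"` puts three spaces before the name comment where the previous version used one.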
@@ -799,65 +791,44 @@ (define (wireguard-configuration-file config)
             (computed-file
              "wireguard-config"
              #~(begin
+                 (use-modules (ice-9 format)
+                              (srfi srfi-1))
+
+                 (define lines
+                   (list
+                    "[Interface]"
+                    #$@(if (null? addresses)
+                           '()
+                           (list (format #f "Address = ~{~a~^, ~}"
+                                         addresses)))
+                    (format #f "~@[Table = ~a~]" #$table)
+                    #$@(if (null? pre-up)
+                           '()
+                           (list (format #f "~{PreUp = ~a~%~}" pre-up)))
+                    (format #f "PostUp = ~a set %i private-key ~a\
+~{ peer ~a preshared-key ~a~}" #$(file-append wireguard "/bin/wg")
+#$private-key '#$peer-keys)
+                    #$@(if (null? post-up)
+                           '()
+                           (list (format #f "~{PostUp = ~a~%~}" post-up)))
+                    #$@(if (null? pre-down)
+                           '()
+                           (list (format #f "~{PreDown = ~a~%~}" pre-down)))
+                    #$@(if (null? post-down)
+                           '()
+                           (list (format #f "~{PostDown = ~a~%~}" post-down)))
+                    (format #f "~@[ListenPort = ~a~]" #$port)
+                    #$@(if (null? dns)
+                           '()
+                           (list (format #f "~{DNS = ~{~a~^, ~}" dns)))))
+
                  (mkdir #$output)
                  (chdir #$output)
                  (call-with-output-file #$config-file
                    (lambda (port)
-                     (let ((format (@ (ice-9 format) format)))
-                       (format port "[Interface]
-Address = ~a
-~a
-~a
-PostUp = ~a set %i private-key ~a~{ peer ~a preshared-key ~a~}
-~a
-~a
-~a
-~a
-~a
-~{~a~^~%~}"
-                               #$(string-join addresses ",")
-                               #$(if table
-                                     (format #f "Table = ~a" table)
-                                     "")
-                               #$(if (null? pre-up)
-                                     ""
-                                     (string-join
-                                      (map (lambda (command)
-                                             (format #f "PreUp = ~a" command))
-                                           pre-up)
-                                      "\n"))
-                               #$(file-append wireguard "/bin/wg")
-                               #$private-key
-                               '#$peer-keys
-                               #$(if (null? post-up)
-                                     ""
-                                     (string-join
-                                      (map (lambda (command)
-                                             (format #f "PostUp = ~a" command))
-                                           post-up)
-                                      "\n"))
-                               #$(if (null? pre-down)
-                                     ""
-                                     (string-join
-                                      (map (lambda (command)
-                                             (format #f "PreDown = ~a" command))
-                                           pre-down)
-                                      "\n"))
-                               #$(if (null? post-down)
-                                     ""
-                                     (string-join
-                                      (map (lambda (command)
-                                             (format #f "PostDown = ~a" command))
-                                           post-down)
-                                      "\n"))
-                               #$(if port
-                                     (format #f "ListenPort = ~a" port)
-                                     "")
-                               #$(if dns
-                                     (format #f "DNS = ~a"
-                                             (string-join dns ","))
-                                     "")
-                               (list #$@peers)))))))))
+                     (format port "~a~%~%~{~a~%~^~%~}"
+                             (string-join (remove string-null? lines) "\n")
+                             '#$peers)))))))
       (file-append config "/" config-file))))
 
 (define (wireguard-activation config)
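Review bot: The DNS line `(format #f "~{DNS = ~{~a~^, ~}" dns)` is malformed: the outer `~{` opens an iteration that is never closed with `~}`, so (ice-9 format) will reject the control string when the derivation is built. It should read `(format #f "DNS = ~{~a~^, ~}" dns)`, mirroring the `Address` line above it. Separately, the `~{PreUp = ~a~%~}`, `PostUp`, `PreDown` and `PostDown` templates emit a newline after every element, so each of those entries ends with a trailing newline that survives `string-join` and produces stray blank lines in the generated file; `~{PreUp = ~a~^~%~}` puts a newline between entries only. Since the whole rendering path has been rewritten, a test that renders a configuration with every optional field set and compares it to the expected text would catch both problems.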
-- 
2.39.2

Message received at 63402 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v3 1/3] services: wireguard: Implement a dynamic IP monitoring
 feature.
Date: Tue, 16 May 2023 00:09:06 -0400
Message-Id: <76b34e5229e0e97068cb3bd42152f29630a8dbfc.1684210148.git.maxim.cournoyer@HIDDEN>
Cc: Maxim Cournoyer <maxim.cournoyer@HIDDEN>

* gnu/services/vpn.scm (<wireguard-configuration>)
[monitor-ips?, monitor-ips-internal]: New fields.
* gnu/services/vpn.scm (define-with-source): New syntax.
(wireguard-service-name, strip-port/maybe)
(ipv4-address?, ipv6-address?, host-name?)
(peers->endpoint-host-names)
(wireguard-monitoring-jobs): New procedures.
(wireguard-service-type): Register it.
* tests/services/vpn.scm: New file.
* Makefile.am (SCM_TESTS): Register it.
* doc/guix.texi (VPN Services): Update doc.
---
 Makefile.am            |   1 +
 doc/guix.texi          |  18 +++++-
 gnu/services/vpn.scm   | 123 +++++++++++++++++++++++++++++++++++++++--
 tests/services/vpn.scm |  80 +++++++++++++++++++++++++++
 4 files changed, 216 insertions(+), 6 deletions(-)
 create mode 100644 tests/services/vpn.scm

diff --git a/Makefile.am b/Makefile.am
index 13718e4353..fb6e4f57cd 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -553,6 +553,7 @@ SCM_TESTS =					\
   tests/services/lightdm.scm			\
   tests/services/linux.scm			\
   tests/services/telephony.scm			\
+  tests/services/vpn.scm			\
   tests/sets.scm				\
   tests/size.scm				\
   tests/status.scm				\
diff --git a/doc/guix.texi b/doc/guix.texi
index 60972f408d..4499a911d6 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32591,9 +32591,23 @@ VPN Services
 @item @code{dns} (default: @code{#f})
 The DNS server(s) to announce to VPN clients via DHCP.
 
+@item @code{monitor-ips?} (default: @code{#f})
+@cindex Dynamic IP, with Wireguard
+@cindex dyndns, usage with Wireguard
+Whether to monitor the resolved Internet addresses (IPs) of the
+endpoints of the configured peers, restarting the service when there is
+a mismatch between the endpoint IPs in actual use versus those freshly
+resolved from their host names.  Set this to @code{#t} if one or more
+endpoints use host names provided by a dynamic DNS service to keep
+connections working.
+
+@item @code{monitor-ips-internal} (default: @code{'(next-minute (range 0 60 5))})
+The time interval at which the IP monitoring job should run, provided as
+an mcron time specification (@pxref{Guile Syntax,,,mcron}).
+
 @item @code{private-key} (default: @code{"/etc/wireguard/private.key"})
-The private key file for the interface.  It is automatically generated if
-the file does not exist.
+The private key file for the interface.  It is automatically generated
+if the file does not exist.
 
 @item @code{peers} (default: @code{'()})
 The authorized peers on this interface.  This is a list of
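Review bot: The documented option name `@code{monitor-ips-internal}` does not match the record field this patch adds to gnu/services/vpn.scm, `monitor-ips-interval`; a user who copies the documented name into a configuration gets an unknown-field error (the commit message's `[monitor-ips?, monitor-ips-internal]` carries the same slip). The `monitor-ips?` entry would also benefit from stating the operational effect: on a mismatch the service is restarted, which is a `wg-quick down` followed by `wg-quick up` on the interface, so every tunnel on that interface drops briefly, and the check runs as an mcron job at `monitor-ips-interval`.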
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index a884d71eb2..e21f999bc0 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -11,6 +11,7 @@
 ;;; Copyright © 2021 Nathan Dehnel <ncdehnel@HIDDEN>
 ;;; Copyright © 2022 Cameron V Chaparro <cameron@HIDDEN>
 ;;; Copyright © 2022 Timo Wilken <guix@HIDDEN>
+;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -31,10 +32,12 @@ (define-module (gnu services vpn)
   #:use-module (gnu services)
   #:use-module (gnu services configuration)
   #:use-module (gnu services dbus)
+  #:use-module (gnu services mcron)
   #:use-module (gnu services shepherd)
   #:use-module (gnu system shadow)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages vpn)
+  #:use-module (guix modules)
   #:use-module (guix packages)
   #:use-module (guix records)
   #:use-module (guix gexp)
@@ -73,6 +76,8 @@ (define-module (gnu services vpn)
             wireguard-configuration-addresses
             wireguard-configuration-port
             wireguard-configuration-dns
+            wireguard-configuration-monitor-ips?
+            wireguard-configuration-monitor-ips-interval
             wireguard-configuration-private-key
             wireguard-configuration-peers
             wireguard-configuration-pre-up
@@ -741,6 +746,10 @@ (define-record-type* <wireguard-configuration>
                       (default '()))
   (dns                wireguard-configuration-dns ;list of strings
                       (default #f))
+  (monitor-ips?       wireguard-configuration-monitor-ips? ;boolean
+                      (default #f))
+  (monitor-ips-interval wireguard-configuration-monitor-ips-interval
+                        (default '(next-minute (range 0 60 5)))) ;string | list
   (pre-up             wireguard-configuration-pre-up ;list of strings
                       (default '()))
   (post-up            wireguard-configuration-post-up ;list of strings
@@ -871,6 +880,49 @@ (define (wireguard-activation config)
             (chmod #$private-key #o400)
             (close-pipe pipe))))))
 
+;;; XXX: Copied from (guix scripts pack), changing define to define*.
+(define-syntax-rule (define-with-source (variable args ...) body body* ...)
+  "Bind VARIABLE to a procedure accepting ARGS defined as BODY, also setting
+its source property."
+  (begin
+    (define* (variable args ...)
+      body body* ...)
+    (eval-when (load eval)
+      (set-procedure-property! variable 'source
+                               '(define* (variable args ...) body body* ...)))))
+
+(define (wireguard-service-name interface)
+  "Return the WireGuard service name (a symbol) configured to use INTERFACE."
+  (symbol-append 'wireguard- (string->symbol interface)))
+
+(define-with-source (strip-port/maybe endpoint #:key ipv6?)
+  "Strip the colon and port, if present in ENDPOINT, a string."
+  (if ipv6?
+      (if (string-prefix? "[" endpoint)
+          (first (string-split (string-drop endpoint 1) #\])) ;ipv6
+          endpoint)
+      (first (string-split endpoint #\:)))) ;ipv4
+
+(define (ipv4-address? str)
+  "Return true if STR denotes an IPv4 address."
+  (false-if-exception
+   (->bool (inet-pton AF_INET (strip-port/maybe str)))))
+
+(define (ipv6-address? str)
+  "Return true if STR denotes an IPv6 address."
+  (false-if-exception
+   (->bool (inet-pton AF_INET6 (strip-port/maybe str #:ipv6? #t)))))
+
+(define (host-name? name)
+  "Predicate to check whether NAME is a host name, i.e. not an IP address."
+  (not (or (ipv6-address? name) (ipv4-address? name))))
+
+(define (peers->endpoint-host-names peers)
+  "Return host names used as the endpoints of PEERS, if any.  Any \":PORT\"
+suffixes are stripped."
+  (map strip-port/maybe
+       (filter host-name? (filter-map wireguard-peer-endpoint peers))))
+
 (define (wireguard-shepherd-service config)
   (match-record config <wireguard-configuration>
     (wireguard interface)
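Review bot: `strip-port/maybe` only recognises an IPv6 literal when `#:ipv6? #t` is passed; without it, a bracketed endpoint such as `[2607:5300:60:6b0::c05f:543]:2468` is split at the first colon and returns `[2607`. That is harmless in `peers->endpoint-host-names`, where `host-name?` has already dropped IP literals, but the same procedure is spliced into the monitoring program through `procedure-source` and applied there to `wg show` output without the flag. Detecting a leading `[` regardless of the keyword would let one code path handle both families; at minimum the docstring should say that a bare IPv6 literal is not supported by the IPv4 path. The `define-with-source` copy marked `XXX: Copied from (guix scripts pack)` would be better moved to a shared module than duplicated.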
@@ -878,9 +930,7 @@ (define (wireguard-shepherd-service config)
           (config (wireguard-configuration-file config)))
       (list (shepherd-service
              (requirement '(networking))
-             (provision (list
-                         (symbol-append 'wireguard-
-                                        (string->symbol interface))))
+             (provision (list (wireguard-service-name interface)))
              (start #~(lambda _
                        (invoke #$wg-quick "up" #$config)))
              (stop #~(lambda _
@@ -888,6 +938,69 @@ (define (wireguard-shepherd-service config)
                        #f))                       ;stopped!
              (documentation "Run the Wireguard VPN tunnel"))))))
 
+(define (wireguard-monitoring-jobs config)
+  (match-record config <wireguard-configuration>
+    (interface monitor-ips? monitor-ips-interval peers)
+    (let ((host-names (peers->endpoint-host-names peers)))
+      (if monitor-ips?
+          (if (null? host-names)
+              (begin
+                (warn "monitor-ips? is #t but no host name to monitor")
+                '())
+              ;; The mcron monitor job may be a string or a list; ungexp strips
+              ;; one quote level, which must be added back when a list is
+              ;; provided.
+              (list
+               #~(job
+                  (if (string? #$monitor-ips-interval)
+                      #$monitor-ips-interval
+                      '#$monitor-ips-interval)
+                  #$(program-file
+                     (format #f "wireguard-~a-monitoring" interface)
+                     (with-imported-modules (source-module-closure
+                                             '((gnu services herd)))
+                       #~(begin
+                           (use-modules (gnu services herd)
+                                        (ice-9 popen)
+                                        (ice-9 textual-ports)
+                                        (srfi srfi-1)
+                                        (srfi srfi-26))
+
+                           (define (host-name->ip name)
+                             "Return the IP address resolved from NAME."
+                             (let* ((ai (car (getaddrinfo name)))
+                                    (sa (addrinfo:addr ai)))
+                               (inet-ntop (sockaddr:fam sa)
+                                          (sockaddr:addr sa))))
+
+                           #$(procedure-source strip-port/maybe)
+
+                           (define service-name '#$(wireguard-service-name
+                                                    interface))
+
+                           (when (start-service service-name)
+                             (let* ((resolved-ips (map host-name->ip
+                                                       '#$host-names))
+                                    (pipe (open-pipe*
+                                           OPEN_READ
+                                           #$(file-append wireguard-tools
+                                                          "/bin/wg")
+                                           "show" #$interface "endpoints"))
+                                    (lines (string-split (get-string-all pipe)
+                                                         #\newline))
+                                    (used-ips (map (compose
+                                                    strip-port/maybe
+                                                    last
+                                                    (cut string-split <> #\tab))
+                                                   lines)))
+                               (close-pipe pipe)
+                               (unless (every (cut member <> used-ips)
+                                              resolved-ips)
+                                 (format #t "restarting ~a service due to \
+stale endpoint IPs~%" service-name)
+                                 (restart-service service-name))))))))))
+          '()))))                       ;monitor-ips? is #f
+
 (define wireguard-service-type
   (service-type
    (name 'wireguard)
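Review bot: The `used-ips` computation breaks the comparison for IPv6 peers: `wg show <iface> endpoints` reports IPv6 endpoints as `[addr]:port`, and `strip-port/maybe` is called here without `#:ipv6? #t`, so such an endpoint becomes `[2607` and never equals the address `inet-ntop` returns; `every` then fails on each tick and the job restarts the tunnel every five minutes (the default `(next-minute (range 0 60 5))`) for any IPv6 dynamic-DNS peer. Pass `#:ipv6? #t` when the string starts with `[`, or make `strip-port/maybe` handle that itself. Two related points: `(car (getaddrinfo name))` takes whichever record comes first, so a name with both A and AAAA records can resolve to a family the peer is not using and trigger the same restart loop, and an unresolvable name makes `getaddrinfo` throw, aborting the job without any log line; restricting the lookup to the family of the configured endpoint and wrapping it in a handler that logs and skips that peer would keep a transient DNS failure from either restarting or silently disabling the check. Finally, `(when (start-service service-name) ...)` starts the WireGuard service as a side effect of checking it, so a tunnel an administrator deliberately stopped with `herd stop` comes back on the next tick; a status query that does not start anything fits a monitor better.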
@@ -898,6 +1011,8 @@ (define wireguard-service-type
                              wireguard-activation)
           (service-extension profile-service-type
                              (compose list
-                                      wireguard-configuration-wireguard))))
+                                      wireguard-configuration-wireguard))
+          (service-extension mcron-service-type
+                             wireguard-monitoring-jobs)))
    (description "Set up Wireguard @acronym{VPN, Virtual Private Network}
 tunnels.")))
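Review bot: The `mcron-service-type` extension is registered unconditionally, so every system with a `wireguard-service-type` instance now depends on mcron even when `monitor-ips?` is `#f` (the extension then contributes `'()`). If that is acceptable, it should be mentioned in the doc hunk so users are not surprised by an mcron service appearing; otherwise the extension could be contributed only when monitoring is enabled.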
diff --git a/tests/services/vpn.scm b/tests/services/vpn.scm
new file mode 100644
index 0000000000..9c6fa65df6
--- /dev/null
+++ b/tests/services/vpn.scm
@@ -0,0 +1,80 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (tests services vpn)
+  #:use-module (gnu packages vpn)
+  #:use-module (gnu services vpn)
+  #:use-module (guix gexp)
+  #:use-module (ice-9 match)
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-64))
+
+;;; Commentary:
+;;;
+;;; Unit tests for the (gnu services vpn) module.
+;;;
+;;; Code:
+
+;;; Access some internals for whitebox testing.
+(define ipv4-address? (@@ (gnu services vpn) ipv4-address?))
+(define ipv6-address? (@@ (gnu services vpn) ipv6-address?))
+(define host-name? (@@ (gnu services vpn) host-name?))
+(define peers->endpoint-host-names
+  (@@ (gnu services vpn) peers->endpoint-host-names))
+
+(test-begin "vpn-services")
+
+(test-assert "ipv4-address?"
+  (every ipv4-address?
+         (list "192.95.5.67:1234"
+               "10.0.0.1")))
+
+(test-assert "ipv6-address?"
+  (every ipv6-address?
+         (list "[2607:5300:60:6b0::c05f:543]:2468"
+               "2607:5300:60:6b0::c05f:543"
+               "2345:0425:2CA1:0000:0000:0567:5673:23b5"
+               "2345:0425:2CA1::0567:5673:23b5")))
+
+(define %wireguard-peers
+  (list (wireguard-peer
+         (name "dummy1")
+         (public-key "VlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XjoalC8=")
+         (endpoint "some.dynamic-dns.service:53281")
+         (allowed-ips '()))
+        (wireguard-peer
+         (name "dummy2")
+         (public-key "AlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC9=")
+         (endpoint "example.org")
+         (allowed-ips '()))
+        (wireguard-peer
+         (name "dummy3")
+         (public-key "BlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC7=")
+         (endpoint "10.0.0.7:7777")
+         (allowed-ips '()))
+        (wireguard-peer
+         (name "dummy4")
+         (public-key "ClesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC6=")
+         (endpoint "[2345:0425:2CA1::0567:5673:23b5]:44444")
+         (allowed-ips '()))))
+
+(test-equal "peers->endpoint-host-names"
+  '("some.dynamic-dns.service" "example.org")
+  (peers->endpoint-host-names %wireguard-peers))
+
+(test-end "vpn-services")
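Review bot: Only positive cases are covered: there is no assertion that `ipv4-address?` rejects a host name or an IPv6 literal, that `ipv6-address?` rejects a dotted quad or `"example.org"`, or that `host-name?` returns `#f` for `"10.0.0.7:7777"` and `"[2345:0425:2CA1::0567:5673:23b5]:44444"`, and `strip-port/maybe`, which the monitoring job depends on, has no direct test at all (an IPv4 endpoint without a port, a bracketed IPv6 endpoint with and without `#:ipv6? #t`). The `peers->endpoint-host-names` case catches a predicate that is always true or always false, but not one that misclassifies a single family. Also, `(ice-9 match)` is imported but unused.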

base-commit: 242cc93438d67f5b35602d5add02e230850b0b43
-- 
2.39.2

Message received at 63402 <at> debbugs.gnu.org:

From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: 63402 <at> debbugs.gnu.org
Subject: [PATCH v2] services: wireguard: Implement a dynamic IP monitoring
 feature.
Date: Mon, 15 May 2023 12:13:02 -0400
Message-Id: <a07e9f398564ddb9499c525bf5ed75988d1b0dab.1684167181.git.maxim.cournoyer@HIDDEN>
Cc: Maxim Cournoyer <maxim.cournoyer@HIDDEN>

* gnu/services/vpn.scm (<wireguard-configuration>)
[monitor-ips?, monitor-ips-internal]: New fields.
* gnu/services/vpn.scm (define-with-source): New syntax.
(wireguard-service-name, strip-port/maybe)
(ipv4-address?, ipv6-address?, host-name?)
(peers->endpoint-host-names)
(wireguard-monitoring-jobs): New procedures.
(wireguard-service-type): Register it.
* tests/services/vpn.scm: New file.
* Makefile.am (SCM_TESTS): Register it.
* doc/guix.texi (VPN Services): Update doc.
---
 Makefile.am            |   1 +
 doc/guix.texi          |  18 +++++-
 gnu/services/vpn.scm   | 123 +++++++++++++++++++++++++++++++++++++++--
 tests/services/vpn.scm |  80 +++++++++++++++++++++++++++
 4 files changed, 216 insertions(+), 6 deletions(-)
 create mode 100644 tests/services/vpn.scm

diff --git a/Makefile.am b/Makefile.am
index 13718e4353..fb6e4f57cd 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -553,6 +553,7 @@ SCM_TESTS =					\
   tests/services/lightdm.scm			\
   tests/services/linux.scm			\
   tests/services/telephony.scm			\
+  tests/services/vpn.scm			\
   tests/sets.scm				\
   tests/size.scm				\
   tests/status.scm				\
diff --git a/doc/guix.texi b/doc/guix.texi
index 60972f408d..4499a911d6 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -32591,9 +32591,23 @@ VPN Services
 @item @code{dns} (default: @code{#f})
 The DNS server(s) to announce to VPN clients via DHCP.
 
+@item @code{monitor-ips?} (default: @code{#f})
+@cindex Dynamic IP, with Wireguard
+@cindex dyndns, usage with Wireguard
+Whether to monitor the resolved Internet addresses (IPs) of the
+endpoints of the configured peers, restarting the service when there is
+a mismatch between the endpoint IPs in actual use versus those freshly
+resolved from their host names.  Set this to @code{#t} if one or more
+endpoints use host names provided by a dynamic DNS service to keep
+connections working.
+
+@item @code{monitor-ips-internal} (default: @code{'(next-minute (range 0 60 5))})
+The time interval at which the IP monitoring job should run, provided as
+an mcron time specification (@pxref{Guile Syntax,,,mcron}).
+
 @item @code{private-key} (default: @code{"/etc/wireguard/private.key"})
-The private key file for the interface.  It is automatically generated if
-the file does not exist.
+The private key file for the interface.  It is automatically generated
+if the file does not exist.
 
 @item @code{peers} (default: @code{'()})
 The authorized peers on this interface.  This is a list of
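Review bot: `@code{monitor-ips-internal}` in this entry should be `monitor-ips-interval`, the name of the record field added to `<wireguard-configuration>` in this same patch; as documented, the option cannot be used. The description would also be clearer if it said what a detected mismatch does: the service is restarted (a `wg-quick down`/`up` cycle of the interface), so all tunnels on that interface drop briefly.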
diff --git a/gnu/services/vpn.scm b/gnu/services/vpn.scm
index a884d71eb2..e21f999bc0 100644
--- a/gnu/services/vpn.scm
+++ b/gnu/services/vpn.scm
@@ -11,6 +11,7 @@
 ;;; Copyright © 2021 Nathan Dehnel <ncdehnel@HIDDEN>
 ;;; Copyright © 2022 Cameron V Chaparro <cameron@HIDDEN>
 ;;; Copyright © 2022 Timo Wilken <guix@HIDDEN>
+;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
 ;;;
 ;;; This file is part of GNU Guix.
 ;;;
@@ -31,10 +32,12 @@ (define-module (gnu services vpn)
   #:use-module (gnu services)
   #:use-module (gnu services configuration)
   #:use-module (gnu services dbus)
+  #:use-module (gnu services mcron)
   #:use-module (gnu services shepherd)
   #:use-module (gnu system shadow)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages vpn)
+  #:use-module (guix modules)
   #:use-module (guix packages)
   #:use-module (guix records)
   #:use-module (guix gexp)
@@ -73,6 +76,8 @@ (define-module (gnu services vpn)
             wireguard-configuration-addresses
             wireguard-configuration-port
             wireguard-configuration-dns
+            wireguard-configuration-monitor-ips?
+            wireguard-configuration-monitor-ips-interval
             wireguard-configuration-private-key
             wireguard-configuration-peers
             wireguard-configuration-pre-up
@@ -741,6 +746,10 @@ (define-record-type* <wireguard-configuration>
                       (default '()))
   (dns                wireguard-configuration-dns ;list of strings
                       (default #f))
+  (monitor-ips?       wireguard-configuration-monitor-ips? ;boolean
+                      (default #f))
+  (monitor-ips-interval wireguard-configuration-monitor-ips-interval
+                        (default '(next-minute (range 0 60 5)))) ;string | list
   (pre-up             wireguard-configuration-pre-up ;list of strings
                       (default '()))
   (post-up            wireguard-configuration-post-up ;list of strings
@@ -871,6 +880,49 @@ (define (wireguard-activation config)
             (chmod #$private-key #o400)
             (close-pipe pipe))))))
 
+;;; XXX: Copied from (guix scripts pack), changing define to define*.
+(define-syntax-rule (define-with-source (variable args ...) body body* ...)
+  "Bind VARIABLE to a procedure accepting ARGS defined as BODY, also setting
+its source property."
+  (begin
+    (define* (variable args ...)
+      body body* ...)
+    (eval-when (load eval)
+      (set-procedure-property! variable 'source
+                               '(define* (variable args ...) body body* ...)))))
+
+(define (wireguard-service-name interface)
+  "Return the WireGuard service name (a symbol) configured to use INTERFACE."
+  (symbol-append 'wireguard- (string->symbol interface)))
+
+(define-with-source (strip-port/maybe endpoint #:key ipv6?)
+  "Strip the colon and port, if present in ENDPOINT, a string."
+  (if ipv6?
+      (if (string-prefix? "[" endpoint)
+          (first (string-split (string-drop endpoint 1) #\])) ;ipv6
+          endpoint)
+      (first (string-split endpoint #\:)))) ;ipv4
+
+(define (ipv4-address? str)
+  "Return true if STR denotes an IPv4 address."
+  (false-if-exception
+   (->bool (inet-pton AF_INET (strip-port/maybe str)))))
+
+(define (ipv6-address? str)
+  "Return true if STR denotes an IPv6 address."
+  (false-if-exception
+   (->bool (inet-pton AF_INET6 (strip-port/maybe str #:ipv6? #t)))))
+
+(define (host-name? name)
+  "Predicate to check whether NAME is a host name, i.e. not an IP address."
+  (not (or (ipv6-address? name) (ipv4-address? name))))
+
+(define (peers->endpoint-host-names peers)
+  "Return host names used as the endpoints of PEERS, if any.  Any \":PORT\"
+suffixes are stripped."
+  (map strip-port/maybe
+       (filter host-name? (filter-map wireguard-peer-endpoint peers))))
+
 (define (wireguard-shepherd-service config)
   (match-record config <wireguard-configuration>
     (wireguard interface)
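Review bot: `define-with-source` is a verbatim copy of the macro in (guix scripts pack), as the XXX comment admits; rather than carrying a second definition that can drift, move the macro to a shared module and import it in both places. Also note that `host-name?` is defined purely as "not a valid IPv4 or IPv6 address", so a mistyped endpoint such as `"10.0.0.300:51820"` is classified as a host name and will later be handed to `getaddrinfo` from the monitoring job; either tighten the predicate or add a comment making that fallback explicit.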
@@ -878,9 +930,7 @@ (define (wireguard-shepherd-service config)
           (config (wireguard-configuration-file config)))
       (list (shepherd-service
              (requirement '(networking))
-             (provision (list
-                         (symbol-append 'wireguard-
-                                        (string->symbol interface))))
+             (provision (list (wireguard-service-name interface)))
              (start #~(lambda _
                        (invoke #$wg-quick "up" #$config)))
              (stop #~(lambda _
@@ -888,6 +938,69 @@ (define (wireguard-shepherd-service config)
                        #f))                       ;stopped!
              (documentation "Run the Wireguard VPN tunnel"))))))
 
+(define (wireguard-monitoring-jobs config)
+  (match-record config <wireguard-configuration>
+    (interface monitor-ips? monitor-ips-interval peers)
+    (let ((host-names (peers->endpoint-host-names peers)))
+      (if monitor-ips?
+          (if (null? host-names)
+              (begin
+                (warn "monitor-ips? is #t but no host name to monitor")
+                '())
+              ;; The mcron monitor job may be a string or a list; ungexp strips
+              ;; one quote level, which must be added back when a list is
+              ;; provided.
+              (list
+               #~(job
+                  (if (string? #$monitor-ips-interval)
+                      #$monitor-ips-interval
+                      '#$monitor-ips-interval)
+                  #$(program-file
+                     (format #f "wireguard-~a-monitoring" interface)
+                     (with-imported-modules (source-module-closure
+                                             '((gnu services herd)))
+                       #~(begin
+                           (use-modules (gnu services herd)
+                                        (ice-9 popen)
+                                        (ice-9 textual-ports)
+                                        (srfi srfi-1)
+                                        (srfi srfi-26))
+
+                           (define (host-name->ip name)
+                             "Return the IP address resolved from NAME."
+                             (let* ((ai (car (getaddrinfo name)))
+                                    (sa (addrinfo:addr ai)))
+                               (inet-ntop (sockaddr:fam sa)
+                                          (sockaddr:addr sa))))
+
+                           #$(procedure-source strip-port/maybe)
+
+                           (define service-name '#$(wireguard-service-name
+                                                    interface))
+
+                           (when (start-service service-name)
+                             (let* ((resolved-ips (map host-name->ip
+                                                       '#$host-names))
+                                    (pipe (open-pipe*
+                                           OPEN_READ
+                                           #$(file-append wireguard-tools
+                                                          "/bin/wg")
+                                           "show" #$interface "endpoints"))
+                                    (lines (string-split (get-string-all pipe)
+                                                         #\newline))
+                                    (used-ips (map (compose
+                                                    strip-port/maybe
+                                                    last
+                                                    (cut string-split <> #\tab))
+                                                   lines)))
+                               (close-pipe pipe)
+                               (unless (every (cut member <> used-ips)
+                                              resolved-ips)
+                                 (format #t "restarting ~a service due to \
+stale endpoint IPs~%" service-name)
+                                 (restart-service service-name))))))))))
+          '()))))                       ;monitor-ips? is #f
+
 (define wireguard-service-type
   (service-type
    (name 'wireguard)
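Review bot: the `used-ips` comparison is wrong for IPv6 endpoints: `strip-port/maybe` is called without `#:ipv6? #t`, so a `[2607:...]:2468` entry from `wg show INTERFACE endpoints` is cut at its first colon, can never equal the bracket-free address returned by `host-name->ip`, and the tunnel gets restarted on every run of the job. Dispatch on a leading `[` (or pass `#:ipv6? #t` when the entry starts with one) before comparing. Two smaller points in the same block: `host-name->ip` keeps only `(car (getaddrinfo name))`, so a dual-stack or round-robin host may resolve to an address other than the one WireGuard is using, again triggering needless restarts (compare against all resolved addresses instead); and a `getaddrinfo` failure during a DNS outage throws out of the job uncaught, so wrap the resolution and log the error rather than aborting the check. Finally, `(when (start-service service-name) ...)` starts the service as a side effect of a monitoring run; if that is intended, a comment saying so would help.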
@@ -898,6 +1011,8 @@ (define wireguard-service-type
                              wireguard-activation)
           (service-extension profile-service-type
                              (compose list
-                                      wireguard-configuration-wireguard))))
+                                      wireguard-configuration-wireguard))
+          (service-extension mcron-service-type
+                             wireguard-monitoring-jobs)))
    (description "Set up Wireguard @acronym{VPN, Virtual Private Network}
 tunnels.")))
diff --git a/tests/services/vpn.scm b/tests/services/vpn.scm
new file mode 100644
index 0000000000..9c6fa65df6
--- /dev/null
+++ b/tests/services/vpn.scm
@@ -0,0 +1,80 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2023 Maxim Cournoyer <maxim.cournoyer@HIDDEN>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (tests services vpn)
+  #:use-module (gnu packages vpn)
+  #:use-module (gnu services vpn)
+  #:use-module (guix gexp)
+  #:use-module (ice-9 match)
+  #:use-module (srfi srfi-1)
+  #:use-module (srfi srfi-64))
+
+;;; Commentary:
+;;;
+;;; Unit tests for the (gnu services vpn) module.
+;;;
+;;; Code:
+
+;;; Access some internals for whitebox testing.
+(define ipv4-address? (@@ (gnu services vpn) ipv4-address?))
+(define ipv6-address? (@@ (gnu services vpn) ipv6-address?))
+(define host-name? (@@ (gnu services vpn) host-name?))
+(define peers->endpoint-host-names
+  (@@ (gnu services vpn) peers->endpoint-host-names))
+
+(test-begin "vpn-services")
+
+(test-assert "ipv4-address?"
+  (every ipv4-address?
+         (list "192.95.5.67:1234"
+               "10.0.0.1")))
+
+(test-assert "ipv6-address?"
+  (every ipv6-address?
+         (list "[2607:5300:60:6b0::c05f:543]:2468"
+               "2607:5300:60:6b0::c05f:543"
+               "2345:0425:2CA1:0000:0000:0567:5673:23b5"
+               "2345:0425:2CA1::0567:5673:23b5")))
+
+(define %wireguard-peers
+  (list (wireguard-peer
+         (name "dummy1")
+         (public-key "VlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XjoalC8=")
+         (endpoint "some.dynamic-dns.service:53281")
+         (allowed-ips '()))
+        (wireguard-peer
+         (name "dummy2")
+         (public-key "AlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC9=")
+         (endpoint "example.org")
+         (allowed-ips '()))
+        (wireguard-peer
+         (name "dummy3")
+         (public-key "BlesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC7=")
+         (endpoint "10.0.0.7:7777")
+         (allowed-ips '()))
+        (wireguard-peer
+         (name "dummy4")
+         (public-key "ClesLiEB5BFd//OD2ILKXviolfz+hodG6uZ+XgoalC6=")
+         (endpoint "[2345:0425:2CA1::0567:5673:23b5]:44444")
+         (allowed-ips '()))))
+
+(test-equal "peers->endpoint-host-names"
+  '("some.dynamic-dns.service" "example.org")
+  (peers->endpoint-host-names %wireguard-peers))
+
+(test-end "vpn-services")
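Review bot: the tests only exercise positive cases; add negative cases for `ipv4-address?` and `ipv6-address?` (for example asserting that `"example.org"` and `"10.0.0.300:51820"` are rejected) and a direct test of `host-name?`, since `peers->endpoint-host-names` depends on all three. The `(gnu packages vpn)`, `(guix gexp)` and `(ice-9 match)` imports are unused in this file and can be dropped.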

base-commit: 7b00b155d8f474d493a22ff7cccbeec311b9bbc8
-- 
2.39.2

Information forwarded to guix-patches@HIDDEN: bug#63402; Package guix-patches.
Forcibly Merged 63402 63403. Request was from Maxim Cournoyer <maxim.cournoyer@HIDDEN> to control <at> debbugs.gnu.org.

Message received at submit <at> debbugs.gnu.org:


From: Maxim Cournoyer <maxim.cournoyer@HIDDEN>
To: guix-patches@HIDDEN,
	maxim.cournoyer@HIDDEN
Subject: [PATCH 0/1] Add a dynamic IP monitoring option to Wireguard service
Date: Tue,  9 May 2023 21:08:59 -0400
Message-Id: <cover.1683679924.git.maxim.cournoyer@HIDDEN>

Hi,

This change adds an option to monitor dynamic IP hosts used as
endpoints in Wireguard peer configuration and restart the service when
the IP captured by Wireguard has changed.

We have a keep-alive option already but this doesn't completely
prevent a connection from becoming stale, for example when the
Wireguard *server* is hosted on a machine with a dynamic IP and the
Wireguard *clients* are the ones initiating the connection to it.

When the Wireguard server disappears (in my case my ISP resets my IP
once per day, which breaks active connections), the keep-alives are
interrupted and the clients are stuck with a stale IP.

I've tested this with a duckdns.org dynamic host name that I use to
reach my private machine from the Internet, and it seems to work.
I'll report after a few days of usage.

Maxim Cournoyer (1):
  services: wireguard: Implement a dynamic IP monitoring feature.

 Makefile.am            |   1 +
 doc/guix.texi          |  18 +++++-
 gnu/services/vpn.scm   | 122 +++++++++++++++++++++++++++++++++++++++--
 tests/services/vpn.scm |  80 +++++++++++++++++++++++++++
 4 files changed, 215 insertions(+), 6 deletions(-)
 create mode 100644 tests/services/vpn.scm


base-commit: 7f89eee664c18d4d8214abf17cdad0e24096a5e7
-- 
2.39.2

Acknowledgement sent to Maxim Cournoyer <maxim.cournoyer@HIDDEN>: New bug report received and forwarded. Copy sent to guix-patches@HIDDEN.
Report forwarded to guix-patches@HIDDEN: bug#63402; Package guix-patches.
Last modified: Thu, 25 May 2023 15:15:01 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.