This adds a new config key PrivateKeyFile= that simply hooks up the
existing code for the `wg set ... private-key /file` codepath.

Using this new option the interface configs can be much easier to deploy in
an automated fashion as they don't contain secrets anymore. The private key
can easily be provisioned out of band or using a one-time provisioning step

Before this patch we were using a neat hack: it's possible to simply omit
PrivateKey= and set it using PostUp= wg set %i private-key /some/file.
However this breaks when we try to use setconf or synconf as
they will (rightly) unset the private key instead of leaving it as-is.
 src/config.c | 4 ++++
 src/man/wg.8 | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/src/config.c b/src/config.c
index e8db900..49cbb07 100644
--- a/src/config.c
+++ b/src/config.c
@@ -464,6 +464,10 @@ static bool process_line(struct config_ctx *ctx, const 
char *line)
                        ret = parse_key(ctx->device->private_key, value);
                        if (ret)
                                ctx->device->flags |= WGDEVICE_HAS_PRIVATE_KEY;
+               } else if (key_match("PrivateKeyFile")) {
+                       ret = parse_keyfile(ctx->device->private_key, value);
+                       if (ret)
+                               ctx->device->flags |= WGDEVICE_HAS_PRIVATE_KEY;
                } else
                        goto error;
        } else if (ctx->is_peer_section) {
diff --git a/src/man/wg.8 b/src/man/wg.8
index fd9fde7..1d37338 100644
--- a/src/man/wg.8
+++ b/src/man/wg.8
@@ -134,6 +134,8 @@ The \fIInterface\fP section may contain the following 
 .IP \(bu
 PrivateKey \(em a base64 private key generated by \fIwg genkey\fP. Required.
 .IP \(bu
+PrivateKeyFile \(em path to a file containing base64 private key. May be used 
instead of \fIPrivateKey\fP. Optional.
+.IP \(bu
 ListenPort \(em a 16-bit port for listening. Optional; if not specified, chosen
 .IP \(bu

Reply via email to