Hi Michael,

On Mon, Nov 21, 2022 at 09:31:41AM +0300, Michael Tokarev wrote:
> 21.11.2022 01:46, Daniel Gröber wrote:
> > Using this new option the interface configs can be much easier to deploy in
> > an automated fashion as they don't contain secrets anymore. The private key
> > can easily be provisioned out of band or using a one-time provisioning step
> > instead.
>
> This is definitely a very welcome option in my PoV.
>
> Add my
> Signed-off-by: Michael Tokarev <m...@tls.msk.ru>

I think you mean Reviewed-By? Speaking of which I actually forgot the signoff myself. Doh.

Is Reviewed-By something we do here? I can't find a single such tag with `git log --grep Reviewed-By`. I appreciate the positive response nonetheless though :)

> > Before this patch we were using a neat hack: it's possible to simply omit
> > PrivateKey= and set it using PostUp= wg set %i private-key /some/file.
>
> Well, this isn't really neat, it is a hackish workaround for the missing
> functionality ;)

It does work surprisingly well though :D. I just re-set the private-key after syncconf now, which definitely ought to lose some traffic but it works at least ;)

> On a side note, almost a year ago I sent a patch for wg utility to recognize
> and discard some keywords which are processed by wg-quick script - like,
> Address=. This way, there's no need to pre-process the config file anymore,
> and in order to recognize more peers, one doesn't have to restart the
> tunnel interface, instead, a regular wg syncconf wgif.conf is sufficient,
> and many things can be simplified too (removing the preprocessing).

Ok I think I found your patch[1]. So we did actually independently come up with the idea of PrivateKeyFile, interesting. Also you support PresharedKey too. I realised I forgot that one right after sending the patch obv. ;) I'll send a v2 for that soon.

[1]: https://lists.zx2c4.com/pipermail/wireguard/2021-January/006346.html

As for ignoring the wg-quick options, I'm not sure what's the right way to go there. I don't find the wg-quick strip approach toooo taxing but it sure would be more convenient to just call one tool.

> I've never got any reply for these patches.

I have another patch pending for a longish while as well "wg: Support restricting address family of DNS resolved Endpoint". IMO you should have just resent your series every couple of months :)

--Daniel
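As an added illustration (not part of this thread or of wireguard-tools), here are the two ways discussed above of keeping the private key out of the interface config: the `PostUp=` workaround and the `PrivateKeyFile=` option this patch proposes. The addresses, hostname and file paths are constructed, and `PrivateKeyFile=` is the proposed option name, not a released one.

```ini
# Constructed example: two variants of /etc/wireguard/wg0.conf, use one or the other.
# In both, the key lives in a separate root-only file so the config carries no secret.
# Create that file with restrictive permissions, e.g.
#   (umask 077; wg genkey > /etc/wireguard/wg0.key)

# Variant (a): the PostUp= workaround. PrivateKey= is omitted and the key is loaded
# once the interface is up; %i is wg-quick's placeholder for the interface name.
# Note: PostUp= and Address= are handled by wg-quick only, so this file cannot be fed
# to `wg syncconf` directly; `wg-quick strip wg0` removes them first, after which the
# key has to be set again by hand, as described in the thread.
[Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PostUp = wg set %i private-key /etc/wireguard/wg0.key

[Peer]
PublicKey = <peer public key>
AllowedIPs = 10.0.0.0/24
Endpoint = vpn.example.com:51820

# Variant (b): the proposed PrivateKeyFile= option (assumed spelling, from this patch).
# wg reads the key file itself, so the interface section below is also valid input for
# `wg syncconf wg0 wg0.conf` once the wg-quick-only Address= line is stripped.
[Interface]
Address = 10.0.0.2/24
ListenPort = 51820
PrivateKeyFile = /etc/wireguard/wg0.key

[Peer]
PublicKey = <peer public key>
AllowedIPs = 10.0.0.0/24
Endpoint = vpn.example.com:51820
```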