Added reading wireguard secrets from files

* secrets\wireguard.go follows openvpn.go closely in style and is able to set the private key, preshared key as well as the addresses * helpers.go received the readWireguardAddress function from env\wireguard.go to be used from the original file as well as the new secrets\wireguard.go * vpn.go now also calls readWireguard()
qdm12 · Feb 27, 2023 · 1246326 · 1246326
1 parent 168f621
commit 1246326
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 23 deletions.
diff --git a/internal/configuration/sources/env/wireguard.go b/internal/configuration/sources/env/wireguard.go
@@ -2,7 +2,6 @@ package env
 
 import (
 	"fmt"
-	"net"
 	"os"
 	"strings"
 
@@ -17,30 +16,9 @@ func (s *Source) readWireguard() (wireguard settings.Wireguard, err error) {
 	wireguard.PreSharedKey = envToStringPtr("WIREGUARD_PRESHARED_KEY")
 	_, wireguard.Interface = s.getEnvWithRetro("VPN_INTERFACE", "WIREGUARD_INTERFACE")
 	wireguard.Implementation = os.Getenv("WIREGUARD_IMPLEMENTATION")
-	wireguard.Addresses, err = s.readWireguardAddresses()
+	wireguard.Addresses, err = readWireguardAddresses(s.getEnvWithRetro("WIREGUARD_ADDRESSES", "WIREGUARD_ADDRESS"))
 	if err != nil {
 		return wireguard, err // already wrapped
 	}
 	return wireguard, nil
 }
-
-func (s *Source) readWireguardAddresses() (addresses []net.IPNet, err error) {
-	key, addressesCSV := s.getEnvWithRetro("WIREGUARD_ADDRESSES", "WIREGUARD_ADDRESS")
-	if addressesCSV == "" {
-		return nil, nil
-	}
-
-	addressStrings := strings.Split(addressesCSV, ",")
-	addresses = make([]net.IPNet, len(addressStrings))
-	for i, addressString := range addressStrings {
-		addressString = strings.TrimSpace(addressString)
-		ip, ipNet, err := net.ParseCIDR(addressString)
-		if err != nil {
-			return nil, fmt.Errorf("environment variable %s: %w", key, err)
-		}
-		ipNet.IP = ip
-		addresses[i] = *ipNet
-	}
-
-	return addresses, nil
-}
diff --git a/internal/configuration/sources/secrets/helpers.go b/internal/configuration/sources/secrets/helpers.go
@@ -3,6 +3,7 @@ package secrets
 import (
 	"fmt"
 	"os"
+	"net"
 	"strings"
 
 	"github.com/qdm12/gluetun/internal/configuration/sources/files"
@@ -44,5 +45,25 @@ func readPEMSecretFile(secretPathEnvKey, defaultSecretPath string) (
 		return nil, fmt.Errorf("extracting base64 encoded data from PEM content: %w", err)
 	}
 
+	func readWireguardAddresses(addressesCSV string) (addresses []net.IPNet, err error) {
+		if addressesCSV == "" {
+			return nil, nil
+		}
+
+		key, addressStrings := strings.Split(addressesCSV, ",")
+		addresses = make([]net.IPNet, len(addressStrings))
+		for i, addressString := range addressStrings {
+			addressString = strings.TrimSpace(addressString)
+			ip, ipNet, err := net.ParseCIDR(addressString)
+			if err != nil {
+				return nil, fmt.Errorf("environment variable %s: %w", key, err)
+			}
+			ipNet.IP = ip
+			addresses[i] = *ipNet
+		}
+
+		return addresses, nil
+	}
+
 	return &base64Data, nil
 }
diff --git a/internal/configuration/sources/secrets/vpn.go b/internal/configuration/sources/secrets/vpn.go
@@ -12,5 +12,10 @@ func readVPN() (vpn settings.VPN, err error) {
 		return vpn, fmt.Errorf("cannot read OpenVPN settings: %w", err)
 	}
 
+	vpn.Wireguard, err = readWireguard()
+	if err != nil {
+		return vpn, fmt.Errorf("cannot read Wireguard settings: %w", err)
+	}
+
 	return vpn, nil
 }
diff --git a/internal/configuration/sources/secrets/wireguard.go b/internal/configuration/sources/secrets/wireguard.go
@@ -0,0 +1,36 @@
+package secrets
+
+import (
+	"fmt"
+
+	"github.com/qdm12/gluetun/internal/configuration/settings"
+)
+
+func readWireguard() (
+	wireguard settings.Wireguard, err error) {
+		wireguard.PrivateKey, err = readSecretFileAsStringPtr(
+		"WIREGUARD_PRIVATE_KEY_SECRETFILE",
+		"/run/secrets/wireguard_private_key",
+	)
+	if err != nil {
+		return wireguard, fmt.Errorf("cannot read Wireguard private key file: %w", err)
+	}
+
+	wireguard.PreSharedKey, err = readSecretFileAsStringPtr(
+		"WIREGUARD_PRESHARED_KEY_SECRETFILE",
+		"/run/secrets/wireguard_preshared_key",
+	)
+	if err != nil {
+		return wireguard, fmt.Errorf("cannot read Wireguard preshared key file: %w", err)
+	}
+
+	wireguard.Addresses, err = readWireguardAddresses(readSecretFileAsStringPtr(
+		"WIREGUARD_ADDRESSES_SECRETFILE",
+		"/run/secrets/wireguard_addresses",
+	))
+	if err != nil {
+		return wireguard, fmt.Errorf("cannot read Wireguard addresses file: %w", err)
+	}
+
+	return wireguard, nil
+}