config: big rewrite and switch from viper to koanf

Signed-off-by: Steffen Vogel <post@steffenvogel.de>
2026-04-22 22:57:04 +08:00 · 2022-09-14 03:34:30 +02:00
parent 694ffd45fd
commit 8d96dea17e
28 changed files with 2265 additions and 1324 deletions
@@ -1,28 +1,11 @@
 # An interval at which cunicu will periodically check for added, removed or modified WireGuard interfaces.
 watch_interval: 1s

+
 backends:
 - grpc://localhost:8080?insecure=true&skip_verify=true
 - k8s:///path/to/your/kubeconfig.yaml?namespace=default

-# WireGuard settings
-wireguard:  
-  # Create WireGuard interfaces using bundled wireguard-go Userspace implementation
-  # This will be the default if there is no WireGuard kernel module present.
-  userspace: false
-
-  # Ignore WireGuard interface which do not match this regular expression
-  interface_filter: .*
-
-  # A list of WireGuard interfaces which should be configured
-  interfaces:
-  - wg-vpn
-
-  # Port range for ListenPort setting of newly created WireGuard interfaces
-  # cunicu will select the first available port in this range.
-  port:
-    min: 52820
-    max: 65535

 # RPC control socket settings
 rpc:
@@ -32,34 +15,10 @@ rpc:
  # Mostly useful for testing automation
  wait: false

-# Synchronize local WireGuard interface configuration with wg(8) config-files.
-config_sync:
-  enabled: false
-  
-  # Directory where Wireguard configuration files are located.
-  # We expect the same format as used by wg(8) and wg-quick(8).
-  # Filenames must match the interface name with a '.conf' suffix.
-  path: /etc/wireguard

-  # Watch the configuration files via inotify(7) for changes and apply them accordingly.
-  watch: false
-  
-# Synchronize the kernel routing table with WireGuard's AllowedIPs setting
-# 
-# It checks for routes in the kernel routing table which have a peers link-local address
-# as next-hop and adds those routes to the AllowedIPs setting of the respective peer.
+## Hook callbacks
 #
-# In reverse, also networks listed in a peers AllowedIPs setting will be installed as a
-# kernel route with the peers link-local address as the routes next-hop. 
-route_sync:
-  enabled: true
-
-  table: 254 # See /etc/iproute2/rt_tables for table ids
-
-  # Keep watching the for changes in the kernel routing table via netlink multicast group.
-  watch: true
-
-# Pass events to external processes or web hook handlers
+# Hook callback can be used to invoke subprocesses or web-hooks on certain events within cunicu.
 hooks:
 - type: exec
  command: ../../scripts/hook.sh
@@ -87,11 +46,73 @@ hooks:
    User-Agent: ahoi
    Authorization: Bearer XXXXXX

-# Discovery of other WireGuard peers
-peer_disc:
+
+#### Interface settings start here
+# The following settings can be overwritten for each interface
+# using the 'interfaces' settings (see below).
+# The following settings will be used as default.
+
+# WireGuard settings
+wireguard:  
+  # Create WireGuard interfaces using bundled wireguard-go Userspace implementation
+  # This will be the default if there is no WireGuard kernel module present.
+  userspace: false
+
+  # Port range for ListenPort setting of newly created WireGuard interfaces
+  # cunicu will select the first available port in this range.
+  listen_port_range:
+    min: 52820
+    max: 65535
+
+
+## Config file synchronization
+#
+# Synchronize local WireGuard interface configuration with wg(8) config-files.
+cfgsync:
+  enabled: false
+  
+  # Directory where Wireguard configuration files are located.
+  # We expect the same format as used by wg(8) and wg-quick(8).
+  # Filenames must match the interface name with a '.conf' suffix.
+  path: /etc/wireguard
+
+  # Watch the configuration files via inotify(7) for changes and apply them accordingly.
+  watch: false
+
+
+## Route Synchronization
+#
+# Synchronize the kernel routing table with WireGuard's AllowedIPs setting
+# 
+# It checks for routes in the kernel routing table which have a peers link-local address
+# as next-hop and adds those routes to the AllowedIPs setting of the respective peer.
+#
+# In reverse, also networks listed in a peers AllowedIPs setting will be installed as a
+# kernel route with the peers link-local address as the routes next-hop. 
+rtsync:
+  enabled: true
+
+  table: 254 # See /etc/iproute2/rt_tables for table ids
+
+  # Keep watching the for changes in the kernel routing table via netlink multicast group.
+  watch: true
+
+
+## /etc/hosts synchronization
+#
+# Synchronizes the local /etc/hosts file with host names and link-local IP addresses of connected peers. 
+hsync:
+  enabled: true
+
+
+## Peer discovery
+#
+# Peer discovery finds new peers within the same community and adds them to the respective interface
+pdisc:
  enabled: true

  # A list of WireGuard public keys which are accepted peers
+  # If not configured, all peers will be accepted.
  whitelist:
  - coNsGPwVPdpahc8U+dbbWGzTAdCd6+1BvPIYg10wDCI=
  - AOZzBaNsoV7P8vo0D5UmuIJUQ7AjMbHbGt2EA8eAuEc=
@@ -99,15 +120,35 @@ peer_disc:
  # A passphrase shared among all peers of the same community
  community: "some-common-password"

-# Discovery of WireGuard endpoint addresses
-endpoint_disc:
+
+## Endpoint discovery
+#
+# Endpoint discovery uses Interactive Connectivity Establishment (ICE) as used by WebRTC to
+# gather a list of candidate endpoints and performs connectivity checks to find a suitable
+# endpoint address which can be used by WireGuard
+epdisc:
  enabled: true

  # Interactive Connectivity Establishment (ICE) parameters
  ice:
    # A list of STUN and TURN servers used by ICE.
    urls:
-    - stun:stun.l.google.com:19302
+    # Community provided STUN/TURN servers
+    - grpc://relay.cunicu.li
+
+    # Public STUN servers
+    - stun:stun3.l.google.com:19302
+    - stun:relay.webwormhole.io
+    - stun:stun.sipgate.net
+    - stun:stun.ekiga.net
+    - stun:stun.services.mozilla.com
+
+    # Caution: OpenRelay servers are located in Ontario, Canada.
+    # Beware of the latency!
+    # See also: https://www.metered.ca/tools/openrelay/
+    # - turn:openrelayproject:openrelayproject@openrelay.metered.ca:80
+    # - turn:openrelayproject:openrelayproject@openrelay.metered.ca:443
+    # - turn:openrelayproject:openrelayproject@openrelay.metered.ca:443?transport=tcp

    # Credentials for STUN/TURN servers configured above.
    username: ""
@@ -117,11 +158,11 @@ endpoint_disc:
    insecure_skip_verify: false

    # Limit available network and candidate types.
-    network_types: [udp4, udp6, tcp4, tcp6]
-    candidate_types: [host, srflx, prflx ,relay]
+    # network_types: [udp4, udp6, tcp4, tcp6]
+    # candidate_types: [host, srflx, prflx, relay]

-    # Regular expression whitelist of interfaces which are used to gather ICE candidates (e.g. \"eth[0-9]+\").
-    interface_filter: .*
+    # A glob(7) pattern to match interfaces against which are used to gather ICE candidates (e.g. \"eth[0-9]\").
+    interface_filter: "*"

    # Lite agents do not perform connectivity check and only provide host candidates.
    lite: false
@@ -136,10 +177,11 @@ endpoint_disc:
    # SetNAT1To1IPs sets a list of external IP addresses of 1:1 (D)NAT and a candidate type for which the external IP address is used.
    # This is useful when you are host a server using Pion on an AWS EC2 instance which has a private address, behind a 1:1 DNAT with a public IP (e.g. Elastic IP).
    # In this case, you can give the public IP address so that Pion will use the public IP address in its candidate instead of the private IP address.
-    nat_1to1_ips: []
+    # nat_1to1_ips:
+    # - 10.10.2.3

    # Limit the port range used by ICE
-    port:
+    port_range:
        # Minimum port for allocation policy for ICE sockets (range: 0-65535)
        min: 49152

@@ -163,3 +205,62 @@ endpoint_disc:
    # Interval between STUN keepalives (should be less then connection timeout above).
    # Af the interval is 0, we never send keepalive packets
    keepalive_interval: 2s
+
+
+## Interface specific settings / overwrites.
+#
+# Most of the top-level settings of this configuration file can be overwritten
+# with settings specific to a single or a group of interfaces.
+# This includes the following settings (see below):
+# - wireguard
+# - cfgsync
+# - rtsync
+# - hsync
+# - pdisc
+# - epdisc
+# 
+# The keys of this mapping are glob(7) patterns which are matched against the
+# interface names.
+# Settings are overlayed in the order in which the keys are provided in the
+# interface map.
+#
+# Keys which are not a glob(8) pattern, will be created as new interfaces if
+# they do not exist already in the system.
+interfaces:
+  # 
+  \*:
+    cfgsync:
+      path: /some/special/wireguard/config-dir/
+
+  # A simple interface specific setting
+  # cunicu will set the private key of interface 'wg0' to the provided value.
+  wg0:
+    private_key: kODOmlTNhYbF9htW3uYiE1qKuvBnJKd7MFvaookGd14=
+
+  # No settings are overwritten. But since this is not a glob pattern,
+  # A new interface named 'wg1' will be created if it does not exist yet.
+  # The same applies to the previous interface 'wg0'
+  wg1: {}
+
+  # Create a new interface using the wireguard-go user-space implementation.
+  wg2:
+    wireguard:
+      userspace: true
+
+  # This pattern configuration will be applied to all interfaces which match the pattern.
+  # This rule will not create any new interfaces.
+  wg-work-*:
+    pdisc:
+      community: "mysecret-pass" 
+    
+    epdisc:
+      ice:
+        urls:
+        - turn:mysecret.turn-server.com
+
+  # Multiple patterns are supported and evaluated in the order they a defined in the configuration file.
+  # 
+  wg-work-external-*:
+    epdisc:
+      ice:
+        network_types: [ udp6 ]