daemon: use per-interface features

Signed-off-by: Steffen Vogel <post@steffenvogel.de>

etc/cunicu.yaml

@@ -8,7 +8,7 @@ watch_interval: 1s
 # between the peers.
 # E.g. ICE candidates, Peer information
 backends:
-- grpc://signal.cunicu.li
+- grpc://signal.cunicu.li:443
 # - grpc://localhost:8080?insecure=true&skip_verify=true
 # - k8s:///path/to/your/kubeconfig.yaml?namespace=default
 
@@ -25,41 +25,6 @@ rpc:
   wait: false
 
 
-## Hook callbacks
-#
-# Hook callback can be used to invoke subprocesses
-# or web-hooks on certain events within cunīcu.
-hooks:
-
-# An 'exec' hook spawn a subprocess for each event.
-- type: exec
-  command: ../../scripts/hook.sh
-
-  # Prepend additional arguments
-  args: []
-
-  # Pass JSON object via Stdin to command
-  stdin: true
-
-  # Set environment variables for invocation
-  env:
-    COLOR: "1"
-
-# A 'web' hook performs HTTP requests for each event.
-- type: web
-
-  # URL of the webhook endpoint
-  url: https://my-webhook-endpoint.com/api/v1/webhook
-  
-  # HTTP method of the request
-  method: POST
-
-  # Additional HTTP headers which are used for the requests
-  headers:
-    User-Agent: ahoi
-    Authorization: Bearer XXXXXX
-
-
 #### Interface settings start here
 # The following settings can be overwritten for each interface
 # using the 'interfaces' settings (see below).
@@ -98,55 +63,61 @@ wireguard:
   # May be specified in hexadecimal by prepending "0x". Optional.
   fwmark: 0x1000
 
-  # A list of peers.
-  peers: 
-  - # A base64 public key calculated by wg pubkey from a private key,
-    # and usually transmitted out of band
-    # to the author of the configuration file.
-    public_key: FlKHqqQQx+bTAq7+YhwEECwWRg2Ih7NQ48F/SeOYRH8=
+  # The remote WireGuard peers provided as a dictionary
+  # The keys of this dictionary are used as names for the peers
+  peers:  
+    test:
+      # A base64 public key calculated by wg pubkey from a private key,
+      # and usually transmitted out of band
+      # to the author of the configuration file.
+      public_key: FlKHqqQQx+bTAq7+YhwEECwWRg2Ih7NQ48F/SeOYRH8=
     
-    # A base64 pre-shared key generated by wg genpsk.
-    # Optional, and may be omitted.
-    # This option adds an additional layer of symmetric-key
-    # cryptography to be mixed into the already existing
-    # public-key cryptography, for post-quantum resistance.
-    preshared_key: zu86NBVsWOU3cx4UKOQ6MgNj3gv8GXsV9ATzSemdqlI=
+      # A base64 pre-shared key generated by wg genpsk.
+      # Optional, and may be omitted.
+      # This option adds an additional layer of symmetric-key
+      # cryptography to be mixed into the already existing
+      # public-key cryptography, for post-quantum resistance.
+      preshared_key: zu86NBVsWOU3cx4UKOQ6MgNj3gv8GXsV9ATzSemdqlI=
 
-    # A pre-shared passphrase which is used to derive a preshared key.
-    # cunīcu is using Argon2id as the key derivation function.
-    preshared_key_passphrase: some-shared-passphrase
+      # A pre-shared passphrase which is used to derive a preshared key.
+      # cunīcu is using Argon2id as the key derivation function.
+      preshared_key_passphrase: some-shared-passphrase
 
-    # An endpoint IP or hostname, followed by a colon,
-    # and then a port number. This endpoint will be updated
-    # automatically to the most recent source IP address and
-    # port of correctly authenticated packets from the peer.
-    # If provided, no endpoint discovery will be performed.
-    endpoint: vpn.example.com:51820
+      # An endpoint IP or hostname, followed by a colon,
+      # and then a port number. This endpoint will be updated
+      # automatically to the most recent source IP address and
+      # port of correctly authenticated packets from the peer.
+      # If provided, no endpoint discovery will be performed.
+      endpoint: vpn.example.com:51820
 
-    # A time duration, between 1 and 65535s inclusive, of how
-    # often to send an authenticated empty packet to the peer
-    # for the purpose of keeping a stateful firewall or NAT mapping
-    # valid persistently. For example, if the interface very rarely
-    # sends traffic, but it might at anytime receive traffic from a
-    # peer, and it is behind NAT, the interface might benefit from
-    # having a persistent keepalive interval of 25 seconds.
-    # If set to zero, this option is disabled.
-    # By default or when unspecified, this option is off.
-    # Most users will not need this. Optional.
-    persistent_keepalive: 120s
+      # A time duration, between 1 and 65535s inclusive, of how
+      # often to send an authenticated empty packet to the peer
+      # for the purpose of keeping a stateful firewall or NAT mapping
+      # valid persistently. For example, if the interface very rarely
+      # sends traffic, but it might at anytime receive traffic from a
+      # peer, and it is behind NAT, the interface might benefit from
+      # having a persistent keepalive interval of 25 seconds.
+      # If set to zero, this option is disabled.
+      # By default or when unspecified, this option is off.
+      # Most users will not need this. Optional.
+      persistent_keepalive: 120s
+
+      # A comma-separated list of IP (v4 or v6) addresses with
+      # CIDR masks from which incoming traffic for this peer is
+      # allowed and to which outgoing  traffic for this peer is directed.
+      # The catch-all 0.0.0.0/0 may be specified for matching
+      # all IPv4 addresses, and ::/0 may be specified for matching
+      # all IPv6 addresses. May be specified multiple times.
+      allowed_ips:
+      - 192.168.5.0/24
 
-    # A comma-separated list of IP (v4 or v6) addresses with
-    # CIDR masks from which incoming traffic for this peer is
-    # allowed and to which outgoing  traffic for this peer is directed.
-    # The catch-all 0.0.0.0/0 may be specified for matching
-    # all IPv4 addresses, and ::/0 may be specified for matching
-    # all IPv6 addresses. May be specified multiple times.
-    allowed_ips:
-    - 192.168.5.0/24
 
 ## Auto configuration
 #
 autocfg:
+  # Enable auto-configuration
+  enabled: true
+
   # The Maximum Transfer Unit of the WireGuard interface.
   # If not specified, the MTU is automatically determined from
   # the endpoint addresses or the system default route,
@@ -175,16 +146,13 @@ autocfg:
   # Assign link-local addresses to the WireGuard interface.
   link_local: true
 
-## Config file synchronization
+
+## Config synchronization
 #
 # Synchronize local WireGuard interface configuration with wg(8) config-files.
 cfgsync:
+  # Enable config synchronization
   enabled: false
-  
-  # Directory where Wireguard configuration files are located.
-  # We expect the same format as used by wg(8) and wg-quick(8).
-  # Filenames must match the interface name with a '.conf' suffix.
-  path: /etc/wireguard
 
   # Watch the configuration files via inotify(7) for changes and apply them accordingly.
   watch: false
@@ -200,9 +168,12 @@ cfgsync:
 # In reverse, also networks listed in a peers AllowedIPs setting will be installed as a
 # kernel route with the peers link-local address as the routes next-hop. 
 rtsync:
+  # Enable route synchronization
   enabled: true
 
-  table: 254 # See /etc/iproute2/rt_tables for table ids
+  # Kernel routing table which is used
+  # On Linux, see /etc/iproute2/rt_tables for table ids and names
+  table: 254
 
   # Keep watching the for changes in the kernel routing table via netlink multicast group.
   watch: true
@@ -212,6 +183,7 @@ rtsync:
 #
 # Synchronizes the local /etc/hosts file with host names and link-local IP addresses of connected peers. 
 hsync:
+  # Enable hosts file synchronization
   enabled: true
 
   # The domain name which is appended to each of the peer host names
@@ -222,11 +194,15 @@ hsync:
 #
 # Peer discovery finds new peers within the same community and adds them to the respective interface
 pdisc:
+  # Enable peer discovery
   enabled: true
 
   # The hostname which gets advertised to remote peers
   hostname: my-node
 
+  # A passphrase shared among all peers of the same community
+  community: "some-common-password"
+
   # Networks which are reachable via this peer and get advertised to remote peers
   # These will be part of this interfaces AllowedIPs at the remote peers.
   networks:
@@ -237,10 +213,10 @@ pdisc:
   # If not configured, all peers will be accepted.
   whitelist:
   - coNsGPwVPdpahc8U+dbbWGzTAdCd6+1BvPIYg10wDCI=
-  - AOZzBaNsoV7P8vo0D5UmuIJUQ7AjMbHbGt2EA8eAuEc=
 
-  # A passphrase shared among all peers of the same community
-  community: "some-common-password"
+  # A list if WireGuard public keys which are rejected as peers
+  blacklist:
+  - AOZzBaNsoV7P8vo0D5UmuIJUQ7AjMbHbGt2EA8eAuEc=
 
 
 ## Endpoint discovery
@@ -249,6 +225,7 @@ pdisc:
 # gather a list of candidate endpoints and performs connectivity checks to find a suitable
 # endpoint address which can be used by WireGuard
 epdisc:
+  # Enable endpoint discovery
   enabled: true
 
   # Interactive Connectivity Establishment (ICE) parameters
@@ -329,6 +306,41 @@ epdisc:
     keepalive_interval: 2s
 
 
+## Hook callbacks
+#
+# Hook callback can be used to invoke subprocesses
+# or web-hooks on certain events within cunīcu.
+hooks:
+
+  # An 'exec' hook spawn a subprocess for each event.
+  - type: exec
+    command: ../../scripts/hook.sh
+  
+    # Prepend additional arguments
+    args: []
+  
+    # Pass JSON object via Stdin to command
+    stdin: true
+  
+    # Set environment variables for invocation
+    env:
+      COLOR: "1"
+  
+  # A 'web' hook performs HTTP requests for each event.
+  - type: web
+  
+    # URL of the webhook endpoint
+    url: https://my-webhook-endpoint.com/api/v1/webhook
+    
+    # HTTP method of the request
+    method: POST
+  
+    # Additional HTTP headers which are used for the requests
+    headers:
+      User-Agent: ahoi
+      Authorization: Bearer XXXXXX
+
+
 ## Interface specific settings / overwrites.
 #
 # Most of the top-level settings of this configuration file can be overwritten