docs: fix configuration

Signed-off-by: Steffen Vogel <post@steffenvogel.de>
2025-09-28 05:32:26 +08:00 · 2022-08-03 16:46:18 +02:00
parent a94dc94490
commit 9eb5308f89
3 changed files with 97 additions and 86 deletions
--- a/docs/Configuration.md
+++ b/docs/Configuration.md
@@ -12,21 +12,15 @@ A full overview is available in its [manpage](./usage/md/wice_daemon.md).
 Alternatively a configuration file can be used for a persistent configuration:
 ```yaml title="wice.yaml"
 domain: 0l.de
 watch_interval: 1s
 community: "some-common-password"
 backends:
- grpc://localhost:8080?insecure=true
+- grpc://localhost:8080?insecure=true&skip_verify=true
 - k8s:///path/to/your/kubeconfig.yaml?namespace=default
 # WireGuard settings
-wg:
+wireguard:  
  # Use wg / wg-quick configuration files
  config:
      path: /etc/wireguard
      sync: false
  # Create WireGuard interfaces using bundled wireguard-go Userspace implementation
  # This will be the default if there is no WireGuard kernel module present.
  userspace: false
@@ -38,6 +32,12 @@ wg:
  interfaces:
  - wg-vpn
  # Port range for ListenPort setting of newly created WireGuard interfaces
  # wice will select the first available port in this range.
  port:
    min: 52820
    max: 65535
 # Control socket settings
 socket:
  path: /var/run/wice.sock
@@ -46,71 +46,82 @@ socket:
  # Mostly useful for testing automation
  wait: false
-# Interactive Connectivity Establishment
+# Synchronize WireGuard interface configurations with wg(8) config-files.
-ice:
+config_sync:
-  # A list of STUN and TURN servers used by ICE
+  enabled: false
  urls:
  - stun:l.google.com:19302
-  # Credentils for STUN/TURN servers configured above
+  # Directory where Wireguard configuration files are located.
-  username: ""
+  # We expect the same format as used by wg(8) and wg-quick(8).
-  password: ""
+  # Filenames must match the interface name with a '.conf' suffix.
  path: /etc/wireguard
-  # Allow connections to STUNS/TURNS servers for which
+  # Watch the configuration files for changes and apply them accordingly.
-  # we cant validate their TLS certificates
+  watch: false
  insecure_skip_verify: false
-  # Limit available network and candidate types
+# Synchronize WireGuard AllowedIPs with Kernel routing table
-  network-types: [udp4, udp6, tcp4, tcp6]
+route_sync:
-  candidate_types: [host, srflx, prflx ,relay]
+  enabled: true
-  # Regular expression whitelist of interfaces which are used to gather ICE candidates.
+  table: main
  interface_filter: .*
-  # Lite agents do not perform connectivity check and only provide host candidates.
+# Discover the WireGuard endpoint of peers
-  lite: false
+endpoint_disc:
  enabled: true
-  # Attempt to find candidates via mDNS discovery
+  # Interactive Connectivity Establishment parameters
-  mdns: false
+  ice:
    # A list of STUN and TURN servers used by ICE
    urls:
    - stun:stun.l.google.com:19302
-  # Sets the max amount of binding requests the agent will send over a candidate pair for validation or nomination.
+    # Credentials for STUN/TURN servers configured above
-  # If after the the configured number, the candidate is yet to answer a binding request or a nomination we set the pair as failed.
+    username: ""
-  max_binding_requests: 7
+    password: ""
-  # SetNAT1To1IPs sets a list of external IP addresses of 1:1 (D)NAT and a candidate type for which the external IP address is used.
+    # Allow connections to STUNS/TURNS servers for which
-  # This is useful when you are host a server using Pion on an AWS EC2 instance which has a private address, behind a 1:1 DNAT with a public IP (e.g. Elastic IP).
+    # we cant validate their TLS certificates
-  # In this case, you can give the public IP address so that Pion will use the public IP address in its candidate instead of the private IP address.
+    insecure_skip_verify: false
  nat_1to1_ips: []
-  # Limit the port range used by ICE
+    # Limit available network and candidate types
-  # This is optional. Leave them 0 for the default UDP port allocation strategy.
+    network_types: [udp4, udp6, tcp4, tcp6]
-  port:
+    candidate_types: [host, srflx, prflx ,relay]
      max: 0
      min: 0
-  # The check interval controls how often our task loop runs when in the connecting state.
+    # Regular expression whitelist of interfaces which are used to gather ICE candidates.
-  check_interval: 200ms
+    interface_filter: .*
-  # If the duration is 0, the ICE Agent will never go to disconnected
+    # Lite agents do not perform connectivity check and only provide host candidates.
-  disconnected_timeout: 5s
+    lite: false
-  # If the duration is 0, we will never go to failed.
+    # Attempt to find candidates via mDNS discovery
-  failed_timeout: 5s
+    mdns: false
  restart_timeout: 5s
-  # Determines how often should we send ICE keepalives (should be less then connection timeout above).
+    # Sets the max amount of binding requests the agent will send over a candidate pair for validation or nomination.
-  # A keepalive interval of 0 means we never send keepalive packets
+    # If after the the configured number, the candidate is yet to answer a binding request or a nomination we set the pair as failed.
-  keepalive_interval: 2s
+    max_binding_requests: 7
-# Settings for forwarding / proxying encapsulated WireGuard traffic between
+    # SetNAT1To1IPs sets a list of external IP addresses of 1:1 (D)NAT and a candidate type for which the external IP address is used.
-# pion/ice and the Kernel WireGuard interfaces
+    # This is useful when you are host a server using Pion on an AWS EC2 instance which has a private address, behind a 1:1 DNAT with a public IP (e.g. Elastic IP).
-proxy:
+    # In this case, you can give the public IP address so that Pion will use the public IP address in its candidate instead of the private IP address.
-  # Use NFtables to setup a port redirect / NAT for server reflexive candidates
+    nat_1to1_ips: []
  nft: true
-  # Use a RAW socket with an attached eBPF socket filter to receive STUN packets while
+    # Limit the port range used by ICE
-  # all other data is directly received by the ListenPort of a kernel-space WireGuard interface.
+    port:
-  ebpf: true
+        min: 49152
        max: 65535
    # The check interval controls how often our task loop runs when in the connecting state.
    check_interval: 200ms
    # If the duration is 0, the ICE Agent will never go to disconnected
    disconnected_timeout: 5s
    # If the duration is 0, we will never go to failed.
    failed_timeout: 5s
    restart_timeout: 5s
    # Determines how often should we send ICE keepalives (should be less then connection timeout above).
    # A keepalive interval of 0 means we never send keepalive packets
    keepalive_interval: 2s
 ```
 ## Environment Variables
@@ -121,15 +132,15 @@ All the settings from the configuration file can also be passed via environment
 -   Prefixing the setting name with `WICE_`
 -   Nested settings are separated by underscores
-**Example:** The setting `ice.max_binding_requests` can be set by the environment variable `WICE_ICE_MAX_BINDING_REQUESTS`
+**Example:** The setting `endpoint_disc.ice.max_binding_requests` can be set by the environment variable `WICE_ENDPOINT_DISC_ICE_MAX_BINDING_REQUESTS`
-**Note:** Setting lists such as `ice.urls` or `backends` can currently not be set via environment variables.
+**Note:** Setting lists such as `endpoint_disc.ice.urls` or `backends` can currently not be set via environment variables.
 ## DNS Auto-configuration
 ɯice als supports retrieving parts of the configuration via DNS lookups.
-When `wice daemon` is started with a `--config-domain example.com` parameter it will look for the following DNS records to obtain its configuration.
+When `wice daemon` is started with a `--domain example.com` parameter it will look for the following DNS records to obtain its configuration.
 STUN and TURN servers used for ICE are retrieved by SVR lookups and other ɯice settings are retrieved via TXT lookups: 
@@ -142,8 +153,8 @@ _turns._tcp.example.com. 3600 IN SRV 10 0 5349 turn.example.com.
 example.com.             3600 IN TXT "wice-backend=p2p"
 example.com.             3600 IN TXT "wice-community=my-community-password"
-example.com.             3600 IN TXT "wice-ice-username=user1"
+example.com.             3600 IN TXT "wice-endpoint-disc-ice-username=user1"
-example.com.             3600 IN TXT "wice-ice-password=pass1"
+example.com.             3600 IN TXT "wice-endpoint-disc-ice-password=pass1"
 example.com.             3600 IN TXT "wice-config=https://example.com/wice.yaml"
 ```
--- a/docs/Installation.md
+++ b/docs/Installation.md
@@ -10,11 +10,11 @@ These binary versions can be manually downloaded and installed.
 ## By Hand
-1. [Download your desired version](https://github.com/stv0g/wice/releases)
+1.  [Download your desired version](https://github.com/stv0g/wice/releases)
-2. Unzip it: `gunzip wice_0.0.1_linux_amd64.gz`
+2.  Unzip it: `gunzip wice_0.0.1_linux_amd64.gz`
-3. Move the unzipped binary to its desired destination: `mv wice_0.0.1_linux_amd64 /usr/local/bin/wice`
+3.  Move the unzipped binary to its desired destination: `mv wice_0.0.1_linux_amd64 /usr/local/bin/wice`
-5. Make it executable: `chmod +x /usr/local/bin/wice`
+4.  Make it executable: `chmod +x /usr/local/bin/wice`
-6. From there, you should be able to run the client and add the stable repo: `wice help`.
+5.  From there, you should be able to run the client and add the stable repo: `wice help`.
 **Note:** ɯice automated tests are performed for Linux, macOS and Windows on x86_64, ARMv6, ARMv8 amd ARM64 architectures.
 Testing of other OSes are the responsibility of the community requesting ɯice for the OS in question.
@@ -27,9 +27,9 @@ You can fetch that script, and then execute it locally.
 It's well documented so that you can read through it and understand what it is doing before you run it.
 ```bash
-$ curl -fsSL -o get_wice.sh https://raw.githubusercontent.com/stv0g/wice/master/scripts/get_wice.sh
+curl -fsSL -o get_wice.sh https://raw.githubusercontent.com/stv0g/wice/master/scripts/get_wice.sh
-$ chmod 700 get_wice.sh
+chmod 700 get_wice.sh
-$ ./get_wice.sh
+./get_wice.sh
 ```
 Yes, you can `curl https://raw.githubusercontent.com/stv0g/wice/master/scripts/get_wice.sh | bash` if you want to live on the edge.
@@ -66,14 +66,14 @@ Building ɯice is fairly easy and allows you to install the latest unreleased ve
 You must have a working Go environment.
-```
+```bash
-$ go install riasc.eu/wice/cmd@latest
+go install riasc.eu/wice/cmd@latest
 ```
 If required, it will fetch the dependencies and cache them, and validate configuration.
 It will then compile ɯice and place it in `${GOPATH}/bin/wice`.
-##  Conclusion
+## Conclusion
 In most cases, installation is as simple as getting a pre-built ɯice binary.
 This document covers additional cases for those who want to do more sophisticated things with ɯice.
--- a/etc/wice.yaml
+++ b/etc/wice.yaml
@@ -2,7 +2,7 @@ watch_interval: 1s
 community: "some-common-password"
 backends:
- grpc://localhost:8080?insecure=true
+- grpc://localhost:8080?insecure=true&skip_verify=true
 - k8s:///path/to/your/kubeconfig.yaml?namespace=default
 # WireGuard settings
@@ -58,7 +58,7 @@ endpoint_disc:
  ice:
    # A list of STUN and TURN servers used by ICE
    urls:
-    - stun:l.google.com:19302
+    - stun:stun.l.google.com:19302
    # Credentials for STUN/TURN servers configured above
    username: ""