| author | Craig Jennings <c@cjennings.net> | 2026-07-02 10:02:30 -0400 |
|---|---|---|
| committer | Craig Jennings <c@cjennings.net> | 2026-07-02 10:02:30 -0400 |
| commit | 329669c2cb3e7c7902e604c56a2df3c3557a5390 (patch) | |
| tree | 922b1ec35252ed21a0a7853ed8cebacb07ccdfb9 /docs/design | |
| parent | 2fb2af1fde1721a160a9227a41fda24c0712d566 (diff) | |
| download | archsetup-329669c2cb3e7c7902e604c56a2df3c3557a5390.tar.gz archsetup-329669c2cb3e7c7902e604c56a2df3c3557a5390.zip | |
docs(spec): resolve the four net-panel decisions, tunnel badge joins v1
Craig answered all four decision TODOs in the tunnels spec. The bar badge moves from optional to v1. All seven Proton WireGuard configs import cleanly into NetworkManager (only the six import-safe directives), so wg-quick drops out of the spec. Proton runs through the official proton-vpn-cli (stable since April, Arch extra repo) instead of the GTK app, which the install drops. The implementation phases pick up the badge, the package swap, and the one-time config import.
Diffstat (limited to 'docs/design')
| -rw-r--r-- | docs/design/2026-07-02-net-panel-other-interfaces-spec.org | 89 |
1 files changed, 62 insertions, 27 deletions
diff --git a/docs/design/2026-07-02-net-panel-other-interfaces-spec.org b/docs/design/2026-07-02-net-panel-other-interfaces-spec.org index ee01c02..86b2a2f 100644 --- a/docs/design/2026-07-02-net-panel-other-interfaces-spec.org +++ b/docs/design/2026-07-02-net-panel-other-interfaces-spec.org @@ -69,11 +69,21 @@ can_toggle}): messages). Daemon down → state "stopped". Binary absent → backend absent. - wireguard-nm: =nmcli -t connection show= filtered to type wireguard — up/down via the existing nmcli wrapper (activate/deactivate connection). -- wg-quick configs outside NM (files in /etc/wireguard) — read-only listing - at most; toggling them requires root and wg-quick; probably defer. -- proton-gtk: detect its tunnel device (proton0 / ipv6leakintf) when up; - control stays with the Proton app (can_toggle false, detail points at the - app) unless Craig prefers driving it via its CLI. + The seven Proton configs in assets/wireguard-config/ import cleanly + (=nmcli connection import type wireguard file <conf>=, then + =connection.autoconnect no= immediately — imports default to autoconnect + yes). They use only PrivateKey/Address/DNS + PublicKey/AllowedIPs/Endpoint, + no PostUp/PostDown anywhere, so no wg-quick path is needed at all + (Craig, 2026-07-02). All are full-tunnel (AllowedIPs 0.0.0.0/0) — the + panel should treat them as mutually exclusive. +- proton: drive the official proton-vpn-cli (Arch extra repo, v1.0.x, + stable since 2026-04) — connect/disconnect/status verbs. It drives NM + underneath (python-proton-vpn-network-manager), so the panel still sees + connection events through NM. Runtime-exclusive with the GTK app, which + gets dropped from the install. The imported NM wireguard configs remain + a raw fallback when the CLI/API path is down; the CLI stays primary + because the raw configs lack kill switch, port forwarding, and server + rotation. ** Panel 
@@ -103,35 +113,60 @@ exit node if any. ** Bar indicator -Unchanged by default. Optional later: a small overlay badge on the net glyph -when a tunnel owns the default route. +Part of v1 (Craig, 2026-07-02 — "shouldn't be optional"): a small overlay +badge on the net glyph when a tunnel owns the default route. Rides the same +route/DNS-ownership detection the diagnostics step adds. * Decisions (Craig) -** TODO Which backends ship in the first pass? -Recommendation: tailscale + NM-managed wireguard. Proton app detection-only. -wg-quick configs deferred. - -** TODO Tailscale control path: operator flag at install vs net-priv verbs? -Recommendation: =tailscale set --operator=$USER= in archsetup's tailscale -step (declarative, no sudo at runtime); net-priv verbs only if operator mode -proves insufficient (e.g. up with flags). - -** TODO Does "Tunnels" belong in Connections or its own tab? -Recommendation: a Connections group. A fourth top tab dilutes the V2 nav for -three rows. - -** TODO Proton VPN: detect-only or drive its CLI? -Recommendation: detect-only first; the app owns reconnect/kill-switch logic. - +** DONE Which backends ship in the first pass? +CLOSED: [2026-07-02 Thu] +Approved (Craig, 2026-07-02): tailscale + NM-managed wireguard. Craig asked +whether the wireguard configs can be ported to NM so wg-quick drops out +entirely — yes: all seven configs in assets/wireguard-config/ use only the +six directives NM imports cleanly (verified 2026-07-02; import command and +autoconnect caveat now in the design sketch). wg-quick is out of the spec, +not deferred. Proton control is CLI-driven per the Proton decision below, +superseding the detection-only recommendation here. + +** DONE Tailscale control path: operator flag at install vs net-priv verbs? +CLOSED: [2026-07-02 Thu] +Approved (Craig, 2026-07-02): =tailscale set --operator=$USER= in archsetup's +tailscale step (declarative, no sudo at runtime); net-priv verbs only if +operator mode proves insufficient (e.g. 
up with flags). +** DONE Does "Tunnels" belong in Connections or its own tab? +CLOSED: [2026-07-02 Thu] +Approved (Craig, 2026-07-02): a Connections group. A fourth top tab dilutes +the V2 nav for three rows. + +** DONE Proton VPN: detect-only or drive its CLI? +CLOSED: [2026-07-02 Thu] +Decided (Craig, 2026-07-02): drive it through a CLI. Research (2026-07-02): +Proton shipped an official Linux CLI — first release 2025-11, stable v1.0.0 +2026-04, packaged in Arch extra as proton-vpn-cli (1.0.1 at check time), +with kill switch, port forwarding, NetShield, server selection, and a +status command. It drives NM underneath, so the panel sees its connections +through the existing NM event path. Spec changes: the proton backend calls +protonvpn connect/disconnect/status instead of device-detection +(can_toggle true); archsetup installs proton-vpn-cli and drops +proton-vpn-gtk-app (the two can't run concurrently per the project README — +untested locally); the imported NM wireguard configs stay as a raw fallback. +Sources: [[https://protonvpn.com/support/linux-cli][Proton Linux CLI guide]], +[[https://protonvpn.com/support/release-notes-linux-cli][CLI release notes]], +[[https://github.com/ProtonVPN/proton-vpn-cli][proton-vpn-cli repo]]. * Implementation phases -1. overlays.py probes (tailscale JSON, nmcli wireguard filter, proton device - detection) — pure engine, TDD with fake binaries; =net status= grows an +1. overlays.py probes (tailscale JSON, nmcli wireguard filter, proton-vpn-cli + status) — pure engine, TDD with fake binaries; =net status= grows an overlays section. 2. Panel Tunnels group + Up/Down wiring through the worker thread; AT-SPI smoke extension. 3. Diagnose/doctor overlay awareness (route/DNS ownership step, classifier rows, evidence text) — TDD against the diag harness. -4. archsetup: tailscale operator flag in the tailscale install step; VM test - assertion. +4. 
waybar-net tunnel badge on the net glyph (v1 per the bar-indicator + decision), riding phase 3's route-ownership detection; suite coverage. +5. archsetup: tailscale operator flag in the tailscale install step; + proton-vpn-cli replaces proton-vpn-gtk-app in the package list; VM test + assertions. +6. One-time per-machine migration: import the seven assets/wireguard-config + configs into NM with autoconnect off (scriptable; both daily drivers). |
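Review bot: in the @@ -69,11 +69,21 @@ hunk, the design sketch says the seven configs in assets/wireguard-config/ carry a PrivateKey directive, so if that directory is tracked, live WireGuard private keys sit in the repository, and the `nmcli connection import type wireguard file <conf>` step copies each key into the NM profile it creates; the spec should state where the keys are expected to live (excluded from the repo or supplied out of band) and that the imported profiles hold them. Two smaller points on the same lines: "=connection.autoconnect no= immediately" names the property but not the command, so spell it out as `nmcli connection modify <name> connection.autoconnect no` and make it part of the same privileged import step rather than a separate instruction; and "full-tunnel (AllowedIPs 0.0.0.0/0)" covers IPv4 only, so the mutual-exclusion rule should key on ::/0 as well, or the spec should say explicitly that these configs do not route IPv6 through the tunnel.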
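Review bot: in the @@ -103,35 +113,60 @@ hunk, the Proton decision keeps "the imported NM wireguard configs stay as a raw fallback" while the sketch in the first hunk records that those configs lack the kill switch, yet neither the decision nor phases 3 and 4 say the panel, diagnostics or badge distinguish a CLI-driven tunnel from the raw fallback; add a classifier row or evidence text in phase 3 so a fallback tunnel (no kill switch) is visible to the user rather than badged identically. The decision also records the GTK/CLI concurrency claim as "untested locally", but phase 5's VM assertions mention only the package swap; assert that proton-vpn-gtk-app is absent after the run so the untested claim never has to hold. Phase 6 is a per-machine step that will be rerun, so state whether the import script is idempotent (skip configs whose profile name already appears in `nmcli -t -f NAME connection show`) and have it verify autoconnect is off on every imported profile rather than restating the instruction from the first hunk.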
