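# Client section of our Monitoring VPN config
#
# Declares the `services.monitoring.vpn.client.*` options and, when the client
# is enabled, configures one WireGuard interface (`monitoringvpn`) with a single
# peer: the monitoring server.
{ lib, config, ... }:
let
  cfg = config.services.monitoring.vpn;
  # cfg.server = "loki";
  # cfg.port = 54321;
  #ip = "192.168.42.11";
in {
  options = {
    services.monitoring.vpn.client.enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";

    # Path to the interface's private key. Only the path is stored in the
    # configuration; the key material itself is read by WireGuard at runtime and
    # therefore never ends up in the world-readable Nix store.
    services.monitoring.vpn.client.privateKeyFile = lib.mkOption {
      type = lib.types.str;
      example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
      description = ''
        Base64 private key generated by <command>wg genkey</command>.
      '';
    };

    # Declared but not referenced in `config` below: WireGuard derives the local
    # public key from the private key, so only `privateKeyFile` is handed to the
    # interface. Kept for interface compatibility with existing configurations.
    services.monitoring.vpn.client.publicKeyFile = lib.mkOption {
      type = lib.types.str;
      example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
      description = ''
        Base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
      '';
    };

    # Fix: this was a bare attribute set. Without `lib.mkOption` the module
    # system does not recognise it as an option declaration and evaluation of
    # the module fails. No default is given, so enabling the client requires
    # the operator to set it explicitly.
    #
    # NOTE: in WireGuard, a peer's AllowedIPs is the cryptokey routing table:
    # packets arriving from the peer whose source address is outside this list
    # are dropped, and packets destined for these addresses are routed to the
    # peer. Keep the list as narrow as possible (e.g. the server's /32).
    services.monitoring.vpn.client.allowedIPs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      example = lib.literalExample [ "172.23.23.1/32" ];
      description = ''
        Limits which IPs this client receives data from.
      '';
    };

    # Fix: same missing `lib.mkOption` as for `allowedIPs` above.
    services.monitoring.vpn.client.ips = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      example = lib.literalExample [ "172.23.23.1/24" ];
      default = [ "172.23.23.1/24" ];
      description = ''
        The IP addresses of the interface.
        See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
      '';
    };
  };

  config = lib.mkIf cfg.client.enable {
    networking.wireguard.interfaces.monitoringvpn = {
      ips = cfg.client.ips;
      privateKeyFile = cfg.client.privateKeyFile;
      peers = [
        {
          allowedIPs = cfg.client.allowedIPs;
          # Server endpoint is still hard-coded; the commented expression is the
          # intended parametrised form once `cfg.server`/`cfg.port` exist.
          endpoint = "loki:54321"; # cfg.server + ":" + toString cfg.port;
          # The peer's static public key pins the server's identity: the tunnel
          # only comes up against a host holding the matching private key. It
          # must be kept in sync with the key actually deployed on the server.
          publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
        }
      ];
    };
  };
}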
# just have all config static (no file systems etc)
# move cfg into global config (like config.privatestorage.monitoring.*)
# parametrize keys
# - (https://wiki.archlinux.org/index.php/WireGuard)
# - (wg genkey | tee peer_A.key | wg pubkey > peer_A.pub)