# Client half of the PrivateStorageio monitoring VPN NixOS module (WireGuard).

{ lib, config, ... }: let
  cfg = config.services.private-storage.monitoring.vpn;
in {
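  options.services.private-storage.monitoring.vpn.client = {
    enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
    privateKeyFile = lib.mkOption {
      # Deliberately a plain string rather than `types.path`: a `path` value
      # would be copied into the world-readable /nix/store at evaluation time.
      # The string is handed to networking.wireguard unchanged, so the file
      # only has to exist on the target host when the interface comes up.
      type = lib.types.str;
      example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
      description = ''
        Path to a file, outside the Nix store, holding this host's base64
        WireGuard private key as produced by <command>wg genkey</command>.
        Keep the file readable by root only.
      '';
    };
    publicKeyFile = lib.mkOption {
      # NOTE(review): declared here but not referenced by the client config in
      # this file; presumably consumed elsewhere (e.g. when registering the
      # peer on the server) — confirm before relying on it.
      type = lib.types.str;
      example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
      description = ''
        Path to a file holding this host's base64 WireGuard public key, derived
        from the private key with <command>wg pubkey</command> (which reads the
        private key on stdin).
      '';
    };
    allowedIPs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      example = lib.literalExample [ "172.23.23.1/32" ];
      description = ''
        Allowed IP ranges for the monitoring VPN server peer (WireGuard
        cryptokey routing): traffic to these destinations is routed into the
        tunnel, and packets arriving from the peer are accepted only if their
        source address lies inside them. Keep this to the server's tunnel
        address (a /32) so the tunnel never becomes a default route.
      '';
    };
    ips = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      example = lib.literalExample [ "172.23.23.11/24" ];
      # NOTE(review): a fixed default means every client that does not set
      # this ends up with the same tunnel address; consider dropping the
      # default so each client has to choose a unique one.
      default = [ "172.23.23.21/24" ];
      description = ''
        Addresses (with prefix length) assigned to this host's tunnel
        interface. Must be unique per client within the VPN subnet.
        See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
      '';
    };
  };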

  config = lib.mkIf cfg.client.enable {
    networking.wireguard.interfaces.monitoringvpn = {
      # Tunnel address(es) and the private key path come straight from the
      # client options; the key stays in a file outside the Nix store.
      inherit (cfg.client) ips privateKeyFile;
      # Exactly one peer: the monitoring VPN server.
      peers = lib.singleton {
        # Cryptokey routing: which ranges are routed to / accepted from the server.
        allowedIPs = cfg.client.allowedIPs;
        # NOTE(review): the server endpoint (a private-range address and port)
        # and its public key are hard-coded. The trailing comment shows the
        # intended parametrisation via cfg.server / cfg.port, but no such
        # options are declared in this file. cfg.client.publicKeyFile is
        # declared above yet never consumed here.
        endpoint = "192.168.67.21:54321"; # cfg.server + ":" + toString cfg.port;
        publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
      };
    };
# TODO list:
#   v  for now, keep all config static (no file systems etc.)
#   -  move cfg into the global config (like config.privatestorage.monitoring.*)
#   -  parametrize keys: the server endpoint and public key are currently
#      hard-coded in the peer definition above
#      - https://wiki.archlinux.org/index.php/WireGuard
#      - wg genkey | tee peer_A.key | wg pubkey > peer_A.pub
#        (keep peer_A.key out of the Nix store and point privateKeyFile at it)