make-monitoring.nix

{ publicIPv4
, hardware
, publicStoragePort
, ristrettoSigningKeyPath
, monitoringvpnKeyDir
, passValue
, sshUsers
, stateVersion
, monitoringvpnIPv4
, vpnClientIPs
, ... }: rec {

  deployment = {
    targetHost = publicIPv4;

    secrets = {
      "monitoringvpn-private-key" = {
        source = monitoringvpnKeyDir + "/server.key";
        destination = "/run/keys/monitoringvpn/server.key";
        owner.user = "root";
        owner.group = "root";
        permissions = "0400";
        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
      };
      "monitoringvpn-preshared-key" = {
        source = monitoringvpnKeyDir + "/preshared.key";
        destination = "/run/keys/monitoringvpn/preshared.key";
        owner.user = "root";
        owner.group = "root";
        permissions = "0400";
        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
      };
    };
  };

  imports = [
    hardware
    ../../nixos/modules/monitoring/vpn/server.nix
  ];

  services.private-storage.monitoring.vpn.server = {
    enable = true;
    ip = monitoringvpnIPv4;
    inherit vpnClientIPs;
  };

  system.stateVersion = stateVersion;
}