# Builds the NixOS/deployment configuration for a monitoring host.
#
# Arguments:
#   publicIPv4            - address the deployment tool targets (see `deployment.targetHost`).
#   hardware              - hardware module, added to `imports`.
#   stateVersion          - value for `system.stateVersion`.
#   monitoringvpnIPv4,
#   monitoringvpnKeyDir,
#   vpnClientIPs          - optional; the monitoring VPN server is configured only
#                           when all three are non-null (see `enableVpn` below).
#   publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers
#                         - accepted but not referenced in this file; presumably kept
#                           so the signature matches sibling make-*.nix builders — TODO confirm.
{ publicIPv4
, hardware
, publicStoragePort
, ristrettoSigningKeyPath
, passValue
, sshUsers
, stateVersion
, monitoringvpnIPv4 ? null
, monitoringvpnKeyDir ? null
, vpnClientIPs ? null
, ... }: let

  # All-or-nothing gate: if any of the three VPN inputs is missing the VPN is
  # silently left unconfigured rather than failing evaluation. A partially
  # supplied set of arguments therefore yields a monitoring host with no VPN.
  # NOTE(review): `vpnClientIPs` is only consulted here; this file does not pass
  # it on to the server module.
  enableVpn = monitoringvpnKeyDir != null &&
              monitoringvpnIPv4 != null &&
              vpnClientIPs != null;

  # Secrets pushed to the host by the deployment tool when the VPN is enabled.
  # Both keys are read from `monitoringvpnKeyDir` on the deploying machine and
  # land as root-owned, mode 0400 files under /run/keys/monitoringvpn/, so they
  # are readable by root only. The `action` list is run after the secret is
  # placed — presumably on every (re)upload — to pick up the new key material;
  # confirm against the deployment tool's secret semantics.
  vpnSecrets = if !enableVpn then {} else {
    "monitoringvpn-private-key" = {
      source = monitoringvpnKeyDir + "/server.key";
      destination = "/run/keys/monitoringvpn/server.key";
      owner.user = "root";
      owner.group = "root";
      permissions = "0400";
      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
    };
    "monitoringvpn-preshared-key" = {
      source = monitoringvpnKeyDir + "/preshared.key";
      destination = "/run/keys/monitoringvpn/preshared.key";
      owner.user = "root";
      owner.group = "root";
      permissions = "0400";
      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
    };
  };
# `rec` lets attributes below refer to each other; none of the visible
# attributes do so, so the keyword appears to be unused here.
in rec {

  # Deployment-tool settings (not NixOS options): where to deploy and which
  # secret files to push alongside the system closure.
  deployment = {
    # Host is reached via its public address — presumably over SSH; confirm
    # with the deployment tool in use.
    targetHost = publicIPv4;

    # No secrets are deployed unless the VPN is enabled, in which case the
    # WireGuard private and preshared keys from `vpnSecrets` are merged in.
    secrets = { } // vpnSecrets;
  };

  # The VPN server module is imported unconditionally; when the VPN is disabled
  # its options simply receive the empty set below, so nothing is activated.
  imports = [
    hardware
    ../../nixos/modules/monitoring/vpn/server.nix
  ];

  # Monitoring VPN server options. Left entirely unset when `enableVpn` is
  # false (same gate as `vpnSecrets`, so the keys and the service that needs
  # them are always deployed together).
  services.private-storage.monitoring.vpn.server = if !enableVpn then {} else {
    # Only reached when all three VPN inputs were supplied.
    enable = true;
    # Server's address inside the VPN.
    ip = monitoringvpnIPv4;
    # Same directory the deployed server.key/preshared.key are read from; the
    # module presumably looks up peer public keys here — confirm in server.nix.
    pubKeysPath = monitoringvpnKeyDir;
  };

  # Passed straight through from the caller; pins stateful-service defaults to
  # the NixOS release the host was first installed with.
  system.stateVersion = stateVersion;
}