client.nix

# Client section of our Monitoring VPN config

{ lib, config, ... }: let
  cfg = config.services.private-storage.monitoring.vpn;

in {
  options.services.private-storage.monitoring.vpn.client = {
    enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
    privateKeyFile = lib.mkOption {
      type = lib.types.path;
      example = lib.literalExample /var/secrets/monitoringvpn/host.key;
      default = /var/secrets/monitoringvpn/client.key;
      description = ''
        File with base64 private key generated by <command>wg genkey</command>.
      '';
    };
    publicKeyFile = lib.mkOption {
      type = lib.types.path;
      example = lib.literalExample /var/secrets/monitoringvpn/host.pub;
      description = ''
        File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
      '';
    };
    allowedIPs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      example = lib.literalExample [ "172.23.23.1/32" ];
      description = ''
        Limits which IPs this client receives data from.
      '';
    };
    ips = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      example = lib.literalExample [ "172.23.23.11/24" ];
      description = ''
        The IP addresses of the interface.
        See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
      '';
    };
    endpoint = lib.mkOption {
      type = lib.types.str;
      example = lib.literalExample "vpn.monitoring.private.storage:54321";
      default = "192.168.67.24:54321";
      description = ''
        The address and port number of the server to establish the VPN with.
      '';
    };
    endpointPublicKeyFile = lib.mkOption {
      type = lib.types.path;
      example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
      description = ''
        File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
      '';
    };
  };

  config = lib.mkIf cfg.client.enable {
    networking.wireguard.interfaces.monitoringvpn = {
      ips = cfg.client.ips;
      privateKeyFile = toString cfg.client.privateKeyFile;
      peers = [
        {
          allowedIPs = cfg.client.allowedIPs;
          endpoint = cfg.client.endpoint;  # meaning: the server.
          publicKey = builtins.readFile(cfg.client.endpointPublicKeyFile);
        }
      ];
    };
  };
}


# v just have all config static (no file systems etc)
# move cfg into global config (like config.privatestorage.monitoring.*)
# parametrize keys
#   - (https://wiki.archlinux.org/index.php/WireGuard
#   -  (wg genkey | tee peer_A.key | wg pubkey > peer_A.pub)