server.nix

# Server section of our Monitoring VPN config

{ lib, config, ... }: let
  cfg = config.services.private-storage.monitoring.vpn;

in {
  options.services.private-storage.monitoring.vpn.server = {
    enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN server service";
    privateKeyFile = lib.mkOption {
      type = lib.types.path;
      example = lib.literalExample /var/secrets/monitoringvpn/server.key;
      default = /var/secrets/monitoringvpn/server.key;
      description = ''
        File with base64 private key generated by <command>wg genkey</command>.
      '';
    };
    publicKeyFile = lib.mkOption {
      type = lib.types.path;
      example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
      default = /var/secrets/monitoringvpn/server.pub;
      description = ''
        File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
      '';
    };
    presharedKeyFile = lib.mkOption {
      type = lib.types.path;
      example = lib.literalExample /var/secrets/monitoringvpn/preshared.key;
      default = /var/secrets/monitoringvpn/preshared.key;
      description = ''
        File with base64 preshared key generated by <command>wg genpsk</command>.
      '';
    };
    ip = lib.mkOption {
      type = lib.types.str;
      example = lib.literalExample [ "172.23.23.23" ];
      description = ''
        The IP address of the interface.
      '';
    };
    port = lib.mkOption {
      type = lib.types.port;
      example = lib.literalExample 54321;
      default = 54321;
      description = ''
        The UDP port to listen on.
      '';
    };
  };

  config = lib.mkIf cfg.server.enable {
    networking.firewall.allowedUDPPorts = [ cfg.server.port ];

    networking.wireguard.interfaces.monitoringvpn = {
      ips = [ "${cfg.server.ip}/24" ];
      listenPort = cfg.server.port;
      privateKeyFile = toString cfg.server.privateKeyFile;
      peers = [
        {
          allowedIPs = [ "172.23.23.11/32" ];
          publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.11.pub");
          presharedKeyFile = toString cfg.server.presharedKeyFile;
        }
        {
          allowedIPs = [ "172.23.23.12/32" ];
          publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.12.pub");
          presharedKeyFile = toString cfg.server.presharedKeyFile;
        }
        {
          allowedIPs = [ "172.23.23.13/32" ];
          publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.13.pub");
          presharedKeyFile = toString cfg.server.presharedKeyFile;
        }
      ];
    };
  };
}