    # Server section of our Monitoring VPN config
    
    { lib, config, ... }: let
      cfg = config.services.private-storage.monitoring.vpn;
      # One WireGuard peer entry per allowed client address. Each client is
      # restricted to its own /32, its public key is read from
      # `<pubKeysPath>/<ip>.pub`, and every client shares the same preshared
      # key file (so the PSK gives no per-client separation).
      makePeers = lib.forEach cfg.server.vpnClientIPs (clientIP: {
        allowedIPs = [ "${clientIP}/32" ];
        publicKey = lib.fileContents (cfg.server.pubKeysPath + "/${clientIP}.pub");
        # toString keeps the key path out of string interpolation, so the
        # secret is referenced by path at runtime rather than copied into the
        # (world-readable) Nix store.
        presharedKeyFile = toString cfg.server.presharedKeyFile;
      });
    
    in {
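      # Options for the server side of the monitoring VPN (WireGuard).
      # Key material is given as paths; the config section below applies
      # `toString` before passing them on, so the files are referenced by path
      # at runtime and are not copied into the Nix store.
      options.services.private-storage.monitoring.vpn.server = {
        enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN server service";
        # WireGuard private key of the server.
        privateKeyFile = lib.mkOption {
          type = lib.types.path;
          example = lib.literalExample /run/keys/monitoringvpn/server.key;
          default = /run/keys/monitoringvpn/server.key;
          description = ''
            File with base64 private key generated by <command>wg genkey</command>.
          '';
        };
        # A single preshared key used for every peer (see makePeers): a client
        # that leaks it leaks it for all clients.
        presharedKeyFile = lib.mkOption {
          type = lib.types.path;
          example = lib.literalExample /run/keys/monitoringvpn/preshared.key;
          default = /run/keys/monitoringvpn/preshared.key;
          description = ''
            File with base64 preshared key generated by <command>wg genpsk</command>.
          '';
        };
        # Server address inside the VPN; used as `<ip>/24` on the interface.
        ip = lib.mkOption {
          type = lib.types.str;
          # A single address string, matching `type = str` (the example used
          # to show a list, which this option does not accept).
          example = lib.literalExample "172.23.23.23";
          description = ''
            The IP address of the interface.
          '';
        };
        # UDP port WireGuard listens on; also opened in the firewall.
        port = lib.mkOption {
          type = lib.types.port;
          example = lib.literalExample 54321;
          default = 54321;
          description = ''
            The UDP port to listen on.
          '';
        };
        # One peer is generated per address; each gets `<ip>/32` as its
        # allowedIPs and its public key is read from `<pubKeysPath>/<ip>.pub`.
        vpnClientIPs = lib.mkOption {
          type = lib.types.listOf lib.types.str;
          example = lib.literalExample [ "172.23.23.23" "172.23.23.42" ];
          description = ''
            The IP addresses to allow connections from.
          '';
        };
        # Public keys only; their contents are read at evaluation time.
        pubKeysPath = lib.mkOption {
          type = lib.types.path;
          example = lib.literalExample ../../../../morph/PrivateStorageSecrets/monitoringvpn;
          default = ../../../../morph/PrivateStorageSecrets/monitoringvpn;
          description = ''
            The path to the directory that holds the public keys.
          '';
        };
      };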
    
      config = lib.mkIf cfg.server.enable {
        # Only the WireGuard listen port is opened, and only for UDP.
        networking.firewall.allowedUDPPorts = [ cfg.server.port ];

        networking.wireguard.interfaces.monitoringvpn = {
          listenPort = cfg.server.port;
          # The server holds one address in the VPN's /24.
          ips = [ (cfg.server.ip + "/24") ];
          # toString keeps the path out of string interpolation, so the private
          # key is referenced by path at runtime rather than copied into the
          # (world-readable) Nix store.
          privateKeyFile = toString cfg.server.privateKeyFile;
          # Derived from vpnClientIPs by makePeers above.
          peers = makePeers;
        };