vpn: add global preshared key. post-quantum resistence sounds great!

0faf6ac7 · Florian Sesser · ef4a991f · 0faf6ac7 · 0faf6ac7 · 0faf6ac7
Commit 0faf6ac7 authored 4 years ago by Florian Sesser
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -37,6 +37,14 @@
        permissions = "0400";
        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
      };
+      "monitoringvpn-preshared-key" = {
+        source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+        destination = "/var/secrets/monitoringvpn/preshared.key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+      };
    };
  };


--- a/morph/lib/make-monitoring.nix
+++ b/morph/lib/make-monitoring.nix
@@ -20,6 +20,14 @@
        permissions = "0444";
        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
      };
+      "monitoringvpn-preshared-key" = {
+        source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+        destination = "/var/secrets/monitoringvpn/preshared.key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+      };
    };
  };


--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -21,6 +21,14 @@ in {
        File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
      '';
    };
+    presharedKeyFile = lib.mkOption {
+      type = lib.types.path;
+      example = lib.literalExample /var/secrets/monitoringvpn/preshared.key;
+      default = /var/secrets/monitoringvpn/preshared.key;
+      description = ''
+        File with base64 preshared key generated by <command>wg genpsk</command>.
+      '';
+    };
    allowedIPs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      example = lib.literalExample [ "172.23.23.1/32" ];
@@ -62,6 +70,7 @@ in {
          allowedIPs = cfg.client.allowedIPs;
          endpoint = cfg.client.endpoint;  # meaning: the server.
          publicKey = builtins.readFile(cfg.client.endpointPublicKeyFile);
+          presharedKeyFile = toString cfg.client.presharedKeyFile;
        }
      ];
    };

--- a/nixos/modules/monitoring/vpn/server.nix
+++ b/nixos/modules/monitoring/vpn/server.nix
@@ -22,6 +22,14 @@ in {
        File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
      '';
    };
+    presharedKeyFile = lib.mkOption {
+      type = lib.types.path;
+      example = lib.literalExample /var/secrets/monitoringvpn/preshared.key;
+      default = /var/secrets/monitoringvpn/preshared.key;
+      description = ''
+        File with base64 preshared key generated by <command>wg genpsk</command>.
+      '';
+    };
    ip = lib.mkOption {
      type = lib.types.str;
      example = lib.literalExample [ "172.23.23.23" ];
@@ -50,10 +58,12 @@ in {
        { # node1
          allowedIPs = [ "172.23.23.11/32" ];
          publicKey = "tZ295cvD98ixt/VH4dwPKNgHf9MuhuzsossOWBOOoGU=";
+          presharedKeyFile = toString cfg.server.presharedKeyFile;
        }
        { # node2
          allowedIPs = [ "172.23.23.12/32" ];
          publicKey = "zDxWTejJDXRRmUiMZPC7eVSCDdyFikN9VI6cqapQ6RY=";
+          presharedKeyFile = toString cfg.server.presharedKeyFile;
        }
      ];
    };