Commit 19ec60e1 authored by Florian Sesser's avatar Florian Sesser
Monitoring VPN client config WIP

parent 8a2975db
3 merge requests!101Merge staging into production,!100Merge develop into staging,!87Add monitoring VPN modules and config
# Client section of our Monitoring VPN config
{ lib, config, ... }: let
cfg = config.services.monitoring.vpn;
# cfg.server = "loki";
# cfg.port = 54321;
#ip = "192.168.42.11";
in {
options = {
services.monitoring.vpn.client.enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
services.monitoring.vpn.client.privateKeyFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
description = ''
Base64 private key generated by <command>wg genkey</command>.
'';
};
services.monitoring.vpn.client.publicKeyFile = lib.mkOption {
type = lib.types.str;
example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
description = ''
Base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
'';
};
services.monitoring.vpn.client.allowedIPs = {
type = lib.types.listOf lib.types.str;
example = lib.literalExample [ "172.23.23.1/32" ];
description = ''
Limits which IPs this client receives data from.
'';
};
services.monitoring.vpn.client.ips = {
type = lib.types.listOf lib.types.str;
example = lib.literalExample [ "172.23.23.1/24" ];
default = [ "172.23.23.1/24" ];
description = ''
The IP addresses of the interface.
See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
'';
};
};
config = lib.mkIf cfg.client.enable {
networking.wireguard.interfaces.monitoringvpn = {
ips = cfg.client.ips;
privateKeyFile = cfg.client.privateKeyFile;
peers = [
{
allowedIPs = cfg.client.allowedIPs;
endpoint = "loki:54321"; # cfg.server + ":" + toString cfg.port;
publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
}
];
};
};
}
# just have all config static (no file systems etc)
# move cfg into global config (like config.privatestorage.monitoring.*)
# parametrize keys
# - (https://wiki.archlinux.org/index.php/WireGuard
# - (wg genkey | tee peer_A.key | wg pubkey > peer_A.pub)
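Review bot: The `allowedIPs` and `ips` declarations in the options block are plain attribute sets rather than option declarations, so the module system will treat their `type`/`example`/`description` keys as nested option paths and fail to evaluate; both should open with `services.monitoring.vpn.client.allowedIPs = lib.mkOption {` and `services.monitoring.vpn.client.ips = lib.mkOption {`, matching the two `mkOption` declarations above them. `publicKeyFile` is declared but never read in the `config` block, and the peer's `endpoint` and `publicKey` are still literals even though the trailing TODO comments already call for parametrizing them, so either wiring these through or noting the option as currently unused would keep the interface honest. The `allowedIPs` description understates what the setting does: in WireGuard it also selects which destination addresses are routed to that peer, so `Which source IPs are accepted from, and which destination IPs are routed to, this peer.` would be more accurate. The `ips` default of `172.23.23.1/24` applied to every client also looks like it collides with the `172.23.23.1/32` example used for the peer; presumably each client needs its own per-host address, so that default may be better left out.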