From 19ec60e1fef61420a54b9a861bbd8e2984328cbe Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Wed, 12 May 2021 21:11:24 +0000
Subject: [PATCH] Monitoring VPN client config WIP
---
 nixos/modules/monitoring/vpn/client.nix | 65 +++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 nixos/modules/monitoring/vpn/client.nix
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
new file mode 100644
index 00000000..24c8a0ec
--- /dev/null
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -0,0 +1,65 @@
+# Client section of our Monitoring VPN config
+
+{ lib, config, ... }: let
+ cfg = config.services.monitoring.vpn;
+ # cfg.server = "loki";
+ # cfg.port = 54321;
+ #ip = "192.168.42.11";
+
+in {
+
+ options = {
+ services.monitoring.vpn.client.enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
+ services.monitoring.vpn.client.privateKeyFile = lib.mkOption {
+ type = lib.types.str;
+ example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
+ description = ''
+ Base64 private key generated by <command>wg genkey</command>.
+ '';
+ };
+ services.monitoring.vpn.client.publicKeyFile = lib.mkOption {
+ type = lib.types.str;
+ example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
+ description = ''
+ Base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+ '';
+ };
+ services.monitoring.vpn.client.allowedIPs = {
+ type = lib.types.listOf lib.types.str;
+ example = lib.literalExample [ "172.23.23.1/32" ];
+ description = ''
+ Limits which IPs this client receives data from.
+ '';
+ };
+ services.monitoring.vpn.client.ips = {
+ type = lib.types.listOf lib.types.str;
+ example = lib.literalExample [ "172.23.23.1/24" ];
+ default = [ "172.23.23.1/24" ];
+ description = ''
+ The IP addresses of the interface.
+ See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.client.enable {
+ networking.wireguard.interfaces.monitoringvpn = {
+ ips = cfg.client.ips;
+ privateKeyFile = cfg.client.privateKeyFile;
+ peers = [
+ {
+ allowedIPs = cfg.client.allowedIPs;
+ endpoint = "loki:54321"; # cfg.server + ":" + toString cfg.port;
+ publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
+ }
+ ];
+ };
+ };
+}
+
+
+# just have all config static (no file systems etc)
+# move cfg into global config (like config.privatestorage.monitoring.*)
+# parametrize keys
+# - (https://wiki.archlinux.org/index.php/WireGuard
+# - (wg genkey | tee peer_A.key | wg pubkey > peer_A.pub)
-- GitLab
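Review bot: The `allowedIPs` and `ips` declarations are plain attribute sets rather than option declarations, so `cfg.client.allowedIPs` and `cfg.client.ips` read in the `config` section will not resolve as options and evaluation will fail as soon as `enable` is set; both lines need `lib.mkOption`: `services.monitoring.vpn.client.allowedIPs = lib.mkOption {` and `services.monitoring.vpn.client.ips = lib.mkOption {`. The `privateKeyFile` description is also at odds with its name and use: the value is passed to `networking.wireguard.interfaces.monitoringvpn.privateKeyFile`, which expects a path, but the description says "Base64 private key", which invites putting the key material itself in the configuration, where it would land in the world-readable Nix store; suggest `Path to a file containing the base64 private key generated by <command>wg genkey</command>.` (keeping `types.str` rather than `types.path`, so the file is not copied into the store either). The `allowedIPs` description reads as receive-side filtering only, while WireGuard's allowed IPs also select which destination addresses are routed through this peer, so a wording like `Addresses this peer may send from and that are routed to it over the tunnel.` would describe the setting more accurately. `publicKeyFile` is declared but not referenced anywhere in the `config` section, which may be intentional for this WIP but is worth a comment.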