diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 8a25747ccdb61fa2071538f706bae4ab366dff14..6718f46ada4073ae3edd45d6a9c42fcaa1813800 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -1,12 +1,13 @@
# Load the helper function and call it with arguments tailored for the local
# grid. It will make the morph configuration for us. We share this function
# with the production grid and have one fewer possible point of divergence.
-import ../../lib/make-grid.nix {
+import ../../lib/make-grid.nix rec {
name = "LocalDev";
config = ./config.json;
nodes = cfg:
let
sshUsers = import ../../../../PrivateStorageSecrets/localdev-users.nix;
+ lib = <nixpkgs/lib>;
in {
"payments1" = import ../../lib/make-issuer.nix (rec {
publicIPv4 = "192.168.67.21";
@@ -35,6 +36,7 @@ import ../../lib/make-grid.nix {
"monitoring1" = import ../../lib/make-monitoring.nix (rec {
publicIPv4 = "192.168.67.24";
monitoringvpnIPv4 = "172.23.23.1";
+ vpnClientIPs = builtins.filter (x: x != null) (map (x: lib.attrByPath (lib.splitString "." "services.private-storage.monitoring.vpn.client.ip") null x) (builtins.attrValues nodes));
inherit sshUsers;
hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
stateVersion = "19.09";
diff --git a/morph/lib/make-monitoring.nix b/morph/lib/make-monitoring.nix
index 0d8ad9e1468caf5715ea1d5769a8e7b1c9782ea9..ca8dfc913c0b4f05999374cf66a537cb7d1e1763 100644
--- a/morph/lib/make-monitoring.nix
+++ b/morph/lib/make-monitoring.nix
@@ -1,4 +1,4 @@
-{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, monitoringvpnIPv4, ... }: rec {
+{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, monitoringvpnIPv4, vpnClientIPs, ... }: rec {
deployment = {
targetHost = publicIPv4;
@@ -39,6 +39,7 @@
services.private-storage.monitoring.vpn.server = {
enable = true;
ip = monitoringvpnIPv4;
+ inherit vpnClientIPs;
};
system.stateVersion = stateVersion;
diff --git a/nixos/modules/monitoring/vpn/server.nix b/nixos/modules/monitoring/vpn/server.nix
index 56ecf197527482bdbae4df4a88ddf9696a277bb0..0ff1189b248dfd018ff9735cac4d1c13435d29a8 100644
--- a/nixos/modules/monitoring/vpn/server.nix
+++ b/nixos/modules/monitoring/vpn/server.nix
@@ -45,6 +45,13 @@ in {
The UDP port to listen on.
'';
};
+ vpnClientIPs = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ example = lib.literalExample [ "172.23.23.23" "172.23.23.42" ];
+ description = ''
+ The IP addresses to allow connections from.
+ '';
+ };
};
config = lib.mkIf cfg.server.enable {
@@ -54,23 +61,7 @@ in {
ips = [ "${cfg.server.ip}/24" ];
listenPort = cfg.server.port;
privateKeyFile = toString cfg.server.privateKeyFile;
- peers = [
- {
- allowedIPs = [ "172.23.23.11/32" ];
- publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.11.pub");
- presharedKeyFile = toString cfg.server.presharedKeyFile;
- }
- {
- allowedIPs = [ "172.23.23.12/32" ];
- publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.12.pub");
- presharedKeyFile = toString cfg.server.presharedKeyFile;
- }
- {
- allowedIPs = [ "172.23.23.13/32" ];
- publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.13.pub");
- presharedKeyFile = toString cfg.server.presharedKeyFile;
- }
- ];
+ peers = map (x: {allowedIPs = [ "${x}/32" ]; publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/${x}.pub"); presharedKeyFile = toString cfg.server.presharedKeyFile;}) cfg.server.vpnClientIPs;
};
};
}