diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index d02d55f544e83ca4aac6010e9fcbf7019f6fe784..52f0f82be914fed91192127b833f351e5a3d4be3 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -55,8 +55,9 @@
   services.private-storage.monitoring.vpn.client = {
     enable = true;
-    privateKeyFile = "/var/secrets/vpn/private.key";
+    privateKeyFile = "/var/secrets/vpn/host.key";
     ips = ["172.23.23.21/24"];
     allowedIPs = ["172.23.23.1/32"];
+    endpointPublicKeyFile = "/var/secrets/vpn/server.pub";
   };
 }
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 46f2a5b3fe648b5c8e65e9ceaae765a76b941a3e..434165c227a9bcb832456e3f31fd8923c786d4ca 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -10,14 +10,14 @@ in {
       type = lib.types.str;
       example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
       description = ''
-        Base64 private key generated by <command>wg genkey</command>.
+        File with base64 private key generated by <command>wg genkey</command>.
       '';
     };
     publicKeyFile = lib.mkOption {
       type = lib.types.str;
       example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
       description = ''
-        Base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+        File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
       '';
     };
     allowedIPs = lib.mkOption {
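Review bot: The new `endpointPublicKeyFile = "/var/secrets/vpn/server.pub";` is consumed in client.nix through `builtins.readFile`, so the Nix evaluator reads that path on the machine evaluating the morph deployment, not on the deployed host, and the key's contents end up in the built configuration in the Nix store. That is a different contract from `privateKeyFile`, which as far as this hunk shows is only a string handed to the host to open at runtime. For a public key the store exposure is acceptable, but a deployer will otherwise expect both files to live on the target; a comment on the line such as `# Read at evaluation time on the deploying machine; only a public key belongs here.` would prevent that confusion. Note also that `endpoint` is not set here, so this client will use the module default `192.168.67.21:54321` from client.nix.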
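Review bot: The reworded `privateKeyFile` description still does not say why the option is `lib.types.str` rather than `lib.types.path`: a path-typed value would be copied into the world-readable Nix store at evaluation, whereas a string is presumably passed through unchanged for the host to read at activation. That distinction is the property that keeps the private key out of the store, and it deserves a sentence in the description, e.g. `This is a plain string, not a Nix path, so the key file is never copied into the store; it must exist on the target host.` The same wording applies to `publicKeyFile` a few lines below in this hunk.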
@@ -36,6 +36,21 @@ in {
         See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
       '';
     };
+    endpoint = lib.mkOption {
+      type = lib.types.str;
+      example = lib.literalExample "vpn.monitoring.private.storage:54321";
+      default = "192.168.67.21:54321";
+      description = ''
+        The address and port number of the server to establish the VPN with.
+      '';
+    };
+    endpointPublicKeyFile = lib.mkOption {
+      type = lib.types.str;
+      example = lib.literalExample "/var/secrets/monitoring-vpn/server.pub";
+      description = ''
+        File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+      '';
+    };
   };
   config = lib.mkIf cfg.client.enable {
@@ -45,8 +60,8 @@ in {
       peers = [
         {
           allowedIPs = cfg.client.allowedIPs;
-          endpoint = "192.168.67.21:54321"; # cfg.server + ":" + toString cfg.port;
-          publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
+          endpoint = cfg.client.endpoint; # meaning: the server.
+          publicKey = builtins.readFile(cfg.client.endpointPublicKeyFile);
         }
       ];
     };
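Review bot: The description of the new `endpointPublicKeyFile` option is copied from `publicKeyFile` and says the key is derived from `private.key`, which reads as the client's own key pair; it should say this is the server's (peer's) public key, and, because client.nix reads it with `builtins.readFile` in the hunk below, that the file is read at evaluation time and its contents are stored in the Nix store. Suggested description: `File with the base64 public key of the VPN server this client connects to. It is read at evaluation time, so it must be present where the configuration is evaluated, and its contents end up in the Nix store; never point it at a private key.` The `endpoint` option could likewise note that the default is only a placeholder address.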
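Review bot: `publicKey = builtins.readFile(cfg.client.endpointPublicKeyFile);` returns the file's full contents, including the trailing newline that `wg pubkey` writes, so unless the NixOS wireguard module trims peer keys the value handed to `wg set ... peer` carries an extra character and is likely to be rejected as malformed; the old hard-coded literal had no newline, so this is a behavior change the commit does not account for. `lib.fileContents` strips exactly that trailing newline: `publicKey = lib.fileContents cfg.client.endpointPublicKeyFile;`. Whether the module tolerates the newline should be confirmed against the nixos-20.09 wireguard module the file already links to. The `# meaning: the server.` comment would be clearer as `# The monitoring VPN server this client connects to.`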