From 3419e92c8207a7cd475e422336cc029d74bcf5c6 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Thu, 13 May 2021 18:53:19 +0000
Subject: [PATCH] VPN WIP

---
 morph/lib/make-issuer.nix | 3 ++-
 nixos/modules/monitoring/vpn/client.nix | 23 +++++++++++++++++++----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index d02d55f5..52f0f82b 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -55,8 +55,9 @@
 services.private-storage.monitoring.vpn.client = {
 enable = true;
- privateKeyFile = "/var/secrets/vpn/private.key";
+ privateKeyFile = "/var/secrets/vpn/host.key";
 ips = ["172.23.23.21/24"];
 allowedIPs = ["172.23.23.1/32"];
+ endpointPublicKeyFile = "/var/secrets/vpn/server.pub";
 };
 }
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 46f2a5b3..434165c2 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -10,14 +10,14 @@ in {
 type = lib.types.str;
 example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
 description = ''
- Base64 private key generated by <command>wg genkey</command>.
+ File with base64 private key generated by <command>wg genkey</command>.
 '';
 };
 publicKeyFile = lib.mkOption {
 type = lib.types.str;
 example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
 description = ''
- Base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+ File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
 '';
 };
 allowedIPs = lib.mkOption {
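Review bot: The new `endpointPublicKeyFile` line is not the same kind of path as `privateKeyFile` above it, and nothing here says so: the client module in this same patch consumes it with `builtins.readFile`, so the file is read when the configuration is evaluated, and its contents are embedded in the generated configuration (and thus the Nix store), whereas the private key path is only ever handed to WireGuard at runtime. That is acceptable for a public key but means the file must exist wherever morph evaluates this expression, presumably the deploying machine rather than the target, which is worth stating next to the value: `# Read at Nix evaluation time by the client module (see vpn/client.nix); must be present on the host that evaluates this configuration, never use this pattern for a private key.` The enclosing attribute set starts outside the hunk.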
@@ -36,6 +36,21 @@ in {
 See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
 '';
 };
+ endpoint = lib.mkOption {
+ type = lib.types.str;
+ example = lib.literalExample "vpn.monitoring.private.storage:54321";
+ default = "192.168.67.21:54321";
+ description = ''
+ The address and port number of the server to establish the VPN with.
+ '';
+ };
+ endpointPublicKeyFile = lib.mkOption {
+ type = lib.types.str;
+ example = lib.literalExample "/var/secrets/monitoring-vpn/server.pub";
+ description = ''
+ File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+ '';
+ };
 };
 
 config = lib.mkIf cfg.client.enable {
@@ -45,8 +60,8 @@ in {
 peers = [
 {
 allowedIPs = cfg.client.allowedIPs;
- endpoint = "192.168.67.21:54321"; # cfg.server + ":" + toString cfg.port;
- publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
+ endpoint = cfg.client.endpoint; # meaning: the server.
+ publicKey = builtins.readFile(cfg.client.endpointPublicKeyFile);
 }
 ];
 };
-- 
GitLab
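Review bot: The description of the new `endpointPublicKeyFile` option is copied from `publicKeyFile` and describes the wrong key: it tells the reader to derive it from `private.key` with `wg pubkey`, but this option names the *server's* public key, which is produced on the server and distributed to clients, never derived locally. Since the option is also read at evaluation time further down in this patch, the description should say where the file has to exist; something like `File with the base64 public key of the VPN server named by <option>endpoint</option>. It is read when the configuration is evaluated, so it must be present on the evaluating host.` The `endpoint` option keeps the old hard-coded `192.168.67.21:54321` as its `default`, so a deployment that forgets to set it silently peers with that address; dropping the default (making the option required) would turn that into an evaluation error instead.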
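Review bot: `publicKey = builtins.readFile(cfg.client.endpointPublicKeyFile);` hands WireGuard the raw file contents, and a key written by `wg pubkey` (or any editor) ends in a newline, so the peer's `publicKey` string will carry a trailing `\n` into whatever the NixOS wireguard module generates from it; use `publicKey = lib.fileContents cfg.client.endpointPublicKeyFile;`, which strips the trailing newline, or `lib.removeSuffix "\n"` on the read result. Reading the file at evaluation time also bakes it into the generated configuration in the Nix store, which is fine for a public key but is the reason `privateKeyFile` must keep being passed through as a path and never be read the same way; a one-line comment stating that would keep the next edit from mirroring the pattern. The `# meaning: the server.` comment on the `endpoint` line adds little; `# The VPN server this client peers with.` says the same more directly. The enclosing `config` attribute set starts before this hunk and its closing continues after it.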