From 3419e92c8207a7cd475e422336cc029d74bcf5c6 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Thu, 13 May 2021 18:53:19 +0000
Subject: [PATCH] VPN WIP

---
 morph/lib/make-issuer.nix               |  3 ++-
 nixos/modules/monitoring/vpn/client.nix | 23 +++++++++++++++++++----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index d02d55f5..52f0f82b 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -55,8 +55,9 @@
 
   services.private-storage.monitoring.vpn.client = {
     enable = true;
-    privateKeyFile = "/var/secrets/vpn/private.key";
+    privateKeyFile = "/var/secrets/vpn/host.key";
     ips = ["172.23.23.21/24"];
     allowedIPs = ["172.23.23.1/32"];
+    endpointPublicKeyFile = "/var/secrets/vpn/server.pub";
   };
 }
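Review bot: The new `endpointPublicKeyFile = "/var/secrets/vpn/server.pub";` is consumed differently from the `privateKeyFile` line above it: the client module in this same patch reads it with `builtins.readFile`, which happens at Nix evaluation time on whichever machine runs the morph deploy, whereas the private key path is handed to WireGuard and read on the target at runtime. If `/var/secrets/vpn/` is only provisioned on the target host, evaluation would presumably fail with a missing-file error rather than at service start; worth either placing `server.pub` on the deployer or adding a comment here such as `# read at evaluation time, must exist on the deploying machine`. The surrounding attribute set starts before this hunk.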
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 46f2a5b3..434165c2 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -10,14 +10,14 @@ in {
       type = lib.types.str;
       example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
       description = ''
-        Base64 private key generated by <command>wg genkey</command>.
+        File with base64 private key generated by <command>wg genkey</command>.
       '';
     };
     publicKeyFile = lib.mkOption {
       type = lib.types.str;
       example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
       description = ''
-        Base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+        File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
       '';
     };
     allowedIPs = lib.mkOption {
@@ -36,6 +36,21 @@ in {
         See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
       '';
     };
+    endpoint = lib.mkOption {
+      type = lib.types.str;
+      example = lib.literalExample "vpn.monitoring.private.storage:54321";
+      default = "192.168.67.21:54321";
+      description = ''
+        The address and port number of the server to establish the VPN with.
+      '';
+    };
+    endpointPublicKeyFile = lib.mkOption {
+      type = lib.types.str;
+      example = lib.literalExample "/var/secrets/monitoring-vpn/server.pub";
+      description = ''
+        File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+      '';
+    };
   };
 
   config = lib.mkIf cfg.client.enable {
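Review bot: The description of the new `endpointPublicKeyFile` option is copied from `publicKeyFile` and explains how to derive the host's own public key, so it does not say whose key the file holds; since the module uses it as the peer's `publicKey`, something like `File with the base64 public key of the VPN server (the peer reached at <option>endpoint</option>). Read at evaluation time.` would tell the operator both which key to put there and that the path is resolved where the configuration is evaluated. For the same reason `lib.types.str` plus a required value is a reasonable choice here, because it pins the server key rather than trusting whatever answers at `endpoint`; the description could state that the option is mandatory. The `endpoint` default keeps the address previously hard-coded in the peer block, which is fine, though the example suggests a DNS name while the default is a literal address of a particular network. The enclosing `options` set begins before this hunk.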
@@ -45,8 +60,8 @@ in {
       peers = [
         {
           allowedIPs = cfg.client.allowedIPs;
-          endpoint = "192.168.67.21:54321"; # cfg.server + ":" + toString cfg.port;
-          publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
+          endpoint = cfg.client.endpoint;  # meaning: the server.
+          publicKey = builtins.readFile(cfg.client.endpointPublicKeyFile);
         }
       ];
     };
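Review bot: `publicKey = builtins.readFile(cfg.client.endpointPublicKeyFile);` keeps the trailing newline that `wg pubkey` writes into the file, and the NixOS wireguard module interpolates `publicKey` into the `wg set … peer …` command line, where a newline would presumably truncate the command; `lib.fileContents` strips exactly one trailing newline, so `publicKey = lib.fileContents cfg.client.endpointPublicKeyFile;` is the safer form (`lib` is already in scope in this module). The value read this way is embedded in the evaluated configuration and thus the Nix store, which is acceptable for a public key but is the reason the private key is passed as a path rather than read the same way; a comment noting that would keep a future contributor from extending the pattern to secret files. The comment `# meaning: the server.` could be made self-explanatory, e.g. `# the VPN server this client peers with`. The `peers` list and its enclosing interface definition start before this hunk.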
-- 
GitLab