From 40369f5d17027675682c0a73c68257b91882c8e6 Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Thu, 17 Jun 2021 15:18:23 -0400
Subject: [PATCH] use nix to extra values from our nix config

---
 docs/source/ops/generating-keys.rst |  6 ++----
 tools/create-vpn-keys.sh            | 29 ++++++++++++++++++-----------
 tools/get-vpn-config.nix            | 19 +++++++++++++++++++
 3 files changed, 39 insertions(+), 15 deletions(-)
 create mode 100644 tools/get-vpn-config.nix

diff --git a/docs/source/ops/generating-keys.rst b/docs/source/ops/generating-keys.rst
index 3ffcd79f..47a1f4e9 100644
--- a/docs/source/ops/generating-keys.rst
+++ b/docs/source/ops/generating-keys.rst
@@ -59,11 +59,11 @@ Create Wireguard VPN key pairs in ``secrets/monitoringvpn/`` or where you have t
 
 ``tools/create-vpn-keys.sh`` holds a script to rotate all VPN keys at once::
 
-  cd secrets/monitoringvpn
-  ../../../../../tools/create-vpn-keys.sh ../../testing/grid.nix
+  ./tools/create-vpn-keys.sh morph/grid/testing/grid.nix
 
 Or do it manually::
 
+  cd secrets/monitoringvpn
   for i in 1 11 12 13 ; do
     wg genkey | tee 172.23.23.${i}.key | wg pubkey > 172.23.23.${i}.pub
   done
@@ -74,5 +74,3 @@ Or do it manually::
 And a shared VPN key for "post-quantum resistance"::
 
   wg genpsk > preshared.key
-
-
diff --git a/tools/create-vpn-keys.sh b/tools/create-vpn-keys.sh
index 90eae2c2..1ea1bf7d 100755
--- a/tools/create-vpn-keys.sh
+++ b/tools/create-vpn-keys.sh
@@ -3,10 +3,13 @@
 # Scope: Create wireguard keys for all monitoringVPN hosts
 # Parameters:
 #   file: path to grid.nix of morph deployment
-# Output: Key files for all monitoring VPN hosts _in_the_current_directory_
-# Convention: the IP ending in ".1" will be symlinked to server.{key,pub}
+#
+# Output: Key files for all monitoring VPN hosts in secrets/monitoringvpn
+#         relative to the grid.nix
+#
+# The server key will also be symlinked to server.{key,pub}.
 
-set -euo pipefail
+set -euxo pipefail
 
 umask 077
 
@@ -15,17 +18,21 @@ if [[ $# -ne 1 ]]; then
     exit 2
 fi
 
-MONITORING_IPS=$(fgrep monitoringvpnIPv4 ${1} | egrep -o "[0-9\.]{7,15}")
-VPNSERVER_IP=$(fgrep monitoringvpnIPv4 ${1} | egrep -o -m1 "[0-9\.]{5,13}\.1")
+SRC=$(dirname $0)
+VPN_SECRETS=$(dirname $1)/secrets/monitoringvpn
 
-for i in $MONITORING_IPS; do
-  wg genkey | tee ${i}.key | wg pubkey > ${i}.pub
+CONFIG=$(nix eval --json -f "${SRC}"/get-vpn-config.nix --arg pathToGrid "${1}" vpn)
+
+MONITORING_IPS=$(echo $CONFIG | jp --unquoted "join(' ', clientIPs)")
+VPNSERVER_IP=$(echo $CONFIG | jp --unquoted "serverIP")
+
+for i in $MONITORING_IPS $VPNSERVER_IP; do
+  wg genkey | tee "${VPN_SECRETS}"/${i}.key | wg pubkey > "${VPN_SECRETS}"/${i}.pub
 done
 
-ln -fs $VPNSERVER_IP.key server.key
-ln -fs $VPNSERVER_IP.pub server.pub
+ln -s $VPNSERVER_IP.key "${VPN_SECRETS}"/server.key
+ln -s $VPNSERVER_IP.pub "${VPN_SECRETS}"/server.pub
 
-wg genpsk > preshared.key
+wg genpsk > "${VPN_SECRETS}"/preshared.key
 
 # EOF
-
diff --git a/tools/get-vpn-config.nix b/tools/get-vpn-config.nix
new file mode 100644
index 00000000..7753292a
--- /dev/null
+++ b/tools/get-vpn-config.nix
@@ -0,0 +1,19 @@
+# A function that accepts a path to a grid.nix-style file and returns a set
+# with two attributes:
+#
+#  * serverIP - a string giving the VPN IP address of the grid's VPN server.
+#
+#  * clientIPs - a list of strings giving the VPN IP addresses of all of the
+#                grid's VPN clients.
+#
+{ pathToGrid }:
+let
+  grid = import pathToGrid;
+  vpnConfig = node: node.services.private-storage.monitoring.vpn or null;
+  vpnClientIP = node: (vpnConfig node).client.ip or null;
+  vpnServerIP = node: (vpnConfig node).server.ip or null;
+in
+{
+ "serverIP" = vpnServerIP grid.monitoring;
+ "clientIPs" = builtins.filter (x: x != null) (map vpnClientIP (builtins.attrValues grid));
+}
-- 
GitLab