From 4f0125b3d845c1841e4098b29f7da77d06d0edb9 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Thu, 13 May 2021 17:38:13 +0000
Subject: [PATCH] VPN WIP

---
 morph/lib/make-issuer.nix               |  9 +++-
 nixos/modules/monitoring/vpn/client.nix | 66 ++++++++++++++++++-------
 2 files changed, 57 insertions(+), 18 deletions(-)

diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 8556343d..d02d55f5 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -35,7 +35,7 @@
   imports = [
     hardware
     ../../nixos/modules/issuer.nix
-    ../../nixos/modules/monitoring/vpn/server.nix
+    ../../nixos/modules/monitoring/vpn/client.nix
   ];
 
   services.private-storage.sshUsers = sshUsers;
@@ -52,4 +52,11 @@
   };
 
   system.stateVersion = stateVersion;
+
+  services.private-storage.monitoring.vpn.client = {
+    enable = true;
+    privateKeyFile = "/var/secrets/vpn/private.key";
+    ips = ["172.23.23.21/24"];
+    allowedIPs = ["172.23.23.1/32"];
+  };
 }
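Review bot: `ips = ["172.23.23.21/24"]` repeats the module's own default, and because that default is identical for every host that enables the client, a second client left at the default would collide on the same address; give each host a distinct address here and consider removing the default from client.nix. The private key is now read from `/var/secrets/vpn/private.key`, but nothing in the patch shows how that file is provisioned or with what permissions — presumably a deployment secrets step handles it; confirm it is root-only and present before the wireguard interface unit starts. The path also differs from the module's example (`/var/secrets/monitoring-vpn/host.key`), so one convention should be picked. The enclosing attribute set begins outside the hunk.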
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 7a2ba177..46f2a5b3 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -1,28 +1,60 @@
 # Client section of our Monitoring VPN config
 
-#{ config, ip, privateKeyPath }:
-
-let
-  cfg.server = "192.168.67.21";
-  cfg.port = 54321;
-  ip = "192.168.42.11";
+{ lib, config, ... }: let
+  cfg = config.services.private-storage.monitoring.vpn;
 
 in {
-  networking.wireguard.interfaces.monitoringvpn = {
-    ips = [ "${ip}/24" ];
-    privateKey = "oFCEeXlRI+iU3UOgNsAOUCaLZFTEKAq4OrVAvusZYGo=";
-    peers = [
-      {
-        allowedIPs = [ "192.168.42.1/32" ];
-        endpoint = cfg.server + ":" + toString cfg.port;
-        publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
-      }
-    ];
+  options.services.private-storage.monitoring.vpn.client = {
+    enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
+    privateKeyFile = lib.mkOption {
+      type = lib.types.str;
+      example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
+      description = ''
+        Base64 private key generated by <command>wg genkey</command>.
+      '';
+    };
+    publicKeyFile = lib.mkOption {
+      type = lib.types.str;
+      example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
+      description = ''
+        Base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+      '';
+    };
+    allowedIPs = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      example = lib.literalExample [ "172.23.23.1/32" ];
+      description = ''
+        Limits which IPs this client receives data from.
+      '';
+    };
+    ips = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      example = lib.literalExample [ "172.23.23.11/24" ];
+      default = [ "172.23.23.21/24" ];
+      description = ''
+        The IP addresses of the interface.
+        See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.client.enable {
+    networking.wireguard.interfaces.monitoringvpn = {
+      ips = cfg.client.ips;
+      privateKeyFile = cfg.client.privateKeyFile;
+      peers = [
+        {
+          allowedIPs = cfg.client.allowedIPs;
+          endpoint = "192.168.67.21:54321"; # cfg.server + ":" + toString cfg.port;
+          publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
+        }
+      ];
+    };
   };
 }
 
 
-# just have all config static (no file systems etc)
+# v just have all config static (no file systems etc)
 # move cfg into global config (like config.privatestorage.monitoring.*)
 # parametrize keys
 #   - (https://wiki.archlinux.org/index.php/WireGuard
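Review bot: The client private key that the previous version embedded in the module (the removed `privateKey = "oFCE…"` line) stays in repository history even though this patch moves to `privateKeyFile`, so it should be treated as exposed and a freshly generated key written to the key file rather than the old value. `publicKeyFile` is declared as an option but never read in the `config` block, so setting it has no effect; either wire it up or drop it until it is used. The `allowedIPs` description mentions only receiving, but WireGuard's AllowedIPs is cryptokey routing and also selects which destination traffic is sent to and encrypted for this peer — suggested wording: `Source IPs accepted from the server peer and destinations routed to it (WireGuard AllowedIPs).` The `ips` default `172.23.23.21/24` is a per-host address, so every client that leaves it unset gets the same IP; make it required like `privateKeyFile` instead of defaulting it.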
-- 
GitLab