From 4f0125b3d845c1841e4098b29f7da77d06d0edb9 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Thu, 13 May 2021 17:38:13 +0000
Subject: [PATCH] VPN WIP
---
morph/lib/make-issuer.nix | 9 +++-
nixos/modules/monitoring/vpn/client.nix | 66 ++++++++++++++++++-------
2 files changed, 57 insertions(+), 18 deletions(-)
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 8556343d..d02d55f5 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -35,7 +35,7 @@
imports = [
hardware
../../nixos/modules/issuer.nix
- ../../nixos/modules/monitoring/vpn/server.nix
+ ../../nixos/modules/monitoring/vpn/client.nix
];
services.private-storage.sshUsers = sshUsers;
@@ -52,4 +52,11 @@
};
system.stateVersion = stateVersion;
+
+ services.private-storage.monitoring.vpn.client = {
+ enable = true;
+ privateKeyFile = "/var/secrets/vpn/private.key";
+ ips = ["172.23.23.21/24"];
+ allowedIPs = ["172.23.23.1/32"];
+ };
}
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 7a2ba177..46f2a5b3 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -1,28 +1,60 @@
# Client section of our Monitoring VPN config
-#{ config, ip, privateKeyPath }:
-
-let
- cfg.server = "192.168.67.21";
- cfg.port = 54321;
- ip = "192.168.42.11";
+{ lib, config, ... }: let
+ cfg = config.services.private-storage.monitoring.vpn;
in {
- networking.wireguard.interfaces.monitoringvpn = {
- ips = [ "${ip}/24" ];
- privateKey = "oFCEeXlRI+iU3UOgNsAOUCaLZFTEKAq4OrVAvusZYGo=";
- peers = [
- {
- allowedIPs = [ "192.168.42.1/32" ];
- endpoint = cfg.server + ":" + toString cfg.port;
- publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
- }
- ];
+ options.services.private-storage.monitoring.vpn.client = {
+ enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
+ privateKeyFile = lib.mkOption {
+ type = lib.types.str;
+ example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
+ description = ''
+ Base64 private key generated by <command>wg genkey</command>.
+ '';
+ };
+ publicKeyFile = lib.mkOption {
+ type = lib.types.str;
+ example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
+ description = ''
+ Base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+ '';
+ };
+ allowedIPs = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ example = lib.literalExample [ "172.23.23.1/32" ];
+ description = ''
+ Limits which IPs this client receives data from.
+ '';
+ };
+ ips = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ example = lib.literalExample [ "172.23.23.11/24" ];
+ default = [ "172.23.23.21/24" ];
+ description = ''
+ The IP addresses of the interface.
+ See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.client.enable {
+ networking.wireguard.interfaces.monitoringvpn = {
+ ips = cfg.client.ips;
+ privateKeyFile = cfg.client.privateKeyFile;
+ peers = [
+ {
+ allowedIPs = cfg.client.allowedIPs;
+ endpoint = "192.168.67.21:54321"; # cfg.server + ":" + toString cfg.port;
+ publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
+ }
+ ];
+ };
};
}
-# just have all config static (no file systems etc)
+# v just have all config static (no file systems etc)
# move cfg into global config (like config.privatestorage.monitoring.*)
# parametrize keys
# - (https://wiki.archlinux.org/index.php/WireGuard
--
GitLab