From 4f0125b3d845c1841e4098b29f7da77d06d0edb9 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Thu, 13 May 2021 17:38:13 +0000
Subject: [PATCH] VPN WIP

---
 morph/lib/make-issuer.nix | 9 +++-
 nixos/modules/monitoring/vpn/client.nix | 66 ++++++++++++++++++-------
 2 files changed, 57 insertions(+), 18 deletions(-)

diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 8556343d..d02d55f5 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -35,7 +35,7 @@
 imports = [
 hardware
 ../../nixos/modules/issuer.nix
- ../../nixos/modules/monitoring/vpn/server.nix
+ ../../nixos/modules/monitoring/vpn/client.nix
 ];
 
 services.private-storage.sshUsers = sshUsers;
@@ -52,4 +52,11 @@
 };
 
 system.stateVersion = stateVersion;
+
+ services.private-storage.monitoring.vpn.client = {
+ enable = true;
+ privateKeyFile = "/var/secrets/vpn/private.key";
+ ips = ["172.23.23.21/24"];
+ allowedIPs = ["172.23.23.1/32"];
+ };
 }
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 7a2ba177..46f2a5b3 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
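Review bot: In the `@@ -52,4 +52,11 @@` hunk, `privateKeyFile = "/var/secrets/vpn/private.key"` names a file that nothing in this commit provisions, and the path differs from the example the client module documents (`/var/secrets/monitoring-vpn/host.key`); a comment saying how the key reaches the host and who may read it would help the next reader, e.g. `# Deployed out of band, never via the Nix store; should be readable by root only.` — presumably morph secrets, but that is not visible here. The explicit `ips = ["172.23.23.21/24"]` merely repeats the module's default, and a tunnel address is per host, so either drop the line here or make the module option required; as it stands a second host that imports the module without setting `ips` would get the same address as this issuer. `allowedIPs = ["172.23.23.1/32"]` sensibly restricts the tunnel to the single monitoring peer.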
@@ -1,28 +1,60 @@ # Client section of our Monitoring VPN config -#{ config, ip, privateKeyPath }: - -let - cfg.server = "192.168.67.21"; - cfg.port = 54321; - ip = "192.168.42.11"; +{ lib, config, ... }: let + cfg = config.services.private-storage.monitoring.vpn; in { - networking.wireguard.interfaces.monitoringvpn = { - ips = [ "${ip}/24" ]; - privateKey = "oFCEeXlRI+iU3UOgNsAOUCaLZFTEKAq4OrVAvusZYGo="; - peers = [ - { - allowedIPs = [ "192.168.42.1/32" ]; - endpoint = cfg.server + ":" + toString cfg.port; - publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU="; - } - ]; + options.services.private-storage.monitoring.vpn.client = { + enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service"; + privateKeyFile = lib.mkOption { + type = lib.types.str; + example = lib.literalExample "/var/secrets/monitoring-vpn/host.key"; + description = '' + Base64 private key generated by <command>wg genkey</command>. + ''; + }; + publicKeyFile = lib.mkOption { + type = lib.types.str; + example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub"; + description = '' + Base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>. + ''; + }; + allowedIPs = lib.mkOption { + type = lib.types.listOf lib.types.str; + example = lib.literalExample [ "172.23.23.1/32" ]; + description = '' + Limits which IPs this client receives data from. + ''; + }; + ips = lib.mkOption { + type = lib.types.listOf lib.types.str; + example = lib.literalExample [ "172.23.23.11/24" ]; + default = [ "172.23.23.21/24" ]; + description = '' + The IP addresses of the interface. + See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix . 
+ ''; + }; + }; + + config = lib.mkIf cfg.client.enable { + networking.wireguard.interfaces.monitoringvpn = { + ips = cfg.client.ips; + privateKeyFile = cfg.client.privateKeyFile; + peers = [ + { + allowedIPs = cfg.client.allowedIPs; + endpoint = "192.168.67.21:54321"; # cfg.server + ":" + toString cfg.port; + publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU="; + } + ]; + }; }; } -# just have all config static (no file systems etc) +# v just have all config static (no file systems etc) # move cfg into global config (like config.privatestorage.monitoring.*) # parametrize keys # - (https://wiki.archlinux.org/index.php/WireGuard -- GitLab
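Review bot: The private key `oFCEeXlRI+iU3UOgNsAOUCaLZFTEKAq4OrVAvusZYGo=` that this hunk removes from `privateKey` stays in git history, so it should be treated as disclosed: generate a fresh key with `wg genkey` for the file referenced by `privateKeyFile`, and replace the matching peer entry on the monitoring server. Keeping `privateKeyFile` as `lib.types.str` rather than `lib.types.path` is the right choice (a `path` value would be copied into the world-readable Nix store), and the description should say it is a path and why, e.g. `Path to a file containing the base64 private key generated by <command>wg genkey</command>. A string, not a path literal, so the key is never copied into the Nix store.`. The `allowedIPs` description is misleading: for a WireGuard peer, AllowedIPs is both the set of source addresses accepted from that peer and the set of destinations routed to it, so `Source addresses accepted from, and destinations routed to, the monitoring server peer.` describes what the option actually controls. `publicKeyFile` is declared but nothing in `config` reads it, and the peer `endpoint` and `publicKey` remain hard-coded in the module rather than being options; the trailing TODO comment acknowledges the latter.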