VPN WIP

4f0125b3 · Florian Sesser · 86ce5141 · 4f0125b3 · 4f0125b3
Commit 4f0125b3 authored 3 years ago by Florian Sesser
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -35,7 +35,7 @@
  imports = [
    hardware
    ../../nixos/modules/issuer.nix
-    ../../nixos/modules/monitoring/vpn/server.nix
+    ../../nixos/modules/monitoring/vpn/client.nix
  ];

  services.private-storage.sshUsers = sshUsers;
@@ -52,4 +52,11 @@
  };

  system.stateVersion = stateVersion;
+
+  services.private-storage.monitoring.vpn.client = {
+    enable = true;
+    privateKeyFile = "/var/secrets/vpn/private.key";
+    ips = ["172.23.23.21/24"];
+    allowedIPs = ["172.23.23.1/32"];
+  };
 }
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
 # Client section of our Monitoring VPN config

-#{ config, ip, privateKeyPath }:
-
-let
-  cfg.server = "192.168.67.21";
-  cfg.port = 54321;
-  ip = "192.168.42.11";
+{ lib, config, ... }: let
+  cfg = config.services.private-storage.monitoring.vpn;

 in {
-  networking.wireguard.interfaces.monitoringvpn = {
-    ips = [ "${ip}/24" ];
-    privateKey = "oFCEeXlRI+iU3UOgNsAOUCaLZFTEKAq4OrVAvusZYGo=";
-    peers = [
-      {
-        allowedIPs = [ "192.168.42.1/32" ];
-        endpoint = cfg.server + ":" + toString cfg.port;
-        publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
-      }
-    ];
+  options.services.private-storage.monitoring.vpn.client = {
+    enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
+    privateKeyFile = lib.mkOption {
+      type = lib.types.str;
+      example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
+      description = ''
+        Base64 private key generated by <command>wg genkey</command>.
+      '';
+    };
+    publicKeyFile = lib.mkOption {
+      type = lib.types.str;
+      example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
+      description = ''
+        Base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+      '';
+    };
+    allowedIPs = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      example = lib.literalExample [ "172.23.23.1/32" ];
+      description = ''
+        Limits which IPs this client receives data from.
+      '';
+    };
+    ips = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      example = lib.literalExample [ "172.23.23.11/24" ];
+      default = [ "172.23.23.21/24" ];
+      description = ''
+        The IP addresses of the interface.
+        See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.client.enable {
+    networking.wireguard.interfaces.monitoringvpn = {
+      ips = cfg.client.ips;
+      privateKeyFile = cfg.client.privateKeyFile;
+      peers = [
+        {
+          allowedIPs = cfg.client.allowedIPs;
+          endpoint = "192.168.67.21:54321"; # cfg.server + ":" + toString cfg.port;
+          publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
+        }
+      ];
+    };
  };
 }


-# just have all config static (no file systems etc)
+# v just have all config static (no file systems etc)
 # move cfg into global config (like config.privatestorage.monitoring.*)
 # parametrize keys
 #   - (https://wiki.archlinux.org/index.php/WireGuard