diff --git a/nixos/modules/monitoring/vpn/server.nix b/nixos/modules/monitoring/vpn/server.nix
new file mode 100644
index 0000000000000000000000000000000000000000..93c5c0d9133a3a3abb27e2a5472cf98ccee5ddbd
--- /dev/null
+++ b/nixos/modules/monitoring/vpn/server.nix
@@ -0,0 +1,63 @@
+# Server section of our Monitoring VPN config
+
+{ lib, config, ... }: let
+ cfg = config.services.private-storage.monitoring.vpn;
+
+in {
+ options.services.private-storage.monitoring.vpn.server = {
+ enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN server service";
+ privateKeyFile = lib.mkOption {
+ type = lib.types.path;
+ example = lib.literalExample /var/secrets/monitoringvpn/server.key;
+ default = /var/secrets/monitoringvpn/server.key;
+ description = ''
+ File with base64 private key generated by <command>wg genkey</command>.
+ '';
+ };
+ publicKeyFile = lib.mkOption {
+ type = lib.types.path;
+ example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
+ default = /var/secrets/monitoringvpn/server.pub;
+ description = ''
+ File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+ '';
+ };
+ ips = lib.mkOption {
+ type = lib.types.listOf lib.types.str;
+ example = lib.literalExample [ "172.23.23.10/24" ];
+ description = ''
+ The IP addresses of the interface.
+ See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
+ '';
+ };
+ port = lib.mkOption {
+ type = lib.types.port;
+ example = lib.literalExample 54321;
+ default = 54321;
+ description = ''
+ The UDP port to listen on.
+ '';
+ };
+ };
+
+ config = lib.mkIf cfg.server.enable {
+ networking.firewall.allowedUDPPorts = [ cfg.server.port ];
+
+ networking.wireguard.interfaces.monitoringvpn = {
+ ips = cfg.server.ips;
+ listenPort = cfg.server.port;
+ privateKeyFile = toString cfg.server.privateKeyFile;
+ peers = [
+ { # node1
+ allowedIPs = [ "192.168.42.21/32" ];
+ publicKey = "tZ295cvD98ixt/VH4dwPKNgHf9MuhuzsossOWBOOoGU=";
+ }
+ { # node2
+ allowedIPs = [ "192.168.42.22/32" ];
+ publicKey = "zDxWTejJDXRRmUiMZPC7eVSCDdyFikN9VI6cqapQ6RY=";
+ }
+ ];
+ };
+ };
+}
+
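Review bot: The `publicKeyFile` option in the `options` block is declared with a default and description but is never read anywhere in the `config` block, so setting it has no effect on the generated WireGuard interface; either drop it or add a comment at its declaration such as `# Not consumed here; kept so client configs can be derived from the same path.` so the next reader does not assume it is wired up. The `ips` example `172.23.23.10/24` is in a different subnet from the peers' `allowedIPs` (`192.168.42.21/32`, `192.168.42.22/32`), so a deployer who copies the example gets a tunnel over which those peers are not routable; the example should use the same `192.168.42.0/24` range, or the peer addresses should become options alongside `ips`. The peer list and its public keys are hard-coded in the module body, which means adding or rotating a node edits this file rather than host configuration; a `peers` option typed `lib.types.listOf lib.types.attrs` that `config` passes through would keep the module reusable without changing current behaviour. Keeping each peer's `allowedIPs` at `/32` is the right choice here, since it bounds which in-tunnel source address each key may claim, and `toString cfg.server.privateKeyFile` correctly avoids copying the key into the Nix store.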