From 86ce5141baa4f0cecc162b9673f4e3c65f8ee56b Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Thu, 13 May 2021 13:52:42 +0000
Subject: [PATCH] VPN WIP
---
morph/grid/local/vagrant-guest.nix | 3 ++
morph/lib/make-issuer.nix | 1 +
morph/lib/make-testing.nix | 1 +
nixos/modules/monitoring/vpn/client.nix | 68 ++++++-------------------
4 files changed, 21 insertions(+), 52 deletions(-)
diff --git a/morph/grid/local/vagrant-guest.nix b/morph/grid/local/vagrant-guest.nix
index 8505b2f3..9e8e6d8c 100644
--- a/morph/grid/local/vagrant-guest.nix
+++ b/morph/grid/local/vagrant-guest.nix
@@ -22,6 +22,9 @@ in
# Enable the OpenSSH daemon.
services.openssh.enable = true;
+ # Wireguard kernel module
+ boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+
# Enable DBus
services.dbus.enable = true;
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 7510b6b8..8556343d 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -35,6 +35,7 @@
imports = [
hardware
../../nixos/modules/issuer.nix
+ ../../nixos/modules/monitoring/vpn/server.nix
];
services.private-storage.sshUsers = sshUsers;
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index ee1e2db4..d25856a7 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -21,6 +21,7 @@
imports = [
hardware
../../nixos/modules/private-storage.nix
+ ../../nixos/modules/monitoring/vpn/client.nix
];
services.private-storage =
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 24c8a0ec..7a2ba177 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -1,59 +1,23 @@
# Client section of our Monitoring VPN config
-{ lib, config, ... }: let
- cfg = config.services.monitoring.vpn;
- # cfg.server = "loki";
- # cfg.port = 54321;
- #ip = "192.168.42.11";
+#{ config, ip, privateKeyPath }:
-in {
-
- options = {
- services.monitoring.vpn.client.enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
- services.monitoring.vpn.client.privateKeyFile = lib.mkOption {
- type = lib.types.str;
- example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
- description = ''
- Base64 private key generated by <command>wg genkey</command>.
- '';
- };
- services.monitoring.vpn.client.publicKeyFile = lib.mkOption {
- type = lib.types.str;
- example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
- description = ''
- Base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
- '';
- };
- services.monitoring.vpn.client.allowedIPs = {
- type = lib.types.listOf lib.types.str;
- example = lib.literalExample [ "172.23.23.1/32" ];
- description = ''
- Limits which IPs this client receives data from.
- '';
- };
- services.monitoring.vpn.client.ips = {
- type = lib.types.listOf lib.types.str;
- example = lib.literalExample [ "172.23.23.1/24" ];
- default = [ "172.23.23.1/24" ];
- description = ''
- The IP addresses of the interface.
- See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
- '';
- };
- };
+let
+ cfg.server = "192.168.67.21";
+ cfg.port = 54321;
+ ip = "192.168.42.11";
- config = lib.mkIf cfg.client.enable {
- networking.wireguard.interfaces.monitoringvpn = {
- ips = cfg.client.ips;
- privateKeyFile = cfg.client.privateKeyFile;
- peers = [
- {
- allowedIPs = cfg.client.allowedIPs;
- endpoint = "loki:54321"; # cfg.server + ":" + toString cfg.port;
- publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
- }
- ];
- };
+in {
+ networking.wireguard.interfaces.monitoringvpn = {
+ ips = [ "${ip}/24" ];
+ privateKey = "oFCEeXlRI+iU3UOgNsAOUCaLZFTEKAq4OrVAvusZYGo=";
+ peers = [
+ {
+ allowedIPs = [ "192.168.42.1/32" ];
+ endpoint = cfg.server + ":" + toString cfg.port;
+ publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
+ }
+ ];
};
}
--
GitLab