From 86ce5141baa4f0cecc162b9673f4e3c65f8ee56b Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Thu, 13 May 2021 13:52:42 +0000
Subject: [PATCH] VPN WIP

---
 morph/grid/local/vagrant-guest.nix | 3 ++
 morph/lib/make-issuer.nix | 1 +
 morph/lib/make-testing.nix | 1 +
 nixos/modules/monitoring/vpn/client.nix | 68 ++++++------------------
 4 files changed, 21 insertions(+), 52 deletions(-)

diff --git a/morph/grid/local/vagrant-guest.nix b/morph/grid/local/vagrant-guest.nix
index 8505b2f3..9e8e6d8c 100644
--- a/morph/grid/local/vagrant-guest.nix
+++ b/morph/grid/local/vagrant-guest.nix
@@ -22,6 +22,9 @@ in
 # Enable the OpenSSH daemon.
 services.openssh.enable = true;
+ # Wireguard kernel module
+ boot.extraModulePackages = [ config.boot.kernelPackages.wireguard ];
+
 # Enable DBus
 services.dbus.enable = true;
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 7510b6b8..8556343d 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -35,6 +35,7 @@
 imports = [
 hardware
 ../../nixos/modules/issuer.nix
+ ../../nixos/modules/monitoring/vpn/server.nix
 ];
 services.private-storage.sshUsers = sshUsers;
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index ee1e2db4..d25856a7 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -21,6 +21,7 @@
 imports = [
 hardware
 ../../nixos/modules/private-storage.nix
+ ../../nixos/modules/monitoring/vpn/client.nix
 ];
 services.private-storage =
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 24c8a0ec..7a2ba177 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -1,59 +1,23 @@ # Client section of our Monitoring VPN config -{ lib, config, ... }: let - cfg = config.services.monitoring.vpn; - # cfg.server = "loki"; - # cfg.port = 54321; - #ip = "192.168.42.11"; +#{ config, ip, privateKeyPath }: -in { - - options = { - services.monitoring.vpn.client.enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service"; - services.monitoring.vpn.client.privateKeyFile = lib.mkOption { - type = lib.types.str; - example = lib.literalExample "/var/secrets/monitoring-vpn/host.key"; - description = '' - Base64 private key generated by <command>wg genkey</command>. - ''; - }; - services.monitoring.vpn.client.publicKeyFile = lib.mkOption { - type = lib.types.str; - example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub"; - description = '' - Base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>. - ''; - }; - services.monitoring.vpn.client.allowedIPs = { - type = lib.types.listOf lib.types.str; - example = lib.literalExample [ "172.23.23.1/32" ]; - description = '' - Limits which IPs this client receives data from. - ''; - }; - services.monitoring.vpn.client.ips = { - type = lib.types.listOf lib.types.str; - example = lib.literalExample [ "172.23.23.1/24" ]; - default = [ "172.23.23.1/24" ]; - description = '' - The IP addresses of the interface. - See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix . 
- ''; - }; - }; +let + cfg.server = "192.168.67.21"; + cfg.port = 54321; + ip = "192.168.42.11"; - config = lib.mkIf cfg.client.enable { - networking.wireguard.interfaces.monitoringvpn = { - ips = cfg.client.ips; - privateKeyFile = cfg.client.privateKeyFile; - peers = [ - { - allowedIPs = cfg.client.allowedIPs; - endpoint = "loki:54321"; # cfg.server + ":" + toString cfg.port; - publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU="; - } - ]; - }; +in { + networking.wireguard.interfaces.monitoringvpn = { + ips = [ "${ip}/24" ]; + privateKey = "oFCEeXlRI+iU3UOgNsAOUCaLZFTEKAq4OrVAvusZYGo="; + peers = [ + { + allowedIPs = [ "192.168.42.1/32" ]; + endpoint = cfg.server + ":" + toString cfg.port; + publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU="; + } + ]; }; } -- GitLab
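Review bot: The new `privateKey = "oFCEeXlRI+iU3UOgNsAOUCaLZFTEKAq4OrVAvusZYGo=";` line embeds the WireGuard client private key directly in the Nix expression, which commits it to the repository history and, on deployment, copies it into the world-readable /nix/store; the removed code read it from a file via `privateKeyFile`, which is the form the NixOS wireguard module recommends for exactly this reason. Switch back to `privateKeyFile = "/var/secrets/monitoring-vpn/host.key";` (or restore the former `services.monitoring.vpn.client.privateKeyFile` option) and treat the key in this commit as compromised: generate a fresh pair with `wg genkey` and update the matching peer entry on the server side, since rewriting history alone will not unpublish it. Dropping the `options` block and the `lib.mkIf cfg.client.enable` guard also makes the interface unconditional for every host that imports this module, and with `ip` and `cfg.server` fixed in the `let`, any two importing hosts would share the tunnel address `192.168.42.11` and the same key. If this is meant to stay WIP for now, a header comment such as `# WIP: hard-coded test key and addresses – do not deploy outside the local vagrant grid` would make the intent explicit to the next reader.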