diff --git a/morph/lib/make-storage.nix b/morph/lib/make-storage.nix
index de34394bf1b9094e27c83819c4234d125c0312dd..8a096d3c0a7b75740f9bb96aabba5e939b1c7e98 100644
--- a/morph/lib/make-storage.nix
+++ b/morph/lib/make-storage.nix
@@ -11,11 +11,36 @@
 # to avoid breaking some software such as
 # database servers. You should change this only
 # after NixOS release notes say you should.
-, monitoringvpnKeyDir # The directory that holds the VPN keys.
-, monitoringvpnIPv4 # This node's IP in the monitoring VPN.
-, monitoringvpnEndpoint # The VPN server and port.
+, monitoringvpnKeyDir ? null # The directory that holds the VPN keys.
+, monitoringvpnIPv4 ? null # This node's IP in the monitoring VPN.
+, monitoringvpnEndpoint ? null # The VPN server and port.
 , ...
-}: rec {
+}: let
+
+ enableVpn = monitoringvpnKeyDir != null &&
+ monitoringvpnIPv4 != null &&
+ monitoringvpnEndpoint != null;
+
+ vpnSecrets = if !enableVpn then {} else {
+ "monitoringvpn-secret-key" = {
+ source = monitoringvpnKeyDir + "/${monitoringvpnIPv4}.key";
+ destination = "/run/keys/monitoringvpn/client.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-preshared-key" = {
+ source = monitoringvpnKeyDir + "/preshared.key";
+ destination = "/run/keys/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+
+in rec {
 
 deployment = {
 targetHost = cfg.publicIPv4;
@@ -31,7 +56,7 @@
 # extract it from the tahoe-lafs nixos module somehow?
 action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
 };
- };
+ } // vpnSecrets;
 };
 
 # Any extra NixOS modules to load on this server.
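Review bot: `enableVpn` silently disables the monitoring VPN when only some of the three `monitoringvpn*` arguments are supplied, so a call site that sets `monitoringvpnKeyDir` and `monitoringvpnIPv4` but omits `monitoringvpnEndpoint` evaluates to a host with no VPN secrets and no VPN client instead of failing at evaluation time. A mixed configuration is far more likely a mistake than an intent, and losing the monitoring path quietly is the kind of gap that is only noticed when the node is already in trouble. Consider rejecting the partial case before the attribute set, e.g. `in assert enableVpn || (monitoringvpnKeyDir == null && monitoringvpnIPv4 == null && monitoringvpnEndpoint == null); rec {`, or at least a comment on `enableVpn` stating that the three arguments must be given together. The hunk at `@@ -75,7 +100,7 @@` (`services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {`) inherits the same behaviour and would be covered by the same assertion.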
@@ -75,7 +100,7 @@
 system.stateVersion = stateVersion;
- services.private-storage.monitoring.vpn.client = {
+ services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
 enable = true;
 ip = monitoringvpnIPv4;
 endpoint = monitoringvpnEndpoint;