From ccf607f10b2cce46ea909bd933c834dc5986f505 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Mon, 31 May 2021 09:09:46 +0000
Subject: [PATCH] Add optionality and customizable vpnEndpoint to
 make-storage.nix

---
 morph/lib/make-storage.nix | 37 +++++++++++++++++++++++++++++++------
 1 file changed, 31 insertions(+), 6 deletions(-)

diff --git a/morph/lib/make-storage.nix b/morph/lib/make-storage.nix
index de34394b..8a096d3c 100644
--- a/morph/lib/make-storage.nix
+++ b/morph/lib/make-storage.nix
@@ -11,11 +11,36 @@
                              # to avoid breaking some software such as
                              # database servers. You should change this only
                              # after NixOS release notes say you should.
-, monitoringvpnKeyDir        # The directory that holds the VPN keys.
-, monitoringvpnIPv4          # This node's IP in the monitoring VPN.
-, monitoringvpnEndpoint      # The VPN server and port.
+, monitoringvpnKeyDir ? null # The directory that holds the VPN keys.
+, monitoringvpnIPv4 ? null   # This node's IP in the monitoring VPN.
+, monitoringvpnEndpoint ? null # The VPN server and port.
 , ...
-}: rec {
+}: let
+
+  enableVpn = monitoringvpnKeyDir != null &&
+              monitoringvpnIPv4 != null &&
+              monitoringvpnEndpoint != null;
+
+  vpnSecrets = if !enableVpn then {} else {
+    "monitoringvpn-secret-key" = {
+      source = monitoringvpnKeyDir + "/${monitoringvpnIPv4}.key";
+      destination = "/run/keys/monitoringvpn/client.key";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+    };
+    "monitoringvpn-preshared-key" = {
+      source = monitoringvpnKeyDir + "/preshared.key";
+      destination = "/run/keys/monitoringvpn/preshared.key";
+      owner.user = "root";
+      owner.group = "root";
+      permissions = "0400";
+      action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+    };
+  };
+
+in rec {
   deployment = {
     targetHost = cfg.publicIPv4;
 
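Review bot: A partially supplied VPN configuration is silently ignored: `enableVpn` (lines 29–31) is true only when all three of `monitoringvpnKeyDir`, `monitoringvpnIPv4` and `monitoringvpnEndpoint` are set, so a call site that passes two of them (or misspells one, since `...` at line 25 accepts unknown arguments) gets no WireGuard secrets and no VPN client with no error, and the node quietly drops off the monitoring network. Since the defaults now make every argument optional, the all-or-nothing contract should be enforced where it is decided, e.g. `in assert enableVpn || (monitoringvpnKeyDir == null && monitoringvpnIPv4 == null && monitoringvpnEndpoint == null); rec {` in place of line 52, and the comment on line 22 could state it: `# Optional; if set, monitoringvpnIPv4 and monitoringvpnEndpoint must be set too.`. The two secret entries (lines 34–49) differ only in `source` and `destination`; the shared `owner`/`permissions`/`action` fields could be one local attrset merged into both with `//` so a future permission change cannot drift between the two keys. The function's argument list begins before this hunk.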
@@ -31,7 +56,7 @@
         # extract it from the tahoe-lafs nixos module somehow?
         action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
       };
-    };
+    } // vpnSecrets;
   };
 
   # Any extra NixOS modules to load on this server.
@@ -75,7 +100,7 @@
 
   system.stateVersion = stateVersion;
 
-  services.private-storage.monitoring.vpn.client = {
+  services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
     enable = true;
     ip = monitoringvpnIPv4;
     endpoint = monitoringvpnEndpoint;
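Review bot: The `if !enableVpn then {} else {` form on line 70 repeats the pattern already used for `vpnSecrets` in the first hunk; if `lib` is in scope for this file (not visible here), `services.private-storage.monitoring.vpn.client = lib.optionalAttrs enableVpn {` expresses the same thing without the negation and the empty-set branch. Whichever form is kept, a short comment such as `# Left unset (module defaults) when the monitoring VPN is not configured for this node.` would make the disabled case explicit to the next reader, since `{}` here relies on the module's own default for `enable`. The attribute set assigned on line 70 closes outside this hunk.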
-- 
GitLab