From ccf607f10b2cce46ea909bd933c834dc5986f505 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Mon, 31 May 2021 09:09:46 +0000
Subject: [PATCH] Add optionality and customizable vpnEndpoint to make-storage.nix
---
 morph/lib/make-storage.nix | 37 +++++++++++++++++++++++++++++++------
 1 file changed, 31 insertions(+), 6 deletions(-)
diff --git a/morph/lib/make-storage.nix b/morph/lib/make-storage.nix
index de34394b..8a096d3c 100644
--- a/morph/lib/make-storage.nix
+++ b/morph/lib/make-storage.nix
@@ -11,11 +11,36 @@
 # to avoid breaking some software such as
 # database servers. You should change this only
 # after NixOS release notes say you should.
-, monitoringvpnKeyDir # The directory that holds the VPN keys.
-, monitoringvpnIPv4 # This node's IP in the monitoring VPN.
-, monitoringvpnEndpoint # The VPN server and port.
+, monitoringvpnKeyDir ? null # The directory that holds the VPN keys.
+, monitoringvpnIPv4 ? null # This node's IP in the monitoring VPN.
+, monitoringvpnEndpoint ? null # The VPN server and port.
 , ...
-}: rec {
+}: let
+ enableVpn = monitoringvpnKeyDir != null &&
+ monitoringvpnIPv4 != null &&
+ monitoringvpnEndpoint != null;
+ vpnSecrets = if !enableVpn then {} else {
+ "monitoringvpn-secret-key" = {
+ source = monitoringvpnKeyDir + "/${monitoringvpnIPv4}.key";
+ destination = "/run/keys/monitoringvpn/client.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-preshared-key" = {
+ source = monitoringvpnKeyDir + "/preshared.key";
+ destination = "/run/keys/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+
+in rec {
 deployment = {
 targetHost = cfg.publicIPv4;
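Review bot: `enableVpn` switches the monitoring VPN off whenever any one of the three new `? null` parameters is missing, so a caller that passes two of them (say the key directory and the IP but not the endpoint) gets a node with neither the WireGuard secrets nor, via the third hunk's `services.private-storage.monitoring.vpn.client = if !enableVpn then {} else { ... }`, the VPN client, and as far as these hunks show no evaluation error points that out. Losing the monitoring path is exactly the kind of gap an operator does not notice, so I would reject the partial case at evaluation time instead of defaulting it away: `vpnArgs = [ monitoringvpnKeyDir monitoringvpnIPv4 monitoringvpnEndpoint ];`, `enableVpn = builtins.all (x: x != null) vpnArgs;` and `in assert enableVpn || builtins.all (x: x == null) vpnArgs; rec {`. A comment next to `enableVpn` stating the contract would also help the next reader, e.g. `# The monitoring VPN is configured only when all three parameters are given; a partial set is rejected by the assert below.`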
@@ -31,7 +56,7 @@
 # extract it from the tahoe-lafs nixos module somehow?
 action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
 };
- };
+ } // vpnSecrets;
 };
 # Any extra NixOS modules to load on this server.
@@ -75,7 +100,7 @@
 system.stateVersion = stateVersion;
- services.private-storage.monitoring.vpn.client = {
+ services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
 enable = true;
 ip = monitoringvpnIPv4;
 endpoint = monitoringvpnEndpoint;
--
GitLab
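Review bot: The `if !enableVpn then {} else { ... }` form on the `services.private-storage.monitoring.vpn.client` line (and the matching `vpnSecrets` definition in the first hunk) reads as a double negative, and the reader has to flip it to see that the attribute set is the enabled case. If `lib` is among this function's arguments — the argument list is outside this hunk, so I cannot tell — `services.private-storage.monitoring.vpn.client = lib.optionalAttrs enableVpn { ... };` says the same thing without the inverted branch. The attribute set's body continues past the end of the hunk.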