diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 271980cfd87e214312112d300642cfc8996f261c..1365277e91a318ada5a3fc933586cd5ef8d67b34 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -30,7 +30,7 @@
action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
};
"monitoringvpn-secret-key" = {
- source = "../PrivateStorageSecrets/monitoringvpn/storage1.key";
+ source = "../../PrivateStorageSecrets/monitoringvpn/storage1.key";
destination = "/var/secrets/monitoringvpn/client.key";
owner.user = "root";
owner.group = "root";
diff --git a/morph/lib/make-monitoring.nix b/morph/lib/make-monitoring.nix
new file mode 100644
index 0000000000000000000000000000000000000000..cc896a3ffd34274a686b445f064ce31bf6ca9dc9
--- /dev/null
+++ b/morph/lib/make-monitoring.nix
@@ -0,0 +1,37 @@
+{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, ... }: rec {
+
+ deployment = {
+ targetHost = publicIPv4;
+
+ secrets = {
+ "monitoringvpn-private-key" = {
+ source = "../../PrivateStorageSecrets/monitoringvpn/server.key";
+ destination = "/var/secrets/monitoringvpn/server.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-public-key" = {
+ source = "../../PrivateStorageSecrets/monitoringvpn/server.pub";
+ destination = "/var/secrets/monitoringvpn/server.pub";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0444";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+ };
+
+ imports = [
+ hardware
+ ../../nixos/modules/monitoring/vpn/server.nix
+ ];
+
+ services.private-storage.monitoring.vpn.server = {
+ enable = true;
+ ips = [ "172.23.23.10/24" ];
+ };
+
+ system.stateVersion = stateVersion;
+}
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 06aa255396a18ee45b3c1a12ae27645dd26080eb..1faa6d8a2babc15f6544016ba0022bd1e672b4b1 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -7,16 +7,16 @@ in {
options.services.private-storage.monitoring.vpn.client = {
enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
privateKeyFile = lib.mkOption {
- type = lib.types.str;
- example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
- default = "/var/secrets/monitoring-vpn/client.key";
+ type = lib.types.path;
+ example = lib.literalExample /var/secrets/monitoringvpn/host.key;
+ default = /var/secrets/monitoringvpn/client.key;
description = ''
File with base64 private key generated by <command>wg genkey</command>.
'';
};
publicKeyFile = lib.mkOption {
- type = lib.types.str;
- example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
+ type = lib.types.path;
+ example = lib.literalExample /var/secrets/monitoringvpn/host.pub;
description = ''
File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
'';
@@ -31,7 +31,6 @@ in {
ips = lib.mkOption {
type = lib.types.listOf lib.types.str;
example = lib.literalExample [ "172.23.23.11/24" ];
- default = [ "172.23.23.21/24" ];
description = ''
The IP addresses of the interface.
See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
@@ -46,8 +45,8 @@ in {
'';
};
endpointPublicKeyFile = lib.mkOption {
- type = lib.types.str;
- example = lib.literalExample "/var/secrets/monitoring-vpn/server.pub";
+ type = lib.types.path;
+ example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
description = ''
File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
'';
@@ -57,7 +56,7 @@ in {
config = lib.mkIf cfg.client.enable {
networking.wireguard.interfaces.monitoringvpn = {
ips = cfg.client.ips;
- privateKeyFile = cfg.client.privateKeyFile;
+ privateKeyFile = toString cfg.client.privateKeyFile;
peers = [
{
allowedIPs = cfg.client.allowedIPs;