diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 271980cfd87e214312112d300642cfc8996f261c..1365277e91a318ada5a3fc933586cd5ef8d67b34 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -30,7 +30,7 @@
 action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
 };
 "monitoringvpn-secret-key" = {
- source = "../PrivateStorageSecrets/monitoringvpn/storage1.key";
+ source = "../../PrivateStorageSecrets/monitoringvpn/storage1.key";
 destination = "/var/secrets/monitoringvpn/client.key";
 owner.user = "root";
 owner.group = "root";
diff --git a/morph/lib/make-monitoring.nix b/morph/lib/make-monitoring.nix
new file mode 100644
index 0000000000000000000000000000000000000000..cc896a3ffd34274a686b445f064ce31bf6ca9dc9
--- /dev/null
+++ b/morph/lib/make-monitoring.nix
@@ -0,0 +1,37 @@
+{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, ... }: rec {
+
+ deployment = {
+ targetHost = publicIPv4;
+
+ secrets = {
+ "monitoringvpn-private-key" = {
+ source = "../../PrivateStorageSecrets/monitoringvpn/server.key";
+ destination = "/var/secrets/monitoringvpn/server.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-public-key" = {
+ source = "../../PrivateStorageSecrets/monitoringvpn/server.pub";
+ destination = "/var/secrets/monitoringvpn/server.pub";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0444";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+ };
+
+ imports = [
+ hardware
+ ../../nixos/modules/monitoring/vpn/server.nix
+ ];
+
+ services.private-storage.monitoring.vpn.server = {
+ enable = true;
+ ips = [ "172.23.23.10/24" ];
+ };
+
+ system.stateVersion = stateVersion;
+}
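Review bot: The issuer host's WireGuard client identity is still sourced from `storage1.key` on the corrected `source` line, so if the storage node deploys the same file, both peers present one public key to the server, and WireGuard keeps a single endpoint per peer, meaning whichever host handshakes last wins. If that reuse is intentional it should be stated next to the line; otherwise this host needs its own key, e.g. `source = "../../PrivateStorageSecrets/monitoringvpn/issuer.key";`. The enclosing `secrets` attribute set starts and ends outside the hunk.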
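Review bot: Of the named arguments on the first line only `publicIPv4`, `hardware` and `stateVersion` are used; `sshUsers` in particular is accepted but never wired into any `users` or `services.openssh` option in this file, so unless the `hardware` module does that, the monitoring host is deployed without the operator SSH accounts the sibling `make-*` modules presumably configure. Either consume it the way those modules do or drop the unused `publicStoragePort`, `ristrettoSigningKeyPath`, `passValue` and `sshUsers` names, since `...` already tolerates extra attributes. The hard-coded `ips = [ "172.23.23.10/24" ]` also deserves a comment such as `# Server address on the monitoring VPN; each client needs a distinct address in this /24.` so that nobody hands a client the same address.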
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 06aa255396a18ee45b3c1a12ae27645dd26080eb..1faa6d8a2babc15f6544016ba0022bd1e672b4b1 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -7,16 +7,16 @@ in {
 options.services.private-storage.monitoring.vpn.client = {
 enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
 privateKeyFile = lib.mkOption {
- type = lib.types.str;
- example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
- default = "/var/secrets/monitoring-vpn/client.key";
+ type = lib.types.path;
+ example = lib.literalExample /var/secrets/monitoringvpn/host.key;
+ default = /var/secrets/monitoringvpn/client.key;
 description = ''
 File with base64 private key generated by <command>wg genkey</command>.
 '';
 };
 publicKeyFile = lib.mkOption {
- type = lib.types.str;
- example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
+ type = lib.types.path;
+ example = lib.literalExample /var/secrets/monitoringvpn/host.pub;
 description = ''
 File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
 '';
@@ -31,7 +31,6 @@ in {
 ips = lib.mkOption {
 type = lib.types.listOf lib.types.str;
 example = lib.literalExample [ "172.23.23.11/24" ];
- default = [ "172.23.23.21/24" ];
 description = ''
 The IP addresses of the interface. See
 https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
@@ -46,8 +45,8 @@ in {
 '';
 };
 endpointPublicKeyFile = lib.mkOption {
- type = lib.types.str;
- example = lib.literalExample "/var/secrets/monitoring-vpn/server.pub";
+ type = lib.types.path;
+ example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
 description = ''
 File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
 '';
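Review bot: With `default = /var/secrets/monitoringvpn/client.key` now a Nix path literal, any consumer that interpolates the option into a string or a derivation (`"${cfg.client.privateKeyFile}"`) would copy the private key into the world-readable Nix store; the hunk at line 57 avoids this with `toString`, but nothing in the option itself warns the next consumer. Add to the `privateKeyFile` description: `Never interpolate this value into a string or derivation; a path literal would be copied into the world-readable Nix store. Use toString to obtain the filesystem path.` Note also that `lib.types.path` still accepts plain string values, so the type change is a convenience rather than a safeguard.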
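Review bot: Dropping the `default` of `ips` makes the option required (evaluation fails when a client leaves it unset), which is the right fix for the shared-address problem but is not reflected in the description. Extend it with a line such as `Required: give every client its own address inside the server's /24 (see make-monitoring.nix); duplicates break routing.` The description text runs past the end of the hunk.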
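Review bot: The `description` of `endpointPublicKeyFile` is a verbatim copy of the one on `publicKeyFile` and does not say whose key it is, so a reader cannot tell that this is the server's key rather than this host's. Suggest `File with the base64 public key of the VPN server (endpoint) this client connects to, as produced by <command>wg pubkey</command>.` The option's closing brace is outside the hunk.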
@@ -57,7 +56,7 @@ in {
 config = lib.mkIf cfg.client.enable {
 networking.wireguard.interfaces.monitoringvpn = {
 ips = cfg.client.ips;
- privateKeyFile = cfg.client.privateKeyFile;
+ privateKeyFile = toString cfg.client.privateKeyFile;
 peers = [
 {
 allowedIPs = cfg.client.allowedIPs;
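Review bot: The `toString` on the new `privateKeyFile` line is load-bearing and needs a why-comment, because a later "simplification" to `"${cfg.client.privateKeyFile}"` would evaluate cleanly yet import the private key into the world-readable Nix store. Suggest placing `# toString yields the absolute path without copying the key file into /nix/store.` directly above it. The `config` block and the `peers` list continue beyond the hunk.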