From ee7d7ca002d9972af8ed3f8951cf89362eb1eead Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Sat, 15 May 2021 00:38:12 +0000
Subject: [PATCH] monitoring vpn wip
---
 morph/lib/make-issuer.nix | 2 +-
 morph/lib/make-monitoring.nix | 37 +++++++++++++++++++++++++
 nixos/modules/monitoring/vpn/client.nix | 17 ++++++------
 3 files changed, 46 insertions(+), 10 deletions(-)
 create mode 100644 morph/lib/make-monitoring.nix
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 271980cf..1365277e 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -30,7 +30,7 @@
 action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
 };
 "monitoringvpn-secret-key" = {
- source = "../PrivateStorageSecrets/monitoringvpn/storage1.key";
+ source = "../../PrivateStorageSecrets/monitoringvpn/storage1.key";
 destination = "/var/secrets/monitoringvpn/client.key";
 owner.user = "root";
 owner.group = "root";
diff --git a/morph/lib/make-monitoring.nix b/morph/lib/make-monitoring.nix
new file mode 100644
index 00000000..cc896a3f
--- /dev/null
+++ b/morph/lib/make-monitoring.nix
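Review bot: The issuer host now sources its monitoring-VPN private key from `monitoringvpn/storage1.key`, a file whose name suggests it belongs to the storage1 host; if storage1 deploys the same file, two WireGuard clients would present one public key and the server could not tell them apart as peers, so a dedicated per-host key for the issuer is worth confirming before this leaves WIP. The corrected `../../PrivateStorageSecrets/...` prefix now matches the paths used by the new make-monitoring.nix in this patch. The `permissions` of this secret are not visible here, and the enclosing `secrets` attribute set continues past the hunk.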
@@ -0,0 +1,37 @@
+{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, ... }: rec {
+
+ deployment = {
+ targetHost = publicIPv4;
+
+ secrets = {
+ "monitoringvpn-private-key" = {
+ source = "../../PrivateStorageSecrets/monitoringvpn/server.key";
+ destination = "/var/secrets/monitoringvpn/server.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-public-key" = {
+ source = "../../PrivateStorageSecrets/monitoringvpn/server.pub";
+ destination = "/var/secrets/monitoringvpn/server.pub";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0444";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ };
+ };
+
+ imports = [
+ hardware
+ ../../nixos/modules/monitoring/vpn/server.nix
+ ];
+
+ services.private-storage.monitoring.vpn.server = {
+ enable = true;
+ ips = [ "172.23.23.10/24" ];
+ };
+
+ system.stateVersion = stateVersion;
+}
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 06aa2553..1faa6d8a 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
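Review bot: The function header declares `publicStoragePort`, `ristrettoSigningKeyPath`, `passValue` and `sshUsers`, but the body uses only `publicIPv4`, `hardware` and `stateVersion`, which reads like a copy of the issuer template; dropping the unused names, or wiring `sshUsers` up if this host is meant to get SSH users from it, would make the new file's contract clear. `rec {` is also unnecessary since no attribute refers to a sibling. The server address `172.23.23.10/24` is the one hard-coded host value while everything else is a parameter; a header comment such as `# Monitoring hub: WireGuard server side of the monitoring VPN. 172.23.23.10 must agree with the endpoint configured on every client.` would record that dependency. The `wireguard-monitoringvpn.service` restart action presumably matches the unit created by server.nix, which is not part of the patch and could not be checked.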
@@ -7,16 +7,16 @@ in {
 options.services.private-storage.monitoring.vpn.client = {
 enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
 privateKeyFile = lib.mkOption {
- type = lib.types.str;
- example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
- default = "/var/secrets/monitoring-vpn/client.key";
+ type = lib.types.path;
+ example = lib.literalExample /var/secrets/monitoringvpn/host.key;
+ default = /var/secrets/monitoringvpn/client.key;
 description = ''
 File with base64 private key generated by <command>wg genkey</command>.
 '';
 };
 publicKeyFile = lib.mkOption {
- type = lib.types.str;
- example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
+ type = lib.types.path;
+ example = lib.literalExample /var/secrets/monitoringvpn/host.pub;
 description = ''
 File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
 '';
@@ -31,7 +31,6 @@ in {
 ips = lib.mkOption {
 type = lib.types.listOf lib.types.str;
 example = lib.literalExample [ "172.23.23.11/24" ];
- default = [ "172.23.23.21/24" ];
 description = ''
 The IP addresses of the interface.
 See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
@@ -46,8 +45,8 @@ in {
 '';
 };
 endpointPublicKeyFile = lib.mkOption {
- type = lib.types.str;
- example = lib.literalExample "/var/secrets/monitoring-vpn/server.pub";
+ type = lib.types.path;
+ example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
 description = ''
 File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
 '';
@@ -57,7 +56,7 @@ in {
 config = lib.mkIf cfg.client.enable {
 networking.wireguard.interfaces.monitoringvpn = {
 ips = cfg.client.ips;
- privateKeyFile = cfg.client.privateKeyFile;
+ privateKeyFile = toString cfg.client.privateKeyFile;
 peers = [
 {
 allowedIPs = cfg.client.allowedIPs;
--
GitLab
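Review bot: `lib.literalExample /var/secrets/monitoringvpn/host.key` hands a Nix path literal to a helper whose argument is the text to render; if option documentation is ever generated, that text ends up in string context, which would likely try to import the file into the Nix store and fail on any machine that does not have it. Keep the examples as strings, `example = lib.literalExample "/var/secrets/monitoringvpn/host.key";`, and likewise for `publicKeyFile` in this hunk and `endpointPublicKeyFile` in the `@@ -46,8 +45,8 @@` hunk. The path-typed `default = /var/secrets/monitoringvpn/client.key;` is safe only as long as every consumer applies `toString` rather than interpolating it, because `"${path}"` copies the private key into the world-readable store; a comment on the option such as `# Path value: consumers must use toString, never "${...}", or the key is imported into /nix/store.` would protect future readers. The option set continues outside the hunk.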
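Review bot: `toString cfg.client.privateKeyFile` deserves a why-comment, because the upstream `networking.wireguard.interfaces.<name>.privateKeyFile` option is, as far as I recall, a string type and, more importantly, writing `"${cfg.client.privateKeyFile}"` instead would copy the private key into the world-readable Nix store; suggested: `# toString, not "${...}": interpolating a path imports the key file into /nix/store.`. Whether the public-key and endpoint options are consumed the same way elsewhere cannot be seen here, since the `config` block continues past the hunk.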