From ee7d7ca002d9972af8ed3f8951cf89362eb1eead Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Sat, 15 May 2021 00:38:12 +0000
Subject: [PATCH] monitoring vpn wip

---
 morph/lib/make-issuer.nix               |  2 +-
 morph/lib/make-monitoring.nix           | 37 +++++++++++++++++++++++++
 nixos/modules/monitoring/vpn/client.nix | 17 ++++++------
 3 files changed, 46 insertions(+), 10 deletions(-)
 create mode 100644 morph/lib/make-monitoring.nix

diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 271980cf..1365277e 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -30,7 +30,7 @@
         action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
       };
       "monitoringvpn-secret-key" = {
-        source = "../PrivateStorageSecrets/monitoringvpn/storage1.key";
+        source = "../../PrivateStorageSecrets/monitoringvpn/storage1.key";
         destination = "/var/secrets/monitoringvpn/client.key";
         owner.user = "root";
         owner.group = "root";
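Review bot: The corrected `source` still hard-codes `storage1.key` inside `make-issuer.nix`, which is a per-host factory, so every issuer built from it would be deployed with the same WireGuard private key and the VPN server would see them as a single peer (harmless if only one issuer exists, but a silent key-sharing hazard otherwise). Consider taking the key source as a parameter, e.g. `source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnKeyName}";`. The secret is also named `monitoringvpn-secret-key` here but `monitoringvpn-private-key` in the new `make-monitoring.nix`; aligning the names makes grepping the secrets inventory easier. The enclosing `secrets` attrset continues outside the hunk, so the permissions and restart action for this entry are not visible.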
diff --git a/morph/lib/make-monitoring.nix b/morph/lib/make-monitoring.nix
new file mode 100644
index 00000000..cc896a3f
--- /dev/null
+++ b/morph/lib/make-monitoring.nix
@@ -0,0 +1,37 @@
+{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, ... }: rec {
+
+  deployment = {
+    targetHost = publicIPv4;
+
+    secrets = {
+      "monitoringvpn-private-key" = {
+        source = "../../PrivateStorageSecrets/monitoringvpn/server.key";
+        destination = "/var/secrets/monitoringvpn/server.key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+      };
+      "monitoringvpn-public-key" = {
+        source = "../../PrivateStorageSecrets/monitoringvpn/server.pub";
+        destination = "/var/secrets/monitoringvpn/server.pub";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0444";
+        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+      };
+    };
+  };
+
+  imports = [
+    hardware
+    ../../nixos/modules/monitoring/vpn/server.nix
+  ];
+
+  services.private-storage.monitoring.vpn.server = {
+    enable = true;
+    ips = [ "172.23.23.10/24" ];
+  };
+
+  system.stateVersion = stateVersion;
+}
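Review bot: The function signature at the top of the new file accepts `publicStoragePort`, `ristrettoSigningKeyPath`, `passValue` and `sshUsers`, but none of them is used anywhere in the body; this looks copied from `make-issuer.nix` and should be trimmed to `{ publicIPv4, hardware, stateVersion, ... }: {` (the `rec` is unused as well, since no attribute refers to a sibling). Dropping `sshUsers` deliberately is fine only if the `hardware` module or `server.nix` provisions administrative access some other way — that is not visible here and deserves a comment if so. The server's VPN address `172.23.23.10/24` is a hard-coded constant that clients' `endpoint`/`allowedIPs` must agree with; either parameterize it or add a comment such as `# Must match the endpoint configured in the monitoring VPN clients.`. Nothing in this file opens the WireGuard listen port in the firewall; presumably `server.nix` does, but that should be confirmed before deploying.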
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 06aa2553..1faa6d8a 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -7,16 +7,16 @@ in {
   options.services.private-storage.monitoring.vpn.client = {
     enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";
     privateKeyFile = lib.mkOption {
-      type = lib.types.str;
-      example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
-      default = "/var/secrets/monitoring-vpn/client.key";
+      type = lib.types.path;
+      example = lib.literalExample /var/secrets/monitoringvpn/host.key;
+      default = /var/secrets/monitoringvpn/client.key;
       description = ''
         File with base64 private key generated by <command>wg genkey</command>.
       '';
     };
     publicKeyFile = lib.mkOption {
-      type = lib.types.str;
-      example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
+      type = lib.types.path;
+      example = lib.literalExample /var/secrets/monitoringvpn/host.pub;
       description = ''
         File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
       '';
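Review bot: Switching `privateKeyFile` to `lib.types.path` with a path-literal default introduces a hazard the description should warn about: if any consumer interpolates the value into a string (`"${cfg.client.privateKeyFile}"`) Nix copies the file into the world-readable store, which for a WireGuard private key is a key leak. Extend the description with something like `This path is deliberately passed to WireGuard with toString rather than string interpolation, since interpolating a path literal would copy the key into the Nix store. The file should be root-owned and mode 0400.` While here, the `publicKeyFile` description's `cat private.key | wg pubkey > pubkey.pub` would read more naturally as `wg pubkey < private.key > pubkey.pub`.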
@@ -31,7 +31,6 @@ in {
     ips = lib.mkOption {
       type = lib.types.listOf lib.types.str;
       example = lib.literalExample [ "172.23.23.11/24" ];
-      default = [ "172.23.23.21/24" ];
       description = ''
         The IP addresses of the interface.
         See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
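Review bot: Removing the `ips` default is the right call, since a shared default would give every client the same VPN address, but the description should now state the consequence: each client must set a unique address in the VPN subnet that matches its `allowedIPs` entry on the server. Suggested addition to the description: `Required. Every client needs a distinct address in the monitoring VPN subnet; it must match the peer entry for this host on the VPN server.`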
@@ -46,8 +45,8 @@ in {
       '';
     };
     endpointPublicKeyFile = lib.mkOption {
-      type = lib.types.str;
-      example = lib.literalExample "/var/secrets/monitoring-vpn/server.pub";
+      type = lib.types.path;
+      example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
       description = ''
         File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
       '';
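Review bot: The `endpointPublicKeyFile` description is the same copy-pasted text as `publicKeyFile` ("generated by cat private.key | wg pubkey"), which misleads: this option holds the VPN server's public key, not one derived from this host's private key. Suggested wording: `File with the base64 WireGuard public key of the monitoring VPN server, as distributed by the deployment (see make-monitoring.nix). This is not derived from this host's key.` How this path is consumed (e.g. via builtins.readFile) is outside the hunk, so the store-copy concern only matters if it is ever interpolated into a string — for a public key that is not a confidentiality problem, but worth keeping consistent with the private-key handling.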
@@ -57,7 +56,7 @@ in {
   config = lib.mkIf cfg.client.enable {
     networking.wireguard.interfaces.monitoringvpn = {
       ips = cfg.client.ips;
-      privateKeyFile = cfg.client.privateKeyFile;
+      privateKeyFile = toString cfg.client.privateKeyFile;
       peers = [
         {
           allowedIPs = cfg.client.allowedIPs;
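Review bot: `toString cfg.client.privateKeyFile` is the correct conversion, but its purpose is non-obvious and the next maintainer may "simplify" it to `"${cfg.client.privateKeyFile}"`, which would copy the private key into the world-readable Nix store; add a why-comment on that line: `# toString, not "${...}": interpolating a path literal copies the key file into the Nix store.`. The `peers` list and the rest of the `config` block continue past the end of the hunk, so whether `endpointPublicKeyFile` is read with the same care is not visible here.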
-- 
GitLab