From f9fe11703f7ad9e99e3baf2b30b93bc8a17354b3 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Sun, 16 May 2021 21:26:46 +0000
Subject: [PATCH] VPN: Add remaining hosts, use files for client endpoint
pubkeys
---
morph/grid/local/grid.nix | 2 ++
morph/lib/make-issuer.nix | 2 +-
morph/lib/make-testing.nix | 23 ++++++++++++++++++++++-
nixos/modules/monitoring/vpn/client.nix | 10 ++++------
nixos/modules/monitoring/vpn/server.nix | 13 +++++++++----
5 files changed, 38 insertions(+), 12 deletions(-)
diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 3df4e271..8a25747c 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -18,6 +18,7 @@ import ../../lib/make-grid.nix {
"storage1" = import ../../lib/make-testing.nix (rec {
publicIPv4 = "192.168.67.22";
+ monitoringvpnIPv4 = "172.23.23.12";
inherit sshUsers;
hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
stateVersion = "19.09";
@@ -25,6 +26,7 @@ import ../../lib/make-grid.nix {
"storage2" = import ../../lib/make-testing.nix (rec {
publicIPv4 = "192.168.67.23";
+ monitoringvpnIPv4 = "172.23.23.13";
inherit sshUsers;
hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
stateVersion = "19.09";
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 789ff9d5..30cc0eea 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -31,7 +31,7 @@
action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
};
"monitoringvpn-secret-key" = {
- source = "../../PrivateStorageSecrets/monitoringvpn/storage1.key";
+ source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
destination = "/var/secrets/monitoringvpn/client.key";
owner.user = "root";
owner.group = "root";
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index d25856a7..24affc98 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -1,4 +1,4 @@
-{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, ... }: rec {
+{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, monitoringvpnIPv4, ... }: rec {
deployment = {
targetHost = publicIPv4;
@@ -15,6 +15,22 @@
# extract it from the tahoe-lafs nixos module somehow?
action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
};
+ "monitoringvpn-secret-key" = {
+ source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
+ destination = "/var/secrets/monitoringvpn/client.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
+ "monitoringvpn-preshared-key" = {
+ source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+ destination = "/var/secrets/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
};
};
@@ -34,4 +50,9 @@
};
system.stateVersion = stateVersion;
+
+ services.private-storage.monitoring.vpn.client = {
+ enable = true;
+ ip = monitoringvpnIPv4;
+ };
}
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 40cc0516..93828a5b 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -12,6 +12,8 @@ in {
default = /var/secrets/monitoringvpn/client.key;
description = ''
File with base64 private key generated by <command>wg genkey</command>.
+ Shorthand for public and private key:
+ <command>wg genkey | tee peer_A.key | wg pubkey > peer_A.pub</command>
'';
};
publicKeyFile = lib.mkOption {
@@ -19,6 +21,8 @@ in {
example = lib.literalExample /var/secrets/monitoringvpn/host.pub;
description = ''
File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+ Shorthand for public and private key:
+ <command>wg genkey | tee peer_A.key | wg pubkey > peer_A.pub</command>
'';
};
presharedKeyFile = lib.mkOption {
@@ -78,9 +82,3 @@ in {
};
}
-
-# v just have all config static (no file systems etc)
-# move cfg into global config (like config.privatestorage.monitoring.*)
-# parametrize keys
-# - (https://wiki.archlinux.org/index.php/WireGuard
-# - (wg genkey | tee peer_A.key | wg pubkey > peer_A.pub)
diff --git a/nixos/modules/monitoring/vpn/server.nix b/nixos/modules/monitoring/vpn/server.nix
index 97bbfeee..56ecf197 100644
--- a/nixos/modules/monitoring/vpn/server.nix
+++ b/nixos/modules/monitoring/vpn/server.nix
@@ -55,14 +55,19 @@ in {
listenPort = cfg.server.port;
privateKeyFile = toString cfg.server.privateKeyFile;
peers = [
- { # node1
+ {
allowedIPs = [ "172.23.23.11/32" ];
- publicKey = "tZ295cvD98ixt/VH4dwPKNgHf9MuhuzsossOWBOOoGU=";
+ publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.11.pub");
presharedKeyFile = toString cfg.server.presharedKeyFile;
}
- { # node2
+ {
allowedIPs = [ "172.23.23.12/32" ];
- publicKey = "zDxWTejJDXRRmUiMZPC7eVSCDdyFikN9VI6cqapQ6RY=";
+ publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.12.pub");
+ presharedKeyFile = toString cfg.server.presharedKeyFile;
+ }
+ {
+ allowedIPs = [ "172.23.23.13/32" ];
+ publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.13.pub");
presharedKeyFile = toString cfg.server.presharedKeyFile;
}
];
--
GitLab