From f9fe11703f7ad9e99e3baf2b30b93bc8a17354b3 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Sun, 16 May 2021 21:26:46 +0000
Subject: [PATCH] VPN: Add remaining hosts, use files for client endpoint
 pubkeys

---
 morph/grid/local/grid.nix               |  2 ++
 morph/lib/make-issuer.nix               |  2 +-
 morph/lib/make-testing.nix              | 23 ++++++++++++++++++++++-
 nixos/modules/monitoring/vpn/client.nix | 10 ++++------
 nixos/modules/monitoring/vpn/server.nix | 13 +++++++++----
 5 files changed, 38 insertions(+), 12 deletions(-)

diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix
index 3df4e271..8a25747c 100644
--- a/morph/grid/local/grid.nix
+++ b/morph/grid/local/grid.nix
@@ -18,6 +18,7 @@ import ../../lib/make-grid.nix {
 
     "storage1" = import ../../lib/make-testing.nix (rec {
       publicIPv4 = "192.168.67.22";
+      monitoringvpnIPv4 = "172.23.23.12";
       inherit sshUsers;
       hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
       stateVersion = "19.09";
@@ -25,6 +26,7 @@ import ../../lib/make-grid.nix {
 
     "storage2" = import ../../lib/make-testing.nix (rec {
       publicIPv4 = "192.168.67.23";
+      monitoringvpnIPv4 = "172.23.23.13";
       inherit sshUsers;
       hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; });
       stateVersion = "19.09";
diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 789ff9d5..30cc0eea 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -31,7 +31,7 @@
         action = ["sudo" "systemctl" "restart" "zkapissuer.service"];
       };
       "monitoringvpn-secret-key" = {
-        source = "../../PrivateStorageSecrets/monitoringvpn/storage1.key";
+        source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
         destination = "/var/secrets/monitoringvpn/client.key";
         owner.user = "root";
         owner.group = "root";
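Review bot: The interpolation of `monitoringvpnIPv4` at L44 depends on that name being in make-issuer.nix's argument set, and the patch contains no hunk for that set (the diffstat shows only this one-line change in the file), so if it is not already declared there the grid stops evaluating with an undefined-variable error; the sibling make-testing.nix change in this patch does add the argument explicitly. Note also that until now the issuer was deployed with `storage1.key` (old L43), i.e. two hosts shared one WireGuard identity, so after this change it is worth confirming that the issuer's `<ip>.key`/`<ip>.pub` pair and its server peer entry are distinct from storage1's, which grid.nix now assigns 172.23.23.12. The enclosing secrets attribute set starts outside the hunk.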
diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix
index d25856a7..24affc98 100644
--- a/morph/lib/make-testing.nix
+++ b/morph/lib/make-testing.nix
@@ -1,4 +1,4 @@
-{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, ... }: rec {
+{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, monitoringvpnIPv4, ... }: rec {
 
   deployment = {
     targetHost = publicIPv4;
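Review bot: `monitoringvpnIPv4` is added at L54 as a required argument with no default, so every caller of make-testing.nix must now pass it; only morph/grid/local/grid.nix is updated in this patch, and any other grid definition that imports make-testing.nix will fail to evaluate with a missing-argument error until it is given one. A `? null` default would not help, since the key path in the secrets block and the client `ip` both need a real address, so the fix is at the callers. A short comment on the argument, `# VPN-internal address; also selects the client key under PrivateStorageSecrets/monitoringvpn/`, would document that coupling for whoever adds the next host.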
@@ -15,6 +15,22 @@
         # extract it from the tahoe-lafs nixos module somehow?
         action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
       };
+      "monitoringvpn-secret-key" = {
+        source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key";
+        destination = "/var/secrets/monitoringvpn/client.key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+      };
+      "monitoringvpn-preshared-key" = {
+        source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+        destination = "/var/secrets/monitoringvpn/preshared.key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+      };
     };
   };
 
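Review bot: The preshared key deployed at L70-77 is the same `preshared.key` for every testing host, and server.nix uses the single `cfg.server.presharedKeyFile` for all peers, so the PSK is a group secret rather than a per-peer one: compromise of any one client's `/var/secrets/monitoringvpn/preshared.key` removes the PSK layer for every other tunnel as well. Selecting it per host the same way the private key is, `source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.psk";`, with a matching per-peer `presharedKeyFile` on the server side, keeps the protection per peer. The two secret blocks differ only in the key name and could be produced by one small helper function. The enclosing secrets attribute set opens before the hunk.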
@@ -34,4 +50,9 @@
   };
 
   system.stateVersion = stateVersion;
+
+  services.private-storage.monitoring.vpn.client = {
+    enable = true;
+    ip = monitoringvpnIPv4;
+  };
 }
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 40cc0516..93828a5b 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -12,6 +12,8 @@ in {
       default = /var/secrets/monitoringvpn/client.key;
       description = ''
         File with base64 private key generated by <command>wg genkey</command>.
+        Shorthand for public and private key:
+        <command>wg genkey | tee peer_A.key | wg pubkey > peer_A.pub</command>
       '';
     };
     publicKeyFile = lib.mkOption {
@@ -19,6 +21,8 @@ in {
       example = lib.literalExample /var/secrets/monitoringvpn/host.pub;
       description = ''
         File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
+        Shorthand for public and private key:
+        <command>wg genkey | tee peer_A.key | wg pubkey > peer_A.pub</command>
       '';
     };
     presharedKeyFile = lib.mkOption {
@@ -78,9 +82,3 @@ in {
   };
 }
 
-
-# v just have all config static (no file systems etc)
-# move cfg into global config (like config.privatestorage.monitoring.*)
-# parametrize keys
-#   - (https://wiki.archlinux.org/index.php/WireGuard
-#   -  (wg genkey | tee peer_A.key | wg pubkey > peer_A.pub)
diff --git a/nixos/modules/monitoring/vpn/server.nix b/nixos/modules/monitoring/vpn/server.nix
index 97bbfeee..56ecf197 100644
--- a/nixos/modules/monitoring/vpn/server.nix
+++ b/nixos/modules/monitoring/vpn/server.nix
@@ -55,14 +55,19 @@ in {
       listenPort = cfg.server.port;
       privateKeyFile = toString cfg.server.privateKeyFile;
       peers = [
-        { # node1
+        {
           allowedIPs = [ "172.23.23.11/32" ];
-          publicKey = "tZ295cvD98ixt/VH4dwPKNgHf9MuhuzsossOWBOOoGU=";
+          publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.11.pub");
           presharedKeyFile = toString cfg.server.presharedKeyFile;
         }
-        { # node2
+        {
           allowedIPs = [ "172.23.23.12/32" ];
-          publicKey = "zDxWTejJDXRRmUiMZPC7eVSCDdyFikN9VI6cqapQ6RY=";
+          publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.12.pub");
+          presharedKeyFile = toString cfg.server.presharedKeyFile;
+        }
+        {
+          allowedIPs = [ "172.23.23.13/32" ];
+          publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.13.pub");
           presharedKeyFile = toString cfg.server.presharedKeyFile;
         }
       ];
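Review bot: `builtins.readFile` at L135, L142 and L147 returns the key together with the trailing newline that `wg pubkey` writes, so unless the NixOS wireguard module trims `publicKey` before passing it to `wg set … peer`, the generated peer configuration will reject the key; `lib.fileContents` reads the same file and drops that newline (assuming `lib` is among this module's arguments, as it is in client.nix). The three peer entries differ only in the address, which also names the `.pub` file and must agree with the `monitoringvpnIPv4` values in grid.nix, so generating them from one address list keeps the entries in step and makes adding a host a one-token change. Keep reading only the specific `.pub` file through a path expression as done here; interpolating the PrivateStorageSecrets directory path into a string would copy its private `.key` files into the world-readable Nix store. The enclosing wireguard interface set starts before the hunk.
```nix
      peers = map (ip: {
        allowedIPs = [ "${ip}/32" ];
        # fileContents drops the trailing newline that `wg pubkey` writes
        publicKey = lib.fileContents (../../../../morph/PrivateStorageSecrets/monitoringvpn + "/${ip}.pub");
        presharedKeyFile = toString cfg.server.presharedKeyFile;
      }) [ "172.23.23.11" "172.23.23.12" "172.23.23.13" ];
```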
-- 
GitLab