From f9fe11703f7ad9e99e3baf2b30b93bc8a17354b3 Mon Sep 17 00:00:00 2001 From: Florian Sesser <florian@privatestorage.io> Date: Sun, 16 May 2021 21:26:46 +0000 Subject: [PATCH] VPN: Add remaining hosts, use files for client endpoint pubkeys --- morph/grid/local/grid.nix | 2 ++ morph/lib/make-issuer.nix | 2 +- morph/lib/make-testing.nix | 23 ++++++++++++++++++++++- nixos/modules/monitoring/vpn/client.nix | 10 ++++------ nixos/modules/monitoring/vpn/server.nix | 13 +++++++++---- 5 files changed, 38 insertions(+), 12 deletions(-) diff --git a/morph/grid/local/grid.nix b/morph/grid/local/grid.nix index 3df4e271..8a25747c 100644 --- a/morph/grid/local/grid.nix +++ b/morph/grid/local/grid.nix @@ -18,6 +18,7 @@ import ../../lib/make-grid.nix { "storage1" = import ../../lib/make-testing.nix (rec { publicIPv4 = "192.168.67.22"; + monitoringvpnIPv4 = "172.23.23.12"; inherit sshUsers; hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; }); stateVersion = "19.09"; @@ -25,6 +26,7 @@ import ../../lib/make-grid.nix { "storage2" = import ../../lib/make-testing.nix (rec { publicIPv4 = "192.168.67.23"; + monitoringvpnIPv4 = "172.23.23.13"; inherit sshUsers; hardware = import ./virtual-hardware.nix ({ inherit publicIPv4; }); stateVersion = "19.09"; diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix index 789ff9d5..30cc0eea 100644 --- a/morph/lib/make-issuer.nix +++ b/morph/lib/make-issuer.nix @@ -31,7 +31,7 @@ action = ["sudo" "systemctl" "restart" "zkapissuer.service"]; }; "monitoringvpn-secret-key" = { - source = "../../PrivateStorageSecrets/monitoringvpn/storage1.key"; + source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key"; destination = "/var/secrets/monitoringvpn/client.key"; owner.user = "root"; owner.group = "root"; diff --git a/morph/lib/make-testing.nix b/morph/lib/make-testing.nix index d25856a7..24affc98 100644 --- a/morph/lib/make-testing.nix +++ b/morph/lib/make-testing.nix 
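Review bot: The new `monitoringvpnIPv4` values for storage1 and storage2 (and the matching one in the second grid.nix hunk) now do double duty: make-testing.nix interpolates them into the secret path `../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key`, and server.nix hard-codes the same addresses as `allowedIPs`, so a duplicated value would ship one host's private key to two machines and collide on the server side with nothing in the grid definition flagging it. I would document the coupling next to the attribute, e.g. `# must be unique per host: selects this node's WireGuard key file and its allowedIPs entry on the VPN server`, and, if make-grid.nix has an assertion hook, assert uniqueness of these addresses across hosts. The enclosing `import ../../lib/make-grid.nix { … }` attribute set starts and ends outside both hunks.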
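Review bot: The make-issuer.nix hunk references `monitoringvpnIPv4` in the `source` path, but this is the file's only change (1 insertion, 1 deletion in the diffstat) and its argument list is outside the hunk, so evaluation will fail with a missing-attribute error unless that name is already an argument of make-issuer.nix; worth confirming before deploy. Separately, the line being removed shipped `storage1.key` to the issuer host, which means that private key has been installed on two different hosts; since the file name now identifies the peer, it would be prudent to regenerate the 172.23.23.11 and storage1 key pairs rather than reuse material that was present on more than one machine.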
@@ -1,4 +1,4 @@ -{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, ... }: rec { +{ publicIPv4, hardware, publicStoragePort, ristrettoSigningKeyPath, passValue, sshUsers, stateVersion, monitoringvpnIPv4, ... }: rec { deployment = { targetHost = publicIPv4; @@ -15,6 +15,22 @@ # extract it from the tahoe-lafs nixos module somehow? action = ["sudo" "systemctl" "restart" "tahoe.storage.service"]; }; + "monitoringvpn-secret-key" = { + source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.key"; + destination = "/var/secrets/monitoringvpn/client.key"; + owner.user = "root"; + owner.group = "root"; + permissions = "0400"; + action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"]; + }; + "monitoringvpn-preshared-key" = { + source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key"; + destination = "/var/secrets/monitoringvpn/preshared.key"; + owner.user = "root"; + owner.group = "root"; + permissions = "0400"; + action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"]; + }; }; }; @@ -34,4 +50,9 @@ }; system.stateVersion = stateVersion; + + services.private-storage.monitoring.vpn.client = { + enable = true; + ip = monitoringvpnIPv4; + }; } diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix index 40cc0516..93828a5b 100644 --- a/nixos/modules/monitoring/vpn/client.nix +++ b/nixos/modules/monitoring/vpn/client.nix @@ -12,6 +12,8 @@ in { default = /var/secrets/monitoringvpn/client.key; description = '' File with base64 private key generated by <command>wg genkey</command>. + Shorthand for public and private key: + <command>wg genkey | tee peer_A.key | wg pubkey > peer_A.pub</command> ''; }; publicKeyFile = lib.mkOption { 
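Review bot: `monitoringvpnIPv4` is added to the make-testing.nix argument set without a default, so every grid that imports this file must now pass it; only the local grid is updated in this commit, and any other grid definition (not visible here) will stop evaluating with a "called without required argument" error. If that is intended, a short comment on the signature such as `# monitoringvpnIPv4: this node's address on the monitoring VPN; also names its key file under PrivateStorageSecrets/monitoringvpn/` would make the coupling discoverable for the next grid author.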
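Review bot: The `monitoringvpn-preshared-key` entry distributes one `preshared.key` file to every storage node, and the server.nix hunk uses the same `cfg.server.presharedKeyFile` for all peers, so the preshared key is effectively a group secret: a compromise of any single node exposes the PSK of every tunnel, which removes the defence-in-depth layer the PSK is meant to add for the other peers. WireGuard's PSK is designed to be per-peer; keying it the same way as the private key, `source = "../../PrivateStorageSecrets/monitoringvpn/${monitoringvpnIPv4}.psk";`, with a matching per-peer `presharedKeyFile` on the server, would keep the blast radius to one host. The 0400/root ownership and the service restart action on both entries look right. The enclosing `deployment.secrets` set starts outside the hunk.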
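Review bot: The new `services.private-storage.monitoring.vpn.client` block enables the client with only `ip` set, while the client.nix hunk shows `publicKeyFile` with an `example` but no visible `default`; if that option has no default and the module reads it, this will fail at evaluation on every storage node. Either set it here alongside `ip` or confirm the option is optional; a comment such as `# key material comes from the monitoringvpn-* deployment secrets above` would also explain why the key options are left at their defaults.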
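Review bot: The new shorthand in the `privateKeyFile` description (and its duplicate in the `publicKeyFile` hunk on the next line) writes `peer_A.key` with the operator's current umask, so on a typical shell the private key lands world-readable until someone chmods it; the upstream WireGuard instructions wrap the command in a restrictive umask for this reason. I would quote it as `<command>(umask 077; wg genkey | tee peer_A.key | wg pubkey > peer_A.pub)</command>` in both descriptions, which also matches the 0400 permissions the deployment secrets expect.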
@@ -19,6 +21,8 @@ in { example = lib.literalExample /var/secrets/monitoringvpn/host.pub; description = '' File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>. + Shorthand for public and private key: + <command>wg genkey | tee peer_A.key | wg pubkey > peer_A.pub</command> ''; }; presharedKeyFile = lib.mkOption { @@ -78,9 +82,3 @@ in { }; } - -# v just have all config static (no file systems etc) -# move cfg into global config (like config.privatestorage.monitoring.*) -# parametrize keys -# - (https://wiki.archlinux.org/index.php/WireGuard -# - (wg genkey | tee peer_A.key | wg pubkey > peer_A.pub) diff --git a/nixos/modules/monitoring/vpn/server.nix b/nixos/modules/monitoring/vpn/server.nix index 97bbfeee..56ecf197 100644 --- a/nixos/modules/monitoring/vpn/server.nix +++ b/nixos/modules/monitoring/vpn/server.nix @@ -55,14 +55,19 @@ in { listenPort = cfg.server.port; privateKeyFile = toString cfg.server.privateKeyFile; peers = [ - { # node1 + { allowedIPs = [ "172.23.23.11/32" ]; - publicKey = "tZ295cvD98ixt/VH4dwPKNgHf9MuhuzsossOWBOOoGU="; + publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.11.pub"); presharedKeyFile = toString cfg.server.presharedKeyFile; } - { # node2 + { allowedIPs = [ "172.23.23.12/32" ]; - publicKey = "zDxWTejJDXRRmUiMZPC7eVSCDdyFikN9VI6cqapQ6RY="; + publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.12.pub"); + presharedKeyFile = toString cfg.server.presharedKeyFile; + } + { + allowedIPs = [ "172.23.23.13/32" ]; + publicKey = builtins.readFile(../../../../morph/PrivateStorageSecrets/monitoringvpn + "/172.23.23.13.pub"); presharedKeyFile = toString cfg.server.presharedKeyFile; } ]; -- GitLab
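Review bot: `builtins.readFile` returns the file verbatim, and `wg pubkey` (as documented in the client.nix hunks) terminates its output with a newline, so each `publicKey` in the new peer entries will carry a trailing "\n" unless the .pub files were hand-trimmed; the wireguard module passes that string on to `wg`, which rejects keys that are not exactly 44 base64 characters. Using `lib.fileContents` (which strips the trailing newline) instead of `builtins.readFile` fixes this, assuming `lib` is in scope in server.nix as it is in client.nix. Since the three entries differ only in the address, generating them from a list also removes the duplication and makes the fourth host a one-token change.
```nix
      peers = map (ip: {
        allowedIPs = [ "${ip}/32" ];
        # fileContents strips the trailing newline that `wg pubkey` writes
        publicKey = lib.fileContents (../../../../morph/PrivateStorageSecrets/monitoringvpn + "/${ip}.pub");
        presharedKeyFile = toString cfg.server.presharedKeyFile;
      }) [ "172.23.23.11" "172.23.23.12" "172.23.23.13" ];
```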