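# Client section of our Monitoring VPN config
#
# Declares the `services.monitoring.vpn.client.*` options and, when the client
# is enabled, sets up one WireGuard interface (`monitoringvpn`) with a single
# peer: the monitoring server.  The server's endpoint and public key are still
# hard-coded in the `config` section below (see the TODO list at the end of the
# file); pinning the server's public key here is what authenticates the server
# to this client, so it must be changed together with the server key.
{ lib, config, ... }:
let
  cfg = config.services.monitoring.vpn;
  # cfg.server = "loki";
  # cfg.port = 54321;
  #ip = "192.168.42.11";
in {
  options = {
    services.monitoring.vpn.client.enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN client service";

    services.monitoring.vpn.client.privateKeyFile = lib.mkOption {
      # Kept as a plain string on purpose.  A Nix path literal such as
      # /var/secrets/monitoring-vpn/host.key that gets interpolated into a
      # string is copied into the world-readable Nix store, which would leak
      # the private key to every local user.  Always pass a quoted string.
      type = lib.types.str;
      example = lib.literalExample "/var/secrets/monitoring-vpn/host.key";
      description = ''
        Path (as a string, outside the Nix store) to a file containing the
        base64 private key generated by <command>wg genkey</command>.
        The path is handed to <literal>networking.wireguard</literal> as the
        interface's private key file; the file should be readable by root only.
      '';
    };

    services.monitoring.vpn.client.publicKeyFile = lib.mkOption {
      # NOTE(review): this option is declared but not read anywhere in this
      # module.  Presumably the server side of the VPN uses it to register
      # this host as a peer -- confirm before relying on it.
      type = lib.types.str;
      example = lib.literalExample "/var/secrets/monitoring-vpn/host.pub";
      description = ''
        Path to a file containing the base64 public key derived from the
        private key with
        <command>cat private.key | wg pubkey > pubkey.pub</command>.
        This module itself does not read the file.
      '';
    };

    # Bug fix: `allowedIPs` and `ips` were bare attribute sets, not option
    # declarations.  Without `lib.mkOption` the module system treats
    # `type`/`example`/`description` as nested option names and evaluation
    # fails as soon as the module is imported.
    services.monitoring.vpn.client.allowedIPs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      example = lib.literalExample [ "172.23.23.1/32" ];
      description = ''
        WireGuard AllowedIPs for the monitoring server peer, as a list of CIDR
        prefixes.  This is WireGuard's cryptokey routing table: packets
        arriving from the peer with a source address outside these prefixes
        are dropped, and traffic to these prefixes is routed into the tunnel.
        Keep it as narrow as possible, normally just the server's VPN address
        as a /32.  There is no default; it must be set when the client is
        enabled.
      '';
    };

    services.monitoring.vpn.client.ips = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      example = lib.literalExample [ "172.23.23.1/24" ];
      default = [ "172.23.23.1/24" ];
      description = ''
        The IP addresses (with prefix length) assigned to the monitoringvpn
        interface.  Every client that keeps the default gets the same
        address, so set a distinct one per host.  See
        https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
      '';
    };
  };

  config = lib.mkIf cfg.client.enable {
    # Refuse a key file that lives in the Nix store: anything there is
    # readable by every user on the machine.
    assertions = [
      {
        assertion = !(lib.hasPrefix "/nix/store/" cfg.client.privateKeyFile);
        message = "services.monitoring.vpn.client.privateKeyFile must not point into the Nix store (the private key would be world-readable).";
      }
    ];

    networking.wireguard.interfaces.monitoringvpn = {
      ips = cfg.client.ips;
      privateKeyFile = cfg.client.privateKeyFile;
      peers = [
        {
          allowedIPs = cfg.client.allowedIPs;
          # Server endpoint and key are pinned here for now.
          endpoint = "loki:54321"; # cfg.server + ":" + toString cfg.port;
          # The server's WireGuard public key; this is the only thing that
          # authenticates the far end, so rotate it together with the server.
          publicKey = "0fS5azg7bBhCSUocI/r9pNkDMVpnlXmJfu9NV3YfEkU=";
        }
      ];
    };
  };
}
# just have all config static (no file systems etc)
# move cfg into global config (like config.privatestorage.monitoring.*)
# parametrize keys
# - (https://wiki.archlinux.org/index.php/WireGuard
# - (wg genkey | tee peer_A.key | wg pubkey > peer_A.pub)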