{ publicIPv4
, hardware
, publicStoragePort
, ristrettoSigningKeyPath
, passValue
, sshUsers
, stateVersion
, monitoringvpnKeyDir ? null
, monitoringvpnIPv4 ? null
, ... }: let
enableVpn = monitoringvpnKeyDir != null &&
monitoringvpnIPv4 != null;
vpnSecrets = if !enableVpn then {} else {
"monitoringvpn-secret-key" = {
source = monitoringvpnKeyDir + "/${monitoringvpnIPv4}.key";
destination = "/run/keys/monitoringvpn/client.key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
};
"monitoringvpn-preshared-key" = {
source = monitoringvpnKeyDir + "/preshared.key";
destination = "/run/keys/monitoringvpn/preshared.key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
};
};
in rec {
deployment = {
targetHost = publicIPv4;
secrets = {
"ristretto-signing-key" = {
source = ristrettoSigningKeyPath;
destination = "/run/keys/ristretto.signing-key";
owner.user = "root";
owner.group = "root";
permissions = "0400";
# Service name here matches the name defined by our tahoe-lafs nixos
# module. It would be nice to not have to hard-code it here. Can we
# extract it from the tahoe-lafs nixos module somehow?
action = ["sudo" "systemctl" "restart" "tahoe.storage.service"];
};
} // vpnSecrets;
};
imports = [
hardware
../../nixos/modules/private-storage.nix
../../nixos/modules/monitoring/vpn/client.nix
];
services.private-storage =
{ enable = true;
inherit publicIPv4;
inherit publicStoragePort;
ristrettoSigningKeyPath = deployment.secrets.ristretto-signing-key.destination;
inherit passValue;
inherit sshUsers;
};
system.stateVersion = stateVersion;
services.private-storage.monitoring.vpn.client = if !enableVpn then {} else {
enable = true;
ip = monitoringvpnIPv4;
};
}