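# Server section of our Monitoring VPN config
#
# NixOS module that turns a host into the WireGuard hub of the monitoring VPN.
# Clients are enumerated by address; each one gets its own peer entry whose
# public key is read from `<pubKeysPath>/<address>.pub`.
{ lib, config, ... }:
let
  cfg = config.services.private-storage.monitoring.vpn;

  # One WireGuard peer per configured client address.  Each peer is pinned to
  # exactly one /32, so a given client key can only ever claim its own address
  # inside the tunnel.  The public key is read at evaluation time and therefore
  # ends up in the Nix store; only public material is read here.
  # NOTE(review): all peers share a single preshared key file, so the PSK only
  # adds margin against an outside observer -- it does not separate clients
  # from one another.  Per-client PSKs would need a per-client file here.
  clients = map (x: {
    allowedIPs = [ "${x}/32" ];
    publicKey = lib.fileContents (cfg.server.pubKeysPath + "/${x}.pub");
    presharedKeyFile = toString cfg.server.presharedKeyFile;
  }) cfg.server.vpnClientIPs;
in
{
  options.services.private-storage.monitoring.vpn.server = {
    enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN server service";

    privateKeyFile = lib.mkOption {
      type = lib.types.path;
      example = /run/keys/monitoringvpn/server.key;
      default = /run/keys/monitoringvpn/server.key;
      description = ''
        File with base64 private key generated by <command>wg genkey</command>.
      '';
    };

    presharedKeyFile = lib.mkOption {
      type = lib.types.path;
      example = /run/keys/monitoringvpn/preshared.key;
      default = /run/keys/monitoringvpn/preshared.key;
      description = ''
        File with base64 preshared key generated by <command>wg genpsk</command>.
      '';
    };

    ip = lib.mkOption {
      type = lib.types.str;
      # A single address without prefix length; the /24 is appended below.
      # (The example must be a string to match the declared type.)
      example = "172.23.23.23";
      description = ''
        The IP address of the interface.
      '';
    };

    port = lib.mkOption {
      type = lib.types.port;
      example = 54321;
      default = 51820;
      description = ''
        The UDP port to listen on.
      '';
    };

    vpnClientIPs = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      example = [ "172.23.23.23" "172.23.23.42" ];
      description = ''
        The IP addresses to allow connections from.
      '';
    };

    pubKeysPath = lib.mkOption {
      type = lib.types.path;
      example = ./monitoringvpn;
      description = ''
        The path to the directory that holds the public keys.
      '';
    };
  };

  config = lib.mkIf cfg.server.enable {
    # Only the WireGuard listen port is opened; nothing else changes in the
    # host firewall.
    networking.firewall.allowedUDPPorts = [ cfg.server.port ];

    networking.wireguard.interfaces.monitoringvpn = {
      ips = [ "${cfg.server.ip}/24" ];
      listenPort = cfg.server.port;
      # `toString` rather than "${...}" interpolation: interpolating a path
      # literal would import the private key file into the world-readable Nix
      # store, whereas toString keeps it as a plain runtime path.
      privateKeyFile = toString cfg.server.privateKeyFile;
      peers = clients;
    };
  };
}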