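    # Server section of our Monitoring VPN config.
    #
    # Declares the `services.private-storage.monitoring.vpn.server` options and,
    # when enabled, sets up a WireGuard interface named `monitoringvpn` that the
    # monitoring nodes connect to, plus the host firewall rule for its listen port.

    { lib, config, ... }: let
      cfg = config.services.private-storage.monitoring.vpn;

      # Peers known to this server, one entry per monitoring node.  Each entry is
      # a plain WireGuard peer attrset as accepted by
      # networking.wireguard.interfaces.<name>.peers.  allowedIPs is a /32 per
      # peer so that each node's key is only ever associated with its own single
      # tunnel address.
      defaultPeers = [
        { # node1
          allowedIPs = [ "172.23.23.11/32" ];
          publicKey = "tZ295cvD98ixt/VH4dwPKNgHf9MuhuzsossOWBOOoGU=";
        }
        { # node2
          allowedIPs = [ "172.23.23.12/32" ];
          publicKey = "zDxWTejJDXRRmUiMZPC7eVSCDdyFikN9VI6cqapQ6RY=";
        }
      ];

    in {
      options.services.private-storage.monitoring.vpn.server = {
        enable = lib.mkEnableOption "PrivateStorageio Monitoring VPN server service";
        privateKeyFile = lib.mkOption {
          type = lib.types.path;
          example = lib.literalExample /var/secrets/monitoringvpn/server.key;
          default = /var/secrets/monitoringvpn/server.key;
          description = ''
            File with base64 private key generated by <command>wg genkey</command>.
            The file is read on the target host when the interface is brought up
            and is not copied into the Nix store; it has to be present there and
            should be readable by root only.
          '';
        };
        publicKeyFile = lib.mkOption {
          type = lib.types.path;
          example = lib.literalExample /var/secrets/monitoringvpn/server.pub;
          default = /var/secrets/monitoringvpn/server.pub;
          description = ''
            File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
            Note: this module does not currently read this file anywhere; the
            option is kept so that existing configurations that set it keep
            evaluating.
          '';
        };
        ips = lib.mkOption {
          type = lib.types.listOf lib.types.str;
          example = lib.literalExample [ "172.23.23.1/24" ];
          description = ''
            The IP addresses of the interface.
            See https://github.com/NixOS/nixpkgs/blob/nixos-20.09/nixos/modules/services/networking/wireguard.nix .
          '';
        };
        port = lib.mkOption {
          type = lib.types.port;
          example = lib.literalExample 54321;
          default = 54321;
          description = ''
            The UDP port to listen on.
          '';
        };
        peers = lib.mkOption {
          type = lib.types.listOf lib.types.attrs;
          default = defaultPeers;
          example = lib.literalExample ''
            [ { allowedIPs = [ "172.23.23.13/32" ]; publicKey = "<base64 public key>"; } ]
          '';
          description = ''
            WireGuard peers (monitoring nodes) that may connect to this server.
            Each entry is passed through unchanged to
            <option>networking.wireguard.interfaces.monitoringvpn.peers</option>.
            Defaults to the node1 and node2 entries that used to be hard-coded
            in this module.
          '';
        };
      };

      config = lib.mkIf cfg.server.enable {
        # Open the listen port in the host firewall.  networking.firewall.allowedUDPPorts
        # is host-wide, not per interface; use
        # networking.firewall.interfaces.<if>.allowedUDPPorts if the port should
        # only be reachable on a specific interface.
        networking.firewall.allowedUDPPorts = [ cfg.server.port ];

        networking.wireguard.interfaces.monitoringvpn = {
          ips = cfg.server.ips;
          listenPort = cfg.server.port;
          # toString on a Nix path value yields the plain path string.  String
          # interpolation ("${...}") would instead import the private key into
          # the world-readable Nix store, so keep it as toString.
          privateKeyFile = toString cfg.server.privateKeyFile;
          peers = cfg.server.peers;
        };
      };
    }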