diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 97bee06aff091a85b751540d34da3fb177c258e6..11d1b62609e60936c23b3bf2301a94ed6a6754b0 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -37,6 +37,14 @@
 permissions = "0400";
 action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
 };
+ "monitoringvpn-preshared-key" = {
+ source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+ destination = "/var/secrets/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
 };
 };
diff --git a/morph/lib/make-monitoring.nix b/morph/lib/make-monitoring.nix
index aeb9b8d80878875b5d7e3a5e22b94b0ab42d90b7..07fc5f0b6e4737283e5e2ed6a0c8049f6dae5307 100644
--- a/morph/lib/make-monitoring.nix
+++ b/morph/lib/make-monitoring.nix
@@ -20,6 +20,14 @@
 permissions = "0444";
 action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
 };
+ "monitoringvpn-preshared-key" = {
+ source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+ destination = "/var/secrets/monitoringvpn/preshared.key";
+ owner.user = "root";
+ owner.group = "root";
+ permissions = "0400";
+ action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+ };
 };
 };
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 19cefd56e8178642f53aec55235361dcf6aa05fc..2515e53528e640965ba62c6b4a57dc4ec1ce753c 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
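Review bot: The new `monitoringvpn-preshared-key` entry here deploys the single file `../../PrivateStorageSecrets/monitoringvpn/preshared.key` to the issuer, the identical entry in the make-monitoring.nix hunk deploys the same file to the monitoring node, and the second server.nix hunk then hands that one `cfg.server.presharedKeyFile` to both the node1 and node2 peers. A WireGuard preshared key is designed to be unique per peer pair; with one PSK shared by every client, exposure of any single client's `/var/secrets/monitoringvpn/preshared.key` removes the extra symmetric protection from every other tunnel at once, leaving those peers with only their public-key handshake. Consider one PSK per client (a `presharedKeyFile` per peer entry in server.nix, with a matching secret entry in each morph file), or, if a single shared PSK is an accepted trade-off for now, record that in the server.nix option description: `One preshared key is shared by all monitoringvpn peers; it adds a symmetric layer to the handshake but gives no per-peer isolation.` The 0400 root-only permissions and the service restart on change are consistent with the existing private-key entry above and look right.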
@@ -21,6 +21,14 @@ in {
 File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
 '';
 };
+ presharedKeyFile = lib.mkOption {
+ type = lib.types.path;
+ example = lib.literalExample /var/secrets/monitoringvpn/preshared.key;
+ default = /var/secrets/monitoringvpn/preshared.key;
+ description = ''
+ File with base64 preshared key generated by <command>wg genpsk</command>.
+ '';
+ };
 allowedIPs = lib.mkOption {
 type = lib.types.listOf lib.types.str;
 example = lib.literalExample [ "172.23.23.1/32" ];
@@ -62,6 +70,7 @@ in {
 allowedIPs = cfg.client.allowedIPs;
 endpoint = cfg.client.endpoint; # meaning: the server.
 publicKey = builtins.readFile(cfg.client.endpointPublicKeyFile);
+ presharedKeyFile = toString cfg.client.presharedKeyFile;
 }
 ];
 };
diff --git a/nixos/modules/monitoring/vpn/server.nix b/nixos/modules/monitoring/vpn/server.nix
index 58cb6df2eaf715bf063a55ab7e3f4a3fa0a291d3..97bbfeee320fd8ec97dcede8a666d9945f41815e 100644
--- a/nixos/modules/monitoring/vpn/server.nix
+++ b/nixos/modules/monitoring/vpn/server.nix
@@ -22,6 +22,14 @@ in {
 File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
 '';
 };
+ presharedKeyFile = lib.mkOption {
+ type = lib.types.path;
+ example = lib.literalExample /var/secrets/monitoringvpn/preshared.key;
+ default = /var/secrets/monitoringvpn/preshared.key;
+ description = ''
+ File with base64 preshared key generated by <command>wg genpsk</command>.
+ '';
+ };
 ip = lib.mkOption {
 type = lib.types.str;
 example = lib.literalExample [ "172.23.23.23" ];
@@ -50,10 +58,12 @@ in {
 { # node1
 allowedIPs = [ "172.23.23.11/32" ];
 publicKey = "tZ295cvD98ixt/VH4dwPKNgHf9MuhuzsossOWBOOoGU=";
+ presharedKeyFile = toString cfg.server.presharedKeyFile;
 }
 { # node2
 allowedIPs = [ "172.23.23.12/32" ];
 publicKey = "zDxWTejJDXRRmUiMZPC7eVSCDdyFikN9VI6cqapQ6RY=";
+ presharedKeyFile = toString cfg.server.presharedKeyFile;
 }
 ];
 };
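Review bot: The added `presharedKeyFile = toString cfg.client.presharedKeyFile;` in the second client.nix hunk needs a why-comment, because the line directly above it uses `builtins.readFile` for the endpoint public key and a later edit could "harmonise" the two in the wrong direction. Reading the preshared key at evaluation time would embed the secret in the generated WireGuard configuration in the Nix store, which is world-readable; passing only the path string keeps the key out of the store and lets the service read the file at runtime under the root-only 0400 permissions the morph hunks set. Suggested comment on that line and on the two matching `presharedKeyFile` lines in the second server.nix hunk: `# Path only, never readFile: the key must stay out of the world-readable Nix store.` The same caution applies to the new option itself, since `lib.types.path` accepts a Nix path literal and a path literal interpolated into a string elsewhere would be copied into the store, so consumers should keep going through `toString` as these lines do. The peers list that encloses these lines begins before the hunk in both files.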