From 0faf6ac72470aa2c950f2a3d7ddb23ff70f007b6 Mon Sep 17 00:00:00 2001
From: Florian Sesser <florian@privatestorage.io>
Date: Sun, 16 May 2021 20:08:50 +0000
Subject: [PATCH] vpn: add global preshared key. post-quantum resistence sounds
 great!

---
 morph/lib/make-issuer.nix               |  8 ++++++++
 morph/lib/make-monitoring.nix           |  8 ++++++++
 nixos/modules/monitoring/vpn/client.nix |  9 +++++++++
 nixos/modules/monitoring/vpn/server.nix | 10 ++++++++++
 4 files changed, 35 insertions(+)

diff --git a/morph/lib/make-issuer.nix b/morph/lib/make-issuer.nix
index 97bee06a..11d1b626 100644
--- a/morph/lib/make-issuer.nix
+++ b/morph/lib/make-issuer.nix
@@ -37,6 +37,14 @@
         permissions = "0400";
         action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
       };
+      "monitoringvpn-preshared-key" = {
+        source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+        destination = "/var/secrets/monitoringvpn/preshared.key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+      };
     };
   };
 
diff --git a/morph/lib/make-monitoring.nix b/morph/lib/make-monitoring.nix
index aeb9b8d8..07fc5f0b 100644
--- a/morph/lib/make-monitoring.nix
+++ b/morph/lib/make-monitoring.nix
@@ -20,6 +20,14 @@
         permissions = "0444";
         action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
       };
+      "monitoringvpn-preshared-key" = {
+        source = "../../PrivateStorageSecrets/monitoringvpn/preshared.key";
+        destination = "/var/secrets/monitoringvpn/preshared.key";
+        owner.user = "root";
+        owner.group = "root";
+        permissions = "0400";
+        action = ["sudo" "systemctl" "restart" "wireguard-monitoringvpn.service"];
+      };
     };
   };
 
diff --git a/nixos/modules/monitoring/vpn/client.nix b/nixos/modules/monitoring/vpn/client.nix
index 19cefd56..2515e535 100644
--- a/nixos/modules/monitoring/vpn/client.nix
+++ b/nixos/modules/monitoring/vpn/client.nix
@@ -21,6 +21,14 @@ in {
         File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
       '';
     };
+    presharedKeyFile = lib.mkOption {
+      type = lib.types.path;
+      example = lib.literalExample /var/secrets/monitoringvpn/preshared.key;
+      default = /var/secrets/monitoringvpn/preshared.key;
+      description = ''
+        File with base64 preshared key generated by <command>wg genpsk</command>.
+      '';
+    };
     allowedIPs = lib.mkOption {
       type = lib.types.listOf lib.types.str;
       example = lib.literalExample [ "172.23.23.1/32" ];
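Review bot: The `presharedKeyFile` description should state how the key is consumed, because the peer entry later in this file passes `toString cfg.client.presharedKeyFile` — the file is referenced by path at runtime, never copied into the Nix store, so it must already exist on the target host (readable by the WireGuard service, i.e. root, matching the 0400 root-owned secret) and be byte-identical to the key the server configures for this peer, otherwise the handshake will not complete and nothing in the module reports why. A relative path literal such as `./preshared.key` satisfies `lib.types.path`, but `toString` then yields an evaluator-side absolute path that does not exist on the deployed machine. Suggested wording: `File with base64 preshared key generated by <command>wg genpsk</command>. Referenced by path at runtime (not copied to the Nix store); it must be deployed to the target host and must match the preshared key the server uses for this peer.`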
@@ -62,6 +70,7 @@ in {
           allowedIPs = cfg.client.allowedIPs;
           endpoint = cfg.client.endpoint;  # meaning: the server.
           publicKey = builtins.readFile(cfg.client.endpointPublicKeyFile);
+          presharedKeyFile = toString cfg.client.presharedKeyFile;
         }
       ];
     };
diff --git a/nixos/modules/monitoring/vpn/server.nix b/nixos/modules/monitoring/vpn/server.nix
index 58cb6df2..97bbfeee 100644
--- a/nixos/modules/monitoring/vpn/server.nix
+++ b/nixos/modules/monitoring/vpn/server.nix
@@ -22,6 +22,14 @@ in {
         File with base64 public key generated by <command>cat private.key | wg pubkey > pubkey.pub</command>.
       '';
     };
+    presharedKeyFile = lib.mkOption {
+      type = lib.types.path;
+      example = lib.literalExample /var/secrets/monitoringvpn/preshared.key;
+      default = /var/secrets/monitoringvpn/preshared.key;
+      description = ''
+        File with base64 preshared key generated by <command>wg genpsk</command>.
+      '';
+    };
     ip = lib.mkOption {
       type = lib.types.str;
       example = lib.literalExample [ "172.23.23.23" ];
@@ -50,10 +58,12 @@ in {
         { # node1
           allowedIPs = [ "172.23.23.11/32" ];
           publicKey = "tZ295cvD98ixt/VH4dwPKNgHf9MuhuzsossOWBOOoGU=";
+          presharedKeyFile = toString cfg.server.presharedKeyFile;
         }
         { # node2
           allowedIPs = [ "172.23.23.12/32" ];
           publicKey = "zDxWTejJDXRRmUiMZPC7eVSCDdyFikN9VI6cqapQ6RY=";
+          presharedKeyFile = toString cfg.server.presharedKeyFile;
         }
       ];
     };
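Review bot: Both hard-coded peers get the same `presharedKeyFile = toString cfg.server.presharedKeyFile;`, so one global key protects every tunnel; if any single client node is compromised the PSK for all other peers is disclosed, and the post-quantum layer the commit message is after then only holds for as long as no peer is compromised, whereas WireGuard's preshared key is meant to be distinct per peer pair. Consider making the option a per-peer mapping (peer name to key file, each deployed as its own morph secret) with the single file at most as a fallback; that also allows one client's key to be rotated without an outage window for every other client, since a changed global key restarts `wireguard-monitoringvpn.service` on the server before the clients necessarily have the new file. At minimum the option description should say that this one key is applied to every peer. The `peers` list begins before this hunk.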
-- 
GitLab