Generate self-signed tls for wstunnel

2025-05-28 16:35:59 +02:00 · 2025-05-28 16:35:59 +02:00 · 3a6122784b
commit 3a6122784b
parent d4338f1861
1 changed files with 32 additions and 14 deletions
--- a/hosts/vm-vpn/configuration.nix
+++ b/hosts/vm-vpn/configuration.nix
@ -20,21 +20,39 @@
  # Setup wstunnel server
  services.wstunnel = {
    enable = true;
-    servers.wg-tunnel = {
-      enableHTTPS = true;
-      listen = {
-        host = "0.0.0.0";
-        port = 8080;
+    servers.wg-tunnel =
+      let
+        tlsFiles = pkgs.stdenvNoCC.mkDerivation {
+          name = "tls-files";
+          phases = [
+            "buildPhase"
+            "installPhase"
+          ];
+          buildPhase = ''
+            ${pkgs.openssl}/bin/openssl genrsa > privkey.pem
+            ${pkgs.openssl}/bin/openssl req -new -x509 -key privkey.pem > fullchain.pem
+          '';
+          installPhase = ''
+            mkdir -p $out
+            cp privkey.pem fullchain.pem $out/
+          '';
+        };
+      in
+      {
+        enableHTTPS = true;
+        listen = {
+          host = "0.0.0.0";
+          port = 8080;
+        };
+        restrictTo = [
+          {
+            host = "10.10.40.100";
+            port = 51820;
+          }
+        ];
+        tlsCertificate = "${tlsFiles}/fullchain.pem";
+        tlsKey = "${tlsFiles}/key.pem";
      };
-      restrictTo = [
-        {
-          host = "10.10.40.100";
-          port = 51820;
-        }
-      ];
-      tlsCertificate = "/var/lib/secrets/fullchain.pem";
-      tlsKey = "/var/lib/secrets/key.pem";
-    };
  };
  networking.firewall = {
    allowedTCPPorts = [ 8080 ];