From 3a6122784bc87e8a712a10fefab8d6b6c1c43bdb Mon Sep 17 00:00:00 2001
From: Jan-Bulthuis
Date: Wed, 28 May 2025 16:35:59 +0200
Subject: [PATCH] Generate self-signed tls for wstunnel

---
 hosts/vm-vpn/configuration.nix | 46 +++++++++++++++++++++++-----------
 1 file changed, 32 insertions(+), 14 deletions(-)

diff --git a/hosts/vm-vpn/configuration.nix b/hosts/vm-vpn/configuration.nix
index ff5e485..41897da 100644
--- a/hosts/vm-vpn/configuration.nix
+++ b/hosts/vm-vpn/configuration.nix
@@ -20,21 +20,39 @@
 # Setup wstunnel server
 services.wstunnel = {
 enable = true;
- servers.wg-tunnel = {
- enableHTTPS = true;
- listen = {
- host = "0.0.0.0";
- port = 8080;
+ servers.wg-tunnel =
+ let
+ tlsFiles = pkgs.stdenvNoCC.mkDerivation {
+ name = "tls-files";
+ phases = [
+ "buildPhase"
+ "installPhase"
+ ];
+ buildPhase = ''
+ ${pkgs.openssl}/bin/openssl genrsa > privkey.pem
+ ${pkgs.openssl}/bin/openssl req -new -x509 -key privkey.pem > fullchain.pem
+ '';
+ installPhase = ''
+ mkdir -p $out
+ cp privkey.pem fullchain.pem $out/
+ '';
+ };
+ in
+ {
+ enableHTTPS = true;
+ listen = {
+ host = "0.0.0.0";
+ port = 8080;
+ };
+ restrictTo = [
+ {
+ host = "10.10.40.100";
+ port = 51820;
+ }
+ ];
+ tlsCertificate = "${tlsFiles}/fullchain.pem";
+ tlsKey = "${tlsFiles}/key.pem";
 };
- restrictTo = [
- {
- host = "10.10.40.100";
- port = 51820;
- }
- ];
- tlsCertificate = "/var/lib/secrets/fullchain.pem";
- tlsKey = "/var/lib/secrets/key.pem";
- };
 };
 networking.firewall = {
 allowedTCPPorts = [ 8080 ];
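Review bot: `tlsKey = "${tlsFiles}/key.pem"` points at a file the derivation never produces — the installPhase copies `privkey.pem` and `fullchain.pem`, so wstunnel will fail to find its key at startup; the line should read `tlsKey = "${tlsFiles}/privkey.pem";`. The larger problem is that generating the key inside a derivation puts the private key into the Nix store, which is world-readable on the host and will be copied to any binary cache or other machine that substitutes this path, whereas the removed lines kept it under `/var/lib/secrets/`; generating the key pair at activation or in a systemd pre-start step into a root-only directory (and pointing `tlsKey`/`tlsCertificate` there) avoids that. Two smaller issues in the buildPhase: the derivation is not fixed-output, so each evaluation on a new machine yields a different key, and `openssl req -new -x509` without `-subj` will likely try to prompt for subject fields in the non-interactive sandbox — `${pkgs.openssl}/bin/openssl req -new -x509 -days 365 -subj "/CN=wg-tunnel" -key privkey.pem > fullchain.pem` would at least make the build deterministic in its inputs.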