authorFranck Cuny <franck@fcuny.net>2022-03-02 17:37:28 -0800
committerFranck Cuny <franck@fcuny.net>2022-03-02 17:37:28 -0800
commitb465d49ae394f794404b756f6cf98d678ec34502 (patch)
tree33bea5d2960eed820326f4af071c9637acd0b5fc
parentusers: remove rsa key (diff)
downloadworld-b465d49ae394f794404b756f6cf98d678ec34502.tar.gz
wireguard: use agenix from the module
This is the correct way to set up the private key; let's see whether it
works consistently across hosts and reboots.
Diffstat (limited to '')
-rw-r--r--lib/private-wireguard.nix10
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/private-wireguard.nix b/lib/private-wireguard.nix
index 0d9b904..25f30b4 100644
--- a/lib/private-wireguard.nix
+++ b/lib/private-wireguard.nix
@@ -5,7 +5,7 @@ let
   inherit (builtins) readFile fromTOML fromJSON;
 
   cfg = config.networking.private-wireguard;
-  port = 51871;
+  port = 51820;
   wgcfg = fromTOML (readFile ./../configs/wireguard.toml);
   allPeers = wgcfg.peers;
   thisPeer = allPeers."${hostname}" or null;
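Review bot: The listen port change from 51871 to 51820 is not mentioned in the commit message, which only talks about agenix; a one-line note such as `# 51820 is the conventional WireGuard port; peers and any firewall rule must match` next to `port = 51820;` would tell a reader why it moved. If peer endpoints in `configs/wireguard.toml` or an `allowedUDPPorts` entry elsewhere still reference 51871, this change silently breaks connectivity, so that is worth confirming. The `let` block continues outside the hunk.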
@@ -16,10 +16,16 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    age.secrets.wg-privkey = {
+      file = ../secrets/network/${config.networking.hostName}/wireguard_privatekey.age;
+      mode = "0440";
+      owner = "0";
+    };
+
     networking = {
       wireguard.interfaces.wg0 = {
         listenPort = port;
-        privateKeyFile = "/var/lib/wireguard/wg0.key";
+        privateKeyFile = "/run/agenix/wg-privkey";
         ips = [
           "${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}"
         ];
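Review bot: `privateKeyFile = "/run/agenix/wg-privkey"` hard-codes the decrypted secret's location instead of reading it from the secret definition added in the same hunk; `privateKeyFile = config.age.secrets.wg-privkey.path;` keeps the two in sync if the agenix secrets directory is ever changed. The `mode = "0440"` is wider than needed: WireGuard's key is consumed by root, so `mode = "0400";` (agenix's usual default) avoids exposing it to the owner's group for no benefit. The secret path uses `config.networking.hostName` while the peer lookup above uses `hostname`; these are presumably the same value, but using one name for both would make that explicit. The `config` attribute set continues outside the hunk.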