authorFranck Cuny <franck@fcuny.net>2022-04-10 14:44:33 -0700
committerFranck Cuny <franck@fcuny.net>2022-04-10 14:44:33 -0700
commit6a5cb9b7544168e7136ab2dbd833c9fc63020db7 (patch)
tree88db9fe9f436648acba60ffea98fd47942343b74 /lib
parentadd a module for backup with restic (diff)
downloadworld-6a5cb9b7544168e7136ab2dbd833c9fc63020db7.tar.gz
secrets: move all the secrets under module/
Refactor the configuration a bit, which should simplify the management
and usage of secrets from now on.
Diffstat (limited to 'lib')
-rw-r--r--lib/default.nix1
-rw-r--r--lib/private-wireguard.nix18
2 files changed, 6 insertions, 13 deletions
diff --git a/lib/default.nix b/lib/default.nix
index 26cd954..4331bf3 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -11,7 +11,6 @@
         inherit inputs system hostname;
       };
       modules = [
-        inputs.agenix.nixosModules.age
         ../modules
         ../profiles
         ../hosts/${hostname}
diff --git a/lib/private-wireguard.nix b/lib/private-wireguard.nix
index 5369c3f..d77c7dd 100644
--- a/lib/private-wireguard.nix
+++ b/lib/private-wireguard.nix
@@ -3,7 +3,7 @@
 let
   inherit (lib) mkEnableOption mkOption mkIf types;
   inherit (builtins) readFile fromTOML fromJSON;
-
+  secrets = config.age.secrets;
   cfg = config.networking.private-wireguard;
   port = 51871;
   wgcfg = fromTOML (readFile ./../configs/wireguard.toml);
@@ -16,22 +16,17 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
-    age.secrets.wg-privkey = {
-      file = ../secrets/network/${config.networking.hostName}/wireguard_privatekey.age;
-      mode = "0440";
-      owner = "0";
-    };
-
     networking = {
       wireguard.interfaces.wg0 = {
         listenPort = port;
-        privateKeyFile = "/run/agenix/wg-privkey";
+        privateKeyFile =
+          secrets."network/${config.networking.hostName}/wireguard_privatekey".path;
         ips = [
           "${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}"
         ];
 
-        peers = lib.mapAttrsToList
-          (name: peer: {
+        peers = lib.mapAttrsToList (name: peer:
+          {
             allowedIPs = [
               "${wgcfg.subnet4}.${toString peer.ipv4}/${toString wgcfg.mask4}"
             ];
@@ -40,8 +35,7 @@ in {
             endpoint = "${peer.externalIp}:${toString port}";
           } // lib.optionalAttrs (!(thisPeer ? externalIp)) {
             persistentKeepalive = 10;
-          })
-          otherPeers;
+          }) otherPeers;
       };
     };
   };
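Review bot: The private key's file mode and owner are no longer visible at the point of use: the removed `age.secrets.wg-privkey` block pinned `mode = "0440"` and `owner = "0"`, while the new `privateKeyFile = secrets."network/${config.networking.hostName}/wireguard_privatekey".path;` inherits whatever the central declaration under modules/ sets, so that declaration should be checked to keep the key root-owned and unreadable by other users (agenix presumably applies its own restrictive defaults when mode/owner are omitted, but that is outside this diff). Because the same commit drops `inputs.agenix.nixosModules.age` from the module list in lib/default.nix, `config.age.secrets` only evaluates if the agenix module is now imported via ../modules; otherwise evaluation fails on the missing `age` option, which at least fails closed. Replacing the hard-coded `/run/agenix/wg-privkey` with `.path` is the right direction, and a one-line comment above the new binding, `# secrets are declared centrally under modules/; this module only references them by attribute name`, would tell the next reader where to look. The `config = lib.mkIf cfg.enable { ... }` set opened in the second hunk closes in the third, so the two hunks should be read together.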