author | Franck Cuny <franck@fcuny.net> | 2022-04-10 14:44:33 -0700 |
committer | Franck Cuny <franck@fcuny.net> | 2022-04-10 14:44:33 -0700 |
commit | 6a5cb9b7544168e7136ab2dbd833c9fc63020db7 (patch) | |
tree | 88db9fe9f436648acba60ffea98fd47942343b74 /lib | |
parent | add a module for backup with restic (diff) | |
secrets: move all the secrets under module/
Refactor the configuration a bit, which should simplify managing and using secrets from now on.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/default.nix | 1 | ||||
-rw-r--r-- | lib/private-wireguard.nix | 18 |
2 files changed, 6 insertions, 13 deletions
diff --git a/lib/default.nix b/lib/default.nix
index 26cd954..4331bf3 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -11,7 +11,6 @@
 inherit inputs system hostname;
 };
 modules = [
- inputs.agenix.nixosModules.age
 ../modules
 ../profiles
 ../hosts/${hostname}
diff --git a/lib/private-wireguard.nix b/lib/private-wireguard.nix
index 5369c3f..d77c7dd 100644
--- a/lib/private-wireguard.nix
+++ b/lib/private-wireguard.nix
@@ -3,7 +3,7 @@
 let
 inherit (lib) mkEnableOption mkOption mkIf types;
 inherit (builtins) readFile fromTOML fromJSON;
-
+ secrets = config.age.secrets;
 cfg = config.networking.private-wireguard;
 port = 51871;
 wgcfg = fromTOML (readFile ./../configs/wireguard.toml);
@@ -16,22 +16,17 @@ in {
 };
 config = lib.mkIf cfg.enable {
- age.secrets.wg-privkey = {
- file = ../secrets/network/${config.networking.hostName}/wireguard_privatekey.age;
- mode = "0440";
- owner = "0";
- };
-
 networking = {
 wireguard.interfaces.wg0 = {
 listenPort = port;
- privateKeyFile = "/run/agenix/wg-privkey";
+ privateKeyFile =
+ secrets."network/${config.networking.hostName}/wireguard_privatekey".path;
 ips = [
 "${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}"
 ];
- peers = lib.mapAttrsToList
- (name: peer: {
+ peers = lib.mapAttrsToList (name: peer:
+ {
 allowedIPs = [
 "${wgcfg.subnet4}.${toString peer.ipv4}/${toString wgcfg.mask4}"
 ];
@@ -40,8 +35,7 @@ in {
 endpoint = "${peer.externalIp}:${toString port}";
 } // lib.optionalAttrs (!(thisPeer ? externalIp)) {
 persistentKeepalive = 10;
- })
- otherPeers;
+ }) otherPeers;
 };
 };
 };
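Review bot: The file mode and owner that the removed `age.secrets.wg-privkey` block set explicitly (`mode = "0440"; owner = "0";`) are no longer visible next to their consumer; in the second hunk of lib/private-wireguard.nix, `privateKeyFile` now depends on whatever declares `age.secrets."network/<host>/wireguard_privatekey"` under modules/, which this diff does not show. If that declaration omits mode and owner, agenix falls back to its own defaults (root-owned, 0400 as far as I recall), which is fine for a key the wireguard unit reads as root but should be stated rather than assumed; a comment above the `privateKeyFile =` line such as `# secret is declared under modules/ (agenix); root-only permissions expected unless overridden there` would keep that contract visible. A host without that entry now fails at evaluation with a missing-attribute error, which is the safe failure mode and worth mentioning in the same comment; the same dependency applies to the lib/default.nix hunk, which drops the agenix module import and so relies on ../modules importing it. The `config = lib.mkIf cfg.enable {` set continues into the next hunk and the module ends outside this diff.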