author | Franck Cuny <franck@fcuny.net> | 2022-03-02 17:37:28 -0800 |
committer | Franck Cuny <franck@fcuny.net> | 2022-03-02 17:37:28 -0800 |
commit | b465d49ae394f794404b756f6cf98d678ec34502 (patch) | |
tree | 33bea5d2960eed820326f4af071c9637acd0b5fc /lib | |
parent | users: remove rsa key (diff) | |
download | world-b465d49ae394f794404b756f6cf98d678ec34502.tar.gz |
wireguard: use agenix from the module
This is the correct way to set up the private key; let's see whether it works consistently across hosts and reboots.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private-wireguard.nix | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/lib/private-wireguard.nix b/lib/private-wireguard.nix
index 0d9b904..25f30b4 100644
--- a/lib/private-wireguard.nix
+++ b/lib/private-wireguard.nix
@@ -5,7 +5,7 @@ let
 inherit (builtins) readFile fromTOML fromJSON;
 cfg = config.networking.private-wireguard;
- port = 51871;
+ port = 51820;
 wgcfg = fromTOML (readFile ./../configs/wireguard.toml);
 allPeers = wgcfg.peers;
 thisPeer = allPeers."${hostname}" or null;
@@ -16,10 +16,16 @@ in {
 };
 config = lib.mkIf cfg.enable {
+ age.secrets.wg-privkey = {
+ file = ../secrets/network/${config.networking.hostName}/wireguard_privatekey.age;
+ mode = "0440";
+ owner = "0";
+ };
+
 networking = {
 wireguard.interfaces.wg0 = {
 listenPort = port;
- privateKeyFile = "/var/lib/wireguard/wg0.key";
+ privateKeyFile = "/run/agenix/wg-privkey";
 ips = [ "${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}" ];
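Review bot: The listen port changes from 51871 to 51820 in the first hunk, yet neither the commit title nor the description says anything about it; the message only covers moving the private key to agenix, so a reader tracing a peer that stops connecting after this deploy has nothing to point them at the port. The peer table loaded from `configs/wireguard.toml` on the same hunk presumably carries endpoint ports, and any firewall rule opening 51871 would also need to follow — confirm both before this lands. Either split the port change into its own commit or at least annotate the value, e.g. `port = 51820; # WireGuard default; keep in sync with peer endpoints in configs/wireguard.toml`, and mention the change in the description. The `let` block this hunk belongs to begins before the hunk.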