From b465d49ae394f794404b756f6cf98d678ec34502 Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Wed, 2 Mar 2022 17:37:28 -0800
Subject: wireguard: use agenix from the module

This is the correct way to set up the private key, let's see if this works consistently across hosts and reboots.
---
 lib/private-wireguard.nix | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/lib/private-wireguard.nix b/lib/private-wireguard.nix
index 0d9b904..25f30b4 100644
--- a/lib/private-wireguard.nix
+++ b/lib/private-wireguard.nix
@@ -5,7 +5,7 @@ let
   inherit (builtins) readFile fromTOML fromJSON;
   cfg = config.networking.private-wireguard;
-  port = 51871;
+  port = 51820;
   wgcfg = fromTOML (readFile ./../configs/wireguard.toml);
   allPeers = wgcfg.peers;
   thisPeer = allPeers."${hostname}" or null;
@@ -16,10 +16,16 @@ in {
   };
 
   config = lib.mkIf cfg.enable {
+    age.secrets.wg-privkey = {
+      file = ../secrets/network/${config.networking.hostName}/wireguard_privatekey.age;
+      mode = "0440";
+      owner = "0";
+    };
+
     networking = {
       wireguard.interfaces.wg0 = {
         listenPort = port;
-        privateKeyFile = "/var/lib/wireguard/wg0.key";
+        privateKeyFile = "/run/agenix/wg-privkey";
         ips = [
           "${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}"
         ];
-- 
cgit 1.4.1
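Review bot: The port change from 51871 to 51820 is not mentioned in the commit message, and it has effects beyond this file: whatever peer endpoints are carried in configs/wireguard.toml (read two lines below) and any firewall rule opened for the old port presumably have to follow, or the tunnel stops handshaking after this deploy. A one-line comment would record the coupling, e.g. `port = 51820; # WireGuard default; must match peer endpoints in configs/wireguard.toml and the firewall`. Whether wireguard.toml already carries 51820 cannot be seen from this diff. The `let` block this hunk belongs to starts before the hunk.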
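Review bot: `mode = "0440"` on the new `age.secrets.wg-privkey` block grants the private key to every member of gid 0, which nothing in this module needs: the NixOS wireguard unit that reads `privateKeyFile` runs as root, so `mode = "0400";` is sufficient and keeps the key owner-only (if I recall agenix's defaults correctly, `0400` and `owner = "0"` are already the defaults, so both attributes could simply be dropped). A second point worth a comment: this hunk keys the secret by `config.networking.hostName` while the first hunk resolves the peer by `hostname`; if those two can ever diverge, a host would decrypt one key and announce another peer's address, so either use one name for both or note why they are guaranteed equal, e.g. `# hostName and hostname must agree: the key is per host, the peer entry is per hostname`. The `config = lib.mkIf cfg.enable { … }` attribute set continues past the end of the hunk.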