hosts/plover: move Wireguard secrets to appropriate location

hosts/plover/default.nix

@@ -103,21 +103,6 @@ in
       "borg/ssh-key" = { };
       "keycloak/db/password".owner = postgresUser;
       "ldap/users/foodogsquared/password".owner = portunusUser;
-      "wireguard/private-key" = {
-        group = config.users.users.systemd-network.group;
-        reloadUnits = [ "systemd-networkd.service" ];
-        mode = "0640";
-      };
-      "wireguard/preshared-keys/ni" = {
-        group = config.users.users.systemd-network.group;
-        reloadUnits = [ "systemd-networkd.service" ];
-        mode = "0640";
-      };
-      "wireguard/preshared-keys/phone" = {
-        group = config.users.users.systemd-network.group;
-        reloadUnits = [ "systemd-networkd.service" ];
-        mode = "0640";
-      };
     };
 
   # All of the keys required to deploy the secrets.

hosts/plover/modules/services/wireguard.nix

@@ -12,11 +12,35 @@ let
 
   desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/32" "${IPv6}/128" ];
   phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/32" "${IPv6}/128" ];
-
 in
 {
   environment.systemPackages = [ pkgs.wireguard-tools ];
 
+  sops.secrets = let
+    getKey = key: {
+      inherit key;
+      sopsFile = ../../secrets/secrets.yaml;
+    };
+
+    getSecrets = secrets:
+      (lib.mapAttrs' (name: config:
+        lib.nameValuePair
+          "plover/${name}"
+          ((getKey name) // config))
+          secrets);
+
+    systemdNetworkdPermission = {
+      group = config.users.users.systemd-network.group;
+      reloadUnits = [ "systemd-networkd.service" ];
+      mode = "0640";
+    };
+  in
+  getSecrets {
+    "wireguard/private-key" = systemdNetworkdPermission;
+    "wireguard/preshared-keys/ni" = systemdNetworkdPermission;
+    "wireguard/preshared-keys/phone" = systemdNetworkdPermission;
+  };
+
   networking.firewall = {
     # Allow the UDP traffic for the Wireguard service.
     allowedUDPPorts = [ wireguardPort ];