From 8a84eb244532b3da16e60b061641efb53539320d Mon Sep 17 00:00:00 2001
From: Gabriel Arazas <foodogsquared@foodogsquared.one>
Date: Tue, 27 Jun 2023 20:52:57 +0800
Subject: [PATCH] hosts/plover: move Wireguard secrets to appropriate location

---
 hosts/plover/default.nix                    | 15 ------------
 hosts/plover/modules/services/wireguard.nix | 26 ++++++++++++++++++++-
 2 files changed, 25 insertions(+), 16 deletions(-)

diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index 3581b7f7..19fc9fe6 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@@ -103,21 +103,6 @@ in
       "borg/ssh-key" = { };
       "keycloak/db/password".owner = postgresUser;
       "ldap/users/foodogsquared/password".owner = portunusUser;
-      "wireguard/private-key" = {
-        group = config.users.users.systemd-network.group;
-        reloadUnits = [ "systemd-networkd.service" ];
-        mode = "0640";
-      };
-      "wireguard/preshared-keys/ni" = {
-        group = config.users.users.systemd-network.group;
-        reloadUnits = [ "systemd-networkd.service" ];
-        mode = "0640";
-      };
-      "wireguard/preshared-keys/phone" = {
-        group = config.users.users.systemd-network.group;
-        reloadUnits = [ "systemd-networkd.service" ];
-        mode = "0640";
-      };
     };
 
   # All of the keys required to deploy the secrets.
diff --git a/hosts/plover/modules/services/wireguard.nix b/hosts/plover/modules/services/wireguard.nix
index b1560a5e..9e004124 100644
--- a/hosts/plover/modules/services/wireguard.nix
+++ b/hosts/plover/modules/services/wireguard.nix
@@ -12,11 +12,35 @@ let
 
   desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/32" "${IPv6}/128" ];
   phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/32" "${IPv6}/128" ];
-
 in
 {
   environment.systemPackages = [ pkgs.wireguard-tools ];
 
+  sops.secrets = let
+    getKey = key: {
+      inherit key;
+      sopsFile = ../../secrets/secrets.yaml;
+    };
+
+    getSecrets = secrets:
+      (lib.mapAttrs' (name: config:
+        lib.nameValuePair
+          "plover/${name}"
+          ((getKey name) // config))
+          secrets);
+
+    systemdNetworkdPermission = {
+      group = config.users.users.systemd-network.group;
+      reloadUnits = [ "systemd-networkd.service" ];
+      mode = "0640";
+    };
+  in
+  getSecrets {
+    "wireguard/private-key" = systemdNetworkdPermission;
+    "wireguard/preshared-keys/ni" = systemdNetworkdPermission;
+    "wireguard/preshared-keys/phone" = systemdNetworkdPermission;
+  };
+
   networking.firewall = {
     # Allow the UDP traffic for the Wireguard service.
     allowedUDPPorts = [ wireguardPort ];