From 8a84eb244532b3da16e60b061641efb53539320d Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Tue, 27 Jun 2023 20:52:57 +0800
Subject: [PATCH] hosts/plover: move Wireguard secrets to appropriate location
---
 hosts/plover/default.nix                    | 15 ------------
 hosts/plover/modules/services/wireguard.nix | 26 ++++++++++++++++++++-
 2 files changed, 25 insertions(+), 16 deletions(-)
diff --git a/hosts/plover/default.nix b/hosts/plover/default.nix
index 3581b7f7..19fc9fe6 100644
--- a/hosts/plover/default.nix
+++ b/hosts/plover/default.nix
@@ -103,21 +103,6 @@ in
     "borg/ssh-key" = { };
     "keycloak/db/password".owner = postgresUser;
     "ldap/users/foodogsquared/password".owner = portunusUser;
-    "wireguard/private-key" = {
-      group = config.users.users.systemd-network.group;
-      reloadUnits = [ "systemd-networkd.service" ];
-      mode = "0640";
-    };
-    "wireguard/preshared-keys/ni" = {
-      group = config.users.users.systemd-network.group;
-      reloadUnits = [ "systemd-networkd.service" ];
-      mode = "0640";
-    };
-    "wireguard/preshared-keys/phone" = {
-      group = config.users.users.systemd-network.group;
-      reloadUnits = [ "systemd-networkd.service" ];
-      mode = "0640";
-    };
   };
 
   # All of the keys required to deploy the secrets.
diff --git a/hosts/plover/modules/services/wireguard.nix b/hosts/plover/modules/services/wireguard.nix
index b1560a5e..9e004124 100644
--- a/hosts/plover/modules/services/wireguard.nix
+++ b/hosts/plover/modules/services/wireguard.nix
@@ -12,11 +12,35 @@ let desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/32" "${IPv6}/128" ]; phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/32" "${IPv6}/128" ]; - in { environment.systemPackages = [ pkgs.wireguard-tools ]; + sops.secrets = let + getKey = key: { + inherit key; + sopsFile = ../../secrets/secrets.yaml; + }; + + getSecrets = secrets: + (lib.mapAttrs' (name: config: + lib.nameValuePair + "plover/${name}" + ((getKey name) // config)) + secrets); + + systemdNetworkdPermission = { + group = config.users.users.systemd-network.group; + reloadUnits = [ "systemd-networkd.service" ]; + mode = "0640"; + }; + in + getSecrets { + "wireguard/private-key" = systemdNetworkdPermission; + "wireguard/preshared-keys/ni" = systemdNetworkdPermission; + "wireguard/preshared-keys/phone" = systemdNetworkdPermission; + }; + networking.firewall = { # Allow the UDP traffic for the Wireguard service. allowedUDPPorts = [ wireguardPort ];
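Review bot: The lambda parameter in the new `getSecrets` shadows the module's `config` argument (`lib.mapAttrs' (name: config: ...)`), so inside that lambda `config` is the per-secret attrset rather than the NixOS configuration; it only works because the lambda body never needs the outer `config`, while `systemdNetworkdPermission` reads `config.users.users.systemd-network.group` outside it. Renaming the parameter, e.g. `lib.mapAttrs' (name: extra: lib.nameValuePair "plover/${name}" ((getKey name) // extra))`, removes that trap for the next edit to this block. The `getKey`/`getSecrets` helpers also look duplicated from hosts/plover/default.nix (the removed entries there sat next to `"borg/ssh-key"` under what appears to be the same `let ... in` wrapper), so the `plover/` key prefix and the `sopsFile` path are now maintained in two places; a shared helper would keep the secret names consistent, and any `config.sops.secrets.<name>.path` reference elsewhere must use the prefixed name or the key material will not be found. The enclosing `let ... in { ... }` module expression starts before the hunk.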