hosts/plover: move Wireguard secrets to appropriate location
This commit is contained in:
parent
0645422e16
commit
8a84eb2445
@ -103,21 +103,6 @@ in
|
|||||||
"borg/ssh-key" = { };
|
"borg/ssh-key" = { };
|
||||||
"keycloak/db/password".owner = postgresUser;
|
"keycloak/db/password".owner = postgresUser;
|
||||||
"ldap/users/foodogsquared/password".owner = portunusUser;
|
"ldap/users/foodogsquared/password".owner = portunusUser;
|
||||||
"wireguard/private-key" = {
|
|
||||||
group = config.users.users.systemd-network.group;
|
|
||||||
reloadUnits = [ "systemd-networkd.service" ];
|
|
||||||
mode = "0640";
|
|
||||||
};
|
|
||||||
"wireguard/preshared-keys/ni" = {
|
|
||||||
group = config.users.users.systemd-network.group;
|
|
||||||
reloadUnits = [ "systemd-networkd.service" ];
|
|
||||||
mode = "0640";
|
|
||||||
};
|
|
||||||
"wireguard/preshared-keys/phone" = {
|
|
||||||
group = config.users.users.systemd-network.group;
|
|
||||||
reloadUnits = [ "systemd-networkd.service" ];
|
|
||||||
mode = "0640";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
# All of the keys required to deploy the secrets.
|
# All of the keys required to deploy the secrets.
|
||||||
|
@ -12,11 +12,35 @@ let
|
|||||||
|
|
||||||
desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/32" "${IPv6}/128" ];
|
desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/32" "${IPv6}/128" ];
|
||||||
phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/32" "${IPv6}/128" ];
|
phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/32" "${IPv6}/128" ];
|
||||||
|
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
environment.systemPackages = [ pkgs.wireguard-tools ];
|
environment.systemPackages = [ pkgs.wireguard-tools ];
|
||||||
|
|
||||||
|
sops.secrets = let
|
||||||
|
getKey = key: {
|
||||||
|
inherit key;
|
||||||
|
sopsFile = ../../secrets/secrets.yaml;
|
||||||
|
};
|
||||||
|
|
||||||
|
getSecrets = secrets:
|
||||||
|
(lib.mapAttrs' (name: config:
|
||||||
|
lib.nameValuePair
|
||||||
|
"plover/${name}"
|
||||||
|
((getKey name) // config))
|
||||||
|
secrets);
|
||||||
|
|
||||||
|
systemdNetworkdPermission = {
|
||||||
|
group = config.users.users.systemd-network.group;
|
||||||
|
reloadUnits = [ "systemd-networkd.service" ];
|
||||||
|
mode = "0640";
|
||||||
|
};
|
||||||
|
in
|
||||||
|
getSecrets {
|
||||||
|
"wireguard/private-key" = systemdNetworkdPermission;
|
||||||
|
"wireguard/preshared-keys/ni" = systemdNetworkdPermission;
|
||||||
|
"wireguard/preshared-keys/phone" = systemdNetworkdPermission;
|
||||||
|
};
|
||||||
|
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
# Allow the UDP traffic for the Wireguard service.
|
# Allow the UDP traffic for the Wireguard service.
|
||||||
allowedUDPPorts = [ wireguardPort ];
|
allowedUDPPorts = [ wireguardPort ];
|
||||||
|
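Review bot: The mapper in `getSecrets` names its second parameter `config` (`lib.mapAttrs' (name: config:`), which shadows the module's `config` argument inside that lambda; `systemdNetworkdPermission` reads `config.users.users.systemd-network.group` from the enclosing `let`, so it is unaffected today, but any later `config.` reference inside the mapper would silently resolve to the per-secret attrset instead. Renaming it, e.g. `lib.mapAttrs' (name: value:` and `((getKey name) // value))`, removes the trap. A short comment on `getSecrets` would also help, since `key = name` keeps the sops entry under its unprefixed key while the attribute (and presumably the decrypted path) becomes `plover/${name}`; something like `# Looks up <name> in secrets.yaml but registers it as sops.secrets."plover/<name>"; consumers must use the prefixed attribute.` If the entries removed in the first hunk were registered under a different attribute name, every consumer of the three Wireguard secret paths needs the same rename — that cannot be confirmed from what is visible here.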