foodogsquared/nixos-config
1
0
Fork 0
mirror of https://github.com/foo-dogsquared/nixos-config.git synced 2025-03-15 06:19:00 +00:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

hosts/plover: move Wireguard secrets to appropriate location

Browse Source
This commit is contained in:
Gabriel Arazas 2023-06-27 20:52:57 +08:00
parent 0645422e16
commit 8a84eb2445
No known key found for this signature in database
GPG Key ID: ADE0C41DAB221FCC
2 changed files with 25 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
hosts/plover/default.nix
View File

@ -103,21 +103,6 @@ in
"borg/ssh-key" = { }; "borg/ssh-key" = { };
"keycloak/db/password".owner = postgresUser; "keycloak/db/password".owner = postgresUser;
"ldap/users/foodogsquared/password".owner = portunusUser; "ldap/users/foodogsquared/password".owner = portunusUser;
"wireguard/private-key" = {
group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ];
mode = "0640";
};
"wireguard/preshared-keys/ni" = {
group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ];
mode = "0640";
};
"wireguard/preshared-keys/phone" = {
group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ];
mode = "0640";
};
}; };
# All of the keys required to deploy the secrets. # All of the keys required to deploy the secrets.

26
hosts/plover/modules/services/wireguard.nix
View File

@ -12,11 +12,35 @@ let
desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/32" "${IPv6}/128" ]; desktopPeerAddresses = with wireguardPeers.desktop; [ "${IPv4}/32" "${IPv6}/128" ];
phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/32" "${IPv6}/128" ]; phonePeerAddresses = with wireguardPeers.phone; [ "${IPv4}/32" "${IPv6}/128" ];
in in
{ {
environment.systemPackages = [ pkgs.wireguard-tools ]; environment.systemPackages = [ pkgs.wireguard-tools ];
sops.secrets = let
getKey = key: {
inherit key;
sopsFile = ../../secrets/secrets.yaml;
};
getSecrets = secrets:
(lib.mapAttrs' (name: config:
lib.nameValuePair
"plover/${name}"
((getKey name) // config))
secrets);
systemdNetworkdPermission = {
group = config.users.users.systemd-network.group;
reloadUnits = [ "systemd-networkd.service" ];
mode = "0640";
};
in
getSecrets {
"wireguard/private-key" = systemdNetworkdPermission;
"wireguard/preshared-keys/ni" = systemdNetworkdPermission;
"wireguard/preshared-keys/phone" = systemdNetworkdPermission;
};
networking.firewall = { networking.firewall = {
# Allow the UDP traffic for the Wireguard service. # Allow the UDP traffic for the Wireguard service.
allowedUDPPorts = [ wireguardPort ]; allowedUDPPorts = [ wireguardPort ];