From 7cebaa3751fcfd295ec3e2d7960cd7411a05be2d Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Sun, 16 Apr 2023 19:43:39 +0100
Subject: [PATCH] modules: secrets: move wireguard keys

This is a bit special, as some of the keys do not belong to NixOS hosts, so store those in the module itself, and into host-specific directories for the keys that are NixOS hosts.
---
 hosts/nixos/aramis/secrets/secrets.nix | 2 +-
 .../aramis/secrets/wireguard}/private-key.age | Bin
 hosts/nixos/porthos/secrets/secrets.nix | 2 ++
 .../porthos/secrets/wireguard}/private-key.age | 0
 modules/secrets/secrets.nix | 5 -----
 modules/services/wireguard/default.nix | 2 +-
 .../wireguard/keys}/milady/private-key.age | 0
 .../wireguard/keys}/richelieu/private-key.age | 0
 modules/services/wireguard/keys/secrets.nix | 15 +++++++++++++++
 9 files changed, 19 insertions(+), 7 deletions(-)
 rename {modules/secrets/wireguard/aramis => hosts/nixos/aramis/secrets/wireguard}/private-key.age (100%)
 rename {modules/secrets/wireguard/porthos => hosts/nixos/porthos/secrets/wireguard}/private-key.age (100%)
 rename modules/{secrets/wireguard => services/wireguard/keys}/milady/private-key.age (100%)
 rename modules/{secrets/wireguard => services/wireguard/keys}/richelieu/private-key.age (100%)
 create mode 100644 modules/services/wireguard/keys/secrets.nix

diff --git a/hosts/nixos/aramis/secrets/secrets.nix b/hosts/nixos/aramis/secrets/secrets.nix
index 55e64a9..ce159a5 100644
--- a/hosts/nixos/aramis/secrets/secrets.nix
+++ b/hosts/nixos/aramis/secrets/secrets.nix
@@ -9,5 +9,5 @@ let
 ];
 in
 {
- # Add secrets here
+ "wireguard/private-key.age".publicKeys = all;
 }
diff --git a/modules/secrets/wireguard/aramis/private-key.age b/hosts/nixos/aramis/secrets/wireguard/private-key.age
similarity index 100%
rename from modules/secrets/wireguard/aramis/private-key.age
rename to hosts/nixos/aramis/secrets/wireguard/private-key.age
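Review bot: Changing the `publicKeys` entry here does not by itself change who can decrypt `wireguard/private-key.age`: the accompanying rename is recorded at similarity index 100%, so the ciphertext is byte-identical and still addressed to whatever recipients the removed `modules/secrets/secrets.nix` entry used until the file is rekeyed. If this host-level `all` (defined above the hunk, so I cannot compare it) is narrower than the module-level one — which is the point of moving the key into the host directory — the narrowing only takes effect after a rekey (`agenix --rekey`, assuming this is agenix given the `.age`/`publicKeys` convention); the porthos hunk and its renamed key have the same property. I would also add a one-line comment on the new entry pointing at the consumer, e.g. `# Read by modules/services/wireguard as secrets."wireguard/private-key"`, since the consumer lives in a different tree from the registration.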
diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix
index 6b77dc6..7d05b7f 100644
--- a/hosts/nixos/porthos/secrets/secrets.nix
+++ b/hosts/nixos/porthos/secrets/secrets.nix
@@ -59,6 +59,8 @@ in
 "transmission/credentials.age".publicKeys = all;
+ "wireguard/private-key.age".publicKeys = all;
+
 "woodpecker/gitea.age".publicKeys = all;
 "woodpecker/secret.age".publicKeys = all;
 "woodpecker/ssh/private-key.age".publicKeys = all;
diff --git a/modules/secrets/wireguard/porthos/private-key.age b/hosts/nixos/porthos/secrets/wireguard/private-key.age
similarity index 100%
rename from modules/secrets/wireguard/porthos/private-key.age
rename to hosts/nixos/porthos/secrets/wireguard/private-key.age
diff --git a/modules/secrets/secrets.nix b/modules/secrets/secrets.nix
index 221d1e1..0e685d9 100644
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@@ -7,9 +7,4 @@ in
 {
 "users/ambroisie/hashed-password.age".publicKeys = all;
 "users/root/hashed-password.age".publicKeys = all;
-
- "wireguard/aramis/private-key.age".publicKeys = all;
- "wireguard/milady/private-key.age".publicKeys = all;
- "wireguard/porthos/private-key.age".publicKeys = all;
- "wireguard/richelieu/private-key.age".publicKeys = all;
 }
diff --git a/modules/services/wireguard/default.nix b/modules/services/wireguard/default.nix
index 656fdb2..8d40fd4 100644
--- a/modules/services/wireguard/default.nix
+++ b/modules/services/wireguard/default.nix
@@ -12,7 +12,7 @@ let
 let
 mkPeer = name: attrs: {
 inherit (attrs) clientNum publicKey;
- privateKeyFile = secrets."wireguard/${name}/private-key".path;
+ privateKeyFile = secrets."wireguard/private-key".path;
 } // lib.optionalAttrs (attrs ? externalIp) {
 inherit (attrs) externalIp;
 };
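Review bot: In the `modules/services/wireguard/default.nix` hunk, `privateKeyFile` no longer depends on `name`, so every attribute set produced by `mkPeer` now carries the same `secrets."wireguard/private-key".path` — the evaluating host's own key — including the entries that describe other machines. That is harmless only if the `privateKeyFile` of non-local peers is never consumed; the rest of `mkPeer` and its callers are outside this hunk, so I cannot confirm that from here. I would either document the assumption at the changed line, `# Host-relative: only meaningful for the peer that is the evaluating host.`, or move `privateKeyFile` out of the per-peer attribute set and set it once on the interface, so that a later consumer cannot mistake a remote peer's entry for a usable key path. Since `name` is now unused in the visible body, also check whether it is still needed by code outside the hunk.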
diff --git a/modules/secrets/wireguard/milady/private-key.age b/modules/services/wireguard/keys/milady/private-key.age
similarity index 100%
rename from modules/secrets/wireguard/milady/private-key.age
rename to modules/services/wireguard/keys/milady/private-key.age
diff --git a/modules/secrets/wireguard/richelieu/private-key.age b/modules/services/wireguard/keys/richelieu/private-key.age
similarity index 100%
rename from modules/secrets/wireguard/richelieu/private-key.age
rename to modules/services/wireguard/keys/richelieu/private-key.age
diff --git a/modules/services/wireguard/keys/secrets.nix b/modules/services/wireguard/keys/secrets.nix
new file mode 100644
index 0000000..3985477
--- /dev/null
+++ b/modules/services/wireguard/keys/secrets.nix
@@ -0,0 +1,15 @@
+# Extra wireguard keys that are not hosts NixOS hosts
+let
+ keys = import ../../../../keys;
+
+ all = [
+ keys.users.ambroisie
+ ];
+in
+{
+ # Sarah's iPhone
+ "milady/private-key.age".publicKeys = all;
+
+ # My Android phone
+ "richelieu/private-key.age".publicKeys = all;
+}
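Review bot: The header comment `# Extra wireguard keys that are not hosts NixOS hosts` has a doubled word and, more importantly, does not say why `all` here is only `keys.users.ambroisie`; I'd write `# Wireguard private keys of peers that are not NixOS hosts. Encrypted to the user only: no host reads these, they exist to (re)provision the phones.` so that nobody later adds host keys to this `all` "for consistency" with the host-level secrets.nix files. The user-only recipient list is the narrower grant and is the right default here — within this patch, `default.nix` now resolves only `secrets."wireguard/private-key"`, so nothing on a NixOS host needs `milady` or `richelieu`. As with the host keys, both renames are at similarity index 100%, so if the previous module-level recipient list included host keys these two ciphertexts still decrypt for those hosts until rekeyed. The `import ../../../../keys` path resolves, by its four `..` segments, to a `keys` directory at the repository root; a short comment saying so would make the depth-sensitive path less fragile to future moves.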