modules: secrets: move wireguard keys

This is a bit special, as some of the keys do not belong to NixOS hosts,
so store those in the module itself, and into host-specific directories
for the keys that are NixOS hosts.

modules/secrets/secrets.nix

@@ -7,9 +7,4 @@ in
 {
   "users/ambroisie/hashed-password.age".publicKeys = all;
   "users/root/hashed-password.age".publicKeys = all;
-
-  "wireguard/aramis/private-key.age".publicKeys = all;
-  "wireguard/milady/private-key.age".publicKeys = all;
-  "wireguard/porthos/private-key.age".publicKeys = all;
-  "wireguard/richelieu/private-key.age".publicKeys = all;
 }

modules/secrets/wireguard/porthos/private-key.age

@@ -1,10 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 cKojmg +WwRpd2MzycutQFXyLsr2+GzSgF67Z6UuvyqYZaLd3w
-sppt8HzaZP3yxnvnhzjl18Trnz8g3VyXJ6CaVBWd7jA
--> ssh-ed25519 jPowng wanoqGB7T8bim/WZ4IAYViFQoGzaIZSgeoTr3YKpeTY
-ihDAdGa1XVW/qQz40V1v7a7iK7tu0EHMa7ayIogpcRw
--> l-grease |PIcZ NIr >0;*
-4o8o0bevQZ6uDSx1WxxlDCURbFCM+yK1XPdrb9aztCSvG2a+ne78E42l5rBcoH7I
-m51A8uWS4nSj36N/76v6K4kelxKzWUg
---- O6cGbTAVbDcdmPHf7UzfZiyiRtu1yfL4sBI+CkJA1qw
-ý
qýŐ$ň`żw'čS“X¸]Ąá÷ř®úî…?¤6‹Đ/ĆN(Bžň N«a”.˙ HŽ7żí•I<E280A2>ú÷Ŕoz‡/4:sK",7J

modules/services/wireguard/default.nix

@@ -12,7 +12,7 @@ let
     let
       mkPeer = name: attrs: {
         inherit (attrs) clientNum publicKey;
-        privateKeyFile = secrets."wireguard/${name}/private-key".path;
+        privateKeyFile = secrets."wireguard/private-key".path;
       } // lib.optionalAttrs (attrs ? externalIp) {
         inherit (attrs) externalIp;
       };

modules/services/wireguard/keys/secrets.nix

@@ -0,0 +1,15 @@
+# Extra wireguard keys that are not hosts NixOS hosts
+let
+  keys = import ../../../../keys;
+
+  all = [
+    keys.users.ambroisie
+  ];
+in
+{
+  # Sarah's iPhone
+  "milady/private-key.age".publicKeys = all;
+
+  # My Android phone
+  "richelieu/private-key.age".publicKeys = all;
+}