modules: services: wireguard: use agenix secrets

modules/services/wireguard.nix

@@ -5,9 +5,37 @@
 { config, lib, pkgs, ... }:
 let
   cfg = config.my.services.wireguard;
+  secrets = config.age.secrets;
   hostName = config.networking.hostName;
 
-  peers = config.my.secrets.wireguard.peers;
+  peers =
+    let
+      mkPeer = name: attrs: {
+        inherit (attrs) clientNum publicKey;
+        privateKeyFile = secrets."wireguard/${name}/private-key".path;
+      } // lib.optionalAttrs (attrs ? externalIp) {
+        inherit (attrs) externalIp;
+      };
+    in
+    lib.mapAttrs mkPeer {
+      # "Server"
+      porthos = {
+        clientNum = 1;
+        publicKey = "PLdgsizztddri0LYtjuNHr5r2E8D+yI+gM8cm5WDfHQ=";
+        externalIp = "91.121.177.163";
+      };
+
+      # "Clients"
+      aramis = {
+        clientNum = 2;
+        publicKey = "QJSWIBS1mXTpxYybLlKu/Y5wy0GFbUfn4yPzpF1DZDc=";
+      };
+
+      richelieu = {
+        clientNum = 3;
+        publicKey = "w4IADAj2Tt7Qe95a0RxDv9ovg/Dr/f3q1LrVOPF48Rk=";
+      };
+    };
   thisPeer = peers."${hostName}";
   thisPeerIsServer = thisPeer ? externalIp;
   # Only connect to clients from server, and only connect to server from clients
@@ -26,8 +54,7 @@ let
       "${v4.subnet}.${toString thisPeer.clientNum}/${toString v4.mask}"
       "${v6.subnet}::${toString thisPeer.clientNum}/${toHexString v6.mask}"
     ];
-    # Insecure, I don't care
+    inherit (thisPeer) privateKeyFile;
-    privateKey = thisPeer.privateKey;
 
     peers =
       let