modules: services: wireguard: use agenix secrets

2021-09-25 14:41:43 +02:00 · 2021-09-25 14:41:43 +02:00 · b6af754199
parent ca5e5a53cd
commit b6af754199
1 changed files with 30 additions and 3 deletions
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@ -5,9 +5,37 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.my.services.wireguard;
+  secrets = config.age.secrets;
  hostName = config.networking.hostName;

-  peers = config.my.secrets.wireguard.peers;
+  peers =
+    let
+      mkPeer = name: attrs: {
+        inherit (attrs) clientNum publicKey;
+        privateKeyFile = secrets."wireguard/${name}/private-key".path;
+      } // lib.optionalAttrs (attrs ? externalIp) {
+        inherit (attrs) externalIp;
+      };
+    in
+    lib.mapAttrs mkPeer {
+      # "Server"
+      porthos = {
+        clientNum = 1;
+        publicKey = "PLdgsizztddri0LYtjuNHr5r2E8D+yI+gM8cm5WDfHQ=";
+        externalIp = "91.121.177.163";
+      };
+
+      # "Clients"
+      aramis = {
+        clientNum = 2;
+        publicKey = "QJSWIBS1mXTpxYybLlKu/Y5wy0GFbUfn4yPzpF1DZDc=";
+      };
+
+      richelieu = {
+        clientNum = 3;
+        publicKey = "w4IADAj2Tt7Qe95a0RxDv9ovg/Dr/f3q1LrVOPF48Rk=";
+      };
+    };
  thisPeer = peers."${hostName}";
  thisPeerIsServer = thisPeer ? externalIp;
  # Only connect to clients from server, and only connect to server from clients
@ -26,8 +54,7 @@ let
      "${v4.subnet}.${toString thisPeer.clientNum}/${toString v4.mask}"
      "${v6.subnet}::${toString thisPeer.clientNum}/${toHexString v6.mask}"
    ];
-    # Insecure, I don't care
-    privateKey = thisPeer.privateKey;
+    inherit (thisPeer) privateKeyFile;

    peers =
      let