From b6af75419951d16930a2ad27eca8f0625fc6af5b Mon Sep 17 00:00:00 2001
From: Bruno BELANYI
Date: Sat, 25 Sep 2021 14:41:43 +0200
Subject: [PATCH] modules: services: wireguard: use agenix secrets

---
 modules/services/wireguard.nix | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
index 977c6c5..d919803 100644
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -5,9 +5,37 @@
 { config, lib, pkgs, ... }:
 let
   cfg = config.my.services.wireguard;
+  secrets = config.age.secrets;
   hostName = config.networking.hostName;
-  peers = config.my.secrets.wireguard.peers;
+  peers =
+    let
+      mkPeer = name: attrs: {
+        inherit (attrs) clientNum publicKey;
+        privateKeyFile = secrets."wireguard/${name}/private-key".path;
+      } // lib.optionalAttrs (attrs ? externalIp) {
+        inherit (attrs) externalIp;
+      };
+    in
+    lib.mapAttrs mkPeer {
+      # "Server"
+      porthos = {
+        clientNum = 1;
+        publicKey = "PLdgsizztddri0LYtjuNHr5r2E8D+yI+gM8cm5WDfHQ=";
+        externalIp = "91.121.177.163";
+      };
+
+      # "Clients"
+      aramis = {
+        clientNum = 2;
+        publicKey = "QJSWIBS1mXTpxYybLlKu/Y5wy0GFbUfn4yPzpF1DZDc=";
+      };
+
+      richelieu = {
+        clientNum = 3;
+        publicKey = "w4IADAj2Tt7Qe95a0RxDv9ovg/Dr/f3q1LrVOPF48Rk=";
+      };
+    };
   thisPeer = peers."${hostName}";
   thisPeerIsServer = thisPeer ? externalIp;
   # Only connect to clients from server, and only connect to server from clients
@@ -26,8 +54,7 @@ let
       "${v4.subnet}.${toString thisPeer.clientNum}/${toString v4.mask}"
       "${v6.subnet}::${toString thisPeer.clientNum}/${toHexString v6.mask}"
     ];
-    # Insecure, I don't care
-    privateKey = thisPeer.privateKey;
+    inherit (thisPeer) privateKeyFile;
     peers =
       let
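Review bot: The `privateKeyFile` line inside `mkPeer` turns `age.secrets."wireguard/<name>/private-key"` into an implicit contract for every host listed in `peers`, but nothing in the hunk documents where that secret is declared or that, because `lib.mapAttrs` is lazy, only the entry for `hostName` is ever forced, so a host that omits another peer's secret is fine while a host missing its own fails at evaluation with a bare "attribute missing" error; a comment such as `# Each host declares age.secrets."wireguard/${hostName}/private-key"; other peers' paths are never evaluated` would make the dependency explicit. The peer attrset moved out of `config.my.secrets.wireguard.peers` now carries public keys and `externalIp` in clear text in the module, which is appropriate for public material, and a one-line note that nothing in this set is sensitive would stop a later maintainer from re-adding a private field here. The mode and owner of the decrypted file are outside this hunk; WireGuard reads `privateKeyFile` as root, so the agenix default should be sufficient, but the secret declaration should be checked to confirm it is not widened. The enclosing `let` block continues past both hunks, and the second hunk is cut off after `let`.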