modules: services: wireguard: use agenix secrets

This commit is contained in:
Bruno BELANYI 2021-09-25 14:41:43 +02:00
parent ca5e5a53cd
commit b6af754199

View file

@ -5,9 +5,37 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
cfg = config.my.services.wireguard; cfg = config.my.services.wireguard;
secrets = config.age.secrets;
hostName = config.networking.hostName; hostName = config.networking.hostName;
peers = config.my.secrets.wireguard.peers; peers =
let
mkPeer = name: attrs: {
inherit (attrs) clientNum publicKey;
privateKeyFile = secrets."wireguard/${name}/private-key".path;
} // lib.optionalAttrs (attrs ? externalIp) {
inherit (attrs) externalIp;
};
in
lib.mapAttrs mkPeer {
# "Server"
porthos = {
clientNum = 1;
publicKey = "PLdgsizztddri0LYtjuNHr5r2E8D+yI+gM8cm5WDfHQ=";
externalIp = "91.121.177.163";
};
# "Clients"
aramis = {
clientNum = 2;
publicKey = "QJSWIBS1mXTpxYybLlKu/Y5wy0GFbUfn4yPzpF1DZDc=";
};
richelieu = {
clientNum = 3;
publicKey = "w4IADAj2Tt7Qe95a0RxDv9ovg/Dr/f3q1LrVOPF48Rk=";
};
};
thisPeer = peers."${hostName}"; thisPeer = peers."${hostName}";
thisPeerIsServer = thisPeer ? externalIp; thisPeerIsServer = thisPeer ? externalIp;
# Only connect to clients from server, and only connect to server from clients # Only connect to clients from server, and only connect to server from clients
@ -26,8 +54,7 @@ let
"${v4.subnet}.${toString thisPeer.clientNum}/${toString v4.mask}" "${v4.subnet}.${toString thisPeer.clientNum}/${toString v4.mask}"
"${v6.subnet}::${toString thisPeer.clientNum}/${toHexString v6.mask}" "${v6.subnet}::${toString thisPeer.clientNum}/${toHexString v6.mask}"
]; ];
# Insecure, I don't care inherit (thisPeer) privateKeyFile;
privateKey = thisPeer.privateKey;
peers = peers =
let let