secrets/chunk: add missing secrets and rewrite everything to new structure

2024-12-16 23:20:51 -05:00 · 2024-12-16 23:20:51 -05:00 · 3d927f8372
commit 3d927f8372
parent 029e608eaa
11 changed files with 123 additions and 39 deletions
--- a/hosts/chunk/wireguard.nix
+++ b/hosts/chunk/wireguard.nix
@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+  pkgs,
+  config,
+  ...
+}: {
  networking.nat = {
    enable = true;
    enableIPv6 = true;
@ -9,7 +13,7 @@
  networking.wg-quick.interfaces.wg0 = {
    address = ["10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64"];
    listenPort = 51820;
-    privateKeyFile = "/run/secrets/wireguard/private";
+    privateKeyFile = config.sops.secrets."wireguard/private".path;
    postUp = ''
      ${pkgs.iptables}/bin/iptables -A FORWARD -i wg0 -j ACCEPT
      ${pkgs.iptables}/bin/iptables -A FORWARD -o wg0 -j ACCEPT
@ -30,12 +34,12 @@
      {
        publicKey = "qUhWoTPVC7jJdDEJLYY92OeiwPkaf8I5pv5kkMcSW3g=";
        allowedIPs = ["10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128"];
-        presharedKeyFile = "/run/secrets/wireguard/psk";
+        presharedKeyFile = config.sops.secrets."wireguard/psk-yt".path;
      }
      {
        publicKey = "JIGi60wzLw717Cim1dSFoLCdJz5rePa5AIFfuisJI0k=";
        allowedIPs = ["10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128"];
-        presharedKeyFile = "/run/secrets/wireguard/pskphone";
+        presharedKeyFile = config.sops.secrets."wireguard/psk-phone".path;
      }
    ];
  };