Diffstat (limited to 'lib')
-rw-r--r--lib/default.nix1
-rw-r--r--lib/private-wireguard.nix18
2 files changed, 6 insertions, 13 deletions
diff --git a/lib/default.nix b/lib/default.nix
index 26cd954..4331bf3 100644
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -11,7 +11,6 @@
inherit inputs system hostname;
};
modules = [
- inputs.agenix.nixosModules.age
../modules
../profiles
../hosts/${hostname}
diff --git a/lib/private-wireguard.nix b/lib/private-wireguard.nix
index 5369c3f..d77c7dd 100644
--- a/lib/private-wireguard.nix
+++ b/lib/private-wireguard.nix
@@ -3,7 +3,7 @@
let
inherit (lib) mkEnableOption mkOption mkIf types;
inherit (builtins) readFile fromTOML fromJSON;
-
+ secrets = config.age.secrets;
cfg = config.networking.private-wireguard;
port = 51871;
wgcfg = fromTOML (readFile ./../configs/wireguard.toml);
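Review bot: The new `secrets = config.age.secrets;` binding makes this module depend on the agenix `age` option being declared, while the same commit drops `inputs.agenix.nixosModules.age` from the module list in lib/default.nix; unless that module is now imported elsewhere (presumably under ../modules, which is not visible here), evaluating `secrets.<name>.path` fails with an attribute-missing error. The binding is lazy, so the error only surfaces when `cfg.enable` is set, which makes the dependency easy to miss on hosts that do not enable the interface. A one-line comment would record the contract: `# agenix must be imported by another module; age.secrets is consumed below`.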
@@ -16,22 +16,17 @@ in {
};
config = lib.mkIf cfg.enable {
- age.secrets.wg-privkey = {
- file = ../secrets/network/${config.networking.hostName}/wireguard_privatekey.age;
- mode = "0440";
- owner = "0";
- };
-
networking = {
wireguard.interfaces.wg0 = {
listenPort = port;
- privateKeyFile = "/run/agenix/wg-privkey";
+ privateKeyFile =
+ secrets."network/${config.networking.hostName}/wireguard_privatekey".path;
ips = [
"${wgcfg.subnet4}.${toString thisPeer.ipv4}/${toString wgcfg.mask4}"
];
- peers = lib.mapAttrsToList
- (name: peer: {
+ peers = lib.mapAttrsToList (name: peer:
+ {
allowedIPs = [
"${wgcfg.subnet4}.${toString peer.ipv4}/${toString wgcfg.mask4}"
];
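Review bot: The removed `age.secrets.wg-privkey` block was the only place in this module that pinned the key file to `mode = "0440"; owner = "0";`; the new `privateKeyFile = secrets."network/${config.networking.hostName}/wireguard_privatekey".path;` only consumes a declaration made elsewhere, so the permissions of the WireGuard private key are now an external assumption of this module rather than something it enforces. That assumption should be stated next to `privateKeyFile`, e.g. `# secret must be declared with root-only permissions; wg reads the key as root, so 0400 is sufficient`, and the declaring module should be checked for the same mode/owner it previously had here. On the positive side, looking the secret up by attribute name fails at evaluation time if it is missing, which is stricter than the old hard-coded `/run/agenix/wg-privkey` path that would only fail at activation. The `config` attribute set opened at `config = lib.mkIf cfg.enable {` continues past the end of this hunk.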
@@ -40,8 +35,7 @@ in {
endpoint = "${peer.externalIp}:${toString port}";
} // lib.optionalAttrs (!(thisPeer ? externalIp)) {
persistentKeepalive = 10;
- })
- otherPeers;
+ }) otherPeers;
};
};
};