diff options
| author | Gregor Kleen <gkleen@yggdrasil.li> | 2022-08-09 11:23:00 +0300 |
|---|---|---|
| committer | Gregor Kleen <gkleen@yggdrasil.li> | 2022-08-09 11:23:00 +0300 |
| commit | c1f62e9827efe7c8e303e3cfa70dac8f544312b1 (patch) | |
| tree | d20ff0f367804bc87996c6312cebe2fa57b5bd4c /modules/yggdrasil-wg/default.nix | |
| parent | de66ba821b2851cb23bcc7b064e84de3dd848e26 (diff) | |
| download | nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar.gz nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar.bz2 nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.tar.xz nixos-c1f62e9827efe7c8e303e3cfa70dac8f544312b1.zip | |
...
Diffstat (limited to 'modules/yggdrasil-wg/default.nix')
| -rw-r--r-- | modules/yggdrasil-wg/default.nix | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix index 1e52ba06..c27eb286 100644 --- a/modules/yggdrasil-wg/default.nix +++ b/modules/yggdrasil-wg/default.nix | |||
| @@ -132,11 +132,12 @@ let | |||
| 132 | Kind = "wireguard"; | 132 | Kind = "wireguard"; |
| 133 | }; | 133 | }; |
| 134 | wireguardConfig = { | 134 | wireguardConfig = { |
| 135 | PrivateKeyFile = config.sops.secrets."yggdrasil-wg-${family}.priv".path; | 135 | PrivateKeyFile = "/run/credentials/systemd-networkd.service/yggdrasil-wg-${family}.priv"; |
| 136 | ListenPort = listenPort.${family}; | 136 | ListenPort = listenPort.${family}; |
| 137 | }; | 137 | }; |
| 138 | wireguardPeers = map (opts@{to, from, ...}: { wireguardPeerConfig = linkToPeer family opts; }) hostLinks.${family}; | 138 | wireguardPeers = map (opts@{to, from, ...}: { wireguardPeerConfig = linkToPeer family opts; }) hostLinks.${family}; |
| 139 | }; | 139 | }; |
| 140 | familyToLoadCred = family: "yggdrasil-wg-${family}.priv:${config.sops.secrets."yggdrasil-wg-${family}.priv".path}"; | ||
| 140 | familyToYggdrasilNetwork = family: nameValuePair "yggdrasil-wg-${family}" { | 141 | familyToYggdrasilNetwork = family: nameValuePair "yggdrasil-wg-${family}" { |
| 141 | name = "yggdrasil-wg-${family}"; | 142 | name = "yggdrasil-wg-${family}"; |
| 142 | matchConfig = { | 143 | matchConfig = { |
| @@ -159,9 +160,6 @@ let | |||
| 159 | familyToSopsSecret = family: nameValuePair "yggdrasil-wg-${family}.priv" (mkIf (pathExists (privateKeyPath family)) { | 160 | familyToSopsSecret = family: nameValuePair "yggdrasil-wg-${family}.priv" (mkIf (pathExists (privateKeyPath family)) { |
| 160 | format = "binary"; | 161 | format = "binary"; |
| 161 | sopsFile = privateKeyPath family; | 162 | sopsFile = privateKeyPath family; |
| 162 | mode = "0640"; | ||
| 163 | owner = "root"; | ||
| 164 | group = "systemd-network"; | ||
| 165 | }); | 163 | }); |
| 166 | 164 | ||
| 167 | thisHost = host: host == hostName; | 165 | thisHost = host: host == hostName; |
| @@ -240,6 +238,8 @@ in { | |||
| 240 | config.routeTables.yggdrasil = 1024; | 238 | config.routeTables.yggdrasil = 1024; |
| 241 | }; | 239 | }; |
| 242 | 240 | ||
| 241 | systemd.services."systemd-networkd".serviceConfig.LoadCredential = mkIf inNetwork (map familyToLoadCred hostFamilies); | ||
| 242 | |||
| 243 | sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies); | 243 | sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies); |
| 244 | 244 | ||
| 245 | boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv]; | 245 | boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv]; |