Diffstat (limited to 'hosts/sif/default.nix')
-rw-r--r--hosts/sif/default.nix10
1 files changed, 6 insertions, 4 deletions
diff --git a/hosts/sif/default.nix b/hosts/sif/default.nix
index f51535ea..8c64551a 100644
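--- a/hosts/sif/default.nix
+++ b/hosts/sif/default.nix
@@ -26,6 +26,8 @@ in {
 };
 };
 
+time.timeZone = null;
+
 boot = {
 initrd = {
 luks.devices = {
@@ -148,7 +150,7 @@ in {
 Kind = "wireguard";
 };
 wireguardConfig = {
-PrivateKeyFile = config.sops.secrets.wgrz.path;
+PrivateKeyFile = "/run/credentials/systemd-networkd.service/wgrz.priv";
 ListenPort = 51822;
 # FirewallMark = 1;
 };
@@ -233,11 +235,11 @@ in {
 sops.secrets.wgrz = {
 format = "binary";
 sopsFile = ./wgrz/privkey;
-mode = "0640";
-owner = "root";
-group = "systemd-network";
 };
 networking.networkmanager.unmanaged = ["wgrz" "virbr0"];
+systemd.services."systemd-networkd".serviceConfig.LoadCredential = [
+"wgrz.priv:${config.sops.secrets.wgrz.path}"
+];
 
 services.dnsmasq = {
 enable = true;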
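Review bot: The credential name `wgrz.priv` and the unit name are now spelled twice, once in `LoadCredential` in the third hunk and once in the literal `PrivateKeyFile` path in the second, so renaming either leaves networkd pointing at a file that does not exist and the tunnel down. Binding the name once (for example `wgrzCred = "wgrz.priv";` in the enclosing `let`, which is outside the visible hunks) and building both strings from it keeps them in step. Because LoadCredential copies the key into `/run/credentials` when the unit starts, a re-keyed `./wgrz/privkey` is presumably not picked up until systemd-networkd restarts; adding `restartUnits = ["systemd-networkd.service"];` to `sops.secrets.wgrz` would cover that. A one-line comment on the secret saying that dropping `mode`/`owner`/`group` is deliberate (the file falls back to the sops-nix defaults and is handed to the service as a credential rather than being group-readable by `systemd-network`) would help the next reader.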