Diffstat (limited to 'modules/yggdrasil-wg/default.nix')
-rw-r--r-- | modules/yggdrasil-wg/default.nix | 8 |
1 files changed, 4 insertions, 4 deletions
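--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -132,11 +132,12 @@ let
 Kind = "wireguard";
 };
 wireguardConfig = {
-PrivateKeyFile = config.sops.secrets."yggdrasil-wg-${family}.priv".path;
+PrivateKeyFile = "/run/credentials/systemd-networkd.service/yggdrasil-wg-${family}.priv";
 ListenPort = listenPort.${family};
 };
 wireguardPeers = map (opts@{to, from, ...}: { wireguardPeerConfig = linkToPeer family opts; }) hostLinks.${family};
 };
+familyToLoadCred = family: "yggdrasil-wg-${family}.priv:${config.sops.secrets."yggdrasil-wg-${family}.priv".path}";
 familyToYggdrasilNetwork = family: nameValuePair "yggdrasil-wg-${family}" {
 name = "yggdrasil-wg-${family}";
 matchConfig = {
@@ -159,9 +160,6 @@ let
 familyToSopsSecret = family: nameValuePair "yggdrasil-wg-${family}.priv" (mkIf (pathExists (privateKeyPath family)) {
 format = "binary";
 sopsFile = privateKeyPath family;
-mode = "0640";
-owner = "root";
-group = "systemd-network";
 });
 
 thisHost = host: host == hostName;
@@ -240,6 +238,8 @@ in {
 config.routeTables.yggdrasil = 1024;
 };
 
+systemd.services."systemd-networkd".serviceConfig.LoadCredential = mkIf inNetwork (map familyToLoadCred hostFamilies);
+
 sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies);
 
 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];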
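Review bot: With the new `LoadCredential` line (third hunk) the WireGuard private key is copied into `/run/credentials/systemd-networkd.service/` only when the unit starts, so a rotated or redeployed sops secret is silently not picked up until systemd-networkd restarts; the second hunk's `familyToSopsSecret` is the natural place to express that, e.g. `restartUnits = [ "systemd-networkd.service" ];` next to `sopsFile`, if the sops-nix version in use offers that option. Dropping `mode`/`owner`/`group` there means the on-disk secret presumably falls back to sops-nix's root-only defaults, which is the intended least-privilege gain of moving to credentials, but it should be confirmed that nothing else still reads the `/run/secrets` path directly. The `LoadCredential` value is gated on `inNetwork` while `sops.secrets` on the next lines is declared unconditionally; if a host outside the network also evaluates `familyToLoadCred`, the `config.sops.secrets."…".path` lookup would fail for families whose key file does not exist, the same pre-existing hazard the old `PrivateKeyFile` had. The `let` block enclosing `familyToLoadCred` and `familyToSopsSecret` starts and ends outside these hunks.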