summaryrefslogtreecommitdiff
path: root/modules/yggdrasil-wg
diff options
context:
space:
mode:
Diffstat (limited to 'modules/yggdrasil-wg')
-rw-r--r--modules/yggdrasil-wg/default.nix8
1 files changed, 4 insertions, 4 deletions
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index 1e52ba06..c27eb286 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -132,11 +132,12 @@ let
132 Kind = "wireguard"; 132 Kind = "wireguard";
133 }; 133 };
134 wireguardConfig = { 134 wireguardConfig = {
135 PrivateKeyFile = config.sops.secrets."yggdrasil-wg-${family}.priv".path; 135 PrivateKeyFile = "/run/credentials/systemd-networkd.service/yggdrasil-wg-${family}.priv";
136 ListenPort = listenPort.${family}; 136 ListenPort = listenPort.${family};
137 }; 137 };
138 wireguardPeers = map (opts@{to, from, ...}: { wireguardPeerConfig = linkToPeer family opts; }) hostLinks.${family}; 138 wireguardPeers = map (opts@{to, from, ...}: { wireguardPeerConfig = linkToPeer family opts; }) hostLinks.${family};
139 }; 139 };
140 familyToLoadCred = family: "yggdrasil-wg-${family}.priv:${config.sops.secrets."yggdrasil-wg-${family}.priv".path}";
140 familyToYggdrasilNetwork = family: nameValuePair "yggdrasil-wg-${family}" { 141 familyToYggdrasilNetwork = family: nameValuePair "yggdrasil-wg-${family}" {
141 name = "yggdrasil-wg-${family}"; 142 name = "yggdrasil-wg-${family}";
142 matchConfig = { 143 matchConfig = {
@@ -159,9 +160,6 @@ let
159 familyToSopsSecret = family: nameValuePair "yggdrasil-wg-${family}.priv" (mkIf (pathExists (privateKeyPath family)) { 160 familyToSopsSecret = family: nameValuePair "yggdrasil-wg-${family}.priv" (mkIf (pathExists (privateKeyPath family)) {
160 format = "binary"; 161 format = "binary";
161 sopsFile = privateKeyPath family; 162 sopsFile = privateKeyPath family;
162 mode = "0640";
163 owner = "root";
164 group = "systemd-network";
165 }); 163 });
166 164
167 thisHost = host: host == hostName; 165 thisHost = host: host == hostName;
@@ -240,6 +238,8 @@ in {
240 config.routeTables.yggdrasil = 1024; 238 config.routeTables.yggdrasil = 1024;
241 }; 239 };
242 240
241 systemd.services."systemd-networkd".serviceConfig.LoadCredential = mkIf inNetwork (map familyToLoadCred hostFamilies);
242
243 sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies); 243 sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies);
244 244
245 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv]; 245 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-26 22:33:22 +0000