From c1f62e9827efe7c8e303e3cfa70dac8f544312b1 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 9 Aug 2022 11:23:00 +0300
Subject: ...
---
 modules/yggdrasil-wg/default.nix | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'modules/yggdrasil-wg/default.nix')
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index 1e52ba06..c27eb286 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
@@ -132,11 +132,12 @@ let
       Kind = "wireguard";
     };
     wireguardConfig = {
-      PrivateKeyFile = config.sops.secrets."yggdrasil-wg-${family}.priv".path;
+      PrivateKeyFile = "/run/credentials/systemd-networkd.service/yggdrasil-wg-${family}.priv";
       ListenPort = listenPort.${family};
     };
     wireguardPeers = map (opts@{to, from, ...}: { wireguardPeerConfig = linkToPeer family opts; }) hostLinks.${family};
   };
+  familyToLoadCred = family: "yggdrasil-wg-${family}.priv:${config.sops.secrets."yggdrasil-wg-${family}.priv".path}";
   familyToYggdrasilNetwork = family: nameValuePair "yggdrasil-wg-${family}" {
     name = "yggdrasil-wg-${family}";
     matchConfig = {
@@ -159,9 +160,6 @@ let
   familyToSopsSecret = family: nameValuePair "yggdrasil-wg-${family}.priv" (mkIf (pathExists (privateKeyPath family)) {
     format = "binary";
     sopsFile = privateKeyPath family;
-    mode = "0640";
-    owner = "root";
-    group = "systemd-network";
   });
   thisHost = host: host == hostName;
@@ -240,6 +238,8 @@ in {
     config.routeTables.yggdrasil = 1024;
   };
+  systemd.services."systemd-networkd".serviceConfig.LoadCredential = mkIf inNetwork (map familyToLoadCred hostFamilies);
+
   sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies);
   boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];
-- 
cgit v1.2.3
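Review bot: The new `PrivateKeyFile` value hard-codes the credential directory `/run/credentials/systemd-networkd.service/` and the credential ID `yggdrasil-wg-${family}.priv`, which must stay in lock-step with the ID built on the left side of the `name:path` pair in `familyToLoadCred` and with the unit that receives `LoadCredential` in the third hunk; nothing in the hunk ties these three places together. I would factor the ID into one binding used by both, e.g. `familyToCredId = family: "yggdrasil-wg-${family}.priv";`, and reference it from `PrivateKeyFile` and `familyToLoadCred`, or at least add `# must match the credential ID in familyToLoadCred and the unit name in LoadCredential` above `PrivateKeyFile`. Note that `familyToLoadCred` evaluates `config.sops.secrets."…".path` unconditionally while `familyToSopsSecret` only defines that secret under `mkIf (pathExists …)`, so a host whose key file is missing presumably fails evaluation rather than just omitting the credential — this was already the case for the old `PrivateKeyFile` line, so it is not a regression, but worth a comment. The enclosing `let` and the `familyToNetdev`-style function start outside the hunk.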
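Review bot: `LoadCredential` copies the key into the unit's credentials directory only when `systemd-networkd.service` starts, so a key rotated by sops after boot is not visible to networkd until the unit restarts, and a plain `networkctl reload` will not help; this is not stated anywhere near the new line. I would add `# credentials are materialised at service start; rotating a key requires restarting systemd-networkd` above it and, if this configuration already uses sops-nix's `restartUnits` for other secrets, point these secrets at `systemd-networkd.service` the same way. The guard `mkIf inNetwork` here is not mirrored on `sops.secrets` on the next line, which presumably means the secrets are still decrypted on hosts that never load them as credentials — harmless for confidentiality since the second hunk drops the group-readable mode, but worth confirming it is intended. The enclosing module attribute set continues outside the hunk.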