From c1f62e9827efe7c8e303e3cfa70dac8f544312b1 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Tue, 9 Aug 2022 11:23:00 +0300
Subject: ...
---
 modules/netns.nix | 8 +++++---
 modules/yggdrasil-wg/default.nix | 8 ++++----
 2 files changed, 9 insertions(+), 7 deletions(-)
(limited to 'modules')

diff --git a/modules/netns.nix b/modules/netns.nix
index 18e066e5..d4f07feb 100644
--- a/modules/netns.nix
+++ b/modules/netns.nix
@@ -92,9 +92,11 @@ let
 mkdir -p -m 0755 \
 "/nix/var/nix/profiles/per-container/${containerName}" \
 "/nix/var/nix/gcroots/per-container/${containerName}"
- credsBind=""
+ credsBind=()
 if [ -n "''${CREDENTIALS_DIRECTORY}" ]; then
- credsBind="--bind-ro=''${CREDENTIALS_DIRECTORY}:/run/host/credentials"
+ while IFS= read -r -d $'\0' credFile; do
+ credsBind+=("--load-credential=$(basename "''${credFile}"):''${credFile}")
+ done < <(find ''${CREDENTIALS_DIRECTORY} -type f -print0)
 fi
 # Run systemd-nspawn without startup notification (we'll
 # wait for the container systemd to signal readiness).
@@ -105,7 +107,7 @@ let
 --bind-ro=/nix/store \
 --bind-ro=/nix/var/nix/db \
 --bind-ro=/nix/var/nix/daemon-socket \
- $credsBind \
+ ''${credsBind} \
 --bind="/nix/var/nix/profiles/per-container/${containerName}:/nix/var/nix/profiles" \
 --bind="/nix/var/nix/gcroots/per-container/${containerName}:/nix/var/nix/gcroots" \
 --setenv PATH="$PATH" \
diff --git a/modules/yggdrasil-wg/default.nix b/modules/yggdrasil-wg/default.nix
index 1e52ba06..c27eb286 100644
--- a/modules/yggdrasil-wg/default.nix
+++ b/modules/yggdrasil-wg/default.nix
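Review bot: The `find` argument in the added `done < <(find ''${CREDENTIALS_DIRECTORY} -type f -print0)` line is unquoted, so the shell word-splits and glob-expands the path, while the `-n` test two lines above quotes the very same variable; quote it for consistency, `done < <(find "''${CREDENTIALS_DIRECTORY}" -type f -print0)`. The loop also produces an empty array when the directory holds no regular files, which is presumably intended given the old unconditional `--bind-ro` of the whole directory, but the shift from mounting a directory to passing each file as a named credential deserves a one-line comment such as `# one --load-credential=ID:PATH per file in the host unit's credentials directory`. The enclosing shell script starts and continues outside the hunk.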
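Review bot: `''${credsBind} \` expands only the first element of the array that the previous hunk now fills (bash `${arr}` is `${arr[0]}`), so when the credentials directory holds more than one file only one `--load-credential` reaches systemd-nspawn and the remaining credentials are dropped silently; use `"''${credsBind[@]}" \`. The quoted form also keeps a credential path containing whitespace as a single argument, which neither the old scalar `$credsBind` nor the new unquoted expansion does. The systemd-nspawn invocation begins and ends outside the hunk.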
@@ -132,11 +132,12 @@ let
 Kind = "wireguard";
 };
 wireguardConfig = {
- PrivateKeyFile = config.sops.secrets."yggdrasil-wg-${family}.priv".path;
+ PrivateKeyFile = "/run/credentials/systemd-networkd.service/yggdrasil-wg-${family}.priv";
 ListenPort = listenPort.${family};
 };
 wireguardPeers = map (opts@{to, from, ...}: { wireguardPeerConfig = linkToPeer family opts; }) hostLinks.${family};
 };
+ familyToLoadCred = family: "yggdrasil-wg-${family}.priv:${config.sops.secrets."yggdrasil-wg-${family}.priv".path}";
 familyToYggdrasilNetwork = family: nameValuePair "yggdrasil-wg-${family}" {
 name = "yggdrasil-wg-${family}";
 matchConfig = {
@@ -159,9 +160,6 @@ let
 familyToSopsSecret = family: nameValuePair "yggdrasil-wg-${family}.priv" (mkIf (pathExists (privateKeyPath family)) {
 format = "binary";
 sopsFile = privateKeyPath family;
- mode = "0640";
- owner = "root";
- group = "systemd-network";
 });
 
 thisHost = host: host == hostName;
@@ -240,6 +238,8 @@ in {
 config.routeTables.yggdrasil = 1024;
 };
 
+ systemd.services."systemd-networkd".serviceConfig.LoadCredential = mkIf inNetwork (map familyToLoadCred hostFamilies);
+
 sops.secrets = listToAttrs (map familyToSopsSecret hostFamilies);
 
 boot.extraModulePackages = optional (versionOlder kernel.kernel.version "5.6") kernel.wireguard ++ [kernel.batman_adv];
--
cgit v1.2.3
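Review bot: The credential name `yggdrasil-wg-${family}.priv` and the unit name `systemd-networkd.service` are now spelled out independently in the new `PrivateKeyFile` string and in `familyToLoadCred` (and the unit once more in the `systemd.services."systemd-networkd"` line of the last hunk), so three places must stay in sync by hand for networkd to find the key at the path it is told. A small helper, `familyToCredName = family: "yggdrasil-wg-${family}.priv";`, used as `PrivateKeyFile = "/run/credentials/systemd-networkd.service/${familyToCredName family}";` and `familyToLoadCred = family: "${familyToCredName family}:${config.sops.secrets.${familyToCredName family}.path}";`, would remove the duplication. `familyToLoadCred` also dereferences `config.sops.secrets."…".path` for every member of `hostFamilies`, whereas `familyToSopsSecret` in the next hunk only defines the secret under `mkIf (pathExists (privateKeyPath family))`; the removed `PrivateKeyFile` line had the same dependency, so this is not new, but a comment at `familyToLoadCred` stating that every family in `hostFamilies` is expected to have a key file would make the assumption explicit. The `let` binding group this hunk edits extends outside the hunk.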