Move helium to sops-nix

2025-06-21 14:03:46 +03:00 · 2025-06-21 14:03:46 +03:00 · ec685a2e86
commit ec685a2e86
parent 924f738618
8 changed files with 161 additions and 41 deletions
--- a/personal/networking/home-wg.nix
+++ b/personal/networking/home-wg.nix
@ -6,47 +6,64 @@
    description = "IPv6 GUA Suffix for Home WireGuard config";
  };

-  config = {
-    networking = {
-      networkmanager.settings."connection"."ipv4.dhcp-ipv6-only-preferred" = 1;
+  config =
+    let
+      host = config.networking.hostName;
+    in
+    {
+      sops = {
+        secrets = {
+          priv-home-wg = {
+            sopsFile = ../../secrets/${host}/home-wg.yaml;
+            restartUnits = [ "wg-quick-wg0.service" ];
+          };
+          psk-home-wg = {
+            sopsFile = ../../secrets/${host}/home-wg.yaml;
+            restartUnits = [ "wg-quick-wg0.service" ];
+          };
+        };
+      };

-      wg-quick.interfaces = {
-        wg0 = {
-          autostart = true;
-          address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ];
-          dns = [
-            "${config.custom.gua_pref}ff::1"
-            "vsinerva.fi"
-          ];
-          privateKeyFile = "/persist/secrets/wireguard/priv-home";
-          listenPort = 51820;
+      networking = {
+        networkmanager.settings."connection"."ipv4.dhcp-ipv6-only-preferred" = 1;

-          peers = [
-            {
-              publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
-              presharedKeyFile = "/persist/secrets/wireguard/psk-home";
-              allowedIPs = [ "::/0" ];
-              endpoint = "home.vsinerva.fi:51820";
-            }
-          ];
+        wg-quick.interfaces = {
+          wg0 = {
+            autostart = true;
+            address = [ "${config.custom.gua_pref}ff::${config.custom.home_wg_suffix}/64" ];
+            dns = [
+              "${config.custom.gua_pref}ff::1"
+              "vsinerva.fi"
+            ];
+            privateKeyFile = config.sops.secrets.priv-home-wg.path;
+            listenPort = 51820;
+
+            peers = [
+              {
+                publicKey = "f9QoYPxyaxylUcOI9cE9fE9DJoEX4c6GUtr4p+rsd34=";
+                presharedKeyFile = config.sops.secrets.psk-home-wg.path;
+                allowedIPs = [ "::/0" ];
+                endpoint = "home.vsinerva.fi:51820";
+              }
+            ];
+          };
+        };
+      };
+
+      services.clatd = {
+        enable = true;
+        settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}";
+      };
+
+      systemd.services = {
+        "wg-quick-wg0" = {
+          wants = [ "network-online.target" ];
+          after = [ "network-online.target" ];
+        };
+        clatd = {
+          wants = [ "wg-quick-wg0.service" ];
+          after = [ "wg-quick-wg0.service" ];
        };
      };
    };
-
-    services.clatd = {
-      enable = true;
-      settings.clat-v6-addr = "${config.custom.gua_pref}ff::c${config.custom.home_wg_suffix}";
-    };
-
-    systemd.services = {
-      "wg-quick-wg0" = {
-        wants = [ "network-online.target" ];
-        after = [ "network-online.target" ];
-      };
-      clatd = {
-        wants = [ "wg-quick-wg0.service" ];
-        after = [ "wg-quick-wg0.service" ];
-      };
-    };
-  };
 }