author | Azat Bahawi <azat@bahawi.net> | 2022-09-12 14:03:31 +0300 |
---|---|---|
committer | Azat Bahawi <azat@bahawi.net> | 2022-09-12 14:03:31 +0300 |
commit | 5b01fa945b2122b82da4be33203e4cf753951b7c (patch) | |
tree | f0693b31788e717d9ab1781cf19e2403727755df /modules/nixfiles/wireguard.nix | |
parent | 2022-09-11 (diff) |
2022-09-12
Diffstat (limited to '')
-rw-r--r-- | modules/nixfiles/wireguard.nix | 18 |
1 files changed, 5 insertions, 13 deletions
diff --git a/modules/nixfiles/wireguard.nix b/modules/nixfiles/wireguard.nix
index c4fca1e..f98b4e3 100644
--- a/modules/nixfiles/wireguard.nix
+++ b/modules/nixfiles/wireguard.nix
@@ -1,5 +1,6 @@
 {
 config,
+ inputs,
 lib,
 pkgs,
 this,
@@ -9,13 +10,6 @@ with lib; let
 cfg = config.nixfiles.modules.wireguard;
 in {
 options.nixfiles.modules.wireguard = {
- # TODO Set this automatically shire on the hostname.
- privateKeyFile = mkOption {
- description = "Path to the private key file.";
- type = with types; nullOr string;
- default = null;
- };
-
 client = {
 enable = mkEnableOption "WireGuard client";
@@ -98,10 +92,6 @@ in {
 {
 assertions = [
 {
- assertion = cfg.privateKeyFile != null;
- message = "Key file must be specified.";
- }
- {
 assertion = config.security.sudo.enable;
 message = "Sudo is not enabled.";
 }
@@ -113,12 +103,14 @@ in {
 }
 // mkMerge [
 (mkIf (cfg.client.enable || cfg.server.enable) {
+ secrets."wireguard-private-key-${this.hostname}".file = "${inputs.self}/secrets/wireguard-private-key-${this.hostname}";
+
 networking.firewall.trustedInterfaces = [cfg.interface];
 })
 (mkIf cfg.client.enable {
 networking.wg-quick.interfaces.${cfg.interface} = mkMerge [
 (with this.wireguard; {
- inherit (cfg) privateKeyFile;
+ privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path;
 address = ["${ipv4.address}/16" "${ipv6.address}/16"];
 })
 (with cfg.server; {
@@ -173,7 +165,7 @@ in {
 wireguard = {
 enable = true;
 interfaces.${cfg.interface} = with cfg.server; {
- inherit (cfg) privateKeyFile;
+ privateKeyFile = config.secrets."wireguard-private-key-${this.hostname}".path;
 ips = ["${ipv4.address}/16" "${ipv6.address}/16"];
 listenPort = port;
 inherit peers; |
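Review bot: In hunk `@@ -113,12 +103,14 @@` the new `secrets."wireguard-private-key-${this.hostname}".file` declaration has nothing standing in for the `cfg.privateKeyFile != null` assertion removed in `@@ -98,10 +92,6 @@`, so a host that enables the client or server without a matching file under `secrets/` is only caught wherever the project's `secrets` module (defined outside this file) happens to read that path, if at all. An assertion beside the remaining sudo check, `{ assertion = builtins.pathExists "${inputs.self}/secrets/wireguard-private-key-${this.hostname}"; message = "No WireGuard private key secret for ${this.hostname}."; }`, surfaces the missing key at evaluation time instead of at activation. The secret name is spelled out three times across this hunk and `@@ -173,7 +165,7 @@`; binding it once in the module's `let`, e.g. `secretName = "wireguard-private-key-${this.hostname}";`, keeps the declaration and both `.path` consumers from drifting. Because `inputs.self` is a store path, the file under `secrets/` is world-readable in `/nix/store` and must be encrypted at rest — presumably `config.secrets` wraps agenix or sops and decrypts it to `.path`, but that is not visible here, so a one-line comment on the declaration, `# encrypted at rest; the secrets module decrypts it to .path at activation`, would make the expectation explicit once confirmed. Both `mkMerge` lists continue outside their hunks.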