wireguard: port private key to secrets.nix

machines/uninsane/net.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, secrets, ... }:
 
 {
   networking.domain = "uninsane.org";
@@ -35,10 +35,7 @@
   # DOCS: https://nixos.wiki/wiki/WireGuard
   networking.wireguard.enable = true;
   networking.wireguard.interfaces.wg0 = {
-    # to generate:
-    # wg genkey > /etc/nixos/secrets/wg0.private
-    # wg pubkey < /etc/nixos/secrets/wg0.private > /etc/nixos/secrets/wg0.public
-    privateKeyFile = "/etc/nixos/secrets/wg0.private";
+    privateKey = secrets.wireguard.privateKey;
     # wg is active only in this namespace.
     # run e.g. ip netns exec ovpns <some command like ping/curl/etc, it'll go through wg>
     #   sudo ip netns exec ovpns ping www.google.com

secrets.nix

@@ -1,8 +1,14 @@
 {
   ddns-he.password = "<REPLACEME>";
+
   # format: b2://$key_id:$app_key@$bucket
   # create key with: b2 create-key --bucket uninsane-host-duplicity uninsane-host-duplicity-safe listBuckets,listFiles,readBuckets,readFiles,writeFiles
   #   ^ run this until you get a key with no forward slashes :upside_down:
   #   web-created keys are allowed to delete files, which you probably don't want for an incremental backup program
   duplicity.url = "b2://<REPLACEME:KEY_ID>:<REPLACEME:APPKEY>:<REPLACEME:BUCKET>";
+
+  # to generate:
+  # wg genkey > wg0.private
+  # wg pubkey < wg0.private > wg0.public
+  wireguard.privateKey = "<REPLACEME>";
 }