From 30156bad3384ba7d1ccca49dc618a87390510282 Mon Sep 17 00:00:00 2001
From: Clara Dautermann
Date: Tue, 15 Apr 2025 08:43:01 +0200
Subject: [PATCH] sops-nix setup

---
 .gitignore | 1 -
 .sops.yaml | 15 ++++++++++++++
 configs/services/wireguard.nix | 12 +++++++++--
 secrets/wireguard/secrets.yaml | 37 ++++++++++++++++++++++++++++++++++
 4 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 .sops.yaml
 create mode 100644 secrets/wireguard/secrets.yaml

diff --git a/.gitignore b/.gitignore
index 0f18981..e69de29 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +0,0 @@
-secrets/
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..40c5b6e
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,15 @@
+keys:
+ # People
+ - &clara 58EF8D71114EF548DEE3320DE6F04916B6EEBD83
+
+ # Servers
+ - &wireguard age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e
+
+creation_rules:
+ - path_regex: secrets\/all\/*
+ key_groups:
+ - pgp: [*clara]
+ - path_regex: secrets\/wireguard\/*
+ key_groups:
+ - pgp: [*clara]
+ age: [*wireguard]
\ No newline at end of file
diff --git a/configs/services/wireguard.nix b/configs/services/wireguard.nix
index 002bf04..42b2af9 100644
--- a/configs/services/wireguard.nix
+++ b/configs/services/wireguard.nix
@@ -5,6 +5,14 @@ in {
 "net.ipv4.ip_forward" = lib.mkDefault true;
 "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
 };
+
+ # set up secret key
+ sops = {
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ defaultSopsFile = ../../secrets/wireguard/secrets.yaml;
+ secrets.wg_private_key = { };
+ };
+
 networking = {
 firewall.allowedUDPPorts = [ wg_port ];
 firewall.rejectPackets = true;
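Review bot: The `path_regex` entries under `creation_rules` are regular expressions, not globs, so `secrets\/wireguard\/*` means "secrets/wireguard" followed by zero or more slashes, unanchored; it also matches `secrets/wireguard-old/x.yaml`, and `secrets\/all\/*` likewise matches anything under `secrets/allhosts/`, with the first matching rule winning. Anchor them, e.g. `path_regex: ^secrets/all/` and `path_regex: ^secrets/wireguard/`, so a file can only be encrypted to the recipients intended for its directory. The `secrets/all` rule lists only the PGP key, so nothing placed there is decryptable by any host; if that is deliberate, a comment saying so would help whoever adds the next server. Indentation was lost in this rendering, so I cannot tell whether `age: [*wireguard]` sits in the same key group as `pgp: [*clara]`; the encrypted file in this commit carries both recipients, which suggests a single group where either key alone decrypts.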
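Review bot: `secrets.wg_private_key = { };` takes the sops-nix defaults but sets no `restartUnits`, so after a key rotation activation rewrites `/run/secrets/wg_private_key` while the running WireGuard unit keeps using the old key until something restarts it; add `secrets.wg_private_key.restartUnits = [ "wireguard-NAME.service" ];` with the interface name, which is set outside this hunk. Decryption is pinned to `/etc/ssh/ssh_host_ed25519_key`, so a reinstall or host-key regeneration breaks activation until the new age recipient is derived from the host key, added to `.sops.yaml`, and the file re-encrypted with `sops updatekeys`; a comment on `age.sshKeyPaths` such as `# host key doubles as the age identity; rotating it requires re-keying secrets.yaml` would save a debugging session. The enclosing attribute set (`in {`) starts before this hunk.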
@@ -25,8 +33,8 @@ in {
 address = [ "10.8.1.1/16" ];
 listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
- # Path to the private key file.
- privateKeyFile = "/root/privkey";
+ # Path to the private key file (see sops).
+ privateKeyFile = "/run/secrets/wg_private_key";
 peers = [ # For a client configuration, one peer entry for the server will suffice.
diff --git a/secrets/wireguard/secrets.yaml b/secrets/wireguard/secrets.yaml
new file mode 100644
index 0000000..6f5c8bf
--- /dev/null
+++ b/secrets/wireguard/secrets.yaml
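Review bot: `privateKeyFile = "/run/secrets/wg_private_key";` hard-codes the location sops-nix happens to use instead of taking it from the secret declaration; `privateKeyFile = config.sops.secrets.wg_private_key.path;` keeps the two in sync if the secret is renamed or given a custom `path`, and it needs `config` in the module's argument list, which is outside this hunk. The previous plaintext at `/root/privkey` is only unreferenced by this change, not removed, so it should be shredded on the host after the deploy or the WireGuard key rotated. The `networking.wireguard.interfaces` entry this belongs to begins before the hunk.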
@@ -0,0 +1,37 @@
+wg_private_key: ENC[AES256_GCM,data:51eBmT70Y0dMcTs/tIZrLpPoXsC7YBcbKLl5UPnRp7iEw+ZSpSnrSrKI/uQ=,iv:ULxRzi1bv74WINeDtcw0LrSuquQfQuZTYz+n2eH1nCk=,tag:79oVQvpnYHihdQZviiClvg==,type:str]
+sops:
+ age:
+ - recipient: age12d8mxwnt0a7gl4uu0uwdqaxuqdf5j7zm50qy5qrhj0kd4ny7luaqv7rj4e
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNaUM0RHNTck5PMWtWcnh6
+ R2dpSElSUjhheWZCazBDL2VtcXNLL2VCOW5RCmZIVVNkbi9hWnpMcjFGMldrWjVC
+ alhIMmZLZWVGam9Ld1ZIdjNvcm4xbGcKLS0tIEtYQ2RDWWtNSlpibmJXZHRQdlVD
+ ZFhFdHpSbkFSaTc2VmUyeHUwalZCVUUKNMDMcyrV2J2zhX/m6W5pIzp5YoQlPdKY
+ 0QA7RYTQQIBuu0C19+E3VlpU0eMHupsTpqTHMA6RNSwY3wyyV10hrA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-04-15T06:32:59Z"
+ mac: ENC[AES256_GCM,data:tJpQdvPndAmv9AG81vYlD7Bgf+/np2uOBZ4AjgBJc3D9l80Rb+BVS5DPjFpVhOiIxe5vrKDKfiYAe2Ke6x5F9bE6vIC7CA5pN2oAQ/h5K4wwyCrjCSPMqkjv3KB+a2EFKeX2JRHeGfz+RMMYjnk8lhG9DdxZT9q1T9TyKdFchbc=,iv:bY/hNb3QvCKC0bmtCWZeb4cNgbXNCAWcFhAuKQI4WPM=,tag:3MJGVP4aLuFrZ46rwOS0EA==,type:str]
+ pgp:
+ - created_at: "2025-04-15T06:28:27Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMAzwtBoBqH5ZOAQ//cOhooxvYdj++jbDDcv6w70gh3K62r5AcBf5iEXgtbHcZ
+ Ag0qQpGxb6dySyys/++//fRizVTokQUd+zFHMX8ppMri7JHlw0ioX7GvUAwlW2jE
+ 6nibHvbJFYEJ2xIunGHJwJ98ryPp65qdP0wCyMsdzCc+UOzgKeeyi3NccYbQXYCK
+ 0aQ0VnDHh0OF1B9vLbBCSaCfZstTCG8ADnK6FzANipoMoU8KytFdUqjj3zZxNwfx
+ 9lgZocFoNm7Kx4Uv5r0DXKrJe56q0UJPFMkDnPoRp8YRU9h7tt2yUvBL9lJyIoFy
+ D/eKIPokM4CjeqByecDfsRTlmmFLRPPoLXHWklcJFkmapfW/c3jmsUhZwq8WAaSa
+ LxtFkesveyXhn/xuL6uWWTtmGdmwk4gJ0QIDDlDhGrrkuHSgRqb+2wI90pIggmHS
+ tZvsSfT16FOWuWgO5Fx+PQqNLT2vvMnsVxFkWeNdvpQ1sBd3BPZiwE48pVaTNQwH
+ 2NNYY4gZPxKFPsj1CesPVa8x2jskguYMZ8Mo4O3GSn77jKbaj+GtrBSy+TE2dSJ7
+ k7LEuqtnmGBE1JrsEeXXWmVAnY3mWcaTKmljFOSBOT9/jJPUATTbuB0CCIdlsxlB
+ O3egc9x5VRgYshBnznw/IipLFUGBD0idUFwch+ijPyLk3efhFDXuvId22IPfmjDS
+ XgH83/dkii+PTK0tNdtaeIx8zEtamRlS8UYSE8f/Oko78X2O7Vy/wRpdAgs9RslB
+ VP1Ti9J3yFvo6mhFZg4Mm//WFa8dsMbphjoKKAqrHP0Qa4Z2O5GJvUMkKC0Gy1s=
+ =pswU
+ -----END PGP MESSAGE-----
+ fp: 58EF8D71114EF548DEE3320DE6F04916B6EEBD83
+ unencrypted_suffix: _unencrypted
+ version: 3.10.1
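Review bot: The encrypted `wg_private_key` is wrapped for both the PGP key and the host's age recipient, so either key alone recovers it; that is what sops-nix needs, but it also means the host's SSH key now protects this value for as long as the ciphertext stays in git history. If this is the same key that previously lived unencrypted at `/root/privkey` (the path the wireguard.nix hunk replaces), it has already sat on disk in clear and should be rotated rather than only re-wrapped, since the committed ciphertext cannot be un-published later. Only keys whose names end in `_unencrypted` (per `unencrypted_suffix`) would be stored in clear, so the single value here is encrypted and covered by the `mac`.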