sops-nix setup

configs/services/wireguard.nix

@@ -5,6 +5,14 @@ in {
     "net.ipv4.ip_forward" = lib.mkDefault true;
     "net.ipv6.conf.all.forwarding" = lib.mkDefault true;
   };
+
+  # set up secret key
+  sops = {
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    defaultSopsFile = ../../secrets/wireguard/secrets.yaml;
+    secrets.wg_private_key = { };
+  };
+
   networking = {
     firewall.allowedUDPPorts = [ wg_port ];
     firewall.rejectPackets = true;
@@ -25,8 +33,8 @@ in {
         address = [ "10.8.1.1/16" ];
         listenPort = wg_port; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
 
-        # Path to the private key file.
-        privateKeyFile = "/root/privkey";
+        # Path to the private key file (see sops).
+        privateKeyFile = "/run/secrets/wg_private_key";
 
         peers = [
           # For a client configuration, one peer entry for the server will suffice.