| author | spl3g <spleefer6@yandex.ru> | 2025-08-24 00:33:34 +0500 |
|---|---|---|
| committer | spl3g <spleefer6@yandex.ru> | 2025-08-24 00:33:34 +0500 |
| commit | 2ebdcc094a6543e36dc51598780e4dbafa2a98e2 (patch) | |
| tree | 148e1a9a2877ff2eeebb9d8fb5e312d3d0d9aa27 /nixos | |
| parent | db248781f3df30afe2aa9abe909f444fb587faf3 (diff) | |
feat: add secrets via sops-nix
Diffstat (limited to 'nixos')
| -rw-r--r-- | nixos/server/configuration.nix | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/nixos/server/configuration.nix b/nixos/server/configuration.nix
index 97b06c2..75dcec7 100644
--- a/nixos/server/configuration.nix
+++ b/nixos/server/configuration.nix
@@ -16,6 +16,12 @@
 ];
 nixpkgs.config.allowUnfree = true;
+
+ sops = {
+ defaultSopsFile = ../../secrets/ltrr-server/secrets.yaml;
+ defaultSopsFormat = "yaml";
+ age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ };
 boot.loader.grub = {
 efiSupport = true;
@@ -87,17 +93,19 @@
 };
 };
+
+ sops.secrets.wg_private_key = {};
 networking.wg-quick = {
 interfaces.wg0 = {
 address = [ "10.1.1.2/32" ];
 listenPort = 51820;
- privateKeyFile = "/root/wireguard-keys/private";
+ privateKeyFile = config.sops.secrets.wg_private_key.path;
 peers = [
 {
 endpoint = "147.45.40.6:51820";
- publicKey = "12UX8icwCjIfADoX1zhv6QvKrSjMcuoSsKbn51Mr/D8=";
+ publicKey = "1RwEOL8br97Mujhz3fkfYKcxUFNHYAmt5JbWTbR3ihE=";
 allowedIPs = ["10.1.1.1/32"];
 persistentKeepalive = 25;
 } |
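Review bot: The new `privateKeyFile = config.sops.secrets.wg_private_key.path;` line in the second hunk stops referencing `/root/wireguard-keys/private`, but nothing in the commit retires that plaintext file, so on hosts already deployed the old key stays on disk after the switch; if the sops-managed key is the same material it should be deleted once the new configuration is active, and if it was rotated the peer needs the new public key (the changed peer `publicKey` suggests the remote end was re-keyed as well, though that is only an inference from this hunk). The `sops` block in the first hunk makes `/etc/ssh/ssh_host_ed25519_key` the decryption identity, which means `secrets.yaml` must be encrypted to the age recipient derived from that host key and must already be encrypted when it lands in the world-readable Nix store via the path literal; a comment such as `# decrypted with this host's ed25519 SSH key; secrets.yaml must be encrypted to the matching age recipient` above `age.sshKeyPaths` would make that contract explicit. `sops.secrets.wg_private_key = {};` relies on sops-nix defaults for owner and mode, which is what wg-quick running as root needs, so a short comment like `# defaults (root, 0400) are intentional: wg-quick reads this as root` would keep a later edit from loosening it. As a point of style, that declaration sits between `};` and `networking.wg-quick` rather than next to the `sops` block it belongs to. The enclosing attribute set starts and ends outside both hunks.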
