authorFreya Murphy <freya@freyacat.org>2026-05-26 13:01:44 -0400
committerFreya Murphy <freya@freyacat.org>2026-05-26 13:01:44 -0400
commitdb1096e7b1a9417fefe9039d808b213ec3302448 (patch)
treedc6a171f33877dddef047e07edd25790f73dd429 /system
parentadd amd anti lag (diff)
refactor sops/vpn into modules
Diffstat (limited to 'system')
-rw-r--r--system/default.nix2
-rw-r--r--system/sops.nix27
-rw-r--r--system/vpn.nix38
3 files changed, 67 insertions, 0 deletions
diff --git a/system/default.nix b/system/default.nix
index 39d41bc..fd2e1cc 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -23,9 +23,11 @@ in {
./fingerprint.nix
./networking.nix
./nvidia.nix
+ ./sops.nix
./sshd.nix
./tpm.nix
./unfree.nix
+ ./vpn.nix
];
# allow flakes
diff --git a/system/sops.nix b/system/sops.nix
new file mode 100644
index 0000000..17f6f13
--- /dev/null
+++ b/system/sops.nix
@@ -0,0 +1,27 @@
+{
+ config,
+ pkgs,
+ lib,
+ inputs,
+ hostDir,
+ ...
+}: let
+ inherit (lib) mkIf;
+ cfg = config.sops;
+in {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ sops
+ ];
+
+ sops = {
+ defaultSopsFile = hostDir + "/secrets.yaml";
+ gnupg.home = config.homePath + "/.local/share/gnupg";
+ gnupg.sshKeyPaths = [];
+ };
+ };
+}
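Review bot: The `gnupg.home` line points sops-nix at a keyring under the user's home directory (`config.homePath + "/.local/share/gnupg"`), so the key that decrypts every system secret is readable by anything running as that user, and it presumably has to be usable without an interactive passphrase for unattended decryption to work. If that trade-off is intended, it deserves a comment next to the setting, for example `# decryption key lives in the user's keyring: compromising this account exposes all sops secrets`; otherwise a root-owned key location would keep the trust boundary at root. The empty `gnupg.sshKeyPaths = [];` also reads like a leftover without explanation, and a short comment such as `# cleared so sops-nix does not also import SSH host keys alongside gnupg.home` would help, assuming that is the reason. The `sops.enable` option that gates this file is not declared in the visible diff (the diffstat is limited to `system`), so confirm it is defined elsewhere.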
diff --git a/system/vpn.nix b/system/vpn.nix
new file mode 100644
index 0000000..c336f32
--- /dev/null
+++ b/system/vpn.nix
@@ -0,0 +1,38 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ inherit (lib) mkIf;
+ cfg = config.vpn;
+in {
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ wireguard-tools
+ ];
+
+ networking.wg-quick.interfaces = {
+ freyanet = {
+ address = [cfg.ip];
+ dns = ["10.2.0.1"];
+ privateKeyFile = config.sops.secrets.freyanetWg.path;
+ autostart = false;
+
+ peers = [
+ {
+ publicKey = "x0ykwakpYCvI/pG+nR83lNUyeOE9m54thnX3bvZ+FUk=";
+ allowedIPs = ["10.0.0.0/8"];
+ endpoint = "freya.cat:3000";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ sops = {
+ enable = true;
+ secrets.freyanetWg = {};
+ };
+ };
+}
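Review bot: The peer entry's `allowedIPs = ["10.0.0.0/8"]` claims the whole 10/8 private range, so once the interface is up wg-quick routes every 10.x destination into the tunnel and the peer is accepted as a source for any 10.x address. That shadows a local LAN or another VPN that happens to use 10.x, and it is broader than the one address visible here (`dns = ["10.2.0.1"]`). If freyanet only uses a few subnets, list those instead; if the breadth is deliberate, say so in a comment such as `# freyanet spans all of 10/8 by design`. Separately, `secrets.freyanetWg = {};` relies on the sops-nix defaults for owner and mode, which I believe are root and `0400`; writing them out, e.g. `secrets.freyanetWg = { owner = "root"; mode = "0400"; };`, would keep the private key's permissions visible at the point of use.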