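# manage secrets

Files that should be managed somehow:

- jormungand: /var/spool/nginx/mpd.htpasswd
- gaia: (not a secret) /etc/ppp/ip-up
- gaia: /etc/ppp/options (contains the ppp password)
- ssh host keys?

Other kludged secrets:

- gaia: hostapd wpa_password — the final config is written to the nix store,
  which is world-readable, so the password is exposed to every local user.

Add a /secrets dir managed with something like git-crypt instead of relying on
gitignore.

# wireguard

Ideally something like
https://discourse.nixos.org/t/morph-nix-based-deployment-tool/1276/7

```nix
{ config, lib, pkgs, ... }:

let
  # One entry per host; the attribute name must equal networking.hostName.
  # `peerInfo` is what the other hosts put in their `peers` list for this node,
  # `ips` are the addresses this node assigns to its own wg0.
  nodes = {
    alpha = {
      peerInfo = {
        allowedIPs = [ "192.168.65.3/32" ];
        publicKey = "....";
      };
      ips = [ "192.168.65.3/24" ];
    };
    beta = {
      peerInfo = {
        publicKey = "....";
        allowedIPs = [ "192.168.65.0/24" ];
      };
      ips = [ "192.168.65.1/24" ];
    };
  };

  hostName = config.networking.hostName;

  # This host's own entry. Attribute access on a missing name is an evaluation
  # error, so an unknown hostname fails loudly instead of yielding an interface
  # with no addresses.
  self = nodes.${hostName};

  # Every node except ourselves becomes a peer.
  peers = lib.filterAttrs (name: _: name != hostName) nodes;

  # "<first address without prefix length> <name>.vpn.local", one per node.
  # `lib` was not in the module arguments before, so these calls were
  # unbound; it is now taken from the module args like `config` and `pkgs`.
  hostEntries = lib.mapAttrsToList
    (name: node: "${lib.head (lib.splitString "/" (lib.head node.ips))} ${name}.vpn.local")
    nodes;
in
{
  networking = {
    wireguard.interfaces.wg0 = {
      ips = self.ips;
      listenPort = 43642;
      # Path on the target host, read when the interface is brought up. Keeping
      # the key out of the Nix expression keeps it out of the world-readable
      # store; the file has to be provisioned out of band (see /secrets above).
      privateKeyFile = "/secrets/wg.private";
      # `peers` is a list option, so the attrset of other nodes has to be
      # flattened with mapAttrsToList; mapAttrs would hand the module an
      # attrset and fail type checking.
      peers = lib.mapAttrsToList (_: node: node.peerInfo) peers;
    };
    extraHosts = lib.concatStringsSep "\n" hostEntries;
  };
}
```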