authorTimo Wilken2023-11-05 01:03:55 +0100
committerTimo Wilken2023-11-05 01:03:55 +0100
commit7409fef3cbe6bba6c66ce8b03aef6c2d9dc6c7e7 (patch)
tree925bbc88193a26d0b0c5fb5b01842be614af4ea6 /tw/system
parentc3ef6ab1a62cf23cd15fd8865ec6bcdf8e7e4ad7 (diff)
Add secrets service
Allow managing secrets and passwords using Guix. Secrets are encrypted in the Guix channel repository and decrypted using a single host key at activation time.
Diffstat (limited to 'tw/system')
-rw-r--r--tw/system/files/wireguard/lap-fp4.psk.enc1
-rw-r--r--tw/system/files/wireguard/lap-lud.psk.enc1
-rw-r--r--tw/system/files/wireguard/lap-pi3.psk.enc1
-rw-r--r--tw/system/files/wireguard/lap-vin.psk.enc1
-rw-r--r--tw/system/files/wireguard/lap.key.enc1
-rw-r--r--tw/system/lap.scm21
6 files changed, 26 insertions, 0 deletions
diff --git a/tw/system/files/wireguard/lap-fp4.psk.enc b/tw/system/files/wireguard/lap-fp4.psk.enc
new file mode 100644
index 00000000..ef979978
--- /dev/null
+++ b/tw/system/files/wireguard/lap-fp4.psk.enc
@@ -0,0 +1 @@
+ThP5USmpvehDO14PVZjqyYaBCy8n3jDIQoojYN95O98wvjOHq+Cs+t2NvDD3
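Review bot: The encrypted blobs appear to carry neither a nonce nor an authentication tag. This file and the four others added here (`lap-lud.psk.enc`, `lap-pi3.psk.enc`, `lap-vin.psk.enc`, `lap.key.enc`) are each 60 base64 characters, i.e. 45 bytes, which matches a WireGuard key file (44 base64 characters plus a newline), and all five end in the same `D3` tail. If that inference holds, the encryption is deterministic and unauthenticated under one key, so anyone who can read the repository can learn relationships between the secrets, and a modified blob would still decrypt without error. The encryption code is not part of this diff, so this should be confirmed against `(tw services secrets)`. An authenticated construction with a fresh random nonce per file (or an existing tool such as age) would address both points, and the keys committed here would need regenerating after the switch.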
diff --git a/tw/system/files/wireguard/lap-lud.psk.enc b/tw/system/files/wireguard/lap-lud.psk.enc
new file mode 100644
index 00000000..d976d90a
--- /dev/null
+++ b/tw/system/files/wireguard/lap-lud.psk.enc
@@ -0,0 +1 @@
+XTD6NjCM0JYnYU9+Z6q+9ZbpUBshnEPPMagwf/wCKMxBsXCXrt63oeqM1TD3
diff --git a/tw/system/files/wireguard/lap-pi3.psk.enc b/tw/system/files/wireguard/lap-pi3.psk.enc
new file mode 100644
index 00000000..2d318777
--- /dev/null
+++ b/tw/system/files/wireguard/lap-pi3.psk.enc
@@ -0,0 +1 @@
+XgTTJRaGle1fGipxe7i78Yr9HhUP3DiOQrctYMA6H/NcmzSV7uC/8d/XjjD3
diff --git a/tw/system/files/wireguard/lap-vin.psk.enc b/tw/system/files/wireguard/lap-vin.psk.enc
new file mode 100644
index 00000000..c84938a9
--- /dev/null
+++ b/tw/system/files/wireguard/lap-vin.psk.enc
@@ -0,0 +1 @@
+EQriKiyMh5x0Ak1WRqzg6q79DjcZ+jXNW50RTog5HqRMmSu3sNKf2seijjD3
diff --git a/tw/system/files/wireguard/lap.key.enc b/tw/system/files/wireguard/lap.key.enc
new file mode 100644
index 00000000..200bf821
--- /dev/null
+++ b/tw/system/files/wireguard/lap.key.enc
@@ -0,0 +1 @@
+ESqNLhK1ubNRY1JDVYuR1tGJDTUvnkKOTawBQcISO8Ntqgil59nRoOSNkjD3
diff --git a/tw/system/lap.scm b/tw/system/lap.scm
index 516de321..33154d5b 100644
--- a/tw/system/lap.scm
+++ b/tw/system/lap.scm
@@ -21,6 +21,7 @@
#:use-module (nonguix licenses)
#:use-module (tw channels)
#:use-module (tw packages scanner)
+ #:use-module (tw services secrets)
#:use-module (tw services wireguard)
#:use-module (tw system))
@@ -446,6 +447,26 @@ EndSection
(list vin)
(list lud))))))
+ (service secrets-service-type
+ (secrets-configuration
+ (secrets
+ (list
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap.key.enc"))
+ (destination "/etc/wireguard/private.key"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-fp4.psk.enc"))
+ (destination "/etc/wireguard/fp4.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-lud.psk.enc"))
+ (destination "/etc/wireguard/lud.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-pi3.psk.enc"))
+ (destination "/etc/wireguard/pi3.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-vin.psk.enc"))
+ (destination "/etc/wireguard/vin.psk"))))))
+
(modify-services (append %system-channel-services %desktop-services)
;; Let sane find the airscan backend. ipp-usb needs to be running separately.
(sane-service-type _ => sane-backends/airscan)
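Review bot: The five `secret` entries give only `encrypted-file` and `destination`, so nothing in this hunk shows which owner and mode `/etc/wireguard/private.key` and the `*.psk` files get after activation. WireGuard private and preshared keys should be readable by root only; if the `secret` record has a field for permissions, set it explicitly here, and otherwise a comment such as `;; Decrypted at activation by secrets-service-type; files must end up root-owned, mode 0600.` above the `service` form would record the expectation. Also, `local-file` places the `.enc` blobs in the world-readable store, so their confidentiality rests entirely on the host key and the cipher used by `(tw services secrets)`, which is not part of this diff. The enclosing services list starts and ends outside the hunk.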