From 7409fef3cbe6bba6c66ce8b03aef6c2d9dc6c7e7 Mon Sep 17 00:00:00 2001
From: Timo Wilken
Date: Sun, 5 Nov 2023 01:03:55 +0100
Subject: Add secrets service

Allow managing secrets and passwords using Guix. Secrets are encrypted in the Guix channel repository and decrypted using a single host key at activation time.
---
 tw/system/lap.scm | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)
(limited to 'tw/system/lap.scm')

diff --git a/tw/system/lap.scm b/tw/system/lap.scm
index 516de321..33154d5b 100644
--- a/tw/system/lap.scm
+++ b/tw/system/lap.scm
@@ -21,6 +21,7 @@
 #:use-module (nonguix licenses)
 #:use-module (tw channels)
 #:use-module (tw packages scanner)
+ #:use-module (tw services secrets)
 #:use-module (tw services wireguard)
 #:use-module (tw system))

@@ -446,6 +447,26 @@ EndSection
 (list vin)
 (list lud))))))

+ (service secrets-service-type
+ (secrets-configuration
+ (secrets
+ (list
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap.key.enc"))
+ (destination "/etc/wireguard/private.key"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-fp4.psk.enc"))
+ (destination "/etc/wireguard/fp4.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-lud.psk.enc"))
+ (destination "/etc/wireguard/lud.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-pi3.psk.enc"))
+ (destination "/etc/wireguard/pi3.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/lap-vin.psk.enc"))
+ (destination "/etc/wireguard/vin.psk"))))))
+
 (modify-services (append %system-channel-services %desktop-services)
 ;; Let sane find the airscan backend. ipp-usb needs to be running separately.
 (sane-service-type _ => sane-backends/airscan)
--
cgit v1.2.3
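Review bot: The five `secret` entries in the second hunk set only `encrypted-file` and `destination`, so the owner and mode of the decrypted `/etc/wireguard/private.key` and `*.psk` files depend entirely on defaults inside `(tw services secrets)`, which this patch (limited to `tw/system/lap.scm`) does not show. Because these are a WireGuard private key and preshared keys, confirm that the service writes them root-owned and unreadable by group or others, and record that at the call site with a comment such as `;; Decrypted at activation time; destinations must be root-only (0600), see (tw services secrets).` As far as I can tell, `local-file` places the `.enc` files in the world-readable store, so their confidentiality rests on the single host key named in the commit message, and a leaked host key would expose all five secrets together. The enclosing services list starts and ends outside the hunk.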