From 9790519c3faf4a368ce7f43953a4ab9479960cf9 Mon Sep 17 00:00:00 2001
From: Timo Wilken
Date: Wed, 8 Nov 2023 19:50:05 +0100
Subject: Track restic and wireguard secrets on vin
---
 tw/system/vin.scm | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
(limited to 'tw/system/vin.scm')
diff --git a/tw/system/vin.scm b/tw/system/vin.scm
index 24dd367a..75243e8d 100644
--- a/tw/system/vin.scm
+++ b/tw/system/vin.scm
@@ -17,6 +17,7 @@
 #:use-module (tw services dns)
 #:use-module (tw services grafana)
 #:use-module (tw services restic)
+ #:use-module (tw services secrets)
 #:use-module (tw system))

 ;; The device's BIOS does not support UEFI, sadly. It also doesn't recognise
@@ -137,6 +138,46 @@
 (keep-daily 14)
 (keep-monthly -1))))

+ (service secrets-service-type
+ (secrets-configuration
+ (secrets
+ (list
+ (secret
+ (encrypted-file (local-file "files/restic/timo-laptop.enc"))
+ (destination "/etc/restic/timo-laptop")
+ (user "restic")
+ (group "restic"))
+ (secret
+ (encrypted-file (local-file "files/restic/timo-phone.enc"))
+ (destination "/etc/restic/timo-phone")
+ (user "restic")
+ (group "restic"))
+ (secret
+ (encrypted-file (local-file "files/restic/timo-sync.enc"))
+ (destination "/etc/restic/timo-sync")
+ (user "restic")
+ (group "restic"))
+ (secret
+ (encrypted-file (local-file "files/restic/vin-grafana.enc"))
+ (destination "/etc/restic/vin-grafana")
+ (user "restic")
+ (group "restic"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/vin.key.enc"))
+ (destination "/etc/wireguard/private.key"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/vin-fp4.psk.enc"))
+ (destination "/etc/wireguard/fp4.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/vin-lud.psk.enc"))
+ (destination "/etc/wireguard/lud.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/vin-pi3.psk.enc"))
+ (destination "/etc/wireguard/pi3.psk"))
+ (secret
+ (encrypted-file (local-file "files/wireguard/vin-lap.psk.enc"))
+ (destination "/etc/wireguard/lap.psk"))))))
+
 ;; For running the Grafana docker container.
 (service grafana-service-type
 (grafana-configuration
-- cgit v1.2.3
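Review bot: The five WireGuard `secret` entries (`private.key` and the four `.psk` files) set no `user` or `group`, and none of the nine entries states a file mode, so who can read the decrypted files depends entirely on defaults in `(tw services secrets)`, which this hunk does not show. For `/etc/wireguard/private.key` in particular it is worth confirming that the default owner is root and that the file is created without group or world read access, rather than being tightened after it is written. I would record that next to the entries with a comment such as `;; WireGuard keys use the secret record's default owner and mode, which must stay root-only.` The restic entries are handed to `restic:restic`, so the same mode question applies to them. The enclosing form starts before and continues past this hunk.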