From bddc465bf484ddf78cf3576c77b10eff4e753ef8 Mon Sep 17 00:00:00 2001 
From: Timo Wilken Date: Mon, 20 Nov 2023 20:59:04 +0100 Subject: Make WireGuard service install its own secrets automatically --- tw/services/files/wireguard/lap-fp4.psk.enc | 8 +++ tw/services/files/wireguard/lap-lud.psk.enc | 8 +++ tw/services/files/wireguard/lap-pi3.psk.enc | 8 +++ tw/services/files/wireguard/lap-vin.psk.enc | 8 +++ tw/services/files/wireguard/lap.key.enc | 8 +++ tw/services/files/wireguard/lud-fp4.psk.enc | 8 +++ tw/services/files/wireguard/lud-lap.psk.enc | 8 +++ tw/services/files/wireguard/lud-pi3.psk.enc | 8 +++ tw/services/files/wireguard/lud-vin.psk.enc | 8 +++ tw/services/files/wireguard/lud.key.enc | 8 +++ tw/services/files/wireguard/vin-fp4.psk.enc | 8 +++ tw/services/files/wireguard/vin-lap.psk.enc | 8 +++ tw/services/files/wireguard/vin-lud.psk.enc | 8 +++ tw/services/files/wireguard/vin-pi3.psk.enc | 8 +++ tw/services/files/wireguard/vin.key.enc | 8 +++ tw/services/wireguard.scm | 86 +++++++++++++++++++++-------- tw/system/files/wireguard/lap-fp4.psk.enc | 8 --- tw/system/files/wireguard/lap-lud.psk.enc | 8 --- tw/system/files/wireguard/lap-pi3.psk.enc | 8 --- tw/system/files/wireguard/lap-vin.psk.enc | 8 --- tw/system/files/wireguard/lap.key.enc | 8 --- tw/system/files/wireguard/lud-fp4.psk.enc | 8 --- tw/system/files/wireguard/lud-lap.psk.enc | 8 --- tw/system/files/wireguard/lud-pi3.psk.enc | 8 --- tw/system/files/wireguard/lud-vin.psk.enc | 8 --- tw/system/files/wireguard/lud.key.enc | 8 --- tw/system/files/wireguard/vin-fp4.psk.enc | 8 --- tw/system/files/wireguard/vin-lap.psk.enc | 8 --- tw/system/files/wireguard/vin-lud.psk.enc | 8 --- tw/system/files/wireguard/vin-pi3.psk.enc | 8 --- tw/system/files/wireguard/vin.key.enc | 8 --- tw/system/lap.scm | 20 +------ tw/system/lud.scm | 17 +----- tw/system/vin.scm | 17 +----- 34 files changed, 187 insertions(+), 193 deletions(-) create mode 100644 tw/services/files/wireguard/lap-fp4.psk.enc create mode 100644 tw/services/files/wireguard/lap-lud.psk.enc create mode 100644 
tw/services/files/wireguard/lap-pi3.psk.enc create mode 100644 tw/services/files/wireguard/lap-vin.psk.enc create mode 100644 tw/services/files/wireguard/lap.key.enc create mode 100644 tw/services/files/wireguard/lud-fp4.psk.enc create mode 100644 tw/services/files/wireguard/lud-lap.psk.enc create mode 100644 tw/services/files/wireguard/lud-pi3.psk.enc create mode 100644 tw/services/files/wireguard/lud-vin.psk.enc create mode 100644 tw/services/files/wireguard/lud.key.enc create mode 100644 tw/services/files/wireguard/vin-fp4.psk.enc create mode 100644 tw/services/files/wireguard/vin-lap.psk.enc create mode 100644 tw/services/files/wireguard/vin-lud.psk.enc create mode 100644 tw/services/files/wireguard/vin-pi3.psk.enc create mode 100644 tw/services/files/wireguard/vin.key.enc delete mode 100644 tw/system/files/wireguard/lap-fp4.psk.enc delete mode 100644 tw/system/files/wireguard/lap-lud.psk.enc delete mode 100644 tw/system/files/wireguard/lap-pi3.psk.enc delete mode 100644 tw/system/files/wireguard/lap-vin.psk.enc delete mode 100644 tw/system/files/wireguard/lap.key.enc delete mode 100644 tw/system/files/wireguard/lud-fp4.psk.enc delete mode 100644 tw/system/files/wireguard/lud-lap.psk.enc delete mode 100644 tw/system/files/wireguard/lud-pi3.psk.enc delete mode 100644 tw/system/files/wireguard/lud-vin.psk.enc delete mode 100644 tw/system/files/wireguard/lud.key.enc delete mode 100644 tw/system/files/wireguard/vin-fp4.psk.enc delete mode 100644 tw/system/files/wireguard/vin-lap.psk.enc delete mode 100644 tw/system/files/wireguard/vin-lud.psk.enc delete mode 100644 tw/system/files/wireguard/vin-pi3.psk.enc delete mode 100644 tw/system/files/wireguard/vin.key.enc (limited to 'tw') diff --git a/tw/services/files/wireguard/lap-fp4.psk.enc b/tw/services/files/wireguard/lap-fp4.psk.enc new file mode 100644 index 00000000..170235ce --- /dev/null +++ b/tw/services/files/wireguard/lap-fp4.psk.enc 
@@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWamMrRWw2RWc5WEErdnJs +UnhySUJOaDIwSktpWVFtYUNOL1g5L0d4UkZvCitvdWF0QkNLQzdPT2NHSzAwSnM1 +RWVwMnJuaUxJMUhSKzl6Q3NkOXVyQkkKLS0tIGtmakJBaUxHZmp4UmJCbE03K2xF +Yi9Bbk5XZGdlUXNURkwrcy9ydm9ORjQK2J0gYNONcSb0DpGFFkxZ2XRQLC5lRysY +O6MZeSm1sin4Bj5ZOxluWxpvR2fLoxuHJcd1F4ylHxPMQ2TWKjQuHZXaFXnZ6VYY +/+jvJ7g= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/files/wireguard/lap-lud.psk.enc b/tw/services/files/wireguard/lap-lud.psk.enc new file mode 100644 index 00000000..15ba1599 --- /dev/null +++ b/tw/services/files/wireguard/lap-lud.psk.enc @@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrKytNRncwdWJNRHZPSlZ0 +ZWJLNnE3WGxDQ2hCYkRkdUZFSU10aVBWc1M4CjY5QThSZERpUnpNcyt5VjdWZFI1 +SzNyRnd4ejV2NkFjWEd3THRZZ3ZhSEUKLS0tIDBhNi9FdUJmckh3MHRNeVo2aEF3 +N3FlWXVzMGpTcloxcWZLVi9VQXp4VjQKUmehShAWGRDMGIkVv4gcvf9TCO9wEgVk +doVPsp8a5AbEUerD4/RHuaOJjA0jNVp799xHISt89rwgTydw3vmuqgRXTEStWOCe +VnDxSVs= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/files/wireguard/lap-pi3.psk.enc b/tw/services/files/wireguard/lap-pi3.psk.enc new file mode 100644 index 00000000..00d75345 --- /dev/null +++ b/tw/services/files/wireguard/lap-pi3.psk.enc @@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5TGFUek56c2RDd3diTlRx +VnY4N1hkWFZsYmcrczBCRzhEcDJoVWNzQ3pFCkJDSkRnWkovcmhTM0NpSDY1Z0xX +NFpmWjNMVCtYb1VZUkpZNDJpOXFtbzQKLS0tIGZTYldyRFBGaUZpSk5ubHRhU0Zv +M2gxZFc0SUU2K2lTU3VHS1hRWHNLalEKoqVMqXTweXjV4JutcoN6reXECegeY6iX +fzF8aRrczJMYpLxzpW0Oo5RmUumOvNXdm4tcO6g2QpDHQXFp7O6jGAKeyP0GQ7kg +lf5ZW9w= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/files/wireguard/lap-vin.psk.enc b/tw/services/files/wireguard/lap-vin.psk.enc new file mode 100644 index 00000000..a335cc14 --- /dev/null +++ b/tw/services/files/wireguard/lap-vin.psk.enc 
@@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UmVGZG9VMlVubk1nVmNE +VnFONXZ1V01nb1BTaFNaMldoRFYvMlZKU0Y4CndvUmxHZEJ0KzZQWHlPeUgvdjJS +VWF3bkNNMHhWenVLdFdnYVhQcUNCTXcKLS0tIEk4aE9weDNKRFI1RzQ3NXBwYWNz +MU8vSlhkSS80M0w0bWFhNzkxY2d2SmcKUUMsAD+yY6wGjaSTxRgzjABQ/qPwjKNE ++Pz0nnyJkXPrwlHFS+g5n+VUz6NzKi2zxdaDpgsKkGrSkqSHij1z77ZjdKwcy/uv +7auCjMM= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/files/wireguard/lap.key.enc b/tw/services/files/wireguard/lap.key.enc new file mode 100644 index 00000000..ce7bac3b --- /dev/null +++ b/tw/services/files/wireguard/lap.key.enc @@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUHZYQVJFenpUbjdQOVVx +dW1mT0VIelR3aTA2ZVRnR01TU21zcE5LZ1VFCkdwQk9VczJjV0psK1Mza2UrUk1H +V3k4R2ovQjhFb0k3NzVueHlkTWk1UUUKLS0tIFdxUTllcmNwSkxzYzBWT0ZRcE5m +RlBqTWVyQ3RJY3ZTb3Y0ZjZsc0xFc0EKJvJ6KrnyxHqucgTydIsnX2dwKqQQwdrg +OHrWGorh3v44xHpHJrS94gnC5AzCblKVVNt5/93esUaUsXYRwaAhQu5TVoUeFdjP +b9POXvk= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/files/wireguard/lud-fp4.psk.enc b/tw/services/files/wireguard/lud-fp4.psk.enc new file mode 100644 index 00000000..dedc8814 --- /dev/null +++ b/tw/services/files/wireguard/lud-fp4.psk.enc @@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyA5Y2dn +N0M2dkZZN3MyU0dMbnExbGdBSEVlVGxIVjkwY1VieEN3TWR5cDE0CnFIS1ZsSDll +UHNwaG1jZU1LQTJGSE5nS2hsMkRVdmhrUFhMYVlwMHdOaGcKLS0tIHY1bjkzcE9t +UzlySGxtUFRuQUIyYldmY1ZpeTlXOVFYYmdRQXBuUmN1Z2MK14xQAizZ0KvIA0DR +2IEexRvj8V49M5fSShXxQrY3RU+s96Dg5d1giDFvYmIpwQbECFKDwYKfSMQwVtpW +R9XiBZz2ptyPgQJ19Kku12k= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/files/wireguard/lud-lap.psk.enc b/tw/services/files/wireguard/lud-lap.psk.enc new file mode 100644 index 00000000..91d1bb1a --- /dev/null +++ b/tw/services/files/wireguard/lud-lap.psk.enc 
@@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyA3VGNL +NHhLejluZzk1K3B4bzdUaThzU2Z3TWMzZUJrV0tGWHlnY2xSangwCm1pSUFYV3k2 +UHdIT25adWhVRXZ5eXJqR2ZyVVhtdnpOd1V5aWlpVG91c00KLS0tIHpjV1Y5blNO +bysvbHJUWFprTUtrM054VDZwaTFPWHArb1JES2lNWVNUbUUKPAedksMUAimxMhC1 +Qad62SexojfI3+iI/vzdEDhjNOpohMBPejy4cLPY3EpQKtp3XoFz8S5E2hd+SraQ +bJcw6u7JGgr3zdKBrI6TW/Y= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/files/wireguard/lud-pi3.psk.enc b/tw/services/files/wireguard/lud-pi3.psk.enc new file mode 100644 index 00000000..32b8097a --- /dev/null +++ b/tw/services/files/wireguard/lud-pi3.psk.enc @@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyAwWmVh +dFZ1S2ZCOXpNZ1VkNmFtcVBzOGczV1FUV2U1eVdZQXVvTFhLL0dZCkRBZE5KTERL +UFBlQ1c3NnhMNllsRTF0QVN5ZERiUFVpQTVONVY5WkZaWmcKLS0tIDNPaWlVYS9L +cm1lU21obm9Yb1h4djhDTk5jQ1prbnF4VnptNmVCY0p6c1EKWijtgsgWpKl+d5tL +Mf16dmJ31IzLNuY8uy0VFtiAqLnyfa5mpYpDUG9OH/i80zDrlqWOQpWtrp76BLdT +PfILs3kDlReEYXlPSNVSyIQ= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/files/wireguard/lud-vin.psk.enc b/tw/services/files/wireguard/lud-vin.psk.enc new file mode 100644 index 00000000..693a886a --- /dev/null +++ b/tw/services/files/wireguard/lud-vin.psk.enc @@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyBHRjlH +OUVkb1VvZ3N0WFl0MzFyeGIzcVJvWGVNQ0lZN2Y2VWNJS3RldnpBCkZWdlZBSFNw +QlBjM2dsbU5rYTQrQlFTWnlzY1VxY3ltbjkwek42Q1lMc0kKLS0tIExud1NrOWhi +a0d1bmdIL1FERWhVK2ZDbytSRGd5R0M2Z2dia3BPMEp2aTQKQPxKQXV49/O/5IAW +/nm4VVQKUfR5vZrp7Y9syodHz9+wm1zEoAELpRFyhLhd9DH1v0Bk2q+36lysKXD0 +FKd4ldl2NvSmt4o39YM3BP0= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/files/wireguard/lud.key.enc b/tw/services/files/wireguard/lud.key.enc new file mode 100644 index 00000000..5001f4ce --- /dev/null +++ b/tw/services/files/wireguard/lud.key.enc 
@@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyBFcGhX +RWF4RUhQYThRV3dtOTBLQlZJWmJNQWlUU3Y4UnpaNFZuUGJ0Z3pFCmtUcjl6TEpp +UE50ejIySTNGQ3JBTmNUWjVVNjVrdzFDSHZFQnVlYkVkaEkKLS0tIEVqWGN3b0Ni +cVBrZVpzelllb0dLZVljV2x3RkZNTkMyQzVSY0RnSXIwVWsKW42mh3RidTcaeqqV +3+Fbk3w9S1c3TKpO3Pz6Ei2SpH2V9zfNnQjJYfJFumZzQbDNAx956KaBvarjiDjk +omyjFTuUtAUjZslkDuz3h0s= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/files/wireguard/vin-fp4.psk.enc b/tw/services/files/wireguard/vin-fp4.psk.enc new file mode 100644 index 00000000..e636c35d --- /dev/null +++ b/tw/services/files/wireguard/vin-fp4.psk.enc @@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBoczBZ +UkJwUDNpS3ZLNkZQMGVsd241YTNOay9OdzlnaTJLVTBlcjlZRmdBCnlrM2ZUV1Z1 +Q0ZuR3BHUGFTeVY1WUpha0hoaHRzOVRKK1F3WmF0bzZHa0kKLS0tIEM3Z1R5dzdF +djRxcURzL2lBMGlHSWVhNGNtaktSL1JtUytkN0lzUURtREUKaULnyw47eRqRkI2w +ROK8Rfp7zNWkVGE3vL9rSQhhkJL6rhORgbHFDjG7xAnWJECxSSa2xH9Xzcb4OY2K +55hKMGzlEQi8HYuMrjOgm0E= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/files/wireguard/vin-lap.psk.enc b/tw/services/files/wireguard/vin-lap.psk.enc new file mode 100644 index 00000000..6975348d --- /dev/null +++ b/tw/services/files/wireguard/vin-lap.psk.enc @@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBQNkVF +TElJRys2d3NtRGszNDVaTzl1YUdISlg5bXU0Y1Zic1hVNHJ4ekVNCmQ1ZmUxMTM5 +VnZpNnBiZ2IrRWZmNTNyQnBhZysvdFJwVmk4L1F5MUtjb2sKLS0tIG9VcFRiNERC +Zms4aUROMHd3WFZnTlcrZFdxSWsrMzAwNkpDQlEzQTB5dHMKEtKI+rIW9dPVmAXr +ZAXvEqxw4oC5C6MVwPKjMnpo8D5XuAbU5nXYbaTqmxAJ6cUL9n0ohmet4F1dN4Ni ++JsXzA00hPm3KijiuiD6rJ8= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/files/wireguard/vin-lud.psk.enc b/tw/services/files/wireguard/vin-lud.psk.enc new file mode 100644 index 00000000..ba725037 --- /dev/null +++ b/tw/services/files/wireguard/vin-lud.psk.enc 
@@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBOUm5x +R2J2UDBxamg5MjVqTTZhOGE1NHdDOENXTWlFKzZMRW4vWjNWZkc4CjFPanJQTmQ2 +ZFJtZHF3Y09INXlNRmdrdUVBSUY5SkwyUGNJZVZNL0ZUN00KLS0tIFhsd3BKMkNG +R3dJRFFYeHY2UjVESmZNTUhQd240eDgrQXpGdk9WTkhLdGsKqzXzlh9nwmR2bfwE +mg95yfy6LqDs1tQLMzVqDXvKxz4yrZkI4IXHwGWOt2MAvOYC5ln/UhlJry2D3tpG +2ZaopoLD8E1Q4yNLdqMWO6Q= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/files/wireguard/vin-pi3.psk.enc b/tw/services/files/wireguard/vin-pi3.psk.enc new file mode 100644 index 00000000..e273896c --- /dev/null +++ b/tw/services/files/wireguard/vin-pi3.psk.enc @@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBuL2c3 +YW9mbXRhTjVjQ2Q1TlVJMzJjaHRPcS9oeVRlSDVPak1paTBTZzBvCk5pdElRNS80 +djdvWERuRUE3ZkVCR0RLZDdscHUwUUgya2kyeUwrdXdtVHcKLS0tIFp4QWlIZWZl +L0dabXJEbm15cGZoeUZ5N3JMSHVxUGUyTFpPT250VzZJejQK41qhHwdeK+M5fWzE +ApbvvEg38s2xKhhH2+NiSGNmwGkFDftopdlnYgeFoA981B/EnpDLbvRTs9FUdSZd +Kcq4eo38LFBLqcZUysia9JE= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/files/wireguard/vin.key.enc b/tw/services/files/wireguard/vin.key.enc new file mode 100644 index 00000000..76b7bed2 --- /dev/null +++ b/tw/services/files/wireguard/vin.key.enc @@ -0,0 +1,8 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBUSUNz +NXNaS3M4cU9aSDJNbThLQUhqUCtjbFdMTjF6and5UXFBd1grWWlvCjVFR2E2aFJl +blU3MjlBUWYydTA4d2d5blA1NHU1azdoc3lKN0REYzQwNjgKLS0tIDJXSFNiUkVm +b25ITlViSFY3RXRCMjFzWFZxSXE1ZjgrbDNYRE9aUlA3VTAK17WT34ih5ZrKQufr +8XTp+CReWYEr+jIW5ap8IVy8Vn2ymhZ4zmo1vxcZZDZLkElMP7QXId6eaiQ6f5hY +h/RgMhIDzLtYt5UCh18goqk= +-----END AGE ENCRYPTED FILE----- diff --git a/tw/services/wireguard.scm b/tw/services/wireguard.scm index 3d35cd2e..e975fe46 100644 --- a/tw/services/wireguard.scm +++ b/tw/services/wireguard.scm 
@@ -6,6 +6,10 @@ #:use-module (gnu services base) #:use-module (gnu services configuration) #:use-module (gnu services vpn) + #:use-module (guix gexp) + #:use-module ((guix records) #:select (match-record)) + #:use-module ((guix utils) #:select (current-source-directory)) + #:use-module (tw services secrets) #:export (%wireguard-peers tw-wireguard-configuration tw-wireguard-service-type)) 
@@ -56,41 +60,76 @@ "The host name of the machine being configured.") (peers (wireguard-peers-list %wireguard-peers) - "An alist of WireGuard peers to install.")) + "An alist of WireGuard peers to install.") + (private-key-file + (string "/etc/wireguard/private.key") + "Where to store this host's private key.")) + +(define (other-peers this-host peers) + (let ((own-peer (assoc-ref peers this-host))) + (delq own-peer (map cdr peers)))) (define (tw-wireguard-service config) "Create a full WireGuard config from the personal network CONFIG." - (let ((own-peer (assoc-ref (tw-wireguard-configuration-peers config) - (tw-wireguard-configuration-this-host config)))) - (wireguard-configuration - (addresses - (map (lambda (cidr) - (let ((ipv4 (string-match "/32$" cidr)) - (ipv6 (string-match "/128$" cidr))) - (cond - (ipv4 (regexp-substitute #f ipv4 'pre "/24")) - (ipv6 (regexp-substitute #f ipv6 'pre "/64")) - (#t cidr)))) - (wireguard-peer-allowed-ips own-peer))) - (port - (let ((endpoint (wireguard-peer-endpoint own-peer))) + (match-record config (this-host peers private-key-file) + (match-record (assoc-ref peers this-host) (@@ (gnu services vpn) ) (endpoint allowed-ips) + (wireguard-configuration + (addresses + (map (lambda (cidr) + (let ((ipv4 (string-match "/32$" cidr)) + (ipv6 (string-match "/128$" cidr))) + (cond + (ipv4 (regexp-substitute #f ipv4 'pre "/24")) + (ipv6 (regexp-substitute #f ipv6 'pre "/64")) + (#t cidr)))) + allowed-ips)) + (port (if endpoint (string->number (cadr (string-split endpoint #\:))) - 58921))) - (private-key "/etc/wireguard/private.key") - (peers (delq own-peer (map cdr (tw-wireguard-configuration-peers config))))))) + 58921)) + (private-key private-key-file) + (peers (other-peers this-host peers)))))) + +(define (cut-string-at-char str char-pred) + "Return the first part of STR up to the first occurrence of CHAR-PRED." 
+ (substring str 0 (string-index str char-pred))) (define (peer->ips peer) "Extract IP addresses assigned to the given `wireguard-peer' PEER." - (map (compose car (cut string-split <> #\/)) + (map (cut cut-string-at-char <> #\/) (wireguard-peer-allowed-ips peer))) (define (tw-wireguard-hosts config) "Generate a hosts file entries from the personal WireGuard network CONFIG." - (append-map (lambda (peer) - (map (cut host <> (wireguard-peer-name peer)) - (peer->ips peer))) - (map cdr (tw-wireguard-configuration-peers config)))) + (define (peer->entries peer) + (map (cut host <> (wireguard-peer-name peer)) + (peer->ips peer))) + (append-map (compose peer->entries cdr) + (tw-wireguard-configuration-peers config))) + +(define (tw-wireguard-secrets config) + "Install secrets for the host's private key and preshared keys with peers." + (define (local-file-here path) + (local-file + (canonicalize-path + (string-append + (current-source-directory) "/" path)))) + (match-record config (this-host peers private-key-file) + (define short-host (cut-string-at-char this-host #\.)) + (define private-key + (secret + (encrypted-file + (local-file-here (string-append "files/wireguard/" short-host ".key.enc"))) + (destination private-key-file))) + (define (peer->secret peer) + (let ((short-peer (cut-string-at-char (wireguard-peer-name peer) #\.))) + (secret + (encrypted-file + (local-file-here + (string-append "files/wireguard/" short-host "-" short-peer ".psk.enc"))) + (destination + (string-append "/etc/wireguard/" short-peer ".psk"))))) + (cons private-key (map peer->secret (other-peers this-host peers))))) (define tw-wireguard-service-type (service-type @@ -98,6 +137,7 @@ (description "Set up my personal WireGuard network.") (extensions (cons* (service-extension hosts-service-type tw-wireguard-hosts) + (service-extension secrets-service-type tw-wireguard-secrets) ;; FIXME: `wireguard-service-type' cannot be extended, so copy its ;; service-extensions directly. (map (lambda (ext) 
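Review bot: `cut-string-at-char` passes the result of `string-index` straight to `substring`, and `string-index` returns `#f` when the character is absent, which `substring` should reject as an end index rather than read as "end of string". As a result `peer->ips` fails on an allowed-ips entry written without a prefix length, which the replaced `string-split` version accepted, and `tw-wireguard-secrets` fails on a `this-host` or peer name that contains no dot. Falling back to the whole string keeps the old behaviour and matches the docstring: `(substring str 0 (or (string-index str char-pred) (string-length str)))`. Separately, `peer->secret` hard-codes the `/etc/wireguard/` directory for the `.psk` destinations while the private key path is now configurable through `private-key-file`; a comment stating that these paths must match what the peer records (defined outside this hunk) presumably reference as their preshared-key files would keep the two from drifting apart.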
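Review bot: The `description` field does not say that this service type now depends on `secrets-service-type`, which the added `service-extension` line extends. Unless that type declares a default value (not visible here), every operating-system using `tw-wireguard-service-type` must instantiate it, and the `lap.scm` change in this commit keeps an otherwise empty `secrets-configuration` for exactly that reason. I would extend the text, e.g. `(description "Set up my personal WireGuard network. Needs a secrets-service-type instance to install the key files.")`. The `service-type` form starts before and ends after this hunk, so whether the decrypted keys are in place before the tunnel is brought up cannot be checked from these lines.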
diff --git a/tw/system/files/wireguard/lap-fp4.psk.enc b/tw/system/files/wireguard/lap-fp4.psk.enc deleted file mode 100644 index 170235ce..00000000 --- a/tw/system/files/wireguard/lap-fp4.psk.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWamMrRWw2RWc5WEErdnJs -UnhySUJOaDIwSktpWVFtYUNOL1g5L0d4UkZvCitvdWF0QkNLQzdPT2NHSzAwSnM1 -RWVwMnJuaUxJMUhSKzl6Q3NkOXVyQkkKLS0tIGtmakJBaUxHZmp4UmJCbE03K2xF -Yi9Bbk5XZGdlUXNURkwrcy9ydm9ORjQK2J0gYNONcSb0DpGFFkxZ2XRQLC5lRysY -O6MZeSm1sin4Bj5ZOxluWxpvR2fLoxuHJcd1F4ylHxPMQ2TWKjQuHZXaFXnZ6VYY -/+jvJ7g= ------END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/lap-lud.psk.enc b/tw/system/files/wireguard/lap-lud.psk.enc deleted file mode 100644 index 15ba1599..00000000 --- a/tw/system/files/wireguard/lap-lud.psk.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrKytNRncwdWJNRHZPSlZ0 -ZWJLNnE3WGxDQ2hCYkRkdUZFSU10aVBWc1M4CjY5QThSZERpUnpNcyt5VjdWZFI1 -SzNyRnd4ejV2NkFjWEd3THRZZ3ZhSEUKLS0tIDBhNi9FdUJmckh3MHRNeVo2aEF3 -N3FlWXVzMGpTcloxcWZLVi9VQXp4VjQKUmehShAWGRDMGIkVv4gcvf9TCO9wEgVk -doVPsp8a5AbEUerD4/RHuaOJjA0jNVp799xHISt89rwgTydw3vmuqgRXTEStWOCe -VnDxSVs= ------END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/lap-pi3.psk.enc b/tw/system/files/wireguard/lap-pi3.psk.enc deleted file mode 100644 index 00d75345..00000000 --- a/tw/system/files/wireguard/lap-pi3.psk.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5TGFUek56c2RDd3diTlRx -VnY4N1hkWFZsYmcrczBCRzhEcDJoVWNzQ3pFCkJDSkRnWkovcmhTM0NpSDY1Z0xX -NFpmWjNMVCtYb1VZUkpZNDJpOXFtbzQKLS0tIGZTYldyRFBGaUZpSk5ubHRhU0Zv -M2gxZFc0SUU2K2lTU3VHS1hRWHNLalEKoqVMqXTweXjV4JutcoN6reXECegeY6iX -fzF8aRrczJMYpLxzpW0Oo5RmUumOvNXdm4tcO6g2QpDHQXFp7O6jGAKeyP0GQ7kg -lf5ZW9w= ------END AGE ENCRYPTED FILE----- 
diff --git a/tw/system/files/wireguard/lap-vin.psk.enc b/tw/system/files/wireguard/lap-vin.psk.enc deleted file mode 100644 index a335cc14..00000000 --- a/tw/system/files/wireguard/lap-vin.psk.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UmVGZG9VMlVubk1nVmNE -VnFONXZ1V01nb1BTaFNaMldoRFYvMlZKU0Y4CndvUmxHZEJ0KzZQWHlPeUgvdjJS -VWF3bkNNMHhWenVLdFdnYVhQcUNCTXcKLS0tIEk4aE9weDNKRFI1RzQ3NXBwYWNz -MU8vSlhkSS80M0w0bWFhNzkxY2d2SmcKUUMsAD+yY6wGjaSTxRgzjABQ/qPwjKNE -+Pz0nnyJkXPrwlHFS+g5n+VUz6NzKi2zxdaDpgsKkGrSkqSHij1z77ZjdKwcy/uv -7auCjMM= ------END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/lap.key.enc b/tw/system/files/wireguard/lap.key.enc deleted file mode 100644 index ce7bac3b..00000000 --- a/tw/system/files/wireguard/lap.key.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOUHZYQVJFenpUbjdQOVVx -dW1mT0VIelR3aTA2ZVRnR01TU21zcE5LZ1VFCkdwQk9VczJjV0psK1Mza2UrUk1H -V3k4R2ovQjhFb0k3NzVueHlkTWk1UUUKLS0tIFdxUTllcmNwSkxzYzBWT0ZRcE5m -RlBqTWVyQ3RJY3ZTb3Y0ZjZsc0xFc0EKJvJ6KrnyxHqucgTydIsnX2dwKqQQwdrg -OHrWGorh3v44xHpHJrS94gnC5AzCblKVVNt5/93esUaUsXYRwaAhQu5TVoUeFdjP -b9POXvk= ------END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/lud-fp4.psk.enc b/tw/system/files/wireguard/lud-fp4.psk.enc deleted file mode 100644 index dedc8814..00000000 --- a/tw/system/files/wireguard/lud-fp4.psk.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyA5Y2dn -N0M2dkZZN3MyU0dMbnExbGdBSEVlVGxIVjkwY1VieEN3TWR5cDE0CnFIS1ZsSDll -UHNwaG1jZU1LQTJGSE5nS2hsMkRVdmhrUFhMYVlwMHdOaGcKLS0tIHY1bjkzcE9t -UzlySGxtUFRuQUIyYldmY1ZpeTlXOVFYYmdRQXBuUmN1Z2MK14xQAizZ0KvIA0DR -2IEexRvj8V49M5fSShXxQrY3RU+s96Dg5d1giDFvYmIpwQbECFKDwYKfSMQwVtpW -R9XiBZz2ptyPgQJ19Kku12k= ------END AGE ENCRYPTED FILE----- 
diff --git a/tw/system/files/wireguard/lud-lap.psk.enc b/tw/system/files/wireguard/lud-lap.psk.enc deleted file mode 100644 index 91d1bb1a..00000000 --- a/tw/system/files/wireguard/lud-lap.psk.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyA3VGNL -NHhLejluZzk1K3B4bzdUaThzU2Z3TWMzZUJrV0tGWHlnY2xSangwCm1pSUFYV3k2 -UHdIT25adWhVRXZ5eXJqR2ZyVVhtdnpOd1V5aWlpVG91c00KLS0tIHpjV1Y5blNO -bysvbHJUWFprTUtrM054VDZwaTFPWHArb1JES2lNWVNUbUUKPAedksMUAimxMhC1 -Qad62SexojfI3+iI/vzdEDhjNOpohMBPejy4cLPY3EpQKtp3XoFz8S5E2hd+SraQ -bJcw6u7JGgr3zdKBrI6TW/Y= ------END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/lud-pi3.psk.enc b/tw/system/files/wireguard/lud-pi3.psk.enc deleted file mode 100644 index 32b8097a..00000000 --- a/tw/system/files/wireguard/lud-pi3.psk.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyAwWmVh -dFZ1S2ZCOXpNZ1VkNmFtcVBzOGczV1FUV2U1eVdZQXVvTFhLL0dZCkRBZE5KTERL -UFBlQ1c3NnhMNllsRTF0QVN5ZERiUFVpQTVONVY5WkZaWmcKLS0tIDNPaWlVYS9L -cm1lU21obm9Yb1h4djhDTk5jQ1prbnF4VnptNmVCY0p6c1EKWijtgsgWpKl+d5tL -Mf16dmJ31IzLNuY8uy0VFtiAqLnyfa5mpYpDUG9OH/i80zDrlqWOQpWtrp76BLdT -PfILs3kDlReEYXlPSNVSyIQ= ------END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/lud-vin.psk.enc b/tw/system/files/wireguard/lud-vin.psk.enc deleted file mode 100644 index 693a886a..00000000 --- a/tw/system/files/wireguard/lud-vin.psk.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyBHRjlH -OUVkb1VvZ3N0WFl0MzFyeGIzcVJvWGVNQ0lZN2Y2VWNJS3RldnpBCkZWdlZBSFNw -QlBjM2dsbU5rYTQrQlFTWnlzY1VxY3ltbjkwek42Q1lMc0kKLS0tIExud1NrOWhi -a0d1bmdIL1FERWhVK2ZDbytSRGd5R0M2Z2dia3BPMEp2aTQKQPxKQXV49/O/5IAW -/nm4VVQKUfR5vZrp7Y9syodHz9+wm1zEoAELpRFyhLhd9DH1v0Bk2q+36lysKXD0 -FKd4ldl2NvSmt4o39YM3BP0= ------END AGE ENCRYPTED FILE----- 
diff --git a/tw/system/files/wireguard/lud.key.enc b/tw/system/files/wireguard/lud.key.enc deleted file mode 100644 index 5001f4ce..00000000 --- a/tw/system/files/wireguard/lud.key.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IHBESlBiZyBFcGhX -RWF4RUhQYThRV3dtOTBLQlZJWmJNQWlUU3Y4UnpaNFZuUGJ0Z3pFCmtUcjl6TEpp -UE50ejIySTNGQ3JBTmNUWjVVNjVrdzFDSHZFQnVlYkVkaEkKLS0tIEVqWGN3b0Ni -cVBrZVpzelllb0dLZVljV2x3RkZNTkMyQzVSY0RnSXIwVWsKW42mh3RidTcaeqqV -3+Fbk3w9S1c3TKpO3Pz6Ei2SpH2V9zfNnQjJYfJFumZzQbDNAx956KaBvarjiDjk -omyjFTuUtAUjZslkDuz3h0s= ------END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/vin-fp4.psk.enc b/tw/system/files/wireguard/vin-fp4.psk.enc deleted file mode 100644 index e636c35d..00000000 --- a/tw/system/files/wireguard/vin-fp4.psk.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBoczBZ -UkJwUDNpS3ZLNkZQMGVsd241YTNOay9OdzlnaTJLVTBlcjlZRmdBCnlrM2ZUV1Z1 -Q0ZuR3BHUGFTeVY1WUpha0hoaHRzOVRKK1F3WmF0bzZHa0kKLS0tIEM3Z1R5dzdF -djRxcURzL2lBMGlHSWVhNGNtaktSL1JtUytkN0lzUURtREUKaULnyw47eRqRkI2w -ROK8Rfp7zNWkVGE3vL9rSQhhkJL6rhORgbHFDjG7xAnWJECxSSa2xH9Xzcb4OY2K -55hKMGzlEQi8HYuMrjOgm0E= ------END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/vin-lap.psk.enc b/tw/system/files/wireguard/vin-lap.psk.enc deleted file mode 100644 index 6975348d..00000000 --- a/tw/system/files/wireguard/vin-lap.psk.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBQNkVF -TElJRys2d3NtRGszNDVaTzl1YUdISlg5bXU0Y1Zic1hVNHJ4ekVNCmQ1ZmUxMTM5 -VnZpNnBiZ2IrRWZmNTNyQnBhZysvdFJwVmk4L1F5MUtjb2sKLS0tIG9VcFRiNERC -Zms4aUROMHd3WFZnTlcrZFdxSWsrMzAwNkpDQlEzQTB5dHMKEtKI+rIW9dPVmAXr -ZAXvEqxw4oC5C6MVwPKjMnpo8D5XuAbU5nXYbaTqmxAJ6cUL9n0ohmet4F1dN4Ni -+JsXzA00hPm3KijiuiD6rJ8= ------END AGE ENCRYPTED FILE----- 
diff --git a/tw/system/files/wireguard/vin-lud.psk.enc b/tw/system/files/wireguard/vin-lud.psk.enc deleted file mode 100644 index ba725037..00000000 --- a/tw/system/files/wireguard/vin-lud.psk.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBOUm5x -R2J2UDBxamg5MjVqTTZhOGE1NHdDOENXTWlFKzZMRW4vWjNWZkc4CjFPanJQTmQ2 -ZFJtZHF3Y09INXlNRmdrdUVBSUY5SkwyUGNJZVZNL0ZUN00KLS0tIFhsd3BKMkNG -R3dJRFFYeHY2UjVESmZNTUhQd240eDgrQXpGdk9WTkhLdGsKqzXzlh9nwmR2bfwE -mg95yfy6LqDs1tQLMzVqDXvKxz4yrZkI4IXHwGWOt2MAvOYC5ln/UhlJry2D3tpG -2ZaopoLD8E1Q4yNLdqMWO6Q= ------END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/vin-pi3.psk.enc b/tw/system/files/wireguard/vin-pi3.psk.enc deleted file mode 100644 index e273896c..00000000 --- a/tw/system/files/wireguard/vin-pi3.psk.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBuL2c3 -YW9mbXRhTjVjQ2Q1TlVJMzJjaHRPcS9oeVRlSDVPak1paTBTZzBvCk5pdElRNS80 -djdvWERuRUE3ZkVCR0RLZDdscHUwUUgya2kyeUwrdXdtVHcKLS0tIFp4QWlIZWZl -L0dabXJEbm15cGZoeUZ5N3JMSHVxUGUyTFpPT250VzZJejQK41qhHwdeK+M5fWzE -ApbvvEg38s2xKhhH2+NiSGNmwGkFDftopdlnYgeFoA981B/EnpDLbvRTs9FUdSZd -Kcq4eo38LFBLqcZUysia9JE= ------END AGE ENCRYPTED FILE----- diff --git a/tw/system/files/wireguard/vin.key.enc b/tw/system/files/wireguard/vin.key.enc deleted file mode 100644 index 76b7bed2..00000000 --- a/tw/system/files/wireguard/vin.key.enc +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN AGE ENCRYPTED FILE----- -YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9TV0hVQSBUSUNz -NXNaS3M4cU9aSDJNbThLQUhqUCtjbFdMTjF6and5UXFBd1grWWlvCjVFR2E2aFJl -blU3MjlBUWYydTA4d2d5blA1NHU1azdoc3lKN0REYzQwNjgKLS0tIDJXSFNiUkVm -b25ITlViSFY3RXRCMjFzWFZxSXE1ZjgrbDNYRE9aUlA3VTAK17WT34ih5ZrKQufr -8XTp+CReWYEr+jIW5ap8IVy8Vn2ymhZ4zmo1vxcZZDZLkElMP7QXId6eaiQ6f5hY -h/RgMhIDzLtYt5UCh18goqk= ------END AGE ENCRYPTED FILE----- 
diff --git a/tw/system/lap.scm b/tw/system/lap.scm index b6049ad3..f6e56116 100644 --- a/tw/system/lap.scm +++ b/tw/system/lap.scm @@ -447,26 +447,10 @@ EndSection (list vin) (list lud)))))) + ;; Set up a secrets config for WireGuard to extend. (service secrets-service-type (secrets-configuration - (host-key "/etc/secrets.key") ; we have no SSH host keys, so use a custom key - (secrets - (list - (secret - (encrypted-file (local-file "files/wireguard/lap.key.enc")) - (destination "/etc/wireguard/private.key")) - (secret - (encrypted-file (local-file "files/wireguard/lap-fp4.psk.enc")) - (destination "/etc/wireguard/fp4.psk")) - (secret - (encrypted-file (local-file "files/wireguard/lap-lud.psk.enc")) - (destination "/etc/wireguard/lud.psk")) - (secret - (encrypted-file (local-file "files/wireguard/lap-pi3.psk.enc")) - (destination "/etc/wireguard/pi3.psk")) - (secret - (encrypted-file (local-file "files/wireguard/lap-vin.psk.enc")) - (destination "/etc/wireguard/vin.psk")))))) + (host-key "/etc/secrets.key"))) ; we have no SSH host keys, so use a custom key (modify-services (append %system-channel-services %desktop-services) ;; Let sane find the airscan backend. ipp-usb needs to be running separately. diff --git a/tw/system/lud.scm b/tw/system/lud.scm index 592b764b..82a3e43f 100644 --- a/tw/system/lud.scm +++ b/tw/system/lud.scm 
@@ -197,22 +197,7 @@ innodb_io_capacity = 4000 (destination "/etc/nextcloud-database-password.enc")) (secret (encrypted-file (local-file "files/restic/lud-nextcloud.enc")) - (destination "/etc/restic/lud-nextcloud")) - (secret - (encrypted-file (local-file "files/wireguard/lud.key.enc")) - (destination "/etc/wireguard/private.key")) - (secret - (encrypted-file (local-file "files/wireguard/lud-fp4.psk.enc")) - (destination "/etc/wireguard/fp4.psk")) - (secret - (encrypted-file (local-file "files/wireguard/lud-lap.psk.enc")) - (destination "/etc/wireguard/lap.psk")) - (secret - (encrypted-file (local-file "files/wireguard/lud-pi3.psk.enc")) - (destination "/etc/wireguard/pi3.psk")) - (secret - (encrypted-file (local-file "files/wireguard/lud-vin.psk.enc")) - (destination "/etc/wireguard/vin.psk")))))) + (destination "/etc/restic/lud-nextcloud")))))) ;; Only this server has SSDs, not vin. (simple-service 'fstrim mcron-service-type diff --git a/tw/system/vin.scm b/tw/system/vin.scm index 75243e8d..65870e1f 100644 --- a/tw/system/vin.scm +++ b/tw/system/vin.scm @@ -161,22 +161,7 @@ (encrypted-file (local-file "files/restic/vin-grafana.enc")) (destination "/etc/restic/vin-grafana") (user "restic") - (group "restic")) - (secret - (encrypted-file (local-file "files/wireguard/vin.key.enc")) - (destination "/etc/wireguard/private.key")) - (secret - (encrypted-file (local-file "files/wireguard/vin-fp4.psk.enc")) - (destination "/etc/wireguard/fp4.psk")) - (secret - (encrypted-file (local-file "files/wireguard/vin-lud.psk.enc")) - (destination "/etc/wireguard/lud.psk")) - (secret - (encrypted-file (local-file "files/wireguard/vin-pi3.psk.enc")) - (destination "/etc/wireguard/pi3.psk")) - (secret - (encrypted-file (local-file "files/wireguard/vin-lap.psk.enc")) - (destination "/etc/wireguard/lap.psk")))))) + (group "restic")))))) ;; For running the Grafana docker container. (service grafana-service-type -- cgit v1.2.3