added secureHost flag

2025-09-28 10:52:27 -06:00
parent d704e0ee13
commit a376428118
24 changed files with 100 additions and 87 deletions
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -1,6 +1,7 @@
 {
  pkgs,
  config,
+  lib,
  ...
 }:
 {
@@ -35,14 +36,16 @@
      supportedFeatures = config.my.nix.features;
    }
  ];
-  sops.secrets."vps/home/private".sopsFile = ../../secrets/wireguard.yaml;
+  sops.secrets."vps/home/private" = lib.mkIf config.my.secureHost {
+    sopsFile = ../../secrets/wireguard.yaml;
+  };
  networking = {
    hostName = "server";
    firewall = {
      allowedUDPPorts = config.networking.firewall.allowedTCPPorts;
      interfaces.wg0.allowedTCPPorts = [ 8081 ];
    };
-    wireguard.interfaces.wg0 = {
+    wireguard.interfaces.wg0 = lib.mkIf config.my.secureHost {
      ips = [ "${config.my.ips.wg-server}/32" ];
      privateKeyFile = config.sops.secrets."vps/home/private".path;
      peers = [