From ac48e8c86b3d1d83419eb13ee4022bfd311fd7d4 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Tue, 28 Oct 2025 13:31:40 -0600
Subject: [PATCH] Update WireGuard configuration to disable secureHost and adjust private key handling

- Changed secureHost setting from true to false in toggles.nix.
- Modified wireguard-linode.nix to use a default private key path when secureHost is false, enhancing flexibility in key management.
---
 hosts/linode/toggles.nix | 2 +-
 hosts/linode/wireguard-linode.nix | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/hosts/linode/toggles.nix b/hosts/linode/toggles.nix
index 4d68238..a6fe5bb 100644
--- a/hosts/linode/toggles.nix
+++ b/hosts/linode/toggles.nix
@@ -3,7 +3,7 @@ _: {
 locale = "en_US.UTF-8";
 wireguard.enable = true;
 network.enable = true;
- secureHost = true;
+ secureHost = false;
 ips = {
 vps = "51.222.141.104";
 wg-vps = "10.77.0.1";
diff --git a/hosts/linode/wireguard-linode.nix b/hosts/linode/wireguard-linode.nix
index cf22e11..3236a93 100644
--- a/hosts/linode/wireguard-linode.nix
+++ b/hosts/linode/wireguard-linode.nix
@@ -6,7 +6,7 @@
 }:
 {
 config = lib.mkIf config.my.services.wireguard.enable {
- sops.secrets."wireguard/linode/private" = {
+ sops.secrets."wireguard/linode/private" = lib.mkIf config.my.secureHost {
 sopsFile = ../../secrets/wireguard.yaml;
 };
 networking = {
@@ -44,7 +44,11 @@
 "${config.my.ips.wg-friends}/24"
 ];
 listenPort = 51820;
- privateKeyFile = config.sops.secrets."wireguard/linode/private".path;
+ privateKeyFile = if config.my.secureHost then config.sops.secrets."wireguard/linode/private".path else "/var/lib/wireguard/private.key";
 postSetup = "${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${config.my.ips.wg-friends}/24 -o ${ config.my.interfaces.${config.networking.hostName} } -j MASQUERADE";
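Review bot: `secureHost = false;` flips a security toggle on this host with no comment saying why, and the companion change in hosts/linode/wireguard-linode.nix shows that with it off the WireGuard private key is read from a plain file instead of a sops-managed secret. A short rationale next to the flag would spare the next reader a grep, e.g. `secureHost = false; # WireGuard key is read from /var/lib/wireguard/private.key while this is off; see wireguard-linode.nix`. If the change is meant to be temporary, a TODO naming the condition for turning it back on belongs there too. Whether other modules also gate on secureHost is not visible in this patch.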
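Review bot: Nothing in the patch creates `/var/lib/wireguard/private.key` or sets its mode, so on a host with secureHost off the WireGuard unit will fail at start until someone places the key by hand; the NixOS wireguard module can do this itself with `generatePrivateKeyFile = !config.my.secureHost;` next to `privateKeyFile`, which keeps the fallback self-contained and leaves the sops branch untouched. It is also worth stating on the else branch that in this mode the private key sits unencrypted on the host's disk, the trade-off the commit message's "flexibility" does not mention, e.g. `# NOTE: unencrypted key on disk when secureHost is off; not managed by sops`. The expression is otherwise sound: the sops secret's `.path` is only evaluated when the secret is also defined, since the first hunk gates it on the same flag. The enclosing interface definition starts and ends outside the hunk.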