Update WireGuard configuration to disable secureHost and adjust private key handling

- Changed secureHost setting from true to false in toggles.nix.
- Modified wireguard-linode.nix to use a default private key path when secureHost is false, enhancing flexibility in key management.

hosts/linode/toggles.nix

@@ -3,7 +3,7 @@ _: {
   locale = "en_US.UTF-8";
   wireguard.enable = true;
   network.enable = true;
-  secureHost = true;
+  secureHost = false;
   ips = {
     vps = "51.222.141.104";
     wg-vps = "10.77.0.1";

hosts/linode/wireguard-linode.nix

@@ -6,7 +6,7 @@
 }:
 {
   config = lib.mkIf config.my.services.wireguard.enable {
-    sops.secrets."wireguard/linode/private" = {
+    sops.secrets."wireguard/linode/private" = lib.mkIf config.my.secureHost {
       sopsFile = ../../secrets/wireguard.yaml;
     };
     networking = {
@@ -44,7 +44,11 @@
           "${config.my.ips.wg-friends}/24"
         ];
         listenPort = 51820;
-        privateKeyFile = config.sops.secrets."wireguard/linode/private".path;
+        privateKeyFile =
+          if config.my.secureHost then
+            config.sops.secrets."wireguard/linode/private".path
+          else
+            "/var/lib/wireguard/private.key";
         postSetup = "${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s ${config.my.ips.wg-friends}/24 -o ${
           config.my.interfaces.${config.networking.hostName}
         } -j MASQUERADE";