add remaining devices to chaosInternalWireguard and fix partOf behaviour

data/chaosInternalWireGuard.nix

@@ -12,14 +12,14 @@ in rec {
       public = pubkeys."vault";
       endpoint = "vault.servers.genderfucked.monster:51820";
     };
-    #"iphone8" = {
+    "iphone8" = {
-    #  ip = "10.69.42.3";
+      ip = "10.69.42.3";
-    #  public = "PEBw7EI5uogB433cp8eSfJ5DCEiYj+YG2dZd0XkIV1c=";
+      public = pubkeys."iphone8";
-    #};
+    };
-    #"lappy-t495" = {
+    "lappy-t495" = {
-    #  ip = "10.69.42.4";
+      ip = "10.69.42.4";
-    #  public = "BR23xeK/nTgw8Ad001wz9wrfS6gTknTpCKZBLG9bnHM=";
+      public = pubkeys."lappy-t495";
-    #};
+    };
     "raspberry" = {
       ip = "10.69.42.5";
       public = pubkeys."raspberry";

data/chaosInternalWireGuardPubKeys.json

@@ -1,5 +1,7 @@
 {
   "hetzner-vm": "xgOQQcZQXftPC25+A7Iyf/XK6/iSo3Osyx6kTrZKdzw=",
   "vault": "u8hSeht8xR48O9AN+0cSsXPK0ZZFNcnPhOxdc+rsrlI=",
-  "raspberry": "Ghrs0ps2RCsg0My9seLq+8ZFZCM4NLZWE8RiY3g9/RU="
+  "raspberry": "Ghrs0ps2RCsg0My9seLq+8ZFZCM4NLZWE8RiY3g9/RU=",
+  "lappy-t495": "8aZBM3f8/qThiHvGlGP1IHLoe61m/3VTwNzCi7CrhF8=",
+  "iphone8": "jHPQuWXO5TTBACr4o/tk4bpb+N/x/AjCPGbmqkopOko="
 }

home/gui/environments/gnome/default.nix

@@ -19,7 +19,7 @@
     then fontSizesAll.${nixosConfig.networking.hostName}
     else fontSizesAll.default;
 in {
-  imports = with tree; [home.apps.kitty home.apps.rofi];
+  imports = with tree; [home.gui.base home.apps.kitty home.apps.rofi];
 
   home.packages = with pkgs; [dconf2nix gnome.dconf-editor xclip];
 

hosts/hetzner-vm/secrets.nix

@@ -66,8 +66,6 @@ in {
       "passwords/data/slskd"
       "passwords/data/mail"
 
-      "private-public-keys/data/wireguard/chaos-internal/hetzner-vm"
-
       "private-public-keys/data/piped-cockroachdb-ca/nodes/hetzner-vm"
 
       "private-public-keys/data/restic/Mail"
@@ -93,32 +91,6 @@ in {
           echo "GITLAB_TOKEN=$token" > "$secretFile"
         '';
       };
-      # for wireguard
-      wg_priv = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .private > "$secretFile"
-        '';
-      };
-      wg_preshared_vault = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.vault > "$secretFile"
-        '';
-      };
-      wg_preshared_iphone8 = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" .preshared_keys.iphone8 > "$secretFile"
-        '';
-      };
-      wg_preshared_lappy-t495 = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" ".preshared_keys.lappy_t495" > "$secretFile"
-        '';
-      };
-      wg_preshared_raspberry = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/hetzner-vm" ".preshared_keys.raspberry" > "$secretFile"
-        '';
-      };
 
       # Container: music
       mpd_control_password = {

hosts/lappy-t495/lappy-t495.nix

@@ -4,12 +4,13 @@
     users.chaos
     profiles.sshd
 
-    presets.nixos.desktopSway
+    presets.nixos.desktopGnome
     presets.nixos.laptop
     presets.nixos.encryptedUSB
 
     profiles.cross.arm64
     #profiles.remote-builders
+    profiles.chaosInternalWireGuard
 
     ./secrets.nix
   ];

hosts/lappy-t495/secrets.nix

@@ -2,7 +2,9 @@
   services.secrets = {
     enable = true;
     secrets = {
-      usb_encryption_passphrase = {manual = true;};
+      usb_encryption_passphrase = {
+        manual = true;
+      };
 
       music_stream_password = {
         user = 1000;
@@ -37,23 +39,6 @@
           echo "RESTIC_PASSWORD=''${restic_password}" >> "$secretFile"
         '';
       };
-
-      # for internal wireguard VPN
-      wg_priv = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .private > "$secretFile"
-        '';
-      };
-      wg_preshared_hetzner-vm = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .preshared_keys.hetzner_vm > "$secretFile"
-        '';
-      };
-      wg_preshared_vault = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/lappy-t495" .preshared_keys.vault > "$secretFile"
-        '';
-      };
     };
   };
 }

hosts/raspberry/secrets.nix

@@ -23,15 +23,11 @@
     requiredVaultPaths = [
       "private-public-keys/data/piped-cockroachdb-ca/nodes/raspberry"
       "private-public-keys/data/cryptsetup/raspberry-ext-drive" # used dynamically
-      "private-public-keys/data/wireguard/chaos-internal/raspberry"
       "passwords/data/wifi/parentals-home"
       "api-keys/data/hetzner/storagebox" # also used dynamically
     ];
 
     secrets = {
-      # Used for fetching the encryption drive's key at runtime
-      # can be revoked in case of hardware theft
-      # Can also run vault-login on host before secrets-init to fetch secrets using raspberry's login
       vault_password = {
         manual = true;
       };
@@ -75,23 +71,6 @@
             | base64 -d > "$secretFile"
         '';
       };
-
-      # for internal wireguard VPN
-      wg_priv = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .private > "$secretFile"
-        '';
-      };
-      wg_preshared_hetzner-vm = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .preshared_keys.hetzner_vm > "$secretFile"
-        '';
-      };
-      wg_preshared_vault = {
-        fetchScript = ''
-          simple_get "/private-public-keys/wireguard/chaos-internal/raspberry" .preshared_keys.vault > "$secretFile"
-        '';
-      };
     };
   };
 }

modules/nixos/secrets.nix

@@ -6,6 +6,7 @@
 }: let
   inherit (lib.modules) mkIf mkMerge;
   inherit (lib.options) mkOption mkEnableOption;
+  inherit (lib.lists) filter;
   inherit (lib) types;
   inherit (builtins) isString listToAttrs;
 
@@ -76,7 +77,7 @@ in {
               withPartOf = mkOption {
                 type = types.bool;
                 default = true;
-                description = "add auto-secrets.service to the service's PartOf; this may not be wanted for stuff on a timer such as backups";
+                description = "add service to auto-secrets's PartOf; this may not be wanted for stuff on a timer such as backups";
               };
             };
             default = {};
@@ -227,15 +228,23 @@ in {
             })
             cfg.autoSecrets.affectedSystemdServices;
         in {
-          services = listToAttrs (map (unitConfig: {
+          services =
+            (listToAttrs (map (unitConfig: {
                 name = unitConfig.name;
                 value = {
                   after = ["auto-secrets.service"];
                   wants = ["auto-secrets.service"];
-                partOf = mkIf unitConfig.withPartOf ["auto-secrets.service"];
+                  systemctl status wg-quick-wg0partOf = mkIf unitConfig.withPartOf ["auto-secrets.service"];
                 };
               })
+              affectedSystemdServices))
+            // {
+              auto-secrets.partOf =
+                map (unitConfig: unitConfig.name + ".service")
+                (lib.filter
+                  (unitConfig: unitConfig.withPartOf)
                   affectedSystemdServices);
+            };systemctl status wg-quick-wg0
         };
       })
 

profiles/chaosInternalWireGuard/secrets.nix

@@ -1,6 +1,4 @@
 {config, ...}: let
-  #wireguardData = import "${self}/data/chaosInternalWireGuard.nix";
-  #wireguardHosts = wireguardData.hosts;
   currentHostName = config.networking.hostName;
 in {
   services.secrets = {
@@ -11,7 +9,12 @@ in {
     ];
 
     secrets = {
-      wg_priv = {
+      wg_public = {
+        fetchScript = ''
+          simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .public > "$secretFile"
+        '';
+      };
+      wg_private = {
         fetchScript = ''
           simple_get "/private-public-keys/wireguard/chaos-internal/${currentHostName}" .private > "$secretFile"
         '';

profiles/chaosInternalWireGuard/wireguard.nix

@@ -5,7 +5,8 @@
   ...
 }: let
   inherit (lib.modules) mkIf;
-  inherit (builtins) hasAttr;
+  inherit (lib.lists) filter;
+  inherit (builtins) hasAttr attrNames;
 
   # Assume this to be set
   secrets = config.services.secrets.secrets;
@@ -31,34 +32,20 @@ in {
   networking.wg-quick.interfaces = {
     wg0 = {
       address = ["${currentHostConfig.ip}/24"];
-      privateKeyFile = "${secrets.wg_priv.path}";
+      privateKeyFile = "${secrets.wg_private.path}";
       listenPort = mkIf (hasAttr "endpoint" currentHostConfig) 51820;
 
-      peers = [
+      peers = (map (
-        # hetzner-vm
+          hostName: let
-        (mkIf (currentHostName != "hetzner-vm") (let
+            host = wireguardHosts.${hostName};
-          host = wireguardHosts."hetzner-vm";
           in {
               allowedIPs = ["${host.ip}/32"];
               publicKey = host.public;
               endpoint = host.endpoint or null;
-        }))
+          }
-        # vault
+        ) (filter (
-        (mkIf (currentHostName != "vault") (let
+          hostName: hostName != currentHostName
-          host = wireguardHosts."vault";
+        ) (attrNames wireguardHosts)));
-        in {
-          allowedIPs = ["${host.ip}/32"];
-          publicKey = host.public;
-          endpoint = host.endpoint or null;
-        }))
-        (mkIf (currentHostName != "raspberry") (let
-          host = wireguardHosts."raspberry";
-        in {
-          allowedIPs = ["${host.ip}/32"];
-          publicKey = host.public;
-          endpoint = host.endpoint or null;
-        }))
-      ];
     };
   };
 }