the-computer-club / lynx

shared nixos modules
BSD 3-Clause "New" or "Revised" License

PSK flake-guard options #12

Open Skarlett opened 7 months ago

Skarlett commented 7 months ago

Related:

RFC

wireguard.networks.my-network.peers.by-name.my-host.psk.peer.sopsLookup = "psk-peer";

These fields will be automatically constructed from wireguard.networks.*.sopsPskPrefix = "psk-";

Issue tracking the support of Preshared keys in flake-guard options.
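As an added illustration of the derivation proposed above (not code from the lynx repository), the following self-contained module sketch assumes the existing `wireguard.networks.*.peers.by-name.*` option tree and gives `psk.peer.sopsLookup` a default computed from `sopsPskPrefix` plus the peer name, so an explicit per-peer value still wins:

```nix
# Added example, not lynx's own module: option names other than those named in
# the issue (wireguard.networks, peers.by-name, sopsPskPrefix, psk.peer.sopsLookup)
# are assumptions.
{ config, lib, ... }:
let
  inherit (lib) mkOption types;
in
{
  options.wireguard.networks = mkOption {
    default = { };
    type = types.attrsOf (types.submodule ({ config, ... }:
      let net = config; in {        # per-network config, visible to peer defaults
        options = {
          sopsPskPrefix = mkOption {
            type = types.nullOr types.str;
            default = null;
            description = "Prefix of the sops secret names holding per-peer preshared keys.";
          };
          peers.by-name = mkOption {
            default = { };
            type = types.attrsOf (types.submodule ({ name, ... }: {
              options = {
                publicKey = mkOption { type = types.str; };
                psk.peer.sopsLookup = mkOption {
                  type = types.nullOr types.str;
                  # Derived from the network-wide prefix and the peer name:
                  # sopsPskPrefix = "psk-" and peer "my-host" give "psk-my-host".
                  # Setting the option explicitly overrides this default.
                  default =
                    if net.sopsPskPrefix == null then null
                    else "${net.sopsPskPrefix}${name}";
                };
              };
            }));
          };
        };
      }));
  };

  # Consumer sketch (assumption): only the sops-provided file path, never the
  # key material itself, is passed on, e.g. as a WireGuard presharedKeyFile.
  config.wireguard.networks = lib.mkDefault { };
}
```

The lookup name is meant to be resolved as `config.sops.secrets.${peer.psk.peer.sopsLookup}.path` by whatever wires the network into the interface; that wiring is outside this sketch.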

Skarlett commented 7 months ago

While implementing a new attribute on top of wireguard.networks.my-network.peers.by-name.my-host, instead of directly implementing psk.peers.

It would also be reasonable to instead swap the two keys (peers.psk), so that if there are more extensions to how each host wants to treat other peers on the network.

The only downside with this idea is it would be nice to reference peers.by-name.* alongside these modifications.

The end result would look something like the following:

wireguard.networks.my-network.peers.by-name =
let
  peers = config.wireguard.networks.my-network.peers.by-name;
in {
  my-host = {
    publicKey = ...;
    peers = {
      my-peer = {
        psk.sopsLookup = "psk-my-peer";
        allowedIPs = [ "10.0.0.100" ]; # <- possible future feature for configuring the interface locally?
      };
    };
  };
};

Though I'm not a fan of the double use of peers, I think if there were to be a more unique name it'd be a perfect adjustment.