mermet: nginx: autogeree.net: add /julm/perso/images/

[sourcephile-nix.git] / hosts / losurdo / wireguard / wg-intra.nix

diff --git a/hosts/losurdo/wireguard/wg-intra.nix b/hosts/losurdo/wireguard/wg-intra.nix
index 2ae13d09033a366883aef1cabc174dfa8444ef53..ea952d6aa2ef45dc731c33887903c2fbae2f925b 100644 (file)
--- a/hosts/losurdo/wireguard/wg-intra.nix
+++ b/hosts/losurdo/wireguard/wg-intra.nix
@@ -10,6 +10,14 @@ in
   imports = [
     (inputs.julm-nix + "/nixos/profiles/wireguard/wg-intra.nix")
   ];
+  systemd.services."wireguard-${wgIface}" = {
+    serviceConfig = {
+      LoadCredentialEncrypted = [ "privateKey:${./. + "/${wgIface}/privateKey.cred"}" ];
+    };
+    unitConfig = {
+      Upholds = [ "upnpc-${toString wg.listenPort}.service" ];
+    };
+  };
   networking.wireguard.${wgIface}.peers = {
     mermet.enable = true;
     oignon.enable = true;
@@ -17,9 +25,6 @@ in
     carotte.enable = true;
     aubergine.enable = true;
   };
-  systemd.services."wireguard-${wgIface}" = {
-    unitConfig.Upholds = [ "upnpc-${toString wg.listenPort}.service" ];
-  };
   networking.nftables.ruleset = ''
     table inet filter {
       chain input-intra {
@@ -40,6 +45,7 @@ in
     }
   '';
   # Apparently required to get NAT reflection.
+  services.upnpc.enable = true;
   services.upnpc.redirections = [
     {
       description = "WireGuard";