ctucx.git: nixfiles

ctucx' nixfiles

commit 2bb0e84ad842e89267316a26f809c39e3dfe9b1d
parent 1df7413185e7bd0d4a8ffadcb76a6a0bf0900de5
Author: Leah (ctucx) <leah@ctu.cx>
Date: Fri, 28 Jan 2022 10:54:55 +0100

machines/lollo: use age-secrets
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/configurations/services/restic-server.nix b/configurations/services/restic-server.nix
@@ -2,6 +2,11 @@
 
 {
 
+  age.secrets.restic-server-htpasswd = {
+    file  = ../../secrets + "/${config.networking.hostName}/restic-server-htpasswd.age";
+    owner = "nginx";
+  };
+
   services = {
     restic.server = {
       enable     = true;
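Review bot: The secret's `owner = "nginx";` hard-codes the account name, so the htpasswd file becomes unreadable to the web server if `services.nginx.user` is ever overridden on a host that imports this module. Deriving it keeps the two in step: `owner = config.services.nginx.user;`. No `mode` is set, so the file relies on the agenix default; a short comment such as `# read by nginx workers for auth_basic; owner-only access` would record that this is intentional. The hunk already reads `config.networking.hostName`, so `config` is presumably bound in the module header on line 1, which is outside the hunk.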

@@ -20,7 +25,7 @@
           extraConfig = ''
             client_max_body_size 10G;
             auth_basic           Auth;
-            auth_basic_user_file /var/lib/secrets/restic-auth;
+            auth_basic_user_file ${config.age.secrets.restic-server-htpasswd.path};
           '';
         };
       };
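Review bot: Pointing `auth_basic_user_file` at the agenix path leaves the previous plaintext file `/var/lib/secrets/restic-auth` on any host that was already deployed, and nothing in this commit removes it. The same applies to `/var/lib/secrets/wg-pbb.privkey` in the `PrivateKeyFile` hunk of systemd-networkd.nix. Unless those files are deleted by hand, the credentials remain on disk outside the age-managed location. A declarative cleanup in each module would complete the migration, for example `systemd.tmpfiles.rules = [ "r /var/lib/secrets/restic-auth" ];`. The enclosing nginx virtual-host block starts above the hunk.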
diff --git a/machines/lollo/router/systemd-networkd.nix b/machines/lollo/router/systemd-networkd.nix
@@ -1,7 +1,14 @@
-{ ... }:
+{ config, ... }:
 
 {
 
+  age.secrets.wireguard-privkey = {
+    file  = ../../../secrets/lollo/wireguard-privkey.age;
+    mode  = "640";
+    owner = "root";
+    group = "systemd-network";
+  };
+
   systemd.network = {
     enable   = true;
     netdevs = {
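Review bot: The `age.secrets.wireguard-privkey` block makes a private key group-readable (`mode = "640"`, `group = "systemd-network"`) without saying why, which invites a later "tightening" that breaks the tunnel or a loosening that exposes the key. I would add a comment above `mode`, e.g. `# systemd-networkd runs as systemd-network and must read the key; no access for others`. Root never needs to write the decrypted file, so `mode = "0440";` would be slightly tighter. The attribute name is also generic, although the only consumer visible in this commit is the `wg-pbb` netdev. A name like `wg-pbb-privkey` would avoid a clash if a second WireGuard interface is added.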

@@ -29,7 +36,7 @@
           Name = "wg-pbb";
         };
         wireguardConfig = {
-          PrivateKeyFile = "/var/lib/secrets/wg-pbb.privkey";
+          PrivateKeyFile = config.age.secrets.wireguard-privkey.path;
           ListenPort     = 51820;
           FirewallMark   = 51820;
         };