From 28d831657afed344353f25b27c1d42b7967ab50b Mon Sep 17 00:00:00 2001
From: Charlotte Van Petegem
Date: Thu, 24 Nov 2022 16:01:44 +0100
Subject: [PATCH] Use an actual secret for udp2raw

---
modules/base/network/wireguard.nix | 11 +++++++++--
secrets.nix | 1 +
secrets/files/wireguard/udp2raw.age | Bin 0 -> 840 bytes
3 files changed, 10 insertions(+), 2 deletions(-)
create mode 100644 secrets/files/wireguard/udp2raw.age

diff --git a/modules/base/network/wireguard.nix b/modules/base/network/wireguard.nix
index 2951a40f..9ad3e5be 100644
--- a/modules/base/network/wireguard.nix
+++ b/modules/base/network/wireguard.nix
@@ -141,13 +141,19 @@ in
 description = "UDP tunnel over TCP for wireguard";
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
- script = "${pkgs.udp2raw}/bin/udp2raw -s -l 0.0.0.0:8080 -r 127.0.0.1:51820 -k 'secret'";
+ script = ''
+ ${pkgs.udp2raw}/bin/udp2raw -s -l 0.0.0.0:8080 -r 127.0.0.1:51820 \
+ -k "$(cat ${config.age.secrets."files/wireguard/udp2raw".path})"
+ '';
 };
 udp2raw-client = lib.mkIf config.chvp.base.network.wireguard.onCorporate {
 description = "UDP tunnel over TCP for wireguard";
 wantedBy = [ "multi-user.target" ];
 after = [ "network.target" ];
- script = "${pkgs.udp2raw}/bin/udp2raw -c -l 127.0.0.1:51820 -r 54.38.222.69:8080 -k 'secret'";
+ script = ''
+ ${pkgs.udp2raw}/bin/udp2raw -c -l 127.0.0.1:51820 -r 54.38.222.69:8080 \
+ -k "$(cat ${config.age.secrets."files/wireguard/udp2raw".path})"
+ '';
 };
 };
 };
@@ -159,5 +165,6 @@ in
 file = ../../../secrets/files/wireguard + "/${config.networking.hostName}.privkey.age";
 owner = "systemd-network";
 };
+ age.secrets."files/wireguard/udp2raw".file = ../../../secrets/files/wireguard/udp2raw.age;
 };
 }
diff --git a/secrets.nix b/secrets.nix
index d13204d9..39d27611 100644
--- a/secrets.nix
+++ b/secrets.nix
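Review bot: The key no longer sits in the Nix store, but `-k "$(cat ${config.age.secrets."files/wireguard/udp2raw".path})"` still expands it into udp2raw's argv, where any local user can read it from `ps` or `/proc/<pid>/cmdline`; the udp2raw-client script later in the same hunk has the identical pattern. If the packaged udp2raw accepts its options from a file (upstream documents a `--conf-file` option; confirm the packaged version has it), generate that file from the secret at service start, or hand the secret over with systemd `LoadCredential=` and a small wrapper, so the key never appears on a command line. Separately, a missing or unreadable secret file only produces `-k ""` here, because a failed command substitution inside an argument does not abort the script; reading it first with `key="$(cat ${config.age.secrets."files/wireguard/udp2raw".path})"` and passing `-k "$key"` lets the `-e` that NixOS `script` wrappers run under (as far as I recall) fail the unit instead of starting an unkeyed tunnel. Both service definitions, and the attribute set the second hunk adds the secret declaration to, begin above their hunks.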
@@ -86,6 +86,7 @@ in "secrets/files/wireguard/lasting-integrity.privkey.age".publicKeys = [ lasting-integrity ] ++ users; "secrets/files/wireguard/urithiru.privkey.age".publicKeys = [ urithiru ] ++ users; "secrets/files/wireguard/psk.age".publicKeys = hosts ++ users; + "secrets/files/wireguard/udp2raw.age".publicKeys = hosts ++ users; "secrets/data-access/ssh_host_rsa_key.age".publicKeys = [ urithiru ] ++ users; "secrets/data-access/ssh_host_rsa_key.pub.age".publicKeys = [ urithiru ] ++ users; diff --git a/secrets/files/wireguard/udp2raw.age b/secrets/files/wireguard/udp2raw.age new file mode 100644 index 0000000000000000000000000000000000000000..c5dba8bfa2d7b43c49f0741dba826ece80aba745 GIT binary patch literal 840 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH&2@{)cU15!OEmH@ z_9#iINHGsA2~G6%4>Yex@`*?()-N&7%1$jvHx2Lzk1(zz{E_P4TE)I=!3^BAw@ZGubaE)gas{ zKgGl&J0Qz7FVZk6-^blKv#=sGCAZSqvC7vyBAv^%(x4)|#L2?Ez&xWO*v}(3Cn>@` zH`3IvAS9$BwaPRx#nC*%&DAf<-vr&Z3~xubvOtAAH{(nXuf%YD?er+`;=G6ygA$M2 z!V=#~&%B&K=TM`xa>LNXs*sWhmtroLd|&6HLdWbfi@fkmQ*WP8Z$odd+!P-_7jFaq z!s5!}j2!b^BVQkbL`QVnECbS9odOk%Ekm7+{HqMYOCn26(zGL;{4$K3%8XpfyeqZK zvx~i*+{}#fqVkQ?-Lkp7++7p3Lp{r*^8CFGyfb_QvMSumb3%0 z_9!!Vtjgv}F3rdba5BoR(DyA*^Nz~%i}cRT%(5(r%qb2sjI1iQ2r+Rs^GLNY&cN_n zWnzj+SfD~=M!G>jK!J&oVXm2*r$J??yH}c7xq)e-iKThAxw*HQdqAmoak+PKRU}t_ zgmH03n!C2AZ?;QOl$Tphs$oTlVOC*wX}ErIu)9xbRiTrgXF)`eGdSLqe00-`QWJ|) z73?!TofV8@9MUy4Jrtq}Y6FZE!cCL8xO8=O70h!&4c!ckvO>b$UHr8p+(O;b9V;sW z@{4^#gDf12wY76oO#BVX3rZ_pxtd-{GknUKmn}KTI)BAW6%Q%iuXDG`<^1X8I`#k1 y9@ZGP?J@VRde?kf@+e!j-cc^2XlL8O|LO_{E$ybn8q7PFl=Sf9qrBqZEN%e#uof8r literal 0 HcmV?d00001