-rwxr-xr-xflake.lock86
-rw-r--r--flake.nix8
-rw-r--r--hosts/herra/secrets.nix15
-rw-r--r--hosts/herra/secrets/wg-private-key.age5
-rw-r--r--hosts/herra/secrets/wg-psk.age5
5 files changed, 117 insertions, 2 deletions
diff --git a/flake.lock b/flake.lock
index 7033018..c9e5fb0 100755
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,28 @@
{
"nodes": {
+ "agenix": {
+ "inputs": {
+ "darwin": "darwin",
+ "home-manager": "home-manager",
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "systems": "systems"
+ },
+ "locked": {
+ "lastModified": 1770165109,
+ "narHash": "sha256-9VnK6Oqai65puVJ4WYtCTvlJeXxMzAp/69HhQuTdl/I=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "b027ee29d959fda4b60b57566d64c98a202e0feb",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
"base16": {
"inputs": {
"fromYaml": "fromYaml"
@@ -83,6 +106,28 @@
"type": "github"
}
},
+ "darwin": {
+ "inputs": {
+ "nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1744478979,
+ "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+ "owner": "lnl7",
+ "repo": "nix-darwin",
+ "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+ "type": "github"
+ },
+ "original": {
+ "owner": "lnl7",
+ "ref": "master",
+ "repo": "nix-darwin",
+ "type": "github"
+ }
+ },
"fenix": {
"inputs": {
"nixpkgs": [
@@ -211,6 +256,27 @@
"home-manager": {
"inputs": {
"nixpkgs": [
+ "agenix",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1745494811,
+ "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-community",
+ "repo": "home-manager",
+ "type": "github"
+ }
+ },
+ "home-manager_2": {
+ "inputs": {
+ "nixpkgs": [
"nixpkgs"
]
},
@@ -356,9 +422,10 @@
},
"root": {
"inputs": {
+ "agenix": "agenix",
"crane": "crane",
"fenix": "fenix",
- "home-manager": "home-manager",
+ "home-manager": "home-manager_2",
"nixcord": "nixcord",
"nixpkgs": "nixpkgs_2",
"nixpkgs-unstable": "nixpkgs-unstable",
@@ -395,7 +462,7 @@
"nixpkgs"
],
"nur": "nur",
- "systems": "systems",
+ "systems": "systems_2",
"tinted-foot": "tinted-foot",
"tinted-kitty": "tinted-kitty",
"tinted-schemes": "tinted-schemes",
@@ -432,6 +499,21 @@
"type": "github"
}
},
+ "systems_2": {
+ "locked": {
+ "lastModified": 1681028828,
+ "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+ "owner": "nix-systems",
+ "repo": "default",
+ "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+ "type": "github"
+ },
+ "original": {
+ "owner": "nix-systems",
+ "repo": "default",
+ "type": "github"
+ }
+ },
"tinted-foot": {
"flake": false,
"locked": {
diff --git a/flake.nix b/flake.nix
index f44ea41..d1d1227 100644
--- a/flake.nix
+++ b/flake.nix
@@ -12,6 +12,9 @@
inputs.nixpkgs.follows = "nixpkgs";
};
+ agenix.url = "github:ryantm/agenix";
+ agenix.inputs.nixpkgs.follows = "nixpkgs";
+
# Theming - centralized color management
stylix = {
url = "github:danth/stylix/release-25.11";
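Review bot: The new `agenix` input at the top of this hunk pins only `nixpkgs` to the root flake, so agenix's own `darwin` and `home-manager` inputs are locked separately. The flake.lock part of this commit gains a `darwin` node (lnl7/nix-darwin) and a second home-manager node for that reason, which are two more third-party sources pinned in the lock that this configuration does not obviously use. Adding `agenix.inputs.darwin.follows = "";` and `agenix.inputs.home-manager.follows = "home-manager";` next to the existing follows line would drop them. The neighbouring inputs use the attribute-set form (`stylix = { url = …; }`), so writing agenix the same way would keep the block consistent. The `inputs` set starts and ends outside this hunk.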
@@ -35,6 +38,7 @@
nixpkgs,
nixpkgs-unstable,
home-manager,
+ agenix,
stylix,
fenix,
crane,
@@ -96,6 +100,10 @@
./system
./home/rices/${rice}/system.nix
home-manager.nixosModules.home-manager
+ agenix.nixosModules.default
+ {
+ environment.systemPackages = [agenix.packages.${system}.default];
+ }
stylix.nixosModules.stylix
(mkHomeManagerModule hostname rice)
];
diff --git a/hosts/herra/secrets.nix b/hosts/herra/secrets.nix
new file mode 100644
index 0000000..e8a3126
--- /dev/null
+++ b/hosts/herra/secrets.nix
@@ -0,0 +1,15 @@
+{...}: {
+ age.secrets.wg-key = {
+ file = ./secrets/wg-private-key.age;
+ path = "/run/secrets/wg.key";
+ mode = "0400";
+ owner = "root";
+ };
+
+ age.secrets.wg-psk = {
+ file = ./secrets/wg-psk.age;
+ path = "/run/secrets/wg.psk";
+ mode = "0400";
+ owner = "root";
+ };
+}
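Review bot: Nothing in this commit records which key the two `.age` files referenced here are encrypted to. Each file carries a single `ssh-ed25519` recipient stanza with the same tag (`vnEwOQ`), and no agenix rules file listing `publicKeys` is added. With one recipient, losing that key makes both WireGuard secrets unrecoverable. If it is the host key, no admin key can re-edit them; if it is a user key, the host presumably cannot decrypt them at activation. The name `secrets.nix` is also the default rules file the agenix CLI looks for in the working directory, so this NixOS module would be picked up as rules when running `agenix -e` from `hosts/herra`; consider renaming the module (for example `age.nix`) and adding a rules file that names the host key and at least one admin key. A header comment such as `# Decrypted at activation with the host SSH key; recipients are listed in <rules file>` would document the dependency. No hunk here imports this module, so it is presumably loaded elsewhere.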
diff --git a/hosts/herra/secrets/wg-private-key.age b/hosts/herra/secrets/wg-private-key.age
new file mode 100644
index 0000000..62f663c
--- /dev/null
+++ b/hosts/herra/secrets/wg-private-key.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 vnEwOQ r71IUfe+hXSH2/sK7Q555KWRN8XMWWXI3MIhT8LfVR4
+UetK2T1IyA5FXEglbd5nrkQ7sypo/0/WDz7nBian158
+--- ocJKAzsozFd3/eFIZpwer2r4EARTy40XxT+Hi8T2PqM
+~I,y7/\)>IecfbM9&,x_M]d׎EƴXr,SX \ No newline at end of file
diff --git a/hosts/herra/secrets/wg-psk.age b/hosts/herra/secrets/wg-psk.age
new file mode 100644
index 0000000..de45ae5
--- /dev/null
+++ b/hosts/herra/secrets/wg-psk.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 vnEwOQ jRNs0GY42cioWgRhPIPEACsqMw+HXKsOkmiGs0gDySo
+8iG8AMMYKOMVblKD8b+IIuVmwMKsh623tG9zt98ARDg
+--- 0B102hCKZh1VvWXqnHzG30TsGyMxzaVYCtYjhCgkoWk
+r>`];=iͫLEy/eByRxL ȁ\rDo=`,9Hz)Ó75 \ No newline at end of file