From 61dbfd2da6884d1c8225f37c8d27650a030fbac6 Mon Sep 17 00:00:00 2001
From: Konarak
Date: Mon, 18 Aug 2025 00:09:08 +0530
Subject: [PATCH] specify systemd-network as owner+group for wg secrets
---
 modules/wireguard.nix | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/modules/wireguard.nix b/modules/wireguard.nix
index a5881c4..475d943 100644
--- a/modules/wireguard.nix
+++ b/modules/wireguard.nix
@@ -73,9 +73,14 @@ in {
 };
 config = {
- sops.secrets = lib.mkMerge (map (cfg: {
- "${cfg.serverPrivateKeyFile}" = { };
- "${cfg.clientPublicKeyFile}" = { };
+ sops.secrets = let
+ def = {
+ owner = "systemd-network";
+ group = "systemd-network";
+ };
+ in lib.mkMerge (map (cfg: {
+ "${cfg.serverPrivateKeyFile}" = def;
+ "${cfg.clientPublicKeyFile}" = def;
 }) interfaces);
 assertions = lib.mkAfter (secretAssertions ++ uniquenessAssertions);
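Review bot: The shared `def` attrset sets `owner` and `group` but leaves the file mode to the sops-nix default, so the permissions on the WireGuard private key depend on a value that is not visible in this module. Adding `mode = "0400";` to `def` would pin owner-only read access for `serverPrivateKeyFile` and keep the key from becoming group-readable if a mode is ever merged in elsewhere. The name `def` also says little about intent; a one-line comment such as `# systemd-networkd reads these files as the systemd-network user` would record why the ownership changed (this is inferred from the commit subject, since the consumer of the files is outside the hunk). The `config` block continues past the end of the hunk.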