diff --git a/hosts/omega/default.nix b/hosts/omega/default.nix
index f11399f..ae6297a 100644
--- a/hosts/omega/default.nix
+++ b/hosts/omega/default.nix
@@ -4,10 +4,10 @@
 ../../modules/base
 ../../modules/desktop
 ../../modules/games.nix
- ../../modules/syncthing.nix
- ./hardware.nix
 ./borg.nix
+ ./hardware.nix
 ./sway.nix
+ ./syncthing.nix
 ];
 networking.hostName = "omega";
diff --git a/hosts/omega/syncthing.nix b/hosts/omega/syncthing.nix
new file mode 100644
index 0000000..709610b
--- /dev/null
+++ b/hosts/omega/syncthing.nix
@@ -0,0 +1,31 @@
+{
+ config,
+ secrets,
+ ...
+}: {
+ # NOTE: General syncthing configuration is in modules/base/syncthing.nix.
+ services.syncthing = {
+ enable = true;
+ # https://wiki.nixos.org/wiki/Syncthing#Declarative_node_IDs
+ cert = config.age.secrets.syncthing-omega-cert.path;
+ key = config.age.secrets.syncthing-omega-key.path;
+ settings = {
+ devices = secrets.modules.syncthing.omega.devices;
+ folders = secrets.modules.syncthing.omega.folders;
+ };
+ };
+
+ age.secrets.syncthing-omega-cert = {
+ file = "${secrets}/secrets/syncthing-omega-cert.age";
+ mode = "400";
+ owner = "caspervk";
+ group = "syncthing";
+ };
+
+ age.secrets.syncthing-omega-key = {
+ file = "${secrets}/secrets/syncthing-omega-key.age";
+ mode = "400";
+ owner = "caspervk";
+ group = "syncthing";
+ };
+}
diff --git a/hosts/sigma/default.nix b/hosts/sigma/default.nix
index eafee13..e4675fe 100644
--- a/hosts/sigma/default.nix
+++ b/hosts/sigma/default.nix
@@ -15,6 +15,7 @@
 ./network.nix
 ./samba.nix
 ./sonarr.nix
+ ./syncthing.nix
 ];
 networking.hostName = "sigma";
diff --git a/hosts/sigma/network.nix b/hosts/sigma/network.nix
index a9fbba1..7f55ea8 100644
--- a/hosts/sigma/network.nix
+++ b/hosts/sigma/network.nix
@@ -145,6 +145,7 @@
 1234 # ad hoc
 1337 # ad hoc
 139 # Samba
+ 22000 # syncthing
 22 # SSH
 25 # Mail SMTP
 443 # Caddy
@@ -157,6 +158,8 @@
 ];
 allowedUDPPorts = [
 139 # Samba
+ 21027 # syncthing
+ 22000 # syncthing
 445 # Samba
 ];
 };
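Review bot: hosts/omega/syncthing.nix, hosts/sigma/syncthing.nix and hosts/zeta/syncthing.nix are the same 31 lines with only the host name substituted, in the `cert`/`key` paths, the `secrets.modules.syncthing.<host>` lookups and the two `age.secrets` attribute names. Deriving the name once, e.g. `let host = config.networking.hostName; in` with `cert = config.age.secrets."syncthing-${host}-cert".path;`, would remove the three copies and the risk that a later copy pairs one host's cert with another's key. If the files stay per host, a one-line comment above `cert` stating that the cert and key must come from the same generated pair would help the next reader. Since `mode = "400"` grants read access to the owner only and `owner = "caspervk"` matches `user = "caspervk"` in modules/base/syncthing.nix, the `group = "syncthing"` line has no effect on who can read the secret and could be dropped or annotated.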
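Review bot: The `22000 # syncthing` and `21027 # syncthing` entries added in this hunk and in the -157, -164 and -173 hunks of hosts/sigma/network.nix appear redundant with `openDefaultPorts = true` in modules/base/syncthing.nix, which opens the same ports in the global firewall rules and therefore on every interface of every host importing the base module; an interface-scoped list cannot narrow that. If the intent is to decide exposure per interface (these lists look like they sit inside `networking.firewall.interfaces.*` blocks, whose names are outside the visible context), `openDefaultPorts` should stay at its default in the base module and the ports be listed only where wanted; otherwise the four additions here are dead configuration and worth removing, or annotating with `# already opened globally by services.syncthing.openDefaultPorts`. The enclosing attribute sets start and end outside these hunks.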
@@ -164,6 +167,7 @@
 allowedTCPPorts = [
 1234 # ad hoc
 1337 # ad hoc
+ 22000 # syncthing
 22 # SSH
 25 # Mail SMTP
 443 # Caddy
@@ -173,6 +177,10 @@
 80 # Caddy
 993 # Mail IMAPS
 ];
+ allowedUDPPorts = [
+ 21027 # syncthing
+ 22000 # syncthing
+ ];
 };
 "wg-sigma-p2p" = {
 allowedTCPPorts = [
diff --git a/hosts/sigma/syncthing.nix b/hosts/sigma/syncthing.nix
new file mode 100644
index 0000000..b0fcc9a
--- /dev/null
+++ b/hosts/sigma/syncthing.nix
@@ -0,0 +1,31 @@
+{
+ config,
+ secrets,
+ ...
+}: {
+ # NOTE: General syncthing configuration is in modules/base/syncthing.nix.
+ services.syncthing = {
+ enable = true;
+ # https://wiki.nixos.org/wiki/Syncthing#Declarative_node_IDs
+ cert = config.age.secrets.syncthing-sigma-cert.path;
+ key = config.age.secrets.syncthing-sigma-key.path;
+ settings = {
+ devices = secrets.modules.syncthing.sigma.devices;
+ folders = secrets.modules.syncthing.sigma.folders;
+ };
+ };
+
+ age.secrets.syncthing-sigma-cert = {
+ file = "${secrets}/secrets/syncthing-sigma-cert.age";
+ mode = "400";
+ owner = "caspervk";
+ group = "syncthing";
+ };
+
+ age.secrets.syncthing-sigma-key = {
+ file = "${secrets}/secrets/syncthing-sigma-key.age";
+ mode = "400";
+ owner = "caspervk";
+ group = "syncthing";
+ };
+}
diff --git a/hosts/zeta/default.nix b/hosts/zeta/default.nix
index df9825d..8544b97 100644
--- a/hosts/zeta/default.nix
+++ b/hosts/zeta/default.nix
@@ -3,10 +3,10 @@
 ../../overlays
 ../../modules/base
 ../../modules/desktop
- ../../modules/syncthing.nix
- ./hardware.nix
 ./borg.nix
+ ./hardware.nix
 ./sway.nix
+ ./syncthing.nix
 ];
 networking.hostName = "zeta";
diff --git a/hosts/zeta/syncthing.nix b/hosts/zeta/syncthing.nix
new file mode 100644
index 0000000..bf6b89c
--- /dev/null
+++ b/hosts/zeta/syncthing.nix
@@ -0,0 +1,31 @@
+{
+ config,
+ secrets,
+ ...
+}: {
+ # NOTE: General syncthing configuration is in modules/base/syncthing.nix.
+ services.syncthing = {
+ enable = true;
+ # https://wiki.nixos.org/wiki/Syncthing#Declarative_node_IDs
+ cert = config.age.secrets.syncthing-zeta-cert.path;
+ key = config.age.secrets.syncthing-zeta-key.path;
+ settings = {
+ devices = secrets.modules.syncthing.zeta.devices;
+ folders = secrets.modules.syncthing.zeta.folders;
+ };
+ };
+
+ age.secrets.syncthing-zeta-cert = {
+ file = "${secrets}/secrets/syncthing-zeta-cert.age";
+ mode = "400";
+ owner = "caspervk";
+ group = "syncthing";
+ };
+
+ age.secrets.syncthing-zeta-key = {
+ file = "${secrets}/secrets/syncthing-zeta-key.age";
+ mode = "400";
+ owner = "caspervk";
+ group = "syncthing";
+ };
+}
diff --git a/modules/base/default.nix b/modules/base/default.nix
index 475f0d8..5108b7d 100644
--- a/modules/base/default.nix
+++ b/modules/base/default.nix
@@ -15,6 +15,7 @@
 ./ripgrep.nix
 ./ssh.nix
 ./sudo.nix
+ ./syncthing.nix
 ./users.nix
 ./vim
 ];
diff --git a/modules/base/syncthing.nix b/modules/base/syncthing.nix
new file mode 100644
index 0000000..306123b
--- /dev/null
+++ b/modules/base/syncthing.nix
@@ -0,0 +1,22 @@
+{...}: {
+ # Syncthing is a continuous file synchronization program. It synchronizes
+ # files between two or more computers in real time. It's basically a
+ # self-hosted Dropbox for Linux users, but without FTP, curlftpfs, and SVN.
+ # https://wiki.nixos.org/wiki/Syncthing
+ #
+ # Access server's WebUI from desktop:
+ # > ssh -L 9999:localhost:8384 sigma
+ services.syncthing = {
+ # NOTE: syncthing is enabled and further configured in
+ # hosts/*/syncthing.nix.
+ openDefaultPorts = true;
+ user = "caspervk";
+ dataDir = "/home/caspervk";
+ settings = {
+ options = {
+ # Don't submit anonymous usage data
+ urAccepted = -1;
+ };
+ };
+ };
+}
diff --git a/modules/syncthing.nix b/modules/syncthing.nix
deleted file mode 100644
index 0a99818..0000000
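Review bot: The `# > ssh -L 9999:localhost:8384 sigma` comment in modules/base/syncthing.nix relies on the web UI staying bound to loopback, but nothing in the module pins that; adding `guiAddress = "127.0.0.1:8384";` next to `openDefaultPorts = true;` makes the assumption explicit and keeps it from drifting when the port list is later edited. The removed modules/syncthing.nix set `group = "users"`, which this replacement drops, so the service presumably now runs under the module's default group and files it writes below `dataDir = "/home/caspervk"` get that group rather than `users` — confirm this is intended, and if so a short comment on the `user` line saying why the group is left at its default would help the next reader. The block comment above `services.syncthing` could also state that `openDefaultPorts` opens the sync and discovery ports on every interface of every host that imports this module, since the per-host files only add devices and folders.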
--- a/modules/syncthing.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{...}: {
- # Syncthing is a continuous file synchronization program. It synchronizes
- # files between two or more computers in real time. It's basically a
- # self-hosted Dropbox for Linux users, but without FTP, curlftpfs, and SVN.
- # https://nixos.wiki/wiki/Syncthing
-
- services.syncthing = {
- enable = true;
- user = "caspervk";
- group = "users";
- # The directory where synchronised directories will exist
- dataDir = "/home/caspervk";
- settings = {
- # Devices ignore their own IDs, allowing for a single configuration.
- # TODO: Syncthing generates a private key and ID the first time it is
- # started. On first install, add the devices' ID here and apply to the
- # other ones. When we get a proper secret management scheme, such as
- # agenix, the private keys should be managed declaratively as well.
- devices = {
- "android" = {id = "IBP6YKY-KGWYPCH-J3CHAQ5-GKCIQ3U-X2L7S7V-BH635EE-ZEDQHN2-ZB4CBAP";};
- "lambda" = {
- id = "WES3JH4-S34HTC5-42YZHUJ-MX3Z6PA-PFO72KA-YIJMDOB-GQWZXZ3-I7BBTAS";
- addresses = ["tcp://lambda.caspervk.net"];
- };
- "omega" = {id = "EZIQ7SI-Y6BBLUY-QI4EEYU-UNIXPSG-R6X5E77-AA2UC7S-VRV2LKQ-RNBOGQT";};
- "zeta" = {id = "GQRNHAQ-MMRQYMD-P4RCA6I-5DJ3HXO-J2N2GVP-UGI55YR-HD3EYSO-ERU5QQV";};
- };
- folders = {
- "keepass" = {
- path = "~/keepass";
- devices = ["android" "lambda" "omega" "zeta"];
- };
- "sync" = {
- path = "~/sync";
- devices = ["lambda" "omega" "zeta"];
- };
- };
- };
- };
-}