Casper V. Kristensen d5b9bef71d syncthing 2024-05-10 20:34:38 +02:00
Casper V. Kristensen a1855c9b1f flake.lock: Update
Flake lock file updates:

• Updated input 'home-manager-unstable':
    'github:nix-community/home-manager/223743313bab8b0b44a57eaf9573de9f69082b4d' (2024-05-10)
  → 'github:nix-community/home-manager/e6a315900db775da3bb3138bab8caa70dafdaf9e' (2024-05-10)
• Updated input 'secrets':
    'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=a3eefc6a111b5db8884b2bed54d166a0f63d35be' (2024-05-08)
  → 'git+ssh://git@git.caspervk.net/caspervk/nixos-secrets.git?ref=refs/heads/master&rev=aacc223f82da32d9f8a7b336679966b1272ce0e7' (2024-05-10)
2024-05-10 19:49:41 +02:00
Casper V. Kristensen a990c2ea3a secrets.hosts 2024-05-10 18:50:22 +02:00
15 changed files with 142 additions and 57 deletions


@ -85,11 +85,11 @@
]
},
"locked": {
"lastModified": 1715348159,
"narHash": "sha256-nP0PJZ3dR0ols1V+w+sYBki7JlSRFvFJ8J8B00Oa7BM=",
"lastModified": 1715358385,
"narHash": "sha256-/IQ5UheQ2Ehm79nqn8KUuxZo5mk768gZ9uV6lHIKP8s=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "223743313bab8b0b44a57eaf9573de9f69082b4d",
"rev": "e6a315900db775da3bb3138bab8caa70dafdaf9e",
"type": "github"
},
"original": {
@ -228,11 +228,11 @@
},
"secrets": {
"locked": {
"lastModified": 1715212758,
"narHash": "sha256-6UkyVuS4PZsNgrdvXYWtU+oMW5tuzQYal2gb0le+d3g=",
"lastModified": 1715362161,
"narHash": "sha256-dnwWouxmIktCfPd+gfvMteTS7CL42jDJDkDKx6xkLoY=",
"ref": "refs/heads/master",
"rev": "a3eefc6a111b5db8884b2bed54d166a0f63d35be",
"revCount": 35,
"rev": "aacc223f82da32d9f8a7b336679966b1272ce0e7",
"revCount": 37,
"type": "git",
"url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
},


@ -70,7 +70,7 @@
wireguardPeerConfig = {
PublicKey = "sigmaH/DKSU8KWyrPtucYmS2ewUvDvCNLxd/qYEo0n0=";
PresharedKeyFile = config.age.secrets.wireguard-preshared-key-file.path;
AllowedIPs = ["${secrets.alpha.sigma-p2p-ip-address}/32"];
AllowedIPs = ["${secrets.hosts.alpha.sigma-p2p-ip-address}/32"];
RouteTable = "main";
};
}


@ -4,10 +4,10 @@
../../modules/base
../../modules/desktop
../../modules/games.nix
../../modules/syncthing.nix
./hardware.nix
./borg.nix
./hardware.nix
./sway.nix
./syncthing.nix
];
networking.hostName = "omega";

31
hosts/omega/syncthing.nix Normal file

@ -0,0 +1,31 @@
{
config,
secrets,
...
}: {
# NOTE: General syncthing configuration is in modules/base/syncthing.nix.
services.syncthing = {
enable = true;
# https://wiki.nixos.org/wiki/Syncthing#Declarative_node_IDs
cert = config.age.secrets.syncthing-omega-cert.path;
key = config.age.secrets.syncthing-omega-key.path;
settings = {
devices = secrets.modules.syncthing.omega.devices;
folders = secrets.modules.syncthing.omega.folders;
};
};
age.secrets.syncthing-omega-cert = {
file = "${secrets}/secrets/syncthing-omega-cert.age";
mode = "400";
owner = "caspervk";
group = "syncthing";
};
age.secrets.syncthing-omega-key = {
file = "${secrets}/secrets/syncthing-omega-key.age";
mode = "400";
owner = "caspervk";
group = "syncthing";
};
}
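Review bot: In both `age.secrets.syncthing-omega-*` definitions the `group = "syncthing";` line grants nothing, because `mode = "400";` leaves the group bits clear; the service runs as `caspervk` (modules/base/syncthing.nix sets `user = "caspervk";`), so owner is what actually gives the daemon access. Either drop the two `group` lines or, if the syncthing group is really meant to read the cert and key, use `mode = "440";` — the same applies to hosts/sigma/syncthing.nix and hosts/zeta/syncthing.nix, which are identical apart from the host name. A one-line comment explaining why this lives per host rather than in the shared module, e.g. `# cert/key are per-host so each machine keeps its own Syncthing device ID`, would save the next reader from trying to deduplicate the three files.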


@ -1,5 +1,5 @@
{secrets, ...}: {
services.caddy.virtualHosts = secrets.sigma.caddy.virtualHosts;
services.caddy.virtualHosts = secrets.hosts.sigma.caddy.virtualHosts;
# Add caddy to the 'torrent' group to allow viewing downloads
users.groups.torrent.members = ["caddy"];


@ -15,6 +15,7 @@
./network.nix
./samba.nix
./sonarr.nix
./syncthing.nix
];
networking.hostName = "sigma";


@ -18,7 +18,7 @@
config = {
download_location = "/srv/torrents/downloads/";
# use the dedicated network interface and port
listen_interface = secrets.sigma.sigma-p2p-ip-address;
listen_interface = secrets.hosts.sigma.sigma-p2p-ip-address;
outgoing_interface = "wg-sigma-p2p";
random_port = false;
listen_ports = [60881];


@ -75,7 +75,7 @@
loginAccounts = {
"casper@vkristensen.dk" = {
hashedPasswordFile = config.age.secrets.mail-hashed-password-file.path;
aliases = secrets.sigma.mail.aliases;
aliases = secrets.hosts.sigma.mail.aliases;
};
};
};


@ -109,7 +109,7 @@
};
networks."wg-sigma-p2p" = {
name = "wg-sigma-p2p";
address = ["${secrets.sigma.sigma-p2p-ip-address}/32"];
address = ["${secrets.hosts.sigma.sigma-p2p-ip-address}/32"];
routingPolicyRules = [
{
# The deluge systemd service has
@ -124,7 +124,7 @@
{
routingPolicyRuleConfig = {
Priority = 1000;
From = "${secrets.sigma.sigma-p2p-ip-address}/32";
From = "${secrets.hosts.sigma.sigma-p2p-ip-address}/32";
Table = "wg-sigma-p2p";
};
}
@ -145,6 +145,7 @@
1234 # ad hoc
1337 # ad hoc
139 # Samba
22000 # syncthing
22 # SSH
25 # Mail SMTP
443 # Caddy
@ -157,6 +158,8 @@
];
allowedUDPPorts = [
139 # Samba
21027 # syncthing
22000 # syncthing
445 # Samba
];
};
@ -164,6 +167,7 @@
allowedTCPPorts = [
1234 # ad hoc
1337 # ad hoc
22000 # syncthing
22 # SSH
25 # Mail SMTP
443 # Caddy
@ -173,6 +177,10 @@
80 # Caddy
993 # Mail IMAPS
];
allowedUDPPorts = [
21027 # syncthing
22000 # syncthing
];
};
"wg-sigma-p2p" = {
allowedTCPPorts = [
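Review bot: The per-interface `22000 # syncthing` and `21027 # syncthing` entries added in the `@ -145`, `@ -157`, `@ -164` and `@ -173` hunks are undercut by `openDefaultPorts = true;` in the new modules/base/syncthing.nix: as far as I recall the NixOS module, that option appends 22000/tcp, 22000/udp and 21027/udp to the global `networking.firewall.allowedTCPPorts`/`allowedUDPPorts`, i.e. on every interface, including `wg-sigma-p2p` whose block starts right here. If the intent is to expose syncthing only on the listed interfaces, drop `openDefaultPorts = true;` from the base module and keep these lists; if global exposure is acceptable, these per-interface lines are redundant. Whichever is kept, a comment such as `# syncthing ports: see services.syncthing.openDefaultPorts in modules/base/syncthing.nix` next to it would keep the two places from drifting. The interface attribute these lists belong to begins before the hunk.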

31
hosts/sigma/syncthing.nix Normal file

@ -0,0 +1,31 @@
{
config,
secrets,
...
}: {
# NOTE: General syncthing configuration is in modules/base/syncthing.nix.
services.syncthing = {
enable = true;
# https://wiki.nixos.org/wiki/Syncthing#Declarative_node_IDs
cert = config.age.secrets.syncthing-sigma-cert.path;
key = config.age.secrets.syncthing-sigma-key.path;
settings = {
devices = secrets.modules.syncthing.sigma.devices;
folders = secrets.modules.syncthing.sigma.folders;
};
};
age.secrets.syncthing-sigma-cert = {
file = "${secrets}/secrets/syncthing-sigma-cert.age";
mode = "400";
owner = "caspervk";
group = "syncthing";
};
age.secrets.syncthing-sigma-key = {
file = "${secrets}/secrets/syncthing-sigma-key.age";
mode = "400";
owner = "caspervk";
group = "syncthing";
};
}


@ -3,10 +3,10 @@
../../overlays
../../modules/base
../../modules/desktop
../../modules/syncthing.nix
./hardware.nix
./borg.nix
./hardware.nix
./sway.nix
./syncthing.nix
];
networking.hostName = "zeta";

31
hosts/zeta/syncthing.nix Normal file

@ -0,0 +1,31 @@
{
config,
secrets,
...
}: {
# NOTE: General syncthing configuration is in modules/base/syncthing.nix.
services.syncthing = {
enable = true;
# https://wiki.nixos.org/wiki/Syncthing#Declarative_node_IDs
cert = config.age.secrets.syncthing-zeta-cert.path;
key = config.age.secrets.syncthing-zeta-key.path;
settings = {
devices = secrets.modules.syncthing.zeta.devices;
folders = secrets.modules.syncthing.zeta.folders;
};
};
age.secrets.syncthing-zeta-cert = {
file = "${secrets}/secrets/syncthing-zeta-cert.age";
mode = "400";
owner = "caspervk";
group = "syncthing";
};
age.secrets.syncthing-zeta-key = {
file = "${secrets}/secrets/syncthing-zeta-key.age";
mode = "400";
owner = "caspervk";
group = "syncthing";
};
}


@ -15,6 +15,7 @@
./ripgrep.nix
./ssh.nix
./sudo.nix
./syncthing.nix
./users.nix
./vim
];


@ -0,0 +1,22 @@
{...}: {
# Syncthing is a continuous file synchronization program. It synchronizes
# files between two or more computers in real time. It's basically a
# self-hosted Dropbox for Linux users, but without FTP, curlftpfs, and SVN.
# https://wiki.nixos.org/wiki/Syncthing
#
# Access server's WebUI from desktop:
# > ssh -L 9999:localhost:8384 sigma
services.syncthing = {
# NOTE: syncthing is enabled and further configured in
# hosts/*/syncthing.nix.
openDefaultPorts = true;
user = "caspervk";
dataDir = "/home/caspervk";
settings = {
options = {
# Don't submit anonymous usage data
urAccepted = -1;
};
};
};
}


@ -1,40 +0,0 @@
{...}: {
# Syncthing is a continuous file synchronization program. It synchronizes
# files between two or more computers in real time. It's basically a
# self-hosted Dropbox for Linux users, but without FTP, curlftpfs, and SVN.
# https://nixos.wiki/wiki/Syncthing
services.syncthing = {
enable = true;
user = "caspervk";
group = "users";
# The directory where synchronised directories will exist
dataDir = "/home/caspervk";
settings = {
# Devices ignore their own IDs, allowing for a single configuration.
# TODO: Syncthing generates a private key and ID the first time it is
# started. On first install, add the devices' ID here and apply to the
# other ones. When we get a proper secret management scheme, such as
# agenix, the private keys should be managed declaratively as well.
devices = {
"android" = {id = "IBP6YKY-KGWYPCH-J3CHAQ5-GKCIQ3U-X2L7S7V-BH635EE-ZEDQHN2-ZB4CBAP";};
"lambda" = {
id = "WES3JH4-S34HTC5-42YZHUJ-MX3Z6PA-PFO72KA-YIJMDOB-GQWZXZ3-I7BBTAS";
addresses = ["tcp://lambda.caspervk.net"];
};
"omega" = {id = "EZIQ7SI-Y6BBLUY-QI4EEYU-UNIXPSG-R6X5E77-AA2UC7S-VRV2LKQ-RNBOGQT";};
"zeta" = {id = "GQRNHAQ-MMRQYMD-P4RCA6I-5DJ3HXO-J2N2GVP-UGI55YR-HD3EYSO-ERU5QQV";};
};
folders = {
"keepass" = {
path = "~/keepass";
devices = ["android" "lambda" "omega" "zeta"];
};
"sync" = {
path = "~/sync";
devices = ["lambda" "omega" "zeta"];
};
};
};
};
}