-rw-r--r--hosts/ahmed/configuration.nix1
-rw-r--r--hosts/ahmed/syncthing/default.nix6
-rw-r--r--hosts/ahmed/syncthing/reverse-proxy.nix25
-rw-r--r--hosts/ahmed/syncthing/syncthing.nix30
-rw-r--r--hosts/muhammed/syncthing.nix5
-rw-r--r--secrets/secrets.nix2
-rw-r--r--secrets/syncthing-keys/ahmed/cert.pem.agebin0 -> 1938 bytes
-rw-r--r--secrets/syncthing-keys/ahmed/key.pem.agebin0 -> 1432 bytes
8 files changed, 68 insertions, 1 deletions
diff --git a/hosts/ahmed/configuration.nix b/hosts/ahmed/configuration.nix
index e1062c5..6986a08 100644
--- a/hosts/ahmed/configuration.nix
+++ b/hosts/ahmed/configuration.nix
@@ -26,6 +26,7 @@
./local-dns
./vaultwarden
./wireguard-vpn
+ ./syncthing
];
# Create the main user.
diff --git a/hosts/ahmed/syncthing/default.nix b/hosts/ahmed/syncthing/default.nix
new file mode 100644
index 0000000..1b4bbbc
--- /dev/null
+++ b/hosts/ahmed/syncthing/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./syncthing.nix
+ ./reverse-proxy.nix
+ ];
+}
diff --git a/hosts/ahmed/syncthing/reverse-proxy.nix b/hosts/ahmed/syncthing/reverse-proxy.nix
new file mode 100644
index 0000000..e6b84c0
--- /dev/null
+++ b/hosts/ahmed/syncthing/reverse-proxy.nix
@@ -0,0 +1,25 @@
+{config, ...}: {
+ # Use NGINX as a reverse proxy.
+ # See: https://docs.syncthing.net/users/reverseproxy.html
+ services.nginx = {
+ virtualHosts."syncthing.${config.linus.local-dns.domain}" = {
+ locations."/" = {
+ proxyPass = "http://${config.services.syncthing.guiAddress}";
+ recommendedProxySettings = true;
+ };
+ };
+ };
+
+ # By default Syncthing checks that the Host header says "localhost" which
+ # will not be the case when using a reverse proxy.
+ #
+ # See: https://docs.syncthing.net/users/faq.html#why-do-i-get-host-check-error-in-the-gui-api
+ services.syncthing.settings.gui = {
+ insecureSkipHostcheck = true;
+
+ user = "linus";
+ password = "$y$j9T$mLlnLvW2XHNH3xlL0Vlnr1$Aa1tc2/c0qAKkp/5yt0F7dBD8pSjzqwgAIL4bZ/sAa9";
+ };
+
+ linus.local-dns.subdomains = ["syncthing"];
+}
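Review bot: The `password` value under `services.syncthing.settings.gui` is a yescrypt-style string (`$y$j9T$…`), but as far as I know Syncthing only recognises bcrypt hashes for the GUI password and treats any other value as plaintext to be hashed on load. If that holds here, the string committed in this file is itself the working GUI password; it should be replaced with a bcrypt hash and rotated, or kept out of the repository the way the key and cert are handled with agenix. Separately, `insecureSkipHostcheck = true` removes the Host-header check and the virtual host shows no TLS settings in this file, so the credentials may cross the network in clear text unless TLS is configured elsewhere. If that is intentional, a comment such as `# Safe only while the GUI listens on loopback and nginx is reachable solely from the trusted network.` would record the assumption.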
diff --git a/hosts/ahmed/syncthing/syncthing.nix b/hosts/ahmed/syncthing/syncthing.nix
new file mode 100644
index 0000000..14a7bc7
--- /dev/null
+++ b/hosts/ahmed/syncthing/syncthing.nix
@@ -0,0 +1,30 @@
+# This module sets up syncthing on the server. It's very important because
+# muhammed and boox-tablet seldom are online on the same network at the same
+# time.
+{config, ...}: {
+ services.syncthing = {
+ enable = true;
+
+ key = config.age.secrets.syncthing-key.path;
+ cert = config.age.secrets.syncthing-cert.path;
+
+ settings = {
+ folders = {
+ "ebooks" = {
+ lable = "Ebooks";
+ path = "~/Synced ebooks"; # Recall that `~syncthing` is `/var/lib/syntching`.
+ copyOwnershipFromParent = true;
+ devices = ["muhammed" "boox-tablet"];
+ };
+ };
+
+ devices = {
+ boox-tablet.id = "SFQMOCB-TPRTXLD-WDL3REL-2XINQDR-3PZQ5IT-KX4PGXX-2VJO3JZ-2K2XNQ3";
+ muhammed.id = "ZLKZCO5-K3GX3S6-PTLB5B6-ETRBPQT-6ZCKHYV-FXQNDPI-CGYRSO4-NIRPQAY";
+ };
+ };
+ };
+
+ age.secrets.syncthing-key.file = ../../../secrets/syncthing-keys/ahmed/key.pem.age;
+ age.secrets.syncthing-cert.file = ../../../secrets/syncthing-keys/ahmed/cert.pem.age;
+}
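Review bot: The folder attribute `lable` in the `"ebooks"` folder is misspelled, so the label is most likely never applied (the settings attrset is free-form, which means the typo is not caught at evaluation time); it should read `label = "Ebooks";`. The same spelling appears in the context lines of `hosts/muhammed/syncthing.nix`, so it was probably copied from there and is worth fixing in both places. The trailing comment on `path` also misspells the state directory, `/var/lib/syntching` instead of `/var/lib/syncthing`, which could mislead anyone looking for the synced files on disk.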
diff --git a/hosts/muhammed/syncthing.nix b/hosts/muhammed/syncthing.nix
index 41613aa..7e1bc29 100644
--- a/hosts/muhammed/syncthing.nix
+++ b/hosts/muhammed/syncthing.nix
@@ -23,18 +23,21 @@
key = config.age.secrets.syncthing-key.path;
cert = config.age.secrets.syncthing-cert.path;
+ openDefaultPorts = true;
+
settings = {
folders = {
"ebooks" = {
lable = "Ebooks";
path = "~/Documents/Synced ebooks";
copyOwnershipFromParent = true;
- devices = ["boox-tablet"];
+ devices = ["ahmed" "boox-tablet"];
};
};
devices = {
boox-tablet.id = "SFQMOCB-TPRTXLD-WDL3REL-2XINQDR-3PZQ5IT-KX4PGXX-2VJO3JZ-2K2XNQ3";
+ ahmed.id = "5ESNFDE-D7UZTFN-GNZ56QP-CY3TUCN-OJSNFCN-UVKVLQR-UTIJZ4W-2ZDVCQG";
};
};
};
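Review bot: `openDefaultPorts = true` is added on muhammed, while the new server module for ahmed, which is described as the always-reachable peer, does not set it. If the intent is for the other devices to reach ahmed directly, the option probably belongs in `hosts/ahmed/syncthing/syncthing.nix` as well, or instead. On muhammed it opens the Syncthing sync and local-discovery ports (22000 TCP/UDP and 21027 UDP) in the firewall on every interface, which matters if that machine joins untrusted networks. Syncthing still authenticates peers by device ID, so the exposure is limited, but a short comment such as `# Needed so ahmed can dial in directly; relays are used otherwise.` would document why the ports are open. The enclosing `services.syncthing` block starts outside this hunk.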
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 835b617..8c01970 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -26,4 +26,6 @@ in {
"wireguard-keys/muhammed.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys;
"syncthing-keys/muhammed/key.pem.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys;
"syncthing-keys/muhammed/cert.pem.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys;
+ "syncthing-keys/ahmed/key.pem.age".publicKeys = [decodingKeys.ahmed] ++ interactiveKeys;
+ "syncthing-keys/ahmed/cert.pem.age".publicKeys = [decodingKeys.ahmed] ++ interactiveKeys;
}
diff --git a/secrets/syncthing-keys/ahmed/cert.pem.age b/secrets/syncthing-keys/ahmed/cert.pem.age
new file mode 100644
index 0000000..b0a9585
--- /dev/null
+++ b/secrets/syncthing-keys/ahmed/cert.pem.age
Binary files differ
diff --git a/secrets/syncthing-keys/ahmed/key.pem.age b/secrets/syncthing-keys/ahmed/key.pem.age
new file mode 100644
index 0000000..a5d916a
--- /dev/null
+++ b/secrets/syncthing-keys/ahmed/key.pem.age
Binary files differ