-rw-r--r--hosts/muhammed/syncthing.nix19
-rw-r--r--hosts/muhammed/wireguard/ahmed.nix24
-rw-r--r--secrets/secrets.nix2
-rw-r--r--secrets/syncthing-keys/muhammed/cert.pem.agebin0 -> 2540 bytes
-rw-r--r--secrets/syncthing-keys/muhammed/key.pem.age31
5 files changed, 65 insertions, 11 deletions
diff --git a/hosts/muhammed/syncthing.nix b/hosts/muhammed/syncthing.nix
index 15581a8..41613aa 100644
--- a/hosts/muhammed/syncthing.nix
+++ b/hosts/muhammed/syncthing.nix
@@ -1,4 +1,8 @@
-{...}: {
+{
+ config,
+ flakeInputs,
+ ...
+}: {
# Until nix-community/home-manager@45c07fc becomes part of the channel we're
# following, I've just manually included it here. When that time comes, the
# module should be removed.
@@ -7,12 +11,18 @@
url = "https://github.com/nix-community/home-manager.git";
rev = "45c07fcf7d28b5fb3ee189c260dee0a2e4d14317";
};
- in ["${home-manager'}/modules/services/syncthing.nix"];
+ in [
+ "${home-manager'}/modules/services/syncthing.nix"
+ flakeInputs.agenix.homeManagerModules.age
+ ];
disabledModules = ["services/syncthing.nix"];
services.syncthing = {
enable = true;
+ key = config.age.secrets.syncthing-key.path;
+ cert = config.age.secrets.syncthing-cert.path;
+
settings = {
folders = {
"ebooks" = {
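Review bot: `key` and `cert` (L38-L39) point syncthing at paths that agenix populates only when its decryption step has run, and nothing in this hunk orders the syncthing user service after that step. If the pinned home-manager module reads or copies these files at service start and they are not yet present, the outcome depends on how that module treats a missing file, which is not visible here; worth confirming, and if needed adding an explicit ordering such as `systemd.user.services.syncthing.Unit.After = [ "agenix.service" ];` (the exact unit name should be checked against the agenix home-manager module). The enclosing attribute set starts and ends outside the hunk.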
@@ -28,4 +38,9 @@
};
};
};
+
+ # We store the keys as part of the configuration since the device id is based
+ # on the key and we don't want that to change.
+ age.secrets.syncthing-key.file = ../../secrets/syncthing-keys/muhammed/key.pem.age;
+ age.secrets.syncthing-cert.file = ../../secrets/syncthing-keys/muhammed/cert.pem.age;
}
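Review bot: The comment on L49-L50 says the device ID is based on the key, but Syncthing derives the device ID from the certificate (a hash of the certificate); the private key merely has to match it, which is why both files have to be kept together. Suggested wording: `# We keep the certificate and key in the configuration: the device ID is derived from the certificate, so regenerating the pair would change our device ID.` The enclosing attribute set starts outside the hunk.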
diff --git a/hosts/muhammed/wireguard/ahmed.nix b/hosts/muhammed/wireguard/ahmed.nix
index 406ff7d..5e20813 100644
--- a/hosts/muhammed/wireguard/ahmed.nix
+++ b/hosts/muhammed/wireguard/ahmed.nix
@@ -1,4 +1,8 @@
-{metadata, config, ...}: {
+{
+ metadata,
+ config,
+ ...
+}: {
networking.wg-quick.interfaces.wg0 = {
# Use the address assigned for us in `hosts/ahmed/wireguard-vpn/default.nix`.
address = ["10.100.0.2"];
@@ -8,14 +12,16 @@
privateKeyFile = config.age.secrets.wireguard-key.path;
- peers = [(let
- peerInfo = metadata.hosts.ahmed.wireguard;
- in {
- publicKey = peerInfo.pubkey;
- allowedIPs = ["0.0.0.0/0" "::/0"];
- endpoint = "${peerInfo.ipv4Address}:${toString peerInfo.port}";
- persistentKeepalive = 5; # We are a roaming client, they are static.
- })];
+ peers = [
+ (let
+ peerInfo = metadata.hosts.ahmed.wireguard;
+ in {
+ publicKey = peerInfo.pubkey;
+ allowedIPs = ["0.0.0.0/0" "::/0"];
+ endpoint = "${peerInfo.ipv4Address}:${toString peerInfo.port}";
+ persistentKeepalive = 5; # We are a roaming client, they are static.
+ })
+ ];
# table = "off";
};
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index dc5fb58..6dab6fa 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -26,4 +26,6 @@ in {
"linus.onl-github-secret.txt.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys;
"wireguard-keys/ahmed.age".publicKeys = [decodingKeys.ahmed] ++ interactiveKeys;
"wireguard-keys/muhammed.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys;
+ "syncthing-keys/muhammed/key.pem.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys;
+ "syncthing-keys/muhammed/cert.pem.age".publicKeys = [decodingKeys.muhammed] ++ interactiveKeys;
}
diff --git a/secrets/syncthing-keys/muhammed/cert.pem.age b/secrets/syncthing-keys/muhammed/cert.pem.age
new file mode 100644
index 0000000..96b5367
--- /dev/null
+++ b/secrets/syncthing-keys/muhammed/cert.pem.age
Binary files differ
diff --git a/secrets/syncthing-keys/muhammed/key.pem.age b/secrets/syncthing-keys/muhammed/key.pem.age
new file mode 100644
index 0000000..fbeec2e
--- /dev/null
+++ b/secrets/syncthing-keys/muhammed/key.pem.age
@@ -0,0 +1,31 @@
+age-encryption.org/v1
+-> ssh-rsa 5MROTA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+-> ssh-ed25519 MKIkbg nKQnnV2PPlQ9rNIzMUOuuxpqltgn0wNLVjCs7hbgLyk
+1cm1+mWHxa6XsuAVgi2L8ReS2mpRitELjQtKKdXyMhs
+-> ssh-rsa 5MROTA
+am2yM5r701mUDu4GmgY0STL5OxUsIc4WIgz/9cNOHIdKXj3GYUIMXk/wIWlIJWl/
+npcEFq9AMWl1gJixFDUijO3TjnrrAB3gtCXjAZp1+7EpXRvZL1arPp/6LcJJpq2j
+A94AEIV3I8LbH1ZmaJY4bWxZFkj5yNDdKJc8sDSd5RnuyTJbAa5s+DHqSmZ8xJe5
+JP0c9MvbXFEBFxOu8XcbTPy/F0OhBEFLeIbvNXZXXhncU2Z26Czr5A3Eb/4kP1Wq
+YWO6BGG5xnag8pBtI3F7DY6iCnM+CbDHzCZ9cEB1WaP5Tx8cY+6sMuaU2aQ9I8dq
+qRb1J2KV5osuN2NV6MIgqpZcyugMt7j08yFXW6LBUT4MRoEY/ZPQvmYYsb6VKIP3
+s2mPtRcgy8C7e1rgEpCK9W6zuU4D6rJQbkcEMHBSHGF5L/yxaCD3h8pD+ny5U4RT
+JKjtVhLKsYGlcKZIKJfnotGARqFmQURJFg8ofkMo3s8QEmWkEmBTX2KwAv/lsu8+
+KyOb4/oNcqBCZJjCDGzfvgu7pf94eWiy0CtG3Q+3xOxw8a9hzF+uT4rkSFqU2xiv
+OHfvJMRNfu4JovCse6dYpLPy7sBPMYeaCdg8J51D3DGkmifUc9IxzNF6W9GIJe+h
+H2mPciHIC1B5TYNVGowgo1spjpCeQaD7XRBidAcbQqc
+-> ssh-ed25519 lQC6fQ RwW9jnNEAcb5EtlA0bpyz8SQvseI+VxRLGqYcpakhko
+WLNbLMEW/Xa6lmbODnQQUm1uQzQROvJlyUSs5mfcB/E
+--- s7VmlDz/T8ZxNzHFHtrXREOfZB4cHIMuAKSqyeJ9wtk
+m���$��҈7�ܘo��+=T8P�DF�Љ3ѐQnD�U�+�1h�Wd6i�a]໕'�l����^Y�i 2���o�d��Bau�7♼Ə���rzS��[�&��)C2����u� �� �N(n��DD�Q���ۣ$2:�XG�G5Ne�#���u25�@���qx���F��8�U �ӏkvTi�����d3���w�hl老�W�Iװ�a?�����߫�KXa�Ќ`���%��Y�!� ���g��-������'��I�W�¸� Os���p��Z�YO��-����H����RB�w!�pl��\������H)� �Y�# \ No newline at end of file