Diffstat (limited to 'hosts')
-rw-r--r--hosts/muhammed/syncthing.nix19
-rw-r--r--hosts/muhammed/wireguard/ahmed.nix24
2 files changed, 32 insertions, 11 deletions
diff --git a/hosts/muhammed/syncthing.nix b/hosts/muhammed/syncthing.nix
index 15581a8..41613aa 100644
--- a/hosts/muhammed/syncthing.nix
+++ b/hosts/muhammed/syncthing.nix
@@ -1,4 +1,8 @@
-{...}: {
+{
+ config,
+ flakeInputs,
+ ...
+}: {
# Until nix-community/home-manager@45c07fc becomes part of the channel we're
# following, I've just manually included it here. When that time comes, the
# module should be removed.
@@ -7,12 +11,18 @@
url = "https://github.com/nix-community/home-manager.git";
rev = "45c07fcf7d28b5fb3ee189c260dee0a2e4d14317";
};
- in ["${home-manager'}/modules/services/syncthing.nix"];
+ in [
+ "${home-manager'}/modules/services/syncthing.nix"
+ flakeInputs.agenix.homeManagerModules.age
+ ];
disabledModules = ["services/syncthing.nix"];
services.syncthing = {
enable = true;
+ key = config.age.secrets.syncthing-key.path;
+ cert = config.age.secrets.syncthing-cert.path;
+
settings = {
folders = {
"ebooks" = {
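Review bot: `key` and `cert` now point at `config.age.secrets.*.path`, but nothing visible in this hunk guarantees those files are decrypted before Syncthing starts. The agenix home-manager module decrypts at runtime rather than at build time, so it is worth confirming that the syncthing unit is ordered after the agenix decryption step and that the module can consume a path that only exists at runtime. If the files are missing or late, the service presumably either fails or comes up with a different identity, which is the case this commit is trying to avoid. A short comment next to the two options would record the dependency, e.g. `# Decrypted at runtime by agenix; syncthing must start after the secrets are in place.` The `services.syncthing` block continues outside the hunk.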
@@ -28,4 +38,9 @@
};
};
};
+
+ # We store the keys as part of the configuration since the device id is based
+ # on the key and we don't want that to change.
+ age.secrets.syncthing-key.file = ../../secrets/syncthing-keys/muhammed/key.pem.age;
+ age.secrets.syncthing-cert.file = ../../secrets/syncthing-keys/muhammed/cert.pem.age;
}
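Review bot: The comment above the two `age.secrets` entries says the device ID is based on the key, but Syncthing derives the device ID from the certificate, so it could read `# The device ID is derived from the certificate (and the key must match it), so both are pinned here to keep the ID stable.` Because the private key is now committed in encrypted form, its confidentiality rests on the recipient list for `key.pem.age`, which is not visible in this diff; confirm that only this host's identity and the maintainer's can decrypt it. Anyone able to decrypt that file can present this device's identity to its Syncthing peers, so a leaked age identity should be treated as requiring a new key pair and re-pairing.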
diff --git a/hosts/muhammed/wireguard/ahmed.nix b/hosts/muhammed/wireguard/ahmed.nix
index 406ff7d..5e20813 100644
--- a/hosts/muhammed/wireguard/ahmed.nix
+++ b/hosts/muhammed/wireguard/ahmed.nix
@@ -1,4 +1,8 @@
-{metadata, config, ...}: {
+{
+ metadata,
+ config,
+ ...
+}: {
networking.wg-quick.interfaces.wg0 = {
# Use the address assigned for us in `hosts/ahmed/wireguard-vpn/default.nix`.
address = ["10.100.0.2"];
@@ -8,14 +12,16 @@
privateKeyFile = config.age.secrets.wireguard-key.path;
- peers = [(let
- peerInfo = metadata.hosts.ahmed.wireguard;
- in {
- publicKey = peerInfo.pubkey;
- allowedIPs = ["0.0.0.0/0" "::/0"];
- endpoint = "${peerInfo.ipv4Address}:${toString peerInfo.port}";
- persistentKeepalive = 5; # We are a roaming client, they are static.
- })];
+ peers = [
+ (let
+ peerInfo = metadata.hosts.ahmed.wireguard;
+ in {
+ publicKey = peerInfo.pubkey;
+ allowedIPs = ["0.0.0.0/0" "::/0"];
+ endpoint = "${peerInfo.ipv4Address}:${toString peerInfo.port}";
+ persistentKeepalive = 5; # We are a roaming client, they are static.
+ })
+ ];
# table = "off";
};