From b20e4ad7b89165b5290f049fa7ea918d391d27a9 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Thu, 7 Nov 2024 17:01:21 -0600
Subject: [PATCH] add syncthing

---
 nixos/hosts/gandalf/default.nix | 69 +++++++++++---
 nixos/hosts/gandalf/secrets.sops.yaml | 93 ++++++++++---------
 nixos/hosts/shadowfax/default.nix | 22 +++++
 nixos/hosts/shadowfax/secrets.sops.yaml | 86 +++++++++++++++++
 nixos/hosts/telchar/default.nix | 23 ++++-
 nixos/hosts/telchar/secrets.sops.yaml | 86 +++++++++++++++++
 nixos/modules/nixos/de/kde.nix | 10 +-
 nixos/modules/nixos/services/default.nix | 2 +-
 .../services/syncthing/config/default.nix | 40 ++++++++
 .../nixos/services/syncthing/default.nix | 51 ++++++++++
 .../services/syncthing/secrets.sops.yaml | 85 +++++++++++++++++
 nixos/profiles/global/users.nix | 1 +
 12 files changed, 506 insertions(+), 62 deletions(-)
 create mode 100644 nixos/hosts/shadowfax/secrets.sops.yaml
 create mode 100644 nixos/hosts/telchar/secrets.sops.yaml
 create mode 100644 nixos/modules/nixos/services/syncthing/config/default.nix
 create mode 100644 nixos/modules/nixos/services/syncthing/default.nix
 create mode 100644 nixos/modules/nixos/services/syncthing/secrets.sops.yaml

diff --git a/nixos/hosts/gandalf/default.nix b/nixos/hosts/gandalf/default.nix
index 69ff11b..87fd025 100644
--- a/nixos/hosts/gandalf/default.nix
+++ b/nixos/hosts/gandalf/default.nix
@@ -1,7 +1,13 @@
 # Do not modify this file! It was generated by 'nixos-generate-config'
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, modulesPath, inputs, ... }:
+{
+  config,
+  lib,
+  modulesPath,
+  inputs,
+  ...
+}:
 let
   sanoidConfig = import ./config/sanoid.nix { };
   disks = import ./config/disks.nix;
@@ -9,23 +15,40 @@ let
 in
 {
-  imports =
-    [
-      (modulesPath + "/installer/scan/not-detected.nix")
-      inputs.disko.nixosModules.disko
-      (import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda" ]; })
-    ];
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    inputs.disko.nixosModules.disko
+    (import ../../profiles/disko-nixos.nix { disks = [ "/dev/sda" ]; })
+  ];
 
   boot = {
     initrd = {
-      availableKernelModules = [ "ehci_pci" "ahci" "mpt3sas" "isci" "usbhid" "usb_storage" "sd_mod" ];
+      availableKernelModules = [
+        "ehci_pci"
+        "ahci"
+        "mpt3sas"
+        "isci"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+      ];
       kernelModules = [ "nfs" ];
       supportedFilesystems = [ "nfs" ];
     };
-    kernelModules = [ "kvm-intel" "vfio" "vfio_iommu_type1" "vfio_pci" "vfio_virqfd" ];
+    kernelModules = [
+      "kvm-intel"
+      "vfio"
+      "vfio_iommu_type1"
+      "vfio_pci"
+      "vfio_virqfd"
+    ];
     extraModulePackages = [ ];
-    kernelParams = [ "iommu=pt" "intel_iommu=on" "zfs.zfs_arc_max=107374182400" ]; # 100GB
+    kernelParams = [
+      "iommu=pt"
+      "intel_iommu=on"
+      "zfs.zfs_arc_max=107374182400"
+    ]; # 100GB
   };
 
   swapDevices = [ ];
@@ -76,12 +99,24 @@ in
     };
   };
-
+  # sops
   sops = {
     secrets = {
       "borg/repository/passphrase" = {
         sopsFile = ./secrets.sops.yaml;
       };
+      "syncthing/publicCert" = {
+        sopsFile = ./secrets.sops.yaml;
+        owner = "syncthing";
+        mode = "400";
+        restartUnits = [ "syncthing.service" ];
+      };
+      "syncthing/privateKey" = {
+        sopsFile = ./secrets.sops.yaml;
+        owner = "syncthing";
+        mode = "400";
+        restartUnits = [ "syncthing.service" ];
+      };
     };
   };
 
@@ -100,7 +135,10 @@ in
   mySystem = {
     purpose = "Production";
     system = {
-      motd.networkInterfaces = [ "enp130s0f0" "eno1" ];
+      motd.networkInterfaces = [
+        "enp130s0f0"
+        "eno1"
+      ];
       # Incus
       incus = {
         enable = true;
@@ -129,6 +167,13 @@ in libvirt-qemu.enable = true; podman.enable = true; + # Syncthing + syncthing = { + enable = true; + publicCertPath = config.sops.secrets."syncthing/publicCert".path; + privateKeyPath = config.sops.secrets."syncthing/privateKey".path; + }; + # Scrutiny scrutiny = { enable = true; diff --git a/nixos/hosts/gandalf/secrets.sops.yaml b/nixos/hosts/gandalf/secrets.sops.yaml index d135547..89b94e8 100644 --- a/nixos/hosts/gandalf/secrets.sops.yaml +++ b/nixos/hosts/gandalf/secrets.sops.yaml @@ -1,9 +1,12 @@ lego: dnsimple: - token: ENC[AES256_GCM,data:jtPQzX0FTN1KIVAwDXkakyQY6UJyaDhT2VaalYQv+ghbGfNwAK9hO6aOBw==,iv:+x04TmDryTrxkXRSAXlC7MtwQkUYV3rF45SlXiP0zZA=,tag:579m99+Zwm7/2phDmQM/1w==,type:str] + token: ENC[AES256_GCM,data:wyj88D4qPqnxovjRKS3jg2H6OwznNfhmVyMO9MV7e66mOjUw/vbqkstEqg==,iv:f+1PN+pKpu8bm8eAQ7sFb+ZpMe8fmImukUir41XdKtM=,tag:FRpEAWf0fA8LOoTrJiEwRQ==,type:str] borg: repository: - passphrase: ENC[AES256_GCM,data:BCf4ywpje/eU18drsG9GLVFUCZs=,iv:nCE+7oj0dlnUMzAUtaJmwuhrbZeJKGj1JHoAof8dGfY=,tag:+/aMlnkezV/HYWL9cPVioA==,type:str] + passphrase: ENC[AES256_GCM,data:33OMM880zGxJPTtqsNmbCMCCABE=,iv:8tvOqpKzbyx9sOmHLA+8v05vhLXjhRRuHpGHxGVo++s=,tag:MvsLDcVyX6rPr5lwDOvBqw==,type:str] +syncthing: + publicCert: ENC[AES256_GCM,data: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,iv:sq21pry1Yz4vZITF29oyFGnvhUwgyDsFwtHrzl059KE=,tag:rOmVsnWpLL87M0d6mfgovw==,type:str] + privateKey: ENC[AES256_GCM,data:QZYlRzV2FPbCDun72PPgxxx4qvqGbuj0iZhvHggm/0sh3JFjtZIBZ7V4TfYYjJJykhKP+4Tm8rghnijiAmDSjyuGm0xwr9ENreRe/j7VrMYhcBes3h9PWOWY2jx+kh7U6v3da7/G79ISv5neFtsjvvM7UpGmIb4mwygZ9qO1cRRuC/k3CPehT7uN2kYNCKlfYJcRp/IlmvD0L38BtHsnokK0zCqC3q2nOZWWazfv3Hxck0kbQSV7V3OBmqfd6h7sdN/GQBv4gmgqjUH9DsCHz+3LEEyxIOp340zPKAZFZGg1SpBQREFOyyaYUMgk8iXRqvqIPxHeyruFzkDRZf6URni3klfEbQi/6B7eP8Jzt/BPfsdLYO9QSXyuqSYAj+V5,iv:BvlKA+gltrGHOXggwLsvqI5FCz7X+RwcOOCvdMYf31w=,tag:/SICpca+QkqeEh/dXYUxBw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -13,77 +16,77 @@ sops: - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqUlBQRUxXbW5yd0NOV0Vu - T2loVENJekhiU0xzK25BSVhGTVZ6RSs0VlJFCkRzenI0MHc5dGNLMm81aUxlS0xN - cDh2dk9EOThqZG5oeXBiZ2FJSzdwMVkKLS0tIE5UL3VIQ0F6MDRCRHVPOGZNRG10 - YjY3ZlpCbXFzaGlEVU80emt6L25CWTQK7LNGhKdtgaZ691XkB9cBd7HzbSaRVucv - YNpWEQqTHMOvrXfZoj/iS8BO6AV21zkgPRUJUeH71Rompp8KZf0VfQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4dEJJVHhhTU1XMVp2UmNh + cnEwMTg0ck9oZzR0QndXa2t3UlpVK0M1bzBBCm8zZWpZanJYcHFQeXdKK1BDSk9u + WVcwSGtvS3h0UTZkNG1ZMkZKT3hORkUKLS0tIFh6S1UzWXE3a085bE5NMjl6Zzgx + MDZrbzBNdUNvcnppZS9wMmczVU5uQnMKpYJmsY/Ul7cpUc+ueSt3FkShvR1KqYHW + q6bhaoby5Wz3XxLZl0ONBqovabkDwNiP6Er0rGiv0tK6TIaQE/NaUw== -----END AGE ENCRYPTED FILE----- - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZjhDb3VQV0FrMVBpaXU0 - MnE2UW9vRWlLUVZ4OEN2MCtSWkVLUGZmbXhrCnFMTFJ6ZmJSTVFuby9tdXdvMUkv - YUZxU2d3NVliOVc4ZkJNcjF0NUpMR3MKLS0tIFZaTXlBN2RXRDlSMXJ2c0cvNjhS - T09yeURTMVl1Y3dxalhyT0pnRWowRjQKZ4e0r5VJvlNU3OhqN2uVbJRvJ0794Smq - D3EYz+0Xh7k7L0UGwWgG7OxDsxJwlusDcBFJqgrCiXzd6bBP1scgqw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpTnVFSW8rSUFVN0txbTJz + aXFUdXBnSW1GZkRBcFNFZlBWLzFEa2NhTlJJCldEYUlHcHM2a28za2I0N3JORTZm + S2Foa0MyQng4TlNpaE53VHpLVGlNZFEKLS0tIHRNSWovZHJlaDhGY0xKd3pRQm5y + aExPbjRPVi9kZ2s4bFlxdFhtK3l5bGcK+qEq++r5B48TwAOxyRFWm68MRa91rnZx + levAEpFZYIMxfzxk++i26omu6r1jvXsiwtm2YvdoGhmNUqLU2UDWZA== -----END AGE ENCRYPTED FILE----- - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiR3NPWFUrbnFPNW5qMlFF - L3pvOGVUWnVWN0Rjd1hRY3QyQy9uRENLVFJvCko2Ui9IMFpxQXl2c250RTRnT2Ex - dWQ0REQvMnRFQVBkZlUxNi8vRHZ0dWsKLS0tIHZVSlM0b2RXR1VxVFZCUld2bEIw - 
NkJmcTB4S2NNNWJpR0VneHBqMkhxbUEK2bEVSifh6NE8zCjssoBZ9FWevQ7GxgQp - ClLKBk8d3DDskkJSsL7sVV/KYUyRXQ8pUAyc4nbbO1n3JJeYPDc1xw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqZzlkQmFiM2puUHVNUFIr + L0E0VGpxck56d2NsemFrNEFWNmZ2MXlTV0Y0CkppUmxYRlVkVUZiWEJoVG55cXAv + N0dRY1d1c2srTk0xU3AxSDNqQTZkdFEKLS0tIFpnZ09jellUWk1YZnh0akNsTysx + ZnBCMVNqdGRvUm4xOVVRbTF0VzY1eEkKJhjFjnVk6Kr0LIUdyRPI3nPRXbPHHW/Q + 0NVqBn7s+NbS6pzSCPu5+T/ibo2HofQZQ0hFFUeCN/EO5xNCaueNFA== -----END AGE ENCRYPTED FILE----- - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoQUNrZW9BUURPT09hc1lS - ZW1Sa3BqSG15SUJPa0Y2NXFQanJxenAvTVEwCmdLUTRQZkJzUHlBSVdRbW5TVThF - WDhlbGRld1FsWEhwTk5NU1V5RG12RUkKLS0tIEpFcnBxdVd3YlcvelhJZlByei9W - NE1WL2F1eHQ2VDBYSkEvdWFkWTloRTAKwLzbJqwk1+u5xEPFHO59QpU+DCoDO4R2 - c9jFmfC/SGyDvtgH/r0inue0paUbssS/EuNbcPUJbgspPgOzXT38LQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArandyVGlHU0NacDdmTDdQ + ZVg5ei9hYW45VU02RkhkTmlNeHdCODgxQ1h3CmpBdnhvdlBwWUkxVVNqcHgvNDc5 + bkFydkRGOXE2a2lyTU9rZ2l2U0NjV2cKLS0tIDhyUm5EUlZxcHFRemlpaHFYRjV0 + ODN2Y1Y5a2tWOU1PTElLa3NPeTVCb3cKqPj5QB/K9uB4RN+KRsK8UGS4WxECJn/q + HCVEo/5YFnoEtE0X7xvyBEKgrAokzVsnuHtNqP0i6ka2XIt0yi2xOw== -----END AGE ENCRYPTED FILE----- - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXNDNkdThheEh6QUJXYzVr - NTJpTGxWelRYc3F3QS9JNXFYNHRJK2JOeEM0CmlFOWZ1MVMxSWs0UkM4anVCbVlP - L2pncEwwaThYNW8xTzVPUCtlRk1xZUkKLS0tIER5UGtPZnJ5OGF2eTUvK3pQSjgr - THNmdDdmT0VSdnVmdlZlRlJTZEdUSDAKhnE1wEbTWa7ufQlo8M7DBPKjMXA88S1D - amtSDhDQBltoEJQiQ5tY8e++uxG0O931b9ygdSs4Mhz3ctcrR17OgQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMbWxBNFpyajNETjM2VUhr + TTdmc2pwb1RVNHlNVGNYaUFMelFOQVUwMlFnClBQRldoMXY4dm9nY2Ntd0pRNUZu + NEhYeVp4YUthMU1MUmZvSjh3ZjVTajQKLS0tIDNKSHNQcWJYNkVvWmFXV2pSNVBP + 
cHVzY09RZ1ZuSkNWWisxeDQ5V2Z5VW8KybOLJvSkkV5XiH431SBY8k5aSE9QdZ5r + UghLUUTB1OFvycYNyxhyIgetX9ycu54PXitEiTBGWphPiAnXyBG3dQ== -----END AGE ENCRYPTED FILE----- - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWW9QVElmdDJOSGt3Snl0 - RFZJSktrQlpYREkyUEl6Mk5JN3YvaU96MlVJCitURmRlU0QzY0FQcXhibkJxVjdz - MmJZWXpoZ1ZkNTd4MTlsWTdCN1pqVGcKLS0tIFRuenBTa0tqd20wVGtWa1MxeU82 - RVhiMjlaV0hqZ2JtN3RUb1FINDU1czQKECXZ3iUVwOMUmmiiJP8Ke6D0yKJ5iJ3t - 5rLYa/p8JnEKLM7g4WFnJSl4Yks8vc1GE6wvFxVGad+K9d3HFnstFQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxVGRacTlCMjBRaURxMDNt + SXBnZXl6M1l3ZmVZUlVDZEV4U2dJSjREcGpnCkF3L1hhOEFYcnp5Y3VLSEsyTWZE + NFpTNno3VStINnlXdW9wcXd3bW81UGsKLS0tIGR3b3lQa3VIQmZ1bXREQnphQ1lL + KzdCbXNTc054eEJBeklmM0xPVGQ4bmcKgZtxtepmmn/M4HylEsQ0FB/OXlgnyrU8 + 6Yy2ua5/UN+YfFJ2FNoYyxd7OYLDeHsvQQODXJuL7VEGBaF+3ttMHg== -----END AGE ENCRYPTED FILE----- - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaZkZFYVFGMUpLckloMm1w - NTdaa2kzU0x6ZzBRQnU4OFBtaE9UNU44WXhNCmUrUmlUWGgzcGU3eUdVOTJ2MllG - Rkt0eUVQYWtsamJldzN6cXlTOWNWRlUKLS0tIDFvOFo0YXZzTWJ1by9FakRkUHVn - QThtZkpaL1pLaHRVRzQ4OHBQaEc4Z2sK3QcdxD0eC4BMqTJs949EQu+LOMzlQ9d9 - 710uGiOb0fTnDJhbYQo5TfU0YMmsjYz7pfKS33x/hcYKz0yhdYaqYA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAweHZaZjRoaXRCNEFBYk1V + ZWJ3YjVJVFFmeGhpUnVHYXhxNlhvOEtqVTBrCjRIa3N3UnRYeTU5ajUyM0xjanNN + RjArandlM1ljbEdjcHcvL3Fvd2MweFEKLS0tIDZ2Z0dpN1d3bFc5VlNMbXBmZGNn + blVrd3dubmUwWGd5Rk1PSHBPUlFBZ0UKOh5BQgCUxQxFSU2NxmOGEmO3DZ3TuWid + d1vLm0TotAjshXBSy/yo62ejDUhvoCJ38PNDi6+zpZwCFYhaviQM7g== -----END AGE ENCRYPTED FILE----- - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5U1BMc3dkcFUyVkczYWMv - 
a3NVSHIyS011K3RXcFdpb3NPTDJsNnQyYnh3Ci8yTlZDM2ZVWDliSTJMMTRIZ2NW - VkpBMCt1ZnNQZU9IakF6QWdxY1l2blEKLS0tIGljeHVGbW04UTV3bkU3a2ZQSzFS - RWh3akgwdG5FNmtYZWN2NGFQTlRnSlEK4JDDt681LDq/lxnVEvHzhNeCCtmOQCU1 - m2OW8L053ZweC4t4urqRz33b6VNVyeQG2wejfDtkbzOrbZnOsId8WA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4eTdXNlA2bW1OTmpFNktD + cTgrUjY0UzV4NTE5NWFHdHlYa1JaeW1DblZVCkwrelZjaE5vdkFyTkErMGR0Mmt0 + RkVPb1RTMjlEc2pRSDZjMWpwVVNhZVEKLS0tIEpaV3Y2enoxMWZyTVZjdlpYTWtH + ZTNZOVhTcTBHSDk2UjhXRE90VCs0R2MKUI6Q/P4v4xLnkqXqMuidlcgccDzf3Ig7 + P8aVNYbwtQqjsOwjYcoec4PaQehloW0kt/QSnYQx3znxrYQE1WVVNQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-18T23:57:27Z" - mac: ENC[AES256_GCM,data:etf0bt71hn7uY03VfGucBr9RQVcAyqswTxYjfka4pmGHqMR4zpkYloiPiaPvDEHTNbg8QI4sI7HHkyWO/S/pIsoIosD+jnzxNhvW4HYCVIVn1dr+vzPrdguz2I2cVq3LvkErB2xCjNCfxSNQtTFkNog9yMV25CeT71Yk/hEexRs=,iv:c+FWtxvEZ19SGsgxA1iKib68bndtbxZ7VqLpmFfFfrg=,tag:Jrbi5SRLvzgzuztip63KVQ==,type:str] + lastmodified: "2024-11-08T01:53:24Z" + mac: ENC[AES256_GCM,data:C05zcIFQC3gMa5AVKGB2uvpT5Bj/Pt2XyWizjPfIa4gcx1TzueQZ0mlZHjJY/9qu5SccbLrJ/eNmajzh39cTmFZ7211l9Zz6N8BMboh8olzIWUYFeGzZtXgmKXBRMVH6RPpbcuawLOeXeD9pCLSek6V9Qdx/OUnlWokj9ZPfvuc=,iv:PGMPSs99J6neXoSF18yWbxjCE0M9dSjqtz1ntxwk0TU=,tag:pZfVKcroeKPAvlfft1YsOA==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.9.1 diff --git a/nixos/hosts/shadowfax/default.nix b/nixos/hosts/shadowfax/default.nix index aa101b2..51bf6ca 100644 --- a/nixos/hosts/shadowfax/default.nix +++ b/nixos/hosts/shadowfax/default.nix 
@@ -116,6 +116,21 @@ in
     prometheus.exporters.zfs.enable = true;
   };
 
+  # sops
+  sops.secrets = {
+    "syncthing/publicCert" = {
+      sopsFile = ./secrets.sops.yaml;
+      owner = "syncthing";
+      mode = "400";
+      restartUnits = [ "syncthing.service" ];
+    };
+    "syncthing/privateKey" = {
+      sopsFile = ./secrets.sops.yaml;
+      owner = "syncthing";
+      mode = "400";
+      restartUnits = [ "syncthing.service" ];
+    };
+  };
   # System settings and services.
   mySystem = {
     purpose = "Production";
@@ -149,6 +164,13 @@ in
     podman.enable = true;
     libvirt-qemu.enable = true;
 
+    # Syncthing
+    syncthing = {
+      enable = true;
+      publicCertPath = config.sops.secrets."syncthing/publicCert".path;
+      privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
+    };
+
     # Scrutiny
     scrutiny = {
       enable = true;
diff --git a/nixos/hosts/shadowfax/secrets.sops.yaml b/nixos/hosts/shadowfax/secrets.sops.yaml
new file mode 100644
index 0000000..71305d7
--- /dev/null
+++ b/nixos/hosts/shadowfax/secrets.sops.yaml
@@ -0,0 +1,86 @@ +syncthing: + publicCert: ENC[AES256_GCM,data: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,iv:1FVhrbnLirFr2bHWZ53vEdnS6rL+HSMdV/XZarMmNAg=,tag:HCdx2II3FqDGy/t36NGiFA==,type:str] + privateKey: ENC[AES256_GCM,data:UNOJu/8lwtOy76y9mURvAQAcCPkAqCr3k4zo0qJw4WoyRiFnHszFrk988LdX9hi1a8d2SYpSbWBdRxAOBOkB0ljycjudgH+xVdOLeJDKZH69zRKkWwdfq6N4vxYhqnUyCuwsRrFvg4cZYeEx9n133QNf3DPYIvovlPEfurQXDt8s3/tDqVeJ1SuJTX2sp8X79KWypCb9T3mar9X67EirV2Tz6uxzeRiWUpekfQbdzcjITiQPZ9silBcu0ZIwgfneBQ9yqAV/Gu01mJph6H6cYqBhK3xO4T8tXsnk66siBjWmqKP+3kVG5pyFDMAhuM0Jz+0VkaKOjYxTaPff1YMsL7/hWQUXcMgM6NyppMbpJBnvqcaMpEbYuEF444pBVktC,iv:H/X4eW+1//f7uyJRiveZRQRJcPGelxHhz1sIlzsMCcM=,tag:n+/dttJpTBeHFK/H40M0oA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIREVLNDdJUVJlbk1OR2o1 + RFNJLyttRDZoTmoyenZFU2docVUxRnVtdVcwCkM2VEV5ZCtobWJDZUNVYWlkK1I1 + dlJlbzQwKy94dEkrZG9rb1lma3IweGcKLS0tIEZLQjNxT1lobDh2VEJWY3E5cGZE + UzdGT2JpUWtVSzI5VVBXNWVXamlYTEEK5fFvbB55/4Nj3tI2TG3WYhwA1WK3vmfH + Qh5H5GcAYGV37Wlw2mZ/J3SYo9IBG+aNyXO8nE2/pwF7Tbw7GDPQ6A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtM0Q4ekVwWXhYd3krVzJR + anFxQWtaN0I3Qk1qRDE2cFVETGs2T1M0ZHhnCklBL3hmeXh3OWpvYnRzRHJWY2o4 + TWpnYklpOG04S2pCVEdmTWtCYXJSUWMKLS0tIEdSUmthcEo4UjV4THAweC96cmNJ + dVV3TW04eEZDNW83T3JCRFVjMmxrZVkK7mU2HJstMD7p9As/s4XyBuYVJAlqCveA + NvC0imDnZ7btrVWKNTV2UB0VgQiM+opgcNHYhqRT1vLpUv/+ZRFDrg== + -----END AGE ENCRYPTED FILE----- + - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqWElORElqTkQveHZFV1pk + 
ZitvWnZLTEJJWVFCTzZTVklQOVNCa0J2ZXhRCktGelNLYS85dmhJdlVjUWxkTWpC + R3cycTd0NEVWN2pLZnoxUXFyeG1tSjgKLS0tIHlIbkc0Yzd3YURqOWVwT0NTQlZR + bzRaVDdDL0NlNUZ3cTV4NU84NXNTeWsKZXNd2pYBG5P48kurR/XyswPGStyzSkqs + 2mEjJCwuMZBkBRm9DFzbB/01LxqNnES4U9/6oVri0y4mHl5R7PyTag== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNQ3JHSE1IcWJqYW85cGtr + WXI3TE1SNGZ1R05iRkNKeW0wR2pVNU12dHlFClJseDYxUjFyOFg3Yjdpb1E0aEVj + SExnaTMzK3dDR2NvNEhjTkoyUTI4NlEKLS0tIGsxencxR2dhWWwwaGtFU3VnaU9x + bUNibENVMmQ4NWhOTmlOdmJyTTB3eUUKM5zbfS3IOGgXlAFi+40DAIBZbLiDDyLu + g5CZKtRAw/85WOqOdWl+WJBYegggyZs3029w2QA9WzxymnkGiyl1nA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZb0xEUFc4MmpOM0RaWmZO + Q1MzVkJyRnNFN28zUlQ4TUZ2TktWakFVZVQwCndvdDNzRGJMbE1lMHZaZ1llVzE1 + dXZFMngzVVM4UjZWV2ZlOGY5bWJjQjgKLS0tIHBMWFlxd0syRjlEQUFwRS9lN1Ji + K2hUdmZmUHVWa01qVHVUODBlZ3RvY1UK4u0PsdXstr/NVsYGRglQ8IPhElIcJIbk + 3G83Dunu+WApUNMhoCFpB0OuxSyc+xDIdEOhqcFGvIoywMmnpWWZ8Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrRFBRWWNSU1l5dE44c0No + QlJvYlh3dEZKVVVmS2RKOUdyaWtGMythUHhjCmsvR0M1eHlVd1l1NXVCWEw1ZnBa + SUNpWDFZWWJlSlVnR0VCNlluSWt0b0UKLS0tIENMa3FFWHpkaTg3YlRXRHpML05j + b1dmeXFkZjViVm5hdldOdTJRRWo2QUkK+eoVhfzSHimufxl0O81wRBJQ8iEVb7w2 + rVLONs1qR5xRGCV6OpCtbRqKaNXQgGY/w1CGb/44xdmh7C2C21gs6g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKV1o1cFphUnNhdlM3blh0 + 
dHpKODg1SXNsbVlnRG5zaVFiNllEOGEvWkM4ClFwZDg3a1o2UDYyUUJwdHAxU0JX + MUN6Rk9rR0NKSjNyK0ZrQ1BaTWpTNjAKLS0tIDZkYTUvd3lkZHV6ei9xemUrUWFQ + TkJ6bDhxVVUzckkzNllsTkZLeFlEMkEKFesi49AfQbNLnYGrlvpCXCwvI22J1DL7 + QK7lBMlDX3+zlutX6DKygQBT3BckSZWI8upOsK2atjP6d8seDVl3cA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0eld2eEwyRTFyMGhXL2w3 + Q1JYSG9VMXVqZE1zak1Ub1dOWVZYaVBNUzM4CmVUNURBcDVWeHhUUVBoRDE4M29B + SzRyUGU5MUVSL0wzRWZLd2RYOGplSmMKLS0tIDNOYWcvL0t0K0tXMWZGQXNybjY5 + NDIwV1hIcXoyZWI3dUEyeWtXd3FLcEUK0YBS95TA9luAL1mObUtH6RG4nesYZ7Fc + bB3e2p6Mrp/t1Oa/8p6WQXxu4vf5y0XCNLXeW6I6/3udrTXARaNNPA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-08T01:54:39Z" + mac: ENC[AES256_GCM,data:YD2Uwxq8rt2NPKfh5gxHvXcbcEmzfO2ZaaYjH0RnhHyNnHrf3jcyzEhJphKkzRRpsCJ/F7UV+x8EQdWkVn7eUykY92TkLeZ9I6TwyqupzfycQGrJK3Ma+jbO0qlG5L7NXXSxj4LKtJ9Rf1BdFH4czeWmrM3aMhtgAclZ4sTSCos=,iv:AElkydOvlkkGu/1iLxclH1bqkd1Pj4uQH3gbp6iGDII=,tag:WEfrJm3F0niQn1vKuowALg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/hosts/telchar/default.nix b/nixos/hosts/telchar/default.nix index 1e43a15..ff0c07e 100644 --- a/nixos/hosts/telchar/default.nix +++ b/nixos/hosts/telchar/default.nix 
@@ -45,13 +45,32 @@
     java.enable = true;
   };
 
-  # KDE Wallet PAM integration for unlocking the default wallet on login
-  security.pam.services."sddm".kwallet.enable = true;
+  # sops
+  sops.secrets = {
+    "syncthing/publicCert" = {
+      sopsFile = ./secrets.sops.yaml;
+      owner = "syncthing";
+      mode = "400";
+      restartUnits = [ "syncthing.service" ];
+    };
+    "syncthing/privateKey" = {
+      sopsFile = ./secrets.sops.yaml;
+      owner = "syncthing";
+      mode = "400";
+      restartUnits = [ "syncthing.service" ];
+    };
+  };
 
   ## System settings and services.
   mySystem = {
     purpose = "Development";
 
+    services.syncthing = {
+      enable = true;
+      publicCertPath = config.sops.secrets."syncthing/publicCert".path;
+      privateKeyPath = config.sops.secrets."syncthing/privateKey".path;
+    };
+
     ## Desktop Environment
     ## Gnome
     # de.gnome.enable = true;
diff --git a/nixos/hosts/telchar/secrets.sops.yaml b/nixos/hosts/telchar/secrets.sops.yaml
new file mode 100644
index 0000000..2fc0cd8
--- /dev/null
+++ b/nixos/hosts/telchar/secrets.sops.yaml
@@ -0,0 +1,86 @@ +syncthing: + publicCert: ENC[AES256_GCM,data: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,iv:9K8PKwTAKF1iZNRDY8ABgK2xKDZ4jh6l1C+ZzH1aexQ=,tag:/fxUf++pQQKWD8SZyw3Lqw==,type:str] + privateKey: ENC[AES256_GCM,data:ul6WGC0iMOpm7RcZjSPATJcu5IMENcvJtPreulDB8vODKfFWKeXlWiy13CZ2fsJxn3Xd/SbXGgtqd6wNQAyU9Rp8qrbFAVCrTppGjbVElbLTdPdpWMU940Rxn4ICc9z4LmKziALFj28O2neRANEzhtThCv724PStXnS2h6mO9bvfDBvmWyD85l0W8hjYHT2g6RaKAMB0BQ+SGb/7YTzpJkU2qdcYdqFaFlxqae1ZO0Ik4UdOBwAGQFgiDM/BzwL5kM0H/r3mMd0vgLBk7AGcQx9yI76SDlFh8CT7jYyJhE0X+wSKwcMdttA8qeCcdkxdEiXgzzFreBJfRq9CUc5+y20mE+cv83bXCIAz12yT0RDMoml1efvrn5A/valqTn8y,iv:VSSVxItFPc7+t5vHoDBRP2mmiFsulThRNZqNy82RYFI=,tag:F6IHAmk4HEINtuYb9Kvbxg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3bGFxTi9OcjUwNlJWRWov + OEFtZTJacmxSSDhEeWdGbTRhMHEyQ0pwVW5nCmsvVU5KSHJ4OTZtWExzUWg0ZnBD + Q3BXSFhMNUZ2YjZiRmRwcWV0R1BnVnMKLS0tIDZKaG9abm5JeVROdzNQcXhhZG41 + TDhEVG1yaDhZbWNXVm5HQnFBZld1alUKLjDMyKKMcdh96YjZ3/QPEXecPYlNZMGv + 8BCG4xZq+cqlzxpQ/f9/P+g8crw+BQD/H8S5R/UsNZuT3jFoZYTgyg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFODdNVDNtYytjZmhxK1FY + Q2wvT2M1UFRzbVU5c0hDUXhBd0hXWDNoL21zCnI0ak9ESHl5bCtaM21SMDhpMmlM + SUx1SldFeTlVME9iQ09BZnJCRk44OHcKLS0tIDR5dFdDZU9ESVFhTXowZ0NWQnBj + bFZpNHNQaDZ5M1RnK1FhYXVUVDhpMTAKjbJ7BboI37aWHQ3IIiwd4F725w9QSq/5 + TYoApR7X5dDhEy43ytuuSUASDN3Zw7xg96e23/JCPfAYzjeL/6MbLA== + -----END AGE ENCRYPTED FILE----- + - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXcFZ4YitXNXNJaDd6aENK + 
OW9Uc0VHS0hhNWUzZXRXbkdUZnRBWTVOWVdnCnlLNmpVRFB0enpUQ1FIbk8rMFhS + a2FHTWZSZTFnbC9vNnFPaWVSK3NFNjAKLS0tIFJDS3N5eFZhQm55QUJQOXV1NER1 + cTJvYVdta0JPRFZ1TUc4eDBNS2VEQzgKkLXYLUC3Fd27KKajQwbKVUUfAawhb4g5 + /1cKOxSs1eMfCpK0xxZKwsSaAcTfmYlXuRBMO82ol9lMD+/fBNaCfg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYb2diT3NqQ1UyZFM3Mmc3 + OWJicDNFVXR5dkNQN3ZVYlVCK29yd3FCMG1jClpPaWdRUWsxK2lrMy9YdGFzWmZ0 + VVNaNE9Pb0lhNEpsWUdGckFRaXNOc3cKLS0tIERLajl6Q1BGcmh3TUYyNGtCS0dI + V2ZhNDNJTlBGWU43MFVHMGpzUElZMncK5i95c/lkjjlnpL2dCchkvhnpoQQzb2w/ + eGx9DQwj7eLhYh/STrsX39vXEEw6kNuIz/2zVMirzVhv/bQ3xmerTQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2dm1wQkx5MEUySWR3YmVS + ZWZTRkdaeGZPVFpudit6SHpBWE0xODFZd2xRCjlGYmk3L0E3eVpjYW1NSVRoa3lk + OHRFK24rWlJNemVWMHhERlowT3ZUZDQKLS0tIHdKancwR0wrb0hWUDBPS3ZBbnFm + bjhSTTNxZVczK3lNSENQUVgyZUlzR3MK++UAqpak2u+E/OjXnpFQ0UFb5SrEm7KK + TwS0VBa7OfQtC6UHuix4MtsLJYkaEf8vYjjrBHRGlbbgAP+yFPaOPw== + -----END AGE ENCRYPTED FILE----- + - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAycC82VGhHVFRkeEs1QVl6 + RHJ3N3RGZXFTWWNIYVpVVXQ0Z0sxdWdyNkRZCnJ0a1QvOUpvekJpckY4eSs5bFRL + b3ZiVHdpSUlCcjBXMFlzMnJvQUNlNmcKLS0tIHhNUDFzNHZpWE1zQnR3UFdFWkFO + VHBGSENKc3lkMkdZaVdVVHlvcWoyc2MKiatzQlU9D1WSZO/6IwGhyd2zFtnRR3SS + t9kqNFnrCfuAReoP7PsMukNbfeZr0edn2bTByZ32EF2qBFmEJicGHQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIOG9TQkhzK0NUazd4RVE3 + 
Yjh2Y2hJaEdWcVExaWNmNEw1eTZsZHgxdUFZCmhqcHBSblBhd2pSbE8vYVc1NlQ0 + ck1BZG9LRHY0aHJqMkFkMFJVUVZwOFkKLS0tIG5Cc0ZVWVBzTXoySm91bSszZXpS + TXA1RjFETXdRRFBQK3g2Tmk2VGdXVGsK3jkU01wrOWktuThyt51G4opyTrS1W1dR + MKWuw2GljMSeGHij5VP+PwmTfaJrl5KpEm5w8ggKIm8KaR3RI/DYWg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaEtvNUs4T3czQ25ObG5L + Yk9uZzBvSHFFcjJwdTVXckJFNE1NellDb0VJCitBTWFjRlpOdS9wL0crN3V0ZnBk + bTY2R01LYk9zT3ppVHBaNFlMSkZJRU0KLS0tIDAvOE1Ya29OYUF2Rk41c0ZEbzlq + eFZwL0R3R0psRzVRYjlzRlBURGhXOTAKwewHTFEpnXKOGTv544Tl8djUG3uKS7+n + h7FAGpzGF1/i45+JJYikXjaWbJmN/WqZRrx9BAyu2ymeTQKPzCHShg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-07T23:27:17Z" + mac: ENC[AES256_GCM,data:xPofZ+vRCsvPz1WTTjlxR6bbHYDDTP+sX8Rc8lRWzjAnMcsULsmbpeIwjghcnMgm406Umbct87UX1aFu4LioumG3KE1XHzE/s4Ik095m9IBbo2AVLVx0O2Q5UKwDvP7pPnBJBEmjs4xn70bMsOeYRJl+VECQssN18IzjVUwaVmE=,iv:0we672j+kxTHwXO5aUtu9wCIndgqUDnhGWvEGH2sVQA=,tag:Nu8Fa4bc4BWlvNE4m1DXYw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/modules/nixos/de/kde.nix b/nixos/modules/nixos/de/kde.nix index 87aaa53..8cc91b1 100644 --- a/nixos/modules/nixos/de/kde.nix +++ b/nixos/modules/nixos/de/kde.nix @@ -13,6 +13,7 @@ in config = lib.mkIf cfg.enable { # Ref: https://wiki.nixos.org/wiki/KDE + # KDE services = { displayManager = { @@ -25,8 +26,13 @@ in }; desktopManager.plasma6.enable = true; }; - # realtime process priority - security.rtkit.enable = true; + + security = { + # realtime process priority + rtkit.enable = true; + # KDE Wallet PAM integration for unlocking the default wallet on login + pam.services."sddm".kwallet.enable = true; + }; # enable pipewire for sound services.pipewire = { diff --git a/nixos/modules/nixos/services/default.nix b/nixos/modules/nixos/services/default.nix index 061f97c..8bc19aa 100644 
--- a/nixos/modules/nixos/services/default.nix
+++ b/nixos/modules/nixos/services/default.nix
@@ -16,6 +16,6 @@
     ./reboot-required-check.nix
     ./restic
     ./sanoid
-    ./vault
+    ./syncthing
   ];
 }
diff --git a/nixos/modules/nixos/services/syncthing/config/default.nix b/nixos/modules/nixos/services/syncthing/config/default.nix
new file mode 100644
index 0000000..2beb2ef
--- /dev/null
+++ b/nixos/modules/nixos/services/syncthing/config/default.nix
@@ -0,0 +1,40 @@
+{ sops, ... }:
+{
+  settings = {
+    gui = {
+      user = sops.secrets.username;
+      password = sops.secrets.password;
+    };
+
+    devices = {
+      legiondary = {
+        name = "legiondary";
+        id = "O4WI2YC-BZBPF2W-2ALNQ2D-UOP3BK5-ZDSEHVH-DIHS2FG-BSVJCXG-GF47XAE";
+      };
+      shadowfax = {
+        name = "shadowfax";
+        id = "U3DS7CW-GBZT44M-IFP3MOB-AV6SHVY-YFVEL5P-HE3ACC5-NDDGAOB-HOTKJAC";
+      };
+      gandalf = {
+        name = "gandalf";
+        id = "2VYHSOB-4QE3UIJ-EFKAD4D-J7YTLYG-4KF36C2-3SOLD4G-MFR6NK3-C2VSAQV";
+      };
+      telchar = {
+        name = "telchar";
+        id = "ENO4NVK-DUKOLUT-ASJZOEI-IFBVBTA-GDNWKWS-DQF3TZW-JJ72VVB-VWTHNAH";
+      };
+    };
+
+    folders = {
+      "Documents" = {
+        path = "/home/jahanson/projects";
+        devices = [
+          "legiondary"
+          "shadowfax"
+          "gandalf"
+          "telchar"
+        ];
+      };
+    };
+  };
+}
diff --git a/nixos/modules/nixos/services/syncthing/default.nix b/nixos/modules/nixos/services/syncthing/default.nix
new file mode 100644
index 0000000..f2d0274
--- /dev/null
+++ b/nixos/modules/nixos/services/syncthing/default.nix
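Review bot: `./vault` is dropped from the services import list on the changed line while the commit is titled "add syncthing" and nothing else in the patch touches vault. If any host still sets `mySystem.services.vault.*`, evaluation now fails on an undeclared option; if vault was in use, its units silently disappear on the next switch. If the removal is intended, say so in the commit message and remove the module directory in the same change; otherwise keep `./vault` and add `./syncthing` as a new line after `./sanoid`.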
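Review bot: `gui.user` and `gui.password` are assigned `sops.secrets.username` / `sops.secrets.password`, which are the sops secret *declarations* (attribute sets with `path`, `owner`, `mode`, …), not the decrypted strings; `services.syncthing.settings` is serialized at build time, so this cannot carry a runtime secret and will most likely fail to serialize or hand Syncthing a non-string value. Do not repair it with `builtins.readFile` on the secret, which would copy the password into the world-readable Nix store; set the GUI credentials at runtime from the `/run/secrets` files (a `postStart` that updates the config via the REST API) or leave GUI auth off and rely on the localhost binding. The folder path `/home/jahanson/projects` is also served by a daemon that, as far as this patch shows, runs as the default `syncthing` user, so write access there and the resulting ownership of synced files need checking — a comment such as `# NOTE: synced as the syncthing user; directory must be writable by it` above `path` would record that decision.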
@@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.mySystem.services.syncthing;
+in
+{
+  options.mySystem.services.syncthing = {
+    enable = lib.mkEnableOption "Syncthing";
+    publicCertPath = lib.mkOption {
+      type = lib.types.path;
+      description = "The public certificate for Syncthing";
+    };
+    privateKeyPath = lib.mkOption {
+      type = lib.types.path;
+      description = "The private key for Syncthing";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # sops
+    sops.secrets = {
+      "username" = {
+        sopsFile = ./secrets.sops.yaml;
+        owner = "syncthing";
+        mode = "400";
+        restartUnits = [ "syncthing.service" ];
+      };
+      "password" = {
+        sopsFile = ./secrets.sops.yaml;
+        owner = "syncthing";
+        mode = "400";
+        restartUnits = [ "syncthing.service" ];
+      };
+    };
+
+    services = {
+      syncthing = {
+        enable = true;
+        openDefaultPorts = true;
+        key = lib.mkIf (cfg.privateKeyPath != null) "${cfg.privateKeyPath}";
+        cert = lib.mkIf (cfg.publicCertPath != null) "${cfg.publicCertPath}";
+        settings = import ./config { inherit (config) sops; };
+      };
+    };
+    # Don't create default ~/Sync folder
+    systemd.services.syncthing.environment.STNODEFAULTFOLDER = "true";
+  };
+}
diff --git a/nixos/modules/nixos/services/syncthing/secrets.sops.yaml b/nixos/modules/nixos/services/syncthing/secrets.sops.yaml
new file mode 100644
index 0000000..811e4bc
--- /dev/null
+++ b/nixos/modules/nixos/services/syncthing/secrets.sops.yaml
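Review bot: The `cfg.privateKeyPath != null` and `cfg.publicCertPath != null` guards on the `key`/`cert` lines can never be false, because both options are declared `lib.types.path` with no default, so a host that enables the module without setting them fails at evaluation rather than falling back to Syncthing's auto-generated identity; either make the guards real with `type = lib.types.nullOr lib.types.path; default = null;` on both options or drop them. The options also deserve a warning comment: interpolating a repo-relative path literal through `"${cfg.privateKeyPath}"` would copy the device private key into the world-readable /nix/store, and the hosts only avoid that by passing `config.sops.secrets.….path` strings — something like `# Must be a runtime path string (e.g. a sops secret .path), never a file in this repo` above `privateKeyPath`. `openDefaultPorts = true` opens the sync and local-discovery ports on every interface of all three hosts per the NixOS module; the GUI appears to stay on the module's localhost default here, but confirm that is the intent for the production hosts.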
@@ -0,0 +1,85 @@ +username: ENC[AES256_GCM,data:WSQeuKRVE80=,iv:ci1XiMFsDDx3PbM0sH8ph/twu1FlrI3LSaURp3qaUxE=,tag:GrpaeuVBVK6CqOAiK+F2bg==,type:str] +password: ENC[AES256_GCM,data:Er08gOwq4LMXCiH+c1dPq1eGcVU=,iv:TtYcMYMuIRtsPzT47nCe0SEzpy9byuoBIOMTHWEdJkk=,tag:rIeYTmHDYW44pgntALRx1w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEcDA4MXZCNlk5TzVKK09L + Q0F3bldGN3p6SCtFM1F5dG9QV09uNXhiMFI4CmhFcit6V0FQL1ZYcVJ2UDc3ZWlu + bWc5Qzd0eHBjY3NzRUVXM1V6Sm1tR2MKLS0tIGU4YlNYcGltc21ZbENWMC9TS2JQ + VEhZdklMcUdBUmh5Q1ZXdEtYZ3htblEKWr8uQWvUbu36eD3Q09aKpHaAXkzBCx2f + g9osxa9r8Ih43NWZvJRTQlXdLi7T+oQj3dyYOT3gTL8L8WkbWuG2eA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1m83ups8xn2jy4ayr8gw0pyn34smr0huqc5v76e4887az4vsl4yzsj0dlhd + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMGxrdEV6SUREMFlyK1p5 + WFZ5aUs4QlNSUUE2eEJXcTVjRitjdlhtTWpFCll1TjlWMWd3N1FoOWRqWTEyODVZ + a0dwd1RIb1U0OGdUdkUyM2IvYmhyR3cKLS0tIEhhUzdhTml5b1ZaeWNQV2NpUmVF + aHdZV2FWbXpmL0RDTUdjQVBuQnBEUjgKELbs5UPRNslIvZz66Imtf4XfFxLUJkIA + xAbMZeGbW61da1kfb5Dc/v/zbB57T1qZNDE48nPfIMpQBNQNh8/9FA== + -----END AGE ENCRYPTED FILE----- + - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBadDFIK1lRR0Z4RVhHRXUw + QldxNk8zUTVOVFpIM1cwV3ZMcXZPcFpTbEZrCm1NWVpsc05ob2FpRVY1VlI5Z291 + WDI3ZEZwS25tRVpTMDR5SDlodE51VDgKLS0tIHk4VmhJcWswTVpwRyt3bEcxZEM0 + MVQrSHR0WHI0eHVaVkpDZzhqZG5sZ28K2vw5S5phg4UXCeWr2baPdwtHDPM7OaUf + idLK+rKGFLxXWOcgzCJPDvwdIbvrmfueEPf8chmqcHus1JPYKzASJA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1lp6rrlvmytp9ka6q89m0e0am26222kwrn7aqd45hu07s3a6jv3gqty86eu + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwTWY2YlFHVU94NnBuRlpN + RlpMS3kxOUhvTWtsNnVyQ2ExU0YzdXN4ZEdNCnpKczFjWFBkVGhnRGcwL2xRejVu + TGhHUHZzeEpVNm5MVk03Zkp3OFYxNjgKLS0tIGEzL2J3SytvZFp6ZTFXWHF5YlU1 + dGZwelk0eWRsM2xwMmtxMWhQSkNVMEUKUSuFRNYCAuodVIVq59mfFDD3NIK3aCMS + WN0/otRuND5kDy4kmTqFil5E8WwRcpHvjZZOAjqDA16DSriZS6mpbQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1e4sd6jjd4uxxsh9xmhdsnu6mqd5h8c4zz4gwme7lkw9ee949fc9q4px9df + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjckh5R0s5Y0E3STZZbWd3 + TDNtWUxGYVZCKzluK1FzZG9VaUppVUFpbEJvCjhtZDA0a0preVd1SW8xTW9jQkdO + cmJQOE9LNUJDa1Q0dFhYcDh6VUxwSzAKLS0tIEd5SkF0RUwvUUVMSW1IY25Oak1W + cHVrZGh6R1YyOStmV2dEbXJsY0U1NTgK7XjhWRazgHzIcsDPIsTV3qrYWhJ6FpCT + 5P+HUNSjdv1sv/KbexJgjWgG0YNv+eRQnqtxzZaniaWcn5gp1JlR7A== + -----END AGE ENCRYPTED FILE----- + - recipient: age19jm7uuam7gkacm3kh2v7uqgkvmmx0slmm9zwdjhd2ln9r60xzd7qh78c5a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWU0NnS2E1UzlRYVVjcDZC + ajhwSGxpUzNENXBSSE82empzd1pmYkt5SUdzCk5TZWJna0w4UU1MQ1R3WHVOMDJU + Q0pvM09OZFJFYm5OeHdQVDZBNW1mckUKLS0tIEhraG9YUXYrWUp6S3VqeThpcWZw + aEx6bWNNY2t5UFVwcHdBZE9kSEFrYWMKw40ntGaLDFX5tRK5Ir9yRu4Kbsyl7N05 + uyMlyQ20zL0TmsL5OFEuIF3mhaLyu2GgigQaQcGffx/DUJdLRc8Fnw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1nwnqxjuaxlt5g7fe8rnspvn2c36uuef4hzwuwa6cfjfalz2lrd4q4n5fpl + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4SDZaeUtCbWt2OFZRRm9T + Y3l1dzZwU2s0WDlaNXNaUHpFaExFamtSS3lRCmE1VHI0M3hqSDNCanFuR2l4SU8r + aTR6TlhReDJ4SjUvS0J0aHNyY002eTgKLS0tIHYxdU1WSng0VWZETTFiMGh1OHY5 + STQyNWUyNDhRTkxVUXd5VHNjZjJjK0kK8SJirqpGCmLCwLlLul6WdAzIWWiAR4Qf + usYAmNmjbHLHxNftB9mGLEumJ8IAB20Ywk5EbujMvhJ0w1R7kAyC+w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a8z3p24v32l9yxm5z2l8h7rpc3nhacyfv4jvetk2lenrvsdstd3sdu2kaf + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhbCtUMFhveWVLTzI3Y21Z + ZlY2UU9vVFplcUVIbk5Jay82UmNxT2lZSnk0Cm5DRHRGMVZSaDZ1cElxWk9PQWhs + SmlRMHBiU1lTNVE2UlpQSXgvSDZqazAKLS0tIGxadVhWYUVOV0Jab05LS0ptendn + aWtiSlZlTUdwMW9Eb1dXUERVanVOaFEKSqRistshNg61yLJIe/3kuisRLuvfVbWu + ZsN/jk357Zv1VIYwmdm80LqI6zCGNzDaP30+Bxp8RTasA3gKM1mKrg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-07T23:25:22Z" + mac: ENC[AES256_GCM,data:ngdpFJcw3Qq/G7MWJY4Ka28r5tAobVlPxkQ+ve1MGd4SHKhUMRTA3je7kG+2zB/muQKtZ+SNolFJF4KcCtCOBaC0y70eJcFbGZ7g2iXa8TtNnW53PRpdWPYjJ5BhGbdCcJ3KKNcO+nT/PWIC1JTP6vp0j0aghLlYrm7Bq8+cAj0=,iv:YoTnZcxbn4Mzh+5lGQSr1OxLdyGUtGrnkt/KsNSTw2Q=,tag:63wotwyZVIqnTtZGW47jRA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1 diff --git a/nixos/profiles/global/users.nix b/nixos/profiles/global/users.nix index e133701..9e6ee10 100644 --- a/nixos/profiles/global/users.nix +++ b/nixos/profiles/global/users.nix @@ -41,6 +41,7 @@ in "libvirtd" "wireshark" "minecraft" + "syncthing" ]; openssh.authorizedKeys.keys = [
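Review bot: Adding `"syncthing"` to this user's `extraGroups` grants the login user read access to group-owned Syncthing files, not the reverse; the daemon (running as the `syncthing` user by the module's default, since this patch sets no `services.syncthing.user`) gains no write access to the `/home/jahanson/projects` folder configured elsewhere in the patch. The sops secrets declared with `owner = "syncthing"; mode = "400"` are unaffected by the group, which is the right outcome. If the goal is to let the daemon write into the home directory, that needs `services.syncthing.user`/`group` set to the owning user or a group-writable folder rather than this membership; the user attribute set this list belongs to starts outside the hunk.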