2022-04-18 18:43:25 +05:30
Bebop: Initial setup of Syncthing using declarative NixOS service

This is really good, because all the folders and devices and all their sharing
matrix is now declarative and part of the same config as everything else. This
should remove a lot of headache going forward.

Only question is the secrets management for Syncthing cert and key.
cert is public info encoded into the device ID, so that is mostly taken care of,
kinda.

But these are still imperatively generated by Syncthing on the first run. I can
generate my own using openssh, but that isn't strictly better because it adds
more imperative overhead.

Lastly, the cert+key+ID combo is unique, and every time a new device comes
in/current device needs to be reinstalled (highly unlikely since the dawn of
NixOS, but never say never), then this needs to be adjusted manually. For now,
I'm gonna leave it be, and deal with it when the need arises.

Declaratively deploying the key via agenix is currently shelved, because unlike
other uses, this one directly exposes my network and machine to the wide internet,
hedging on a single SSH key that cannot be password protected due to a limitation
in agenix.

{ config, ... }:
let
  payas = "payas";
in
# TODO:
# - Setup certificates and keys declaratively? This will be a real possibility of depending on my SSH key for a whole lotta stuff. Perhaps keep that for future
# - Add more folders and devices in declarative way
# - Make ALL the nodes use this declaratively :)
{
  services.syncthing = {
    enable = true;
    openDefaultPorts = true;
    user = payas;
    group = payas;
    dataDir = "/home/${payas}";
    configDir = config.services.syncthing.dataDir + "/.config/syncthing";
    # Hosts can opt-out of folders with enable = false
    # When adding new folders, you may want to create them first manually for permissions
    # These should be configured per-node
    # overrideFolders = true;
    overrideDevices = false;
    settings = {
      options = {
        urAccepted = -1;
        relaysEnabled = true;
        limitBandwidthInLan = false;
        localAnnounceEnabled = true;
      };
      gui = {
        theme = "black";
      };
      devices = {
        hermes = {
          id = "DCG6TFN-JRO422C-AQWFNDT-CCT7KCX-ZXUL7OG-O5UGEC3-QPF5VWW-RNXU5Q4";
          name = "hermes";
        };
        "ChildishTycoon" = {
          id = "ERSVP63-ASZCCJB-FWLSZ3N-MDZ4SV5-IXBP5QD-QK235LI-DY5BYRC-6NSWUQS";
          name = "ChildishTycoon";
        };
        bebop = {
          id = "M6OJZSY-MPOQY76-BSZUFBQ-QK7LBM6-3YBOJZS-5H2K7UV-S6B34ON-THT3OAI";
          name = "bebop";
        };
        phoebe = {
          id = "QIYIN4H-YPFZBEC-BG27JXI-VZMTK52-PJCHLUP-KVICDTY-MC26CAS-D66LKQV";
          name = "phoebe";
        };
      };
      folders = {
        # devices, type and versioning to be configured per-node
        # Disable unwanted folder in per-node config
        Keepass = {
          id = "qsoil-jtfof";
          label = "Keepass";
          path = "~/Keepass";
        };
        Syncthing = {
          id = "yg7in-0dlb8";
          label = "Syncthing";
          path = "~/Syncthing";
        };
        Music = {
          id = "3qsnr-wjn9w";
          label = "Music";
          path = "~/Music";
        };
        org = {
          id = "9ta3z-yrde3";
          label = "org";
          path = "~/org";
        };
        Pictures = {
          id = "rjozc-vd3hh";
          label = "Pictures";
          path = "~/Pictures";
        };
      };
    };
  };
}
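The commit message above notes that the cert is public information encoded into the device ID, and the devices block pins four such IDs by hand. The Python below is an added example, not part of this config and not Syncthing's own code: it derives a device ID from a certificate the way Syncthing does (SHA-256 of the DER-encoded cert, base32 without padding, a Luhn mod-32 check character after every 13 characters, eight 7-character chunks) and validates the IDs declared in the devices block, so a mistyped ID in the declarative config is caught before a rebuild instead of surfacing as a peer that never connects. The CONFIG_DEVICES mapping and the byte string standing in for a certificate are assumptions made here; the device IDs themselves are the ones from the config.

```python
"""Derive and check Syncthing device IDs (added example, not part of the
Nix config above).

A Syncthing device ID is the SHA-256 of the DER-encoded device certificate,
base32-encoded without padding (52 characters), with a Luhn mod-32 check
character appended to each 13-character group (56 characters), written as
eight 7-character chunks joined by '-'. Because the ID is a hash of the
public cert, a peer can only claim it by presenting that cert and proving
possession of the matching private key; the check characters only catch
typos, not a swapped certificate.
"""
import base64
import hashlib

# Luhn alphabet used by Syncthing: the RFC 4648 base32 alphabet, in order.
LUHN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def luhn32(s: str) -> str:
    """Return the Luhn mod-32 check character for s (chars from LUHN_ALPHABET)."""
    n = len(LUHN_ALPHABET)
    factor = 1
    total = 0
    for ch in s:
        addend = factor * LUHN_ALPHABET.index(ch)  # ValueError on a bad char
        factor = 1 if factor == 2 else 2
        total += (addend // n) + (addend % n)
    return LUHN_ALPHABET[(n - total % n) % n]


def device_id_from_der(der: bytes) -> str:
    """Device ID for a DER-encoded certificate."""
    digest = hashlib.sha256(der).digest()
    raw = base64.b32encode(digest).decode("ascii").rstrip("=")  # 52 chars
    with_checks = "".join(
        raw[i:i + 13] + luhn32(raw[i:i + 13]) for i in range(0, 52, 13)
    )
    return "-".join(with_checks[i:i + 7] for i in range(0, 56, 7))


def device_id_from_pem(pem: str) -> str:
    """Device ID for the contents of Syncthing's cert.pem (PEM-wrapped X.509)."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return device_id_from_der(base64.b64decode(body))


def is_valid_device_id(device_id: str) -> bool:
    """True if the ID has the right shape and every Luhn check character matches.

    Accepts the dashed form used in the config or a bare 56-character string,
    case-insensitively. Any single substituted character is detected.
    """
    s = device_id.upper().replace("-", "").replace(" ", "")
    if len(s) != 56 or any(ch not in LUHN_ALPHABET for ch in s):
        return False
    return all(luhn32(s[i:i + 13]) == s[i + 13] for i in range(0, 56, 14))


# Device IDs as they appear in the devices block of the config above
# (the mapping itself is an assumption of this example).
CONFIG_DEVICES = {
    "hermes": "DCG6TFN-JRO422C-AQWFNDT-CCT7KCX-ZXUL7OG-O5UGEC3-QPF5VWW-RNXU5Q4",
    "ChildishTycoon": "ERSVP63-ASZCCJB-FWLSZ3N-MDZ4SV5-IXBP5QD-QK235LI-DY5BYRC-6NSWUQS",
    "bebop": "M6OJZSY-MPOQY76-BSZUFBQ-QK7LBM6-3YBOJZS-5H2K7UV-S6B34ON-THT3OAI",
    "phoebe": "QIYIN4H-YPFZBEC-BG27JXI-VZMTK52-PJCHLUP-KVICDTY-MC26CAS-D66LKQV",
}


def check_config_ids(devices: dict) -> dict:
    """Map each device name to whether its configured ID passes the check."""
    return {name: is_valid_device_id(did) for name, did in devices.items()}


if __name__ == "__main__":
    for name, ok in check_config_ids(CONFIG_DEVICES).items():
        print(f"{name}: {'ok' if ok else 'BAD CHECK CHARACTER'}")
    # Constructed stand-in for a DER certificate (not a real cert). With a
    # host's real cert.pem, device_id_from_pem(open(path).read()) yields the
    # ID to compare against the one declared for that host above.
    print(device_id_from_der(b"constructed: not a real certificate"))
```

Running the script checks every declared ID; pointing device_id_from_pem at a host's cert.pem and comparing the result with the ID declared for that host confirms that the declared ID and the certificate on disk actually belong together, which is the part a check character cannot tell you.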