In pursuit of trying out NixOS on Rocinante, the device was formatted and, on a
bad assumption, I did not back up userdata.
So the device identity is lost and I no longer have the original Syncthing keys
for this device. Being an Android phone, it would be unwise to back up and
restore the keys anyway.
So, for now, I am simply removing Rocinante from my backup roster. So much for
the extra machine backing up my stuff.
Now only the full-fat FLAC dir is shared between enterprise, bebop and Childish
Tycoon. I realised that the overhead of maintaining two sets was eventually going
to be too much. The two dirs were already out of sync, and as I was cleaning up
unwanted files from one device, the other dir was falling further behind.
So, now only FLACs will be shared. This means Rocinante has to be left out of
the Music sync. This means there is one less backup, but I hope it will be fine.
Roci originally served as the always-on node, but that role has been taken over
by bebop in much better fashion, so at least for now I can survive with one
less backup of the music.
This way I'll have at least one backup (albeit on-site only) of the FLAC
collection. It took me significant time to build it, and I'd rather not have to
build all of that again.
This is really good, because all the folders and devices and their whole
sharing matrix are now declarative and part of the same config as everything
else. This should remove a lot of headache going forward.
The only open question is secrets management for the Syncthing cert and key.
The cert is public information (it is presented to every peer during the TLS
handshake, and the device ID is derived from it as a hash of the certificate),
so that part is mostly taken care of, kinda.
But these are still imperatively generated by Syncthing on the first run. I can
generate my own using openssl, but that isn't strictly better because it adds
more imperative overhead.
Lastly, the cert+key+ID combo is unique per device, and every time a new device
comes in, or a current device needs to be reinstalled (highly unlikely since
the dawn of NixOS, but never say never), this needs to be adjusted manually.
For now, I'm gonna leave it be and deal with it when the need arises.
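As an added example (not taken from the original post or from any of the machines above), this is roughly what the declarative sharing matrix looks like in NixOS, written from the point of view of enterprise: the two remaining peers and the single FLAC folder, with Rocinante deliberately absent. The user name, paths and device IDs are placeholders. The commented `cert`/`key` options are the NixOS hook where a pre-generated identity would be wired in (for example a path produced by a secrets tool) instead of letting Syncthing generate one on first run.

```nix
# Hypothetical NixOS module for the host "enterprise"; names and IDs are placeholders.
{ config, ... }:
{
  services.syncthing = {
    enable = true;
    user = "alice";                         # placeholder user
    dataDir = "/home/alice";                # Syncthing state (incl. cert.pem/key.pem) lives under here
    openDefaultPorts = true;                # 22000 tcp/udp for sync, 21027/udp for local discovery

    # Make the running instance match this file exactly: anything added
    # through the web GUI that is not declared here gets removed on rebuild.
    overrideDevices = true;
    overrideFolders = true;

    # Where a pre-generated identity would be plugged in. Left commented:
    # with these unset, Syncthing generates cert.pem/key.pem on first start.
    # cert = "/run/secrets/syncthing-cert.pem";
    # key  = "/run/secrets/syncthing-key.pem";

    settings = {
      devices = {
        # Placeholder IDs. A real device ID is 8 groups of 7 base32 characters
        # and is derived from the device's certificate, so it is safe to commit.
        bebop.id = "XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX-XXXXXXX";
        "childish-tycoon".id = "YYYYYYY-YYYYYYY-YYYYYYY-YYYYYYY-YYYYYYY-YYYYYYY-YYYYYYY-YYYYYYY";
        # rocinante intentionally not listed: its identity is gone and it is
        # no longer part of the backup roster.
      };

      folders = {
        flac = {
          path = "/home/alice/Music/FLAC";  # the one remaining full-fat collection
          devices = [ "bebop" "childish-tycoon" ];
        };
      };
    };
  };
}
```

Because `overrideDevices` and `overrideFolders` are set, every peer and every share is visible in the repository diff, which is the property the post is after: a device that should not have access cannot linger in the GUI-managed config unnoticed. Re-generating a device's identity after a reinstall still means updating its `id` here by hand, which is the remaining imperative step the text describes.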
Declaratively deploying the key via agenix is currently shelved because, unlike
its other uses, this one directly exposes my network and machine to the wider
internet, hedged on a single SSH key that cannot be passphrase-protected due to
a limitation in agenix.