From 4a800d9290e35b2b9a5790fc70f3e6ec01dc69a2 Mon Sep 17 00:00:00 2001
From: MFlossmann
Date: Thu, 16 May 2024 15:09:24 +0200
Subject: [PATCH] add syncthing and keepass

---
 .sops.yaml | 11 ++--
 flake.nix | 5 ++
 helperLib/default.nix | 4 ++
 helperLib/syncthing.nix | 3 ++
 hosts/remus/configuration.nix | 2 +
 hosts/remus/home.nix | 1 -
 modules/home/default.nix | 24 ++++-----
 modules/home/features/syncthing.nix | 53 ------------------
 modules/nixOS/bundles/core/default.nix | 9 ++++
 modules/nixOS/bundles/core/sops.nix | 37 +++++++++++++
 modules/nixOS/bundles/general-desktop.nix | 4 ++
 modules/nixOS/default.nix | 22 ++++----
 modules/nixOS/services/syncthing/default.nix | 56 ++++++++++++++++++++
 secrets/secrets.json | 32 +++++++++++
 14 files changed, 183 insertions(+), 80 deletions(-)
 create mode 100644 helperLib/syncthing.nix
 delete mode 100644 modules/home/features/syncthing.nix
 create mode 100644 modules/nixOS/bundles/core/default.nix
 create mode 100644 modules/nixOS/bundles/core/sops.nix
 create mode 100644 modules/nixOS/services/syncthing/default.nix
 create mode 100644 secrets/secrets.json

diff --git a/.sops.yaml b/.sops.yaml
index a002d72..2fba00d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -1,7 +1,12 @@
 keys:
- - &primary age1r26dvz9zd2ds87clnqd9kxln6hyp9dtyvcfsmp9k894lkws9c49qy3yyrv
+ - &users:
+ - &prunebutt age1r26dvz9zd2ds87clnqd9kxln6hyp9dtyvcfsmp9k894lkws9c49qy3yyrv
+ - &hosts:
+ - &remus age12p2494hhhjcw28w4kg5q3rv3xtv7gmpyxags9s9ta8c3rc0g4qrst20cvw
+
 creation_rules:
- - path_regex: secrets/secrets.yaml$
+ - path_regex: secrets/secrets.json$
 key_groups:
 - age:
- - *primary
+ - *prunebutt
+ - *remus
diff --git a/flake.nix b/flake.nix
index 8e2547f..11eb19b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -14,6 +14,11 @@
 url = "github:nix-community/disko";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+
+ sops-nix = {
+ url = "github:mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = {...} @ inputs: let
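Review bot: The new `- &users:` and `- &hosts:` entries under `keys:` define anchors whose names include the trailing colon, and nothing references them; if they are meant as group labels, a comment (`# users`) or a plain `&users` anchor avoids the surprising name. The practical effect is unchanged, since only `*prunebutt` and `*remus` are used in `creation_rules`. Listing both recipients in one `age` key group means either key alone can decrypt `secrets/secrets.json`, which is what a host needs; confirm that `age12p2494…` is the recipient derived from remus's `/etc/ssh/ssh_host_ed25519_key`, because that is the key `bundles/core/sops.nix` hands to sops-nix via `sshKeyPaths`.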
diff --git a/helperLib/default.nix b/helperLib/default.nix
index 1bd1e8f..0c90406 100644
--- a/helperLib/default.nix
+++ b/helperLib/default.nix
@@ -5,6 +5,10 @@
 stable = inputs.nixpkgs-stable.legacyPackages.${prev.system};
 };
 in rec {
+ # imports = [
+ # ./syncthing.nix
+ # ];
+
 # ================================================================ #
 # = My Lib = #
 # ================================================================ #
diff --git a/helperLib/syncthing.nix b/helperLib/syncthing.nix
new file mode 100644
index 0000000..d032dd2
--- /dev/null
+++ b/helperLib/syncthing.nix
@@ -0,0 +1,3 @@
+{}: {
+ getSyncthingDevices = x: trace "foobar" x;
+}
diff --git a/hosts/remus/configuration.nix b/hosts/remus/configuration.nix
index 29ddbf7..c54199e 100644
--- a/hosts/remus/configuration.nix
+++ b/hosts/remus/configuration.nix
@@ -29,6 +29,8 @@
 myNixOS = {
 bundles.general-desktop.enable = true;
+ services.syncthing.enable = true;
+
 home-users = {
 "prunebutt" = {
 userConfig = ./home.nix;
diff --git a/hosts/remus/home.nix b/hosts/remus/home.nix
index 60fc768..e68fd99 100644
--- a/hosts/remus/home.nix
+++ b/hosts/remus/home.nix
@@ -40,7 +40,6 @@
 maker.enable = true;
 graphicDesign.enable = true;
 };
- syncthing.enable = true;
 };
 programs.zsh.enable = true;
diff --git a/modules/home/default.nix b/modules/home/default.nix
index 9ad5828..52aac48 100644
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
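Review bot: `getSyncthingDevices = x: trace "foobar" x;` in `helperLib/syncthing.nix` uses `trace` unqualified, which is not bound inside a `{}: { … }` function (it is `builtins.trace`), so the first evaluation of this attribute fails; together with the `"foobar"` placeholder this reads as scaffolding that is not ready to ship. The commented `# imports = [ ./syncthing.nix ];` added to `helperLib/default.nix` would not wire it in even when uncommented: `imports` inside the `rec { … }` lib attrset is an ordinary attribute, not a module import, so the helper would need `// import ./syncthing.nix {}` or a direct attribute instead. Either delete both fragments until the helper is real or make `getSyncthingDevices` a working attribute of the lib now.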
@@ -8,17 +8,17 @@
 ...
 }: let
 cfg = config.myHomeManager;
- # Taking all modules in ./features and adding enables to them
- features =
- helperLib.extendModules
- (name: {
- extraOptions = {
- myHomeManager.${name}.enable = lib.mkEnableOption "enable my ${name} configuration";
- };
-
- configExtension = config: (lib.mkIf cfg.${name}.enable config);
- })
- (helperLib.filesIn ./features);
+ # # Taking all modules in ./features and adding enables to them
+ # features =
+ # helperLib.extendModules
+ # (name: {
+ # extraOptions = {
+ # myHomeManager.${name}.enable = lib.mkEnableOption "enable my ${name} configuration";
+ # };
+ #
+ # configExtension = config: (lib.mkIf cfg.${name}.enable config);
+ # })
+ # (helperLib.filesIn ./features);
 # Taking all module bundles in ./bundles and adding bundle.enables to them
 bundles =
@@ -35,7 +35,7 @@ in {
 imports = [
 ]
- ++ features
+ # ++ features
 ++ bundles
 ;
diff --git a/modules/home/features/syncthing.nix b/modules/home/features/syncthing.nix
deleted file mode 100644
index 531cbd3..0000000
--- a/modules/home/features/syncthing.nix
+++ /dev/null
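Review bot: Commenting out the whole `features` block and the `++ features` import removes the `myHomeManager.<name>.enable` option for every file under `modules/home/features`, not only the deleted `syncthing.nix`; any host home config that still sets one of those options will then fail evaluation with an undefined option. Since the commit already deletes `modules/home/features/syncthing.nix`, the `features` mechanism can stay exactly as it was, and if the directory is now empty and the mechanism is meant to go, delete the block rather than keeping eleven commented lines (the same applies to the `# ++ features` line in the second hunk). Whichever is intended, the commit message should say why the feature auto-import was disabled.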
@@ -1,53 +0,0 @@
-{
- pkgs,
- config,
- lib,
- inputs,
- ...
- }: let
- saintAlphonsoID = "LHASNUO-CXALARH-XI3TU4U-OCULV72-HS3HQ35-P4FECIT-UZ5VMSZ-PMCEPQH";
-
- webGuiPort = [ 8384 ];
- cfg = config;
- in {
- imports = [];
-
- # options = {
- # rootDir = lib.mkOption {
- # type = lib.types.path;
- # default = "/home/${cfg.myNixOS.sharedSettings.mainUser}/sync";
- # };
- #
- # remoteGui = lib.mkEnableOption "Enable port for remote WebGUI";
- # };
- #
- # services.syncthing = {
- # enable = true;
- # user = cfg.myNixOS.sharedSettings.mainUser;
- # dataDir = config.rootDir;
- # configDir = "/home/${cfg.myNixOS.sharedSettings.mainUser}/.config/syncthing";
- # overrideDevices = true;
- # overrideFolders = true;
- # settings = {
- # devices = {
- # "saintAlphonso" = { id = saintAlphonsoID; };
- # };
- # folders = {
- # "KeepassXC" = {
- # path = "/home/${cfg.myNixOS.sharedSettings.mainUser}/KeepassXC";
- # devices = [ "saintAlphonso" ];
- # };
- # };
- # };
- # };
-
- # # Syncthing ports: 8384 for remote access to GUI
- # # 22000 TCP and/or UDP for sync traffic
- # # 21027/UDP for discovery
- # # source: https://docs.syncthing.net/users/firewall.html
- # networking.firewall.allowedTCPPorts =
- # [ 22000 ]
- # ++ webGuiPort;
- #
- # networking.firewall.allowedUDPPorts = [ 22000 21027 ];
-}
diff --git a/modules/nixOS/bundles/core/default.nix b/modules/nixOS/bundles/core/default.nix
new file mode 100644
index 0000000..3814fba
--- /dev/null
+++ b/modules/nixOS/bundles/core/default.nix
@@ -0,0 +1,9 @@
+{
+ pkgs,
+ lib,
+ ...
+}: {
+ imports = [
+ # ./sops.nix
+ ];
+}
diff --git a/modules/nixOS/bundles/core/sops.nix b/modules/nixOS/bundles/core/sops.nix
new file mode 100644
index 0000000..cce8696
--- /dev/null
+++ b/modules/nixOS/bundles/core/sops.nix
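Review bot: `imports = [ # ./sops.nix ];` in the new `bundles/core/default.nix` leaves the sops module unreferenced, so with this commit `inputs.sops-nix` is added to the flake but no host receives the `sops` configuration or the `sops` package from `bundles/core/sops.nix`; either import it or keep the file out of the commit until it is ready. The `pkgs` and `lib` arguments are unused in this module and can be dropped from the pattern, leaving `{ ... }: { imports = [ ./sops.nix ]; }`. Whether `helperLib.filesIn ./bundles` picks up a directory such as `core/` (with its `default.nix`) rather than only regular files is not visible here; if it does not, `myNixOS.bundles.core.enable` is never declared, so confirm against the helper before relying on this bundle.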
@@ -0,0 +1,37 @@
+{
+ pkgs,
+ config,
+ inputs,
+ ...
+}: let
+ secretsFile = "../../../../secrets/secrets.json";
+ secretsSet = builtins.fromJSON (builtins.readFile ./${secretsFile});
+ devices = builtins.attrNames secretsSet.syncthing.devices;
+in {
+ imports = [
+ inputs.sops-nix.nixosModules.sops
+ ];
+
+ sops = {
+ defaultSopsFile = ./${secretsFile};
+ validateSopsFiles = false;
+
+ age = {
+ # automatically import host SSH keys as age keys
+ sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ # this will use an age key that is expected to already be in the filesystem
+ keyFile = "/var/lib/sops-nix/key.txt";
+ # generate a new key if the key specified above does not exist
+ generateKey = true;
+ };
+
+ # secrets will be output to /run/secrets
+ secrets = {
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ sops
+ ];
+}
+
diff --git a/modules/nixOS/bundles/general-desktop.nix b/modules/nixOS/bundles/general-desktop.nix
index 989ed7b..018a383 100644
--- a/modules/nixOS/bundles/general-desktop.nix
+++ b/modules/nixOS/bundles/general-desktop.nix
@@ -68,4 +68,8 @@
 serif = ["JetBrainsMono Nerd Font"];
 };
 };
+
+ environment.systemPackages = with pkgs; [
+ keepassxc
+ ];
 }
diff --git a/modules/nixOS/default.nix b/modules/nixOS/default.nix
index 2ba9ade..1deccfc 100644
--- a/modules/nixOS/default.nix
+++ b/modules/nixOS/default.nix
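Review bot: `validateSopsFiles = false` switches off sops-nix's evaluation-time check of `defaultSopsFile`, so a malformed or accidentally unencrypted `secrets/secrets.json` is only noticed at activation on the host; the file is a repo path copied to the store, so nothing visible here requires disabling the check, and the default should stay. `secretsSet`/`devices` parse the sops file with `builtins.fromJSON` at evaluation time — only the attribute names are readable that way, the values stay `ENC[…]` — and `devices` is never used, so both `let` bindings can go. `secrets = { };` declares nothing, so no secret is decrypted to `/run/secrets` yet; a comment such as `# TODO: declare secrets here, e.g. secrets."syncthing/devices/<name>" = { };` would make the intended shape explicit. `generateKey = true` creates `/var/lib/sops-nix/key.txt` on first activation, but that key's recipient is not in `.sops.yaml`, so decryption depends on the `sshKeyPaths` host key being the `age12p…` recipient; if the SSH-derived key is the intended one, `keyFile`/`generateKey` are redundant and the comment above them is misleading.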
@@ -34,16 +34,16 @@
 (helperLib.filesIn ./bundles);
 # taking all module services in ./services and adding service.enables to them
- # services =
- # helperLib.extendModules
- # (name: {
- # extraOptions = {
- # myNixOS.services.${name}.enable = lib.mkEnableOption "enable ${name} module service";
- # };
- #
- # configExtension = config: (lib.mkIf cfg.services.${name}.enable config);
- # })
- # (helperLib.filesIn ./services);
+ services =
+ helperLib.extendModules
+ (name: {
+ extraOptions = {
+ myNixOS.services.${name}.enable = lib.mkEnableOption "enable ${name} module service";
+ };
+
+ configExtension = config: (lib.mkIf cfg.services.${name}.enable config);
+ })
+ (helperLib.filesIn ./services);
 in {
 imports = [
@@ -51,7 +51,7 @@ in {
 ]
 ++ features
 ++ bundles
- # ++ services
+ ++ services
 ;
 options.myNixOS = {
diff --git a/modules/nixOS/services/syncthing/default.nix b/modules/nixOS/services/syncthing/default.nix
new file mode 100644
index 0000000..bbaeaca
--- /dev/null
+++ b/modules/nixOS/services/syncthing/default.nix
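Review bot: The un-commented `services` registration depends on `helperLib.filesIn ./services` returning the new `services/syncthing/` directory (its module is `syncthing/default.nix`, not `syncthing.nix`), and whether the helper lists directories is not visible in this commit; if it lists only regular files, `myNixOS.services.syncthing.enable` is never declared and `hosts/remus/configuration.nix`, which sets it, fails to evaluate. Confirm the helper's behaviour, or move the module to `services/syncthing.nix` to match the flat layout the `features`/`bundles` registrations above appear to assume.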
@@ -0,0 +1,56 @@
+{
+ pkgs,
+ config,
+ lib,
+ inputs,
+ ...
+ }: let
+ webGuiPort = [ 8384 ];
+ cfg = config;
+ secretsFile = "../../../secrets/secrets.json";
+ secretsSet = builtins.fromJSON (builtins.readFile ./${secretsFile});
+ devices = builtins.attrNames secretsSet.syncthing.devices;
+ in {
+ options = {
+ rootDir = lib.mkOption {
+ type = lib.types.path;
+ default = "/home/${cfg.myNixOS.sharedSettings.mainUser}/sync";
+ };
+
+ remoteGui = lib.mkEnableOption "Enable port for remote WebGUI";
+ };
+
+ services.syncthing = {
+ enable = true;
+ user = cfg.myNixOS.sharedSettings.mainUser;
+ dataDir = config.rootDir;
+ configDir = "/home/${cfg.myNixOS.sharedSettings.mainUser}/.config/syncthing";
+ overrideDevices = true;
+ overrideFolders = true;
+ settings = {
+ devices = {
+ "saintAlphonso" = { id ="LHASNUO-CXALARH-XI3TU4U-OCULV72-HS3HQ35-P4FECIT-UZ5VMSZ-PMCEPQH"; };
+ "littleUmbrella" = { id ="BH3OHYP-TGGOSZO-EM6MXRY-YHSBOUO-CQHE7DL-N2LOUFY-TF3LEJ7-FHTGTQI"; };
+ "pixelRoot" = { id ="PO7U5SE-DYKTOM2-TFDS3BM-A25VK7V-MQ3VPFM-EFX3J4D-B3UDCX4-3XQAIAC"; };
+ "pixelDefault" = { id ="HC3CKC7-OUZBLU3-JIKTRYG-DPJE6EC-7POCWNS-6VNOPDU-L7OWYWO-PL332AY"; };
+ "pixelGooglor" = { id ="OWDM4I2-O6STMIS-H3EXF65-FSM26K3-5FLQXRN-VOK7JGC-T6H76IR-QAVO3QK"; };
+ };
+
+ folders = {
+ "/home/${cfg.myNixOS.sharedSettings.mainUser}/KeepassXC" = {
+ label = "KeepassXC";
+ id = "xd4de-mjfcq";
+ devices = ["littleUmbrella" "pixelRoot" "pixelDefault" "pixelGooglor" "saintAlphonso"];
+ versioning = { type = "simple"; params.keep = "5"; };
+ };
+ };
+ };
+ };
+
+ # Syncthing ports: 8384 for remote access to GUI
+ # 22000 TCP and/or UDP for sync traffic
+ # 21027/UDP for discovery
+ # source: https://docs.syncthing.net/users/firewall.html
+ networking.firewall.allowedTCPPorts = [ 8384 22000 ];
+ networking.firewall.allowedUDPPorts = [ 22000 21027 ];
+}
diff --git a/secrets/secrets.json b/secrets/secrets.json
new file mode 100644
index 0000000..4650e84
--- /dev/null
+++ b/secrets/secrets.json
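Review bot: `secretsFile = "../../../secrets/secrets.json"` is one directory short: from `modules/nixOS/services/syncthing/` three `..` segments reach `modules/`, so the path names `modules/secrets/secrets.json` rather than the repo-root `secrets/secrets.json` this commit adds (`bundles/core/sops.nix`, which sits one level shallower, correctly uses four); because `secretsSet`/`devices` are unused the read is never forced, but the first use will fail with a missing file, so fix the path or drop those bindings together with the unused `webGuiPort`. The device IDs that `secrets/secrets.json` encrypts are committed here in cleartext under `settings.devices`, and as far as I can tell `services.syncthing.settings` is rendered into the world-readable Nix store anyway, so the sops copy gains nothing until the module consumes a runtime secret instead; pick one source of truth. `remoteGui` is declared but never read: `networking.firewall.allowedTCPPorts = [ 8384 22000 ]` opens the GUI port unconditionally and no GUI credentials are set in `settings`, so `networking.firewall.allowedTCPPorts = [ 22000 ] ++ lib.optionals config.remoteGui webGuiPort;` would make the option do what its description says (the default `guiAddress` is loopback-only as far as I recall, so today the open port exposes nothing, but that is exactly what the option is meant to gate). Declaring `rootDir` and `remoteGui` as top-level options rather than under `myNixOS.services.syncthing` puts two generic names into the global NixOS option namespace; nesting them avoids collisions with other modules.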
@@ -0,0 +1,32 @@ +{ + "syncthing": { + "devices": { + "saintAlphonso": "ENC[AES256_GCM,data:F0NPMyENcmv1FancYIZ1NBnKoZk6XyZYNeOPHfh5+9s90nvs7bZY2vpHwbzPC9lDH/ID3U9VmFhzizzXKdTT,iv:lYgeYqykmeV6OHzpnZlpCI68Pz4T+qmJXZEcmAmmryY=,tag:yQOp6oEA5TyEpBWjQWLa0Q==,type:str]", + "littleUmbrella": "ENC[AES256_GCM,data:oLzZwulGO0KDpDVCT8kPL/ZVd98M0lnzt29EXEJNcPcdV7xuyEOQGzpz3BKk3As48SEGcuHb8hXCKWM8XgTp,iv:bVgGcsZl5l1OeO2UZIeBdJ2av34jfiKZWzpdsTgifso=,tag:dxArZNoqz8gq+fb6QvQCHg==,type:str]", + "pixelRoot": "ENC[AES256_GCM,data:/DOQjxWeh0IUYOH1YdNFapnXesc6pA3iFLZrl44at597294r9ky98/Olekn/e8hUPrLzSO5XnhYSJAUQYRXj,iv:ry4//bHdSwXObF3TlFXd7rigeSKXf3N+cVrZ2nSM4cY=,tag:KreCzUIKWhaz/VuODEYr6A==,type:str]", + "pixelDefault": "ENC[AES256_GCM,data:/5UP+VDHE5iOF5NztSL/WLqjrXlHLP/SLtjbIzjAEUtMAXC5TQEtsYASPE6xM6RACFyqHoF2HoVZmBrlv//A,iv:2iVbIQ9IJnyGMpGdlQEYGcFZZe0mofL5Jq6f/UjfwVQ=,tag:WMeWFFi0YB0LOHtmOWMf4Q==,type:str]", + "pixelGooglor": "ENC[AES256_GCM,data:9R9xyss0KEbR7hfxCs8oDJX9vG4Idnk/fwOr/k3swvzJ8y3qNRRzqMm6Joxv4BUEgwNH7xzV/wXSn3By+aIe,iv:WN5Ob/Gq+R8GoHivc4vlisRTPT6Wb9lSfb9XBNMNrx0=,tag:fr7sZBOr+6iPlNO9IQU2DQ==,type:str]" + } + }, + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1r26dvz9zd2ds87clnqd9kxln6hyp9dtyvcfsmp9k894lkws9c49qy3yyrv", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0eldLbkg3ODlkU0NNSG4v\nOGt6ZldNR09CRDhMK2daeklpZlZmSTh1cVNrCkhBZkU4azV3aDZ5THhwdUpicng1\nSHBDS0c2cG9Qamx2UE94a3RJbHhqZVkKLS0tIFU4Sm4wWE9qNmYvc1A3UzF2Y2NP\ncTRFUEU0YmZQUmxVc09LMklwU0p5bFUK0mkyYcfRBR+Nto9/hKjW8ibFu1sXJOOi\ncCVNtXoZMvpsdBvUnNdjdaOtntg9hjhhZhWx6q4jzIGE88fkMAL+IA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age12p2494hhhjcw28w4kg5q3rv3xtv7gmpyxags9s9ta8c3rc0g4qrst20cvw", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBreEovNWlSUUwrMS9ZcmIz\nZDdhU0t1TGJTcjBCbUV0VnRET09pNzdmckJjClZjMmdubVJTQ285dDFEOE9sUmVN\nQVozQmU3a0h2bldIL1Z6QTJhdHRoa00KLS0tIFhNeUMxU091c2w4MnZqeU9JQ2Ur\nR0tPZ3FnZFVObll1SS9TZVBTV2FjQW8Kd2tgtXWznbtbq2CU6Niiaw+ekkI3hfrp\n9SDTVzv30pDVmldXaxAZ9nrJQaqRHdF7hgtg+/gSL7yjCBUL4ECVXQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-05-16T15:14:00Z", + "mac": "ENC[AES256_GCM,data:ubh98AdyVK5aRV+vJuJL2++t0oV4RRck1TEpykkTuZ6t6W7F5SOPeDTurtn5ZEs2enFg4oPxREzAB6UoKZDbJdr+uNVGUPfQvJNDWcmj6JDDvdktRxEQ3QPktdKBHoBxEtRAGmirOUkmwc3uGnSHeZFVgJuweCQiHKSUQ60oqjo=,iv:fwIo+JB8lfhPAp6OfS7ci2rRVmHdU+99LM5stBBQhho=,tag:DYAAYUXTPVxAsmXQMUNK3g==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.8.1" + } +} \ No newline at end of file