add syncthing and keepass

2024-05-16 15:09:24 +02:00 · 2024-05-16 15:09:24 +02:00 · 4a800d9290
commit 4a800d9290
parent bb9494227f
14 changed files with 183 additions and 80 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,7 +1,12 @@
 keys:
-  - &primary age1r26dvz9zd2ds87clnqd9kxln6hyp9dtyvcfsmp9k894lkws9c49qy3yyrv
+  - &users:
+    - &prunebutt age1r26dvz9zd2ds87clnqd9kxln6hyp9dtyvcfsmp9k894lkws9c49qy3yyrv
+  - &hosts:
+    - &remus age12p2494hhhjcw28w4kg5q3rv3xtv7gmpyxags9s9ta8c3rc0g4qrst20cvw
+
 creation_rules:
-  - path_regex: secrets/secrets.yaml$
+  - path_regex: secrets/secrets.json$
    key_groups:
      - age:
-        - *primary
+        - *prunebutt
+        - *remus
--- a/flake.nix
+++ b/flake.nix
@ -14,6 +14,11 @@
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    sops-nix = {
+      url = "github:mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs = {...} @ inputs: let
--- a/helperLib/default.nix
+++ b/helperLib/default.nix
@ -5,6 +5,10 @@
    stable = inputs.nixpkgs-stable.legacyPackages.${prev.system};
  };
 in rec {
+  # imports = [
+  #   ./syncthing.nix
+  # ];
+
  # ================================================================ #
  # =                            My Lib                            = #
  # ================================================================ #
--- a/helperLib/syncthing.nix
+++ b/helperLib/syncthing.nix
@ -0,0 +1,3 @@
+{}: {
+  getSyncthingDevices = x: trace "foobar" x;
+}
--- a/hosts/remus/configuration.nix
+++ b/hosts/remus/configuration.nix
@ -29,6 +29,8 @@
  myNixOS = {
    bundles.general-desktop.enable = true;

+    services.syncthing.enable = true;
+
    home-users = {
      "prunebutt" = {
        userConfig = ./home.nix;
--- a/hosts/remus/home.nix
+++ b/hosts/remus/home.nix
@ -40,7 +40,6 @@
      maker.enable = true;
      graphicDesign.enable = true;
    };
-    syncthing.enable = true;
  };

  programs.zsh.enable = true;
--- a/modules/home/default.nix
+++ b/modules/home/default.nix
@ -8,17 +8,17 @@
  ...
 }: let
  cfg = config.myHomeManager;
-  # Taking all modules in ./features and adding enables to them
-  features =
-    helperLib.extendModules
-    (name: {
-      extraOptions = {
-        myHomeManager.${name}.enable = lib.mkEnableOption "enable my ${name} configuration";
-      };
-
-      configExtension = config: (lib.mkIf cfg.${name}.enable config);
-    })
-    (helperLib.filesIn ./features);
+  # # Taking all modules in ./features and adding enables to them
+  # features =
+  #   helperLib.extendModules
+  #   (name: {
+  #     extraOptions = {
+  #       myHomeManager.${name}.enable = lib.mkEnableOption "enable my ${name} configuration";
+  #     };
+  #
+  #     configExtension = config: (lib.mkIf cfg.${name}.enable config);
+  #   })
+  #   (helperLib.filesIn ./features);

  # Taking all module bundles in ./bundles and adding bundle.enables to them
  bundles =
@ -35,7 +35,7 @@
 in {
  imports = [
  ]
-  ++ features
+  # ++ features
  ++ bundles
  ;

--- a/modules/home/features/syncthing.nix
+++ b/modules/home/features/syncthing.nix
@ -1,53 +0,0 @@
-{
-  pkgs,
-  config,
-  lib,
-  inputs,
-  ...
-  }: let
-    saintAlphonsoID = "LHASNUO-CXALARH-XI3TU4U-OCULV72-HS3HQ35-P4FECIT-UZ5VMSZ-PMCEPQH";
-
-    webGuiPort = [ 8384 ];
-    cfg = config;
-  in {
-  imports = [];
-
-  # options = {
-  #   rootDir = lib.mkOption {
-  #     type = lib.types.path;
-  #     default = "/home/${cfg.myNixOS.sharedSettings.mainUser}/sync";
-  #   };
-  #
-  #   remoteGui = lib.mkEnableOption "Enable port for remote WebGUI";
-  # };
-  #
-  # services.syncthing = {
-  #   enable = true;
-  #   user = cfg.myNixOS.sharedSettings.mainUser;
-  #   dataDir = config.rootDir;
-  #   configDir = "/home/${cfg.myNixOS.sharedSettings.mainUser}/.config/syncthing";
-  #   overrideDevices = true;
-  #   overrideFolders = true;
-  #   settings = {
-  #     devices = {
-  #       "saintAlphonso" = { id = saintAlphonsoID; };
-  #     };
-  #     folders = {
-  #       "KeepassXC" = {
-  #         path = "/home/${cfg.myNixOS.sharedSettings.mainUser}/KeepassXC";
-  #         devices = [ "saintAlphonso" ];
-  #       };
-  #     };
-  #   };
-  # };
-
-   # # Syncthing ports: 8384 for remote access to GUI
-   # # 22000 TCP and/or UDP for sync traffic
-   # # 21027/UDP for discovery
-   # # source: https://docs.syncthing.net/users/firewall.html
-   # networking.firewall.allowedTCPPorts = 
-   #   [ 22000 ] 
-   #   ++ webGuiPort;
-   #
-   # networking.firewall.allowedUDPPorts = [ 22000 21027 ];
-}
--- a/modules/nixOS/bundles/core/default.nix
+++ b/modules/nixOS/bundles/core/default.nix
@ -0,0 +1,9 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    # ./sops.nix
+  ];
+}
--- a/modules/nixOS/bundles/core/sops.nix
+++ b/modules/nixOS/bundles/core/sops.nix
@ -0,0 +1,37 @@
+{
+  pkgs,
+  config,
+  inputs,
+  ...
+}: let
+  secretsFile = "../../../../secrets/secrets.json";
+  secretsSet = builtins.fromJSON (builtins.readFile ./${secretsFile});
+  devices = builtins.attrNames secretsSet.syncthing.devices;
+in {
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  sops = {
+    defaultSopsFile = ./${secretsFile};
+    validateSopsFiles = false;
+
+    age = {
+      # automatically import host SSH keys as age keys
+      sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      # this will use an age key that is expected to already be in the filesystem
+      keyFile = "/var/lib/sops-nix/key.txt";
+      # generate a new key if the key specified above does not exist
+      generateKey = true;
+    };
+
+    # secrets will be output to /run/secrets
+    secrets = {
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    sops
+  ];
+}
+
--- a/modules/nixOS/bundles/general-desktop.nix
+++ b/modules/nixOS/bundles/general-desktop.nix
@ -68,4 +68,8 @@
      serif = ["JetBrainsMono Nerd Font"];
    };
  };
+
+  environment.systemPackages = with pkgs; [
+    keepassxc
+  ];
 }
--- a/modules/nixOS/default.nix
+++ b/modules/nixOS/default.nix
@ -34,16 +34,16 @@
    (helperLib.filesIn ./bundles);

  # taking all module services in ./services and adding service.enables to them
-  # services = 
-  #   helperLib.extendModules
-  #   (name: {
-  #     extraOptions = {
-  #       myNixOS.services.${name}.enable = lib.mkEnableOption "enable ${name} module service";
-  #     };
-  #
-  #     configExtension = config: (lib.mkIf cfg.services.${name}.enable config);
-  #   })
-  #   (helperLib.filesIn ./services);
+  services = 
+    helperLib.extendModules
+    (name: {
+      extraOptions = {
+        myNixOS.services.${name}.enable = lib.mkEnableOption "enable ${name} module service";
+      };
+
+      configExtension = config: (lib.mkIf cfg.services.${name}.enable config);
+    })
+    (helperLib.filesIn ./services);
 in {
  imports = 
  [
@ -51,7 +51,7 @@ in {
  ]
  ++ features
  ++ bundles
-  # ++ services
+  ++ services
  ;

  options.myNixOS = {
--- a/modules/nixOS/services/syncthing/default.nix
+++ b/modules/nixOS/services/syncthing/default.nix
@ -0,0 +1,56 @@
+{
+  pkgs,
+  config,
+  lib,
+  inputs,
+  ...
+  }: let
+    webGuiPort = [ 8384 ];
+    cfg = config;
+    secretsFile = "../../../secrets/secrets.json";
+    secretsSet = builtins.fromJSON (builtins.readFile ./${secretsFile});
+    devices = builtins.attrNames secretsSet.syncthing.devices;
+  in {
+  options = {
+    rootDir = lib.mkOption {
+      type = lib.types.path;
+      default = "/home/${cfg.myNixOS.sharedSettings.mainUser}/sync";
+    };
+
+    remoteGui = lib.mkEnableOption "Enable port for remote WebGUI";
+  };
+
+  services.syncthing = {
+    enable = true;
+    user = cfg.myNixOS.sharedSettings.mainUser;
+    dataDir = config.rootDir;
+    configDir = "/home/${cfg.myNixOS.sharedSettings.mainUser}/.config/syncthing";
+    overrideDevices = true;
+    overrideFolders = true;
+    settings = {
+      devices = {
+			  "saintAlphonso"  = { id ="LHASNUO-CXALARH-XI3TU4U-OCULV72-HS3HQ35-P4FECIT-UZ5VMSZ-PMCEPQH"; };
+			  "littleUmbrella" = { id ="BH3OHYP-TGGOSZO-EM6MXRY-YHSBOUO-CQHE7DL-N2LOUFY-TF3LEJ7-FHTGTQI"; };
+			  "pixelRoot"      = { id ="PO7U5SE-DYKTOM2-TFDS3BM-A25VK7V-MQ3VPFM-EFX3J4D-B3UDCX4-3XQAIAC"; };
+			  "pixelDefault"   = { id ="HC3CKC7-OUZBLU3-JIKTRYG-DPJE6EC-7POCWNS-6VNOPDU-L7OWYWO-PL332AY"; };
+			  "pixelGooglor"   = { id ="OWDM4I2-O6STMIS-H3EXF65-FSM26K3-5FLQXRN-VOK7JGC-T6H76IR-QAVO3QK"; };
+      };
+
+      folders = {
+        "/home/${cfg.myNixOS.sharedSettings.mainUser}/KeepassXC" = {
+          label = "KeepassXC";
+          id = "xd4de-mjfcq";
+          devices = ["littleUmbrella" "pixelRoot" "pixelDefault" "pixelGooglor" "saintAlphonso"];
+          versioning = { type = "simple"; params.keep = "5"; };
+        };
+      };
+    };
+  };
+
+  # Syncthing ports: 8384 for remote access to GUI
+  # 22000 TCP and/or UDP for sync traffic
+  # 21027/UDP for discovery
+  # source: https://docs.syncthing.net/users/firewall.html
+  networking.firewall.allowedTCPPorts = [ 8384 22000 ];
+  networking.firewall.allowedUDPPorts = [ 22000 21027 ];
+}
--- a/secrets/secrets.json
+++ b/secrets/secrets.json
@ -0,0 +1,32 @@
+{
+	"syncthing": {
+		"devices": {
+			"saintAlphonso": "ENC[AES256_GCM,data:F0NPMyENcmv1FancYIZ1NBnKoZk6XyZYNeOPHfh5+9s90nvs7bZY2vpHwbzPC9lDH/ID3U9VmFhzizzXKdTT,iv:lYgeYqykmeV6OHzpnZlpCI68Pz4T+qmJXZEcmAmmryY=,tag:yQOp6oEA5TyEpBWjQWLa0Q==,type:str]",
+			"littleUmbrella": "ENC[AES256_GCM,data:oLzZwulGO0KDpDVCT8kPL/ZVd98M0lnzt29EXEJNcPcdV7xuyEOQGzpz3BKk3As48SEGcuHb8hXCKWM8XgTp,iv:bVgGcsZl5l1OeO2UZIeBdJ2av34jfiKZWzpdsTgifso=,tag:dxArZNoqz8gq+fb6QvQCHg==,type:str]",
+			"pixelRoot": "ENC[AES256_GCM,data:/DOQjxWeh0IUYOH1YdNFapnXesc6pA3iFLZrl44at597294r9ky98/Olekn/e8hUPrLzSO5XnhYSJAUQYRXj,iv:ry4//bHdSwXObF3TlFXd7rigeSKXf3N+cVrZ2nSM4cY=,tag:KreCzUIKWhaz/VuODEYr6A==,type:str]",
+			"pixelDefault": "ENC[AES256_GCM,data:/5UP+VDHE5iOF5NztSL/WLqjrXlHLP/SLtjbIzjAEUtMAXC5TQEtsYASPE6xM6RACFyqHoF2HoVZmBrlv//A,iv:2iVbIQ9IJnyGMpGdlQEYGcFZZe0mofL5Jq6f/UjfwVQ=,tag:WMeWFFi0YB0LOHtmOWMf4Q==,type:str]",
+			"pixelGooglor": "ENC[AES256_GCM,data:9R9xyss0KEbR7hfxCs8oDJX9vG4Idnk/fwOr/k3swvzJ8y3qNRRzqMm6Joxv4BUEgwNH7xzV/wXSn3By+aIe,iv:WN5Ob/Gq+R8GoHivc4vlisRTPT6Wb9lSfb9XBNMNrx0=,tag:fr7sZBOr+6iPlNO9IQU2DQ==,type:str]"
+		}
+	},
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1r26dvz9zd2ds87clnqd9kxln6hyp9dtyvcfsmp9k894lkws9c49qy3yyrv",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0eldLbkg3ODlkU0NNSG4v\nOGt6ZldNR09CRDhMK2daeklpZlZmSTh1cVNrCkhBZkU4azV3aDZ5THhwdUpicng1\nSHBDS0c2cG9Qamx2UE94a3RJbHhqZVkKLS0tIFU4Sm4wWE9qNmYvc1A3UzF2Y2NP\ncTRFUEU0YmZQUmxVc09LMklwU0p5bFUK0mkyYcfRBR+Nto9/hKjW8ibFu1sXJOOi\ncCVNtXoZMvpsdBvUnNdjdaOtntg9hjhhZhWx6q4jzIGE88fkMAL+IA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age12p2494hhhjcw28w4kg5q3rv3xtv7gmpyxags9s9ta8c3rc0g4qrst20cvw",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBreEovNWlSUUwrMS9ZcmIz\nZDdhU0t1TGJTcjBCbUV0VnRET09pNzdmckJjClZjMmdubVJTQ285dDFEOE9sUmVN\nQVozQmU3a0h2bldIL1Z6QTJhdHRoa00KLS0tIFhNeUMxU091c2w4MnZqeU9JQ2Ur\nR0tPZ3FnZFVObll1SS9TZVBTV2FjQW8Kd2tgtXWznbtbq2CU6Niiaw+ekkI3hfrp\n9SDTVzv30pDVmldXaxAZ9nrJQaqRHdF7hgtg+/gSL7yjCBUL4ECVXQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-05-16T15:14:00Z",
+		"mac": "ENC[AES256_GCM,data:ubh98AdyVK5aRV+vJuJL2++t0oV4RRck1TEpykkTuZ6t6W7F5SOPeDTurtn5ZEs2enFg4oPxREzAB6UoKZDbJdr+uNVGUPfQvJNDWcmj6JDDvdktRxEQ3QPktdKBHoBxEtRAGmirOUkmwc3uGnSHeZFVgJuweCQiHKSUQ60oqjo=,iv:fwIo+JB8lfhPAp6OfS7ci2rRVmHdU+99LM5stBBQhho=,tag:DYAAYUXTPVxAsmXQMUNK3g==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.8.1"
+	}
+}