syncthing setup

2025-12-30 13:54:59 +01:00 · 2025-12-30 13:54:59 +01:00 · 52c074f973
commit 52c074f973
parent 24df8a251b
19 changed files with 244 additions and 16 deletions
--- a/mod/common/users.nix
+++ b/mod/common/users.nix
@ -23,7 +23,7 @@ with lib;
        extraGroups = [ "wheel" ];
        shell = pkgs.fish;
        packages = [ ];
-        openssh.authorizedKeys.keys = var.ssh-keys.trusted;
+        openssh.authorizedKeys.keys = var.ssh-keys.trusted-hd;
        hashedPasswordFile = config.age.secrets.hd-password.path;
      };
      users.root = {
--- a/mod/default.nix
+++ b/mod/default.nix
@ -5,5 +5,6 @@
    ./common
    ./desktop
    ./nginx.nix
+    ./syncthing.nix
  ];
 }
--- a/mod/syncthing.nix
+++ b/mod/syncthing.nix
@ -0,0 +1,65 @@
+{
+  var,
+  config,
+  lib,
+  secrets,
+  ...
+}:
+let
+  cfg = config.services.syncthing;
+  this = config.networking.hostName;
+
+  is-managed = builtins.elem this var.syncthing-managed-clients.managed_clients;
+  is-server = this == "roam";
+  devices = lib.attrNames var.syncthing;
+  devices-without-this = lib.remove this devices;
+  type-encrypt = if is-server then "receiveencrypted" else "sendreceive";
+  devices-encrypt =
+    if is-server then
+      devices-without-this
+    else
+      lib.remove "roam" devices-without-this
+      ++ [
+        {
+          name = "roam";
+          encryptionPasswordFile = config.age.secrets.syncthing-password.path;
+        }
+      ];
+
+  folders = {
+    documents = {
+      id = "documents-hd";
+      path = if is-server then "/data/sync/documents-hd" else "/home/hd/Documents";
+      type = type-encrypt;
+      devices = devices-encrypt;
+      versioning = {
+        type = "simple";
+        params.keep = "10";
+      };
+    };
+  };
+in
+{
+  age.secrets.syncthing-password = lib.mkIf (cfg.enable && !is-server) {
+    file = secrets."syncthing-password.age";
+    mode = "440";
+    owner = config.services.syncthing.user;
+    group = config.services.syncthing.group;
+  };
+
+  age.secrets.syncthing-key = lib.mkIf (cfg.enable && is-managed) {
+    file = secrets.syncthing."${this}.age";
+    mode = "440";
+    owner = config.services.syncthing.user;
+    group = config.services.syncthing.group;
+  };
+
+  services.syncthing = lib.mkIf cfg.enable {
+    inherit folders;
+    settings = {
+      devices = var.syncthing;
+    };
+    key = lib.optionalAttrs is-managed config.age.secrets.syncthing-key.path;
+    cert = lib.optionalAttrs is-managed "${../pki/syncthing + "/${this}.cert"}";
+  };
+}