syncthing setup

2025-12-30 13:54:59 +01:00 · 2025-12-30 13:54:59 +01:00 · 52c074f973
commit 52c074f973
parent 24df8a251b
19 changed files with 244 additions and 16 deletions
--- a/var/default.nix
+++ b/var/default.nix
@ -1,13 +1,20 @@
-{ ... }@inputs:
+{
+  lib ? null,
+}:
 let
-  inputs' = inputs // {
+  lib' = if builtins.isNull lib then (import <nixpkgs> { }).lib else lib;
+  inputs' = {
+    lib = lib';
    var = outputs;
  };
+  load-var = x: import x inputs';
  # watch out for cycles
  outputs = {
-    "lan-dns" = import ./lan-dns.nix inputs';
-    "ssh-keys" = import ./ssh-keys.nix inputs';
-    "wg" = import ./wg.nix inputs';
+    "lan-dns" = load-var ./lan-dns.nix;
+    "ssh-keys" = load-var ./ssh-keys.nix;
+    "wg" = load-var ./wg.nix;
+    "syncthing" = load-var ./syncthing.nix;
+    "syncthing-managed-clients" = lib'.importJSON ./syncthing-managed-clients.json;
  };
 in
 outputs
--- a/var/lan-dns.nix
+++ b/var/lan-dns.nix
@ -7,6 +7,7 @@ let
  }) var.wg.ips;
  custom-hosts = with var.wg.ips; {
    "git.lan" = roam;
+    "syncthing.roam.lan" = roam;
  };
 in
 rec {
--- a/var/ssh-keys.nix
+++ b/var/ssh-keys.nix
@ -16,12 +16,15 @@ let
    };
  };
  keys' = mkKeys keys;
+  mkTrusted =
+    user: with keys'.by-host.${user}; [
+      solo
+      c2
+      fw
+    ];
 in
 keys'
 // {
-  trusted = with keys'.by-host.hd; [
-    solo
-    c2
-    fw
-  ];
+  trusted-hd = mkTrusted "hd";
+  trusted-root = mkTrusted "root";
 }
--- a/var/syncthing-managed-clients.json
+++ b/var/syncthing-managed-clients.json
@ -0,0 +1,10 @@
+{
+  "managed_clients": [
+    "fw",
+    "roam"
+  ],
+  "hashes": {
+    "fw": "YZGGXOT-MPFD7O4-ACLGOGT-LIMZVD3-7JBSZZR-LFCFWQL-BLO435I-LLH6GAL",
+    "roam": "HMB7ZRF-OODFHHW-2QCIFFJ-M7COVK5-YUB3GKT-SI56D2U-CPTTJEP-R3ZKOQ7"
+  }
+}
--- a/var/syncthing.nix
+++ b/var/syncthing.nix
@ -0,0 +1,18 @@
+{ var, lib, ... }:
+let
+  inherit (var.syncthing-managed-clients) managed_clients hashes;
+  unmanaged = {
+    # "roam".id = "OIKOKOT-LY4JWPX-T7OXE4D-I4ZC3IR-ZLMKFCO-IXSVEYZ-Y3FZOUB-LIG2XAO";
+  };
+in
+assert (
+  lib.assertMsg (
+    builtins.attrNames hashes == managed_clients
+  ) "Not all declaratively configured syncthing clients have keys. Rerun ./bin/gen-syncthing-cert"
+);
+assert (
+  lib.assertMsg (
+    [ ] == (lib.intersectLists managed_clients (builtins.attrNames unmanaged))
+  ) "Syncthing clients must either be unmanaged or declaratively configured."
+);
+unmanaged // builtins.mapAttrs (_: v: { id = v; }) hashes