Common/syncthing: use key and cert from secrets

Common: set up secrets
WinMax2: mount persist subvolume
2024-02-19 14:02:34 +01:00 · 2024-02-19 14:02:34 +01:00 · 2024-02-19 14:02:34 +01:00 · 2024-02-19 14:02:28 +01:00
5 changed files with 39 additions and 10 deletions
--- a/flake.lock
+++ b/flake.lock
@ -411,9 +411,26 @@
        "nixpkgs-unstable-raw": "nixpkgs-unstable-raw",
        "nur": "nur",
        "plasma-manager": "plasma-manager",
+        "secrets": "secrets",
        "vscode-extensions": "vscode-extensions"
      }
    },
+    "secrets": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1708347322,
+        "narHash": "sha256-30rLLNMGvVz8xbklqRpA3uE6UDneAUGFz7dCmH9YbA8=",
+        "ref": "refs/heads/main",
+        "rev": "409536f1d2b8ffe741fe47b8701ba28137f9de38",
+        "revCount": 3,
+        "type": "git",
+        "url": "http://git.everest.sable-pancake.ts.net/Toast/nix-secrets"
+      },
+      "original": {
+        "type": "git",
+        "url": "http://git.everest.sable-pancake.ts.net/Toast/nix-secrets"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -2,6 +2,10 @@
 	description = "Configuration for Everest";

 	inputs = {
+		secrets = {
+			url = "git+http://git.everest.sable-pancake.ts.net/Toast/nix-secrets";
+			flake = false;
+		};
 		nixpkgs-raw.url = "nixpkgs/nixos-23.11";
 		nixpkgs-unstable-raw.url = "nixpkgs/nixos-unstable";

--- a/machines/WinMax2/hardware-configuration.nix
+++ b/machines/WinMax2/hardware-configuration.nix
@ -43,12 +43,12 @@ in
 			fsType = "btrfs";
 			options = [ "subvol=@" ];
 		};
-		/*"btrfs_boot" = {
-			mountPoint = "/boot";
+		"btrfs_persist" = {
+			mountPoint = "/persist";
 			label = ssdLabel;
 			fsType = "btrfs";
-			options = [ "subvol=@boot" ];
-		};*/
+			options = [ "subvol=@persist" ];
+		};
 		"btrfs_home" = {
 			mountPoint = "/home";
 			label = ssdLabel;
--- a/roles/common/configuration.nix
+++ b/roles/common/configuration.nix
@ -105,11 +105,7 @@
 	# Set up secrets
 	age = {
 		identityPaths = [ 
-			"/etc/ssh/ssh_host_rsa_key"
-			"/etc/ssh/ssh_host_ed25519_key"
-			# This key has a passcode, so if you need to use it you'll have to 
-			# enter the password A LOT of times. Only on the first setup tho
-			"/tmp/id_ed25519_bootstrap"
+			"/persist/id_host"
 		];
 	};

--- a/roles/common/services/syncthing.nix
+++ b/roles/common/services/syncthing.nix
@ -1,7 +1,19 @@
-{ config, ... }:
+{ config, flakeSelf, ... }:
+
+let
+	hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName;
+in

 {
+	# Get secrets
+	age.secrets = {
+		syncthingKey.file = hostSecrets + "/syncthingKey.age";
+		syncthingCert.file = hostSecrets + "/syncthingCert.age";
+	};
+
 	services.syncthing = {
+		key = config.age.secrets.syncthingKey.path;
+		cert = config.age.secrets.syncthingCert.path;
 		overrideDevices = true;
 		overrideFolders = true;
 		openDefaultPorts = true;
Author	SHA1	Message	Date
Toast	436c1785a8	Common/syncthing: use key and cert from secrets	2024-02-19 14:02:34 +01:00
Toast	2f0230c401	Common: set up secrets	2024-02-19 14:02:34 +01:00
Toast	a1f41b6295	WinMax2: mount persist subvolume	2024-02-19 14:02:34 +01:00
Toast	8a8b69b79b	Flake: add secrets repo	2024-02-19 14:02:28 +01:00