Sops-Nix

system-modules/hsmw.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, system, host, user, allowed, secrets, ... }: 
+{ pkgs, lib, host, secrets, ... }: 
 lib.mkIf (host != "NxACE") 
 {
   environment.systemPackages = [

system-modules/sops.nix

@@ -1,8 +1,25 @@
-{ pkgs, ... }:
+{ pkgs, user, ... }:
 {
   environment.systemPackages = with pkgs; [
     age
     ssh-to-age   
     sops
   ];
+  sops = {
+    defaultSopsFile = ../sops-secrets.yaml;
+    defaultSopsFormat = "yaml";
+    # age = {
+    #   # keyFile = "/home/${user}/.config/sops/age/keys.txt";
+    #   # keyFile = "/var/lib/sops-nix/key.txt";
+    #   # keyFile = "/home/${user}/.config/sops/age/age-public-key-from-ssh-A-subkey.txt";
+    #   sshKeyPaths = [ ];
+    #   # sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    #   # generateKey = true;
+    # };
+    # gnupg = {
+    #   sshKeyPaths = [];
+    #   home = "/home/${user}/.gnupg";
+    # };
+    secrets.example = {}; 
+  };
 }

system-modules/sshd.nix

@@ -1,9 +1,19 @@
-{ config, pkgs, lib, secrets, ... }:
+{ host, secrets, ... }:
 
 {
+  environment.etc."ssh/ssh_host_ed25519_key.pub".text = if (host == "NxNORTH") then
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF1r5gUQPPS/dGB0SsvWtP6WdNWoxMwhhHRrqlO19cJt root@NxNORTH"
+    else if ( host == "NxXPS") then
+    ""
+    else 
+    "";
+  sops.secrets."ssh/${host}-ssh_host_ed25519_key" = {
+    mode = "0600";
+    path = "/etc/ssh/ssh_host_ed25519_key.shadow";
+  };
   services.openssh = {
     enable = true;
-    ports = secrets.nx2site.ssh.ports;
+    ports = secrets.ssh.ports;
     settings = {
       PasswordAuthentication = false;
     };

system-modules/syncthing.nix

@@ -1,37 +1,56 @@
-{ pkgs, lib, user, host, secrets, ...}:
+{ config, pkgs, lib, user, host, secrets, ...}:
 let 
-  devices = {
-    north = { name = "NxNORTH"; id = ""; };
-    xps = { name = "NxXPS"; id = ""; };
-    ace = { name = "NxACE"; id = ""; };
-    s21u = { name = "NxS21U"; id = ""; };
-    diane = { name = "diane"; id = ""; };
-    daniel = { name = "daniel"; id = ""; };
-    tessa = { name = "tessa"; id = ""; };
-    georg = { name = "georg"; id = ""; };
-  };
+  # helper funcitons
   conv = _: device: with device; { "${name}" = {id = id;};}; 
+  justname = devices: (builtins.map (device: device.name)) devices;
+  todevice = key: name: { inherit name; id = secrets.syncthing.id.${key}; };
+  
+  devices = builtins.mapAttrs todevice {
+    north = "NxNORTH";
+    xps = "NxXPS";
+    ace = "NxACE";
+    s21u = "NxS21U";
+    diane = "diane";
+    daniel = "daniel";
+    tessa = "tessa";
+    georg = "georg";
+  };
+
   dirs = {
     default = { name = "sync"; path = "/home/${user}/sync"; };
   };
-  justname = devices: (builtins.map (device: device.name)) devices;
-  cd = /home/${user}/.config/syncthing;
+  cd = "/home/${user}/.config/syncthing";
 in 
 lib.mkIf (user != "tv")
 {
-  services.syncthing = {
+
+  sops.secrets = {
+    "syncthing/${host}-cert.pem" = {
+      owner = user;
+      # path = "/home/${user}/.config/syncthing/cert.pem";
+    };
+    "syncthing/${host}-key.pem" = {
+      owner = user;
+      # path = "/home/${user}/.config/syncthing/key.pem";
+    };
+  };
+
+  services.syncthing = with (builtins.mapAttrs conv devices); {
     enable = true;
     user = "${user}";
     dataDir = "/home/${user}/.local/share/syncthing"; # useless ?
     configDir = cd; 
-    # key = builtins.toFile "key.pem" secrets.syncthing.${host}.key;
-    # cert = builtins.toFile "cert.pem" secrets.syncthing.${host}.cert;
-    # overrideDevices = true;    
-    # overrideFolders = true;    
+    # key = "/home/${user}/.config/syncthing/key.pem";
+    # cert = "/home/${user}/.config/syncthing/cert.pem";
+    key = config.sops.secrets."syncthing/${host}-key.pem".path;
+    cert = config.sops.secrets."syncthing/${host}-cert.pem".path;
+    overrideDevices = true;    
+    overrideFolders = true;    
+    guiAddress = if ( host == "NxACE" ) then "0.0.0.0:8384" else "127.0.0.1:8384";
     settings = {
       devices = with (builtins.mapAttrs conv devices); if (host == "NxXPS") then (
         north // ace // s21u
-      ) else if (host == "NxNORTH") then (
+      ) else if (host == "NxNORTH") then (        
         xps // ace // s21u
       ) else (
         north // xps // s21u // diane // daniel // tessa // georg 
@@ -41,11 +60,26 @@ lib.mkIf (user != "tv")
           path = default.path;
           devices = with devices; (justname [ north ace s21u ]);     
         };
+      } else if (host == "NxNORTH") then {
+        "${default.name}" = {        
+          path = default.path;
+          devices = with devices; (justname [  s21u ]);
+          # devices = with devices; (justname [ xps ace s21u ]);
+        };
       } else {
-        what = "dman";
+        "${default.name}" = {        
+          path = default.path;
+          devices = with devices; (justname [ xps north s21u ]);
+        };
+      };
+      gui = {
+        theme = "black";
+        user = user;
+        password = secrets.syncthing.gui-password; # option to use a file is till in the works... https://github.com/NixOS/nixpkgs/issues/85336
       };
     };
   };
-  
+
+  systemd.services."syncthing".after = [ "sops-nix.service" ];
 }