-rw-r--r--ivi/ivi.nix30
-rw-r--r--machines/lemptop.nix29
-rw-r--r--machines/pump.nix19
-rw-r--r--profiles/core/configuration.nix3
-rw-r--r--profiles/core/syncthing.nix14
-rw-r--r--secrets/syncthing.yaml40
6 files changed, 110 insertions, 25 deletions
diff --git a/ivi/ivi.nix b/ivi/ivi.nix
index aed089d..a12ce35 100644
--- a/ivi/ivi.nix
+++ b/ivi/ivi.nix
@@ -119,17 +119,14 @@ self: lib: with lib; let
nodeKey = "nodekey:3e76e1ec73bc5dcf358948ddc03aefcc349f59fdeeae513e55bd637e01c0e64d";
};
};
- lemptop = {
- isStation = true;
+ serber = {
+ isServer = true;
profiles = [
"core"
- "station"
- "email"
+ "server"
];
- syncthing = {
- enable = true;
- id = "45TTOOY-YAJCVGX-GGM2Z2M-2YUYDOR-GGFPHFH-TOCCBGQ-A4A2NUB-GEKLGQQ";
- };
+ ipv4 = [ "65.108.155.179" ];
+ ipv6 = [ "2a01:4f9:c010:d2b5::1" ];
};
work = {
isDarwin = true;
@@ -141,14 +138,17 @@ self: lib: with lib; let
id = "GR5MHK2-HDCFX4I-Y7JYKDN-EFTQFG6-24CXSHB-M5C6R3G-2GWX5ED-VEPAQA7";
};
};
- serber = {
- isServer = true;
+ lemptop = {
+ isStation = true;
profiles = [
"core"
- "server"
+ "station"
+ "email"
];
- ipv4 = [ "65.108.155.179" ];
- ipv6 = [ "2a01:4f9:c010:d2b5::1" ];
+ syncthing = {
+ enable = true;
+ id = "45TTOOY-YAJCVGX-GGM2Z2M-2YUYDOR-GGFPHFH-TOCCBGQ-A4A2NUB-GEKLGQQ";
+ };
};
pump = {
isServer = true;
@@ -163,6 +163,10 @@ self: lib: with lib; let
ipv6 = "fd7a:115c:a1e0::e2da:915f";
nodeKey = "nodekey:dcd737aab30c21eb4f44a40193f3b16a8535ffe2fb5008904b39bb54e2da915e";
};
+ syncthing = {
+ enable = true;
+ id = "7USTCMT-QZTLGPL-5FCRKJW-BZUGMOS-H7D2TTK-F4COYPG-5D7VUO2-QFME2AS";
+ };
};
};
};
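Review bot: Adding `syncthing.enable = true` to what appears to be the `pump` entry makes that machine a Syncthing introducer on every peer, because `pump` has `isServer = true` and profiles/core/syncthing.nix sets `introducer = m.isServer`. Peers automatically accept devices that an introducer shares folders with, so a compromise of this server would extend to the folders it is shared on. If that is intended, a comment such as `# isServer => syncthing introducer; peers auto-accept devices this host introduces` would make the trust decision visible. If it is not, the introducer flag probably wants its own per-machine attribute rather than reusing `isServer`. The enclosing machine entry starts above this hunk.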
diff --git a/machines/lemptop.nix b/machines/lemptop.nix
index 667db8f..5c9b5e0 100644
--- a/machines/lemptop.nix
+++ b/machines/lemptop.nix
@@ -1,6 +1,3 @@
-# Do not modify this file! It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations. Please make changes
-# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
@@ -10,15 +7,35 @@
networking.nameservers = ["192.168.2.13"];
sops.age.keyFile = "${config.hm.xdg.configHome}/sops/age/keys.txt";
+ services.tailscale.enable = true;
+ networking.firewall = {
+ trustedInterfaces = [ "tailscale0" ];
+ allowedUDPPorts = [ config.services.tailscale.port ];
+ };
+ services.syncthing = {
+ cert = builtins.toFile "syncthing-cert" ''
+ -----BEGIN CERTIFICATE-----
+ MIICHDCCAaKgAwIBAgIIFZKAkMwT4FgwCgYIKoZIzj0EAwIwSjESMBAGA1UEChMJ
+ U3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdlbmVyYXRlZDESMBAG
+ A1UEAxMJc3luY3RoaW5nMB4XDTI0MDIxMTAwMDAwMFoXDTQ0MDIwNjAwMDAwMFow
+ SjESMBAGA1UEChMJU3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdl
+ bmVyYXRlZDESMBAGA1UEAxMJc3luY3RoaW5nMHYwEAYHKoZIzj0CAQYFK4EEACID
+ YgAE3vRYSYSQ0ZRPG97Bo9m+0LMVGGiJ3/2I+QBaWHe+pDMh3nB7cOV04z9s2q7z
+ MNjIsWYBPVUxIKFdIMfFN4svH2YpDt1Ps4AdfdPVUv/EsCIoyrtAc13Y64GJSKtF
+ GFKao1UwUzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+ AQUFBwMCMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJc3luY3RoaW5nMAoGCCqG
+ SM49BAMCA2gAMGUCMQDgWiqyibzhjXcbVVj0ZR8uITLTrZrrpUT13iiL674JK7uV
+ DRY28bmdBaZXrOPvOgICMDq8lNeqdQ/jq5CCLe+KJZdtJ/E4XWtls3av09XP+DXK
+ BtFKP2jvlC7HHtZMKManKQ==
+ -----END CERTIFICATE-----
+ '';
+ };
documentation.dev.enable = true;
networking.hostName = "lemptop";
networking.networkmanager.enable = true;
programs.slock.enable = true;
- services.transmission = {
- enable = true;
- };
services.xserver.enable = true;
services.xserver.displayManager.startx.enable = true;
services.xserver.libinput.enable = true;
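Review bot: `trustedInterfaces = [ "tailscale0" ]` exempts the whole interface from the firewall, so every service listening on lemptop becomes reachable from any node on the tailnet, not only Syncthing. If only sync traffic is meant to cross the tailnet, open the specific ports instead, e.g. `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [ 22000 ];` (22000 is Syncthing's default sync port; adjust if the listen address is changed elsewhere). Otherwise a comment stating that access control is delegated to the tailnet ACLs would document the decision.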
diff --git a/machines/pump.nix b/machines/pump.nix
index 69a2720..4045b79 100644
--- a/machines/pump.nix
+++ b/machines/pump.nix
@@ -12,6 +12,25 @@
settings.X11Forwarding = true;
};
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+ services.syncthing = {
+ cert = builtins.toFile "syncthing-cert" ''
+ -----BEGIN CERTIFICATE-----
+ MIICGzCCAaKgAwIBAgIIRGieK4FEhD0wCgYIKoZIzj0EAwIwSjESMBAGA1UEChMJ
+ U3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdlbmVyYXRlZDESMBAG
+ A1UEAxMJc3luY3RoaW5nMB4XDTI0MDIxMTAwMDAwMFoXDTQ0MDIwNjAwMDAwMFow
+ SjESMBAGA1UEChMJU3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdl
+ bmVyYXRlZDESMBAGA1UEAxMJc3luY3RoaW5nMHYwEAYHKoZIzj0CAQYFK4EEACID
+ YgAEH/4taBY2lcNBXZCxNOklTahIlhN+ypYMOqw7LNlKZVdv7JzRR67akp/F99mF
+ PA+IB1CQoPOTXUjnhm84Tob/8MoUA1jM5uspclxXG95eMw2J7E7svBEGJA2RsEQE
+ dsU3o1UwUzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
+ AQUFBwMCMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJc3luY3RoaW5nMAoGCCqG
+ SM49BAMCA2cAMGQCMCP0Ro0ZjGfQf9R3x3neKZzrJxkD11ZK9NBNTaeWAKbrhkjp
+ qqW9uTONfIOXZmgtrQIwf6Ykr934UA5I6Rk8qNV8d082n3FNMw1NgK9GmUv2XMZ5
+ eOpDAYJrhLx5jb7d3L4/
+ -----END CERTIFICATE-----
+ '';
+ };
+
networking.hostName = "pump";
networking.domain = "vinkies.net";
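Review bot: The certificate added here has to stay in step with two values kept elsewhere, and nothing in the hunk says so. Those are the private key in the `pump` entry of secrets/syncthing.yaml and the device `id` in ivi/ivi.nix, which Syncthing derives from this certificate. Regenerating one without the others breaks or changes the device identity that peers have pinned. A comment above `cert` such as `# pairs with secrets/syncthing.yaml:pump; device id in ivi/ivi.nix is derived from this cert` would help, and the same applies to the certificate in machines/lemptop.nix.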
diff --git a/profiles/core/configuration.nix b/profiles/core/configuration.nix
index 8d113cb..36dc255 100644
--- a/profiles/core/configuration.nix
+++ b/profiles/core/configuration.nix
@@ -1,4 +1,5 @@
{
+ machine,
config,
pkgs,
lib,
@@ -65,7 +66,7 @@
file
pstree
bc
- ] ++ optionals (!pkgs.stdenv.isDarwin) [
+ ] ++ optionals (!machine.isDarwin) [
pkgsi686Linux.glibc
gdb
pciutils
diff --git a/profiles/core/syncthing.nix b/profiles/core/syncthing.nix
index d735cca..e5c19f7 100644
--- a/profiles/core/syncthing.nix
+++ b/profiles/core/syncthing.nix
@@ -1,4 +1,4 @@
-{lib,...}: with lib; {
+{config, lib,...}: with lib; {
services.syncthing = {
enable = true;
user = ivi.username;
@@ -6,9 +6,13 @@
overrideDevices = true;
overrideFolders = true;
- devices = mapAttrs (_: m: {
- inherit (m.syncthing) id;
- introducer = m.isServer;
- }) (filterAttrs (_: m: m.syncthing.enable) ivi.machines);
+ key = config.secrets.syncthing.path;
+
+ settings = {
+ devices = mapAttrs (_: m: {
+ inherit (m.syncthing) id;
+ introducer = m.isServer;
+ }) (filterAttrs (_: m: m.syncthing.enable) ivi.machines);
+ };
};
}
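Review bot: `key = config.secrets.syncthing.path;` is set in the shared core profile, while the matching `cert` is only set in machines/lemptop.nix and machines/pump.nix, and secrets/syncthing.yaml only carries `lemptop` and `pump` entries. How `config.secrets.syncthing` is declared is not visible in this diff, but any other machine importing this profile would appear to get a key path with no secret behind it and no certificate. Guarding the assignment, e.g. `key = mkIf (config.services.syncthing.cert != null) config.secrets.syncthing.path;`, would make that dependency explicit. A comment naming where the per-host secret is selected would also do.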
diff --git a/secrets/syncthing.yaml b/secrets/syncthing.yaml
new file mode 100644
index 0000000..422eb06
--- /dev/null
+++ b/secrets/syncthing.yaml
@@ -0,0 +1,40 @@
+lemptop: ENC[AES256_GCM,data:3dmcPh8EtBYe2KQQ1HMddLey5Qdhtz7kGvMFZaqidMZ099ycd+EnXrHsJIRHoWFrGsRbBs6vgWytKX49JBcrl5im8u7Jw6AbFtCh81XOau8+EaKD+Z+uynRhbJ31y+AH5MTGIniM+7RviGUDeBM8oZAvtazbaiswckFkR8HrJ8WcGOi2xkq+HY/OIqTnBpy83Q7A0oD6YPfNjvFJUB0LJFU/mYfrbmADEkobeKQz57sHc22scjrfszWmxcgcjrriuqRReucClU9uQ3GO8bEMvWFT7epjZAkwht7Oq1K2U17kt6xsrqTWRPNwQsB3P2w7i5YQMBnGAtz0b9VC5hH8GyZJGBFLRkk0fzxhUL9SXRid2wvTKrCAoMnjWTCw8K2D,iv:ojRT/RzCcxQlGh2FFz5tdUYOq4bekGcmE8Hm9tUSrDg=,tag:jd/g0vpTCOmf2EdQCcpcZQ==,type:str]
+pump: ENC[AES256_GCM,data:2Vu1idorw/kMsDThT2ywGmdPMgQdDHQItpZRukpdiapcKxMa65U/AQzshkbuQVTN5AaDkMNnLQrrLt8qQY0QxhTpddc4+y1kLaVAE5G+8di/2GJiGKUAjHOwyX72BXqjkAYOZ6u96PThOs3PmyhHhiH5ge9ZpOh1zOG2CD4dzoMLHHPHgSv8NLuhZ3kuc3yE3a/YgMgs9NjCvL44Pks8ktVq9DZAJfJB+eRGJPA9k6sN1NP1vMW9RKnk6dI+ZwOz1OHnQvfyVqe/vJxG96m4ALq4oeqn003+me72GB4DO9GLx2IkAsK0Jw9ZoiiJDSfEMVGzhH348mZXfAsTTb2coN9+834V5tBIT9OVDx+cJfHF7+7sm1FHH+fkzbteSH4q,iv:2IY08X5IYjGPEEZYqB/Sa8B1GOkURQg8nqgRwgTJs5c=,tag:ey3TMSDpt5xuEB9eH1ylOw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age10q9wse8dh0749ffj576q775q496pycucxlla9rjdq5rd7f4csyhqqrmkk0
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwbUpEZUdYcFBnTGpBV2tj
+ S3krRktPSGhNQzZzckVNNnBnNk1XNUc0WlVrCnk0UTcvWlBkcys3YnBXSlBZTTYw
+ U2I2VWtoOFJrLzM5YU9MWGRRMTIrK3cKLS0tIGpTU3ZpcUEySmV5NEU0Zyt5U0NG
+ VWJBNUN4TWpvSERKaldodndkUkExTnMKMnp+JKihjhpiJVasD4eh+DK74Bmz1UdD
+ qGhLTZmRFnLTARQW+ozeOalNTtB5SdMgwsu3ewbb1eAUp9YcN8yuPw==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1vvr5amtuf7cyhsmc8ge8ujlzpuwvwhleqafrjg2e8mcevnq2zs3qzzqq5m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbFVmbGlqSzFHQm94ZTZW
+ Z3F4TkljY2dRckFuL1NoYytHTEhKV1YydlZZClpYaFB0bU1QSmMvNkdhOVFYci9X
+ UVduQk5IWG9TNy9yM1lzOGZaZzhIc3MKLS0tIGtROEd3c2pIVUtqd0Y2MUtMZUk5
+ c3F2QmRqRGExR3Z6REF4ZGp0NlZwRGsKWKI5YTuSYpSafW9VRfOgBOai11cGWQ2U
+ FOIKHinuvRQtHCGWTE5NMRpYYicNIJJ4w6a0q9p+1jTJ2xP7sgAOiQ==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1tzsvgxaxwvh4874d977fk0z7ghm4mqpm0c80vhxft87dv46p5uesq7mk42
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaS9yaDV3dHNOQmVNd002
+ emZoU0NuaUNUckdBV0FkTmpaSGM2Zlc1QUVVClp1bnZvWVRrTUhVS1FHRWl6T3BQ
+ YTJPalpYV3BlaDF5NVAxZHkxaWNSUDQKLS0tIDl2NHhwSVdpWGloMjNSTnk0UDVG
+ L1J2UnNuT1pFTkJFL2xvVTA2Vms2c28Krpo5CfIjPvPq1zduh3CiALLsCtjkx6Hv
+ py/kzJ8BGgTiwP25WfP62nhIctU/G3kLHhFf6eppS6asqsK/fRSwtg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-02-11T11:44:24Z"
+ mac: ENC[AES256_GCM,data:QLQt9uFoAVzUOOmCLDoEs5Dmqy0ll64Yb/kcRk38WxMhj6cX5q7WqKajiv0Ns5jWGTi0pq+KilZ+KPhTSPId/l+oKV1CGVrrlk+BrddEWQ+eLYPUph+ib/dl+qP4QPp0HHrpmfAOb3s3I1kJjFTj8oT2iLV5Nbp8U8FTm5AauP0=,iv:wKr5Xr9YQJKhGXZSoYSTwZ6W1LauaQ/5usPS1KH8s5g=,tag:oLB80fGkxKxT3DQa6LspsA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
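Review bot: Both hosts' Syncthing private keys sit in one sops file with a single recipient list, so every holder of one of the three age identities can decrypt both the `lemptop` and the `pump` key. Which identities belong to which machine is not visible here, but if the hosts are among them, either machine can recover the other's device key and present itself to peers as that device. Keeping one secrets file per host, each encrypted only to that host and the admin identity (via per-path creation rules in `.sops.yaml`), would limit a host compromise to its own key.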