sync: Init

.sops.yaml

@@ -1,15 +1,24 @@
 keys:
   - &peter age1d085lpynkxxf0mfus0rd3qq0r38clwz9d5ddrl79x982z00j6qsqq8f54g
   - &system_mns age1s7xs405mkw2gagclktekz27lxhh38se7adrkdfc0x2l28j9xsvdqcdrsyr
+  - &system_sync age1ap6uwhhy4uvq72hwyts7gzl027mnypakvj6svphgw2fm8jk72v7qtccs76
+
 creation_rules:
   - path_regex: secrets/common.(yaml|json|env|ini)$
     key_groups:
     - age:
       - *peter
       - *system_mns
+      - *system_sync
 
   - path_regex: secrets/[^/]+\.mns.(yaml|json|env|ini)$
     key_groups:
     - age:
       - *peter
       - *system_mns
+
+  - path_regex: secrets/[^/]+\.sync.(yaml|json|env|ini)$
+    key_groups:
+    - age:
+      - *peter
+      - *system_sync

flake.nix

@@ -32,6 +32,14 @@
             self.nixosModules.common
           ];
         };
+        sync = nixpkgs.lib.nixosSystem {
+          specialArgs = { inherit inputs outputs; };
+          system = "x86_64-linux";
+          modules = [
+            ./nodes/sync
+            self.nixosModules.common
+          ];
+        };
       };
 
       nixosModules = {

nodes/sync/default.nix

@@ -0,0 +1,12 @@
+{
+  imports = [
+    # ./backup.nix
+    ./disko.nix
+    ./hardware-configuration.nix
+    ./mount.nix
+    ./networking.nix
+    ./syncthing.nix
+  ];
+
+
+}

nodes/sync/disko.nix

@@ -0,0 +1,34 @@
+{
+  disko.devices = {
+    disk = {
+      sda = {
+        device = "/dev/sda";
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              label = "EFI";
+              type = "EF00";
+              size = "500M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              label = "NIXOS";
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

nodes/sync/hardware-configuration.nix

@@ -0,0 +1,18 @@
+{ config, lib, pkgs, modulesPath, ... }:
+{
+  imports =
+    [
+      (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

nodes/sync/mount.nix

@@ -0,0 +1,23 @@
+{ inputs
+, pkgs
+, config
+, ...
+}:
+{
+  sops.secrets."storagebox" = {
+    neededForUsers = true;
+    sopsFile = "${inputs.self}/secrets/mount.sync.yaml";
+  };
+  environment.systemPackages = [ pkgs.cifs-utils ];
+  fileSystems."/mnt/share" = {
+    device = "//u351929.your-storagebox.de/backup";
+    fsType = "cifs";
+    options =
+      let
+        # this line prevents hanging on network split
+        automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+
+      in
+      [ "${automount_opts},uid=237,credentials=${config.sops.secrets."storagebox".path}" ];
+  };
+}

nodes/sync/networking.nix

@@ -0,0 +1,40 @@
+{ lib
+, ...
+}:
+{
+  networking = {
+    useNetworkd = true;
+    useDHCP = false;
+    hostName = "sync";
+    usePredictableInterfaceNames = lib.mkDefault false;
+    domain = "xnee.de";
+    nameservers = [
+      #HETZNER
+      "2a01:4ff:ff00::add:2"
+      "2a01:4ff:ff00::add:1"
+    ];
+    dhcpcd.enable = false;
+  };
+  systemd.network = {
+    enable = true;
+    networks."10-wan" = {
+      networkConfig.DHCP = "no";
+      matchConfig.Name = "eth0";
+      address = [
+        "2a01:4f9:c011:aeba::1/64"
+        "135.181.206.213/32"
+      ];
+      routes = [
+        { routeConfig.Gateway = "fe80::1"; }
+        { routeConfig = { Destination = "172.31.1.1"; }; }
+        {
+          routeConfig = {
+            Gateway = "172.31.1.1";
+            GatewayOnLink = true;
+          };
+        }
+      ];
+      linkConfig.RequiredForOnline = "routable";
+    };
+  };
+}

nodes/sync/syncthing.nix

@@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }:
+let
+  domain = "sync.xnee.de";
+in
+{
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+  services.caddy = {
+    enable = true;
+    virtualHosts = {
+      "sync.xnee.de" = {
+        extraConfig = ''
+          reverse_proxy http://localhost:8384 {
+            header_up Host {upstream_hostport}
+          } 
+        '';
+      };
+    };
+  };
+
+  services.syncthing = {
+    enable = true;
+    dataDir = "/mnt/share";
+    guiAddress = "127.0.0.1:8384";
+    settings = {
+      devices = {
+        kleeblatt = {
+          name = "kleeblatt.xnee.net";
+          id = "ZMOLUG3-6LSPE3R-FRAO253-HEFQ4FC-Y6XS7ED-P5WWKKJ-NHPAL3U-CKOKSAH";
+        };
+        hasenpfote = {
+          name = "hasenpfote.xnee.net";
+          id = "LAXQGRV-P7YOQLX-OACH3ZD-RHOQHFI-T233PKG-FKVKOMM-HQHM2FT-E7P6FAV";
+        };
+        tab_s8_xnee_de = {
+          name = "Tab S8";
+          id = "TWRW63W-65RC4D4-76XRSPS-RCLMBF2-4W3GLAV-4M2DN36-R3BHNZM-ZXDLQAB";
+        };
+        win11_desktop_xnee_de = {
+          name = "Win11@Desktop";
+          id = "7LVG6JG-N7GRS45-B3THPPH-THPNTKJ-SHL5PX2-AMEVKWP-F24PED6-74CWNAV";
+        };
+      };
+      folders = {
+        keepass = {
+          id = "56n2x-jhoz6";
+          path = "~/keepass";
+          devices = [ "kleeblatt" "hasenpfote" "tab_s8_xnee_de" "win11_desktop_xnee_de" ];
+        };
+        obsidianvault = {
+          id = "esczl-qkfaz";
+          path = "~/obsidianvault";
+          devices = [ "kleeblatt" "hasenpfote" "tab_s8_xnee_de" "win11_desktop_xnee_de" ];
+        };
+        dcim = {
+          id = "vpehd-xcue1";
+          path = "~/dcim";
+          devices = [ "kleeblatt" "hasenpfote" "tab_s8_xnee_de" "win11_desktop_xnee_de" ];
+        };
+      };
+    };
+  };
+}

secrets/common.yaml

@@ -14,20 +14,29 @@ sops:
         - recipient: age1d085lpynkxxf0mfus0rd3qq0r38clwz9d5ddrl79x982z00j6qsqq8f54g
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaLzFVK1Zxa0s5YjJ1Vk1K
-            Vy9FNXpVR053eUlvOEdvS0lwQTVHdkVTU2xZCkF5SWNlTmEvVFpXd2hUYVFVcncv
-            NDNpdHZvY080N3gyL0NjNmVQdHFHMlkKLS0tIGZPaGNsQnh4R2xTRnZNVThZSVlj
-            MTFtc3lpOHF3cmF0WnU5d2tlbVV1MGMKc6OLD+yqFbgzzbDsleOvcNjcSyHvELml
-            2ldIRXLSFt9hA/feP8N06Ql1FmZuCl04zZnJOlNnvwIWd+knT5oCfw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByaEZFVjM5TnJ5V1huY0cx
+            Q3E4WERJNzJ5YTRQeXlxVlpPRWY3SWcyZGhRCms1VEZPUTVhWE1ia1pzN3FIdjl5
+            NUxoMkdzQjBnQkRGcjVPUVg3aVFaU1EKLS0tIE1hQ3VRc2pIVFVRYnUyTk9TZ2lC
+            RDdyL0tvVUJ2YUdXM3k5ZmpFQ2tvLzQKsKTnfnUPr8B/EckxvukpUAFJ9JuEx1xO
+            a9BS1+uN6iH3z3OyZBRUoAG8Umxhj7vD3mQS30QoNXkjvuEf8whTcA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1s7xs405mkw2gagclktekz27lxhh38se7adrkdfc0x2l28j9xsvdqcdrsyr
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoNnh3U254aER6VWthWVla
-            L296U09rUnBad1d1UTdiVlZMSTJDajhTOVc0CnZOa2lwRzF4eDNIdDl5RDYxUXBp
-            TjRFa3ZUTEhhNG9DUmVIZnhKSDE1R3MKLS0tIFZQWHE1Z2VzVGw4WFp2MDdCRWZt
-            aituK29BSi8wMUY4K2dDSWk5dERvc3cK0axyp2UnE3ssSvcapcdHnrR9G8n3THzm
-            XbLG8PHt8ZBGlhX2P7dATkT92VrXEyI/mAJpnHmgMMpYqoMclNbkXw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArYXNIZ1owMkovWHZJQ0pn
+            b3NuSm9JSjVQV2NQanRYbkZJVExmUHRUbHgwCjRHMGhXNGdwdU5ORm5TOVpndkVx
+            ZTcxSFFFa1JJRmZ0TWN0VEJIYVY2Z0EKLS0tIGozNXd6ZHdsdmd0YXk1eVZGdjdE
+            UGduTHl5NWYrVTc1VGVrT2E3Y3BXVFEKTiHFviQ6wIvL9F97xQ9grzcIUVnKhsPl
+            TTECSIYGA4sDZlNIJDpXyXX2sxEsi+czpU4AemiEbEgZjPj/B5QHpQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ap6uwhhy4uvq72hwyts7gzl027mnypakvj6svphgw2fm8jk72v7qtccs76
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtV05CSHZRcGRkN2JjTEtr
+            RmtEbFhQemRqYmYvMmdxTVJHbmo2MnQ3Smk4Cm5JTTdNN1VaM3ZqYVpBVWNLOG45
+            ejFQaER2VGdMQzNaM3RmUUMxQW10OUEKLS0tIGxxcy9zOHUyS2pBcW9yVXJPSmwv
+            bk9aNU5PTzdSQjVtVWREckpOTVYrWVUKdBl4Y29KzEOIHiAjdo/v4kp9uPsld4j7
+            TfAYXtZNN7pigXrk6JHsjVFGMSGe2Pwuto0BtiJcdxzPrYgbKfwY7Q==
             -----END AGE ENCRYPTED FILE-----
     lastmodified: "2024-02-19T17:41:41Z"
     mac: ENC[AES256_GCM,data:S8PWuHdD4HFuluWiAE+iBncltTVHz73k+hN3ssuCuTgZw3aRiEXugcGBTn8VxG6m+CUiJhFqd0AW+93ic5C0mgnMTnHA8OJsIPxtj0qvpV76kMhkUr68himtoKHnrjwj6B6Eh3RXRP8qtuaYkmopNQU416TISP+lZNfqJAUxmW8=,iv:8T9JyGI90+/lYI4QHnXl59Hwj74h54NHe99eWh3VvW0=,tag:3MImaroxs6wTOILiRdKoZw==,type:str]

secrets/mount.sync.yaml

@@ -0,0 +1,30 @@
+storagebox: ENC[AES256_GCM,data:MJCHyYDvyySm7axUDkgLh9F8Imw3+NQz/CGef4Lo7On2dH447rL2d1Ws,iv:6Ar2/wG4VoFeyevYLX8XoGRuBhHaZve7ee8Akxtzwi8=,tag:46GAdKZ3yfnrubEbOMG8Rg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1d085lpynkxxf0mfus0rd3qq0r38clwz9d5ddrl79x982z00j6qsqq8f54g
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvdndDY3A0SzNKNlpkWFJY
+            T0g5SXNiZHF2YkZNZy9PeHNTSWh3NFJ0MVZnClk5YUk4djJSQjF4d0VEK3FPbm11
+            ZUFPS0x5RE1yYUJIWG1SMThGYnZmVTAKLS0tIDF0VWI3U1oyb2F2TWZwY2JKNWwz
+            VjBJOVdyL00rL3cwcnNDWXlVWldlRmMKd281qvbSyTAfU9sod7A+HEJXyACScYQ/
+            VDxjb6q5T2TxsucYilbKs/R6OvwweQ+kRuFGkp7h8xxsl/C2etP0Aw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1ap6uwhhy4uvq72hwyts7gzl027mnypakvj6svphgw2fm8jk72v7qtccs76
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXQTlIalk4TDZTNW5DeHhI
+            VU9lbGVTRC9MZldBVnEwT2h2eFhkcDRPcHo4CjF3dmtrYk9sOHRXUkY4dkxILzJT
+            eUdaRXRBcHRrYVdpamgrK0k2dE9xL00KLS0tIFdvV0xUWnVISXo0eUpJS1lDMWtF
+            TWw4YnVRcEV3b0J5VmJGaTkvMWx1U0kKadJQi9phyEisv0JTrVPF6/syUgp6i4VO
+            3rGwYDWrmtV/Zq+DBVKPKenS5OlMQMM/HhiFiKI8CSjt0an0nbtd9g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-07T11:42:25Z"
+    mac: ENC[AES256_GCM,data:5bHMoxqEOCqHZt12ajhWaMC3gm0LPiARnNscVvXBmi42bnyob1BPZ2rRYv4nyiCb41yuDAQCNc7BDBhMVif1ATUnaEV67wQAe+7LHrIaoozcA0bA1040FD7HJi/DpKw6elFiSxefj706DW+nmShawZ7+153umOlFrcvKq1eG96A=,iv:BLCFmq4XwHeOmGu91slvWnYxaIuxzLFitllsr7xuD4c=,tag:VWMuzt9B4ab+Pg36Gv4tYg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1