migrated wireguard and syncthing

2023-05-12 11:17:58 +02:00 · 2023-05-12 11:17:58 +02:00 · cb1cfa902f
commit cb1cfa902f
parent d90842f276
10 changed files with 202 additions and 77 deletions
--- a/nixos/machines/chungus/configuration.nix
+++ b/nixos/machines/chungus/configuration.nix
@ -7,7 +7,7 @@
    ./disko-config.nix
    ./packages.nix

-    #./network-wireguard.nix
+    ./network-wireguard.nix
    ./network-tinc.nix

    ./hass.nix
@ -15,7 +15,6 @@
    ./hass-mqtt.nix
    #./hass-wifi.nix

-    #./syncthing.nix
    #./mail-fetcher.nix

    #./borg.nix
@ -25,7 +24,6 @@
    ./media-tdarr.nix
    ./media-jellyfin.nix

-
    # logging
    ./loki.nix
    ./loki-promtail.nix
@ -38,6 +36,7 @@
    ./rbackup.nix
    ./sync-torrent.nix
    ./sync-script.nix
+    ./syncthing.nix

  ];

--- a/nixos/machines/chungus/disko-config.nix
+++ b/nixos/machines/chungus/disko-config.nix
@ -117,7 +117,7 @@ in
              compression = "lz4";
              "com.sun:auto-snapshot:daily" = true;
              "com.sun:auto-snapshot:weekly" = true;
-              "com.sun:auto-snapshot:montly" = true;
+              "com.sun:auto-snapshot:monthly" = true;
            };
          };
          "nextcloud" = {
@ -129,7 +129,7 @@ in
              "com.sun:auto-snapshot:hourly" = true;
              "com.sun:auto-snapshot:daily" = true;
              "com.sun:auto-snapshot:weekly" = true;
-              "com.sun:auto-snapshot:montly" = true;
+              "com.sun:auto-snapshot:monthly" = true;
            };
          };
          "legacy" = {
@ -138,7 +138,7 @@ in
            options = {
              mountpoint = "legacy";
              compression = "lz4";
-              "com.sun:auto-snapshot:montly" = true;
+              "com.sun:auto-snapshot:monthly" = true;
            };
          };
          "borg" = {
@ -149,7 +149,18 @@ in
              compression = "lz4";
              "com.sun:auto-snapshot:daily" = true;
              "com.sun:auto-snapshot:weekly" = true;
-              "com.sun:auto-snapshot:montly" = true;
+              "com.sun:auto-snapshot:monthly" = true;
+            };
+          };
+          "syncthing" = {
+            type = "zfs_fs";
+            mountpoint = "/syncthing";
+            options = {
+              mountpoint = "legacy";
+              compression = "lz4";
+              "com.sun:auto-snapshot:daily" = true;
+              "com.sun:auto-snapshot:weekly" = true;
+              "com.sun:auto-snapshot:monthly" = true;
            };
          };
          "services" = {
--- a/nixos/machines/chungus/kiosk.nix
+++ b/nixos/machines/chungus/kiosk.nix
@ -0,0 +1 @@
+# https://dataswamp.org/~solene/2022-10-06-nixos-kiosk.html
--- a/nixos/machines/chungus/network-wireguard.nix
+++ b/nixos/machines/chungus/network-wireguard.nix
@ -0,0 +1,30 @@
+{ pkgs, config, ... }:
+{
+  networking.firewall.trustedInterfaces = [ "wg0" ];
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+  sops.secrets.wireguard_private = { };
+
+
+  # Enable WireGuard
+  networking.wg-quick.interfaces = {
+    # Hub and Spoke Setup
+    # https://www.procustodibus.com/blog/2020/11/wireguard-hub-and-spoke-config/
+    wg0 = {
+      address = [ "10.100.0.2/32" ];
+      listenPort = 51820; # to match firewall allowedUDPPorts (without this wg uses random port numbers)
+      privateKeyFile = config.sops.secrets.wireguard_private.path;
+      mtu = 1280;
+
+      # server
+      peers = [
+        {
+          # robi
+          publicKey = "uWR93xJe5oEbX3DsAYpOS9CuSg1VmXEQxJzdlJpe3DU=";
+          allowedIPs = [ "10.100.0.1/24" ];
+          endpoint = "ingolf-wagner.de:51820";
+          persistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+}
--- a/nixos/machines/chungus/syncthing.nix
+++ b/nixos/machines/chungus/syncthing.nix
@ -0,0 +1,55 @@
+{ config, pkgs, lib, ... }: {
+
+  services.syncthing = {
+    enable = true;
+    overrideFolders = true;
+    folders = {
+      # on encrypted drive
+      # ------------------
+      art = {
+        enable = true;
+        path = "/syncthing/art";
+      };
+      private = {
+        enable = true;
+        path = "/syncthing/private";
+      };
+      password-store = {
+        enable = true;
+        path = "/syncthing/password-store";
+      };
+      desktop = {
+        enable = true;
+        path = "/syncthing/desktop";
+      };
+      finance = {
+        enable = true;
+        path = "/syncthing/finance";
+      };
+      fotos = {
+        enable = true;
+        path = "/syncthing/fotos";
+      };
+      books = {
+        enable = true;
+        path = "/syncthing/books";
+      };
+      lost-fotos = {
+        enable = true;
+        path = "/syncthing/lost-fotos.ct";
+      };
+      music-projects = {
+        enable = true;
+        path = "/syncthing/music-projects";
+      };
+    };
+  };
+
+  services.permown."/syncthing" = {
+    owner = "syncthing";
+    group = "syncthing";
+    directory-mode = "760";
+    file-mode = "760";
+  };
+
+}
--- a/nixos/machines/pepe/configuration.nix
+++ b/nixos/machines/pepe/configuration.nix
@ -23,7 +23,7 @@
    ./taskwarrior-pushover.nix
    #./neo4j.nix
    #./jellyfin.nix
-    ./wireguard.nix
+    #./wireguard.nix
    #./tts.nix

    # logging
--- a/nixos/machines/robi/wireguard.nix
+++ b/nixos/machines/robi/wireguard.nix
@ -25,7 +25,7 @@
      # clients
      peers = [
        {
-          # pepe
+          # chungus
          publicKey = "wb54y/fG8ocSH9QrDmfajez/fUcJBZK369xLu37XBHk=";
          allowedIPs = [ "10.100.0.2/32" ];
        }
				`@ -0,0 +1 @@`
				`# https://dataswamp.org/~solene/2022-10-06-nixos-kiosk.html`