declarative syncthing config ??

.sops.yaml

@@ -1,20 +1,24 @@
 keys:
-  - &user_violet age14znucymclds0v2sqagnz9m6ptemq9uhqrdr5gtjqzhemu2kdn9rsxcq0ep
+  - &admin_violet age14znucymclds0v2sqagnz9m6ptemq9uhqrdr5gtjqzhemu2kdn9rsxcq0ep
   - &host_liella age17l7dkuhs6y8zqahemjqq4hcrqupd028lelhd437m4m9f7ld3xg2qqm93rs
-  - &host_quartz age1fnm9yafdq8lfmqxgwh5qn282ukmdxuyxzljdsurqvcgeug22kdrshnpuns
   - &host_aqours age10katlmf70gx4knt5w6w6z6a0ary74gfxnvuydq9gpd3mlvrhx35sr2csyr
   - &host_marchenstar age12drezrcjc0xnkzd9mmr6wprdwv4r6fpw9nmtqfzxhtzcaxhdz9pqg98c4c
+  - &user_violet age1wsyj3cgxa94fgcm8ylrkkan4py9e8pxh69t4q7aj45h6y9w98dzqr38hmy
 creation_rules:
   - path_regex: secrets/common\.yaml$
     key_groups:
       - age:
-          - *user_violet
+          - *admin_violet
           - *host_liella
-          - *host_quartz
           - *host_aqours
           - *host_marchenstar
-  - path_regex: secrets/marchenstar\.yaml$
+  - path_regex: secrets/violet\.yaml$
     key_groups:
       - age:
+          - *admin_violet
           - *user_violet
+  - path_regex: secrets/marchenstar\.yaml$
+    key_groups:
+      - age:
+          - *admin_violet
           - *host_marchenstar

config/home-manager/plasma.nix

@@ -60,12 +60,15 @@ in
     customColorSchemes = {
       "dracula-konsole" = "${dracula-konsole}/dracula-konsole.colorscheme";
     };
-    defaultProfile = "fish";
+    defaultProfile = "nu";
     extraConfig = {
       FileLocation = {
         scrollbackUseCacheLocation = false;
         scrollbackUseSystemLocation = true;
       };
+      MainWindow = {
+        MenuBar = "Disabled";
+      };
     };
     profiles = lib.genAttrs [ "fish" "nu" ] (
       shell:
@@ -81,7 +84,7 @@ in
         };
       }
       // {
-        command = shell;
+        command = "${shell} -i";
       }
     );
   };

config/homes/base.nix

@@ -3,8 +3,8 @@
   programs = {
     starship.enable = true;
     fish.enable = true;
-    nushell.enable = true;
     autojump.enable = true;
+    atuin.enable = true;
     ssh = {
       enable = true;
       controlMaster = "auto";
@@ -14,13 +14,16 @@
       controlPersist = "10m";
     };
     man.generateCaches = true;
+    nushell = {
+      enable = true;
+      configFile.source = ./config.nu;
+    };
   };
   home.packages = (
     with pkgs;
     [
       kopia
       fastfetch
-      age
     ]
   );
   home.sessionVariables = {

config/homes/config.nu

@@ -0,0 +1,14 @@
+let fish_completer = {|spans|
+    fish --command $'complete "--do-complete=($spans | str join " ")"'
+    | from tsv --flexible --noheaders --no-infer
+    | rename value description
+}
+$env.config = {
+    completions: {
+        algorithm: "fuzzy"
+        external: {
+            enable: true
+            completer: $fish_completer
+        }
+    }
+}

config/homes/violet.nix

@@ -78,25 +78,25 @@ in
         # why in **** hell is there two binaries ???
         postBuild = "rm -fv $out/bin/discord";
       })
+      (pkgs.zed-editor.fhsWithPackages (pkgs: [
+        pkgs.go
+        pkgs.python3
+        pkgs.unzip # unzip lsp downloads by extensions
+        # shared libraries for dynamically linked lanugage servers
+        (lib.getLib pkgs.openssl)
+      ]))
     ]
     ++ (with pkgs; [
       input-leap
       kopia
       keepassxc
       sops
       signal-desktop
-      gdu
       nixd
       nil
       nixfmt-rfc-style
       yubikey-manager
-      (pkgs.zed-editor.fhsWithPackages (pkgs: [
-        pkgs.go
-        pkgs.python3
-        pkgs.unzip # unzip lsp downloads by extensions
-        # shared libraries for dynamically linked lanugage servers
-        (lib.getLib pkgs.openssl)
-      ]))
+      virt-viewer
     ]);
   home.file = {
     ".kopiaignore".text = ''

config/homes/violet@aqours.nix

@@ -1,4 +1,11 @@
-{ pkgs, homeManagerConfig, ... }:
+{
+  lib,
+  config,
+  pkgs,
+  homeManagerConfig,
+  secrets,
+  ...
+}:
 
 let
   f3KanataIdolized = pkgs.fetchurl {
@@ -11,9 +18,49 @@ in
     ./violet.nix
     homeManagerConfig.plasma
   ];
+  sops.age.keyFile = lib.mkForce "${config.home.homeDirectory}/.local/share/sops-nix/key.txt";
   programs.plasma.workspace.wallpaper = "${f3KanataIdolized}";
   programs.plasma.configFile.kdeglobals.General.AccentColor = "166,100,160";
-  services.syncthing.enable = true;
+  sops.secrets."services/syncthing/devices/aqours/key" = {
+    sopsFile = secrets."violet@aqours";
+  };
+  sops.secrets."services/syncthing/devices/aqours/cert" = {
+    sopsFile = secrets."violet@aqours";
+  };
+  services.syncthing = {
+    enable = true;
+    key = config.sops.secrets."services/syncthing/devices/aqours/key".path;
+    cert = config.sops.secrets."services/syncthing/devices/aqours/cert".path;
+    # extraOptions = [ ];
+    overrideDevices = true;
+    overrideFolders = true;
+    # passwordFile = null;
+    settings = {
+      #   options = { };
+      devices = {
+        aqours = {
+          id = "W5X4XBK-AXVMYLS-2GIP5DO-VL6V3DB-SOIRMKM-JWAIUUO-U2AFGOT-BNYK3QH";
+        };
+        ruby = {
+          id = "TEOSCW7-LCY4KQ3-RYLG63K-AA724QG-27G7RMS-M5NKUNY-MXUSJTZ-AO3CMAE";
+        };
+      };
+      folders = {
+        "default" = {
+          label = "Default Folder";
+          path = "~/Sync";
+          type = "sendreceive";
+          versioning = {
+            type = "staggered";
+            params = {
+              maxAge = builtins.toString (60 * 60 * 24 * 365);
+            };
+          };
+          devices = [ "ruby" ];
+        };
+      };
+    };
+  };
   programs.mangohud = {
     enable = true;
     settings = {

config/hosts/x86_64-linux/aqours/default.nix

@@ -9,7 +9,7 @@
 
 let
   users = [ "violet" ];
-  systemd-homework = pkgs.systemd.overrideAttrs (prevAttrs: {
+  systemd-homework = (pkgs.systemd.override { withFirstboot = true; }).overrideAttrs (prevAttrs: {
     patches = prevAttrs.patches ++ [
       (pkgs.fetchpatch2 {
         url = "https://patch-diff.githubusercontent.com/raw/systemd/systemd/pull/35776.patch";
@@ -37,8 +37,7 @@ in
     modules.nixos.steam
     inputs.self.nixosModules.services.OpenLinkHub
   ] ++ lib.map (user: modules.nixos.users.${user}) users;
-  # home-manager.users = lib.genAttrs users (user: modules.homes."${user}@${systemName}");
-  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.kernelPackages = pkgs.linuxPackages_6_12;
   disko.devices.disk.root.device = "/dev/disk/by-path/pci-0000:09:00.0-nvme-1";
   programs.virt-manager.enable = true;
   hardware.bluetooth.enable = true;
@@ -88,6 +87,7 @@ in
       );
     })
   ];
+  networking.firewall.allowedTCPPorts = [ 24800 ]; # input-leap
   programs.kde-pim.enable = false;
   system.stateVersion = "24.11";
   systemd.oomd.enable = true;

config/nixos/base/default.nix

@@ -22,6 +22,7 @@
     ./net.nix
   ];
   sops.secrets."users/root/password".neededForUsers = true;
+  security.pam.services.systemd-run0 = { };
   users.users.root.hashedPasswordFile = lib.mkDefault config.sops.secrets."users/root/password".path;
   boot = {
     initrd = {
@@ -61,6 +62,7 @@
   };
 
   environment.systemPackages = with pkgs; [
+    age
     vim
     curl
     htop
@@ -72,6 +74,7 @@
     openssl
     moreutils
     git
+    ncdu
   ];
   systemd.oomd.enable = lib.mkDefault false;
   programs = {

config/nixos/desktop/plasma.nix

@@ -1,11 +1,17 @@
-{ pkgs, ... }:
+{ pkgs, lib, ... }:
 
 {
   imports = [ ./common.nix ];
   services.desktopManager.plasma6.enable = true;
   services.displayManager.sddm = {
     enable = true;
     wayland.enable = true;
+    settings = {
+      Users = {
+        MinimumUid = 1000;
+        MaximumUid = 60513;
+      };
+    };
   };
   environment.systemPackages = with pkgs; [
     xsettingsd

config/nixos/home-manager.nix

@@ -13,7 +13,10 @@
       home-manager = {
         useGlobalPkgs = true;
         verbose = true;
-        sharedModules = [ inputs.plasma-manager.homeManagerModules.plasma-manager ];
+        sharedModules = [
+          inputs.plasma-manager.homeManagerModules.plasma-manager
+          inputs.sops-nix.homeManagerModules.sops
+        ];
         extraSpecialArgs = homeManagerExtraArgs;
       };
     }

flake.nix

@@ -10,7 +10,7 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     lanzaboote = {
-      url = "github:nix-community/lanzaboote/v0.4.1";
+      url = "github:nix-community/lanzaboote/v0.4.2";
       inputs.nixpkgs.follows = "nixpkgs";
     };
     sops-nix = {
@@ -90,7 +90,7 @@
                 modules
                 secrets
                 ;
-              homeManagerExtraArgs = { inherit homeManagerConfig; };
+              homeManagerExtraArgs = { inherit homeManagerConfig secrets; };
             };
           }
         ) modules.hosts.${system}
@@ -107,10 +107,12 @@
             modules = [
               { programs.home-manager.enable = true; }
               ./overlays
+              inputs.sops-nix.homeManagerModules.sops
+              modules.nixos.sops
               inputs.plasma-manager.homeManagerModules.plasma-manager
               config
             ];
-            extraSpecialArgs = { inherit homeManagerConfig inputs; };
+            extraSpecialArgs = { inherit homeManagerConfig secrets; };
           }
         )
       ) modules.homes;

scripts/syncthing_deviceid.nu

@@ -0,0 +1,22 @@
+#! /usr/bin/env nu
+
+def deviceid [cert: path] {
+    # flawed actual implementation in syncthing (without reverse in luhn mod32)
+    let s = open $cert | openssl x509 -outform der | hash sha256 -b | encode base32 | str trim -r -c '='
+    let charlist = (seq char A Z) ++ (seq 2 7)
+    let charmap = $charlist | enumerate | reduce --fold {} {|it, acc| $acc | upsert ($it.item | into string) $it.index}
+    0..3 |  each {|i| $s | str substring ((13 * $i)..(13 * $i + 12))} |
+    # each {|b| $b + ( $b| split chars | reverse | enumerate | reduce --fold 0 {|it, acc|
+    each {|b| $b + ( $b| split chars | enumerate | reduce --fold 0 {|it, acc|
+        let factor = if ($it.index mod 2 | into bool) { 2 } else { 1 }
+        let addend = $factor * ($charmap | get $it.item)
+        $acc + ($addend // 32) + ($addend mod 32) }|
+    each {|s| let remainder = $s mod 32; (32 - $remainder) mod 32 }|
+    each {|n| $charlist | get $n } | into string)} |
+    each {|b| [ ($b | str substring 0..6)  ($b | str substring 7..13) ]} | flatten |
+    reduce {|it, acc| $acc + "-" + $it}
+}
+
+def main [cert: path] {
+    deviceid $cert
+}