Fully declarative Syncthing configuration in NixOS

A Syncthing device ID is derived from the node's TLS certificate (it is a hash of cert.pem), so a node whose certificate is regenerated gets a new ID and has to be re-paired with every peer. To keep a stable ID from one nixos-rebuild switch to the next, and across reinstalls, the certificate and private key have to be part of the configuration, while the private key must stay out of the world-readable Nix store. This article shows how to do that with sops-nix.

Install sops-nix

(the sops-nix README also documents this setup, in more detail)

Add the following to your flake.nix:

```nix
{
  ...
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    sops-nix.url = "github:Mic92/sops-nix";
    ...
  };

  outputs = inputs@{ nixpkgs, home-manager, sops-nix, ... }: {
    nixosConfigurations = {
      nixos = nixpkgs.lib.nixosSystem {
        system = "x86_64-linux";
        # makes `inputs` (and therefore sops-nix) available to the modules
        specialArgs = { inherit inputs; };
        modules = [
          ./configuration.nix
          ...
        ];
      };
    };
  };
}
```

Generate your age key

Generate an age key from an existing SSH key. ssh-to-age only converts ed25519 keys; if you have no such key, generate a fresh age key with age-keygen as described in the sops-nix documentation:

```sh
mkdir -p ~/.config/sops/age
nix-shell -p ssh-to-age --run "ssh-to-age -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt"
# keys.txt holds the private age key; keep it readable by you only
chmod 600 ~/.config/sops/age/keys.txt
```

Then go to your configuration.nix and import the sops-nix module:

```nix
imports = [
  ...
  inputs.sops-nix.nixosModules.sops
];
...
sops.defaultSopsFile = ./secrets/secrets.yaml;
sops.defaultSopsFormat = "yaml";
# a string, deliberately not a Nix path: a path literal would copy the
# private key into the world-readable Nix store
sops.age.keyFile = "/home/user/.config/sops/age/keys.txt";
```

keyFile is read by root during activation, so adjust the path to wherever keys.txt ended up for the user who generated it. If the machine runs openssh, you can skip the user key file entirely: sops-nix can derive the age key from the host's ed25519 SSH key (`sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, which is also its default when openssh is enabled), and the matching recipient for .sops.yaml is printed by `ssh-to-age < /etc/ssh/ssh_host_ed25519_key.pub`.

Creating .sops.yaml

Then create a .sops.yaml file at the root of your Nix config folder (sops looks for it upwards from the file being edited, and path_regex is matched against the path relative to it) with the following content:

```yaml
keys:
  - &primary YOUR_PUBLIC_KEY
creation_rules:
  - path_regex: secrets/secrets.yaml$
    key_groups:
      - age:
          - *primary
```

To retrieve the public age key, run `age-keygen -y ~/.config/sops/age/keys.txt`. Every machine that must decrypt the secret needs its own public key listed here; add it as another anchor and reference it in the same age list.

Generating certificate and key for Syncthing

Run `nix-shell -p syncthing --run "syncthing generate --config myconfig/"`. This writes cert.pem and key.pem (plus a config.xml you do not need) into myconfig/ and prints the device ID that belongs to this certificate; note it down, the other devices will need it. Keep myconfig/ out of your repository: only the encrypted secrets.yaml is committed.

Creating secrets.yaml

Create it with sops so that it is stored encrypted from the start; run this from the directory containing .sops.yaml:

```sh
nix-shell -p sops --run "sops secrets/secrets.yaml"
```

In the editor that opens, paste the two PEM files as YAML block scalars. The plaintext should look like this (the certificate and key shown here are the ones generated for this article):

```yaml
cert: |
  -----BEGIN CERTIFICATE-----
  MIICHDCCAaKgAwIBAgIIcjaikeYgJVcwCgYIKoZIzj0EAwIwSjESMBAGA1UEChMJ
  U3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdlbmVyYXRlZDESMBAG
  A1UEAxMJc3luY3RoaW5nMB4XDTI1MDQwOTAwMDAwMFoXDTQ1MDQwNDAwMDAwMFow
  SjESMBAGA1UEChMJU3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdl
  bmVyYXRlZDESMBAGA1UEAxMJc3luY3RoaW5nMHYwEAYHKoZIzj0CAQYFK4EEACID
  YgAEfRFvMOIvV9PKl06aiwIiyavjiPeYhKO7+/J/l2h66TL7qOXNFCokL0b5imxH
  lJu2gQeY82rPWJse8W/aGM5wZwS+b5B1CM+/mQzKgeAN3w94pX2CrKXOzpSTNguV
  aB9io1UwUzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
  AQUFBwMCMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJc3luY3RoaW5nMAoGCCqG
  SM49BAMCA2gAMGUCMQDE61oyhXo8E+kBxHJP7++UOrhotUsfzQF3634AFYhYsHh9
  BtujNLyM8WRO0/J+L7wCMElBPFEToJWxszRcRlMTV87rAbLAFMNp9279of6MKQGI
  rq68FPmknNtGd7LqhPr0bg==
  -----END CERTIFICATE-----
key: |
  -----BEGIN EC PRIVATE KEY-----
  MIGkAgEBBDC8mZwMCH3aQUuYmyPgErDjNf5lmnr06T2QL8mDrTEMu1ezSQUcVBXf
  JzcmPXrHSo2gBwYFK4EEACKhZANiAAR9EW8w4i9X08qXTpqLAiLJq+OI95iEo7v7
  8n+XaHrpMvuo5c0UKiQvRvmKbEeUm7aBB5jzas9Ymx7xb9oYznBnBL5vkHUIz7+Z
  DMqB4A3fD3ilfYKspc7OlJM2C5VoH2I=
  -----END EC PRIVATE KEY-----
```

Don't forget the `|`: without the block-scalar indicator the multi-line PEM is not valid YAML, and the indented lines must be kept. On save, sops encrypts both values with the recipients from .sops.yaml. Since this key pair has been published in this article, anyone can impersonate its device ID; generate your own and never reuse the one shown here.
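The device ID that `syncthing generate` prints is not a random identifier but a function of cert.pem: the SHA-256 of the DER certificate, base32-encoded without padding (52 characters), with a Luhn mod-32 check character appended to each 13-character block (56 characters), rendered as eight dash-separated groups of 7. The Python below is an added example, not code from this article or from the Syncthing project; it reimplements that scheme so you can recompute a node's ID from its cert.pem offline (and confirm it did not change after a rebuild), and validate a device ID before pasting it into the `devices` block. It embeds the cert.pem shown above; `normalize_device_id` and `is_valid_device_id` are this example's own helpers, not a Syncthing API.

```python
"""Recompute a Syncthing device ID from cert.pem the way Syncthing does.

Added example, not code from the article or from the Syncthing project.
Scheme: SHA-256 over the DER certificate -> base32 without padding
(52 chars) -> Luhn mod-32 check character after each 13-char block
(56 chars) -> 7-char groups joined with dashes. CERT_PEM is the cert.pem
from the article above.
"""
import base64
import hashlib
import re

LUHN_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICHDCCAaKgAwIBAgIIcjaikeYgJVcwCgYIKoZIzj0EAwIwSjESMBAGA1UEChMJ
U3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdlbmVyYXRlZDESMBAG
A1UEAxMJc3luY3RoaW5nMB4XDTI1MDQwOTAwMDAwMFoXDTQ1MDQwNDAwMDAwMFow
SjESMBAGA1UEChMJU3luY3RoaW5nMSAwHgYDVQQLExdBdXRvbWF0aWNhbGx5IEdl
bmVyYXRlZDESMBAGA1UEAxMJc3luY3RoaW5nMHYwEAYHKoZIzj0CAQYFK4EEACID
YgAEfRFvMOIvV9PKl06aiwIiyavjiPeYhKO7+/J/l2h66TL7qOXNFCokL0b5imxH
lJu2gQeY82rPWJse8W/aGM5wZwS+b5B1CM+/mQzKgeAN3w94pX2CrKXOzpSTNguV
aB9io1UwUzAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMAwGA1UdEwEB/wQCMAAwFAYDVR0RBA0wC4IJc3luY3RoaW5nMAoGCCqG
SM49BAMCA2gAMGUCMQDE61oyhXo8E+kBxHJP7++UOrhotUsfzQF3634AFYhYsHh9
BtujNLyM8WRO0/J+L7wCMElBPFEToJWxszRcRlMTV87rAbLAFMNp9279of6MKQGI
rq68FPmknNtGd7LqhPr0bg==
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body to DER."""
    body = "".join(
        line.strip()
        for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    return base64.b64decode(body, validate=True)


def luhn32(block: str) -> str:
    """Check character for one block (Syncthing's Luhn mod-32 variant)."""
    factor, total = 1, 0
    for ch in block:
        addend = factor * LUHN_BASE32.index(ch)  # ValueError on a bad char
        factor = 1 if factor == 2 else 2
        total += addend // 32 + addend % 32
    return LUHN_BASE32[(32 - total % 32) % 32]


def luhnify(raw52: str) -> str:
    """Append a check character to each of the four 13-character blocks."""
    if len(raw52) != 52:
        raise ValueError("expected 52 base32 characters")
    return "".join(raw52[i:i + 13] + luhn32(raw52[i:i + 13])
                   for i in range(0, 52, 13))


def chunkify(s56: str) -> str:
    """Render 56 characters as eight dash-separated 7-character groups."""
    return "-".join(s56[i:i + 7] for i in range(0, len(s56), 7))


def device_id_from_der(der: bytes) -> str:
    """SHA-256 of the DER certificate -> base32 -> checked -> grouped.
    Example: raw P56IOI7MZJNU2IQGDREYDM2MGTMGL3BXNPQ6W5BTBBZ4TJXZWICQ
    renders as P56IOI7-MZJNU2Y-IQGDREY-DM2MGTI-MGL3BXN-PQ6W5BM-TBBZ4TJ-XZWICQ2."""
    digest = hashlib.sha256(der).digest()
    raw52 = base64.b32encode(digest).decode("ascii").rstrip("=")
    return chunkify(luhnify(raw52))


def device_id_from_pem(pem: str) -> str:
    return device_id_from_der(pem_to_der(pem))


def normalize_device_id(text: str) -> str:
    """Canonicalise an ID as a user might paste it (any case, with or
    without dashes, spaces or check characters) and reject typos by
    recomputing the check characters. Own helper, not a Syncthing API."""
    s = re.sub(r"[\s-]", "", text).upper()
    if len(s) == 56:
        raw52 = "".join(s[i:i + 13] for i in range(0, 56, 14))
        if luhnify(raw52) != s:
            raise ValueError("device ID check characters do not match")
        return chunkify(s)
    if len(s) == 52:  # old format without check characters
        return chunkify(luhnify(s))
    raise ValueError(f"unexpected device ID length {len(s)}")


def is_valid_device_id(text: str) -> bool:
    try:
        normalize_device_id(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("Device ID:", device_id_from_pem(CERT_PEM))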

Configuring Syncthing

Create a syncthing.nix file (and add it to imports) or add these lines to your configuration.nix:

```nix
{ config, lib, pkgs, ... }:
{
  sops = {
    secrets = {
      # the Syncthing service copies cert/key into its config dir at start,
      # running as `user`, so that user must be able to read the secrets
      cert.owner = "daniil";
      key.owner = "daniil";
    };
  };

  services.syncthing = {
    enable = true;
    # decrypted by sops-nix at activation, outside the Nix store
    # (/run/secrets/key and /run/secrets/cert by default)
    key = config.sops.secrets.key.path;
    cert = config.sops.secrets.cert.path;
    user = "daniil";
    dataDir = "/home/daniil";
    # the devices and folders declared here are authoritative:
    # anything added through the web GUI is removed on the next rebuild
    overrideDevices = true;
    overrideFolders = true;
    settings = {
      devices = {
        "phone" = { id = "YOUR_DEVICE_ID_HERE"; };
      };
      folders = {
        "Org" = {
          path = "/home/daniil/org";
          devices = [ "phone" ];
        };
      };
    };
  };
}
```

The secret names `cert` and `key` match the top-level keys of secrets.yaml; the device ID in `devices` is the other node's, not the one you generated above.

Then run `nixos-rebuild switch`, and you have a fully declarative Syncthing configuration. To confirm the identity is stable, check that the ID Syncthing reports at startup (`journalctl -u syncthing.service | grep "My ID"`) is the one printed by `syncthing generate`, and that it is unchanged after a further rebuild or a reinstall from the same configuration.