From b63fb76045c0bd81432cdc900ca75a1af1586d1c Mon Sep 17 00:00:00 2001 From: wo2wz <189177184+wo2wz@users.noreply.github.com> Date: Thu, 18 Dec 2025 12:49:24 -0500 Subject: [PATCH] syncthing: add declarative secrets for Drone --- modules/nixos/services/syncthing/server.nix | 46 +++++++++++++-------- secrets/drone.yaml | 7 +++- 2 files changed, 33 insertions(+), 20 deletions(-) diff --git a/modules/nixos/services/syncthing/server.nix b/modules/nixos/services/syncthing/server.nix index e509ec0..6c5119d 100644 --- a/modules/nixos/services/syncthing/server.nix +++ b/modules/nixos/services/syncthing/server.nix @@ -1,25 +1,35 @@ { config, ... }: { - services.syncthing.settings.folders = { - minecraft-instances = { - path = "${config.services.syncthing.dataDir}/minecraft-instances"; - type = "receiveonly"; - devices = [ - "drone" - "earthmover" - "swordsmachine" - ]; - }; + sops.secrets = { + "syncthing/cert.pem" = {}; + "syncthing/key.pem" = {}; + }; - terraria = { - path = "${config.services.syncthing.dataDir}/terraria"; - type = "receiveonly"; - devices = [ - "drone" - "earthmover" - "swordsmachine" - ]; + services.syncthing = { + cert = config.sops.secrets."syncthing/cert.pem".path; + key = config.sops.secrets."syncthing/key.pem".path; + + settings.folders = { + minecraft-instances = { + path = "${config.services.syncthing.dataDir}/minecraft-instances"; + type = "receiveonly"; + devices = [ + "drone" + "earthmover" + "swordsmachine" + ]; + }; + + terraria = { + path = "${config.services.syncthing.dataDir}/terraria"; + type = "receiveonly"; + devices = [ + "drone" + "earthmover" + "swordsmachine" + ]; + }; }; }; } \ No newline at end of file diff --git a/secrets/drone.yaml b/secrets/drone.yaml index 1371fb9..d8fc99f 100755 --- a/secrets/drone.yaml +++ b/secrets/drone.yaml 
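Review bot: The two `sops.secrets` entries at the top of the `server.nix` hunk are bare `{}`, so a change to the encrypted `syncthing/key.pem` is not tied to the running service. If the Syncthing module only installs `cert`/`key` into its config directory when the unit starts (this appears to be how the NixOS module works; please confirm), a rotated key pair stays unused until someone restarts the unit by hand. I would declare both as `"syncthing/key.pem".restartUnits = [ "syncthing.service" ];` and likewise for `cert.pem`. The entries also rely on `sops.defaultSopsFile` resolving to `secrets/drone.yaml`, while the module path is not host-specific, so presumably any other host importing it needs the same keys in its own file; either set `sopsFile` explicitly or add a comment such as `# Syncthing device identity for drone; values live in secrets/drone.yaml`. Because this key pair is the device's Syncthing identity, every recipient able to decrypt `secrets/drone.yaml` can present as this device to its peers, which is worth stating next to the declaration.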
@@ -20,6 +20,9 @@ restic: rest-auth.env: ENC[AES256_GCM,data:MAJVkdiutkhY8MCLrg1EMumAblektgO85VQLD65McX/VYInYDihxwJOV21+SAJSaN/8vA/MqUEmzsrUb04hgvqPYjXIyyUYpDrE8us47eqjF3SoZJsf70Ukps0lv3+L3LViRSpKJ+2v2v7GenaA/jAk=,iv:5yzIiEpQ1jvl9SDu/MxsAl25PmxmmuPxjRAa+iEGJRU=,tag:9UBXGt0vXj3F0YndwkeQaw==,type:str] rest-server: .htpasswd: ENC[AES256_GCM,data:605u/QTk6j1s3Wn3Lg2M0BDhy4WbVFIZRYijhLeGmPHC2sZUY0Ngoq8bkr/Jf97Erh+CM4oqiHXA+Jct8Yq0ml6MMFKk0v602yHRxIEn5MOBETygUz889kJnNLGsXDHJeJFCX5J5qmlnj9DZ+93hNEQJAzEP2CvzH/JoHJA/bMrCGl0aZyExrxJi,iv:wuTER92WYPUGm0QNpfoOepZSGcOmq2M16Xa3RVJFYAo=,tag:qgLqtf41735ajBvlEBlJCw==,type:str] +syncthing: + cert.pem: ENC[AES256_GCM,data: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,iv:rUJIqoZa9pSMUxSqUmUKnlUahKLEW/vzzmNI4V0LniE=,tag:EKExs0ms3LbIh7FJA923aA==,type:str] + key.pem: ENC[AES256_GCM,data:jhYr/fFLvWOGKb7poh3reEDs6WatAoVgYEWw7Y5jwI06eAUO7yQCPpJefKZ+/0VRi0noX71U9Ul/Nv7VNo5bnZ8Yf0fcVxw8FBo0tMXYwg5AMqnJOIr3B48UZUJ9JiWjKG53rE7iGSbnJ4rzvVxB1Opu/wcEDzY=,iv:90R7tjucK/ogTicwAYL5VZ7YF0gCU7KberPQNtAwkBU=,tag:ECCuskrOefltx11+lk2NBA==,type:str] vaultwarden: secrets.env: ENC[AES256_GCM,data:bvAAiZ/MTqwHzaNFw8C23R4w2wg7v01yL/Oz3PLty6VRCgivwvySVShV3ijde/zW/N4d6dYlG76sCemlWi/79/UcIV8sZivnLZ124oYh2iuBMNv9cLrwG/PiPYO74lyq+WcIhIimnur4f/o5PbqoanDfVTru50v5+3ovwuK1MsjOaLGU,iv:rrDfCcmzl3vpr6JVoNU5rlxYfCCZi3hUzEX5IlEoThU=,tag:dSEY6NOxRggyd28pbvV30w==,type:str] sops: 
@@ -33,7 +36,7 @@ sops: N0U5bkt4aXJOS3N0Z2N4YTg4TDVUVncKCQLUTMmdM/IPzV3NDRhPdta1tvXxy/6P RYbLzlUryw+tqfTp8nDrdxyOWScLNzPOswAq0Qf7VMcEQ5bJEkAOhQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-14T01:46:32Z" - mac: ENC[AES256_GCM,data:FRMydFy3I2QeioZ5ApNwXtsmuWkLpL4zBl6SgLsbSVgGh3MCDPtP3fLgzh7lQDUOeqeYPe/OwlbA7mezDp7PZWOd8pTzUCgIZ4HHNETgnIBW97Pnn3WoRdyappFTKDCWX3uJP0h5L6WgZwCIAdqv0O1K4FefcM2FdYdWYaQVWHw=,iv:R20XN6j9MqttumVxWBObUEzbW5UU36mTO0Sp3KOb0Mo=,tag:7RFuTEe1eRtcYB4h2U+otQ==,type:str] + lastmodified: "2025-12-18T17:37:25Z" + mac: ENC[AES256_GCM,data:WAbxmwCprdQOJSH1tXdPoTU8BxeesDRfCR5iY4t3LV5AbCDJBGETtBNIRN7/RcHjAZQri1AW/Z+esqAzbytp29To3vaGJX3LgHLM/1A+jpW10V2dUwlBrILNKivift2/wY4+oUMVqK5xY3rxtvvL2GO6gFq4B5Yu4NIhzgv2VgE=,iv:aoislG3JujD8clv1UIT92PZrxZgLcH5wQ77LvLnQgYA=,tag:0n5TpxlJpxwvkBRn5UrHdA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0