# NixOS module for one host: sops-managed secrets decrypted into jawz's home,
# the Syncthing service/device/folder layout, and the `jawz` account itself.
# Which secrets, folders and GUI address apply is keyed on the host's name.
{ config, lib, ... }:
let
  inherit (config.networking) hostName;
  jawzUser = config.users.users.jawz;
  sshPrefix = ".ssh/ed25519";

  # Decrypt an entry of secrets/keys.yaml straight into jawz's home directory,
  # owned by jawz. Only owner/group are set here; the file mode is left to
  # sops-nix's default (restrictive, per its docs — confirm for this deployment).
  mkHomeSecret = relPath: {
    sopsFile = ../secrets/keys.yaml;
    owner = jawzUser.name;
    inherit (jawzUser) group;
    path = "/home/jawz/" + relPath;
  };
in
{
  sops.secrets = {
    # Hashed login password; must exist before user accounts are created.
    jawz-password.neededForUsers = true;

    # Age keypair and per-host SSH identities, all under ~/.ssh.
    "private_keys/age" = mkHomeSecret "${sshPrefix}_age";
    "public_keys/age" = mkHomeSecret "${sshPrefix}_age.pub";
    "private_keys/${hostName}" = mkHomeSecret "${sshPrefix}_${hostName}";
    "git_private_keys/${hostName}" = mkHomeSecret "${sshPrefix}_git";

    # Syncthing device identity (key + cert) referenced by services.syncthing.
    "syncthing_keys/${hostName}" = mkHomeSecret ".config/syncthing/key.pem";
    "syncthing_certs/${hostName}" = mkHomeSecret ".config/syncthing/cert.pem";

    # NOTE(review): unlike the entries above, no owner is set here, so the
    # decrypted file keeps sops-nix's default (root-only) ownership. Confirm
    # that whatever consumes it for the Syncthing GUI runs with enough
    # privilege to read it.
    "syncthing_password".sopsFile = ../secrets/keys.yaml;
  };

  # Ignore list for the synced LibreWolf profile, managed by home-manager.
  home-manager.users.jawz.home.file.".librewolf/.stignore".source =
    ../dotfiles/stignore;

  services.syncthing = {
    enable = true;
    user = "jawz";
    group = "users";

    # Declarative device/folder lists win over anything changed via GUI/API.
    overrideDevices = true;
    overrideFolders = true;

    # NOTE(review): this opens Syncthing's default sync/discovery ports in the
    # firewall on every host that imports this module; check that is wanted
    # on all of them (e.g. hosts reachable from untrusted networks).
    openDefaultPorts = true;

    # Device identity comes from the sops-managed key/cert decrypted above.
    key = config.sops.secrets."syncthing_keys/${hostName}".path;
    cert = config.sops.secrets."syncthing_certs/${hostName}".path;

    # The web GUI is bound to this host's address from config.my.ips rather
    # than loopback, so the gui user/password below is its only access control.
    guiAddress = "${config.my.ips.${hostName}}:8384";

    settings = {
      gui = {
        user = "jawz";
        # NOTE(review): this is the *path* of the secret, not its contents.
        # Confirm the NixOS syncthing module reads the file for this field;
        # if it does not, the literal path string would become the GUI
        # password.
        password = config.sops.secrets.syncthing_password.path;
      };

      # Known peers by Syncthing device ID (device IDs are public identifiers).
      devices = {
        server.id = "BG6PF7S-KATABWO-7WAZFMX-6YO7IS3-WQTMR3M-VSOSV7V-HFFMNNH-BFX2EQ4";
        miniserver.id = "HDYEGIR-GFU7ONK-MOOJUFH-N3L3XHX-SXWN3FI-O23K6LD-BJENQK5-VIPV2AT";
        workstation.id = "4E4KJ6M-MSTNBVF-D7CNHDW-DUTB3VR-SXKZ4NH-ZKAOMF5-V24JECJ-4STSZAA";
        galaxy.id = "UAZ5YDV-YUFBXOY-QMS6S6R-WPIIKZI-4OPPW5L-G4OVUPO-YW5KFYY-YASRAAV";
        phone.id = "OSOX2VZ-AO2SA3C-BFB6NKF-K6CR6WX-64TDBKW-RRKEKJ4-FKZE5CV-J2RGJAJ";

        # External peer reached over WireGuard only; it may neither introduce
        # further devices nor push folders onto this host unasked.
        wg-friend1 = {
          id = "XBIYCD4-EFKS5SK-WFF73CU-P37GXVH-OMWEIA4-6KC5F3L-U5UQWSF-SYNNRQF";
          addresses = [ "tcp://${config.my.ips.wg-friend1}:22000" ];
          introducer = false;
          autoAcceptFolders = false;
          paused = false;
        };
      };

      folders =
        let
          isMainHost = hostName == "workstation";
          lanDevices = [ "server" "miniserver" "workstation" ];

          # Common folder shape: fixed path, fixed peer list, no permission
          # syncing (ignorePerms) since the peers include mobile/other OSes.
          mkFolder = path: devices: {
            inherit path devices;
            ignorePerms = false;
          };

          # Folders shared with the mobile devices exist only on the main host.
          mobileFolder = path: lib.mkIf isMainHost (mkFolder path [ "galaxy" "phone" ]);
        in
        {
          cache = mobileFolder "~/Downloads/cache/";
          friends = mobileFolder "~/Pictures/Art/Friends/";
          forme = mobileFolder "~/Pictures/Art/4me/";
          comfy = mobileFolder "~/Development/AI/ComfyUI/output/";

          gdl = mkFolder "~/.config/jawz/" lanDevices;

          # Browser profile: the main host is the single writer, every other
          # host only receives, so profile changes cannot propagate backwards.
          librewolf = mkFolder "~/.librewolf/" lanDevices // {
            copyOwnershipFromParent = true;
            type = if isMainHost then "sendonly" else "receiveonly";
          };

          notes = mkFolder "~/Documents/Notes" [ "galaxy" "phone" "server" "miniserver" "workstation" ];

          # Only the server exchanges this folder, and only with the WG peer.
          friend_share = lib.mkIf (hostName == "server") (
            mkFolder "~/Pictures/encrypted/friends" [ "wg-friend1" ] // {
              type = "sendreceive";
            }
          );
        };
    };
  };

  users.users.jawz = {
    uid = 1000;
    isNormalUser = true;
    # Keep the user's systemd session/units running from boot, not only while
    # logged in (needed for the user-level services synced here).
    linger = true;
    hashedPasswordFile = config.sops.secrets.jawz-password.path;

    # NOTE(review): "wheel", "docker" and (on typical setups) "libvirt" are
    # effectively root-equivalent; keep this list to what each host needs.
    extraGroups = [
      "wheel"
      "networkmanager"
      "scanner"
      "lp"
      "piracy"
      "kavita"
      "video"
      "docker"
      "libvirt"
      "rslsync"
      "plugdev"
      "bluetooth"
    ];

    # Public keys only; the matching private keys are the sops secrets above.
    openssh.authorizedKeys.keyFiles = [
      ../secrets/ssh/ed25519_deacero.pub
      ../secrets/ssh/ed25519_workstation.pub
      ../secrets/ssh/ed25519_server.pub
      ../secrets/ssh/ed25519_miniserver.pub
      ../secrets/ssh/ed25519_galaxy.pub
      ../secrets/ssh/ed25519_phone.pub
      ../secrets/ssh/ed25519_vps.pub
    ];
  };
}