Merge pull request 'syncthing: Migrate from facts to vars' (#3388) from kenji/clan-core:syncthing into main

Reviewed-on: https://git.clan.lol/clan/clan-core/pulls/3388
kenji
2025-04-23 06:25:12 +00:00
54 changed files with 581 additions and 368 deletions


@@ -1,26 +1,37 @@
(import ../lib/test-base.nix) ( {
# Using nixos-test, because our own test system doesn't support the necessary pkgs,
# features for systemd. self,
clanLib,
...
}:
clanLib.test.makeTestClan {
inherit pkgs self;
nixosTest = (
{ lib, ... }: { lib, ... }:
{ {
name = "syncthing"; name = "syncthing";
nodes.introducer = clan = {
{ self, ... }: directory = ./.;
{ inventory = {
imports = [ machines = lib.genAttrs [
self.clanModules.syncthing "introducer"
self.nixosModules.clanCore "peer1"
{ "peer2"
clan.core.settings.directory = ./.; ] (_: { });
environment.etc = { services = {
"syncthing.pam".source = ./introducer/introducer_test_cert; syncthing.default = {
"syncthing.key".source = ./introducer/introducer_test_key; roles.peer.machines = [
"syncthing.api".source = ./introducer/introducer_test_api; "peer1"
"peer2"
];
roles.introducer.machines = [ "introducer" ];
}; };
clan.core.facts.services.syncthing.secret."syncthing.api".path = "/etc/syncthing.api"; };
services.syncthing.cert = "/etc/syncthing.pam"; };
services.syncthing.key = "/etc/syncthing.key"; };
nodes.introducer = {
# Doesn't test zerotier! # Doesn't test zerotier!
services.syncthing.openDefaultPorts = true; services.syncthing.openDefaultPorts = true;
services.syncthing.settings.folders = { services.syncthing.settings.folders = {
@@ -42,64 +53,29 @@
OnActiveSec = 1; OnActiveSec = 1;
OnUnitActiveSec = 1; OnUnitActiveSec = 1;
}; };
}
];
};
nodes.peer1 =
{ self, ... }:
{
imports = [
self.clanModules.syncthing
self.nixosModules.clanCore
{
clan.core.settings.directory = ./.;
clan.syncthing.introducer = lib.strings.removeSuffix "\n" (
builtins.readFile ./introducer/introducer_device_id
);
environment.etc = {
"syncthing.pam".source = ./peer_1/peer_1_test_cert;
"syncthing.key".source = ./peer_1/peer_1_test_key;
}; };
nodes.peer1 = {
services.syncthing.openDefaultPorts = true; services.syncthing.openDefaultPorts = true;
services.syncthing.cert = "/etc/syncthing.pam";
services.syncthing.key = "/etc/syncthing.key";
}
];
};
nodes.peer2 =
{ self, ... }:
{
imports = [
self.clanModules.syncthing
self.nixosModules.clanCore
{
clan.core.settings.directory = ./.;
clan.syncthing.introducer = lib.strings.removeSuffix "\n" (
builtins.readFile ./introducer/introducer_device_id
);
environment.etc = {
"syncthing.pam".source = ./peer_2/peer_2_test_cert;
"syncthing.key".source = ./peer_2/peer_2_test_key;
}; };
nodes.peer2 = {
services.syncthing.openDefaultPorts = true; services.syncthing.openDefaultPorts = true;
services.syncthing.cert = "/etc/syncthing.pam";
services.syncthing.key = "/etc/syncthing.key";
}
];
}; };
testScript = '' testScript = ''
start_all() start_all()
introducer.wait_for_unit("syncthing") introducer.wait_for_unit("syncthing")
peer1.wait_for_unit("syncthing") peer1.wait_for_unit("syncthing")
peer2.wait_for_unit("syncthing") peer2.wait_for_unit("syncthing")
peer1.wait_for_file("/home/user/Shared") peer1.execute("ls -la /var/lib/syncthing")
peer2.wait_for_file("/home/user/Shared") peer2.execute("ls -la /var/lib/syncthing")
peer1.wait_for_file("/var/lib/syncthing/Shared")
peer2.wait_for_file("/var/lib/syncthing/Shared")
introducer.shutdown() introducer.shutdown()
peer1.execute("echo hello > /home/user/Shared/hello") peer1.execute("echo hello > /var/lib/syncthing/Shared/hello")
peer2.wait_for_file("/home/user/Shared/hello") peer2.wait_for_file("/var/lib/syncthing/Shared/hello")
out = peer2.succeed("cat /home/user/Shared/hello") out = peer2.succeed("cat /var/lib/syncthing/Shared/hello")
print(out)
assert "hello" in out assert "hello" in out
''; '';
} }
) );
}
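Review bot: The two `execute("ls -la /var/lib/syncthing")` calls and the `print(out)` that appear on the new side of the testScript look like debugging leftovers: `execute` does not fail the test on a non-zero exit status and its result is discarded here, so they assert nothing. I would drop them, or make the listing a real check with `peer1.succeed("ls -la /var/lib/syncthing")` if the directory's presence is what matters. The write step has the same weakness, because `peer1.execute("echo hello > /var/lib/syncthing/Shared/hello")` lets a failed write surface only as a later `wait_for_file` timeout on peer2; `peer1.succeed(...)` would report it where it happens. Which column is old and which is new is inferred from the side-by-side rendering, so confirm against the actual patch.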


@@ -1 +0,0 @@
RN4ZZIJ-5AOJVWT-JD5IAAZ-SWVDTHU-B4RWCXE-AEM3SRG-QBM2KC5-JTGUNQT


@@ -1 +0,0 @@
fKwzSQK43LWMnjVK2TDjpTkziY364dvP


@@ -1,14 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -1,6 +0,0 @@
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDBvqJxL4s7JFy0y6Ulg7C9C0m3N9VZlW328uMJrwznGuCdRHa/VD4qY
IcjtwJisdaqgBwYFK4EEACKhZANiAARMyKUkBlFVZa0p3TY4sJIGdOOXh9umoME+
UUzeOGxkXvEiagVguxz91e7tQumUGQC0g6A1BuTovPcBqxZ8VOPJmBUiRZWQFc8m
aKn8VTKH9755N7hQz6OOxwOHsfH4usk=
-----END EC PRIVATE KEY-----


@@ -1,14 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -1,6 +0,0 @@
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDA14Nqo17Xs/xRLGH2KLuyzjKp4eW9iWFobVNM93RZZbECT++W3XcQc
cEc5WVtiPmWgBwYFK4EEACKhZANiAAQECvUKxyLAJrS+Lt4LrHG5IaKNje3FuO2z
IVqd5z9+B7igkEPetWlosoURNvdO8cey69uXMSVw/jzcwRWroUxSjHC4v0LNO2km
tGG3BKYCzwAcsW7yKtWfyxmOCQuxcyE=
-----END EC PRIVATE KEY-----


@@ -1,14 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


@@ -1,6 +0,0 @@
-----BEGIN EC PRIVATE KEY-----
MIGkAgEBBDCXHGpvumKjjDRxB6SsjZOb7duw3w+rdlGQCJTIvRThLjD6zwjnyImi
7c3PD5nWtLqgBwYFK4EEACKhZANiAARWUzLeEX7HwbntL2u0LjXY31zCOB32cyQh
HBvm/TLVexZQ5sDCl+X4BspA/RQWwu8os2t/sQqG3TG+W2pM9amCe51BQr9ZsEg6
NnjTPv1xPqyZpa3vDcJMBpr85Ydboco=
-----END EC PRIVATE KEY-----


@@ -0,0 +1,6 @@
[
{
"publickey": "age1dtyyp6t7hy570sd0vqleges2hve8jn8pfk2dnnxm9x7c6ultn9yssh0mjh",
"type": "age"
}
]


@@ -0,0 +1,6 @@
[
{
"publickey": "age12xw22jdyk23halj5vafkxhne9uecux0umumcse6vee2eux55wg0qxagw6a",
"type": "age"
}
]


@@ -0,0 +1,6 @@
[
{
"publickey": "age19202wv5mesd4pyvk96rtkqf0tm9hvhwscuxuwxlmhc3v9mtszgxsl500j6",
"type": "age"
}
]


@@ -0,0 +1,15 @@
{
"data": "ENC[AES256_GCM,data:VYytkAYIIYym6LIAskCW2IIwxJKZLbO3Ydhchizj53FsdCMxDsZXowANIDevTW8Re0oV8teyDlZ3SfIG0f/eIjEADSJT21eJXF4=,iv:vX6WElASSTdW8hnZsvvq8/CSi+Vaeo1KZoWTXVivNAI=,tag:QF5OtBllxD6TL2CD0mkULA==,type:str]",
"sops": {
"age": [
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUdXFxL0dLOXRYNkJBRUIy\nbzJzaExSYUxQanpEdmdFOGFRUTJ6MmlRSVFBClpqSkR2QWpMS0JNc0x2ejBnMEpR\nU1MzL3JEa0plNmluaSt2R2kyZHNzeGMKLS0tIFFkUlZsTmU1YlhBdkhQL2F0K1BB\nNmhoWVNjOHh5bGhuU28wUEUxMy9LWDAK7Wkg+vYfj276pSJCgHp5iaFtjKlm51n1\nQC2LJFvFndeeU5J/uhrLmfqPv6wxcK2A4Npu3qq3QKQbxkCqWpm3+Q==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-04-22T07:36:08Z",
"mac": "ENC[AES256_GCM,data:oPqlb68CsEVcjxpWnQp5N9EnunypRNXZuGmt8+Hoxpwy6oMEcoF//dLyCTqU3pbSr+y2lixSVXwwHNJesZRQx4BdbGBmZvAt4eps0UPV5g9dhuANGkjQftT2fSa9fYWrC9qkCO4YVzEgrffA2NX+EGys41LoFntThHEJt9/R2ds=,iv:qJUUdUnXKiP5Bn1q6LE2QGkY8LEtZ6nA7+SJgak/mpg=,tag:TANbiMdwVSF7U4zB/esxRg==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.1"
}
}


@@ -0,0 +1 @@
../../../users/admin


@@ -0,0 +1,15 @@
{
"data": "ENC[AES256_GCM,data:swjiMM5HKx0+pgiSShd+IC3yZWTGQU3+olF8UjcDLyh/rYP921h+V7dxnX8QPcv7a26IgCxnFK13wORFDGmV6jBz3QGXdVzBFcg=,iv:6j5mWCOGYmRYEkvnKylyrQuHdGJkDvSg4fnNGA2EwyU=,tag:cLqS74dQxXUBgAolRAmXmg==,type:str]",
"sops": {
"age": [
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWFN3dEVnc01BcWRPZlNL\nWmtEU3FaR09xajloRWN1Q0ZzS1B2d1k4THlZCjVKL1k4QWFKRGdva2tKQTRjS0VI\nZi8rYkQxd2FrSHQzVzlKVjlnUDRXSGsKLS0tIE04bmRpMkkyTjJPaGE1aHBPQWlJ\nTk1pVzFvSzdkSVd6VHhHWVpVVmVOTFEKMi0ahPlpt6CVIu5mPigfgcJTphbfu40H\nzAxVOgIAYYP9FVNbT+OHewL+K3DdXelKBWw9HFKa82nJ6yqm1Rkiiw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-04-22T07:36:24Z",
"mac": "ENC[AES256_GCM,data:2cTW34BnVhr6umlT7jbQnt8/u2AeJB6ZlUFaaMLEGmIavFiKovwlZQtxXyWQb055XG2Dy3/jDK+4TdHap7zaJbDNuqJRqdpHOPnCJggReWi4YeiJh6eIRbFkCgCtTshEJ/I2i4W5FNMJXsximXse8SwfDdlAsVs6mt+Jo/3kP64=,iv:OosA83JNvUOCchHxc4QiCziRE9lAUNDSO3qZqxnhcy0=,tag:h7Ayruv/O+jkbfIadyQMUw==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.1"
}
}


@@ -0,0 +1 @@
../../../users/admin


@@ -0,0 +1,15 @@
{
"data": "ENC[AES256_GCM,data:M7ug2BF0rB0HAa7+q/dzXV3rjX+xk55Cc+/PNs05Lm6Dnn+puSugTgcRCcgLjx/mpkIGDPJD4I/bLZ7B8d7fgvUKRO+/xnEtVZs=,iv:2DYlrBnSLG5wPYSXgWyQbuIsLuNUsh6IMF8Knxb0jfc=,tag:+meQgWmVvmnc+DbqcDfkAQ==,type:str]",
"sops": {
"age": [
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1K0p6aWtFdGgvNFlWQ2Fr\nb2oxb05acVAvQTdzaTgyTlV5TnNFUkw1cFVNCmlhb292T3hDUkNsRjhwTmJmelRo\nN2Y1Ynl2VW9uaFcrc292R2RDUHZnT28KLS0tIFpTSTZGVnp6Y2R4YWJRd0NkV3M1\nM1N2M093UVVyVSs0bDJmZ2tacTZ5QW8KzmoCZYdYOhcLG5Em11FbYsWIaInuNHpe\nyd5haSWiIR1kfTAgGoENvZ05W8JU2QTO1hEJCDv8908PcQI7L0fDcw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-04-22T07:36:40Z",
"mac": "ENC[AES256_GCM,data:hm/r1pW+aZhvnfsh3D6IWUVC0OH7N/gYr8x9+K3/NzQ055DIT0PP1DBp7LXZiYZk8sVPwj67OZGFpxtUgq57mZ2j+OsfGS246wnnnRsqdqjYNbDu/WdErC1nvEMvqzQLbcPPxl8G723RtF7flJj0P+kebcIsJDqKGy9I15Kn+Wo=,iv:KGtD8F9agDRfpH64qAjVVsZjyTRAJh4LJUlCh001sbs=,tag:kItsYJRv9C24vH067PKxTw==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.1"
}
}


@@ -0,0 +1 @@
../../../users/admin


@@ -0,0 +1,4 @@
{
"publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"type": "age"
}


@@ -0,0 +1 @@
../../../../../../sops/machines/introducer


@@ -0,0 +1,19 @@
{
"data": "ENC[AES256_GCM,data:5sdi6CKpBNhpqEWmd4b3pGhoGvfzES2MZCNpfd7uDLlm,iv:rN8Un+aNJ8Jypa87VuzA5638awHIHGVvSFkrRs2YeE8=,tag:MwWM24csH4j+sWoYrxeNhA==,type:str]",
"sops": {
"age": [
{
"recipient": "age1dtyyp6t7hy570sd0vqleges2hve8jn8pfk2dnnxm9x7c6ultn9yssh0mjh",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBES1A3cWlyNzdSYk0ycmRi\nZ2IxanhZZXA4WGwrcTFBTlkwNU03cVVSWjF3CmkvNDRhbDYzc1Z5NXRZT0IyUERM\nQ0s0b2g0M09qRHZiZitwUEtsZDNQem8KLS0tIFJMOGxMMytlYzIvNlpyK1FXaVM0\ncFR3UnpNZ1M3WGo4SmpRUVc0aGdLaFkKHZ3i6j+oBcWIW6OEir69aXUz2lsFEB2P\n5uiZ+BVcVHYCDiyPAo9ujtgTIOBKFqiPsUqI+6R4QL5qDNWh7XlEcA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnKzVFb1hUQWhJcnN6aTU2\nTDF2NktxZXl5WVVrd3d4MW5TK3pyaUR4QmlZCjRFRDMvZXA3WDQ1ZGkvTkNoWVNC\naUZTWEdneWVLSGJ5TmxjVmRhOTBOeDQKLS0tIGR5Wml4cE54eUNQMHQ4RWdWbFQ4\nM2RMeml3aUdWcFFmMUJTb3NRMnFsdnMKHv69jihf+CKgO94KpavjIlLE1XL+JrFf\n0dyqB9Roxh13JcG4eASs9GSYreuh+tEUOEoAneURWxiepCzYeaCLAw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-04-22T07:36:16Z",
"mac": "ENC[AES256_GCM,data:zpEB1P6mnLAeQYdSZVcPndfZu4NO6iBux6vSIGa47tO2SspMdCstH/ay9sxQu2kFJ+BPk2kR49hf7ZrxHpqGTdKhGvTid4SXoc+8oWHKoYfczbWPLRUeNRfYzovnhkOuO9pKAdEdmMdj6CQvqRN/DiqpQKT2WHbSy9995bACn3E=,iv:xbfX1bHeKtyidBCTeP1rq6iNf3itNhy8Ohx50OzRc/8=,tag:1u22H+SUwVXHGCHCWlxSvw==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.1"
}
}


@@ -0,0 +1 @@
../../../../../../sops/users/admin


@@ -0,0 +1 @@
../../../../../../sops/machines/introducer


@@ -0,0 +1,19 @@
{
"data": "ENC[AES256_GCM,data:uZA2nYjDytg0pY/8W80D3e6t9BOs25KjoITBrvfxRUSiGElnIFZfcOLSBH7QjEn7C+z8uLQPobNlzEUOjFvynRndKXV/1q4a0O8PfV4b0OFZcaqXzyUChigAynr1TBp93BmtZXi7U7gQVFByK2DD2TBtPBOvLDvUXKQzPsGHJSYZmNLo2FDLVkZ8Y3FaOsBB0bZhY1A894NaITbWqJz1z6Vr9BluBZFl6DZ74SDsqIwMDsIKMOS+9gGuKiz29QZLNkWaHVdgUZfKh+BlXNYMk1T7kAygSMaq/dzHtQkN/+SvrpDF+EIFUTNMwnbOH4w30YzFNLw9KENO5nmCSYTU53oJ7+6lg/SHsMu83aE94Ny+OTr5SGhsy5E8GYzquNNvHvjScOvFrFvdjbrgjH9huKq6LKLikECHR58WiO6wToXa121aiSlYOrjKrq83LRM+RAVnPbwa0ivGw7FYcdNz+XGRS374fvDPpZMvh7iO0EBsw7GKSZTobYC7qbyw/6ZzUatiYyJ9Z799RA7e4lN7zQhSaYDOZyQ6rDhxjf9fgBvlokcdi4kPdHqlit6vm5EYVmWOEy5LeIXp3MaRzpc5p970mqUGsKMlAXAkkPDQ6l29zv+Z0MHcJzI5fxDvCeoJWzNjprieox+rPuE9Yi15AFgprhE3o5pINm+wQF5Z+msTBlwfO/6+kN/6Nxry280gS9ReZ7mHuVXnpSldVXwr8uNtaqsdsDX6hjqdPQ0aavgnipBFrZlmK/sepRnSUqdYfJYkgJWE94YDCmCPSiHMs+57Pq3tfXT/sB1fy5Xt9VJudWLgeqoOWKlHkZUqcjWExEV09psfxrrzez5u9smmINHNBKq9/WUpddum10ghqFXrWPOE2pL7Ec1KJzdvQrZc3VFgf1qZOs8sGfNmKDb0zyvTMLFMx7dn2QBNN0SGlAEx9C3DiZxLMeCRjsU8+5ex0AoUzlPH5W+BjCBg4/9gEIddZhc4lKxk8tL+xKQBBr5XJJug9EFQ4S6L5yf/ymHHgJ0EspzxsIF6/yx11CMbTW0DYPy129c7Wd8=,iv:0H5qAO7XBleThWKewp75XSOthuww0KAY5zDhes+dRR4=,tag:TddUlszviseB8jxSS+GIdQ==,type:str]",
"sops": {
"age": [
{
"recipient": "age1dtyyp6t7hy570sd0vqleges2hve8jn8pfk2dnnxm9x7c6ultn9yssh0mjh",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXUjc2SldYZXFNN1d4ZUlX\nZUZ5L1M5LzVpRTFudlJpM3A5RnFUbEJiSjFvCkY4OGFUeTAzTndMSzZxKzJsY1Ev\naU1DNFBLS21IZ0dFRndmSFh5a05MZ3MKLS0tIGNEdmRuekdQU3o4d0pQZi9TVCt6\nbFYrSHBPeHc4S3dSZ1lGRjllUnIxUGMKa41+cBa1zmT3AgLEmvo7vVADSR/2+HFN\n5xMbfJR/Up1UZoRTIWyDHDJIEj10Jp9z/WD9asw06/8WvSAoNwNL+Q==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHVjdKWGJDVHVXRTgwMWZZ\neVhYbHZWS3lDY0M5Yk03RWErUW0yeVkxVlg4CklMVlpQQ2Vrd2lTS3dKWHc4T1lO\nME9Kb1k2S1VXcGRlOHlaWEtsQmpzd00KLS0tIE9VV3RKeW5qYW14T01lWXBIYzFL\neEJZdGdnSWJCaVJrRGNKNlhSZ0U0Q3MKY4JcwyNMZXiGgVX7KQf5nUbkKBvGldsK\nG64upfdnX0yTgHPe+7iD0LQeemW+mrcJ2IqZHf+LdVJiBINP5Q1d0Q==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-04-22T07:36:16Z",
"mac": "ENC[AES256_GCM,data:NkVDSpSAzDTHZGdHlgHwcXZyw8d2g7yWYDH8JNKNc+LCp66zRKOupzejcdcA9bnArIzZHF5H4RGj3JGbUSa2UGkZkJp887ZuLsGZIZxRMawc++qqkPqFH2gK2V1jLF5A807gckimruIwjm44UZjOsv7u6xwfMZVwtDkOiJRhZOc=,iv:4/vuQR1DA35GrbvJLAWdsa2bt2D9ZvfAco97uSUsKs0=,tag:6/cDgKkBGIQde2w6urFkGw==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.1"
}
}


@@ -0,0 +1 @@
../../../../../../sops/users/admin


@@ -0,0 +1 @@
../../../../../../sops/machines/introducer


@@ -0,0 +1,19 @@
{
"data": "ENC[AES256_GCM,data:pOGFDKYAQhqJHo16lWzgLVr80I7MxFuqsac328edVrz0Q4HiSifYwu4230yce0SCPrCudfqJAzVwYK2ppIRjb5WvBcVLJMGhAHVm8n6Lf8w9lZ0mM/RZEV9hxr3v76HE8xcv0Qy9s7U53Xgp50Z80t93ANyz1SaYBkoi4TEqcEW5KYoewldaCPtjhJJpnfjDAZDieODzSbMs3N0i2XqZXWzvUBig6MHLpimZeHB5qVcwqyRsvDEOag49xi1z6uC78IGaHpNhTyXZRPNXZxkzzcEck2yOHlvSC+5gp4FO87nyqVzGcvplUuETlItncdaGqvXRnQj3Kex6EA6J4bpYqwp00vYC7S5itBE9p65OTtyYjeVRh4rfLT1auXmES/ZD,iv:yfk5J8yYHRoqsSRiNl9fRrCqPUSK6MLDSQs7KSY8/MI=,tag:CxQeQmQzzPGcWpcHMeVddQ==,type:str]",
"sops": {
"age": [
{
"recipient": "age1dtyyp6t7hy570sd0vqleges2hve8jn8pfk2dnnxm9x7c6ultn9yssh0mjh",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2UU9lek5ablhoV2FHT080\neDBTRkpFdDQ4YythUlY4WG5iSlYwK2FLQmc4Cmdwa3BQL2RaQ1FmVmVEV3VMTFdS\nUmZjLy81c2wyS3QycjV0WkU3NkFUZ0kKLS0tIEk0bGZKNzRqVHE1aEczN1FNNTdL\naHI3WWVwWTBBUThQcUlxcW5BeGpyZDAKur2Do6b+ol71yRMNjdSGtCRAJDEF7XlH\ng4+ou54kSmacr+JzX9UmQYXga4AhNT4XfCSupan4E8riDpplUHloEw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4UDFUbWZMOHRMdXhiSm53\neWdpNFBMOEUzNzVDMWNBaTNIT25RQTVtM25BCi94OEF2UGtaNWU5dEN3elR5QlZC\nV0E4WStKTnZQT1l1d25oVENlMUdpYmcKLS0tICtoaFgveHZTQ3ViQlZkSUl4OVdo\nZTBrT1ZETndPY29oak9INGhFQXU5SzAKmROsgLWN78B9qp/nJATpJc/xL/43NY57\nLlxtbCjPp6Hb21S8Yv9cyR4hYRr53QmmveQ9QhYv5NBr8txRADmdDA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-04-22T07:36:16Z",
"mac": "ENC[AES256_GCM,data:a9S1oyItkIVc6xILBeO0S23B+U1tZ+m3Bc41uIAeKwZMd3I/ZysMZ0lJrJv869MGFe4tG0ubq6Wh4Qm++MncbSgPUhDpy4601Rz6GehI7tSRi5LJMQxviszIoKBA99vIrzh9YxQfjJMJnrzy/fdM5PC+vZOjZ+Zn9xUJCQyH14s=,iv:VaM0HMdOwqCXfJQ/N7ZiI1bQsK8gCttOclvlUA0YsAk=,tag:kV01y3BNTeFlVNa9VLvang==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.1"
}
}


@@ -0,0 +1 @@
../../../../../../sops/users/admin


@@ -0,0 +1 @@
7LGQU6V-ANAWUZZ-KM3YUEU-YLYHFK2-YIDVB42-5XA2JMM-JBGQSAT-OHUOTAI


@@ -0,0 +1 @@
../../../../../../sops/machines/peer1


@@ -0,0 +1,19 @@
{
"data": "ENC[AES256_GCM,data:dRg4nnU5zAr0QO2kROc/Xo1JdqUIBUNX5LVXipJXpVrZ,iv:NL76W9az+zvHTZK/sI8pEnMtsQ+CBOKwZU9TMoLJutA=,tag:AZuq7UrvZZzjBYQfPmbR+Q==,type:str]",
"sops": {
"age": [
{
"recipient": "age12xw22jdyk23halj5vafkxhne9uecux0umumcse6vee2eux55wg0qxagw6a",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRkh2UndZMHMxNTUrRFdV\nVnBUSytyUytCZ0FaOFFVMXc2Ly9HWWYwM1U0CkJBS1NFQUUxdGVZdGMrQmVhVElw\nN3hsQThDVXYyaG1CWmR0M2k2N2VSeDAKLS0tIGwzQk9uMlladjcwbEU5TDMxM0ZT\nczJCamJhZ2kxb3RPS09nVVFCc2JuZ3MKyfCxOlIaxS0bnWVQiH5JWayoAJP5+qZz\nAm3kwKk3+88RrSvJQoK3DCooHTb7BBapujCfFtYNqX23ub4R3s6MXg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxNkNsYnJPd0VzQjNJRk1J\nVVhGOFQ4dGxKaWFhZDRQVUovKzBueS9OOUdnCjNRdmo4NC9NRFlnaDltUWswR2Y2\nQmFhRFRhQ3dOM2Nxb0dUeUFEV1k2em8KLS0tIHZCVWFNcUtneUNSaXQwRDVROFVL\nMXNTd1o5blorcWZGai9MTzN1bU40bW8KU7hnGoF9Sv+CT2JxZQEmzr75UWnYoWEA\nv9Pa4nTTfJ0wnoifJsEfg5TwA+n3eNOB0sTETjQlr9hZKsqYFWwKBw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-04-22T07:36:32Z",
"mac": "ENC[AES256_GCM,data:cLBMui9KvvL+sWAn6rTcnAwdnZTR90DKC3+XB4xlYoltr30M+PdRNp9r5q4UJgg+WLp/mMDfU7vYkMjLRFskaZ5oBssEixLGMcIytnikGWfglWrhbLiDx9lJgNvMxxYMyEPxME1DTAgVKvm/ROnOoRH5E2+c7XNE87uCdv3pEjg=,iv:r3iFuK5sm+jzNAuLwLfaMFKrA3yqPbYS99N5H8S0IYw=,tag:HI8ui6UOL0PRv3Q8R1wwwQ==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.1"
}
}


@@ -0,0 +1 @@
../../../../../../sops/users/admin


@@ -0,0 +1 @@
../../../../../../sops/machines/peer1


@@ -0,0 +1,19 @@
{
"data": "ENC[AES256_GCM,data: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,iv:RNtYntJz0tkJNiNs3M0Jhat2nVVKXrdcOQqAV19N9d4=,tag:ApJvUkVkh32f7WlPqNPtYA==,type:str]",
"sops": {
"age": [
{
"recipient": "age12xw22jdyk23halj5vafkxhne9uecux0umumcse6vee2eux55wg0qxagw6a",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWVjQxeUFoMTFOdHRVSW1K\nbjJRcnlMcE1UYVU3dHhtNTBWKzdEQ2k0TGxVClhFWjJpZ1JkM3ZjWWt1MUo4R0k2\nVTNTMFVoQTFBeXV3YzY4aGMyczVRSnMKLS0tIGJHQ2pvaDZFaTVUcGdQOEtjSjdI\nUVVPQ0hWbHd0Z1QrTjBmSml0MkV4TDAKkpoJSA79+ABUfEYK4RByzq3Vy40PKeSZ\nXz9JfQJNhYThHHOYB3xIjZqoq7CORwO+1Pryph6rPaZ0+tysdnLcLg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyZnJYbkFJakVINWpTbS91\neVFlMmMyL01KcWF5OHFCdHNSRy9JQTNwa0dVCjAzOExtWEVIOTU5Y0txb3RNNHpV\nYjhKZndRUitQTEptKzJYYUhCUElNTmcKLS0tIEFpZ0hUU21Sak1mTHBSanRpNHRJ\nK3VBWHFtWXJVSEIyQUdUUmh4RStmVTQKpVoroeWOTpLg3W8TQR6mTVcEgXZwqp4u\ntvg6/kEBSo8xQFJQHbhY9a/hVqcgHwC3JBqsKieFxQlmbFdwzrjGvQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-04-22T07:36:32Z",
"mac": "ENC[AES256_GCM,data:TwbNSnuWNfT48LWKRLNCLu057QzO4776St1twHH2WO7ADTU1NX0EOr4p8EmwhLPjVnFzqmtvPopNGZnlwZx3C5+jHPOjsPpDwe9HbeoY2kFCQPSv4Jzheeqq2cXw7kS+RhkzV83oyJZ8Lt/QsQfQrLQ0qflSt2TV6R1qkK+80aY=,iv:vuxBTHlMalWTCM4VVqUmlnMc8uLedbY3j53Uk1GeExI=,tag:FEQtCZJPKCX2PR+ncayfBQ==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.1"
}
}


@@ -0,0 +1 @@
../../../../../../sops/users/admin


@@ -0,0 +1 @@
../../../../../../sops/machines/peer1


@@ -0,0 +1,19 @@
{
"data": "ENC[AES256_GCM,data:/I7YNh7joCWxUSx0DWdZkHiNWHbFeo7WX5Gt3cqWTpBeVcOCSym5jQ+987H7KNi5VyUG2Ju4dl8Lm5FI0uR4Y0wCq+NNf3HgVCnyuZakokZuZoiZFiXRIWaa00eqv6wvYFJQy6m1+Bl6pVCMVhi8GFaewoZl3zt0BpV+9V0llOPkZCsaAj3IwFe4xoidEvhIG4QMXYT9ubjBRJX8u4kenqTVq68Up3b45Iwo4aAR2h93SP7lWfx4DuSDGiPi+ymA0yDkIElTZZbviRlzrVft7ds1kjJiYYja+KHkpT09BBx1z1KG+RWgym91sVKBc2JugqFjTsxjtFRvihNKRguvu7rQzLpOrNSu/5GzflSaQHu1KrkXZrRyPPW5cJ0gcBHA,iv:0ol8Ob02Y6p4eFIgOlEPbBm4HL2g3WZ/0bq4bKMdhvM=,tag:J8EAEQP9soUErtQp2m0Uhw==,type:str]",
"sops": {
"age": [
{
"recipient": "age12xw22jdyk23halj5vafkxhne9uecux0umumcse6vee2eux55wg0qxagw6a",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxYmgvQkZtN1NIQU1yM2s2\nZTltaUdCd0pyMnB0bUpWeCtTYzRTWEp4YlJRCkpVOUcrY3hFZGpiYjRZT2xRZ3Iw\nNEVCNlpBNTFjL0NISk1Bb0tra29IQkUKLS0tIDNPUVd5V3F6UHBCQUZVbGNncEdq\nWmtYOC9tQ3dySU9IMksweG9hdkkyMVkKkMkHgR8UzWIeWcqos2iHRB0HK+JG6NCt\nGuBSepn8fxjs83vLtH1tv04FmTD4Y6voEq0PD2/xh+cPwut2z/h58A==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3WkFpbFp6TUF2M1VYdks5\nSlJWMktqKzg2bWtyeGF0OVR3bGxXeE5NeHgwCnliSmdETklDanBGOGJwMXBKbFQy\nY2JVSERnVDdablRQUjlBdUU5NmdNbXMKLS0tIE5HV0JlR3dMTVJlOVAyNk9YeUUr\nSEhFMThXeU5PV25ucXFYMGx2bHZ4dVUKqxEmacW0eQiO1yLOLILEezw+9tKAXGYF\ndhOnZrsuiGTfdEc2AvEze2okjbaPihXy7fbNGtUtgnijU4gMGxyfHg==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-04-22T07:36:32Z",
"mac": "ENC[AES256_GCM,data:93OXqgqB4auVV42dbEpbS/y7TfpK/BjSYue5BjX4mhuPbL2B6v0L5q4QowHmgP2LjpexXToMPWfkA9fjfEYGDYPr1NVs7HIT5K6X+OcnfAeXHWFLwqnL7MpsvaxfdipF0dIBFf2fL7EzMJTPJ1Pvz40rGU8e4ivApJamnKp/dco=,iv:xnIqG8+uunNXR/tAFy0gWzrFujmQ0hdThmQCnjBE5Ow=,tag:Be25dlybgnWmAHgLXRdcnA==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.1"
}
}


@@ -0,0 +1 @@
../../../../../../sops/users/admin


@@ -0,0 +1 @@
APWHWIK-TD3HJPF-5G7737K-RISPI5J-GYCUS7W-VYSVEDP-4OGYS6E-26322AF


@@ -0,0 +1 @@
../../../../../../sops/machines/peer2


@@ -0,0 +1,19 @@
{
"data": "ENC[AES256_GCM,data:1j/bboTIlAk3C4MA+n46p1COh2xVFvxJ8GkzNb7rE/rF,iv:QLP/WQswMSlhecIaC5/0pLChT/o5FVw99ljdeuAAiNY=,tag:2UwqlIHr6U+6DSX0ngkhOg==,type:str]",
"sops": {
"age": [
{
"recipient": "age19202wv5mesd4pyvk96rtkqf0tm9hvhwscuxuwxlmhc3v9mtszgxsl500j6",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TEFMQ21PVXBGSlJONGFN\nWko2cDNyWEIzNVhsZWdaNFpjbHpVaUx5TWtRClJnZDd1WTdnaUN4UlBUWmdGdkV1\nR0JrY2o0NDRsSDdaTUhZV3NNVFgxUXMKLS0tIHhDQ2ZoaE0xcm5paDByOVVsTFVN\nTjNISytNMmZTSFQzZFJyY3d0czA1ejgKHAq3dPeXCVXHHdVrQV3ZI2fFlrG7ha7H\nbA5AmuU/cfJZInbIjq60JR8YjbS+Gmiv3CkLwriJ3zk1X8pTI5NIVw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVkxpRERsWmJDc3NRZWpt\nZ2lhaFNVR3JhcW5wZUdkdXVTMnNYWmtOTzBVCmdNT05QNSszQ2c5aE9ob2V5VUFU\ndE0xbFpWUU53cGZCUU9oSVdMQW9KbTQKLS0tIGZ0b0hiTHp0N0lSOFZDVDhjWFFj\nellVc0FKQWR5MGhvRDRFeDVuY1FOcFkKDhBN6w3CavrN3a8KsjDL7hOPSXgeUzd6\nwrqesVGZZjTG40JMKDZf6mW45LWFvn+dClWKsAN0/EZlsViiY0L/aA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-04-22T07:36:48Z",
"mac": "ENC[AES256_GCM,data:cnx0Jon5RXnPTvg75Q9Q1nZOroe0i6EckuojUAYcsBg7XdbmAaVbcnGkXyCEeAVxCWRQ6orRmBE/OepRU9wR0JjJaEU1WCFQSrNUu+Pgdbh4WnspGxRI2rfRWIkFgDX1RkRz9blHkjWj4JCxuSIWcuOlSjNsesiDKhbWQM/K1+4=,iv:elnOyvjgJLNrMukOYdZTj9ja55XcwD3W4epkGBaC19k=,tag:dIyGDyhEEwcLigfC1hhCxg==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.1"
}
}


@@ -0,0 +1 @@
../../../../../../sops/users/admin


@@ -0,0 +1 @@
../../../../../../sops/machines/peer2


@@ -0,0 +1,19 @@
{
"data": "ENC[AES256_GCM,data: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,iv:hSTUpGyJScL8woPr9FwmTJWeDS4y9/4Tfgsgl3pJYDU=,tag:Syv5kIlJhbqbFfnLydph7g==,type:str]",
"sops": {
"age": [
{
"recipient": "age19202wv5mesd4pyvk96rtkqf0tm9hvhwscuxuwxlmhc3v9mtszgxsl500j6",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UTA4dXBHcGdGT1laQ3BO\nUmNpWTVyL2sxKy91VkN4SjN2RGI5YkJRT2tBCmNDTXlTTzE4UGsySTM0am1jcmRW\nK1VCTGEvYkh0bnB4Y0w1RXAwTC9YeWcKLS0tIENYM2V0VzZHNzZQc1k3SnVXVGhQ\nWEVYSkx5UkJHbTR4NWdFTFF2Y3U1RUUKiVsbzad+glIsJlR/mCkQxbVBD/lFA1dj\n2eQg1X6gvjDuJRhgCutkfFPDVqzpORtmPkz//WsZp9MobHq8fInDUg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwMUZ5eDV5T3VHMWRGaGFo\nQmlwVVkvaFJpNXV4K3hNaGpHZDd1eTRVZm5rCnBYTHZNaWM3d0FtWDRIQWNGQnN1\nUCt6L0o1SnU2Wk5QZkM5MXQ3MzF6cWsKLS0tIGxvNWRPUjlBdlRMNUhtR09qTUZH\nZ1IxelJiTHk2NWhFSlFvN2l3cXdVOG8Kz98ZDAkrVgGi/FhzwfQChu6sy8LeOZeP\nDleEeHw9WqVoo900qC7cS0cAgGDDDyGoOuiPjXVdHBPsEsweWipQ0A==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-04-22T07:36:48Z",
"mac": "ENC[AES256_GCM,data:veGo9nuE6mvo1yWk/wweueJzChsbzI6tYVrLS12wXieA9PO6aosS+Z37lYwdnP7Ac+jYDfs2yjvtMHNRBhLwWryRxvGfltrXank4ZLRY01+YxEGhlobR4tQ9lJc0OKaM7Rwx3Up7IWH9kfR9f49T2qE/z2RjF3AMX9fFymuD+Ck=,iv:/lEG4XZNSCbe9UbVfSWzCEU1VHdj7eW1an8dBteVPJg=,tag:ykxjDbvp/I8EecWEGr+Tjg==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.1"
}
}


@@ -0,0 +1 @@
../../../../../../sops/users/admin


@@ -0,0 +1 @@
../../../../../../sops/machines/peer2


@@ -0,0 +1,19 @@
{
"data": "ENC[AES256_GCM,data:lfvelW2A5XbkE/rc0QPeQWSWgd35sdNgbAsqXaJN78f5wZHNY/m7CTFU/13BRnaTQor1DizJWp/TAF7hssBjRcqWcEVrRVCDaEw7NJNL6u+VG0PL8XwWxkQ7bY8yOnIRyg3JcKeDNNqD8Ld+B1DH/AGAeinnkvIZmMEVw4/tRsSKwwhq3jLDA0qDFCwVv9K5T/EkdIQj4cqb6VkCoAMvoE75jU8V+x5oQ9kiExGF87d8gVk0pVrr/+lMuvrObzgM+HJQTaeDprjEFP3VROMZgGq5EaaN189eVv8hxRV5dbQUndyFGsokecKWM/nS/kzWGa5/DAVrJwsb74E0FEVAWr5s6AvXOeQD6OXO+4KHe3aM52oARQcR3nAbAIzsZExv,iv:h9htABzxbwBzmj/azorU6sOX8+7PrOdGsESzI/3eCvo=,tag:Vh4EsmYGgZ5vIAWbjX2+Uw==,type:str]",
"sops": {
"age": [
{
"recipient": "age19202wv5mesd4pyvk96rtkqf0tm9hvhwscuxuwxlmhc3v9mtszgxsl500j6",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiMlduTExENXdqampxTTYw\nc2krRHJFb3kraDFwMjVPYThUTk0ycFljeWdJCmxiZVNLOWwyVGZxUkRFcVZDY0tH\nL0ROeWhFUGVnYlZ6UjVodHFpYm5GMFEKLS0tIG1nNnc5UExSUjUxczZsdktta2hI\nSEVnbFpBVEpDbnVTbGcyYlNqbTlNT2sKkiA1nAIAjGLNugL0Kk2HxML2V2ZG46g5\nqYQtgl87h68BPX9pjjN3aNcex/RRSqeJwp6ohYqzcqu3VYpovM3Nig==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5Y0hybUhrSGtKUzVxU1NU\naVh5TnFQY0JTMkF0VDdXN3FtNkZSZkk3V21zCmpMQU5HekFyNjV4NVRFN2ZUTllX\nWXZHZWMrWmNVR00zcytjcm5SSjBJUGsKLS0tIEUzS0FYTWI2eVQxa3lPdXJIRnR3\nU0U2dEY1UWtVa1Z6OXVib0xPa0pCQlkKc5TSQEV+tlOY7uatLjLHl+bl/AYyuHyv\nBThcm3rdVIPdON69UmAkiIoAgiIZELXKzjKxsVIy9xqbAiOEv6jMLA==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-04-22T07:36:48Z",
"mac": "ENC[AES256_GCM,data:+71j2nRHNrgKJbrdHHkpbAGBJcfJPMXNfeCOYmqFJKFNQ7SjV+f2ZnCdHyf7miPskkeqU0lmHnojIx6t/W25NRfEYHVDZKDFNWf2RpYl4F1EqGMSe0swOF9NJVT0yVbjUwQe/8sbMeNim14lXKX+SB2yhYJ2n5AUQsN3oPsd0/o=,iv:WaKvvHpDWvUmyeJTT/vqYyctHjY1wG9tFCJAu9EjKi0=,tag:G4ulFvwHkF3vr0YZ5iMxjQ==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.1"
}
}


@@ -0,0 +1 @@
../../../../../../sops/users/admin


@@ -0,0 +1 @@
X2YLMVC-GY2NQRV-MBN7EZ2-2JMHIRX-ZFXKLGP-3HXJRPE-GQNY6JX-JE6IYAI


@@ -1,6 +1,13 @@
--- ---
description = "A secure, file synchronization app for devices over networks, offering a private alternative to cloud services." description = "A secure, file synchronization app for devices over networks, offering a private alternative to cloud services."
features = [ "inventory" ]
[constraints]
roles.introducer.min = 1
roles.introducer.max = 1
--- ---
**Warning**: This module was written with our VM integration in mind likely won't work outside of this context. They will be generalized in future.
## Usage ## Usage
We recommend configuring this module as an sync-service through the provided options. Although it provides a Web GUI through which more usage scenarios are supported. We recommend configuring this module as an sync-service through the provided options. Although it provides a Web GUI through which more usage scenarios are supported.


@@ -1,210 +1,6 @@
# Dont import this file
# It is only here for backwards compatibility.
# Dont author new modules with this file.
{ {
config, imports = [ ./roles/peer.nix ];
pkgs,
lib,
...
}:
{
options.clan.syncthing = {
id = lib.mkOption {
description = ''
The ID of the machine.
It is generated automatically by default.
'';
type = lib.types.nullOr lib.types.str;
example = "BABNJY4-G2ICDLF-QQEG7DD-N3OBNGF-BCCOFK6-MV3K7QJ-2WUZHXS-7DTW4AS";
default = config.clan.core.facts.services.syncthing.public."syncthing.pub".value or null;
defaultText = "config.clan.core.facts.services.syncthing.public.\"syncthing.pub\".value";
};
introducer = lib.mkOption {
description = ''
The introducer for the machine.
'';
type = lib.types.nullOr lib.types.str;
default = null;
};
autoAcceptDevices = lib.mkOption {
description = ''
Auto accept incoming device requests.
Should only be used on the introducer.
'';
type = lib.types.bool;
default = false;
};
autoShares = lib.mkOption {
description = ''
Auto share the following Folders by their ID's with introduced devices.
Should only be used on the introducer.
'';
type = lib.types.listOf lib.types.str;
default = [ ];
example = [
"folder1"
"folder2"
];
};
};
imports = [
{
# Syncthing ports: 8384 for remote access to GUI
# 22000 TCP and/or UDP for sync traffic
# 21027/UDP for discovery
# source: https://docs.syncthing.net/users/firewall.html
networking.firewall.interfaces."zt+".allowedTCPPorts = [
8384
22000
];
networking.firewall.allowedTCPPorts = [ 8384 ];
networking.firewall.interfaces."zt+".allowedUDPPorts = [
22000
21027
];
assertions = [
{
assertion = lib.all (
attr: builtins.hasAttr attr config.services.syncthing.settings.folders
) config.clan.syncthing.autoShares;
message = ''
Syncthing: If you want to AutoShare a folder, you need to have it configured on the sharing device.
'';
}
];
# Activates inotify compatibility on syncthing
# use mkOverride 900 here as it otherwise would collide with the default of the
# upstream nixos xserver.nix
boot.kernel.sysctl."fs.inotify.max_user_watches" = lib.mkOverride 900 524288;
services.syncthing = {
enable = true;
configDir = "/var/lib/syncthing";
overrideFolders = lib.mkDefault (
if (config.clan.syncthing.introducer == null) then true else false
);
overrideDevices = lib.mkDefault (
if (config.clan.syncthing.introducer == null) then true else false
);
dataDir = lib.mkDefault "/home/user/";
group = "syncthing";
key = lib.mkDefault config.clan.secrets.syncthing.secrets."syncthing.key".path or null;
cert = lib.mkDefault config.clan.secrets.syncthing.secrets."syncthing.cert".path or null;
settings = {
options = {
urAccepted = -1;
allowedNetworks = [ config.clan.core.networking.zerotier.subnet ];
};
devices =
{ }
// (
if (config.clan.syncthing.introducer == null) then
{ }
else
{
"${config.clan.syncthing.introducer}" = {
name = "introducer";
id = config.clan.syncthing.introducer;
introducer = true;
autoAcceptFolders = true;
};
}
);
};
};
systemd.services.syncthing-auto-accept =
let
baseAddress = "127.0.0.1:8384";
getPendingDevices = "/rest/cluster/pending/devices";
postNewDevice = "/rest/config/devices";
SharedFolderById = "/rest/config/folders/";
apiKey = config.clan.core.facts.services.syncthing.secret."syncthing.api".path or null;
in
lib.mkIf config.clan.syncthing.autoAcceptDevices {
description = "Syncthing auto accept devices";
requisite = [ "syncthing.service" ];
after = [ "syncthing.service" ];
wantedBy = [ "multi-user.target" ];
script = ''
set -x
# query pending deviceID's
APIKEY=$(cat ${apiKey})
PENDING=$(${lib.getExe pkgs.curl} -X GET -H "X-API-Key: $APIKEY" ${baseAddress}${getPendingDevices})
PENDING=$(echo $PENDING | ${lib.getExe pkgs.jq} keys[])
# accept pending deviceID's
for ID in $PENDING;do
${lib.getExe pkgs.curl} -X POST -d "{\"deviceId\": $ID}" -H "Content-Type: application/json" -H "X-API-Key: $APIKEY" ${baseAddress}${postNewDevice}
# get all shared folders by their ID
for folder in ${builtins.toString config.clan.syncthing.autoShares}; do
SHARED_IDS=$(${lib.getExe pkgs.curl} -X GET -H "X-API-Key: $APIKEY" ${baseAddress}${SharedFolderById}"$folder" | ${lib.getExe pkgs.jq} ."devices")
PATCHED_IDS=$(echo $SHARED_IDS | ${lib.getExe pkgs.jq} ".+= [{\"deviceID\": $ID, \"introducedBy\": \"\", \"encryptionPassword\": \"\"}]")
${lib.getExe pkgs.curl} -X PATCH -d "{\"devices\": $PATCHED_IDS}" -H "X-API-Key: $APIKEY" ${baseAddress}${SharedFolderById}"$folder"
done
done
'';
};
systemd.timers.syncthing-auto-accept = lib.mkIf config.clan.syncthing.autoAcceptDevices {
description = "Syncthing Auto Accept";
wantedBy = [ "syncthing-auto-accept.service" ];
timerConfig = {
OnActiveSec = lib.mkDefault 60;
OnUnitActiveSec = lib.mkDefault 60;
};
};
systemd.services.syncthing-init-api-key =
let
apiKey = config.clan.core.facts.services.syncthing.secret."syncthing.api".path or null;
in
lib.mkIf config.clan.syncthing.autoAcceptDevices {
description = "Set the api key";
after = [ "syncthing-init.service" ];
wantedBy = [ "multi-user.target" ];
script = ''
# set -x
set -efu pipefail
APIKEY=$(cat ${apiKey})
${lib.getExe pkgs.gnused} -i "s/<apikey>.*<\/apikey>/<apikey>$APIKEY<\/apikey>/" /var/lib/syncthing/config.xml
# sudo systemctl restart syncthing.service
systemctl restart syncthing.service
'';
serviceConfig = {
WorkingDirectory = "/var/lib/syncthing";
BindReadOnlyPaths = [ apiKey ];
Type = "oneshot";
};
};
clan.core.facts.services.syncthing = {
secret."syncthing.key" = { };
secret."syncthing.cert" = { };
secret."syncthing.api" = { };
public."syncthing.pub" = { };
generator.path = [
pkgs.coreutils
pkgs.gnugrep
pkgs.syncthing
];
generator.script = ''
syncthing generate --config "$secrets"
mv "$secrets"/key.pem "$secrets"/syncthing.key
mv "$secrets"/cert.pem "$secrets"/syncthing.cert
cat "$secrets"/config.xml | grep -oP '(?<=<device id=")[^"]+' | uniq > "$facts"/syncthing.pub
cat "$secrets"/config.xml | grep -oP '<apikey>\K[^<]+' | uniq > "$secrets"/syncthing.api
'';
};
}
];
} }


@@ -0,0 +1,6 @@
{ ... }:
{
imports = [
../shared.nix
];
}


@@ -0,0 +1,20 @@
{ config, lib, ... }:
let
instanceNames = builtins.attrNames config.clan.inventory.services.syncthing;
instanceName = builtins.head instanceNames;
instance = config.clan.inventory.services.syncthing.${instanceName};
introducer = builtins.head instance.roles.introducer.machines;
introducerId = "${config.clan.core.settings.directory}/vars/per-machine/${introducer}/syncthing/syncthing.pub/value";
in
{
imports = [
../shared.nix
];
clan.syncthing.introducer = lib.strings.removeSuffix "\n" (
if builtins.pathExists introducerId then
builtins.readFile introducerId
else
throw "${introducerId} does not exists. Please run `clan vars generate ${introducer}` to generate the introducer device id"
);
}
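Review bot: `builtins.head instanceNames` and `builtins.head instance.roles.introducer.machines` abort evaluation with a generic empty-list error when no syncthing instance or no introducer machine is defined, and they silently ignore every instance and introducer after the first. The value read here becomes the device this peer trusts as introducer (the shared module sets `introducer = true` and `autoAcceptFolders = true` for it), so the selection should be explicit. I would guard the lookup, e.g. `if instance.roles.introducer.machines == [ ] then throw "syncthing: no introducer machine configured" else builtins.head instance.roles.introducer.machines`, and add a comment such as `# only the first instance and its first introducer are used`. The existing throw message also says "does not exists" where "does not exist" is meant.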


@@ -0,0 +1,208 @@
{
config,
pkgs,
lib,
...
}:
{
options.clan.syncthing = {
id = lib.mkOption {
description = ''
The ID of the machine.
It is generated automatically by default.
'';
type = lib.types.nullOr lib.types.str;
example = "BABNJY4-G2ICDLF-QQEG7DD-N3OBNGF-BCCOFK6-MV3K7QJ-2WUZHXS-7DTW4AS";
default = config.clan.core.vars.generators.syncthing.files."syncthing.pub".value;
defaultText = "config.clan.core.vars.generators.syncthing.files.\"syncthing.pub\".value";
};
introducer = lib.mkOption {
description = ''
The introducer for the machine.
'';
type = lib.types.nullOr lib.types.str;
default = null;
};
autoAcceptDevices = lib.mkOption {
description = ''
Auto accept incoming device requests.
Should only be used on the introducer.
'';
type = lib.types.bool;
default = false;
};
autoShares = lib.mkOption {
description = ''
Auto share the following Folders by their ID's with introduced devices.
Should only be used on the introducer.
'';
type = lib.types.listOf lib.types.str;
default = [ ];
example = [
"folder1"
"folder2"
];
};
};
imports = [
{
# Syncthing ports: 8384 for remote access to GUI
# 22000 TCP and/or UDP for sync traffic
# 21027/UDP for discovery
# source: https://docs.syncthing.net/users/firewall.html
networking.firewall.interfaces."zt+".allowedTCPPorts = [
8384
22000
];
networking.firewall.allowedTCPPorts = [ 8384 ];
networking.firewall.interfaces."zt+".allowedUDPPorts = [
22000
21027
];
assertions = [
{
assertion = lib.all (
attr: builtins.hasAttr attr config.services.syncthing.settings.folders
) config.clan.syncthing.autoShares;
message = ''
Syncthing: If you want to AutoShare a folder, you need to have it configured on the sharing device.
'';
}
];
# Activates inotify compatibility on syncthing
# use mkOverride 900 here as it otherwise would collide with the default of the
# upstream nixos xserver.nix
boot.kernel.sysctl."fs.inotify.max_user_watches" = lib.mkOverride 900 524288;
services.syncthing = {
enable = true;
overrideFolders = lib.mkDefault (
if (config.clan.syncthing.introducer == null) then true else false
);
overrideDevices = lib.mkDefault (
if (config.clan.syncthing.introducer == null) then true else false
);
key = lib.mkDefault config.clan.core.vars.generators.syncthing.files."syncthing.key".path or null;
cert = lib.mkDefault config.clan.core.vars.generators.syncthing.files."syncthing.cert".path or null;
settings = {
options = {
urAccepted = -1;
allowedNetworks = [ ];
};
devices =
{ }
// (
if (config.clan.syncthing.introducer == null) then
{ }
else
{
"${config.clan.syncthing.introducer}" = {
name = "introducer";
id = config.clan.syncthing.introducer;
introducer = true;
autoAcceptFolders = true;
};
}
);
};
};
systemd.services.syncthing-auto-accept =
let
baseAddress = "127.0.0.1:8384";
getPendingDevices = "/rest/cluster/pending/devices";
postNewDevice = "/rest/config/devices";
SharedFolderById = "/rest/config/folders/";
apiKey = config.clan.core.vars.generators.syncthing.files."syncthing.api".path;
in
lib.mkIf config.clan.syncthing.autoAcceptDevices {
description = "Syncthing auto accept devices";
requisite = [ "syncthing.service" ];
after = [ "syncthing.service" ];
wantedBy = [ "multi-user.target" ];
script = ''
set -x
# query pending deviceID's
APIKEY=$(cat ${apiKey})
PENDING=$(${lib.getExe pkgs.curl} -X GET -H "X-API-Key: $APIKEY" ${baseAddress}${getPendingDevices})
PENDING=$(echo $PENDING | ${lib.getExe pkgs.jq} keys[])
# accept pending deviceID's
for ID in $PENDING;do
${lib.getExe pkgs.curl} -X POST -d "{\"deviceId\": $ID}" -H "Content-Type: application/json" -H "X-API-Key: $APIKEY" ${baseAddress}${postNewDevice}
# get all shared folders by their ID
for folder in ${builtins.toString config.clan.syncthing.autoShares}; do
SHARED_IDS=$(${lib.getExe pkgs.curl} -X GET -H "X-API-Key: $APIKEY" ${baseAddress}${SharedFolderById}"$folder" | ${lib.getExe pkgs.jq} ."devices")
PATCHED_IDS=$(echo $SHARED_IDS | ${lib.getExe pkgs.jq} ".+= [{\"deviceID\": $ID, \"introducedBy\": \"\", \"encryptionPassword\": \"\"}]")
${lib.getExe pkgs.curl} -X PATCH -d "{\"devices\": $PATCHED_IDS}" -H "X-API-Key: $APIKEY" ${baseAddress}${SharedFolderById}"$folder"
done
done
'';
};
systemd.timers.syncthing-auto-accept = lib.mkIf config.clan.syncthing.autoAcceptDevices {
description = "Syncthing Auto Accept";
wantedBy = [ "syncthing-auto-accept.service" ];
timerConfig = {
OnActiveSec = lib.mkDefault 60;
OnUnitActiveSec = lib.mkDefault 60;
};
};
systemd.services.syncthing-init-api-key =
let
apiKey = config.clan.core.vars.generators.syncthing.files."syncthing.api".path;
in
lib.mkIf config.clan.syncthing.autoAcceptDevices {
description = "Set the api key";
after = [ "syncthing-init.service" ];
wantedBy = [ "multi-user.target" ];
script = ''
# set -x
set -efu pipefail
APIKEY=$(cat ${apiKey})
${lib.getExe pkgs.gnused} -i "s/<apikey>.*<\/apikey>/<apikey>$APIKEY<\/apikey>/" ${config.services.syncthing.configDir}/config.xml
# sudo systemctl restart syncthing.service
systemctl restart syncthing.service
'';
serviceConfig = {
BindReadOnlyPaths = [ apiKey ];
Type = "oneshot";
};
};
clan.core.vars.generators.syncthing = {
migrateFact = "syncthing";
files."syncthing.key".group = config.services.syncthing.group;
files."syncthing.key".owner = config.services.syncthing.user;
files."syncthing.cert".group = config.services.syncthing.group;
files."syncthing.cert".owner = config.services.syncthing.user;
files."syncthing.api".group = config.services.syncthing.group;
files."syncthing.api".owner = config.services.syncthing.user;
files."syncthing.pub".secret = false;
runtimeInputs = [
pkgs.coreutils
pkgs.gnugrep
pkgs.syncthing
];
script = ''
syncthing generate --config "$out"
mv "$out"/key.pem "$out"/syncthing.key
mv "$out"/cert.pem "$out"/syncthing.cert
cat "$out"/config.xml | grep -oP '(?<=<device id=")[^"]+' | uniq > "$out"/syncthing.pub
cat "$out"/config.xml | grep -oP '<apikey>\K[^<]+' | uniq > "$out"/syncthing.api
'';
};
}
];
}
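Review bot: The `syncthing-auto-accept` script runs under `set -x` while it reads the API key into `APIKEY` and passes it to curl as `-H "X-API-Key: $APIKEY"`, so each timer run (every 60 s by default) writes the expanded key into the unit's output, which is the journal by default; drop `set -x` or wrap the secret-handling lines in `set +x`. In `syncthing-init-api-key`, `set -efu pipefail` does not enable pipefail, because without `-o` the word is taken as a positional parameter; it should read `set -efu -o pipefail`. Separately, `networking.firewall.allowedTCPPorts = [ 8384 ]` opens the GUI/REST port on every interface rather than only on `zt+`, and `allowedNetworks` is now an empty list. Whether the GUI is reachable beyond loopback depends on `guiAddress`, which this module does not set, so the global rule deserves either a comment explaining why it is needed or removal.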