From e6ed60548397627bf10f561f9438201dbba0a36e Mon Sep 17 00:00:00 2001
From: Azat Bahawi
Date: Sun, 21 Apr 2024 02:15:42 +0300
Subject: 2024-04-21
---
 modules/syncthing.nix | 162 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 162 insertions(+)
 create mode 100644 modules/syncthing.nix
(limited to 'modules/syncthing.nix')
diff --git a/modules/syncthing.nix b/modules/syncthing.nix
new file mode 100644
index 0000000..74d4afe
--- /dev/null
+++ b/modules/syncthing.nix
@@ -0,0 +1,162 @@
+{
+ config,
+ inputs,
+ lib,
+ libNginx,
+ this,
+ ...
+}:
+with lib;
+let
+ cfg = config.nixfiles.modules.syncthing;
+in
+{
+ options.nixfiles.modules.syncthing = {
+ enable = mkEnableOption "Syncthing";
+
+ port = mkOption {
+ description = "Port.";
+ type = with types; port;
+ default = 8384;
+ };
+
+ domain = mkOption {
+ description = "Domain name sans protocol scheme.";
+ type = with types; str;
+ default = "syncthing.${config.networking.fqdn}";
+ };
+ };
+
+ config = mkIf cfg.enable (mkMerge [
+ {
+ secrets = {
+ "syncthing-cert-${this.hostname}" = with config.services.syncthing; {
+ file = "${inputs.self}/secrets/syncthing-cert-${this.hostname}";
+ owner = user;
+ inherit group;
+ };
+
+ "syncthing-key-${this.hostname}" = with config.services.syncthing; {
+ file = "${inputs.self}/secrets/syncthing-key-${this.hostname}";
+ owner = user;
+ inherit group;
+ };
+ };
+
+ services.syncthing = {
+ enable = true;
+
+ user = my.username;
+ inherit (config.my) group;
+
+ dataDir = "${config.dirs.config}/syncthing";
+ configDir = config.services.syncthing.dataDir;
+
+ guiAddress = "127.0.0.1:${toString cfg.port}";
+
+ cert = config.secrets."syncthing-cert-${this.hostname}".path;
+ key = config.secrets."syncthing-key-${this.hostname}".path;
+
+ overrideDevices = false;
+ overrideFolders = false;
+
+ settings = {
+ options = {
+ autoUpgradeIntervalH = 0;
+ crashReportingEnabled = false;
+ globalAnnounceEnabled = false;
+ relaysEnabled = false;
+ setLowPriority = this.isHeadless;
+ stunKeepaliveStartS = 0;
+ urAccepted = -1;
+ };
+
+ gui = {
+ insecureAdminAccess = true;
+ insecureSkipHostcheck = this.isHeadless;
+ };
+
+ devices = mapAttrs (
+ name: attr:
+ mkIf (attr.syncthing.id != null && hasAttr "wireguard" attr) {
+ inherit (attr.syncthing) id;
+ compression = "metadata";
+ introducer = false;
+ address = "tcp://${name}.${config.networking.domain}:22000";
+ autoAcceptFolders = true;
+ untrusted = false;
+ }
+ ) my.configurations;
+
+ folders =
+ let
+ filterDevices =
+ f:
+ attrNames (
+ filterAttrs (
+ _: attr: (attr.hostname != this.hostname) && (attr.syncthing.id != null) && f attr
+ ) my.configurations
+ );
+ all = filterDevices (_: true);
+ notHeadless = filterDevices (attr: !attr.isHeadless);
+ notOther = filterDevices (attr: !attr.isOther);
+
+ simple = {
+ type = "simple";
+ params.keep = "5";
+ };
+ trashcan = {
+ type = "trashcan";
+ params.cleanoutDays = "7";
+ };
+ in
+ with config.hm.xdg.userDirs;
+ {
+ share = {
+ path = publicShare;
+ devices = notHeadless;
+ versioning = trashcan;
+ };
+ pass = {
+ path = config.hm.programs.password-store.settings.PASSWORD_STORE_DIR;
+ devices = notOther;
+ versioning = trashcan;
+ };
+ org = {
+ path = "${documents}/org";
+ devices = all;
+ versioning = simple;
+ };
+ roam = {
+ path = "${documents}/roam";
+ devices = notOther;
+ versioning = simple;
+ };
+ elfeed = {
+ path = "${config.my.home}/.elfeed";
+ devices = notOther;
+ versioning = trashcan;
+ };
+ books = {
+ path = "${documents}/books";
+ devices = notOther;
+ versioning = trashcan;
+ };
+ };
+ };
+ };
+
+ systemd.services.syncthing.environment.STNODEFAULTFOLDER = "yes";
+ }
+ (mkIf this.isHeadless {
+ nixfiles.modules.nginx = {
+ enable = true;
+ upstreams.syncthing.servers.${config.services.syncthing.guiAddress} = { };
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://syncthing";
+ extraConfig = libNginx.config.internalOnly;
+ };
+ };
+ })
+ ]);
+}
-- 
cgit v1.2.3
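Review bot: `insecureAdminAccess = true` in the `gui` block turns off Syncthing's own GUI/REST authentication, and on headless hosts `insecureSkipHostcheck = this.isHeadless` also drops the Host-header check that guards against DNS rebinding, so the only barrier in front of an admin interface that can rewrite device and folder configuration is the loopback `guiAddress` plus nginx's `libNginx.config.internalOnly` snippet, whose contents are not in this hunk. I would either set `user`/`password` (a hashed password) in `settings.gui`, or add a comment above the `gui` block stating that auth is deliberately off and what the proxy is expected to enforce, e.g. `# No GUI auth on purpose: reachable only on loopback, or via the internal-only nginx vhost on headless hosts.`. If the host check is skipped only because the proxy forwards the vhost's Host header, having the proxy rewrite Host to the `guiAddress` value instead would keep the rebinding protection. Separately, `autoAcceptFolders = true` on every paired device lets any of them create folders on this host, and with `overrideFolders = false` those folders persist in the live config, which is worth a one-line comment so the trust decision is explicit.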