{ config, inputs, lib, libNginx, this, ... }:

# Syncthing for this host.  Peers come exclusively from `my.configurations`
# (no global announce, no relays), the TLS identity is a per-host secret, and
# on headless hosts the GUI is published through nginx behind the shared
# internal-only ACL.
with lib;

let
  cfg = config.nixfiles.modules.syncthing;

  # Attribute name of this host's secret of the given kind ("cert" / "key").
  secretName = kind: "syncthing-${kind}-${this.hostname}";
in
{
  options.nixfiles.modules.syncthing = {
    enable = mkEnableOption "Syncthing";

    domain = mkOption {
      description = "Domain name sans protocol scheme.";
      type = types.str;
      default = "syncthing.${config.networking.fqdn}";
    };
  };

  config = mkIf cfg.enable {
    # TLS certificate and key are decrypted secrets owned by the service
    # user/group so that the daemon can read them.
    secrets =
      let
        inherit (config.services.syncthing) user group;
        secretFor = kind: {
          file = "${inputs.self}/secrets/${secretName kind}";
          owner = user;
          inherit group;
        };
      in
      {
        ${secretName "cert"} = secretFor "cert";
        ${secretName "key"} = secretFor "key";
      };

    services.syncthing = {
      enable = true;

      # Runs as the primary user, with state kept in their home directory.
      user = my.username;
      inherit (config.my) group;
      dataDir = config.my.home;

      # Loopback only; remote access is only via the nginx proxy below.
      guiAddress = "127.0.0.1:8384";

      cert = config.secrets.${secretName "cert"}.path;
      key = config.secrets.${secretName "key"}.path;

      # Declarative config wins: devices/folders added via the GUI are dropped.
      overrideDevices = true;
      overrideFolders = true;

      settings = {
        options = {
          autoUpgradeIntervalH = 0; # Upgrades come from nixpkgs, never self-update.
          crashReportingEnabled = false;
          # No global discovery, relays or STUN keepalives: peers are reached
          # directly at the static addresses declared in `devices` below.
          globalAnnounceEnabled = false;
          relaysEnabled = false;
          stunKeepaliveStartS = 0;
          setLowPriority = this.isHeadless;
          urAccepted = -1; # Usage reporting explicitly declined.
        };

        gui = {
          # No GUI authentication at all.  The trust boundary is the loopback
          # bind above plus, on headless hosts, the `internalOnly` nginx ACL;
          # anything that can reach 127.0.0.1:8384 has full admin access.
          insecureAdminAccess = true;
          # Presumably needed because the proxied Host header is `cfg.domain`
          # rather than localhost; only relaxed where the proxy exists.
          insecureSkipHostcheck = this.isHeadless;
        };

        # Every configured host that has a Syncthing ID and a WireGuard config
        # becomes a peer, addressed by its FQDN on the default sync port.
        devices = flip mapAttrs my.configurations (host: peer:
          mkIf (peer.syncthing.id != null && peer ? wireguard) {
            inherit (peer.syncthing) id;
            addresses = [ "tcp://${host}.${config.networking.domain}:22000" ];
            # Headless hosts act as introducers for the rest of the mesh.
            introducer = this.isHeadless;
          });

        folders =
          let
            inherit (config.hm.xdg.userDirs) publicShare documents;

            # Names of the *other* hosts that have a Syncthing ID and satisfy `pred`.
            peersWhere = pred: attrNames (filterAttrs
              (_: peer:
                peer.hostname != this.hostname
                && peer.syncthing.id != null
                && pred peer)
              my.configurations);

            everyPeer = peersWhere (_: true);
            interactivePeers = peersWhere (peer: !peer.isHeadless);
            ownPeers = peersWhere (peer: !peer.isOther); # excludes `isOther` hosts

            keepFive = { type = "simple"; params.keep = "5"; };
            weekTrash = { type = "trashcan"; params.cleanoutDays = "7"; };
          in
          {
            share = {
              path = publicShare;
              devices = interactivePeers;
              versioning = weekTrash;
            };
            pass = {
              # Password store; not shared with `isOther` hosts.
              path = config.hm.programs.password-store.settings.PASSWORD_STORE_DIR;
              devices = ownPeers;
              versioning = weekTrash;
            };
            org = {
              path = "${documents}/org"; # Configured by Emacs.
              devices = everyPeer;
              versioning = keepFive;
            };
            roam = {
              path = "${documents}/roam"; # Configured by Emacs.
              devices = ownPeers;
              versioning = keepFive;
            };
            elfeed = {
              path = "${config.my.home}/.elfeed"; # Configured by Emacs.
              devices = ownPeers;
              versioning = weekTrash;
            };
            books = {
              path = "${documents}/books";
              devices = ownPeers;
              versioning = weekTrash;
            };
          };
      };
    };

    # Do not create the stock default folder; every folder is declared above.
    systemd.services.syncthing.environment.STNODEFAULTFOLDER = "yes";

    # Headless hosts publish the GUI under `cfg.domain`, gated by the shared
    # internal-only nginx ACL (the GUI itself has no auth, see `gui` above).
    nixfiles.modules.nginx = mkIf this.isHeadless {
      enable = true;
      upstreams.syncthing.servers.${config.services.syncthing.guiAddress} = { };
      virtualHosts.${cfg.domain} = {
        locations."/".proxyPass = "http://syncthing";
        extraConfig = libNginx.config.internalOnly;
      };
    };
  };
}