syncthing

configuration.nix

@@ -45,6 +45,8 @@
     ./services/graphing-calculator.nix
 
     ./services/ssh.nix
+
+    ./services/syncthing.nix
   ];
 
   services.kmscon.enable = true;

flake.nix

@@ -110,6 +110,9 @@
           soulseek_listen = 50300;
           llama_cpp = 8991;
           vaultwarden = 8222;
+          syncthing_gui = 8384;
+          syncthing_protocol = 22000;
+          syncthing_discovery = 21027;
         };
 
         https = {
@@ -160,6 +163,11 @@
         monero = {
           dataDir = services_dir + "/monero";
         };
+
+        syncthing = {
+          dataDir = services_dir + "/syncthing";
+          signalBackupDir = "/${zpool_ssds}/bak/signal";
+        };
       };
 
       pkgs = import nixpkgs {

services/syncthing.nix

@@ -0,0 +1,52 @@
+{
+  config,
+  lib,
+  pkgs,
+  service_configs,
+  ...
+}:
+{
+  imports = [
+    (lib.serviceMountWithZpool "syncthing" service_configs.zpool_ssds [
+      service_configs.syncthing.dataDir
+      service_configs.syncthing.signalBackupDir
+    ])
+  ];
+
+  services.syncthing = {
+    enable = true;
+
+    dataDir = service_configs.syncthing.dataDir;
+
+    guiAddress = "127.0.0.1:${toString service_configs.ports.syncthing_gui}";
+
+    overrideDevices = false;
+    overrideFolders = false;
+
+    settings = {
+      gui = {
+        insecureSkipHostcheck = true; # Allow access via reverse proxy
+      };
+      options = {
+        urAccepted = 1; # enable usage reporting
+        relaysEnabled = true;
+      };
+    };
+  };
+
+  # Open firewall ports for syncthing protocol
+  networking.firewall = {
+    allowedTCPPorts = [ service_configs.ports.syncthing_protocol ];
+    allowedUDPPorts = [ service_configs.ports.syncthing_discovery ];
+  };
+
+  services.caddy.virtualHosts."syncthing.${service_configs.https.domain}".extraConfig = ''
+    import ${config.age.secrets.caddy_auth.path}
+    reverse_proxy :${toString service_configs.ports.syncthing_gui}
+  '';
+
+  systemd.tmpfiles.rules = [
+    "Z ${service_configs.syncthing.dataDir} 0750 ${config.services.syncthing.user} ${config.services.syncthing.group}"
+    "Z ${service_configs.syncthing.signalBackupDir} 0750 ${config.services.syncthing.user} ${config.services.syncthing.group}"
+  ];
+}