From f83e1170afcb254ec4636f1caa1ce955e42afad5 Mon Sep 17 00:00:00 2001 From: Simon Gardling Date: Tue, 13 Jan 2026 14:49:48 -0500 Subject: [PATCH] syncthing --- configuration.nix | 2 ++ flake.nix | 8 +++++++ services/syncthing.nix | 52 ++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 62 insertions(+) create mode 100644 services/syncthing.nix diff --git a/configuration.nix b/configuration.nix index d2d520c..ae71767 100644 --- a/configuration.nix +++ b/configuration.nix @@ -45,6 +45,8 @@ ./services/graphing-calculator.nix ./services/ssh.nix + + ./services/syncthing.nix ]; services.kmscon.enable = true; diff --git a/flake.nix b/flake.nix index 05d5f0f..b7cb414 100644 --- a/flake.nix +++ b/flake.nix @@ -110,6 +110,9 @@ soulseek_listen = 50300; llama_cpp = 8991; vaultwarden = 8222; + syncthing_gui = 8384; + syncthing_protocol = 22000; + syncthing_discovery = 21027; }; https = { @@ -160,6 +163,11 @@ monero = { dataDir = services_dir + "/monero"; }; + + syncthing = { + dataDir = services_dir + "/syncthing"; + signalBackupDir = "/${zpool_ssds}/bak/signal"; + }; }; pkgs = import nixpkgs { diff --git a/services/syncthing.nix b/services/syncthing.nix new file mode 100644 index 0000000..cc00227 --- /dev/null +++ b/services/syncthing.nix 
@@ -0,0 +1,52 @@
+{
+ config,
+ lib,
+ pkgs,
+ service_configs,
+ ...
+}:
+{
+ imports = [
+ (lib.serviceMountWithZpool "syncthing" service_configs.zpool_ssds [
+ service_configs.syncthing.dataDir
+ service_configs.syncthing.signalBackupDir
+ ])
+ ];
+
+ services.syncthing = {
+ enable = true;
+
+ dataDir = service_configs.syncthing.dataDir;
+
+ guiAddress = "127.0.0.1:${toString service_configs.ports.syncthing_gui}";
+
+ overrideDevices = false;
+ overrideFolders = false;
+
+ settings = {
+ gui = {
+ insecureSkipHostcheck = true; # Allow access via reverse proxy
+ };
+ options = {
+ urAccepted = 1; # enable usage reporting
+ relaysEnabled = true;
+ };
+ };
+ };
+
+ # Open firewall ports for syncthing protocol
+ networking.firewall = {
+ allowedTCPPorts = [ service_configs.ports.syncthing_protocol ];
+ allowedUDPPorts = [ service_configs.ports.syncthing_discovery ];
+ };
+
+ services.caddy.virtualHosts."syncthing.${service_configs.https.domain}".extraConfig = ''
+ import ${config.age.secrets.caddy_auth.path}
+ reverse_proxy :${toString service_configs.ports.syncthing_gui}
+ '';
+
+ systemd.tmpfiles.rules = [
+ "Z ${service_configs.syncthing.dataDir} 0750 ${config.services.syncthing.user} ${config.services.syncthing.group}"
+ "Z ${service_configs.syncthing.signalBackupDir} 0750 ${config.services.syncthing.user} ${config.services.syncthing.group}"
+ ];
+}
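Review bot: `insecureSkipHostcheck = true` turns off Syncthing's Host-header check for a GUI bound to loopback, which is its guard against DNS-rebinding requests. Nothing in this file sets GUI credentials, so the imported `caddy_auth` snippet (its contents are not visible here) appears to be the only gate in front of an interface that can add folders and devices. Consider keeping the check on and having Caddy present a loopback Host instead: write the upstream as `reverse_proxy 127.0.0.1:${toString service_configs.ports.syncthing_gui}` with `header_up Host {upstream_hostport}` in its block, then drop the `insecureSkipHostcheck` line once the proxied GUI is confirmed to load. Separately, the two `Z` tmpfiles rules apply 0750 recursively, so regular files under the data and Signal backup directories get execute bits as well; writing the mode as `~0750` masks that for files that are not already executable.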