syncthing

2026-01-13 14:49:48 -05:00
parent a93c789278
commit f83e1170af
3 changed files with 62 additions and 0 deletions
--- a/configuration.nix
+++ b/configuration.nix
@@ -45,6 +45,8 @@
    ./services/graphing-calculator.nix

    ./services/ssh.nix
+
+    ./services/syncthing.nix
  ];

  services.kmscon.enable = true;
--- a/flake.nix
+++ b/flake.nix
@@ -110,6 +110,9 @@
          soulseek_listen = 50300;
          llama_cpp = 8991;
          vaultwarden = 8222;
+          syncthing_gui = 8384;
+          syncthing_protocol = 22000;
+          syncthing_discovery = 21027;
        };

        https = {
@@ -160,6 +163,11 @@
        monero = {
          dataDir = services_dir + "/monero";
        };
+
+        syncthing = {
+          dataDir = services_dir + "/syncthing";
+          signalBackupDir = "/${zpool_ssds}/bak/signal";
+        };
      };

      pkgs = import nixpkgs {
--- a/services/syncthing.nix
+++ b/services/syncthing.nix
@@ -0,0 +1,52 @@
+{
+  config,
+  lib,
+  pkgs,
+  service_configs,
+  ...
+}:
+{
+  imports = [
+    (lib.serviceMountWithZpool "syncthing" service_configs.zpool_ssds [
+      service_configs.syncthing.dataDir
+      service_configs.syncthing.signalBackupDir
+    ])
+  ];
+
+  services.syncthing = {
+    enable = true;
+
+    dataDir = service_configs.syncthing.dataDir;
+
+    guiAddress = "127.0.0.1:${toString service_configs.ports.syncthing_gui}";
+
+    overrideDevices = false;
+    overrideFolders = false;
+
+    settings = {
+      gui = {
+        insecureSkipHostcheck = true; # Allow access via reverse proxy
+      };
+      options = {
+        urAccepted = 1; # enable usage reporting
+        relaysEnabled = true;
+      };
+    };
+  };
+
+  # Open firewall ports for syncthing protocol
+  networking.firewall = {
+    allowedTCPPorts = [ service_configs.ports.syncthing_protocol ];
+    allowedUDPPorts = [ service_configs.ports.syncthing_discovery ];
+  };
+
+  services.caddy.virtualHosts."syncthing.${service_configs.https.domain}".extraConfig = ''
+    import ${config.age.secrets.caddy_auth.path}
+    reverse_proxy :${toString service_configs.ports.syncthing_gui}
+  '';
+
+  systemd.tmpfiles.rules = [
+    "Z ${service_configs.syncthing.dataDir} 0750 ${config.services.syncthing.user} ${config.services.syncthing.group}"
+    "Z ${service_configs.syncthing.signalBackupDir} 0750 ${config.services.syncthing.user} ${config.services.syncthing.group}"
+  ];
+}