dotfiles/modules/os/misc/syncthing.nix
eriedaberrie 1a737bd471 Initial commit
Note: not the actual initial commit.

I swear I will stop repeatedly force pushing to this single commit eventually
ok.
2024-09-21 01:09:53 -07:00


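# Syncthing as a system service, optionally run under the primary user's
# account and optionally wrapped with mullvad-exclude so its traffic bypasses
# the VPN tunnel.
{ pkgs, config, lib, ... }:
let
  cfg = config.my.syncthing;
in {
  options.my.syncthing = {
    # mkEnableOption interpolates its argument into the option description;
    # passing null fails as soon as that description is evaluated (e.g. when
    # option docs are rendered), so give both options a real name.
    enable = lib.mkEnableOption "Syncthing";
    asUser = lib.mkEnableOption "running Syncthing as the primary user instead of the dedicated service account";
  };

  config = lib.mkIf cfg.enable (lib.mkMerge [
    {
      services.syncthing = {
        enable = true;
        # Opens the firewall for Syncthing's default sync and discovery ports.
        openDefaultPorts = true;
        # Keep devices/folders added through the web UI rather than replacing
        # them with the declarative (here: empty) set on every activation.
        overrideDevices = false;
        overrideFolders = false;
      };
    }

    (lib.mkIf cfg.asUser {
      services.syncthing = {
        # The daemon runs with the primary user's identity and therefore that
        # user's filesystem access; the group is left to the module.
        user = config.my.user.username;
        configDir = "/var/lib/syncthing";
      };
      my.user.extraGroups = [ config.services.syncthing.group ];
      # The config dir holds Syncthing's device key and configuration. Create
      # it 0750 owned by the service user/group and re-apply owner/mode on
      # every boot (`z` is non-recursive) so the user switch never leaves it
      # readable by other local accounts.
      systemd.tmpfiles.rules = let
        inherit (config.services.syncthing) user group configDir;
      in [
        "d '${configDir}' 0750 ${user} ${group} - -"
        "z '${configDir}' 0750 ${user} ${group} - -"
      ];
    })

    (let
      mullvadCfg = config.services.mullvad-vpn;
    in lib.mkIf (mullvadCfg.enable && mullvadCfg.enableExcludeWrapper) {
      # Launch syncthing through the setuid mullvad-exclude wrapper so it runs
      # outside the tunnel. Note this pins pkgs.syncthing: a
      # services.syncthing.package set elsewhere is replaced by this wrapper.
      services.syncthing.package = pkgs.writeShellScriptBin "syncthing" ''
        exec /run/wrappers/bin/mullvad-exclude ${pkgs.syncthing}/bin/syncthing "$@"
      '';
      # Setuid in mullvad-exclude to perform cgroup shenanigans: these three
      # unit settings would otherwise block the privilege gain and the cgroup
      # move. They are the only hardening knobs relaxed here; everything else
      # the syncthing module applies to the unit stays in effect.
      systemd.services.syncthing.serviceConfig = {
        NoNewPrivileges = lib.mkForce false;
        RestrictSUIDSGID = lib.mkForce false;
        ProtectControlGroups = lib.mkForce false;
      };
    })
  ]);
}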