1a737bd471
Note: not the actual initial commit. I swear I will stop repeatedly force pushing to this single commit eventually ok.
52 lines
1.4 KiB
Nix
52 lines
1.4 KiB
Nix
{ pkgs, config, lib, ... }:
|
|
|
|
let
|
|
cfg = config.my.syncthing;
|
|
in {
|
|
options.my.syncthing = {
|
|
enable = lib.mkEnableOption null;
|
|
asUser = lib.mkEnableOption null;
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable (lib.mkMerge [
|
|
{
|
|
services.syncthing = {
|
|
enable = true;
|
|
openDefaultPorts = true;
|
|
overrideDevices = false;
|
|
overrideFolders = false;
|
|
};
|
|
}
|
|
|
|
(lib.mkIf cfg.asUser {
|
|
services.syncthing = {
|
|
user = config.my.user.username;
|
|
configDir = "/var/lib/syncthing";
|
|
};
|
|
|
|
my.user.extraGroups = [ config.services.syncthing.group ];
|
|
|
|
systemd.tmpfiles.rules = let
|
|
inherit (config.services.syncthing) user group configDir;
|
|
in [
|
|
"d '${configDir}' 0750 ${user} ${group} - -"
|
|
"z '${configDir}' 0750 ${user} ${group} - -"
|
|
];
|
|
})
|
|
|
|
(let
|
|
mullvadCfg = config.services.mullvad-vpn;
|
|
in lib.mkIf (mullvadCfg.enable && mullvadCfg.enableExcludeWrapper) {
|
|
services.syncthing.package = pkgs.writeShellScriptBin "syncthing" ''
|
|
exec /run/wrappers/bin/mullvad-exclude ${pkgs.syncthing}/bin/syncthing "$@"
|
|
'';
|
|
# Setuid in mullvad-exclude to perform cgroup shenanigans
|
|
systemd.services.syncthing.serviceConfig = {
|
|
NoNewPrivileges = lib.mkForce false;
|
|
RestrictSUIDSGID = lib.mkForce false;
|
|
ProtectControlGroups = lib.mkForce false;
|
|
};
|
|
})
|
|
]);
|
|
}
|