feat(synthing): simplified syncthing config

I exported configuration syncthing outside nixos. I don't need immutable config for syncthing
Wittano · Dec 16, 2024 · dd8af4f · dd8af4f
1 parent 863dafe
commit dd8af4f
Showing 1 changed file with 58 additions and 57 deletions.
diff --git a/nixos/services/syncthing.nix b/nixos/services/syncthing.nix
@@ -1,68 +1,69 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 with lib;
 with lib.my;
 let
   cfg = config.services.syncthing.wittano;
-
-  laptop = "Debian - Laptop";
-  work = "Windows - Work";
-  trueNas = "TrueNAS - Server";
-  phone = "Android - Phone";
+  user = "wittano";
+  group = "syncthing";
+  dataDir = "/home/wittano/.cache/syncthing";
+  configDir = "/home/wittano/.config/syncthing";
+  package = pkgs.syncthing;
 in
 {
   options.services.syncthing.wittano.enable = mkEnableOption "Enable syncthing deamon";
 
-  config = {
-    services.syncthing = {
-      enable = cfg.enable;
-      systemService = true;
-      dataDir = "/home/wittano/.cache/syncthing";
-      configDir = "/home/wittano/.config/syncthing";
-      user = "wittano";
-      settings = {
-        folders = {
-          projects = {
-            id = "pwxg9-eq2rf";
-            label = "Programming projects";
-            path = "~/projects";
-            devices = [
-              trueNas
-              laptop
-            ];
-          };
-          learning = {
-            id = "7uub2-oxvra";
-            label = "Enterprice learning projects";
-            path = "~/projects/learning";
-            devices = [
-              work
-              laptop
-            ];
-            versioning = {
-              type = "trashcan";
-              params = {
-                keep = "3";
-                cleanoutDays = "356";
-              };
-            };
-          };
-          sync = {
-            id = "default";
-            label = "Sync folder";
-            path = "~/Sync";
-            devices = [
-              phone
-              trueNas
-              laptop
-            ];
-          };
-        };
-        devices = {
-          ${phone}.id = "WOQUTMO-7NJ7ONW-TMJ27JC-ENUM6QN-WE35NQO-MEUP3VQ-FEMMI2E-TCT4LQ4";
-          ${trueNas}.id = "CIMVMQO-7RLKQAL-BXRS6Z3-XXFPRLB-PYHZUR3-KKH5HGX-PFWLY6S-C3KLEQ6";
-          ${work}.id = "M3EUKVC-IYHSZZF-OFX75LZ-3E4WZAJ-PGUTYXD-FYDZSEW-GRBGRDZ-IBOHGQK";
-          ${laptop}.id = "JAPRBPA-7KH7MCW-7TXX5WA-AYEKCC2-ACWEPAF-6SXEA3N-ELU2N7Q-TFSZ5QM";
-        };
+  config = mkIf cfg.enable {
+    systemd.packages = [ package ];
+
+    users.groups.${group}.gid = config.ids.gids.syncthing;
+
+    users.users.wittano.extraGroups = [
+      group
+    ];
+
+    systemd.services.syncthing = mkIf cfg.enable {
+      description = "Syncthing service";
+      after = [ "network.target" ];
+      environment = {
+        STNORESTART = "yes";
+        STNOUPGRADE = "yes";
+      };
+      wantedBy = [ "multi-user.target" ];
+      serviceConfig = {
+        Restart = "on-failure";
+        SuccessExitStatus = "3 4";
+        RestartForceExitStatus = "3 4";
+        User = user;
+        Group = group;
+        ExecStart = ''
+          ${package}/bin/syncthing \
+            -no-browser \
+            -gui-address=127.0.0.1:8384 \
+            -config=${configDir} \
+            -data=${dataDir} \
+        '';
+        MemoryDenyWriteExecute = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectControlGroups = true;
+        ProtectHostname = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        CapabilityBoundingSet = [
+          "~CAP_SYS_PTRACE"
+          "~CAP_SYS_ADMIN"
+          "~CAP_SETGID"
+          "~CAP_SETUID"
+          "~CAP_SETPCAP"
+          "~CAP_SYS_TIME"
+          "~CAP_KILL"
+        ];
       };
     };
   };