Replace rclone with syncthing

2025-12-02 02:37:02 +01:00
parent 1854c56c63
commit b473b2dc16
5 changed files with 75 additions and 1 deletions
--- a/modules/home-manager/desktop.nix
+++ b/modules/home-manager/desktop.nix
@@ -23,9 +23,9 @@
    ./kitty.nix
    ./lazygit.nix
    ./nh.nix
-    ./rclone.nix
    ./spicetify.nix
    ./ssh.nix
+    ./syncthing.nix
    ./thunar.nix
    ./thunderbird.nix
    ./todoman.nix
--- a/modules/nixos/desktop.nix
+++ b/modules/nixos/desktop.nix
@@ -9,5 +9,6 @@
    ./hyprland.nix
    ./printing.nix
    ./systemd-boot.nix
+    ./syncthing.nix
  ];
 }
--- a/modules/nixos/syncthing.nix
+++ b/modules/nixos/syncthing.nix
@@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  username = config.var.username;
+  hostname = config.var.hostname;
+  isOrion = hostname == "orion";
+
+  # On desktops, sync to home directory. On server, sync to filebrowser storage.
+  syncPath = if isOrion then "/var/lib/filebrowser/files" else "/home/${username}/sync";
+  group = if isOrion then "filebrowser" else "users";
+in
+{
+  # 1. Firewall rules for synchronization
+  networking.firewall = {
+    allowedTCPPorts = [ 22000 ];
+    allowedUDPPorts = [
+      22000
+      21027
+    ];
+  };
+
+  # 3. Syncthing Service Configuration
+  services.syncthing = {
+    enable = true;
+
+    user = username;
+    group = group;
+
+    overrideDevices = true; # Overrides any devices added via Web UI
+    overrideFolders = true; # Overrides any folders added via Web UI
+
+    settings = {
+      devices = config.var.syncthing.devices;
+
+      folders = {
+        "sync" = {
+          path = syncPath;
+          devices = builtins.attrNames config.var.syncthing.devices; # Share with all defined devices
+          # Ensure new files are readable by the group (chmod 770 approx)
+          ignorePerms = false;
+        };
+      };
+
+      gui = {
+        # access the GUI on localhost:8384
+        theme = "black";
+      };
+    };
+  };
+
+  # 4. Permission Hardening for Orion
+  # Force syncthing to write files with group-write permissions (007 umask = 770 perms)
+  systemd.services.syncthing.serviceConfig.UMask = lib.mkIf isOrion "0007";
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/syncthing 0700 ${username} ${group} -"
+  ];
+}
--- a/modules/variables.nix
+++ b/modules/variables.nix
@@ -25,6 +25,17 @@
      browser = "brave";
    };

+    syncthing = {
+      devices = {
+        "altair" = {
+          id = "HDHWROJ-ZLNQKCL-PN6WGHA-IGJHIRI-3UHDYUU-LUJHYK4-UMKWLAZ-VFISJQF";
+        };
+        "orion" = {
+          id = "7ESQ3BX-FEW7656-ZPT3CKF-FLXON26-HXRNTDW-THSJBNF-LFWCHFB-ASP4WAG";
+        };
+      };
+    };
+
    autoUpgrade = false;
    autoGarbageCollector = true;
  };