kiri/nixos-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: kiri:bdb9d72c1e9306706e34e753c3b48803902dc802
Branches Tags
kiri:main
..
compare: kiri:main
Branches Tags
kiri:main

17 Commits
bdb9d72c1e ... main

Author SHA1 Message Date
kiri
7153e2d3e3 Merge branch 'main' of orion:kiri/nixos-config 2025-12-04 18:48:31 +01:00
kiri
24b1438410 Sort todoman using priority 2025-12-04 18:45:31 +01:00
kiri
3d62cc10d3 Add host for work github 2025-12-04 18:45:24 +01:00
kiri
f92f4e8362 Add second key to gpg-agent 2025-12-04 18:45:11 +01:00
kiri
60fe1fd579 Remove home-manager syncthing 2025-12-04 18:44:56 +01:00
kiri
575d797b5c Add rustc for nixCats 2025-12-04 18:44:39 +01:00
kiri
b492aeb371 Move lazydev config and load blink.cmp on start 2025-12-04 18:44:15 +01:00
kiri
023007dc79 Fix syncthing perms 2025-12-04 18:42:28 +01:00
kiri
962aadd77b Add trash-cli 2025-12-04 18:42:22 +01:00
kiri
cb2388c3c6 Add harper and enable underline diagnostics 2025-12-04 18:42:17 +01:00
kiri
dca64dd6c2 Enable wake-on-lan for polaris 2025-12-04 18:41:59 +01:00
kiri
2a63a01ce3 Add float rule for imv 2025-12-02 13:29:21 +01:00
kiri
f794cdb44c Add polaris to syncthing devices 2025-12-02 13:20:03 +01:00
kiri
2b7c944ba5 Remove reference to syncthing home-manager module 2025-12-02 13:18:38 +01:00
kiri
b473b2dc16 Replace rclone with syncthing 2025-12-02 02:37:02 +01:00
kiri
1854c56c63 Add a homepage module 2025-12-02 01:31:33 +01:00
kiri
91cafd8108 Disable google drive sync 2025-12-02 01:11:59 +01:00
14 changed files with 467 additions and 199 deletions
Expand all files Collapse all files

2
hosts/orion/system.nix
View File

@@ -10,9 +10,9 @@
../../modules/nixos/caddy.nix ../../modules/nixos/caddy.nix
../../modules/nixos/bitwarden.nix ../../modules/nixos/bitwarden.nix
../../modules/nixos/firewall.nix ../../modules/nixos/firewall.nix
../../modules/nixos/syncthing.nix
../../modules/nixos/filebrowser.nix ../../modules/nixos/filebrowser.nix
../../modules/nixos/home-assistant.nix ../../modules/nixos/home-assistant.nix
../../modules/nixos/glance.nix
../../modules/nixos/radicale.nix ../../modules/nixos/radicale.nix
../../modules/nixos/actual-budget.nix ../../modules/nixos/actual-budget.nix
../../modules/nixos/gitea.nix ../../modules/nixos/gitea.nix

12
hosts/polaris/system.nix
View File

@@ -3,10 +3,22 @@
imports = [ imports = [
../../modules/nixos/desktop.nix ../../modules/nixos/desktop.nix
../../modules/nixos/ssh.nix
./hardware-configuration.nix ./hardware-configuration.nix
./variables.nix ./variables.nix
]; ];
networking = {
interfaces = {
enp5s0 = {
wakeOnLan.enable = true;
};
};
firewall = {
allowedUDPPorts = [ 9 ];
};
};
home-manager.users."${config.var.username}" = import ./home.nix; home-manager.users."${config.var.username}" = import ./home.nix;
system.stateVersion = "24.05"; system.stateVersion = "24.05";

3
modules/home-manager/desktop.nix
View File

@@ -23,7 +23,6 @@
./kitty.nix ./kitty.nix
./lazygit.nix ./lazygit.nix
./nh.nix ./nh.nix
./rclone.nix
./spicetify.nix ./spicetify.nix
./ssh.nix ./ssh.nix
./thunar.nix ./thunar.nix
@@ -90,6 +89,8 @@
cmatrix cmatrix
libreoffice-qt6-fresh libreoffice-qt6-fresh
trash-cli
]; ];
}; };
} }

8
modules/home-manager/gpg.nix
View File

@@ -2,7 +2,8 @@
config, config,
pkgs, pkgs,
... ...
}: { }:
{
programs.gpg = { programs.gpg = {
enable = true; enable = true;
homedir = "${config.xdg.dataHome}/gnupg"; homedir = "${config.xdg.dataHome}/gnupg";
@@ -15,6 +16,9 @@
pinentry = { pinentry = {
package = pkgs.pinentry-gnome3; package = pkgs.pinentry-gnome3;
}; };
sshKeys = ["CD848796822630B280FC6DFA55F24A20040F22B5"]; sshKeys = [
"CD848796822630B280FC6DFA55F24A20040F22B5"
"B8FBDFBD7F42C444C17E086E0EE2E34FB43A7187"
];
}; };
} }

5
modules/home-manager/hyprland/default.nix
View File

@@ -144,9 +144,10 @@ in
windowrule = [ windowrule = [
"match:title hyprpanel-settings, float on" "match:title hyprpanel-settings, float on"
"match:class xdg-desktop-portal-gtk, float on, center on, size monitor_w/2 monitor_h/2" "match:class xdg-desktop-portal-gtk, float on, center on, size (monitor_w * 0.5) (monitor_h * 0.5)"
# Match on bitwarden chrome extension id # Match on bitwarden chrome extension id
"match:class .*nngceckbapebfimnlniiiahkandclblb.*, float on, center on, size monitor_w/2 monitor_h/2" "match:class .*nngceckbapebfimnlniiiahkandclblb.*, float on, center on, size (monitor_w * 0.5) (monitor_h * 0.5)"
"match:class imv, float on, center on, max_size (monitor_w * 0.8) (monitor_h * 0.8)"
]; ];
layerrule = [ layerrule = [

3
modules/home-manager/nixCats/default.nix
View File

@@ -45,6 +45,7 @@ let
typescript typescript
typescript-language-server typescript-language-server
rustc
rust-analyzer rust-analyzer
rustfmt rustfmt
@@ -60,6 +61,8 @@ let
typstyle typstyle
ltex-ls-plus ltex-ls-plus
harper
]; ];
}; };

14
modules/home-manager/nixCats/lua/plugins/coding.lua
View File

@@ -171,13 +171,25 @@ require("lz.n").load({
require("luasnip.loaders.from_vscode").lazy_load() require("luasnip.loaders.from_vscode").lazy_load()
end, end,
}, },
{
-- lazydev makes your lsp way better in your config without needing extra lsp configuration.
"lazydev.nvim",
cmd = "LazyDev",
ft = "lua",
after = function()
require("lazydev").setup({
library = {
{ words = { "nixCats" }, path = (nixCats.nixCatsPath or "") .. "/lua" },
},
})
end,
},
{ {
"blink.cmp", "blink.cmp",
before = function() before = function()
-- Trigger lazydev so it's ready for blink source -- Trigger lazydev so it's ready for blink source
require("lz.n").trigger_load({ "lazydev.nvim", "luasnip" }) require("lz.n").trigger_load({ "lazydev.nvim", "luasnip" })
end, end,
event = "VimEnter",
after = function() after = function()
require("blink.cmp").setup({ require("blink.cmp").setup({
keymap = { keymap = {

315
modules/home-manager/nixCats/lua/plugins/lsp.lua
View File

@@ -1,185 +1,172 @@
require("lz.n").load({ require("lz.n").load({
{ {
{ "nvim-lspconfig",
-- lazydev makes your lsp way better in your config without needing extra lsp configuration. event = { "BufReadPre", "BufNewFile" },
"lazydev.nvim", after = function()
cmd = "LazyDev", vim.api.nvim_create_autocmd("LspAttach", {
ft = "lua", group = vim.api.nvim_create_augroup("kickstart-lsp-attach", { clear = true }),
after = function() callback = function(args)
require("lazydev").setup({ -- Get the client and buffer from the event arguments [cite: 119]
library = { local client = vim.lsp.get_client_by_id(args.data.client_id)
{ words = { "nixCats" }, path = (nixCats.nixCatsPath or "") .. "/lua" }, local bufnr = args.buf
local map = function(keys, func, desc, mode)
mode = mode or "n"
vim.keymap.set(mode, keys, func, { buffer = bufnr, desc = "LSP: " .. desc })
end
-- Mappings (Standard LSP functions from lsp-defaults) [cite: 20-23]
map("grn", vim.lsp.buf.rename, "[R]e[n]ame")
map("gra", vim.lsp.buf.code_action, "[G]oto Code [A]ction", { "n", "x" })
map("grD", vim.lsp.buf.declaration, "[G]oto [D]eclaration")
-- Telescope Mappings
map("grr", require("telescope.builtin").lsp_references, "[G]oto [R]eferences")
map("gri", require("telescope.builtin").lsp_implementations, "[G]oto [I]mplementation")
map("grd", require("telescope.builtin").lsp_definitions, "[G]oto [D]efinition")
map("gO", require("telescope.builtin").lsp_document_symbols, "Open Document Symbols")
map("gW", require("telescope.builtin").lsp_dynamic_workspace_symbols, "Open Workspace Symbols")
map("grt", require("telescope.builtin").lsp_type_definitions, "[G]oto [T]ype Definition")
-- Highlight references (Document Highlight)
if client and client:supports_method("textDocument/documentHighlight", bufnr) then
local highlight_augroup = vim.api.nvim_create_augroup("kickstart-lsp-highlight", { clear = false })
vim.api.nvim_create_autocmd({ "CursorHold", "CursorHoldI" }, {
buffer = bufnr,
group = highlight_augroup,
callback = vim.lsp.buf.document_highlight,
})
vim.api.nvim_create_autocmd({ "CursorMoved", "CursorMovedI" }, {
buffer = bufnr,
group = highlight_augroup,
callback = vim.lsp.buf.clear_references,
})
vim.api.nvim_create_autocmd("LspDetach", {
group = vim.api.nvim_create_augroup("kickstart-lsp-detach", { clear = true }),
callback = function(event)
vim.lsp.buf.clear_references()
vim.api.nvim_clear_autocmds({ group = "kickstart-lsp-highlight", buffer = event.buf })
end,
})
end
-- Inlay Hints
if client and client:supports_method("textDocument/inlayHint", bufnr) then
map("<leader>th", function()
vim.lsp.inlay_hint.enable(not vim.lsp.inlay_hint.is_enabled({ bufnr = bufnr }))
end, "[T]oggle Inlay [H]ints")
end
end,
})
-- 1. Setup Diagnostics (Visuals)
vim.diagnostic.config({
severity_sort = true,
-- underline = { severity = vim.diagnostic.severity.ERROR },
signs = {
text = {
[vim.diagnostic.severity.ERROR] = "",
[vim.diagnostic.severity.WARN] = "",
[vim.diagnostic.severity.INFO] = "",
[vim.diagnostic.severity.HINT] = "󰠠 ",
}, },
}) },
end, virtual_text = {
}, source = "if_many",
{ spacing = 4,
"nvim-lspconfig", prefix = "",
event = { "BufReadPre", "BufNewFile" }, format = function(diagnostic)
after = function() local diagnostic_message = {
vim.api.nvim_create_autocmd("LspAttach", { [vim.diagnostic.severity.ERROR] = diagnostic.message,
group = vim.api.nvim_create_augroup("kickstart-lsp-attach", { clear = true }), [vim.diagnostic.severity.WARN] = diagnostic.message,
callback = function(args) [vim.diagnostic.severity.INFO] = diagnostic.message,
-- Get the client and buffer from the event arguments [cite: 119] [vim.diagnostic.severity.HINT] = diagnostic.message,
local client = vim.lsp.get_client_by_id(args.data.client_id) }
local bufnr = args.buf return diagnostic_message[diagnostic.severity]
local map = function(keys, func, desc, mode)
mode = mode or "n"
vim.keymap.set(mode, keys, func, { buffer = bufnr, desc = "LSP: " .. desc })
end
-- Mappings (Standard LSP functions from lsp-defaults) [cite: 20-23]
map("grn", vim.lsp.buf.rename, "[R]e[n]ame")
map("gra", vim.lsp.buf.code_action, "[G]oto Code [A]ction", { "n", "x" })
map("grD", vim.lsp.buf.declaration, "[G]oto [D]eclaration")
-- Telescope Mappings
map("grr", require("telescope.builtin").lsp_references, "[G]oto [R]eferences")
map("gri", require("telescope.builtin").lsp_implementations, "[G]oto [I]mplementation")
map("grd", require("telescope.builtin").lsp_definitions, "[G]oto [D]efinition")
map("gO", require("telescope.builtin").lsp_document_symbols, "Open Document Symbols")
map("gW", require("telescope.builtin").lsp_dynamic_workspace_symbols, "Open Workspace Symbols")
map("grt", require("telescope.builtin").lsp_type_definitions, "[G]oto [T]ype Definition")
-- Highlight references (Document Highlight)
if client and client:supports_method("textDocument/documentHighlight", bufnr) then
local highlight_augroup = vim.api.nvim_create_augroup("kickstart-lsp-highlight", { clear = false })
vim.api.nvim_create_autocmd({ "CursorHold", "CursorHoldI" }, {
buffer = bufnr,
group = highlight_augroup,
callback = vim.lsp.buf.document_highlight,
})
vim.api.nvim_create_autocmd({ "CursorMoved", "CursorMovedI" }, {
buffer = bufnr,
group = highlight_augroup,
callback = vim.lsp.buf.clear_references,
})
vim.api.nvim_create_autocmd("LspDetach", {
group = vim.api.nvim_create_augroup("kickstart-lsp-detach", { clear = true }),
callback = function(event)
vim.lsp.buf.clear_references()
vim.api.nvim_clear_autocmds({ group = "kickstart-lsp-highlight", buffer = event.buf })
end,
})
end
-- Inlay Hints
if client and client:supports_method("textDocument/inlayHint", bufnr) then
map("<leader>th", function()
vim.lsp.inlay_hint.enable(not vim.lsp.inlay_hint.is_enabled({ bufnr = bufnr }))
end, "[T]oggle Inlay [H]ints")
end
end, end,
}) },
})
-- 1. Setup Diagnostics (Visuals) vim.lsp.config("lua_ls", {
vim.diagnostic.config({ settings = {
severity_sort = true, Lua = {
underline = { severity = vim.diagnostic.severity.ERROR }, runtime = { version = "LuaJIT" },
signs = { signatureHelp = { enabled = true },
text = { diagnostics = { globals = { "nixCats", "vim" } },
[vim.diagnostic.severity.ERROR] = "", telemetry = { enabled = false },
[vim.diagnostic.severity.WARN] = "", completion = { callSnippet = "Replace" },
[vim.diagnostic.severity.INFO] = "", },
[vim.diagnostic.severity.HINT] = "󰠠 ", },
})
vim.lsp.enable("lua_ls")
-- Nix
vim.lsp.config("nixd", {
settings = {
nixd = {
nixpkgs = { expr = nixCats.extra("nixdExtras.nixpkgs") },
options = {
nixos = { expr = nixCats.extra("nixdExtras.nixos_options") },
["home-manager"] = { expr = nixCats.extra("nixdExtras.home_manager_options") },
}, },
formatting = { command = { "nixfmt" } },
}, },
virtual_text = { },
source = "if_many", })
spacing = 4, vim.lsp.enable("nixd")
prefix = "",
format = function(diagnostic)
local diagnostic_message = {
[vim.diagnostic.severity.ERROR] = diagnostic.message,
[vim.diagnostic.severity.WARN] = diagnostic.message,
[vim.diagnostic.severity.INFO] = diagnostic.message,
[vim.diagnostic.severity.HINT] = diagnostic.message,
}
return diagnostic_message[diagnostic.severity]
end,
},
})
vim.lsp.config("lua_ls", { -- Dafny
settings = { vim.lsp.enable("dafny")
Lua = {
runtime = { version = "LuaJIT" },
signatureHelp = { enabled = true },
diagnostics = { globals = { "nixCats", "vim" } },
telemetry = { enabled = false },
completion = { callSnippet = "Replace" },
},
},
})
vim.lsp.enable("lua_ls")
-- Nix -- TypeScript/JS
vim.lsp.config("nixd", { vim.lsp.enable("ts_ls")
settings = {
nixd = {
nixpkgs = { expr = nixCats.extra("nixdExtras.nixpkgs") },
options = {
nixos = { expr = nixCats.extra("nixdExtras.nixos_options") },
["home-manager"] = { expr = nixCats.extra("nixdExtras.home_manager_options") },
},
formatting = { command = { "nixfmt" } },
},
},
})
vim.lsp.enable("nixd")
-- Dafny -- Rust
vim.lsp.enable("dafny") vim.lsp.enable("rust_analyzer")
-- TypeScript/JS -- Python
vim.lsp.enable("ts_ls") vim.lsp.config("basedpyright", {
settings = {
-- Rust basedpyright = {
vim.lsp.enable("rust_analyzer") analysis = {
autoSearchPaths = true,
-- Python useLibraryCodeForTypes = true,
vim.lsp.config("basedpyright", { diagnosticMode = "openFilesOnly",
settings = { typeCheckingMode = "standard",
basedpyright = { inlayHints = {
analysis = { variableTypes = true,
autoSearchPaths = true, callArgumentNames = true,
useLibraryCodeForTypes = true, functionReturnTypes = true,
diagnosticMode = "openFilesOnly",
typeCheckingMode = "standard",
inlayHints = {
variableTypes = true,
callArgumentNames = true,
functionReturnTypes = true,
},
}, },
}, },
}, },
}) },
vim.lsp.enable("basedpyright") })
vim.lsp.enable("basedpyright")
vim.lsp.enable("astro") vim.lsp.enable("astro")
vim.lsp.config("tinymist", { vim.lsp.config("tinymist", {
settings = { settings = {
tinymist = { tinymist = {
formatterMode = "typstyle", formatterMode = "typstyle",
},
}, },
}) },
vim.lsp.enable("tinymist") })
vim.lsp.enable("tinymist")
vim.lsp.config("ltex_plus", { vim.lsp.config("ltex_plus", {
settings = { settings = {
ltex = { ltex = {
language = "nl", language = "nl",
},
}, },
}) },
vim.lsp.enable("ltex_plus") })
end, vim.lsp.enable("ltex_plus")
},
vim.lsp.enable("harper_ls")
end,
}, },
}) })

54
modules/home-manager/rclone.nix
View File

@@ -15,33 +15,33 @@
''; '';
remotes = { remotes = {
gdrive = { # gdrive = {
config = { # config = {
type = "drive"; # type = "drive";
scope = "drive"; # scope = "drive";
#
root_folder_id = ""; # root_folder_id = "";
}; # };
#
secrets = { # secrets = {
token = "${config.xdg.configHome}/rclone/gdrive_token"; # token = "${config.xdg.configHome}/rclone/gdrive_token";
#
client_id = "${config.xdg.configHome}/rclone/gdrive_client_id"; # client_id = "${config.xdg.configHome}/rclone/gdrive_client_id";
client_secret = "${config.xdg.configHome}/rclone/gdrive_client_secret"; # TODO: sops? # client_secret = "${config.xdg.configHome}/rclone/gdrive_client_secret"; # TODO: sops?
}; # };
#
mounts = { # mounts = {
"/" = { # "/" = {
enable = true; # enable = true;
mountPoint = "${config.home.homeDirectory}/gdrive"; # mountPoint = "${config.home.homeDirectory}/gdrive";
#
options = { # options = {
dir-cache-time = "5m"; # dir-cache-time = "5m";
poll-interval = "10s"; # poll-interval = "10s";
}; # };
}; # };
}; # };
}; # };
orion = { orion = {
config = { config = {

9
modules/home-manager/ssh.nix
View File

@@ -4,6 +4,15 @@
enable = true; enable = true;
enableDefaultConfig = false; enableDefaultConfig = false;
matchBlocks = {
"github-work" = {
hostname = "github.com";
user = "git";
identityFile = "/home/kiri/.ssh/github-work.pub";
identitiesOnly = true;
};
};
includes = [ includes = [
config.sops.secrets.ssh_config_orion.path config.sops.secrets.ssh_config_orion.path
]; ];

2
modules/home-manager/todoman.nix
View File

@@ -7,7 +7,7 @@
time_format = "%H:%M" time_format = "%H:%M"
default_list = "personal" default_list = "personal"
default_due = 0 default_due = 0
default_command = "list --sort due" default_command = "list --sort priority,due"
humanize = True humanize = True
''; '';
}; };

1
modules/nixos/desktop.nix
View File

@@ -9,5 +9,6 @@
./hyprland.nix ./hyprland.nix
./printing.nix ./printing.nix
./systemd-boot.nix ./systemd-boot.nix
./syncthing.nix
]; ];
} }

165
modules/nixos/homepage.nix Normal file
View File

@@ -0,0 +1,165 @@
{ config, pkgs, ... }:
let
# Define standard colors/icons for consistency
domain = "jelles.net";
in
{
# Enable the Homepage Dashboard service
services.homepage-dashboard = {
enable = true;
listenPort = 8082; # Different from Glance (8101)
allowedHosts = "dashboard.${domain}";
# 1. Service Discovery & API Secrets
# For live stats (widgets), Homepage needs API keys.
# You can reference sops secrets here if you map them to a file readable by the homepage user.
# For now, I have set them to placeholders or disabled the API widgets where secrets are required.
services = [
{
"Personal" = [
{
"Home Assistant" = {
href = "https://home.${domain}";
description = "Smart Home Control";
icon = "home-assistant.png";
# To enable live stats (lights on, etc), un-comment and add a Long Lived Access Token:
# widget = {
# type = "homeassistant";
# url = "http://127.0.0.1:8123";
# key = "YOUR_LONG_LIVED_TOKEN";
# };
};
}
{
"Actual Budget" = {
href = "https://finance.${domain}";
description = "Finance Tracking";
icon = "actual-budget.png";
};
}
{
"Vaultwarden" = {
href = "https://vault.${domain}";
description = "Password Manager";
icon = "bitwarden.png";
# Widget to show status
widget = {
type = "vaultwarden";
url = "https://vault.${domain}";
};
};
}
{
"Radicale" = {
href = "https://radicale.${domain}";
description = "Calendar & Contacts";
icon = "radicale.png";
};
}
];
}
{
"Code & Files" = [
{
"Gitea" = {
href = "https://git.${domain}";
description = "Git Server";
icon = "gitea.png";
};
}
{
"FileBrowser" = {
href = "https://files.${domain}";
description = "Web File Manager";
icon = "filebrowser.png";
};
}
];
}
{
"Websites" = [
{
"Community" = {
href = "https://community.${domain}";
icon = "globe.png";
description = "Community Site";
};
}
{
"Zentire" = {
href = "https://zentire.${domain}";
icon = "globe.png";
description = "Zentire Site";
};
}
];
}
];
# 2. Widgets (Calendar, Search, Resources)
widgets = [
{
search = {
provider = "google";
target = "_blank";
};
}
{
# Shows system stats. Requires 'glances' or similar installed,
# but Homepage can also just show simple resources if running locally.
resources = {
cpu = true;
memory = true;
disk = "/";
};
}
{
# Calendar Widget linked to Radicale
# You need the "Private Export URL" for your calendar from Radicale.
calendar = {
showTime = true;
maxEvents = 10;
integrations = [
{
type = "ical";
url = "https://radicale.${domain}/kiri/personal.ics"; # Verify this path in your Radicale
name = "Personal";
color = "blue";
# If your Radicale is private, you might need to pass auth in the URL
# e.g. https://user:pass@radicale.jelles.net/...
}
];
};
}
];
settings = {
title = "Orion Dashboard";
background = {
# Using the wallpaper from your config if accessible, or a hex color
image = "https://raw.githubusercontent.com/anotherhadi/awesome-wallpapers/refs/heads/main/app/static/wallpapers/leef_dark_purple_minimalist.png";
opacity = 50;
};
layout = {
"Personal" = {
style = "row";
columns = 4;
};
"Code & Files" = {
style = "row";
columns = 2;
};
"Websites" = {
style = "row";
columns = 2;
};
};
};
};
# Expose Homepage via Caddy
services.caddy.virtualHosts."dashboard.${domain}".extraConfig = ''
reverse_proxy :8082
'';
}

73
modules/nixos/syncthing.nix Normal file
View File

@@ -0,0 +1,73 @@
{
config,
lib,
...
}:
let
devices = {
"altair" = {
id = "HDHWROJ-ZLNQKCL-PN6WGHA-IGJHIRI-3UHDYUU-LUJHYK4-UMKWLAZ-VFISJQF";
};
"orion" = {
id = "7ESQ3BX-FEW7656-ZPT3CKF-FLXON26-HXRNTDW-THSJBNF-LFWCHFB-ASP4WAG";
};
"polaris" = {
id = "6YBO3OK-3QVMKWL-ZOS4ZTF-G53CY6K-WYZJNFG-DTYCUA4-WJF2LRC-PJT3NAL";
};
};
username = config.var.username;
hostname = config.var.hostname;
isOrion = hostname == "orion";
# On desktops, sync to home directory. On server, sync to filebrowser storage.
syncPath = if isOrion then "/var/lib/filebrowser/files" else "/home/${username}/sync";
group = if isOrion then "filebrowser" else "users";
in
{
# 1. Firewall rules for synchronization
networking.firewall = {
allowedTCPPorts = [ 22000 ];
allowedUDPPorts = [
22000
21027
];
};
# 3. Syncthing Service Configuration
services.syncthing = {
enable = true;
user = username;
group = group;
overrideDevices = true; # Overrides any devices added via Web UI
overrideFolders = true; # Overrides any folders added via Web UI
settings = {
devices = devices;
folders = {
"sync" = {
path = syncPath;
devices = builtins.attrNames devices; # Share with all defined devices
# Ensure new files are readable by the group (chmod 770 approx)
ignorePerms = true;
};
};
gui = {
# access the GUI on localhost:8384
theme = "black";
};
};
};
# 4. Permission Hardening for Orion
# Force syncthing to write files with group-write permissions (007 umask = 770 perms)
systemd.services.syncthing.serviceConfig.UMask = lib.mkIf isOrion "0007";
systemd.tmpfiles.rules = [
"d /var/lib/syncthing 0700 ${username} ${group} -"
];
}