DavHau
313db5643f
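{
  config,
  pkgs,
  lib,
  ...
}:
let
  cfg = config.clan.syncthing;
  # Facts/secrets this module declares for itself at the bottom of the file.
  syncthingFacts = config.clan.core.facts.services.syncthing;
in
{
  options.clan.syncthing = {
    id = lib.mkOption {
      description = ''
        The Syncthing device ID of this machine.

        Defaults to the public fact generated from this machine's own
        certificate (see `clan.core.facts.services.syncthing` in this module).
      '';
      type = lib.types.nullOr lib.types.str;
      example = "BABNJY4-G2ICDLF-QQEG7DD-N3OBNGF-BCCOFK6-MV3K7QJ-2WUZHXS-7DTW4AS";
      default = syncthingFacts.public."syncthing.pub".value or null;
      defaultText = "config.clan.core.facts.services.syncthing.public.\"syncthing.pub\".value";
    };

    introducer = lib.mkOption {
      description = ''
        Device ID of the introducer for this machine.

        The introducer is fully trusted: it is configured with
        `introducer = true` and `autoAcceptFolders = true`, so every device
        and folder it announces is taken over without confirmation, and the
        declarative device/folder lists stop being enforced
        (`overrideDevices`/`overrideFolders` default to false).
      '';
      type = lib.types.nullOr lib.types.str;
      default = null;
    };

    autoAcceptDevices = lib.mkOption {
      description = ''
        Auto accept incoming device requests.

        Should only be used on the introducer. Every device that reaches this
        machine's Syncthing listener and shows up as pending is accepted
        without any out-of-band check of its device ID. Since
        `allowedNetworks` is restricted to the ZeroTier subnet, membership in
        the ZeroTier network is the effective trust boundary.
      '';
      type = lib.types.bool;
      default = false;
    };

    autoShares = lib.mkOption {
      description = ''
        Share the folders with the given folder IDs with every device that
        was auto-accepted.

        Should only be used on the introducer; has no effect unless
        `autoAcceptDevices` is enabled.
      '';
      type = lib.types.listOf lib.types.str;
      default = [ ];
      example = [
        "folder1"
        "folder2"
      ];
    };
  };

  imports = [
    {
      # Syncthing ports (https://docs.syncthing.net/users/firewall.html):
      #   8384/TCP        GUI and REST API
      #   22000/TCP+UDP   sync traffic
      #   21027/UDP       local discovery
      # Sync and discovery are only opened on ZeroTier interfaces. The
      # connection-level allow-list (`allowedNetworks` below) is a second
      # layer that keeps non-VPN peers out even if the firewall is bypassed.
      networking.firewall.interfaces."zt+".allowedTCPPorts = [
        8384
        22000
      ];
      # NOTE(review): this opens the GUI/REST port on *every* interface, not
      # only ZeroTier. It is inert while the GUI stays bound to
      # 127.0.0.1:8384 (the address the helper services below rely on), but
      # once `services.syncthing.guiAddress` is pointed at a routable address
      # this exposes the unauthenticated GUI and the API-key-protected REST
      # API to the whole network. Consider dropping it or gating it behind an
      # explicit option.
      networking.firewall.allowedTCPPorts = [ 8384 ];
      networking.firewall.interfaces."zt+".allowedUDPPorts = [
        22000
        21027
      ];

      assertions = [
        {
          # Every auto-shared folder must exist in the declarative config of
          # the sharing machine, otherwise the PATCH below has nothing to
          # update.
          assertion = lib.all (
            attr: builtins.hasAttr attr config.services.syncthing.settings.folders
          ) cfg.autoShares;
          message = ''
            Syncthing: If you want to AutoShare a folder, you need to have it configured on the sharing device.
          '';
        }
      ];

      warnings = lib.optional (cfg.autoShares != [ ] && !cfg.autoAcceptDevices) ''
        clan.syncthing.autoShares is set but has no effect because clan.syncthing.autoAcceptDevices is disabled.
      '';

      # Activates inotify compatibility on syncthing.
      # mkOverride 900 is used because the plain default would collide with the
      # default set by upstream nixos xserver.nix.
      boot.kernel.sysctl."fs.inotify.max_user_watches" = lib.mkOverride 900 524288;

      services.syncthing = {
        enable = true;
        configDir = "/var/lib/syncthing";

        # Devices/folders that were added at runtime (by the introducer, or by
        # the auto-accept service below) must survive syncthing-init, which
        # otherwise deletes everything that is not declared here. So only
        # enforce the declarative lists on machines that neither follow an
        # introducer nor accept devices automatically.
        overrideFolders = lib.mkDefault (cfg.introducer == null && !cfg.autoAcceptDevices);
        overrideDevices = lib.mkDefault (cfg.introducer == null && !cfg.autoAcceptDevices);

        # NOTE(review): opinionated default; most deployments will want to
        # override this.
        dataDir = lib.mkDefault "/home/user/";

        group = "syncthing";

        # Identity comes from the clan-generated secrets declared below, so the
        # device ID matches the published `syncthing.pub` fact. Resolving these
        # through the same facts service as the API key (instead of a
        # separate `clan.secrets` path with an `or null` fallback) makes a
        # missing secret an evaluation error rather than a silently
        # regenerated identity that nobody else knows.
        key = lib.mkDefault syncthingFacts.secret."syncthing.key".path;
        cert = lib.mkDefault syncthingFacts.secret."syncthing.cert".path;

        settings = {
          options = {
            # Opt out of usage reporting.
            urAccepted = -1;
            # Only talk to peers inside the ZeroTier subnet; this is what
            # makes the auto-accept below tolerable.
            allowedNetworks = [ config.clan.networking.zerotier.subnet ];
          };
          devices = lib.optionalAttrs (cfg.introducer != null) {
            "${cfg.introducer}" = {
              name = "introducer";
              id = cfg.introducer;
              # Fully trusted peer: see the `introducer` option description.
              introducer = true;
              autoAcceptFolders = true;
            };
          };
        };
      };

      # Periodically accept every pending device and share the configured
      # folders with it. Runs on the introducer only (autoAcceptDevices).
      systemd.services.syncthing-auto-accept =
        let
          baseAddress = "127.0.0.1:8384";
          apiKeyFile = syncthingFacts.secret."syncthing.api".path;
        in
        lib.mkIf cfg.autoAcceptDevices {
          description = "Syncthing auto accept devices";
          requisite = [ "syncthing.service" ];
          after = [ "syncthing.service" ];
          path = [
            pkgs.curl
            pkgs.jq
          ];
          serviceConfig = {
            # The script runs to completion on every timer tick.
            Type = "oneshot";
            # NOTE(review): runs as root. The key file's ownership is decided
            # by the facts backend; if it is readable by the `syncthing` user,
            # `User = "syncthing"` would drop privileges this job does not need.
          };
          script = ''
            # Deliberately no `set -x`: xtrace would print the API key into the
            # journal on the `APIKEY=...` assignment.
            set -euo pipefail

            APIKEY=$(cat ${lib.escapeShellArg apiKeyFile})

            # Authenticated call against the local REST API. The key is handed
            # to curl via a config file on stdin instead of `-H`, so it does
            # not show up in /proc/*/cmdline for other local users. Any HTTP
            # or transport error aborts the run instead of being ignored.
            st_api() {
              printf 'header = "X-API-Key: %s"\n' "$APIKEY" \
                | curl --silent --show-error --fail --config - "$@"
            }

            # Accept every device that asked to connect. Only peers that
            # already reached the listener (i.e. are inside `allowedNetworks`)
            # can be pending, so VPN membership is the trust decision here.
            st_api "${baseAddress}/rest/cluster/pending/devices" \
              | jq -r 'keys[]' \
              | while IFS= read -r ID; do
                  st_api -X POST -H "Content-Type: application/json" \
                    -d "$(jq -n --arg id "$ID" '{deviceID: $id}')" \
                    "${baseAddress}/rest/config/devices"

                  # Share each configured folder with the new device. Skip
                  # devices that already have access so a re-run never adds
                  # duplicate entries to the folder's device list.
                  for folder in ${lib.escapeShellArgs cfg.autoShares}; do
                    DEVICES=$(st_api "${baseAddress}/rest/config/folders/$folder" \
                      | jq --arg id "$ID" '
                          if any(.devices[]; .deviceID == $id) then .devices
                          else .devices + [{deviceID: $id, introducedBy: "", encryptionPassword: ""}]
                          end')
                    st_api -X PATCH -H "Content-Type: application/json" \
                      -d "{\"devices\": $DEVICES}" \
                      "${baseAddress}/rest/config/folders/$folder"
                  done
                done
          '';
        };

      systemd.timers.syncthing-auto-accept = lib.mkIf cfg.autoAcceptDevices {
        description = "Syncthing Auto Accept";
        # Standard timer wiring: the timer is started at boot and triggers the
        # service of the same name.
        wantedBy = [ "timers.target" ];
        timerConfig = {
          OnActiveSec = lib.mkDefault 60;
          OnUnitActiveSec = lib.mkDefault 60;
        };
      };

      # Install the clan-generated API key into Syncthing's config.xml so the
      # auto-accept service can authenticate against the REST API.
      systemd.services.syncthing-init-api-key =
        let
          apiKeyFile = syncthingFacts.secret."syncthing.api".path;
        in
        lib.mkIf cfg.autoAcceptDevices {
          description = "Set the Syncthing API key";
          after = [ "syncthing-init.service" ];
          wantedBy = [ "multi-user.target" ];
          path = [
            pkgs.gnugrep
            pkgs.gnused
          ];
          script = ''
            # `set -efu pipefail` (without -o) would pass "pipefail" as $1
            # instead of enabling it; `-o` is required.
            set -efuo pipefail

            APIKEY=$(cat ${lib.escapeShellArg apiKeyFile})

            # Idempotent: only rewrite the config and bounce syncthing when the
            # key actually differs, so a plain reboot does not restart it.
            if grep -qF "<apikey>$APIKEY</apikey>" config.xml; then
              exit 0
            fi

            # NOTE(review): the key is interpolated into the sed expression.
            # Syncthing-generated keys are alphanumeric, so `|`, `&` and `\`
            # cannot occur; re-check this if keys are ever supplied by hand.
            sed -i "s|<apikey>.*</apikey>|<apikey>$APIKEY</apikey>|" config.xml
            systemctl restart syncthing.service
          '';
          serviceConfig = {
            WorkingDirectory = "/var/lib/syncthing";
            BindReadOnlyPaths = [ apiKeyFile ];
            Type = "oneshot";
          };
        };

      # Key material and facts for this machine's Syncthing identity.
      clan.core.facts.services.syncthing = {
        secret."syncthing.key" = { };
        secret."syncthing.cert" = { };
        secret."syncthing.api" = { };
        public."syncthing.pub" = { };
        generator.path = [
          pkgs.coreutils
          pkgs.gnugrep
          pkgs.syncthing
        ];
        # NOTE(review): relies on the generator runner to abort on a failing
        # command; a failed `mv` would otherwise leave key.pem/cert.pem behind.
        generator.script = ''
          syncthing generate --config "$secrets"
          mv "$secrets"/key.pem "$secrets"/syncthing.key
          mv "$secrets"/cert.pem "$secrets"/syncthing.cert
          # The device ID is safe to publish as a fact; the API key is not and
          # stays in the secrets directory. The ID appears more than once in
          # config.xml, hence the de-duplication.
          grep -oP '(?<=<device id=")[^"]+' "$secrets"/config.xml | sort -u > "$facts"/syncthing.pub
          grep -oP '<apikey>\K[^<]+' "$secrets"/config.xml | sort -u > "$secrets"/syncthing.api
        '';
      };
    }
  ];
}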