summaryrefslogtreecommitdiffstats
path: root/krebs
diff options
context:
space:
mode:
Diffstat (limited to 'krebs')
-rw-r--r--krebs/3modules/exim-retiolum.nix92
-rw-r--r--krebs/3modules/exim-smarthost.nix6
-rw-r--r--krebs/3modules/exim.nix2
-rw-r--r--krebs/3modules/external/default.nix136
-rw-r--r--krebs/3modules/syncthing.nix80
5 files changed, 236 insertions, 80 deletions
diff --git a/krebs/3modules/exim-retiolum.nix b/krebs/3modules/exim-retiolum.nix
index e08024977..118a8b2d5 100644
--- a/krebs/3modules/exim-retiolum.nix
+++ b/krebs/3modules/exim-retiolum.nix
@@ -1,15 +1,17 @@
-{ config, pkgs, lib, ... }:
-
with import <stockholm/lib>;
-let
+{ config, pkgs, lib, ... }: let
cfg = config.krebs.exim-retiolum;
- out = {
- options.krebs.exim-retiolum = api;
- config = lib.mkIf cfg.enable imp;
- };
+ # Due to improvements to the JSON notation, braces around top-level objects
+ # are not necessary^Wsupported by rspamd's parser when including files:
+ # https://github.com/rspamd/rspamd/issues/2674
+ toMostlyJSON = value:
+ assert typeOf value == "set";
+ (s: substring 1 (stringLength s - 2) s)
+ (toJSON value);
- api = {
+in {
+ options.krebs.exim-retiolum = {
enable = mkEnableOption "krebs.exim-retiolum";
local_domains = mkOption {
type = with types; listOf hostname;
@@ -28,22 +30,70 @@ let
"*.r"
];
};
+ rspamd = {
+ enable = mkEnableOption "krebs.exim-retiolum.rspamd" // {
+ default = false;
+ };
+ locals = {
+ logging = {
+ level = mkOption {
+ type = types.enum [
+ "error"
+ "warning"
+ "notice"
+ "info"
+ "debug"
+ "silent"
+ ];
+ default = "notice";
+ };
+ };
+ options = {
+ local_networks = mkOption {
+ type = types.listOf types.cidr;
+ default = [
+ config.krebs.build.host.nets.retiolum.ip4.prefix
+ config.krebs.build.host.nets.retiolum.ip6.prefix
+ ];
+ };
+ };
+ };
+ };
};
-
- imp = {
+ imports = [
+ {
+ config = lib.mkIf cfg.rspamd.enable {
+ services.rspamd.enable = true;
+ services.rspamd.locals =
+ mapAttrs'
+ (name: value: nameValuePair "${name}.inc" {
+ text = toMostlyJSON value;
+ })
+ cfg.rspamd.locals;
+ users.users.${config.krebs.exim.user.name}.extraGroups = [
+ config.services.rspamd.group
+ ];
+ };
+ }
+ ];
+ config = lib.mkIf cfg.enable {
krebs.exim = {
enable = true;
config =
# This configuration makes only sense for retiolum-enabled hosts.
# TODO modular configuration
assert config.krebs.tinc.retiolum.enable;
- ''
+ /* exim */ ''
keep_environment =
primary_hostname = ${cfg.primary_hostname}
domainlist local_domains = ${concatStringsSep ":" cfg.local_domains}
domainlist relay_to_domains = ${concatStringsSep ":" cfg.relay_to_domains}
+ ${optionalString cfg.rspamd.enable /* exim */ ''
+ spamd_address = /run/rspamd/rspamd.sock variant=rspamd
+ ''}
+
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
@@ -72,6 +122,24 @@ let
acl_check_data:
+ ${optionalString cfg.rspamd.enable /* exim */ ''
+ accept condition = ''${if eq{$interface_port}{587}}
+
+ warn remove_header = ${concatStringsSep " : " [
+ "x-spam"
+ "x-spam-report"
+ "x-spam-score"
+ ]}
+
+ warn
+ spam = nobody:true
+
+ warn
+ condition = ''${if !eq{$spam_action}{no action}}
+ add_header = X-Spam: Yes
+ add_header = X-Spam-Report: $spam_report
+ add_header = X-Spam-Score: $spam_score
+ ''}
accept
@@ -118,4 +186,4 @@ let
'';
};
};
-in out
+}
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 5f93ae937..e988fb563 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -121,7 +121,7 @@ let
};
krebs.exim = {
enable = true;
- config = ''
+ config = /* exim */ ''
keep_environment =
primary_hostname = ${cfg.primary_hostname}
@@ -233,7 +233,7 @@ let
remote_smtp:
driver = smtp
- ${optionalString (cfg.dkim != []) (indent ''
+ ${optionalString (cfg.dkim != []) (indent /* exim */ ''
dkim_canon = relaxed
dkim_domain = $sender_address_domain
dkim_private_key = ''${lookup{$sender_address_domain}lsearch{${lsearch.dkim_private_key}}}
@@ -262,7 +262,7 @@ let
begin rewrite
begin authenticators
- ${concatStringsSep "\n" (mapAttrsToList (name: text: ''
+ ${concatStringsSep "\n" (mapAttrsToList (name: text: /* exim */ ''
${name}:
${indent text}
'') cfg.authenticators)}
diff --git a/krebs/3modules/exim.nix b/krebs/3modules/exim.nix
index cfcbbc438..83d88cb0d 100644
--- a/krebs/3modules/exim.nix
+++ b/krebs/3modules/exim.nix
@@ -37,7 +37,7 @@ in {
};
config = lib.mkIf cfg.enable {
environment = {
- etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" ''
+ etc."exim.conf".source = pkgs.writeEximConfig "exim.conf" /* exim */ ''
exim_user = ${cfg.user.name}
exim_group = ${cfg.group.name}
exim_path = /run/wrappers/bin/exim
diff --git a/krebs/3modules/external/default.nix b/krebs/3modules/external/default.nix
index ac656f463..1720811d9 100644
--- a/krebs/3modules/external/default.nix
+++ b/krebs/3modules/external/default.nix
@@ -229,6 +229,35 @@ in {
};
};
};
+ inspector = {
+ owner = config.krebs.users.Mic92;
+ nets = rec {
+ internet = {
+ ip4.addr = "141.76.44.154";
+ aliases = [ "inspector.i" ];
+ };
+ retiolum = {
+ via = internet;
+ ip4.addr = "10.243.29.172";
+ aliases = [ "inspector.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG
+ EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ
+ 7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF
+ m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw
+ WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd
+ eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03
+ OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau
+ ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x
+ B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG
+ q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj
+ 7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
justraute = {
owner = config.krebs.users.raute; # laptop
nets = {
@@ -241,6 +270,30 @@ in {
};
};
};
+ matchbox = {
+ owner = config.krebs.users.Mic92;
+ nets = {
+ retiolum = {
+ ip4.addr = "10.243.29.176";
+ aliases = [ "matchbox.r" ];
+ tinc.pubkey = ''
+ -----BEGIN RSA PUBLIC KEY-----
+ MIICCgKCAgEAqwB9pzV889vpMp/am+T0sfm5qO/wAWS/tv0auYK3Zyx3ChxrQX2m
+ VrxO5a/bjR/g1fi/t2kJIV/6tsVSRHfzKuKHprE2KxeNOmwUuSjjiM4CboASMR+w
+ nra6U0Ldf5vBxtEj5bj384QxwxxVLhSw8NbE43FCM07swSvAT8Y/ZmGUd738674u
+ TNC6zM6zwLvN0dxCDLuD5bwUq7y73JNQTm2YXv1Hfw3T8XqJK/Xson2Atv2Y5ZbE
+ TA0RaH3PoEkhkVeJG/EuUIJhvmunS5bBjFSiOiUZ8oEOSjo9nHUMD0u+x1BZIg/1
+ yy5B5iB4YSGPAtjMJhwD/LRIoI8msWpdVCCnA+FlKCKAsgC7JbJgcOUtK9eDFdbO
+ 4FyzdUJbK+4PDguraPGzIX7p+K3SY8bbyo3SSp5rEb+CEWtFf26oJm7eBhDBT6K4
+ Ofmzp0GjFbS8qkqEGCQcfi4cAsXMVCn4AJ6CKs89y19pLZ42fUtWg7WgUZA7GWV/
+ bPE2RSBMUkGb0ovgoe7Z7NXsL3AST8EQEy+3lAEyUrPFLiwoeGJZmfTDTy1VBFI4
+ nCShp7V+MSmz4DnLK1HLksLVLmGyZmouGsLjYUnEa414EI6NJF3bfEO2ZRGaswyR
+ /vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ==
+ -----END RSA PUBLIC KEY-----
+ '';
+ };
+ };
+ };
qubasa = {
owner = config.krebs.users.qubasa;
nets = {
@@ -411,56 +464,53 @@ in {
};
};
};
- inspector = {
- owner = config.krebs.users.Mic92;
- nets = rec {
- internet = {
- ip4.addr = "141.76.44.154";
- aliases = [ "inspector.i" ];
- };
+ uppreisn = {
+ owner = config.krebs.users.ilmu;
+ nets = {
retiolum = {
- via = internet;
- ip4.addr = "10.243.29.172";
- aliases = [ "inspector.r" ];
+ ip4.addr = "10.243.42.13";
+ aliases = [ "ilmu.r" ];
tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAr3l/u7qcxmFa2hUICU3oPDhB2ij2R3lKHyjSsVFVLNfl6TpOdppG
- EDXOapeXL0s+PfBRHdRI3v/dibj4PG9eyKmFxsUJ2gRz4ghb1UE23aQ3pkr3x8sZ
- 7GR+nJYATYf+jolFF9O1x+f0Uo5xaYWkGOMH8wVVzm6+kcsZOYuTEbJAsbTRZywF
- m1MdRfk54hLiDsj2rjGRZIR+ZfUKVs2MTWOLCpBAHLJK+r3HfUiR2nAgeNkJCFLw
- WIir1ftDIViT3Ly6b7enaOkVZ695FNYdPWFZCE4AJI0s9wsbMClzUqCl+0mUkumd
- eRXgWXkmvBsxR4GECnxUhxs6U8Wh3kbQavvemt4vcIKNhkw32+toYc1AFK/n4G03
- OUJBbRqgJYx9wIvo8PEu4DTTdsPlQZnMwiaKsn+Gi4Ap6JAnG/iLN8sChoQf7Dau
- ARZA3sf9CkKx5sZ+9dVrLbzGynKE18Z/ysvf1BLd/rVVOps1B/YRBxDwPj8MZJ0x
- B7b0j+hRVV5palp3RRdcExuWaBrMQQGsXwLUZOFHJJaZUHF9XRdy+5XVJdNOArkG
- q1+yGhosL1DLTQE/VwCxmBHyYTr3L7yZ2lSaeWdIeYvcRvouDROUjREVFrQjdqwj
- 7vIP1cvDxSSqA07h/xEC4YZKACBYc/PI2mqYK5dvAUG3mGrEsjHktPUCAwEAAQ==
- -----END RSA PUBLIC KEY-----
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAweAz7KtgYVuAfqP7Zoax
+ BrQ++qig30Aabnou5C62bYIf1Fn8Z9RbDROTmkGeF7No7mZ7wH0hNpRXo1N/sLNt
+ gr4bX7fXAvQ3NeeoMmM6VcC+pExnE4NMMnu0Dm3Z/WcQkCsJukkcvpC1gWkjPXea
+ gn3ODl2wbKMiRBhQDA2Ro0zDQ+gAIsgtS9fDA85Rb0AToLwifHHavz81SXF+9piv
+ qIl3rJZVBo1kOiolv5BCh4/O+R5boiFfPGAiqEcob0cTcmSCXaMqis8UNorlm08j
+ ytNG7kazeRQb9olJ/ovCA1b+6iAZ4251twuQkHfNdfC3VM32jbGq7skMyhX3qN/b
+ WoHHeBZR8eH5MpTTIODI+r4cLswAJqlCk816bGMmg6MuZutTlQCRTy1S/wXY/8ei
+ STAZ1IZH6dnwCJ9HXgMC6hcYuOs/KmvSdaa7F+yTEq83IAASewbRgn/YHsMksftI
+ d8db17rEOT5uC1jOGKF98d7e30MX5saTJZLB6XmNDsql/lFoooGzTz/L80JUYiJ0
+ fQFADznZpA+NE+teOH9aXsucDQkX6BOPSO4XKXV86RIejHUSEx5WdaqGOUfmhFUo
+ 9hZhr0qiiKNlXlP8noM9n+hPNKNkOlctQcpnatgdU3uQMtITPyKSLMUDoQIJlSgq
+ lak5LCqzwU9qa9EQSU4nLZ0CAwEAAQ==
+ -----END PUBLIC KEY-----
'';
};
};
};
- matchbox = {
- owner = config.krebs.users.Mic92;
+ unnamed = {
+ owner = config.krebs.users.pie_;
nets = {
retiolum = {
- ip4.addr = "10.243.29.176";
- aliases = [ "matchbox.r" ];
+ ip4.addr = "10.243.3.14";
+ aliases = [ "unnamed.r" ];
tinc.pubkey = ''
- -----BEGIN RSA PUBLIC KEY-----
- MIICCgKCAgEAqwB9pzV889vpMp/am+T0sfm5qO/wAWS/tv0auYK3Zyx3ChxrQX2m
- VrxO5a/bjR/g1fi/t2kJIV/6tsVSRHfzKuKHprE2KxeNOmwUuSjjiM4CboASMR+w
- nra6U0Ldf5vBxtEj5bj384QxwxxVLhSw8NbE43FCM07swSvAT8Y/ZmGUd738674u
- TNC6zM6zwLvN0dxCDLuD5bwUq7y73JNQTm2YXv1Hfw3T8XqJK/Xson2Atv2Y5ZbE
- TA0RaH3PoEkhkVeJG/EuUIJhvmunS5bBjFSiOiUZ8oEOSjo9nHUMD0u+x1BZIg/1
- yy5B5iB4YSGPAtjMJhwD/LRIoI8msWpdVCCnA+FlKCKAsgC7JbJgcOUtK9eDFdbO
- 4FyzdUJbK+4PDguraPGzIX7p+K3SY8bbyo3SSp5rEb+CEWtFf26oJm7eBhDBT6K4
- Ofmzp0GjFbS8qkqEGCQcfi4cAsXMVCn4AJ6CKs89y19pLZ42fUtWg7WgUZA7GWV/
- bPE2RSBMUkGb0ovgoe7Z7NXsL3AST8EQEy+3lAEyUrPFLiwoeGJZmfTDTy1VBFI4
- nCShp7V+MSmz4DnLK1HLksLVLmGyZmouGsLjYUnEa414EI6NJF3bfEO2ZRGaswyR
- /vW066YCTe7wi+YrvrMDgkdbyfn/ecMTn2iXsTb4k9/fuO0+hsqL+isCAwEAAQ==
- -----END RSA PUBLIC KEY-----
- '';
+ -----BEGIN PUBLIC KEY-----
+ MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAvGXVl+WV/bDxFAnYnAhZ
+ 2rHCU5dqtBvSg0sywV1j++lEuELBx4Zq14qyjDRGkkIGdgzCZBLK2cCgxPJ3MRFx
+ ZwiO3jPscTu3I7zju7ULO/LqGQG+Yf86estfGh394zFJ2rnFSwegeMNqCpOaurOH
+ GuYtNdjkxn/2wj00s+JEJjCNRMg8bkTMT3czuTr2k+6ICI8SgLZMDH7TjRfePHEW
+ X9/v4O3kMSZccT/wZWmezXuYlO7CJs7f4VV98z+sgubmIZz3uLfQFY8y9gmGp46y
+ 5n5QyD0iIqkLNGIldNnToVJPToRaW5OdNKtZFayU4pWZ296sEcJI0NWLYqy7yZfD
+ PG2FlCQmebUxMYk+iK0cYRLFzOgnr14uXihXxhuHYJ8R1VIbWuto1YFGUv5J/Jct
+ 3vgjwOlHwZKC9FTqnRjgp58QtnKneXGNZ446eKHUCmSRDKl8fc/m9ePHrISnGROY
+ gXMieAmOZtsQIxwRpBGCLjrr3sx8RRNY8ROycqPaQWp3upp61jAvvQW3SIvkp1+M
+ jGvfebJOSkEZurwGcWUar9w9t/oDfsV+R9Nm9n2IkdkNlnvXD1rcj7KqbFPtGf1a
+ MmB3AmwyIVv9Rk1Vpjkz4EtL4kPqiuhPrf1bHQhAdcwqwFGyo8HXsoMedb3Irhwm
+ OxwCRYLtEweku7HLhUVTnDkCAwEAAQ==
+ -----END PUBLIC KEY-----
+ '';
};
};
};
@@ -495,6 +545,9 @@ in {
mail = "dickbutt@excogitation.de";
pubkey = ssh-for "exco";
};
+ ilmu = {
+ mail = "ilmu@rishi.is";
+ };
jan = {
mail = "jan.heidbrink@posteo.de";
};
@@ -527,5 +580,6 @@ in {
};
filly = {
};
+ pie_ = {};
};
}
diff --git a/krebs/3modules/syncthing.nix b/krebs/3modules/syncthing.nix
index 9c6acfb0c..939c8fddf 100644
--- a/krebs/3modules/syncthing.nix
+++ b/krebs/3modules/syncthing.nix
@@ -2,40 +2,69 @@
let
- cfg = config.krebs.syncthing;
+ kcfg = config.krebs.syncthing;
+ scfg = config.services.syncthing;
devices = mapAttrsToList (name: peer: {
name = name;
deviceID = peer.id;
addresses = peer.addresses;
- }) cfg.peers;
+ }) kcfg.peers;
folders = mapAttrsToList ( _: folder: {
inherit (folder) path id type;
- devices = map (peer: { deviceId = cfg.peers.${peer}.id; }) folder.peers;
+ devices = map (peer: { deviceId = kcfg.peers.${peer}.id; }) folder.peers;
rescanIntervalS = folder.rescanInterval;
fsWatcherEnabled = folder.watch;
fsWatcherDelayS = folder.watchDelay;
+ ignoreDelete = folder.ignoreDelete;
ignorePerms = folder.ignorePerms;
- }) cfg.folders;
+ }) kcfg.folders;
getApiKey = pkgs.writeDash "getAPIKey" ''
${pkgs.libxml2}/bin/xmllint \
--xpath 'string(configuration/gui/apikey)'\
- ${config.services.syncthing.configDir}/config.xml
+ ${scfg.configDir}/config.xml
'';
updateConfig = pkgs.writeDash "merge-syncthing-config" ''
set -efu
+
+ # XXX this assumes the GUI address to be "IPv4 address and port"
+ host=${shell.escape (elemAt (splitString ":" scfg.guiAddress) 0)}
+ port=${shell.escape (elemAt (splitString ":" scfg.guiAddress) 1)}
+
# wait for service to restart
- ${pkgs.untilport}/bin/untilport localhost 8384
+ ${pkgs.untilport}/bin/untilport "$host" "$port"
+
API_KEY=$(${getApiKey})
- CFG=$(${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/config)
- echo "$CFG" | ${pkgs.jq}/bin/jq -s '.[] as $in | $in * {
- "devices": (${builtins.toJSON devices}${optionalString (! cfg.overridePeers) " + $in.devices"}),
- "folders": (${builtins.toJSON folders}${optionalString (! cfg.overrideFolders) " + $in.folders"})
- }' | ${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/config -d @-
- ${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/restart -X POST
+
+ _curl() {
+ ${pkgs.curl}/bin/curl \
+ -Ss \
+ -H "X-API-Key: $API_KEY" \
+ "http://$host:$port/rest""$@"
+ }
+
+ old_config=$(_curl /system/config)
+ new_config=${shell.escape (toJSON {
+ inherit devices folders;
+ })}
+ new_config=$(${pkgs.jq}/bin/jq -en \
+ --argjson old_config "$old_config" \
+ --argjson new_config "$new_config" \
+ '
+ $old_config * $new_config
+ ${optionalString (!kcfg.overridePeers) ''
+ * { devices: $old_config.devices }
+ ''}
+ ${optionalString (!kcfg.overrideFolders) ''
+ * { folders: $old_config.folders }
+ ''}
+ '
+ )
+ echo $new_config | _curl /system/config -d @-
+ _curl /system/restart -X POST
'';
in
@@ -129,6 +158,11 @@ in
default = 10;
};
+ ignoreDelete = mkOption {
+ type = types.bool;
+ default = false;
+ };
+
ignorePerms = mkOption {
type = types.bool;
default = true;
@@ -139,19 +173,19 @@ in
};
};
- config = (mkIf cfg.enable) {
+ config = mkIf kcfg.enable {
- systemd.services.syncthing = mkIf (cfg.cert != null || cfg.key != null) {
+ systemd.services.syncthing = mkIf (kcfg.cert != null || kcfg.key != null) {
preStart = ''
- ${optionalString (cfg.cert != null) ''
- cp ${toString cfg.cert} ${config.services.syncthing.configDir}/cert.pem
- chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.configDir}/cert.pem
- chmod 400 ${config.services.syncthing.configDir}/cert.pem
+ ${optionalString (kcfg.cert != null) ''
+ cp ${toString kcfg.cert} ${scfg.configDir}/cert.pem
+ chown ${scfg.user}:${scfg.group} ${scfg.configDir}/cert.pem
+ chmod 400 ${scfg.configDir}/cert.pem
''}
- ${optionalString (cfg.key != null) ''
- cp ${toString cfg.key} ${config.services.syncthing.configDir}/key.pem
- chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.configDir}/key.pem
- chmod 400 ${config.services.syncthing.configDir}/key.pem
+ ${optionalString (kcfg.key != null) ''
+ cp ${toString kcfg.key} ${scfg.configDir}/key.pem
+ chown ${scfg.user}:${scfg.group} ${scfg.configDir}/key.pem
+ chmod 400 ${scfg.configDir}/key.pem
''}
'';
};
@@ -161,7 +195,7 @@ in
wantedBy = [ "multi-user.target" ];
serviceConfig = {
- User = config.services.syncthing.user;
+ User = scfg.user;
RemainAfterExit = true;
Type = "oneshot";
ExecStart = updateConfig;