3 files changed, 42 insertions, 15 deletions

diff --git a/home/default.nix b/home/default.nix
index 6944180..38dbb60 100644
--- a/home/default.nix
+++ b/home/default.nix
@@ -8,5 +8,6 @@
     ./environ
     ./isolation
     ./mail
+    ./syncthing
   ];
 }
diff --git a/home/syncthing/default.nix b/home/syncthing/default.nix
new file mode 100644
index 0000000..e234c42
--- /dev/null
+++ b/home/syncthing/default.nix
@@ -0,0 +1,15 @@
+{ config, lib, ... }:
+with lib; let
+  cfg = config.local.syncthing;
+in
+{
+  options.local.syncthing = {
+    enable = mkEnableOption "syncthing";
+  };
+
+  config = mkIf cfg.enable {
+    services.syncthing = {
+      enable = true;
+    };
+  };
+}
diff --git a/sys/syncthing/default.nix b/sys/syncthing/default.nix
index c351e6c..b87e683 100644
--- a/sys/syncthing/default.nix
+++ b/sys/syncthing/default.nix
@@ -5,27 +5,38 @@ in
 {
   options.local.syncthing = {
     enable = mkEnableOption "syncthing server";
+    openFirewall = mkEnableOption "syncthing firewall rules";
   };
 
-  config = mkIf cfg.enable {
-    services.syncthing = {
-      enable = true;
+  config = mkMerge [
+    ({
+      networking.firewall = {
+        allowedTCPPorts = optional cfg.openFirewall 22000;
+        allowedUDPPorts = optional cfg.openFirewall 22000;
+      };
+    })
+    (mkIf cfg.enable {
+      local.syncthing.openFirewall = true;
 
-      systemService = true;
-      overrideFolders = false;
-      overrideDevices = false;
-      openDefaultPorts = true;
+      services.syncthing = {
+        enable = true;
 
-      guiAddress = "127.0.0.1:8384";
+        systemService = true;
+        overrideFolders = false;
+        overrideDevices = false;
+        openDefaultPorts = true;
 
-      settings.options.urAccepted = -1;
+        guiAddress = "127.0.0.1:8384";
 
-      relay = {
-        enable = true;
+        settings.options.urAccepted = -1;
 
-        pools = [ ];
-        providedBy = "${config.networking.hostName}.${config.networking.domain}";
+        relay = {
+          enable = true;
+
+          pools = [ ];
+          providedBy = "${config.networking.hostName}.${config.networking.domain}";
+        };
       };
-    };
-  };
+    })
+  ];
 }