syncthing: expose encryptionPassword

- Change `folder.devices` type into `oneOf [(listOf str) (attrsOf (submodule { ... }))]`. - Expose `encryptionPassord` within the attrSet of the devices option. This allows the user to set the encrpyption password use to share the folder's data with. We do this by file path, as opposed to string literal, because we do not want to embed the encrpyption password into the nix store.
NixOS · Sep 19, 2024 · 0bc8c16 · 0bc8c16
1 parent b5e81d5
commit 0bc8c16
Showing 1 changed file with 35 additions and 6 deletions.
diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix
@@ -34,12 +34,22 @@ let
       The options services.syncthing.settings.folders.<name>.{rescanInterval,watch,watchDelay}
       were removed. Please use, respectively, {rescanIntervalS,fsWatcherEnabled,fsWatcherDelayS} instead.
     '' {
-    devices = map (device:
-      if builtins.isString device then
-        { deviceId = cfg.settings.devices.${device}.id; }
+    devices = let
+      folderDevices = folder.devices;
+    in
+      if builtins.isList folderDevices then
+        map (device:
+          if builtins.isString device then
+            { deviceId = cfg.settings.devices.${device}.id; }
+          else
+            device
+        ) folderDevices
+      else if builtins.isAttrs folderDevices then
+        mapAttrsToList (deviceName: deviceValue:
+          deviceValue // { deviceId = cfg.settings.devices.${deviceName}.id; }
+        ) folderDevices
       else
-        device
-    ) folder.devices;
+        throw "Invalid type for devices in folder '${folderName}'; expected list or attrset.";
   }) (filterAttrs (_: folder:
     folder.enable
   ) cfg.settings.folders);
@@ -435,11 +445,30 @@ in {
                   };
 
                   devices = mkOption {
-                    type = types.listOf types.str;
+                    type = types.oneOf [
+                      (types.listOf types.str)
+                      (types.attrsOf (types.submodule ({ name, ... }: {
+                        freeformType = settingsFormat.type;
+                        options = {
+                          encryptionPassword = mkOption {
+                            type = types.nullOr types.str;
+                            default = null;
+                            description = ''
+                              Path to encryption password. If set, the file will be read during
+                              service activation, without being embedded in derivation.
+                            '';
+                          };
+                        };
+                      }))
+                    )];
                     default = [];
                     description = ''
                       The devices this folder should be shared with. Each device must
                       be defined in the [devices](#opt-services.syncthing.settings.devices) option.
+
+                      Either a list of strings, or an attribute set, where keys are defined in the
+                      [devices](#opt-services.syncthing.settings.devices) option, and values are
+                      device configurations.
                     '';
                   };