syncthing: expose encryptionPassword

h33p · h33p · commit 0bc8c16f7da3 · 2024-09-19T16:20:36.000+01:00
- Change `folder.devices` type into `oneOf [(listOf str) (attrsOf
  (submodule { ... }))]`.
- Expose `encryptionPassord` within the attrSet of the devices option.

This allows the user to set the encrpyption password use to share the
folder's data with. We do this by file path, as opposed to string
literal, because we do not want to embed the encrpyption password into
the nix store.
diff --git a/nixos/modules/services/networking/syncthing.nix b/nixos/modules/services/networking/syncthing.nix
@@ -34,12 +34,22 @@ let
       The options services.syncthing.settings.folders.<name>.{rescanInterval,watch,watchDelay}
       were removed. Please use, respectively, {rescanIntervalS,fsWatcherEnabled,fsWatcherDelayS} instead.
     '' {
-    devices = map (device:
-      if builtins.isString device then
-        { deviceId = cfg.settings.devices.${device}.id; }
+    devices = let
+      folderDevices = folder.devices;
+    in
+      if builtins.isList folderDevices then
+        map (device:
+          if builtins.isString device then
+            { deviceId = cfg.settings.devices.${device}.id; }
+          else
+            device
+        ) folderDevices
+      else if builtins.isAttrs folderDevices then
+        mapAttrsToList (deviceName: deviceValue:
+          deviceValue // { deviceId = cfg.settings.devices.${deviceName}.id; }
+        ) folderDevices
       else
-        device
-    ) folder.devices;
+        throw "Invalid type for devices in folder '${folderName}'; expected list or attrset.";
   }) (filterAttrs (_: folder:
     folder.enable
   ) cfg.settings.folders);
@@ -435,11 +445,30 @@ in {
                   };
 
                   devices = mkOption {
-                    type = types.listOf types.str;
+                    type = types.oneOf [
+                      (types.listOf types.str)
+                      (types.attrsOf (types.submodule ({ name, ... }: {
+                        freeformType = settingsFormat.type;
+                        options = {
+                          encryptionPassword = mkOption {
+                            type = types.nullOr types.str;
+                            default = null;
+                            description = ''
+                              Path to encryption password. If set, the file will be read during
+                              service activation, without being embedded in derivation.
+                            '';
+                          };
+                        };
+                      }))
+                    )];
                     default = [];
                     description = ''
                       The devices this folder should be shared with. Each device must
                       be defined in the [devices](#opt-services.syncthing.settings.devices) option.
+
+                      Either a list of strings, or an attribute set, where keys are defined in the
+                      [devices](#opt-services.syncthing.settings.devices) option, and values are
+                      device configurations.
                     '';
                   };
 
