add syncthing to alisceon-core

nixos/hosts/alisceon-core/configuration.nix

@@ -1,7 +1,7 @@
 { lib, pkgs, modulesPath, ... }:
 let
   forgejoDomain = "git.alisceon.com";
-  forgejoRunnerTokenFile = "/var/lib/forgejo/runner_token";
+  syncthingDomain = "syncthing.alisceon.com";
 
   fetchOciAuthorizedKeys = pkgs.writeShellApplication {
     name = "fetch-oci-authorized-keys";
@@ -34,7 +34,7 @@ let
       pkgs.util-linux
     ];
     text = ''
-      token_file=${lib.escapeShellArg forgejoRunnerTokenFile}
+      token_file=${lib.escapeShellArg "/var/lib/forgejo/runner_token"}
 
       if [ -s "$token_file" ]; then
         chmod 0600 "$token_file"
@@ -69,8 +69,12 @@ in
       22
       80
       443
+      22000
       24601
     ];
+    firewall.allowedUDPPorts = [
+      22000
+    ];
   };
 
   boot = {
@@ -123,6 +127,32 @@ in
     PermitRootLogin = lib.mkForce "prohibit-password";
   };
 
+  services.syncthing = {
+    enable = true;
+    dataDir = "/var/lib/syncthing";
+    guiAddress = "127.0.0.1:8384";
+    openDefaultPorts = false;
+    overrideDevices = false;
+    overrideFolders = false;
+    settings = {
+      gui = {
+        insecureAdminAccess = false;
+        insecureSkipHostcheck = false;
+      };
+      options = {
+        globalAnnounceEnabled = false;
+        localAnnounceEnabled = false;
+        listenAddresses = [
+          "tcp://0.0.0.0:22000"
+          "quic://0.0.0.0:22000"
+        ];
+        natEnabled = false;
+        relaysEnabled = false;
+        urAccepted = -1;
+      };
+    };
+  };
+
   services.forgejo = {
     enable = true;
     package = pkgs.forgejo-lts;
@@ -164,7 +194,7 @@ in
       enable = true;
       name = "alisceon-core-podman";
       url = "https://${forgejoDomain}";
-      tokenFile = forgejoRunnerTokenFile;
+      tokenFile = "/var/lib/forgejo/runner_token";
       labels = [
         "ubuntu-latest:docker://node:22-bookworm"
         "debian-latest:docker://node:22-bookworm"
@@ -203,6 +233,24 @@ in
           recommendedProxySettings = true;
         };
       };
+      ${syncthingDomain} = {
+        serverName = syncthingDomain;
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:8384";
+          recommendedProxySettings = false;
+          extraConfig = ''
+            proxy_set_header Host $proxy_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Host $host;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_read_timeout 600s;
+            proxy_send_timeout 600s;
+          '';
+        };
+      };
     };
   };
 
@@ -264,6 +312,28 @@ in
 
   systemd.services.fetch-ssh-keys.enable = false;
 
+  systemd.services.syncthing = {
+    serviceConfig = {
+      LockPersonality = true;
+      PrivateIPC = true;
+      ProcSubset = "pid";
+      ProtectClock = true;
+      ProtectHome = true;
+      ProtectProc = "invisible";
+      ProtectSystem = "strict";
+      ReadWritePaths = [ "/var/lib/syncthing" ];
+      RemoveIPC = true;
+      RestrictAddressFamilies = [
+        "AF_INET"
+        "AF_INET6"
+        "AF_NETLINK"
+        "AF_UNIX"
+      ];
+      SystemCallArchitectures = "native";
+      UMask = "0077";
+    };
+  };
+
   systemd.services.forgejo-runner-token = {
     description = "Generate Forgejo runner registration token";
     wantedBy = [ "multi-user.target" ];