diff options
44 files changed, 950 insertions, 485 deletions
diff --git a/jeschli/1systems/bolide/config.nix b/jeschli/1systems/bolide/config.nix index 699a85b58..a9f564f75 100644 --- a/jeschli/1systems/bolide/config.nix +++ b/jeschli/1systems/bolide/config.nix @@ -2,15 +2,15 @@ # your system. Help is available in the configuration.nix(5) man page # and in the NixOS manual (accessible by running ‘nixos-help’). -{ config, pkgs, ... }: - +{ config, pkgs, lib, ... }: { imports = [ ./hardware-configuration.nix <stockholm/jeschli> + <home-manager/nixos> <stockholm/jeschli/2configs/urxvt.nix> - <stockholm/jeschli/2configs/emacs.nix> + # <stockholm/jeschli/2configs/emacs.nix> ]; krebs.build.host = config.krebs.hosts.bolide; @@ -29,7 +29,8 @@ allowDiscards = true; } ]; # networking.hostName = "bolide"; # Define your hostname. - networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. +# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + networking.networkmanager.enable = true; # Select internationalisation properties. # i18n = { @@ -52,6 +53,8 @@ }; nixpkgs.config.allowUnfree = true; environment.systemPackages = with pkgs; [ + home-manager + wget vim # system helper ag @@ -92,6 +95,22 @@ zathura ]; + home-manager.useUserPackages = true; + home-manager.users.jeschli = { + home.stateVersion = "19.03"; + }; + + home-manager.users.jeschli.home.file = { + ".emacs.d" = { + source = pkgs.fetchFromGitHub { + owner = "jeschli"; + repo = "emacs.d"; + rev = "8ed6c40"; + sha256 = "1q2y478srwp9f58l8cixnd2wj51909gp1z68k8pjlbjy2mrvibs0"; + }; + recursive = true; + }; + }; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.bash.enableCompletion = true; @@ -103,36 +122,37 @@ # Enable the OpenSSH daemon. services.openssh.enable = true; - # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; - # networking.firewall.allowedUDPPorts = [ ... ]; - # Or disable the firewall altogether. - # networking.firewall.enable = false; - # Enable CUPS to print documents. - # services.printing.enable = true; + services.xserver = { + + enable = true; - # Enable the X11 windowing system. - services.xserver.enable = true; - # services.xserver.layout = "us"; - # services.xserver.xkbOptions = "eurosign:e"; + desktopManager = { + xfce.enable = true; + gnome3.enable = true; + }; +# # Don't install feh into systemPackages +# # refs <nixpkgs/nixos/modules/services/x11/desktop-managers> +# desktopManager.session = lib.mkForce []; +# +# enable = true; +# display = 11; +# tty = 11; +# +# dpi = 96; - services.xserver.displayManager.sddm.enable = true; - services.xserver.windowManager.xmonad.enable = true; - services.xserver.windowManager.xmonad.enableContribAndExtras = true; - # Enable touchpad support. - # services.xserver.libinput.enable = true; + videoDrivers = [ "nvidia" ]; + }; - # Enable the KDE Desktop Environment. - # services.xserver.displayManager.sddm.enable = true; - # services.xserver.desktopManager.plasma5.enable = true; + services.xserver.windowManager.i3.enable = true; - # Define a user account. Don't forget to set a password with ‘passwd’. users.extraUsers.jeschli = { isNormalUser = true; + extraGroups = ["docker" "vboxusers" "audio"]; uid = 1000; }; + hardware.pulseaudio.enable = true; # This value determines the NixOS release with which your system is to be # compatible, in order to avoid breaking some software such as database # servers. You should change this only after NixOS release notes say you diff --git a/jeschli/1systems/bolide/hardware-configuration.nix b/jeschli/1systems/bolide/hardware-configuration.nix index 183b29e42..042b746ef 100644 --- a/jeschli/1systems/bolide/hardware-configuration.nix +++ b/jeschli/1systems/bolide/hardware-configuration.nix @@ -29,4 +29,5 @@ nix.maxJobs = lib.mkDefault 8; powerManagement.cpuFreqGovernor = "powersave"; + hardware.pulseaudio.enable = true; } diff --git a/jeschli/1systems/bolide/home.nix b/jeschli/1systems/bolide/home.nix new file mode 100644 index 000000000..60fee8b67 --- /dev/null +++ b/jeschli/1systems/bolide/home.nix @@ -0,0 +1,171 @@ +{ pkgs, ... }: + +{ + home.file = { + ".emacs.d" = { + source = pkgs.fetchFromGitHub { + owner = "jeschli"; + repo = "emacs.d"; + rev = "8ed6c40"; + sha256 = "1q2y478srwp9f58l8cixnd2wj51909gp1z68k8pjlbjy2mrvibs0"; + }; + recursive = true; + }; + ".config/i3/config".text = '' + +set $mod Mod4 + +font pango:monospace 8 + +floating_modifier $mod + +bindsym $mod+Return exec i3-sensible-terminal + +bindsym $mod+Shift+q kill + +bindsym $mod+d exec rofi -modi drun#run -combi-modi drun#run -show combi -show-icons -display-combi run + +bindsym $mod+x exec rofi -modi window -show window -auto-select + +# switch to last used window +bindsym $mod+Tab exec rofi -show window& sleep 0.15 && xdotool key Down + +# change focus +bindsym $mod+j focus left +bindsym $mod+k focus down +bindsym $mod+l focus up +bindsym $mod+semicolon focus right + +# alternatively, you can use the cursor keys: +bindsym $mod+Left focus left +bindsym $mod+Down focus down +bindsym $mod+Up focus up +bindsym $mod+Right focus right + +# Resizing windows by 10 in i3 using keyboard only +bindsym $mod+Ctrl+Shift+Right resize shrink width 10 px or 10 ppt +bindsym $mod+Ctrl+Shift+Up resize grow height 10 px or 10 ppt +bindsym $mod+Ctrl+Shift+Down resize shrink height 10 px or 10 ppt +bindsym $mod+Ctrl+Shift+Left resize grow width 10 px or 10 ppt + +# move focused window +bindsym $mod+Shift+j move left +bindsym $mod+Shift+k move down +bindsym $mod+Shift+l move up +bindsym $mod+Shift+semicolon move right + +# alternatively, you can use the cursor keys: +bindsym $mod+Shift+Left move left +bindsym $mod+Shift+Down move down +bindsym $mod+Shift+Up move up +bindsym $mod+Shift+Right move right + +# split in horizontal orientation +bindsym $mod+h split h + +# split in vertical orientation +bindsym $mod+v split v + +# enter fullscreen mode for the focused container +bindsym $mod+f fullscreen toggle + +# change container layout (stacked, tabbed, toggle split) +bindsym $mod+s layout stacking +bindsym $mod+w layout tabbed +bindsym $mod+e layout toggle split + +# toggle tiling / floating +bindsym $mod+Shift+space floating toggle + +# change focus between tiling / floating windows +bindsym $mod+space focus mode_toggle + +# focus the parent container +bindsym $mod+a focus parent + +# focus the child container +#bindsym $mod+d focus child + +# Define names for default workspaces for which we configure key bindings later on. +# We use variables to avoid repeating the names in multiple places. +set $ws1 "1" +set $ws2 "2" +set $ws3 "3" +set $ws4 "4" +set $ws5 "5" +set $ws6 "6" +set $ws7 "7" +set $ws8 "8" +set $ws9 "9" +set $ws10 "10" + +# switch to workspace +bindsym $mod+1 workspace $ws1 +bindsym $mod+2 workspace $ws2 +bindsym $mod+3 workspace $ws3 +bindsym $mod+4 workspace $ws4 +bindsym $mod+5 workspace $ws5 +bindsym $mod+6 workspace $ws6 +bindsym $mod+7 workspace $ws7 +bindsym $mod+8 workspace $ws8 +bindsym $mod+9 workspace $ws9 +bindsym $mod+0 workspace $ws10 + +# move focused container to workspace +bindsym $mod+Shift+1 move container to workspace $ws1 +bindsym $mod+Shift+2 move container to workspace $ws2 +bindsym $mod+Shift+3 move container to workspace $ws3 +bindsym $mod+Shift+4 move container to workspace $ws4 +bindsym $mod+Shift+5 move container to workspace $ws5 +bindsym $mod+Shift+6 move container to workspace $ws6 +bindsym $mod+Shift+7 move container to workspace $ws7 +bindsym $mod+Shift+8 move container to workspace $ws8 +bindsym $mod+Shift+9 move container to workspace $ws9 +bindsym $mod+Shift+0 move container to workspace $ws10 + +# reload the configuration file +bindsym $mod+Shift+c reload +# restart i3 inplace (preserves your layout/session, can be used to upgrade i3) +bindsym $mod+Shift+r restart +# exit i3 (logs you out of your X session) +bindsym $mod+Shift+e exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' -b 'Yes, exit i3' 'i3-msg exit'" + +bindsym $mod+p exec i3-sensible-pager + +# resize window (you can also use the mouse for that) +mode "resize" { + # These bindings trigger as soon as you enter the resize mode + + # Pressing left will shrink the window’s width. + # Pressing right will grow the window’s width. + # Pressing up will shrink the window’s height. + # Pressing down will grow the window’s height. + bindsym j resize shrink width 10 px or 10 ppt + bindsym k resize grow height 10 px or 10 ppt + bindsym l resize shrink height 10 px or 10 ppt + bindsym semicolon resize grow width 10 px or 10 ppt + + # same bindings, but for the arrow keys + bindsym Left resize shrink width 10 px or 10 ppt + bindsym Down resize grow height 10 px or 10 ppt + bindsym Up resize shrink height 10 px or 10 ppt + bindsym Right resize grow width 10 px or 10 ppt + + # back to normal: Enter or Escape or $mod+r + bindsym Return mode "default" + bindsym Escape mode "default" + bindsym $mod+r mode "default" +} + +bindsym $mod+r mode "resize" + +# Start i3bar to display a workspace bar (plus the system information i3status +# finds out, if available) +bar { + position top + status_command i3status +} + ''; + }; + +} diff --git a/jeschli/1systems/brauerei/config.nix b/jeschli/1systems/brauerei/config.nix index b9bb021b8..059ec6d71 100644 --- a/jeschli/1systems/brauerei/config.nix +++ b/jeschli/1systems/brauerei/config.nix @@ -1,19 +1,17 @@ { config, pkgs, lib, ... }: let xmonad-jeschli = pkgs.callPackage <stockholm/jeschli/5pkgs/simple/xmonad-jeschli> { inherit config; }; + mainUser = config.krebs.build.user.name; in { imports = [ <stockholm/jeschli> ./hardware-configuration.nix + <home-manager/nixos> <stockholm/jeschli/2configs/urxvt.nix> -# <stockholm/jeschli/2configs/emacs.nix> -# <stockholm/jeschli/2configs/xdg.nix> -# <stockholm/jeschli/2configs/xserver> <stockholm/jeschli/2configs/steam.nix> <stockholm/jeschli/2configs/virtualbox.nix> - ]; - + ]; krebs.build.host = config.krebs.hosts.brauerei; # Use the GRUB 2 boot loader. boot.loader.grub.enable = true; @@ -54,7 +52,10 @@ in copyq curl dmenu + rofi + xdotool git + gnupg i3lock keepass networkmanagerapplet @@ -92,9 +93,11 @@ in }) # dev tools gnumake + jetbrains.clion jetbrains.goland jetbrains.pycharm-professional jetbrains.webstorm + vscode # document viewer evince zathura @@ -105,7 +108,6 @@ in cargo rustracer rustup - vscode # orga tools taskwarrior # xorg @@ -120,6 +122,24 @@ in # programs.mtr.enable = true; programs.gnupg.agent = { enable = true; enableSSHSupport = true; }; + home-manager.useUserPackages = true; + home-manager.users.jeschli = { + home.stateVersion = "19.03"; + }; +# home-manager.enable = true; + + home-manager.users.jeschli.home.file = { + ".emacs.d" = { + source = pkgs.fetchFromGitHub { + owner = "jeschli"; + repo = "emacs.d"; + rev = "8ed6c40"; + sha256 = "1q2y478srwp9f58l8cixnd2wj51909gp1z68k8pjlbjy2mrvibs0"; + }; + recursive = true; + }; + }; + # List services that you want to enable: # Enable the OpenSSH daemon. @@ -155,6 +175,11 @@ in extraGroups = ["docker" "vboxusers" "audio"]; uid = 1000; }; + users.extraUsers.blafoo = { + isNormalUser = true; + extraGroups = ["audio"]; + uid = 1002; + }; users.extraUsers.jamie = { isNormalUser = true; uid = 1001; # TODO genid diff --git a/jeschli/1systems/enklave/config.nix b/jeschli/1systems/enklave/config.nix index cadec3cab..86d21f7d3 100644 --- a/jeschli/1systems/enklave/config.nix +++ b/jeschli/1systems/enklave/config.nix @@ -49,7 +49,7 @@ listenPort = 53589; organisations.lass.users = [ "jeschli" ]; }; - networking.firewall.allowedTCPPorts = [ 53589 ]; + networking.firewall.allowedTCPPorts = [ 53589 8001 ]; } ]; diff --git a/jeschli/2configs/default.nix b/jeschli/2configs/default.nix index 5aaabe24b..8b61fa29c 100644 --- a/jeschli/2configs/default.nix +++ b/jeschli/2configs/default.nix @@ -2,7 +2,7 @@ with import <stockholm/lib>; { imports = [ - ./vim.nix +# ./vim.nix ./retiolum.nix ./zsh.nix <stockholm/lass/2configs/security-workarounds.nix> @@ -56,7 +56,7 @@ with import <stockholm/lib>; usbutils # logify goify - + vim #unpack stuff p7zip unzip diff --git a/jeschli/2configs/git.nix b/jeschli/2configs/git.nix index a26022789..faa8ccf5b 100644 --- a/jeschli/2configs/git.nix +++ b/jeschli/2configs/git.nix @@ -60,7 +60,7 @@ let with git // config.krebs.users; repo: singleton { - user = [ jeschli jeschli-brauerei]; + user = [ jeschli jeschli-brauerei jeschli-bolide]; repo = [ repo ]; perm = push "refs/*" [ non-fast-forward create delete merge ]; } ++ diff --git a/jeschli/2configs/home-manager/default.nix b/jeschli/2configs/home-manager/default.nix new file mode 100644 index 000000000..ad8663d58 --- /dev/null +++ b/jeschli/2configs/home-manager/default.nix @@ -0,0 +1,9 @@ +{ + imports = [ + <home-manager/nixos> + ]; + home-manager.useUserPackages = true; + home-manager.users.jeschli = { + home.stateVersion = "19.03"; + }; +} diff --git a/jeschli/krops.nix b/jeschli/krops.nix index dbf94bd0d..f3964a553 100644 --- a/jeschli/krops.nix +++ b/jeschli/krops.nix @@ -15,6 +15,12 @@ file = "${lib.getEnv "HOME"}/secrets/${name}"; }; } + { + home-manager.git = { + url = https://github.com/rycee/home-manager; + ref = "2ccbf43"; + }; + } ]; in { diff --git a/krebs/0tests/data/secrets/github-hosts-sync.ssh.id_ed25519 b/krebs/0tests/data/secrets/github-hosts-sync.ssh.id_ed25519 new file mode 100644 index 000000000..e69de29bb --- /dev/null +++ b/krebs/0tests/data/secrets/github-hosts-sync.ssh.id_ed25519 diff --git a/krebs/1systems/hotdog/config.nix b/krebs/1systems/hotdog/config.nix index f68c8ce50..32e416831 100644 --- a/krebs/1systems/hotdog/config.nix +++ b/krebs/1systems/hotdog/config.nix @@ -18,6 +18,7 @@ ]; krebs.build.host = config.krebs.hosts.hotdog; + krebs.github-hosts-sync.enable = true; boot.isContainer = true; networking.useDHCP = false; diff --git a/krebs/3modules/external/palo.nix b/krebs/3modules/external/palo.nix index cefac0959..05808714c 100644 --- a/krebs/3modules/external/palo.nix +++ b/krebs/3modules/external/palo.nix @@ -34,7 +34,10 @@ in { retiolum = { ip4.addr = "10.243.23.3"; tinc.port = 720; - aliases = [ "kruck.r" ]; + aliases = [ + "kruck.r" + "video.kruck.r" + ]; tinc.pubkey = tinc-for "palo"; }; }; @@ -49,6 +52,7 @@ in { tinc.pubkey = tinc-for "palo"; }; }; + syncthing.id = "FLY7DHI-TJLEQBJ-JZNC4YV-NBX53Z2-ZBRWADL-BKSFXYZ-L4FMDVH-MOSEVAQ"; }; workhorse = { owner = config.krebs.users.palo; diff --git a/krebs/3modules/github-hosts-sync.nix b/krebs/3modules/github-hosts-sync.nix index 3b626dc46..0b7d56098 100644 --- a/krebs/3modules/github-hosts-sync.nix +++ b/krebs/3modules/github-hosts-sync.nix @@ -11,17 +11,25 @@ let api = { enable = mkEnableOption "krebs.github-hosts-sync"; - port = mkOption { - type = types.int; # TODO port type - default = 1028; - }; dataDir = mkOption { type = types.str; # TODO path (but not just into store) default = "/var/lib/github-hosts-sync"; }; + srcDir = mkOption { + type = types.str; + default = "${config.krebs.tinc.retiolum.confDir}/hosts"; + }; ssh-identity-file = mkOption { type = types.suffixed-str [".ssh.id_ed25519" ".ssh.id_rsa"]; - default = toString <secrets/github-hosts-sync.ssh.id_rsa>; + default = toString <secrets/github-hosts-sync.ssh.id_ed25519>; + }; + url = mkOption { + type = types.str; + default = "git@github.com:krebs/hosts.git"; + }; + workTree = mkOption { + type = types.absolute-pathname; + default = "${cfg.dataDir}/cache"; }; }; @@ -30,13 +38,18 @@ let after = [ "network.target" ]; wantedBy = [ "multi-user.target" ]; environment = { - port = toString cfg.port; + GITHUB_HOST_SYNC_USER_MAIL = user.mail; + GITHUB_HOST_SYNC_USER_NAME = user.name; + GITHUB_HOST_SYNC_SRCDIR = cfg.srcDir; + GITHUB_HOST_SYNC_WORKTREE = cfg.workTree; + GITHUB_HOST_SYNC_URL = cfg.url; }; serviceConfig = { PermissionsStartOnly = "true"; SyslogIdentifier = "github-hosts-sync"; User = user.name; - Restart = "always"; + Type = "oneshot"; + RemainAfterExit = true; ExecStartPre = pkgs.writeDash "github-hosts-sync-init" '' set -euf install -m 0711 -o ${user.name} -d ${cfg.dataDir} @@ -56,6 +69,7 @@ let }; user = rec { + mail = "${name}@${config.krebs.build.host.name}"; name = "github-hosts-sync"; uid = genid_uint31 name; }; diff --git a/krebs/3modules/github-known-hosts.nix b/krebs/3modules/github-known-hosts.nix index def06f17a..bae8b96bf 100644 --- a/krebs/3modules/github-known-hosts.nix +++ b/krebs/3modules/github-known-hosts.nix @@ -28,12 +28,22 @@ "140.82.125.*" "140.82.126.*" "140.82.127.*" + "13.114.40.48" "13.229.188.59" + "13.234.176.102" + "13.234.210.38" + "13.236.229.21" + "13.237.44.5" "13.250.177.223" + "15.164.81.167" "18.194.104.89" "18.195.85.27" "35.159.8.160" + "52.192.72.89" + "52.64.108.95" + "52.69.186.44" "52.74.223.119" + "52.78.231.108" ]; publicKey = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ=="; }; diff --git a/krebs/3modules/lass/default.nix b/krebs/3modules/lass/default.nix index 41f3852b9..f4c8f5c6a 100644 --- a/krebs/3modules/lass/default.nix +++ b/krebs/3modules/lass/default.nix @@ -35,6 +35,7 @@ in { default._domainkey 60 IN TXT "k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUv3DMndFellqu208feABEzT/PskOfTSdJCOF/HELBR0PHnbBeRoeHEm9XAcOe/Mz2t/ysgZ6JFXeFxCtoM5fG20brUMRzsVRxb9Ur5cEvOYuuRrbChYcKa+fopu8pYrlrqXD3miHISoy6ErukIYCRpXWUJHi1TlNQhLWFYqAaywIDAQAB" cache 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} cgit 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} + codi 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} go 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} io 60 IN NS ions.lassul.us. ions 60 IN A ${config.krebs.hosts.prism.nets.internet.ip4.addr} diff --git a/krebs/3modules/syncthing.nix b/krebs/3modules/syncthing.nix index 897ba1e7f..9c6acfb0c 100644 --- a/krebs/3modules/syncthing.nix +++ b/krebs/3modules/syncthing.nix @@ -22,7 +22,7 @@ let getApiKey = pkgs.writeDash "getAPIKey" '' ${pkgs.libxml2}/bin/xmllint \ --xpath 'string(configuration/gui/apikey)'\ - ${config.services.syncthing.dataDir}/config.xml + ${config.services.syncthing.configDir}/config.xml ''; updateConfig = pkgs.writeDash "merge-syncthing-config" '' @@ -31,9 +31,9 @@ let ${pkgs.untilport}/bin/untilport localhost 8384 API_KEY=$(${getApiKey}) CFG=$(${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/config) - echo "$CFG" | ${pkgs.jq}/bin/jq -s '.[] * { - "devices": ${builtins.toJSON devices}, - "folders": ${builtins.toJSON folders} + echo "$CFG" | ${pkgs.jq}/bin/jq -s '.[] as $in | $in * { + "devices": (${builtins.toJSON devices}${optionalString (! cfg.overridePeers) " + $in.devices"}), + "folders": (${builtins.toJSON folders}${optionalString (! cfg.overrideFolders) " + $in.folders"}) }' | ${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/config -d @- ${pkgs.curl}/bin/curl -Ss -H "X-API-Key: $API_KEY" localhost:8384/rest/system/restart -X POST ''; @@ -45,11 +45,6 @@ in enable = mkEnableOption "syncthing-init"; - id = mkOption { - type = types.str; - default = config.krebs.build.host.name; - }; - cert = mkOption { type = types.nullOr types.absolute-pathname; default = null; @@ -60,6 +55,13 @@ in default = null; }; + overridePeers = mkOption { + type = types.bool; + default = true; + description = '' + Whether to delete the peers which are not configured via the peers option + ''; + }; peers = mkOption { default = {}; type = types.attrsOf (types.submodule ({ @@ -80,6 +82,13 @@ in })); }; + overrideFolders = mkOption { + type = types.bool; + default = true; + description = '' + Whether to delete the folders which are not configured via the peers option + ''; + }; folders = mkOption { default = {}; type = types.attrsOf (types.submodule ({ config, ... }: { @@ -135,14 +144,14 @@ in systemd.services.syncthing = mkIf (cfg.cert != null || cfg.key != null) { preStart = '' ${optionalString (cfg.cert != null) '' - cp ${toString cfg.cert} ${config.services.syncthing.dataDir}/cert.pem - chown ${config.services.syncthing.user}:${config.services.syncthing.group} ${config.services.syncthing.dataDir}/cert.pem - chmod 400 ${config.services.syncthing.dataDir}/cert.pem + cp ${toString cfg.cert} ${config.services.syncthing.configDir}/cert.pem + |