| author | 2026-06-05 11:06:02 +0100 | |
|---|---|---|
| committer | 2026-06-05 11:06:02 +0100 | |
| commit | b0e83e2ee3fc328e55119ee7c1f09ad7ed20a635 (patch) | |
| tree | 0208caee2063e471b4b23b0b45038b2bce00e2fa /etc | |
| parent | 4d8cf1bc30a076e2976787051d28d8072f8f5321 (diff) | |
| download | dotfiles-b0e83e2ee3fc328e55119ee7c1f09ad7ed20a635.tar.gz dotfiles-b0e83e2ee3fc328e55119ee7c1f09ad7ed20a635.tar.bz2 dotfiles-b0e83e2ee3fc328e55119ee7c1f09ad7ed20a635.zip | |
Move more host tooling to Nix
Diffstat (limited to 'etc')
| -rw-r--r-- | etc/pacman.conf | 2 | ||||
| -rw-r--r-- | etc/systemd/system/syncthing@.service | 53 |
2 files changed, 54 insertions, 1 deletions
diff --git a/etc/pacman.conf b/etc/pacman.conf
index 7097940..8f8be59 100644
--- a/etc/pacman.conf
+++ b/etc/pacman.conf
@@ -24,7 +24,7 @@ Architecture = auto
 # Pacman won't upgrade packages listed in IgnorePkg and members of IgnoreGroup
 # llama.cpp-vulkan: AUR rebuilds on every llama.cpp commit (1-2 hour build);
 # pin and update manually with `paru -S llama.cpp-vulkan` when intended.
-IgnorePkg = llama.cpp-vulkan
+#IgnorePkg =
 #IgnoreGroup =
 #NoUpgrade =
diff --git a/etc/systemd/system/syncthing@.service b/etc/systemd/system/syncthing@.service
new file mode 100644
index 0000000..ff4eba7
--- /dev/null
+++ b/etc/systemd/system/syncthing@.service
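Review bot: The two context comments directly above the changed `IgnorePkg` line still explain why llama.cpp-vulkan is pinned (`# llama.cpp-vulkan: AUR rebuilds on every llama.cpp commit ...` and `# pin and update manually ...`), but the pin itself is now commented out, so that explanation is stale the moment this lands. If the package has moved to Nix, as the commit title suggests, drop those two comment lines or replace them with something like `# llama.cpp-vulkan is now provided via Nix; nothing is pinned here.` so the next reader does not reinstate the pin by mistake. If a pin is still intended, the `IgnorePkg = llama.cpp-vulkan` line should stay instead.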
@@ -0,0 +1,53 @@
+[Unit]
+Description=Syncthing - Open Source Continuous File Synchronization for %I
+Documentation=man:syncthing(1)
+After=network.target
+StartLimitIntervalSec=60
+StartLimitBurst=4
+
+[Service]
+User=%i
+Environment="STLOGFORMATTIMESTAMP="
+Environment="STLOGFORMATLEVELSTRING=false"
+Environment="STLOGFORMATLEVELSYSLOG=true"
+ExecStart=/home/%i/.nix-profile/bin/syncthing serve --no-browser --no-restart --allow-newer-config
+Restart=on-failure
+RestartSec=1
+SuccessExitStatus=3 4
+RestartForceExitStatus=3 4
+
+# Best-effort sandboxing, based on the nixpkgs Syncthing system unit.
+ProtectSystem=full
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectClock=true
+NoNewPrivileges=true
+RestrictSUIDSGID=true
+MemoryDenyWriteExecute=true
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
+CapabilityBoundingSet=
+AmbientCapabilities=
+LockPersonality=true
+SystemCallArchitectures=native
+RemoveIPC=true
+PrivateIPC=true
+PrivateTmp=disconnected
+PrivateDevices=true
+DevicePolicy=closed
+PrivatePIDs=true
+ProtectProc=invisible
+ProcSubset=pid
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged
+SystemCallFilter=~io_uring_setup io_uring_enter io_uring_register
+SystemCallErrorNumber=EPERM
+UMask=7027
+InaccessiblePaths=-/nonexistent
+
+[Install]
+WantedBy=multi-user.target
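Review bot: `UMask=7027` near the end of the [Service] section looks like a typo for `UMask=0027`; the kernel only honours the permission bits of a umask, so the leading 7 changes nothing at runtime but reads as if setuid/setgid/sticky bits were being masked, and `UMask=0027` states the actual intent. Several of the hardening directives (`PrivatePIDs=`, `PrivateTmp=disconnected`) only exist in recent systemd releases; an older systemd logs "unknown key" and ignores them, so the unit still starts but with quieter-than-expected isolation, which is worth checking with `systemd-analyze security syncthing@USER.service` on each host this file is deployed to. `InaccessiblePaths=-/nonexistent` has no obvious purpose from this file alone and deserves a one-line comment saying why it is there (or removal if it is a leftover). Since the binary lives under `/home/%i`, the unit necessarily leaves the user's home writable and executable (`ProtectHome=` is absent), so the sandbox only constrains what the instance user can reach outside their home; a short comment next to `ExecStart=` making that trade-off explicit would help the next reader.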
