Commit 8908668a84aa

Vincent Demeester <vincent@sbr.pm>
2026-02-22 16:42:21
fix(firewall): open syncthing ports on all hosts
Added TCP/UDP 22000 and UDP 21027 to the firewall for hosts with Syncthing configured via home-manager. The user service cannot manage the system firewall, so the ports were never opened, causing ~3-4k refused-connection log entries per hour and potential kernel instability.
1 parent cbb49c2
Changed files (2)
systems/common/services/syncthing.nix
@@ -0,0 +1,16 @@
+# Open firewall ports for Syncthing (home-manager user service).
+#
+# Syncthing runs as a home-manager service which cannot manage system firewall.
+# This NixOS module opens the required ports:
+#   - TCP 22000: Sync protocol (file transfer)
+#   - UDP 22000: QUIC sync protocol
+#   - UDP 21027: Local discovery (LAN broadcast)
+{
+  networking.firewall = {
+    allowedTCPPorts = [ 22000 ];
+    allowedUDPPorts = [
+      22000
+      21027
+    ];
+  };
+}
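Review bot: `networking.firewall.allowedTCPPorts` and `allowedUDPPorts` open these ports on every interface, so on a roaming host the 22000 sync listener and the 21027 discovery port become reachable from untrusted networks as well as the LAN; Syncthing authenticates peers by device ID, but the listener itself is now exposed. If only specific interfaces should accept sync traffic, NixOS offers the per-interface form `networking.firewall.interfaces."<iface>".allowedUDPPorts` (and the TCP counterpart), which this module could take as a parameter instead of hard-coding the global lists. The header comment would also benefit from stating that these are Syncthing's default port numbers and must be kept in sync with the home-manager listen configuration, e.g. `# These are Syncthing's default ports; adjust if the home-manager config changes the listen address.`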
systems/default.nix
@@ -1,9 +1,11 @@
 {
   config,
   desktop,
+  globals,
   hostname,
   inputs,
   lib,
+  libx,
   outputs,
   stateVersion,
   ...
@@ -18,7 +20,11 @@
     ./common/users
   ]
   ++ lib.optional (builtins.pathExists (./. + "/${hostname}/extra.nix")) ./${hostname}/extra.nix
-  ++ lib.optional (builtins.isString desktop) ./common/desktop;
+  ++ lib.optional (builtins.isString desktop) ./common/desktop
+  ++ lib.optional (
+    builtins.hasAttr "${hostname}" globals.machines
+    && libx.hasSyncthingFolders globals.machines."${hostname}"
+  ) ./common/services/syncthing.nix;
 
   nixpkgs = {
     overlays = [
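Review bot: The quoting in `builtins.hasAttr "${hostname}" globals.machines` and `globals.machines."${hostname}"` is redundant because `hostname` is already a string; `builtins.hasAttr hostname globals.machines && libx.hasSyncthingFolders globals.machines.${hostname}` reads the same and evaluates identically. The new `globals` and `libx` module arguments presumably arrive via `specialArgs` from the flake outputs, which is outside this diff, so a short comment on the new `lib.optional` would help the next reader, e.g. `# Only hosts whose globals.machines entry declares Syncthing folders get the firewall module.` The `imports` list that this optional extends begins before the hunk.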