From c8ffcadad905135322e0fb0064a34e9a693d2b03 Mon Sep 17 00:00:00 2001
From: a-kenji
Date: Fri, 8 Dec 2023 13:53:32 +0100
Subject: [PATCH] syncthing: restrict access of peers to vpn
---
 clanModules/syncthing.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/clanModules/syncthing.nix b/clanModules/syncthing.nix
index cc5eb7f90..d50da772d 100644
--- a/clanModules/syncthing.nix
+++ b/clanModules/syncthing.nix
@@ -45,7 +45,6 @@
 8384
 22000
 ];
- # local ui TODO: mkDefault ?
 networking.firewall.allowedTCPPorts = [ 8384 ];
 networking.firewall.interfaces."zt+".allowedUDPPorts = [
 22000
@@ -72,6 +71,8 @@
 dataDir = lib.mkDefault "/home/user/";
+ group = "syncthing";
+
 key = lib.mkDefault config.clanCore.secrets.syncthing.secrets."syncthing.key".path or null;
@@ -82,8 +83,7 @@
 settings = {
 options = {
 urAccepted = -1;
- # TODO:
- # allowedNetworks = [];
+ allowedNetworks = [ config.clan.networking.zerotier.subnet ];
 };
 devices = { }
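Review bot: `group = "syncthing";` is a plain definition while its neighbours `dataDir` and `key` use `lib.mkDefault`, so a machine that needs a different group would have to override it with `lib.mkForce`. If I recall the NixOS module correctly, "syncthing" is already the default for `services.syncthing.group`, so the line should carry a comment saying why it is pinned here; the reason is not visible in this hunk. Suggested form: `group = lib.mkDefault "syncthing";`. The enclosing attribute set starts and ends outside the hunk.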
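Review bot: `allowedNetworks` is placed under `settings.options`, but as far as I know Syncthing defines `allowedNetworks` only on individual device entries, not among the global options, so this line may not restrict anything. To get the effect the subject line describes, it likely has to be set per device, e.g. `allowedNetworks = [ config.clan.networking.zerotier.subnet ];` inside each entry of `devices`, whose definition continues outside the hunk. It is also worth confirming that `config.clan.networking.zerotier.subnet` can never be null when this module is enabled. Separately, the first hunk leaves `networking.firewall.allowedTCPPorts = [ 8384 ];` open on every interface, so the GUI port is not limited to `zt+` by this commit.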