{ config, lib, pkgs, ... }: with lib; let cfg = config.services.syncplay; cmdArgs = [ "--port" cfg.port ] ++ optionals (cfg.salt != null) [ "--salt" cfg.salt ] ++ optionals (cfg.certDir != null) [ "--tls" cfg.certDir ]; in { options = { services.syncplay = { enable = mkOption { type = types.bool; default = false; description = "If enabled, start the Syncplay server."; }; port = mkOption { type = types.port; default = 8999; description = '' TCP port to bind to. ''; }; salt = mkOption { type = types.nullOr types.str; default = null; description = '' Salt to allow room operator passwords generated by this server instance to still work when the server is restarted. ''; }; certDir = mkOption { type = types.nullOr types.path; default = null; description = '' TLS certificates directory to use for encryption. See . ''; }; user = mkOption { type = types.str; default = "nobody"; description = '' User to use when running Syncplay. ''; }; group = mkOption { type = types.str; default = "nogroup"; description = '' Group to use when running Syncplay. ''; }; passwordFile = mkOption { type = types.nullOr types.path; default = null; description = '' Path to the file that contains the server password. If null, the server doesn't require a password. ''; }; }; }; config = mkIf cfg.enable { systemd.services.syncplay = { description = "Syncplay Service"; wantedBy = [ "multi-user.target" ]; after = [ "network-online.target" ]; serviceConfig = { User = cfg.user; Group = cfg.group; LoadCredential = lib.mkIf (cfg.passwordFile != null) "password:${cfg.passwordFile}"; }; script = '' ${lib.optionalString (cfg.passwordFile != null) '' export SYNCPLAY_PASSWORD=$(cat "''${CREDENTIALS_DIRECTORY}/password") ''} exec ${pkgs.syncplay}/bin/syncplay-server ${escapeShellArgs cmdArgs} ''; }; }; }