pyrox.dev / nixpkgs
lol
fork atom

nixos/anki-sync-server: init

Provide a NixOS module for the [built-in Anki Sync
Server](https://docs.ankiweb.net/sync-server.html) included in recent
versions of Anki. This supersedes the `ankisyncd` module, but we should
keep that for now because `ankisyncd` supports older versions of Anki
clients than this module.

Robert Irelan 8fe9c18e 3808ba76

options
unified split
Changed files
+217
nixos
doc
manual
release-notes
rl-2405.section.md
modules
module-list.nix
services
misc
anki-sync-server.md
anki-sync-server.nix
+2
nixos/doc/manual/release-notes/rl-2405.section.md 
···

       
16

       
16

       
 

       



     

       
17

       
17

       
 

       
- [maubot](https://github.com/maubot/maubot), a plugin-based Matrix bot framework. Available as [services.maubot](#opt-services.maubot.enable).


     

       
18

       
18

       
 

       



     

       

       
19

       
+

       
- [Anki Sync Server](https://docs.ankiweb.net/sync-server.html), the official sync server built into recent versions of Anki. Available as [services.anki-sync-server](#opt-services.anki-sync-server.enable).


     

       

       
20

       
+

       



     

       
19

       
21

       
 

       
## Backward Incompatibilities {#sec-release-24.05-incompatibilities}


     

       
20

       
22

       
 

       



     

       
21

       
23

       
 

       
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
+1
nixos/modules/module-list.nix 
···

       
635

       
635

       
 

       
  ./services/misc/amazon-ssm-agent.nix


     

       
636

       
636

       
 

       
  ./services/misc/ananicy.nix


     

       
637

       
637

       
 

       
  ./services/misc/ankisyncd.nix


     

       

       
638

       
+

       
  ./services/misc/anki-sync-server.nix


     

       
638

       
639

       
 

       
  ./services/misc/apache-kafka.nix


     

       
639

       
640

       
 

       
  ./services/misc/atuin.nix


     

       
640

       
641

       
 

       
  ./services/misc/autofs.nix
+68
nixos/modules/services/misc/anki-sync-server.md 
···

       

       
1

       
+

       
# Anki Sync Server {#module-services-anki-sync-server}


     

       

       
2

       
+

       



     

       

       
3

       
+

       
[Anki Sync Server](https://docs.ankiweb.net/sync-server.html) is the built-in


     

       

       
4

       
+

       
sync server, present in recent versions of Anki. Advanced users who cannot or


     

       

       
5

       
+

       
do not wish to use AnkiWeb can use this sync server instead of AnkiWeb.


     

       

       
6

       
+

       



     

       

       
7

       
+

       
This module is compatible only with Anki versions >=2.1.66, due to [recent


     

       

       
8

       
+

       
enhancements to the Nix anki


     

       

       
9

       
+

       
package](https://github.com/NixOS/nixpkgs/commit/05727304f8815825565c944d012f20a9a096838a).


     

       

       
10

       
+

       



     

       

       
11

       
+

       
## Basic Usage {#module-services-anki-sync-server-basic-usage}


     

       

       
12

       
+

       



     

       

       
13

       
+

       
By default, the module creates a


     

       

       
14

       
+

       
[`systemd`](https://www.freedesktop.org/wiki/Software/systemd/)


     

       

       
15

       
+

       
unit which runs the sync server with an isolated user using the systemd


     

       

       
16

       
+

       
`DynamicUser` option.


     

       

       
17

       
+

       



     

       

       
18

       
+

       
This can be done by enabling the `anki-sync-server` service:


     

       

       
19

       
+

       
```


     

       

       
20

       
+

       
{ ... }:


     

       

       
21

       
+

       



     

       

       
22

       
+

       
{


     

       

       
23

       
+

       
  services.anki-sync-server.enable = true;


     

       

       
24

       
+

       
}


     

       

       
25

       
+

       
```


     

       

       
26

       
+

       



     

       

       
27

       
+

       
It is necessary to set at least one username-password pair under


     

       

       
28

       
+

       
{option}`services.anki-sync-server.users`. For example


     

       

       
29

       
+

       



     

       

       
30

       
+

       
```


     

       

       
31

       
+

       
{


     

       

       
32

       
+

       
  services.anki-sync-server.users = [


     

       

       
33

       
+

       
    {


     

       

       
34

       
+

       
      username = "user";


     

       

       
35

       
+

       
      passwordFile = /etc/anki-sync-server/user;


     

       

       
36

       
+

       
    }


     

       

       
37

       
+

       
  ];


     

       

       
38

       
+

       
}


     

       

       
39

       
+

       
```


     

       

       
40

       
+

       



     

       

       
41

       
+

       
Here, `passwordFile` is the path to a file containing just the password in


     

       

       
42

       
+

       
plaintext. Make sure to set permissions to make this file unreadable to any


     

       

       
43

       
+

       
user besides root.


     

       

       
44

       
+

       



     

       

       
45

       
+

       
By default, the server listen address {option}`services.anki-sync-server.host`


     

       

       
46

       
+

       
is set to localhost, listening on port


     

       

       
47

       
+

       
{option}`services.anki-sync-server.port`, and does not open the firewall. This


     

       

       
48

       
+

       
is suitable for purely local testing, or to be used behind a reverse proxy. If


     

       

       
49

       
+

       
you want to expose the sync server directly to other computers (not recommended


     

       

       
50

       
+

       
in most circumstances, because the sync server doesn't use HTTPS), then set the


     

       

       
51

       
+

       
following options:


     

       

       
52

       
+

       



     

       

       
53

       
+

       
```


     

       

       
54

       
+

       
{


     

       

       
55

       
+

       
  services.anki-sync-server.host = "0.0.0.0";


     

       

       
56

       
+

       
  services.anki-sync-server.openFirewall = true;


     

       

       
57

       
+

       
}


     

       

       
58

       
+

       
```


     

       

       
59

       
+

       



     

       

       
60

       
+

       



     

       

       
61

       
+

       
## Alternatives {#module-services-anki-sync-server-alternatives}


     

       

       
62

       
+

       



     

       

       
63

       
+

       
The [`ankisyncd` NixOS


     

       

       
64

       
+

       
module](https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/misc/ankisyncd.nix)


     

       

       
65

       
+

       
provides similar functionality, but using a third-party implementation,


     

       

       
66

       
+

       
[`anki-sync-server-rs`](https://github.com/ankicommunity/anki-sync-server-rs/).


     

       

       
67

       
+

       
According to that project's README, it is "no longer maintained", and not


     

       

       
68

       
+

       
recommended for Anki 2.1.64+.
+146
nixos/modules/services/misc/anki-sync-server.nix 
···

       

       
1

       
+

       
{


     

       

       
2

       
+

       
  config,


     

       

       
3

       
+

       
  lib,


     

       

       
4

       
+

       
  pkgs,


     

       

       
5

       
+

       
  utils,


     

       

       
6

       
+

       
  ...


     

       

       
7

       
+

       
}:


     

       

       
8

       
+

       
with lib; let


     

       

       
9

       
+

       
  cfg = config.services.anki-sync-server;


     

       

       
10

       
+

       
  name = "anki-sync-server";


     

       

       
11

       
+

       
  specEscape = replaceStrings ["%"] ["%%"];


     

       

       
12

       
+

       
  usersWithIndexes =


     

       

       
13

       
+

       
    lists.imap1 (i: user: {


     

       

       
14

       
+

       
      i = i;


     

       

       
15

       
+

       
      user = user;


     

       

       
16

       
+

       
    })


     

       

       
17

       
+

       
    cfg.users;


     

       

       
18

       
+

       
  usersWithIndexesFile = filter (x: x.user.passwordFile != null) usersWithIndexes;


     

       

       
19

       
+

       
  usersWithIndexesNoFile = filter (x: x.user.passwordFile == null && x.user.password != null) usersWithIndexes;


     

       

       
20

       
+

       
  anki-sync-server-run = pkgs.writeShellScriptBin "anki-sync-server-run" ''


     

       

       
21

       
+

       
    # When services.anki-sync-server.users.passwordFile is set,


     

       

       
22

       
+

       
    # each password file is passed as a systemd credential, which is mounted in


     

       

       
23

       
+

       
    # a file system exposed to the service. Here we read the passwords from


     

       

       
24

       
+

       
    # the credential files to pass them as environment variables to the Anki


     

       

       
25

       
+

       
    # sync server.


     

       

       
26

       
+

       
    ${


     

       

       
27

       
+

       
      concatMapStringsSep


     

       

       
28

       
+

       
      "\n"


     

       

       
29

       
+

       
      (x: ''export SYNC_USER${toString x.i}=${escapeShellArg x.user.username}:"''$(cat "''${CREDENTIALS_DIRECTORY}/"${escapeShellArg x.user.username})"'')


     

       

       
30

       
+

       
      usersWithIndexesFile


     

       

       
31

       
+

       
    }


     

       

       
32

       
+

       
    # For users where services.anki-sync-server.users.password isn't set,


     

       

       
33

       
+

       
    # export passwords in environment variables in plaintext.


     

       

       
34

       
+

       
    ${


     

       

       
35

       
+

       
      concatMapStringsSep


     

       

       
36

       
+

       
      "\n"


     

       

       
37

       
+

       
      (x: ''export SYNC_USER${toString x.i}=${escapeShellArg x.user.username}:${escapeShellArg x.user.password}'')


     

       

       
38

       
+

       
      usersWithIndexesNoFile


     

       

       
39

       
+

       
    }


     

       

       
40

       
+

       
    exec ${cfg.package}/bin/anki-sync-server


     

       

       
41

       
+

       
  '';


     

       

       
42

       
+

       
in {


     

       

       
43

       
+

       
  options.services.anki-sync-server = {


     

       

       
44

       
+

       
    enable = mkEnableOption (lib.mdDoc "anki-sync-server");


     

       

       
45

       
+

       



     

       

       
46

       
+

       
    package = mkOption {


     

       

       
47

       
+

       
      type = types.package;


     

       

       
48

       
+

       
      default = pkgs.anki-sync-server;


     

       

       
49

       
+

       
      defaultText = literalExpression "pkgs.anki-sync-server";


     

       

       
50

       
+

       
      description = lib.mdDoc "The package to use for the anki-sync-server command.";


     

       

       
51

       
+

       
    };


     

       

       
52

       
+

       



     

       

       
53

       
+

       
    address = mkOption {


     

       

       
54

       
+

       
      type = types.str;


     

       

       
55

       
+

       
      default = "::1";


     

       

       
56

       
+

       
      description = lib.mdDoc ''


     

       

       
57

       
+

       
        IP address anki-sync-server listens to.


     

       

       
58

       
+

       
        Note host names are not resolved.


     

       

       
59

       
+

       
      '';


     

       

       
60

       
+

       
    };


     

       

       
61

       
+

       



     

       

       
62

       
+

       
    port = mkOption {


     

       

       
63

       
+

       
      type = types.port;


     

       

       
64

       
+

       
      default = 27701;


     

       

       
65

       
+

       
      description = lib.mdDoc "port anki-sync-server listens to";


     

       

       
66

       
+

       
    };


     

       

       
67

       
+

       



     

       

       
68

       
+

       
    openFirewall = mkOption {


     

       

       
69

       
+

       
      default = false;


     

       

       
70

       
+

       
      type = types.bool;


     

       

       
71

       
+

       
      description = lib.mdDoc "Whether to open the firewall for the specified port.";


     

       

       
72

       
+

       
    };


     

       

       
73

       
+

       



     

       

       
74

       
+

       
    users = mkOption {


     

       

       
75

       
+

       
      type = with types;


     

       

       
76

       
+

       
        listOf (submodule {


     

       

       
77

       
+

       
          options = {


     

       

       
78

       
+

       
            username = mkOption {


     

       

       
79

       
+

       
              type = str;


     

       

       
80

       
+

       
              description = lib.mdDoc "User name accepted by anki-sync-server.";


     

       

       
81

       
+

       
            };


     

       

       
82

       
+

       
            password = mkOption {


     

       

       
83

       
+

       
              type = nullOr str;


     

       

       
84

       
+

       
              default = null;


     

       

       
85

       
+

       
              description = lib.mdDoc ''


     

       

       
86

       
+

       
                Password accepted by anki-sync-server for the associated username.


     

       

       
87

       
+

       
                **WARNING**: This option is **not secure**. This password will


     

       

       
88

       
+

       
                be stored in *plaintext* and will be visible to *all users*.


     

       

       
89

       
+

       
                See {option}`services.anki-sync-server.users.passwordFile` for


     

       

       
90

       
+

       
                a more secure option.


     

       

       
91

       
+

       
              '';


     

       

       
92

       
+

       
            };


     

       

       
93

       
+

       
            passwordFile = mkOption {


     

       

       
94

       
+

       
              type = nullOr path;


     

       

       
95

       
+

       
              default = null;


     

       

       
96

       
+

       
              description = lib.mdDoc ''


     

       

       
97

       
+

       
                File containing the password accepted by anki-sync-server for


     

       

       
98

       
+

       
                the associated username.  Make sure to make readable only by


     

       

       
99

       
+

       
                root.


     

       

       
100

       
+

       
              '';


     

       

       
101

       
+

       
            };


     

       

       
102

       
+

       
          };


     

       

       
103

       
+

       
        });


     

       

       
104

       
+

       
      description = lib.mdDoc "List of user-password pairs to provide to the sync server.";


     

       

       
105

       
+

       
    };


     

       

       
106

       
+

       
  };


     

       

       
107

       
+

       



     

       

       
108

       
+

       
  config = mkIf cfg.enable {


     

       

       
109

       
+

       
    assertions = [


     

       

       
110

       
+

       
      {


     

       

       
111

       
+

       
        assertion = (builtins.length usersWithIndexesFile) + (builtins.length usersWithIndexesNoFile) > 0;


     

       

       
112

       
+

       
        message = "At least one username-password pair must be set.";


     

       

       
113

       
+

       
      }


     

       

       
114

       
+

       
    ];


     

       

       
115

       
+

       
    networking.firewall.allowedTCPPorts = mkIf cfg.openFirewall [cfg.port];


     

       

       
116

       
+

       



     

       

       
117

       
+

       
    systemd.services.anki-sync-server = {


     

       

       
118

       
+

       
      description = "anki-sync-server: Anki sync server built into Anki";


     

       

       
119

       
+

       
      after = ["network.target"];


     

       

       
120

       
+

       
      wantedBy = ["multi-user.target"];


     

       

       
121

       
+

       
      path = [cfg.package];


     

       

       
122

       
+

       
      environment = {


     

       

       
123

       
+

       
        SYNC_BASE = "%S/%N";


     

       

       
124

       
+

       
        SYNC_HOST = specEscape cfg.address;


     

       

       
125

       
+

       
        SYNC_PORT = toString cfg.port;


     

       

       
126

       
+

       
      };


     

       

       
127

       
+

       



     

       

       
128

       
+

       
      serviceConfig = {


     

       

       
129

       
+

       
        Type = "simple";


     

       

       
130

       
+

       
        DynamicUser = true;


     

       

       
131

       
+

       
        StateDirectory = name;


     

       

       
132

       
+

       
        ExecStart = "${anki-sync-server-run}/bin/anki-sync-server-run";


     

       

       
133

       
+

       
        Restart = "always";


     

       

       
134

       
+

       
        LoadCredential =


     

       

       
135

       
+

       
          map


     

       

       
136

       
+

       
          (x: "${specEscape x.user.username}:${specEscape (toString x.user.passwordFile)}")


     

       

       
137

       
+

       
          usersWithIndexesFile;


     

       

       
138

       
+

       
      };


     

       

       
139

       
+

       
    };


     

       

       
140

       
+

       
  };


     

       

       
141

       
+

       



     

       

       
142

       
+

       
  meta = {


     

       

       
143

       
+

       
    maintainers = with maintainers; [telotortium];


     

       

       
144

       
+

       
    doc = ./anki-sync-server.md;


     

       

       
145

       
+

       
  };


     

       

       
146

       
+

       
}