use tmpfiles for file permission

nixos/components/network/syncthing.nix

@@ -4,28 +4,30 @@ with lib; {
   networking.firewall.interfaces."gummybears".allowedTCPPorts = [ 8384 ];
 
   clanCore.facts.services.syncthing = factsGenerator.syncthing { };
-  tmpfiles.settings.syncthing.d = {
+
-    "/run/facts/syncthing" = {
+  # todo : use tmpfiles.rules
-      type = "d";
+  systemd.tmpfiles.settings.syncthing = {
-      user = config.services.syncthing.user;
+    "/run/facts/syncthing.key".C = {
-      group = config.services.syncthing.group;
-      mode = "400";
-    };
-    "/run/facts/syncthing.key" = {
       type = "C";
       user = config.services.syncthing.user;
       group = config.services.syncthing.group;
       mode = "400";
       argument = config.clanCore.facts.services.syncthing.secret."syncthing.key".path;
     };
+    "/run/facts/syncthing.cert".C = {
+      type = "C";
+      user = config.services.syncthing.user;
+      group = config.services.syncthing.group;
+      mode = "400";
+      argument = config.clanCore.facts.services.syncthing.secret."syncthing.cert".path;
+    };
   };
 
   services.syncthing = {
     guiAddress = lib.mkDefault "${config.networking.hostName}.${ config.clan.static-hosts.topLevelDomain }:8384";
     overrideDevices = lib.mkDefault true;
-    key = config.clanCore.facts.services.syncthing.secret."syncthing.key".path;
+    key = "/run/facts/syncthing.key";
-    cert = config.clanCore.facts.services.syncthing.secret."syncthing.cert".path;
+    cert = "/run/facts/syncthing.cert";
-
     settings.devices =
       let
         machineDir = "${config.clanCore.clanDir}/machines";