Syncthing: Difference between revisions

From NixOS Wiki
Wrycode: →Declarative node IDs: add instructions to generate key.pem and cert.pem
Wrycode (minor edit): Add note about forwarding web GUI with SSH
Revision as of 15:53, 23 April 2024

Syncthing is a decentralized file sync service. You can use it to safely sync all files in a folder between different desktops and servers. On other Linux distributions you configure it through the web GUI; on NixOS you can configure it fully in Nix.

Install

Syncthing is available as a standalone package: nix-env -iA nixos.syncthing

It can also be enabled as a service. Example:

services = {
    syncthing = {
        enable = true;
        user = "myusername";
        dataDir = "/home/myusername/Documents";    # Default folder for new synced folders
        configDir = "/home/myusername/Documents/.config/syncthing";   # Folder for Syncthing's settings and keys
    };
};

You can confirm Syncthing runs by visiting http://127.0.0.1:8384/ and following the official Getting Started guide: https://docs.syncthing.net/intro/getting-started.html

Declarative configuration

Note: using a declarative configuration will overwrite files in configDir.

You can declaratively set your Syncthing folders by using the services.syncthing.devices and services.syncthing.folders options:

(Note: Before NixOS 21.11, declarative configuration was done in the services.syncthing.declarative option, such as services.syncthing.declarative.folders = {};)

services = {
  syncthing = {
    enable = true;
    user = "myusername";
    dataDir = "/home/myusername/Documents";
    configDir = "/home/myusername/Documents/.config/syncthing";
    overrideDevices = true;     # overrides any devices added or deleted through the WebUI
    overrideFolders = true;     # overrides any folders added or deleted through the WebUI
    settings = {
      devices = {
        "device1" = { id = "DEVICE-ID-GOES-HERE"; };
        "device2" = { id = "DEVICE-ID-GOES-HERE"; };
      };
      folders = {
        "Documents" = {         # Name of folder in Syncthing, also the folder ID
          path = "/home/myusername/Documents";    # Which folder to add to Syncthing
          devices = [ "device1" "device2" ];      # Which devices to share the folder with
        };
        "Example" = {
          path = "/home/myusername/Example";
          devices = [ "device1" ];
          ignorePerms = false;  # By default, Syncthing doesn't sync file permissions. This line enables it for this folder.
        };
      };
    };
  };
};

If running a headless server, you should also change guiAddress to a publicly visible one (or just 0.0.0.0:8384, for example).

You will also probably have to open a few ports in the firewall:

# Syncthing ports: 8384 for remote access to GUI
# 22000 TCP and/or UDP for sync traffic
# 21027/UDP for discovery
# source: https://docs.syncthing.net/users/firewall.html
networking.firewall.allowedTCPPorts = [ 8384 22000 ];
networking.firewall.allowedUDPPorts = [ 22000 21027 ];

It is also a good idea to protect the web GUI with a username and password combination. Keep in mind that anything placed in services.syncthing.settings ends up in the world-readable Nix store, so a password written here is readable by every local user of the machine:

services.syncthing.settings.gui = {
    user = "username";
    password = "password";
};

Alternatively, you can leave the GUI inaccessible from the web and forward it using SSH:

$ ssh -L 9998:localhost:8384 user@syncthing-host

Then open up 127.0.0.1:9998 to administer the node.

Declarative node IDs

If you set up Syncthing with the above configuration, you will still need to manually accept the connection from your other devices. If you want to make this automatic, you must also set the key and cert options, pointing them at a key.pem and cert.pem of your own:

services = {
  syncthing = {
    key = "/path/to/key.pem";
    cert = "/path/to/cert.pem";
    ...
  };
};

This will ensure your node has a stable ID.

You can optionally include the key.pem and cert.pem files in the NixOS configuration using a tool like sops-nix. See Comparison of secret managing schemes.

To generate a new cert.pem and key.pem for a deployment, you can use the -generate argument:

$ nix-shell -p syncthing --run "syncthing -generate=myconfig"
2024/04/23 11:41:17 INFO: Generating ECDSA key and certificate for syncthing...
2024/04/23 11:41:17 INFO: Device ID: DMWVMM6-MKEQVB4-I4UZTRH-5A6E24O-XHQTL3K-AAI5R5L-MXNMUGX-QTGRHQ2
2024/04/23 11:41:17 INFO: Default folder created and/or linked to new config
$ ls myconfig/
cert.pem  config.xml  key.pem
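The device ID is derived from cert.pem, which is why pinning the key and certificate gives a stable ID. As an added check (not part of the wiki page or of Syncthing's own code), this Python script recomputes the ID the way Syncthing does (SHA-256 of the DER certificate, base32, Syncthing's Luhn mod-32 check characters, dashed groups of seven) so you can confirm the cert you are about to deploy matches the ID you declared in settings.devices on the other nodes, and it validates pasted IDs for typos. The cert path, the declared-ID argument and the sample bytes are assumptions.

```python
import base64
import hashlib
import re
import sys

# Syncthing's base32 alphabet (RFC 4648), used for the ID body and the check characters
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"

# Constructed sample input (not a real certificate) so the script can be exercised offline
SAMPLE_DER = b"constructed sample bytes, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode() + "\n-----END CERTIFICATE-----\n")

def luhn_check_char(group: str) -> str:
    """Syncthing's Luhn mod-32 variant: weights run left to right starting at 1."""
    factor, total = 1, 0
    for ch in group:
        addend = factor * ALPHABET.index(ch)
        factor = 1 if factor == 2 else 2
        total += addend // 32 + addend % 32
    return ALPHABET[(32 - total % 32) % 32]

def device_id_from_der(der_cert: bytes) -> str:
    """SHA-256 of the DER cert -> base32 (52 chars) -> check char per 13 -> 8 groups of 7."""
    raw = base64.b32encode(hashlib.sha256(der_cert).digest()).decode().rstrip("=")
    with_checks = "".join(raw[i:i + 13] + luhn_check_char(raw[i:i + 13])
                          for i in range(0, 52, 13))
    return "-".join(with_checks[i:i + 7] for i in range(0, 56, 7))

def device_id_from_pem(pem_text: str) -> str:
    """Take the first CERTIFICATE block out of cert.pem and derive its device ID."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return device_id_from_der(base64.b64decode("".join(m.group(1).split())))

def validate_device_id(device_id: str) -> bool:
    """Shape plus check characters; catches typos in IDs pasted into settings.devices."""
    s = device_id.replace("-", "").upper()
    if len(s) != 56 or any(c not in ALPHABET for c in s):
        return False
    return all(luhn_check_char(s[i:i + 13]) == s[i + 13] for i in range(0, 56, 14))

if __name__ == "__main__":
    # usage: python3 check_id.py path/to/cert.pem [DECLARED-DEVICE-ID]
    actual = device_id_from_pem(open(sys.argv[1]).read())
    declared = sys.argv[2].upper() if len(sys.argv) > 2 else actual
    print(actual, "OK" if actual == declared and validate_device_id(declared) else "MISMATCH")
```

Run it against myconfig/cert.pem and the ID printed by syncthing -generate above; the two must agree before you copy that ID into another node's settings.devices.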

Disable default sync folder

Syncthing creates a ‘Sync’ folder in your home directory every time it regenerates a configuration (even if your declarative configuration does not have this folder). You can disable that by setting the STNODEFAULTFOLDER environment variable:

systemd.services.syncthing.environment.STNODEFAULTFOLDER = "true"; # Don't create default ~/Sync folder

Home-manager service

https://github.com/nix-community/home-manager/blob/master/modules/services/syncthing.nix