So, we’ve been hitting the 1TB bandwidth limit in our household. The majority of our use is video streaming. However, while keeping tabs on our usage, I did identify some room for improvement in the use of OneDrive for file synchronization.
They way things work right now is that I upload all my photos (mostly from my camera) to OneDrive. OneDrive is great for this purpose. The app will even notify me when it finds pictures in new folders and asks whether I want to upload those photos, too.
However, because I don’t want to solely rely my OneDrive account—that is, I am preparing for the scenario where someone hacks my account and deletes all my photos—I do want a local copy as well. I do this local download with rclone and pull all the OneDrive folders back to my NAS server.
Things get worse when I then run ON1 Raw for photo editing and it starts downloading every picture I have ever taken on OneDrive to index them. Since I recently ran ON1 when we were at 880 GB (out of 1024 GB) of usage, I shut this down.
For this purpose (having direct access to all my pictures), I wanted to go back to the days where my Android phone would just directly connect to the NAS. That is, I will continue to upload to OneDrive and download a backup copy. But, additionally, I want a direct copy (from my Android phones) to my NAS.
I have an app called Sync.Me that works great for this synchronization. The problem is that it does no encryption (uses Samba directly) and I don’t want plaintext Samba exposed to my Android devices.
So, that is where SyncThing comes in. Syncthing is pretty secure, providing encryption in transit. In addition, devices are authenticated by a device ID (UUID).
However, I want to set up such a service for each person in the house. So I need 5 syncthing services running. I decided to make an iocage template jail and stamp out 5 running jails for this purpose.
Overall Procedure
I followed @vermaden’s instructions with a few changes:
- Vermaden notes that syncthing is not possible in a jail. For me, this worked, but I had to use a VIMAGE/VNET jail.
- I made fewer edits to /etc/rc.conf. I only enabled the syncthing service in /etc/rc.conf. iocage already disabled sendmail. I did not change anything else.
- In addition to the syncthing package, I installed ca_root_nss package. Synchthing was having a hard time with https relay servers without this package. Which makes sense, since ca_root_nss includes the root Certificate Authority (CA) certificates to validate https connections.
- I followed all of vermaden’s advice on creating /var/log/syncthing.log, including newsyslog and permissions.
- I did not create a default /syncthing/ directory, since each user will need only a Photos directory that I would mount and define separately.
- I installed the vim-tiny package in the template jail.
Since I was going to be doing this multiple times, I created a template jail called syncthing-template. I also created a script to stamp out jails for each user’s syncthing service:
create_st_jail.sh
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 |
!/bin/sh jnum="$1" uname="$2" jname="syncthing-$2" bip=30 # base IP address; IP numbers are assigned sequentially starting with this one jip=<code>expr "$bip" + "$jnum" pubnet="192.168.3" prinet="192.168.1" iocage create -t syncthing-template -n "$jname" iocage set defaultrouter="${pubnet}.1" "$jname" iocage set ip4_addr="vnet0|${prinet}.${jip},vnet1|${pubnet}.${jip}/24" "$jname" iocage set interfaces="vnet0:bridge0,vnet1:bridge2" "$jname" iocage set resolver="search local.net;nameserver ${pubnet}.1" "$jname" iocage set vnet=on "$jname" . /root/scripts/mod_st_jail.sh |
The main thing this script does is set up networking. It does so by defining to VNET interfaces: vnet0 & vnet1. The first (vnet0) is a private trusted network (designated by the IP prefix 192.168.1. and parameterized in the variable prinet). The second (vnet1) is a public untrusted network (designated by 192.168.3. and parameterized in the variable pubnet). This second network is where my WiFi devices live.
The idea here is that since we are running syncthing in a jail, it’s going to be more bloated and more difficult to log in to the admin page. We would need to either forward ports on the jail’s localhost interface or run a web browser within the jail. I don’t even understand (yet) how localhost works in a FreeBSD jail, and definitely didn’t want to install a web browser (and therefore X Windows GUI) in each jail.
This convenience (at some cost of security) was worth it to me. However, I can see others installing X Windows and Firefox in the jail to adminster it. This alternative is especially enticing if you don’t have your networks segmented the way I do.
mod_st_jails.sh
The last line of the above script calls mod-st_jail.sh. This script
- Runs the jail and therefore the syncthing daemon once to create a config.xml, certificates, etc.
- Stops syncthing & the jail
- Sets up fstab entries using nullfs to point to the zfs file systems that store the actual data
- Edits the config.xml file to use the private IP address for GUI (administration) & turns on TLS for the GUI
Here it is:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
#!/bin/sh jroot="/tank/iocage/jails/${jname}/root" conf_file="${jroot}/usr/local/etc/syncthing/config.xml" iocage start "$jname" iocage list sleep 20 # wait for first-time start of syncthing service (and jail) iocage exec "$jname" service syncthing stop iocage stop "$jname" iocage list mkdir -p "${jroot}/Sync/Pictures" mkdir -p "${jroot}/Sync/Videos" iocage fstab "$jname" -a "/tank/Users/${uname}/Pictures" "/Sync/Pictures" "nullfs" "rw,noatime" 0 0 iocage fstab "$jname" -a "/tank/Users/${uname}/Videos" "/Sync/Videos" "nullfs" "rw,noatime" 0 0 mv $conf_file $conf_file.bak sed -e "s/127.0.0.1/${prinet}.${jip}/g" -e 's/tls="false"/tls="true"/g' "${conf_file}.bak" > "$conf_file" iocage start "$jname" |
Users & Permissions
The syncthing FreeBSD package creates a user named syncthing within the jail. However, this user does not exist in the host system. To make things look nice, I created this user with the same userid as the jail user:
|
1 2 3 |
[root@server scripts]<strong>pw user add -n syncthing -u 983 -s /usr/sbin/nologin -c "Compatability with SyncThing Jails"</strong> [root@server scripts]<strong>pw user show syncthing </strong>syncthing:*:983:983::0:0:Compatability with SyncThing Jails:/home/syncthing:/usr/sbin/nologin |
You see that I ran these commands in the host system (called server).
You’ll see that I used user ID 983 for this syncthing user. This was the user ID within the jail template, so all subsequent jails will have this user ID. I would expect that he syncthing package always chooses this user ID.
Next, I gave syncthing exactly the same access as the owner to the libraries I wanted to share/synchronize. In the host system (not in the jail), for example in the directory to sync my LG G8 phone:
|
1 2 3 4 5 6 7 8 9 |
[root@server LG G8 ThinQ]$<strong>setfacl -m <code>user:syncthing:rwxp--aARWcCos:fd-----:allow</code> .</strong> [root@server LG G8 ThinQ]$<strong>getfacl .</strong> file: . owner: <redacted> group: <redacted> user:syncthing:rwxp--aARWcCos:fd-----:allow owner@:rwxp--aARWcCos:-------:allow group@:r-x---a-R-c--s:-------:allow everyone@:r-x---a-R-c--s:-------:allow |
If you don’t do this permission-granting step, syncthing will complain that it cannot create the .stfolder hidden directory.
The nice thing about the above is that permissions can be assigned on a case-by-case basis to different folders or files in the target directory. And all of this permission management is outside the jail.
