
feature request: syncthing: add support for untrusted folders #121286

Open
bbigras opened this issue Apr 30, 2021 · 9 comments · May be fixed by #342138
Labels
0.kind: enhancement Add something new 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS

Comments

@bbigras
Contributor

bbigras commented Apr 30, 2021

syncthing now supports sending a folder encrypted to an untrusted node.

It's hidden in the "untrusted" feature flag for now.

Example of folder:

Note `type="receiveencrypted"` and `<encryptionPassword></encryptionPassword>`.

```xml
<folder id="id" label="Name" path="/var/lib/syncthing/Name" type="receiveencrypted" rescanIntervalS="86400" fsWatcherEnabled="false" fsWatcherDelayS="10" ignorePerms="true" autoNormalize="true">
    <filesystemType>basic</filesystemType>
    <device id="device-id" introducedBy="">
        <encryptionPassword></encryptionPassword>
    </device>
    <minDiskFree unit="%">1</minDiskFree>
    <versioning>
        <cleanupIntervalS>0</cleanupIntervalS>
        <fsPath></fsPath>
        <fsType>basic</fsType>
    </versioning>
    <copiers>0</copiers>
    <pullerMaxPendingKiB>0</pullerMaxPendingKiB>
    <hashers>0</hashers>
    <order>random</order>
    <ignoreDelete>false</ignoreDelete>
    <scanProgressIntervalS>0</scanProgressIntervalS>
    <pullerPauseS>0</pullerPauseS>
    <maxConflicts>10</maxConflicts>
    <disableSparseFiles>false</disableSparseFiles>
    <disableTempIndexes>false</disableTempIndexes>
    <paused>false</paused>
    <weakHashThresholdPct>25</weakHashThresholdPct>
    <markerName>.stfolder</markerName>
    <copyOwnershipFromParent>false</copyOwnershipFromParent>
    <modTimeWindowS>0</modTimeWindowS>
    <maxConcurrentWrites>2</maxConcurrentWrites>
    <disableFsync>false</disableFsync>
    <blockPullOrder>standard</blockPullOrder>
    <copyRangeMethod>standard</copyRangeMethod>
    <caseSensitiveFS>false</caseSensitiveFS>
    <junctionsAsDirs>false</junctionsAsDirs>
</folder>
```
@bbigras bbigras added the 0.kind: bug Something is broken label Apr 30, 2021
@bbigras
Contributor Author

bbigras commented Apr 30, 2021

cc @Joko @peterhoeg @andrew-d

@veprbl veprbl added 0.kind: enhancement Add something new 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS and removed 0.kind: bug Something is broken labels May 1, 2021
@peterhoeg
Member

I don't really have a need for this right now so I'm not going to be spending time implementing it at this point but it would be great to have.

@zarelit
Member

zarelit commented Oct 21, 2022

I'm working on this. The configuration of a folder on the untrusted node is already feasible with `folders.<folder>.type = "receiveencrypted";`.

On the trusted side we need to add an option to set a password for each untrusted device of each untrusted folder. I propose to add an option `folders.<folder>.encryptionPasswordFiles` so that a folder will look like this:

```nix
services.syncthing.folders.foo = {
  path = "/path/to/folder";
  devices = [ "laptop" "server" ];
  encryptionPasswordFiles = {
    server = "/path/to/passwordFile";
  };
};
```

This mimics the Syncthing UI, where an untrusted device is just a device with an additional password.

What do you think?

@senorsmile
Contributor

@zarelit I was about to figure out how to implement this myself but glad I searched and found this. Have you made progress or do you have an open fork that I could contribute to?

@zarelit
Member

zarelit commented Dec 1, 2022

@senorsmile Unluckily, I had to stop.
I'm working here: https://github.com/zarelit/nixpkgs/tree/syncthing_untrusted_nodes
At present I only managed to move the tests into their own directory and create a test that actually uses the declarative features of the module.

The current implementation directly translates the attrset into a POSTable config, so we actually need to add a step where we add the password to the JSON.
My idea was to use `jq` a second time and replace placeholder passwords with `jq` variables. `jq` is able to read the files with the passwords using `--rawfile`.

@k3a
Contributor

k3a commented Dec 23, 2022

Shouldn't it be enough to just add a password option directly? Passwords in NixOS config can already be protected by using one of the secret management schemes. This way the password obstruction/storage would be done on another layer and the config can be kept password-management-agnostic.

@zarelit
Member

zarelit commented Dec 25, 2022

@k3a I'm a sops-nix user myself; the PR #205653 already exposes `encryptionPasswordFiles`, which can be used in combination with agenix or sops-nix or NixOps keys management.
As far as I know there isn't an interface that would allow us to reference a secret using the same syntax for all the tools above.

An example with sops-nix would be something like this:

```nix
services.syncthing.folders = {
  myFolder = {
    path = "/var/lib/syncthing/bar";
    devices = [ "cloudserver" ];
    encryptionPasswordFiles = {
      cloudserver = config.sops.secrets.mypassword.path;
    };
  };
};
```
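Putting the two halves of this thread together (the `receiveencrypted` folder on the untrusted node from the first comments, and the proposed `encryptionPasswordFiles` option with a sops-nix secret from the comment above), here is an added example of a complete two-host setup. It is not code from the issue, the linked PRs, or nixpkgs: `encryptionPasswordFiles` is the option proposed in PR #205653/#342138 and is assumed here, not a merged nixpkgs option; device IDs, paths and the secret name are placeholders; the option paths follow the ones used in this thread (newer nixpkgs nests `devices` and `folders` under `services.syncthing.settings`). The attrset is shaped like the `nodes` of a NixOS test, one module per host.

```nix
# Added example, not code from the issue, the PRs, or nixpkgs.
# `encryptionPasswordFiles` is the option proposed in this thread (assumed, not merged).
# Device IDs, paths and the secret name are placeholders.
{
  # Trusted host: holds the plaintext and sends the folder encrypted to "server".
  laptop = { config, ... }: {
    # The password lives in a file that sops-nix decrypts at activation time,
    # outside the Nix store. A literal password in the Nix config would be copied
    # into /nix/store, which is world-readable, so only the *path* goes into the
    # Syncthing config (this is the point of a *Files option rather than a
    # plain `password` option).
    sops.secrets."syncthing/notes-server-password" = {
      # Both the daemon and the syncthing-init script that POSTs the config to
      # the REST API run as the Syncthing service user, so that user must be
      # able to read the file; root-only (the sops-nix default owner) is not
      # enough.
      owner = config.services.syncthing.user;
      mode = "0400";
    };

    services.syncthing = {
      enable = true;
      devices.server.id = "SERVER-DEVICE-ID-PLACEHOLDER";
      # Folder id defaults to the attribute name ("notes") and must match on
      # both hosts.
      folders.notes = {
        path = "/home/alice/notes";
        devices = [ "server" ];
        # Proposed option: per-device password file for this folder. Only
        # "server" gets a password, so only "server" receives ciphertext.
        encryptionPasswordFiles.server =
          config.sops.secrets."syncthing/notes-server-password".path;
      };
    };
  };

  # Untrusted host: stores ciphertext only. No password is configured here, so
  # a compromise of this host yields the encrypted blobs but not the plaintext.
  # This side already works with the current module.
  server = { ... }: {
    services.syncthing = {
      enable = true;
      devices.laptop.id = "LAPTOP-DEVICE-ID-PLACEHOLDER";
      folders.notes = {
        path = "/var/lib/syncthing/notes";
        devices = [ "laptop" ];
        type = "receiveencrypted";
      };
    };
  };
}
```

Two checks worth doing after activation: confirm that `grep -r` for the password over `/nix/store` finds nothing (only the secret path should appear in the generated config), and confirm the file mode and owner on the secret, since a password file the Syncthing user cannot read fails silently at the config-POST step rather than at `nixos-rebuild`. Syncthing also requires that every trusted device sharing the folder with the untrusted device use the same password, so if a second trusted host is added it must point at a secret with identical contents.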

@Tom-T

Tom-T commented Mar 8, 2024

@zarelit Is that what you are using? I'm trying something similar, but it isn't working. I'm not quite sure what to do. I've tried with and without the path, no joy.

For sops:

```nix
sops.secrets.baks = {
  owner = "tom";
};
```

@h33p

h33p commented Sep 15, 2024

Made a draft PR #342138 that's up-to-date. Works already, but more work is needed.

Not sure how applicable it is to change the type of `devices`, but the current way, where it's a list of strings, is relatively clunky and differs from Syncthing's structure. But that can be changed.

@h33p h33p linked a pull request Sep 30, 2024 that will close this issue