Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

nixos/syncthing: define and handle encryptionPassword option #383442

Open
wants to merge 6 commits into
base: master
Choose a base branch
from
+245 −10
Open

nixos/syncthing: define and handle encryptionPassword option #383442

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
aa96843
syncthing: handle encryptionPassword secret
h33p Sep 15, 2024
142824e
syncthing: expose encryptionPassword
h33p Sep 15, 2024
ac81692
nixosTests.syncthing: define test for declarative folders
h33p Sep 19, 2024
295aefe
nixosTests.syncthing: create encrypted device test
h33p Sep 19, 2024
181420e
doc: 24.11: release note for syncthing changes
h33p Sep 30, 2024
5c19dbd
Demonstration of an alternate way to embed secrets into syncthing config
jfly Jan 13, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
119 changes: 109 additions & 10 deletions nixos/modules/services/networking/syncthing.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,12 +34,17 @@ let
The options services.syncthing.settings.folders.<name>.{rescanInterval,watch,watchDelay}
were removed. Please use, respectively, {rescanIntervalS,fsWatcherEnabled,fsWatcherDelayS} instead.
'' {
devices = map (device:
if builtins.isString device then
{ deviceId = cfg.settings.devices.${device}.id; }
else
device
) folder.devices;
devices = let
folderDevices = folder.devices;
in
map (device:
if builtins.isString device then
{ deviceId = cfg.settings.devices.${device}.id; }
else if builtins.isAttrs device then
{ deviceId = cfg.settings.devices.${device.name}.id; } // device
else
throw "Invalid type for devices in folder '${folderName}'; expected list or attrset."
) folderDevices;
}) (filterAttrs (_: folder:
folder.enable
) cfg.settings.folders);
Expand Down Expand Up @@ -103,9 +108,71 @@ let
# don't exist in the array given. That's why we use here `POST`, and
# only if s.override == true then we DELETE the relevant folders
# afterwards.
(map (new_cfg: ''
curl -d ${lib.escapeShellArg (builtins.toJSON new_cfg)} -X POST ${s.baseAddress}
''))
(map (new_cfg:
let
jsonPreSecretsFile = pkgs.writeTextFile {
name = "${conf_type}-${new_cfg.id}-conf-pre-secrets.json";
text = builtins.toJSON new_cfg;
};
injectSecrtsJqCmd = {
# There are no secrets in `devs`, so no massaging needed.
"devs" = "${jq} .";
"dirs" = let
folder = new_cfg;
devicesWithSecrets = lib.pipe folder.devices [
(lib.filter (device: (builtins.isAttrs device) && device ? encryptionPasswordFile))
(map (device: {
deviceId = device.deviceId;
variableName = "secret_${builtins.hashString "sha256" device.encryptionPasswordFile}";
secretPath = device.encryptionPasswordFile;
}))
];
# At this point, `jsonPreSecretsFile` looks something like this:
#
# {
# ...,
# "devices": [
# {
# "deviceId": "id1",
# "encryptionPasswordFile": "/etc/bar-encryption-password",
# "name": "..."
# }
# ],
# }
#
# We now generate a `jq` command that can replace those
# `encryptionPasswordFile`s with `encryptionPassword`.
# The `jq` command ends up looking like this:
#
# jq --rawfile secret_DEADBEEF /etc/bar-encryption-password '
# .devices[] |= (
# if .deviceId == "id1" then
# del(.encryptionPasswordFile) |
# .encryptionPassword = $secret_DEADBEEF
# else
# .
# end
# )
# '
jqUpdates = map (device: ''
.devices[] |= (
if .deviceId == "${device.deviceId}" then
del(.encryptionPasswordFile) |
.encryptionPassword = ''$${device.variableName}
else
.
end
)
'') devicesWithSecrets;
jqRawFiles = map (device: "--rawfile ${device.variableName} ${lib.escapeShellArg device.secretPath}") devicesWithSecrets;
in
"${jq} ${lib.concatStringsSep " " jqRawFiles} ${lib.escapeShellArg (lib.concatStringsSep "|" (["."] ++ jqUpdates))}";
}.${conf_type};
in
''
${injectSecrtsJqCmd} ${jsonPreSecretsFile} | curl --json @- -X POST ${s.baseAddress}
''
))
(lib.concatStringsSep "\n")
]
/* If we need to override devices/folders, we iterate all currently configured
Expand Down Expand Up @@ -378,11 +445,43 @@ in {
};

devices = mkOption {
type = types.listOf types.str;
type = types.listOf (
types.oneOf [
types.str
(types.submodule ({ ... }: {
freeformType = settingsFormat.type;
options = {
name = mkOption {
type = types.str;
default = null;
description = ''
The name of a device defined in the
[devices](#opt-services.syncthing.settings.devices)
option.
'';
};
encryptionPasswordFile = mkOption {
type = types.nullOr (types.pathWith {
inStore = false;
absolute = true;
});
default = null;
description = ''
Path to encryption password. If set, the file will be read during
service activation, without being embedded in derivation.
'';
};
};
}))
]
);
default = [];
description = ''
The devices this folder should be shared with. Each device must
be defined in the [devices](#opt-services.syncthing.settings.devices) option.

A list of either strings or attribute sets, where values
are device names or device configurations.
'';
};

Expand Down
1 change: 1 addition & 0 deletions nixos/tests/all-tests.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1025,6 +1025,7 @@ in {
syncthing-no-settings = handleTest ./syncthing-no-settings.nix {};
syncthing-init = handleTest ./syncthing-init.nix {};
syncthing-many-devices = handleTest ./syncthing-many-devices.nix {};
syncthing-folders = runTest ./syncthing-folders.nix;
syncthing-relay = handleTest ./syncthing-relay.nix {};
sysinit-reactivation = runTest ./sysinit-reactivation.nix;
systemd = handleTest ./systemd.nix {};
Expand Down
135 changes: 135 additions & 0 deletions nixos/tests/syncthing-folders.nix
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,135 @@
{ lib, pkgs, ... }:
let
genNodeId =
name:
pkgs.runCommand "syncthing-test-certs-${name}" { } ''
mkdir -p $out
${pkgs.syncthing}/bin/syncthing generate --config=$out
${pkgs.libxml2}/bin/xmllint --xpath 'string(configuration/device/@id)' $out/config.xml > $out/id
'';
idA = genNodeId "a";
idB = genNodeId "b";
idC = genNodeId "c";
testPassword = "it's a secret";
in
{
name = "syncthing";
meta.maintainers = with pkgs.lib.maintainers; [ zarelit ];

nodes = {
a =
{ config, ... }:
{
environment.etc.bar-encryption-password.text = testPassword;
services.syncthing = {
enable = true;
openDefaultPorts = true;
cert = "${idA}/cert.pem";
key = "${idA}/key.pem";
settings = {
devices.b.id = lib.fileContents "${idB}/id";
devices.c.id = lib.fileContents "${idC}/id";
folders.foo = {
path = "/var/lib/syncthing/foo";
devices = [ "b" ];
};
folders.bar = {
path = "/var/lib/syncthing/bar";
devices = [
{
name = "c";
encryptionPasswordFile = "/etc/${config.environment.etc.bar-encryption-password.target}";
}
];
};
};
};
};
b =
{ config, ... }:
{
environment.etc.bar-encryption-password.text = testPassword;
services.syncthing = {
enable = true;
openDefaultPorts = true;
cert = "${idB}/cert.pem";
key = "${idB}/key.pem";
settings = {
devices.a.id = lib.fileContents "${idA}/id";
devices.c.id = lib.fileContents "${idC}/id";
folders.foo = {
path = "/var/lib/syncthing/foo";
devices = [ "a" ];
};
folders.bar = {
path = "/var/lib/syncthing/bar";
devices = [
{
name = "c";
encryptionPasswordFile = "/etc/${config.environment.etc.bar-encryption-password.target}";
}
];
};
};
};
};
c = {
services.syncthing = {
enable = true;
openDefaultPorts = true;
cert = "${idC}/cert.pem";
key = "${idC}/key.pem";
settings = {
devices.a.id = lib.fileContents "${idA}/id";
devices.b.id = lib.fileContents "${idB}/id";
folders.bar = {
path = "/var/lib/syncthing/bar";
devices = [
"a"
"b"
];
type = "receiveencrypted";
};
};
};
};
};

testScript = ''
start_all()

a.wait_for_unit("syncthing.service")
b.wait_for_unit("syncthing.service")
c.wait_for_unit("syncthing.service")
a.wait_for_open_port(22000)
b.wait_for_open_port(22000)
c.wait_for_open_port(22000)

# Test foo

a.wait_for_file("/var/lib/syncthing/foo")
b.wait_for_file("/var/lib/syncthing/foo")

a.succeed("echo a2b > /var/lib/syncthing/foo/a2b")
b.succeed("echo b2a > /var/lib/syncthing/foo/b2a")

a.wait_for_file("/var/lib/syncthing/foo/b2a")
b.wait_for_file("/var/lib/syncthing/foo/a2b")

# Test bar

a.wait_for_file("/var/lib/syncthing/bar")
b.wait_for_file("/var/lib/syncthing/bar")
c.wait_for_file("/var/lib/syncthing/bar")

a.succeed("echo plaincontent > /var/lib/syncthing/bar/plainname")

# B should be able to decrypt, check that content of file matches
b.wait_for_file("/var/lib/syncthing/bar/plainname")
file_contents = b.succeed("cat /var/lib/syncthing/bar/plainname")
assert "plaincontent\n" == file_contents, f"Unexpected file contents: {file_contents=}"

# Bar on C is untrusted, check that content is not in cleartext
c.fail("grep -R plaincontent /var/lib/syncthing/bar")
'';
}