Syncthing is a “continuous file synchronization program” that keeps folders the same across two or more devices. Each local folder is associated with a folder ID that can be shared with other devices (which first have to be paired with each other by device ID). Once a folder is shared with another device’s Syncthing installation, its contents are synced automatically with every device that tracks the same folder.
To make sure that changes are always tracked on at least two devices, it is a good idea to run Syncthing on a dedicated server as well as on your laptop. I decided to set up a FreeBSD jail on a Vultr server to run Syncthing this way.
Prerequisites
- Deploy a regular Vultr cloud compute instance with FreeBSD 14.
- Disable SSH password login and only allow SSH key login with
- [Optional] use the latest binaries retrieved by pkg (the quarterly branch is the default; latest gets the most recent Syncthing and Bastille packages). The repository file is UCL, so the URL must be double-quoted and ${ABI} has to reach the file unexpanded, which the original nested single quotes did not guarantee; a quoted heredoc does:
mkdir -p /usr/local/etc/pkg/repos
cat > /usr/local/etc/pkg/repos/FreeBSD.conf <<'EOF'
FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  enabled: yes
}
EOF
# then refresh the catalogue with pkg update
- [Optional] attach a block storage device to the instance using the steps at [1].
# Create a new 100G volume with a single UFS2 partition.
# Attach the volume in the Vultr UI; it appears as vtbd1 (confirm with geom disk list), then...
gpart create -s GPT vtbd1
# new partition with a GPT label, which also creates /dev/gpt/vultr_block_storage
gpart add -t freebsd-ufs -l vultr_block_storage vtbd1
# initialize the filesystem with soft updates
newfs -U /dev/vtbd1p1
mkdir -p /mnt/blockstorage
mount -t ufs /dev/vtbd1p1 /mnt/blockstorage
# view
gpart show
gpart list vtbd1
# make the mount persistent in /etc/fstab. Use the gptid shown by gpart list
# or the label created above; either survives device renumbering, unlike
# /dev/vtbd1p1. The last two fields are the dump frequency and fsck pass.
# /dev/gptid/UUID-VALUE /mnt/blockstorage ufs rw 2 2
# /dev/gpt/vultr_block_storage /mnt/blockstorage ufs rw 2 2
Create a jail with bastille
A jail is FreeBSD’s container-like abstraction: an operating-system-level isolation mechanism that confines a set of processes to their own filesystem root, network addresses, users and process table while sharing the host kernel (and, in the thin variant used here, the host’s base system files). From the point of view of the processes, they are the only things running on a complete FreeBSD system.
For this application, we will use bastille (a jail manager) to create a “thin jail” for our Syncthing process. A thin jail “shares the base system using OpenZFS snapshots or NullFS mounts from a template” [2]. Sharing the base saves disk space and makes base-system updates a single operation on the template; the process, filesystem and network isolation is the same as for a thick jail, since the shared base is mounted read-only. The next steps come from Bastille’s quick start guide [3].
- Install bastille for jail management (pkg install bastille).
- Use sysrc to start jails automatically at boot: sysrc bastille_enable=YES (this writes to /etc/rc.conf).
- Set up the loopback networking mode: a cloned lo1 interface, renamed bastille0, that the jails attach to (sysrc cloned_interfaces+=lo1; sysrc ifconfig_lo1_name="bastille0"; service netif cloneup).
- Create the pf firewall. Traffic from the jails is NATed out through the external interface (vtnet0 on Vultr; confirm with ifconfig), inbound traffic is blocked by default except SSH, and the rdr/* anchor is where bastille rdr later adds the port redirections for the jail:
/etc/pf.conf
ext_if = "vtnet0"
set block-policy return
scrub in on $ext_if all fragment reassemble
set skip on lo
table <jails> persist
nat on $ext_if from <jails> to any -> ($ext_if:0)
rdr-anchor "rdr/*"
block in all
pass out quick keep state
antispoof for $ext_if inet
pass in inet proto tcp from any to any port ssh flags S/SA keep state
- Start the firewall: check the rule syntax first with pfctl -nf /etc/pf.conf, then sysrc pf_enable=YES and service pf start. An SSH session that is already open has no state entry when pf loads, so it may stall; reconnect if it does, the pass rule for ssh admits the new connection.
- Bootstrap bastille with the release the jail will run (bastille bootstrap 14.2-RELEASE update); it must match the release given to bastille create below.
- Create a jail for syncthing:
bastille create syncthing 14.2-RELEASE 10.1.1.4/24 bastille0
# Redirect sync traffic (22000 TCP and 22000 UDP) and local discovery (21027 UDP)
# from the host to the jail; bastille adds the rules to the rdr/* pf anchor
bastille rdr syncthing tcp 22000 22000
bastille rdr syncthing udp 22000 22000
bastille rdr syncthing udp 21027 21027
bastille pkg syncthing install -y syncthing
bastille sysrc syncthing syncthing_enable=YES
# [Optional] mount the block storage into the jail. Note that syncthing_home is
# Syncthing's configuration directory (config.xml, keys and database), not the
# root of the synced folders: if you set it, config.xml lives in /var/syncthing
# instead of /usr/local/etc/syncthing in the steps below, and the directory must
# be owned by the syncthing user before the first start (do the chown below
# first, via bastille cmd, or restart the service after it).
bastille mount syncthing /mnt/blockstorage /var/syncthing nullfs rw 0 0
bastille sysrc syncthing syncthing_home=/var/syncthing
bastille service syncthing syncthing start
# enter the jail
bastille console syncthing
# inside the jail: the mount was created by root, so hand it to the service account
chown -R syncthing:syncthing /var/syncthing
chmod -R 750 /var/syncthing
# edit config.xml in the Syncthing home directory (/usr/local/etc/syncthing by
# default) and set the default folder path to /var/syncthing (or any folder new
# synced folders should be created in); auto-accepted folders land under this path
# <defaults>
# <folder id="" label="" path="/var/syncthing/">
# ...
# </defaults>
# to modify settings, point the CLI at the same home directory
export STHOMEDIR=/usr/local/etc/syncthing
syncthing cli show system
# print this server's device ID; add it on the laptop
syncthing --device-id
# MY_DEVICE is the laptop's device ID (from its GUI or its own syncthing --device-id)
syncthing cli config devices add --device-id $MY_DEVICE
# auto-accept: every folder the laptop shares is created under the default path
# without confirmation, so only enable it for devices you control
syncthing cli config devices $MY_DEVICE auto-accept-folders set true
# leave the jail
exit
# configure a resource limit; racct must be enabled at boot, so append
# kern.racct.enable=1 to /boot/loader.conf and reboot before this takes effect
bastille limits syncthing memoryuse 1G # or other value
The result is a headless Syncthing server reachable on ports 22000 (TCP and UDP) and 21027 (UDP), with the block storage mounted at /var/syncthing inside the jail (/mnt/blockstorage on the host). The GUI and REST API on port 8384 are not redirected, so they are not reachable from outside; to use the GUI, forward that port over SSH to the jail address.
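A check worth running after the steps above is to audit the resulting config.xml rather than trusting the GUI. The script below is an added example, not part of the original post and not Syncthing's own tooling; it reads the elements Syncthing writes to config.xml (folder, device, gui and defaults) and flags the three things this setup depends on: a GUI/API bound to anything other than loopback (which exposes the API key, and with it full control of the instance, to whatever can route to the jail address), devices with autoAcceptFolders set, and folders or a default folder path outside the expected root. The embedded sample configuration is constructed for the example, and running it inside the jail assumes python3 is installed there.

```python
import posixpath
import sys
import xml.etree.ElementTree as ET
from ipaddress import ip_address

# Constructed sample config.xml (not from a real install), trimmed to the
# elements the audit reads. It deliberately contains one problem of each
# kind so every check below has something to report.
SAMPLE_CONFIG = """<configuration version="37">
    <folder id="docs" label="Docs" path="/var/syncthing/docs" type="sendreceive">
        <device id="AAAAAAA-LAPTOP" introducedBy=""></device>
    </folder>
    <folder id="scratch" label="Scratch" path="/home/syncthing/scratch" type="sendreceive">
        <device id="AAAAAAA-LAPTOP" introducedBy=""></device>
    </folder>
    <device id="AAAAAAA-LAPTOP" name="laptop" introducer="false" autoAcceptFolders="true"></device>
    <device id="BBBBBBB-GUEST" name="guest" introducer="false" autoAcceptFolders="false"></device>
    <gui enabled="true" tls="false" debugging="false">
        <address>0.0.0.0:8384</address>
        <apikey>constructed-api-key</apikey>
    </gui>
    <defaults>
        <folder id="" label="" path="/var/syncthing/" type="sendreceive"></folder>
        <device id="" introducer="false" autoAcceptFolders="false"></device>
    </defaults>
</configuration>
"""


def is_loopback(addr):
    """True if a <gui><address> value binds only to a loopback address.
    Syncthing writes "host:port"; "[v6]:port" and a bare port also occur."""
    host, sep, _port = addr.rpartition(":")
    if not sep:
        return False  # bare port such as "8384": all interfaces
    host = host.strip("[]")
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False  # empty host (":8384") or a hostname: treat as exposed


def under_root(path, root):
    """True if path is root or lies beneath it. A textual check, so ".."
    segments are normalised away before comparing."""
    path = posixpath.normpath(path)
    root = posixpath.normpath(root)
    return path == root or path.startswith(root + "/")


def audit_config(xml_text, folder_root="/var/syncthing"):
    """Return a list of (severity, message) findings for a config.xml."""
    findings = []
    cfg = ET.fromstring(xml_text)

    # 1. GUI / REST API exposure. Without TLS or a GUI user, the API key
    #    travels unprotected to anything that can reach the listening address.
    gui = cfg.find("gui")
    if gui is not None and gui.get("enabled", "true") == "true":
        address = gui.findtext("address", default="")
        if not is_loopback(address):
            findings.append(("high", f"GUI/API listens on {address!r}, not on loopback"))
            if gui.get("tls", "false") != "true":
                findings.append(("medium", "non-loopback GUI/API without TLS"))
            if gui.find("user") is None:
                findings.append(("medium", "non-loopback GUI/API without a GUI user/password"))

    # 2. Auto-accept. Every folder such a device shares is created under the
    #    default path without confirmation; only acceptable for devices you control.
    for dev in cfg.findall("device"):
        if dev.get("autoAcceptFolders") == "true":
            name = dev.get("name") or dev.get("id")
            findings.append(("info", f"device {name!r} has autoAcceptFolders enabled"))

    # 3. Folder paths. Data should stay on the mounted storage, and the default
    #    path decides where auto-accepted folders land.
    default_folder = cfg.find("defaults/folder")
    default_path = default_folder.get("path", "") if default_folder is not None else ""
    if not under_root(default_path, folder_root):
        findings.append(("medium", f"default folder path {default_path!r} is outside {folder_root}"))
    for folder in cfg.findall("folder"):
        path = folder.get("path", "")
        if not under_root(path, folder_root):
            findings.append(("medium", f"folder {folder.get('id')!r} at {path!r} is outside {folder_root}"))
    return findings


def main(argv):
    """Audit the file named on the command line, or the embedded sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_CONFIG
    findings = audit_config(xml_text)
    for severity, message in findings:
        print(f"[{severity}] {message}")
    return 1 if any(severity == "high" for severity, _ in findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Inside the jail, run it against the real file (python3 audit.py /usr/local/etc/syncthing/config.xml, or /var/syncthing/config.xml if syncthing_home was changed); a non-zero exit status means the GUI/API is listening beyond loopback. The path check is purely textual, so a folder path that is a symlink out of /var/syncthing would pass it; the chown/chmod on the mount is what stops the syncthing user from creating such links elsewhere.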
Finally, add log rotation for the Syncthing service, inside the jail, using the steps here [4]. The rc script logs to /var/log/syncthing.log (its syncthing_log_file default), so the file must exist and be owned by the service user.
# This file is referred to in the Syncthing rc script
:> /var/log/syncthing.log
chown syncthing:syncthing /var/log/syncthing.log
# set up log rotation: keep 7 rotated copies, rotate at 100 KB, bzip2-compress
# the rotated file (J) and recreate the log with the given owner and mode (C).
# add the following in /etc/newsyslog.conf.d/syncthing.conf
# /var/log/syncthing.log syncthing:syncthing 640 7 100 * JC
# Test that the entry is picked up: -n is a dry run, so nothing is rotated yet
newsyslog -nv | grep syncthing