syncthing
Syncthing is designed with a “Zero-Trust” philosophy.
The Device ID is just a key: Device ID lets you knock on the door, but it doesn’t let you in.
The Handshake is the Lock: Syncthing requires a human on both sides to say “Yes, I know this person and I want their files to land in this specific folder.”
Integration with OCI
Here are the steps carried out for the integration of syncthing running on Alpine Linux with OCI.
Installation & Optimization
The following steps ensured Syncthing was stable on the 1GB RAM AMD oci instance.
Installed syncthing from official package repositories. Limited the syncthing memory usage to prevent the OCI instance from crashing.
admin@alpine-x86 ~ > cat /etc/conf.d/syncthing
# Use the names the init script is looking for
SYNCTHING_USER="syncthing:lighttpd"
SYNCTHING_ARGS="--no-browser --no-restart --home=/var/lib/syncthing"
# Memory Optimization
export GOMEMLIMIT=150MiB
export GOGC=20
# Fix file ownership
umask 002
Added the syncthing user to the lighttpd group so it could legally touch WebDAV files.
doas addgroup syncthing lighttpd
The following changes were made on the homepc2:
admin@homepc2 ~> cat /etc/conf.d/syncthing
SYNCTHING_USER="syncthing"
SYNCTHING_ARGS="--no-browser --no-restart"
# Enable the below only when debugging
# export STTRACE="watchaggregator"
# The below may create a flood of entries.
# export STTRACE="watchaggregator,scanner,fs"
# Overwrites the logger command
output_log="/var/log/syncthing-debug.log"
error_log="/var/log/syncthing-debug.log"
The necessary debug file was created and permissions granted:
doas touch /var/log/syncthing-debug.log
doas chown admin:admin /var/log/syncthing-debug.log
Connectivity & Handshake
Establishing the “trust” between your HomePC and the Cloud.
Most of these were done on the homepc2
- Copied Device ID from the GUI.
- Created an encrypted tunnel to access the OCI Syncthing GUI locally by the following command.
ssh -L 9999:127.0.0.1:8384 admin@oci
- The previous ssh tunneling step required the below step on the oci instance. Permitted the tunnel to pass through the SSH daemon.
admin@alpine-x86 ~> grep AllowTcpForwarding /etc/ssh/sshd_config
AllowTcpForwarding yes
# AllowTcpForwarding no
- Accepted the Device ID from HomePC2 and accepted the Folder Share, all through the OCI syncthing GUI tunneled on homepc2 itself on the URL http://127.0.0.1:9999/
- Once the GUI configuration is finished, the management tunnel can be closed by changing AllowTcpForwarding back to no in sshd_config.
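To confirm that last step took effect, the check below reads sshd_config more strictly than the grep above: it skips commented lines and reports the first active global AllowTcpForwarding value. This is an added example, not part of the original notes; the function names and the sample file are constructed, and it assumes whitespace-separated keywords, no Include files, and sshd's default of yes when the keyword is absent.

```shell
#!/bin/sh
# Added example: function names and the sample config are constructed.

# Print the effective global AllowTcpForwarding value from an sshd_config file.
# sshd uses the first value it reads for a keyword, commented lines do not
# count, and settings after a "Match" line are conditional, so parsing stops
# there. When the keyword is absent, sshd's default ("yes") is printed.
effective_forwarding() {
    awk '
        { sub(/^[ \t]+/, "") }                 # drop leading indentation
        /^#/ || /^$/ { next }                  # skip comments and blank lines
        tolower($1) == "match" { exit }        # global section ends here
        tolower($1) == "allowtcpforwarding" {
            print tolower($2); found = 1; exit
        }
        END { if (!found) print "yes" }
    ' "$1"
}

# Succeed only when port forwarding is globally switched off.
forwarding_closed() {
    [ "$(effective_forwarding "$1")" = "no" ]
}

# Constructed sample mirroring the grep output shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
AllowTcpForwarding yes
# AllowTcpForwarding no
EOF
if forwarding_closed "$sample"; then
    echo "forwarding closed"
else
    echo "forwarding still open: $(effective_forwarding "$sample")"
fi
rm -f "$sample"
```

On the OCI instance, point it at /etc/ssh/sshd_config after editing the file and restarting sshd; sshd -T remains the authoritative view because it also resolves Include files.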
Silent tunnel for syncthing gui management
To use a “Silent Tunnel” Command:
ssh -N -f -L 9999:127.0.0.1:8384 admin@oci
To identify and kill any open tunnels, issue the command on homepc2:
pgrep -fa ssh | grep 9999
pkill -f "9999:127.0.0.1:8384"
Folder & Permission Alignment
- Pointed the incoming HomePC sync to the WebDAV root (/var/www/webdav).
- Set the base owner to the sync engine and the group to the web server, for both initial ownership and inheritance using setgid (2775).
doas chown -R syncthing:lighttpd /var/www/webdav
doas chmod 2775 /var/www/webdav
- Alternately, the “Magic” step of setting the SetGID bit ensures any NEW file created in this folder inherits the group. To turn on the SGID feature on an existing directory without changing its current read/write permissions (unlike 2775 above):
chmod g+s /path/to/files
- To fix file and directory permissions so both Syncthing and Orgzly can read/write:
doas find /var/www/webdav -type f -exec chmod 664 {} +
doas find /var/www/webdav -type d -exec chmod 2775 {} +
Conflict Resolution & Cleanup
Removed duplicate files created when HomePC and OCI versions diverged.
rm /var/www/webdav/*.sync-conflict-*
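Before running the rm above, it helps to list what would go and whether the tree still matches the ownership scheme from the previous section. The function below is an added example, not part of the original notes: it reports files that are not 664, directories that are not 2775, paths outside the expected group, and conflict copies at any depth (the glob above only matches the top level). The function name, output labels and the script name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit_share and its output labels are constructed names.

# audit_share ROOT GROUP
# Prints one line per finding under ROOT and returns 1 if there is any:
#   file-mode  regular file whose mode is not exactly 664
#   dir-mode   directory whose mode is not exactly 2775 (setgid missing or other bits off)
#   group      path not owned by GROUP (name or numeric gid)
#   conflict   Syncthing conflict copy, at any depth
# Returns 0 and prints nothing when the tree is clean.
audit_share() {
    root=$1
    group=$2
    report=$(
        find "$root" -type f ! -perm 664  | sed 's/^/file-mode /'
        find "$root" -type d ! -perm 2775 | sed 's/^/dir-mode  /'
        find "$root" ! -group "$group"    | sed 's/^/group     /'
        find "$root" -type f -name '*.sync-conflict-*' | sed 's/^/conflict  /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage on the OCI instance (audit.sh is a hypothetical file name):
#   doas sh audit.sh /var/www/webdav lighttpd
if [ "$#" -ge 2 ]; then
    audit_share "$1" "$2"
fi
```

A non-empty report after a sync usually means a file arrived before the setgid bit or the umask 002 setting was in place.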
Performance tuning
A few parameters were modified in the file /etc/sysctl.conf to increase watch limits as syncthing did not synchronize perfectly, when hugo_watcher service was added as mentioned in hugo_server page.
admin@homepc2 ~> cat /etc/sysctl.conf
# content of this file will override /etc/sysctl.d/*
fs.inotify.max_user_watches=524288
fs.inotify.max_user_instances=1024
fs.inotify.max_queued_events=524288
To reload and verify the changes here are the steps:
admin@homepc2 ~> doas sysctl -p
admin@homepc2 ~> cat /proc/sys/fs/inotify/max_user_watches
524288
Even after the above steps, there were synchronisation issues, as html changes by hugo were not picked up, whereas md file creation by ox-hugo was picked up. Gemini suggested this might be due to rapid deletion and creation of files/directories by hugo.
The Fs Watcher Delay setting was changed from 10 to 60 for this folder alone: click Actions (top right) -> Advanced. The synchronisation issue seems to be resolved based on this.
While troubleshooting the following command was run to see the internal working. Stopped the syncthing service and ran this.
$ STTRACE="watchaggregator,scanner,fs" syncthing
The above Environment variable STTRACE is telling the Syncthing binary to “un-mute” its internal debug logs for the filesystem module.
Public relay for handling NAT
Syncthing prefers a direct connection between your devices. However, if both devices are behind firewalls or NAT (Network Address Translation) that prevent them from “seeing” each other directly, Syncthing uses a public relay to pass the data through. If Relaying is disabled in Syncthing, wait about 60 seconds and check the Remote Devices list in the Syncthing GUI. It should say TCP Direct or QUIC instead of Relay-TRS or Relay-CV.
CLI based workflow
Here is how to perform the “Accept” handshake without ever touching a browser.
Accept the HomePC2 Device
On your OCI instance, run this to see the “Pending” device request from your HomePC:
doas -u syncthing syncthing cli show pending devices
You will see your HomePC’s ID. To accept it:
doas -u syncthing syncthing cli config devices add --device-id [HOMEPC_ID] --name HomePC2
Accept the Shared Folder
First, find the Folder ID being offered (it’s usually a random string like abc12-xyz or the folder name):
doas -u syncthing syncthing cli show pending folders
Once you have the ID, run this to link it to your WebDAV directory:
doas -u syncthing syncthing cli config folders add --id [FOLDER_ID] --path /var/www/webdav --label [NAME]
When handling more clients, if you don’t want to do this every time, you can set your OCI server to “Auto-Accept” everything from your HomePC:
doas -u syncthing syncthing cli config devices [HOMEPC_ID] auto-accept-folders set true
Now, any new folder you share from your HomePC will automatically appear on the OCI server without you needing to run another command.
Syncthing on Android
The Android application is named Syncthing-Fork, a wrapper for the syncthing application. The following safety measures can be taken when using Syncthing on Android.
The familiar Web GUI of syncthing desktop can be used as it is more featureful than the default android menu. Always Click ‘Exit’ to exit the app. Ensure that ‘Expert mode’ is checked under User Interface.
To disable accidental usage of mobile data for syncing files, it is always better to sync with a local desktop/laptop. If this is the case, the following changes need to be made:
- Uncheck the options ‘Global Discovery’ and ‘Enable Relaying’ under Settings->Syncthing Options.
- Ensure that except ‘Run on Wi-Fi’ and ‘Respect Android battery saving setting’, all other options are unchecked in Settings->Run Conditions.
- For extra safety disable ‘Mobile data’ in the Data Usage and verify that ‘Battery Saver’ is enabled in Battery option in the Settings->App Info->Syncthing-Fork.
Previous attempts
The below steps were used in mid-2020 for installation on Linux Mint.
Installation
Add https://apt.syncthing.net/ as a repository source
$ sudo curl -s -o /usr/share/keyrings/syncthing-archive-keyring.gpg \
    https://syncthing.net/release-key.gpg
$ echo "deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable" | \
    sudo tee /etc/apt/sources.list.d/syncthing.list
Update and Install syncthing.
$ sudo apt-get update
$ sudo apt-get install syncthing
Configuration
To run syncthing as systemd user service, executed the following commands on both the computers.
$ sudo systemctl enable syncthing@user.service
$ sudo systemctl start syncthing@user.service
Then shared the folders /data/docs/user and /home/user/Downloads on both the machines. In the Actions->Advanced Menu, enabled Junctions As Dirs option for the folder /data/docs/user to ensure that the Downloads are synced and backed up in the /data/docs folder.
Running multiple instances
https://www.linuxbabe.com/ubuntu/install-syncthing-ubuntu-desktop-server
If you have multiple shared folders that belong to different users, it’s a good idea to run multiple instances of Syncthing for each user.
sudo systemctl start syncthing@user1.service
sudo systemctl start syncthing@user2.service
If you run Syncthing as user1 and share folders belonging to user2, you are going to have out-of-sync/permission denied problems, because Syncthing will create the files with the user it runs as.
Each instance needs to have a unique GUI port and sync port, which can be configured in the user’s syncthing configuration file under the home directory. Edit the file ~/.config/syncthing/config.xml
GUI port configuration is
<address>127.0.0.1:8384</address>
The default sync port configuration is
<listenAddress>default</listenAddress>
You can change it to
<listenAddress>tcp://0.0.0.0:22001</listenAddress>
So after making the above changes, configuration details as follows
admin@homepc-lm:~$ sudo ss -lnpt | grep syncthing
LISTEN 0 4096 192.168.0.199:8390 0.0.0.0:* ..
LISTEN 0 4096 127.0.0.1:8380 0.0.0.0:* ..
LISTEN 0 4096 *:22000 *:* ..
LISTEN 0 4096 *:22001 *:* ..
Removal
Around late ‘20, removed syncthing due to excessive memory usage on the linux pc’s. The android version was removed earlier due to excess battery usage.
© Prabu Anand K 2020-2026