Nixpkgs: syncthing is broken in stable

Created on 4 Jul 2020 · 18 Comments · Source: NixOS/nixpkgs

Describe the bug
Folders added in syncthing are not accessible to anyone.

To Reproduce
Steps to reproduce the behavior:

  1. Enable syncthing via services.syncthing.enable = true;
  2. nixos-rebuild switch
  3. Configure a folder to be shared

Expected behavior
The folder is available to everyone in the syncthing group under /var/lib/syncthing/folderlocation.

Additional context
The rights to /var/lib/syncthing seem to be "user syncthing can read/write, everyone else cannot do anything" which doesn't work. Setting user = "philipp" results in /var/lib/syncthing being rwx for the user "237" in my case, and I still cannot access it.

Also, the syncthing version is very old and not the latest stable.

Notify maintainers

Metadata

  • system: "x86_64-linux"
  • host os: Linux 5.4.50, NixOS, 20.03.2437.d6260a33e43 (Markhor)
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Nix) 2.3.6
  • channels(root): "nixos-20.03.2437.d6260a33e43"
  • nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

Maintainer information:

# a list of nixpkgs attributes affected by the problem
attribute:
# a list of nixos modules affected by the problem
module:
bug nixos

All 18 comments

ping @Lassulus @mrVanDalo @peterhoeg

Regarding the permissions, this came up before and the problem is the syncthing home directory is created with 0700, so even if owned by the syncthing group you can't access it (see #59988). This could be solved by a chmod -R g=u and an ACL rule for default file mode.
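
An added example, not part of the original thread: a shell demonstration of the check and the change the comment above describes (chmod -R g=u plus a default ACL), run on a throwaway temp tree rather than /var/lib/syncthing. The function names are hypothetical; it assumes GNU stat and skips the ACL step when setfacl is not installed.

```shell
# Constructed demo on a throwaway tree; nothing under /var/lib is touched.
# Assumes GNU coreutils (stat -c) and absolute paths; setfacl is optional.

# Recreate the layout from the issue: a 0700 data dir holding a shared folder.
make_demo_tree() {
  root=$(mktemp -d) || return 1
  mkdir -p "$root/syncthing/Sync"
  echo data > "$root/syncthing/Sync/file.txt"
  chmod 700 "$root/syncthing" "$root/syncthing/Sync"
  chmod 600 "$root/syncthing/Sync/file.txt"
  printf '%s\n' "$root/syncthing"
}

# Print the topmost directory between $1 (top) and $2 (target) whose group
# class lacks the search (x) bit; print nothing if the group can traverse.
first_group_blocker() {
  top=$1; path=$2; blocker=
  while :; do
    if [ -d "$path" ]; then
      case $(stat -c '%A' "$path") in      # e.g. drwx------
        ??????[xs]*) ;;                    # group x (or setgid with x) is set
        *) blocker=$path ;;
      esac
    fi
    case $path in "$top"|/|.) break ;; esac
    path=$(dirname "$path")
  done
  printf '%s' "$blocker"
}

# The change proposed in the comment: copy the owner bits to the group, then
# give every directory a default ACL so new entries inherit group access.
open_to_group() {
  chmod -R g=u "$1"
  if command -v setfacl >/dev/null 2>&1; then
    find "$1" -type d -exec setfacl -d -m g::rwx {} + ||
      echo "default ACL not applied (filesystem without ACL support?)" >&2
  fi
}

demo=$(make_demo_tree)
echo "before: blocked at '$(first_group_blocker "$demo" "$demo/Sync/file.txt")'"
open_to_group "$demo"
echo "after:  blocked at '$(first_group_blocker "$demo" "$demo/Sync/file.txt")'," \
     "file mode $(stat -c '%a' "$demo/Sync/file.txt")"
rm -rf "$(dirname "$demo")"
```

A default ACL only shapes permissions at creation time; an explicit chmod afterwards, such as the permission synchronization raised later in the thread, still rewrites the group bits.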

hmm, never thought about having a shared folder in /var/lib/syncthing. Is that a usecase? why not have it inside your HOME or some other place? maybe there is a way to change the default sync folder directory to something else.

Apparently it is, the user in #47513 was doing exactly this.

> hmm, never thought about having a shared folder in /var/lib/syncthing. Is that a usecase? why not have it inside your HOME or some other place? maybe there is a way to change the default sync folder directory to something else.

Which user are you running syncthing as in the case you have the shared folder in your HOME directory?

> Which user are you running syncthing as in the case you have the shared folder in your HOME directory?

I run it as the user syncthing. I have 711 permissions on my home. the synced folder has the permissions -rw-rw-r-- and the group syncthing

@Lassulus ah nice, thanks.

Uhm, my plan doesn't exactly work. By using those ACLs I can get syncthing to create new shared folders with the correct ownership and file permissions: syncthing:syncthing 664. However, if permissions synchronization is enabled and a remote node adds a new file with 640, the local syncthing group won't have read access, though it owns the file.

I set

    dataDir = "/home/palo/.syncthing";
    configDir = "/home/palo/.syncthing";

which works fine when I set my user = "palo"

@mrVanDalo generally speaking you shouldn't run systemd non-user-level services as regular user accounts... Some NixOS modules are bad at all but promoting that sort of thing :worried:

Yeah, if you're running it as your user you better be enabling the user service instead (not the system-wide service).

there is no way to configure the user service with nixos?

Actually I also have to fix permissions of the created files with inotify, because syncthing can't create them as my user if it runs as another user. A workaround for that would be to let syncthing run as root or with capabilities like CAP_CHOWN. Or as @mrVanDalo suggested running it as your own user.

> there is no way to configure the user service with nixos?

Maybe it was a bad assumption... but I just assumed there was a home manager service. I don't use home manager, so don't know. Is there?

there is a home-manager service, but it lacks the very cool services.syncthing.declarative.* feature.
What is actually the problem with running systemd-services as normal users? I do this actually often, since I'm unhappy I can't depend on system services with user services.

@Lassulus I'm not saying you can't, but some problems seem to creep up once in a while when people do that. I'm trying to find a few conversations that have discussed this, but can only find one reference at the moment: https://github.com/NixOS/nixpkgs/pull/65078#discussion_r305577473

If a service is going to be running as a regular user conceptually it just makes more sense to run as a user service or home manager module. So can the services.syncthing.declarative.* options be ported to home manager?

@aanderse well it depends on the usecase. the service can only be run once per system. I use it to manage a lot of different users at the same time. So home-manager wouldn't fit my usecase.

porting it to home-manager should be possible if people want to run it as their own user. sadly code would be duplicated in both projects then.

I don't see any problem running the system-wide service as another user than syncthing and in another home folder than /var/lib/syncthing.

Maybe instead of keeping code in sync with home-manager, a flag like runAsUserService to start the service as systemd.user.services instead of systemd.services is a simple fix.

The way to think of the current nixos syncthing module is as that of an appliance. If you want to run a vm/container/thing somewhere that acts as a server, you would use this module. For actual interactive users, home-manager or home-rolled is the way to go.
