Description of requirements
Hi,
At home I have a bunch of devices which already sync perfectly via Syncthing. Most of them only run when required while the HomeServer runs 24/7. The HomeServer is (older) business grade hardware with Xeon CPU and ECC RAM, therefore I see it as trusted and reliable. When not in my home network, I connect to the HomeServer with Wireguard and sync directly via the VPN tunnel or as fallback via Relay. This also works perfectly. I know that using a VPN is not required (causes unnecessary double encryption) but it is there anyway so I use it instead of opening an additional port for Syncthing.
Now comes an additional requirement (the difficult part). Occasionally I am not at home for several weeks and for rare cases where I cannot reach my HomeServer (due to WAN failure, power outage, hardware failure, …) I want to have a fallback system in my parents’ house (or at other locations, might even be a VPS). I see the fallback system as untrusted as other people might have physical access to it and it does not use full disk encryption.
My idea is that during normal operation:
- My HomeServer syncs all its data to (but not from!) the remote fallback RPi.
- Roaming devices only sync from/to my HomeServer but not from/to the RPi.
Only when my HomeServer is not available for whatever reason:
- Roaming devices connect to the RPi as fallback and sync from/to it.
- As soon as the HomeServer returns, all changes that happened while it was offline are synced to it. The connection from the roaming devices to the RPi is stopped.
An automatic redundancy switchover is not required, manually via WebUI is fine.
The concept should look like this:
Specific questions:
- How can I make sure that during normal operation data which is changed on the RPi is never synced to the HomeServer? The folder type on the RPi will (of course) be receiveencrypted and the folder type on the HomeServer will always be sendreceive (sendonly is not possible as it would not accept changes from my workstations). If the data on the RPi is messed up for whatever reason, I do not want this mess to propagate to the HomeServer and from there to all other systems. Or is this risk only theoretical? What happens if an encrypted file is deleted or manipulated in the untrusted node’s filesystem? Will it also be deleted/manipulated in connected systems or will Syncthing detect that there is something wrong and not sync this deletion/manipulation? I am very sure that manipulation will be detected by Syncthing as encryption includes auth/hashing and the file cannot be decrypted any more. But what about deletions?
- How can I achieve that the roaming devices only connect to the HomeServer and not to the RPi under normal circumstances? My idea would be to set the device RPi to paused mode on all roaming clients by default and only manually resume if required. However, if I forget to pause it manually when not required any more, it will probably stay unpaused forever. Can I only pause specific devices on startup or will I need to use the REST API for that?
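As an added example (not code from this post or from the Syncthing project), a small startup script that pauses the RPi device through Syncthing's REST API, using `GET /rest/system/connections` to read the device's `paused` flag and `POST /rest/system/pause?device=ID` to pause only that device, authenticated with the `X-API-Key` header; the listen address, the environment variable names and the device ID are assumptions.

```python
# Added example (not from the post): pause the fallback RPi via Syncthing's REST API
# at startup. Assumed: REST on http://127.0.0.1:8384 and the key in SYNCTHING_API_KEY.
import json
import os
import urllib.parse
import urllib.request

# Constructed placeholder; use the RPi's real device ID from the Syncthing GUI.
FALLBACK_DEVICE_ID = "AAAAAAA-BBBBBBB-CCCCCCC-DDDDDDD-EEEEEEE-FFFFFFF-GGGGGGG-HHHHHHH"

def _default_send(req):
    """Send a prepared request with urllib; return (status, body bytes)."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()

class SyncthingClient:
    """Only the two REST calls needed here; `send` is injectable for offline tests."""

    def __init__(self, base_url, api_key, send=_default_send):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.send = send

    def _request(self, method, path, query=None):
        url = self.base_url + path + ("?" + urllib.parse.urlencode(query) if query else "")
        req = urllib.request.Request(url, method=method)
        req.add_header("X-API-Key", self.api_key)  # REST API authentication header
        status, body = self.send(req)
        if status != 200:
            raise RuntimeError(f"{method} {path}: HTTP {status}")
        return body

    def device_paused(self, device_id):
        """Per-device 'paused' flag from GET /rest/system/connections (KeyError if unknown)."""
        conns = json.loads(self._request("GET", "/rest/system/connections"))["connections"]
        return bool(conns[device_id].get("paused", False))

    def pause_device(self, device_id):
        """POST /rest/system/pause?device=ID pauses only that device (omit ID = all)."""
        self._request("POST", "/rest/system/pause", {"device": device_id})

def ensure_paused(client, device_id):
    """Idempotent startup step: True if a pause was sent, False if already paused."""
    if client.device_paused(device_id):
        return False
    client.pause_device(device_id)
    return True

if __name__ == "__main__":
    client = SyncthingClient("http://127.0.0.1:8384", os.environ["SYNCTHING_API_KEY"])
    print(ensure_paused(client, os.environ.get("FALLBACK_DEVICE_ID", FALLBACK_DEVICE_ID)))
```

Run it from a unit or task that starts after Syncthing on each roaming device; because it checks the current state first, it can be re-run safely and only acts when the device has been left unpaused.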