I’m doing a very rapid selection process for a sync platform. Syncthing is one of the tools I’ve identified as a candidate.
Just breezing through the documents, I spotted the standard process for linking 2 endpoints that will sync with each other. It’s very manual - install, get the id, copy it to the other device, install on the other device, take id from device 2 and copy to device 1, etc…
I’ll have a single source for data to be synced and perhaps 300 recipients of the data. I’ll be creating a number of these deployments. I don’t want this manual process in the middle of my deployment.
I guess I can live with putting the source device’s id on each of the recipient devices as part of a custom installation on those devices. But I don’t want to have to then grab each of those 300 ids and use them to configure the source.
Is there any support for some sort of discovery at startup? I’d like the source device to find out about the recipients through some sort of broadcast protocol or something similar.
I can generate a key pair in advance and keep the public keys on the source device. Taht way, the discovery messages can be digitally signed by the recipients to avoid spoofing.
I would suggest centrally generating the keys and configs and pushing them out. If you’re deploying 300 devices you’ll probably have some sort of configuration management in place. That is, the remote device gets its keys and a config that points to the central source; the central source gets the remote device ID added.
You could also skip the last step if you want to avoid stomping on the central device’s config. A script could listen for incoming rejected connection attempts (via the event API) and add them to the config. It’s obviously insecure to just add whomever connects, but if this is in a closed environment it might be acceptable.
I’ve had some thoughts about using certificates for things like this. That is, the remote devices could get a certificate that was signed by some trusted CE, and the other devices would allow connections from such certificates. But so far no need for it.
Thanks, Jakob. I guess you’re right - I could just spend a little extra time working on the deployment side. If I pre-generate keys and configs that would get me most of the way there at least for the initial deployment. Then I’ll have to think about the inevitable scenarios like replacing one of the remote devices due to breakage or something. In my use case, touching any of these devices is expensive. So things like discovery can really help. I’m thinking of the ability to just drop in the new hardware and have the software configure itself. But perhaps I can do without it.