Not directly related to your question, but given I've been hitting my head against this for a few days..
There are a number of different 'chart' implementations Syncthing, with TrueNAS recently pushing their 'Enterprise' train version with;
-
Blog - Enterprise File Sync Improves Data Mobility and Furthers Data Freedom | TrueNAS Community, and
-
Syncthing | 23.10/scale tutorials
- it is pretty security conscious, and not entirely user friendly, given they disable local and global discovery etc.
- however they makes some opinionated decisions regarding Extended attributes. Which I appreciate, thank you iX Systems. Definitely worth a read
An alternative to the official TrueNAS 'charts' train, is the TrueCharts 'stable' version, which I'm using as it has far more configurable elements;
-
TrueCharts | truecharts.org
Not withstanding that difference with your implementation, the following may be of some use;
- Using the latest TrueNAS 23.10 Corbia, 'host-path validation' is no longer a configuration headache (yet still a security concern)
- Datasets support ACLs, even though Syncthing is using UID/GIDs.
- ACL Type: SMB/NFSv4
- ACL Mode: Passthrough (re-check, as this somehow changed to back to Restricted on occasion)
- "..Syncthing records both the numerical UID and GID for a file and the corresponding user and group names, when they are known. When applying ownership Syncthing will first attempt to look up a local user or group with the given name, and if that fails it will fall back to the numerical UID and GID."
syncOwnership — Syncthing v1.23.4 documentation
- "..if a file is modified on Linux it’s expected that macOS extended attributes will be preserved in the metadata and hence applied again on macOS. This is not always possible - for example if a file is _moved_ on Linux, the macOS extended attributes for that file will be lost."
syncXattrs — Syncthing v1.27.0 documentation
- Nested datasets 'sort of work', for initial sync at least. Moving a file within a client's directory structure (which has no notion of the backing nested datasets) predictably does not move the file into the appropriate sub-dataset. This is I'm sure because Syncthing is clever about moving stuff around on remote systems, to minimise resending data that already exists on the remote system. It tries to 'move' the file which is impossible between ZFS datasets (a copy and delete operation is required).
- I will be ditching my nested datasets, syncing those data that genuinely need that unique ZFS functionality in seperate Syncthing folders
Regarding permissions, and group permissions in particular, I have yet to devise a system for Syncthing in my household. Although shall probably do something similar to my `media` dataset, which uses a new family group, of which the `apps` user is a member.
Probably another good reason to look at the TrueCharts version, as their 'stable' trains include a bunch of standard variables that enhance deployment, such as;
- 'fsGroup
':
"The group that should own ALL storage, generally 568 but some apps may have specific owners (i.e Nextcloud)"
- 'Supplemental Groups': Add any Supplemental Groups as necessary