Bachelor Tech

5. Set up Syncthing for Vaultwarden data sync

by Jan Bachelor January 12, 2026

To ensure that the uploaded data stay consistent across multiple web servers, we will employ Syncthing, which I already use on my web servers. If you would like some help with deploying it, check out my previous tutorial on How to Configure HA for Web Servers.

  • The permissions depend on which user runs the Syncthing service. In my case, this is www-data. We need to ensure that this user has read and write access to the Vaultwarden data folder (the Docker volume) that Syncthing will monitor:
# Stop the container briefly to ensure the folder is free:
cd /opt/vaultwarden
sudo docker compose down

# Grant the 'www-data' user full read/write access to the Docker volume
# using ACLs (Access Control Lists).
sudo setfacl -R -m u:www-data:rwx /opt/vaultwarden/vw-data
# Set the same entry as the default ACL on every directory (-R), so files that
# Docker creates or recreates later, including in subfolders, inherit it.
sudo setfacl -R -d -m u:www-data:rwx /opt/vaultwarden/vw-data

# Start the container again (in detached mode to free up the shell):
sudo docker compose up -d
  • Assuming you have Syncthing already deployed, add a new folder on web1:
    • General tab
      • Label: Vaultwarden (web1)
      • Path: /opt/vaultwarden/vw-data
    • Sharing tab → if you already have your other Syncthing web servers defined, then tick the boxes.
    • File versioning tab → It is recommended to set up ‘Trash can versioning’ for 30 days+.
    • Skip to the Advanced tab → Check [x] Ignore Permissions (Docker manages the ownership, Syncthing just moves the data bits).
    • Go back to the Ignore Patterns tab and tick the box. Once you have completed the other tabs and moved forward, copy and paste this list:
icon_cache/
tmp/
temp/
*.sqlite3
*.sqlite3-wal
*.sqlite3-shm
*.log
[Screenshot: Add a folder to Syncthing]
[Screenshot: Ignore permissions due to virtualization nesting with Docker]
[Screenshot: Ignore temp files and local DB (not in use)]

Troubleshooting Syncthing folder addition

  • In case you add the sync job and immediately get a permission error like the one below, it means your permissions on the /opt/vaultwarden folder are not correct:
[Screenshot: Ensure Syncthing can read and write into the folder]
  • In my case, the user is www-data; in your case, it is likely different. How can you find out? Let’s take a look:
# List all running processes, filter for 'syncthing' and filter out the grep command itself:
sudo ps aux | grep syncthing | grep -v grep
  • Then adjust the two ‘sudo setfacl’ commands above accordingly.
  • For additional troubleshooting scenarios, you can check my previous guide for Syncthing that includes data loss situations and recovery options.
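
A check for the ACL step and the permission error above, as an added example that is not part of the original tutorial: it reads getfacl output and lists directories where the Syncthing user lacks an effective rwx entry or a default ACL, which is the state of subfolders that already existed when a default ACL was set on the top-level folder only. The function names, the attachments and sends subfolders and the sample dump are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: report directories where the Syncthing user lacks an
# effective rwx access ACL or a default (inherited) ACL.
# Real use, directories only, absolute paths:
#   sudo find /opt/vaultwarden/vw-data -type d -exec getfacl -p {} + \
#     | dirs_missing_acl www-data

dirs_missing_acl() {   # $1 = user; getfacl output on stdin
  awk -v u="$1" '
    function report() {
      if (path == "") return
      if (!acc) print path ": no effective access ACL"
      if (!def) print path ": no default ACL"
    }
    /^# file: /   { report(); path = substr($0, 9); acc = def = 0; next }
    /#effective:/ { next }   # getfacl adds this when the mask trims an entry
    $1 == ("user:" u ":rwx")         { acc = 1 }
    $1 == ("default:user:" u ":rwx") { def = 1 }
    END { report() }
  '
}

# Constructed sample (not captured from a real host).
sample_dump() {
  cat <<'EOF'
# file: /opt/vaultwarden/vw-data
user::rwx
user:www-data:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

# file: /opt/vaultwarden/vw-data/attachments
user::rwx
user:www-data:rwx
group::r-x
mask::rwx
other::r-x

# file: /opt/vaultwarden/vw-data/sends
user::rwx
user:www-data:rwx  #effective:r-x
group::r-x
mask::r-x
other::r-x
EOF
}

sample_dump | dirs_missing_acl www-data
```

An empty result means every directory in the dump carries both entries for that user.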

Add Syncthing on other web nodes

  • SSH into your other web server nodes and set up the file permissions accordingly as we have done at the beginning of this Step.
  • Open Syncthing on each of your other web nodes and accept the invitation:
[Screenshot: A notification on another web server that a folder sync is available]

Set up the name, path, trash can versioning and Ignore Permissions (in the Advanced tab), and then add the file/folder patterns to be ignored, as we have done previously.

Go back to course overview: Deploy Vaultwarden in multi-site environment (Docker, OPNSense, Galera cluster, Nginx)
