Guide to using the proprietary Synology NAS and its DiskStation Manager ("DSM") Operating System for self-hosted infrastructure.

Synology is the name of a company (Synology, Inc.) as well as the brand name of a proprietary network-attached storage device vendor. Synology NAS devices can serve as an alternative to a Raspberry Pi. These devices are more expensive, but typically more powerful (faster CPU clock speed, more RAM, etc.) and arguably “easier” to configure or set up.

We do not recommend the use of Synology products because they are proprietary and relatively difficult to secure. That said, they are popular, so this page documents best practice recommendations for utilizing a Synology NAS, and recommendations for safer configurations of its DiskStation Manager ("DSM") Operating System.

Service notes

Service installation

Tor installation

Entware is a repository of software built for embedded devices and is the easiest way to install Tor on a Synology NAS, via its opkg package management tool. However, these packages are completely unverified. Use at your own risk.

After installing Entware on a Synology NAS, an installation of Tor is simple:

sudo opkg install tor

Entware’s tor package places the torrc configuration file at /opt/etc/tor/torrc.

Service configuration

This section documents details about service configuration procedures that deviate from (more-)fully Free Software systems.

rsync configuration

The Web-based Synology DSM provides a graphical interface to configure the rsync service. The graphical Rsync service configuration tool is available via Control Panel → File Services → rsync. Once there, you can add or delete “rsync accounts,” which is Synology’s term for Operating System accounts with associated Rsync user accounts.

Importantly, you cannot create an rsync-only account via the graphical Synology DSM. You must first create an Operating System user account, then add that user to the list of existing rsync accounts. Despite this, the user’s rsync password can (and, probably, should) be different than that same user’s Operating System account password (i.e., the password for logging in to the Synology DSM interface in a Web browser).

Filesystem locations

Synology’s Rsync service keeps rsyncd(8) configuration files in the following non-standard locations:

Configured rsync user accounts. This is consulted instead of the standard /etc/rsyncd.secrets file.
Synology proprietary configuration file in JSON format determining the rsync modules to export. (This replaces the export section[s] in your /etc/rsyncd.conf file.) Add shared folder names as strings in the required_resource.share array to create new modules. For example, after creating a new Shared Folder in the Synology DSM called backups, add it as an exported rsync module: