NuggetSync Server is a lightweight backend service designed for one purpose: to securely store encrypted VPN configuration profiles for NuggetVPN users.
It is built with a Zero-Trust, Zero-Knowledge philosophy. The server never sees your data in plaintext. It acts as a dumb, reliable storage locker for encrypted binary blobs.
- True Zero-Knowledge: All encryption and decryption happen on the client (NuggetVPN app) using a master password that never leaves your device. The server only stores encrypted noise.
- Blazing Fast: Built with Rust, Axum, and Tokio. Designed for high performance and low resource usage.
- Self-Hostable: Easily deployable via Docker on any cheap VPS or home server. You own your data infrastructure.
- Database Agnostic: Uses Diesel ORM, supporting PostgreSQL by default (SQLite and MySQL support can be added).
Understanding what this server DOES NOT do is key to understanding its security.
- Takes your user-provided Master Password.
- Uses Argon2id (a memory-hard password hashing function) on your device to derive a strong encryption key.
- Encrypts your profile data using XChaCha20-Poly1305 (a modern, authenticated encryption algorithm).
- Sends the resulting encrypted binary blob (along with the salt and nonce needed for decryption) to the server.
- Authenticates your request using a secure Bearer token (Redis-backed session).
- Validates that the uploaded blob is within acceptable size limits (e.g., < 1MB).
- Stores the encrypted blob in the database against your user ID.
- Retrieves the blob when asked.
Crucially: The server cannot decrypt your data. It does not have your master password, and it does not have the derived encryption key. If the server is compromised, attackers only get useless encrypted data.
- Rust & Cargo: The latest stable version (rustup.rs).
- PostgreSQL: A running instance of PostgreSQL database.
- Diesel CLI: For running migrations (
cargo install diesel_cli --no-default-features --features postgres).
-
Clone the repository:
git clone [https://github.com/Rigby-Foundation/nuggetsync.git](https://github.com/Rigby-Foundation/nuggetsync.git) cd nuggetsync -
Environment Setup: Create a
.envfile in the root directory and configure your database connection and JWT secret.# .env DATABASE_URL=postgres://user:password@localhost:5432/nugget_sync_db REDIS_URL=redis://127.0.0.1:6379 RUST_LOG=nugget_sync_server=debug,tower_http=debug
-
Database Setup:
# Create the database (if it doesn't exist) diesel setup # Run migrations to create tables diesel migration run
-
Run the Server:
cargo run
The server will start listening on http://0.0.0.0:3001.
A Dockerfile is provided for easy deployment.
-
Build the image:
docker build -t nugget-sync-server . -
Run the container: Make sure to provide the necessary environment variables, preferably via an
.envfile or Docker secrets. You'll need a PostgreSQL container running in the same network or an external DB URL.# Example using --env-file (ensure DATABASE_URL points to a reachable DB instance) docker run -d \ -p 3001:3001 \ --env-file .env \ --name nugget-sync \ nugget-sync-server
A docker-compose.yml is provided for a complete stack setup (App + Postgres + Redis).
docker-compose up -d --buildWe welcome contributions! Whether it's a bug report, feature request, or a pull request, your help is appreciated.
Please ensure any PRs follow the existing code style and include tests where appropriate.
This project is open-source and available under the GPL-3.0 License.