The Device tab is used to enroll (add) and edit devices. For Arigi to be able to manage a device it must know:

  • The device ID (Actions > Show ID in Syncthing)

  • The device address, which may be an IP address, a domain name, or blank to use the standard Syncthing global discovery infrastructure.

  • The device API port. This is the GUI/API listen port in Syncthing and defaults to 8384.

  • The API key (also shown in Actions > Settings in Syncthing).


Each device can have a label. The label is strictly for display purposes and doesn’t affect Arigi's functionality.

Once a device is saved you can add tags to describe it and link it to templates.

When opening an existing device, the device tab includes some extra information picked up from the device: its version, CPU utilization, etc.
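
A pre-enrollment check for the values listed above, as an added example (not Arigi's own code): it queries Syncthing's REST API (`/rest/system/status` and `/rest/system/version`, authenticated with the `X-API-Key` header) and confirms that the API at the given address and port reports the expected device ID. The function names, the `fetch` hook, and the sample device ID, key and version string are constructed for illustration.

```python
import json
import urllib.error
import urllib.request


def normalize_id(device_id):
    # Device IDs are displayed in dash-separated groups; compare without them.
    return device_id.replace("-", "").replace(" ", "").upper()


def http_get_json(url, api_key, timeout=5):
    # Syncthing's REST API authenticates requests with the X-API-Key header.
    req = urllib.request.Request(url, headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def check_enrollment(device_id, address, api_key, port=8384, scheme="http",
                     fetch=http_get_json):
    """Return (ok, detail); ok is True only if the API reports the expected ID."""
    if not address:
        return False, "blank address (global discovery): no endpoint to probe"
    base = f"{scheme}://{address}:{port}/rest/system"
    try:
        status = fetch(f"{base}/status", api_key)
        version = fetch(f"{base}/version", api_key)
    except urllib.error.HTTPError as err:
        return False, f"API returned HTTP {err.code}; check the API key and port"
    except (OSError, ValueError) as err:
        return False, f"no Syncthing API reachable at {address}:{port}: {err}"
    reported = status.get("myID", "")
    if normalize_id(reported) != normalize_id(device_id):
        return False, f"device ID mismatch: API reports {reported or 'no ID'}"
    return True, f"device ID matches; Syncthing {version.get('version', 'unknown')}"


if __name__ == "__main__":
    # Constructed ID, key and canned responses so the demo runs offline.
    DEV = "AAAAAAA-BBBBBBB-CCCCCCC-DDDDDDD-EEEEEEE-FFFFFFF-GGGGGGG-HHHHHHH"
    canned = {"status": {"myID": DEV}, "version": {"version": "v0.0.0-example"}}
    fake = lambda url, key: canned[url.rsplit("/", 1)[1]]
    print(check_enrollment(DEV.lower(), "192.0.2.10", "constructed-key", fetch=fake))
    print(check_enrollment("Z" * 7 + DEV[7:], "192.0.2.10", "constructed-key", fetch=fake))
```

Against a real device, call `check_enrollment` without the `fetch` argument, and pass `scheme="https"` when the Syncthing GUI is served over TLS.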

Automatic Enrollment


Reverse Tunneling the API

The usual flow of API access is for Arigi to make the API connection to the Syncthing device. This uses the configured API port and a configured or discovered IP address.

digraph g {
    "Syncthing" [style=filled, color="/accent3/1"]
    "Arigi" [style=filled, color="/accent3/2"]

    "Arigi" -> "Syncthing"
}

There are cases where this is not practical, such as when the device is behind a firewall and not reachable from Arigi. In this case a reverse HTTP tunnel can be employed. This uses the tunnel server arigitunnelsrv which makes outgoing connections towards both Arigi and the Syncthing API.

digraph g {
    "Syncthing" [style=filled, color="/accent3/1"]
    "arigitunnelsrv" [style=filled, color="/accent3/3"]
    "Arigi" [style=filled, color="/accent3/2"]

    "arigitunnelsrv" -> "Arigi"
    "arigitunnelsrv" -> "Syncthing"
}

If the tunnel server is placed close to the device, the result is similar to inverting the connection flow: the connection comes to Arigi instead of originating at Arigi.

To accomplish this, the tunnel server needs to be started and pointed towards both the Syncthing device to be forwarded and Arigi itself:

$ arigitunnelsrv --syncthing-device=GITWQ7Q-...-DDVVCAO \
    --syncthing-addr="" \

In addition, Arigi should be configured to expect an incoming tunnel connection:


When the “Use reverse HTTP tunnel” checkbox is checked, the host and port fields are disabled because they become irrelevant. Further configuration, such as the API key, is still available and works in the same way as usual. In particular, the tunnel server plays no part in authenticating the API connection, so Arigi must still use the API key as usual. API connections through the tunnel server are end-to-end encrypted between Arigi and the Syncthing device.