Initial commit

README.md

@@ -0,0 +1,9 @@
+# Syncthing ansible role
+
+Depends on unreleased nginx role
+
+- Edit config.xml for user and bcrypt password
+- Copy key and cert both as .pem files into .config/syncthing
+- Set up port 8080
+- Write a systemd unit file, user is e.g. obst (syncthing@obst.service), enable
+  it

defaults/main.yml

@@ -0,0 +1,13 @@
+---
+
+syncthing_disco_domain: disco.example.com
+syncthing_disco_cert_domain: "{{syncthing_disco_domain}}"
+syncthing_disco_http_port: 8443
+
+syncthing_domain: syncthing.example.com
+syncthing_cert_domain: "{{syncthing_domain}}"
+
+syncthing_user_repos: []
+syncthing_web_port: 8384
+syncthing_relay_provided_by: ''
+syncthing_relay_rate: 500000

handlers/main.yml

@@ -0,0 +1,10 @@
+---
+
+- name: restart nginx
+  systemd:
+    name: nginx
+    state: restarted
+    daemon_reload: true
+
+- name: apply systemd-tmpfiles
+  shell: systemd-tmpfiles --create

tasks/apt.yml

@@ -0,0 +1,32 @@
+---
+
+- name: Add syncthing repo key
+  apt_key:
+    url: 'https://syncthing.net/release-key.txt'
+    state: present
+    validate_certs: true
+  tags:
+    - install
+    - apt
+
+- name: Add syncthing apt repo
+  apt_repository:
+    repo: 'deb https://apt.syncthing.net/ syncthing stable'
+    state: present
+    filename: 'syncthing'
+    update_cache: true
+  tags:
+    - install
+    - apt
+
+- name: Install syncthing packages
+  apt:
+    name: "{{item}}"
+    state: present
+  loop:
+    - syncthing
+    - syncthing-discosrv
+    - syncthing-relaysrv
+  tags:
+    - install
+    - apt

tasks/discosrv.yml

@@ -0,0 +1,58 @@
+---
+
+- name: Create syncthing discosrv folders
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+  loop:
+    - "/etc/systemd/system/stdiscosrv.service.d/"
+  tags:
+    - install
+    - discosrv
+
+- name: Configure syncthing discovery server
+  template:
+    src: "{{item.src}}"
+    dest: "{{item.dest}}"
+    owner: root
+    group: root
+    mode: 0755
+  loop:
+    - { src: "syncthing-discosrv-tmpfiles.conf.j2",
+        dest: "/etc/tmpfiles.d/syncthing-discosrv.conf" }
+    - { src: "syncthing-discosrv-override.conf.j2",
+        dest: "/etc/systemd/system/stdiscosrv.service.d/exec-override.conf" }
+    #- { src: "syncthing-discosrv.service.j2",
+    #    dest: "/etc/systemd/system/syncthing-discosrv.service" }
+  notify:
+    "apply systemd-tmpfiles"
+  tags:
+    - install
+    - discosrv
+
+- name: Install syncthing discosrv nginx frontend
+  template:
+    src: "syncthing-disco.conf.j2"
+    dest: "/etc/nginx/sites-enabled/dual/{{syncthing_disco_domain}}"
+    owner: root
+    group: root
+    mode: 0755
+  tags:
+    - install
+    - discosrv
+
+- name: Start syncthing discosrv service
+  systemd:
+    name: stdiscosrv.service
+    state: restarted
+    enabled: true
+    daemon_reload: true
+    #name: syncthing-discosrv.service
+  notify:
+    restart nginx
+  tags:
+    - install
+    - discosrv

tasks/main.yml

@@ -0,0 +1,23 @@
+---
+
+- name: apt tasks
+  include_tasks: apt.yml
+  tags:
+    - apt
+- name: syncthing-user tasks
+  include_tasks: syncthing-user.yml
+  tags:
+    - syncthing-user
+    - debug
+- name: relay tasks
+  include_tasks: relay.yml
+  tags:
+    - relay
+- name: discosrv tasks
+  include_tasks: discosrv.yml
+  tags:
+    - discosrv
+- name: syncthing-web tasks
+  include_tasks: syncthing-web.yml
+  tags:
+    - syncthing-web

tasks/relay.yml

@@ -0,0 +1,63 @@
+---
+
+- name: Create syncthing relaysrv folders
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+  loop:
+    - "/etc/systemd/system/strelaysrv.service.d/"
+  tags:
+    - install
+    - relay
+
+- name: Configure syncthing relay server
+  template:
+    src: "{{item.src}}"
+    dest: "{{item.dest}}"
+    owner: root
+    group: root
+    mode: 0755
+  loop:
+    - { src: "syncthing-relaysrv-tmpfiles.conf.j2",
+        dest: "/etc/tmpfiles.d/syncthing-relaysrv.conf" }
+    - { src: syncthing-relaysrv-override.conf.j2,
+        dest: /etc/systemd/system/strelaysrv.service.d/env-exec-override.conf }
+    #- { src: syncthing-relaysrv.service.j2,
+    #    dest: /etc/systemd/system/syncthing-relaysrv.service }
+  # notify:
+  #   "apply systemd-tmpfiles"
+  tags:
+    - install
+    - relay
+
+- name: Run tmpfiles.d
+  shell: /bin/systemd-tmpfiles --create
+  tags:
+    - install
+    - relay
+
+- name: Open syncthing relay ports
+  ufw:
+    rule: allow
+    port: 22067:22070
+    proto: tcp
+    comment: Accept syncthing relay
+  tags:
+    - install
+    - relay
+
+- name: Start syncthing relay service
+  systemd:
+    name: strelaysrv.service
+    state: restarted
+    enabled: true
+    daemon_reload: true
+    #name: syncthing-relaysrv.service
+  notify:
+    restart nginx
+  tags:
+    - install
+    - relay

tasks/syncthing-user.yml

@@ -0,0 +1,126 @@
+---
+
+- name: Check if syncthing user exists
+  getent:
+    database: passwd
+    key: syncthing
+    fail_key: false
+  register: syncthing_user_already
+  ignore_errors: true
+  tags:
+    - install
+    - syncthing-user
+
+- name: Create user for syncthing
+  user:
+    name: "syncthing"
+    comment: "User for syncthing"
+    home: "/home/syncthing/"
+    state: present
+  when: syncthing_user_already != true
+  ignore_errors: true
+  tags:
+    - install
+    - syncthing-user
+
+- name: Build syncthing folder list
+  set_fact:
+    st_folder: "{{ ('syncthing-files/%s/' |format(item)) }}"
+  loop: "{{ syncthing_user_repos|flatten(levels=1) }}"
+  register: syncthing_folders
+  tags:
+    - install
+    - syncthing-user
+
+- debug:
+    msg: "{{syncthing_folders.results\
+            |map(attribute='ansible_facts.st_folder')|list}}"
+  tags:
+    - debug
+
+- name: Create syncthing folders
+  file:
+    path: "{{'/home/syncthing/' + item}}"
+    state: directory
+    owner: syncthing
+    group: syncthing
+    mode: 0755
+  loop: "{{(\
+            ['.config/syncthing/']\
+            + syncthing_folders.results\
+              |map(attribute='ansible_facts.st_folder')\
+              |list\
+           )|list}}"
+  tags:
+    - install
+    - syncthing-user
+
+- name: Set up syncthing config
+  copy:
+    src: "{{playbook_dir}}/../files/roles/syncthing/{{item}}"
+    dest: "/home/syncthing/.config/syncthing/{{item}}"
+    owner: syncthing
+    group: syncthing
+    mode: 0600
+  loop:
+    - cert.pem
+    # - config.xml
+    - csrftokens.txt
+    - key.pem
+  tags:
+    - install
+    - syncthing-user
+
+- name: Set up syncthing config.xml (only do this if you're sure)
+  copy:
+    src: "{{playbook_dir}}/../files/roles/syncthing/{{item}}"
+    dest: "/home/syncthing/.config/syncthing/{{item}}"
+    owner: syncthing
+    group: syncthing
+    mode: 0600
+  when: "syncthing_override_config_xml|bool == true"
+  loop:
+    - config.xml
+  tags:
+    - install
+    - syncthing-user
+
+- name: Create syncthing user config folders
+  file:
+    path: "{{ item }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+  loop:
+    - "/etc/systemd/system/syncthing@.service.d/"
+  tags:
+    - install
+    - syncthing-user
+
+- name: Configure syncthing user service
+  template:
+    src: "{{item.src}}"
+    dest: "{{item.dest}}"
+    owner: root
+    group: root
+    mode: 0755
+  loop:
+    - { src: syncthing-user-override.conf.j2,
+        dest: /etc/systemd/system/syncthing@.service.d/user-override.conf }
+  # notify:
+  #   "apply systemd-tmpfiles"
+  tags:
+    - install
+    - syncthing-user
+
+- name: Start syncthing user service
+  systemd:
+    name: "syncthing@syncthing.service"
+    enabled: true
+    state: restarted
+    daemon_reload: true
+  tags:
+    - install
+    - update
+    - syncthing-user

tasks/syncthing-web.yml

@@ -0,0 +1,25 @@
+---
+
+- name: Install syncthing nginx web frontend
+  template:
+    src: "syncthing-web.conf.j2"
+    dest: "/etc/nginx/sites-enabled/dual/{{syncthing_domain}}"
+    owner: root
+    group: root
+    mode: 0755
+  notify:
+    restart nginx
+  tags:
+    - install
+    - syncthing-web
+
+- name: Create htpasswd-common file
+  copy:
+    content: "{{secret_htpasswd_common}}"
+    dest: "/etc/nginx/secrets/htpasswd-common"
+    owner: root
+    group: root
+    mode: 0755
+  tags:
+    - install
+    - syncthing-web

templates/syncthing-disco.conf.j2

@@ -0,0 +1,57 @@
+upstream {{syncthing_disco_domain}} {
+    # Local IP address:port for discovery server
+    #server 192.0.2.1:8443;
+    server 127.0.0.1:{{syncthing_disco_http_port|default('8443')}};
+}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{syncthing_disco_domain}};
+    include /etc/nginx/snippets/acme-challenge.conf;
+    rewrite ^ https://$http_host$request_uri? permanent;
+}
+
+server {
+    listen              443 ssl http2;
+    listen              [::]:443 ssl http2;
+    server_name         {{syncthing_disco_domain}};
+    ssl_certificate     /etc/dehydrated/certs/{{syncthing_disco_cert_domain}}/fullchain.pem;
+    ssl_certificate_key /etc/dehydrated/certs/{{syncthing_disco_cert_domain}}/privkey.pem;
+    include /etc/nginx/snippets/tls.conf;
+
+    access_log      /var/log/nginx/{{syncthing_disco_domain}}.access.log timed_combined;
+    error_log       /var/log/nginx/{{syncthing_disco_domain}}.error.log;
+
+    include /etc/nginx/snippets/acme-challenge.conf;
+
+    include /etc/nginx/snippets/spam.conf;
+
+    # See https://docs.syncthing.net/users/stdiscosrv.html
+    #proxy_set_header Connection $connection_upgrade;
+    #proxy_set_header Connection $proxy_connection;
+    #proxy_set_header Host $http_host;
+    #proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    #proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
+    #proxy_set_header X-Forwarded-Proto $scheme;
+
+    ssl_verify_client optional_no_ca;
+
+    #location /v2 {
+    location / {
+        proxy_pass http://{{syncthing_disco_domain}};
+        # HTTP 1.1 support
+        proxy_http_version 1.1;
+        proxy_buffering off;
+        proxy_set_header Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header X-Forwarded-For $remote_addr;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-SSL-Cert $ssl_client_cert;
+        client_max_body_size    0;
+        proxy_connect_timeout   36000s;
+        proxy_read_timeout      36000s;
+        proxy_send_timeout      36000s;
+        send_timeout            36000s;
+    }
+}

templates/syncthing-discosrv-override.conf.j2

@@ -0,0 +1,18 @@
+# /etc/systemd/system/stdiscosrv.service.d/override.conf
+
+[Service]
+User=
+User=syncthing
+Group=
+Group=syncthing
+WorkingDirectory=/var/lib/syncthing/discosrv
+ReadWritePaths=
+ReadWritePaths=/var/lib/syncthing/discosrv
+ExecStart=
+ExecStart=/usr/bin/stdiscosrv -listen="127.0.0.1:{{syncthing_disco_http_port|default('8443')}}" -http
+
+# Already set by ubuntu-shipped default unit
+#PrivateDevices=true
+#ProtectSystem=full
+#ProtectHome=true
+#NoNewPrivileges=true

templates/syncthing-discosrv-tmpfiles.conf.j2

@@ -0,0 +1 @@
+d /var/lib/syncthing/discosrv 0770 syncthing syncthing -

templates/syncthing-discosrv.service.j2

@@ -0,0 +1,15 @@
+# Unused, we are instead overriding stdiscosrv.service
+
+[Unit]
+Description=Syncthing discovery server
+After=network.target
+
+[Service]
+User=syncthing
+Group=syncthing
+ExecStart=/usr/bin/stdiscosrv -http
+Restart=on-failure
+SuccessExitStatus=2
+
+[Install]
+WantedBy=multi-user.target

templates/syncthing-relaysrv-override.conf.j2

@@ -0,0 +1,18 @@
+# /etc/systemd/system/strelaysrv.service.d/override.conf
+
+[Service]
+User=
+User=syncthing
+Group=
+Group=syncthing
+WorkingDirectory=/var/lib/syncthing/relaysrv
+ReadWritePaths=
+ReadWritePaths=/var/lib/syncthing/relaysrv
+ExecStart=
+ExecStart=/usr/bin/strelaysrv -nat={{ syncthing_relay_nat|default('true') }} -global-rate {{syncthing_relay_rate|default('500000')}}{% if syncthing_relay_provided_by %} -provided-by="{{syncthing_relay_provided_by}}"{% endif %} ${STRELAYSRV_OPTS}
+
+# Already set by ubuntu-shipped default unit
+#PrivateDevices=true
+#ProtectSystem=full
+#ProtectHome=true
+#NoNewPrivileges=true

templates/syncthing-relaysrv-tmpfiles.conf.j2

@@ -0,0 +1 @@
+d /var/lib/syncthing/relaysrv 0770 syncthing syncthing -

templates/syncthing-relaysrv.service.j2

@@ -0,0 +1,15 @@
+# Unused, we are instead overriding strelaysrv.service
+
+[Unit]
+Description=Syncthing relay server
+After=network.target
+
+[Service]
+WorkingDirectory=/var/lib/syncthing/relaysrv
+User=syncthing
+Group=syncthing
+ExecStart=/usr/bin/strelaysrv
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target

templates/syncthing-tmpfiles.conf.j2

@@ -0,0 +1 @@
+d /var/lib/syncthing/         0770 syncthing syncthing -

templates/syncthing-user-override.conf.j2

@@ -0,0 +1,12 @@
+# /etc/systemd/system/syncthing@syncthing.service.d/override.conf
+
+[Service]
+Environemnt="HOME=/home/syncthing"
+Environment="XDG_CONFIG_HOME=/home/syncthing/.config"
+ExecStart=
+ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0 -home="/home/syncthing/.config/syncthing" -gui-address=127.0.0.1:{{syncthing_web_port|default('8384')}}
+
+PrivateDevices=true
+# ProtectSystem=full
+# ProtectHome=true
+NoNewPrivileges=true

templates/syncthing-web.conf.j2

@@ -0,0 +1,37 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{syncthing_domain}};
+    rewrite ^ https://$http_host$request_uri? permanent;
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+    server_name {{syncthing_domain}};
+    ssl_certificate /etc/dehydrated/certs/{{syncthing_cert_domain}}/fullchain.pem;
+    ssl_certificate_key /etc/dehydrated/certs/{{syncthing_cert_domain}}/privkey.pem;
+    include /etc/nginx/snippets/tls.conf;
+
+    access_log off;
+    error_log  off;
+
+    include /etc/nginx/snippets/acme-challenge.conf;
+
+    include /etc/nginx/snippets/spam.conf;
+
+    include /etc/nginx/snippets/favicon.conf;
+
+    location / {
+        auth_basic "syncthing prompt";
+        auth_basic_user_file /etc/nginx/secrets/htpasswd-common;
+        proxy_pass http://127.0.0.1:{{syncthing_web_port|default('8384')}};
+        proxy_set_header X-Forwarded-For $remote_addr;
+        client_max_body_size 0;
+        proxy_connect_timeout  36000s;
+        proxy_read_timeout  36000s;
+        proxy_send_timeout  36000s;
+        send_timeout  36000s;
+        proxy_request_buffering off;
+    }
+}