commit
8933044c46
19 changed files with 534 additions and 0 deletions
@ -0,0 +1,9 @@
@@ -0,0 +1,9 @@
|
||||
# Syncthing ansible role |
||||
|
||||
Depends on unreleased nginx role |
||||
|
||||
- Edit config.xml for user and bcrypt password |
||||
- Copy key and cert both as .pem files into .config/syncthing |
||||
- Set up port 8080 |
||||
- Write a systemd unit file, user is e.g. obst (syncthing@obst.service), enable |
||||
it |
@ -0,0 +1,13 @@
@@ -0,0 +1,13 @@
|
||||
--- |
||||
|
||||
syncthing_disco_domain: disco.example.com |
||||
syncthing_disco_cert_domain: "{{syncthing_disco_domain}}" |
||||
syncthing_disco_http_port: 8443 |
||||
|
||||
syncthing_domain: syncthing.example.com |
||||
syncthing_cert_domain: "{{syncthing_domain}}" |
||||
|
||||
syncthing_user_repos: [] |
||||
syncthing_web_port: 8384 |
||||
syncthing_relay_provided_by: '' |
||||
syncthing_relay_rate: 500000 |
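Review bot: `syncthing_override_config_xml` is consumed in the user tasks (`when: "syncthing_override_config_xml|bool == true"`) but has no default in this file, so a run against an inventory that never sets it fails with an undefined-variable error instead of skipping the config.xml copy. Add `syncthing_override_config_xml: false` here so the overwrite stays opt-in and the role runs out of the box. `secret_htpasswd_common` is likewise read by the web tasks with no default; it is presumably meant to come from a vaulted variable, and a one-line comment saying so would spare the next user a failed run.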
@ -0,0 +1,10 @@
@@ -0,0 +1,10 @@
|
||||
--- |
||||
|
||||
- name: restart nginx |
||||
systemd: |
||||
name: nginx |
||||
state: restarted |
||||
daemon_reload: true |
||||
|
||||
- name: apply systemd-tmpfiles |
||||
shell: systemd-tmpfiles --create |
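Review bot: `shell:` is used for a plain command that needs no shell features; `command: systemd-tmpfiles --create` avoids the shell interpreter and the ansible-lint `command-instead-of-shell` warning. Note that as a handler this only runs when handlers are flushed at the end of the play, so a task earlier in the same play (for example a service start whose unit needs a tmpfiles-created directory) cannot rely on it having run yet.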
@ -0,0 +1,32 @@
@@ -0,0 +1,32 @@
|
||||
--- |
||||
|
||||
- name: Add syncthing repo key |
||||
apt_key: |
||||
url: 'https://syncthing.net/release-key.txt' |
||||
state: present |
||||
validate_certs: true |
||||
tags: |
||||
- install |
||||
- apt |
||||
|
||||
- name: Add syncthing apt repo |
||||
apt_repository: |
||||
repo: 'deb https://apt.syncthing.net/ syncthing stable' |
||||
state: present |
||||
filename: 'syncthing' |
||||
update_cache: true |
||||
tags: |
||||
- install |
||||
- apt |
||||
|
||||
- name: Install syncthing packages |
||||
apt: |
||||
name: "{{item}}" |
||||
state: present |
||||
loop: |
||||
- syncthing |
||||
- syncthing-discosrv |
||||
- syncthing-relaysrv |
||||
tags: |
||||
- install |
||||
- apt |
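Review bot: `apt_key` with `state: present` imports the Syncthing release key into apt's global trusted keyring, where it is accepted for every configured repository rather than only apt.syncthing.net, and `apt-key` itself is deprecated on Debian/Ubuntu. Fetch the key into `/usr/share/keyrings` with `get_url` instead and pin it to the repo with `signed-by=` in the `deb` line; recent apt accepts an ASCII-armored key there when the file has a `.asc` extension (confirm on the target release, or dearmor it into a binary keyring). Passing the package list to `name:` in a single `apt` call also installs the three packages in one transaction instead of a loop.
```yaml
- name: Add syncthing repo key
  get_url:
    url: 'https://syncthing.net/release-key.txt'
    dest: /usr/share/keyrings/syncthing-archive-keyring.asc
    owner: root
    group: root
    mode: "0644"
    validate_certs: true
  # … unchanged: tags …

- name: Add syncthing apt repo
  apt_repository:
    repo: 'deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.asc] https://apt.syncthing.net/ syncthing stable'
  # … unchanged: state, filename, update_cache, tags …

- name: Install syncthing packages
  apt:
    name:
      - syncthing
      - syncthing-discosrv
      - syncthing-relaysrv
    state: present
  # … unchanged: tags …
```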
@ -0,0 +1,58 @@
@@ -0,0 +1,58 @@
|
||||
--- |
||||
|
||||
- name: Create syncthing discosrv folders |
||||
file: |
||||
path: "{{ item }}" |
||||
state: directory |
||||
owner: root |
||||
group: root |
||||
mode: 0755 |
||||
loop: |
||||
- "/etc/systemd/system/stdiscosrv.service.d/" |
||||
tags: |
||||
- install |
||||
- discosrv |
||||
|
||||
- name: Configure syncthing discovery server |
||||
template: |
||||
src: "{{item.src}}" |
||||
dest: "{{item.dest}}" |
||||
owner: root |
||||
group: root |
||||
mode: 0755 |
||||
loop: |
||||
- { src: "syncthing-discosrv-tmpfiles.conf.j2", |
||||
dest: "/etc/tmpfiles.d/syncthing-discosrv.conf" } |
||||
- { src: "syncthing-discosrv-override.conf.j2", |
||||
dest: "/etc/systemd/system/stdiscosrv.service.d/exec-override.conf" } |
||||
#- { src: "syncthing-discosrv.service.j2", |
||||
# dest: "/etc/systemd/system/syncthing-discosrv.service" } |
||||
notify: |
||||
"apply systemd-tmpfiles" |
||||
tags: |
||||
- install |
||||
- discosrv |
||||
|
||||
- name: Install syncthing discosrv nginx frontend |
||||
template: |
||||
src: "syncthing-disco.conf.j2" |
||||
dest: "/etc/nginx/sites-enabled/dual/{{syncthing_disco_domain}}" |
||||
owner: root |
||||
group: root |
||||
mode: 0755 |
||||
tags: |
||||
- install |
||||
- discosrv |
||||
|
||||
- name: Start syncthing discosrv service |
||||
systemd: |
||||
name: stdiscosrv.service |
||||
state: restarted |
||||
enabled: true |
||||
daemon_reload: true |
||||
#name: syncthing-discosrv.service |
||||
notify: |
||||
restart nginx |
||||
tags: |
||||
- install |
||||
- discosrv |
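Review bot: On a fresh host `Start syncthing discosrv service` runs before the `apply systemd-tmpfiles` handler it notified, because handlers only flush at the end of the play, so `/var/lib/syncthing/discosrv` (the `WorkingDirectory` in the drop-in) may not exist yet when `stdiscosrv.service` is restarted and the unit fails to start; relay.yml works around this with an explicit `Run tmpfiles.d` task, so do the same here or put `meta: flush_handlers` before the service task. `notify: restart nginx` is attached to the service task, which always reports changed because of `state: restarted`, so nginx is restarted on every run while an edit to the nginx template alone triggers nothing; move the notify to `Install syncthing discosrv nginx frontend`. The tmpfiles fragment, the systemd drop-in and the nginx site are all installed with `mode: 0755` although none needs the execute bit; `mode: "0644"` is enough and avoids the unquoted-octal lint warning.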
@ -0,0 +1,23 @@
@@ -0,0 +1,23 @@
|
||||
--- |
||||
|
||||
- name: apt tasks |
||||
include_tasks: apt.yml |
||||
tags: |
||||
- apt |
||||
- name: syncthing-user tasks |
||||
include_tasks: syncthing-user.yml |
||||
tags: |
||||
- syncthing-user |
||||
- debug |
||||
- name: relay tasks |
||||
include_tasks: relay.yml |
||||
tags: |
||||
- relay |
||||
- name: discosrv tasks |
||||
include_tasks: discosrv.yml |
||||
tags: |
||||
- discosrv |
||||
- name: syncthing-web tasks |
||||
include_tasks: syncthing-web.yml |
||||
tags: |
||||
- syncthing-web |
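Review bot: Tags on `include_tasks` apply only to the include statement itself, not to the tasks it loads, so `ansible-playbook --tags install` skips every include here (none of them carries `install`) and nothing runs even though each inner task is tagged `install`. Switch to `import_tasks` (static, so tags propagate to the imported tasks) or add `apply: { tags: [install] }` together with an `install` tag on each include. The `debug` tag on the syncthing-user include presumably exists so `--tags debug` reaches the debug task inside it; the same caveat applies there.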
@ -0,0 +1,63 @@
@@ -0,0 +1,63 @@
|
||||
--- |
||||
|
||||
- name: Create syncthing relaysrv folders |
||||
file: |
||||
path: "{{ item }}" |
||||
state: directory |
||||
owner: root |
||||
group: root |
||||
mode: 0755 |
||||
loop: |
||||
- "/etc/systemd/system/strelaysrv.service.d/" |
||||
tags: |
||||
- install |
||||
- relay |
||||
|
||||
- name: Configure syncthing relay server |
||||
template: |
||||
src: "{{item.src}}" |
||||
dest: "{{item.dest}}" |
||||
owner: root |
||||
group: root |
||||
mode: 0755 |
||||
loop: |
||||
- { src: "syncthing-relaysrv-tmpfiles.conf.j2", |
||||
dest: "/etc/tmpfiles.d/syncthing-relaysrv.conf" } |
||||
- { src: syncthing-relaysrv-override.conf.j2, |
||||
dest: /etc/systemd/system/strelaysrv.service.d/env-exec-override.conf } |
||||
#- { src: syncthing-relaysrv.service.j2, |
||||
# dest: /etc/systemd/system/syncthing-relaysrv.service } |
||||
# notify: |
||||
# "apply systemd-tmpfiles" |
||||
tags: |
||||
- install |
||||
- relay |
||||
|
||||
- name: Run tmpfiles.d |
||||
shell: /bin/systemd-tmpfiles --create |
||||
tags: |
||||
- install |
||||
- relay |
||||
|
||||
- name: Open syncthing relay ports |
||||
ufw: |
||||
rule: allow |
||||
port: 22067:22070 |
||||
proto: tcp |
||||
comment: Accept syncthing relay |
||||
tags: |
||||
- install |
||||
- relay |
||||
|
||||
- name: Start syncthing relay service |
||||
systemd: |
||||
name: strelaysrv.service |
||||
state: restarted |
||||
enabled: true |
||||
daemon_reload: true |
||||
#name: syncthing-relaysrv.service |
||||
notify: |
||||
restart nginx |
||||
tags: |
||||
- install |
||||
- relay |
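Review bot: `notify: restart nginx` on `Start syncthing relay service` restarts nginx on every run (the task is always `changed` because of `state: restarted`) although nothing in relay.yml touches nginx; drop the notify and restart `strelaysrv.service` through a handler so it only bounces when its drop-in or tmpfiles config actually changed. The ufw rule opens `22067:22070`, which exposes strelaysrv's status listener on 22070 alongside the relay port 22067; if the status JSON is not meant to be public, restrict the rule to `port: 22067` and keep the status service bound to localhost (strelaysrv takes a `-status-srv` listen address — confirm on the installed version). `mode: 0755` on the tmpfiles fragment and the drop-in should be `"0644"`.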
@ -0,0 +1,126 @@
@@ -0,0 +1,126 @@
|
||||
--- |
||||
|
||||
- name: Check if syncthing user exists |
||||
getent: |
||||
database: passwd |
||||
key: syncthing |
||||
fail_key: false |
||||
register: syncthing_user_already |
||||
ignore_errors: true |
||||
tags: |
||||
- install |
||||
- syncthing-user |
||||
|
||||
- name: Create user for syncthing |
||||
user: |
||||
name: "syncthing" |
||||
comment: "User for syncthing" |
||||
home: "/home/syncthing/" |
||||
state: present |
||||
when: syncthing_user_already != true |
||||
ignore_errors: true |
||||
tags: |
||||
- install |
||||
- syncthing-user |
||||
|
||||
- name: Build syncthing folder list |
||||
set_fact: |
||||
st_folder: "{{ ('syncthing-files/%s/' |format(item)) }}" |
||||
loop: "{{ syncthing_user_repos|flatten(levels=1) }}" |
||||
register: syncthing_folders |
||||
tags: |
||||
- install |
||||
- syncthing-user |
||||
|
||||
- debug: |
||||
msg: "{{syncthing_folders.results\ |
||||
|map(attribute='ansible_facts.st_folder')|list}}" |
||||
tags: |
||||
- debug |
||||
|
||||
- name: Create syncthing folders |
||||
file: |
||||
path: "{{'/home/syncthing/' + item}}" |
||||
state: directory |
||||
owner: syncthing |
||||
group: syncthing |
||||
mode: 0755 |
||||
loop: "{{(\ |
||||
['.config/syncthing/']\ |
||||
+ syncthing_folders.results\ |
||||
|map(attribute='ansible_facts.st_folder')\ |
||||
|list\ |
||||
)|list}}" |
||||
tags: |
||||
- install |
||||
- syncthing-user |
||||
|
||||
- name: Set up syncthing config |
||||
copy: |
||||
src: "{{playbook_dir}}/../files/roles/syncthing/{{item}}" |
||||
dest: "/home/syncthing/.config/syncthing/{{item}}" |
||||
owner: syncthing |
||||
group: syncthing |
||||
mode: 0600 |
||||
loop: |
||||
- cert.pem |
||||
# - config.xml |
||||
- csrftokens.txt |
||||
- key.pem |
||||
tags: |
||||
- install |
||||
- syncthing-user |
||||
|
||||
- name: Set up syncthing config.xml (only do this if you're sure) |
||||
copy: |
||||
src: "{{playbook_dir}}/../files/roles/syncthing/{{item}}" |
||||
dest: "/home/syncthing/.config/syncthing/{{item}}" |
||||
owner: syncthing |
||||
group: syncthing |
||||
mode: 0600 |
||||
when: "syncthing_override_config_xml|bool == true" |
||||
loop: |
||||
- config.xml |
||||
tags: |
||||
- install |
||||
- syncthing-user |
||||
|
||||
- name: Create syncthing user config folders |
||||
file: |
||||
path: "{{ item }}" |
||||
state: directory |
||||
owner: root |
||||
group: root |
||||
mode: 0755 |
||||
loop: |
||||
- "/etc/systemd/system/syncthing@.service.d/" |
||||
tags: |
||||
- install |
||||
- syncthing-user |
||||
|
||||
- name: Configure syncthing user service |
||||
template: |
||||
src: "{{item.src}}" |
||||
dest: "{{item.dest}}" |
||||
owner: root |
||||
group: root |
||||
mode: 0755 |
||||
loop: |
||||
- { src: syncthing-user-override.conf.j2, |
||||
dest: /etc/systemd/system/syncthing@.service.d/user-override.conf } |
||||
# notify: |
||||
# "apply systemd-tmpfiles" |
||||
tags: |
||||
- install |
||||
- syncthing-user |
||||
|
||||
- name: Start syncthing user service |
||||
systemd: |
||||
name: "syncthing@syncthing.service" |
||||
enabled: true |
||||
state: restarted |
||||
daemon_reload: true |
||||
tags: |
||||
- install |
||||
- update |
||||
- syncthing-user |
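Review bot: The guard `when: syncthing_user_already != true` is always true, because `getent` registers a result dict that never equals a boolean, so `Create user for syncthing` runs unconditionally and its `ignore_errors: true` hides a genuine failure to create the account; `user:` is idempotent on its own, so drop the getent task, the `when` and the `ignore_errors`. `/home/syncthing/.config/syncthing/` is created with `mode: 0755` but then receives `key.pem`, `cert.pem` and optionally a `config.xml` that, per the README, carries the GUI user and bcrypt password; create that directory with `mode: "0700"`. `key.pem` and `csrftokens.txt` are copied from a plain `files/` directory on the controller — if that tree is not vault-encrypted, the device private key sits in cleartext in the repository; deliver it from a vaulted variable via `copy: content:` with `no_log: true` instead.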
@ -0,0 +1,25 @@
@@ -0,0 +1,25 @@
|
||||
--- |
||||
|
||||
- name: Install syncthing nginx web frontend |
||||
template: |
||||
src: "syncthing-web.conf.j2" |
||||
dest: "/etc/nginx/sites-enabled/dual/{{syncthing_domain}}" |
||||
owner: root |
||||
group: root |
||||
mode: 0755 |
||||
notify: |
||||
restart nginx |
||||
tags: |
||||
- install |
||||
- syncthing-web |
||||
|
||||
- name: Create htpasswd-common file |
||||
copy: |
||||
content: "{{secret_htpasswd_common}}" |
||||
dest: "/etc/nginx/secrets/htpasswd-common" |
||||
owner: root |
||||
group: root |
||||
mode: 0755 |
||||
tags: |
||||
- install |
||||
- syncthing-web |
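Review bot: `Create htpasswd-common file` writes the basic-auth credential file with `mode: 0755`, i.e. world-readable (and executable) password hashes under `/etc/nginx/secrets/`; nginx only needs its worker user to read it, so use `mode: "0640"` with `group:` set to the worker group (`www-data` on Debian/Ubuntu — confirm against the nginx role this depends on). Because `content:` is the secret itself, add `no_log: true` so a `--diff` or verbose run does not print the hashes. The nginx site template does not need `0755` either; `"0644"` is enough.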
@ -0,0 +1,57 @@
@@ -0,0 +1,57 @@
|
||||
upstream {{syncthing_disco_domain}} { |
||||
# Local IP address:port for discovery server |
||||
#server 192.0.2.1:8443; |
||||
server 127.0.0.1:{{syncthing_disco_http_port|default('8443')}}; |
||||
} |
||||
|
||||
server { |
||||
listen 80; |
||||
listen [::]:80; |
||||
server_name {{syncthing_disco_domain}}; |
||||
include /etc/nginx/snippets/acme-challenge.conf; |
||||
rewrite ^ https://$http_host$request_uri? permanent; |
||||
} |
||||
|
||||
server { |
||||
listen 443 ssl http2; |
||||
listen [::]:443 ssl http2; |
||||
server_name {{syncthing_disco_domain}}; |
||||
ssl_certificate /etc/dehydrated/certs/{{syncthing_disco_cert_domain}}/fullchain.pem; |
||||
ssl_certificate_key /etc/dehydrated/certs/{{syncthing_disco_cert_domain}}/privkey.pem; |
||||
include /etc/nginx/snippets/tls.conf; |
||||
|
||||
access_log /var/log/nginx/{{syncthing_disco_domain}}.access.log timed_combined; |
||||
error_log /var/log/nginx/{{syncthing_disco_domain}}.error.log; |
||||
|
||||
include /etc/nginx/snippets/acme-challenge.conf; |
||||
|
||||
include /etc/nginx/snippets/spam.conf; |
||||
|
||||
# See https://docs.syncthing.net/users/stdiscosrv.html |
||||
#proxy_set_header Connection $connection_upgrade; |
||||
#proxy_set_header Connection $proxy_connection; |
||||
#proxy_set_header Host $http_host; |
||||
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; |
||||
#proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; |
||||
#proxy_set_header X-Forwarded-Proto $scheme; |
||||
|
||||
ssl_verify_client optional_no_ca; |
||||
|
||||
#location /v2 { |
||||
location / { |
||||
proxy_pass http://{{syncthing_disco_domain}}; |
||||
# HTTP 1.1 support |
||||
proxy_http_version 1.1; |
||||
proxy_buffering off; |
||||
proxy_set_header Host $http_host; |
||||
proxy_set_header Upgrade $http_upgrade; |
||||
proxy_set_header X-Forwarded-For $remote_addr; |
||||
proxy_set_header X-Real-IP $remote_addr; |
||||
proxy_set_header X-SSL-Cert $ssl_client_cert; |
||||
client_max_body_size 0; |
||||
proxy_connect_timeout 36000s; |
||||
proxy_read_timeout 36000s; |
||||
proxy_send_timeout 36000s; |
||||
send_timeout 36000s; |
||||
} |
||||
} |
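Review bot: The port-80 server redirects with `rewrite ^ https://$http_host$request_uri? permanent;`, which copies the client-supplied Host header into the Location response and lets a crafted request produce a redirect to an arbitrary host; since this server has a single `server_name`, use `return 301 https://$server_name$request_uri;`. A server-level `rewrite ... permanent` is also processed before location lookup, so if `/etc/nginx/snippets/acme-challenge.conf` defines a `/.well-known/acme-challenge/` location, http-01 challenges are redirected to HTTPS before they reach it — a problem on a host whose certificate is not yet issued (confirm against the snippet, which is outside this commit). The `ssl_verify_client optional_no_ca` / `X-SSL-Cert $ssl_client_cert` pairing matches the proxied stdiscosrv setup the comment links to.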
@ -0,0 +1,18 @@
@@ -0,0 +1,18 @@
|
||||
# /etc/systemd/system/stdiscosrv.service.d/override.conf |
||||
|
||||
[Service] |
||||
User= |
||||
User=syncthing |
||||
Group= |
||||
Group=syncthing |
||||
WorkingDirectory=/var/lib/syncthing/discosrv |
||||
ReadWritePaths= |
||||
ReadWritePaths=/var/lib/syncthing/discosrv |
||||
ExecStart= |
||||
ExecStart=/usr/bin/stdiscosrv -listen="127.0.0.1:{{syncthing_disco_http_port|default('8443')}}" -http |
||||
|
||||
# Already set by ubuntu-shipped default unit |
||||
#PrivateDevices=true |
||||
#ProtectSystem=full |
||||
#ProtectHome=true |
||||
#NoNewPrivileges=true |
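Review bot: The drop-in relies on `PrivateDevices`, `ProtectSystem`, `ProtectHome` and `NoNewPrivileges` being supplied by the distribution unit (trailing comment), but apt.yml installs `syncthing-discosrv` from apt.syncthing.net, whose unit may not match the Ubuntu-packaged one; drop-ins merge, so uncommenting those four lines makes the hardening explicit at no cost and keeps it if the packaged unit changes. The header comment names `override.conf` while discosrv.yml installs this file as `stdiscosrv.service.d/exec-override.conf`; align the comment with the real path.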
@ -0,0 +1 @@
@@ -0,0 +1 @@
|
||||
d /var/lib/syncthing/discosrv 0770 syncthing syncthing - |
@ -0,0 +1,15 @@
@@ -0,0 +1,15 @@
|
||||
# Unused, we are instead overriding stdiscosrv.service |
||||
|
||||
[Unit] |
||||
Description=Syncthing discovery server |
||||
After=network.target |
||||
|
||||
[Service] |
||||
User=syncthing |
||||
Group=syncthing |
||||
ExecStart=/usr/bin/stdiscosrv -http |
||||
Restart=on-failure |
||||
SuccessExitStatus=2 |
||||
|
||||
[Install] |
||||
WantedBy=multi-user.target |
@ -0,0 +1,18 @@
@@ -0,0 +1,18 @@
|
||||
# /etc/systemd/system/strelaysrv.service.d/override.conf |
||||
|
||||
[Service] |
||||
User= |
||||
User=syncthing |
||||
Group= |
||||
Group=syncthing |
||||
WorkingDirectory=/var/lib/syncthing/relaysrv |
||||
ReadWritePaths= |
||||
ReadWritePaths=/var/lib/syncthing/relaysrv |
||||
ExecStart= |
||||
ExecStart=/usr/bin/strelaysrv -nat={{ syncthing_relay_nat|default('true') }} -global-rate {{syncthing_relay_rate|default('500000')}}{% if syncthing_relay_provided_by %} -provided-by="{{syncthing_relay_provided_by}}"{% endif %} ${STRELAYSRV_OPTS} |
||||
|
||||
# Already set by ubuntu-shipped default unit |
||||
#PrivateDevices=true |
||||
#ProtectSystem=full |
||||
#ProtectHome=true |
||||
#NoNewPrivileges=true |
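Review bot: `strelaysrv` registers with the public relay pool by default unless `-pools` is set to an empty string, so this ExecStart advertises the relay publicly and lets arbitrary Syncthing devices route traffic through it; if this is meant as a private relay, add `-pools ""` to the command line (confirm the flag against `strelaysrv -help` on the installed version). `${STRELAYSRV_OPTS}` is referenced without any `EnvironmentFile=` in this drop-in, so it is only populated if the packaged unit defines one — worth a comment so the dependency is visible. As in the discosrv drop-in, the `PrivateDevices`, `ProtectSystem`, `ProtectHome` and `NoNewPrivileges` lines should be uncommented rather than assumed from the distribution unit.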
@ -0,0 +1 @@
@@ -0,0 +1 @@
|
||||
d /var/lib/syncthing/relaysrv 0770 syncthing syncthing - |
@ -0,0 +1,15 @@
@@ -0,0 +1,15 @@
|
||||
# Unused, we are instead overriding strelaysrv.service |
||||
|
||||
[Unit] |
||||
Description=Syncthing relay server |
||||
After=network.target |
||||
|
||||
[Service] |
||||
WorkingDirectory=/var/lib/syncthing/relaysrv |
||||
User=syncthing |
||||
Group=syncthing |
||||
ExecStart=/usr/bin/strelaysrv |
||||
Restart=on-failure |
||||
|
||||
[Install] |
||||
WantedBy=multi-user.target |
@ -0,0 +1 @@
@@ -0,0 +1 @@
|
||||
d /var/lib/syncthing/ 0770 syncthing syncthing - |
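Review bot: No task in this commit installs this tmpfiles fragment (discosrv.yml and relay.yml deploy only `syncthing-discosrv-tmpfiles.conf` and `syncthing-relaysrv-tmpfiles.conf`), so `/var/lib/syncthing/` is never created from it; the `discosrv` and `relaysrv` child entries then work only if systemd-tmpfiles creates missing parent directories, and presumably with default root-owned 0755 rather than this `0770 syncthing syncthing` — confirm on the target. Either add a task that deploys this file to `/etc/tmpfiles.d/` ahead of the other two, or delete it.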
@ -0,0 +1,12 @@
@@ -0,0 +1,12 @@
|
||||
# /etc/systemd/system/syncthing@syncthing.service.d/override.conf |
||||
|
||||
[Service] |
||||
Environemnt="HOME=/home/syncthing" |
||||
Environment="XDG_CONFIG_HOME=/home/syncthing/.config" |
||||
ExecStart= |
||||
ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0 -home="/home/syncthing/.config/syncthing" -gui-address=127.0.0.1:{{syncthing_web_port|default('8384')}} |
||||
|
||||
PrivateDevices=true |
||||
# ProtectSystem=full |
||||
# ProtectHome=true |
||||
NoNewPrivileges=true |
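Review bot: `Environemnt="HOME=/home/syncthing"` is misspelled, so systemd ignores the line (with an unknown-key warning) and HOME is never set for the service; fix it to `Environment="HOME=/home/syncthing"`. The header comment names `syncthing@syncthing.service.d/override.conf`, but syncthing-user.yml installs this file into `syncthing@.service.d/user-override.conf`, which applies to every instance of the template unit while the ExecStart hardcodes `/home/syncthing`; either install it under the instance-specific directory or document that only the `syncthing` instance is supported.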
@ -0,0 +1,37 @@
@@ -0,0 +1,37 @@
|
||||
server { |
||||
listen 80; |
||||
listen [::]:80; |
||||
server_name {{syncthing_domain}}; |
||||
rewrite ^ https://$http_host$request_uri? permanent; |
||||
} |
||||
|
||||
server { |
||||
listen 443 ssl http2; |
||||
listen [::]:443 ssl http2; |
||||
server_name {{syncthing_domain}}; |
||||
ssl_certificate /etc/dehydrated/certs/{{syncthing_cert_domain}}/fullchain.pem; |
||||
ssl_certificate_key /etc/dehydrated/certs/{{syncthing_cert_domain}}/privkey.pem; |
||||
include /etc/nginx/snippets/tls.conf; |
||||
|
||||
access_log off; |
||||
error_log off; |
||||
|
||||
include /etc/nginx/snippets/acme-challenge.conf; |
||||
|
||||
include /etc/nginx/snippets/spam.conf; |
||||
|
||||
include /etc/nginx/snippets/favicon.conf; |
||||
|
||||
location / { |
||||
auth_basic "syncthing prompt"; |
||||
auth_basic_user_file /etc/nginx/secrets/htpasswd-common; |
||||
proxy_pass http://127.0.0.1:{{syncthing_web_port|default('8384')}}; |
||||
proxy_set_header X-Forwarded-For $remote_addr; |
||||
client_max_body_size 0; |
||||
proxy_connect_timeout 36000s; |
||||
proxy_read_timeout 36000s; |
||||
proxy_send_timeout 36000s; |
||||
send_timeout 36000s; |
||||
proxy_request_buffering off; |
||||
} |
||||
} |
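Review bot: `error_log off;` does not disable logging in nginx — `off` is taken as a filename, so errors are written to a file named `off` in the nginx prefix directory; use `error_log /dev/null crit;` or keep a real per-site error log as the discovery vhost does. The port-80 redirect `rewrite ^ https://$http_host$request_uri? permanent;` reflects the client-supplied Host header into the Location response; with a single `server_name`, `return 301 https://$server_name$request_uri;` is safer. Basic auth on `location /` is a sound extra layer in front of the GUI, but the `auth_basic_user_file` it reads is created world-readable (`mode: 0755`) by syncthing-web.yml, so that file's mode needs tightening for the protection to mean much.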