
Initial commit

master
Felix 2 years ago
commit
8933044c46
  1. 9
      README.md
  2. 13
      defaults/main.yml
  3. 10
      handlers/main.yml
  4. 32
      tasks/apt.yml
  5. 58
      tasks/discosrv.yml
  6. 23
      tasks/main.yml
  7. 63
      tasks/relay.yml
  8. 126
      tasks/syncthing-user.yml
  9. 25
      tasks/syncthing-web.yml
  10. 57
      templates/syncthing-disco.conf.j2
  11. 18
      templates/syncthing-discosrv-override.conf.j2
  12. 1
      templates/syncthing-discosrv-tmpfiles.conf.j2
  13. 15
      templates/syncthing-discosrv.service.j2
  14. 18
      templates/syncthing-relaysrv-override.conf.j2
  15. 1
      templates/syncthing-relaysrv-tmpfiles.conf.j2
  16. 15
      templates/syncthing-relaysrv.service.j2
  17. 1
      templates/syncthing-tmpfiles.conf.j2
  18. 12
      templates/syncthing-user-override.conf.j2
  19. 37
      templates/syncthing-web.conf.j2

9
README.md

@ -0,0 +1,9 @@
# Syncthing ansible role
Depends on unreleased nginx role
- Edit config.xml for user and bcrypt password
- Copy key and cert both as .pem files into .config/syncthing
- Set up port 8080
- Write a systemd unit file, user is e.g. obst (syncthing@obst.service), enable
it

13
defaults/main.yml

@ -0,0 +1,13 @@
---
syncthing_disco_domain: disco.example.com
syncthing_disco_cert_domain: "{{syncthing_disco_domain}}"
syncthing_disco_http_port: 8443
syncthing_domain: syncthing.example.com
syncthing_cert_domain: "{{syncthing_domain}}"
syncthing_user_repos: []
syncthing_web_port: 8384
syncthing_relay_provided_by: ''
syncthing_relay_rate: 500000
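Review bot: `syncthing_override_config_xml` is referenced by the `when:` on the config.xml copy task in tasks/syncthing-user.yml but has no default here, so unless the play defines it the `|bool` test raises an undefined-variable error instead of skipping the task; add `syncthing_override_config_xml: false` to this file. `syncthing_relay_nat` is likewise only defaulted through a `default('true')` filter inside the relaysrv override template; declaring `syncthing_relay_nat: true` here keeps the role's tunables in one place. `secret_htpasswd_common`, consumed by tasks/syncthing-web.yml, is presumably meant to come from vaulted inventory and is deliberately absent, which deserves a line, `# secret_htpasswd_common must be supplied by the inventory (vaulted)`.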

10
handlers/main.yml

@ -0,0 +1,10 @@
---
- name: restart nginx
systemd:
name: nginx
state: restarted
daemon_reload: true
- name: apply systemd-tmpfiles
shell: systemd-tmpfiles --create
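Review bot: `apply systemd-tmpfiles` runs a fixed command line with no shell features through `shell:`, so `command: systemd-tmpfiles --create` is the conventional and safer form. The `restart nginx` handler sets `daemon_reload: true`, which reloads systemd's unit set on every nginx restart although nothing in this role writes an nginx unit; it looks borrowed from the syncthing service tasks and can be dropped here. tasks/relay.yml does not notify this handler but runs systemd-tmpfiles as a plain task instead, so using the handler in both places would make the role consistent.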

32
tasks/apt.yml

@ -0,0 +1,32 @@
---
- name: Add syncthing repo key
apt_key:
url: 'https://syncthing.net/release-key.txt'
state: present
validate_certs: true
tags:
- install
- apt
- name: Add syncthing apt repo
apt_repository:
repo: 'deb https://apt.syncthing.net/ syncthing stable'
state: present
filename: 'syncthing'
update_cache: true
tags:
- install
- apt
- name: Install syncthing packages
apt:
name: "{{item}}"
state: present
loop:
- syncthing
- syncthing-discosrv
- syncthing-relaysrv
tags:
- install
- apt
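Review bot: `Install syncthing packages` loops the `apt` module over three package names, which invokes the module three times with a cache check each; the module accepts a list, so `name: [syncthing, syncthing-discosrv, syncthing-relaysrv]` with the `loop:` removed installs them in one transaction. `apt_key` fetches the release key over HTTPS with `validate_certs: true`, which is the right default and worth a short comment so nobody relaxes it, `# release key is fetched over TLS; keep validate_certs on`.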

58
tasks/discosrv.yml

@ -0,0 +1,58 @@
---
- name: Create syncthing discosrv folders
file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: 0755
loop:
- "/etc/systemd/system/stdiscosrv.service.d/"
tags:
- install
- discosrv
- name: Configure syncthing discovery server
template:
src: "{{item.src}}"
dest: "{{item.dest}}"
owner: root
group: root
mode: 0755
loop:
- { src: "syncthing-discosrv-tmpfiles.conf.j2",
dest: "/etc/tmpfiles.d/syncthing-discosrv.conf" }
- { src: "syncthing-discosrv-override.conf.j2",
dest: "/etc/systemd/system/stdiscosrv.service.d/exec-override.conf" }
#- { src: "syncthing-discosrv.service.j2",
# dest: "/etc/systemd/system/syncthing-discosrv.service" }
notify:
"apply systemd-tmpfiles"
tags:
- install
- discosrv
- name: Install syncthing discosrv nginx frontend
template:
src: "syncthing-disco.conf.j2"
dest: "/etc/nginx/sites-enabled/dual/{{syncthing_disco_domain}}"
owner: root
group: root
mode: 0755
tags:
- install
- discosrv
- name: Start syncthing discosrv service
systemd:
name: stdiscosrv.service
state: restarted
enabled: true
daemon_reload: true
#name: syncthing-discosrv.service
notify:
restart nginx
tags:
- install
- discosrv
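Review bot: The three templated files in this hunk (the tmpfiles fragment, the stdiscosrv drop-in and the nginx site file) are written with `mode: 0755`, yet none of them is executed; plain configuration should get `mode: "0644"`, quoted so the YAML parser does not reinterpret the leading-zero octal. The same `0755` on configuration files appears in tasks/relay.yml, tasks/syncthing-user.yml and tasks/syncthing-web.yml. Separately, `notify: restart nginx` is attached to `Start syncthing discosrv service`, a `state: restarted` task that reports changed and fires the handler on every run; it belongs on `Install syncthing discosrv nginx frontend`, whose template is the file nginx actually reads. The systemd task could then use `state: started` and its own handler so stdiscosrv is only restarted when its drop-in changes.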

23
tasks/main.yml

@ -0,0 +1,23 @@
---
- name: apt tasks
include_tasks: apt.yml
tags:
- apt
- name: syncthing-user tasks
include_tasks: syncthing-user.yml
tags:
- syncthing-user
- debug
- name: relay tasks
include_tasks: relay.yml
tags:
- relay
- name: discosrv tasks
include_tasks: discosrv.yml
tags:
- discosrv
- name: syncthing-web tasks
include_tasks: syncthing-web.yml
tags:
- syncthing-web
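Review bot: Tags on `include_tasks` apply to the include statement itself, not to the tasks it pulls in, so a run with `--tags install` skips all five includes (none carries the `install` tag) and the role does nothing, while `--tags relay` only works because relay.yml tags its own tasks. Changing each `include_tasks:` to `import_tasks:` makes the tags inherit statically; alternatively keep `include_tasks` and add `apply: { tags: [install, apt] }` and so on per include. The `debug` tag on `syncthing-user tasks` looks like a leftover from developing the folder-list task and can probably be removed.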

63
tasks/relay.yml

@ -0,0 +1,63 @@
---
- name: Create syncthing relaysrv folders
file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: 0755
loop:
- "/etc/systemd/system/strelaysrv.service.d/"
tags:
- install
- relay
- name: Configure syncthing relay server
template:
src: "{{item.src}}"
dest: "{{item.dest}}"
owner: root
group: root
mode: 0755
loop:
- { src: "syncthing-relaysrv-tmpfiles.conf.j2",
dest: "/etc/tmpfiles.d/syncthing-relaysrv.conf" }
- { src: syncthing-relaysrv-override.conf.j2,
dest: /etc/systemd/system/strelaysrv.service.d/env-exec-override.conf }
#- { src: syncthing-relaysrv.service.j2,
# dest: /etc/systemd/system/syncthing-relaysrv.service }
# notify:
# "apply systemd-tmpfiles"
tags:
- install
- relay
- name: Run tmpfiles.d
shell: /bin/systemd-tmpfiles --create
tags:
- install
- relay
- name: Open syncthing relay ports
ufw:
rule: allow
port: 22067:22070
proto: tcp
comment: Accept syncthing relay
tags:
- install
- relay
- name: Start syncthing relay service
systemd:
name: strelaysrv.service
state: restarted
enabled: true
daemon_reload: true
#name: syncthing-relaysrv.service
notify:
restart nginx
tags:
- install
- relay
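Review bot: `Start syncthing relay service` notifies `restart nginx`, but nothing in this file writes an nginx configuration (the relay is reached directly on the ufw-opened ports), and because the task uses `state: restarted` it reports changed every run, so nginx is restarted on every play; drop the `notify:` here and use `state: started` with a dedicated handler for strelaysrv when its drop-in changes. `Run tmpfiles.d` re-implements the `apply systemd-tmpfiles` handler as an always-changed `shell` task while the `notify:` above it is commented out; restoring `notify: apply systemd-tmpfiles` on the template task and deleting the shell task keeps this consistent with tasks/discosrv.yml. `port: 22067:22070` should be quoted, `port: "22067:22070"`, so no loader tries to read the colon-separated value as a number.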

126
tasks/syncthing-user.yml

@ -0,0 +1,126 @@
---
- name: Check if syncthing user exists
getent:
database: passwd
key: syncthing
fail_key: false
register: syncthing_user_already
ignore_errors: true
tags:
- install
- syncthing-user
- name: Create user for syncthing
user:
name: "syncthing"
comment: "User for syncthing"
home: "/home/syncthing/"
state: present
when: syncthing_user_already != true
ignore_errors: true
tags:
- install
- syncthing-user
- name: Build syncthing folder list
set_fact:
st_folder: "{{ ('syncthing-files/%s/' |format(item)) }}"
loop: "{{ syncthing_user_repos|flatten(levels=1) }}"
register: syncthing_folders
tags:
- install
- syncthing-user
- debug:
msg: "{{syncthing_folders.results\
|map(attribute='ansible_facts.st_folder')|list}}"
tags:
- debug
- name: Create syncthing folders
file:
path: "{{'/home/syncthing/' + item}}"
state: directory
owner: syncthing
group: syncthing
mode: 0755
loop: "{{(\
['.config/syncthing/']\
+ syncthing_folders.results\
|map(attribute='ansible_facts.st_folder')\
|list\
)|list}}"
tags:
- install
- syncthing-user
- name: Set up syncthing config
copy:
src: "{{playbook_dir}}/../files/roles/syncthing/{{item}}"
dest: "/home/syncthing/.config/syncthing/{{item}}"
owner: syncthing
group: syncthing
mode: 0600
loop:
- cert.pem
# - config.xml
- csrftokens.txt
- key.pem
tags:
- install
- syncthing-user
- name: Set up syncthing config.xml (only do this if you're sure)
copy:
src: "{{playbook_dir}}/../files/roles/syncthing/{{item}}"
dest: "/home/syncthing/.config/syncthing/{{item}}"
owner: syncthing
group: syncthing
mode: 0600
when: "syncthing_override_config_xml|bool == true"
loop:
- config.xml
tags:
- install
- syncthing-user
- name: Create syncthing user config folders
file:
path: "{{ item }}"
state: directory
owner: root
group: root
mode: 0755
loop:
- "/etc/systemd/system/syncthing@.service.d/"
tags:
- install
- syncthing-user
- name: Configure syncthing user service
template:
src: "{{item.src}}"
dest: "{{item.dest}}"
owner: root
group: root
mode: 0755
loop:
- { src: syncthing-user-override.conf.j2,
dest: /etc/systemd/system/syncthing@.service.d/user-override.conf }
# notify:
# "apply systemd-tmpfiles"
tags:
- install
- syncthing-user
- name: Start syncthing user service
systemd:
name: "syncthing@syncthing.service"
enabled: true
state: restarted
daemon_reload: true
tags:
- install
- update
- syncthing-user
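Review bot: `when: syncthing_user_already != true` compares the registered getent result, a dict, with a boolean, so it is always true and `Create user for syncthing` runs regardless of the lookup; since the `user` module is idempotent on its own, the getent task and the `when:` can be dropped, and with them the `ignore_errors: true` on the create task, which currently hides a genuine failure to create the account everything below depends on. `home: "/home/syncthing/"` carries a trailing slash that ends up in the account's home field; `home: /home/syncthing` matches the paths used by the other tasks. `Set up syncthing config.xml (only do this if you're sure)` explains itself only in its name; a comment such as `# overwrites the live config.xml, including device IDs and GUI credentials — opt in via syncthing_override_config_xml` would make the risk explicit.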

25
tasks/syncthing-web.yml

@ -0,0 +1,25 @@
---
- name: Install syncthing nginx web frontend
template:
src: "syncthing-web.conf.j2"
dest: "/etc/nginx/sites-enabled/dual/{{syncthing_domain}}"
owner: root
group: root
mode: 0755
notify:
restart nginx
tags:
- install
- syncthing-web
- name: Create htpasswd-common file
copy:
content: "{{secret_htpasswd_common}}"
dest: "/etc/nginx/secrets/htpasswd-common"
owner: root
group: root
mode: 0755
tags:
- install
- syncthing-web
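Review bot: `Create htpasswd-common file` writes the password-hash file with `mode: 0755`, so every local account can read the hashes and the file is marked executable; it should be `mode: "0640"` owned by root with `group:` set to the account nginx's workers run as (www-data on Debian/Ubuntu, to be confirmed against the nginx role). The content comes from `secret_htpasswd_common`, so the task should also carry `no_log: true` to keep the hashes out of play output and logs. The task assumes `/etc/nginx/secrets/` already exists; if the nginx role does not create it, a preceding `file:` task with `state: directory` and `mode: "0750"` is needed.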

57
templates/syncthing-disco.conf.j2

@ -0,0 +1,57 @@
upstream {{syncthing_disco_domain}} {
# Local IP address:port for discovery server
#server 192.0.2.1:8443;
server 127.0.0.1:{{syncthing_disco_http_port|default('8443')}};
}
server {
listen 80;
listen [::]:80;
server_name {{syncthing_disco_domain}};
include /etc/nginx/snippets/acme-challenge.conf;
rewrite ^ https://$http_host$request_uri? permanent;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{syncthing_disco_domain}};
ssl_certificate /etc/dehydrated/certs/{{syncthing_disco_cert_domain}}/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/{{syncthing_disco_cert_domain}}/privkey.pem;
include /etc/nginx/snippets/tls.conf;
access_log /var/log/nginx/{{syncthing_disco_domain}}.access.log timed_combined;
error_log /var/log/nginx/{{syncthing_disco_domain}}.error.log;
include /etc/nginx/snippets/acme-challenge.conf;
include /etc/nginx/snippets/spam.conf;
# See https://docs.syncthing.net/users/stdiscosrv.html
#proxy_set_header Connection $connection_upgrade;
#proxy_set_header Connection $proxy_connection;
#proxy_set_header Host $http_host;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
#proxy_set_header X-Forwarded-Proto $scheme;
ssl_verify_client optional_no_ca;
#location /v2 {
location / {
proxy_pass http://{{syncthing_disco_domain}};
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-SSL-Cert $ssl_client_cert;
client_max_body_size 0;
proxy_connect_timeout 36000s;
proxy_read_timeout 36000s;
proxy_send_timeout 36000s;
send_timeout 36000s;
}
}
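Review bot: `ssl_verify_client optional_no_ca;` in the 443 server disables CA validation of client certificates, which looks alarming without context but is deliberate here: Syncthing device certificates are self-signed and stdiscosrv authenticates a device from the PEM forwarded in `X-SSL-Cert`, not from a CA chain. A comment on that line, `# intentional: device certs are self-signed; stdiscosrv validates the forwarded X-SSL-Cert itself`, would stop the next reader from "fixing" it. `proxy_set_header Upgrade $http_upgrade;` is sent without a matching `Connection` header (the candidates are commented out above), so as written it has no effect; either add `proxy_set_header Connection "upgrade";` or drop the Upgrade line, and the commented-out header block is worth pruning to what is actually used.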

18
templates/syncthing-discosrv-override.conf.j2

@ -0,0 +1,18 @@
# /etc/systemd/system/stdiscosrv.service.d/override.conf
[Service]
User=
User=syncthing
Group=
Group=syncthing
WorkingDirectory=/var/lib/syncthing/discosrv
ReadWritePaths=
ReadWritePaths=/var/lib/syncthing/discosrv
ExecStart=
ExecStart=/usr/bin/stdiscosrv -listen="127.0.0.1:{{syncthing_disco_http_port|default('8443')}}" -http
# Already set by ubuntu-shipped default unit
#PrivateDevices=true
#ProtectSystem=full
#ProtectHome=true
#NoNewPrivileges=true
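Review bot: The header comment names `/etc/systemd/system/stdiscosrv.service.d/override.conf`, but tasks/discosrv.yml installs this template as `exec-override.conf` in that directory; the comment should read `# /etc/systemd/system/stdiscosrv.service.d/exec-override.conf`. The same mismatch is in templates/syncthing-relaysrv-override.conf.j2 (installed as `env-exec-override.conf`) and templates/syncthing-user-override.conf.j2 (installed into `syncthing@.service.d/` as `user-override.conf`). `# Already set by ubuntu-shipped default unit` is the only thing standing behind the commented-out sandboxing directives, yet tasks/apt.yml installs the packages from apt.syncthing.net rather than Ubuntu; unless the upstream unit is confirmed to carry them, uncommenting `PrivateDevices`, `ProtectSystem`, `ProtectHome` and `NoNewPrivileges` here makes the hardening independent of whichever unit the package ships.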

1
templates/syncthing-discosrv-tmpfiles.conf.j2

@ -0,0 +1 @@
d /var/lib/syncthing/discosrv 0770 syncthing syncthing -

15
templates/syncthing-discosrv.service.j2

@ -0,0 +1,15 @@
# Unused, we are instead overriding stdiscosrv.service
[Unit]
Description=Syncthing discovery server
After=network.target
[Service]
User=syncthing
Group=syncthing
ExecStart=/usr/bin/stdiscosrv -http
Restart=on-failure
SuccessExitStatus=2
[Install]
WantedBy=multi-user.target

18
templates/syncthing-relaysrv-override.conf.j2

@ -0,0 +1,18 @@
# /etc/systemd/system/strelaysrv.service.d/override.conf
[Service]
User=
User=syncthing
Group=
Group=syncthing
WorkingDirectory=/var/lib/syncthing/relaysrv
ReadWritePaths=
ReadWritePaths=/var/lib/syncthing/relaysrv
ExecStart=
ExecStart=/usr/bin/strelaysrv -nat={{ syncthing_relay_nat|default('true') }} -global-rate {{syncthing_relay_rate|default('500000')}}{% if syncthing_relay_provided_by %} -provided-by="{{syncthing_relay_provided_by}}"{% endif %} ${STRELAYSRV_OPTS}
# Already set by ubuntu-shipped default unit
#PrivateDevices=true
#ProtectSystem=full
#ProtectHome=true
#NoNewPrivileges=true

1
templates/syncthing-relaysrv-tmpfiles.conf.j2

@ -0,0 +1 @@
d /var/lib/syncthing/relaysrv 0770 syncthing syncthing -

15
templates/syncthing-relaysrv.service.j2

@ -0,0 +1,15 @@
# Unused, we are instead overriding strelaysrv.service
[Unit]
Description=Syncthing relay server
After=network.target
[Service]
WorkingDirectory=/var/lib/syncthing/relaysrv
User=syncthing
Group=syncthing
ExecStart=/usr/bin/strelaysrv
Restart=on-failure
[Install]
WantedBy=multi-user.target

1
templates/syncthing-tmpfiles.conf.j2

@ -0,0 +1 @@
d /var/lib/syncthing/ 0770 syncthing syncthing -

12
templates/syncthing-user-override.conf.j2

@ -0,0 +1,12 @@
# /etc/systemd/system/syncthing@syncthing.service.d/override.conf
[Service]
Environemnt="HOME=/home/syncthing"
Environment="XDG_CONFIG_HOME=/home/syncthing/.config"
ExecStart=
ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0 -home="/home/syncthing/.config/syncthing" -gui-address=127.0.0.1:{{syncthing_web_port|default('8384')}}
PrivateDevices=true
# ProtectSystem=full
# ProtectHome=true
NoNewPrivileges=true
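Review bot: `Environemnt="HOME=/home/syncthing"` misspells the directive, so systemd logs an unknown-key warning and ignores the line, and HOME is never set for the service; it should read `Environment="HOME=/home/syncthing"`. The `-home=` flag on `ExecStart` and the `XDG_CONFIG_HOME` line mean syncthing still finds its configuration, which is presumably why the typo went unnoticed. `ProtectHome=true` is rightly left commented out, since the service's state lives under /home/syncthing, but `ProtectSystem=full` only makes /usr, /boot and /etc read-only and looks safe to enable for a process that writes nowhere outside its home.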

37
templates/syncthing-web.conf.j2

@ -0,0 +1,37 @@
server {
listen 80;
listen [::]:80;
server_name {{syncthing_domain}};
rewrite ^ https://$http_host$request_uri? permanent;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{syncthing_domain}};
ssl_certificate /etc/dehydrated/certs/{{syncthing_cert_domain}}/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/{{syncthing_cert_domain}}/privkey.pem;
include /etc/nginx/snippets/tls.conf;
access_log off;
error_log off;
include /etc/nginx/snippets/acme-challenge.conf;
include /etc/nginx/snippets/spam.conf;
include /etc/nginx/snippets/favicon.conf;
location / {
auth_basic "syncthing prompt";
auth_basic_user_file /etc/nginx/secrets/htpasswd-common;
proxy_pass http://127.0.0.1:{{syncthing_web_port|default('8384')}};
proxy_set_header X-Forwarded-For $remote_addr;
client_max_body_size 0;
proxy_connect_timeout 36000s;
proxy_read_timeout 36000s;
proxy_send_timeout 36000s;
send_timeout 36000s;
proxy_request_buffering off;
}
}
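Review bot: `error_log off;` does not disable the error log in nginx; it opens a log file literally named `off` under the prefix directory, and together with `access_log off;` it discards the only record of failed `auth_basic` attempts against the GUI, which is exactly the evidence needed when someone is guessing the shared htpasswd-common credentials. Keep an access log as the disco template does, `access_log /var/log/nginx/{{syncthing_domain}}.access.log timed_combined;`, and if the error log really must be quiet use `error_log /dev/null crit;`. The `location /` block correctly leaves `Host` unset so nginx forwards `127.0.0.1:{{syncthing_web_port}}`, which syncthing's localhost GUI host check expects; a one-line comment saying so would keep a future reader from adding `proxy_set_header Host $host;` and breaking the GUI.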