author | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:23:43 -0500 |
---|---|---|
committer | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:52:13 -0500 |
commit | 0261e875679f1bf63c8d689da7fc7e014597885d (patch) | |
tree | 3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/syncthing | |
initial commit
Diffstat (limited to 'roles/syncthing')
-rw-r--r-- | roles/syncthing/defaults/main.yml | 5 | ||||
-rw-r--r-- | roles/syncthing/meta/main.yml | 4 | ||||
-rw-r--r-- | roles/syncthing/tasks/main.yml | 73 | ||||
-rw-r--r-- | roles/syncthing/tasks/syncthing_user.yml | 36 | ||||
-rw-r--r-- | roles/syncthing/templates/etc/systemd/system/syncthing-user@.service.j2 | 27 | ||||
-rw-r--r-- | roles/syncthing/templates/var/lib/syncthing/config.xml.j2 | 116 | ||||
-rw-r--r-- | roles/syncthing/templates/var/www/html/index.html.j2 | 15 | ||||
-rw-r--r-- | roles/syncthing/vars/main.yml | 46 |
8 files changed, 322 insertions, 0 deletions
diff --git a/roles/syncthing/defaults/main.yml b/roles/syncthing/defaults/main.yml
new file mode 100644
index 0000000..51f1f66
--- /dev/null
+++ b/roles/syncthing/defaults/main.yml
@@ -0,0 +1,5 @@
+# username-port mappings
+syncthing_users: {}
+
+syncthing_fs_watcher_enabled: no # inotify doesn't work on nfs.
+syncthing_rescan_interval_sec: 60
diff --git a/roles/syncthing/meta/main.yml b/roles/syncthing/meta/main.yml
new file mode 100644
index 0000000..29230f9
--- /dev/null
+++ b/roles/syncthing/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: yum
+ yum_repositories: epel
+ tags: yum
diff --git a/roles/syncthing/tasks/main.yml b/roles/syncthing/tasks/main.yml
new file mode 100644
index 0000000..cf6b6b2
--- /dev/null
+++ b/roles/syncthing/tasks/main.yml
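Review bot: `syncthing_fs_watcher_enabled: no` is a YAML 1.1 boolean, so it reaches the config template as a Python `False` and renders as `fsWatcherEnabled="False"` rather than the lowercase `false` the rest of that XML uses; whether Syncthing's loader accepts the capitalised form is not visible from this commit. Write the default as `syncthing_fs_watcher_enabled: false` and render it with `{{ syncthing_fs_watcher_enabled | lower }}` in config.xml.j2 so the output is canonical no matter how an inventory overrides the value. The `syncthing_users: {}` comment would also be clearer as `# {username: listen_port} — one Syncthing instance and one opened firewall port per user`, since the port is what tasks/main.yml consumes.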
@@ -0,0 +1,73 @@
+- name: install packages
+ dnf:
+ name: '{{ syncthing_packages }}'
+ state: present
+
+- name: mask global syncthing service
+ systemd:
+ name: syncthing
+ scope: global
+ state: stopped
+ enabled: no
+ masked: yes
+
+- name: increase udp buffer size
+ sysctl:
+ name: net.core.rmem_max
+ value: '{{ syncthing_max_udp_buffer_size }}'
+ state: present
+
+- name: create syncthing directory
+ file:
+ path: '{{ syncthing_home }}'
+ state: directory
+
+- name: generate systemd unit
+ template:
+ src: 'etc/systemd/system/syncthing-user@.service.j2'
+ dest: '/etc/systemd/system/syncthing-user@.service'
+ register: syncthing_unit
+
+- name: reload systemd units
+ systemd:
+ daemon_reload: yes
+ when: syncthing_unit.changed
+
+- name: set httpd_var_run_t selinux context for runtime directory
+ sefcontext:
+ target: '{{ syncthing_runtime_dir }}(/.*)?'
+ setype: httpd_var_run_t
+ state: present
+
+- name: generate user directories
+ include_tasks: syncthing_user.yml
+ loop: '{{ syncthing_users | dict2items }}'
+ loop_control:
+ index_var: syncthing_user_index
+ vars:
+ syncthing_user: '{{ item.key }}'
+ syncthing_port: '{{ item.value }}'
+
+- name: open firewall ports
+ firewalld:
+ port: '{{ item.0 }}/{{ item.1 }}'
+ permanent: yes
+ immediate: yes
+ state: enabled
+ loop: "{{ syncthing_users.values() | product(['tcp', 'udp']) }}"
+ tags: firewalld
+
+- name: generate landing page
+ template:
+ src: var/www/html/index.html.j2
+ dest: /var/www/html/index.html
+
+- name: create selinux policy for apache to connect to unix socket
+ include_role:
+ name: selinux_policy
+ apply:
+ tags: selinux
+ vars:
+ selinux_policy_name: syncthing_httpd
+ selinux_policy_te: '{{ syncthing_selinux_policy_te }}'
+ tags: selinux
diff --git a/roles/syncthing/tasks/syncthing_user.yml b/roles/syncthing/tasks/syncthing_user.yml
new file mode 100644
index 0000000..c580df6
--- /dev/null
+++ b/roles/syncthing/tasks/syncthing_user.yml
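Review bot: The `create syncthing directory` task creates `{{ syncthing_home }}` with no `owner`, `group` or `mode`, so the permissions of the directory that holds every user's TLS key and config fall out of whatever umask the Ansible connection has; the per-user subdirectories in syncthing_user.yml are pinned to 0700, but the parent is not, and listing it reveals the set of user names. Add `owner: root`, `group: root` and `mode: '0755'` to that task so the result is reproducible across runs and control hosts. The `reload systemd units` task is also the textbook handler case: `notify: reload systemd` on the `generate systemd unit` task replaces the `register: syncthing_unit` / `when: syncthing_unit.changed` pair and avoids a reload racing the later `enable systemd unit` task if the unit file is unchanged.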
@@ -0,0 +1,36 @@
+- name: create user directory
+ file:
+ path: '{{ syncthing_home }}/{{ syncthing_user }}'
+ state: directory
+ owner: '{{ syncthing_user }}'
+ group: '{{ syncthing_user }}'
+ mode: 0700
+
+- name: generate default configuration
+ command:
+ cmd: syncthing -generate '{{ syncthing_home }}/{{ syncthing_user }}'
+ creates: '{{ syncthing_home }}/{{ syncthing_user }}/config.xml'
+ become: yes
+ become_user: '{{ syncthing_user }}'
+ register: syncthing_generate
+
+- name: get device id
+ command:
+ cmd: syncthing -home {{ syncthing_home }}/{{ syncthing_user }} -device-id
+ changed_when: no
+ register: syncthing_device_id
+
+- name: generate config file
+ template:
+ src: '{{ syncthing_home[1:] }}/config.xml.j2'
+ dest: '{{ syncthing_home }}/{{ syncthing_user }}/config.xml'
+ owner: '{{ syncthing_user }}'
+ group: '{{ syncthing_user }}'
+ mode: 0600
+ force: '{{ syncthing_generate.changed }}'
+
+- name: enable systemd unit
+ systemd:
+ name: 'syncthing-user@{{ syncthing_user }}'
+ enabled: yes
+ state: started
diff --git a/roles/syncthing/templates/etc/systemd/system/syncthing-user@.service.j2 b/roles/syncthing/templates/etc/systemd/system/syncthing-user@.service.j2
new file mode 100644
index 0000000..ba0ffb5
--- /dev/null
+++ b/roles/syncthing/templates/etc/systemd/system/syncthing-user@.service.j2
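Review bot: The `get device id` task runs `syncthing -home ... -device-id` as root, whereas the `generate default configuration` task just above it runs as `{{ syncthing_user }}`; the command only needs to read the user's certificate, and anything the binary might create under the 0700 user directory on that invocation would be root-owned and unreadable to the service. Give it the same `become: yes` / `become_user: '{{ syncthing_user }}'` as the generate step, and quote the path as that step does: `cmd: syncthing -home '{{ syncthing_home }}/{{ syncthing_user }}' -device-id`. The octal modes `mode: 0700` and `mode: 0600` should be quoted strings (`'0700'`, `'0600'`) — unquoted they are YAML 1.1 octal integers, which ansible-lint flags as risky, and a future edit to a mode without a leading zero would silently become a decimal. `force: '{{ syncthing_generate.changed }}'` means later changes to config.xml.j2 never reach an existing user; if that is deliberate (the user may edit settings through the GUI) a one-line comment on the task would save the next reader the question.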
@@ -0,0 +1,27 @@
+[Unit]
+Description=Syncthing - Open Source Continuous File Synchronization for %I
+Documentation=man:syncthing(1)
+After=autofs.service nss-user-lookup.target network-online.target
+
+[Service]
+User=%i
+Group=%i
+Environment=STNOUPGRADE=1
+PermissionsStartOnly=true
+ExecStartPre=install -o root -g root -m 0755 -Z -d {{ syncthing_runtime_dir | quote }}
+ExecStartPre=install -o %i -g apache -m 2750 -Z -d {{ syncthing_runtime_dir | quote }}/%i
+ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0 -home {{ syncthing_home | quote}}/%i -gui-address=unix://{{ syncthing_runtime_dir | quote }}/%i/gui.sock
+Restart=on-failure
+RestartSec=5
+SuccessExitStatus=3 4
+RestartForceExitStatus=3 4
+
+# Hardening
+ProtectSystem=full
+PrivateTmp=true
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/syncthing/templates/var/lib/syncthing/config.xml.j2 b/roles/syncthing/templates/var/lib/syncthing/config.xml.j2
new file mode 100644
index 0000000..7790dd8
--- /dev/null
+++ b/roles/syncthing/templates/var/lib/syncthing/config.xml.j2
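Review bot: `PermissionsStartOnly=true` is deprecated by systemd in favour of the per-command `+` prefix, which states on each line which `ExecStartPre=` commands run as root instead of flipping a unit-wide switch; here exactly the two `install` lines need root and `ExecStart=` must not get it. Drop the setting and write `ExecStartPre=+install -o root -g root -m 0755 -Z -d {{ syncthing_runtime_dir | quote }}` and `ExecStartPre=+install -o %i -g apache -m 2750 -Z -d {{ syncthing_runtime_dir | quote }}/%i`. The `# Hardening` stanza could also carry `ProtectKernelTunables=true`, `ProtectControlGroups=true` and `RestrictSUIDSGID=true`, none of which a process that only touches its home and the runtime socket directory should notice; `ProtectHome=` is presumably left out because the default folder path in config.xml.j2 is `~`, and a comment saying so would stop the next reviewer from adding it. `{{ syncthing_home | quote}}` on the `ExecStart=` line is missing the space before `}}` that every other filter call has.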
@@ -0,0 +1,116 @@
+<configuration version="36">
+ <device id="{{ syncthing_device_id.stdout }}" name="{{ ansible_fqdn }} ({{ syncthing_user }})" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy="">
+ <address>tcp://{{ ansible_fqdn }}:{{ syncthing_port }}</address>
+ <paused>false</paused>
+ <autoAcceptFolders>false</autoAcceptFolders>
+ <maxSendKbps>0</maxSendKbps>
+ <maxRecvKbps>0</maxRecvKbps>
+ <maxRequestKiB>0</maxRequestKiB>
+ <untrusted>false</untrusted>
+ <remoteGUIPort>0</remoteGUIPort>
+ </device>
+ <gui enabled="true" tls="false" debugging="false">
+ <address>{{ syncthing_runtime_dir }}/{{ syncthing_user }}/gui.sock</address>
+ <unixSocketPermissions>770</unixSocketPermissions>
+ <theme>default</theme>
+ <insecureSkipHostcheck>true</insecureSkipHostcheck>
+ </gui>
+ <ldap></ldap>
+ <options>
+ <listenAddress>quic://0.0.0.0:{{ syncthing_port }}</listenAddress>
+ <listenAddress>tcp://0.0.0.0:{{ syncthing_port }}</listenAddress>
+ <globalAnnounceServer>default</globalAnnounceServer>
+ <globalAnnounceEnabled>false</globalAnnounceEnabled>
+ <localAnnounceEnabled>false</localAnnounceEnabled>
+ <localAnnouncePort>0</localAnnouncePort>
+ <localAnnounceMCAddr>[ff32::5222]:0</localAnnounceMCAddr>
+ <maxSendKbps>0</maxSendKbps>
+ <maxRecvKbps>0</maxRecvKbps>
+ <reconnectionIntervalS>60</reconnectionIntervalS>
+ <relaysEnabled>false</relaysEnabled>
+ <relayReconnectIntervalM>10</relayReconnectIntervalM>
+ <startBrowser>false</startBrowser>
+ <natEnabled>false</natEnabled>
+ <natLeaseMinutes>60</natLeaseMinutes>
+ <natRenewalMinutes>30</natRenewalMinutes>
+ <natTimeoutSeconds>10</natTimeoutSeconds>
+ <urAccepted>-1</urAccepted>
+ <urSeen>3</urSeen>
+ <urUniqueID>00000000</urUniqueID>
+ <urURL>https://data.syncthing.net/newdata</urURL>
+ <urPostInsecurely>false</urPostInsecurely>
+ <urInitialDelayS>1800</urInitialDelayS>
+ <restartOnWakeup>false</restartOnWakeup>
+ <autoUpgradeIntervalH>0</autoUpgradeIntervalH>
+ <upgradeToPreReleases>false</upgradeToPreReleases>
+ <keepTemporariesH>24</keepTemporariesH>
+ <cacheIgnoredFiles>false</cacheIgnoredFiles>
+ <progressUpdateIntervalS>5</progressUpdateIntervalS>
+ <limitBandwidthInLan>false</limitBandwidthInLan>
+ <minHomeDiskFree unit="%">1</minHomeDiskFree>
+ <releasesURL>https://upgrades.syncthing.net/meta.json</releasesURL>
+ <overwriteRemoteDeviceNamesOnConnect>false</overwriteRemoteDeviceNamesOnConnect>
+ <tempIndexMinBlocks>10</tempIndexMinBlocks>
+ <trafficClass>0</trafficClass>
+ <setLowPriority>false</setLowPriority>
+ <maxFolderConcurrency>0</maxFolderConcurrency>
+ <crashReportingURL>https://crash.syncthing.net/newcrash</crashReportingURL>
+ <crashReportingEnabled>false</crashReportingEnabled>
+ <stunKeepaliveStartS>0</stunKeepaliveStartS>
+ <stunKeepaliveMinS>0</stunKeepaliveMinS>
+ <stunServer>default</stunServer>
+ <databaseTuning>auto</databaseTuning>
+ <maxConcurrentIncomingRequestKiB>0</maxConcurrentIncomingRequestKiB>
+ <announceLANAddresses>true</announceLANAddresses>
+ <sendFullIndexOnUpgrade>false</sendFullIndexOnUpgrade>
+ <connectionLimitEnough>0</connectionLimitEnough>
+ <connectionLimitMax>0</connectionLimitMax>
+ <insecureAllowOldTLSVersions>false</insecureAllowOldTLSVersions>
+ </options>
+ <defaults>
+ <folder id="" label="" path="~" type="sendreceive" rescanIntervalS="{{ syncthing_rescan_interval_sec }}" fsWatcherEnabled="{{ syncthing_fs_watcher_enabled }}" fsWatcherDelayS="10" ignorePerms="false" autoNormalize="true">
+ <filesystemType>basic</filesystemType>
+ <device id="{{ syncthing_device_id.stdout }}" introducedBy="">
+ <encryptionPassword></encryptionPassword>
+ </device>
+ <minDiskFree unit="%">1</minDiskFree>
+ <versioning>
+ <cleanupIntervalS>3600</cleanupIntervalS>
+ <fsPath></fsPath>
+ <fsType>basic</fsType>
+ </versioning>
+ <copiers>0</copiers>
+ <pullerMaxPendingKiB>0</pullerMaxPendingKiB>
+ <hashers>0</hashers>
+ <order>random</order>
+ <ignoreDelete>false</ignoreDelete>
+ <scanProgressIntervalS>0</scanProgressIntervalS>
+ <pullerPauseS>0</pullerPauseS>
+ <maxConflicts>10</maxConflicts>
+ <disableSparseFiles>false</disableSparseFiles>
+ <disableTempIndexes>false</disableTempIndexes>
+ <paused>false</paused>
+ <weakHashThresholdPct>25</weakHashThresholdPct>
+ <markerName>.stfolder</markerName>
+ <copyOwnershipFromParent>false</copyOwnershipFromParent>
+ <modTimeWindowS>0</modTimeWindowS>
+ <maxConcurrentWrites>2</maxConcurrentWrites>
+ <disableFsync>false</disableFsync>
+ <blockPullOrder>standard</blockPullOrder>
+ <copyRangeMethod>standard</copyRangeMethod>
+ <caseSensitiveFS>false</caseSensitiveFS>
+ <junctionsAsDirs>false</junctionsAsDirs>
+ </folder>
+ <device id="" compression="metadata" introducer="false" skipIntroductionRemovals="false" introducedBy="">
+ <address>dynamic</address>
+ <paused>false</paused>
+ <autoAcceptFolders>false</autoAcceptFolders>
+ <maxSendKbps>0</maxSendKbps>
+ <maxRecvKbps>0</maxRecvKbps>
+ <maxRequestKiB>0</maxRequestKiB>
+ <untrusted>false</untrusted>
+ <remoteGUIPort>0</remoteGUIPort>
+ </device>
+ <ignores></ignores>
+ </defaults>
+</configuration>
diff --git a/roles/syncthing/templates/var/www/html/index.html.j2 b/roles/syncthing/templates/var/www/html/index.html.j2
new file mode 100644
index 0000000..63944f5
--- /dev/null
+++ b/roles/syncthing/templates/var/www/html/index.html.j2
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html lang='en'>
+ <head>
+ <title>Syncthing</title>
+ <meta charset='utf-8'>
+ </head>
+ <body>
+ <h1>Choose your username.</h1>
+ <ul>
+{% for user in syncthing_users.keys() %}
+ <li><a href="/{{ user }}/">{{ user }}</a></li>
+{% endfor %}
+ </ul>
+ </body>
+</html>
diff --git a/roles/syncthing/vars/main.yml b/roles/syncthing/vars/main.yml
new file mode 100644
index 0000000..2f15f87
--- /dev/null
+++ b/roles/syncthing/vars/main.yml
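Review bot: The `<gui>` element carries no `<user>`/`<password>` and sets `<insecureSkipHostcheck>true</insecureSkipHostcheck>`, so at the socket the GUI and REST API are unauthenticated: the only controls between a local process and full administrative access to that user's Syncthing are the 2750 socket directory from the unit file, the 770 `<unixSocketPermissions>` here, and Apache's `Require user` in front of the proxy. That is a defensible design for a socket reachable only by the `apache` group, but nothing in the template says so, and a later maintainer loosening the permissions or adding a TCP `<address>` would not see the risk. Add a Jinja comment above `<gui ...>` describing the trust model — roughly: authentication is delegated to the GSSAPI vhost, the socket directory's group restriction is what enforces it, and the host check is skipped because the proxy forwards `Host:` as the username (my reading of the `ProxyPass ... http://{{ user }}/` target in vars/main.yml, worth confirming). Separately, `fsWatcherEnabled="{{ syncthing_fs_watcher_enabled }}"` renders a YAML boolean as `True`/`False`; `{{ syncthing_fs_watcher_enabled | lower }}` keeps the attribute canonical.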
@@ -0,0 +1,46 @@
+syncthing_packages:
+ - syncthing
+ - syncthing-tools
+ - httpd
+
+syncthing_home: /var/lib/syncthing
+syncthing_runtime_dir: /var/run/syncthing
+
+syncthing_max_udp_buffer_size: 2500000
+
+syncthing_archive_shell: >-
+ TIMESTAMP=$(date +%Y%m%d%H%M%S);
+ tar czf "syncthing-${TIMESTAMP}.tar.gz"
+ --transform "s|^\.|syncthing-${TIMESTAMP}|"
+ --exclude="*/index-*.db*"
+ -C "{{ syncthing_home }}" .
+
+syncthing_selinux_policy_te: |
+ require {
+ type httpd_t;
+ type unconfined_service_t;
+ class unix_stream_socket connectto;
+ }
+
+ #============= httpd_t ==============
+ allow httpd_t unconfined_service_t:unix_stream_socket connectto;
+
+syncthing_apache_config: |
+ {{ apache_proxy_vhost_config }}
+
+ {% for user in syncthing_users %}
+ <Location /{{ user }}/>
+ AuthType GSSAPI
+ AuthName "FreeIPA Single Sign-On"
+ GssapiLocalName On
+ {{ apache_gssapi_session_config }}
+
+ Require user {{ user }}
+
+ ProxyPass unix:{{ syncthing_runtime_dir }}/{{ user }}/gui.sock|http://{{ user }}/
+ ProxyPassReverse unix:{{ syncthing_runtime_dir }}/{{ user }}/gui.sock|http://{{ user }}/
+
+ {{ apache_proxy_header_config }}
+ </Location>
+
+ {% endfor %} |
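Review bot: The rule in `syncthing_selinux_policy_te`, `allow httpd_t unconfined_service_t:unix_stream_socket connectto;`, is broader than the task name "apache to connect to unix socket" suggests: `connectto` is checked against the domain of the listening process, and since the rule implies Syncthing runs in the generic `unconfined_service_t` domain, it lets Apache connect to the Unix stream socket of every unconfined system service on the host, while the `httpd_var_run_t` label on the socket file does not narrow it. There is no tighter target short of a dedicated Syncthing domain, so the scope should at least be recorded where the next reader will look — replace the bare `#============= httpd_t ==============` with a comment such as `# httpd_t -> unix sockets of ANY unconfined_service_t process; syncthing has no own domain, so this is the narrowest rule available`. `syncthing_runtime_dir: /var/run/syncthing` would also read better as `/run/syncthing`, since `/var/run` is a compatibility symlink and this string is what the `sefcontext` pattern in tasks/main.yml and the `install -d` lines in the unit file are keyed on.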