From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit
---
roles/syncthing/defaults/main.yml | 5 +
roles/syncthing/meta/main.yml | 4 +
roles/syncthing/tasks/main.yml | 73 +++++++++++++
roles/syncthing/tasks/syncthing_user.yml | 36 +++++++
.../etc/systemd/system/syncthing-user@.service.j2 | 27 +++++
.../templates/var/lib/syncthing/config.xml.j2 | 116 +++++++++++++++++++++
.../syncthing/templates/var/www/html/index.html.j2 | 15 +++
roles/syncthing/vars/main.yml | 46 ++++++++
8 files changed, 322 insertions(+)
create mode 100644 roles/syncthing/defaults/main.yml
create mode 100644 roles/syncthing/meta/main.yml
create mode 100644 roles/syncthing/tasks/main.yml
create mode 100644 roles/syncthing/tasks/syncthing_user.yml
create mode 100644 roles/syncthing/templates/etc/systemd/system/syncthing-user@.service.j2
create mode 100644 roles/syncthing/templates/var/lib/syncthing/config.xml.j2
create mode 100644 roles/syncthing/templates/var/www/html/index.html.j2
create mode 100644 roles/syncthing/vars/main.yml
(limited to 'roles/syncthing')
diff --git a/roles/syncthing/defaults/main.yml b/roles/syncthing/defaults/main.yml
new file mode 100644
index 0000000..51f1f66
--- /dev/null
+++ b/roles/syncthing/defaults/main.yml
@@ -0,0 +1,5 @@
+# username-port mappings
+syncthing_users: {}
+
+syncthing_fs_watcher_enabled: no # inotify doesn't work on nfs.
+syncthing_rescan_interval_sec: 60
diff --git a/roles/syncthing/meta/main.yml b/roles/syncthing/meta/main.yml
new file mode 100644
index 0000000..29230f9
--- /dev/null
+++ b/roles/syncthing/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: yum
+ yum_repositories: epel
+ tags: yum
diff --git a/roles/syncthing/tasks/main.yml b/roles/syncthing/tasks/main.yml
new file mode 100644
index 0000000..cf6b6b2
--- /dev/null
+++ b/roles/syncthing/tasks/main.yml
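Review bot: `syncthing_fs_watcher_enabled: no` relies on YAML 1.1 truthy parsing, which yamllint's `truthy` rule rejects and which a YAML 1.2 consumer of the same vars reads as the string "no"; write `syncthing_fs_watcher_enabled: false  # inotify doesn't work on nfs.`, which also gives the inline comment the conventional two spaces before `#`. The comment above `syncthing_users` could state the shape the role expects, since tasks/main.yml iterates it with `dict2items` and opens every value as a tcp and udp firewall port, e.g. `# map of username -> listen port, e.g. {alice: 22000}  (constructed example)`.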
@@ -0,0 +1,73 @@
+- name: install packages
+ dnf:
+ name: '{{ syncthing_packages }}'
+ state: present
+
+- name: mask global syncthing service
+ systemd:
+ name: syncthing
+ scope: global
+ state: stopped
+ enabled: no
+ masked: yes
+
+- name: increase udp buffer size
+ sysctl:
+ name: net.core.rmem_max
+ value: '{{ syncthing_max_udp_buffer_size }}'
+ state: present
+
+- name: create syncthing directory
+ file:
+ path: '{{ syncthing_home }}'
+ state: directory
+
+- name: generate systemd unit
+ template:
+ src: 'etc/systemd/system/syncthing-user@.service.j2'
+ dest: '/etc/systemd/system/syncthing-user@.service'
+ register: syncthing_unit
+
+- name: reload systemd units
+ systemd:
+ daemon_reload: yes
+ when: syncthing_unit.changed
+
+- name: set httpd_var_run_t selinux context for runtime directory
+ sefcontext:
+ target: '{{ syncthing_runtime_dir }}(/.*)?'
+ setype: httpd_var_run_t
+ state: present
+
+- name: generate user directories
+ include_tasks: syncthing_user.yml
+ loop: '{{ syncthing_users | dict2items }}'
+ loop_control:
+ index_var: syncthing_user_index
+ vars:
+ syncthing_user: '{{ item.key }}'
+ syncthing_port: '{{ item.value }}'
+
+- name: open firewall ports
+ firewalld:
+ port: '{{ item.0 }}/{{ item.1 }}'
+ permanent: yes
+ immediate: yes
+ state: enabled
+ loop: "{{ syncthing_users.values() | product(['tcp', 'udp']) }}"
+ tags: firewalld
+
+- name: generate landing page
+ template:
+ src: var/www/html/index.html.j2
+ dest: /var/www/html/index.html
+
+- name: create selinux policy for apache to connect to unix socket
+ include_role:
+ name: selinux_policy
+ apply:
+ tags: selinux
+ vars:
+ selinux_policy_name: syncthing_httpd
+ selinux_policy_te: '{{ syncthing_selinux_policy_te }}'
+ tags: selinux
diff --git a/roles/syncthing/tasks/syncthing_user.yml b/roles/syncthing/tasks/syncthing_user.yml
new file mode 100644
index 0000000..c580df6
--- /dev/null
+++ b/roles/syncthing/tasks/syncthing_user.yml
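Review bot: Nothing in this task list undoes a user's footprint once the entry is dropped from `syncthing_users`: `open firewall ports` only ever uses `permanent: yes` with `state: enabled`, and the included syncthing_user.yml only enables and starts units, so a removed user's listen ports stay open and its `syncthing-user@` instance keeps running with its data directory and GUI socket reachable. If that is intentional, say so at the top of the file, e.g. `# NOTE: removing a user from syncthing_users does not close its ports or stop its syncthing-user@ unit; clean up by hand.`; otherwise a teardown step driven from the previous user set is needed. Separately, `reload systemd units` gated on `syncthing_unit.changed` is the pattern handlers exist for; a `notify` on `generate systemd unit` would express the same dependency without the register/when pair.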
@@ -0,0 +1,36 @@
+- name: create user directory
+ file:
+ path: '{{ syncthing_home }}/{{ syncthing_user }}'
+ state: directory
+ owner: '{{ syncthing_user }}'
+ group: '{{ syncthing_user }}'
+ mode: 0700
+
+- name: generate default configuration
+ command:
+ cmd: syncthing -generate '{{ syncthing_home }}/{{ syncthing_user }}'
+ creates: '{{ syncthing_home }}/{{ syncthing_user }}/config.xml'
+ become: yes
+ become_user: '{{ syncthing_user }}'
+ register: syncthing_generate
+
+- name: get device id
+ command:
+ cmd: syncthing -home {{ syncthing_home }}/{{ syncthing_user }} -device-id
+ changed_when: no
+ register: syncthing_device_id
+
+- name: generate config file
+ template:
+ src: '{{ syncthing_home[1:] }}/config.xml.j2'
+ dest: '{{ syncthing_home }}/{{ syncthing_user }}/config.xml'
+ owner: '{{ syncthing_user }}'
+ group: '{{ syncthing_user }}'
+ mode: 0600
+ force: '{{ syncthing_generate.changed }}'
+
+- name: enable systemd unit
+ systemd:
+ name: 'syncthing-user@{{ syncthing_user }}'
+ enabled: yes
+ state: started
diff --git a/roles/syncthing/templates/etc/systemd/system/syncthing-user@.service.j2 b/roles/syncthing/templates/etc/systemd/system/syncthing-user@.service.j2
new file mode 100644
index 0000000..ba0ffb5
--- /dev/null
+++ b/roles/syncthing/templates/etc/systemd/system/syncthing-user@.service.j2
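Review bot: `mode: 0700` on `create user directory` and `mode: 0600` on `generate config file` are unquoted leading-zero integers; Ansible does treat them as octal, but yamllint's `octal-values` rule flags them and a YAML 1.2 parser reads them as decimal, so quote them as `mode: '0700'` and `mode: '0600'`. `force: '{{ syncthing_generate.changed }}'` means config.xml.j2 is rendered only on the run that generated the defaults, so later changes to the template, `syncthing_fs_watcher_enabled` or `syncthing_rescan_interval_sec` never reach an existing user; if that is deliberate (presumably because Syncthing rewrites config.xml itself once running), a comment above the task such as `# Rendered once per user: after first start Syncthing owns config.xml, so template changes are not pushed to existing users.` would save the next reader a debugging session. `get device id` also runs as root and interpolates the path unquoted, while the generate task just above runs as `syncthing_user` with a quoted path; matching both would make the pair read consistently.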
@@ -0,0 +1,27 @@
+[Unit]
+Description=Syncthing - Open Source Continuous File Synchronization for %I
+Documentation=man:syncthing(1)
+After=autofs.service nss-user-lookup.target network-online.target
+
+[Service]
+User=%i
+Group=%i
+Environment=STNOUPGRADE=1
+PermissionsStartOnly=true
+ExecStartPre=install -o root -g root -m 0755 -Z -d {{ syncthing_runtime_dir | quote }}
+ExecStartPre=install -o %i -g apache -m 2750 -Z -d {{ syncthing_runtime_dir | quote }}/%i
+ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0 -home {{ syncthing_home | quote}}/%i -gui-address=unix://{{ syncthing_runtime_dir | quote }}/%i/gui.sock
+Restart=on-failure
+RestartSec=5
+SuccessExitStatus=3 4
+RestartForceExitStatus=3 4
+
+# Hardening
+ProtectSystem=full
+PrivateTmp=true
+SystemCallArchitectures=native
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/syncthing/templates/var/lib/syncthing/config.xml.j2 b/roles/syncthing/templates/var/lib/syncthing/config.xml.j2
new file mode 100644
index 0000000..7790dd8
--- /dev/null
+++ b/roles/syncthing/templates/var/lib/syncthing/config.xml.j2
@@ -0,0 +1,116 @@
+
+
+
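Review bot: `PermissionsStartOnly=true` is deprecated in systemd; the two `ExecStartPre=install ...` lines should carry the `+` prefix instead, `ExecStartPre=+install -o root -g root -m 0755 -Z -d {{ syncthing_runtime_dir | quote }}` and `ExecStartPre=+install -o %i -g apache -m 2750 -Z -d {{ syncthing_runtime_dir | quote }}/%i`, and the `PermissionsStartOnly` line goes away. The `# Hardening` block omits `ProtectHome=`, presumably because the synced folders live in user homes (`After=autofs.service` points that way); if that is the reason, a comment such as `# ProtectHome intentionally unset: synced folders live under autofs-mounted homes` would stop the next reader from "fixing" it. `{{ syncthing_home | quote}}` in `ExecStart` is missing the space before `}}`; Jinja accepts it but it is inconsistent with every other expression in the file.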
tcp://{{ ansible_fqdn }}:{{ syncthing_port }}
+ false + false + 0 + 0 + 0 + false + 0 +
+ +
{{ syncthing_runtime_dir }}/{{ syncthing_user }}/gui.sock
+ 770 + default + true +
+ + + quic://0.0.0.0:{{ syncthing_port }} + tcp://0.0.0.0:{{ syncthing_port }} + default + false + false + 0 + [ff32::5222]:0 + 0 + 0 + 60 + false + 10 + false + false + 60 + 30 + 10 + -1 + 3 + 00000000 + https://data.syncthing.net/newdata + false + 1800 + false + 0 + false + 24 + false + 5 + false + 1 + https://upgrades.syncthing.net/meta.json + false + 10 + 0 + false + 0 + https://crash.syncthing.net/newcrash + false + 0 + 0 + default + auto + 0 + true + false + 0 + 0 + false + + + + basic + + + + 1 + + 3600 + + basic + + 0 + 0 + 0 + random + false + 0 + 0 + 10 + false + false + false + 25 + .stfolder + false + 0 + 2 + false + standard + standard + false + false + + +
dynamic
+ false + false + 0 + 0 + 0 + false + 0 +
+ +
+
diff --git a/roles/syncthing/templates/var/www/html/index.html.j2 b/roles/syncthing/templates/var/www/html/index.html.j2
new file mode 100644
index 0000000..63944f5
--- /dev/null
+++ b/roles/syncthing/templates/var/www/html/index.html.j2
@@ -0,0 +1,15 @@
+
+
+
+ Syncthing
+
+
+
+

Choose your username.

+
+
+
diff --git a/roles/syncthing/vars/main.yml b/roles/syncthing/vars/main.yml
new file mode 100644
index 0000000..2f15f87
--- /dev/null
+++ b/roles/syncthing/vars/main.yml
@@ -0,0 +1,46 @@
+syncthing_packages:
+ - syncthing
+ - syncthing-tools
+ - httpd
+
+syncthing_home: /var/lib/syncthing
+syncthing_runtime_dir: /var/run/syncthing
+
+syncthing_max_udp_buffer_size: 2500000
+
+syncthing_archive_shell: >-
+ TIMESTAMP=$(date +%Y%m%d%H%M%S);
+ tar czf "syncthing-${TIMESTAMP}.tar.gz"
+ --transform "s|^\.|syncthing-${TIMESTAMP}|"
+ --exclude="*/index-*.db*"
+ -C "{{ syncthing_home }}" .
+
+syncthing_selinux_policy_te: |
+ require {
+ type httpd_t;
+ type unconfined_service_t;
+ class unix_stream_socket connectto;
+ }
+
+ #============= httpd_t ==============
+ allow httpd_t unconfined_service_t:unix_stream_socket connectto;
+
+syncthing_apache_config: |
+ {{ apache_proxy_vhost_config }}
+
+ {% for user in syncthing_users %}
+
+ AuthType GSSAPI
+ AuthName "FreeIPA Single Sign-On"
+ GssapiLocalName On
+ {{ apache_gssapi_session_config }}
+
+ Require user {{ user }}
+
+ ProxyPass unix:{{ syncthing_runtime_dir }}/{{ user }}/gui.sock|http://{{ user }}/
+ ProxyPassReverse unix:{{ syncthing_runtime_dir }}/{{ user }}/gui.sock|http://{{ user }}/
+
+ {{ apache_proxy_header_config }}
+
+
+ {% endfor %}
-- cgit
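Review bot: The module in `syncthing_selinux_policy_te` allows `httpd_t` to `connectto` any `unconfined_service_t` unix stream socket, not just the Syncthing GUI sockets, because a service started from a custom unit without its own domain typically runs as unconfined_service_t; that is wider than the per-user ProxyPass needs and worth stating above the variable, e.g. `# Broad by necessity: syncthing has no dedicated SELinux domain here, so httpd may connect to any unconfined_service_t unix socket.`, or narrowing if a syncthing-specific type exists on the targets. `syncthing_archive_shell` is not referenced by any task in this commit; if a playbook elsewhere consumes it, a comment naming that consumer would explain why it lives in the role's vars. `syncthing_runtime_dir: /var/run/syncthing` uses the legacy path; on systemd hosts `/var/run` is a symlink to `/run`, so `/run/syncthing` would be the conventional spelling for what the unit's `install -d` creates.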