Compare commits
2 Commits
10fa1168a3
...
518d3d7692
Author | SHA1 | Date | |
---|---|---|---|
518d3d7692 | |||
2a8fe0ad3b |
@ -18,6 +18,7 @@ This project was largely inspired by his own [infra](https://github.com/notthebe
|
|||||||
* MediaWiki farm
|
* MediaWiki farm
|
||||||
* Navidrome music server
|
* Navidrome music server
|
||||||
* SFTP (not really a service, included in sshd)
|
* SFTP (not really a service, included in sshd)
|
||||||
|
* Syncthing
|
||||||
* Firewall (UFW)
|
* Firewall (UFW)
|
||||||
|
|
||||||
## Miscellaneous features
|
## Miscellaneous features
|
||||||
@ -31,6 +32,9 @@ This project was largely inspired by his own [infra](https://github.com/notthebe
|
|||||||
|
|
||||||
Install ansible. [Install guide](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html)
|
Install ansible. [Install guide](https://docs.ansible.com/ansible/latest/installation_guide/intro_installation.html)
|
||||||
|
|
||||||
|
Install python-hashlib. This is necessary for syncthing because for some reason
|
||||||
|
it can't compute hashes for bcrypt.
|
||||||
|
|
||||||
|
|
||||||
Clone the repo:
|
Clone the repo:
|
||||||
```
|
```
|
||||||
|
@ -201,6 +201,9 @@ registration_shared_secret: "secret"
|
|||||||
macaroon_secret_key: "secret"
|
macaroon_secret_key: "secret"
|
||||||
form_secret: "secret"
|
form_secret: "secret"
|
||||||
|
|
||||||
|
# Syncthing secrets
|
||||||
|
syncthing_gui_pass: ""
|
||||||
|
|
||||||
# Coturn secrets
|
# Coturn secrets
|
||||||
coturn_secret_key: "secret"
|
coturn_secret_key: "secret"
|
||||||
|
|
||||||
@ -268,7 +271,10 @@ enable_navidrome: yes
|
|||||||
enable_website: yes
|
enable_website: yes
|
||||||
|
|
||||||
# SFTP read-only user
|
# SFTP read-only user
|
||||||
enable_sftpr: yes
|
enable_sftpr: no
|
||||||
|
|
||||||
|
# Syncthing
|
||||||
|
enable_syncthing: yes
|
||||||
|
|
||||||
# Mailserver (local only)
|
# Mailserver (local only)
|
||||||
enable_mail: yes
|
enable_mail: yes
|
||||||
|
@ -22,34 +22,11 @@ then
|
|||||||
exit
|
exit
|
||||||
fi
|
fi
|
||||||
|
|
||||||
if [ ! -f /mnt/disk_b/bk-0.tgz ]
|
mkdir -p /mnt/disk_b/bkd/
|
||||||
then
|
rsync -avxP --delete \
|
||||||
echo "No full archive: preparing to perform complete backup."
|
|
||||||
sleep 5
|
|
||||||
echo "Performing complete backup."
|
|
||||||
|
|
||||||
tar -czv \
|
|
||||||
--exclude={{ dataroot }}/navidrome/cache \
|
--exclude={{ dataroot }}/navidrome/cache \
|
||||||
--exclude={{ dataroot }}/synapse/media_store \
|
--exclude={{ dataroot }}/synapse/media_store \
|
||||||
-f /mnt/disk_b/bk-0.tgz -g /mnt/disk_b/bk.snar /mnt/disk \
|
/mnt/disk/ /mnt/disk_b/bkd/
|
||||||
|
|
||||||
echo "Backup finished."
|
|
||||||
tput bel
|
|
||||||
else
|
|
||||||
LABEL=$(date +"%Y_%m_%d")
|
|
||||||
echo "Preparing to perform incremental backup: $LABEL"
|
|
||||||
sleep 5.
|
|
||||||
echo "Performing incremental backup."
|
|
||||||
cp /mnt/disk_b/bk.snar "/mnt/disk_b/bk-$LABEL.snar"
|
|
||||||
|
|
||||||
tar -czv \
|
|
||||||
--exclude={{ dataroot }}/navidrome/cache \
|
|
||||||
--exclude={{ dataroot }}/synapse/media_store \
|
|
||||||
-f "/mnt/disk_b/bk-$LABEL.tgz" -g "/mnt/disk_b/bk-$LABEL.snar" /mnt/disk \
|
|
||||||
|
|
||||||
echo "Backup finished."
|
|
||||||
tput bel
|
|
||||||
fi
|
|
||||||
|
|
||||||
echo "Preparing to unmount backup disk."
|
echo "Preparing to unmount backup disk."
|
||||||
sleep 5
|
sleep 5
|
||||||
|
@ -15,6 +15,14 @@
|
|||||||
state: enabled
|
state: enabled
|
||||||
when: enable_synapse
|
when: enable_synapse
|
||||||
|
|
||||||
|
- name: Allow Syncthing port
|
||||||
|
community.general.ufw:
|
||||||
|
rule: allow
|
||||||
|
port: 22000
|
||||||
|
proto: any
|
||||||
|
state: enabled
|
||||||
|
when: enable_syncthing
|
||||||
|
|
||||||
- name: Allow http/https ports
|
- name: Allow http/https ports
|
||||||
community.general.ufw:
|
community.general.ufw:
|
||||||
rule: allow
|
rule: allow
|
||||||
|
48
roles/services/syncthing/defaults/main.yaml
Normal file
48
roles/services/syncthing/defaults/main.yaml
Normal file
@ -0,0 +1,48 @@
|
|||||||
|
syncthing_user: syncthing
|
||||||
|
# group for file management
|
||||||
|
syncthing_group: vault
|
||||||
|
syncthing_guiaddress: 127.0.0.1:8080
|
||||||
|
syncthing_listen: tcp://0.0.0.0:22000
|
||||||
|
syncthing_localannounce: true
|
||||||
|
syncthing_globalannounce: true
|
||||||
|
syncthing_home: "/home/{{ syncthing_user }}"
|
||||||
|
syncthing_gui_user: "{{ syncthing_user }}"
|
||||||
|
|
||||||
|
# Paths for Syncthing folders
|
||||||
|
vault_path: "/mnt/disk/uv"
|
||||||
|
archive_path: "/mnt/disk/uva"
|
||||||
|
|
||||||
|
# Put this in the vault in cleartext: the playbook hashes it
|
||||||
|
syncthing_gui_pass: ""
|
||||||
|
|
||||||
|
# 22 chars for bcrypt
|
||||||
|
syncthing_gui_salt: "{{ lookup('password', '/dev/null chars=ascii_letters,digit length=22', seed=inventory_hostname) }}"
|
||||||
|
|
||||||
|
# Put this in host-vars or group-vars
|
||||||
|
# Follows conventions of Syncthing's REST API: see https://docs.syncthing.net/dev/rest.html
|
||||||
|
# But write in YAML.
|
||||||
|
syncthing_devices: []
|
||||||
|
# - name: "Example Device"
|
||||||
|
# deviceID: "AAAAAAA-AAAAAAA-AAAAAAA-AAAAAAA-AAAAAAA-AAAAAAA-AAAAAAA-AAAAAAA"
|
||||||
|
# - name: "Main Device"
|
||||||
|
# deviceID: "BBBBBBB-BBBBBBB-BBBBBBB-BBBBBBB-BBBBBBB-BBBBBBB-BBBBBBB-BBBBBBB"
|
||||||
|
# introducer: true
|
||||||
|
|
||||||
|
# Also follows REST API convention
|
||||||
|
syncthing_folders: []
|
||||||
|
# - label: "Example Folder"
|
||||||
|
# id: "example"
|
||||||
|
# path: "{{ syncthing_home }}/example/"
|
||||||
|
|
||||||
|
# Settings to add to all folders if not specified otherwise
|
||||||
|
# Separated into default folder settings, and default device settings
|
||||||
|
# Follows REST API convention
|
||||||
|
syncthing_defaults: {}
|
||||||
|
# folder:
|
||||||
|
# devices: "{{ syncthing_devices }}"
|
||||||
|
# versioning:
|
||||||
|
# type: "staggered"
|
||||||
|
# params:
|
||||||
|
# cleanoutDays: "60"
|
||||||
|
# maxAge: "31536000"
|
||||||
|
# device: {}
|
4
roles/services/syncthing/handlers/main.yaml
Normal file
4
roles/services/syncthing/handlers/main.yaml
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
- name: Restart syncthing
|
||||||
|
systemd:
|
||||||
|
name: syncthing@syncthing
|
||||||
|
state: restarted
|
132
roles/services/syncthing/tasks/main.yml
Normal file
132
roles/services/syncthing/tasks/main.yml
Normal file
@ -0,0 +1,132 @@
|
|||||||
|
- name: Install packages for syncthing
|
||||||
|
community.general.pacman:
|
||||||
|
name:
|
||||||
|
- syncthing
|
||||||
|
- python-lxml
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Create file management group
|
||||||
|
group:
|
||||||
|
name: "{{ syncthing_group }}"
|
||||||
|
|
||||||
|
- name: Add unpriviledged user to file management group
|
||||||
|
user:
|
||||||
|
name: "{{ username }}"
|
||||||
|
append: yes
|
||||||
|
groups: "{{ syncthing_group }}"
|
||||||
|
|
||||||
|
- name: Create syncthing user
|
||||||
|
user:
|
||||||
|
name: "{{ syncthing_user }}"
|
||||||
|
home: "{{ syncthing_home }}"
|
||||||
|
group: "{{ syncthing_group }}"
|
||||||
|
|
||||||
|
- name: Enable syncthing service
|
||||||
|
systemd:
|
||||||
|
name: syncthing@syncthing
|
||||||
|
enabled: yes
|
||||||
|
state: started
|
||||||
|
|
||||||
|
- name: Wait for configuration file to be created
|
||||||
|
wait_for:
|
||||||
|
path: "{{ syncthing_home }}/.config/syncthing/config.xml"
|
||||||
|
|
||||||
|
- name: Configure globalannounce
|
||||||
|
xml:
|
||||||
|
file: "{{ syncthing_home }}/.config/syncthing/config.xml"
|
||||||
|
xpath: "/configuration/options/globalAnnounceEnabled"
|
||||||
|
value: "{{ syncthing_globalannounce | lower}}"
|
||||||
|
notify:
|
||||||
|
- Restart syncthing
|
||||||
|
|
||||||
|
- name: Configure localannounce
|
||||||
|
xml:
|
||||||
|
file: "{{ syncthing_home }}/.config/syncthing/config.xml"
|
||||||
|
xpath: "/configuration/options/localAnnounceEnabled"
|
||||||
|
value: "{{ syncthing_localannounce | lower}}"
|
||||||
|
notify:
|
||||||
|
- Restart syncthing
|
||||||
|
|
||||||
|
- name: Configure listen address
|
||||||
|
xml:
|
||||||
|
file: "{{ syncthing_home }}/.config/syncthing/config.xml"
|
||||||
|
xpath: "/configuration/options/listenAddress"
|
||||||
|
value: "{{ syncthing_listen }}"
|
||||||
|
notify:
|
||||||
|
- Restart syncthing
|
||||||
|
|
||||||
|
- name: Configure gui address
|
||||||
|
xml:
|
||||||
|
file: "{{ syncthing_home }}/.config/syncthing/config.xml"
|
||||||
|
xpath: "/configuration/gui/address"
|
||||||
|
value: "{{ syncthing_guiaddress }}"
|
||||||
|
notify:
|
||||||
|
- Restart syncthing
|
||||||
|
|
||||||
|
- name: Configure gui user
|
||||||
|
xml:
|
||||||
|
file: "{{ syncthing_home }}/.config/syncthing/config.xml"
|
||||||
|
xpath: "/configuration/gui/user"
|
||||||
|
value: "{{ syncthing_gui_user }}"
|
||||||
|
notify:
|
||||||
|
- Restart syncthing
|
||||||
|
|
||||||
|
- name: Configure gui password
|
||||||
|
xml:
|
||||||
|
file: "{{ syncthing_home }}/.config/syncthing/config.xml"
|
||||||
|
xpath: "/configuration/gui/password"
|
||||||
|
value: "{{ syncthing_gui_pass | password_hash('bcrypt', syncthing_gui_salt) }}"
|
||||||
|
notify:
|
||||||
|
- Restart syncthing
|
||||||
|
|
||||||
|
- name: Warn if gui password is empty
|
||||||
|
fail:
|
||||||
|
msg: "Syncthing has no configured password!"
|
||||||
|
when: syncthing_gui_pass is not defined or syncthing_gui_pass == ''
|
||||||
|
|
||||||
|
- name: Get API key
|
||||||
|
xml:
|
||||||
|
file: "{{ syncthing_home }}/.config/syncthing/config.xml"
|
||||||
|
xpath: "/configuration/gui/apikey"
|
||||||
|
content: text
|
||||||
|
register: api_key
|
||||||
|
|
||||||
|
- meta: flush_handlers
|
||||||
|
|
||||||
|
- name: Delete default Syncthing folder
|
||||||
|
uri:
|
||||||
|
url: "http://{{ syncthing_guiaddress }}/rest/config/folders/default"
|
||||||
|
method: DELETE
|
||||||
|
return_content: yes
|
||||||
|
headers:
|
||||||
|
X-API-Key: "{{ api_key.matches[0].apikey }}"
|
||||||
|
|
||||||
|
- name: Add known syncthing devices
|
||||||
|
uri:
|
||||||
|
url: "http://{{ syncthing_guiaddress }}/rest/config/devices"
|
||||||
|
method: PUT
|
||||||
|
return_content: yes
|
||||||
|
body_format: json
|
||||||
|
headers:
|
||||||
|
X-API-Key: "{{ api_key.matches[0].apikey }}"
|
||||||
|
body: "{{ syncthing_devices }}"
|
||||||
|
|
||||||
|
- name: Set default folder settings
|
||||||
|
uri:
|
||||||
|
url: "http://{{ syncthing_guiaddress }}/rest/config/defaults/folder"
|
||||||
|
method: PATCH
|
||||||
|
return_content: yes
|
||||||
|
body_format: json
|
||||||
|
body: "{{ syncthing_defaults.folder }}"
|
||||||
|
headers:
|
||||||
|
X-API-Key: "{{ api_key.matches[0].apikey }}"
|
||||||
|
|
||||||
|
- name: Add syncthing folders
|
||||||
|
uri:
|
||||||
|
url: "http://{{ syncthing_guiaddress }}/rest/config/folders"
|
||||||
|
method: PUT
|
||||||
|
return_content: yes
|
||||||
|
body_format: json
|
||||||
|
headers:
|
||||||
|
X-API-Key: "{{ api_key.matches[0].apikey }}"
|
||||||
|
body: "{{ syncthing_folders }}"
|
5
run.yml
5
run.yml
@ -65,6 +65,11 @@
|
|||||||
- mail
|
- mail
|
||||||
when: enable_mail
|
when: enable_mail
|
||||||
|
|
||||||
|
- role: services/syncthing
|
||||||
|
tags:
|
||||||
|
- syncthing
|
||||||
|
when: enable_syncthing
|
||||||
|
|
||||||
# Main SSL certificate (with Let's Encrypt)
|
# Main SSL certificate (with Let's Encrypt)
|
||||||
- role: networking/ssl
|
- role: networking/ssl
|
||||||
tags:
|
tags:
|
||||||
|
Reference in New Issue
Block a user