From 77a7b20751715ee28ed422e43c2334432be2a735 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Mon, 10 Jul 2023 00:18:26 +0200
Subject: [PATCH] add syncthing stack
---
ansible/playbooks/stacks.yml | 1 +
ansible/roles/syncthing/cert.pem | 45 +++++
ansible/roles/syncthing/config.xml.j2 | 189 ++++++++++++++++++++
ansible/roles/syncthing/docker-stack.yml.j2 | 62 +++++++
ansible/roles/syncthing/key.pem | 20 +++
ansible/roles/syncthing/tasks/main.yml | 29 +++
ansible/roles/syncthing/vars/main.yml | 34 ++++
7 files changed, 380 insertions(+)
create mode 100644 ansible/roles/syncthing/cert.pem
create mode 100644 ansible/roles/syncthing/config.xml.j2
create mode 100644 ansible/roles/syncthing/docker-stack.yml.j2
create mode 100644 ansible/roles/syncthing/key.pem
create mode 100644 ansible/roles/syncthing/tasks/main.yml
create mode 100644 ansible/roles/syncthing/vars/main.yml
diff --git a/ansible/playbooks/stacks.yml b/ansible/playbooks/stacks.yml
index 97a8d38..08378d8 100644
--- a/ansible/playbooks/stacks.yml
+++ b/ansible/playbooks/stacks.yml
@@ -18,3 +18,4 @@
 # - {role: jitsi, tags: jitsi}
 - {role: pihole, tags: pihole}
 - {role: nextcloud, tags: nextcloud}
+ - {role: syncthing, tags: syncthing}
diff --git a/ansible/roles/syncthing/cert.pem b/ansible/roles/syncthing/cert.pem
new file mode 100644
index 0000000..eeb08f2
--- /dev/null
+++ b/ansible/roles/syncthing/cert.pem
@@ -0,0 +1,45 @@
+$ANSIBLE_VAULT;1.1;AES256
+37326262373466303939623263623234616338316165316466656131326339306233303834396263
+3139663539356264323038306635363934363364653437350a666438396563643339353765306131
+39653434373966346166323938666364323562313334323262643666373463623536363635643163
+3430353230326634320a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
diff --git a/ansible/roles/syncthing/config.xml.j2 b/ansible/roles/syncthing/config.xml.j2
new file mode 100644
index 0000000..1920a68
--- /dev/null
+++ b/ansible/roles/syncthing/config.xml.j2
@@ -0,0 +1,189 @@ + + {% for folder in st.folders %} + + basic + {% for device in folder.devices %} + + + + {% endfor %} + + + + 1 + + 3600 + + basic + + 0 + 0 + 0 + random + false + 0 + 0 + 10 + false + false + false + 25 + .stfolder + false + 0 + 2 + false + standard + standard + false + false + false + false + false + false + + 1024 + 4096 + + + {% endfor %} + {% for peer in st.peers %} + +
dynamic
+ false + false + 0 + 0 + 0 + false + 0 +
+ {% endfor %} + +
dynamic
+ false + false + 0 + 0 + 0 + false + 0 +
+ +
{{ st.gui.address }}
+ {{ st.gui.user }} + {{ st.gui.password }} + {{ st.gui.apikey }} + {{ st.gui.theme }} +
+ + + default + default + true + true + 21027 + [ff12::8384]:21027 + 0 + 0 + 60 + true + 10 + true + true + 60 + 30 + 10 + 3 + 3 + + https://data.syncthing.net/newdata + false + 1800 + 12 + false + 24 + false + 5 + false + 1 + https://upgrades.syncthing.net/meta.json + false + 10 + 0 + true + 0 + https://crash.syncthing.net/newcrash + true + 180 + 20 + default + auto + 0 + true + false + 0 + 0 + false + 10 + 20 + 30 + 40 + 50 + 0 + + + + basic + + + + 1 + + 3600 + + basic + + 0 + 0 + 0 + random + false + 0 + 0 + 10 + false + false + false + 25 + .stfolder + false + 0 + 2 + false + standard + standard + false + false + false + false + false + false + + 1024 + 4096 + + + +
dynamic
+ false + false + 0 + 0 + 0 + false + 0 +
+ +
+
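Review bot: `{{ st.gui.user }}`, `{{ st.gui.password }}` and `{{ st.gui.apikey }}` in config.xml.j2 are written into the XML without escaping, so a value containing `&` or `<` would render a malformed config.xml; Ansible's Jinja environment does not autoescape. `{{ st.gui.password | e }}`, with the same filter on the other interpolated values, keeps the file well-formed whatever the vaulted values contain. The element markup of this hunk is not visible in this view, so the placement of each value is inferred from the variable names.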
diff --git a/ansible/roles/syncthing/docker-stack.yml.j2 b/ansible/roles/syncthing/docker-stack.yml.j2
new file mode 100644
index 0000000..6701dd2
--- /dev/null
+++ b/ansible/roles/syncthing/docker-stack.yml.j2
@@ -0,0 +1,62 @@
+# vi: ft=yaml
+version: "3"
+
+networks:
+ traefik:
+ external: true
+
+configs:
+ config:
+ external: true
+ name: "{{ config.config_name }}"
+ private_key:
+ external: true
+ name: "{{ key.config_name }}"
+ certificate:
+ external: true
+ name: "{{ cert.config_name }}"
+
+volumes:
+ nextcloud_data:
+ driver_opts:
+ type: "nfs"
+ o: "addr=192.168.30.10,nolock,soft,rw"
+ device: ":/mnt/data/nextcloud/data"
+
+services:
+ syncthing:
+ image: lscr.io/linuxserver/syncthing:1.23.6
+ networks:
+ - traefik
+ deploy:
+ labels:
+ - traefik.enable=true
+ - traefik.docker.network=traefik
+
+ - traefik.http.routers.syncthing.entrypoints=localsecure
+ - traefik.http.routers.syncthing.rule=Host(`sync.kun.is`)
+ - traefik.http.routers.syncthing.service=syncthing
+ - traefik.http.routers.syncthing.tls=true
+ - traefik.http.routers.syncthing.tls.certresolver=letsencrypt
+ - traefik.http.services.syncthing.loadbalancer.server.port=8384
+ environment:
+ - PUID=33
+ - PGID=33
+ - TZ=Europe/Amsterdam
+ volumes:
+ - type: volume
+ source: nextcloud_data
+ target: /data
+ volume:
+ nocopy: true
+ configs:
+ - source: config
+ target: /config/config.xml
+ - source: private_key
+ target: /config/key.pem
+ uid: '33'
+ gid: '33'
+ - source: certificate
+ target: /config/cert.pem
+ uid: '33'
+ gid: '33'
diff --git a/ansible/roles/syncthing/key.pem b/ansible/roles/syncthing/key.pem
new file mode 100644
index 0000000..d858202
--- /dev/null
+++ b/ansible/roles/syncthing/key.pem
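Review bot: In docker-stack.yml.j2 the Syncthing private key reaches the service as a Swarm config (`private_key` under `configs:`, mounted at `/config/key.pem`), and configs are not encrypted at rest and are mounted with mode 0444 by default, so the key is readable by every user in the container. A Swarm secret fits better: declare the key under a top-level `secrets:` block, reference it from the service's `secrets:` list, and add `mode: 0400` next to the existing `uid: '33'` / `gid: '33'`. The same applies to the `config` entry, since the rendered config.xml carries the GUI password and API key. The `docker_config` tasks in ansible/roles/syncthing/tasks/main.yml that create these objects would change with it, `docker_secret` being the counterpart module.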
@@ -0,0 +1,20 @@
+$ANSIBLE_VAULT;1.1;AES256
+31373963666334633437386361353532396162653439373964333935643065383836383537336238
+3065306235363835343330393366326630383163633664300a653635653932663566376165623030
+33666262643032383764343134326439363536353439363134353432373263316164373139633838
+6336363735333862360a386235366434656336333762343330633030613437626262353934636163
+38376431343934373637343631373962653262613766393561383631303563383935616630663833
+62363533616235303834376233663033373531666632313237303661653265613061373131646266
+31643839386134383934623632336538386462626261613039306432366564616162366435363331
+34663464386630373134346264386334376334336363623137363831326338323234373662653932
+33373331663065336230313731303139653036646261643535393662633165356632306536393530
+30363066373064353936313461663235386465323734636263323063333365633066633736336436
+38623966353634356636343833653131646131633536383339663433306130386461303735323632
+64646465373533306266353932653561623363396137383532373734653462346239646562353136
+64313539383566663939663734333565643637376239383337363066373639613934303633343762
+37646565666635363231396139326536356533343065333731656363613731333136636561376430
+35356432373537363034653231636465303135363534323766333530353433663462653837643162
+39616664636464343435643039646362336634333561356438386262653231323033343662383138
+66633534336232663438666632373966613335396639383836666333656235376339343538313838
+39356165323361386535306664643537363764393365363639366637343332306537653962396339
+323030323036393662646636303330666561
diff --git a/ansible/roles/syncthing/tasks/main.yml b/ansible/roles/syncthing/tasks/main.yml
new file mode 100644
index 0000000..af3b970
--- /dev/null
+++ b/ansible/roles/syncthing/tasks/main.yml
@@ -0,0 +1,29 @@
+- name: Create cert.pem config
+ docker_config:
+ name: syncthing_cert
+ data: "{{ lookup('file', '{{ role_path }}/cert.pem') }}"
+ use_ssh_client: true
+ rolling_versions: true
+ register: cert
+
+- name: Create key.pem config
+ docker_config:
+ name: syncthing_key
+ data: "{{ lookup('file', '{{ role_path }}/key.pem') }}"
+ use_ssh_client: true
+ rolling_versions: true
+ register: key
+
+- name: Create config.xml config
+ docker_config:
+ name: syncthing_config
+ data: "{{ lookup('template', '{{ role_path }}/config.xml.j2') }}"
+ use_ssh_client: true
+ rolling_versions: true
+ register: config
+
+- name: Deploy Docker stack
+ docker_stack:
+ name: syncthing
+ compose:
+ - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
diff --git a/ansible/roles/syncthing/vars/main.yml b/ansible/roles/syncthing/vars/main.yml
new file mode 100644
index 0000000..1e1abcb
--- /dev/null
+++ b/ansible/roles/syncthing/vars/main.yml
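Review bot: In tasks/main.yml the `Create key.pem config` and `Create config.xml config` tasks pass decrypted vault material through `data:` without `no_log: true`, so unless the module masks that field, the private key and the rendered GUI password and API key can appear in verbose output and in log callbacks. Adding `no_log: true` to both tasks closes that. Separately, `'{{ role_path }}/key.pem'` nests a template inside an expression that is already templated. `lookup('file', role_path ~ '/key.pem')` gives the same path without relying on the lookup re-templating its argument, and the other three lookups can take the same form.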
@@ -0,0 +1,34 @@
+st:
+ server:
+ id: "IGS4TYV-TQ6X2CG-OE3M2RE-DKZWKQZ-HEKIGHT-C6EIGHL-CBP2ULE-M3WZ7QC"
+ name: "dd219859eab5"
+ gui:
+ address: "127.0.0.1:8384"
+ user: pim
+ password: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 66383234373561373935313863393338623331393233626635653637383734623539376633326561
+ 3464633966383864306131383334633633356363636163300a393562383730613934613439663431
+ 63653465316130626232663132626466643164313830613933363535336634313164386162643839
+ 6235303662633931390a313230363636656639653531636131333862356363663535313133663138
+ 38356566656161646636313766353937373433663631636265303464633437303464396537663264
+ 66326530313661636264336634613633316462343034386134636365383736636436613065323236
+ 323933363666353232393635376136363239
+ apikey: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31633162323338303133353838613336623961626635623165626335353263336130393166666535
+ 3763336662326336333436333635656230393838366163660a393737303132373466633265306433
+ 66336636666132373235646638653130633263343532353831653533656538663038326463306232
+ 3132646634376166620a663339346239643561616362333036633363396263323761663134373630
+ 30613730373131636262636266623363663561363863323938613832393864396633656664356534
+ 3563626633643766643339316132383434303538636666623934
+ theme: default
+ peers:
+ - id: "B4Y7T5D-PHHDOFH-ZZ4VGOK-YNJINJG-VCYC272-PIE24XA-XJ5HSOD-DF3T6AJ"
+ name: "Pixel 4a"
+ folders:
+ - id: "rthas-wdjsw"
+ label: "pim"
+ path: "/data/data/pim/files"
+ devices:
+ - "B4Y7T5D-PHHDOFH-ZZ4VGOK-YNJINJG-VCYC272-PIE24XA-XJ5HSOD-DF3T6AJ"
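Review bot: `address: "127.0.0.1:8384"` in vars/main.yml binds the GUI to the container's loopback interface, while docker-stack.yml.j2 in this commit points Traefik at `loadbalancer.server.port=8384` over the `traefik` network, so the `sync.kun.is` route will presumably never reach the listener. If the GUI is meant to be served through Traefik, the listen address has to be a non-loopback one such as `0.0.0.0:8384`. Every service attached to the `traefik` network can then reach the GUI, which leaves the vaulted `password` and `apikey` as the only gate. It is also worth confirming that `password` holds a bcrypt hash rather than the plain password, since it is rendered into config.xml as is.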