Add SSL config for Syncthing

Jeremy Dormitzer 2020-12-31 11:04:47 -05:00
parent 61cdfe3f68
commit cf13344168
5 changed files with 106 additions and 10 deletions


@ -1,6 +1,13 @@
.PHONY: packer
.PHONY: packer reissue-certs
packer: syncthing-config.xml syncthing.json syncthing-cert.pem syncthing-key.pem certbot/live/syncthing.jeremydormitzer.com/fullchain.pem certbot/live/syncthing.jeremydormitzer.com/privkey.pem
packer-manifest.json: syncthing-config.xml \
syncthing.json \
syncthing.conf \
syncthing@.service \
syncthing-cert.pem \
syncthing-key.pem \
certbot/live/syncthing.jeremydormitzer.com/fullchain.pem \
certbot/live/syncthing.jeremydormitzer.com/privkey.pem
packer build syncthing.json
syncthing-config.xml: syncthing-config.xml.template
@ -13,8 +20,20 @@ syncthing-key.pem: syncthing-key.pem.template
sigil -p -f syncthing-key.pem.template > syncthing-key.pem
certbot/live/syncthing.jeremydormitzer.com/fullchain.pem certbot/live/syncthing.jeremydormitzer.com/privkey.pem &: do.ini
certbot certonly -n --agree-tos --email ${CERTBOT_EMAIL} --dns-digitalocean --dns-digitalocean-credentials do.ini --config-dir ./certbot --work-dir ./certbot --logs-dir ./certbot -d syncthing.jeremydormitzer.com
certbot certonly -n \
--agree-tos \
--email ${CERTBOT_EMAIL} \
--dns-digitalocean \
--dns-digitalocean-credentials do.ini \
--config-dir ./certbot \
--work-dir ./certbot \
--logs-dir ./certbot \
-d syncthing.jeremydormitzer.com
do.ini: do.ini.template
sigil -p -f do.ini.template > do.ini
chmod 600 do.ini
reissue-certs:
rm -rf certbot
make
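Review bot: `.PHONY: packer reissue-certs` still declares `packer` phony, but the rule it named is now `packer-manifest.json:`, so the `packer` entry is stale unless a `packer` rule survives outside the hunk; `.PHONY: reissue-certs` (or an explicit alias `packer: packer-manifest.json`) would match the new target. The `reissue-certs` recipe also calls the sub-build as a literal `make`, which does not propagate the jobserver, `-n` or command-line variables; use `$(MAKE)`. Finally, `--email ${CERTBOT_EMAIL}` expands to nothing when the variable is unset and `--email` then swallows `--dns-digitalocean`, so a first recipe line `$(if $(strip $(CERTBOT_EMAIL)),,$(error CERTBOT_EMAIL must be set))` gives a clear failure instead; the `&:` grouped target is a GNU Make 4.3 feature, which is worth a comment on that rule.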


@ -0,0 +1,41 @@
{
"builds": [
{
"name": "digitalocean",
"builder_type": "digitalocean",
"build_time": 1609427687,
"files": null,
"artifact_id": "nyc1:76122293",
"packer_run_uuid": "b8b05181-f2b2-fd24-8231-64db6a8ee83e",
"custom_data": null
},
{
"name": "digitalocean",
"builder_type": "digitalocean",
"build_time": 1609428815,
"files": null,
"artifact_id": "nyc1:76122707",
"packer_run_uuid": "6f564392-0dbc-1643-e857-1dffe292f182",
"custom_data": null
},
{
"name": "digitalocean",
"builder_type": "digitalocean",
"build_time": 1609429797,
"files": null,
"artifact_id": "nyc1:76123038",
"packer_run_uuid": "3476cdcc-3e08-7ede-8348-379491435681",
"custom_data": null
},
{
"name": "digitalocean",
"builder_type": "digitalocean",
"build_time": 1609430273,
"files": null,
"artifact_id": "nyc1:76123201",
"packer_run_uuid": "e61d396f-483d-ad37-8f9f-ba0b436e2c53",
"custom_data": null
}
],
"last_run_uuid": "e61d396f-483d-ad37-8f9f-ba0b436e2c53"
}


@ -1,8 +1,26 @@
server {
listen 80;
listen [::]:80;
location / {
proxy_pass http://127.0.0.1:8384;
}
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate /home/syncthing/.config/syncthing/https-cert.pem;
ssl_certificate_key /home/syncthing/.config/syncthing/https-key.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
}
server {
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
}
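Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` on the new 443 listener enables TLS 1.0 and 1.1, which are deprecated (RFC 8996), and the `ssl_ciphers` list keeps 3DES (`DES-CBC3-SHA` and the `*-DES-CBC3-SHA` entries) plus non-forward-secret CBC suites such as `AES128-SHA`; this only fronts the Syncthing GUI, so there is no legacy-client reason to keep them. The change would be `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 needs an nginx linked against OpenSSL 1.1.1 or later — confirm what the image's apt-get supplies) and an `ssl_ciphers` line trimmed to the ECDHE/DHE GCM and CHACHA20 suites already at the front of the list. `ssl_session_timeout 1440m;` is also long for a 1m shared cache; nginx's default is 5m, and a short comment on why a day was chosen would help if it is deliberate.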


@ -63,15 +63,33 @@
"source": "syncthing.conf",
"destination": "/tmp/syncthing.conf"
},
{
"type": "file",
"source": "certbot/live/syncthing.jeremydormitzer.com/fullchain.pem",
"destination": "/tmp/https-cert.pem"
},
{
"type": "file",
"source": "certbot/live/syncthing.jeremydormitzer.com/privkey.pem",
"destination": "/tmp/https-key.pem"
},
{
"type": "shell",
"inline": [
"sudo apt-get install -y nginx",
"sudo mv /tmp/syncthing.conf /etc/nginx/sites-available/syncthing.conf",
"sudo mv /tmp/https-cert.pem /home/syncthing/.config/syncthing/https-cert.pem",
"sudo mv /tmp/https-key.pem /home/syncthing/.config/syncthing/https-key.pem",
"sudo chown -R syncthing:syncthing /home/syncthing/.config/syncthing",
"sudo ln -s /etc/nginx/sites-available/syncthing.conf /etc/nginx/sites-enabled/",
"sudo unlink /etc/nginx/sites-enabled/default",
"sudo systemctl enable nginx"
]
}
],
"post-processors": [
{
"type": "manifest"
}
]
}
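Review bot: The shell provisioner moves the Let's Encrypt private key into place and `chown -R`s the directory but never restricts its mode, so `https-key.pem` keeps whatever mode the file provisioner gave it on upload (likely 0644 — verify) and sits world-readable in /tmp until the `mv`; add `"sudo chmod 600 /home/syncthing/.config/syncthing/https-key.pem",` after the chown line. The key and certificate are also baked into the snapshot, so every droplet built from it shares them and they are only replaced by the Makefile's reissue path; with Let's Encrypt's 90-day lifetime that is a renewal gap to plan for unless a renewal timer is set up elsewhere in the template. `sudo apt-get install -y nginx` is not preceded by `apt-get update` in this hunk; if the earlier provisioners (outside the hunk) do not refresh the package lists, the install can fail on a stale base image.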


@ -4,10 +4,6 @@ provider "digitalocean" {
spaces_secret_key = var.spaces_secret_key
}
data "digitalocean_image" "syncthing" {
name = "syncthing-packer-1609384536"
}
data "terraform_remote_state" "do_ssh_keys" {
backend = "s3"
@ -25,7 +21,7 @@ data "terraform_remote_state" "do_ssh_keys" {
resource "digitalocean_droplet" "syncthing" {
name = "syncthing"
image = data.digitalocean_image.syncthing.id
image = "76123201"
region = "nyc1"
size = "s-1vcpu-1gb"
backups = true
@ -43,4 +39,8 @@ resource "digitalocean_volume" "syncthing_volume" {
size = 100
initial_filesystem_label = "syncthing-volume"
initial_filesystem_type = "ext4"
lifecycle {
prevent_destroy = true
}
}
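Review bot: `image = "76123201"` hard-codes the snapshot id (it matches the last `artifact_id` in the new packer-manifest.json), so every `packer build` now requires a manual edit here; the droplet resource continues outside the hunk. Reading the id from the manifest keeps the two in step, e.g. `locals { manifest = jsondecode(file("${path.module}/packer-manifest.json")) }` and `image = split(":", local.manifest.builds[length(local.manifest.builds) - 1].artifact_id)[1]`, assuming the last `builds` entry is the wanted one (the `nyc1:` region prefix is stripped by the split); `jsondecode` needs Terraform 0.12+, which the `var.` expression syntax already implies. The `prevent_destroy` lifecycle on the volume is a good addition; a one-line comment stating why the volume must outlive the droplet would help the next reader.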