Put syncthing behind nginx
This commit is contained in:
parent
6c10b1bb97
commit
d10fc77af8
@ -13,21 +13,6 @@ data "terraform_remote_state" "nginx" {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
data "terraform_remote_state" "syncthing" {
|
|
||||||
backend = "s3"
|
|
||||||
|
|
||||||
config = {
|
|
||||||
skip_credentials_validation = true
|
|
||||||
skip_metadata_api_check = true
|
|
||||||
access_key = var.spaces_access_id
|
|
||||||
secret_key = var.spaces_secret_key
|
|
||||||
region = "us-east-1"
|
|
||||||
endpoint = "nyc3.digitaloceanspaces.com"
|
|
||||||
bucket = "jdormit-tf-state"
|
|
||||||
key = "prod/syncthing.tfstate"
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
data "terraform_remote_state" "freshrss" {
|
data "terraform_remote_state" "freshrss" {
|
||||||
backend = "s3"
|
backend = "s3"
|
||||||
|
|
||||||
|
@ -80,7 +80,7 @@ resource "digitalocean_record" "syncthing" {
|
|||||||
domain = digitalocean_domain.jeremydormitzer_com.name
|
domain = digitalocean_domain.jeremydormitzer_com.name
|
||||||
type = "A"
|
type = "A"
|
||||||
name = "syncthing"
|
name = "syncthing"
|
||||||
value = data.terraform_remote_state.syncthing.outputs.ip_address
|
value = data.terraform_remote_state.nginx.outputs.nginx_ip_address
|
||||||
ttl = 3600
|
ttl = 3600
|
||||||
}
|
}
|
||||||
|
|
||||||
|
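Review bot: Pointing `syncthing.jeremydormitzer.com` at `nginx_ip_address` means the nginx upstream for the Syncthing GUI can no longer be the `127.0.0.1:8384` of the removed `syncthing.conf`; the GUI must now be reachable from the nginx droplet over the network, and that hop is plaintext HTTP unless Syncthing's own GUI TLS is enabled. Neither the new upstream address nor a firewall rule for 8384 is visible in this commit, so please confirm the Syncthing droplet only accepts 8384 from the nginx host, e.g. a `digitalocean_firewall` inbound rule with `source_addresses = [data.terraform_remote_state.nginx.outputs.nginx_ip_address]`, rather than leaving the GUI open to the internet. Also, any Syncthing device entries that address this node by the `syncthing.` hostname (sync protocol on 22000) now resolve to the nginx host; if that is the case they need a separate record or nginx must stream 22000 through.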
@ -71,7 +71,16 @@
|
|||||||
"artifact_id": "nyc1:93061502",
|
"artifact_id": "nyc1:93061502",
|
||||||
"packer_run_uuid": "d18c424a-c0cd-547f-52f8-0496f2ece79f",
|
"packer_run_uuid": "d18c424a-c0cd-547f-52f8-0496f2ece79f",
|
||||||
"custom_data": null
|
"custom_data": null
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "digitalocean",
|
||||||
|
"builder_type": "digitalocean",
|
||||||
|
"build_time": 1633480191,
|
||||||
|
"files": null,
|
||||||
|
"artifact_id": "nyc1:93071958",
|
||||||
|
"packer_run_uuid": "522a00fb-024d-6acf-20ef-062536f7440c",
|
||||||
|
"custom_data": null
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"last_run_uuid": "d18c424a-c0cd-547f-52f8-0496f2ece79f"
|
"last_run_uuid": "522a00fb-024d-6acf-20ef-062536f7440c"
|
||||||
}
|
}
|
@ -9,7 +9,9 @@ sudo certbot certonly \
|
|||||||
-m 'jeremy.dormitzer@gmail.com' \
|
-m 'jeremy.dormitzer@gmail.com' \
|
||||||
--dns-digitalocean \
|
--dns-digitalocean \
|
||||||
--dns-digitalocean-credentials ~/do.ini \
|
--dns-digitalocean-credentials ~/do.ini \
|
||||||
-d '*.jeremydormitzer.com'
|
--dns-digitalocean-propagation-seconds 30 \
|
||||||
|
-d '*.jeremydormitzer.com' \
|
||||||
|
-d 'jeremydormitzer.com'
|
||||||
|
|
||||||
sudo mv /tmp/nginx.conf /etc/nginx/nginx.conf
|
sudo mv /tmp/nginx.conf /etc/nginx/nginx.conf
|
||||||
sudo mkdir -p /var/log/nginx
|
sudo mkdir -p /var/log/nginx
|
||||||
|
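Review bot: `~/do.ini` holds the DigitalOcean API token certbot uses for DNS-01 and must stay on the host for renewals, but nothing in this hunk restricts its permissions; unless an earlier line in the script does so, add `chmod 600 ~/do.ini` before the `certbot certonly` call, since the plugin only warns on world-readable credentials and a DigitalOcean token grants full account access, not just DNS. With two names on one certificate (`*.jeremydormitzer.com` and `jeremydormitzer.com`) certbot publishes two TXT records under the same `_acme-challenge` label; 30 seconds is a sensible starting point, but if validation fails intermittently raise `--dns-digitalocean-propagation-seconds` rather than retrying blindly. The enclosing script starts before this hunk, and the `nginx.conf` it installs is not visible here, so the TLS policy that replaced the removed `syncthing.conf` (which still allowed TLSv1/TLSv1.1 and 3DES) could not be reviewed.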
@ -2,12 +2,9 @@
|
|||||||
|
|
||||||
packer-manifest.json: syncthing-config.xml \
|
packer-manifest.json: syncthing-config.xml \
|
||||||
syncthing.json \
|
syncthing.json \
|
||||||
syncthing.conf \
|
|
||||||
syncthing@.service \
|
syncthing@.service \
|
||||||
syncthing-cert.pem \
|
syncthing-cert.pem \
|
||||||
syncthing-key.pem \
|
syncthing-key.pem
|
||||||
certbot/live/syncthing.jeremydormitzer.com/fullchain.pem \
|
|
||||||
certbot/live/syncthing.jeremydormitzer.com/privkey.pem
|
|
||||||
packer build syncthing.json
|
packer build syncthing.json
|
||||||
|
|
||||||
syncthing-config.xml: syncthing-config.xml.template
|
syncthing-config.xml: syncthing-config.xml.template
|
||||||
@ -18,22 +15,3 @@ syncthing-cert.pem: syncthing-cert.pem.template
|
|||||||
|
|
||||||
syncthing-key.pem: syncthing-key.pem.template
|
syncthing-key.pem: syncthing-key.pem.template
|
||||||
sigil -p -f syncthing-key.pem.template > syncthing-key.pem
|
sigil -p -f syncthing-key.pem.template > syncthing-key.pem
|
||||||
|
|
||||||
certbot/live/syncthing.jeremydormitzer.com/fullchain.pem certbot/live/syncthing.jeremydormitzer.com/privkey.pem &: do.ini
|
|
||||||
certbot certonly -n \
|
|
||||||
--agree-tos \
|
|
||||||
--email ${CERTBOT_EMAIL} \
|
|
||||||
--dns-digitalocean \
|
|
||||||
--dns-digitalocean-credentials do.ini \
|
|
||||||
--config-dir ./certbot \
|
|
||||||
--work-dir ./certbot \
|
|
||||||
--logs-dir ./certbot \
|
|
||||||
-d syncthing.jeremydormitzer.com
|
|
||||||
|
|
||||||
do.ini: do.ini.template
|
|
||||||
sigil -p -f do.ini.template > do.ini
|
|
||||||
chmod 600 do.ini
|
|
||||||
|
|
||||||
reissue-certs:
|
|
||||||
rm -rf certbot
|
|
||||||
make
|
|
||||||
|
@ -1 +0,0 @@
|
|||||||
dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}
|
|
@ -71,7 +71,16 @@
|
|||||||
"artifact_id": "nyc1:85651139",
|
"artifact_id": "nyc1:85651139",
|
||||||
"packer_run_uuid": "c64817b6-eddc-fa4a-ed1a-9fcc47f7daae",
|
"packer_run_uuid": "c64817b6-eddc-fa4a-ed1a-9fcc47f7daae",
|
||||||
"custom_data": null
|
"custom_data": null
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"name": "digitalocean",
|
||||||
|
"builder_type": "digitalocean",
|
||||||
|
"build_time": 1633471355,
|
||||||
|
"files": null,
|
||||||
|
"artifact_id": "nyc1:93062577",
|
||||||
|
"packer_run_uuid": "27dea89d-5116-3f5b-9739-98e7f191c14c",
|
||||||
|
"custom_data": null
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"last_run_uuid": "c64817b6-eddc-fa4a-ed1a-9fcc47f7daae"
|
"last_run_uuid": "27dea89d-5116-3f5b-9739-98e7f191c14c"
|
||||||
}
|
}
|
@ -1,26 +0,0 @@
|
|||||||
server {
|
|
||||||
|
|
||||||
location / {
|
|
||||||
proxy_pass http://127.0.0.1:8384;
|
|
||||||
}
|
|
||||||
|
|
||||||
listen [::]:443 ssl ipv6only=on;
|
|
||||||
listen 443 ssl;
|
|
||||||
|
|
||||||
ssl_certificate /home/syncthing/.config/syncthing/https-cert.pem;
|
|
||||||
ssl_certificate_key /home/syncthing/.config/syncthing/https-key.pem;
|
|
||||||
|
|
||||||
ssl_session_cache shared:le_nginx_SSL:1m;
|
|
||||||
ssl_session_timeout 1440m;
|
|
||||||
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
listen [::]:80;
|
|
||||||
return 301 https://$host$request_uri;
|
|
||||||
}
|
|
@ -14,7 +14,7 @@
|
|||||||
"type": "shell",
|
"type": "shell",
|
||||||
"inline": [
|
"inline": [
|
||||||
"sudo apt-get update",
|
"sudo apt-get update",
|
||||||
"sudo apt-get install -y bindfs",
|
"sudo apt-get install -y bindfs ca-certificates",
|
||||||
"sudo useradd -m syncthing",
|
"sudo useradd -m syncthing",
|
||||||
"sudo mkdir -p /mnt/syncthing-volume",
|
"sudo mkdir -p /mnt/syncthing-volume",
|
||||||
"sudo mkdir -p /mnt/syncthing",
|
"sudo mkdir -p /mnt/syncthing",
|
||||||
@ -46,8 +46,10 @@
|
|||||||
{
|
{
|
||||||
"type": "shell",
|
"type": "shell",
|
||||||
"inline": [
|
"inline": [
|
||||||
"curl -s https://syncthing.net/release-key.txt | sudo apt-key add -",
|
"sudo update-ca-certificates",
|
||||||
"echo \"deb https://apt.syncthing.net/ syncthing stable\" | sudo tee /etc/apt/sources.list.d/syncthing.list",
|
"sudo curl -s -o /usr/share/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg",
|
||||||
|
"echo \"deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable\" | sudo tee /etc/apt/sources.list.d/syncthing.list",
|
||||||
|
"printf \"Package: *\nPin: origin apt.syncthing.net\nPin-Priority: 990\n\" | sudo tee /etc/apt/preferences.d/syncthing",
|
||||||
"sudo apt-get update",
|
"sudo apt-get update",
|
||||||
"sudo apt-get install -y syncthing",
|
"sudo apt-get install -y syncthing",
|
||||||
"sudo mkdir -p /home/syncthing/.config/syncthing",
|
"sudo mkdir -p /home/syncthing/.config/syncthing",
|
||||||
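Review bot: `sudo curl -s -o /usr/share/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg` writes whatever the server returns, so an HTTP error page or redirect body would land in the keyring and only surface later as an `apt-get update` signature failure; use `curl -fsSL` so a non-2xx response fails the provisioner at the download step instead. The keyring gates every future `apt-get install syncthing` on this image yet is trusted solely on the TLS connection to syncthing.net; consider checking the downloaded key's fingerprint against the one Syncthing publishes, e.g. `gpg --show-keys /usr/share/keyrings/syncthing-archive-keyring.gpg | grep -q "<published fingerprint>"`, before writing the sources entry. Moving from `apt-key add` to `signed-by` is the right direction, and the `Pin: origin apt.syncthing.net` entry correctly prefers the upstream package over Ubuntu's older build.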
@ -59,34 +61,6 @@
|
|||||||
"sudo systemctl daemon-reload",
|
"sudo systemctl daemon-reload",
|
||||||
"sudo systemctl enable syncthing@syncthing"
|
"sudo systemctl enable syncthing@syncthing"
|
||||||
]
|
]
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "file",
|
|
||||||
"source": "syncthing.conf",
|
|
||||||
"destination": "/tmp/syncthing.conf"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "file",
|
|
||||||
"source": "certbot/live/syncthing.jeremydormitzer.com/fullchain.pem",
|
|
||||||
"destination": "/tmp/https-cert.pem"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "file",
|
|
||||||
"source": "certbot/live/syncthing.jeremydormitzer.com/privkey.pem",
|
|
||||||
"destination": "/tmp/https-key.pem"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"type": "shell",
|
|
||||||
"inline": [
|
|
||||||
"sudo apt-get install -y nginx",
|
|
||||||
"sudo mv /tmp/syncthing.conf /etc/nginx/sites-available/syncthing.conf",
|
|
||||||
"sudo mv /tmp/https-cert.pem /home/syncthing/.config/syncthing/https-cert.pem",
|
|
||||||
"sudo mv /tmp/https-key.pem /home/syncthing/.config/syncthing/https-key.pem",
|
|
||||||
"sudo chown -R syncthing:syncthing /home/syncthing/.config/syncthing",
|
|
||||||
"sudo ln -s /etc/nginx/sites-available/syncthing.conf /etc/nginx/sites-enabled/",
|
|
||||||
"sudo unlink /etc/nginx/sites-enabled/default",
|
|
||||||
"sudo systemctl enable nginx"
|
|
||||||
]
|
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"post-processors": [
|
"post-processors": [
|
||||||
|