Put syncthing behind nginx

This commit is contained in:
Jeremy Dormitzer 2021-10-05 21:16:44 -04:00
parent 6c10b1bb97
commit f2ef1ba9f2
10 changed files with 49 additions and 101 deletions


@ -13,21 +13,6 @@ data "terraform_remote_state" "nginx" {
}
}
data "terraform_remote_state" "syncthing" {
backend = "s3"
config = {
skip_credentials_validation = true
skip_metadata_api_check = true
access_key = var.spaces_access_id
secret_key = var.spaces_secret_key
region = "us-east-1"
endpoint = "nyc3.digitaloceanspaces.com"
bucket = "jdormit-tf-state"
key = "prod/syncthing.tfstate"
}
}
data "terraform_remote_state" "freshrss" {
backend = "s3"


@ -80,7 +80,7 @@ resource "digitalocean_record" "syncthing" {
domain = digitalocean_domain.jeremydormitzer_com.name
type = "A"
name = "syncthing"
value = data.terraform_remote_state.syncthing.outputs.ip_address
value = data.terraform_remote_state.nginx.outputs.nginx_ip_address
ttl = 3600
}


@ -71,7 +71,25 @@
"artifact_id": "nyc1:93061502",
"packer_run_uuid": "d18c424a-c0cd-547f-52f8-0496f2ece79f",
"custom_data": null
},
{
"name": "digitalocean",
"builder_type": "digitalocean",
"build_time": 1633480191,
"files": null,
"artifact_id": "nyc1:93071958",
"packer_run_uuid": "522a00fb-024d-6acf-20ef-062536f7440c",
"custom_data": null
},
{
"name": "digitalocean",
"builder_type": "digitalocean",
"build_time": 1633490191,
"files": null,
"artifact_id": "nyc1:93089106",
"packer_run_uuid": "fbff41d7-ee1a-5bcf-6859-8655dc171dd9",
"custom_data": null
}
],
"last_run_uuid": "d18c424a-c0cd-547f-52f8-0496f2ece79f"
"last_run_uuid": "fbff41d7-ee1a-5bcf-6859-8655dc171dd9"
}


@ -9,7 +9,9 @@ sudo certbot certonly \
-m 'jeremy.dormitzer@gmail.com' \
--dns-digitalocean \
--dns-digitalocean-credentials ~/do.ini \
-d '*.jeremydormitzer.com'
--dns-digitalocean-propagation-seconds 30 \
-d '*.jeremydormitzer.com' \
-d 'jeremydormitzer.com'
sudo mv /tmp/nginx.conf /etc/nginx/nginx.conf
sudo mkdir -p /var/log/nginx
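Review bot: The certbot call reads the DigitalOcean API token from `~/do.ini` via `--dns-digitalocean-credentials`, and nothing in this script checks that the file exists or is readable only by its owner before the call; certbot's DNS plugins warn about loosely-permissioned credentials files, and a DigitalOcean token of this kind is, as far as I can tell, an account-wide read/write secret rather than a DNS-scoped one. Add `chmod 600 ~/do.ini` (or a `test -f ~/do.ini || exit 1` guard) ahead of `sudo certbot certonly`, and consider removing the file once the certificate and its renewal configuration are in place if renewal does not need to run on this host. The added `-d 'jeremydormitzer.com'` next to the wildcard is correct, since a wildcard does not cover the apex. The script continues outside the hunk.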


@ -2,12 +2,9 @@
packer-manifest.json: syncthing-config.xml \
syncthing.json \
syncthing.conf \
syncthing@.service \
syncthing-cert.pem \
syncthing-key.pem \
certbot/live/syncthing.jeremydormitzer.com/fullchain.pem \
certbot/live/syncthing.jeremydormitzer.com/privkey.pem
syncthing-key.pem
packer build syncthing.json
syncthing-config.xml: syncthing-config.xml.template
@ -18,22 +15,3 @@ syncthing-cert.pem: syncthing-cert.pem.template
syncthing-key.pem: syncthing-key.pem.template
sigil -p -f syncthing-key.pem.template > syncthing-key.pem
certbot/live/syncthing.jeremydormitzer.com/fullchain.pem certbot/live/syncthing.jeremydormitzer.com/privkey.pem &: do.ini
certbot certonly -n \
--agree-tos \
--email ${CERTBOT_EMAIL} \
--dns-digitalocean \
--dns-digitalocean-credentials do.ini \
--config-dir ./certbot \
--work-dir ./certbot \
--logs-dir ./certbot \
-d syncthing.jeremydormitzer.com
do.ini: do.ini.template
sigil -p -f do.ini.template > do.ini
chmod 600 do.ini
reissue-certs:
rm -rf certbot
make


@ -1 +0,0 @@
dns_digitalocean_token = ${DIGITALOCEAN_API_TOKEN:?}


@ -71,7 +71,25 @@
"artifact_id": "nyc1:85651139",
"packer_run_uuid": "c64817b6-eddc-fa4a-ed1a-9fcc47f7daae",
"custom_data": null
},
{
"name": "digitalocean",
"builder_type": "digitalocean",
"build_time": 1633471355,
"files": null,
"artifact_id": "nyc1:93062577",
"packer_run_uuid": "27dea89d-5116-3f5b-9739-98e7f191c14c",
"custom_data": null
},
{
"name": "digitalocean",
"builder_type": "digitalocean",
"build_time": 1633489816,
"files": null,
"artifact_id": "nyc1:93087880",
"packer_run_uuid": "35962fce-2bc7-25d0-0372-1fc76813715c",
"custom_data": null
}
],
"last_run_uuid": "c64817b6-eddc-fa4a-ed1a-9fcc47f7daae"
"last_run_uuid": "35962fce-2bc7-25d0-0372-1fc76813715c"
}


@ -1,26 +0,0 @@
server {
location / {
proxy_pass http://127.0.0.1:8384;
}
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate /home/syncthing/.config/syncthing/https-cert.pem;
ssl_certificate_key /home/syncthing/.config/syncthing/https-key.pem;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
}
server {
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
}


@ -14,7 +14,7 @@
"type": "shell",
"inline": [
"sudo apt-get update",
"sudo apt-get install -y bindfs",
"sudo apt-get install -y bindfs ca-certificates",
"sudo useradd -m syncthing",
"sudo mkdir -p /mnt/syncthing-volume",
"sudo mkdir -p /mnt/syncthing",
@ -46,8 +46,10 @@
{
"type": "shell",
"inline": [
"curl -s https://syncthing.net/release-key.txt | sudo apt-key add -",
"echo \"deb https://apt.syncthing.net/ syncthing stable\" | sudo tee /etc/apt/sources.list.d/syncthing.list",
"sudo update-ca-certificates",
"sudo curl -s -o /usr/share/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg",
"echo \"deb [signed-by=/usr/share/keyrings/syncthing-archive-keyring.gpg] https://apt.syncthing.net/ syncthing stable\" | sudo tee /etc/apt/sources.list.d/syncthing.list",
"printf \"Package: *\nPin: origin apt.syncthing.net\nPin-Priority: 990\n\" | sudo tee /etc/apt/preferences.d/syncthing",
"sudo apt-get update",
"sudo apt-get install -y syncthing",
"sudo mkdir -p /home/syncthing/.config/syncthing",
@ -59,34 +61,6 @@
"sudo systemctl daemon-reload",
"sudo systemctl enable syncthing@syncthing"
]
},
{
"type": "file",
"source": "syncthing.conf",
"destination": "/tmp/syncthing.conf"
},
{
"type": "file",
"source": "certbot/live/syncthing.jeremydormitzer.com/fullchain.pem",
"destination": "/tmp/https-cert.pem"
},
{
"type": "file",
"source": "certbot/live/syncthing.jeremydormitzer.com/privkey.pem",
"destination": "/tmp/https-key.pem"
},
{
"type": "shell",
"inline": [
"sudo apt-get install -y nginx",
"sudo mv /tmp/syncthing.conf /etc/nginx/sites-available/syncthing.conf",
"sudo mv /tmp/https-cert.pem /home/syncthing/.config/syncthing/https-cert.pem",
"sudo mv /tmp/https-key.pem /home/syncthing/.config/syncthing/https-key.pem",
"sudo chown -R syncthing:syncthing /home/syncthing/.config/syncthing",
"sudo ln -s /etc/nginx/sites-available/syncthing.conf /etc/nginx/sites-enabled/",
"sudo unlink /etc/nginx/sites-enabled/default",
"sudo systemctl enable nginx"
]
}
],
"post-processors": [
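Review bot: The keyring download in the second hunk, `sudo curl -s -o /usr/share/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg`, has no `-f`, so an HTTP error response exits 0 and the error body is written into the keyring; `-s` also hides the message, and the failure only surfaces later as an opaque signature error from `apt-get update`, after the priority-990 pin for apt.syncthing.net has already been installed. Use `"sudo curl -fsS -o /usr/share/keyrings/syncthing-archive-keyring.gpg https://syncthing.net/release-key.gpg",` so a non-2xx response fails the provisioner. Since image build time is the only point at which this key becomes trusted, it is also worth comparing the downloaded key's fingerprint against a known value (for example `gpg --show-keys --with-fingerprint` on the file, checked against `<EXPECTED_FINGERPRINT>` as a placeholder) rather than trusting whatever the TLS endpoint happens to serve. The move from `apt-key add` to a `signed-by=` keyring is the right direction and the new `ca-certificates` install in the first hunk is what makes the HTTPS fetch verifiable.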


@ -5,7 +5,7 @@ After=network.target
[Service]
User=%i
ExecStart=/usr/bin/syncthing -no-browser -gui-address="127.0.0.1:8384" -no-restart -logflags=0
ExecStart=/usr/bin/syncthing -no-browser -gui-address="0.0.0.0:8384" -no-restart -logflags=0
Restart=on-failure
SuccessExitStatus=3 4
RestartForceExitStatus=3 4
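Review bot: Assuming the `-gui-address="0.0.0.0:8384"` line is the new side, as the commit title and the removed local nginx config suggest, the Syncthing web GUI and REST API are now bound on every interface of the droplet rather than only to loopback, while the Terraform hunk points the `syncthing` record at `nginx_ip_address`, so the reverse proxy is on a separate host and the proxy-to-8384 hop is plain HTTP across the network. Nothing in this commit adds a firewall rule or otherwise limits who can reach 8384, so unless the droplet's firewall already restricts that port to the nginx host, the GUI is directly reachable with only Syncthing's own GUI credentials (configured in syncthing-config.xml, not shown here) in front of it. Prefer binding to the droplet's private-network address, e.g. `-gui-address="<PRIVATE_IP>:8384"` with the placeholder filled from the instance, or keep `0.0.0.0` and pair it with a DigitalOcean firewall or ufw rule allowing 8384 only from the nginx host. Either way, record the decision in the unit, for instance `# GUI bound off-loopback for the remote nginx proxy; 8384 must stay firewalled to the proxy host`. The `[Service]` section continues past the hunk.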