Syncthing: Add relaysrv with nftables forwarding to unprivileged port.

This commit is contained in:
Viyurz 2024-02-19 11:03:16 +01:00
parent 8b8e7505eb
commit feebb53402
3 changed files with 34 additions and 5 deletions


@ -59,6 +59,8 @@ ports:
searxng: 8083 searxng: 8083
synapse: 8008 synapse: 8008
syncthing_discosrv: 8443 syncthing_discosrv: 8443
# Public port, forwarded to 22067 by nftables
syncthing_relaysrv: 143
syncthing_webui: 8384 syncthing_webui: 8384
syncthing_tcp: 5432 syncthing_tcp: 5432
syncthing_udp: 22000 syncthing_udp: 22000
@ -78,6 +80,7 @@ users:
synapse_postgres: 70 synapse_postgres: 70
syncthing: 1001 syncthing: 1001
syncthing_discosrv: 1002 syncthing_discosrv: 1002
syncthing_relaysrv: 1003
vaultwarden: 1000 vaultwarden: 1000
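Review bot: The comment above the new `syncthing_relaysrv: 143` entry should say what that port choice implies: 143 is the IANA IMAP port, and the firewall template in this same commit already accepts a mail port (`tcp dport 995` is visible there), so any later IMAP listener on this host would be shadowed on eth0 by the relay redirect. Suggested wording: `# Public relay port (note: 143 is the IANA IMAP port); nftables redirects eth0 traffic on it to 22067, where strelaysrv listens`. The new `syncthing_relaysrv: 1003` uid follows the existing numbering and needs no change.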


@ -2,6 +2,14 @@
flush ruleset flush ruleset
# Forward Syncthing relay traffic from port {{ ports['syncthing_relaysrv'] }} to 22067
table inet nat {
chain prerouting {
type nat hook prerouting priority dstnat;
iif eth0 tcp dport {{ ports['syncthing_relaysrv'] }} redirect to :22067
}
}
table inet filter { table inet filter {
chain input { chain input {
type filter hook input priority 0; policy drop; type filter hook input priority 0; policy drop;
@ -22,7 +30,7 @@ table inet filter {
tcp dport 995 limit rate 15/minute accept tcp dport 995 limit rate 15/minute accept
# Syncthing # Syncthing
tcp dport {{ ports['syncthing_tcp'] }} limit rate 5/second accept tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } limit rate 5/second accept
udp dport {{ ports['syncthing_udp'] }} limit rate 5/second accept udp dport {{ ports['syncthing_udp'] }} limit rate 5/second accept
# Coturn # Coturn
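Review bot: The new input rule `tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } limit rate 5/second accept` accepts 22067 whether or not the packet arrived through the new prerouting redirect, so the relay is reachable directly on 22067 as well as on the public port, and both ports now share a single `limit rate 5/second` budget with the syncthing_tcp port. If only the redirected path is intended, keep the original line for syncthing_tcp and add a separate rule that matches the DNAT state, `tcp dport 22067 ct status dnat limit rate 5/second accept`, which also gives the relay its own rate budget. The comment on the nat table says "Forward", but `redirect` is a DNAT to the host's own address; I would word it `# Redirect (DNAT to local) Syncthing relay traffic from port {{ ports['syncthing_relaysrv'] }} to 22067`. Note too that the `flush ruleset` at the top of this file would remove any rules Docker installs for the newly published 22067 port when the script is reloaded, if Docker manages the host firewall here; that predates this change, but the relay container now depends on that interaction, so it is worth a comment.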


@ -18,11 +18,8 @@ services:
image: syncthing/discosrv:latest image: syncthing/discosrv:latest
container_name: syncthing-discosrv container_name: syncthing-discosrv
restart: always restart: always
entrypoint: command:
- "/bin/entrypoint.sh"
- "/bin/stdiscosrv"
- "-http" - "-http"
- "-debug"
environment: environment:
- PUID={{ users['syncthing_discosrv'] }} - PUID={{ users['syncthing_discosrv'] }}
- PGID={{ users['syncthing_discosrv'] }} - PGID={{ users['syncthing_discosrv'] }}
@ -31,5 +28,26 @@ services:
ports: ports:
- 127.0.0.1:{{ ports['syncthing_discosrv'] }}:8443 - 127.0.0.1:{{ ports['syncthing_discosrv'] }}:8443
strelaysrv:
image: syncthing/relaysrv:latest
container_name: syncthing-relaysrv
restart: always
command:
- '-ext-address=:{{ ports["syncthing_relaysrv"] }}'
- '-pools='
environment:
- PUID={{ users['syncthing_relaysrv'] }}
- PGID={{ users['syncthing_relaysrv'] }}
networks:
- relaysrv
ports:
- 22067:22067
volumes:
- strelaysrv:/var/strelaysrv
networks: networks:
discosrv: discosrv:
relaysrv:
volumes:
strelaysrv:
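Review bot: The new `- 22067:22067` mapping on strelaysrv publishes the port on all host addresses, unlike discosrv just above which binds `127.0.0.1:`; that is presumably needed because the nftables `redirect` rewrites the destination to the host's interface address rather than loopback, but the mapping should say so and be quoted as a string per Compose convention: `- "22067:22067"  # bound to all addresses on purpose: the nftables redirect from the public port targets the host's eth0 address`. If Docker installs its own forwarding rules on this host, traffic to the published port may bypass the `inet filter input` chain entirely, so the firewall's accept rule for 22067 should not be taken as the only control on that exposure — confirm against the running ruleset. As far as I know strelaysrv's flags, `-pools=` with an empty value keeps the relay out of the public relay pool; a comment `# empty -pools: private relay, not announced to the public pool` would make that intent explicit.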