Syncthing: Add relaysrv with nftables forwarding to unprivileged port.

2024-02-19 11:03:16 +01:00 · 2024-02-19 11:03:16 +01:00 · feebb53402
commit feebb53402
parent 8b8e7505eb
3 changed files with 34 additions and 5 deletions
--- a/env.yml
+++ b/env.yml
@ -59,6 +59,8 @@ ports:
  searxng: 8083
  synapse: 8008
  syncthing_discosrv: 8443
+  # Public port, forwarded to 22067 by nftables
+  syncthing_relaysrv: 143
  syncthing_webui: 8384
  syncthing_tcp: 5432
  syncthing_udp: 22000
@ -78,6 +80,7 @@ users:
  synapse_postgres: 70
  syncthing: 1001
  syncthing_discosrv: 1002
+  syncthing_relaysrv: 1003
  vaultwarden: 1000


--- a/roles/nftables/templates/nftables.conf
+++ b/roles/nftables/templates/nftables.conf
@ -2,6 +2,14 @@

 flush ruleset

+# Forward Syncthing relay traffic from port {{ ports['syncthing_relaysrv'] }} to 22067
+table inet nat {
+    chain prerouting {
+        type nat hook prerouting priority dstnat;
+        iif eth0 tcp dport {{ ports['syncthing_relaysrv'] }} redirect to :22067
+    }
+}
+
 table inet filter {
 	chain input {
 		type filter hook input priority 0; policy drop;
@ -22,7 +30,7 @@ table inet filter {
 		tcp dport 995 limit rate 15/minute accept

 		# Syncthing
-		tcp dport {{ ports['syncthing_tcp'] }} limit rate 5/second accept
+		tcp dport { {{ ports['syncthing_tcp'] }}, 22067 } limit rate 5/second accept
 		udp dport {{ ports['syncthing_udp'] }} limit rate 5/second accept

 		# Coturn
--- a/roles/syncthing/templates/docker-compose.yaml
+++ b/roles/syncthing/templates/docker-compose.yaml
@ -18,11 +18,8 @@ services:
    image: syncthing/discosrv:latest
    container_name: syncthing-discosrv
    restart: always
-    entrypoint:
-      - "/bin/entrypoint.sh"
-      - "/bin/stdiscosrv"
+    command:
      - "-http"
-      - "-debug"
    environment:
      - PUID={{ users['syncthing_discosrv'] }}
      - PGID={{ users['syncthing_discosrv'] }}
@ -31,5 +28,26 @@ services:
    ports:
      - 127.0.0.1:{{ ports['syncthing_discosrv'] }}:8443
 
+  strelaysrv:
+    image: syncthing/relaysrv:latest
+    container_name: syncthing-relaysrv
+    restart: always
+    command:
+      - '-ext-address=:{{ ports["syncthing_relaysrv"] }}'
+      - '-pools='
+    environment:
+      - PUID={{ users['syncthing_relaysrv'] }}
+      - PGID={{ users['syncthing_relaysrv'] }}
+    networks:
+      - relaysrv
+    ports:
+      - 22067:22067
+    volumes:
+      - strelaysrv:/var/strelaysrv
+
 networks:
  discosrv:
+  relaysrv:
+
+volumes:
+  strelaysrv: