From 734b1a33214bbf0474099ae0b178a2fd9134a13b Mon Sep 17 00:00:00 2001
From: sonny
Date: Wed, 12 Mar 2025 22:36:46 +0100
Subject: [PATCH] Update syncthing setup
---
 tasks/syncthing.yml | 77 ++++++++++--
 templates/network/hosts.j2 | 16 +-
 templates/nftables.j2 | 20 ++--
 templates/syncthing.j2 | 164 --------------------------
 templates/syncthing/config.j2 | 153 ++++++++++++++++++++++++
 templates/syncthing/docker-compose.j2 | 44 +++++++
 templates/syncthing/nginx.j2 | 21 ++++
 vars/network.yml | 6 +
 vars/syncthing.yml | 57 ++++++++-
 9 files changed, 363 insertions(+), 195 deletions(-)
 delete mode 100644 templates/syncthing.j2
 create mode 100644 templates/syncthing/config.j2
 create mode 100644 templates/syncthing/docker-compose.j2
 create mode 100644 templates/syncthing/nginx.j2
diff --git a/tasks/syncthing.yml b/tasks/syncthing.yml
index 615d823..8223bf3 100644
--- a/tasks/syncthing.yml
+++ b/tasks/syncthing.yml
@@ -1,13 +1,66 @@
-# TODO: use docker setup
-- name: create syncthing directory
- file:
- path: '{{ ansible_env.HOME }}/.config/syncthing'
- mode: '755'
- state: directory
+- name: Disable system process
+ become: true
+ ansible.builtin.systemd:
+ name: syncthing@sonny
+ state: stopped
+ enabled: false
-- name: copy syncthing template
- template:
- src: 'templates/syncthing.j2'
- dest: '{{ ansible_env.HOME }}/.config/syncthing/config.xml'
- mode: '0600'
- notify: restart syncthing service
+- name: Create Syncthing directories
+ become: true
+ ansible.builtin.file:
+ path: '{{ item.path }}'
+ owner: '{{ item.owner }}'
+ group: '{{ item.group }}'
+ mode: '0755'
+ state: directory
+ loop:
+ - path: '{{ syncthing_app_dir }}'
+ owner: root
+ group: root
+ - path: '{{ syncthing_app_dir }}/state'
+ owner: sonny
+ group: sonny
+ - path: '{{ syncthing_app_dir }}/nginx.conf.d'
+ owner: sonny
+ group: sonny
+
+- name: Remove previous Syncthing configurations
+ become: true
+ ansible.builtin.file:
+ path: '{{ ansible_env.HOME }}/.config/syncthing'
+ state: absent
+
+- name: Copy docker compose configuration
+ become: true
+ ansible.builtin.template:
+ src: 'templates/syncthing/docker-compose.j2'
+ dest: '{{ syncthing_app_dir }}/docker-compose.yml'
+ owner: sonny
+ group: sonny
+ mode: '0755'
+
+- name: Copy Syncthing configuration
+ become: true
+ ansible.builtin.template:
+ src: 'templates/syncthing/config.j2'
+ dest: '{{ syncthing_app_dir }}/state/config.xml'
+ owner: sonny
+ group: sonny
+ mode: '0755'
+
+- name: Copy NGINX configuration
+ become: true
+ ansible.builtin.template:
+ src: 'templates/syncthing/nginx.j2'
+ dest: '{{ syncthing_app_dir }}/nginx.conf.d/default.conf'
+ owner: sonny
+ group: sonny
+ mode: '0755'
+
+- name: Start container
+ community.docker.docker_compose_v2:
+ project_src: '{{ syncthing_app_dir }}'
+ remove_orphans: true
+ state: restarted
+ pull: always
+ wait: true
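Review bot: `Copy Syncthing configuration` writes `config.xml`, which carries `syncthing_api_key` and the GUI password, with `mode: '0755'`, a regression from the `'0600'` the removed task used; `mode: '0600'` is enough for the container to read it and keeps the key away from other local users, and `'0644'` would suit `docker-compose.yml` and `default.conf`, neither of which needs the execute bit. `Remove previous Syncthing configurations` deletes all of `~/.config/syncthing`; if the host's Syncthing identity (its certificate and key) lives there, the `Fudiggity` device ID in `vars/syncthing.yml` will no longer match the new instance unless those files are moved into the `state` directory first. `Start container` is the only task without `become: true`, so it relies on the login user having access to the Docker socket; a comment stating that this is intentional would help, since socket access is root-equivalent.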
diff --git a/templates/network/hosts.j2 b/templates/network/hosts.j2
index 1027169..85e64c0 100644
--- a/templates/network/hosts.j2
+++ b/templates/network/hosts.j2
@@ -1,13 +1,9 @@
 # {{ ansible_managed }}
-127.0.0.1 localhost
-127.0.1.1 {{ hostname }}
-{{ lan_ip }} {{ domain_name }} {{ hostname }}
-{{ vpn_listen_address }} {{ vpn_domain }}
+127.0.0.1 localhost
+127.0.1.1 {{ hostname }}
+{{ lan_ip }} {{ domain_name }} {{ hostname }}
+{{ vpn_listen_address }} {{ vpn_domain }}
 {{ vpn_media_listen_address }} {{ vpn_media_domain }}
-{{ transmission_nginx_ip }} {{ transmission_domain }}
-
-# The following lines are desirable for IPv6 capable hosts
-#::1 localhost ip6-localhost ip6-loopback
-#ff02::1 ip6-allnodes
-#ff02::2 ip6-allrouters
+{{ transmission_nginx_ip }} {{ transmission_domain }}
+{{ syncthing_nginx_ip }} {{ syncthing_domain }}
diff --git a/templates/nftables.j2 b/templates/nftables.j2
index b660a5c..74f3d4b 100644
--- a/templates/nftables.j2
+++ b/templates/nftables.j2
@@ -4,6 +4,11 @@ flush ruleset
 table ip filter {
+ chain prerouting {
+ type nat hook prerouting priority -100;
+
+ iifname {{ vpn_interface }} tcp dport {{ syncthing_protocol_port }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} dnat to {{ syncthing_app_ip }}
+ }
 chain input {
 type filter hook input priority 0; policy drop;
@@ -21,15 +26,15 @@ table ip filter {
 ip protocol icmp accept
 iifname vmap {
- {{ network_interface }} : goto wlan-chain,
- {{ vpn_interface }} : goto vpn-chain,
- {{ vpn_media_interface }} : goto media-vpn-chain
+ {{ network_interface }} : goto wlan_chain,
+ {{ vpn_interface }} : goto vpn_chain,
+ {{ vpn_media_interface }} : goto media_vpn_chain
 }
 log
 }
- chain wlan-chain {
+ chain wlan_chain {
 tcp dport {{ ssh_port }} accept comment "SSH"
 tcp dport {{ forgejo_ssh_port }} accept comment "Forgejo SSH"
 tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS"
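Review bot: The DNAT rule in the new `prerouting` chain is the one rule in this patch without a `comment`, while every filter rule around it names its purpose (`comment "Syncthing Web"`, `comment "Syncthing protocol"`); appending `comment "Syncthing protocol via nginx address"` keeps `nft list ruleset` self-explanatory and records that clients are expected to dial `syncthing_nginx_ip` on the protocol port. The chain declares no `policy`; for a nat-type chain that defaults to accept, so non-matching packets pass untouched, but writing `type nat hook prerouting priority -100; policy accept;` makes the intent explicit. Placing a nat chain inside `table ip filter` is valid, though a reader may look for it in a `nat` table, so the comment is doubly useful.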
@@ -44,14 +49,15 @@ table ip filter {
 elements = { {{ vpn_subnet }} . {{ vpn_listen_address }}/{{ vpn_prefix }} }
 }
- chain vpn-chain {
+ chain vpn_chain {
 meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_set accept comment "DNS"
 tcp dport { {{ http_port }}, {{ https_port }} } ip saddr . ip daddr @vpn_set accept comment "HTTP/HTTPS"
 tcp dport { 80, 443 } ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept comment "Transmission Web"
- tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr . ip daddr @vpn_set accept comment "Syncthing"
+ tcp dport { 80, 443 } ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} accept comment "Syncthing Web"
+ tcp dport {{ syncthing_protocol_port }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_app_ip }} accept comment "Syncthing protocol"
 tcp dport {{ mpd_port }} ip saddr . ip daddr @vpn_set accept comment "MPD"
 tcp dport {{ mpd_http_stream_port }} ip saddr . ip daddr @vpn_set accept comment "MPD HTTP stream"
@@ -64,7 +70,7 @@ table ip filter {
 elements = { {{ vpn_media_subnet }} . {{ vpn_media_listen_address }}/{{ vpn_media_prefix }} }
 }
- chain media-vpn-chain {
+ chain media_vpn_chain {
 meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_media_set accept comment "DNS"
 tcp dport {{ jellyfin_http_port }} ip saddr . ip daddr @vpn_media_set accept comment "Jellyfin HTTP"
diff --git a/templates/syncthing.j2 b/templates/syncthing.j2
deleted file mode 100644
index b656556..0000000
--- a/templates/syncthing.j2
+++ /dev/null
@@ -1,164 +0,0 @@ - - - - - basic - - - - - - - - - - 1 - - 3600 - - 0 - 0 - 0 - random - false - 0 - 0 - 10 - false - false - false - 25 - .stfolder - false - 0 - 2 - false - standard - standard - false - true - - - basic - - - - - - - - - - 1 - - 3600 - - 0 - 0 - 0 - random - false - 0 - 0 - 10 - false - false - false - 25 - .stfolder - false - 0 - 2 - false - standard - standard - false - true - - 
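Review bot: The new `tcp dport {{ syncthing_protocol_port }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_app_ip }} accept` line sits in `vpn_chain`, which is dispatched from the `input` hook, yet a packet whose destination the new prerouting DNAT rewrote to a container address is routed onto the Docker bridge and traverses the forward hook rather than input; if this works today it is probably Docker's own forward rules that admit it, so confirm and, if so, move the rule to a forward chain (none is visible in this hunk). The `tcp dport { 80, 443 } ... ip daddr {{ syncthing_nginx_ip }}` line admits 443, but `templates/syncthing/nginx.j2` in this patch only has `listen 80;`, so the 443 entry is dead until a TLS listener exists and could be dropped to keep the rule minimal. `vpn_chain` continues past the end of the hunk.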
tcp://10.0.0.3:22000
- false - false - 0 - 0 - 0 - false - 0 -
- -
dynamic
- false - false - 0 - 0 - 0 - false - 0 -
- -
tcp://10.0.0.2:22000
- false - false - 0 - 0 - 0 - false - 0 -
- -
{{ vpn_listen_address }}:{{ syncthing_gui_port }}
- platvoeten - $2a$10$1WqvnXwMfqTU6072LZmxTOkpbqE2osM4G8TrdXfEfkUM1ZEC8I.CK - 6T6cWRLpeXC44ZRoe7QcaKZpHJu2Wug3 - dark -
- - - tcp://{{ vpn_listen_address }}:{{ syncthing_protocol_port }} - default - true - true - 21027 - [ff12::8384]:21027 - 0 - 0 - 60 - true - 10 - true - true - 60 - 30 - 10 - -1 - 2 - MfeHGcQ6 - https://data.syncthing.net/newdata - false - 1800 - true - 12 - false - 24 - false - 5 - false - 1 - https://upgrades.syncthing.net/meta.json - false - 10 - 0 - ~ - true - 0 - https://crash.syncthing.net/newcrash - true - 180 - 20 - default - auto - 0 - true - false - -
diff --git a/templates/syncthing/config.j2 b/templates/syncthing/config.j2 new file mode 100644 index 0000000..b3d1eed --- /dev/null +++ b/templates/syncthing/config.j2 @@ -0,0 +1,153 @@ + + + + {% for folder in syncthing_folders %} + + + {% for id in folder.devices %} + + + + {% endfor %} + + basic + 20 + + 3600 + + basic + + + 0 + 0 + 0 + random + false + 0 + 0 + -1 + false + false + false + 25 + .stfolder + false + 0 + 2 + false + standard + standard + false + false + false + false + false + false + + {% endfor %} + + {% for device in syncthing_devices %} + +
{{ device.address }}
+ false + false + 0 + 0 + 0 + false + 0 + 0 +
+ {% endfor %} + + +
{{ syncthing_listen_address }}:{{ syncthing_gui_port }}
+ {{ syncthing_api_key }} + default + {{ syncthing_gui_user }} + {{ syncthing_gui_pass }} +
+ + + tcp://{{ syncthing_listen_address }}:{{ syncthing_protocol_port }} + + + + + + basic + + + + + + 1 + + + 3600 + + basic + + + 0 + 0 + 0 + random + false + 0 + 0 + 10 + false + false + false + 25 + .stfolder + false + 0 + 2 + false + standard + standard + false + false + + + +
dynamic
+ false + false + 0 + 0 + 0 + false + 0 + 0 +
+ + + (?d).DS_Store + +
+
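Review bot: This template is re-rendered into `state/config.xml` on every play run, while Syncthing itself rewrites `config.xml` at runtime, so anything changed through the GUI (shared folders, accepted devices) is reverted on the next run; that suits declarative management but deserves a header such as `{# Managed by Ansible: changes made in the GUI are overwritten on the next run #}` near the top (the element names of this template are stripped in this view). The GUI credential lines substitute `{{ syncthing_gui_pass }}` where the removed `templates/syncthing.j2` held a bcrypt hash (`$2a$10$…`), so confirm the vaulted value is the hash rather than the plaintext and record which form is expected in a comment beside the variable.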
diff --git a/templates/syncthing/docker-compose.j2 b/templates/syncthing/docker-compose.j2
new file mode 100644
index 0000000..628e132
--- /dev/null
+++ b/templates/syncthing/docker-compose.j2
@@ -0,0 +1,44 @@
+# {{ ansible_managed }}
+
+networks:
+ syncthing-net:
+ ipam:
+ config:
+ - subnet: '{{ syncthing_subnet }}'
+
+services:
+ syncthing:
+ image: syncthing/syncthing
+ container_name: syncthing
+ environment:
+ - PUID=1000
+ - PGID=1000
+ volumes:
+ {% for folder in syncthing_folders -%}
+ - {{ folder.source_path }}:{{ folder.path }}
+ {% endfor -%}
+ - {{ syncthing_app_dir }}/state:/var/syncthing/config
+ restart: always
+ networks:
+ syncthing-net:
+ ipv4_address: '{{ syncthing_app_ip }}'
+ healthcheck:
+ test: curl \
+ --fail \
+ --insecure \
+ --max-time 2 \
+ http://syncthing:8384/rest/noauth/health
+ interval: 1m
+ timeout: 10s
+ retries: 3
+
+ nginx:
+ image: nginx:mainline-alpine
+ depends_on:
+ - syncthing
+ restart: always
+ networks:
+ syncthing-net:
+ ipv4_address: '{{ syncthing_nginx_ip }}'
+ volumes:
+ - '{{ syncthing_app_dir }}/nginx.conf.d:/etc/nginx/conf.d'
diff --git a/templates/syncthing/nginx.j2 b/templates/syncthing/nginx.j2
new file mode 100644
index 0000000..c41eb1b
--- /dev/null
+++ b/templates/syncthing/nginx.j2
@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+upstream syncthing-upstream {
+ server syncthing:8384;
+}
+
+server {
+ listen 80;
+ server_name {{ syncthing_domain }};
+
+ location / {
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+
+ proxy_pass http://syncthing-upstream;
+ proxy_read_timeout 600;
+ proxy_send_timeout 600;
+ }
+}
diff --git a/vars/network.yml b/vars/network.yml
index 1185b32..8d3eb1f 100644
--- a/vars/network.yml
+++ b/vars/network.yml
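Review bot: `image: syncthing/syncthing` carries no tag, and `tasks/syncthing.yml` runs compose with `pull: always`, so every play run silently upgrades to whatever `latest` resolves to; pin a tag or digest, `image: syncthing/syncthing:<pinned-version>` (placeholder), and bump it deliberately. `PUID=1000` and `PGID=1000` are hard-coded while the state directory and `config.xml` are chowned to `sonny` in the tasks, so the container can only read them if `sonny` happens to be uid/gid 1000; derive the values from that user or record the assumption in a comment above `environment:`. In the healthcheck, `--insecure` has no effect on an `http://` URL and can be dropped.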
@@ -46,8 +46,14 @@ glitchtip_ip: '127.0.0.1'
 glitchtip_port: 7200
 glitchtip_domain: 'glitchtip.fudiggity.nl'
+syncthing_domain: 'syncthing.{{ domain_name }}'
+syncthing_listen_address: '0.0.0.0'
+syncthing_prefix: 24
+syncthing_subnet: '172.32.238.0/{{ syncthing_prefix }}'
 syncthing_gui_port: 8384
 syncthing_protocol_port: 22000
+syncthing_nginx_ip: '172.32.238.10'
+syncthing_app_ip: '172.32.238.11'
 radicale_listen_addres: '127.0.0.1'
 radicale_port: 5232
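Review bot: `syncthing_subnet: '172.32.238.0/{{ syncthing_prefix }}'`, together with `syncthing_nginx_ip` and `syncthing_app_ip`, puts the bridge network in 172.32.0.0/16, which lies outside RFC 1918 space (172.16.0.0/12 ends at 172.31.255.255) and is publicly routable; the route Docker installs for the bridge will shadow any real host in that block. Pick a range inside 172.16.0.0/12 or 10.0.0.0/8 that does not overlap `vpn_subnet`, for example (constructed) `syncthing_subnet: '172.28.238.0/{{ syncthing_prefix }}'` with the two `_ip` values moved into it. `syncthing_listen_address: '0.0.0.0'` appears to be consumed only by the container's `config.j2`, behind the nginx sidecar, so a comment saying so would stop a reader taking it for a host-wide bind.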
@@ -1,2 +1,55 @@
-syncthing_file_folder: '{{ ansible_env.HOME }}/files/Sync/'
-syncthing_picture_folder: '{{ ansible_env.HOME }}/files/Pictures/'
+syncthing_app_dir: '/srv/docker/syncthing'
+syncthing_config_version: 37
+syncthing_api_key: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 31663863326431623139663861316432656264646533323934393033386263613162303266613265
+ 3239613930623264383161363664636232663764616138360a643239393735393862376133313062
+ 63643434636462306663303434393837353230623830323065626432346336363332363063313533
+ 6334633838636664610a323762373839393331653130393136356136303535393662643736643735
+ 30316565373866326337383137633639636566623263333061633830366634666537633765343533
+ 3736383135393238663963353131663733363962343163363539
+
+syncthing_gui_user: sonny
+syncthing_gui_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 32393632636263333466313465396334306462303030373439643933626464643231636466393230
+ 3463306237616265333666313135373636646561386235300a303938326234663237336639613561
+ 62616132306266363166396333643730386233343261653338373937363137356333383932323332
+ 6539663665653732370a363565383239646264363931356361366466326161393730396433346635
+ 62636666356632663230646238343033623430363063393962396632393730343164656438343231
+ 62623966623964656164363233653230373366346235303239326665623637396563633939313565
+ 313230626464383238313931663265373233
+
+syncthing_devices:
+ - name: Desktop
+ id: &desktop_id CSDXP5E-4UBNC36-32EHTPK-L6Y6JVZ-HQHM42R-FJXN2LI-2MTYRFX-3ZZPUQN
+ address: tcp://10.0.0.3:22000
+
+ - name: Fudiggity
+ id: &host_id PGSOVGQ-VOHWV77-F7DFFQO-JZKTWWG-Z2XU2DE-N4ATK5U-F7MXKKM-TFSROQJ
+ address: dynamic
+
+ - name: XPS15
+ id: &xps_id 2AC4LRC-YIJDWWK-YCOEZLT-4OWWC2E-7VEZQQB-F3AAPZR-HU75FE4-PGWWXQH
+ address: tcp://10.0.0.2:22000
+
+syncthing_folders:
+ - id: default
+ label: Default
+ path: '/var/syncthing/default'
+ source_path: '{{ ansible_env.HOME }}/files/sync/'
+ type: sendreceive
+ devices:
+ - *desktop_id
+ - *host_id
+ - *xps_id
+
+ - id: 
pictures
+ label: Pictures
+ path: '/var/syncthing/pictures'
+ source_path: '{{ ansible_env.HOME }}/files/pictures/'
+ type: sendreceive
+ devices:
+ - *desktop_id
+ - *host_id
+ - *xps_id
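Review bot: `source_path` on both folders expands `ansible_env.HOME`, the home of the user Ansible connected as, while the tasks that consume it in `tasks/syncthing.yml` run with `become: true` and chown the results to `sonny`; that only lines up when the login user is `sonny`, so a literal path or a dedicated variable (e.g. `syncthing_user_home`, name constructed) would make the intent explicit and survive a change of connecting user. `syncthing_config_version: 37` is introduced but nothing visible in the patch reads it; if `config.j2` uses it in its stripped root element, a comment such as `# must match the config version the deployed Syncthing release writes` would explain why it is pinned, otherwise it can be removed. The hunk continues the `pictures` folder entry that began at the end of the previous line.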