---

# Project source code URL: https://github.com/syncthing/syncthing/

syncthing_enabled: true

syncthing_identifier: syncthing

syncthing_uid: ''
syncthing_gid: ''

syncthing_version: 1.27.6

# The hostname at which Syncthing is served.
syncthing_hostname: ''

# The path at which Syncthing is served.
# This value must either be `/` or not end with a slash (e.g. `/syncthing`).
syncthing_path_prefix: /

syncthing_base_path: "/{{ syncthing_identifier }}"
syncthing_config_path: "{{ syncthing_base_path }}/config"
syncthing_data_path: "{{ syncthing_base_path }}/data"

syncthing_basicauth_enabled: true

# A list of credential entries
#
# Example:
# syncthing_credentials:
#   - username: someone
#     password: secret-password
#   - username: another
#     password: more-secret-password
syncthing_basicauth_credentials: []

# A list of `htpasswd -nb user password` entries
# Also see `syncthing_basicauth_credentials` for a more convenient way to create credentials.
# Ansible will run `htpasswd` on the entries in `syncthing_basicauth_credentials` and append them to this list.
syncthing_basicauth_htpasswds: []

# Temporary file path on the host that runs Ansible.
# Used for converting the `syncthing_basicauth_credentials` entries to `syncthing_basicauth_htpasswds` entries.
syncthing_basicauth_file_tmp: "/tmp/ansible_htpasswd"

syncthing_container_image: "{{ syncthing_container_image_registry_prefix }}syncthing/syncthing:{{ syncthing_container_image_tag }}"
syncthing_container_image_registry_prefix: docker.io/
syncthing_container_image_tag: "{{ syncthing_version }}"
syncthing_container_image_force_pull: "{{ syncthing_container_image.endswith(':latest') }}"

# The base container network. It will be auto-created by this role if it doesn't exist already.
syncthing_container_network: "{{ syncthing_identifier }}"

# A list of additional container networks that the container would be connected to.
# The role does not create these networks, so make sure they already exist.
# Use this to expose this container to another reverse proxy, which runs in a different container network.
syncthing_container_additional_networks: "{{ syncthing_container_additional_networks_auto + syncthing_container_additional_networks_custom }}"
syncthing_container_additional_networks_auto: []
syncthing_container_additional_networks_custom: []

# Specifies where the container listens for sync via TCP
#
# Unless you have changed the "Sync Protocol Listen Addresses" (`<ListenAddress>`) configuration, this defaults to 22000.
syncthing_container_sync_tcp_port: '22000'

# Specifies how the container publishes its TCP sync port (syncthing_container_sync_tcp_port)
#
# Takes an "<ip>:<port>" value (e.g. "127.0.0.1:22000"), just a port number or an empty string to not expose.
syncthing_container_sync_tcp_bind_port: "{{ syncthing_container_sync_tcp_port }}"

# Specifies where the container listens for sync via UDP
#
# Unless you have changed the "Sync Protocol Listen Addresses" (`<ListenAddress>`) configuration, this defaults to 22000.
syncthing_container_sync_udp_port: "22000"

# Specifies how the container publishes its UDP sync port (syncthing_container_sync_udp_port)
#
# Takes an "<ip>:<port>" value (e.g. "127.0.0.1:22000"), just a port number or an empty string to not expose.
syncthing_container_sync_udp_bind_port: "{{ syncthing_container_sync_udp_port }}"

# Specifies how the container publishes its UDP local-discovery port
#
# Takes an "<ip>:<port>" value (e.g. "127.0.0.1:21027"), just a port number or an empty string to not expose.
syncthing_container_local_discovery_udp_bind_port: '21027'

# syncthing_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `syncthing_container_labels_additional_labels`.
syncthing_container_labels_traefik_enabled: true
syncthing_container_labels_traefik_docker_network: "{{ syncthing_container_network }}"
syncthing_container_labels_traefik_hostname: "{{ syncthing_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/syncthing`).
syncthing_container_labels_traefik_path_prefix: "{{ syncthing_path_prefix }}"
syncthing_container_labels_traefik_rule: "Host(`{{ syncthing_container_labels_traefik_hostname }}`){% if syncthing_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ syncthing_container_labels_traefik_path_prefix }}`){% endif %}"
syncthing_container_labels_traefik_priority: 0
syncthing_container_labels_traefik_entrypoints: web-secure
syncthing_container_labels_traefik_tls: "{{ syncthing_container_labels_traefik_entrypoints != 'web' }}"
syncthing_container_labels_traefik_tls_certResolver: default  # noqa var-naming

# Controls which additional headers to attach to all HTTP requests.
# To add your own custom request headers, use `syncthing_container_labels_traefik_additional_response_headers_custom`
syncthing_container_labels_traefik_additional_request_headers: "{{ syncthing_container_labels_traefik_additional_request_headers_auto | combine(syncthing_container_labels_traefik_additional_request_headers_custom) }}"
syncthing_container_labels_traefik_additional_request_headers_auto: {}
syncthing_container_labels_traefik_additional_request_headers_custom: {}

# Controls which additional headers to attach to all HTTP responses.
# To add your own custom response headers, use `syncthing_container_labels_traefik_additional_response_headers_custom`
syncthing_container_labels_traefik_additional_response_headers: "{{ syncthing_container_labels_traefik_additional_response_headers_auto | combine(syncthing_container_labels_traefik_additional_response_headers_custom) }}"
syncthing_container_labels_traefik_additional_response_headers_auto: |
  {{
    {}
    | combine ({'X-XSS-Protection': syncthing_http_header_xss_protection} if syncthing_http_header_xss_protection else {})
    | combine ({'X-Frame-Options': syncthing_http_header_frame_options} if syncthing_http_header_frame_options else {})
    | combine ({'X-Content-Type-Options': syncthing_http_header_content_type_options} if syncthing_http_header_content_type_options else {})
    | combine ({'Content-Security-Policy': syncthing_http_header_content_security_policy} if syncthing_http_header_content_security_policy else {})
    | combine ({'Permission-Policy': syncthing_http_header_content_permission_policy} if syncthing_http_header_content_permission_policy else {})
    | combine ({'Strict-Transport-Security': syncthing_http_header_strict_transport_security} if syncthing_http_header_strict_transport_security and syncthing_container_labels_traefik_tls else {})
  }}
syncthing_container_labels_traefik_additional_response_headers_custom: {}

# syncthing_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
#
# Example:
# syncthing_container_labels_additional_labels: |
#   my.label=1
#   another.label="here"
syncthing_container_labels_additional_labels: ''

# Specifies how often the container health-check will run.
#
# For Traefik based setups, it's important that the interval is short,
# because the interval value also specifies the "initial wait time".
# This is a Docker (moby) bug: https://github.com/moby/moby/issues/33410
# Without a successful healthcheck, Traefik will not register the service for reverse-proxying.
# Thus, the health interval determines the initial start-up time -- the smaller, the better.
#
# For non-Traefik setups, we use the default healthcheck interval (60s) to decrease overhead.
syncthing_container_health_interval: "{{ '5s' if syncthing_container_labels_traefik_enabled else '60s' }}"

syncthing_container_hostname: "{{ syncthing_hostname }}"

# A list of additional "volumes" to mount in the container.
#
# See the `--mount` documentation for the `docker run` command.
#
# Example:
# syncthing_container_additional_volumes:
#   - type: bind
#     src: /path/on/the/host
#     dst: /data
#   - type: bind
#     src: /another-path/on/the/host
#     dst: /read-only
#     options: readonly
syncthing_container_additional_volumes: []

# A list of extra arguments to pass to the container
syncthing_container_extra_arguments: []

# Additional environment variables.
syncthing_environment_variables_additional_variables: ''

# Specifies the value of the `X-XSS-Protection` header
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
#
# Learn more about it is here:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# - https://portswigger.net/web-security/cross-site-scripting/reflected
syncthing_http_header_xss_protection: "1; mode=block"

# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
syncthing_http_header_frame_options: SAMEORIGIN

# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
syncthing_http_header_content_type_options: nosniff

# Specifies the value of the `Content-Security-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
syncthing_http_header_content_security_policy: frame-ancestors 'self'

# Specifies the value of the `Permission-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
syncthing_http_header_content_permission_policy: "{{ 'interest-cohort=()' if syncthing_floc_optout_enabled else '' }}"

# Specifies the value of the `Strict-Transport-Security` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
syncthing_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if syncthing_hsts_preload_enabled else '' }}"

# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
#
# Learn more about what it is here:
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
# - https://amifloced.org/
#
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
# See: `syncthing_content_permission_policy`
syncthing_floc_optout_enabled: true

# Controls if HSTS preloading is enabled
#
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
# indicates a willingness to be "preloaded" into browsers:
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
# For more information visit:
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# - https://hstspreload.org/#opt-in
# See: `syncthing_http_header_strict_transport_security`
syncthing_hsts_preload_enabled: false

# List of systemd services that syncthing.service depends on
syncthing_systemd_required_services_list: "{{ syncthing_systemd_required_services_list_default + syncthing_systemd_required_services_list_auto + syncthing_systemd_required_services_list_custom }}"
syncthing_systemd_required_services_list_default: ['docker.service']
syncthing_systemd_required_services_list_auto: []
syncthing_systemd_required_services_list_custom: []