# SPDX-FileCopyrightText: 2023, 2024 Nikita Chernyi
# SPDX-FileCopyrightText: 2023-2025 Slavi Pantaleev
# SPDX-FileCopyrightText: 2024 Sergio Durigan Junior
# SPDX-FileCopyrightText: 2025 MASH project contributors
# SPDX-FileCopyrightText: 2025, 2026 Suguru Hirahara
#
# SPDX-License-Identifier: AGPL-3.0-or-later

---

# Project source code URL: https://github.com/syncthing/syncthing/

syncthing_enabled: true

syncthing_identifier: syncthing
syncthing_base_path: "/{{ syncthing_identifier }}"
syncthing_config_path: "{{ syncthing_base_path }}/config"
syncthing_data_path: "{{ syncthing_base_path }}/data"
# See `syncthing_container_tmpfs_tmp_enabled`
syncthing_tmp_path: "{{ syncthing_base_path }}/tmp"

# renovate: datasource=docker depName=ghcr.io/syncthing/syncthing versioning=semver
syncthing_version: 2.0.15

syncthing_uid: ""
syncthing_gid: ""

# The hostname at which Syncthing is served.
syncthing_hostname: ""

# The path at which Syncthing is served.
# This value must either be `/` or not end with a slash (e.g. `/syncthing`).
syncthing_path_prefix: /

syncthing_container_image: "{{ syncthing_container_image_registry_prefix }}syncthing/syncthing:{{ syncthing_container_image_tag }}"
syncthing_container_image_tag: "{{ syncthing_version }}"
syncthing_container_image_registry_prefix: "{{ syncthing_container_image_registry_prefix_upstream }}"
syncthing_container_image_registry_prefix_upstream: "{{ syncthing_container_image_registry_prefix_upstream_default }}"
syncthing_container_image_registry_prefix_upstream_default: ghcr.io/
syncthing_container_image_force_pull: "{{ syncthing_container_image.endswith(':latest') }}"

syncthing_container_image_self_build: false
syncthing_container_image_self_build_name: "syncthing/syncthing:{{ syncthing_container_image_self_build_repo_version }}"
syncthing_container_image_self_build_repo: "https://github.com/syncthing/syncthing.git"
syncthing_container_image_self_build_repo_version: "{{ 'v' + syncthing_version if syncthing_version != 'latest' else 'main' }}"
syncthing_container_image_self_build_src_files_path: "{{ syncthing_base_path }}/docker-src"

# The base container network. It will be auto-created by this role if it doesn't exist already.
syncthing_container_network: "{{ syncthing_identifier }}"

# Control if the container network is deleted on uninstalling.
syncthing_container_network_deletion_enabled: true

# Specify how the container publishes its HTTP port for the web UI (as defined by `syncthing_container_http_port`).
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:2586"), or empty string to not expose.
syncthing_container_http_host_bind_port: ""

# Specify how the container publishes its TCP sync port (as defined by `syncthing_container_sync_tcp_port`)
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:22000"), just a port number or an empty string to not expose.
syncthing_container_sync_tcp_bind_port: "{{ syncthing_container_sync_tcp_port }}"

# Specify how the container publishes its UDP sync port (as defined by `syncthing_container_sync_udp_port`)
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:22000"), just a port number or an empty string to not expose.
syncthing_container_sync_udp_bind_port: "{{ syncthing_container_sync_udp_port }}"

# Specify how the container publishes its UDP local-discovery port
#
# Takes an "<ip>:<port>" or "<port>" value (e.g. "127.0.0.1:21027"), just a port number or an empty string to not expose.
syncthing_container_local_discovery_udp_bind_port: '21027'

# The port number in the container
syncthing_container_http_port: 8384

# Specifies where the container listens for sync via TCP
#
# Unless you have changed the "Sync Protocol Listen Addresses" (`<ListenAddress>`) configuration, this defaults to 22000.
syncthing_container_sync_tcp_port: '22000'

# Specifies where the container listens for sync via UDP
#
# Unless you have changed the "Sync Protocol Listen Addresses" (`<ListenAddress>`) configuration, this defaults to 22000.
syncthing_container_sync_udp_port: "22000"

# A list of additional container networks that the container would be connected to.
# The role does not create these networks, so make sure they already exist.
# Use this to expose this container to another reverse proxy, which runs in a different container network.
syncthing_container_additional_networks: "{{ syncthing_container_additional_networks_auto + syncthing_container_additional_networks_custom }}"
syncthing_container_additional_networks_auto: []
syncthing_container_additional_networks_custom: []

# A list of additional "volumes" to mount in the container.
# This list gets populated dynamically at runtime. You can provide a different default value,
# if you wish to mount your own files into the container.
# Contains definition objects like this: `{"type": "bind", "src": "/outside", "dst": "/inside", "options": "readonly"}.
# See the `--mount` documentation for the `docker run` command.
syncthing_container_additional_volumes: "{{ syncthing_container_additional_volumes_auto + syncthing_container_additional_volumes_custom }}"
syncthing_container_additional_volumes_auto: []
syncthing_container_additional_volumes_custom: []

# syncthing_container_labels_traefik_enabled controls whether labels to assist a Traefik reverse-proxy will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `syncthing_container_labels_additional_labels_custom`.
syncthing_container_labels_traefik_enabled: true
syncthing_container_labels_traefik_docker_network: "{{ syncthing_container_network }}"
syncthing_container_labels_traefik_hostname: "{{ syncthing_hostname }}"
# The path prefix must either be `/` or not end with a slash (e.g. `/syncthing`).
syncthing_container_labels_traefik_path_prefix: "{{ syncthing_path_prefix }}"
syncthing_container_labels_traefik_rule: "Host(`{{ syncthing_container_labels_traefik_hostname }}`){% if syncthing_container_labels_traefik_path_prefix != '/' %} && PathPrefix(`{{ syncthing_container_labels_traefik_path_prefix }}`){% endif %}"
syncthing_container_labels_traefik_priority: 0
syncthing_container_labels_traefik_entrypoints: web-secure
syncthing_container_labels_traefik_tls: "{{ syncthing_container_labels_traefik_entrypoints != 'web' }}"
syncthing_container_labels_traefik_tls_certResolver: default  # noqa var-naming

# syncthing_container_labels_traefik_tcp_enabled controls whether labels to assist a Traefik reverse-proxy for TCP sync connection will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `syncthing_container_labels_additional_labels_custom`.
syncthing_container_labels_traefik_tcp_enabled: false
syncthing_container_labels_traefik_tcp_docker_network: "{{ syncthing_container_network }}"
syncthing_container_labels_traefik_tcp_hostname: "{{ syncthing_hostname }}"
syncthing_container_labels_traefik_tcp_rule: "HostSNI(`{{ syncthing_container_labels_traefik_tcp_hostname }}`)"
syncthing_container_labels_traefik_tcp_priority: 0
syncthing_container_labels_traefik_tcp_entrypoints: syncthing-tcp
syncthing_container_labels_traefik_tcp_tls: true
syncthing_container_labels_traefik_tcp_tls_certResolver: default  # noqa var-naming

# syncthing_container_labels_traefik_udp_enabled controls whether labels to assist a Traefik reverse-proxy for UDP sync connection will be attached to the container.
# See `../templates/labels.j2` for details.
#
# To inject your own other container labels, see `syncthing_container_labels_additional_labels_custom`.
syncthing_container_labels_traefik_udp_enabled: false
syncthing_container_labels_traefik_udp_docker_network: "{{ syncthing_container_network }}"
syncthing_container_labels_traefik_udp_entrypoints: syncthing-udp

# Controls which additional headers to attach to all HTTP requests.
# To add your own custom request headers, use `syncthing_container_labels_traefik_additional_request_headers_custom`
syncthing_container_labels_traefik_additional_request_headers: "{{ syncthing_container_labels_traefik_additional_request_headers_auto | combine(syncthing_container_labels_traefik_additional_request_headers_custom) }}"
syncthing_container_labels_traefik_additional_request_headers_auto: {}
syncthing_container_labels_traefik_additional_request_headers_custom: {}

# Controls which additional headers to attach to all HTTP responses.
# To add your own custom response headers, use `syncthing_container_labels_traefik_additional_response_headers_custom`
syncthing_container_labels_traefik_additional_response_headers: "{{ syncthing_container_labels_traefik_additional_response_headers_auto | combine(syncthing_container_labels_traefik_additional_response_headers_custom) }}"
syncthing_container_labels_traefik_additional_response_headers_auto: |
  {{
    {}
    | combine ({'X-XSS-Protection': syncthing_http_header_xss_protection} if syncthing_http_header_xss_protection else {})
    | combine ({'X-Content-Type-Options': syncthing_http_header_content_type_options} if syncthing_http_header_content_type_options else {})
    | combine ({'Content-Security-Policy': syncthing_http_header_content_security_policy} if syncthing_http_header_content_security_policy else {})
    | combine ({'Permissions-Policy': syncthing_http_header_permissions_policy} if syncthing_http_header_permissions_policy else {})
    | combine ({'Strict-Transport-Security': syncthing_http_header_strict_transport_security} if syncthing_http_header_strict_transport_security and syncthing_container_labels_traefik_tls else {})
  }}
syncthing_container_labels_traefik_additional_response_headers_custom: {}

# syncthing_container_labels_additional_labels contains a multiline string with additional labels to add to the container label file.
# See `../templates/labels.j2` for details.
# To add your own custom labels, use `syncthing_container_labels_additional_labels_custom`
#
# Example:
# syncthing_container_labels_additional_labels_custom:
#   - my.label=1
#   - another.label="here"
syncthing_container_labels_additional_labels: "{{ syncthing_container_labels_additional_labels_auto + syncthing_container_labels_additional_labels_custom }}"
syncthing_container_labels_additional_labels_auto: []
syncthing_container_labels_additional_labels_custom: []

# Controls whether /tmp should be a tmpfs.
# If not enabled, /tmp will be persisted to disk (see `syncthing_tmp_path`).
syncthing_container_tmpfs_tmp_enabled: true
syncthing_container_tmpfs_tmp_size: "{{ (ansible_facts['memtotal_mb'] / 2) | round | int }}m"

# A list of extra arguments to pass to the container (`docker create` command)
syncthing_container_extra_arguments: "{{ syncthing_container_extra_arguments_auto + syncthing_container_extra_arguments_custom }}"
syncthing_container_extra_arguments_auto: []
syncthing_container_extra_arguments_custom: []

# Specifies how often the container health-check will run.
#
# For Traefik based setups, it's important that the interval is short,
# because the interval value also specifies the "initial wait time".
# This is a Docker (moby) bug: https://github.com/moby/moby/issues/33410
# Without a successful healthcheck, Traefik will not register the service for reverse-proxying.
# Thus, the health interval determines the initial start-up time -- the smaller, the better.
#
# For non-Traefik setups, we use the default healthcheck interval (60s) to decrease overhead.
syncthing_container_health_interval: "{{ '5s' if syncthing_container_labels_traefik_enabled else '60s' }}"

# Intentionally leaving this blank, instead of defaulting it to `syncthing_hostname`, to avoid specifying a hostname
# which could render other services on that hostname potentially unreachable.
# See: https://github.com/mother-of-all-self-hosting/mash-playbook/issues/391
syncthing_container_hostname: ""

# Specifies the value of the `X-XSS-Protection` header
# Stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
#
# Learn more about it is here:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# - https://portswigger.net/web-security/cross-site-scripting/reflected
syncthing_http_header_xss_protection: "1; mode=block"

# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
syncthing_http_header_content_type_options: nosniff

# Specifies the value of the `Content-Security-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
syncthing_http_header_content_security_policy: frame-ancestors 'self'

# Specifies the value of the `Permissions-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy
syncthing_http_header_permissions_policy: "{{ 'interest-cohort=()' if syncthing_floc_optout_enabled else '' }}"

# Specifies the value of the `Strict-Transport-Security` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
syncthing_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if syncthing_hsts_preload_enabled else '' }}"

# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
#
# Learn more about what it is here:
# - https://www.eff.org/deeplinks/2021/03/googles-floc-terrible-idea
# - https://paramdeo.com/blog/opting-your-website-out-of-googles-floc-network
# - https://amifloced.org/
#
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
# See: `syncthing_http_header_permissions_policy`
syncthing_floc_optout_enabled: true

# Controls if HSTS preloading is enabled
#
# In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and
# indicates a willingness to be "preloaded" into browsers:
# `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
# For more information visit:
# - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# - https://hstspreload.org/#opt-in
# See: `syncthing_http_header_strict_transport_security`
syncthing_hsts_preload_enabled: false

# List of systemd services that the Syncthing systemd service depends on
syncthing_systemd_required_services_list: "{{ syncthing_systemd_required_services_list_default + syncthing_systemd_required_services_list_auto + syncthing_systemd_required_services_list_custom }}"
syncthing_systemd_required_services_list_default: "{{ [devture_systemd_docker_base_docker_service_name] if devture_systemd_docker_base_docker_service_name else [] }}"
syncthing_systemd_required_services_list_auto: []
syncthing_systemd_required_services_list_custom: []

# List of systemd services that the Syncthing systemd service wants
syncthing_systemd_wanted_services_list: "{{ syncthing_systemd_wanted_services_list_default + syncthing_systemd_wanted_services_list_auto + syncthing_systemd_wanted_services_list_custom }}"
syncthing_systemd_wanted_services_list_default: []
syncthing_systemd_wanted_services_list_auto: []
syncthing_systemd_wanted_services_list_custom: []

# Controls how long to wait for the container to stop gracefully before killing it.
syncthing_container_stop_grace_time_seconds: "{{ devture_systemd_docker_base_container_stop_grace_time_seconds }}"

# Controls how long the pre-start cleanup should wait for stale container-name release
# before failing startup explicitly.
syncthing_container_cleanup_timeout_seconds: "{{ devture_systemd_docker_base_container_cleanup_timeout_seconds }}"

# Controls the delay between pre-start cleanup retries.
syncthing_container_cleanup_retry_delay_seconds: "{{ devture_systemd_docker_base_container_cleanup_retry_delay_seconds }}"

# Shell command used in the systemd pre-start phase to deterministically remove a stale
# container and wait until Docker releases its name.
syncthing_container_cleanup_command: |
  i=0;
  while [ "$i" -lt {{ syncthing_container_cleanup_timeout_seconds }} ]; do
  {{ devture_systemd_docker_base_host_command_docker }} stop -t {{ syncthing_container_stop_grace_time_seconds }} {{ syncthing_identifier }} >/dev/null 2>&1 || true;
  {{ devture_systemd_docker_base_host_command_docker }} rm -f {{ syncthing_identifier }} >/dev/null 2>&1 || true;
  if {{ devture_systemd_docker_base_host_command_docker }} container inspect {{ syncthing_identifier }} >/dev/null 2>&1; then
  i=$((i + 1));
  sleep {{ syncthing_container_cleanup_retry_delay_seconds }};
  continue;
  fi;
  if {{ devture_systemd_docker_base_host_command_docker }} info >/dev/null 2>&1; then
  exit 0;
  fi;
  echo "Failed to query Docker daemon while cleaning up {{ syncthing_identifier }}" >&2;
  exit 1;
  done;
  echo "Failed to remove stale container {{ syncthing_identifier }} after {{ syncthing_container_cleanup_timeout_seconds }} attempts" >&2;
  exit 1

# Specify the timezone
syncthing_environment_variables_tz: UTC

syncthing_basicauth_enabled: true

# A list of credential entries
#
# Example:
# syncthing_credentials:
#   - username: someone
#     password: secret-password
#   - username: another
#     password: more-secret-password
syncthing_basicauth_credentials: []

# A list of `htpasswd -nb user password` entries
# Also see `syncthing_basicauth_credentials` for a more convenient way to create credentials.
# Ansible will run `htpasswd` on the entries in `syncthing_basicauth_credentials` and append them to this list.
syncthing_basicauth_htpasswds: []

# Temporary file path on the host that runs Ansible.
# Used for converting the `syncthing_basicauth_credentials` entries to `syncthing_basicauth_htpasswds` entries.
syncthing_basicauth_file_tmp: "/tmp/ansible_htpasswd"

# Additional environment variables.
syncthing_environment_variables_additional_variables: ""

# syncthing_restart_necessary controls whether the Syncthing systemd
# service will be restarted (when true) or merely started (when false) by the
# systemd service manager role (when conditional restart is enabled).
#
# This value is automatically computed during installation based on whether
# any configuration files, the systemd service file, or the container image changed.
# The default of `false` means "no restart needed" — appropriate when the role's
# installation tasks haven't run (e.g., due to --tags skipping them).
syncthing_restart_necessary: false