Deploying syncthing on Fly.io with tailscale on port 80

Hello and good day,

I am trying to deploy a syncthing deployment in combination with tailscale, which is the private VPN I use for my apps.

My goals are as follows:

  1. Deploy syncthing on fly.io with a custom Dockerfile that has tailscale binaries bundled in.
  2. Do not expose any ports to the outside world. I want all communication to and from the fly machine only via my private network.
  3. Use tailscale Magic DNS to have a CNAME record for the dns name from tailscale to something like sync.mydomain.com.

I have done the first two steps and I can access the service on <private_tailscale_IP>:8384, however I am now struggling with how to access the service on <private_tailscale_IP>:80. Can someone please point me in the right direction?

I have the following fly.toml file:

app = "syncthing-peer"
primary_region = "ams"

[mounts]
source="syncstore"
destination="/var/syncthing"

Here are the Dockerfile and the Entrypoint; they have just been customized to add the tailscale-specific instructions, following these instructions from the official tailscale docs.

Can someone help me understand how to proceed? My goal now is just to have the service point to port 80 internally and then use tailscale to access the services via its MagicDNS feature and set a CNAME record later pointing to that address.

I have already tried the following:

[[services]]
  internal_port = 8384
  protocol = "tcp"

  [[services.ports]]
    handlers = ["http"]
    port = 80
    force_https = true  # optional

But this doesn’t help. Looking forward to learning more.

Since you are using tailscale you don’t need the service definition because tailscale connects directly (in fact you don’t want it since that would expose your app publicly). According to the syncthing dockerfile, it is only listening on port 8384. Thus when you do <private_tailscale_IP>:8384 tailscale connects directly to port 8384 where syncthing is listening. If you want to use port 80 you can adjust the dockerfile you shared. If you grep for 8384 you’ll find the things you need to change.
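
The point made in the reply above (a `[[services]]` block publishes the app, and Tailscale does not need one) can be checked before each deploy. The following is an added example, not code from the thread or from Fly.io: the function names `fly_public_ports` and `write_samples` are hypothetical, the sample files are constructed from the two fly.toml variants in this thread, and it assumes an `[http_service]` section publishes ports 80 and 443.

```shell
# Added example: list the ports a fly.toml publishes through the public proxy.
# Prints "external -> internal" per port; exit status 0 = none, 1 = some.
fly_public_ports() {
  awk '
    { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
    /^\[/ {                                           # table header line
      section = $0; gsub(/[ \t]/, "", section)
      if (section == "[[services]]") internal = "?"
      next
    }
    /^internal_port[ \t]*=/ {
      split($0, kv, "="); internal = kv[2] + 0
      if (section == "[http_service]") { print "80,443 -> " internal; found = 1 }
      next
    }
    section == "[[services.ports]]" && /^port[ \t]*=/ {
      split($0, kv, "="); p = kv[2] + 0; print p " -> " internal; found = 1
    }
    END { exit (found ? 1 : 0) }
  ' "$1"
}

# Constructed samples: the two fly.toml variants that appear in this thread.
write_samples() {
  cat > "$1/private.toml" <<'EOF'
app = "syncthing-peer"
[mounts]
source="syncstore"
destination="/var/syncthing"
EOF
  cat > "$1/public.toml" <<'EOF'
app = "syncthing-peer"
[[services]]
  internal_port = 8384
  protocol = "tcp"
  [[services.ports]]
    handlers = ["http"]
    port = 80
    force_https = true  # optional
EOF
}

dir=$(mktemp -d) && write_samples "$dir"
for f in private public; do
  out=$(fly_public_ports "$dir/$f.toml") && out="none"
  echo "$f.toml public ports: $out"
done
rm -rf "$dir"
```

The non-zero exit status makes the function usable as a gate in a deploy script, so a `[[services]]` block added by mistake stops the deploy instead of publishing the GUI.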

Thanks for your answer. This makes sense and I wanted to test it out but now I got looped into another issue.

fly deploy now fails at building the docker image. However, building the image via a local docker daemon works perfectly.

To make the test simple I am just using the dockerfile from the repository without any of my tweaks. Here is the dockerfile that I am trying to use:

ARG GOVERSION=latest

FROM golang:$GOVERSION AS builder
ARG BUILD_USER
ARG BUILD_HOST
ARG TARGETARCH

WORKDIR /src
COPY . .

ENV CGO_ENABLED=0
RUN if [ ! -f syncthing-linux-$TARGETARCH ] ; then \
    go run build.go -no-upgrade build syncthing ; \
    mv syncthing syncthing-linux-$TARGETARCH ; \
  fi

FROM alpine
ARG TARGETARCH

EXPOSE 8384 22000/tcp 22000/udp 21027/udp

VOLUME ["/var/syncthing"]

RUN apk add --no-cache ca-certificates curl libcap su-exec tzdata

COPY --from=builder /src/syncthing-linux-$TARGETARCH /bin/syncthing
COPY --from=builder /src/script/docker-entrypoint.sh /bin/entrypoint.sh

ENV PUID=1000 PGID=1000 HOME=/var/syncthing

HEALTHCHECK --interval=1m --timeout=10s \
  CMD curl -fkLsS -m 2 127.0.0.1:8384/rest/noauth/health | grep -o --color=never OK || exit 1

ENV STGUIADDRESS=0.0.0.0:8384
ENV STHOMEDIR=/var/syncthing/config
RUN chmod 755 /bin/entrypoint.sh
ENTRYPOINT ["/bin/entrypoint.sh", "/bin/syncthing"]

And my fly.toml:

app = "syncthing-peer"
primary_region = "ams"

[build]
    dockerfile = "Dockerfile"

[mounts]
source="syncstore"
destination="/var/syncthing"

The error I get when running fly deploy is as follows:

#10 12.03 # cd /src; git status --porcelain
#10 12.03 fatal: detected dubious ownership in repository at '/src'
#10 12.03 To add an exception for this directory, call:
#10 12.03 
#10 12.03       git config --global --add safe.directory /src
#10 12.03 error obtaining VCS status: exit status 128
#10 12.03       Use -buildvcs=false to disable VCS stamping.
#10 12.03 exit status 1
#10 12.03 exit status 1
#10 12.06 mv: cannot stat 'syncthing': No such file or directory
------
Error: failed to fetch an image or build from source: error building: executor failed running [/bin/sh -c if [ ! -f syncthing-linux-$TARGETARCH ] ; then     go run build.go -no-upgrade build syncthing ;     mv syncthing syncthing-linux-$TARGETARCH ;   fi]: exit code: 1

There is something similar going on with another project that I am trying to deploy on fly; the image builds successfully on my local docker daemon but fails on fly machines with a slightly different error:

#14 177.3   asset img/webpack/jquery.minicolors.0e614115.png 67 KiB [emitted] [immutable] [from: node_modules/@claviska/jquery-minicolors/jquery.minicolors.png] (auxiliary name: minicolors) (auxiliary id hint: vendors)
#14 177.3 webpack 5.88.1 compiled successfully in 31872 ms
#14 179.3 error obtaining VCS status: exit status 128
#14 179.3       Use -buildvcs=false to disable VCS stamping.
#14 179.3 error obtaining VCS status: exit status 128
#14 179.3       Use -buildvcs=false to disable VCS stamping.
#14 179.3 error obtaining VCS status: exit status 128
#14 179.3       Use -buildvcs=false to disable VCS stamping.
#14 179.3 error obtaining VCS status: exit status 128
#14 179.3       Use -buildvcs=false to disable VCS stamping.
#14 179.3 error obtaining VCS status: exit status 128
#14 179.3       Use -buildvcs=false to disable VCS stamping.
#14 179.3 error obtaining VCS status: exit status 128
#14 179.3       Use -buildvcs=false to disable VCS stamping.
#14 179.3 Running go generate...
#14 179.3 go: downloading github.com/mattn/go-sqlite3 v1.14.17
#14 183.9 make: *** No rule to make target 'modules/public/bindata.go', needed by 'gitea'.  Stop.
------
Error: failed to fetch an image or build from source: error building: executor failed running [/bin/sh -c if [ -n "${GITEA_VERSION}" ]; then git checkout "${GITEA_VERSION}"; fi  && make clean-all build]: exit code: 2

I don’t know if these two errors have to do with something on the docker daemons on fly machines or with something else. Any insights will be super helpful.
