[How-To] Install Firefox Sync in a FreeNAS 9.10 Jail

[kaipee]

Basic instructions here, will tidy up/format later

Install Firefox Sync v1.5

Code:

pkg update
pkg upgrade
pkg install nano
pkg install gmake
pkg install python
pkg install py27-pip
pkg install py27-virtualenv
pkg install py27-sqlite3
pkg install git
mkdir -p /usr/local/www/ffsync
mkdir -p /usr/local/www/ffsync/logs
cd /usr/local/www/ffsync
git clone https://github.com/mozilla-services/syncserver
cd ./syncserver
gmake serve

Configure FFsync
Generate secure hash head -c 20 /dev/urandom | shasum . Save this hash to be added to your ffsync config.
Edit syncserver.ini /usr/local/www/ffsync/syncserver/syncserver.ini

Code:

[server:main]
use = egg:gunicorn
host = 127.0.0.1
port = FFSYNC_PORT
workers = 2
timeout =60
forwarded_allow_ips = *

[app:main]
use = egg:syncserver

[syncserver]
# This must be edited to point to the public URL of your server,
# i.e. the URL as seen by Firefox.
public_url = https://YOUR_DOMAIN:YOUR_SSL_PORT

# This defines the database in which to store all server data.
sqluri = sqlite:////tmp/syncserver.db (or wherever you want to save your DB)

# This is a secret key used for signing authentication tokens.
# It should be long and randomly-generated.
# The following command will give a suitable value on *nix systems:
#
#	head -c 20 /dev/urandom | sha1sum
#
# If not specified then the server will generate a temporary one at startup.
secret = YOUR_SECRET_HASH

# Set this to "false" to disable new-user signups on the server.
# Only request by existing accounts will be honoured.
allow_new_users = false

# Set this to "true" to work around a mismatch between public_url and
# the application URL as seen by python, which can happen in certain reverse-
# proxy hosting setups.  It will overwrite the WSGI environ dict with the
# details from public_url.  This could have security implications if e.g.
# you tell the app that it's on HTTPS but it's really on HTTP, so it should
# only be used as a last resort and after careful checking of server config.
force_wsgi_environ = true

# Uncomment and edit the following to use a local BrowserID verifier
# rather than posting assertions to the mozilla-hosted verifier.
# Audiences should be set to your public_url without a trailing slash.
#[browserid]
#backend = tokenserver.verifiers.LocalVerifier
#audiences = https://localhost:5000

Start FFsync /usr/local/www/ffsync/syncserver/local/bin/gunicorn --daemon --log-file=/usr/local/www/ffsync/logs/ffsync.log --paste /usr/local/www/ffsync/syncserver/syncserver.ini

Install NGINX

Code:

pkg install nginx
mkdir -p /usr/local/etc/nginx/logs (put your logs here)
mkdir -p /usr/local/etc/nginx/certs (put your SSL certs here)
nano /etc/rc.conf
nginx_enable="YES"

Configure NGINX
Edit /usr/local/etc/nginx/nginx.conf

Code:

worker_processes  4;

events {
	worker_connections  1024;
	multi_accept on;
}

http {
	include	   mime.types;
	default_type  application/octet-stream;

	sendfile	   on;
	tcp_nopush	 on;
	tcp_nodelay	on;

	keepalive_timeout  65;
	client_body_timeout  30;
	client_header_timeout  30;
	send_timeout  30;
	client_max_body_size  64m;

	error_log /usr/local/etc/nginx/logs/error.log warn;
	access_log /usr/local/etc/nginx/logs/access.log;

	gzip  on;

	server_tokens off;
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-Xss-Protection "1; mode=block" always;

	server {
		listen YOUR_SSL_PORT ssl;
		server_name YOUR_SUB.DOMAIN.TLD localhost YOUR_SERVER_IP;

		ssl_certificate /usr/local/www/certs/YOUR_CERT.crt;
		ssl_certificate_key /usr/local/www/certs/YOUR_KEY.key;
		ssl_trusted_certificate /usr/local/www/certs/YOUR_BUNDLE.crt;
		ssl_session_cache shared:SSL:50m;
		ssl_session_timeout 5m;
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
		ssl_prefer_server_ciphers on;
		ssl_stapling on;
		resolver 8.8.8.8;
		add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

		location / {
			proxy_set_header Host $http_host;
			proxy_set_header X-Forwarded-Proto $scheme;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_redirect off;
			proxy_read_timeout 120;
			proxy_connect_timeout 10;
			proxy_pass http://127.0.0.1:FFSYNC_PORT/;
		}

	}

}

Start NGINX service nginx start

Browse to https://YOUR_DOMAIN:YOUR_SSL_PORT/token/1.0/sync/1.5 and check it returns an output

 

[kaipee]

I would be interested in someone helping me make this into a plugin, and advise the correct procedure for turning firefox_sync into a service (able to auto-start)

 

[ezra]

My man, you are amazing, thanks! Flawlessly used this guide...

Only problem indeed is the 'service' part. I'm using crontab @Reboot at this time but we sure need to fix this. I'd like to help with this if you're still up for the task.

 

[DonCorleone]

Thank you for placing the guide! The question is where to get the ssl certificate?

 

[silverback]

Thank you for placing the guide! The question is where to get the ssl certificate?

https://www.ixsystems.com/community...-to-reverse-proxy-your-jails-w-certbot.49876/

The instructions at the beginning of this guide might help.

 

[BrickNick]

Hello all,

thank you very much for the write-up. As I do not have the necessary knowledge, could somebody walk me through installing the Firefox Sync server in a TrueNas 13 jail? My issue is that, since Python 2.7 is no longer suppported, I am unable to build the server. I tried installing the py39-virtualenv, but building results in errors:

Code:

root@ffsync:/usr/local/www/ffsync/syncserver # gmake serve
# Install the latest Python 2 compatible setuptools manually:
# https://github.com/mozilla-services/syncserver/issues/239
`which python2 python2.7 python | head -n 1` -m virtualenv --python=`which python2 python2.7 python | head -n 1` ./local --no-setuptools
/usr/local/bin/python2.7: No module named virtualenv
gmake: *** [Makefile:29: local/COMPLETE] Error 1

Any help would be appreciated.

Thanks and regards,
Nick

 

[John Doe]

I am also interested.

firefox or mozilla are using github.
according to 2nd comment, firefox sync is currently beeing rewritten

What happens now? · Issue #264 · mozilla-services/syncserver

What happens now with the syncserver? Does it now come to Python3 or does it stay with python2? Thanks...

github.com

The official plan is to replace the python version with a newer rust based version. While we've done this internally, we've not yet packaged things up quite as elegantly here.


To do that, we're working on integrating the token server into syncstorage-rs, as well as some kinks in continuing to support local SQL databases. Then we'll have to package things up into an appropriate release (more than likely, this will be something like Docker) and update documents where needed.


Let me also note that we're a very small team (3 people) working on several different critical services and have a significant backlog on all of them. Our first priority is to make sure that our systems are running, efficient and maintainable. This means that we can't offer any schedule for when any of this will be available since we can't predict what sort of fires or emergencies will happen that will demand our attention.


We do, quite happily, accept pull requests and community contributions, and all of our code is open source.

looks like it is working but not documented :-(