DragonFlyBSD - Install Firefox syncserver with PostgreSQL

This article has been inspired by this article and by the official documentation of Mozilla Firefox syncserver.

After reading the article by Mirabelette, I thought it would be nice to have my own syncserver. The only difference is that:

That led me to two different steps:

Building the software doesn't require much more on DragonFlyBSD than on Linux; the only specific part is the requirement of gmake, as bsd-make won't do.

sudo pkg install gmake py27-virtualenv

Once this is done, syncserver should build. But don’t do it right now.

We have to add one requirement to the virtualenv so that syncserver can use PostgreSQL, so add this line to requirements.txt. It's actually mentioned on the GitHub page but not really advertised.

psycopg2-binary

After that we need to tell syncserver that its database is PostgreSQL. This is achieved with the sqluri line in the syncserver.ini file, shown here in context:

[syncserver]
# This must be edited to point to the public URL of your server,
# i.e. the URL as seen by Firefox.
public_url = https://your.url/

# By default, syncserver will accept identity assertions issued by
# any BrowserID issuer.  The below restricts it to accept assertions
# from just the production Firefox Account servers.  If you are hosting
# your own account server, put its public URL here instead.
identity_provider = https://accounts.firefox.com/

# This defines the database in which to store all server data.
#sqluri = sqlite:////tmp/syncserver.db
sqluri = postgresql://sync:sync@127.0.0.1:5432/sync

For this to work we need to create a PostgreSQL user called sync, identified by a password (sync in our case), that owns a database also called sync.

sudo su - pgsql
createuser -P sync
# then type in the password as prompted
createdb -O sync sync

Now syncserver can be built.
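Before building, it is worth checking that the syncserver.ini edited above really points at PostgreSQL over https and does not still carry the sync/sync example credentials. This is an added example and not part of the original article; it reads the three keys shown above from a constructed copy of the configuration (or from a file given as its first argument).

```shell
#!/bin/sh
# Added example (not from the article): lint a syncserver.ini before enabling the rc service.

# ini_get FILE KEY -> value of KEY in the [syncserver] section (comments ignored, first match)
ini_get() {
    sed -n '/^\[syncserver\]/,/^\[/{ /^[[:space:]]*#/d; p; }' "$1" |
        sed -n "/^[[:space:]]*$2[[:space:]]*=/{ s/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//; p; }" |
        head -n 1
}

# check_syncserver_ini FILE -> one finding per line; exit status = number of findings
check_syncserver_ini() {
    public_url=$(ini_get "$1" public_url)
    sqluri=$(ini_get "$1" sqluri)
    idp=$(ini_get "$1" identity_provider)
    n=0
    case "$public_url" in
        https://*) ;;
        *) echo "public_url is not https: '$public_url'"; n=$((n + 1)) ;;
    esac
    case "$sqluri" in
        postgresql://*)
            # postgresql://USER:PASSWORD@HOST:PORT/DB -- flag a password equal to the user name
            creds=${sqluri#postgresql://}; creds=${creds%%@*}
            case "$creds" in
                *:*) if [ "${creds%%:*}" = "${creds#*:}" ]; then
                         echo "database password equals the user name '${creds%%:*}'"; n=$((n + 1))
                     fi ;;
            esac ;;
        sqlite:*) echo "sqluri still uses the default SQLite backend: $sqluri"; n=$((n + 1)) ;;
        *) echo "sqluri missing or unrecognised: '$sqluri'"; n=$((n + 1)) ;;
    esac
    case "$idp" in
        https://*) ;;
        *) echo "identity_provider unset: assertions from any BrowserID issuer are accepted"; n=$((n + 1)) ;;
    esac
    return $n
}

# Demo on a constructed copy of the article's configuration (not a deployed file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[syncserver]
public_url = https://your.url/
identity_provider = https://accounts.firefox.com/
sqluri = postgresql://sync:sync@127.0.0.1:5432/sync
EOF
findings=0; check_syncserver_ini "${1:-$sample}" || findings=$?
rm -f "$sample"; echo "findings: $findings"
```

On the constructed sample the only finding is the password equal to the user name; a sqlite:// sqluri, an http:// public_url or a missing identity_provider each add one more.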

I also wrote a little rc script to manage the syncserver service. It will work if you clone the repo in /usr/local/share/sync and build it there. Then make the www user its owner (chown www:) and copy the syncserver.ini file to /usr/local/etc/sync.

#!/bin/sh
#
# PROVIDE: sync
# REQUIRE: NETWORKING LOGIN
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf to enable sync:
#
# sync_enable="YES"

. /etc/rc.subr

name="sync"
rcvar="sync_enable"

# rc.subr switches to this unprivileged user before starting the command
sync_user="www"
sync_command="/usr/local/share/sync/local/bin/gunicorn --paste /usr/local/etc/sync/syncserver.ini"

# daemon(8) supervises gunicorn, writes the pidfile (-P) and restarts it (-r) if it dies.
# /var/run/${name} must exist and be writable by ${sync_user}.
pidfile="/var/run/${name}/${name}.pid"
command="/usr/sbin/daemon"
command_args="-P ${pidfile} -r -f ${sync_command}"

load_rc_config $name
: ${sync_enable:=no}

run_rc_command "$1"

After that, the advice from the official documentation and the Mirabellette article can be followed.

Here is an nginx reverse proxy config file:

server {
    listen         ipv4:80;
    listen         [ipv6]:80;
    server_name    your.url;
    return         301 https://$server_name$request_uri;

    access_log  logs/sync.access.log  main;
    error_log   logs/sync.error.log;
}

server {
    listen       ipv4:443 ssl http2;
    #listen      [ipv6]:443 ssl http2;
    server_name  your.url;

    access_log  logs/sync.access.log  main;
    error_log   logs/sync.error.log;

    ssl_certificate "/usr/local/etc/letsencrypt/live/url/fullchain.pem";
    ssl_certificate_key "/usr/local/etc/letsencrypt/live/url/privkey.pem";

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_protocols TLSv1.2;
    ssl_ecdh_curve secp384r1;
    ssl_ciphers EECDH+AESGCM:EECDH+CHACHA20:EECDH+AES;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=15552000; preload";
    #ssl_dhparam /etc/nginx/dh4096.pem;
    ssl_stapling on;
    ssl_stapling_verify on;

    client_max_body_size 10000m;

    location / {
        proxy_pass http://127.0.0.1:5000/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect off;
    }
}

One last point: when replacing the URL in Firefox's about:config, one has to use https://your.url/token/1.0/sync/1.5. Don't forget the /token part.