Add Syncthing to server container stack

AGENTS.md

@@ -41,6 +41,7 @@ Ansible-driven personal infrastructure repo for Void desktops, Linux workstation
 - Waybar JSON: `python3 -m json.tool dotfiles/desktop/.config/waybar/config-sway.jsonc >/dev/null`
   - Mail bootstrap: `sh -n scripts/bootstrap_mail.sh` and `shellcheck scripts/bootstrap_mail.sh`
   - Windows bootstrap parse: `pwsh -NoProfile -Command "[void][System.Management.Automation.Language.Parser]::ParseFile('scripts/bootstrap_windows_workstation.ps1', [ref]$null, [ref]$null)"`
+  - Server compose render: `docker compose -f /opt/docker/server/docker-compose.yml config`
 
 ## Conventions
 - Use FQCN Ansible modules.

README.md

@@ -194,8 +194,9 @@ Lo stato attuale del profilo server include:
 - installazione pacchetti base Ubuntu via apt
 - installazione e configurazione di Docker dal repository ufficiale
 - abilitazione dei servizi systemd dichiarati in inventory/group vars
-- copia dei dotfiles server e rendering dei template server
+- copia dei dotfiles server e rendering dei template server, incluso il `docker-compose.yml` dello stack servizi
 - attivazione del firewall UFW con regola SSH esplicita
+- apertura delle porte Syncthing `22000/tcp`, `22000/udp` e `21027/udp`, lasciando la GUI non esposta direttamente su UFW
 
 Utente del profilo server:
 
@@ -294,6 +295,7 @@ Questo significa che, allo stato attuale:
 - la workstation Fedora (`deadalus-fedora`) usa lo stesso principio di composizione a gruppi con il ramo Fedora dedicato e con `gsettings` host-specifici dichiarati in inventory
 - il ramo Windows + WSL e predisposto con bootstrap PowerShell e play Windows/WSL dedicati
 - il server Ubuntu (`prometheus`) e gestito con pacchetti, servizi, dotfiles server e firewall
+- lo stack container server include `navidrome`, `postgres`, `gitea`, `nginx-proxy-manager` e `syncthing`, con GUI Syncthing raggiungibile tramite la rete Docker `web`
 
 # Dotfiles
 
@@ -400,6 +402,7 @@ ansible-playbook ansible/site.yml --limit <host> --tags <tag1>,<tag2> --check --
 ansible-playbook ansible/site.yml --limit <host> --start-at-task "<task name>" --check --diff
 ansible-lint ansible/roles/<role>
 yamllint ansible/path/to/file.yml
+docker compose -f /opt/docker/server/docker-compose.yml config
 ```
 
 ## Tag supportati dal playbook

ansible/inventory/group_vars/server.yml

@@ -80,10 +80,34 @@ server_directories:
     owner: root
     group: root
     mode: "0755"
+  - path: /opt/syncthing/config
+    owner: root
+    group: root
+    mode: "0755"
+  - path: /srv/syncthing
+    owner: root
+    group: root
+    mode: "0755"
+  - path: /srv/syncthing/data
+    owner: root
+    group: root
+    mode: "0755"
 
 server_ufw_rules:
   - rule: allow
     name: OpenSSH
+  - rule: allow
+    port: "22000"
+    proto: tcp
+    comment: Syncthing sync traffic
+  - rule: allow
+    port: "22000"
+    proto: udp
+    comment: Syncthing QUIC sync traffic
+  - rule: allow
+    port: "21027"
+    proto: udp
+    comment: Syncthing local discovery
 
 server_sshd_settings:
   PermitRootLogin: "no"

ansible/templates/server/docker-compose.yml.j2

@@ -68,6 +68,23 @@ services:
       - "3000:3000"
       - "127.0.0.1:222:22"
 
+  syncthing:
+    image: syncthing/syncthing:2
+    container_name: syncthing
+    hostname: syncthing
+    restart: unless-stopped
+    expose:
+      - "8384"
+    volumes:
+      - "/opt/syncthing/config:/var/syncthing"
+      - "/srv/syncthing/data:/data"
+    ports:
+      - "22000:22000/tcp"
+      - "22000:22000/udp"
+      - "21027:21027/udp"
+    networks:
+      - web
+
 networks:
   web:
     external: false