Self-hosting Firefox Sync!
I’ve been using Firefox a bit on a couple of my computers, I’m not really sure why. But lately Google have been doing some fuckery with Chrome, so I resolved to only use it for work (where we’re already up to our necks in Google anyway), and I started thinking about using Firefox’s Sync feature. Then in a fountain of whatever-the-opposite-of-serendipity-is, I saw someone talking about Mozilla’s sync server being in a docker container and thought “hey that sounds neat”.
Yeah.
It’s a pain in the arse! I sympathize with the devs a lot, in that they’re a small team and they really only have the resources to care about the actual Mozilla ops, but that doesn’t make it any easier or less stressful to figure out.
The story so far:
- Someone posted a docker-compose file, which I converted to a Kubernetes manifest; that lets you run 12.x fairly trivially.
- On 13.x, they moved the namespaces of some of the settings around, which gives a rather confusing error saying that your database URL is incorrect. You have to rename some of the settings. Someone else posted a set of docker-compose configs that'll work on those versions, but I found this after making it work myself.
- On 14.x, it straight-up doesn't work at all. The reason for this appears to be (though I can't confirm it) that the docker container only supports Spanner as a database, not MariaDB, and I would have to build my own docker container to run that version. I can wait for them to hopefully fix it.
But it is working now. It depends on a MySQL server (I'm using a MariaDB container), and it still uses Mozilla's Firefox Account thingo; I don't think I care enough to self-host that. It also doesn't look like you can lock it down to specific users either, but I'm not allowing access to it from the rest of the internet (for what little time I'm out and about, I can put up with bookmarks not syncing). The only slight concern is setting it up on a new machine, forgetting to add the setting, and syncing my bookmarks to the wrong place, but that's a fairly minimal concern.
For posterity, here's my manifest for the deployment itself. The rest is all fairly self-explanatory, and it works just fine behind a Traefik IngressRoute: just pass it to a service listening on port 5000.
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: syncstorage-rs
  namespace: mozillasync
  labels:
    app: syncstorage-rs
spec:
  replicas: 1
  selector:
    matchLabels:
      app: syncstorage-rs
  template:
    metadata:
      labels:
        app: syncstorage-rs
    spec:
      containers:
        - name: syncstorage-rs
          image: mozilla/syncstorage-rs@sha256:b30d42fcb79781bdc1b01f47afdcacdb9f54adf9cdae74631a11c1f6daee0cda
          env:
            - name: DB_USERNAME
              valueFrom:
                secretKeyRef:
                  name: db-user-pass
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: db-user-pass
                  key: password
            - name: SYNC_MASTER_SECRET
              valueFrom:
                secretKeyRef:
                  name: master-secret
                  key: secret
            - name: SYNC_SYNCSTORAGE__NODE_TYPE
              value: mysql
            - name: SYNC_TOKENSERVER__NODE_TYPE
              value: mysql
            - name: SYNC_SYNCSTORAGE__DATABASE_URL
              value: mysql://$(DB_USERNAME):$(DB_PASSWORD)@mariadb:3306/syncstorage
            - name: SYNC_TOKENSERVER__DATABASE_URL
              value: mysql://$(DB_USERNAME):$(DB_PASSWORD)@mariadb:3306/tokenstorage
            - name: SYNC_HOST
              value: 0.0.0.0
            - name: SYNC_TOKENSERVER__ENABLED
              value: "true"
            - name: SYNC_TOKENSERVER__RUN_MIGRATIONS
              value: "true"
            - name: SYNC_TOKENSERVER__ADDITIONAL_BLOCKING_THREADS_FOR_FXA_REQUESTS
              value: "2"
            - name: SYNC_TOKENSERVER__FXA_EMAIL_DOMAIN
              value: api.accounts.firefox.com
            - name: SYNC_TOKENSERVER__FXA_OAUTH_SERVER_URL
              value: https://oauth.accounts.firefox.com/v1
            - name: SYNC_TOKENSERVER__FXA_METRICS_HASH_SECRET
              valueFrom:
                secretKeyRef:
                  name: master-secret
                  key: fxa-hash-secret
          securityContext:
            readOnlyRootFilesystem: false
            runAsUser: 10001
            runAsGroup: 10001
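The deployment above references two Secrets (db-user-pass and master-secret) and relies on a Service plus "not allowing access from the rest of the internet", none of which the post shows. The script below is an added example, not code from the post or from Mozilla, that generates those companion manifests: fresh random values for the secrets (hex only, so the password survives being interpolated into the mysql:// URL unencoded), the Service on port 5000 as the post describes, and a NetworkPolicy that admits traffic only from Traefik and lets the pod out only to DNS, MariaDB and port 443 for the Firefox Accounts OAuth server. Assumed, and not stated by the post: Traefik lives in a namespace labelled `kubernetes.io/metadata.name=traefik`, DNS lives in `kube-system`, and MariaDB is the pod labelled `app=mariadb` in the same namespace.

```shell
#!/bin/sh
# Companion manifests for the syncstorage-rs Deployment (added example, not
# the post's or Mozilla's code). Usage: sh gen-manifests.sh | kubectl apply -f -
set -eu

NS=mozillasync
PORT=5000                  # assumption: container port the post's Service uses
TRAEFIK_NS=traefik         # assumption: namespace Traefik runs in
DNS_NS=kube-system         # assumption: namespace CoreDNS runs in

# N random bytes as 2N hex chars from /dev/urandom via od (no openssl needed).
# Hex needs no URL-encoding, which matters because DB_PASSWORD is spliced
# into SYNC_*__DATABASE_URL by the Deployment's $(DB_PASSWORD) expansion.
gen_hex() {
  head -c "${1:-32}" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# stringData lets us write plain values; the API server base64-encodes them.
# SYNC_MASTER_SECRET ("secret") is shared by tokenserver and syncstorage.
render_secrets() {
  cat <<EOF
---
apiVersion: v1
kind: Secret
metadata: {name: db-user-pass, namespace: $NS}
type: Opaque
stringData:
  username: syncstorage
  password: $(gen_hex 24)
---
apiVersion: v1
kind: Secret
metadata: {name: master-secret, namespace: $NS}
type: Opaque
stringData:
  secret: $(gen_hex 32)
  fxa-hash-secret: $(gen_hex 32)
EOF
}

# ClusterIP Service the Traefik IngressRoute points at.
render_service() {
  cat <<EOF
---
apiVersion: v1
kind: Service
metadata: {name: syncstorage-rs, namespace: $NS}
spec:
  selector: {app: syncstorage-rs}
  ports:
    - {port: $PORT, targetPort: $PORT}
EOF
}

# Default-deny for the pod, then allow only: ingress from Traefik on $PORT;
# egress to DNS, to MariaDB on 3306, and to 443 anywhere (FxA OAuth server).
render_netpol() {
  cat <<EOF
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: syncstorage-rs, namespace: $NS}
spec:
  podSelector: {matchLabels: {app: syncstorage-rs}}
  policyTypes: [Ingress, Egress]
  ingress:
    - from:
        - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: $TRAEFIK_NS}}
      ports: [{port: $PORT}]
  egress:
    - to:
        - namespaceSelector: {matchLabels: {kubernetes.io/metadata.name: $DNS_NS}}
      ports: [{port: 53, protocol: UDP}, {port: 53, protocol: TCP}]
    - to:
        - podSelector: {matchLabels: {app: mariadb}}
      ports: [{port: 3306}]
    - to:
        - ipBlock: {cidr: 0.0.0.0/0}
      ports: [{port: 443}]
EOF
}

render_all() {
  render_secrets
  render_service
  render_netpol
}

render_all
```

Pipe the output straight into `kubectl apply -f -` rather than saving it, so the generated secrets never sit in a file; if you do keep a copy, keep it out of the repo that holds the deployment manifest. The NetworkPolicy only bites if the cluster's CNI enforces policies, and the last egress rule is deliberately loose (any host on 443) because the FxA endpoints resolve to changing addresses.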