Own Firefox-Sync-Server on ArchLinux with Apache & sqlite

Hi folks! A blog entry how to run a own Firefox-Sync-Server for privacy reason. That is a full installation on Arch Linux with latest Apache, mod_wsgi and sqlite as database.

The hole Firefox-Sync-Server is running as systemd service and is working on any device with a new Firefox version on iOS,Android,Linux,BSD, OSx or Windows.

It’s a more or less easy installation but not full documented on Arch Linux Wiki so i had the idea to do this.

First install apache,certbot and the database sqlite with pacman

sudo pacman -S apache sqlite certbot

As next Mozilla Firefox own sync server and the needed mod_wsgi for Apache with yay ( A AUR package manager)

yay -S mozilla-firefox-sync-server mod_wsgi

Add mod_wsgi to apache as module in httpd.conf and wsgi reverse proxy

sudo vim /etc/httpd/conf/httpd.conf

#Add following lines

# Act as a reverse proxy to the Mozilla Sync server:
Include conf/extra/httpd-wsgi.conf

#Add module wsgi 
LoadModule wsgi_module modules/mod_wsgi.so

Make a group and a user for the wsgi process

sudo groupadd sync
sudo useradd -g sync weave

Add following lines to httpd-wsgi.conf

sudo vim /etc/httpd/conf/extra/httpd-wsgi.conf

#Add following lines

<Directory /opt/mozilla-firefox-sync-server>
          Order deny,allow
          Allow from all

<VirtualHost *:80>
	ServerName sync.joelmueller.ch
	DocumentRoot /opt/mozilla-firefox-sync-server
RewriteEngine on
RewriteCond %{SERVER_NAME} =sync.joelmueller.ch
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

<VirtualHost *:443>
          ServerName sync.joelmueller.ch
          DocumentRoot /opt/mozilla-firefox-sync-server
          WSGIProcessGroup sync
          WSGIDaemonProcess sync user=weave group=sync processes=2 threads=25
          WSGIPassAuthorization On
          WSGIScriptAlias / /opt/mozilla-firefox-sync-server/syncserver.wsgi
          CustomLog /var/log/httpd/sync.joelmueller.ch-access.log combined
          ErrorLog  /var/log/httpd/sync.joelmueller.ch-error.log
Include /etc/letsencrypt/options-ssl-apache.conf
#SSLCertificateFile /etc/letsencrypt/live/sync.joelmueller.ch/fullchain.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/sync.joelmueller.ch/privkey.pem

Make a dir and give the ownership and permission

sudo mkdir /home/weave 
sudo chown weave:sync /home/weave
sudo chmod 711 /home/weave

Edit syncserver.ini

sudo vim /opt/mozilla-firefox-sync-server/syncserver.ini
sudo touch /opt/mozilla-firefox-sync-server/syncserver.db

# The config should look like this

use = egg:gunicorn
host =
port = 5000
workers = 1 
timeout = 30

use = egg:syncserver

# This must be edited to point to the public URL of your server,
# i.e. the URL as seen by Firefox.
public_url = https://sync.joelmueller.ch

# By default, syncserver will accept identity assertions issued by
# any BrowserID issuer.  The line below restricts it to accept assertions
# from just the production Firefox Account servers.  If you are hosting
# your own account server, put its public URL here instead.
identity_provider = https://accounts.firefox.com/

# This defines the database in which to store all server data.
sqluri = sqlite:///opt/mozilla-firefox-sync-server/syncserver.db
#sqluri = pymysql://sample_user:sample_password@

# This is a secret key used for signing authentication tokens.
# It should be long and randomly-generated.
# The following command will give a suitable value on *nix systems:
#    head -c 20 /dev/urandom | sha1sum
# If not specified then the server will generate a temporary one at startup.

# Set this to "false" to disable new-user signups on the server.
# Only requests by existing accounts will be honoured.
# allow_new_users = false

# Set this to "true" to work around a mismatch between public_url and
# the application URL as seen by python, which can happen in certain reverse-
# proxy hosting setups.  It will overwrite the WSGI environ dict with the
# details from public_url.  This could have security implications if e.g.
# you tell the app that it's on HTTPS but it's really on HTTP, so it should
# only be used as a last resort and after careful checking of server config.
force_wsgi_environ = true

# Use a custom MySQL based syncstorage node hosted at http://localhost:8000

# node_url = http://localhost:8000
# sqluri = pymysql://sample_user:sample_password@

# Replace syncserver endpoints with alternate server implementation, ie:
# MySQL based syncstorage-rs 1.5 server hosted at http://localhost:8000/1.5

# "{node}/1.5/{uid}"
# sync-1.5 = "http://localhost:8000/1.5/{uid}"

Start Apache webserver and generate with certbot the ssl certs

sudo systemctl start httpd
sudo certbot --apache
sudo systemctl restart httpd

Systemd service for Mollzila sync server

sudo vim /etc/systemd/system/firefox-sync.service

#Add these lines to the file

Description=Firefox Sync Server
After=syslog.target network.target remote-fs.target nss-lookup.target
ExecStart=/opt/mozilla-firefox-sync-server/local/bin/gunicorn --paste /opt/mozilla-firefox-sync-server/syncserver.ini

Enable systemd service firefox-sync and start it

sudo systemctl enable --now firefox-sync.service

Client side configuration for Mozilla Firefox Browser on Arch Linux

Open Firefox Browser
Sign out on sync
Hit in the URL Bar about:config
Search identity.sync.tokenserver.uri
Insert as value at identity.sync.tokenserver.uri: https://sync.joelmueller.ch/token/1.0/sync/1.5
Now sign in on accounts.mozilla.org

You can delete your user data on the mozilla servers

sudo apt install python-pip

cd /tmp

pip install PyFxA

python ./bin/delete_user_data.py mailadresse@domain.tld

If you want more information you can read the links under this text

  • https://wiki.archlinux.org/title/Firefox_Sync_Server
  • https://gnulinux.ch/sync-server-wechseln-im-firefox-desktop-android-und-ios
  • https://alien.slackbook.org/blog/setting-up-your-own-mozilla-sync-server/
  • https://canox.net/2020/01/eigenen-firefox-sync-server-betreiben/