Upgrade Synapse to v0.99 and simplify dummy TLS cert logic

This commit is contained in:
Slavi Pantaleev 2019-02-06 09:17:55 +02:00
parent 5db692f877
commit 40f3793af7
3 changed files with 6 additions and 56 deletions

View File

@ -295,6 +295,11 @@ matrix_synapse_database_database: "{{ matrix_postgres_db_name }}"
# We do not enable TLS in Synapse by default. # We do not enable TLS in Synapse by default.
# TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse. # TLS is handled by the matrix-nginx-proxy, which proxies the requests to Synapse.
matrix_synapse_no_tls: true matrix_synapse_no_tls: true
# Even though we don't do TLS at the Synapse side, Synapse v0.99 would still like to read
# some certificate file. The container contains a dummy certificate that could be used
# to prevent certificate file reading errors. It won't actually be used for anything else.
# See https://github.com/matrix-org/synapse/issues/4554
matrix_synapse_tls_certificate_path: /conf/dummy.tls.crt
matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}" matrix_synapse_email_enabled: "{{ matrix_mailer_enabled }}"
matrix_synapse_email_smtp_host: "matrix-mailer" matrix_synapse_email_smtp_host: "matrix-mailer"

View File

@ -1,4 +1,4 @@
matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.0rc4-py3" matrix_synapse_docker_image: "matrixdotorg/synapse:v0.99.0-py3"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"
matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config" matrix_synapse_config_dir_path: "{{ matrix_synapse_base_path }}/config"

View File

@ -58,61 +58,6 @@
dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config" dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
mode: 0644 mode: 0644
#
# To make Synapse 0.99 happy, we need to generate a valid (self-signed is OK) certificate file that we provide to it.
# It won't be used for anything important, but it needs to be there.
# See https://github.com/matrix-org/synapse/issues/4554
#
# Previously, Synapse would generate such certificate files and actually use them.
# So existing installations already have them.
#
- name: Check if Synapse certificate exists
stat:
path: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt"
register: matrix_synapse_certificate_stat
- name: Ensure OpenSSL installed (RedHat)
yum:
name:
- openssl
state: present
update_cache: no
when: "not matrix_synapse_certificate_stat.stat.exists and ansible_os_family == 'RedHat'"
- name: Ensure OpenSSL installed (Debian)
apt:
name:
- openssl
state: present
update_cache: no
when: "not matrix_synapse_certificate_stat.stat.exists and ansible_os_family == 'Debian'"
# The proper way to do this is by using a sequence of
# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`.
#
# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work,
# which is not available on CentOS 7 (at least).
#
# We'll do it in a more manual way.
- name: Generate SSL certificate
command: |
openssl req -x509 \
-sha256 \
-newkey rsa:4096 \
-nodes \
-subj "/CN={{ hostname_matrix }}" \
-keyout {{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key \
-out {{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt \
-days 3650
become: true
become_user: "{{ matrix_user_username }}"
when: "not matrix_synapse_certificate_stat.stat.exists"
#
# End of tasks related to making Synapse 0.99 happy.
#
- name: Ensure matrix-synapse.service installed - name: Ensure matrix-synapse.service installed
template: template:
src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2" src: "{{ role_path }}/templates/synapse/systemd/matrix-synapse.service.j2"