Set up Synapse configuration using a template (not line/regexp replacements)
Until now, we were starting from a fresh configuration, as generated by Synapse, and manipulating it with regex and line replacements until we made it work. This is more fragile and less predictable, so we're moving to a static configuration file generated from a Jinja template. The upside is that the configuration will be stable and predictable. The downside of this new approach is that any manual configuration changes made after the playbook is done will be thrown away on future playbook invocations. There are 2 ways to work around the need for manual configuration changes though: - making them part of this playbook and its default template configuration files (which benefits everyone) - going your own way for a given host and overriding the template files that get used (that is, the `matrix_synapse_template_synapse_homeserver` or `matrix_synapse_template_synapse_log` variables)
@ -1,5 +1,10 @@
|
||||
---
|
||||
|
||||
- name: Fail if Macaroon key is missing
|
||||
fail:
|
||||
msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable"
|
||||
when: "matrix_synapse_macaroon_secret_key == ''"
|
||||
|
||||
- name: Ensure Matrix Synapse paths exists
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
@ -41,6 +46,8 @@
|
||||
path: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
||||
register: matrix_synapse_config_stat
|
||||
|
||||
# We do this mostly so that the keys would get generated.
|
||||
# We'll replace the rest of the configuration with our own templates below.
|
||||
- name: Generate initial Matrix config
|
||||
docker_container:
|
||||
name: matrix-config
|
||||
@ -57,86 +64,17 @@
|
||||
- "{{ matrix_synapse_config_dir_path }}:/data"
|
||||
when: "not matrix_synapse_config_stat.stat.exists"
|
||||
|
||||
- name: Augment Matrix log config
|
||||
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
|
||||
args:
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: '{{ item.line }}'
|
||||
backrefs: '{{ item.backrefs }}'
|
||||
with_items:
|
||||
- {"regexp": '^(\s+)filename:', "line": '\1filename: /matrix-run/homeserver.log', backrefs: yes}
|
||||
- {"regexp": '^(\s+)maxBytes:', "line": '\1maxBytes: {{ matrix_max_log_file_size_mb * 1024 * 1024 }}', backrefs: yes}
|
||||
- {"regexp": '^(\s+)backupCount:', "line": '\1backupCount: {{ matrix_max_log_files_count }}', backrefs: yes}
|
||||
|
||||
- name: Augment Matrix config
|
||||
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
||||
args:
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: '{{ item.line }}'
|
||||
with_items:
|
||||
- {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'}
|
||||
- {"regexp": "^uploads_path:", "line": 'uploads_path: "/matrix-run/uploads"'}
|
||||
- {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'}
|
||||
- {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'}
|
||||
- {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'}
|
||||
- {"regexp": "^max_upload_size:", "line": 'max_upload_size: "{{ matrix_max_upload_size_mb }}M"'}
|
||||
- {"regexp": "^media_store_path:", "line": 'media_store_path: "/matrix-storage/media-store"'}
|
||||
|
||||
- name: Augment Matrix config (configure Macaroon secret)
|
||||
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
||||
args:
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: '{{ item.line }}'
|
||||
with_items:
|
||||
- {"regexp": "^macaroon_secret_key:", "line": 'macaroon_secret_key: "{{ matrix_synapse_macaroon_secret_key }}"'}
|
||||
when: "matrix_synapse_macaroon_secret_key is not none"
|
||||
|
||||
- name: Augment Matrix config (specify URL previews blacklist)
|
||||
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
||||
args:
|
||||
regexp: "^url_preview_ip_range_blacklist:"
|
||||
line: 'url_preview_ip_range_blacklist: ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16"]'
|
||||
insertafter: '^# url_preview_ip_range_blacklist:$'
|
||||
|
||||
# We only wish to do this for the 8008 port and not for the 8448 port
|
||||
# (2nd instance of `x_forwarded` found in the config)
|
||||
- name: Augment Matrix config (mark 8008 plain traffic as forwarded)
|
||||
replace: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
||||
args:
|
||||
regexp: "8008((?:.|\n)*)x_forwarded(.*)"
|
||||
replace: '8008\g<1>x_forwarded: true'
|
||||
|
||||
- name: Augment Matrix config (change database from SQLite to Postgres)
|
||||
lineinfile:
|
||||
- name: Ensure Matrix homeserver config installed
|
||||
template:
|
||||
src: "{{ matrix_synapse_template_synapse_homeserver }}"
|
||||
dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
||||
regexp: '(.*)name: "sqlite3"'
|
||||
line: '\1name: "psycopg2"'
|
||||
backrefs: yes
|
||||
mode: 0644
|
||||
|
||||
- name: Augment Matrix config (set the Postgres connection parameters)
|
||||
replace:
|
||||
dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
||||
regexp: '(.*)name: "psycopg2"((?:.|\n)*?)\n\n'
|
||||
replace: '\1name: "psycopg2"\n\1args:\n\1\1user: "{{ matrix_postgres_connection_username }}"\n\1\1password: "{{ matrix_postgres_connection_password }}"\n\1\1database: "{{ matrix_postgres_db_name }}"\n\1\1host: "{{ matrix_postgres_connection_hostname }}"\n\1\1cp_min: 5\n\1\1cp_max: 10\n\n'
|
||||
|
||||
- name: Augment Matrix config (configure TURN)
|
||||
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
||||
args:
|
||||
regexp: "{{ item.regexp }}"
|
||||
line: '{{ item.line }}'
|
||||
with_items:
|
||||
- {"regexp": "^turn_uris:", "line": 'turn_uris: ["turn:{{ hostname_matrix }}:3478?transport=udp", "turn:{{ hostname_matrix }}:3478?transport=tcp"]'}
|
||||
- {"regexp": "^turn_shared_secret:", "line": 'turn_shared_secret: "{{ matrix_coturn_turn_static_auth_secret }}"'}
|
||||
|
||||
- name: Allow access to Matrix ports in firewalld
|
||||
firewalld:
|
||||
port: "{{ item }}"
|
||||
state: enabled
|
||||
immediate: yes
|
||||
permanent: yes
|
||||
with_items:
|
||||
- '8448/tcp' # Matrix federation
|
||||
when: ansible_os_family == 'RedHat'
|
||||
- name: Ensure Matrix log config installed
|
||||
template:
|
||||
src: "{{ matrix_synapse_template_synapse_log }}"
|
||||
dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
|
||||
mode: 0644
|
||||
|
||||
- name: Ensure matrix-synapse.service installed
|
||||
template:
|
||||
@ -149,3 +87,13 @@
|
||||
src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
|
||||
dest: "/usr/local/bin/matrix-synapse-register-user"
|
||||
mode: 0750
|
||||
|
||||
- name: Allow access to Matrix ports in firewalld
|
||||
firewalld:
|
||||
port: "{{ item }}"
|
||||
state: enabled
|
||||
immediate: yes
|
||||
permanent: yes
|
||||
with_items:
|
||||
- '8448/tcp' # Matrix federation
|
||||
when: ansible_os_family == 'RedHat'
|
||||
|
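Review bot: The new `Ensure Matrix homeserver config installed` task in the `@ -57,86 +64,17 @@` hunk writes homeserver.yaml with `mode: 0644`, which leaves the file world-readable even though the settings this commit moves into the template (the removed lines show `macaroon_secret_key`, the Postgres `password` and `turn_shared_secret`) are credentials; assuming the template carries them, a tighter mode such as `mode: "0640"` with an explicit `owner`/`group` matching the account the container reads the config as would be the safer default. Quoting the mode matters on its own as well: an unquoted `0644` is parsed as the integer 420 under YAML 1.1, and Ansible recommends quoting octal modes (`"0644"`) for consistent results; the same applies to the log config task in that hunk and to the `mode: 0750` line in the last hunk. Separately, the guard added in the first hunk, `when: "matrix_synapse_macaroon_secret_key == ''"`, only catches an empty string; a `none` value (which the removed `is not none` check suggests was possible) or an undefined variable passes the check and is rendered into the template, so `when: "not (matrix_synapse_macaroon_secret_key | default(''))"` would cover all three cases. The firewalld task that the last hunk re-adds still uses `immediate: yes` / `permanent: yes`; `true` is the canonical boolean spelling and matches the rest of the new tasks.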