Initial commit

roles/matrix-server/tasks/import_media_store.yml

@@ -0,0 +1,32 @@
+---
+
+- name: Fail if playbook called incorrectly
+  fail: msg="The `local_path_media_store` variable needs to be provided to this playbook, via --extra-vars"
+  when: "local_path_media_store is not defined or local_path_media_store.startswith('<')"
+
+- name: Check if the provided media store directory exists
+  stat: path="{{ local_path_media_store }}"
+  delegate_to: 127.0.0.1
+  become: false
+  register: local_path_media_store_stat
+
+- name: Fail if provided media_store directory doesn't exist on the local machine
+  fail: msg="File cannot be found on the local machine at {{ local_path_media_store }}"
+  when: "not local_path_media_store_stat.stat.exists or not local_path_media_store_stat.stat.isdir"
+
+- name: Ensure matrix-synapse is stopped
+  service: name=matrix-synapse state=stopped daemon_reload=yes
+  register: stopping_result
+
+- name: Ensure provided media_store directory is copied to the server
+  synchronize:
+    src: "{{ local_path_media_store }}/"
+    dest: "{{ matrix_synapse_data_path }}/media_store"
+    delete: yes
+
+- name: Ensure Matrix Synapse is started (if it previously was)
+  service: name="{{ item }}" state=started daemon_reload=yes
+  when: stopping_result.changed
+  with_items:
+    - matrix-synapse
+    - matrix-nginx-proxy

roles/matrix-server/tasks/import_sqlite_db.yml

@@ -0,0 +1,78 @@
+---
+
+- name: Fail if playbook called incorrectly
+  fail: msg="The `local_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars"
+  when: "local_path_homeserver_db is not defined or local_path_homeserver_db.startswith('<')"
+
+- name: Check if the provided SQLite homeserver.db file exists
+  stat: path="{{ local_path_homeserver_db }}"
+  delegate_to: 127.0.0.1
+  become: false
+  register: local_path_homeserver_db_stat
+
+- name: Fail if provided SQLite homeserver.db file doesn't exist
+  fail: msg="File cannot be found on the local machine at {{ local_path_homeserver_db }}"
+  when: not local_path_homeserver_db_stat.stat.exists
+
+- name: Ensure scratchpad directory exists
+  file:
+    path: "{{ matrix_scratchpad_dir }}"
+    state: directory
+    mode: 0755
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure provided SQLite homeserver.db file is copied to scratchpad directory on the server
+  synchronize:
+    src: "{{ local_path_homeserver_db }}"
+    dest: "{{ matrix_scratchpad_dir }}/homeserver.db"
+
+- name: Ensure matrix-postgres is stopped
+  service: name=matrix-postgres state=stopped daemon_reload=yes
+
+- name: Ensure postgres data is wiped out
+  file:
+    path: "{{ matrix_postgres_data_path }}"
+    state: absent
+
+- name: Ensure postgres data path exists
+  file:
+    path: "{{ matrix_postgres_data_path }}"
+    state: directory
+    mode: 0700
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure matrix-postgres is started
+  service: name=matrix-postgres state=restarted daemon_reload=yes
+
+- name: Wait a while, so that Postgres can manage to start
+  pause: seconds=7
+
+# Fixes a problem with porting the `user_directory_search` table.
+# https://github.com/matrix-org/synapse/issues/2287
+- name: Ensure synapse_port_db_with_patch exists
+  copy:
+    src: "{{ role_path }}/files/synapse_port_db_with_patch"
+    dest: "{{ matrix_scratchpad_dir }}/synapse_port_db_with_patch"
+
+- name: Importing SQLite database into Postgres
+  docker_container:
+    name: matrix-synapse-migrate
+    image: "{{ docker_matrix_image }}"
+    detach: no
+    cleanup: yes
+    entrypoint: /usr/bin/python
+    command: "/usr/local/bin/synapse_port_db_with_patch --sqlite-database /scratchpad/homeserver.db --postgres-config /data/homeserver.yaml"
+    user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
+    volumes:
+      - "{{ matrix_synapse_data_path }}:/data"
+      - "{{ matrix_scratchpad_dir }}:/scratchpad"
+      - "{{ matrix_scratchpad_dir }}/synapse_port_db_with_patch:/usr/local/bin/synapse_port_db_with_patch"
+    links:
+      - "matrix-postgres:postgres"
+
+- name: Ensure scratchpad directory is deleted
+  file:
+    path: "{{ matrix_scratchpad_dir }}"
+    state: absent

roles/matrix-server/tasks/main.yml

@@ -0,0 +1,45 @@
+---
+
+- include: tasks/setup_base.yml
+  tags:
+    - setup-main
+
+- include: tasks/setup_main.yml
+  tags:
+    - setup-main
+
+- include: tasks/setup_ssl.yml
+  tags:
+    - setup-main
+
+- include: tasks/setup_postgres.yml
+  tags:
+    - setup-main
+
+- include: tasks/setup_synapse.yml
+  tags:
+    - setup-main
+
+- include: tasks/setup_riot_web.yml
+  tags:
+    - setup-main
+
+- include: tasks/setup_nginx_proxy.yml
+  tags:
+    - setup-main
+
+- include: tasks/start.yml
+  tags:
+    - start
+
+- include: tasks/register_user.yml
+  tags:
+    - register-user
+
+- include: tasks/import_sqlite_db.yml
+  tags:
+    - import-sqlite-db
+
+- include: tasks/import_media_store.yml
+  tags:
+    - import-media-store

roles/matrix-server/tasks/register_user.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Fail if playbook called incorrectly
+  fail: msg="The `username` variable needs to be provided to this playbook, via --extra-vars"
+  when: "username is not defined or username == '<your-username>'"
+
+- name: Fail if playbook called incorrectly
+  fail: msg="The `password` variable needs to be provided to this playbook, via --extra-vars"
+  when: "password is not defined or password == '<your-password>'"
+
+- name: Ensure matrix-synapse is started
+  service: name=matrix-synapse state=started daemon_reload=yes
+  register: start_result
+
+- name: Wait a while, so that Matrix Synapse can manage to start
+  pause: seconds=7
+  when: start_result.changed
+
+- name: Register user
+  shell: "matrix-synapse-register-user {{ username }} {{ password }}"

roles/matrix-server/tasks/setup_base.yml

@@ -0,0 +1,46 @@
+---
+
+- name: Ensure Docker repository is enabled (CentOS)
+  template:
+    src: "{{ role_path }}/files/yum.repos.d/{{ item }}"
+    dest: "/etc/yum.repos.d/{{ item }}"
+    owner: "root"
+    group: "root"
+    mode: 0644
+  with_items:
+    - docker-ce.repo
+  when: ansible_distribution == 'CentOS'
+
+- name: Ensure Docker's RPM key is trusted
+  rpm_key:
+    state: present
+    key: https://download.docker.com/linux/centos/gpg
+  when: ansible_distribution == 'CentOS'
+
+- name: Ensure yum packages are installed (base)
+  yum: name="{{ item }}" state=latest update_cache=yes
+  with_items:
+    - bash-completion
+    - docker-ce
+    - docker-python
+    - ntp
+  when: ansible_distribution == 'CentOS'
+
+- name: Ensure Docker is started and autoruns
+  service: name=docker state=started enabled=yes
+
+- name: Ensure firewalld is started and autoruns
+  service: name=firewalld state=started enabled=yes
+
+- name: Ensure ntpd is started and autoruns
+  service: name=ntpd state=started enabled=yes
+
+- name: Ensure SELinux disabled
+  selinux: state=disabled
+
+- name: Ensure correct hostname set
+  hostname: name="{{ hostname_matrix }}"
+
+- name: Ensure timezone is UTC
+  timezone:
+    name: UTC

roles/matrix-server/tasks/setup_main.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Ensure Matrix group is created
+  group:
+    name: "{{ matrix_user_username }}"
+    gid: "{{ matrix_user_gid }}"
+    state: present
+
+- name: Ensure Matrix user is created
+  user:
+    name: "{{ matrix_user_username }}"
+    uid: "{{ matrix_user_uid }}"
+    state: present
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure environment variables data path exists
+  file:
+    path: "{{ matrix_environment_variables_data_path }}"
+    state: directory
+    mode: 0700

roles/matrix-server/tasks/setup_nginx_proxy.yml

@@ -0,0 +1,41 @@
+---
+
+- name: Ensure Matrix nginx-proxy paths exists
+  file:
+    path: "{{ item }}"
+    state: directory
+    mode: 0750
+    owner: root
+    group: root
+  with_items:
+    - "{{ matrix_nginx_proxy_data_path }}"
+    - "{{ matrix_nginx_proxy_confd_path }}"
+
+- name: Ensure nginx Docker image is pulled
+  docker_image:
+    name: "{{ docker_nginx_image }}"
+
+- name: Ensure Matrix Synapse proxy vhost configured
+  template:
+    src: "{{ role_path }}/templates/nginx-conf.d/{{ item }}.j2"
+    dest: "{{ matrix_nginx_proxy_confd_path }}/{{ item }}"
+    mode: 0644
+  with_items:
+    - "matrix-synapse.conf"
+    - "matrix-riot-web.conf"
+
+- name: Allow access to nginx proxy ports in firewalld
+  firewalld:
+    service: "{{ item }}"
+    state: enabled
+    immediate: yes
+    permanent: yes
+  with_items:
+    - "http"
+    - "https"
+
+- name: Ensure matrix-nginx-proxy.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2"
+    dest: "/etc/systemd/system/matrix-nginx-proxy.service"
+    mode: 0644

roles/matrix-server/tasks/setup_postgres.yml

@@ -0,0 +1,34 @@
+---
+
+- name: Ensure postgres data path exists
+  file:
+    path: "{{ matrix_postgres_data_path }}"
+    state: directory
+    mode: 0700
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure postgres Docker image is pulled
+  docker_image:
+    name: "{{ docker_postgres_image }}"
+
+- name: Ensure Postgres environment variables file created
+  template:
+    src: "{{ role_path }}/templates/env/{{ item }}.j2"
+    dest: "{{ matrix_environment_variables_data_path }}/{{ item }}"
+    mode: 0640
+  with_items:
+    - "env-postgres-pgsql-docker"
+    - "env-postgres-server-docker"
+
+- name: Ensure matrix-postgres-cli script created
+  template:
+    src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2"
+    dest: "/usr/local/bin/matrix-postgres-cli"
+    mode: 0750
+
+- name: Ensure matrix-postgres.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2"
+    dest: "/etc/systemd/system/matrix-postgres.service"
+    mode: 0644

roles/matrix-server/tasks/setup_riot_web.yml

@@ -0,0 +1,30 @@
+---
+
+- name: Ensure Matrix riot-web paths exists
+  file:
+    path: "{{ matrix_nginx_riot_web_data_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure riot-web Docker image is pulled
+  docker_image:
+    name: "{{ docker_riot_image }}"
+
+- name: Ensure Matrix riot-web configured
+  template:
+    src: "{{ role_path }}/templates/riot-web/{{ item }}.j2"
+    dest: "{{ matrix_nginx_riot_web_data_path }}/{{ item }}"
+    mode: 0644
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+  with_items:
+    - "riot.im.conf"
+    - "config.json"
+
+- name: Ensure matrix-riot-web.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-riot-web.service.j2"
+    dest: "/etc/systemd/system/matrix-riot-web.service"
+    mode: 0644

roles/matrix-server/tasks/setup_ssl.yml

@@ -0,0 +1,37 @@
+---
+
+- name: Allow access to HTTP/HTTPS in firewalld
+  firewalld:
+    service: "{{ item }}"
+    state: enabled
+    immediate: yes
+    permanent: yes
+  with_items:
+    - http
+    - https
+
+- name: Ensure acmetool Docker image is pulled
+  docker_image:
+    name: willwill/acme-docker
+
+- name: Ensure SSL certificates path exists
+  file:
+    path: "{{ ssl_certs_path }}"
+    state: directory
+    mode: 0770
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure SSL certificates are marked as wanted in acmetool
+  shell: >-
+    /usr/bin/docker run --rm --name acmetool-host-grab -p 80:80
+    -v {{ ssl_certs_path }}:/certs
+    -e ACME_EMAIL={{ ssl_support_email }}
+    willwill/acme-docker
+    acmetool want {{ hostname_matrix }} {{ hostname_riot }} --xlog.severity=debug
+
+- name: Ensure periodic SSL renewal cronjob configured
+  template:
+    src: "{{ role_path }}/templates/cron.d/ssl-certificate-renewal.j2"
+    dest: "/etc/cron.d/ssl-certificate-renewal"
+    mode: 0600

roles/matrix-server/tasks/setup_synapse.yml

@@ -0,0 +1,87 @@
+---
+
+- name: Ensure Matrix Synapse data path exists
+  file:
+    path: "{{ matrix_synapse_data_path }}"
+    state: directory
+    mode: 0750
+    owner: "{{ matrix_user_username }}"
+    group: "{{ matrix_user_username }}"
+
+- name: Ensure Matrix Docker image is pulled
+  docker_image:
+    name: "{{ docker_matrix_image }}"
+
+- name: Generate initial Matrix config
+  docker_container:
+    name: matrix-config
+    image: "{{ docker_matrix_image }}"
+    detach: no
+    cleanup: yes
+    command: generate
+    env:
+      SERVER_NAME: "{{ hostname_matrix }}"
+      REPORT_STATS: "no"
+    user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
+    volumes:
+      - "{{ matrix_synapse_data_path }}:/data"
+
+- name: Augment Matrix config (configure SSL fullchain location)
+  lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml"
+  args:
+    regexp: "^tls_certificate_path:"
+    line: 'tls_certificate_path: "/acmetool-certs/live/{{ hostname_matrix }}/fullchain"'
+
+- name: Augment Matrix config (configure SSL private key location)
+  lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml"
+  args:
+    regexp: "^tls_private_key_path:"
+    line: 'tls_private_key_path: "/acmetool-certs/live/{{ hostname_matrix }}/privkey"'
+
+- name: Augment Matrix config (configure server name)
+  lineinfile: "dest={{ matrix_synapse_data_path }}/homeserver.yaml"
+  args:
+    regexp: "^server_name:"
+    line: 'server_name: "{{ hostname_identity }}"'
+
+- name: Augment Matrix config (change database from SQLite to Postgres)
+  lineinfile:
+    dest: "{{ matrix_synapse_data_path }}/homeserver.yaml"
+    regexp: '(.*)name: "sqlite3"'
+    line: '\1name: "psycopg2"'
+    backrefs: yes
+
+- name: Augment Matrix config (add the Postgres connection parameters)
+  lineinfile:
+    dest: "{{ matrix_synapse_data_path }}/homeserver.yaml"
+    regexp: '(.*)database: "(.*)homeserver.db"'
+    line: '\1user: "{{ matrix_postgres_connection_username }}"\n\1password: "{{ matrix_postgres_connection_password }}"\n\1database: "homeserver"\n\1host: "postgres"\n\1cp_min: 5\n\1cp_max: 10'
+    backrefs: yes
+
+- name: Allow access to Matrix ports in firewalld
+  firewalld:
+    port: "{{ item }}/tcp"
+    state: enabled
+    immediate: yes
+    permanent: yes
+  with_items:
+    - 3478 # Coturn
+    - 8448 # Matrix federation
+
+- name: Ensure matrix-synapse.service installed
+  template:
+    src: "{{ role_path }}/templates/systemd/matrix-synapse.service.j2"
+    dest: "/etc/systemd/system/matrix-synapse.service"
+    mode: 0644
+
+- name: Ensure matrix-synapse-register-user script created
+  template:
+    src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
+    dest: "/usr/local/bin/matrix-synapse-register-user"
+    mode: 0750
+
+- name: Ensure periodic restarting of Matrix is configured (for SSL renewal)
+  template:
+    src: "{{ role_path }}/templates/cron.d/matrix-periodic-restarter.j2"
+    dest: "/etc/cron.d/matrix-periodic-restarter"
+    mode: 0600

roles/matrix-server/tasks/start.yml

@@ -0,0 +1,13 @@
+---
+
+- name: Ensure matrix-postgres autoruns and is restarted
+  service: name=matrix-postgres enabled=yes state=restarted daemon_reload=yes
+
+- name: Ensure matrix-synapse autoruns and is restarted
+  service: name=matrix-synapse enabled=yes state=restarted daemon_reload=yes
+
+- name: Ensure matrix-riot-web autoruns and is restarted
+  service: name=matrix-riot-web enabled=yes state=restarted daemon_reload=yes
+
+- name: Ensure matrix-nginx-proxy autoruns and is restarted
+  service: name=matrix-nginx-proxy enabled=yes state=restarted daemon_reload=yes