Initial commit

roles/matrix-server/templates/cron.d/matrix-periodic-restarter.j2

@@ -0,0 +1,11 @@
+MAILTO="{{ ssl_support_email }}"
+
+# This periodically restarts the Matrix services
+# to ensure they're using the latest SSL certificate
+# in case it got renewed by the `ssl-certificate-renewal` cronjob
+# (which happens once every ~2-3 months).
+#
+# Because `matrix-nginx-proxy.service` depends on `matrix-synapse.service`,
+# both would be restarted.
+
+{{ matrix_services_restart_cron_time_definition }} root /usr/bin/systemctl restart matrix-synapse.service

roles/matrix-server/templates/cron.d/ssl-certificate-renewal.j2

@@ -0,0 +1,14 @@
+MAILTO="{{ ssl_support_email }}"
+
+# The goal of this cronjob is to ask acmetool to check
+# the current SSL certificates and to see if some need renewal.
+# It so, it would attempt to renew.
+#
+# Various services depend on these certificates and would need to be restarted.
+# This is not our concern here. We simply make sure the certificates are up to date.
+# Restarting of services happens on its own different schedule (other cronjobs).
+#
+# acmetool is supposed to bind to port :80 (forwarded to the host) and solve the challenge directly.
+# We can afford to do that, because all our services run on other ports.
+
+15 4 */5 * * root /usr/bin/docker run --rm --name acmetool-once -p 80:80 -v {{ ssl_certs_path }}:/certs -e ACME_EMAIL={{ ssl_support_email }} willwill/acme-docker acmetool --batch reconcile # --xlog.severity=debug

roles/matrix-server/templates/env/env-postgres-pgsql-docker.j2

@@ -0,0 +1,3 @@
+PGUSER={{ matrix_postgres_connection_username }}
+PGPASSWORD={{ matrix_postgres_connection_password }}
+PGDATABASE={{ matrix_postgres_db_name }}

roles/matrix-server/templates/env/env-postgres-server-docker.j2

@@ -0,0 +1,3 @@
+POSTGRES_USER={{ matrix_postgres_connection_username }}
+POSTGRES_PASSWORD={{ matrix_postgres_connection_password }}
+POSTGRES_DB={{ matrix_postgres_db_name }}

roles/matrix-server/templates/nginx-conf.d/matrix-riot-web.conf.j2

@@ -0,0 +1,21 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ hostname_riot }};
+
+	server_tokens off;
+	root /dev/null;
+
+	ssl on;
+	ssl_certificate /acmetool-certs/live/{{ hostname_riot }}/fullchain;
+	ssl_certificate_key /acmetool-certs/live/{{ hostname_riot }}/privkey;
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+
+    location / {
+        proxy_pass http://riot:8765;
+        proxy_set_header X-Forwarded-For $remote_addr;
+    }
+}

roles/matrix-server/templates/nginx-conf.d/matrix-synapse.conf.j2

@@ -0,0 +1,21 @@
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ hostname_matrix }};
+
+	server_tokens off;
+	root /dev/null;
+
+	ssl on;
+	ssl_certificate /acmetool-certs/live/{{ hostname_matrix }}/fullchain;
+	ssl_certificate_key /acmetool-certs/live/{{ hostname_matrix }}/privkey;
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_prefer_server_ciphers on;
+	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+
+    location /_matrix {
+        proxy_pass http://synapse:8008;
+        proxy_set_header X-Forwarded-For $remote_addr;
+    }
+}

roles/matrix-server/templates/riot-web/config.json.j2

@@ -0,0 +1,15 @@
+{
+    "default_hs_url": "https://{{ hostname_matrix }}",
+    "default_is_url": "https://vector.im",
+    "brand": "Riot",
+    "integrations_ui_url": "https://scalar.vector.im/",
+    "integrations_rest_url": "https://scalar.vector.im/api",
+    "bug_report_endpoint_url": "https://riot.im/bugreports/submit",
+    "enableLabs": true,
+    "roomDirectory": {
+        "servers": [
+            "matrix.org"
+        ]
+    },
+    "welcomeUserId": "@riot-bot:matrix.org"
+}

roles/matrix-server/templates/riot-web/riot.im.conf.j2

@@ -0,0 +1,3 @@
+-p 8765
+-A 0.0.0.0
+-c 3500

roles/matrix-server/templates/systemd/matrix-nginx-proxy.service.j2

@@ -0,0 +1,27 @@
+[Unit]
+Description=Matrix nginx proxy server
+After=docker.service
+Requires=docker.service
+Requires=matrix-synapse.service
+After=matrix-synapse.service
+Requires=matrix-riot-web.service
+After=matrix-riot-web.service
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-nginx-proxy
+ExecStartPre=-/usr/bin/docker rm matrix-nginx-proxy
+ExecStart=/usr/bin/docker run --rm --name matrix-nginx-proxy \
+			-p 443:443 \
+			--link matrix-synapse:synapse \
+			--link matrix-riot-web:riot \
+			-v {{ matrix_nginx_proxy_confd_path }}:/etc/nginx/conf.d \
+			-v {{ ssl_certs_path }}:/acmetool-certs \
+			{{ docker_nginx_image }}
+ExecStop=-/usr/bin/docker kill matrix-nginx-proxy
+ExecStop=-/usr/bin/docker rm matrix-nginx-proxy
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-server/templates/systemd/matrix-postgres.service.j2

@@ -0,0 +1,24 @@
+[Unit]
+Description=Matrix Postgres server
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker stop matrix-postgres
+ExecStartPre=-/usr/bin/docker rm matrix-postgres
+ExecStartPre=-/usr/bin/mkdir {{ matrix_postgres_data_path }}
+ExecStartPre=-/usr/bin/chown {{ matrix_user_uid }}:{{ matrix_user_gid }} {{ matrix_postgres_data_path }}
+ExecStart=/usr/bin/docker run --rm --name matrix-postgres \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--env-file={{ matrix_environment_variables_data_path }}/env-postgres-server-docker \
+			-v {{ matrix_postgres_data_path }}:/var/lib/postgresql/data \
+			-v /etc/passwd:/etc/passwd:ro \
+			{{ docker_postgres_image }}
+ExecStop=-/usr/bin/docker stop matrix-postgres
+ExecStop=-/usr/bin/docker rm matrix-postgres
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-server/templates/systemd/matrix-riot-web.service.j2

@@ -0,0 +1,19 @@
+[Unit]
+Description=Matrix Riot web server
+After=docker.service
+Requires=docker.service
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-riot-web
+ExecStartPre=-/usr/bin/docker rm matrix-riot-web
+ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \
+			-v {{ matrix_nginx_riot_web_data_path }}:/data \
+			{{ docker_riot_image }}
+ExecStop=-/usr/bin/docker kill matrix-riot-web
+ExecStop=-/usr/bin/docker rm matrix-riot-web
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-server/templates/systemd/matrix-synapse.service.j2

@@ -0,0 +1,26 @@
+[Unit]
+Description=Matrix Synapse server
+After=docker.service
+Requires=docker.service
+Requires=matrix-postgres.service
+After=matrix-postgres.service
+
+[Service]
+Type=simple
+ExecStartPre=-/usr/bin/docker kill matrix-synapse
+ExecStartPre=-/usr/bin/docker rm matrix-synapse
+ExecStartPre=-/usr/bin/chown {{ matrix_user_username }}:{{ matrix_user_username }} {{ ssl_certs_path }} -R
+ExecStart=/usr/bin/docker run --rm --name matrix-synapse \
+			--link matrix-postgres:postgres \
+			-p 8448:8448 \
+			-p 3478:3478 \
+			-v {{ matrix_synapse_data_path }}:/data \
+			-v {{ ssl_certs_path }}:/acmetool-certs \
+			{{ docker_matrix_image }}
+ExecStop=-/usr/bin/docker kill matrix-synapse
+ExecStop=-/usr/bin/docker rm matrix-synapse
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target

roles/matrix-server/templates/usr-local-bin/matrix-postgres-cli.j2

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+docker run --env-file={{ matrix_environment_variables_data_path }}/env-postgres-pgsql-docker -it --link=matrix-postgres:postgres postgres:9.6.3-alpine psql -h postgres

roles/matrix-server/templates/usr-local-bin/matrix-synapse-register-user.j2

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+if [ $# -ne 2 ]; then
+	echo "Usage: "$0" <username> <password>"
+	exit 1
+fi
+
+user=$1
+password=$2
+
+docker exec matrix-synapse register_new_matrix_user -u $user -p $password -a -c /data/homeserver.yaml https://localhost:8448