finallycoffee/matrix-docker-ansible-deploy
5
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Make roles more independent of one another

Browse Source 
With this change, the following roles are now only dependent
on the minimal `matrix-base` role:
- `matrix-corporal`
- `matrix-coturn`
- `matrix-mailer`
- `matrix-mxisd`
- `matrix-postgres`
- `matrix-riot-web`
- `matrix-synapse`

The `matrix-nginx-proxy` role still does too much and remains
dependent on the others.

Wiring up the various (now-independent) roles happens
via a glue variables file (`group_vars/matrix-servers`).
It's triggered for all hosts in the `matrix-servers` group.

According to Ansible's rules of priority, we have the following
chain of inclusion/overriding now:
- role defaults (mostly empty or good for independent usage)
- playbook glue variables (`group_vars/matrix-servers`)
- inventory host variables (`inventory/host_vars/matrix.<your-domain>`)

All roles default to enabling their main component
(e.g. `matrix_mxisd_enabled: true`, `matrix_riot_web_enabled: true`).
Reasoning: if a role is included in a playbook (especially separately,
in another playbook), it should "work" by default.

Our playbook disables some of those if they are not generally useful
(e.g. `matrix_corporal_enabled: false`).
This commit is contained in:
Slavi Pantaleev
2019-01-16 18:05:48 +02:00
parent 515f04e936
commit c10182e5a6
57 changed files with 807 additions and 289 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
roles/matrix-base/defaults/main.yml
View File

@ -22,7 +22,8 @@ matrix_base_data_path_mode: "750"
matrix_static_files_base_path: "{{ matrix_base_data_path }}/static-files"
matrix_homeserver_url: "https://{{ hostname_matrix }}"
matrix_identity_server_url: "https://{{ matrix_synapse_trusted_third_party_id_servers[0] }}"
matrix_identity_server_url: ~
# The Docker network that all services would be put into
matrix_docker_network: "matrix"

10
roles/matrix-base/tasks/sanity_check.yml
View File

@ -15,16 +15,6 @@
msg: "{{ matrix_ansible_outdated_fail_msg }}"
when: "ansible_version.major == 2 and ansible_version.minor == 5 and ansible_version.revision < 2"
- name: Fail if Macaroon key is missing
fail:
msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable"
when: "matrix_synapse_macaroon_secret_key == ''"
- name: Fail if Coturn Auth secret is missing
fail:
msg: "You need to set a secret in the matrix_coturn_turn_static_auth_secret variable"
when: "matrix_coturn_turn_static_auth_secret == ''"
# This sanity check is only used to detect uppercase when people override these specific variables.
#
# If people set `host_specific_hostname_identity` without overriding other variables (the general use-case),

29
roles/matrix-corporal/defaults/main.yml
View File

@ -1,12 +1,13 @@
# Enable this to add support for matrix-corporal.
# matrix-corporal is a reconciliator and gateway for a managed Matrix server.
# See: https://github.com/devture/matrix-corporal
matrix_corporal_enabled: false
# Controls whether the matrix-corporal web server's ports are exposed outside of the container.
# Normally, matrix-nginx-proxy is enabled and nginx can reach matrix-corporal over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# matrix-corporal's web-server ports to the local host (`127.0.0.1:41080` and `127.0.0.1:41081`).
matrix_corporal_container_expose_ports: "{{ not matrix_nginx_proxy_enabled }}"
matrix_corporal_enabled: true
# Controls whether the matrix-corporal web server's ports (`41080` and `41081`) are exposed outside of the container.
matrix_corporal_container_expose_ports: false
# List of systemd services that matrix-corporal.service depends on
matrix_corporal_systemd_required_services_list: ['docker.service']
matrix_corporal_docker_image: "devture/matrix-corporal:1.2.2"
matrix_corporal_base_path: "{{ matrix_base_data_path }}/corporal"
@ -14,6 +15,20 @@ matrix_corporal_config_dir_path: "{{ matrix_corporal_base_path }}/config"
matrix_corporal_cache_dir_path: "{{ matrix_corporal_base_path }}/cache"
matrix_corporal_var_dir_path: "{{ matrix_corporal_base_path }}/var"
matrix_corporal_matrix_homeserver_domain_name: "{{ hostname_identity }}"
# Controls where matrix-corporal can reach your Synapse server (e.g. "http://matrix-synapse:8008").
# If Synapse runs on the same machine, you may need to add its service to `matrix_corporal_systemd_required_services_list`.
matrix_corporal_matrix_homeserver_api_endpoint: ""
# The shared secret between matrix-corporal and Synapse's shared-secret-auth password provider module.
# To use matrix-corporal, the shared-secret-auth password provider needs to be enabled and the secret needs to be identical.
matrix_corporal_matrix_auth_shared_secret: ""
# The shared secret for registering users with Synapse.
# Needs to be identical to Synapse's `registration_shared_secret` setting.
matrix_corporal_matrix_registration_shared_secret: ""
matrix_corporal_matrix_timeout_milliseconds: 45000
matrix_corporal_reconciliation_retry_interval_milliseconds: 30000

6
roles/matrix-corporal/tasks/init.yml
View File

@ -1,9 +1,3 @@
- name: Override configuration specifying where the Matrix Client API is
set_fact:
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080"
matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080"
when: "matrix_corporal_enabled"
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-corporal'] }}"
when: "matrix_corporal_enabled"

6
roles/matrix-corporal/tasks/main.yml
View File

@ -2,6 +2,12 @@
tags:
- always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup and matrix_corporal_enabled"
tags:
- setup-all
- setup-corporal
- import_tasks: "{{ role_path }}/tasks/setup_corporal.yml"
when: run_setup
tags:

18
roles/matrix-corporal/tasks/setup_corporal.yml
View File

@ -4,24 +4,6 @@
# Tasks related to setting up matrix-corporal
#
- name: Fail if Shared Secret Auth extension not enabled
fail:
msg: "To use matrix-corporal, you need to enable the Shared Secret Auth module for Synapse (see matrix_synapse_ext_password_provider_shared_secret_auth_enabled)"
when: "matrix_corporal_enabled and not matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
- name: Fail if HTTP API enabled, but no token set
fail:
msg: "The Matrix Corporal HTTP API is enabled, but no auth token has been set in matrix_corporal_http_api_auth_token"
when: "matrix_corporal_enabled and matrix_corporal_http_api_enabled and matrix_corporal_http_api_auth_token == ''"
- name: Fail if policy provider configuration not set
fail:
msg: "The Matrix Corporal policy provider configuration has not been set in matrix_corporal_policy_provider_config"
when: "matrix_corporal_enabled and matrix_corporal_policy_provider_config == ''"
# There are some additional initialization tasks in setup_corporal_overrides.yml,
# which need to always run, no matter what tag the playbook is running with.
- name: Ensure Matrix Corporal paths exist
file:
path: "{{ item }}"

17
roles/matrix-corporal/tasks/validate_config.yml Normal file
View File

@ -0,0 +1,17 @@
---
- name: Fail if required matrix-corporal settings not defined
fail:
msg: >
You need to define a required configuration setting (`{{ item }}`) for using matrix-corporal.
when: "vars[item] == ''"
with_items:
- "matrix_corporal_matrix_homeserver_api_endpoint"
- "matrix_corporal_matrix_auth_shared_secret"
- "matrix_corporal_matrix_registration_shared_secret"
- "matrix_corporal_policy_provider_config"
- name: Fail if HTTP API enabled, but no token set
fail:
msg: "The Matrix Corporal HTTP API is enabled (`matrix_corporal_http_api_enabled`), but no auth token has been set in `matrix_corporal_http_api_auth_token`"
when: "matrix_corporal_http_api_enabled and matrix_corporal_http_api_auth_token == ''"

8
roles/matrix-corporal/templates/config.json.j2
View File

@ -1,9 +1,9 @@
{
"Matrix": {
"HomeserverDomainName": "{{ hostname_identity }}",
"HomeserverApiEndpoint": "http://matrix-synapse:8008",
"AuthSharedSecret": "{{ matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret }}",
"RegistrationSharedSecret": "{{ matrix_synapse_registration_shared_secret }}",
"HomeserverDomainName": "{{ matrix_corporal_matrix_homeserver_domain_name }}",
"HomeserverApiEndpoint": "{{ matrix_corporal_matrix_homeserver_api_endpoint }}",
"AuthSharedSecret": "{{ matrix_corporal_matrix_auth_shared_secret }}",
"RegistrationSharedSecret": "{{ matrix_corporal_matrix_registration_shared_secret }}",
"TimeoutMilliseconds": {{ matrix_corporal_matrix_timeout_milliseconds }}
},

8
roles/matrix-corporal/templates/systemd/matrix-corporal.service.j2
View File

@ -1,9 +1,9 @@
[Unit]
Description=Matrix Corporal
After=docker.service
Requires=docker.service
Requires=matrix-synapse.service
After=matrix-synapse.service
{% for service in matrix_corporal_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
[Service]
Type=simple

5
roles/matrix-coturn/defaults/main.yml
View File

@ -1,8 +1,13 @@
matrix_coturn_enabled: true
matrix_coturn_docker_image: "instrumentisto/coturn:4.5.0.8"
matrix_coturn_base_path: "{{ matrix_base_data_path }}/coturn"
matrix_coturn_config_path: "{{ matrix_coturn_base_path }}/turnserver.conf"
# List of systemd services that matrix-coturn.service depends on
matrix_coturn_systemd_required_services_list: ['docker.service']
# A shared secret (between Synapse and Coturn) used for authentication.
# You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`).
matrix_coturn_turn_static_auth_secret: ""

10
roles/matrix-coturn/tasks/main.yml
View File

@ -2,8 +2,14 @@
tags:
- always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup and matrix_coturn_enabled"
tags:
- setup-all
- setup-coturn
- import_tasks: "{{ role_path }}/tasks/setup_coturn.yml"
when: run_setup
tags:
- setup-coturn
- setup-all
- setup-all
- setup-coturn

48
roles/matrix-coturn/tasks/setup_coturn.yml
View File

@ -1,13 +1,13 @@
---
- name: Fail if Coturn secret is missing
fail:
msg: "You need to set a secret in the matrix_coturn_turn_static_auth_secret variable"
when: "matrix_coturn_turn_static_auth_secret == ''"
#
# Tasks related to setting up Coturn
#
- name: Ensure Coturn image is pulled
docker_image:
name: "{{ matrix_coturn_docker_image }}"
when: matrix_coturn_enabled
- name: Ensure Coturn configuration path exists
file:
@ -16,18 +16,21 @@
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: matrix_coturn_enabled
- name: Ensure turnserver.conf installed
template:
src: "{{ role_path }}/templates/turnserver.conf.j2"
dest: "{{ matrix_coturn_config_path }}"
mode: 0644
when: matrix_coturn_enabled
- name: Ensure matrix-coturn.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
dest: "/etc/systemd/system/matrix-coturn.service"
mode: 0644
when: matrix_coturn_enabled
- name: Allow access to Coturn ports in firewalld
firewalld:
@ -39,4 +42,39 @@
- '3478/tcp' # STUN
- '3478/udp' # STUN
- "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN
when: ansible_os_family == 'RedHat'
when: "matrix_coturn_enabled and ansible_os_family == 'RedHat'"
#
# Tasks related to getting rid of Coturn (if it was previously enabled)
#
- name: Check existence of matrix-coturn service
stat:
path: "/etc/systemd/system/matrix-coturn.service"
register: matrix_coturn_service_stat
- name: Ensure matrix-coturn is stopped
service:
name: matrix-coturn
state: stopped
daemon_reload: yes
register: stopping_result
when: "not matrix_coturn_enabled and matrix_coturn_service_stat.stat.exists"
- name: Ensure matrix-coturn.service doesn't exist
file:
path: "/etc/systemd/system/matrix-coturn.service"
state: absent
when: "not matrix_coturn_enabled and matrix_coturn_service_stat.stat.exists"
- name: Ensure Matrix coturn paths don't exist
file:
path: "{{ matrix_coturn_base_path }}"
state: absent
when: "not matrix_coturn_enabled"
- name: Ensure coturn Docker image doesn't exist
docker_image:
name: "{{ matrix_coturn_docker_image }}"
state: absent
when: "not matrix_coturn_enabled"

9
roles/matrix-coturn/tasks/validate_config.yml Normal file
View File

@ -0,0 +1,9 @@
---
- name: Fail if required Coturn settings not defined
fail:
msg: >
You need to define a required configuration setting (`{{ item }}`) for using Coturn.
when: "vars[item] == ''"
with_items:
- "matrix_coturn_turn_static_auth_secret"

6
roles/matrix-coturn/templates/systemd/matrix-coturn.service.j2
View File

@ -1,7 +1,9 @@
[Unit]
Description=Matrix Coturn server
After=docker.service
Requires=docker.service
{% for service in matrix_coturn_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
[Service]
Type=simple

3
roles/matrix-mailer/defaults/main.yml
View File

@ -1,6 +1,3 @@
# By default, this playbook sets up a postfix mailer server (running in a container).
# This is so that Matrix Synapse can send email reminders for unread messages.
# Other services (like mxisd), however, also use that mailer to send emails through it.
matrix_mailer_enabled: true
matrix_mailer_base_path: "{{ matrix_base_data_path }}/mailer"

4
roles/matrix-mailer/tasks/main.yml
View File

@ -5,5 +5,5 @@
- import_tasks: "{{ role_path }}/tasks/setup_mailer.yml"
when: run_setup
tags:
- setup-mailer
- setup-all
- setup-all
- setup-mailer

50
roles/matrix-mxisd/defaults/main.yml
View File

@ -1,17 +1,18 @@
# By default, this playbook installs the mxisd identity server on the same domain as Synapse (`hostname_matrix`).
# If you wish to use the public identity servers (matrix.org, vector.im, riot.im) instead of your own,
# you may wish to disable this.
matrix_mxisd_enabled: true
matrix_mxisd_docker_image: "kamax/mxisd:1.2.2"
matrix_mxisd_base_path: "{{ matrix_base_data_path }}/mxisd"
matrix_mxisd_config_path: "{{ matrix_mxisd_base_path }}/config"
matrix_mxisd_data_path: "{{ matrix_mxisd_base_path }}/data"
# Controls whether the mxisd web server's port is exposed outside of the container.
# Normally, matrix-nginx-proxy is enabled and nginx can reach mxisd over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# mxisd's web-server port to the local host (`127.0.0.1:8090`).
matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
# Controls whether the mxisd web server's port (`8090`) is exposed outside of the container.
matrix_mxisd_container_expose_port: false
# List of systemd services that matrix-mxisd.service depends on
matrix_mxisd_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-mxisd.service wants
matrix_mxisd_systemd_wanted_services_list: []
# Your identity server is private by default.
# To ensure maximum discovery, you can make your identity server
@ -21,14 +22,19 @@ matrix_mxisd_container_expose_port: "{{ not matrix_nginx_proxy_enabled }}"
matrix_mxisd_matrixorg_forwarding_enabled: false
# mxisd has serveral supported identity stores.
# One of them (which we enable by default) is storing identities directly in Synapse's database.
# One of them is storing identities directly in Synapse's database.
# Learn more here: https://github.com/kamax-matrix/mxisd/blob/master/docs/stores/synapse.md
#
# If you need to disable this in favor of some other store, you can toggle it to disabled here
# and add your own mxisd configuration for the other store in `matrix_mxisd_configuration_extension_yaml`.
matrix_mxisd_synapsesql_enabled: true
matrix_mxisd_synapsesql_type: postgresql
matrix_mxisd_synapsesql_connection: //{{ matrix_postgres_connection_hostname }}/{{ matrix_postgres_db_name }}?user={{ matrix_postgres_connection_username }}&password={{ matrix_postgres_connection_password }}
matrix_mxisd_synapsesql_enabled: false
matrix_mxisd_synapsesql_type: ""
matrix_mxisd_synapsesql_connection: ""
# Setting up email-sending settings is required for using mxisd.
matrix_mxid_threepid_medium_email_identity_from: "matrix@{{ hostname_identity }}"
matrix_mxid_threepid_medium_email_connectors_smtp_host: ""
matrix_mxid_threepid_medium_email_connectors_smtp_port: 587
matrix_mxid_threepid_medium_email_connectors_smtp_tls: 1
matrix_mxid_threepid_medium_email_connectors_smtp_login: ""
matrix_mxid_threepid_medium_email_connectors_smtp_password: ""
# Default mxisd configuration template which covers the generic use case.
# You can customize it by controlling the various variables inside it.
@ -59,12 +65,14 @@ matrix_mxisd_configuration_yaml: |
medium:
email:
identity:
from: {{ matrix_mailer_sender_address }}
from: {{ matrix_mxid_threepid_medium_email_identity_from }}
connectors:
smtp:
host: matrix-mailer
port: 587
tls: 0
host: {{ matrix_mxid_threepid_medium_email_connectors_smtp_host }}
port: {{ matrix_mxid_threepid_medium_email_connectors_smtp_port }}
tls: {{ matrix_mxid_threepid_medium_email_connectors_smtp_tls }}
login: {{ matrix_mxid_threepid_medium_email_connectors_smtp_login }}
password: {{ matrix_mxid_threepid_medium_email_connectors_smtp_password }}
synapseSql:
enabled: {{ matrix_mxisd_synapsesql_enabled }}
@ -92,10 +100,6 @@ matrix_mxisd_configuration_extension_yaml: |
# bindDn: CN=My Mxisd User,OU=Users,DC=example,DC=org
# bindPassword: TheUserPassword
# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later.
matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}"
# Holds the final mxisd configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_mxisd_configuration_yaml`.
matrix_mxisd_configuration: "{{ matrix_mxisd_configuration_yaml|from_yaml|combine(matrix_mxisd_configuration_extension, recursive=True) }}"

6
roles/matrix-mxisd/tasks/main.yml
View File

@ -2,6 +2,12 @@
tags:
- always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup and matrix_mxisd_enabled"
tags:
- setup-all
- setup-mxisd
- import_tasks: "{{ role_path }}/tasks/setup_mxisd.yml"
tags:
- setup-all

43
roles/matrix-mxisd/tasks/setup_mxisd.yml
View File

@ -4,49 +4,6 @@
# Tasks related to setting up mxisd
#
- name: (Deprecation) Warn about mxisd variables that are not used anymore
fail:
msg: >
The `{{ item }}` variable defined in your configuration is not used by this playbook anymore!
You'll need to adapt to the new way of extending mxisd configuration.
See the CHANGELOG and the `matrix_mxisd_configuration_extension_yaml` variable for more information and examples.
when: "matrix_mxisd_enabled and item in vars"
with_items:
- 'matrix_mxisd_ldap_enabled'
- 'matrix_mxisd_ldap_connection_host'
- 'matrix_mxisd_ldap_connection_tls'
- 'matrix_mxisd_ldap_connection_port'
- 'matrix_mxisd_ldap_connection_baseDn'
- 'matrix_mxisd_ldap_connection_baseDns'
- 'matrix_mxisd_ldap_connection_bindDn'
- 'matrix_mxisd_ldap_connection_bindPassword'
- 'matrix_mxisd_ldap_filter'
- 'matrix_mxisd_ldap_attribute_uid_type'
- 'matrix_mxisd_ldap_attribute_uid_value'
- 'matrix_mxisd_ldap_connection_bindPassword'
- 'matrix_mxisd_ldap_attribute_name'
- 'matrix_mxisd_ldap_attribute_threepid_email'
- 'matrix_mxisd_ldap_attribute_threepid_msisdn'
- 'matrix_mxisd_ldap_identity_filter'
- 'matrix_mxisd_ldap_identity_medium'
- 'matrix_mxisd_ldap_auth_filter'
- 'matrix_mxisd_ldap_directory_filter'
- 'matrix_mxisd_template_config'
- name: Ensure mxisd configuration does not contain any dot-notation keys
fail:
msg: >
Since version 1.3.0, mxisd will not accept property-style configuration keys.
You have defined a key (`{{ item.key }}`) which contains a dot.
Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade#v130
when: "matrix_mxisd_enabled and '.' in item.key"
with_dict: "{{ matrix_mxisd_configuration }}"
- name: Fail if mailer is not enabled
fail:
msg: "You need to enable the mailer service (`matrix_mailer_enabled`) to install mxisd"
when: "matrix_mxisd_enabled and not matrix_mailer_enabled"
- name: Ensure mxisd paths exist
file:
path: "{{ item }}"

47
roles/matrix-mxisd/tasks/validate_config.yml Normal file
View File

@ -0,0 +1,47 @@
---
- name: (Deprecation) Warn about mxisd variables that are not used anymore
fail:
msg: >
The `{{ item }}` variable defined in your configuration is not used by this playbook anymore!
You'll need to adapt to the new way of extending mxisd configuration.
See the CHANGELOG and the `matrix_mxisd_configuration_extension_yaml` variable for more information and examples.
when: "item in vars"
with_items:
- 'matrix_mxisd_ldap_enabled'
- 'matrix_mxisd_ldap_connection_host'
- 'matrix_mxisd_ldap_connection_tls'
- 'matrix_mxisd_ldap_connection_port'
- 'matrix_mxisd_ldap_connection_baseDn'
- 'matrix_mxisd_ldap_connection_baseDns'
- 'matrix_mxisd_ldap_connection_bindDn'
- 'matrix_mxisd_ldap_connection_bindPassword'
- 'matrix_mxisd_ldap_filter'
- 'matrix_mxisd_ldap_attribute_uid_type'
- 'matrix_mxisd_ldap_attribute_uid_value'
- 'matrix_mxisd_ldap_connection_bindPassword'
- 'matrix_mxisd_ldap_attribute_name'
- 'matrix_mxisd_ldap_attribute_threepid_email'
- 'matrix_mxisd_ldap_attribute_threepid_msisdn'
- 'matrix_mxisd_ldap_identity_filter'
- 'matrix_mxisd_ldap_identity_medium'
- 'matrix_mxisd_ldap_auth_filter'
- 'matrix_mxisd_ldap_directory_filter'
- 'matrix_mxisd_template_config'
- name: Ensure mxisd configuration does not contain any dot-notation keys
fail:
msg: >
Since version 1.3.0, mxisd will not accept property-style configuration keys.
You have defined a key (`{{ item.key }}`) which contains a dot.
Instead, use nesting. See: https://github.com/kamax-matrix/mxisd/wiki/Upgrade#v130
when: "'.' in item.key"
with_dict: "{{ matrix_mxisd_configuration }}"
- name: Fail if required mxisd settings not defined
fail:
msg: >
You need to define a required configuration setting (`{{ item }}`) for using mxisd.
when: "vars[item] == ''"
with_items:
- "matrix_mxid_threepid_medium_email_connectors_smtp_host"

15
roles/matrix-mxisd/templates/systemd/matrix-mxisd.service.j2
View File

@ -1,11 +1,12 @@
[Unit]
Description=Matrix mxisd identity server
After=docker.service
Requires=docker.service
{% if not matrix_postgres_use_external %}
Requires=matrix-postgres.service
After=matrix-postgres.service
{% endif %}
Description=Matrix mxisd Identity server
{% for service in matrix_mxisd_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_mxisd_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
[Service]
Type=simple

5
roles/matrix-mxisd/vars/main.yml Normal file
View File

@ -0,0 +1,5 @@
---
# Doing `|from_yaml` when the extension contains nothing yields an empty string ("").
# We need to ensure it's a dictionary or `|combine` (when building `matrix_mxisd_configuration`) will fail later.
matrix_mxisd_configuration_extension: "{{ matrix_mxisd_configuration_extension_yaml|from_yaml if matrix_mxisd_configuration_extension_yaml|from_yaml else {} }}"

21
roles/matrix-nginx-proxy/defaults/main.yml
View File

@ -1,7 +1,3 @@
# By default, this playbook sets up its own nginx proxy server on port 80/443.
# This is fine if you're dedicating the whole server to Matrix.
# But in case that's not the case, you may wish to prevent that
# and take care of proxying by yourself.
matrix_nginx_proxy_enabled: true
matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine"
@ -9,6 +5,20 @@ matrix_nginx_proxy_docker_image: "nginx:1.15.8-alpine"
matrix_nginx_proxy_data_path: "{{ matrix_base_data_path }}/nginx-proxy"
matrix_nginx_proxy_confd_path: "{{ matrix_nginx_proxy_data_path }}/conf.d"
# List of systemd services that matrix-nginx-proxy.service depends on
matrix_nginx_proxy_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-nginx-proxy.service wants
matrix_nginx_proxy_systemd_wanted_services_list: []
# Controls whether proxying the riot domain should be done.
matrix_nginx_proxy_proxy_riot_enabled: false
matrix_nginx_proxy_proxy_riot_hostname: "{{ hostname_riot }}"
# Controls whether proxying the matrix domain should be done.
matrix_nginx_proxy_proxy_matrix_enabled: false
matrix_nginx_proxy_proxy_matrix_hostname: "{{ hostname_matrix }}"
# The addresses where the Matrix Client API is.
# Certain extensions (like matrix-corporal) may override this in order to capture all traffic.
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-synapse:8008"
@ -39,6 +49,9 @@ matrix_nginx_proxy_ssl_protocols: "TLSv1.1 TLSv1.2"
# where <domain> refers to the domains that you need (usually `hostname_matrix` and `hostname_riot`).
matrix_ssl_retrieval_method: "lets-encrypt"
# The list of domains that this role will obtain certificates for.
matrix_ssl_domains_to_obtain_certificates_for: []
# Controls whether to obtain production or staging certificates from Let's Encrypt.
matrix_ssl_lets_encrypt_staging: false
matrix_ssl_lets_encrypt_certbot_docker_image: "certbot/certbot:v0.30.0"

40
roles/matrix-nginx-proxy/tasks/setup_nginx_proxy.yml
View File

@ -17,21 +17,30 @@
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
recurse: yes
with_items:
- "{{ matrix_nginx_proxy_data_path }}"
- "{{ matrix_nginx_proxy_confd_path }}"
- name: Ensure Matrix nginx-proxy configured
- name: Ensure Matrix nginx-proxy configured (generic)
template:
src: "{{ role_path }}/templates/nginx-conf.d/{{ item }}.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/{{ item }}"
src: "{{ role_path }}/templates/nginx-conf.d/nginx-http.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/nginx-http.conf"
mode: 0644
with_items:
- "nginx-http.conf"
- "matrix-synapse.conf"
- "matrix-riot-web.conf"
when: "matrix_nginx_proxy_enabled"
- name: Ensure Matrix nginx-proxy configuration for matrix domain exists
template:
src: "{{ role_path }}/templates/nginx-conf.d/matrix-synapse.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
mode: 0644
when: "matrix_nginx_proxy_proxy_matrix_enabled"
- name: Ensure Matrix nginx-proxy configuration for riot domain exists
template:
src: "{{ role_path }}/templates/nginx-conf.d/matrix-riot-web.conf.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
mode: 0644
when: "matrix_nginx_proxy_proxy_riot_enabled"
#
# Tasks related to setting up matrix-nginx-proxy
@ -50,7 +59,7 @@
with_items:
- "http"
- "https"
when: "ansible_os_family == 'RedHat' and matrix_nginx_proxy_enabled"
when: "matrix_nginx_proxy_enabled and ansible_os_family == 'RedHat'"
- name: Ensure matrix-nginx-proxy.service installed
template:
@ -82,3 +91,16 @@
path: "/etc/systemd/system/matrix-nginx-proxy.service"
state: absent
when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
- name: Ensure Matrix nginx-proxy configuration for matrix domain deleted
file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-synapse.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_matrix_enabled"
- name: Ensure Matrix nginx-proxy configuration for riot domain deleted
file:
path: "{{ matrix_nginx_proxy_confd_path }}/matrix-riot-web.conf"
state: absent
when: "not matrix_nginx_proxy_proxy_riot_enabled"

9
roles/matrix-nginx-proxy/tasks/ssl/main.yml
View File

@ -8,15 +8,6 @@
# Common tasks, required by any method below.
- name: Determine domains that we require certificates for (Matrix)
set_fact:
domains_requiring_certificates: "['{{ hostname_matrix }}']"
- name: Determine domains that we require certificates for (Riot)
set_fact:
domains_requiring_certificates: "{{ domains_requiring_certificates + [hostname_riot] }}"
when: "matrix_riot_web_enabled"
- name: Ensure SSL certificate paths exists
file:
path: "{{ item }}"

2
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt.yml
View File

@ -39,7 +39,7 @@
- name: Obtain Let's Encrypt certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml"
with_items: "{{ domains_requiring_certificates }}"
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
loop_control:
loop_var: domain_name
when: "matrix_ssl_retrieval_method == 'lets-encrypt'"

2
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_manually_managed.yml
View File

@ -2,7 +2,7 @@
- name: Verify certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_manually_managed_verify_for_domain.yml"
with_items: "{{ domains_requiring_certificates }}"
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
loop_control:
loop_var: domain_name
when: "matrix_ssl_retrieval_method == 'manually-managed'"

2
roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_self_signed.yml
View File

@ -18,7 +18,7 @@
- name: Generate self-signed certificates
include_tasks: "{{ role_path }}/tasks/ssl/setup_ssl_self_signed_obtain_for_domain.yml"
with_items: "{{ domains_requiring_certificates }}"
with_items: "{{ matrix_ssl_domains_to_obtain_certificates_for }}"
loop_control:
loop_var: domain_name
when: "matrix_ssl_retrieval_method == 'self-signed'"

8
roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-riot-web.conf.j2
View File

@ -1,6 +1,6 @@
server {
listen 80;
server_name {{ hostname_riot }};
server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};
server_tokens off;
@ -25,7 +25,7 @@ server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ hostname_riot }};
server_name {{ matrix_nginx_proxy_proxy_riot_hostname }};
server_tokens off;
root /dev/null;
@ -33,8 +33,8 @@ server {
gzip on;
gzip_types text/plain application/json application/javascript text/css image/x-icon font/ttf image/gif;
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_riot }}/privkey.pem;
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_hostname }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_riot_hostname }}/privkey.pem;
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

8
roles/matrix-nginx-proxy/templates/nginx-conf.d/matrix-synapse.conf.j2
View File

@ -1,6 +1,6 @@
server {
listen 80;
server_name {{ hostname_matrix }};
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
server_tokens off;
@ -25,7 +25,7 @@ server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ hostname_matrix }};
server_name {{ matrix_nginx_proxy_proxy_matrix_hostname }};
server_tokens off;
root /dev/null;
@ -33,8 +33,8 @@ server {
gzip on;
gzip_types text/plain application/json;
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ hostname_matrix }}/privkey.pem;
ssl_certificate {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/fullchain.pem;
ssl_certificate_key {{ matrix_ssl_config_dir_path }}/live/{{ matrix_nginx_proxy_proxy_matrix_hostname }}/privkey.pem;
ssl_protocols {{ matrix_nginx_proxy_ssl_protocols }};
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

21
roles/matrix-nginx-proxy/templates/systemd/matrix-nginx-proxy.service.j2
View File

@ -1,17 +1,12 @@
[Unit]
Description=Matrix nginx proxy server
After=docker.service
Requires=docker.service
Wants=matrix-synapse.service
{% if matrix_corporal_enabled %}
Wants=matrix-corporal.service
{% endif %}
{% if matrix_riot_web_enabled %}
Wants=matrix-riot-web.service
{% endif %}
{% if matrix_mxisd_enabled %}
Wants=matrix-mxisd.service
{% endif %}
Description=Matrix nginx-proxy server
{% for service in matrix_nginx_proxy_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_nginx_proxy_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
[Service]
Type=simple

13
roles/matrix-postgres/defaults/main.yml
View File

@ -1,10 +1,9 @@
# The defaults below cause a postgres server to be configured (running within a container).
# Using an external server is possible by tweaking all of the parameters below.
matrix_postgres_use_external: false
matrix_postgres_connection_hostname: "matrix-postgres"
matrix_postgres_connection_username: "synapse"
matrix_postgres_connection_password: "synapse-password"
matrix_postgres_db_name: "homeserver"
matrix_postgres_enabled: true
matrix_postgres_connection_hostname: ""
matrix_postgres_connection_username: ""
matrix_postgres_connection_password: ""
matrix_postgres_db_name: ""
matrix_postgres_base_path: "{{ matrix_base_data_path }}/postgres"
matrix_postgres_data_path: "{{ matrix_postgres_base_path }}/data"

5
roles/matrix-postgres/tasks/import_postgres.yml
View File

@ -2,6 +2,11 @@
# Pre-checks
- name: Fail if Postgres not enabled
fail:
msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import."
when: "not matrix_postgres_enabled"
- name: Fail if playbook called incorrectly
fail:
msg: "The `server_path_postgres_dump` variable needs to be provided to this playbook, via --extra-vars"

5
roles/matrix-postgres/tasks/import_sqlite_db.yml
View File

@ -2,6 +2,11 @@
# Pre-checks
- name: Fail if Postgres not enabled
fail:
msg: "Postgres via the matrix-postgres role is not enabled (`matrix_postgres_enabled`). Cannot import."
when: "not matrix_postgres_enabled"
- name: Fail if playbook called incorrectly
fail:
msg: "The `server_path_homeserver_db` variable needs to be provided to this playbook, via --extra-vars"

2
roles/matrix-postgres/tasks/init.yml
View File

@ -1,3 +1,3 @@
- set_fact:
matrix_systemd_services_list: "{{ matrix_systemd_services_list + ['matrix-postgres'] }}"
when: "not matrix_postgres_use_external"
when: matrix_postgres_enabled

8
roles/matrix-postgres/tasks/main.yml
View File

@ -2,11 +2,17 @@
tags:
- always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup and matrix_postgres_enabled"
tags:
- setup-all
- setup-postgres
- import_tasks: "{{ role_path }}/tasks/setup_postgres.yml"
when: run_setup
tags:
- setup-postgres
- setup-all
- setup-postgres
- import_tasks: "{{ role_path }}/tasks/import_postgres.yml"
when: run_import_postgres

24
roles/matrix-postgres/tasks/setup_postgres.yml
View File

@ -5,8 +5,10 @@
#
- import_tasks: "{{ role_path }}/tasks/migrate_postgres_data_directory.yml"
when: matrix_postgres_enabled
- import_tasks: "{{ role_path }}/tasks/util/detect_existing_postgres_version.yml"
when: matrix_postgres_enabled
# If we have found an existing version (installed from before), we use its corresponding Docker image.
# If not, we install using the latest Postgres.
@ -14,16 +16,18 @@
# Upgrading is supposed to be performed separately and explicitly (see `upgrade_postgres.yml`).
- set_fact:
matrix_postgres_docker_image_to_use: "{{ matrix_postgres_docker_image_latest if matrix_postgres_detected_version_corresponding_docker_image == '' else matrix_postgres_detected_version_corresponding_docker_image }}"
when: matrix_postgres_enabled
- name: Warn if on an old version of Postgres
debug:
msg: "NOTE: Your setup is on an old Postgres version ({{ matrix_postgres_docker_image_to_use }}), while {{ matrix_postgres_docker_image_latest }} is supported. You can upgrade using --tags=upgrade-postgres"
when: "matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest"
when: "matrix_postgres_enabled and matrix_postgres_docker_image_to_use != matrix_postgres_docker_image_latest"
# Even if we don't run the internal server, we still need this for running the CLI
- name: Ensure postgres Docker image is pulled
docker_image:
name: "{{ matrix_postgres_docker_image_to_use }}"
when: matrix_postgres_enabled
# We always create these directories, even if an external Postgres is used,
# because we store environment variable files there.
@ -37,6 +41,7 @@
with_items:
- "{{ matrix_postgres_base_path }}"
- "{{ matrix_postgres_data_path }}"
when: matrix_postgres_enabled
- name: Ensure Postgres environment variables file created
template:
@ -46,18 +51,21 @@
with_items:
- "env-postgres-psql"
- "env-postgres-server"
when: matrix_postgres_enabled
- name: Ensure matrix-postgres-cli script created
template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2"
dest: "/usr/local/bin/matrix-postgres-cli"
mode: 0750
when: matrix_postgres_enabled
- name: Ensure matrix-make-user-admin script created
template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-make-user-admin.j2"
dest: "/usr/local/bin/matrix-make-user-admin"
mode: 0750
when: matrix_postgres_enabled
#
# Tasks related to setting up an internal postgres server
@ -68,7 +76,7 @@
src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2"
dest: "/etc/systemd/system/matrix-postgres.service"
mode: 0644
when: "not matrix_postgres_use_external"
when: matrix_postgres_enabled
#
# Tasks related to getting rid of the internal postgres server (if it was previously enabled)
@ -78,29 +86,29 @@
stat:
path: "/etc/systemd/system/matrix-postgres.service"
register: matrix_postgres_service_stat
when: matrix_postgres_use_external
when: "not matrix_postgres_enabled"
- name: Ensure matrix-postgres is stopped
service:
name: matrix-postgres
state: stopped
daemon_reload: yes
when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists"
when: "not matrix_postgres_enabled and matrix_postgres_service_stat.stat.exists"
- name: Ensure matrix-postgres.service doesn't exist
file:
path: "/etc/systemd/system/matrix-postgres.service"
state: absent
when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists"
when: "not matrix_postgres_enabled and matrix_postgres_service_stat.stat.exists"
- name: Check existence of matrix-postgres local data path
stat:
path: "{{ matrix_postgres_data_path }}"
register: matrix_postgres_data_path_stat
when: matrix_postgres_use_external
when: "not matrix_postgres_enabled"
# We just want to notify the user. Deleting data is too destructive.
- name: Notify if matrix-postgres local data remains
debug:
msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete it."
when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists"
msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in `{{ matrix_postgres_data_path }}`. Feel free to delete it."
when: "not matrix_postgres_enabled and matrix_postgres_data_path_stat.stat.exists"

4
roles/matrix-postgres/tasks/upgrade_postgres.yml
View File

@ -22,8 +22,8 @@
- name: Fail, if trying to upgrade external Postgres database
fail:
msg: "Your configuration indicates that you're using an external Postgres database. Refusing to try and upgrade that."
when: "matrix_postgres_use_external"
msg: "Your configuration indicates that you're not using Postgres from this role. There is nothing to upgrade."
when: "not matrix_postgres_enabled"
- name: Check Postgres auto-upgrade backup data directory
stat:

22
roles/matrix-postgres/tasks/validate_config.yml Normal file
View File

@ -0,0 +1,22 @@
---
- name: (Deprecation) Warn about matrix_postgres_use_external usage
fail:
msg: >
The `matrix_postgres_use_external` variable defined in your configuration is not used by this playbook anymore!
You'll need to adapt to the new way of using an external Postgres server.
It's a combination of `matrix_postgres_enabled: false` and specifying Postgres connection
details in a few `matrix_synapse_database_` variables.
See the "Using an external PostgreSQL server (optional)" documentation page.
when: "'matrix_postgres_use_external' in vars"
- name: Fail if required Postgres settings not defined
fail:
msg: >
You need to define a required configuration setting (`{{ item }}`) for using mxisd.
when: "vars[item] == ''"
with_items:
- "matrix_postgres_connection_hostname"
- "matrix_postgres_connection_username"
- "matrix_postgres_connection_password"
- "matrix_postgres_db_name"

11
roles/matrix-riot-web/defaults/main.yml
View File

@ -1,13 +1,17 @@
# By default, this playbook installs the Riot.IM web UI on the `hostname_riot` domain.
# If you wish to connect to your Matrix server by other means,
# you may wish to disable this.
matrix_riot_web_enabled: true
matrix_riot_web_docker_image: "bubuntux/riot-web:v0.17.8"
matrix_riot_web_data_path: "{{ matrix_base_data_path }}/riot-web"
matrix_riot_web_container_expose_port: false
# List of systemd services that matrix-riot-web.service depends on
matrix_riot_web_systemd_required_services_list: ['docker.service']
# Riot config.json customizations
matrix_riot_web_default_hs_url: ""
matrix_riot_web_default_is_url: ~
matrix_riot_web_disable_custom_urls: true
matrix_riot_web_disable_guests: true
matrix_riot_web_integrations_ui_url: "https://scalar.vector.im/"
@ -18,7 +22,6 @@ matrix_riot_web_integrations_jitsi_widget_url: "https://scalar.vector.im/api/wid
matrix_riot_web_roomdir_servers: ['matrix.org']
matrix_riot_web_welcome_user_id: "@riot-bot:matrix.org"
# Riot home.html customizations
# Default home.html template file
matrix_riot_web_homepage_template: "{{ role_path }}/templates/home.html.j2"

6
roles/matrix-riot-web/tasks/main.yml
View File

@ -2,6 +2,12 @@
tags:
- always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: "run_setup and matrix_riot_web_enabled"
tags:
- setup-all
- setup-riot-web
- import_tasks: "{{ role_path }}/tasks/setup_riot_web.yml"
when: run_setup
tags:

9
roles/matrix-riot-web/tasks/validate_config.yml Normal file
View File

@ -0,0 +1,9 @@
---
- name: Fail if required riot-web settings not defined
fail:
msg: >
You need to define a required configuration setting (`{{ item }}`) for using riot-web.
when: "vars[item] == ''"
with_items:
- "matrix_riot_web_default_hs_url"

14
roles/matrix-riot-web/templates/config.json.j2
View File

@ -1,13 +1,13 @@
{
"default_hs_url": "{{ matrix_homeserver_url }}",
"default_is_url": "{{ matrix_identity_server_url }}",
"disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|lower }},
"disable_guests": {{ matrix_riot_web_disable_guests|lower }},
"default_hs_url": {{ matrix_riot_web_default_hs_url|to_json }},
"default_is_url": {{ matrix_riot_web_default_is_url|to_json }},
"disable_custom_urls": {{ matrix_riot_web_disable_custom_urls|to_json }},
"disable_guests": {{ matrix_riot_web_disable_guests|to_json }},
"brand": "Riot",
"integrations_ui_url": "{{ matrix_riot_web_integrations_ui_url }}",
"integrations_rest_url": "{{ matrix_riot_web_integrations_rest_url }}",
"integrations_ui_url": {{ matrix_riot_web_integrations_ui_url|to_json }},
"integrations_rest_url": {{ matrix_riot_web_integrations_rest_url|to_json }},
"integrations_widgets_urls": {{ matrix_riot_web_integrations_widgets_urls|to_json }},
"integrations_jitsi_widget_url": "{{ matrix_riot_web_integrations_jitsi_widget_url }}",
"integrations_jitsi_widget_url": {{ matrix_riot_web_integrations_jitsi_widget_url|to_json }},
"bug_report_endpoint_url": "https://riot.im/bugreports/submit",
"enableLabs": true,
"roomDirectory": {

10
roles/matrix-riot-web/templates/systemd/matrix-riot-web.service.j2
View File

@ -1,7 +1,9 @@
[Unit]
Description=Matrix Riot web server
After=docker.service
Requires=docker.service
Description=Matrix riot-web server
{% for service in matrix_riot_web_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
[Service]
Type=simple
@ -12,7 +14,7 @@ ExecStart=/usr/bin/docker run --rm --name matrix-riot-web \
-v {{ matrix_riot_web_data_path }}/config.json:/etc/riot-web/config.json:ro \
-v {{ matrix_riot_web_data_path }}/home.html:/etc/riot-web/home.html:ro \
--network={{ matrix_docker_network }} \
{% if not matrix_nginx_proxy_enabled %}
{% if matrix_riot_web_container_expose_port %}
-p 127.0.0.1:8765:80 \
{% endif %}
{{ matrix_riot_web_docker_image }}

40
roles/matrix-synapse/defaults/main.yml
View File

@ -8,10 +8,13 @@ matrix_synapse_media_store_path: "{{ matrix_synapse_storage_path }}/media-store"
matrix_synapse_ext_path: "{{ matrix_synapse_base_path }}/ext"
# Controls whether the Synapse container exposes the Client/Server API port (tcp/8008).
# Normally, matrix-nginx-proxy is enabled and nginx can reach Synapse over the container network.
# If matrix-nginx-proxy is not enabled, or you otherwise have a need for it, you can expose
# the Client/Server API's port to the local host (`127.0.0.1:8008`).
matrix_synapse_container_expose_client_server_api_port: "{{ not matrix_nginx_proxy_enabled }}"
matrix_synapse_container_expose_client_server_api_port: false
# List of systemd services that matrix-synapse.service depends on
matrix_synapse_systemd_required_services_list: ['docker.service']
# List of systemd services that matrix-synapse.service wants
matrix_synapse_systemd_wanted_services_list: []
matrix_synapse_in_container_python_packages_path: "/usr/local/lib/python3.6/site-packages"
@ -27,15 +30,10 @@ matrix_synapse_macaroon_secret_key: ""
matrix_synapse_registration_shared_secret: "{{ matrix_synapse_macaroon_secret_key }}"
matrix_synapse_form_secret: "{{ matrix_synapse_macaroon_secret_key }}"
# These are the identity servers that would be trusted by Synapse if mxisd is NOT enabled
matrix_synapse_id_servers_public: ['vector.im', 'matrix.org']
# These are the identity servers that would be trusted by Synapse if mxisd IS enabled
matrix_synapse_id_servers_own: "['{{ hostname_matrix }}']"
# The final list of identity servers to use for Synapse.
# The first one would also be used as riot-web's default identity server.
matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_own if matrix_mxisd_enabled else matrix_synapse_id_servers_public }}"
# The list of identity servers to use for Synapse.
# We assume this role runs standalone without a local Identity server, so we point Synapse to public ones.
# This most likely gets overwritten later, so that a local Identity server is used.
matrix_synapse_trusted_third_party_id_servers: "{{ matrix_synapse_id_servers_public }}"
matrix_synapse_max_upload_size_mb: 10
matrix_synapse_max_log_file_size_mb: 100
@ -114,6 +112,22 @@ matrix_synapse_app_service_config_files: []
# any password providers have been enabled or not.
matrix_synapse_password_providers_enabled: false
# Postgres database information
matrix_synapse_database_host: ""
matrix_synapse_database_user: ""
matrix_synapse_database_password: ""
matrix_synapse_database_database: ""
matrix_synapse_turn_uris: []
matrix_synapse_turn_shared_secret: ""
matrix_synapse_email_enabled: false
matrix_synapse_email_smtp_host: ""
matrix_synapse_email_smtp_port: 587
matrix_synapse_email_smtp_require_transport_security: false
matrix_synapse_email_notif_from: "Matrix <matrix@{{ hostname_identity }}>"
matrix_synapse_email_riot_base_url: "https://{{ hostname_riot }}"
# Enable this to activate the REST auth password provider module.
# See: https://github.com/kamax-io/matrix-synapse-rest-auth

6
roles/matrix-synapse/tasks/main.yml
View File

@ -2,6 +2,12 @@
tags:
- always
- import_tasks: "{{ role_path }}/tasks/validate_config.yml"
when: run_setup
tags:
- setup-all
- setup-synapse
- import_tasks: "{{ role_path }}/tasks/setup_synapse_entrypoint.yml"
when: run_setup
tags:

13
roles/matrix-synapse/tasks/self_check_client_api.yml
View File

@ -1,20 +1,17 @@
---
- set_fact:
matrix_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/versions"
- name: Check Matrix Client API
uri:
url: "{{ matrix_client_api_url_endpoint_public }}"
url: "{{ matrix_synapse_client_api_url_endpoint_public }}"
follow_redirects: false
register: result_matrix_client_api
register: result_matrix_synapse_client_api
ignore_errors: true
- name: Fail if Matrix Client API not working
fail:
msg: "Failed checking Matrix Client API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_client_api_url_endpoint_public }}`). Is Synapse running? Is port 443 open in your firewall? Full error: {{ result_matrix_client_api }}"
when: "result_matrix_client_api.failed or 'json' not in result_matrix_client_api"
msg: "Failed checking Matrix Client API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`). Is Synapse running? Is port 443 open in your firewall? Full error: {{ result_matrix_synapse_client_api }}"
when: "result_matrix_synapse_client_api.failed or 'json' not in result_matrix_synapse_client_api"
- name: Report working Matrix Client API
debug:
msg: "The Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_client_api_url_endpoint_public }}`) is working"
msg: "The Matrix Client API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_client_api_url_endpoint_public }}`) is working"

13
roles/matrix-synapse/tasks/self_check_federation_api.yml
View File

@ -1,21 +1,18 @@
---
- set_fact:
matrix_federation_api_url_endpoint_public: "https://{{ hostname_matrix }}:8448/_matrix/federation/v1/version"
- name: Check Matrix Federation API
uri:
url: "{{ matrix_federation_api_url_endpoint_public }}"
url: "{{ matrix_synapse_federation_api_url_endpoint_public }}"
follow_redirects: false
validate_certs: false
register: result_matrix_federation_api
register: result_matrix_synapse_federation_api
ignore_errors: true
- name: Fail if Matrix Federation API not working
fail:
msg: "Failed checking Matrix Federation API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_federation_api }}"
when: "result_matrix_federation_api.failed or 'json' not in result_matrix_federation_api"
msg: "Failed checking Matrix Federation API is up at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`). Is Synapse running? Is port 8448 open in your firewall? Full error: {{ result_matrix_synapse_federation_api }}"
when: "result_matrix_synapse_federation_api.failed or 'json' not in result_matrix_synapse_federation_api"
- name: Report working Matrix Federation API
debug:
msg: "The Matrix Federation API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_federation_api_url_endpoint_public }}`) is working"
msg: "The Matrix Federation API at `{{ hostname_matrix }}` (checked endpoint: `{{ matrix_synapse_federation_api_url_endpoint_public }}`) is working"

9
roles/matrix-synapse/tasks/validate_config.yml Normal file
View File

@ -0,0 +1,9 @@
---
- name: Fail if required Synapse settings not defined
fail:
msg: >
You need to define a required configuration setting (`{{ item }}`) for using Synapse.
when: "vars[item] == ''"
with_items:
- "matrix_synapse_macaroon_secret_key"

24
roles/matrix-synapse/templates/synapse/homeserver.yaml.j2
View File

@ -216,10 +216,10 @@ database:
# The database engine name
name: "psycopg2"
args:
user: {{ matrix_postgres_connection_username|to_json }}
password: {{ matrix_postgres_connection_password|to_json }}
database: "{{ matrix_postgres_db_name }}"
host: "{{ matrix_postgres_connection_hostname }}"
user: {{ matrix_synapse_database_user|to_json }}
password: {{ matrix_synapse_database_password|to_json }}
database: "{{ matrix_synapse_database_database }}"
host: "{{ matrix_synapse_database_host }}"
cp_min: 5
cp_max: 10
@ -409,10 +409,10 @@ recaptcha_siteverify_api: "https://www.google.com/recaptcha/api/siteverify"
## Turn ##
# The public URIs of the TURN server to give to clients
turn_uris: ["turn:{{ hostname_matrix }}:3478?transport=udp", "turn:{{ hostname_matrix }}:3478?transport=tcp"]
turn_uris: {{ matrix_synapse_turn_uris|to_json }}
# The shared secret used to compute passwords for the TURN server
turn_shared_secret: {{ matrix_coturn_turn_static_auth_secret|to_json }}
turn_shared_secret: {{ matrix_synapse_turn_shared_secret|to_json }}
# The Username and password if the TURN server needs them and
# does not use a token
@ -600,18 +600,18 @@ password_config:
# If your SMTP server requires authentication, the optional smtp_user &
# smtp_pass variables should be used
#
{% if matrix_mailer_enabled %}
{% if matrix_synapse_email_enabled %}
email:
enable_notifs: true
smtp_host: "matrix-mailer"
smtp_port: 587
require_transport_security: false
notif_from: "Matrix <{{ matrix_mailer_sender_address }}>"
smtp_host: {{ matrix_synapse_email_smtp_host|to_json }}
smtp_port: {{ matrix_synapse_email_smtp_port|to_json }}
require_transport_security: {{ matrix_synapse_email_smtp_require_transport_security|to_json }}
notif_from: {{ matrix_synapse_email_notif_from|to_json }}
app_name: Matrix
notif_template_html: notif_mail.html
notif_template_text: notif_mail.txt
notif_for_new_users: True
riot_base_url: "https://{{ hostname_riot }}"
riot_base_url: {{ matrix_synapse_email_riot_base_url|to_json }}
{% endif %}

21
roles/matrix-synapse/templates/synapse/systemd/matrix-synapse.service.j2
View File

@ -1,19 +1,12 @@
[Unit]
Description=Matrix Synapse server
After=docker.service
Requires=docker.service
{% if not matrix_postgres_use_external %}
Requires=matrix-postgres.service
After=matrix-postgres.service
{% endif %}
{% if matrix_s3_media_store_enabled %}
After=matrix-goofys.service
Requires=matrix-goofys.service
{% endif %}
{% if matrix_mailer_enabled %}
Wants=matrix-mailer.service
{% endif %}
Wants=matrix-coturn.service
{% for service in matrix_synapse_systemd_required_services_list %}
Requires={{ service }}
After={{ service }}
{% endfor %}
{% for service in matrix_synapse_systemd_wanted_services_list %}
Wants={{ service }}
{% endfor %}
[Service]
Type=simple

6
roles/matrix-synapse/vars/main.yml Normal file
View File

@ -0,0 +1,6 @@
---
matrix_synapse_id_servers_public: ['vector.im', 'matrix.org']
matrix_synapse_client_api_url_endpoint_public: "https://{{ hostname_matrix }}/_matrix/client/versions"
matrix_synapse_federation_api_url_endpoint_public: "https://{{ hostname_matrix }}:8448/_matrix/federation/v1/version"