Relocate some playbook task files to make it easier to navigate

This commit is contained in:
Slavi Pantaleev
2018-10-21 13:14:47 +03:00
parent d0c2ef10e4
commit c7188e06f9
27 changed files with 91 additions and 88 deletions


@ -0,0 +1,73 @@
---
- include: tasks/setup/setup_base.yml
tags:
- setup-all
- include: tasks/setup/setup_main.yml
tags:
- setup-all
- include: tasks/setup/setup_ssl.yml
tags:
- setup-all
- setup-ssl
- include: tasks/setup/setup_postgres.yml
tags:
- setup-all
- setup-postgres
- include: tasks/setup/setup_goofys.yml
tags:
- setup-all
- setup-goofys
- include: tasks/setup/setup_coturn.yml
tags:
- setup-all
- setup-coturn
- include: tasks/setup/setup_mailer.yml
tags:
- setup-all
- setup-mailer
- include: tasks/setup/setup_mxisd.yml
tags:
- setup-all
- setup-mxisd
- include: tasks/setup/setup_corporal_overrides.yml
tags:
- always
- include: tasks/setup/setup_corporal.yml
tags:
- setup-all
- setup-corporal
- include: tasks/setup/setup_synapse.yml
tags:
- setup-all
- setup-synapse
- setup-coturn
- include: tasks/setup/setup_riot_web.yml
tags:
- setup-all
- setup-riot-web
- include: tasks/setup/setup_well_known.yml
tags:
- setup-all
- setup-mxisd
- setup-synapse
- setup-nginx-proxy
- setup-well-known
- include: tasks/setup/setup_nginx_proxy.yml
tags:
- setup-all
- setup-nginx-proxy
- setup-well-known
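Review bot: Every entry in this new task list uses `include`, which Ansible deprecated in 2.4 in favour of `import_tasks`/`include_tasks`, and the relocated setup_ssl.yml in this same commit already uses `include_tasks` for its per-domain loop. The `tags:` on each entry only reach the included tasks when the include is static, which matters most for `setup_corporal_overrides.yml` and its `always` tag; `import_tasks` keeps that inheritance, whereas `include_tasks` would apply the tags to the include statement alone. The one-line change per entry is `- import_tasks: tasks/setup/setup_base.yml`.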


@ -0,0 +1,85 @@
---
- name: Ensure Docker repository is enabled (CentOS)
template:
src: "{{ role_path }}/files/yum.repos.d/{{ item }}"
dest: "/etc/yum.repos.d/{{ item }}"
owner: "root"
group: "root"
mode: 0644
with_items:
- docker-ce.repo
when: ansible_distribution == 'CentOS'
- name: Ensure Docker's RPM key is trusted
rpm_key:
state: present
key: https://download.docker.com/linux/centos/gpg
when: ansible_distribution == 'CentOS'
- name: Ensure yum packages are installed (CentOS)
yum:
name:
- bash-completion
- docker-ce
- docker-python
- firewalld
- ntp
- fuse
state: latest
update_cache: yes
when: ansible_distribution == 'CentOS'
- name: Ensure APT usage dependencies are installed (Debian)
apt:
name:
- apt-transport-https
- ca-certificates
state: present
update_cache: yes
when: ansible_os_family == 'Debian'
- name: Ensure Docker's APT key is trusted (Debian)
apt_key:
url: https://download.docker.com/linux/ubuntu/gpg
id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
state: present
register: add_repository_key
ignore_errors: true
when: ansible_os_family == 'Debian'
- name: Ensure Docker repository is enabled (Debian)
apt_repository:
repo: "deb https://download.docker.com/linux/{{ ansible_distribution|lower }} {{ ansible_distribution_release }} stable"
state: present
update_cache: yes
when: ansible_os_family == 'Debian'
- name: Ensure APT packages are installed (Debian)
apt:
name:
- bash-completion
- docker-ce
- python-docker
- ntp
- fuse
state: latest
update_cache: yes
when: ansible_os_family == 'Debian'
- name: Ensure firewalld is started and autoruns
service: name=firewalld state=started enabled=yes
when: ansible_os_family == 'RedHat'
- name: Ensure Docker is started and autoruns
service: name=docker state=started enabled=yes
- name: Ensure ntpd is started and autoruns
service:
name: "{{ 'ntpd' if ansible_os_family == 'RedHat' else 'ntp' }}"
state: started
enabled: yes
- name: Ensure SELinux disabled
selinux: state=disabled
when: ansible_os_family == 'RedHat'
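Review bot: The Docker APT key task sets `ignore_errors: true` and registers `add_repository_key`, but nothing reads that result, so a failed key import still falls through to `apt_repository` adding the Docker repository and `apt` installing `docker-ce` from it; the failure then surfaces later and less clearly at `update_cache`, and the CentOS `rpm_key` task above has no such suppression. Either drop `ignore_errors: true` so the play stops before an untrusted repository is configured, or gate the next two tasks on the result, e.g. `when: ansible_os_family == 'Debian' and add_repository_key is succeeded`. The final `selinux: state=disabled` task is a host-wide hardening change with no comment; a line such as `# SELinux is disabled because <state which container/volume labelling this deployment cannot satisfy>` would record the reason for anyone auditing the host later.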


@ -0,0 +1,65 @@
---
#
# Tasks related to setting up matrix-corporal
#
- name: Fail if Shared Secret Auth extension not enabled
fail:
msg: "To use matrix-corporal, you need to enable the Shared Secret Auth module for Synapse (see matrix_synapse_ext_password_provider_shared_secret_auth_enabled)"
when: "matrix_corporal_enabled and not matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
- name: Fail if HTTP API enabled, but no token set
fail:
msg: "The Matrix Corporal HTTP API is enabled, but no auth token has been set in matrix_corporal_http_api_auth_token"
when: "matrix_corporal_enabled and matrix_corporal_http_api_enabled and matrix_corporal_http_api_auth_token == ''"
- name: Fail if policy provider configuration not set
fail:
msg: "The Matrix Corporal policy provider configuration has not been set in matrix_corporal_policy_provider_config"
when: "matrix_corporal_enabled and matrix_corporal_policy_provider_config == ''"
# There are some additional initialization tasks in setup_corporal_overrides.yml,
# which need to always run, no matter what tag the playbook is running with.
- name: Ensure Matrix Corporal paths exist
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_corporal_config_dir_path }}"
- "{{ matrix_corporal_cache_dir_path }}"
- "{{ matrix_corporal_var_dir_path }}"
when: "matrix_corporal_enabled"
- name: Ensure Matrix Corporal Docker image is pulled
docker_image:
name: "{{ matrix_corporal_docker_image }}"
when: "matrix_corporal_enabled"
- name: Ensure Matrix Corporal config installed
template:
src: "{{ role_path }}/templates/corporal/config.json.j2"
dest: "{{ matrix_corporal_config_dir_path }}/config.json"
mode: 0644
when: "matrix_corporal_enabled"
- name: Ensure matrix-corporal.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-corporal.service.j2"
dest: "/etc/systemd/system/matrix-corporal.service"
mode: 0644
when: "matrix_corporal_enabled"
#
# Tasks related to getting rid of matrix-corporal (if it was previously enabled)
#
- name: Ensure matrix-corporal.service doesn't exist
file:
path: "/etc/systemd/system/matrix-corporal.service"
state: absent
when: "not matrix_corporal_enabled"
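Review bot: `config.json` for matrix-corporal is templated with `mode: 0644` and no `owner`/`group`, so it ends up root-owned and world-readable, while the fail-checks at the top of this file indicate it presumably carries `matrix_corporal_http_api_auth_token` and the policy provider configuration. Tightening it to `mode: 0640` with `owner: "{{ matrix_user_username }}"` and `group: "{{ matrix_user_username }}"` matches the directory task earlier in this file and keeps it readable by the service user (assuming the container runs as that user — verify against matrix-corporal.service.j2). The same 0644 pattern applies to `turnserver.conf` in setup_coturn.yml, whose static auth secret the first task there requires to be set, and to the mautrix-telegram `config.yaml` in setup_synapse_ext_mautrix_telegram.yml.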


@ -0,0 +1,11 @@
# These overrides run with the `always` tag,
# because they're important not only for the `setup-corporal` tag, but for other tags too.
#
# We want an nginx-proxy rebuild (`--tags=setup-nginx-proxy`) to also go through here
# and be affected by these overrides.
- name: Override configuration specifying where the Matrix Client API is
set_fact:
matrix_nginx_proxy_matrix_client_api_addr_with_proxy_container: "matrix-corporal:41080"
matrix_nginx_proxy_matrix_client_api_addr_sans_proxy_container: "localhost:41080"
when: "matrix_corporal_enabled"


@ -0,0 +1,42 @@
---
- name: Fail if Coturn secret is missing
fail:
msg: "You need to set a secret in the matrix_coturn_turn_static_auth_secret variable"
when: "matrix_coturn_turn_static_auth_secret == ''"
- name: Ensure Coturn image is pulled
docker_image:
name: "{{ matrix_docker_image_coturn }}"
- name: Ensure Coturn configuration path exists
file:
path: "{{ matrix_coturn_base_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
- name: Ensure turnserver.conf installed
template:
src: "{{ role_path }}/templates/coturn/turnserver.conf.j2"
dest: "{{ matrix_coturn_config_path }}"
mode: 0644
- name: Ensure matrix-coturn.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-coturn.service.j2"
dest: "/etc/systemd/system/matrix-coturn.service"
mode: 0644
- name: Allow access to Coturn ports in firewalld
firewalld:
port: "{{ item }}"
state: enabled
immediate: yes
permanent: yes
with_items:
- '3478/tcp' # STUN
- '3478/udp' # STUN
- "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN
when: ansible_os_family == 'RedHat'


@ -0,0 +1,70 @@
#
# Tasks related to setting up Goofys
#
- name: Ensure Goofys Docker image is pulled
docker_image:
name: "{{ matrix_docker_image_goofys }}"
when: matrix_s3_media_store_enabled
# This will throw a Permission Denied error if already mounted
- name: Check Matrix Goofys external storage mountpoint path
stat: path="{{ matrix_synapse_media_store_path }}"
register: local_path_matrix_synapse_media_store_path_stat
ignore_errors: yes
when: matrix_s3_media_store_enabled
- name: Ensure Matrix Goofys external storage mountpoint exists
file:
path: "{{ matrix_synapse_media_store_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_uid }}"
group: "{{ matrix_user_gid }}"
when: "matrix_s3_media_store_enabled and not local_path_matrix_synapse_media_store_path_stat.failed and not local_path_matrix_synapse_media_store_path_stat.stat.exists"
- name: Ensure goofys environment variables file created
template:
src: "{{ role_path }}/templates/env/env-goofys.j2"
dest: "{{ matrix_environment_variables_data_path }}/goofys"
owner: root
mode: 0600
when: matrix_s3_media_store_enabled
- name: Ensure matrix-goofys.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-goofys.service.j2"
dest: "/etc/systemd/system/matrix-goofys.service"
mode: 0644
when: matrix_s3_media_store_enabled
#
# Tasks related to getting rid of goofys (if it was previously enabled)
#
- name: Check existence of matrix-goofys service
stat: path="/etc/systemd/system/matrix-goofys.service"
register: matrix_goofys_service_stat
- name: Ensure matrix-goofys is stopped
service: name=matrix-goofys state=stopped daemon_reload=yes
register: stopping_result
when: "not matrix_s3_media_store_enabled and matrix_goofys_service_stat.stat.exists"
- name: Ensure matrix-goofys.service doesn't exist
file:
path: "/etc/systemd/system/matrix-goofys.service"
state: absent
when: "not matrix_s3_media_store_enabled and matrix_goofys_service_stat.stat.exists"
- name: Ensure goofys environment variables file doesn't exist
file:
path: "{{ matrix_environment_variables_data_path }}/goofys"
state: absent
when: "not matrix_s3_media_store_enabled"
- name: Ensure Goofys Docker image doesn't exist
docker_image:
name: "{{ matrix_docker_image_goofys }}"
state: absent
when: "not matrix_s3_media_store_enabled"


@ -0,0 +1,56 @@
---
#
# Tasks related to setting up the mailer
#
- name: Ensure mailer environment variables file created
template:
src: "{{ role_path }}/templates/env/{{ item }}.j2"
dest: "{{ matrix_environment_variables_data_path }}/{{ item }}"
mode: 0640
with_items:
- "env-mailer"
- name: Ensure mailer image is pulled
docker_image:
name: "{{ matrix_docker_image_mailer }}"
when: matrix_mailer_enabled
- name: Ensure matrix-mailer.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-mailer.service.j2"
dest: "/etc/systemd/system/matrix-mailer.service"
mode: 0644
when: matrix_mailer_enabled
#
# Tasks related to getting rid of the mailer (if it was previously enabled)
#
- name: Check existence of matrix-mailer service
stat: path="/etc/systemd/system/matrix-mailer.service"
register: matrix_mailer_service_stat
- name: Ensure matrix-mailer is stopped
service: name=matrix-mailer state=stopped daemon_reload=yes
register: stopping_result
when: "not matrix_mailer_enabled and matrix_mailer_service_stat.stat.exists"
- name: Ensure matrix-mailer.service doesn't exist
file:
path: "/etc/systemd/system/matrix-mailer.service"
state: absent
when: "not matrix_mailer_enabled and matrix_mailer_service_stat.stat.exists"
- name: Ensure Matrix mailer environment variables path doesn't exist
file:
path: "{{ matrix_environment_variables_data_path }}/env-mailer"
state: absent
when: "not matrix_mailer_enabled"
- name: Ensure mailer Docker image doesn't exist
docker_image:
name: "{{ matrix_docker_image_mailer }}"
state: absent
when: "not matrix_mailer_enabled"


@ -0,0 +1,56 @@
---
- name: Ensure Matrix group is created
group:
name: "{{ matrix_user_username }}"
gid: "{{ matrix_user_gid }}"
state: present
- name: Ensure Matrix user is created
user:
name: "{{ matrix_user_username }}"
uid: "{{ matrix_user_uid }}"
state: present
group: "{{ matrix_user_username }}"
- name: Ensure environment variables data path exists
file:
path: "{{ matrix_environment_variables_data_path }}"
state: directory
mode: 0700
- name: Ensure Matrix base path exists
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_base_data_path }}"
- "{{ matrix_synapse_base_path }}"
# `docker_network` doesn't work as expected when the given network
# is a substring of a network that already exists.
#
# See:
# - https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/12
# - https://github.com/ansible/ansible/issues/32926
#
# Due to that, we employ a workaround below.
#
# - name: Ensure Matrix network is created in Docker
# docker_network:
# name: "{{ matrix_docker_network }}"
# driver: bridge
- name: Check existence of Matrix network in Docker
shell:
cmd: "docker network ls -q --filter='name=^{{ matrix_docker_network }}$'"
register: result_check_docker_network
changed_when: false
- name: Create Matrix network in Docker
shell:
cmd: "docker network create --driver=bridge {{ matrix_docker_network }}"
when: "result_check_docker_network.stdout == ''"


@ -0,0 +1,74 @@
---
#
# Tasks related to setting up mxisd
#
- name: Fail if mailer is not enabled
fail:
msg: "You need to enable the mailer service (matrix_mailer_enabled) to install mxisd"
when: "matrix_mxisd_enabled and not matrix_mailer_enabled"
- name: Ensure mxisd paths exist
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_mxisd_config_path }}"
- "{{ matrix_mxisd_data_path }}"
when: matrix_mxisd_enabled
- name: Ensure mxisd image is pulled
docker_image:
name: "{{ matrix_docker_image_mxisd }}"
when: matrix_mxisd_enabled
- name: Ensure mxisd config installed
template:
src: "{{ matrix_mxisd_template_config }}"
dest: "{{ matrix_mxisd_config_path }}/mxisd.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: matrix_mxisd_enabled
- name: Ensure matrix-mxisd.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-mxisd.service.j2"
dest: "/etc/systemd/system/matrix-mxisd.service"
mode: 0644
when: matrix_mxisd_enabled
#
# Tasks related to getting rid of mxisd (if it was previously enabled)
#
- name: Check existence of matrix-mxisd service
stat: path="/etc/systemd/system/matrix-mxisd.service"
register: matrix_mxisd_service_stat
- name: Ensure matrix-mxisd is stopped
service: name=matrix-mxisd state=stopped daemon_reload=yes
register: stopping_result
when: "not matrix_mxisd_enabled and matrix_mxisd_service_stat.stat.exists"
- name: Ensure matrix-mxisd.service doesn't exist
file:
path: "/etc/systemd/system/matrix-mxisd.service"
state: absent
when: "not matrix_mxisd_enabled and matrix_mxisd_service_stat.stat.exists"
- name: Ensure Matrix mxisd paths don't exist
file:
path: "{{ matrix_mxisd_base_path }}"
state: absent
when: "not matrix_mxisd_enabled"
- name: Ensure mxisd Docker image doesn't exist
docker_image:
name: "{{ matrix_docker_image_mxisd }}"
state: absent
when: "not matrix_mxisd_enabled"


@ -0,0 +1,90 @@
---
#
# Generic tasks that we always want to happen, regardless
# if the user wants matrix-nginx-proxy or not.
#
# If the user would set up their own nginx proxy server,
# the config files from matrix-nginx-proxy can be reused.
#
# It doesn't hurt to put them in place, even if they turn out
# to be unnecessary.
#
- name: Ensure Matrix nginx-proxy paths exist
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: root
group: root
with_items:
- "{{ matrix_nginx_proxy_data_path }}"
- "{{ matrix_nginx_proxy_confd_path }}"
- name: Ensure Matrix nginx-proxy configured
template:
src: "{{ role_path }}/templates/nginx-conf.d/{{ item }}.j2"
dest: "{{ matrix_nginx_proxy_confd_path }}/{{ item }}"
mode: 0644
with_items:
- "nginx-http.conf"
- "matrix-synapse.conf"
- "matrix-riot-web.conf"
#
# Tasks related to setting up matrix-nginx-proxy
#
- name: Ensure nginx Docker image is pulled
docker_image:
name: "{{ matrix_docker_image_nginx }}"
when: matrix_nginx_proxy_enabled
- name: Allow access to nginx proxy ports in firewalld
firewalld:
service: "{{ item }}"
state: enabled
immediate: yes
permanent: yes
with_items:
- "http"
- "https"
when: "ansible_os_family == 'RedHat' and matrix_nginx_proxy_enabled"
- name: Ensure matrix-nginx-proxy.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-nginx-proxy.service.j2"
dest: "/etc/systemd/system/matrix-nginx-proxy.service"
mode: 0644
when: matrix_nginx_proxy_enabled
- name: Ensure periodic restarting of matrix-nginx-proxy is configured (for SSL renewal)
template:
src: "{{ role_path }}/templates/cron.d/matrix-nginx-proxy-periodic-restarter.j2"
dest: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
mode: 0600
when: matrix_nginx_proxy_enabled
#
# Tasks related to getting rid of matrix-nginx-proxy (if it was previously enabled)
#
- name: Check existence of matrix-nginx-proxy service
stat: path="/etc/systemd/system/matrix-nginx-proxy.service"
register: matrix_nginx_proxy_service_stat
- name: Ensure matrix-nginx-proxy is stopped
service: name=matrix-nginx-proxy state=stopped daemon_reload=yes
register: stopping_result
when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
- name: Ensure matrix-nginx-proxy.service doesn't exist
file:
path: "/etc/systemd/system/matrix-nginx-proxy.service"
state: absent
when: "not matrix_nginx_proxy_enabled and matrix_nginx_proxy_service_stat.stat.exists"
- name: Ensure periodic restarting of matrix-nginx-proxy is removed
file:
path: "/etc/cron.d/matrix-nginx-proxy-periodic-restarter"
state: absent
when: "not matrix_nginx_proxy_enabled"


@ -0,0 +1,108 @@
---
#
# Generic tasks, no matter what kind of server we're using (internal/external)
#
- name: Determine existing Postgres version (check PG_VERSION file)
stat:
path: "{{ matrix_postgres_data_path }}/PG_VERSION"
register: result_pg_version_stat
- name: Determine existing Postgres version (read PG_VERSION file)
slurp:
src: "{{ matrix_postgres_data_path }}/PG_VERSION"
register: result_pg_version
when: "result_pg_version_stat.stat.exists"
- name: Determine existing Postgres version (default to empty)
set_fact:
pg_version: ""
- name: Determine existing Postgres version (make sense of PG_VERSION file)
set_fact:
pg_version: "{{ result_pg_version['content']|b64decode|replace('\n', '') }}"
when: "result_pg_version_stat.stat.exists"
- name: Determine Postgres version to use (default to latest)
set_fact:
matrix_docker_image_postgres_to_use: "{{ matrix_docker_image_postgres_latest }}"
- name: Determine Postgres version to use (use 9.x, if detected)
set_fact:
matrix_docker_image_postgres_to_use: "{{ matrix_docker_image_postgres_v9 }}"
when: "pg_version.startswith('9.')"
- debug:
msg: "NOTE: Your setup is on an old Postgres version ({{ matrix_docker_image_postgres_to_use }}), while {{ matrix_docker_image_postgres_latest }} is supported. You can upgrade using --tags=upgrade-postgres"
when: "matrix_docker_image_postgres_to_use != matrix_docker_image_postgres_latest"
# Even if we don't run the internal server, we still need this for running the CLI
- name: Ensure postgres Docker image is pulled
docker_image:
name: "{{ matrix_docker_image_postgres_to_use }}"
- name: Ensure Postgres environment variables file created
template:
src: "{{ role_path }}/templates/env/{{ item }}.j2"
dest: "{{ matrix_environment_variables_data_path }}/{{ item }}"
mode: 0640
with_items:
- "env-postgres-pgsql-docker"
- "env-postgres-server-docker"
- name: Ensure matrix-postgres-cli script created
template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-postgres-cli.j2"
dest: "/usr/local/bin/matrix-postgres-cli"
mode: 0750
#
# Tasks related to setting up an internal postgres server
#
- name: Ensure postgres data path exists
file:
path: "{{ matrix_postgres_data_path }}"
state: directory
mode: 0700
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: "not matrix_postgres_use_external"
- name: Ensure matrix-postgres.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-postgres.service.j2"
dest: "/etc/systemd/system/matrix-postgres.service"
mode: 0644
when: "not matrix_postgres_use_external"
#
# Tasks related to getting rid of the internal postgres server (if it was previously enabled)
#
- name: Check existence of matrix-postgres service
stat: path="/etc/systemd/system/matrix-postgres.service"
register: matrix_postgres_service_stat
when: matrix_postgres_use_external
- name: Ensure matrix-postgres is stopped
service: name=matrix-postgres state=stopped daemon_reload=yes
when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists"
- name: Ensure matrix-postgres.service doesn't exist
file:
path: "/etc/systemd/system/matrix-postgres.service"
state: absent
when: "matrix_postgres_use_external and matrix_postgres_service_stat.stat.exists"
- name: Check existence of matrix-postgres local data path
stat: path="{{ matrix_postgres_data_path }}"
register: matrix_postgres_data_path_stat
when: matrix_postgres_use_external
# We just want to notify the user. Deleting data is too destructive.
- name: Notify if matrix-postgres local data remains
debug:
msg: "Note: You are not using a local PostgreSQL database, but some old data remains from before in {{ matrix_postgres_data_path }}. Feel free to delete that."
when: "matrix_postgres_use_external and matrix_postgres_data_path_stat.stat.exists"


@ -0,0 +1,69 @@
---
#
# Tasks related to setting up riot-web
#
- name: Ensure Matrix riot-web path exists
file:
path: "{{ matrix_riot_web_data_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: matrix_riot_web_enabled
- name: Ensure riot-web Docker image is pulled
docker_image:
name: "{{ matrix_docker_image_riot }}"
when: matrix_riot_web_enabled
- name: Ensure Matrix riot-web configured
template:
src: "{{ role_path }}/templates/riot-web/{{ item }}.j2"
dest: "{{ matrix_riot_web_data_path }}/{{ item }}"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "riot.im.conf"
- "config.json"
when: matrix_riot_web_enabled
- name: Ensure matrix-riot-web.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-riot-web.service.j2"
dest: "/etc/systemd/system/matrix-riot-web.service"
mode: 0644
when: matrix_riot_web_enabled
#
# Tasks related to getting rid of riot-web (if it was previously enabled)
#
- name: Check existence of matrix-riot-web service
stat: path="/etc/systemd/system/matrix-riot-web.service"
register: matrix_riot_web_service_stat
- name: Ensure matrix-riot-web is stopped
service: name=matrix-riot-web state=stopped daemon_reload=yes
register: stopping_result
when: "not matrix_riot_web_enabled and matrix_riot_web_service_stat.stat.exists"
- name: Ensure matrix-riot-web.service doesn't exist
file:
path: "/etc/systemd/system/matrix-riot-web.service"
state: absent
when: "not matrix_riot_web_enabled and matrix_riot_web_service_stat.stat.exists"
- name: Ensure Matrix riot-web paths doesn't exist
file:
path: "{{ matrix_riot_web_data_path }}"
state: absent
when: "not matrix_riot_web_enabled"
- name: Ensure riot-web Docker image doesn't exist
docker_image:
name: "{{ matrix_docker_image_riot }}"
state: absent
when: "not matrix_riot_web_enabled"


@ -0,0 +1,54 @@
---
- name: Determine domains to obtain certificates for (Matrix)
set_fact:
domains_to_obtain_certificate_for: "['{{ hostname_matrix }}']"
- name: Determine domains to obtain certificates for (Riot)
set_fact:
domains_to_obtain_certificate_for: "{{ domains_to_obtain_certificate_for + [hostname_riot] }}"
when: matrix_riot_web_enabled
- name: Allow access to HTTP/HTTPS in firewalld
firewalld:
service: "{{ item }}"
state: enabled
immediate: yes
permanent: yes
with_items:
- http
- https
when: ansible_os_family == 'RedHat'
- name: Ensure certbot Docker image is pulled
docker_image:
name: "{{ matrix_ssl_certbot_docker_image }}"
- name: Ensure SSL certificate paths exists
file:
path: "{{ item }}"
state: directory
mode: 0770
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_ssl_log_dir_path }}"
- "{{ matrix_ssl_config_dir_path }}"
- name: Obtain initial certificates
include_tasks: "tasks/setup/setup_ssl_for_domain.yml"
with_items: "{{ domains_to_obtain_certificate_for }}"
loop_control:
loop_var: domain_name
- name: Ensure SSL renewal script installed
template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-ssl-certificates-renew.j2"
dest: "/usr/local/bin/matrix-ssl-certificates-renew"
mode: 0750
- name: Ensure periodic SSL renewal cronjob configured
template:
src: "{{ role_path }}/templates/cron.d/matrix-ssl-certificate-renewal.j2"
dest: "/etc/cron.d/matrix-ssl-certificate-renewal"
mode: 0600


@ -0,0 +1,70 @@
- debug:
msg: "Dealing with SSL certificate retrieval for domain: {{ domain_name }}"
- set_fact:
domain_name_certificate_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/cert.pem"
- name: Check if a certificate for the domain already exists
stat:
path: "{{ domain_name_certificate_path }}"
register: domain_name_certificate_path_stat
- set_fact:
domain_name_needs_cert: "{{ not domain_name_certificate_path_stat.stat.exists }}"
# This will fail if there is something running on port 80 (like matrix-nginx-proxy).
# We suppress the error, as we'll try another method below.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (directly)
shell: >-
/usr/bin/docker run
--rm
--name=matrix-certbot
--net=host
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
{{ matrix_ssl_certbot_docker_image }}
certonly
--non-interactive
{% if matrix_ssl_use_staging %}--staging{% endif %}
--standalone
--preferred-challenges http
--agree-tos
--email={{ matrix_ssl_support_email }}
-d {{ domain_name }}
when: "domain_name_needs_cert"
register: result_certbot_direct
ignore_errors: true
# If matrix-nginx-proxy is configured from a previous run of this playbook,
# and it's running now, it may be able to proxy requests to `matrix_ssl_certbot_standalone_http_port`.
- name: Attempt initial SSL certificate retrieval with standalone authenticator (via proxy)
shell: >-
/usr/bin/docker run
--rm
--name=matrix-certbot
-p 127.0.0.1:{{ matrix_ssl_certbot_standalone_http_port }}:80
--network={{ matrix_docker_network }}
-v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
-v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
{{ matrix_ssl_certbot_docker_image }}
certonly
--non-interactive
{% if matrix_ssl_use_staging %}--staging{% endif %}
--standalone
--preferred-challenges http
--agree-tos
--email={{ matrix_ssl_support_email }}
-d {{ domain_name }}
when: "domain_name_needs_cert and result_certbot_direct.failed"
register: result_certbot_proxy
ignore_errors: true
- name: Fail if all SSL certificate retrieval attempts failed
fail:
msg: |
Failed to obtain a certificate directly (by listening on port 80)
and also failed to obtain by relying on the server at port 80 to proxy the request.
See above for details.
You may wish to set up proxying of /.well-known/acme-challenge to {{ matrix_ssl_certbot_standalone_http_port }} or,
more easily, stop the server on port 80 while this playbook runs.
when: "domain_name_needs_cert and result_certbot_direct.failed and result_certbot_proxy.failed"


@ -0,0 +1,7 @@
---
- include: tasks/setup/setup_synapse_pre.yml
- include: tasks/setup/setup_synapse_ext.yml
- include: tasks/setup/setup_synapse_main.yml


@ -0,0 +1,7 @@
---
- include: tasks/setup/setup_synapse_ext_rest_auth.yml
- include: tasks/setup/setup_synapse_ext_shared_secret_auth.yml
- include: tasks/setup/setup_synapse_ext_mautrix_telegram.yml


@ -0,0 +1,68 @@
---
- name: Ensure Mautrix Telegram image is pulled
docker_image:
name: "{{ matrix_docker_image_mautrix_telegram }}"
when: "matrix_mautrix_telegram_enabled"
- name: Ensure Mautrix Telegram configuration path exists
file:
path: "{{ matrix_mautrix_telegram_base_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: "matrix_mautrix_telegram_enabled"
- stat: "path={{ matrix_mautrix_telegram_base_path }}/config.yaml"
register: mautrix_config_file
- name: Ensure Matrix Mautrix telegram config installed
template:
src: "{{ role_path }}/templates/mautrix-telegram/config.yaml.j2"
dest: "{{ matrix_mautrix_telegram_base_path }}/config.yaml"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: "matrix_mautrix_telegram_enabled and mautrix_config_file.stat.exists == False"
- name: Ensure matrix-mautrix-telegram.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-mautrix-telegram.service.j2"
dest: "/etc/systemd/system/matrix-mautrix-telegram.service"
mode: 0644
when: "matrix_mautrix_telegram_enabled"
- stat: "path={{ matrix_mautrix_telegram_base_path }}/registration.yaml"
register: mautrix_registration_file
- name: Generate matrix-mautrix-telegram registration.yaml if it doesn't exist
shell: /usr/bin/docker run --rm --name matrix-mautrix-telegram-gen -v {{ matrix_mautrix_telegram_base_path }}:/data:z {{ matrix_docker_image_mautrix_telegram }} python3 -m mautrix_telegram -g -c /data/config.yaml -r /data/registration.yaml
when: "matrix_mautrix_telegram_enabled and mautrix_registration_file.stat.exists == False"
- set_fact:
matrix_synapse_app_service_config_file_mautrix_telegram: '/app-registration/mautrix-telegram.yml'
- set_fact:
matrix_synapse_container_additional_volumes: >
{{ matrix_synapse_container_additional_volumes }}
+
{{ [{'src': '{{ matrix_mautrix_telegram_base_path }}/registration.yaml', 'dst': '{{ matrix_synapse_app_service_config_file_mautrix_telegram }}', 'options': 'ro'}] }}
when: "matrix_mautrix_telegram_enabled"
- set_fact:
matrix_synapse_app_service_config_files: >
{{ matrix_synapse_app_service_config_files }}
+
{{ ["{{ matrix_synapse_app_service_config_file_mautrix_telegram }}"] | to_nice_json }}
when: "matrix_mautrix_telegram_enabled"
#
# Tasks related to getting rid of matrix-mautrix-telegram (if it was previously enabled)
#
- name: Ensure matrix-mautrix-telegram.service doesn't exist
file:
path: "/etc/systemd/system/matrix-mautrix-telegram.service"
state: absent
when: "not matrix_mautrix_telegram_enabled"
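Review bot: The conditions `mautrix_config_file.stat.exists == False` and `mautrix_registration_file.stat.exists == False` compare against a Python literal inside the Jinja expression; the form used by every other `when:` in these files is `not mautrix_config_file.stat.exists` and `not mautrix_registration_file.stat.exists`. The two unnamed `stat:` tasks also use the `path=...` key=value string form while the rest of the file passes module arguments as block YAML; `stat:` followed by `path: "{{ matrix_mautrix_telegram_base_path }}/config.yaml"` on the next line, plus a `name:`, keeps the file consistent and makes the play output readable.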


@ -0,0 +1,43 @@
---
#
# Tasks related to setting up matrix-synapse-rest-auth
#
- name: Download matrix-synapse-rest-auth
get_url:
url: "{{ matrix_synapse_ext_password_provider_rest_auth_download_url }}"
dest: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py"
force: true
mode: 0440
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: "matrix_synapse_ext_password_provider_rest_auth_enabled"
- set_fact:
matrix_synapse_password_providers_enabled: true
when: "matrix_synapse_ext_password_provider_rest_auth_enabled"
- set_fact:
matrix_synapse_container_additional_volumes: >
{{ matrix_synapse_container_additional_volumes }}
+
{{ [{'src': '{{ matrix_synapse_ext_path }}/rest_auth_provider.py', 'dst': '/usr/local/lib/python2.7/site-packages/rest_auth_provider.py', 'options': 'ro'}] }}
when: "matrix_synapse_ext_password_provider_rest_auth_enabled"
- set_fact:
matrix_synapse_additional_loggers: >
{{ matrix_synapse_additional_loggers }}
+
{{ [{'name': 'rest_auth_provider', 'level': 'INFO'}] }}
when: "matrix_synapse_ext_password_provider_rest_auth_enabled"
#
# Tasks related to getting rid of matrix-synapse-rest-auth (if it was previously enabled)
#
- name: Ensure matrix-synapse-rest-auth doesn't exist
file:
path: "{{ matrix_synapse_ext_path }}/rest_auth_provider.py"
state: absent
when: "not matrix_synapse_ext_password_provider_rest_auth_enabled"
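Review bot: `get_url` fetches `rest_auth_provider.py` with `force: true` and no `checksum`, so the file is re-downloaded on every run and whatever the URL serves is placed where the following `set_fact` mounts it into the Synapse container as a password provider, i.e. code executed inside Synapse with no integrity check. `get_url` supports pinning via `checksum: "sha256:<expected digest — placeholder, fill in from a verified copy>"`, which turns a changed upstream file into a task failure instead of a silent swap; the same applies to `shared_secret_authenticator.py` in setup_synapse_ext_shared_secret_auth.yml. The mount `dst` under `/usr/local/lib/python2.7/site-packages/` is also tied to the Synapse image's Python version, which is worth a comment such as `# dst must track the Python version inside the Synapse image` so it is not missed when the image changes.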


@ -0,0 +1,48 @@
---
#
# Tasks related to setting up matrix-synapse-shared-secret-auth
#
- name: Fail if Shared Secret Auth enabled, but no secret set
fail:
msg: "Shared Secret Auth is enabled, but no secret has been set in matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret"
when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled and matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret == ''"
- name: Download matrix-synapse-shared-secret-auth
get_url:
url: "{{ matrix_synapse_ext_password_provider_shared_secret_auth_download_url }}"
dest: "{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py"
force: true
mode: 0440
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
- set_fact:
matrix_synapse_password_providers_enabled: true
when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
- set_fact:
matrix_synapse_container_additional_volumes: >
{{ matrix_synapse_container_additional_volumes }}
+
{{ [{'src': '{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py', 'dst': '/usr/local/lib/python2.7/site-packages/shared_secret_authenticator.py', 'options': 'ro'}] }}
when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
- set_fact:
matrix_synapse_additional_loggers: >
{{ matrix_synapse_additional_loggers }}
+
{{ [{'name': 'shared_secret_authenticator', 'level': 'INFO'}] }}
when: "matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
#
# Tasks related to getting rid of matrix-synapse-shared-secret-auth (if it was previously enabled)
#
- name: Ensure matrix-synapse-shared-secret-auth doesn't exist
file:
path: "{{ matrix_synapse_ext_path }}/shared_secret_authenticator.py"
state: absent
when: "not matrix_synapse_ext_password_provider_shared_secret_auth_enabled"
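Review bot: `Download matrix-synapse-shared-secret-auth` re-downloads `shared_secret_authenticator.py` on every run (`force: true`) without a `checksum:`, and the file is then mounted read-only into Synapse's `site-packages` where it authenticates users, so an altered upstream file would be picked up unnoticed; pin it with `checksum: "sha256:<digest>"`, or drop `force: true` so an already-present copy is reused. The early `fail` on an empty `matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret` is the right guard, but if the role's defaults do not define that variable the `when` expression itself raises an undefined-variable error rather than the intended message; `... and (matrix_synapse_ext_password_provider_shared_secret_auth_shared_secret | default('')) == ''` covers both cases. As in the sibling rest-auth file, the hard-coded `python2.7` site-packages path is worth a comment tying it to the Synapse image.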


@ -0,0 +1,91 @@
---
- name: Fail if Macaroon key is missing
fail:
msg: "You need to set a secret in the matrix_synapse_macaroon_secret_key variable"
when: "matrix_synapse_macaroon_secret_key == ''"
# This will throw a Permission Denied error if already mounted using fuse
- name: Check Matrix Synapse media store path
stat: path="{{ matrix_synapse_media_store_path }}"
register: local_path_media_store_stat
ignore_errors: yes
# This is separate and conditional, to ensure we don't execute it
# if the path already exists or we failed to check, because it's mounted using fuse.
- name: Ensure Matrix media store path exists
file:
path: "{{ matrix_synapse_media_store_path }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
when: "not local_path_media_store_stat.failed and not local_path_media_store_stat.stat.exists"
- name: Ensure Matrix Docker image is pulled
docker_image:
name: "{{ matrix_docker_image_synapse }}"
- name: Check if a Matrix Synapse configuration exists
stat:
path: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
register: matrix_synapse_config_stat
# We do this mostly so that the keys would get generated.
# We'll replace the rest of the configuration with our own templates below.
- name: Generate initial Matrix config
docker_container:
name: matrix-config
image: "{{ matrix_docker_image_synapse }}"
detach: no
cleanup: yes
command: generate
env:
SYNAPSE_CONFIG_PATH: "/data/homeserver.yaml"
SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}"
SYNAPSE_REPORT_STATS: "no"
user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
volumes:
- "{{ matrix_synapse_config_dir_path }}:/data"
when: "not matrix_synapse_config_stat.stat.exists"
- name: Ensure Matrix homeserver config installed
template:
src: "{{ matrix_synapse_template_synapse_homeserver }}"
dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
mode: 0644
- name: Ensure Matrix log config installed
template:
src: "{{ matrix_synapse_template_synapse_log }}"
dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
mode: 0644
- name: Ensure Synapse environment variables file created
template:
src: "{{ role_path }}/templates/env/env-synapse.j2"
dest: "{{ matrix_environment_variables_data_path }}/synapse"
owner: root
mode: 0600
- name: Ensure matrix-synapse.service installed
template:
src: "{{ role_path }}/templates/systemd/matrix-synapse.service.j2"
dest: "/etc/systemd/system/matrix-synapse.service"
mode: 0644
- name: Ensure matrix-synapse-register-user script created
template:
src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
dest: "/usr/local/bin/matrix-synapse-register-user"
mode: 0750
- name: Allow access to Matrix ports in firewalld
firewalld:
port: "{{ item }}"
state: enabled
immediate: yes
permanent: yes
with_items:
- '8448/tcp' # Matrix federation
when: ansible_os_family == 'RedHat'
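Review bot: `Ensure Matrix homeserver config installed` writes `homeserver.yaml` with `mode: 0644` and no `owner`/`group`, while the first task in this file fails unless `matrix_synapse_macaroon_secret_key` is set — so the rendered config presumably carries that secret, and the `generate` step above puts the server's signing key in the same directory, yet the file itself is world-readable. The environment file further down is correctly `0600`/root; bringing the config in line — `mode: 0640`, `owner: "{{ matrix_user_username }}"`, `group: "{{ matrix_user_username }}"` — keeps it readable by the uid/gid the container runs as (`matrix_user_uid`/`matrix_user_gid`) while no longer relying solely on the directory's `0750` from the paths task. The `generate` container is run as the matrix user and the media-store `stat`/`file` pair is well commented, which is good; a one-line comment on the macaroon check explaining that the key ends up in `homeserver.yaml` would make the permission requirement obvious to the next editor.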


@ -0,0 +1,17 @@
---
- name: Ensure Matrix Synapse paths exist
file:
path: "{{ item }}"
state: directory
mode: 0750
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_synapse_config_dir_path }}"
- "{{ matrix_synapse_run_path }}"
- "{{ matrix_synapse_storage_path }}"
- "{{ matrix_synapse_ext_path }}"
# We handle matrix_synapse_media_store_path elsewhere (in setup_synapse.yml),
# because if it's using S3fs and it's already mounted (from before),
# trying to chown/chmod it here will cause trouble.
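Review bot: `mode: 0750` is an unquoted leading-zero literal; PyYAML reads it as the octal integer Ansible expects, but a YAML 1.2 loader or a later edit to `750` would silently produce the wrong permission bits, so the Ansible convention is to quote it: `mode: "0750"`. The closing comment about the media store path documents a real hazard (chmod on an already-mounted S3fs path) and is worth keeping as is; the same quoting applies to the `0750`/`0644`/`0600` modes in the other relocated task files.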


@ -0,0 +1,24 @@
- set_fact:
matrix_well_known_file_path: "{{ matrix_static_files_base_path }}/.well-known/matrix/client"
# We need others to be able to read these directories too,
# so that matrix-nginx-proxy's nginx user can access the files.
#
# For running with another webserver, we recommend being part of the `matrix` group.
- name: Ensure Matrix static-files path exists
file:
path: "{{ item }}"
state: directory
mode: 0755
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
with_items:
- "{{ matrix_well_known_file_path|dirname }}"
- name: Ensure Matrix /.well-known/matrix/client configured
template:
src: "{{ role_path }}/templates/well-known/matrix-client.j2"
dest: "{{ matrix_well_known_file_path }}"
mode: 0644
owner: "{{ matrix_user_username }}"
group: "{{ matrix_user_username }}"
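Review bot: This is the only relocated task file in the commit that does not begin with a `---` document marker (the `set_fact` on the first line is the document start); adding `---` above it keeps the files consistent and satisfies yamllint's `document-start` rule. The `0755`/`0644` modes are intentionally world-readable and the comment explains the nginx-user rationale, which is good; since the result is published over HTTP it would help to state the corollary explicitly, e.g. `# This file is served publicly — never template secrets into matrix-client.j2.`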