matrix-docker-ansible-deploy/roles/matrix-server/tasks/setup_synapse.yml
Slavi Pantaleev cb323f5b4c Move SSL certificates from /etc/pki/acmetool-certs to /matrix/ssl
Moving keeps everything in the /matrix directory, so that we
wouldn't contaminate anything else on the system or risk
clashing with something else.

Also retrieving certificates separately for the Riot and Matrix domains,
which should help in multiple ways:

- allows them to be very different (completely separate base domain..)

- allows Riot to be disabled in the playbook at some later point
  without this code breaking
2017-09-11 23:50:14 +03:00


---
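# Create Synapse's config and run directories, owned by the Matrix service
# user and with no access for "other" (owner rwx, group rx). The mode is
# quoted so YAML hands Ansible the string "0750" instead of first parsing
# the bare literal as an integer.
- name: Ensure Matrix Synapse paths exists
  file:
    path: "{{ item }}"
    state: directory
    mode: "0750"
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
  with_items:
    - "{{ matrix_synapse_config_dir_path }}"
    - "{{ matrix_synapse_run_path }}"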
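# We handle matrix_synapse_media_store_path below, not here,
# because if it's using S3fs and it's already mounted (from before),
# trying to chown/chmod it here will cause trouble.
#
# Only records whether the path exists; the result gates the next task.
# Native YAML arguments instead of the free-form "path=..." string.
- name: Check Matrix Synapse media store path
  stat:
    path: "{{ matrix_synapse_media_store_path }}"
  register: local_path_media_store_stat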
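# This is separate and conditional, to ensure we don't execute it
# if the path already exists (and is likely used by an s3fs mount).
#
# Because of the `when`, an existing media store is never re-owned or
# re-moded here, whatever its current permissions are. Mode quoted so
# it reaches Ansible as a string.
- name: Ensure Matrix media store path exists
  file:
    path: "{{ matrix_synapse_media_store_path }}"
    state: directory
    mode: "0750"
    owner: "{{ matrix_user_username }}"
    group: "{{ matrix_user_username }}"
  when: "not local_path_media_store_stat.stat.exists"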
# Make sure the Synapse image named by docker_matrix_image is available
# locally before any container below is started from it.
- name: Ensure Matrix Docker image is pulled
  docker_image:
    name: '{{ docker_matrix_image }}'
# Record whether a homeserver.yaml already exists in the config directory;
# the config-generation task below is skipped when it does.
- name: Check if a Matrix Synapse configuration exists
  register: matrix_synapse_config_stat
  stat:
    path: '{{ matrix_synapse_config_dir_path }}/homeserver.yaml'
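# One-time bootstrap: run the image's `generate` command to write a fresh
# homeserver.yaml into the config directory. The container runs as the
# unprivileged Matrix uid:gid and only the config directory is mounted,
# so the generated files are owned by that user and nothing else on the
# host is exposed to the container.
#
# SERVER_NAME is seeded with hostname_matrix here, but the "Augment Matrix
# config" task further down rewrites server_name to hostname_identity.
# REPORT_STATS is an environment variable the container reads as text, so
# it must stay a quoted string, not a YAML boolean.
- name: Generate initial Matrix config
  docker_container:
    name: matrix-config
    image: "{{ docker_matrix_image }}"
    detach: false
    cleanup: true
    command: generate
    env:
      SERVER_NAME: "{{ hostname_matrix }}"
      REPORT_STATS: "no"
    user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
    volumes:
      - "{{ matrix_synapse_config_dir_path }}:/data"
  when: "not matrix_synapse_config_stat.stat.exists"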
# Delete the self-signed certificate/key pair for hostname_matrix from the
# config directory (presumably written by the `generate` step above).
# A later task points the config at separately obtained certificates.
- name: Ensure self-signed certificates are removed
  file:
    state: absent
    path: '{{ item }}'
  with_items:
    - '{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt'
    - '{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key'
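# Rewrite three keys of the generated log config so the log file lives in
# the run directory (as seen from inside the container) and rotation is
# bounded by the playbook's size/count variables. Each regexp matches the
# key at its original indentation and the whole line is replaced.
# Native YAML arguments replace the free-form "dest=..." string plus args.
- name: Augment Matrix log config
  lineinfile:
    dest: "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
    regexp: "{{ item.regexp }}"
    line: '{{ item.line }}'
  with_items:
    - regexp: "^ filename:"
      line: ' filename: /matrix-run/homeserver.log'
    - regexp: "^ maxBytes:"
      line: ' maxBytes: {{ matrix_max_log_file_size_mb * 1024 * 1024 }}'
    - regexp: "^ backupCount:"
      line: ' backupCount: {{ matrix_max_log_files_count }}'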
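# Replace top-level keys of homeserver.yaml in place (each regexp is
# anchored at column 0, so only the top-level occurrence is touched).
#
# - tls_*_path: container-side paths; the host directory mounted at
#   /acmetool-certs is defined elsewhere (presumably the service template).
# - server_name: the identity domain, not the Synapse host name.
# - turn_allow_guests: False keeps TURN credentials from guest (unregistered)
#   users.
# - url_preview_enabled: True makes Synapse fetch user-supplied URLs; the
#   IP-range blacklist set in the next task is the control that keeps those
#   fetches away from internal addresses.
# Native YAML arguments replace the free-form "dest=..." string plus args.
- name: Augment Matrix config
  lineinfile:
    dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
    regexp: "{{ item.regexp }}"
    line: '{{ item.line }}'
  with_items:
    - regexp: "^log_file:"
      line: 'log_file: "/matrix-run/homeserver.log"'
    - regexp: "^tls_certificate_path:"
      line: 'tls_certificate_path: "/acmetool-certs/live/{{ hostname_matrix }}/fullchain"'
    - regexp: "^tls_private_key_path:"
      line: 'tls_private_key_path: "/acmetool-certs/live/{{ hostname_matrix }}/privkey"'
    - regexp: "^server_name:"
      line: 'server_name: "{{ hostname_identity }}"'
    - regexp: "^turn_allow_guests:"
      line: 'turn_allow_guests: False'
    - regexp: "^url_preview_enabled:"
      line: 'url_preview_enabled: True'
    - regexp: "^max_upload_size:"
      line: 'max_upload_size: "{{ matrix_max_upload_size_mb }}M"'
    - regexp: "^media_store_path:"
      line: 'media_store_path: "/matrix-media-store"'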
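# Set the address ranges URL previews must never be fetched from. This is
# the guard that stops a user-supplied preview URL from reaching loopback,
# RFC 1918, CGNAT or link-local addresses on the server's network.
#
# NOTE(review): the list is IPv4-only; on a host with IPv6 the equivalent
# ranges (loopback ::1, fc00::/7, fe80::/10) are not covered — confirm
# whether Synapse's sample config entries for those should be added.
#
# If neither the key nor the commented-out sample line is found, lineinfile
# appends the line at the end of the file, which is still a valid top-level
# key for Synapse.
# Native YAML arguments replace the free-form "dest=..." string plus args.
- name: Augment Matrix config (specify URL previews blacklist)
  lineinfile:
    dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
    regexp: "^url_preview_ip_range_blacklist:"
    line: 'url_preview_ip_range_blacklist: ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16"]'
    insertafter: '^# url_preview_ip_range_blacklist:$'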
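# We only wish to do this for the 8008 port and not for the 8448 port
# (2nd instance of `x_forwarded` found in the config)
#
# How the regexp achieves that: it is double-quoted, so YAML turns `\n`
# into a real newline before the regex engine sees it, and `(?:.|\n)*` is
# greedy, so the match runs from the first "8008" in the file to the LAST
# "x_forwarded" after it. Group 1 (everything in between) is kept verbatim
# by the replacement; group 2 (the rest of the old x_forwarded line) is
# dropped and replaced with ": true".
# NOTE(review): the match is not anchored to the listener stanza — it relies
# on "8008" not appearing earlier in the file; confirm against the
# generated config.
# Native YAML arguments replace the free-form "dest=..." string plus args.
- name: Augment Matrix config (mark 8008 plain traffic as forwarded)
  replace:
    dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
    regexp: "8008((?:.|\n)*)x_forwarded(.*)"
    replace: '8008\g<1>x_forwarded: true'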
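# Switch the database driver line from sqlite3 to psycopg2, preserving the
# line's leading indentation via the \1 backreference. With backrefs set,
# lineinfile leaves the file untouched when the regexp does not match, so
# this is a no-op on every run after the first.
- name: Augment Matrix config (change database from SQLite to Postgres)
  lineinfile:
    dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
    regexp: '(.*)name: "sqlite3"'
    line: '\1name: "psycopg2"'
    backrefs: true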
# Insert the Postgres connection block under the psycopg2 driver line.
#
# regexp: \1 captures the indentation of the `name: "psycopg2"` line; the
# lazy `((?:.|\n)*?)\n\n` then consumes everything up to the first blank
# line, i.e. whatever currently follows the driver line in that stanza
# (including a block written by an earlier run, which keeps this
# idempotent). Single-quoted, so `\n` reaches the regex engine as an escape.
# replace: rebuilds the stanza; `\1\1` doubles the captured indentation for
# the nested args keys. Pool sizes are hard-coded to 5/10.
#
# NOTE(review): the password is written in clear text into homeserver.yaml;
# confirm that file's ownership/mode restricts it to the Matrix user.
# NOTE(review): the templated values are substituted into a regex
# replacement template, so a password containing a backslash (or a
# sequence like `\1`) would be interpreted by the regex engine rather than
# written literally — confirm the variable is constrained or escaped.
- name: Augment Matrix config (set the Postgres connection parameters)
  replace:
    dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
    regexp: '(.*)name: "psycopg2"((?:.|\n)*?)\n\n'
    replace: '\1name: "psycopg2"\n\1args:\n\1\1user: "{{ matrix_postgres_connection_username }}"\n\1\1password: "{{ matrix_postgres_connection_password }}"\n\1\1database: "{{ matrix_postgres_db_name }}"\n\1\1host: "{{ matrix_postgres_connection_hostname }}"\n\1\1cp_min: 5\n\1\1cp_max: 10\n\n'
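# Set the TURN relay port range and the advertised external IP in the
# generated turnserver.conf. Each regexp is anchored at column 0 on
# "<variable>=", so only an existing uncommented assignment is replaced.
# Native YAML arguments replace the free-form "dest=..." string plus args.
- name: Augment Matrix config (configure Coturn)
  lineinfile:
    dest: "{{ matrix_synapse_config_dir_path }}/turnserver.conf"
    regexp: "^{{ item.variable }}="
    line: '{{ item.variable }}={{ item.value }}'
  with_items:
    - variable: 'min-port'
      value: "{{ matrix_coturn_turn_udp_min_port }}"
    - variable: 'max-port'
      value: "{{ matrix_coturn_turn_udp_max_port }}"
    - variable: 'external-ip'
      value: "{{ matrix_coturn_turn_external_ip_address }}"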
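# Open the externally reachable ports on RedHat-family hosts, both in the
# running firewall and persistently. The set is deliberately small:
# federation (8448), STUN (3478 tcp/udp) and the TURN relay range that the
# Coturn task above configured. Port 8008 (plain client traffic, marked
# x_forwarded above) is not opened here — presumably it is only reached
# through a local reverse proxy; confirm against the proxy setup.
# Port strings are quoted so "3478/tcp" etc. are never misparsed.
- name: Allow access to Matrix ports in firewalld
  firewalld:
    port: "{{ item }}"
    state: enabled
    immediate: true
    permanent: true
  with_items:
    - '8448/tcp'  # Matrix federation
    - '3478/tcp'  # STUN
    - '3478/udp'  # STUN
    - "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp"  # TURN
  when: ansible_os_family == 'RedHat'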
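# Render the systemd unit for Synapse. World-readable (0644) is normal for
# unit files; the mode is quoted so it reaches Ansible as a string.
- name: Ensure matrix-synapse.service installed
  template:
    src: "{{ role_path }}/templates/systemd/matrix-synapse.service.j2"
    dest: "/etc/systemd/system/matrix-synapse.service"
    mode: "0644"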
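# Render the user-registration helper script. 0750 keeps it executable for
# the owner/group only; owner and group are not set here, so they default
# to the account Ansible writes the file as. Mode quoted as a string.
- name: Ensure matrix-synapse-register-user script created
  template:
    src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
    dest: "/usr/local/bin/matrix-synapse-register-user"
    mode: "0750"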
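# Install the cron.d entry that restarts Synapse so renewed certificates
# get picked up. cron.d files are read by root, so 0600 is sufficient and
# hides the schedule from other local users. Mode quoted as a string.
- name: Ensure periodic restarting of Matrix is configured (for SSL renewal)
  template:
    src: "{{ role_path }}/templates/cron.d/matrix-periodic-restarter.j2"
    dest: "/etc/cron.d/matrix-periodic-restarter"
    mode: "0600"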