cb323f5b4c
Moving keeps everything in the /matrix directory, so that we wouldn't contaminate anything else on the system or risk clashing with something else. Also retrieving certificates separately for the Riot and Matrix domains, which should help in multiple ways: - allows them to be very different (completely separate base domain..) - allows for Riot to be disabled for the playbook some time later and still have the code not break
157 lines
6.3 KiB
YAML
157 lines
6.3 KiB
YAML
---
|
|
|
|
- name: Ensure Matrix Synapse paths exists
|
|
file:
|
|
path: "{{ item }}"
|
|
state: directory
|
|
mode: 0750
|
|
owner: "{{ matrix_user_username }}"
|
|
group: "{{ matrix_user_username }}"
|
|
with_items:
|
|
- "{{ matrix_synapse_config_dir_path }}"
|
|
- "{{ matrix_synapse_run_path }}"
|
|
# We handle matrix_synapse_media_store_path below, not here,
|
|
# because if it's using S3fs and it's already mounted (from before),
|
|
# trying to chown/chmod it here will cause trouble.
|
|
|
|
- name: Check Matrix Synapse media store path
|
|
stat: path="{{ matrix_synapse_media_store_path }}"
|
|
register: local_path_media_store_stat
|
|
|
|
# This is separate and conditional, to ensure we don't execute it
|
|
# if the path already exists (and is likely used by an s3fs mount).
|
|
- name: Ensure Matrix media store path exists
|
|
file:
|
|
path: "{{ matrix_synapse_media_store_path }}"
|
|
state: directory
|
|
mode: 0750
|
|
owner: "{{ matrix_user_username }}"
|
|
group: "{{ matrix_user_username }}"
|
|
when: "not local_path_media_store_stat.stat.exists"
|
|
|
|
- name: Ensure Matrix Docker image is pulled
|
|
docker_image:
|
|
name: "{{ docker_matrix_image }}"
|
|
|
|
- name: Check if a Matrix Synapse configuration exists
|
|
stat:
|
|
path: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
|
register: matrix_synapse_config_stat
|
|
|
|
- name: Generate initial Matrix config
|
|
docker_container:
|
|
name: matrix-config
|
|
image: "{{ docker_matrix_image }}"
|
|
detach: no
|
|
cleanup: yes
|
|
command: generate
|
|
env:
|
|
SERVER_NAME: "{{ hostname_matrix }}"
|
|
REPORT_STATS: "no"
|
|
user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
|
|
volumes:
|
|
- "{{ matrix_synapse_config_dir_path }}:/data"
|
|
when: "not matrix_synapse_config_stat.stat.exists"
|
|
|
|
- name: Ensure self-signed certificates are removed
|
|
file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
with_items:
|
|
- "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.crt"
|
|
- "{{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.tls.key"
|
|
|
|
- name: Augment Matrix log config
|
|
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/{{ hostname_matrix }}.log.config"
|
|
args:
|
|
regexp: "{{ item.regexp }}"
|
|
line: '{{ item.line }}'
|
|
with_items:
|
|
- {"regexp": "^ filename:", "line": ' filename: /matrix-run/homeserver.log'}
|
|
- {"regexp": "^ maxBytes:", "line": ' maxBytes: {{ matrix_max_log_file_size_mb * 1024 * 1024 }}'}
|
|
- {"regexp": "^ backupCount:", "line": ' backupCount: {{ matrix_max_log_files_count }}'}
|
|
|
|
- name: Augment Matrix config
|
|
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
|
args:
|
|
regexp: "{{ item.regexp }}"
|
|
line: '{{ item.line }}'
|
|
with_items:
|
|
- {"regexp": "^log_file:", "line": 'log_file: "/matrix-run/homeserver.log"'}
|
|
- {"regexp": "^tls_certificate_path:", "line": 'tls_certificate_path: "/acmetool-certs/live/{{ hostname_matrix }}/fullchain"'}
|
|
- {"regexp": "^tls_private_key_path:", "line": 'tls_private_key_path: "/acmetool-certs/live/{{ hostname_matrix }}/privkey"'}
|
|
- {"regexp": "^server_name:", "line": 'server_name: "{{ hostname_identity }}"'}
|
|
- {"regexp": "^turn_allow_guests:", "line": 'turn_allow_guests: False'}
|
|
- {"regexp": "^url_preview_enabled:", "line": 'url_preview_enabled: True'}
|
|
- {"regexp": "^max_upload_size:", "line": 'max_upload_size: "{{ matrix_max_upload_size_mb }}M"'}
|
|
- {"regexp": "^media_store_path:", "line": 'media_store_path: "/matrix-media-store"'}
|
|
|
|
- name: Augment Matrix config (specify URL previews blacklist)
|
|
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
|
args:
|
|
regexp: "^url_preview_ip_range_blacklist:"
|
|
line: 'url_preview_ip_range_blacklist: ["127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", "169.254.0.0/16"]'
|
|
insertafter: '^# url_preview_ip_range_blacklist:$'
|
|
|
|
# We only wish to do this for the 8008 port and not for the 8448 port
|
|
# (2nd instance of `x_forwarded` found in the config)
|
|
- name: Augment Matrix config (mark 8008 plain traffic as forwarded)
|
|
replace: "dest={{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
|
args:
|
|
regexp: "8008((?:.|\n)*)x_forwarded(.*)"
|
|
replace: '8008\g<1>x_forwarded: true'
|
|
|
|
- name: Augment Matrix config (change database from SQLite to Postgres)
|
|
lineinfile:
|
|
dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
|
regexp: '(.*)name: "sqlite3"'
|
|
line: '\1name: "psycopg2"'
|
|
backrefs: yes
|
|
|
|
- name: Augment Matrix config (set the Postgres connection parameters)
|
|
replace:
|
|
dest: "{{ matrix_synapse_config_dir_path }}/homeserver.yaml"
|
|
regexp: '(.*)name: "psycopg2"((?:.|\n)*?)\n\n'
|
|
replace: '\1name: "psycopg2"\n\1args:\n\1\1user: "{{ matrix_postgres_connection_username }}"\n\1\1password: "{{ matrix_postgres_connection_password }}"\n\1\1database: "{{ matrix_postgres_db_name }}"\n\1\1host: "{{ matrix_postgres_connection_hostname }}"\n\1\1cp_min: 5\n\1\1cp_max: 10\n\n'
|
|
|
|
- name: Augment Matrix config (configure Coturn)
|
|
lineinfile: "dest={{ matrix_synapse_config_dir_path }}/turnserver.conf"
|
|
args:
|
|
regexp: "^{{ item.variable }}="
|
|
line: '{{ item.variable }}={{ item.value }}'
|
|
with_items:
|
|
- {'variable': 'min-port', 'value': "{{ matrix_coturn_turn_udp_min_port }}"}
|
|
- {'variable': 'max-port', 'value': "{{ matrix_coturn_turn_udp_max_port }}"}
|
|
- {'variable': 'external-ip', 'value': "{{ matrix_coturn_turn_external_ip_address }}"}
|
|
|
|
- name: Allow access to Matrix ports in firewalld
|
|
firewalld:
|
|
port: "{{ item }}"
|
|
state: enabled
|
|
immediate: yes
|
|
permanent: yes
|
|
with_items:
|
|
- '8448/tcp' # Matrix federation
|
|
- '3478/tcp' # STUN
|
|
- '3478/udp' # STUN
|
|
- "{{ matrix_coturn_turn_udp_min_port }}-{{ matrix_coturn_turn_udp_max_port }}/udp" # TURN
|
|
when: ansible_os_family == 'RedHat'
|
|
|
|
- name: Ensure matrix-synapse.service installed
|
|
template:
|
|
src: "{{ role_path }}/templates/systemd/matrix-synapse.service.j2"
|
|
dest: "/etc/systemd/system/matrix-synapse.service"
|
|
mode: 0644
|
|
|
|
- name: Ensure matrix-synapse-register-user script created
|
|
template:
|
|
src: "{{ role_path }}/templates/usr-local-bin/matrix-synapse-register-user.j2"
|
|
dest: "/usr/local/bin/matrix-synapse-register-user"
|
|
mode: 0750
|
|
|
|
- name: Ensure periodic restarting of Matrix is configured (for SSL renewal)
|
|
template:
|
|
src: "{{ role_path }}/templates/cron.d/matrix-periodic-restarter.j2"
|
|
dest: "/etc/cron.d/matrix-periodic-restarter"
|
|
mode: 0600
|