Author | SHA1 | Date | |
---|---|---|---|
71c0f79008 | |||
e2815c991e | |||
e9faddb274 | |||
60d9fc8613 | |||
43cf9dcab6 | |||
dc7ca807a1 | |||
20057d554a | |||
5d0d3d44b5 | |||
ddcaf23d44 | |||
9ce7ae7bbf | |||
f30b193cc8 | |||
9b25152e7c | |||
b1168bee18 | |||
0b021825ce | |||
5b052beaad | |||
e4f0e1e1fa | |||
cec3858f7d | |||
65614491b3 | |||
5c3f465b8c | |||
5b48325716 | |||
54c65e1b45 | |||
64b0ef72b2 | |||
be6f7c1cc2 | |||
3ac177e04b | |||
c153483976 | |||
71b9e8046c | |||
04b5f8f54c | |||
7c78210551 | |||
7452bd8288 | |||
881eabdf00 | |||
4dbc7f9fea | |||
23e39bee4d | |||
1214b49da2 | |||
64ca0e97b5 | |||
3279f5b0ce | |||
f57b851916 | |||
e84e2fba81 | |||
2ec6bde3bd | |||
0a8d128205 | |||
244194e715 | |||
6350b77ba9 | |||
7d7693a2c7 | |||
03501ac444 | |||
7764a1dd9f | |||
777fc88aaa | |||
ce9cd996ee | |||
50ae4f63cc | |||
2517fe72db | |||
71ef58c97e |
@ -4,10 +4,17 @@
|
|||||||
|
|
||||||
Roles for deploying matrix infrastructure using ansible.
|
Roles for deploying matrix infrastructure using ansible.
|
||||||
|
|
||||||
|
## Modules
|
||||||
|
|
||||||
|
- [`synapse_signing_key`](plugins/modules/synapse_signing_key.md): Module for managing / generating synapse signing keys
|
||||||
|
|
||||||
## Roles
|
## Roles
|
||||||
|
|
||||||
- [`cinny`](roles/cinny/README.md): [Cinny](https://cinny.in/) Web Client
|
- [`cinny`](roles/cinny/README.md): [Cinny](https://cinny.in/) Web Client
|
||||||
- [`element`](roles/element/README.md): [Element](https://element.io/) Web Client
|
- [`element`](roles/element/README.md): [Element](https://element.io/) Web Client
|
||||||
|
- [`hydrogen`](roles/hydrogen/README.md): [Hydrogen](https://matrix.org/ecosystem/clients/hydrogen/) lightweight web client
|
||||||
|
- [`synapse`](roles/synapse/README.md): [Synapse](https://github.com/element-hq/synapse/),
|
||||||
|
a matrix homeserver implemention by Element
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
|
11
galaxy.yml
11
galaxy.yml
@ -1,6 +1,6 @@
|
|||||||
namespace: finallycoffee
|
namespace: finallycoffee
|
||||||
name: matrix
|
name: matrix
|
||||||
version: 0.0.1
|
version: 0.1.5
|
||||||
readme: README.md
|
readme: README.md
|
||||||
authors:
|
authors:
|
||||||
- transcaffeine <transcaffeine@finally.coffee>
|
- transcaffeine <transcaffeine@finally.coffee>
|
||||||
@ -9,4 +9,11 @@ license_file: LICENSE.md
|
|||||||
build_ignore:
|
build_ignore:
|
||||||
- '*.tar.gz'
|
- '*.tar.gz'
|
||||||
repository: https://git.finally.coffee/finallycoffee/matrix
|
repository: https://git.finally.coffee/finallycoffee/matrix
|
||||||
issues: https://git.finally.coffee/finallycoffee/matrix/issues
|
issues: https://codeberg.org/finallycoffee/ansible-collection-matrix/issues
|
||||||
|
tags:
|
||||||
|
- matrix
|
||||||
|
- synapse
|
||||||
|
- homeserver
|
||||||
|
- element
|
||||||
|
- hydrogen
|
||||||
|
- cinny
|
||||||
|
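Review bot: `issues:` now points at codeberg.org while `repository:` on the line above still points at git.finally.coffee, so the collection metadata advertises two different forges; if the project moved, `repository:` (and the role links in README.md) should follow, otherwise the new `issues` URL is the wrong one. The rest of the hunk (the `tags` list and the version bump) is consistent with the roles added in this compare.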
@ -1,3 +1,3 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
requires_ansible: ">=2.14"
|
requires_ansible: ">=2.15"
|
||||||
|
6
playbooks/hydrogen.yml
Normal file
6
playbooks/hydrogen.yml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
- name: Deploy and configure hydrogen
|
||||||
|
hosts: "{{ hydrogen_hosts | default('hydrogen') }}"
|
||||||
|
become: "{{ hydrogen_become | default(true) }}"
|
||||||
|
roles:
|
||||||
|
- role: finallycoffee.matrix.hydrogen
|
6
playbooks/synapse.yml
Normal file
6
playbooks/synapse.yml
Normal file
@ -0,0 +1,6 @@
|
|||||||
|
---
|
||||||
|
- name: Deploy and configure synapse
|
||||||
|
hosts: "{{ synapse_hosts | default('synapse') }}"
|
||||||
|
become: "{{ synapse_become | default(true) }}"
|
||||||
|
roles:
|
||||||
|
- role: finallycoffee.matrix.synapse
|
33
plugins/modules/synapse_signing_key.md
Normal file
33
plugins/modules/synapse_signing_key.md
Normal file
@ -0,0 +1,33 @@
|
|||||||
|
# `finallycoffee.matrix.synapse_signing_key` module
|
||||||
|
|
||||||
|
Module to generate and manage synapse signing keys.
|
||||||
|
|
||||||
|
> [!TIP]
|
||||||
|
> Supports `check mode` and `diff` rendering
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
- `python >= 3.9`
|
||||||
|
- (pip) `signed_json >= 1.1.4`
|
||||||
|
|
||||||
|
|
||||||
|
## Usage examples
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
# Generate a key
|
||||||
|
- finallycoffee.matrix.synapse_signing_key:
|
||||||
|
path: "/not/there/yet/signing.key"
|
||||||
|
state: present
|
||||||
|
|
||||||
|
# Read a key from the filesystem or generate one
|
||||||
|
- finallycoffee.matrix.synapse_signing_key:
|
||||||
|
path: "/maybe/existing/signing/key"
|
||||||
|
register: key_result
|
||||||
|
- debug:
|
||||||
|
msg: "Signing key is '{{ key_result.signing_key }}'"
|
||||||
|
|
||||||
|
# Delete an existing signing key file
|
||||||
|
- finallycoffee.matrix.synapse_signing_key:
|
||||||
|
path: "/path/to/key/to/delete.key"
|
||||||
|
state: absent
|
||||||
|
```
|
139
plugins/modules/synapse_signing_key.py
Normal file
139
plugins/modules/synapse_signing_key.py
Normal file
@ -0,0 +1,139 @@
|
|||||||
|
#!/usr/bin/env python
|
||||||
|
|
||||||
|
__metaclass__ = type
|
||||||
|
|
||||||
|
import os
|
||||||
|
import traceback
|
||||||
|
import random, string
|
||||||
|
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
|
||||||
|
|
||||||
|
from dataclasses import asdict
|
||||||
|
|
||||||
|
LIB_IMPORT_ERR = None
|
||||||
|
try:
|
||||||
|
from signedjson.key import *
|
||||||
|
HAS_LIB = True
|
||||||
|
except:
|
||||||
|
HAS_LIB = False
|
||||||
|
LIB_IMPORT_ERR = traceback.format_exc()
|
||||||
|
|
||||||
|
DOCUMENTION = r"""
|
||||||
|
---
|
||||||
|
module: synapse_signing_key
|
||||||
|
author:
|
||||||
|
- transcaffeine (transcaffeine@finally.coffee)
|
||||||
|
requirements:
|
||||||
|
- python >= 3.9
|
||||||
|
- signed_json >= 1.1.4
|
||||||
|
short_description: Generate and persist a synapse signing key
|
||||||
|
description:
|
||||||
|
- "Allows to generate, save and manipulate synapse signing keys"
|
||||||
|
options:
|
||||||
|
path:
|
||||||
|
description: "Where the signing key is saved or read from"
|
||||||
|
type: str
|
||||||
|
required: false
|
||||||
|
state:
|
||||||
|
description: "State of the key to enforce, can be used to remove keys or generate them"
|
||||||
|
type: str
|
||||||
|
choices: [present, absent]
|
||||||
|
default: present
|
||||||
|
required: false
|
||||||
|
"""
|
||||||
|
|
||||||
|
EXAMPLES = r"""
|
||||||
|
- name: Read existing signing key from filesystem
|
||||||
|
finallycoffee.matrix.synapse_signing_key:
|
||||||
|
path: "/path/to/existing-synapse.signing.key"
|
||||||
|
- name: Delete existing signing key
|
||||||
|
finallycoffee.matrix.synapse.signing_key:
|
||||||
|
path: "/this/signing/key/will/be/deleted.signing.key"
|
||||||
|
state: absent
|
||||||
|
"""
|
||||||
|
|
||||||
|
RETURN = r"""
|
||||||
|
signing_key:
|
||||||
|
description: Complete synapse signing key
|
||||||
|
returned: always
|
||||||
|
type: str
|
||||||
|
"""
|
||||||
|
|
||||||
|
def main() -> None:
|
||||||
|
_ = dict
|
||||||
|
module = AnsibleModule(
|
||||||
|
argument_spec=_(
|
||||||
|
path=_(required=False, type="str"),
|
||||||
|
state=_(
|
||||||
|
required=False,
|
||||||
|
type="str",
|
||||||
|
default="present",
|
||||||
|
choices=["present", "absent"],
|
||||||
|
),
|
||||||
|
),
|
||||||
|
supports_check_mode=True,
|
||||||
|
)
|
||||||
|
|
||||||
|
result = _(changed=False, diff={}, msg="")
|
||||||
|
failed = False
|
||||||
|
|
||||||
|
if not HAS_LIB:
|
||||||
|
module.fail_json(msg=missing_required_lib("signed_json"), exception=LIB_IMPORT_ERR)
|
||||||
|
|
||||||
|
path = module.params['path']
|
||||||
|
state = module.params['state']
|
||||||
|
existing_key_found = False
|
||||||
|
if path:
|
||||||
|
try:
|
||||||
|
keys = _read_signing_keys(module.params['path'])
|
||||||
|
existing_key_found = True
|
||||||
|
except FileNotFoundError:
|
||||||
|
existing_key_found = False
|
||||||
|
if not existing_key_found:
|
||||||
|
keys = _generate_signing_key()
|
||||||
|
result['changed'] = True
|
||||||
|
|
||||||
|
if not module.check_mode:
|
||||||
|
if state == 'present' and not existing_key_found and path:
|
||||||
|
_write_signing_keys(path, keys)
|
||||||
|
if state == 'absent' and existing_key_found:
|
||||||
|
os.remove(path)
|
||||||
|
result['changed'] = True
|
||||||
|
|
||||||
|
result['diff'] = {
|
||||||
|
"before_header": path,
|
||||||
|
"after_header": path,
|
||||||
|
"before": _render_signing_keys(keys) if existing_key_found else "",
|
||||||
|
"after": "" if state == 'absent' else _render_signing_keys(keys),
|
||||||
|
}
|
||||||
|
result['signing_key'] = _render_signing_keys(keys)
|
||||||
|
|
||||||
|
if failed:
|
||||||
|
module.fail_json(**result)
|
||||||
|
else:
|
||||||
|
module.exit_json(**result)
|
||||||
|
|
||||||
|
def _render_signing_keys(keys) -> str:
|
||||||
|
return "\n".join(_render_signing_key(k) for k in keys)
|
||||||
|
|
||||||
|
def _render_signing_key(key) -> str:
|
||||||
|
key_b64 = encode_signing_key_base64(key)
|
||||||
|
return f"{key.alg} {key.version} {key_b64}"
|
||||||
|
|
||||||
|
def _read_signing_keys(file):
|
||||||
|
with open(file, "r", opener=lambda path, f: os.open(path, f)) as stream:
|
||||||
|
return read_signing_keys(stream)
|
||||||
|
|
||||||
|
def _write_signing_keys(file, keys) -> None:
|
||||||
|
with open(file, "w", opener=lambda path, f: os.open(path, f, mode=0o640)) as stream:
|
||||||
|
write_signing_keys(stream, keys)
|
||||||
|
|
||||||
|
def _generate_signing_key():
|
||||||
|
id = ''
|
||||||
|
for i in range(0, 4):
|
||||||
|
id += random.choice(string.ascii_letters)
|
||||||
|
key_id = "a_" + id
|
||||||
|
key = generate_signing_key(key_id)
|
||||||
|
return [key]
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
main()
|
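Review bot: The private key bytes are placed into `result['diff']` (`"before"`/`"after"` via `_render_signing_keys`) as well as `result['signing_key']`, so every `--diff` or verbose run prints the signing key to stdout and to whatever collects playbook output; the diff should carry only `key.alg` and `key.version`, and RETURN should state that `signing_key` is sensitive because registered variables and `-v` output will contain it. Change tracking is also off: the `result['changed'] = True` under `if not existing_key_found:` runs for `state: absent` too, so an already-absent key reports changed on every run, while the deletion's `result['changed'] = True` sits inside `if not module.check_mode:` and is never reported in check mode; an existing but unreadable file escapes as a raw `PermissionError` traceback instead of `fail_json`, and `failed` is never assigned. Three smaller things: `DOCUMENTION` must be spelled `DOCUMENTATION` for ansible-doc and the validate-modules sanity test to see the docs, the bare `except:` around the import should be `except ImportError:`, and the second EXAMPLES entry names `finallycoffee.matrix.synapse.signing_key` instead of `synapse_signing_key`. `missing_required_lib("signed_json")` and the `signed_json >= 1.1.4` requirement also name a package that differs from the imported `signedjson`, which is the distribution name on PyPI, so the install hint sends users to the wrong name. The rewritten middle of `main()` is below; with it `signing_key` is empty when the key is absent rather than a throw-away freshly generated one.
```python
    # … unchanged: AnsibleModule(...) construction, HAS_LIB check, path/state lookup …
    keys = []
    existing_key_found = False
    if path:
        try:
            keys = _read_signing_keys(path)
            existing_key_found = True
        except FileNotFoundError:
            existing_key_found = False
        except OSError as err:
            # existing but unreadable file: report through Ansible, not a raw traceback
            module.fail_json(msg=f"Cannot read signing key at {path}: {err}")
    if state == 'present' and not existing_key_found:
        keys = _generate_signing_key()
        result['changed'] = True
    if state == 'absent' and existing_key_found:
        result['changed'] = True  # reported in check mode as well

    if not module.check_mode:
        if state == 'present' and not existing_key_found and path:
            _write_signing_keys(path, keys)
        if state == 'absent' and existing_key_found:
            os.remove(path)

    # Only key identifiers go into the diff: `--diff` / verbose output is logged,
    # so the key bytes must stay out of it.
    key_ids = "\n".join(f"{k.alg} {k.version}" for k in keys)
    result['diff'] = {
        "before_header": path,
        "after_header": path,
        "before": key_ids if existing_key_found else "",
        "after": "" if state == 'absent' else key_ids,
    }
    result['signing_key'] = _render_signing_keys(keys)
    module.exit_json(**result)
```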
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
cinny_user: cinny
|
cinny_user: cinny
|
||||||
cinny_state: "present"
|
cinny_state: "present"
|
||||||
cinny_version: "4.2.1"
|
cinny_version: "4.2.3"
|
||||||
cinny_deployment_method: "docker"
|
cinny_deployment_method: "docker"
|
||||||
|
|
||||||
cinny_base_path: "/opt/cinny"
|
cinny_base_path: "/opt/cinny"
|
||||||
|
@ -14,7 +14,6 @@ are available under the `cinny_container_` prefix:
|
|||||||
- `labels`
|
- `labels`
|
||||||
- `networks`
|
- `networks`
|
||||||
- `etc_hosts`
|
- `etc_hosts`
|
||||||
- `purge_networks`
|
|
||||||
|
|
||||||
The following variables are pre-populated by the role, so override them with care:
|
The following variables are pre-populated by the role, so override them with care:
|
||||||
|
|
||||||
|
12
roles/cinny/meta/main.yml
Normal file
12
roles/cinny/meta/main.yml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
allow_duplicates: true
|
||||||
|
dependencies: []
|
||||||
|
galaxy_info:
|
||||||
|
role_name: cinny
|
||||||
|
description: Deploy cinny, a matrix web client, using podman, docker or a raw tarball to serve from your webserver
|
||||||
|
galaxy_tags:
|
||||||
|
- cinny
|
||||||
|
- matrix
|
||||||
|
- matrix-client
|
||||||
|
- docker
|
||||||
|
- podman
|
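Review bot: `galaxy_info` carries only `role_name`, `description` and `galaxy_tags`; `author`, `license`, `min_ansible_version` and `platforms` are missing, which ansible-lint's `meta-no-info` rule flags if the collection is linted. Since meta/runtime.yml in this same compare pins `requires_ansible: ">=2.15"`, adding `min_ansible_version: "2.15"` (quoted, so it is not parsed as the float 2.15) keeps the two declarations in step. The same gap is in the new roles/element/meta/main.yml and roles/hydrogen/meta/main.yml.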
@ -30,4 +30,3 @@
|
|||||||
networks: "{{ cinny_container_networks | default(omit) }}"
|
networks: "{{ cinny_container_networks | default(omit) }}"
|
||||||
etc_hosts: "{{ cinny_container_etc_hosts | default(omit) }}"
|
etc_hosts: "{{ cinny_container_etc_hosts | default(omit) }}"
|
||||||
restart_policy: "{{ cinny_container_restart_policy }}"
|
restart_policy: "{{ cinny_container_restart_policy }}"
|
||||||
purge_networks: "{{ cinny_container_purge_networks | default(omit) }}"
|
|
||||||
|
@ -11,12 +11,15 @@ element_container_image_registry: "docker.io"
|
|||||||
element_container_image_namespace: "vectorim"
|
element_container_image_namespace: "vectorim"
|
||||||
element_container_image_name: "element-web"
|
element_container_image_name: "element-web"
|
||||||
element_container_image_tag: ~
|
element_container_image_tag: ~
|
||||||
|
element_container_image_source: pull
|
||||||
|
element_container_image_force_source: >-2
|
||||||
|
{{ element_container_image_tag | default(false, true) | bool }}
|
||||||
element_container_name: "element-web"
|
element_container_name: "element-web"
|
||||||
element_container_restart_policy: >-
|
element_container_restart_policy: >-
|
||||||
{{ (element_deployment_method == 'docker')
|
{{ (element_deployment_method == 'docker')
|
||||||
| ternary('unless-stopped',
|
| ternary('unless-stopped',
|
||||||
(element_deployment_method == 'podman' |
|
(element_deployment_method == 'podman' |
|
||||||
ternary('on-failure', 'always'))
|
ternary('on-failure', 'always')))
|
||||||
}}
|
}}
|
||||||
element_container_full_volumes: >-
|
element_container_full_volumes: >-
|
||||||
{{ element_container_default_volumes
|
{{ element_container_default_volumes
|
||||||
|
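Review bot: `element_container_image_force_source` can never become true for a real tag: `element_container_image_tag | default(false, true) | bool` feeds a string such as `v1.11.90` into the `bool` filter, which only recognises `yes`/`on`/`1`/`true` and yields false for anything else (as far as I recall, recent ansible-core also deprecates coercing such strings). If the intent is to force a re-pull whenever a tag is set explicitly, test for presence instead: `{{ element_container_image_tag | default('', true) | length > 0 }}`. The same expression is introduced as `hydrogen_container_image_force_source` in roles/hydrogen/defaults/main/container.yml.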
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
element_user: element
|
element_user: element
|
||||||
element_state: "present"
|
element_state: "present"
|
||||||
element_version: "1.11.77"
|
element_version: "1.11.90"
|
||||||
element_deployment_method: "docker"
|
element_deployment_method: "docker"
|
||||||
|
|
||||||
element_base_path: "/opt/element"
|
element_base_path: "/opt/element"
|
||||||
@ -10,9 +10,9 @@ element_dist_path: "{{ element_source_path }}/dist"
|
|||||||
element_config_path: "{{ element_base_path }}/config"
|
element_config_path: "{{ element_base_path }}/config"
|
||||||
element_config_file: "{{ element_config_path }}/config.json"
|
element_config_file: "{{ element_config_path }}/config.json"
|
||||||
|
|
||||||
element_host_uid: >-
|
element_host_uid: >-2
|
||||||
{{ element_user_info is defined
|
{{ ((element_user_info is defined) and ('uid' in element_user_info))
|
||||||
| ternary(element_user_info.uid, element_user) }}
|
| ternary(element_user_info.uid, element_user) }}
|
||||||
element_host_gid: >-
|
element_host_gid: >-2
|
||||||
{{ element_user_info is defined
|
{{ ((element_user_info is defined) and ('uid' in element_user_info))
|
||||||
| ternary(element_user_info.group, element_user) }}
|
| ternary(element_user_info.group, element_user) }}
|
||||||
|
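Review bot: The new guard in `element_host_gid` tests `'uid' in element_user_info` but the value it then reads is `element_user_info.group`, so a user result without `group` still fails on the attribute lookup while one with `group` but no `uid` falls back to `element_user` needlessly. The condition should be `{{ ((element_user_info is defined) and ('group' in element_user_info))`, which is what `synapse_container_group` in roles/synapse/defaults/main/container.yml already does. The `element_host_uid` guard above it is correct as written.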
@ -14,7 +14,6 @@ are available under the `element_container_` prefix:
|
|||||||
- `labels`
|
- `labels`
|
||||||
- `networks`
|
- `networks`
|
||||||
- `etc_hosts`
|
- `etc_hosts`
|
||||||
- `purge_networks`
|
|
||||||
|
|
||||||
The following variables are pre-populated by the role, so override them with care:
|
The following variables are pre-populated by the role, so override them with care:
|
||||||
|
|
||||||
|
12
roles/element/meta/main.yml
Normal file
12
roles/element/meta/main.yml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
allow_duplicates: true
|
||||||
|
dependencies: []
|
||||||
|
galaxy_info:
|
||||||
|
role_name: element
|
||||||
|
description: Deploy element, a matrix web client, using either docker, podman or a raw tarball to serve with your webserver
|
||||||
|
galaxy_tags:
|
||||||
|
- element
|
||||||
|
- matrix
|
||||||
|
- matrix-client
|
||||||
|
- docker
|
||||||
|
- podman
|
@ -14,8 +14,8 @@
|
|||||||
community.docker.docker_image:
|
community.docker.docker_image:
|
||||||
name: "{{ element_container_image }}"
|
name: "{{ element_container_image }}"
|
||||||
state: "{{ element_state }}"
|
state: "{{ element_state }}"
|
||||||
source: "{{ element_container_source }}"
|
source: "{{ element_container_image_source }}"
|
||||||
force_source: "{{ element_container_image_tag | default(false, true) }}"
|
force_source: "{{ element_container_image_force_source }}"
|
||||||
|
|
||||||
- name: Ensure container '{{ element_container_name }}' is {{ element_state }}
|
- name: Ensure container '{{ element_container_name }}' is {{ element_state }}
|
||||||
community.docker.docker_container:
|
community.docker.docker_container:
|
||||||
@ -23,11 +23,10 @@
|
|||||||
image: "{{ element_container_image }}"
|
image: "{{ element_container_image }}"
|
||||||
state: "{{ (element_state == 'present') | ternary('started', 'absent') }}"
|
state: "{{ (element_state == 'present') | ternary('started', 'absent') }}"
|
||||||
env: "{{ element_container_env | default(omit) }}"
|
env: "{{ element_container_env | default(omit) }}"
|
||||||
user: "{{ element_container_user }}"
|
user: "{{ element_container_user | default(omit) }}"
|
||||||
ports: "{{ element_container_ports | default(omit) }}"
|
ports: "{{ element_container_ports | default(omit) }}"
|
||||||
labels: "{{ element_container_labels | default(omit) }}"
|
labels: "{{ element_container_labels | default(omit) }}"
|
||||||
volumes: "{{ element_container_full_volumes }}"
|
volumes: "{{ element_container_full_volumes }}"
|
||||||
networks: "{{ element_container_networks | default(omit) }}"
|
networks: "{{ element_container_networks | default(omit) }}"
|
||||||
etc_hosts: "{{ element_container_etc_hosts | default(omit) }}"
|
etc_hosts: "{{ element_container_etc_hosts | default(omit) }}"
|
||||||
restart_policy: "{{ element_container_restart_policy }}"
|
restart_policy: "{{ element_container_restart_policy }}"
|
||||||
purge_networks: "{{ element_container_purge_networks | default(omit) }}"
|
|
||||||
|
@ -3,8 +3,8 @@
|
|||||||
containers.podman.podman_image:
|
containers.podman.podman_image:
|
||||||
name: "{{ element_container_image }}"
|
name: "{{ element_container_image }}"
|
||||||
state: "{{ element_state }}"
|
state: "{{ element_state }}"
|
||||||
pull: "{{ element_container_source == 'pull' }}"
|
pull: "{{ element_container_image_source == 'pull' }}"
|
||||||
force: "{{ element_container_image_tag | default(false, true) }}"
|
force: "{{ element_container_image_force_source }}"
|
||||||
|
|
||||||
- name: Ensure container '{{ element_container_name }}' is {{ element_state }}
|
- name: Ensure container '{{ element_container_name }}' is {{ element_state }}
|
||||||
containers.podman.podman_container:
|
containers.podman.podman_container:
|
||||||
@ -12,7 +12,7 @@
|
|||||||
image: "{{ element_container_image }}"
|
image: "{{ element_container_image }}"
|
||||||
state: "{{ (element_state == 'present') | ternary('started', 'absent') }}"
|
state: "{{ (element_state == 'present') | ternary('started', 'absent') }}"
|
||||||
env: "{{ element_container_env | default(omit) }}"
|
env: "{{ element_container_env | default(omit) }}"
|
||||||
user: "{{ element_container_user }}"
|
user: "{{ element_container_user | default(omit) }}"
|
||||||
ports: "{{ element_container_ports | default(omit) }}"
|
ports: "{{ element_container_ports | default(omit) }}"
|
||||||
labels: "{{ element_container_labels | default(omit) }}"
|
labels: "{{ element_container_labels | default(omit) }}"
|
||||||
volumes: "{{ element_container_full_volumes }}"
|
volumes: "{{ element_container_full_volumes }}"
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
---
|
---
|
||||||
element_state:
|
element_states:
|
||||||
- present
|
- present
|
||||||
- absent
|
- absent
|
||||||
|
|
||||||
|
13
roles/hydrogen/README.md
Normal file
13
roles/hydrogen/README.md
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
# `finallycoffee.matrix.hydrogen` ansible role
|
||||||
|
|
||||||
|
Deploy [hydrogen](https://matrix.org/ecosystem/clients/hydrogen/),
|
||||||
|
a lightweight matrix web client with SSO, multi-account and E2EE
|
||||||
|
Support.
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
All configuration keys which would be written in the `config.json`
|
||||||
|
are available under the `hydrogen_config_*` as flattened camelcase keys.
|
||||||
|
As an alternative, the entire config structure can be passed into
|
||||||
|
`hydrogen_config` (in combine mode) or `hydrogen_full_config` (ignores
|
||||||
|
all defaults).
|
42
roles/hydrogen/defaults/main/container.yml
Normal file
42
roles/hydrogen/defaults/main/container.yml
Normal file
@ -0,0 +1,42 @@
|
|||||||
|
---
|
||||||
|
hydrogen_container_name: hydrogen
|
||||||
|
hydrogen_container_image_server: ghcr.io
|
||||||
|
hydrogen_container_image_namespace: element-hq
|
||||||
|
hydrogen_container_image_name: hydrogen-web
|
||||||
|
hydrogen_container_image_tag: ~
|
||||||
|
hydrogen_container_image: >-2
|
||||||
|
{{
|
||||||
|
([
|
||||||
|
hydrogen_container_image_server,
|
||||||
|
hydrogen_container_image_namespace,
|
||||||
|
hydrogen_container_image_name,
|
||||||
|
] | join('/'))
|
||||||
|
+ ':' + (hydrogen_container_image_tag
|
||||||
|
| default('v' + hydrogen_version, true))
|
||||||
|
}}
|
||||||
|
|
||||||
|
hydrogen_container_working_directory: "/usr/share/nginx/html"
|
||||||
|
hydrogen_container_config_file: >-2
|
||||||
|
{{ hydrogen_container_working_directory }}/config.json
|
||||||
|
hydrogen_container_base_volumes:
|
||||||
|
- "{{ hydrogen_config_file }}:{{ hydrogen_container_config_file }}:ro"
|
||||||
|
hydrogen_container_full_volumes: >-2
|
||||||
|
{{ hydrogen_container_base_volumes | default([], true)
|
||||||
|
+ (hydrogen_container_volumes | default([], true))
|
||||||
|
|
||||||
|
hydrogen_container_image_source: pull
|
||||||
|
hydrogen_container_image_force_source: >-2
|
||||||
|
{{ hydrogen_container_image_tag | default(false, true) | bool }}
|
||||||
|
hydrogen_container_state: >-2
|
||||||
|
{{ (hydrogen_state == 'present') | ternary('started', 'absent') }}
|
||||||
|
hydrogen_container_env: ~
|
||||||
|
hydrogen_container_user: >-2
|
||||||
|
{{ hydrogen_run_user_id }}:{{ hydrogen_run_group_id }}
|
||||||
|
hydrogen_container_ports: ~
|
||||||
|
hydrogen_container_labels: ~
|
||||||
|
hydrogen_container_ulimits: ~
|
||||||
|
hydrogen_container_volumes: ~
|
||||||
|
hydrogen_container_networks: ~
|
||||||
|
hydrogen_container_dns_servers: ~
|
||||||
|
hydrogen_container_etc_hosts: ~
|
||||||
|
hydrogen_container_restart_policy: unless-stopped
|
21
roles/hydrogen/defaults/main/main.yml
Normal file
21
roles/hydrogen/defaults/main/main.yml
Normal file
@ -0,0 +1,21 @@
|
|||||||
|
---
|
||||||
|
hydrogen_state: present
|
||||||
|
hydrogen_user: hydrogen
|
||||||
|
hydrogen_version: "0.5.1"
|
||||||
|
hydrogen_deployment_method: docker
|
||||||
|
|
||||||
|
hydrogen_config_file: "/etc/hydrogen/config.json"
|
||||||
|
|
||||||
|
hydrogen_config: ~
|
||||||
|
hydrogen_config_default_home_server: matrix.org
|
||||||
|
hydrogen_config_default_theme_light: "element-light"
|
||||||
|
hydrogen_config_default_theme_dark: "element-dark"
|
||||||
|
hydrogen_config_default_theme:
|
||||||
|
light: "{{ hydrogen_config_default_theme_light }}"
|
||||||
|
dark: "{{ hydrogen_config_default_theme_dark }}"
|
||||||
|
hydrogen_base_config:
|
||||||
|
defaultHomeServer: "{{ hydrogen_config_default_home_server }}"
|
||||||
|
defaultTheme: "{{ hydrogen_config_default_theme }}"
|
||||||
|
hydrogen_full_config: >-2
|
||||||
|
{{ hydrogen_base_config | default({}, true)
|
||||||
|
| combine(hydrogen_config | default({}, true)) }}
|
5
roles/hydrogen/defaults/main/user.yml
Normal file
5
roles/hydrogen/defaults/main/user.yml
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
---
|
||||||
|
hydrogen_run_user_id: >-2
|
||||||
|
{{ hydrogen_user_info.uid | default(hydrogen_user) }}
|
||||||
|
hydrogen_run_group_id: >-2
|
||||||
|
{{ hydrogen_user_info.group | default(hydrogen_user) }}
|
12
roles/hydrogen/meta/main.yml
Normal file
12
roles/hydrogen/meta/main.yml
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
---
|
||||||
|
allow_duplicates: true
|
||||||
|
dependencies: []
|
||||||
|
galaxy_info:
|
||||||
|
role_name: hydrogen
|
||||||
|
description: Deploy hydrogen, a lightweight matrix web client
|
||||||
|
galaxy_tags:
|
||||||
|
- hydrogen
|
||||||
|
- matrix
|
||||||
|
- matrix-client
|
||||||
|
- docker
|
||||||
|
- podman
|
31
roles/hydrogen/tasks/deploy-docker.yml
Normal file
31
roles/hydrogen/tasks/deploy-docker.yml
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
---
|
||||||
|
- name: Ensure container image '{{ hydrogen_container_image }}' is {{ hydrogen_state }} on host
|
||||||
|
community.docker.docker_image:
|
||||||
|
name: "{{ hydrogen_container_image }}"
|
||||||
|
state: "{{ hydrogen_state }}"
|
||||||
|
source: "{{ hydrogen_container_image_source }}"
|
||||||
|
force_source: >-2
|
||||||
|
{{ hydrogen_container_image_force_source }}
|
||||||
|
register: hydrogen_container_image_info
|
||||||
|
until: hydrogen_container_image_info is success
|
||||||
|
retries: 5
|
||||||
|
delay: 3
|
||||||
|
|
||||||
|
- name: Ensure hydrogen container '{{ hydrogen_container_name }}' is {{ hydrogen_container_state }}
|
||||||
|
community.docker.docker_container:
|
||||||
|
name: "{{ hydrogen_container_name }}"
|
||||||
|
image: "{{ hydrogen_container_image }}"
|
||||||
|
env: "{{ hydrogen_container_env | default(omit, true) }}"
|
||||||
|
user: "{{ hydrogen_container_user }}"
|
||||||
|
ports: "{{ hydrogen_container_ports | default(omit, true) }}"
|
||||||
|
labels: "{{ hydrogen_container_labels | default(omit, true) }}"
|
||||||
|
ulimits: "{{ hydrogen_container_ulimits | default(omit, true) }}"
|
||||||
|
volumes: "{{ hydrogen_container_volumes }}"
|
||||||
|
networks: "{{ hydrogen_container_networks | default(omit, true) }}"
|
||||||
|
dns_servers: >-2
|
||||||
|
{{ hydrogen_container_dns_servers | default(omit, true) }}
|
||||||
|
etc_hosts: >-2
|
||||||
|
{{ hydrogen_container_etc_hosts | default(omit, true) }}
|
||||||
|
restart_policy: >-2
|
||||||
|
{{ hydrogen_container_restart_policy | default(omit, true) }}
|
||||||
|
state: "{{ hydrogen_container_state }}"
|
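Review bot: The container task passes `volumes: "{{ hydrogen_container_volumes }}"`, but `hydrogen_container_volumes` defaults to `~` and the config-file bind mount lives in `hydrogen_container_base_volumes`, which is only merged into `hydrogen_container_full_volumes` (roles/hydrogen/defaults/main/container.yml); as written the container receives a null volume list and `config.json` is never mounted. Use `volumes: "{{ hydrogen_container_full_volumes }}"` here and in roles/hydrogen/tasks/deploy-podman.yml, which has the same line. The other nullable options (`env`, `ports`, `labels`, `ulimits`, `networks`, `dns_servers`, `etc_hosts`) are covered by `default(omit, true)`, so `volumes` is the only one that hits this.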
30
roles/hydrogen/tasks/deploy-podman.yml
Normal file
30
roles/hydrogen/tasks/deploy-podman.yml
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
---
|
||||||
|
- name: Ensure container image '{{ hydrogen_container_image }}' is {{ hydrogen_state }} on host
|
||||||
|
containers.podman.podman_image:
|
||||||
|
name: "{{ hydrogen_container_image }}"
|
||||||
|
state: "{{ hydrogen_state }}"
|
||||||
|
pull: "{{ hydrogen_container_image_source == 'pull' }}"
|
||||||
|
force: "{{ hydrogen_container_image_force_source }}"
|
||||||
|
register: hydrogen_container_image_info
|
||||||
|
until: hydrogen_container_image_info is success
|
||||||
|
retries: 5
|
||||||
|
delay: 3
|
||||||
|
|
||||||
|
- name: Ensure hydrogen container '{{ hydrogen_container_name }}' is {{ hydrogen_container_state }}
|
||||||
|
containers.podman.podman_container:
|
||||||
|
name: "{{ hydrogen_container_name }}"
|
||||||
|
image: "{{ hydrogen_container_image }}"
|
||||||
|
env: "{{ hydrogen_container_env | default(omit, true) }}"
|
||||||
|
user: "{{ hydrogen_container_user }}"
|
||||||
|
ports: "{{ hydrogen_container_ports | default(omit, true) }}"
|
||||||
|
labels: "{{ hydrogen_container_labels | default(omit, true) }}"
|
||||||
|
ulimits: "{{ hydrogen_container_ulimits | default(omit, true) }}"
|
||||||
|
volumes: "{{ hydrogen_container_volumes }}"
|
||||||
|
network: "{{ hydrogen_container_networks | default(omit, true) }}"
|
||||||
|
dns_servers: >-2
|
||||||
|
{{ hydrogen_container_dns_servers | default(omit, true) }}
|
||||||
|
etc_hosts: >-2
|
||||||
|
{{ hydrogen_container_etc_hosts | default(omit, true) }}
|
||||||
|
restart_policy: >-2
|
||||||
|
{{ hydrogen_container_restart_policy | default(omit, true) }}
|
||||||
|
state: "{{ hydrogen_container_state }}"
|
57
roles/hydrogen/tasks/main.yml
Normal file
57
roles/hydrogen/tasks/main.yml
Normal file
@ -0,0 +1,57 @@
|
|||||||
|
---
|
||||||
|
- name: Check if deployment method is supported
|
||||||
|
ansible.builtin.fail:
|
||||||
|
msg: >-2
|
||||||
|
Deployment method '{{ hydrogen_deployment_method }}'
|
||||||
|
is not supported. Support methods are
|
||||||
|
{{ hydrogen_deployment_methods | join(', ') }}.
|
||||||
|
when: hydrogen_deployment_method not in hydrogen_deployment_methods
|
||||||
|
|
||||||
|
- name: Check if state is supported
|
||||||
|
ansible.builtin.fail:
|
||||||
|
msg: >-2
|
||||||
|
State '{{ hydrogen_state }}' is not supported.
|
||||||
|
Supported states are: {{ hydrogen_states | join(', ') }}
|
||||||
|
when: hydrogen_state not in hydrogen_states
|
||||||
|
|
||||||
|
- name: Ensure hydrogen user '{{ hydrogen_user }}' is {{ hydrogen_state }}
|
||||||
|
ansible.builtin.user:
|
||||||
|
name: "{{ hydrogen_user }}"
|
||||||
|
system: "{{ hydrogen_user_system | default(true, true) }}"
|
||||||
|
groups: "{{ hydrogen_user_groups | default(omit, true) }}"
|
||||||
|
append: >-2
|
||||||
|
{{ hydrogen_user_append_groups
|
||||||
|
| default(hydrogen_user_groups | default([]) | length > 0, true)
|
||||||
|
| bool
|
||||||
|
}}
|
||||||
|
state: "{{ hydrogen_state }}"
|
||||||
|
register: hydrogen_user_info
|
||||||
|
|
||||||
|
- name: Ensure hydrogen config file is {{ hydrogen_state }}
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ hydrogen_config_file }}"
|
||||||
|
state: "{{ hydrogen_state }}"
|
||||||
|
when: hydrogen_state == 'absent'
|
||||||
|
|
||||||
|
- name: Ensure hydrogen config folder is {{ hydrogen_state }}
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ hydrogen_config_file | ansible.builtin.basename }}"
|
||||||
|
state: >-2
|
||||||
|
{{ (hydrogen_state == 'present')
|
||||||
|
| ternary('directory', 'absent') }}
|
||||||
|
owner: "{{ hydrogen_run_user_id }}"
|
||||||
|
group: "{{ hydrogen_run_group_id }}"
|
||||||
|
mode: "0755"
|
||||||
|
|
||||||
|
- name: Ensure hydrogen config file is {{ hydrogen_state }}
|
||||||
|
ansible.builtin.copy:
|
||||||
|
dest: "{{ hydrogen_config_file }}"
|
||||||
|
content: "{{ hydrogen_config | to_nice_json }}"
|
||||||
|
owner: "{{ hydrogen_run_user_id }}"
|
||||||
|
group: "{{ hydrogen_run_group_id }}"
|
||||||
|
mode: "0640"
|
||||||
|
when: hydrogen_state == 'present'
|
||||||
|
|
||||||
|
- name: Deploy using {{ hydrogen_deployment_method }}
|
||||||
|
ansible.builtin.include_tasks:
|
||||||
|
file: "deploy-{{ hydrogen_deployment_method }}.yml"
|
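Review bot: The "config folder" task uses `ansible.builtin.basename`, so for the default `/etc/hydrogen/config.json` it creates a directory literally named `config.json` (relative to the remote working directory) instead of `/etc/hydrogen`, and the following copy then fails on the missing parent; it should be `path: "{{ hydrogen_config_file | ansible.builtin.dirname }}"`. The copy task writes `hydrogen_config | to_nice_json`, whose default is `~` (rendering as `null`), while the merged `hydrogen_full_config` — base defaults combined with the user's `hydrogen_config` — is never used; `content: "{{ hydrogen_full_config | to_nice_json }}"` matches what the role README in this compare describes. The first fail message reads "Support methods are"; "Supported methods are" would match the wording of the state check below it.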
7
roles/hydrogen/vars/main.yml
Normal file
7
roles/hydrogen/vars/main.yml
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
---
|
||||||
|
hydrogen_states:
|
||||||
|
- present
|
||||||
|
- absent
|
||||||
|
hydrogen_deployment_methods:
|
||||||
|
- docker
|
||||||
|
- podman
|
40
roles/synapse/README.md
Normal file
40
roles/synapse/README.md
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
# `finallycoffee.matrix.synapse` ansible role
|
||||||
|
|
||||||
|
## Configuration
|
||||||
|
|
||||||
|
### Required
|
||||||
|
|
||||||
|
The following variables need to be populated:
|
||||||
|
|
||||||
|
- `synapse_domain` - the domain this homeserver should be authoritative for.
|
||||||
|
- `synapse_signing_key` - the signing key synapse should use.
|
||||||
|
Set either this or `synapse_role_generate_signing_key: true`.
|
||||||
|
|
||||||
|
## Other
|
||||||
|
|
||||||
|
- [Configure your database](docs/database.md)
|
||||||
|
- [Configure your listeners](docs/listeners.md)
|
||||||
|
- [Configure logging](docs/logging.md)
|
||||||
|
|
||||||
|
## Deployment methods
|
||||||
|
|
||||||
|
- `docker`
|
||||||
|
- `podman`
|
||||||
|
- `virtualenv` - Python virtual env supervised with `systemd`
|
||||||
|
|
||||||
|
Set `synapse_deployment_method` to one of the supported deployment methods.
|
||||||
|
The current default is `docker`.
|
||||||
|
|
||||||
|
### `virtualenv` deployment method
|
||||||
|
|
||||||
|
This deployment method installs a `systemd` service called `synapse.service` to
|
||||||
|
control the homeserver process. The service depends on the `network.target` by
|
||||||
|
default (see [`synapse_systemd_unit_after`](synapse/main/systemd.yml)), and
|
||||||
|
uses the `default.target` as it's `WantedBy`
|
||||||
|
(see [`synapse_systemd_install_wanted_by`](synapse/main/systemd.yml)).
|
||||||
|
|
||||||
|
To only start synapse after, for example, services for redis and postgresql are up,
|
||||||
|
set `synapse_systemd_unit_wants: [ "postgresql.service", "redis.service" ]`.
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
|
> Requires `systemd >= 245` on the target machine
|
64
roles/synapse/defaults/main/container.yml
Normal file
64
roles/synapse/defaults/main/container.yml
Normal file
@ -0,0 +1,64 @@
|
|||||||
|
---
|
||||||
|
synapse_container_name: synapse
|
||||||
|
synapse_container_image: >-2
|
||||||
|
{{
|
||||||
|
[
|
||||||
|
synapse_container_image_repository,
|
||||||
|
synapse_container_image_tag | default('v' ~ synapse_version, true)
|
||||||
|
] | join(':')
|
||||||
|
}}
|
||||||
|
synapse_container_image_registry: ghcr.io
|
||||||
|
synapse_container_image_namespace: element-hq
|
||||||
|
synapse_container_image_name: synapse
|
||||||
|
synapse_container_image_repository: >-2
|
||||||
|
{{ synapse_container_image_registry
|
||||||
|
~ (('/' ~ synapse_container_image_namespace)
|
||||||
|
if synapse_container_image_namespace else '')
|
||||||
|
~ '/' ~ synapse_container_image_name }}
|
||||||
|
synapse_container_image_source: pull
|
||||||
|
synapse_container_image_tag: ~
|
||||||
|
synapse_container_env: {}
|
||||||
|
synapse_container_user: >-2
|
||||||
|
{{ ((synapse_user_info is defined) and ('uid' in synapse_user_info))
|
||||||
|
| ternary(synapse_user_info.uid, synapse_user) }}
|
||||||
|
synapse_container_group: >-2
|
||||||
|
{{ ((synapse_user_info is defined) and ('group' in synapse_user_info))
|
||||||
|
| ternary(synapse_user_info.group, synapse_user) }}
|
||||||
|
synapse_container_groups:
|
||||||
|
- "{{ synapse_container_group }}"
|
||||||
|
synapse_container_ports: ~
|
||||||
|
synapse_container_labels: ~
|
||||||
|
synapse_container_ulimits: ~
|
||||||
|
synapse_container_networks: ~
|
||||||
|
synapse_container_dns_servers: ~
|
||||||
|
synapse_container_etc_hosts: ~
|
||||||
|
synapse_container_memory: ~
|
||||||
|
synapse_container_memory_reservation: ~
|
||||||
|
synapse_container_memory_swap: ~
|
||||||
|
synapse_container_state: >-2
|
||||||
|
{{ (synapse_state == 'present')
|
||||||
|
| ternary('started', 'absent') }}
|
||||||
|
synapse_container_restart_policy: >-2
|
||||||
|
{{ (synapse_deployment_method == 'docker')
|
||||||
|
| ternary('unless-stopped', ((synapse_deployment_method == 'podman')
|
||||||
|
| ternary('on-failure', 'always')))
|
||||||
|
}}
|
||||||
|
|
||||||
|
synapse_container_volumes: ~
|
||||||
|
synapse_container_default_volumes:
|
||||||
|
- "{{ synapse_homeserver_config_file }}:/data/homeserver.yaml:ro"
|
||||||
|
- "{{ synapse_logging_config_file }}:{{ synapse_logging_config_file }}:ro"
|
||||||
|
- "{{ synapse_signing_key_file }}:{{ synapse_signing_key_file }}:ro"
|
||||||
|
- "{{ synapse_data_path }}:{{ synapse_data_path }}:z"
|
||||||
|
- "{{ synapse_media_store_path }}:{{ synapse_media_store_path }}:z"
|
||||||
|
- "{{ synapse_log_path }}:{{ synapse_log_path }}:z"
|
||||||
|
synapse_container_tls_volumes:
|
||||||
|
- "{{ synapse_config_tls_certificate_path }}:{{ synapse_config_tls_certificate_path }}:ro"
|
||||||
|
- "{{ synapse_config_tls_private_key_path }}:{{ synapse_config_tls_private_key_path_path }}:ro"
|
||||||
|
synapse_container_all_volumes: >-
|
||||||
|
{{ synapse_container_default_volumes | default([], true)
|
||||||
|
+ (synapse_container_tls_volumes
|
||||||
|
if (synapse_config_tls_private_key_path | default(false, true) | bool
|
||||||
|
and synapse_config_tls_certificate_path | default(false, true) | bool)
|
||||||
|
else [])
|
||||||
|
+ synapse_container_volumes | default([], true) }}
|
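Review bot: The private-key entry of `synapse_container_tls_volumes` uses `synapse_config_tls_private_key_path_path` for its container-side path, a name defined nowhere in this role, so that mount renders against an undefined variable; it should read `- "{{ synapse_config_tls_private_key_path }}:{{ synapse_config_tls_private_key_path }}:ro"`. The guard in `synapse_container_all_volumes` then pipes both file paths through `bool`, and a filesystem path is not a boolean-like string, so the TLS volumes are never appended even when both paths are set (recent Ansible releases reject such strings outright rather than returning false). Test for presence instead: `if (synapse_config_tls_private_key_path | default('', true) | length > 0` / `and synapse_config_tls_certificate_path | default('', true) | length > 0)`. The `synapse_config_tls_*` variables and `synapse_user` are defined outside this file, so their defaults are not verified here.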
31
roles/synapse/defaults/main/homeserver.api.yml
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
---
|
||||||
|
synapse_config_macaroon_secret_key: ~
|
||||||
|
synapse_config_form_secret: ~
|
||||||
|
synapse_config_use_appservice_legacy_authorization: false
|
||||||
|
synapse_config_track_appservice_user_ips: false
|
||||||
|
synapse_config_track_puppeted_user_ips: false
|
||||||
|
synapse_config_app_service_config_files: []
|
||||||
|
synapse_config_room_prejoin_state_disable_default_event_types: false
|
||||||
|
synapse_config_room_prejoin_state_additional_event_types: []
|
||||||
|
|
||||||
|
synapse_base_api_config:
|
||||||
|
app_service_config_files: "{{ synapse_config_app_service_config_files }}"
|
||||||
|
use_appservice_legacy_authorization: >-
|
||||||
|
{{ synapse_config_use_appservice_legacy_authorization }}
|
||||||
|
track_appservice_user_ips: >-
|
||||||
|
{{ synapse_config_track_appservice_user_ips }}
|
||||||
|
track_puppeted_user_ips: >-
|
||||||
|
{{ synapse_config_track_puppeted_user_ips }}
|
||||||
|
room_prejoin_state:
|
||||||
|
disable_default_event_types: >-2
|
||||||
|
{{ synapse_config_room_prejoin_state_disable_default_event_types }}
|
||||||
|
additional_event_types: >-2
|
||||||
|
{{ synapse_config_room_prejoin_state_additional_event_types }}
|
||||||
|
synapse_api_config: >-2
|
||||||
|
{{
|
||||||
|
synapse_base_api_config
|
||||||
|
| combine(({"macaroon_secret_key": synapse_config_macaroon_secret_key})
|
||||||
|
if synapse_config_macaroon_secret_key | default(false, true) else {})
|
||||||
|
| combine(({"form_secret": synapse_config_form_secret})
|
||||||
|
if synapse_config_form_secret | default(false, true) else {})
|
||||||
|
}}
|
15
roles/synapse/defaults/main/homeserver.cache.yml
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
---
|
||||||
|
synapse_config_event_cache_size: "10K"
|
||||||
|
synapse_config_caches_global_factor: 0.5
|
||||||
|
synapse_config_caches_per_cache_factors: {}
|
||||||
|
synapse_config_caches_expire_caches: true
|
||||||
|
synapse_config_caches_sync_response_cache_duration: "2m"
|
||||||
|
|
||||||
|
synapse_cache_config:
|
||||||
|
event_cache_size: "{{ synapse_config_event_cache_size }}"
|
||||||
|
caches:
|
||||||
|
global_factor: "{{ synapse_config_caches_global_factor }}"
|
||||||
|
per_cache_factors: "{{ synapse_config_caches_per_cache_factors }}"
|
||||||
|
expire_caches: "{{ synapse_config_caches_expire_caches }}"
|
||||||
|
sync_response_cache_duration: >-
|
||||||
|
{{ synapse_config_caches_sync_response_cache_duration }}
|
31
roles/synapse/defaults/main/homeserver.config.yml
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
---
|
||||||
|
synapse_config_server_name: "{{ synapse_domain }}"
|
||||||
|
synapse_config_log_config_path: >-
|
||||||
|
{{ synapse_logging_config_file }}
|
||||||
|
synapse_config_media_store_path: >-
|
||||||
|
{{ synapse_media_store_path }}
|
||||||
|
synapse_config_signing_key_path: >-
|
||||||
|
{{ synapse_signing_key_file }}
|
||||||
|
synapse_config_trusted_key_servers:
|
||||||
|
- server_name: "matrix.org"
|
||||||
|
synapse_listeners_config: "{{ synapse_config_listeners }}"
|
||||||
|
|
||||||
|
synapse_default_config: >-
|
||||||
|
{{
|
||||||
|
synapse_default_server_config
|
||||||
|
| combine(synapse_tls_config)
|
||||||
|
| combine(synapse_email_config)
|
||||||
|
| combine(synapse_federation_config)
|
||||||
|
| combine(synapse_media_config)
|
||||||
|
| combine(synapse_turn_config)
|
||||||
|
| combine(synapse_cache_config)
|
||||||
|
| combine(synapse_ratelimit_config)
|
||||||
|
| combine(synapse_metrics_config)
|
||||||
|
| combine(synapse_api_config)
|
||||||
|
| combine(synapse_push_config)
|
||||||
|
| combine(synapse_registration_config)
|
||||||
|
}}
|
||||||
|
|
||||||
|
synapse_homeserver_config: >-
|
||||||
|
{{ synapse_default_config
|
||||||
|
| combine(synapse_config | default({}), recursive=True) }}
|
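Review bot: `synapse_config_media_store_path` is defined both here (`synapse_config_media_store_path: >-` / `{{ synapse_media_store_path }}`) and in `roles/synapse/defaults/main/homeserver.media_repo.yml`; Ansible merges every file under `defaults/main/` and the later definition silently wins, which is harmless today only because both expand to the same variable. Keep a single definition — the media_repo file is the natural home, since `synapse_base_media_config` is what consumes it — and drop the copy here. A short comment above `synapse_default_config` naming the defaults file each `synapse_*_config` mapping comes from would also help a reader, because `synapse_default_server_config`, `synapse_tls_config` and `synapse_turn_config` are not defined in this file and it is not visible where `synapse_database_config` or `synapse_listeners_config` join the chain. The non-recursive `combine` calls in that chain mean two mappings sharing a top-level key would also last-wins silently, so the comment is worth keeping accurate.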
10
roles/synapse/defaults/main/homeserver.database.yml
Normal file
@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
synapse_config_database_name: sqlite3
|
||||||
|
synapse_config_database_args:
|
||||||
|
database: "{{ synapse_sqlite_database_file }}"
|
||||||
|
synapse_config_database_txn_limit: "{{ 10000 | int}}"
|
||||||
|
|
||||||
|
synapse_database_config:
|
||||||
|
name: "{{ synapse_config_database_name }}"
|
||||||
|
args: "{{ synapse_config_database_args }}"
|
||||||
|
txn_limit: "{{ synapse_config_database_txn_limit }}"
|
51
roles/synapse/defaults/main/homeserver.email.yml
Normal file
@ -0,0 +1,51 @@
|
|||||||
|
---
|
||||||
|
synapse_config_email_smtp_host: ~
|
||||||
|
synapse_config_email_smtp_port: 465
|
||||||
|
synapse_config_email_smtp_user: ~
|
||||||
|
synapse_config_email_smtp_pass: ~
|
||||||
|
synapse_config_email_force_tls: false
|
||||||
|
synapse_config_email_require_transport_security: false
|
||||||
|
synapse_config_email_enable_tls: true
|
||||||
|
synapse_config_email_app_name: "[matrix]"
|
||||||
|
synapse_config_email_notif_from: >-
|
||||||
|
"%(app)s" <synapse@{{ synapse_domain }}>
|
||||||
|
synapse_config_email_enable_notifs: false
|
||||||
|
synapse_config_email_notif_for_new_users: true
|
||||||
|
synapse_config_email_notif_delay_before_mail: "10m"
|
||||||
|
synapse_config_email_client_base_url: "https://matrix.to"
|
||||||
|
synapse_config_email_validation_token_lifetime: "1h"
|
||||||
|
synapse_config_email_invite_client_location: ~
|
||||||
|
synapse_config_email_subjects: {}
|
||||||
|
|
||||||
|
synapse_email_config: >-
|
||||||
|
{{
|
||||||
|
(synapse_base_email_config
|
||||||
|
if synapse_config_email_smtp_host | default(false, true) else {})
|
||||||
|
| combine(synapse_base_email_auth_config
|
||||||
|
if (synapse_config_email_smtp_user | default(false, true)
|
||||||
|
and synapse_config_email_smtp_pass | default(false, true))
|
||||||
|
else {})
|
||||||
|
| combine(({"email": {"invite_client_location": synapse_config_email_invite_client_location}})
|
||||||
|
if synapse_config_email_invite_client_location | default(false, true) else {})
|
||||||
|
}}
|
||||||
|
synapse_base_email_auth_config:
|
||||||
|
smtp_user: "{{ synapse_config_email_smtp_user }}"
|
||||||
|
smtp_pass: "{{ synapse_config_email_smtp_pass }}"
|
||||||
|
synapse_base_email_config:
|
||||||
|
email:
|
||||||
|
smtp_host: "{{ synapse_config_email_smtp_host }}"
|
||||||
|
smtp_port: "{{ synapse_config_email_smtp_port }}"
|
||||||
|
force_tls: "{{ synapse_config_email_force_tls }}"
|
||||||
|
require_transport_security: >-
|
||||||
|
{{ synapse_config_email_require_transport_security}}
|
||||||
|
enable_tls: "{{ synapse_config_email_enable_tls }}"
|
||||||
|
app_name: "{{ synapse_config_email_app_name }}"
|
||||||
|
notif_from: "{[ synapse_config_email_notif_from }}"
|
||||||
|
enable_notifs: "{{ synapse_config_email_enable_notifs }}"
|
||||||
|
notif_for_new_users: "{{ synapse_config_email_notif_for_new_users }}"
|
||||||
|
notif_delay_before_mail: >-
|
||||||
|
{{ synapse_config_email_notif_delay_before_mail }}
|
||||||
|
client_base_url: "{{ synapse_config_email_client_base_url }}"
|
||||||
|
validation_token_lifetime: >-
|
||||||
|
{{ synapse_config_email_validation_token_lifetime }}
|
||||||
|
subjects: "{{ synapse_config_email_subjects }}"
|
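Review bot: `synapse_email_config` cannot produce a working SMTP configuration as written: `synapse_base_email_auth_config` puts `smtp_user`/`smtp_pass` at the top level of the homeserver config instead of under `email`, so Synapse never sees the credentials, and the last `combine` for `invite_client_location` is non-recursive, so whenever that variable is set it replaces the whole `email` mapping with a one-key dict and drops every SMTP setting. Both need the auth mapping nested under `email:` and `recursive=True` on the combines, as in the rewrite below. Independently, `notif_from: "{[ synapse_config_email_notif_from }}"` has `{[` where `{{` is meant and will be written to the config literally, and `{{ synapse_config_email_require_transport_security}}` is missing the closing space. `smtp_pass` is a secret that ends up in `homeserver.yaml`; the task that templates that file is outside this view, so I could not confirm it runs with `no_log`.
```yaml
synapse_email_config: >-
  {{
    (synapse_base_email_config
      if synapse_config_email_smtp_host | default(false, true) else {})
    | combine((synapse_base_email_auth_config
        if (synapse_config_email_smtp_user | default(false, true)
          and synapse_config_email_smtp_pass | default(false, true))
        else {}), recursive=True)
    | combine((({"email": {"invite_client_location": synapse_config_email_invite_client_location}})
        if synapse_config_email_invite_client_location | default(false, true) else {}),
        recursive=True)
  }}
synapse_base_email_auth_config:
  email:
    smtp_user: "{{ synapse_config_email_smtp_user }}"
    smtp_pass: "{{ synapse_config_email_smtp_pass }}"
# … unchanged: synapse_base_email_config (apart from the notif_from fix noted above) …
```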
39
roles/synapse/defaults/main/homeserver.federation.yml
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
---
|
||||||
|
# see https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#federation
|
||||||
|
synapse_config_federation_domain_whitelist: ~
|
||||||
|
synapse_config_federation_whitelist_endpoint_enabled: true
|
||||||
|
synapse_config_federation_metrics_domains: []
|
||||||
|
# see https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#federation-1
|
||||||
|
# for federation retry / network tuning
|
||||||
|
synapse_config_federation: {}
|
||||||
|
synapse_config_allow_profile_lookup_over_federation: false
|
||||||
|
synapse_config_allow_device_name_lookup_over_federation: false
|
||||||
|
|
||||||
|
synapse_config_federation_verify_certificates: true
|
||||||
|
synapse_config_federation_client_minimum_tls_version: "1.2"
|
||||||
|
synapse_config_federation_verification_whitelist: []
|
||||||
|
synapse_config_federation_custom_ca_list: []
|
||||||
|
|
||||||
|
synapse_federation_tls_config:
|
||||||
|
federation_verify_certificates: "{{ synapse_config_federation_verify_certificates }}"
|
||||||
|
federation_client_minimum_tls_version: >-
|
||||||
|
{{ synapse_config_federation_client_minimum_tls_version }}
|
||||||
|
federation_certificate_verification_whitelist: >-
|
||||||
|
{{ synapse_config_federation_verification_whitelist }}
|
||||||
|
|
||||||
|
synapse_federation_config: >-
|
||||||
|
{{
|
||||||
|
{
|
||||||
|
"federation_whitelist_endpoint_enabled" : synapse_config_federation_whitelist_endpoint_enabled,
|
||||||
|
"federation_metrics_domains": synapse_config_federation_metrics_domains,
|
||||||
|
"allow_profile_lookup_over_federation": synapse_config_allow_profile_lookup_over_federation,
|
||||||
|
"allow_device_name_lookup_over_federation": synapse_config_allow_device_name_lookup_over_federation,
|
||||||
|
"federation": synapse_config_federation
|
||||||
|
}
|
||||||
|
| combine(synapse_federation_tls_config)
|
||||||
|
| combine(({"federation_custom_ca_list": synapse_config_federation_custom_ca_list})
|
||||||
|
if (synapse_config_federation_custom_ca_list | default(false, true)
|
||||||
|
and synapse_config_federation_custom_ca_list | length > 0) else {})
|
||||||
|
| combine(({"federation_domain_whitelist": synapse_config_federation_domain_whitelist})
|
||||||
|
if synapse_config_federation_domain_whitelist | default(false, true) else {})
|
||||||
|
}}
|
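Review bot: `federation_domain_whitelist` is only emitted when `synapse_config_federation_domain_whitelist | default(false, true)` is truthy, and an empty list is falsy in Jinja, so an operator who sets `synapse_config_federation_domain_whitelist: []` to cut federation off entirely gets the key dropped instead — and with the key absent Synapse federates with every server, the opposite of what was asked for (as I read Synapse's handling, an empty whitelist means "no federation"). Distinguish unset from empty with `if synapse_config_federation_domain_whitelist is not none else {})`, and add a comment above the variable: `# null = federate with all servers; [] = federate with none; a list = only these domains`. The `federation_custom_ca_list` guard two lines above has the same shape, but there an empty list and an absent key mean the same thing, so it can stay.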
41
roles/synapse/defaults/main/homeserver.listeners.yml
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
---
|
||||||
|
synapse_config_listeners: >-
|
||||||
|
{{ synapse_listeners_default_config }}
|
||||||
|
synapse_config_listeners_port: 8080
|
||||||
|
synapse_config_listeners_tls: false
|
||||||
|
synapse_config_listeners_type: http
|
||||||
|
synapse_config_listeners_x_forwarded: true
|
||||||
|
synapse_config_listeners_bind_addresses:
|
||||||
|
- "::1"
|
||||||
|
- "127.0.0.1"
|
||||||
|
synapse_config_listeners_resources:
|
||||||
|
- names: "{{ synapse_config_listeners_resources_names }}"
|
||||||
|
compress: "{{ synapse_config_listeners_resources_compress }}"
|
||||||
|
synapse_config_listeners_resources_names:
|
||||||
|
- client
|
||||||
|
- federation
|
||||||
|
synapse_config_listeners_resources_compress: false
|
||||||
|
synapse_listeners_default_config:
|
||||||
|
- port: "{{ synapse_config_listeners_port }}"
|
||||||
|
tls: "{{ synapse_config_listeners_tls }}"
|
||||||
|
type: "{{ synapse_config_listeners_type }}"
|
||||||
|
x_forwarded: "{{ synapse_config_listeners_x_forwarded }}"
|
||||||
|
bind_addresses: "{{ synapse_config_listeners_bind_addresses }}"
|
||||||
|
resources: "{{ synapse_config_listeners_resources }}"
|
||||||
|
synapse_config_metrics_listener_port: 9000
|
||||||
|
synapse_config_metrics_listener_tls: false
|
||||||
|
synapse_config_metrics_listener_type: http
|
||||||
|
synapse_config_metrics_listener_x_forwarded: false
|
||||||
|
synapse_config_metrics_listener_bind_addresses:
|
||||||
|
- "127.0.0.1"
|
||||||
|
- "::1"
|
||||||
|
synapse_config_metrics_listener_resources:
|
||||||
|
- names: metrics
|
||||||
|
compress: false
|
||||||
|
synapse_metrics_listener:
|
||||||
|
- port: "{{ synapse_config_metrics_listener_port }}"
|
||||||
|
tls: "{{ synapse_config_metrics_listener_tls }}"
|
||||||
|
type: "{{ synapse_config_metrics_listener_type }}"
|
||||||
|
x_forwarded: "{{ synapse_config_metrics_listener_x_forwarded }}"
|
||||||
|
bind_addresses: "{{ synapse_config_metrics_listener_bind_addresses }}"
|
||||||
|
resources: "{{ synapse_config_metrics_listener_resources }}"
|
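Review bot: The metrics listener passes `names: metrics` as a scalar while the client listener builds `names` from a list (`synapse_config_listeners_resources_names`); as far as I can tell from Synapse's listener validation each entry of `names` is checked against its known resource set, so a bare string is iterated character by character and rejected — write `- names: [metrics]` to match the shape used above. The `x_forwarded: true` default also deserves a comment, because Synapse then takes the client address for rate limiting and logging from `X-Forwarded-For`, which is only trustworthy while the listener is reachable solely through a reverse proxy; the loopback `bind_addresses` here keep that true, but anyone widening them to `0.0.0.0` lets clients choose their own address. Suggested comment above `synapse_config_listeners_x_forwarded`: `# Trusts X-Forwarded-For; keep the listener reachable only via a reverse proxy`. How these loopback addresses interact with the container deployment (`synapse_container_ports` is null by default) is outside this file.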
99
roles/synapse/defaults/main/homeserver.media_repo.yml
Normal file
@ -0,0 +1,99 @@
|
|||||||
|
---
|
||||||
|
# Media repo configuration
|
||||||
|
synapse_config_enable_media_repo: true #TODO: set to false if workers enabled
|
||||||
|
synapse_config_enable_authenticated_media: true
|
||||||
|
synapse_config_media_store_path: "{{ synapse_media_store_path }}"
|
||||||
|
synapse_config_max_pending_media_uploads: 10
|
||||||
|
synapse_config_unused_expiration_time: "1h"
|
||||||
|
# see https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#media_storage_providers
|
||||||
|
synapse_config_media_store_providers: []
|
||||||
|
synapse_config_max_upload_size: "50M"
|
||||||
|
synapse_config_max_image_pixels: "32M"
|
||||||
|
synapse_config_dynamic_thumbnails: true
|
||||||
|
|
||||||
|
# The following values are KiB/Mib per burst/second
|
||||||
|
synapse_config_remote_media_download_burst_count: "500M"
|
||||||
|
synapse_config_remote_media_download_per_second: "87K"
|
||||||
|
|
||||||
|
# Blacklist known spam servers here
|
||||||
|
synapse_config_prevent_media_downloads_from: []
|
||||||
|
|
||||||
|
synapse_config_media_retention_local_media_lifetime: ~
|
||||||
|
synapse_config_media_retention_remote_media_lifetime: ~
|
||||||
|
synapse_config_media_retention: >-
|
||||||
|
{{ {}
|
||||||
|
| combine(({"local_media_lifetime": synapse_config_media_retention_local_media_lifetime})
|
||||||
|
if synapse_config_media_retention_local_media_lifetime | default(false, true) else {})
|
||||||
|
| combine(({"remote_media_lifetime": synapse_config_media_retention_remote_media_lifetime })
|
||||||
|
if synapse_config_media_retention_remote_media_lifetime | default(false, true) else {})
|
||||||
|
}}
|
||||||
|
|
||||||
|
# URL preview handling
|
||||||
|
synapse_config_url_preview_enabled: true
|
||||||
|
# Following recommendations from
|
||||||
|
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#url_preview_ip_range_blacklist
|
||||||
|
synapse_config_url_preview_ip_range_blacklist:
|
||||||
|
- '127.0.0.0/8'
|
||||||
|
- '10.0.0.0/8'
|
||||||
|
- '172.16.0.0/12'
|
||||||
|
- '192.168.0.0/16'
|
||||||
|
- '100.64.0.0/10'
|
||||||
|
- '192.0.0.0/24'
|
||||||
|
- '169.254.0.0/16'
|
||||||
|
- '192.88.99.0/24'
|
||||||
|
- '198.18.0.0/15'
|
||||||
|
- '192.0.2.0/24'
|
||||||
|
- '198.51.100.0/24'
|
||||||
|
- '203.0.113.0/24'
|
||||||
|
- '224.0.0.0/4'
|
||||||
|
- '::1/128'
|
||||||
|
- 'fe80::/10'
|
||||||
|
- 'fc00::/7'
|
||||||
|
- '2001:db8::/32'
|
||||||
|
- 'ff00::/8'
|
||||||
|
- 'fec0::/10'
|
||||||
|
synapse_config_url_preview_ip_range_whitelist: ~
|
||||||
|
# see https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#url_preview_url_blacklist
|
||||||
|
synapse_config_url_preview_url_blacklist:
|
||||||
|
- username: "*"
|
||||||
|
- netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
|
||||||
|
# see https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#url_preview_accept_language
|
||||||
|
synapse_config_url_preview_accept_language:
|
||||||
|
- "en"
|
||||||
|
synapse_config_max_spider_size: 8M
|
||||||
|
synapse_config_oembed_disable_default_providers: false
|
||||||
|
synapse_config_oembed_additional_providers: []
|
||||||
|
|
||||||
|
synapse_base_media_config:
|
||||||
|
enable_media_repo: "{{ synapse_config_enable_media_repo }}"
|
||||||
|
enable_authenticated_media: "{{ synapse_config_enable_authenticated_media }}"
|
||||||
|
media_store_path: "{{ synapse_config_media_store_path }}"
|
||||||
|
max_pending_media_uploads: "{{ synapse_config_max_pending_media_uploads }}"
|
||||||
|
unused_expiration_time: "{{ synapse_config_unused_expiration_time }}"
|
||||||
|
media_store_providers: "{{ synapse_config_media_store_providers }}"
|
||||||
|
max_upload_size: "{{ synapse_config_max_upload_size }}"
|
||||||
|
max_image_pixels: "{{ synapse_config_max_image_pixels }}"
|
||||||
|
# Media - remote media handling
|
||||||
|
remote_media_download_burst_count: >-
|
||||||
|
{{ synapse_config_remote_media_download_burst_count }}
|
||||||
|
remote_media_download_per_second: >-
|
||||||
|
{{ synapse_config_remote_media_download_per_second }}
|
||||||
|
prevent_media_downloads_from: "{{ synapse_config_prevent_media_downloads_from }}"
|
||||||
|
media_retention: "{{ synapse_config_media_retention }}"
|
||||||
|
# Media - URL preview options
|
||||||
|
dynamic_thumbnails: "{{ synapse_config_dynamic_thumbnails }}"
|
||||||
|
url_preview_enabled: "{{ synapse_config_url_preview_enabled }}"
|
||||||
|
url_preview_ip_range_blacklist: >-
|
||||||
|
{{ synapse_config_url_preview_ip_range_blacklist }}
|
||||||
|
url_preview_url_blacklist: "{{ synapse_config_url_preview_url_blacklist }}"
|
||||||
|
url_preview_accept_language: "{{ synapse_config_url_preview_accept_language }}"
|
||||||
|
max_spider_size: "{{ synapse_config_max_spider_size }}"
|
||||||
|
oembed:
|
||||||
|
disable_default_providers: "{{ synapse_config_oembed_disable_default_providers }}"
|
||||||
|
additional_providers: "{{ synapse_config_oembed_additional_providers }}"
|
||||||
|
synapse_media_config: >-2
|
||||||
|
{{
|
||||||
|
synapse_base_media_config
|
||||||
|
| combine(({'url_preview_ip_range_whitelist': synapse_config_url_preview_ip_range_whitelist})
|
||||||
|
if synapse_config_url_preview_ip_range_whitelist | default(false, true) else {})
|
||||||
|
}}
|
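Review bot: `synapse_config_url_preview_ip_range_blacklist` repeats verbatim the CIDR list that `synapse_config_ip_range_blacklist` carries in `homeserver.server.yml`; two copies of an SSRF-relevant deny list will drift apart, so default this one to `"{{ synapse_config_ip_range_blacklist }}"` and let operators override it separately only when they need to. Two smaller points: `synapse_config_max_spider_size: 8M` is the one size value left unquoted (the others are written `"50M"`, `"32M"`), and the comment `# The following values are KiB/Mib per burst/second` does not describe the two variables beneath it — something like `# Remote media download limits: burst allowance, then sustained rate (byte sizes)` reads closer to what those Synapse options control. The `#TODO` on `synapse_config_enable_media_repo` should also get a space after the hash so yamllint's comments rule passes.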
28
roles/synapse/defaults/main/homeserver.metrics.yml
Normal file
@ -0,0 +1,28 @@
|
|||||||
|
---
|
||||||
|
synapse_config_enable_metrics: false
|
||||||
|
synapse_config_sentry_environment: ~
|
||||||
|
synapse_config_sentry_dsn: ~
|
||||||
|
synapse_config_metrics_flags_known_servers: true
|
||||||
|
synapse_config_report_stats: true
|
||||||
|
synapse_config_report_stats_endpoint: >-
|
||||||
|
https://matrix.org/report-usage-stats/push
|
||||||
|
|
||||||
|
synapse_metrics_sentry_config: >-
|
||||||
|
{{ {}
|
||||||
|
| combine(({"environment": synapse_config_sentry_environment })
|
||||||
|
if synapse_config_sentry_environment | default(false, true) else {})
|
||||||
|
| combine(({"dsn": synapse_config_sentry_dsn })
|
||||||
|
if synapse_config_sentry_dsn | default(false, true) else {})
|
||||||
|
}}
|
||||||
|
|
||||||
|
synapse_base_metrics_config:
|
||||||
|
enable_metrics: "{{ synapse_config_enable_metrics }}"
|
||||||
|
metrics_flags:
|
||||||
|
known_servers: "{{ synapse_config_metrics_flags_known_servers }}"
|
||||||
|
report_stats: "{{ synapse_config_report_stats }}"
|
||||||
|
report_stats_endpoint: "{{ synapse_config_report_stats_endpoint }}"
|
||||||
|
synapse_metrics_config: >-
|
||||||
|
{{ synapse_base_metrics_config
|
||||||
|
| combine(({"sentry": synapse_metrics_sentry_config})
|
||||||
|
if (synapse_config_sentry_dsn or synapse_config_sentry_environment) else {})
|
||||||
|
}}
|
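Review bot: `synapse_config_report_stats` defaults to `true`, so a role user who never touches it sends anonymised usage statistics to `synapse_config_report_stats_endpoint`; Synapse itself refuses to start until the operator makes that choice explicitly, precisely so the opt-in is conscious. Either default it to `false` or document the opt-out in the role README, with at minimum a comment above the variable such as `# Opt-out: set to false to stop reporting anonymised homeserver usage statistics upstream`. Separately, the sentry guard `if (synapse_config_sentry_dsn or synapse_config_sentry_environment)` departs from the `| default(false, true)` pattern used in every other conditional combine in these defaults; harmless while both variables are declared in this file, but worth aligning.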
13
roles/synapse/defaults/main/homeserver.push.yml
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
synapse_config_push_enabled: true
|
||||||
|
synapse_config_push_include_content: true
|
||||||
|
synapse_config_push_group_unread_count_by_room: true
|
||||||
|
synapse_config_push_jitter_delay: "1s"
|
||||||
|
|
||||||
|
synapse_push_config:
|
||||||
|
push:
|
||||||
|
enabled: "{{ synapse_config_push_enabled }}"
|
||||||
|
include_content: "{{ synapse_config_push_include_content }}"
|
||||||
|
group_unread_count_by_room: >-
|
||||||
|
{{ synapse_config_push_group_unread_count_by_room }}
|
||||||
|
jitter_delay: "{{ synapse_config_push_jitter_delay }}"
|
112
roles/synapse/defaults/main/homeserver.ratelimits.yml
Normal file
@ -0,0 +1,112 @@
|
|||||||
|
---
|
||||||
|
# Ratelimit config, see
|
||||||
|
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#ratelimiting
|
||||||
|
synapse_config_rc_message_per_second: 0.2
|
||||||
|
synapse_config_rc_message_burst_count: 10
|
||||||
|
|
||||||
|
synapse_config_rc_registration_per_second: 0.1
|
||||||
|
synapse_config_rc_registration_burst_count: 5
|
||||||
|
|
||||||
|
synapse_config_rc_registration_token_validity_per_second: 0.1
|
||||||
|
synapse_config_rc_registration_token_validity_burst_count: 5
|
||||||
|
|
||||||
|
synapse_config_rc_login_address_per_second: 0.003
|
||||||
|
synapse_config_rc_login_address_burst_count: 5
|
||||||
|
synapse_config_rc_login_account_per_second: 0.003
|
||||||
|
synapse_config_rc_login_account_burst_count: 5
|
||||||
|
synapse_config_rc_login_failed_attempts_per_second: 0.17
|
||||||
|
synapse_config_rc_login_failed_attempts_burst_count: 3
|
||||||
|
|
||||||
|
synapse_config_rc_admin_redaction_per_second: 2
|
||||||
|
synapse_config_rc_admin_redaction_burst_count: 75
|
||||||
|
|
||||||
|
synapse_config_rc_joins_local_per_second: 0.1
|
||||||
|
synapse_config_rc_joins_local_burst_count: 10
|
||||||
|
synapse_config_rc_joins_remote_per_second: 0.01
|
||||||
|
synapse_config_rc_joins_remote_burst_count: 10
|
||||||
|
synapse_config_rc_joins_per_room_per_second: 1
|
||||||
|
synapse_config_rc_joins_per_room_burst_count: 10
|
||||||
|
|
||||||
|
synapse_config_rc_3pid_validation_per_second: 0.003
|
||||||
|
synapse_config_rc_3pid_validation_burst_count: 5
|
||||||
|
|
||||||
|
synapse_config_rc_invites_per_room_per_second: 0.3
|
||||||
|
synapse_config_rc_invites_per_room_burst_count: 10
|
||||||
|
synapse_config_rc_invites_per_user_per_second: 0.003
|
||||||
|
synapse_config_rc_invites_per_user_burst_count: 5
|
||||||
|
synapse_config_rc_invites_per_issuer_per_second: 0.3
|
||||||
|
synapse_config_rc_invites_per_issuer_burst_count: 10
|
||||||
|
|
||||||
|
synapse_config_rc_third_party_invite_per_second: 0.2
|
||||||
|
synapse_config_rc_third_party_invite_burst_count: 10
|
||||||
|
|
||||||
|
synapse_config_rc_media_create_per_second: 10
|
||||||
|
synapse_config_rc_media_create_burst_count: 50
|
||||||
|
|
||||||
|
synapse_config_rc_federation_window_size: 1000 # in ms
|
||||||
|
synapse_config_rc_federation_sleep_limit: 10
|
||||||
|
synapse_config_rc_federation_sleep_delay: 500 # in ms
|
||||||
|
synapse_config_rc_federation_reject_limit: 50
|
||||||
|
synapse_config_rc_federation_concurrent: 5
|
||||||
|
synapse_config_federation_rr_transactions_per_room_per_second: 50
|
||||||
|
|
||||||
|
synapse_ratelimit_config:
|
||||||
|
rc_message:
|
||||||
|
per_second: "{{ synapse_config_rc_message_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_message_burst_count }}"
|
||||||
|
rc_registration:
|
||||||
|
per_second: "{{ synapse_config_rc_registration_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_registration_burst_count }}"
|
||||||
|
rc_registration_token_validity:
|
||||||
|
per_second: "{{ synapse_config_rc_registration_token_validity_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_registration_token_validity_burst_count }}"
|
||||||
|
rc_login:
|
||||||
|
address:
|
||||||
|
per_second: "{{ synapse_config_rc_login_address_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_login_address_burst_count }}"
|
||||||
|
account:
|
||||||
|
per_second: "{{ synapse_config_rc_login_account_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_login_account_burst_count}}"
|
||||||
|
failed_attemps:
|
||||||
|
per_second: "{{ synapse_config_rc_login_failed_attempts_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_login_failed_attempts_burst_count }}"
|
||||||
|
rc_admin_redaction:
|
||||||
|
per_second: "{{ synapse_config_rc_admin_redaction_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_admin_redaction_burst_count }}"
|
||||||
|
rc_joins:
|
||||||
|
local:
|
||||||
|
per_second: "{{ synapse_config_rc_joins_local_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_joins_local_burst_count }}"
|
||||||
|
remote:
|
||||||
|
per_second: "{{ synapse_config_rc_joins_remote_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_joins_remote_burst_count}}"
|
||||||
|
rc_joins_per_room:
|
||||||
|
per_second: "{{ synapse_config_rc_joins_per_room_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_joins_per_room_burst_count }}"
|
||||||
|
rc_3pid_validation:
|
||||||
|
per_second: "{{ synapse_config_rc_3pid_validation_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_3pid_validation_burst_count }}"
|
||||||
|
rc_invites:
|
||||||
|
per_room:
|
||||||
|
per_second: "{{ synapse_config_rc_invites_per_room_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_invites_per_room_burst_count }}"
|
||||||
|
per_user:
|
||||||
|
per_second: "{{ synapse_config_rc_invites_per_user_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_invites_per_user_burst_count }}"
|
||||||
|
per_issuer:
|
||||||
|
per_second: "{{ synapse_config_rc_invites_per_issuer_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_invites_per_issuer_burst_count }}"
|
||||||
|
rc_third_party_invite:
|
||||||
|
per_second: "{{ synapse_config_rc_third_party_invite_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_third_party_invite_burst_count }}"
|
||||||
|
rc_media_create:
|
||||||
|
per_second: "{{ synapse_config_rc_media_create_per_second }}"
|
||||||
|
burst_count: "{{ synapse_config_rc_media_create_burst_count }}"
|
||||||
|
rc_federation:
|
||||||
|
window_size: "{{ synapse_config_rc_federation_window_size }}"
|
||||||
|
sleep_limit: "{{ synapse_config_rc_federation_sleep_limit }}"
|
||||||
|
sleep_delay: "{{ synapse_config_rc_federation_sleep_delay }}"
|
||||||
|
reject_limit: "{{ synapse_config_rc_federation_reject_limit }}"
|
||||||
|
concurrent: "{{ synapse_config_rc_federation_concurrent }}"
|
||||||
|
federation_rr_transactions_per_room_per_second: >-
|
||||||
|
{{ synapse_config_federation_rr_transactions_per_room_per_second }}
|
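Review bot: The `rc_login` sub-mapping is keyed `failed_attemps`, but the Synapse option is `rc_login.failed_attempts`, so the values from `synapse_config_rc_login_failed_attempts_per_second` and `_burst_count` are never applied and the failed-login limiter stays at Synapse's built-in values regardless of what the role user sets (unknown keys are not rejected, as far as I know); rename the key to `failed_attempts:`. Two interpolations are also missing the closing space, `{{ synapse_config_rc_login_account_burst_count}}` and `{{ synapse_config_rc_joins_remote_burst_count}}` — they still render, but breaking the file's own `{{ … }}` convention makes typos like the one above easier to miss.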
41
roles/synapse/defaults/main/homeserver.registration.yml
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
---
|
||||||
|
synapse_config_enable_registration: false
|
||||||
|
synapse_config_enable_registration_without_verification: false
|
||||||
|
synapse_config_registrations_require_3pid: []
|
||||||
|
synapse_config_registration_requires_token: true
|
||||||
|
synapse_config_registration_shared_secret: ~
|
||||||
|
synapse_config_registration_shared_secret_path: ~
|
||||||
|
synapse_config_allowed_local_3pids: []
|
||||||
|
synapse_config_enable_3pid_lookup: true
|
||||||
|
|
||||||
|
synapse_config_bcrypt_rounds: 14
|
||||||
|
synapse_config_allow_guest_access: false
|
||||||
|
synapse_config_default_identity_server: ~
|
||||||
|
synapse_config_enable_set_displayname: true
|
||||||
|
synapse_config_enable_set_avatar_url: true
|
||||||
|
synapse_config_enable_3pid_changes: true
|
||||||
|
|
||||||
|
synapse_registration_base_config:
|
||||||
|
enable_set_displayname: "{{ synapse_config_enable_set_displayname }}"
|
||||||
|
enable_set_avatar_url: "{{ synapse_config_enable_set_avatar_url }}"
|
||||||
|
enable_3pid_changes: "{{ synapse_config_enable_3pid_changes }}"
|
||||||
|
allow_guest_access: "{{ synapse_config_allow_guest_access }}"
|
||||||
|
enable_registration: "{{ synapse_config_enable_registration }}"
|
||||||
|
enable_registration_without_verification: >-2
|
||||||
|
{{ synapse_config_enable_registration_without_verification }}
|
||||||
|
allowed_local_3pids: "{{ synapse_config_allowed_local_3pids }}"
|
||||||
|
enable_3pid_lookup: "{{ synapse_config_enable_3pid_lookup }}"
|
||||||
|
registrations_require_3pid: "{{ synapse_config_registrations_require_3pid }}"
|
||||||
|
registration_requires_token: "{{ synapse_config_registration_requires_token }}"
|
||||||
|
registration_shared_secret: "{{ synapse_config_registration_shared_secret }}"
|
||||||
|
registration_shared_secret_path: >-2
|
||||||
|
{{ synapse_config_registration_shared_secret_path }}
|
||||||
|
bcrypt_rounds: "{{ synapse_config_bcrypt_rounds }}"
|
||||||
|
|
||||||
|
synapse_registration_config: >-2
|
||||||
|
{{
|
||||||
|
synapse_registration_base_config
|
||||||
|
| combine(({"default_identity_server": synapse_config_default_identity_server})
|
||||||
|
if (synapse_config_default_identity_server | default(false, true)
|
||||||
|
and synapse_config_default_identity_server | length > 0) else {})
|
||||||
|
}}
|
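Review bot: `registration_shared_secret` and `registration_shared_secret_path` are always written into `synapse_registration_base_config`, whereas `homeserver.api.yml` adds `macaroon_secret_key` and `form_secret` only when set; both variables default to `~`, which renders as null and is tolerated, but the two keys are mutually exclusive in Synapse, so a role user who sets the `_path` variant while an inventory elsewhere still sets the secret gets a startup error rather than the intended file-based secret. Emitting them conditionally, as below, keeps the shape consistent with the api defaults and makes the `_path` variant — which keeps the secret out of `homeserver.yaml` — the obvious choice. The two lines would then be removed from `synapse_registration_base_config`.
```yaml
synapse_registration_config: >-2
  {{
    synapse_registration_base_config
    | combine(({"default_identity_server": synapse_config_default_identity_server})
      if (synapse_config_default_identity_server | default(false, true)
        and synapse_config_default_identity_server | length > 0) else {})
    | combine(({"registration_shared_secret": synapse_config_registration_shared_secret})
      if synapse_config_registration_shared_secret | default(false, true) else {})
    | combine(({"registration_shared_secret_path": synapse_config_registration_shared_secret_path})
      if synapse_config_registration_shared_secret_path | default(false, true) else {})
  }}
```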
78
roles/synapse/defaults/main/homeserver.server.yml
Normal file
@ -0,0 +1,78 @@
|
|||||||
|
---
|
||||||
|
# Config options from the `server` section of
|
||||||
|
# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#server
|
||||||
|
synapse_config_pid_file: "{{ synapse_pid_file }}"
|
||||||
|
synapse_config_public_baseurl: "https://{{ synapse_config_server_name }}"
|
||||||
|
synapse_config_serve_server_wellknown: false
|
||||||
|
synapse_config_extra_well_known_client_content: {}
|
||||||
|
synapse_config_soft_file_limit: 0
|
||||||
|
synapse_config_require_auth_for_profile_requests: false
|
||||||
|
synapse_config_limit_profile_requests_to_users_who_share_rooms: false
|
||||||
|
synapse_config_include_profile_data_on_invite: true
|
||||||
|
synapse_config_allow_public_rooms_without_auth: false
|
||||||
|
synapse_config_allow_public_rooms_over_federation: false
|
||||||
|
synapse_config_default_room_version: "10"
|
||||||
|
synapse_config_filter_timeline_limit: 200
|
||||||
|
synapse_config_block_non_admin_invites: false
|
||||||
|
synapse_config_enable_search: true
|
||||||
|
synapse_config_dummy_events_threshold: 10
|
||||||
|
synapse_config_delete_stale_devices_after: "90d"
|
||||||
|
synapse_config_key_refresh_interval: "1d"
|
||||||
|
synapse_config_suppress_key_server_warning: false
|
||||||
|
|
||||||
|
synapse_config_ip_range_blacklist:
|
||||||
|
- '127.0.0.0/8'
|
||||||
|
- '10.0.0.0/8'
|
||||||
|
- '172.16.0.0/12'
|
||||||
|
- '192.168.0.0/16'
|
||||||
|
- '100.64.0.0/10'
|
||||||
|
- '192.0.0.0/24'
|
||||||
|
- '169.254.0.0/16'
|
||||||
|
- '192.88.99.0/24'
|
||||||
|
- '198.18.0.0/15'
|
||||||
|
- '192.0.2.0/24'
|
||||||
|
- '198.51.100.0/24'
|
||||||
|
- '203.0.113.0/24'
|
||||||
|
- '224.0.0.0/4'
|
||||||
|
- '::1/128'
|
||||||
|
- 'fe80::/10'
|
||||||
|
- 'fc00::/7'
|
||||||
|
- '2001:db8::/32'
|
||||||
|
- 'ff00::/8'
|
||||||
|
- 'fec0::/10'
|
||||||
|
synapse_config_ip_range_whitelist: []
|
||||||
|
|
||||||
|
synapse_default_server_config:
|
||||||
|
server_name: "{{ synapse_config_server_name }}"
|
||||||
|
pid_file: "{{ synapse_config_pid_file }}"
|
||||||
|
listeners: "{{ synapse_listeners_config }}"
|
||||||
|
database: "{{ synapse_database_config }}"
|
||||||
|
log_config: "{{ synapse_config_log_config_path }}"
|
||||||
|
signing_key_path: "{{ synapse_config_signing_key_path }}"
|
||||||
|
key_refresh_interval: "{{ synapse_config_key_refresh_interval }}"
|
||||||
|
trusted_key_servers: "{{ synapse_config_trusted_key_servers }}"
|
||||||
|
suppress_key_server_warning: "{{ synapse_config_suppress_key_server_warning }}"
|
||||||
|
public_baseurl: "{{ synapse_config_public_baseurl }}"
|
||||||
|
serve_server_wellknown: "{{ synapse_config_serve_server_wellknown }}"
|
||||||
|
extra_well_known_client_content: >-
|
||||||
|
{{ synapse_config_extra_well_known_client_content }}
|
||||||
|
soft_file_limit: "{{ synapse_config_soft_file_limit }}"
|
||||||
|
# presence: TODO
|
||||||
|
require_auth_for_profile_requests: >-
|
||||||
|
{{ synapse_config_require_auth_for_profile_requests }}
|
||||||
|
limit_profile_requests_to_users_who_share_rooms: >-
|
||||||
|
{{ synapse_config_limit_profile_requests_to_users_who_share_rooms }}
|
||||||
|
include_profile_data_on_invite: >-
|
||||||
|
{{ synapse_config_include_profile_data_on_invite }}
|
||||||
|
allow_public_rooms_without_auth: >-
|
||||||
|
{{ synapse_config_allow_public_rooms_without_auth }}
|
||||||
|
allow_public_rooms_over_federation: >-
|
||||||
|
{{ synapse_config_allow_public_rooms_over_federation }}
|
||||||
|
default_room_version: "{{ synapse_config_default_room_version }}"
|
||||||
|
filter_timeline_limit: "{{ synapse_config_filter_timeline_limit }}"
|
||||||
|
block_non_admin_invites: "{{ synapse_config_block_non_admin_invites }}"
|
||||||
|
enable_search: "{{ synapse_config_enable_search }}"
|
||||||
|
ip_range_blacklist: "{{ synapse_config_ip_range_blacklist }}"
|
||||||
|
ip_range_whitelist: "{{ synapse_config_ip_range_whitelist }}"
|
||||||
|
dummy_events_threshold: "{{ synapse_config_dummy_events_threshold }}"
|
||||||
|
delete_stale_devices_after: "{{ synapse_config_delete_stale_devices_after }}"
|
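Review bot: `synapse_config_delete_stale_devices_after: "90d"` enables device pruning by default, whereas upstream leaves this option unset (disabled) if I recall correctly; devices that have not been used for 90 days lose their access tokens and their end-to-end encryption keys, which is a consequential default for a role to pick silently. A comment above it such as `# Deviates from upstream: prunes devices idle for 90 days; set to ~ to disable` would make the trade-off visible to operators. The `# presence: TODO` line inside `synapse_default_server_config` reads as a leftover; either remove it or reword it to state that `presence` is intentionally not templated yet. The `ip_range_blacklist` default appears to mirror the upstream list, which is the right choice since it is Synapse's guard against server-side requests into internal networks for URL previews and federation lookups.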
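--- a/roles/synapse/defaults/main/homeserver.tls.yml
+++ b/roles/synapse/defaults/main/homeserver.tls.yml
@@ -0,0 +1,10 @@
+---
+synapse_config_tls_certificate_path: ~
+synapse_config_tls_private_key_path: ~
+synapse_tls_config: >-
+  {{ {}
+    | combine(({"tls_certificate_path": synapse_config_tls_certificate_path })
+    if synapse_config_tls_certificate_path | default(false, true) else {})
+    | combine(({"tls_private_key_path": synapse_config_tls_private_key_path })
+    if synapse_config_tls_private_key_path | default(false, true) else {})
+  }}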
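--- a/roles/synapse/defaults/main/homeserver.turn.yml
+++ b/roles/synapse/defaults/main/homeserver.turn.yml
@@ -0,0 +1,26 @@
+---
+# TURN / RTC configuration
+synapse_config_turn_uris: []
+synapse_config_turn_shared_secret: ~
+synapse_config_turn_shared_secret_path: ~
+synapse_config_turn_username: ~
+synapse_config_turn_password: ~
+synapse_config_turn_user_lifetime: "2h"
+synapse_config_turn_allow_guests: false
+
+synapse_turn_config_base:
+  turn_uris: "{{ synapse_config_turn_uris }}"
+  turn_user_lifetime: "{{ synapse_config_turn_user_lifetime }}"
+  turn_allow_guests: "{{ synapse_config_turn_allow_guests }}"
+synapse_turn_config: >-2
+  {{
+    synapse_turn_config_base
+    | combine(({ turn_shared_secret: synapse_config_turn_shared_secret })
+    if synapse_config_turn_shared_secret | default(false, true) else {})
+    | combine(({ turn_shared_secret_path: synapse_config_turn_shared_secret_path })
+    if synapse_config_turn_shared_secret_path | default(false, true) else {})
+    | combine(({ turn_username: synapse_config_turn_username })
+    if synapse_config_username | default(false, true) else {})
+    | combine(({ turn_password: synapse_config_turn_password })
+    if synapse_config_turn_password | default(false, true) else {})
+  }}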
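Review bot: `if synapse_config_username | default(false, true)` in `synapse_turn_config` references a variable that this role never defines (the default declared above is `synapse_config_turn_username`), so `turn_username` is never merged into the rendered config; the line should read `if synapse_config_turn_username | default(false, true) else {})`. In the same expression the dict literals use bare keys (`{ turn_shared_secret: ... }`), which Jinja evaluates as variable lookups rather than string keys, unlike the quoted form `{"tls_certificate_path": ...}` used in homeserver.tls.yml; quoting them, e.g. `{ "turn_shared_secret": synapse_config_turn_shared_secret }`, keeps the two files consistent and avoids a likely undefined-variable failure at render time.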
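--- a/roles/synapse/defaults/main/log.config.yml
+++ b/roles/synapse/defaults/main/log.config.yml
@@ -0,0 +1,88 @@
+---
+
+synapse_log_config_root_level: "INFO"
+synapse_log_config_disable_existing_loggers: false
+
+# Formatter config
+synapse_log_config_formatters_precise_name: precise
+synapse_log_config_formatters_precise:
+  format: >-
+    %(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s
+synapse_log_config_formatters: >-
+  {{
+    { synapse_log_config_formatters_precise_name: synapse_log_config_formatters_precise }
+  }}
+
+# Loggers config
+synapse_log_config_loggers_synapse_storage_sql_level: >-
+  {{ synapse_log_config_root_level }}
+synapse_log_config_loggers_synapse_storage_sql:
+  level: "{{ synapse_log_config_loggers_synapse_storage_sql_level }}"
+synapse_log_config_loggers:
+  "synapse.storage.SQL": "{{ synapse_log_config_loggers_synapse_storage_sql }}"
+
+# File handler
+synapse_log_config_handlers_file_name: file
+synapse_log_config_handlers_file_class: >-
+  logging.handlers.TimedRotatingFileHandler
+synapse_log_config_handlers_file_formatter: >-
+  {{ synapse_log_config_formatters_precise_name }}
+synapse_log_config_handlers_file_filename: >-
+  {{ synapse_homeserver_log_path }}
+synapse_log_config_handlers_file_when: midnight
+synapse_log_config_handlers_file_backup_count: 3
+synapse_log_config_handlers_file_encoding: utf8
+synapse_log_config_handlers_file:
+  class: "{{ synapse_log_config_handlers_file_class }}"
+  formatter: "{{ synapse_log_config_handlers_file_formatter }}"
+  filename: "{{ synapse_log_config_handlers_file_filename }}"
+  when: "{{ synapse_log_config_handlers_file_when }}"
+  backupCount: "{{ synapse_log_config_handlers_file_backup_count }}"
+  encoding: "{{ synapse_log_config_handlers_file_encoding }}"
+
+# Buffer handler
+synapse_log_config_handlers_buffer_name: buffer
+synapse_log_config_handlers_buffer_class: >-
+  synapse.logging.handlers.PeriodicallyFlushingMemoryHandler
+synapse_log_config_handlers_buffer_target: file
+synapse_log_config_handlers_buffer_capacity: 10
+synapse_log_config_handlers_buffer_flush_level: 30
+synapse_log_config_handlers_buffer_period: 5
+synapse_log_config_handlers_buffer:
+  class: "{{ synapse_log_config_handlers_buffer_class }}"
+  target: "{{ synapse_log_config_handlers_buffer_target }}"
+  capacity: "{{ synapse_log_config_handlers_buffer_capacity }}"
+  flushLevel: "{{ synapse_log_config_handlers_buffer_flush_level }}"
+  period: "{{ synapse_log_config_handlers_buffer_period }}"
+
+# Console handler
+synapse_log_config_handlers_console_name: console
+synapse_log_config_handlers_console_class: logging.StreamHandler
+synapse_log_config_handlers_console_formatter: >-
+  {{ synapse_log_config_formatters_precise_name }}
+synapse_log_config_handlers_console:
+  class: "{{ synapse_log_config_handlers_console_class }}"
+  formatter: "{{ synapse_log_config_handlers_console_formatter }}"
+
+# Handler config
+synapse_log_config_handlers: >-2
+  {{
+    {
+      synapse_log_config_handlers_file_name: synapse_log_config_handlers_file,
+      synapse_log_config_handlers_buffer_name: synapse_log_config_handlers_buffer,
+      synapse_log_config_handlers_console_name: synapse_log_config_handlers_console,
+    }
+  }}
+
+synapse_log_config_root_handlers:
+  - "{{ synapse_log_config_handlers_buffer_name }}"
+
+synapse_log_config:
+  version: 1
+  formatters: "{{ synapse_log_config_formatters }}"
+  root:
+    level: "{{ synapse_log_config_root_level }}"
+    handlers: "{{ synapse_log_config_root_handlers }}"
+  handlers: "{{ synapse_log_config_handlers }}"
+  loggers: "{{ synapse_log_config_loggers }}"
+  disable_existing_loggers: "{{ synapse_log_config_disable_existing_loggers }}"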
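Review bot: `synapse_log_config_handlers_buffer_target: file` hard-codes the file handler's name instead of referencing `synapse_log_config_handlers_file_name`, so overriding the file handler's `_name` variable silently breaks the buffer handler's target; `synapse_log_config_handlers_buffer_target: "{{ synapse_log_config_handlers_file_name }}"` keeps the two in step, matching how the handler map below already derives its keys from the `_name` variables. Separately, `when: midnight` together with `backupCount: 3` retains only three days of rotated homeserver logs, which is a short window for reconstructing an incident after the fact; a comment on `synapse_log_config_handlers_file_backup_count` noting that deployments with audit or forensic requirements should raise it or ship logs to a central collector would help operators make that call consciously.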
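--- a/roles/synapse/defaults/main/main.yml
+++ b/roles/synapse/defaults/main/main.yml
@@ -0,0 +1,25 @@
+---
+synapse_user: synapse
+synapse_group: synapse
+synapse_version: "1.122.0"
+synapse_state: "present"
+synapse_deployment_method: "docker"
+
+synapse_base_path: /opt/synapse
+synapse_config_path: "/etc/synapse"
+synapse_data_path: "{{ synapse_base_path }}/data"
+synapse_media_store_path: "{{ synapse_data_path }}/media_store"
+synapse_log_path: "/var/log/synapse"
+synapse_homeserver_log_path: "{{ synapse_log_path }}/homeserver.log"
+synapse_venv_path: "{{ synapse_base_path }}/venv"
+
+synapse_signing_key: ~
+synapse_signing_key_file: >-
+  {{ synapse_config_path }}/{{ synapse_domain }}.signing.key
+synapse_homeserver_config_file: "{{ synapse_config_path }}/homeserver.yaml"
+synapse_logging_config_file: >-
+  {{ synapse_config_path }}/{{ synapse_domain }}.log.config
+synapse_pid_file: "{{ synapse_data_path }}/homeserver.pid"
+synapse_sqlite_database_file: "{{ synapse_data_path }}/homeserver.db"
+
+synapse_role_generate_signing_key: false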
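Review bot: With `synapse_signing_key: ~` and `synapse_role_generate_signing_key: false` as defaults the role has no signing key unless the operator sets one of the two, and nothing in this file says so. A comment above `synapse_signing_key` along the lines of `# Contents of an existing signing key (keep it in vault); alternatively set synapse_role_generate_signing_key: true to let the role generate one` would document the choice. Since the signing key is the homeserver's federation identity and replacing it invalidates signatures other servers rely on, the comment should also say that the key must be backed up together with `synapse_signing_key_file`. As a minor style point, `synapse_base_path: /opt/synapse` is the only path in the block left unquoted.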
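--- a/roles/synapse/defaults/main/systemd.yml
+++ b/roles/synapse/defaults/main/systemd.yml
@@ -0,0 +1,53 @@
+---
+synapse_systemd_name: "synapse.service"
+synapse_systemd_service_directory: /etc/systemd/system
+synapse_systemd_service_file: >-2
+  {{ synapse_systemd_service_directory }}/{{ synapse_systemd_name }}
+
+synapse_systemd_state: >-2
+  {{ (synapse_state == 'present') | ternary('started', 'stopped') }}
+synapse_systemd_enabled: >-2
+  {{ (synapse_state == 'present') | bool }}
+
+synapse_systemd_unit_description: "Synapse matrix homeserver"
+synapse_systemd_service_type: notify
+synapse_systemd_service_exec_start: >-2
+  {{ synapse_venv_path }}/bin/synapse_homeserver \
+  --config-path={{ synapse_homeserver_config_file }}
+synapse_systemd_service_exec_stop: >-2
+  {{ synapse_venv_path }}/bin/synctl \
+  stop {{ synapse_homeserver_config_file }}
+synapse_systemd_service_exec_reload: >-2
+  /usr/bin/env kill -HUP $MAINPID
+synapse_systemd_service_restart: on-failure
+
+synapse_systemd_unit_after:
+  - "network.target"
+synapse_systemd_unit_wants: []
+synapse_systemd_install_wanted_by: "default.target"
+
+# Hardening
+synapse_systemd_service_read_write_paths:
+  - "{{ synapse_base_path }}"
+  - "{{ synapse_data_path }}"
+  - "{{ synapse_media_store_path }}"
+  - "{{ synapse_log_path }}"
+synapse_systemd_service_restrict_address_families:
+  - "AF_INET"
+  - "AF_INET6"
+  - "AF_UNIX"
+synapse_systemd_service_protect_system: strict
+synapse_systemd_service_protect_home: true
+synapse_systemd_service_protect_clock: true
+synapse_systemd_service_protect_hostname: true
+synapse_systemd_service_protect_protect_kernel_logs: true
+synapse_systemd_service_protect_protect_kernel_modules: true
+synapse_systemd_service_protect_protect_kernel_tunables: true
+synapse_systemd_service_protect_protect_control_groups: true
+
+synapse_systemd_service_restrict_namespaces: true
+synapse_systemd_service_restrict_suid_sgid: true
+
+synapse_systemd_service_remove_ipc: true
+synapse_systemd_service_lock_personality: true
+synapse_systemd_service_no_new_privileges: true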
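Review bot: `synapse_systemd_service_read_write_paths` lists `synapse_base_path`, which per defaults/main/main.yml is the parent of `synapse_venv_path`, so the service can write to its own Python environment and `ProtectSystem=strict` gives little protection against a compromised process altering its code; restricting the list to `synapse_data_path`, `synapse_media_store_path` and `synapse_log_path` is what the rest of the hardening block seems to intend. The four `synapse_systemd_service_protect_protect_*` variables carry a doubled `protect_`, inconsistent with `synapse_systemd_service_protect_clock` and `..._protect_hostname` in the same block; if they are renamed, the unit template that consumes them (not in this diff) has to follow. I would also verify the rendered `ExecStart=` line: in a `>-2` folded scalar the trailing `\` of `synapse_systemd_service_exec_start` is followed by a space rather than a newline when both lines share the same indentation, which systemd does not treat as a line continuation.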
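--- a/roles/synapse/defaults/main/user.yml
+++ b/roles/synapse/defaults/main/user.yml
@@ -0,0 +1,21 @@
+---
+synapse_user_base_groups:
+  - "{{ synapse_run_group }}"
+synapse_user_groups: ~
+synapse_user_all_groups: >-2
+  {{ synapse_user_base_groups | default([], true)
+    + synapse_user_groups | default([], true) }}
+synapse_user_groups_append: "{{ synapse_user_all_groups | length > 0 }}"
+synapse_run_user: >-2
+  {{ synapse_user_info.name | default(synapse_user) }}
+synapse_run_group: >-2
+  {{ (synapse_user_info is defined and ('groups' in synapse_user_info))
+    | ternary(
+      (synapse_user_info.groups | default("") | split(",") | first),
+      synapse_group
+    )
+  }}
+synapse_run_user_id: >-2
+  {{ synapse_user_info.uid | default(synapse_user) }}
+synapse_run_group_id: >-2
+  {{ synapse_user_info.group | default(synapse_user) }}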
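Review bot: `synapse_run_group_id` falls back to `synapse_user` when `synapse_user_info.group` is unavailable, whereas the group-side fallback should be `synapse_group`, as `synapse_run_group` already does; `{{ synapse_user_info.group | default(synapse_group) }}` keeps the fallbacks consistent. `synapse_user_info` is only registered by the user task in tasks/configure.yml, so every `synapse_run_*` variable resolves to the plain defaults until that task has run; a one-line comment stating this would spare the next reader from tracing the `synapse_user_base_groups` → `synapse_run_group` → `synapse_user_info` chain to see why it is not circular at first evaluation.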
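--- a/roles/synapse/defaults/main/virtualenv.yml
+++ b/roles/synapse/defaults/main/virtualenv.yml
@@ -0,0 +1,11 @@
+---
+synapse_venv_package: "matrix-synapse[all]"
+synapse_venv_pip_dependencies:
+  - pip
+  - setuptools
+synapse_venv_package_full: >-2
+  {{ synapse_venv_package }}@{{ synapse_version }}
+
+synapse_venv_python_binary: >-2
+  {{ ansible_python_interpreter | default(omit, true) }}
+synapse_venv_extra_args: ~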
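Review bot: `synapse_venv_package_full` renders to `matrix-synapse[all]@1.122.0`, but in a pip requirement `@` introduces a direct URL reference (PEP 508), not a version pin, so unless the task consuming this string (outside this diff) rewrites it, pip will most likely reject the requirement; `{{ synapse_venv_package }}=={{ synapse_version }}` is the pinned form. Pinning the exact release is also what makes the virtualenv install reproducible, so a comment stating that `synapse_version` is the single source of truth for the deployed version would be worth adding next to it.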
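--- a/roles/synapse/docs/database.md
+++ b/roles/synapse/docs/database.md
@@ -0,0 +1,27 @@
+# `synapse` database configuration
+
+Per default, the ansible role supplies a `sqlite`-database (file-based),
+which is located in `/opt/synapse/data/homeserver.db` (`synapse_sqlite_database_file`).
+
+## PostgresQL
+
+To configure synapse for use with postgresql, set `synapse_config_database_name` to `psycopg2`.
+
+Set your connection information in `synapse_config_database_args` like this:
+```yaml
+synapse_config_database_args:
+  user: my_synapse_db_user
+  password: my_synapse_db_password
+  host: my_database_host
+  port: my_database_port_to_connect_to
+  # connection pooling (cp) settings, min and max connections
+  cp_min: 5 | int
+  cp_max: 20 | int
+```
+
+Also see [the upstream documentation on the `database` config key](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#database-1).
+
+## Transaction limits
+
+The ansible role sets a default transaction limit of 10.000 concurrent transactions.
+This configuration can be overridden in `synapse_config_database_txn_limit`.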
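--- a/roles/synapse/docs/listeners.md
+++ b/roles/synapse/docs/listeners.md
@@ -0,0 +1,85 @@
+# `synapse` listener config
+
+Synapse serves endpoints under so-called listeners, which are
+defined in `synapse_listeners_config`. The role gives some pre-
+configured options to set for use in various scenarios.
+
+## Behind reverse proxy which does SSL offloading
+
+The `synapse_listeners_default_config` is analog to the upstream
+defaults and will serve both federation and client API on a
+single HTTP port, without TLS or compression, while trusting the
+`X-Forwarded-For` headers.
+
+Use it like this:
+```yaml
+synapse_listeners_config: "{{ synapse_listeners_default_config }}"
+# Change the port like this
+synapse_config_listeners_port: 8090
+# If you use docker or your reverse-proxy is not local,
+# set the listen_addresses like this
+synapse_config_listeners_bind_addresses:
+  - "::"
+  - "0.0.0.0"
+```
+
+### Additional local metrics listener
+
+The role provides a ready-to-use configuration for a locally-reachable
+metrics listener in `synapse_metrics_listener`.
+
+To enable it, set `synapse_config_listeners: "{{ synapse_listeners_default_config + synapse_metrics_listener}}`.
+
+To customize the listener, see [the `synapse_config_metrics_listener_*` variables
+in `defaults/main/homeserver.listeners.yml`](../defaults/main/homeserver.listeners.yml).
+
+The defaults will create a http-only metrics listener on port 9000 which
+will listen on `127.0.0.1` and `::1`.
+
+## Synapse handling TLS without reverse proxy
+
+Supply your certificates using `synapse_config_tls_{certificate,private_key}_path`.
+
+Then you can either customize the default listener like this:
+```yaml
+# synapse_config_tls_certificate_path: "/etc/ssl/{{ synapse_domain }}.pem"
+# synapse_config_tls_private_key_path: "/etc/ssl/{{ synapse_domain }}.key"
+synapse_config_listeners_port: 443
+synapse_config_listeners_tls: true
+synapse_config_listeners_type: https
+synapse_config_listeners_x_forwarded: false
+synapse_config_listeners_resources_compress: true
+synapse_config_serve_server_wellknown: true
+```
+
+or you can serve federation over a different port, by completely rewriting
+the role's defaults:
+```yaml
+synapse_config_listeners:
+  - port: 8448
+    tls: true
+    type: https
+    x_forwarded: true
+    bind_addresses:
+      - 10.0.0.1
+      - fd00::1
+    resources:
+      - names: federation
+        compress: true
+  - port: 443
+    tls: true
+    type: https
+    x_forwarded: true
+    bind_addresses:
+      - 10.0.0.2
+      - fd00::2
+    resources:
+      - names: client
+        compress: true
+```
+
+It is possible to mix and match those listeners to almost all requirements,
+like listening locally without HTTPs for federation and using a WAF / firewall /
+reverse proxy infront of synapse for federation (see: "Secure Border Gateways")
+and trusting the `X-Forwarded-For` Header, while having clients
+directly connect to synapse.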
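--- a/roles/synapse/docs/logging.md
+++ b/roles/synapse/docs/logging.md
@@ -0,0 +1,48 @@
+# `synapse` logging configuration
+
+Synapse uses a `buffer` handler per default, which flushes
+periodically, but flushes logs immediately for log events
+with a level greater or equal to WARNING.
+
+To set your desired log level, specify it in `synapse_log_config_root_level`.
+
+## Formatters
+
+By default, the upstream `precise` formatter is availabe. To define and use
+more formatters, extend `synapse_log_config_formatters` like this:
+
+```yaml
+synapse_log_config_formatters_custom_json:
+  custom_json:
+    format: >-
+      {"lineno": %(lineno)d, "level": "%(levelname)s", "req_id": "%(request)s", "msg": "%(message)s"}
+synapse_log_config_formatters: >-2
+  {{
+    ({ synapse_log_config_formatters_precise_name: synapse_log_config_formatters_precise })
+    | combine(synapse_log_config_formatters_custom_json)
+  }}
+
+# Set handlers to use your formatter like this
+synapse_log_config_handlers_file_formatter: custom_json
+synapse_log_config_handlers_console_formatter: custom_json
+```
+
+## Handlers
+
+For modifying the built-in `file`/`buffer`/`console` handlers, see
+[the defaults in `../defaults/main/log.config.yml`](../defaults/main/log.config.yml).
+
+### Containers
+
+For typical container setups, it is often recommended to log all
+logs to `stdout`/`stderr`. This can be easily archieved by setting
+`synapse_log_config_root_handlers: [ synapse_log_config_handlers_console_name ]`.
+
+## Child loggers
+
+To set a different configuration / log level for child loggers of
+the root logger (currently, this is only `synapse.storage.SQL`),
+override `synapse_log_config_loggers` directly or for the SQL loggers,
+set the level in `synapse_log_config_loggers_synapse_storage_sql_level`
+(which defaults to `synapse_log_config_root_level`).
+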
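--- a/roles/synapse/handlers/main.yml
+++ b/roles/synapse/handlers/main.yml
@@ -0,0 +1,31 @@
+---
+- name: Ensure synapse is restarted
+  listen: synapse-restart
+  community.docker.docker_container:
+    name: "{{ synapse_container_name }}"
+    state: started
+    restart: true
+  when: synapse_deployment_method == 'docker'
+
+- name: Ensure synapse is restarted
+  listen: synapse-restart
+  containers.podman.podman_container:
+    name: "{{ synapse_container_name }}"
+    state: "{{ synapse_container_state }}"
+    force_restart: true
+  when: synapse_deployment_method == 'podman'
+
+- name: Ensure synapse is restarted
+  listen: synapse-restart
+  ansible.builtin.systemd_service:
+    name: "{{ synapse_systemd_service_name }}"
+    state: restarted
+  when:
+    - synapse_deployment_method == 'virtualenv'
+    - ansible_facts['service_mgr'] == systemd
+    - synapse_systemd_state == 'started'
+
+- name: Ensure systemd units are reloaded
+  listen: systemd-daemon-reload
+  ansible.builtin.systemd:
+    daemon_reload: true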
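Review bot: In the virtualenv restart handler, `ansible_facts['service_mgr'] == systemd` compares against an undefined variable named `systemd` instead of the string, so the condition is never true (or errors out, depending on the undefined-variable setting) and the service is never restarted after a config change; it needs quoting, `- ansible_facts['service_mgr'] == 'systemd'`. The same handler references `synapse_systemd_service_name`, while defaults/main/systemd.yml defines `synapse_systemd_name`; one of the two has to change or the handler fails on an undefined variable once the first condition is fixed.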
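--- a/roles/synapse/meta/main.yml
+++ b/roles/synapse/meta/main.yml
@@ -0,0 +1,12 @@
+---
+allow_duplicates: true
+dependencies: []
+galaxy_info:
+  role_name: synapse
+  description: Deploy synapse, a matrix homeserver. Supports docker, podman, virtualenv
+  galaxy_tags:
+    - synapse
+    - matrix
+    - homeserver
+    - docker
+    - podman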
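--- a/roles/synapse/tasks/check.yml
+++ b/roles/synapse/tasks/check.yml
@@ -0,0 +1,32 @@
+---
+- name: Ensure synapse_state is valid
+  ansible.builtin.fail:
+    msg: "State '{{ synapse_state }}' is not known, supported states are {{ synapse_states | join(', ') }}"
+  when: synapse_state not in synapse_states
+
+- name: Ensure synapse deployment method is supported
+  ansible.builtin.fail:
+    msg: >-
+      Deployment method '{{ synapse_deployment_method }}'
+      is unknown! Supported methods are:
+      {{ synapse_deployment_methods | join(', ') }}
+  when: synapse_deployment_method not in synapse_deployment_methods
+
+- name: Ensure required variables are given
+  ansible.builtin.fail:
+    msg: "Required variable '{{ item }}' is undefined!"
+  loop: "{{ synapse_required_variables }}"
+  when: >-2
+    item not in hostvars[inventory_hostname]
+    or hostvars[inventory_hostname][item] | length == 0
+
+- name: Ensure conditionally required variables are given
+  ansible.builtin.fail:
+    msg: "Required variable '{{ item.name }}' is undefined!"
+  loop: "{{ synapse_conditionally_required_variables }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when: >-2
+    item.when
+    and (item.name not in hostvars[inventory_hostname]
+    or hostvars[inventory_hostname][item.name] | length == 0)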
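Review bot: `hostvars[inventory_hostname][item] | length == 0` raises a templating error when the required variable holds a non-sequence such as a boolean or an integer, so a variable legitimately set to `false` or `0` surfaces as a check failure instead of passing; `hostvars[inventory_hostname][item] | string | length == 0` (or an explicit comparison against `none` and `''`) avoids that, and the same applies to the conditionally-required loop below. A comment above the loop stating that the listed variables are expected from inventory or play vars, not from the role's own defaults, would also help, since the check looks them up through `hostvars`; please confirm that is the intended contract.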
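--- a/roles/synapse/tasks/configure.yml
+++ b/roles/synapse/tasks/configure.yml
@@ -0,0 +1,74 @@
+---
+- name: Ensure synapse group '{{ synapse_group }}' is {{ synapse_state }}
+  ansible.builtin.group:
+    name: "{{ synapse_group }}"
+    system: "{{ synapse_group_system | default(true, true) }}"
+    state: "{{ synapse_state }}"
+  register: synapse_group_info
+
+- name: Ensure synapse user '{{ synapse_user }}' is {{ synapse_state }}
+  ansible.builtin.user:
+    name: "{{ synapse_user }}"
+    state: "{{ synapse_state }}"
+    system: "{{ synapse_user_system | default(true, true) }}"
+    create_home: "{{ synapse_user_create_home | default(false, true) }}"
+    groups: "{{ synapse_user_all_groups | default(omit, true) }}"
+    append: "{{ synapse_user_groups_append | default(omit, true) }}"
+  register: synapse_user_info
+
+- name: Ensure directories for synapse are {{ synapse_state }}
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: "{{ (synapse_state == 'present') | ternary('directory', 'absent') }}"
+    mode: "{{ item.mode | default('0750') }}"
+    owner: "{{ item.owner | default(synapse_user_info.uid | default(synapse_user)) }}"
+    group: "{{ item.group | default(synapse_user_info.group | default(synapse_user)) }}"
+  loop:
+    - path: "{{ synapse_base_path }}"
+      mode: "0755"
+    - path: "{{ synapse_config_path }}"
+      mode: "0755"
+    - path: "{{ synapse_data_path }}"
+      mode: "0755"
+    - path: "{{ synapse_media_store_path }}"
+      mode: "0755"
+    - path: "{{ synapse_log_path }}"
+      mode: "0755"
+  loop_control:
+    label: "{{ item.path }}"
+
+- name: Ensure synapse signing key is generated
+  finallycoffee.matrix.synapse_signing_key:
+    path: "{{ synapse_signing_key_file }}"
+    state: "{{ synapse_state }}"
+  when: synapse_role_generate_signing_key
+  notify:
+    - synapse-restart
+
+- name: Ensure configuration files are templated
+  ansible.builtin.copy:
+    dest: "{{ config_file.path }}"
+    content: "{{ config_file.content }}"
+    mode: "{{ config_file.mode | default('0640') }}"
+    owner: "{{ config_file.owner | default(synapse_user_info.uid | default(synapse_user)) }}"
+    group: "{{ config_file.group | default(synapse_user_info.group | default(synapse_user)) }}"
+  loop: >-
+    {{ synapse_configs_to_write
+    + (synapse_keys_to_write if not synapse_role_generate_signing_key else [])
+    + synapse_configs | default([]) }}
+  loop_control:
+    loop_var: config_file
+    label: "{{ config_file.path }}"
+  vars:
+    synapse_configs_to_write:
+      - content: "{{ synapse_homeserver_config | to_nice_yaml(width=1000) }}"
+        path: "{{ synapse_homeserver_config_file }}"
+      - content: "{{ synapse_log_config | to_nice_yaml(width=1000) }}"
+        path: "{{ synapse_logging_config_file }}"
+    synapse_keys_to_write:
+      - content: "{{ synapse_signing_key }}"
+        path: "{{ synapse_signing_key_file }}"
+        mode: "0640"
+  notify:
+    - synapse-restart
+  when: synapse_state != 'absent'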
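Review bot: When `synapse_role_generate_signing_key` is false and `synapse_signing_key` keeps its null default from defaults/main/main.yml, the last task still iterates `synapse_keys_to_write`, so the copy either fails on an empty `content` or leaves a key file without a usable key at `synapse_signing_key_file`; failing early with a clear message is preferable, e.g. an `ansible.builtin.fail` task in tasks/check.yml guarded by `when: not synapse_role_generate_signing_key and not (synapse_signing_key | default(false, true))`. The directory task defaults `mode` to `'0750'`, but every loop item overrides it with `"0755"`, which makes the default dead code and leaves `synapse_data_path` and `synapse_media_store_path` (database file and uploaded media) traversable by every local account; dropping the `mode` key from those two items would restore the stricter default without touching the base, config and log directories.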
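--- a/roles/synapse/tasks/deploy-docker.yml
+++ b/roles/synapse/tasks/deploy-docker.yml
@@ -0,0 +1,31 @@
+---
+- name: Ensure container image '{{ synapse_container_image }}' is {{ synapse_state }} on host
+  community.docker.docker_image:
+    name: "{{ synapse_container_image }}"
+    state: "{{ synapse_state }}"
+    source: "{{ synapse_container_image_source }}"
+    force_source: "{{ synapse_container_image_tag | default(false, true) | bool }}"
+  register: synapse_container_image_info
+  until: synapse_container_image_info is success
+  retries: 4
+  delay: 2
+
+- name: Ensure synapse container '{{ synapse_container_name }}' is {{ (synapse_state == 'present') | ternary('started', 'absent') }}
+  community.docker.docker_container:
+    name: "{{ synapse_container_name }}"
+    image: "{{ synapse_container_image }}"
+    env: "{{ synapse_container_env | default(omit, true) }}"
+    user: "{{ synapse_container_user | default(omit, true) }}"
+    groups: "{{ synapse_container_groups | default(omit, true) }}"
+    ports: "{{ synapse_container_ports | default(omit, true) }}"
+    labels: "{{ synapse_container_labels | default(omit, true) }}"
+    ulimits: "{{ synapse_container_ulimits | default(omit, true) }}"
+    volumes: "{{ synapse_container_all_volumes }}"
+    networks: "{{ synapse_container_networks | default(omit, true) }}"
+    dns_servers: "{{ synapse_container_dns_servers | default(omit, true) }}"
+    etc_hosts: "{{ synapse_container_etc_hosts | default(omit, true) }}"
+    memory: "{{ synapse_container_memory | default(omit, true) }}"
+    memory_reservation: "{{ synapse_container_memory_reservation | default(omit, true) }}"
+    memory_swap: "{{ synapse_container_memory_swap | default(omit, true) }}"
+    restart_policy: "{{ synapse_container_restart_policy }}"
+    state: "{{ synapse_container_state }}"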
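Review bot: `force_source: "{{ synapse_container_image_tag | default(false, true) | bool }}"` applies `| bool` to an image tag string, which evaluates to false for any ordinary tag such as `1.122.0` (and newer ansible-core warns on non-boolean strings), so whatever the intent is—forcing a re-pull whenever a tag is set, or only for floating tags—it is not what runs; if the former is meant, `"{{ (synapse_container_image_tag | default('', true)) | length > 0 }}"` expresses it, and the same applies to `force:` in deploy-podman.yml. The container task exposes memory and ulimit knobs but no `cap_drop`, `security_opts` or `read_only` passthrough, so unlike the systemd hardening block in defaults/main/systemd.yml the docker deployment runs with the runtime's default capability set; adding `synapse_container_cap_drop` and `synapse_container_security_opts` variables (omitted by default, like the existing ones) would give the two deployment methods parity.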
31
roles/synapse/tasks/deploy-podman.yml
Normal file
31
roles/synapse/tasks/deploy-podman.yml
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
---
|
||||||
|
- name: Ensure container image '{{ synapse_container_image }}' is {{ synapse_state }} on host
|
||||||
|
containers.podman.podman_image:
|
||||||
|
name: "{{ synapse_container_image }}"
|
||||||
|
state: "{{ synapse_state }}"
|
||||||
|
pull: "{{ synapse_container_image_source == 'pull' }}"
|
||||||
|
force: "{{ synapse_container_image_tag | default(false, true) | bool }}"
|
||||||
|
register: synapse_container_image_info
|
||||||
|
until: synapse_container_image_info is success
|
||||||
|
retries: 5
|
||||||
|
delay: 3
|
||||||
|
|
||||||
|
- name: Ensure synapse container '{{ synapse_container_name }}' is {{ synapse_container_state }}
|
||||||
|
containers.podman.podmain_container:
|
||||||
|
name: "{{ synapse_container_name }}"
|
||||||
|
image: "{{ synapse_container_image }}"
|
||||||
|
env: "{{ synapse_container_env | default(omit, true) }}"
|
||||||
|
user: "{{ synapse_container_user | default(omit, true) }}"
|
||||||
|
groups: "{{ synapse_container_groups | default(omit, true) }}"
|
||||||
|
ports: "{{ synapse_container_ports | default(omit, true) }}"
|
||||||
|
labels: "{{ synapse_container_labels | default(omit, true) }}"
|
||||||
|
ulimits: "{{ synapse_container_ulimits | default(omit, true) }}"
|
||||||
|
volumes: "{{ synapse_container_all_volumes }}"
|
||||||
|
network: "{{ synapse_container_networks | default(omit, true) }}"
|
||||||
|
dns_servers: "{{ synapse_container_dns_servers | default(omit, true) }}"
|
||||||
|
etc_hosts: "{{ synapse_container_etc_hosts | default(omit, true) }}"
|
||||||
|
memory: "{{ synapse_container_memory | default(omit, true) }}"
|
||||||
|
memory_reservation: "{{ synapse_container_memory_reservation | default(omit, true) }}"
|
||||||
|
memory_swap: "{{ synapse_container_memory_swap | default(omit, true) }}"
|
||||||
|
restart_policy: "{{ synapse_container_restart_policy }}"
|
||||||
|
state: "{{ synapse_container_state }}"
|
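Review bot: The module name on the second task, `containers.podman.podmain_container:`, is misspelled and will fail at task resolution with a module-not-found error; it should read `containers.podman.podman_container:`. Several argument names look carried over from the `docker_container` task in deploy-docker.yml (`ulimits`, `dns_servers`, `groups`) and should be checked against the `podman_container` argument spec, which names some of these differently. `force: "{{ synapse_container_image_tag | default(false, true) | bool }}"` runs an image tag string through `bool`, which is false for an ordinary tag and rejected outright by recent ansible-core; the same expression feeds `force_source` in deploy-docker.yml, so the intent deserves a comment in both places, e.g. `# force a fresh pull only when a tag is set; confirm this is the intended semantics`. The retry settings (5/3 here, 4/2 in the docker variant) also differ for no visible reason.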
67
roles/synapse/tasks/deploy-virtualenv.yml
Normal file
67
roles/synapse/tasks/deploy-virtualenv.yml
Normal file
@ -0,0 +1,67 @@
|
|||||||
|
---
|
||||||
|
- name: Ensure directory for virtualenv is {{ synapse_state }}
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ synapse_venv_path }}"
|
||||||
|
owner: >-2
|
||||||
|
{{ synapse_user_info.uid | default(synapse_user) }}
|
||||||
|
group: >-2
|
||||||
|
{{ synapse_user_info.group | default(synapse_user) }}
|
||||||
|
mode: "{{ synapse_venv_path_mode | default('0755') }}"
|
||||||
|
state: >-
|
||||||
|
{{ (synapse_state == 'present')
|
||||||
|
| ternary('directory', 'absent') }}
|
||||||
|
|
||||||
|
- name: Ensure virtual environment is {{ synapse_state }}
|
||||||
|
ansible.builtin.pip:
|
||||||
|
name: "{{ synapse_venv_pip_dependencies }}"
|
||||||
|
virtualenv: "{{ synapse_venv_path }}"
|
||||||
|
virtualenv_python: "{{ synapse_venv_python_binary }}"
|
||||||
|
extra_args: "{{ synapse_venv_extra_args | default(omit, true) }}"
|
||||||
|
state: "{{ synapse_state }}"
|
||||||
|
|
||||||
|
- name: Ensure synapse pip package is {{ synapse_state }}
|
||||||
|
ansible.builtin.pip:
|
||||||
|
name: "{{ synapse_venv_package }}"
|
||||||
|
version: "{{ synapse_version }}"
|
||||||
|
state: "{{ synapse_state }}"
|
||||||
|
virtualenv: "{{ synapse_venv_path }}"
|
||||||
|
notify:
|
||||||
|
- synapse-restart
|
||||||
|
when: synapse_state != 'absent'
|
||||||
|
|
||||||
|
- name: Ensure synapse virtualenv is {{ synapse_state }}
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ synapse_venv_path }}"
|
||||||
|
state: "{{ synapse_state }}"
|
||||||
|
when: synapse_state == 'absent'
|
||||||
|
|
||||||
|
- name: Ensure systemd unit is {{ synapse_state }}
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: "synapse.service.j2"
|
||||||
|
dest: "{{ synapse_systemd_service_file }}"
|
||||||
|
notify:
|
||||||
|
- systemd-daemon-reload
|
||||||
|
when: synapse_state != 'absent'
|
||||||
|
|
||||||
|
- name: Ensure systemd unit is {{ synapse_state }}
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ synapse_systemd_service_file }}"
|
||||||
|
state: "{{ synapse_state }}"
|
||||||
|
when: synapse_state == 'absent'
|
||||||
|
notify:
|
||||||
|
- systemd-daemon-reload
|
||||||
|
|
||||||
|
- name: Ensure handlers are flushed for systemd daemon reload and synapse service state propagation
|
||||||
|
meta: flush_handlers
|
||||||
|
|
||||||
|
- name: Ensure systemd service is {{ synapse_systemd_state }}
|
||||||
|
ansible.builtin.systemd_service:
|
||||||
|
name: "{{ synapse_systemd_name }}"
|
||||||
|
state: "{{ synapse_systemd_state }}"
|
||||||
|
when: synapse_state != 'absent'
|
||||||
|
|
||||||
|
- name: Ensure systemd service is {{ synapse_systemd_enabled | ternary('enabled', 'disabled') }}
|
||||||
|
ansible.builtin.systemd_service:
|
||||||
|
name: "{{ synapse_systemd_name }}"
|
||||||
|
enabled: "{{ synapse_systemd_enabled }}"
|
||||||
|
when: synapse_state != 'absent'
|
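Review bot: When `synapse_state` is `absent` the unit file is deleted by the second "Ensure systemd unit is …" task, but the running service is never stopped or disabled, because both `systemd_service` tasks are guarded by `synapse_state != 'absent'`; the process keeps running until the next reboot and the daemon-reload only drops the unit from systemd's view. A stop/disable step should run before the removal, guarded by a `stat` of the unit file so a host that never had the unit does not fail; the added tasks are sketched below. The two tasks both named "Ensure systemd unit is {{ synapse_state }}" are indistinguishable in play output; "… is deployed" / "… is removed" would be clearer. The `owner: >-2` / `group: >-2` block scalars carry an explicit indentation indicator that is unnecessary unless the content line is deliberately over-indented, and the sibling `mode:` key on the same task already uses the plainer `"{{ … }}"` form. The synapse package install resolves `{{ synapse_venv_package }}`/`{{ synapse_version }}` from the index without hash verification; if reproducible installs are a goal, `extra_args` is the existing hook for a hash-pinned requirements file.

```yaml
# … unchanged: virtualenv directory, pip and venv-removal tasks …

- name: Check whether the systemd unit file exists
  ansible.builtin.stat:
    path: "{{ synapse_systemd_service_file }}"
  register: synapse_systemd_service_file_info
  when: synapse_state == 'absent'

- name: Ensure systemd service is stopped and disabled before its unit is removed
  ansible.builtin.systemd_service:
    name: "{{ synapse_systemd_name }}"
    state: stopped
    enabled: false
  when:
    - synapse_state == 'absent'
    - synapse_systemd_service_file_info.stat.exists | default(false)

- name: Ensure systemd unit is {{ synapse_state }}
  ansible.builtin.file:
# … unchanged: path, state, when, notify …
```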
13
roles/synapse/tasks/main.yml
Normal file
13
roles/synapse/tasks/main.yml
Normal file
@ -0,0 +1,13 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
- name: Ensure checks are passing
|
||||||
|
ansible.builtin.include_tasks:
|
||||||
|
file: "check.yml"
|
||||||
|
|
||||||
|
- name: Ensure base configuration is created
|
||||||
|
ansible.builtin.include_tasks:
|
||||||
|
file: "configure.yml"
|
||||||
|
|
||||||
|
- name: Deploy using {{ synapse_deployment_method }}
|
||||||
|
ansible.builtin.include_tasks:
|
||||||
|
file: "deploy-{{ synapse_deployment_method }}.yml"
|
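Review bot: The final include builds the task-file name from `synapse_deployment_method` with no validation visible in this file; unless `check.yml` already asserts the value is one of `synapse_deployment_methods` (vars/main.yml), an unexpected value fails only at include time with a file-not-found error. A comment on that task such as `# synapse_deployment_method is validated against synapse_deployment_methods in check.yml` documents the dependency, or an `ansible.builtin.assert` can sit directly ahead of the include. check.yml is not part of this chunk, so this may already be covered.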
44
roles/synapse/templates/synapse.service.j2
Normal file
44
roles/synapse/templates/synapse.service.j2
Normal file
@ -0,0 +1,44 @@
|
|||||||
|
[Unit]
|
||||||
|
Description={{ synapse_systemd_unit_description }}
|
||||||
|
|
||||||
|
{% if synapse_systemd_unit_after | default([]) | length > 0 %}
|
||||||
|
After={{ synapse_systemd_unit_after | join(' ') }}
|
||||||
|
{% endif %}
|
||||||
|
{% if synapse_systemd_unit_wants | default([]) | length > 0 %}
|
||||||
|
Wants={{ synapse_systemd_unit_wants | join(' ') }}
|
||||||
|
{% endif %}
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type={{ synapse_systemd_service_type }}
|
||||||
|
WorkingDirectory={{ synapse_venv_path }}
|
||||||
|
ExecStart={{ synapse_systemd_service_exec_start }}
|
||||||
|
ExecStop={{ synapse_systemd_service_exec_stop }}
|
||||||
|
ExecReload={{ synapse_systemd_service_exec_reload }}
|
||||||
|
|
||||||
|
User={{ synapse_run_user }}
|
||||||
|
Group={{ synapse_run_group }}
|
||||||
|
|
||||||
|
Restart={{ synapse_systemd_service_restart }}
|
||||||
|
|
||||||
|
ProtectSystem={{ synapse_systemd_service_protect_system }}
|
||||||
|
ProtectHome={{ synapse_systemd_service_protect_home }}
|
||||||
|
ProtectClock={{ synapse_systemd_service_protect_clock }}
|
||||||
|
ProtectHostname={{ synapse_systemd_service_protect_hostname }}
|
||||||
|
ProtectKernelLogs={{ synapse_systemd_service_protect_protect_kernel_logs }}
|
||||||
|
ProtectKernelModules={{ synapse_systemd_service_protect_protect_kernel_modules }}
|
||||||
|
ProtectKernelTunables={{ synapse_systemd_service_protect_protect_control_groups }}
|
||||||
|
ProtectControlGroups={{ synapse_systemd_service_protect_protect_control_groups }}
|
||||||
|
|
||||||
|
RestrictNamespaces={{ synapse_systemd_service_restrict_namespaces }}
|
||||||
|
RestrictSUIDSGID={{ synapse_systemd_service_restrict_suid_sgid }}
|
||||||
|
{% for path in synapse_systemd_service_read_write_paths | default([]) %}
|
||||||
|
ReadWritePaths={{ path }}
|
||||||
|
{% endfor %}
|
||||||
|
RestrictAddressFamilies={{ synapse_systemd_service_restrict_address_families | join(' ') }}
|
||||||
|
|
||||||
|
RemoveIPC={{ synapse_systemd_service_remove_ipc }}
|
||||||
|
LockPersonality={{ synapse_systemd_service_lock_personality }}
|
||||||
|
NoNewPrivileges={{ synapse_systemd_service_no_new_privileges }}
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy={{ synapse_systemd_install_wanted_by }}
|
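Review bot: `ProtectKernelTunables=` is rendered from `synapse_systemd_service_protect_protect_control_groups`, the same variable that feeds `ProtectControlGroups=` on the next line, so the kernel-tunables hardening cannot be set independently and silently follows the control-groups setting; it should read its own variable, e.g. `ProtectKernelTunables={{ synapse_systemd_service_protect_kernel_tunables }}` with a matching default added to the role (the defaults file is outside this chunk). The `_protect_protect_` doubling in the kernel-logs, kernel-modules and control-groups variable names looks like a copy-paste artifact; whatever the defaults file defines must match these names exactly or the render fails on an undefined variable, so template and defaults are worth reconciling together. `RestrictAddressFamilies=` and `WantedBy=` are rendered without a `default()`, unlike the `After=`/`Wants=`/`ReadWritePaths=` blocks; that is fine if the role always defines them but inconsistent with the rest of the template.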
16
roles/synapse/vars/main.yml
Normal file
16
roles/synapse/vars/main.yml
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
synapse_states:
|
||||||
|
- present
|
||||||
|
- absent
|
||||||
|
|
||||||
|
synapse_deployment_methods:
|
||||||
|
- docker
|
||||||
|
- podman
|
||||||
|
- virtualenv
|
||||||
|
|
||||||
|
synapse_required_variables:
|
||||||
|
- synapse_domain
|
||||||
|
|
||||||
|
synapse_conditionally_required_variables:
|
||||||
|
- name: synapse_signing_key
|
||||||
|
when: "{{ not synapse_role_generate_signing_key | bool }}"
|
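Review bot: The `when` entry under `synapse_conditionally_required_variables` is stored as a templated string, `"{{ not synapse_role_generate_signing_key | bool }}"`, so on access it yields the string `True`/`False` rather than a conditional expression; if `check.yml` places it directly in a `when:`, Ansible warns about template delimiters in conditionals, and a consumer that does not cast it with `| bool` would treat the non-empty string `False` as truthy. If the consumer does cast it, a comment makes that contract visible, e.g. `# templated on access; check.yml must evaluate it with | bool`; otherwise store the bare expression `not synapse_role_generate_signing_key | bool` and let check.yml evaluate it. check.yml is not in this chunk, so the intended consumer is inferred.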