	| Author | SHA1 | Date | |
|---|---|---|---|
| e8e3bc8859 | |||
| dd696c3442 | 
| @@ -4,10 +4,16 @@ | ||||
|  | ||||
| Roles for deploying matrix infrastructure using ansible. | ||||
|  | ||||
| ## Modules | ||||
|  | ||||
| - [`synapse_signing_key`](plugins/modules/synapse_signing_key.md): Module for managing / generating synapse signing keys | ||||
|  | ||||
| ## Roles | ||||
|  | ||||
| - [`cinny`](roles/cinny/README.md): [Cinny](https://cinny.in/) Web Client | ||||
| - [`element`](roles/element/README.md): [Element](https://element.io/) Web Client | ||||
| - [`synapse`](roles/synapse/README.md): [Synapse](https://github.com/element-hq/synapse/), | ||||
|   a matrix homeserver implemention by Element | ||||
|  | ||||
| ## License | ||||
|  | ||||
|   | ||||
							
								
								
									
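--- a/playbooks/synapse.yml
+++ b/playbooks/synapse.yml
@@ -0,0 +1,6 @@
+---
+- name: Deploy and configure synapse
+  hosts: "{{ synapse_hosts | default('synapse') }}"
+  become: "{{ synapse_become | default(true) }}"
+  roles:
+    - role: finallycoffee.matrix.synapse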
							
								
								
									
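--- a/plugins/modules/synapse_signing_key.md
+++ b/plugins/modules/synapse_signing_key.md
@@ -0,0 +1,33 @@
+# `finallycoffee.matrix.synapse_signing_key` module
+
+Module to generate and manage synapse signing keys.
+
+> [!TIP]
+> Supports `check mode` and `diff` rendering
+
+## Requirements
+
+- `python >= 3.9`
+- `signed_json >= 1.1.4`
+
+
+## Usage examples
+
+```yaml
+# Generate a key
+- finallycoffee.matrix.synapse_signing_key:
+    path: "/not/there/yet/signing.key"
+    state: present
+
+# Read a key from the filesystem or generate one
+- finallycoffee.matrix.synapse_signing_key:
+    path: "/maybe/existing/signing/key"
+  register: key_result
+- debug:
+    msg: "Signing key is '{{ key_result.signing_key }}'"
+
+# Delete an existing signing key file
+- finallycoffee.matrix.synapse_signing_key:
+    path: "/path/to/key/to/delete.key"
+    state: absent
+```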
							
								
								
									
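--- a/plugins/modules/synapse_signing_key.py
+++ b/plugins/modules/synapse_signing_key.py
@@ -0,0 +1,139 @@
+#!/usr/bin/env python
+
+__metaclass__ = type
+
+import os
+import traceback
+import random, string
+from ansible.module_utils.basic import AnsibleModule, missing_required_lib
+
+from dataclasses import asdict
+
+LIB_IMPORT_ERR = None
+try:
+    from signedjson.key import *
+    HAS_LIB = True
+except:
+    HAS_LIB = False
+    LIB_IMPORT_ERR = traceback.format_exc()
+
+DOCUMENTION = r"""
+---
+module: synapse_signing_key
+author:
+    - transcaffeine (transcaffeine@finally.coffee)
+requirements:
+    - python >= 3.9
+    - signed_json >= 1.1.4
+short_description: Generate and persist a synapse signing key
+description:
+    - "Allows to generate, save and manipulate synapse signing keys"
+options:
+    path:
+        description: "Where the signing key is saved or read from"
+        type: str
+        required: false
+    state:
+        description: "State of the key to enforce, can be used to remove keys or generate them"
+        type: str
+        choices: [present, absent]
+        default: present
+        required: false
+"""
+
+EXAMPLES = r"""
+- name: Read existing signing key from filesystem
+  finallycoffee.matrix.synapse_signing_key:
+    path: "/path/to/existing-synapse.signing.key"
+- name: Delete existing signing key
+  finallycoffee.matrix.synapse.signing_key:
+    path: "/this/signing/key/will/be/deleted.signing.key"
+    state: absent
+"""
+
+RETURN = r"""
+signing_key:
+  description: Complete synapse signing key
+  returned: always
+  type: str
+"""
+
+def main() -> None:
+    _ = dict
+    module = AnsibleModule(
+        argument_spec=_(
+            path=_(required=False, type="str"),
+            state=_(
+                required=False,
+                type="str",
+                default="present",
+                choices=["present", "absent"],
+            ),
+        ),
+        supports_check_mode=True,
+    )
+
+    result = _(changed=False, diff={}, msg="")
+    failed = False
+
+    if not HAS_LIB:
+        module.fail_json(msg=missing_required_lib("signed_json"), exception=LIB_IMPORT_ERR)
+
+    path = module.params['path']
+    state = module.params['state']
+    existing_key_found = False
+    if path:
+        try:
+            keys = _read_signing_keys(module.params['path'])
+            existing_key_found = True
+        except FileNotFoundError:
+            existing_key_found = False
+    if not existing_key_found:
+        keys = _generate_signing_key()
+        result['changed'] = True
+
+    if not module.check_mode:
+        if state == 'present' and not existing_key_found and path:
+            _save_signing_keys(path, keys)
+        if state == 'absent' and existing_key_found:
+            os.remove(path)
+            result['changed'] = True
+
+    result['diff'] = {
+        "before_header": path,
+        "after_header": path,
+        "before": _render_signing_keys(keys) if existing_key_found else "",
+        "after": "" if state == 'absent' else _render_signing_keys(keys),
+    }
+    result['signing_key'] = _render_signing_keys(keys)
+
+    if failed:
+        module.fail_json(**result)
+    else:
+        module.exit_json(**result)
+    
+def _render_signing_keys(keys) -> str:
+    return "\n".join(_render_signing_key(k) for k in keys)
+
+def _render_signing_key(key) -> str:
+    key_b64 = encode_signing_key_base64(key)
+    return f"{key.alg} {key.version} {key_b64}"
+
+def _read_signing_keys(file):
+    with open(file, "r", opener=lambda path, f: os.open(path, f)) as stream:
+        return read_signing_keys(stream)
+
+def _write_signing_keys(file, keys) -> None:
+    with open(file, "w", opener=lambda path, f: op.open(path, f, mode=0o640)) as stream:
+        write_signing_keys(strea, keys)
+
+def _generate_signing_key():
+    id = ''
+    for i in range(0, 4):
+        id += random.choice(string.ascii_letters)
+    key_id = "a_" + id
+    key = generate_signing_key(key_id)
+    return [key]
+
+if __name__ == "__main__":
+    main()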
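Review bot: The persist path in main() cannot run: `_save_signing_keys`, called in the `state == 'present'` branch, is never defined — the helper is named `_write_signing_keys`, and that helper itself references an undefined `op` and a misspelled `strea`, so creating a new key raises NameError as soon as check mode is off. Independently, `state: absent` on a path that does not exist generates a fresh key, reports `changed: true` and returns it, so the absent state is not idempotent; the rewrite below only generates when `state == 'present'` and seeds `keys = []` so `_render_signing_keys` still yields `""`. The import guard should read `except ImportError:` rather than bare `except:`, and the doc constant must be spelled `DOCUMENTATION` for ansible-doc to pick it up (the EXAMPLES block also names the module as `finallycoffee.matrix.synapse.signing_key`). Because `signing_key` and `diff.after` carry the private key, every run in `--diff`/verbose mode prints it and the usage example in synapse_signing_key.md echoes it through `debug`; at least document `no_log: true` for tasks that register the result, and consider `0o600` for the created file unless group read is required by the deployment. The untouched `_generate_signing_key` could use `secrets.choice` and stop shadowing the builtin `id`, though the version string itself is not secret.
```python
    existing_key_found = False
    keys = []
    if path:
        try:
            keys = _read_signing_keys(path)
            existing_key_found = True
        except FileNotFoundError:
            existing_key_found = False
    # Only 'present' may create a key; 'absent' on a missing file is a no-op.
    if state == 'present' and not existing_key_found:
        keys = _generate_signing_key()
        result['changed'] = True
    # … unchanged: check-mode guard, removal branch, diff/result assembly …

def _save_signing_keys(file, keys) -> None:
    # Name matches the call site in main(); the mode applies at creation only
    # and is still subject to the process umask.
    with open(file, "w", opener=lambda p, flags: os.open(p, flags, mode=0o640)) as stream:
        write_signing_keys(stream, keys)
```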
							
								
								
									
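--- a/roles/synapse/README.md
+++ b/roles/synapse/README.md
@@ -0,0 +1,28 @@
+# `finallycoffee.matrix.synapse` ansible role
+
+## Configuration
+
+### Required
+
+The following variables need to be populated:
+
+- `synapse_domain` - the domain this homeserver should be authoritative for.
+- `synapse_signing_key` - the signing key synapse should use.
+  Set either this or `synapse_role_generate_signing_key: true`.
+
+## Other
+
+- [Configure your database](docs/database.md)
+- [Configure your listeners](docs/listeners.md)
+
+## Deployment methods
+
+### Docker
+
+Set `synapse_deployment_method: docker` to deploy synapse in docker container(s).
+This is currently the default.
+
+### Planned methods
+
+- virtual env + systemd
+- podman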
							
								
								
									
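--- a/roles/synapse/defaults/main/container.yml
+++ b/roles/synapse/defaults/main/container.yml
@@ -0,0 +1,43 @@
+---
+synapse_container_name: synapse
+synapse_container_image: >-2
+  {{
+    [
+      synapse_container_image_repository,
+      synapse_container_image_tag | default('v' ~ synapse_version, true)
+    ] | join(':')
+  }}
+synapse_container_image_registry: ghcr.io
+synapse_container_image_namespace: element-hq
+synapse_container_image_name: synapse
+synapse_container_image_repository: >-2
+  {{ synapse_container_image_registry
+  ~ (('/' ~ synapse_container_image_namespace)
+      if synapse_container_image_namespace else '')
+  ~ '/' ~ synapse_container_image_name }}
+synapse_container_image_source: pull
+synapse_container_image_tag: ~
+synapse_container_env: {}
+synapse_container_user: ~
+synapse_container_group: ~
+synapse_container_ports: ~
+synapse_container_labels: ~
+synapse_container_ulimits: ~
+synapse_container_networks: ~
+synapse_container_purge_networks: ~
+synapse_container_dns_servers: ~
+synapse_container_etc_hosts: ~
+synapse_container_memory: ~
+synapse_container_memory_reservation: ~
+synapse_container_memory_swap: ~
+synapse_container_state: "started"
+synapse_container_restart_policy: "unless-stopped"
+
+synapse_container_volumes: ~
+synapse_container_default_volumes:
+  - "{{ synapse_homeserver_config_file }}:{{ synapse_homeserver_config_file }}:ro"
+  - "{{ synapse_logging_config_file }}:{{ synapse_logging_config_file }}:ro"
+  - "{{ synapse_signing_key_file }}:{{ synapse_signing_key_file }}:ro"
+  - "{{ synapse_data_path }}:{{ synapse_data_path }}:z"
+  - "{{ synapse_media_store_path }}:{{ synapse_media_store_path }}:z"
+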
							
								
								
									
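--- a/roles/synapse/defaults/main/homeserver.cache.yml
+++ b/roles/synapse/defaults/main/homeserver.cache.yml
@@ -0,0 +1,15 @@
+---
+synapse_config_event_cache_size: "10K"
+synapse_config_caches_global_factor: "0.5"
+synapse_config_caches_per_cache_factors: {}
+synapse_config_caches_expire_caches: true
+synapse_config_caches_sync_response_cache_duration: "2m"
+
+synapse_cache_config:
+  event_cache_size: "{{ synapse_config_event_cache_size }}"
+  caches:
+    global_factor: "{{ synapse_config_caches_global_factor }}"
+    per_cache_factors: "{{ synapse_config_caches_per_cache_factors }}"
+    expire_caches: "{{ synapse_config_caches_expire_caches }}"
+    sync_response_cache_duration: >-
+      {{ synapse_config_caches_sync_response_cache_duration }}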
							
								
								
									
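--- a/roles/synapse/defaults/main/homeserver.config.yml
+++ b/roles/synapse/defaults/main/homeserver.config.yml
@@ -0,0 +1,28 @@
+---
+synapse_config_server_name: "{{ synapse_domain }}"
+synapse_config_log_config_path: >-
+  {{ synapse_logging_config_file }}
+synapse_config_media_store_path: >-
+  {{ synapse_media_store_path }}
+synapse_config_signing_key_path: >-
+  {{ synapse_signing_key_file }}
+synapse_config_trusted_key_servers:
+  - "matrix.org"
+synapse_listeners_config: "{{ synapse_config_listeners }}"
+
+synapse_default_config: >-
+  {{
+    synapse_default_server_config
+    | combine(synapse_tls_config)
+    | combine(synapse_email_config)
+    | combine(synapse_federation_config)
+    | combine(synapse_media_config)
+    | combine(synapse_turn_config)
+    | combine(synapse_cache_config)
+    | combine(synapse_ratelimit_config)
+    | combine(synapse_metrics_config)
+  }}
+
+synapse_homeserver_config: >-
+  {{ synapse_default_config
+    | combine(synapse_config | default({})) }}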
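Review bot: `synapse_config_trusted_key_servers` is a list of bare strings (`- "matrix.org"`), but synapse documents `trusted_key_servers` as a list of mappings (`- server_name: "matrix.org"`, optionally with `verify_keys`), so if this variable is templated into the homeserver config unchanged — its consumer is not in this hunk — synapse's config validation will presumably reject it. Separately, `synapse_homeserver_config` merges operator overrides with a plain `combine(...)`, which is shallow: a user setting `synapse_config: {email: {smtp_host: x}}` replaces the whole `email` mapping rather than one key, silently dropping the role's defaults for that section; `| combine(synapse_config | default({}), recursive=True) }}` is likely what is intended.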
							
								
								
									
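--- a/roles/synapse/defaults/main/homeserver.database.yml
+++ b/roles/synapse/defaults/main/homeserver.database.yml
@@ -0,0 +1,10 @@
+---
+synapse_config_database_name: sqlite3
+synapse_config_database_args:
+  database: "{{ synapse_sqlite_database_file }}"
+synapse_config_database_txn_limit: "{{ 10000 | int}}"
+
+synapse_database_config:
+  name: "{{ synapse_config_database_name }}"
+  args: "{{ synapse_config_database_args }}"
+  txn_limit: "{{ synapse_config_database_txn_limit }}"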
							
								
								
									
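--- a/roles/synapse/defaults/main/homeserver.email.yml
+++ b/roles/synapse/defaults/main/homeserver.email.yml
@@ -0,0 +1,7 @@
+---
+synapse_config_email_smtp_host: ~
+synapse_config_email_smtp_port: 465
+synapse_email_config:
+  email:
+    smtp_host: "{{ synapse_config_email_smtp_host }}"
+    smtp_port: "{{ synapse_config_email_smtp_port }}"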
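Review bot: The SMTP defaults pair port 465 with no TLS setting; 465 is the implicit-TLS port, and synapse only wraps the connection in TLS from the start when `force_tls: true` is set (otherwise it speaks plain SMTP and opportunistically upgrades via STARTTLS, which does not work on 465). Add `synapse_config_email_force_tls: true` and `synapse_config_email_require_transport_security: true` and map them to `force_tls` / `require_transport_security` under `email:`, so a misbehaving relay cannot downgrade the connection to cleartext. Also, `smtp_host: ~` renders as `null` into the homeserver config whenever no host is set — presumably the `email` section is meant to be omitted entirely in that case, as the federation and metrics defaults do with their conditional `combine`.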
							
								
								
									
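--- a/roles/synapse/defaults/main/homeserver.federation.yml
+++ b/roles/synapse/defaults/main/homeserver.federation.yml
@@ -0,0 +1,37 @@
+---
+# see https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#federation
+synapse_config_federation_domain_whitelist: ~
+synapse_config_federation_whitelist_endpoint_enabled: true
+synapse_config_federation_metrics_domains: []
+# see https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#federation-1
+# for federation retry / network tuning
+synapse_config_federation: {}
+synapse_config_allow_profile_lookup_over_federation: false
+synapse_config_allow_device_name_lookup_over_federation: false
+
+synapse_config_federation_verify_certificates: true
+synapse_config_federation_client_minimum_tls_version: "1.2"
+synapse_config_federation_verification_whitelist: []
+synapse_config_federation_custom_ca_list: []
+
+synapse_federation_tls_config:
+  federation_verify_certificates: "{{ synapse_config_federation_verify_certificates }}"
+  federation_client_minimum_tls_version: >-
+    {{ synapse_config_federation_client_minimum_tls_version }}
+  federation_certificate_verification_whitelist: >-
+    {{ synapse_config_federation_verification_whitelist }}
+  federation_custom_ca_list: "{{ synapse_config_federation_custom_ca_list }}"
+
+synapse_federation_config: >-
+  {{
+    {
+      "federation_whitelist_endpoint_enabled" : synapse_config_federation_whitelist_endpoint_enabled,
+      "federation_metrics_domains": synapse_config_federation_metrics_domains,
+      "allow_profile_lookup_over_federation": synapse_config_allow_profile_lookup_over_federation,
+      "allow_device_name_lookup_over_federation": synapse_config_allow_device_name_lookup_over_federation,
+      "federation": synapse_config_federation
+    }
+    | combine(synapse_federation_tls_config)
+    | combine(({"federation_domain_whitelist": synapse_config_federation_domain_whitelist})
+      if synapse_config_federation_domain_whitelist | default(false, true) else {})
+  }}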
							
								
								
									
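--- a/roles/synapse/defaults/main/homeserver.media_repo.yml
+++ b/roles/synapse/defaults/main/homeserver.media_repo.yml
@@ -0,0 +1,95 @@
+---
+# Media repo configuration
+synapse_config_enable_media_repo: true  #TODO: set to false if workers enabled
+synapse_config_enable_authenticated_media: true
+synapse_config_media_store_path: "{{ synapse_media_store_path }}"
+synapse_config_max_pending_media_uploads: 10
+synapse_config_unused_expiration_time: "1h"
+# see https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#media_storage_providers
+synapse_config_media_store_providers: []
+synapse_config_max_upload_size: "50M"
+synapse_config_max_image_pixels: "32M"
+synapse_config_dynamic_thumbnails: true
+
+# The following values are KiB/Mib per burst/second
+synapse_config_remote_media_download_burst_count: "500M"
+synapse_config_remote_media_download_per_second: "87K"
+
+# Blacklist known spam servers here
+synapse_config_prevent_media_downloads_from: []
+
+synapse_config_media_retention_local_media_lifetime: ~ 
+synapse_config_media_retention_remote_media_lifetime: ~
+synapse_config_media_retention: >-
+  {{ {}
+    | combine(({"local_media_lifetime": synapse_config_media_retention_local_media_lifetime})
+      if synapse_config_media_retention_local_media_lifetime | default(false, true) else {})
+    | combine(({"remote_media_lifetime": synapse_config_media_retention_remote_media_lifetime })
+      if synapse_config_media_retention_remote_media_lifetime | default(false, true) else {})
+  }}
+
+# URL preview handling
+synapse_config_url_preview_enabled: true
+# Following recommendations from
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#url_preview_ip_range_blacklist
+synapse_config_url_preview_ip_range_blacklist:
+  - '127.0.0.0/8'
+  - '10.0.0.0/8'
+  - '172.16.0.0/12'
+  - '192.168.0.0/16'
+  - '100.64.0.0/10'
+  - '192.0.0.0/24'
+  - '169.254.0.0/16'
+  - '192.88.99.0/24'
+  - '198.18.0.0/15'
+  - '192.0.2.0/24'
+  - '198.51.100.0/24'
+  - '203.0.113.0/24'
+  - '224.0.0.0/4'
+  - '::1/128'
+  - 'fe80::/10'
+  - 'fc00::/7'
+  - '2001:db8::/32'
+  - 'ff00::/8'
+  - 'fec0::/10'
+synapse_config_url_preview_ip_range_whitelist: ~
+# see https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#url_preview_url_blacklist
+synapse_config_url_preview_url_blacklist:
+  - username: "*"
+  - netloc: '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'
+  # see https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#url_preview_accept_language
+synapse_config_url_preview_accept_language:
+  - "en"
+synapse_config_max_spider_size: 8M
+synapse_config_oembed_disable_default_providers: false
+synapse_config_oembed_additional_providers: []
+
+synapse_media_config:
+  enable_media_repo: "{{ synapse_config_enable_media_repo }}"
+  enable_authenticated_media: "{{ synapse_config_enable_authenticated_media }}"
+  media_store_path: "{{ synapse_config_media_store_path }}"
+  max_pending_media_uploads: "{{ synapse_config_max_pending_media_uploads }}"
+  unused_expiration_time: "{{ synapse_config_unused_expiration_time }}"
+  media_store_providers: "{{ synapse_config_media_store_providers }}"
+  max_upload_size: "{{ synapse_config_max_upload_size }}"
+  max_image_pixels: "{{ synapse_config_max_image_pixels }}"
+  # Media - remote media handling
+  remote_media_download_burst_count: >-
+    {{ synapse_config_remote_media_download_burst_count }}
+  remote_media_download_per_second: >-
+    {{ synapse_config_remote_media_download_per_second }}
+  prevent_media_downloads_from: "{{ synapse_config_prevent_media_downloads_from }}"
+  media_retention: "{{ synapse_config_media_retention }}"
+  # Media - URL preview options
+  dynamic_thumbnails: "{{ synapse_config_dynamic_thumbnails }}"
+  url_preview_enabled: "{{ synapse_config_url_preview_enabled }}"
+  url_preview_ip_range_blacklist: >-
+    {{ synapse_config_url_preview_ip_range_blacklist }}
+  url_preview_ip_range_whitelist: >-
+    {{ synapse_config_url_preview_ip_range_whitelist }}
+  url_preview_url_blacklist: "{{ synapse_config_url_preview_url_blacklist }}"
+  url_preview_accept_language: "{{ synapse_config_url_preview_accept_language }}"
+  max_spider_size: "{{ synapse_config_max_spider_size }}"
+  oembed:
+    disable_default_providers: "{{ synapse_config_oembed_disable_default_providers }}"
+    additional_providers: "{{ synapse_config_oembed_additional_providers }}"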
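Review bot: The `# see …#url_preview_accept_language` comment is indented under the `synapse_config_url_preview_url_blacklist` list, so it reads as belonging to that list's last entry instead of introducing the `synapse_config_url_preview_accept_language` key that follows; move it to column 0 like the other `# see` comments in this file. While there, drop the trailing space after `synapse_config_media_retention_local_media_lifetime: ~` and put a space before the `#TODO` on the `synapse_config_enable_media_repo` line so the comment style matches the rest of the defaults.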
							
								
								
									
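--- a/roles/synapse/defaults/main/homeserver.metrics.yml
+++ b/roles/synapse/defaults/main/homeserver.metrics.yml
@@ -0,0 +1,24 @@
+---
+synapse_config_enable_metrics: false
+synapse_config_sentry_environment: ~
+synapse_config_sentry_dsn: ~
+synapse_config_metrics_flags_known_servers: true
+synapse_config_report_stats: true
+synapse_config_report_stats_endpoint: >-
+  https://matrix.org/report-usage-stats/push
+
+synapse_metrics_sentry_config: >-
+  {{ {}
+    | combine(({"environment": synapse_config_sentry_environment })
+      if synapse_config_sentry_environment | default(false, true) else {})
+    | combine(({"dsn": synapse_config_sentry_dsn })
+      if synapse_config_sentry_dsn | default(false, true) else {})
+  }}
+
+synapse_metrics_config:
+  enable_metrics: "{{ synapse_config_enable_metrics }}"
+  sentry: "{{ synapse_metrics_sentry_config }}"
+  metrics_flags:
+    known_servers: "{{ synapse_config_metrics_flags_known_servers }}"
+  report_stats: "{{ synapse_config_report_stats }}"
+  report_stats_endpoint: "{{ synapse_config_report_stats_endpoint }}"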
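Review bot: `synapse_config_report_stats: true` opts every deployment into sending usage statistics to `synapse_config_report_stats_endpoint` (matrix.org) unless the operator notices and overrides it; synapse itself ships no default for `report_stats` precisely so that the choice is made explicitly. Prefer `synapse_config_report_stats: false`, or leave the variable undefined so templating fails until it is set, and mention in the role README what the report contains.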
							
								
								
									
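--- a/roles/synapse/defaults/main/homeserver.ratelimits.yml
+++ b/roles/synapse/defaults/main/homeserver.ratelimits.yml
@@ -0,0 +1,112 @@
+---
+# Ratelimit config, see
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#ratelimiting
+synapse_config_rc_message_per_second: 0.2
+synapse_config_rc_message_burst_count: 10
+
+synapse_config_rc_registration_per_second: 0.1
+synapse_config_rc_registration_burst_count: 5
+
+synapse_config_rc_registration_token_validity_per_second: 0.1
+synapse_config_rc_registration_token_validity_burst_count: 5
+
+synapse_config_rc_login_address_per_second: 0.003
+synapse_config_rc_login_address_burst_count: 5
+synapse_config_rc_login_account_per_second: 0.003
+synapse_config_rc_login_account_burst_count: 5
+synapse_config_rc_login_failed_attempts_per_second: 0.17
+synapse_config_rc_login_failed_attempts_burst_count: 3
+
+synapse_config_rc_admin_redaction_per_second: 2
+synapse_config_rc_admin_redaction_burst_count: 75
+
+synapse_config_rc_joins_local_per_second: 0.1
+synapse_config_rc_joins_local_burst_count: 10
+synapse_config_rc_joins_remote_per_second: 0.01
+synapse_config_rc_joins_remote_burst_count: 10
+synapse_config_rc_joins_per_room_per_second: 1
+synapse_config_rc_joins_per_room_burst_count: 10
+
+synapse_config_rc_3pid_validation_per_second: 0.003
+synapse_config_rc_3pid_validation_burst_count: 5
+
+synapse_config_rc_invites_per_room_per_second: 0.3
+synapse_config_rc_invites_per_room_burst_count: 10
+synapse_config_rc_invites_per_user_per_second: 0.003
+synapse_config_rc_invites_per_user_burst_count: 5
+synapse_config_rc_invites_per_issuer_per_second: 0.3
+synapse_config_rc_invites_per_issuer_burst_count: 10
+
+synapse_config_rc_third_party_invite_per_second: 0.2
+synapse_config_rc_third_party_invite_burst_count: 10
+
+synapse_config_rc_media_create_per_second: 10
+synapse_config_rc_media_create_burst_count: 50
+
+synapse_config_rc_federation_window_size: 1000 # in ms
+synapse_config_rc_federation_sleep_limit: 10
+synapse_config_rc_federation_sleep_delay: 500 # in ms
+synapse_config_rc_federation_reject_limit: 50
+synapse_config_rc_federation_concurrent: 5
+synapse_config_federation_rr_transactions_per_room_per_second: 50
+
+synapse_ratelimit_config:
+  rc_message:
+    per_second: "{{ synapse_config_rc_message_per_second }}"
+    burst_count: "{{ synapse_config_rc_message_burst_count }}"
+  rc_registration:
+    per_second: "{{ synapse_config_rc_registration_per_second }}"
+    burst_count: "{{ synapse_config_rc_registration_burst_count }}"
+  rc_registration_token_validity:
+    per_second: "{{ synapse_config_rc_registration_token_validity_per_second }}"
+    burst_count: "{{ synapse_config_rc_registration_token_validity_burst_count }}"
+  rc_login:
+    address:
+      per_second: "{{ synapse_config_rc_login_address_per_second }}"
+      burst_count: "{{ synapse_config_rc_login_address_burst_count }}"
+    account:
+      per_second: "{{ synapse_config_rc_login_account_per_second }}"
+      burst_count: "{{ synapse_config_rc_login_account_burst_count}}"
+    failed_attemps:
+      per_second: "{{ synapse_config_rc_login_failed_attempts_per_second }}"
+      burst_count: "{{ synapse_config_rc_login_failed_attempts_burst_count }}"
+  rc_admin_redaction:
+    per_second: "{{ synapse_config_rc_admin_redaction_per_second }}"
+    burst_count: "{{ synapse_config_rc_admin_redaction_burst_count }}"
+  rc_joins:
+    local:
+      per_second: "{{ synapse_config_rc_joins_local_per_second }}"
+      burst_count: "{{ synapse_config_rc_joins_local_burst_count }}"
+    remote:
+      per_second: "{{ synapse_config_rc_joins_remote_per_second }}"
+      burst_count: "{{ synapse_config_rc_joins_remote_burst_count}}"
+  rc_joins_per_room:
+    per_second: "{{ synapse_config_rc_joins_per_room_per_second }}"
+    burst_count: "{{ synapse_config_rc_joins_per_room_burst_count }}"
+  rc_3pid_validation:
+    per_second: "{{ synapse_config_rc_3pid_validation_per_second }}"
+    burst_count: "{{ synapse_config_rc_3pid_validation_burst_count }}"
+  rc_invites:
+    per_room:
+      per_second: "{{ synapse_config_rc_invites_per_room_per_second }}"
+      burst_count: "{{ synapse_config_rc_invites_per_room_burst_count }}"
+    per_user:
+      per_second: "{{ synapse_config_rc_invites_per_user_per_second }}"
+      burst_count: "{{ synapse_config_rc_invites_per_user_burst_count }}"
+    per_issuer:
+      per_second: "{{ synapse_config_rc_invites_per_issuer_per_second }}"
+      burst_count: "{{ synapse_config_rc_invites_per_issuer_burst_count }}"
+  rc_third_party_invite:
+    per_second: "{{ synapse_config_rc_third_party_invite_per_second }}"
+    burst_count: "{{ synapse_config_rc_third_party_invite_burst_count }}"
+  rc_media_create:
+    per_second: "{{ synapse_config_rc_media_create_per_second }}"
+    burst_count: "{{ synapse_config_rc_media_create_burst_count }}"
+  rc_federation:
+    window_size: "{{ synapse_config_rc_federation_window_size }}"
+    sleep_limit: "{{ synapse_config_rc_federation_sleep_limit }}"
+    sleep_delay: "{{ synapse_config_rc_federation_sleep_delay }}"
+    reject_limit: "{{ synapse_config_rc_federation_reject_limit }}"
+    concurrent: "{{ synapse_config_rc_federation_concurrent }}"
+  federation_rr_transactions_per_room_per_second: >-
+    {{ synapse_config_federation_rr_transactions_per_room_per_second }}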
							
								
								
									
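--- a/roles/synapse/defaults/main/homeserver.server.yml
+++ b/roles/synapse/defaults/main/homeserver.server.yml
@@ -0,0 +1,74 @@
+---
+# Config options from the `server` section of
+# https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#server
+synapse_config_pid_file: "{{ synapse_pid_file }}"
+synapse_config_public_baseurl: "https://{{ synapse_config_server_name }}"
+synapse_config_serve_server_wellknown: false
+synapse_config_extra_well_known_client_content: {}
+synapse_config_soft_file_limit: 0
+synapse_config_require_auth_for_profile_requests: false
+synapse_config_limit_profile_requests_to_users_who_share_rooms: false
+synapse_config_include_profile_data_on_invite: true
+synapse_config_allow_public_rooms_without_auth: false
+synapse_config_allow_public_rooms_over_federation: false
+synapse_config_default_room_version: "10"
+synapse_config_filter_timeline_limit: 200
+synapse_config_block_non_admin_invites: false
+synapse_config_enable_search: true
+synapse_config_dummy_events_threshold: 10
+synapse_config_delete_stale_devices_after: "90d"
+
+synapse_config_ip_range_blacklist:
+  - '127.0.0.0/8'
+  - '10.0.0.0/8'
+  - '172.16.0.0/12'
+  - '192.168.0.0/16'
+  - '100.64.0.0/10'
+  - '192.0.0.0/24'
+  - '169.254.0.0/16'
+  - '192.88.99.0/24'
+  - '198.18.0.0/15'
+  - '192.0.2.0/24'
+  - '198.51.100.0/24'
+  - '203.0.113.0/24'
+  - '224.0.0.0/4'
+  - '::1/128'
+  - 'fe80::/10'
+  - 'fc00::/7'
+  - '2001:db8::/32'
+  - 'ff00::/8'
+  - 'fec0::/10'
+synapse_config_ip_range_whitelist: []
+
+synapse_default_server_config:
+  server_name: "{{ synapse_config_server_name }}"
+  pid_file: "{{ synapse_config_pid_file }}"
+  listeners: "{{ synapse_listeners_config }}"
+  database: "{{ synapse_listeners_config }}"
+  log_config: "{{ synapse_config_log_config_path }}"
+  signing_key_path: "{{ synapse_config_signing_key_path }}"
+  trusted_key_servers: "{{ synapse_config_trusted_key_servers }}"
+  public_baseurl: "{{ synapse_config_public_baseurl }}"
+  serve_server_wellknown: "{{ synapse_config_serve_server_wellknown }}"
+  extra_well_known_client_content: >-
+    {{ synapse_config_extra_well_known_client_content }}
+  soft_file_limit: "{{ synapse_config_soft_file_limit }}"
+  #  presence: TODO
+  require_auth_for_profile_requests: >-
+    {{ synapse_config_require_auth_for_profile_requests }}
+  limit_profile_requests_to_users_who_share_rooms: >-
+    {{ synapse_config_limit_profile_requests_to_users_who_share_rooms }}
+  include_profile_data_on_invite: >-
+    {{ synapse_config_include_profile_data_on_invite }}
+  allow_public_rooms_without_auth: >-
+    {{ synapse_config_allow_public_rooms_without_auth }}
+  allow_public_rooms_over_federation: >-
+    {{ synapse_config_allow_public_rooms_over_federation }}
+  default_room_version: "{{ synapse_config_default_room_version }}"
+  filter_timeline_limit: "{{ synapse_config_filter_timeline_limit }}"
+  block_non_admin_invites: "{{ synapse_config_block_non_admin_invites }}"
+  enable_search: "{{ synapse_config_enable_search }}"
+  ip_range_blacklist: "{{ synapse_config_ip_range_blacklist }}"
+  ip_range_whitelist: "{{ synapse_config_ip_range_whitelist }}"
+  dummy_events_threshold: "{{ synapse_config_dummy_events_threshold }}"
+  delete_stale_devices_after: "{{ synapse_config_delete_stale_devices_after }}"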
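Review bot: On the `database:` line of `synapse_default_server_config` the value is `{{ synapse_listeners_config }}`, the same variable the `listeners:` line directly above consumes, so the rendered homeserver.yaml would carry the listener list under `database`. This reads as a copy-paste slip; the line should reference the role's database config dict, whose name is not visible in this hunk (the docs hunk refers to `synapse_config_database_name`, `synapse_config_database_args` and `synapse_config_database_txn_limit`, so presumably a combined variable exists), i.e. `database: "{{ <database-config-variable> }}"`. Separately, `listeners:` reads `synapse_listeners_config` while `homeservers.listeners.yml` in this commit defines `synapse_config_listeners`; one of the two names is probably wrong, see the note on that file.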
							
								
								
									
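--- a/roles/synapse/defaults/main/homeserver.tls.yml
+++ b/roles/synapse/defaults/main/homeserver.tls.yml
@@ -0,0 +1,10 @@
+---
+synapse_config_tls_certificate_path: ~
+synapse_config_tls_private_key_path: ~
+synapse_tls_config: >-
+  {{ {}
+    | combine(({"tls_certificate_path": synapse_config_tls_certificate_path })
+      if synapse_config_tls_certificate_path | default(false, true) else {})
+    | combine(({"tls_private_key_path": synapse_config_tls_private_key_path })
+      if synapse_config_tls_private_key_path | default(false, true) else {})
+  }}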
							
								
								
									
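--- a/roles/synapse/defaults/main/homeserver.turn.yml
+++ b/roles/synapse/defaults/main/homeserver.turn.yml
@@ -0,0 +1,16 @@
+---
+# TURN / RTC configuration
+synapse_config_turn_uris: []
+synapse_config_turn_shared_secret: ~
+synapse_config_turn_username: ~
+synapse_config_turn_password: ~
+synapse_config_turn_user_lifetime: "2h"
+synapse_config_turn_allow_guests: false
+
+synapse_turn_config:
+  turn_uris: "{{ synapse_config_turn_uris }}"
+  turn_shared_secret: "{{ synapse_config_turn_shared_secret }}"
+  turn_username: "{{ synapse_config_turn_username }}"
+  turn_password: "{{ synapse_config_turn_password }}"
+  turn_user_lifetime: "{{ synapse_config_turn_user_lifetime }}"
+  turn_allow_guests: "{{ synapse_config_turn_allow_guests }}"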
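Review bot: `synapse_turn_config` emits `turn_shared_secret`, `turn_username` and `turn_password` unconditionally, so with the defaults above all three land in homeserver.yaml as null values even though synapse documents the shared secret and the static username/password as alternative ways of authenticating to the TURN server. Building the dict the way `synapse_tls_config` in this commit does — starting from `{}` and `combine`-ing each credential key only when its variable is set — keeps unset credentials out of the rendered config instead of shipping a literal `turn_shared_secret: null`. Whether synapse tolerates the null values is not something this hunk lets me confirm.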
							
								
								
									
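--- a/roles/synapse/defaults/main/homeservers.listeners.yml
+++ b/roles/synapse/defaults/main/homeservers.listeners.yml
@@ -0,0 +1,24 @@
+---
+synapse_config_listeners: >-
+  {{ synapse_listeners_default_config }}
+synapse_config_listeners_port: "8080"
+synapse_config_listeners_tls: false
+synapse_config_listeners_type: http
+synapse_config_listeners_x_forwarded: true
+synapse_config_listeners_bind_addresses:
+  - "::1"
+  - "127.0.0.1"
+synapse_config_listeners_resources:
+  - names: "{{ synapse_config_listeners_resources_names }}"
+    compress: "{{ synapse_config_listeners_resources_compress }}"
+synapse_config_listeners_resources_names:
+  - client
+  - federation
+synapse_config_listeners_resources_compress: false
+synapse_listeners_default_config:
+  - port: "{{ synapse_config_listeners_port }}"
+    tls: "{{ synapse_config_listeners_tls }}"
+    type: "{{ synapse_config_listeners_type }}"
+    x_forwarded: "{{ synapse_config_listeners_x_forwarded }}"
+    bind_addresses: "{{ synapse_config_listeners_bind_addresses }}"
+    resources: "{{ synapse_config_listeners_resources }}"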
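Review bot: This file defines `synapse_config_listeners` as the variable that receives `synapse_listeners_default_config`, but `homeserver.server.yml` in this commit reads `listeners: "{{ synapse_listeners_config }}"` and `docs/listeners.md` tells users to set `synapse_listeners_config`; unless that name is defined elsewhere, the default here is never consumed and an unset `synapse_listeners_config` would make templating fail. Rename one side so both agree, e.g. `synapse_listeners_config: "{{ synapse_listeners_default_config }}"` here. Two smaller points: the file is named `homeservers.listeners.yml` while its siblings use the `homeserver.` prefix, and `synapse_config_listeners_port: "8080"` is a quoted string that `to_nice_yaml` will write out as `port: '8080'` — if synapse expects an integer port, apply `| int` or leave the default unquoted.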
							
								
								
									
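--- a/roles/synapse/defaults/main/log.config.yml
+++ b/roles/synapse/defaults/main/log.config.yml
@@ -0,0 +1,14 @@
+---
+
+synapse_log_config_root_level: "INFO"
+synapse_log_config_disable_existing_loggers: false
+synapse_log_config_root_handlers:
+  - buffer
+# TODO
+
+synapse_log_config:
+  version: 1
+  root:
+    level: "{{ synapse_log_config_root_level }}"
+    handlers: "{{ synapse_log_config_root_handlers }}"
+  disable_existing_loggers: "{{ synapse_log_config_disable_existing_loggers }}"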
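Review bot: `synapse_log_config` routes the root logger to a handler named `buffer` but defines no `handlers` (or `formatters`) section, so the `version: 1` dictConfig written to the log config file references an undefined handler; `logging.config.dictConfig` rejects that, which would presumably stop synapse at startup with the role's defaults. The `# TODO` above suggests this is known, but a default that cannot load should either be completed (a `handlers:` block that defines `buffer` plus the `formatters` it needs) or be marked as intentionally incomplete, e.g. `# NOTE: synapse_log_config_root_handlers must be matched by a handlers section before this config is usable`. From a detection standpoint a homeserver without a working log handler leaves no audit trail at all, so this default deserves priority.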
							
								
								
									
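--- a/roles/synapse/defaults/main/main.yml
+++ b/roles/synapse/defaults/main/main.yml
@@ -0,0 +1,22 @@
+---
+
+synapse_user: synapse
+synapse_version: "1.115.0"
+synapse_state: "present"
+synapse_deployment_method: "docker"
+
+synapse_base_path: /opt/synapse
+synapse_config_path: "{{ synapse_base_path }}/config"
+synapse_data_path: "{{ synapse_base_path }}/data"
+synapse_media_store_path: "{{ synapse_data_path }}/media_store"
+
+synapse_signing_key: ~
+synapse_signing_key_file: >-
+  {{ synapse_config_path }}/{{ synapse_domain }}.signing.key
+synapse_homeserver_config_file: "{{ synapse_config_path }}/homeserver.yaml"
+synapse_logging_config_file: >-
+  {{ synapse_config_path }}/{{ synapse_domain }}.log.config
+synapse_pid_file: "{{ synapse_data_path }}/homeserver.pid"
+synapse_sqlite_database_file: "{{ synapse_data_path }}/homeserver.db"
+
+synapse_role_generate_signing_key: false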
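Review bot: `synapse_signing_key: ~` together with `synapse_role_generate_signing_key: false` means the private signing key has to be passed in as an Ansible variable by default, and nothing here says where it is expected to come from; a comment would help operators keep it out of plain inventory, e.g. `# Contents of the private signing key file; supply it from ansible-vault, or set synapse_role_generate_signing_key: true to let the role generate one on the host`. `synapse_signing_key_file` and `synapse_logging_config_file` are derived from `synapse_domain`, whereas the server config in this commit keys everything on `synapse_config_server_name`; if those are meant to be the same value, a comment stating that relationship would prevent the on-disk key name and `server_name` from drifting apart.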
							
								
								
									
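--- a/roles/synapse/docs/database.md
+++ b/roles/synapse/docs/database.md
@@ -0,0 +1,27 @@
+# `synapse` database configuration
+
+Per default, the ansible role supplies a `sqlite`-database (file-based),
+which is located in `/opt/synapse/data/homeserver.db` (`synapse_sqlite_database_file`).
+
+## PostgresQL
+
+To configure synapse for use with postgresql, set `synapse_config_database_name` to `psycopg2`.
+
+Set your connection information in `synapse_config_database_args` like this:
+```yaml
+synapse_config_database_args:
+  user: my_synapse_db_user
+  password: my_synapse_db_password
+  host: my_database_host
+  port: my_database_port_to_connect_to | int
+  # connection pooling (cp) settings, min and max connections
+  cp_min: 5 | int
+  cp_max: 20 | int
+```
+
+Also see [the upstream documentation on the `database` config key](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#database-1).
+
+## Transaction limits
+
+The ansible role sets a default transaction limit of 10.000 concurrent transactions.
+This configuration can be overridden in `synapse_config_database_txn_limit`.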
							
								
								
									
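--- a/roles/synapse/docs/listeners.md
+++ b/roles/synapse/docs/listeners.md
@@ -0,0 +1,24 @@
+# `synapse` listener config
+
+Synapse serves endpoints under so-called listeners, which are
+defined in `synapse_listeners_config`. The role gives some pre-
+configured options to set for use in various scenarios:
+
+## Behind reverse proxy which does SSL offloading
+
+The `synapse_listeners_default_config` is analog to the upstream
+defaults and will serve both federation and client API on a
+single HTTP port, without TLS or compression, while trusting the
+`X-Forwarded-For` headers.
+
+Use it like this:
+```yaml
+synapse_listeners_config: "{{ synapse_listeners_default_config }}"
+# Change the port like this
+synapse_config_listeners_port: "8090"
+# If you use docker or your reverse-proxy is not local,
+# set the listen_addresses like this
+synapse_config_listeners_bind_addresses:
+  - "::"
+  - "0.0.0.0"
+```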
							
								
								
									
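--- a/roles/synapse/tasks/check.yml
+++ b/roles/synapse/tasks/check.yml
@@ -0,0 +1,32 @@
+---
+- name: Ensure synapse_state is valid
+  ansible.builtin.fail:
+    msg: "State '{{ synapse_state }}' is not known, supported states are {{ synapse_states | join(', ') }}"
+  when: synapse_state not in synapse_states
+
+- name: Ensure synapse deployment method is supported
+  ansible.builtin.fail:
+    msg: >-
+      Deployment method '{{ synapse_deployment_method }}'
+      is unknown! Supported methods are:
+      {{ synapse_deployment_methods | join(', ') }}
+  when: synapse_deployment_method not in synapse_deployment_methods
+
+- name: Ensure required variables are given
+  fail:
+    msg: "Required variable '{{ item }}' is undefined!"
+  loop: "{{ synapse_required_variables }}"
+  when: >-2
+    item not in hostvars[ansible_host]
+    or hostvars[ansible_host][item] | length == 0
+
+- name: Ensure conditionally required variables are given
+  fail:
+    msg: "Required variable '{{ item.name }}' is undefined!"
+  loop: "{{ synapse_conditionally_required_variables }}"
+  loop_control:
+    label: "{{ item.name }}"
+  when: >-2
+    item.when
+    and (item.name not in hostvars[ansible_host]
+        or hostvars[ansible_host][item.name] | length == 0)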
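Review bot: The two undefined-variable checks index `hostvars` with `ansible_host`, but `hostvars` is keyed by inventory hostname; `ansible_host` is the connection address and differs from `inventory_hostname` whenever it is set in inventory, in which case the lookup itself errors instead of producing the intended message. Use `item not in hostvars[inventory_hostname]` / `or hostvars[inventory_hostname][item] | length == 0` in the third task and the corresponding `item.name` forms in the fourth. The `| length == 0` test also fails for non-string values such as a boolean, so a `| default('', true) | string | length == 0` form, or a plain `is not defined` test on the variable, would be more robust. Style: the last two tasks use bare `fail:` while the first two use `ansible.builtin.fail:`.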
							
								
								
									
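--- a/roles/synapse/tasks/configure.yml
+++ b/roles/synapse/tasks/configure.yml
@@ -0,0 +1,59 @@
+---
+- name: Ensure synapse user '{{ synapse_user }}' is {{ synapse_state }}
+  ansible.builtin.user:
+    name: "{{ synapse_user }}"
+    state: "{{ synapse_state }}"
+    system: "{{ synapse_user_system | default(true, true) }}"
+    create_home: "{{ synapse_user_create_home | default(false, true) }}"
+    groups: "{{ synapse_user_groups | default(omit, true) }}"
+    append: "{{ (synapse_user_groups is defined) | ternary(true, omit) }}"
+  register: synapse_user_info
+
+- name: Ensure directories for synapse are {{ synapse_state }}
+  ansible.builtin.file:
+    path: "{{ item.path }}"
+    state: "{{ (synapse_state == 'present') | ternary('directory', 'absent') }}"
+    mode: "{{ item.mode | default('0750') }}"
+    owner: "{{ item.owner | default(synapse_user_info.uid | default(synapse_user)) }}"
+    group: "{{ item.group | default(synapse_user_info.group | default(synapse_user)) }}"
+  loop:
+    - path: "{{ synapse_base_path }}"
+      mode: "0755"
+    - path: "{{ synapse_config_path }}"
+    - path: "{{ synapse_data_path }}"
+    - path: "{{ synapse_media_store_path }}"
+  loop_control:
+    label: "{{ item.path }}"
+
+- name: Ensure synapse signing key is generated
+  finallycoffee.matrix.synapse_signing_key:
+    path: "{{ synapse_signing_key_file }}"
+    state: "{{ synapse_state }}"
+  when: synapse_role_generate_signing_key
+
+- name: Ensure configuration files are templated
+  ansible.builtin.copy:
+    dest: "{{ config_file.path }}"
+    content: "{{ config_file.content }}"
+    mode: "{{ config_file.mode | default('0640') }}"
+    owner: "{{ config_file.owner | default(synapse_user_info.uid | default(synapse_user)) }}"
+    group: "{{ config_file.group | default(synapse_user_info.group | default(synapse_user)) }}"
+  loop: >-
+    {{ synapse_configs_to_write
+      + (synapse_keys_to_write if not synapse_role_generate_signing_key else [])
+      + synapse_configs | default([]) }}
+  loop_control:
+    loop_var: config_file
+    label: "{{ config_file.path }}"
+  vars:
+    synapse_configs_to_write:
+      - content: "{{ synapse_homeserver_config | to_nice_yaml(width=1000) }}"
+        path: "{{ synapse_homeserver_config_file }}"
+      - content: "{{ synapse_log_config | to_nice_yaml(width=1000) }}"
+        path: "{{ synapse_logging_config_file }}"
+    synapse_keys_to_write:
+      - content: "{{ synapse_signing_key }}"
+        path: "{{ synapse_signing_key_file }}"
+        mode: "0640"
+
+# TODO: signing key generation/handling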
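Review bot: The "Ensure configuration files are templated" task passes the private signing key (`synapse_keys_to_write`) and the full homeserver.yaml — which carries `turn_shared_secret` and any database password — through `content:`, so a run with `-v` or `--diff`, or a look at the task result, prints that material on the controller's console and into its logs. Add `no_log: true` to that task (and `diff: false` if only diff output is the concern); the `0640` modes already protect the files on the host, but the controller-side exposure is not covered. The trailing `# TODO: signing key generation/handling` looks stale now that the `finallycoffee.matrix.synapse_signing_key` task above handles generation when `synapse_role_generate_signing_key` is set.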
							
								
								
									
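--- a/roles/synapse/tasks/deploy-docker.yml
+++ b/roles/synapse/tasks/deploy-docker.yml
@@ -0,0 +1,32 @@
+---
+- name: Ensure container image '{{ synapse_container_image }}' is {{ synapse_state }} on host
+  community.docker.docker_image:
+    name: "{{ synapse_container_image }}"
+    state: "{{ synapse_state }}"
+    source: "{{ synapse_container_image_source }}"
+    force_source: "{{ synapse_container_image_tag | default(false, true) | bool }}"
+  register: synapse_container_image_info
+  until: synapse_container_image_info is success
+  retries: 10
+  delay: 5
+
+- name: Ensure synapse container '{{ synapse_container_name }}' is {{ (synapse_state == 'present') | ternary('started', 'absent') }}
+  community.docker.docker_container:
+    name: "{{ synapse_container_name }}"
+    image: "{{ synapse_container_image }}"
+    env: "{{ synapse_container_env | default(omit, true) }}"
+    user: "{{ synapse_container_user | default(omit, true) }}"
+    group: "{{ synapse_container_group | default(omit, true) }}"
+    ports: "{{ synapse_container_ports | default(omit, true) }}"
+    labels: "{{ synapse_container_labels | default(omit, true) }}"
+    ulimits: "{{ synapse_container_ulimits | default(omit, true) }}"
+    volumes: "{{ synapse_container_volumes | default(omit, true) }}"
+    networks: "{{ synapse_container_networks | default(omit, true) }}"
+    purge_networks: "{{ synapse_container_purge_networks | default(omit, true) }}"
+    dns_servers: "{{ synapse_container_dns_servers | default(omit, true) }}"
+    etc_hosts: "{{ synapse_container_etc_hosts | default(omit, true) }}"
+    memory: "{{ synapse_container_memory | default(omit, true) }}"
+    memory_reservation: "{{ synapse_container_memory_reservation | default(omit, true) }}"
+    memory_swap: "{{ synapse_container_memory_swap | default(omit, true) }}"
+    restart_policy: "{{ synapse_container_restart_policy }}"
+    state: "{{ synapse_container_state }}"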
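Review bot: `force_source: "{{ synapse_container_image_tag | default(false, true) | bool }}"` pipes an image tag string through `bool`, which is true only for truthy-looking strings such as `yes`/`true`; a real tag like `v1.115.0` evaluates to false (and recent ansible-core releases warn on, or reject, non-boolean strings in `bool`), so the re-pull is presumably never forced when a tag is set. If the intent is "force a pull whenever a tag is configured", `force_source: "{{ synapse_container_image_tag | default('', true) | length > 0 }}"` states that directly. As a supply-chain note, `synapse_container_image` (defined outside this hunk) is pulled by tag only; accepting an `image@sha256:<digest>` form would let operators pin the deployed image against tag re-pushes.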
							
								
								
									
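--- a/roles/synapse/tasks/main.yml
+++ b/roles/synapse/tasks/main.yml
@@ -0,0 +1,13 @@
+---
+
+- name: Ensure checks are passing
+  ansible.builtin.include_tasks:
+    file: "check.yml"
+
+- name: Ensure base configuration is created
+  ansible.builtin.include_tasks:
+    file: "configure.yml"
+
+- name: Deploy using {{ synapse_deployment_method }}
+  ansible.builtin.include_tasks:
+    file: "deploy-{{ synapse_deployment_method }}.yml"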
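Review bot: `file: "deploy-{{ synapse_deployment_method }}.yml"` builds an include path from a user-supplied variable; that is only safe because `check.yml` in this commit rejects any value not listed in `synapse_deployment_methods` first, and that dependency is invisible here. A one-line comment on the task would make the guard explicit for future edits, e.g. `# synapse_deployment_method is validated against synapse_deployment_methods in check.yml before it is used as a file name`. The checks hold only as long as `check.yml` keeps being included first, so the ordering of these three includes is load-bearing and worth stating.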
							
								
								
									
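--- a/roles/synapse/vars/main.yml
+++ b/roles/synapse/vars/main.yml
@@ -0,0 +1,14 @@
+---
+synapse_states:
+  - present
+  - absent
+
+synapse_deployment_methods:
+  - docker
+
+synapse_required_variables:
+  - synapse_domain
+
+synapse_conditionally_required_variables:
+  - name: synapse_signing_key
+    when: "{{ not synapse_role_generate_signing_key | bool }}"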
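Review bot: `when: "{{ not synapse_role_generate_signing_key | bool }}"` is a templated string that `check.yml` later uses as `item.when` inside a `when:` expression; it most likely resolves to a boolean through Ansible's result-type conversion when the loop item is rendered, but that is implicit, and the field name `when` suggests a conditional expression rather than a pre-rendered value. A comment would make the contract explicit, e.g. `# when: rendered per host to a boolean; the variable is only required when it evaluates true`. With a single entry in the list, testing `synapse_role_generate_signing_key` directly in the check task would be simpler than the generic indirection.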