diff --git a/playbooks/matrix.yml b/playbooks/matrix.yml
new file mode 100644
index 0000000..b431e0f
--- /dev/null
+++ b/playbooks/matrix.yml
@@ -0,0 +1,12 @@
+---
+
+
+- name: Synapse
+ hosts: matrix_synapse
+ become: true
+ vars_files:
+ - vars/nginx.yml
+ roles:
+ - synapse
+ - extras
+ - nginx
diff --git a/playbooks/vars/nginx.yml b/playbooks/vars/nginx.yml
new file mode 100644
index 0000000..3b80d39
--- /dev/null
+++ b/playbooks/vars/nginx.yml
@@ -0,0 +1,255 @@
+---
+
+nginx_upstreams:
+ synapse_main:
+ servers:
+ - 8008
+ locations:
+ - name: '/_matrix'
+ - name: '/_synapse/client'
+ - name: "{{ '/_matrix/media/' if matrix_media_repo_server is not defined and 'media_repository' not in synapse_workers | default('') else '' }}"
+ additional_options:
+ - "client_max_body_size {{ matrix_max_upload_size_mb }}M"
+
+ matrix_media_repo:
+ servers:
+ - "{{ matrix_media_repo_server + ':9000' if matrix_media_repo_server is defined else '' }}"
+ locations:
+ - name: '/_matrix/media'
+ proxy_headers:
+ Host: "{{ matrix_domain }}"
+ additional_options:
+ - "client_max_body_size {{ matrix_max_upload_size_mb }}M"
+
+ synchrotron_balancer:
+ servers: "{{ ['8183'] if synapse_workers.generic_sync is defined else '' }}"
+ locations:
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3)/events$'
+ - name: "{{ '^/_matrix/client/(v2_alpha|r0|v3)/sync$' if 'generic_init_sync' not in synapse_workers | default('') else '' }}"
+ synchrotron_init:
+ servers: "{{ ['8184'] if synapse_workers.generic_init_sync is defined else '' }}"
+ locations:
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3)/initialSync$'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3)/rooms/[^/]+/initialSync$'
+ synapse_generic_client:
+ servers: "{{ synapse_workers.generic_client | default('') }}"
+ locations:
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/createRoom$'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/publicRooms$'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/joined_members$'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/context/.*$'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/members$'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state$'
+ - name: '~ ^/_matrix/client/v1/rooms/.*/hierarchy$'
+ - name: '~ ^/_matrix/client/unstable/org.matrix.msc2716/rooms/.*/batch_send$'
+ - name: '~ ^/_matrix/client/unstable/im.nheko.summary/rooms/.*/summary$'
+ - name: '~ ^/_matrix/client/(r0|v3|unstable)/account/3pid$'
+ - name: '~ ^/_matrix/client/(r0|v3|unstable)/account/whoami$'
+ - name: '~ ^/_matrix/client/(r0|v3|unstable)/devices$'
+ - name: '~ ^/_matrix/client/versions$'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/voip/turnServer$'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/event/'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/joined_rooms$'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/search$'
+
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/query$'
+ additional_options:
+ - 'proxy_read_timeout 1h'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/keys/changes$'
+ - name: '~ ^/_matrix/client/(r0|v3|unstable)/keys/claim$'
+ - name: '~ ^/_matrix/client/(r0|v3|unstable)/room_keys/'
+ synapse_generic_login:
+ servers: "{{ synapse_workers.generic_login | default('') }}"
+ locations:
+ - name: '~ ^/_matrix/client/(api/v1|r0|unstable|v3)/login$'
+ - name: '~ ^/_matrix/client/(r0|unstable|v3)/register$'
+ - name: '~ ^/_matrix/client/v1/register/m.login.registration_token/validity$'
+ # SSO
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect'
+ - name: '~ ^/_synapse/client/pick_idp$'
+ - name: '~ ^/_synapse/client/pick_username'
+ - name: '~ ^/_synapse/client/new_user_consent$'
+ - name: '~ ^/_synapse/client/sso_register$'
+ # OIDC
+ - name: '~ ^/_synapse/client/oidc/callback$'
+ # SAML
+ - name: '~ ^/_synapse/client/saml2/authn_response$'
+ # CAS
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/login/cas/ticket$'
+ synapse_generic_federation:
+ servers: "{{ synapse_workers.generic_federation | default('') }}"
+ locations:
+ - name: '~ ^/_matrix/federation/v1/event/'
+ - name: '~ ^/_matrix/federation/v1/state/'
+ - name: '~ ^/_matrix/federation/v1/state_ids/'
+ additional_options:
+ - 'proxy_read_timeout 1h'
+ - name: '~ ^/_matrix/federation/v1/backfill/'
+ - name: '~ ^/_matrix/federation/v1/get_missing_events/'
+ - name: '~ ^/_matrix/federation/v1/publicRooms'
+ - name: '~ ^/_matrix/federation/v1/query/'
+ - name: '~ ^/_matrix/federation/v1/make_join/'
+ - name: '~ ^/_matrix/federation/v1/make_leave/'
+ - name: '~ ^/_matrix/federation/(v1|v2)/send_join/'
+ - name: '~ ^/_matrix/federation/(v1|v2)/send_leave/'
+ - name: '~ ^/_matrix/federation/(v1|v2)/invite/'
+ - name: '~ ^/_matrix/federation/v1/event_auth/'
+ - name: '~ ^/_matrix/federation/v1/exchange_third_party_invite/'
+ - name: '~ ^/_matrix/federation/v1/user/devices/'
+ - name: '~ ^/_matrix/key/v2/query'
+ - name: '~ ^/_matrix/federation/v1/hierarchy/'
+ synapse_generic_federation_send:
+ servers: "{{ synapse_workers.generic_federation_send | default('') }}"
+ method: 'ip_hash'
+ locations:
+ - name: '~ ^/_matrix/federation/v1/send/'
+ additional_options:
+ - 'proxy_read_timeout 1h'
+ synapse_generic_event_send:
+ servers: "{{ synapse_workers.generic_event_send | default('') }}"
+ method: 'hash $request_uri'
+ locations:
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/redact'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/send'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/state/'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/join/'
+ additional_options:
+ - 'proxy_read_timeout 1h'
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/profile/'
+ synapse_generic_pagination:
+ servers: "{{ synapse_workers.generic_pagination | default('') }}"
+ method: 'hash $request_uri'
+ locations:
+ - name: '~/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/messages$'
+ synapse_user_dir:
+ servers: "{{ synapse_workers.user_dir | default('') }}"
+ locations:
+ - name: '~ ^/_matrix/client/(r0|v3|unstable)/user_directory/search$'
+ synapse_frontend_proxy:
+ servers: "{{ synapse_workers.frontend_proxy | default('') }}"
+ locations:
+ - name: '~ ^/_matrix/client/(r0|v3|unstable)/keys/upload'
+ - name: "{{ '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/[^/]+/status' if synapse_presence is defined and not synapse_presence else '' }}"
+ synapse_media_repository:
+ servers: "{{ synapse_workers.media_repository | default('') }}"
+ locations:
+ - name: '/_matrix/media/'
+ additional_options:
+ - "client_max_body_size {{ matrix_max_upload_size_mb }}M"
+ - name: '~ ^/_synapse/admin/v1/purge_media_cache$'
+ - name: '~ ^/_synapse/admin/v1/room/.*/media.*$'
+ - name: '~ ^/_synapse/admin/v1/user/.*/media.*$'
+ - name: '~ ^/_synapse/admin/v1/media/.*$'
+ - name: '~ ^/_synapse/admin/v1/quarantine_media/.*$'
+ - name: '~ ^/_synapse/admin/v1/users/.*/media$'
+
+ synapse_typing_persister:
+ servers: "{{ synapse_workers.typing_persister | default('') }}"
+ locations:
+ - name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/rooms/.*/typing'
+ synapse_device_persister:
+ servers: "{{ synapse_workers.device_persister | default('') }}"
+ locations:
+ - name: '~ ^/_matrix/client/(r0|v3|unstable)/sendToDevice/'
+ synapse_account_persister:
+ servers: "{{ synapse_workers.account_persister | default('') }}"
+ locations:
+ - name: '~ ^/_matrix/client/(r0|v3|unstable)/.*/tags'
+ - name: '~ ^/_matrix/client/(r0|v3|unstable)/.*/account_data'
+ synapse_receipt_persister:
+ servers: "{{ synapse_workers.receipt_persister | default('') }}"
+ locations:
+ - name: '~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/receipt'
+ - name: '~ ^/_matrix/client/(r0|v3|unstable)/rooms/.*/read_markers'
+ synapse_presence_persister:
+ servers: "{{ synapse_workers.presence_persister | default('') }}"
+ locations:
+ - name: '^/_matrix/client/(api/v1|r0|v3|unstable)/presence/'
+
+ maubot:
+ servers: "{{ ['29316'] if 'maubot' in matrix_extras | default('') else '' }}"
+ locations:
+ - name: '/_matrix/maubot'
+ mautrix_telegram:
+ servers: "{{ ['29317'] if 'mautrix-telegram' in matrix_extras | default('') else '' }}"
+ locations:
+ - name: '/telegram'
+ mautrix_facebook:
+ servers: "{{ ['29319'] if 'mautrix-facebook' in matrix_extras | default('') else '' }}"
+ locations:
+ - name: '/facebook'
+ mautrix_googlechat:
+ servers: "{{ ['29320'] if 'mautrix-googlechat' in matrix_extras | default('') else '' }}"
+ locations:
+ - name: '/googlechat'
+ mx_puppet_slack:
+ servers: "{{ ['8432'] if 'mx-puppet-slack' in matrix_extras | default('') else '' }}"
+ locations:
+ - name: '/_matrix/slack'
+
+nginx_maps:
+ sync:
+ var: "{{ 'arg_since' if synapse_workers.generic_sync is defined and synapse_workers.generic_init_sync is defined else '' }}"
+ rules:
+ default: synchrotron_balancer
+ "''": synchrotron_init
+ locations:
+ - name: '~ ^/_matrix/client/(r0|v3)/sync$'
+ additional_options:
+ - 'proxy_read_timeout 1h'
+
+nginx_servers:
+ - listen:
+ - ip: 'all'
+ - ip: "{{ 'localhost' if matrix_extras is defined and synapse_workers is defined else '' }}"
+ port: 8009
+ return:
+ - location: '/'
+ type: 301
+ content: "{{ nginx_matrix_website_redirect }}"
+ - location: '/.well-known/matrix/server'
+ content_type: json
+ content:
+ m.server: "{{ matrix_server_domain }}"
+
+ - location: '/.well-known/matrix/client'
+ content_type: json
+ content:
+ m.homeserver:
+ base_url: "{{ matrix_external_url }}"
+
+ headers:
+ Access-Control-Allow-Origin: "'*'"
+ reverse_proxy:
+ - synapse_main
+ - matrix_media_repo
+ - synapse_media_repository
+ - synapse_generic_client
+ - synapse_generic_login
+ - synapse_generic_event_send
+ - synapse_generic_pagination
+ - synapse_user_dir
+ - synapse_frontend_proxy
+ - synchrotron_balancer
+ - synchrotron_init
+ - synapse_device_persister
+ - synapse_typing_persister
+ - synapse_account_persister
+ - synapse_receipt_persister
+ - synapse_presence_persister
+ - maubot
+ - mautrix_telegram
+ - mautrix_facebook
+ - mautrix_googlechat
+ - mx_puppet_slack
+ reverse_proxy_map:
+ - sync
+ - listen:
+ - port: 8448
+ reverse_proxy:
+ - synapse_main
+ - matrix_media_repo
+ - synapse_media_repository
+ - synapse_generic_federation
+ - synapse_generic_federation_send
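Review bot: The six `/_synapse/admin/v1/...` media locations under `synapse_media_repository` are attached to the port-8009 server that also fronts all public client traffic, so if that listener is what the TLS terminator forwards Internet traffic to (I cannot see the nginx role or what sits in front of 8009), the media admin API becomes externally reachable while the rest of `/_synapse/admin` is not — which looks unintended, since `synapse_main` deliberately exposes only `/_matrix` and `/_synapse/client`. These endpoints are gated by an admin access token, but Synapse's guidance is to keep `/_synapse/admin` off the public proxy entirely, so I would move those six entries into their own upstream attached only to a localhost-bound listener, or at minimum mark them with `# NOTE: /_synapse/admin must not be reachable through the public listener`. Separately, the single location under `synapse_presence_persister`, `'^/_matrix/client/(api/v1|r0|v3|unstable)/presence/'`, lacks the `~` regex modifier every other regex entry carries; unless the nginx role adds it, nginx will treat the string as a literal prefix that never matches and presence requests silently fall through to `synapse_main`, and the templated `/sync$` entry in `synchrotron_balancer` has the same omission. Fix: `- name: '~ ^/_matrix/client/(api/v1|r0|v3|unstable)/presence/'`.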