From ced8c2314c7b11e400dd3b97885ec6cce3944765 Mon Sep 17 00:00:00 2001 
From: uumas Date: Tue, 11 Apr 2023 21:46:36 +0300 Subject: [PATCH] Synapse role --- LICENSE | 19 ++++ README.md | 3 + galaxy.yml | 11 +++ meta/runtime.yml | 3 + roles/synapse/defaults/main.yml | 24 +++++ roles/synapse/handlers/main.yml | 23 +++++ roles/synapse/tasks/config.yml | 55 ++++++++++++ roles/synapse/tasks/install_debian.yml | 30 +++++++ roles/synapse/tasks/main.yml | 38 ++++++++ roles/synapse/tasks/matrix-synchrotron.yml | 19 ++++ roles/synapse/tasks/matrix-synchrotrons.yml | 65 ++++++++++++++ roles/synapse/tasks/worker_instance.yml | 23 +++++ roles/synapse/tasks/worker_type.yml | 41 +++++++++ roles/synapse/tasks/workers.yml | 49 ++++++++++ .../synapse/templates/conf.d/autojoin.yaml.j2 | 6 ++ .../synapse/templates/conf.d/database.yaml.j2 | 12 +++ .../synapse/templates/conf.d/general.yaml.j2 | 16 ++++ .../templates/conf.d/listeners.yaml.j2 | 33 +++++++ .../synapse/templates/conf.d/modules.yaml.j2 | 10 +++ .../conf.d/password_providers.yaml.j2 | 25 ++++++ .../templates/conf.d/server_name.yaml.j2 | 3 + roles/synapse/templates/conf.d/sso.yaml.j2 | 74 +++++++++++++++ roles/synapse/templates/conf.d/turn.yaml.j2 | 11 +++ .../templates/conf.d/url_preview.yaml.j2 | 13 +++ .../synapse/templates/conf.d/workers.yaml.j2 | 90 +++++++++++++++++++ roles/synapse/templates/log.yaml.j2 | 69 ++++++++++++++ .../matrix-synchrotron-config.yaml.j2 | 12 +++ .../systemd/matrix-synapse-worker@.service.j2 | 24 +++++ .../systemd/matrix-synapse.service.j2 | 21 +++++ .../systemd/matrix-synchrotron@.service.j2 | 17 ++++ .../templates/systemd/matrix.target.j2 | 8 ++ .../templates/tmpfiles-matrix-synapse.conf.j2 | 1 + roles/synapse/templates/worker.yaml.j2 | 29 ++++++ roles/synapse/vars/account_persister.yml | 5 ++ roles/synapse/vars/appservice.yml | 3 + roles/synapse/vars/background_tasks.yml | 4 + roles/synapse/vars/defaults.yml | 5 ++ roles/synapse/vars/device_persister.yml | 5 ++ roles/synapse/vars/event_persister.yml | 4 + roles/synapse/vars/federation_sender.yml | 4 + 
roles/synapse/vars/frontend_proxy.yml | 3 + roles/synapse/vars/generic_federation.yml | 4 + .../synapse/vars/generic_federation_send.yml | 4 + roles/synapse/vars/generic_init_sync.yml | 3 + roles/synapse/vars/generic_sync.yml | 3 + roles/synapse/vars/media_repository.yml | 5 ++ roles/synapse/vars/presence_persister.yml | 5 ++ roles/synapse/vars/pusher.yml | 4 + roles/synapse/vars/receipt_persister.yml | 5 ++ roles/synapse/vars/typing_persister.yml | 5 ++ 50 files changed, 948 insertions(+) create mode 100644 LICENSE create mode 100644 README.md create mode 100644 galaxy.yml create mode 100644 meta/runtime.yml create mode 100644 roles/synapse/defaults/main.yml create mode 100644 roles/synapse/handlers/main.yml create mode 100644 roles/synapse/tasks/config.yml create mode 100644 roles/synapse/tasks/install_debian.yml create mode 100644 roles/synapse/tasks/main.yml create mode 100644 roles/synapse/tasks/matrix-synchrotron.yml create mode 100644 roles/synapse/tasks/matrix-synchrotrons.yml create mode 100644 roles/synapse/tasks/worker_instance.yml create mode 100644 roles/synapse/tasks/worker_type.yml create mode 100644 roles/synapse/tasks/workers.yml create mode 100644 roles/synapse/templates/conf.d/autojoin.yaml.j2 create mode 100644 roles/synapse/templates/conf.d/database.yaml.j2 create mode 100644 roles/synapse/templates/conf.d/general.yaml.j2 create mode 100644 roles/synapse/templates/conf.d/listeners.yaml.j2 create mode 100644 roles/synapse/templates/conf.d/modules.yaml.j2 create mode 100644 roles/synapse/templates/conf.d/password_providers.yaml.j2 create mode 100644 roles/synapse/templates/conf.d/server_name.yaml.j2 create mode 100644 roles/synapse/templates/conf.d/sso.yaml.j2 create mode 100644 roles/synapse/templates/conf.d/turn.yaml.j2 create mode 100644 roles/synapse/templates/conf.d/url_preview.yaml.j2 create mode 100644 roles/synapse/templates/conf.d/workers.yaml.j2 create mode 100644 roles/synapse/templates/log.yaml.j2 create mode 100644 
roles/synapse/templates/matrix-synchrotron-config.yaml.j2
create mode 100644 roles/synapse/templates/systemd/matrix-synapse-worker@.service.j2
create mode 100644 roles/synapse/templates/systemd/matrix-synapse.service.j2
create mode 100644 roles/synapse/templates/systemd/matrix-synchrotron@.service.j2
create mode 100644 roles/synapse/templates/systemd/matrix.target.j2
create mode 100644 roles/synapse/templates/tmpfiles-matrix-synapse.conf.j2
create mode 100644 roles/synapse/templates/worker.yaml.j2
create mode 100644 roles/synapse/vars/account_persister.yml
create mode 100644 roles/synapse/vars/appservice.yml
create mode 100644 roles/synapse/vars/background_tasks.yml
create mode 100644 roles/synapse/vars/defaults.yml
create mode 100644 roles/synapse/vars/device_persister.yml
create mode 100644 roles/synapse/vars/event_persister.yml
create mode 100644 roles/synapse/vars/federation_sender.yml
create mode 100644 roles/synapse/vars/frontend_proxy.yml
create mode 100644 roles/synapse/vars/generic_federation.yml
create mode 100644 roles/synapse/vars/generic_federation_send.yml
create mode 100644 roles/synapse/vars/generic_init_sync.yml
create mode 100644 roles/synapse/vars/generic_sync.yml
create mode 100644 roles/synapse/vars/media_repository.yml
create mode 100644 roles/synapse/vars/presence_persister.yml
create mode 100644 roles/synapse/vars/pusher.yml
create mode 100644 roles/synapse/vars/receipt_persister.yml
create mode 100644 roles/synapse/vars/typing_persister.yml
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..84c8ad3
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,19 @@
+MIT License Copyright (c) 2023 uumas
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished
+to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice (including the next
+paragraph) shall be included in all copies or substantial portions of the
+Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS
+OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF
+OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..717b911
--- /dev/null
+++ b/README.md
@@ -0,0 +1,3 @@
+# uumas.matrix
+
+Roles for matrix services
diff --git a/galaxy.yml b/galaxy.yml
new file mode 100644
index 0000000..dfb899f
--- /dev/null
+++ b/galaxy.yml
@@ -0,0 +1,11 @@
+---
+
+namespace: uumas
+name: matrix
+description: Matrix roles
+version: 0.0.1
+readme: README.md
+repository: https://git.uumas.fi/uumas/ansible-matrix
+license_file: LICENSE
+authors:
+  - uumas
diff --git a/meta/runtime.yml b/meta/runtime.yml
new file mode 100644
index 0000000..63340fb
--- /dev/null
+++ b/meta/runtime.yml
@@ -0,0 +1,3 @@
+---
+
+requires_ansible: ">=2.10"
diff --git a/roles/synapse/defaults/main.yml b/roles/synapse/defaults/main.yml
new file mode 100644
index 0000000..e9362bf
--- /dev/null
+++ b/roles/synapse/defaults/main.yml
@@ -0,0 +1,24 @@
+---
+
+depends:
+
+synapse_psql_host: localhost
+synapse_psql_user: "{{ psql_dbs['matrix-synapse']['user'] }}"
+synapse_psql_pw: "{{ psql_dbs['matrix-synapse']['password'] }}"
+synapse_psql_db: "{{ synapse_psql_user }}"
+
+matrix_max_upload_size_mb: 100
+synapse_metrics: no
+synapse_presence: yes
+
+synchrotron_workers:
+  balancer: generic_sync
+  init: generic_init_sync
+
+persister_workers:
+  - event_persister
+  - typing_persister
+  - account_persister
+  - device_persister
+  - presence_persister
+  - receipt_persister
diff --git a/roles/synapse/handlers/main.yml b/roles/synapse/handlers/main.yml
new file mode 100644
index 0000000..4f2c5bf
--- /dev/null
+++ b/roles/synapse/handlers/main.yml
@@ -0,0 +1,23 @@
+---
+
+- name: config synapse service
+  systemd:
+    daemon_reload: yes
+    name: matrix-synapse.service
+    enabled: yes
+  notify: config matrix target
+
+- name: config matrix target
+  systemd:
+    daemon_reload: yes
+    name: matrix.target
+    enabled: yes
+    state: restarted
+
+- name: config worker services
+  systemd:
+    daemon_reload: yes
+    name: "matrix-synapse-worker@{{ item }}.service"
+    enabled: yes
+  loop: "{{ synapse_worker_services }}"
+  notify: config matrix target
diff --git a/roles/synapse/tasks/config.yml b/roles/synapse/tasks/config.yml
new file mode 100644
index 0000000..00e6c2e
--- /dev/null
+++ b/roles/synapse/tasks/config.yml
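Review bot: `depends:` at the top of roles/synapse/defaults/main.yml is a bare key with a null value, so all it does is define an unused variable named `depends` for every host the role runs on. If role dependencies were intended they belong under `dependencies:` in meta/main.yml; otherwise the line should be dropped. A one-line header comment would also help readers of the defaults, e.g. `# synapse_psql_* are read from the shared psql_dbs dict; override per host if the DB lives elsewhere`.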
@@ -0,0 +1,55 @@
+---
+
+
+- name: Put synapse configs in place
+  template:
+    src: "conf.d/{{ item }}.yaml.j2"
+    dest: "/etc/matrix-synapse/conf.d/{{ item }}.yaml"
+    mode: '644'
+  loop:
+    - database
+    - general
+    - listeners
+    - server_name
+    - url_preview
+  notify: config matrix target
+
+- name: autojoin config
+  template:
+    src: 'conf.d/autojoin.yaml.j2'
+    dest: '/etc/matrix-synapse/conf.d/autojoin.yaml'
+    mode: '644'
+  when: matrix_auto_join_rooms is defined
+  notify: config matrix target
+
+- name: password provider config
+  template:
+    src: 'conf.d/password_providers.yaml.j2'
+    dest: '/etc/matrix-synapse/conf.d/password_providers.yaml'
+    mode: '644'
+  when: synapse_ldap_servers is defined
+  notify: config matrix target
+
+- name: modules config
+  template:
+    src: 'conf.d/modules.yaml.j2'
+    dest: '/etc/matrix-synapse/conf.d/modules.yaml'
+    mode: '644'
+  when: synapse_shared_secret_auth is defined
+  notify: config matrix target
+
+- name: sso config
+  template:
+    src: 'conf.d/sso.yaml.j2'
+    dest: '/etc/matrix-synapse/conf.d/sso.yaml'
+    mode: '644'
+  when: matrix_openidc_providers is defined
+  notify: config matrix target
+
+- name: turn config
+  template:
+    src: 'conf.d/turn.yaml.j2'
+    dest: '/etc/matrix-synapse/conf.d/turn.yaml'
+    mode: '644'
+  when: turn_domain is defined
+  notify: config matrix target
diff --git a/roles/synapse/tasks/install_debian.yml b/roles/synapse/tasks/install_debian.yml
new file mode 100644
index 0000000..6f92354
--- /dev/null
+++ b/roles/synapse/tasks/install_debian.yml
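Review bot: Every template task in this file writes with `mode: '644'`, which leaves /etc/matrix-synapse/conf.d/*.yaml world-readable although database.yaml, general.yaml, password_providers.yaml, modules.yaml, sso.yaml and turn.yaml carry the database password, `registration_shared_secret`, the LDAP bind password, OIDC client secrets and the TURN shared secret. The units in this patch run Synapse as `User=matrix-synapse`, so the files only need to be readable by that user; since the tmpfiles line uses group `nogroup` for that account, the minimal change is `owner: matrix-synapse` with `mode: '0600'` (or a dedicated group with `'0640'` if one is created). The same `mode: '644'` appears on the per-worker config in worker_instance.yml; whether that file carries secrets depends on worker.yaml.j2, which is cut off at the end of this patch.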
@@ -0,0 +1,30 @@
+---
+
+- name: Install dependencies
+  apt:
+    name:
+      - lsb-release
+      - wget
+      - apt-transport-https
+      - python3-pysaml2
+      - python3-psycopg2
+      - acl
+
+- name: Add matrix.org repo signing key
+  apt_key:
+    url: 'https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg'
+    id: 'AAF9AE843A7584B5A3E4CD2BCF45A512DE2DA058'
+
+- name: Add matrix.org repo
+  apt_repository:
+    repo: "deb https://packages.matrix.org/debian/ {{ ansible_distribution_release }} main"
+
+- name: Install synapse
+  apt:
+    name: matrix-synapse-py3
+    state: latest
+
+- name: Install redis
+  apt:
+    name: redis-server
+  when: synapse_workers is defined
diff --git a/roles/synapse/tasks/main.yml b/roles/synapse/tasks/main.yml
new file mode 100644
index 0000000..f3e62fb
--- /dev/null
+++ b/roles/synapse/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+
+- name: Fail if not debian
+  fail:
+  when: ansible_os_family != "Debian"
+
+- name: Install synapse on debian
+  include_tasks: install_debian.yml
+  when: ansible_os_family=="Debian"
+
+- name: Synapse configuration
+  import_tasks: config.yml
+
+- name: Install matrix-synapse-shared-secret-auth
+  pip:
+    name: 'git+https://github.com/devture/matrix-synapse-shared-secret-auth'
+    state: latest
+    virtualenv: /opt/venvs/matrix-synapse
+  notify: config synapse service
+  when: synapse_shared_secret_auth is defined
+
+- name: Put systemd units in place
+  template:
+    src: "systemd/{{ item }}.j2"
+    dest: "/etc/systemd/system/{{ item }}"
+    mode: '644'
+  loop:
+    - matrix-synapse.service
+    - matrix.target
+  notify:
+    - config synapse service
+    - config matrix target
+
+- name: Synapse workers
+  include_tasks: workers.yml
+  when: synapse_workers is defined
+
+- meta: flush_handlers
diff --git a/roles/synapse/tasks/matrix-synchrotron.yml b/roles/synapse/tasks/matrix-synchrotron.yml
new file mode 100644
index 0000000..c668dbd
--- /dev/null
+++ b/roles/synapse/tasks/matrix-synchrotron.yml
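Review bot: `state: latest` on `Install synapse` upgrades matrix-synapse-py3 on every run, but the task has no `notify:`, so after a package upgrade the previous code keeps running until some config change happens to restart matrix.target. Add `notify: config matrix target` to the task, or use `state: present` and handle upgrades deliberately. The `apt_key` task pins the fingerprint in `id:`, which is good; note that `apt_key` is deprecated in current Ansible in favour of a keyring file referenced by `signed-by=` in the repo line, and the pin should survive that migration.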
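Review bot: The `pip:` task installs `git+https://github.com/devture/matrix-synapse-shared-secret-auth` with `state: latest` and no ref, so every run pulls whatever the upstream default branch currently is into the Synapse venv — this is an authentication module, and it gets no pin and no checksum. Pin it to a tag or commit and drop `state: latest`: `name: 'git+https://github.com/devture/matrix-synapse-shared-secret-auth@<pinned-tag-or-commit>'`. The `when: ansible_os_family=="Debian"` on `Install synapse on debian` is redundant with the `Fail if not debian` task two lines above; keeping one of the two guards makes the intent clearer.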
@@ -0,0 +1,19 @@
+---
+
+- name: Create matrix-synchrotron-{{ item }} workdir
+  file:
+    path: /opt/matrix-synchrotron/{{ item }}
+    state: directory
+    mode: 0755
+- name: Put matrix-synchrotron-{{ item }} config in place
+  template:
+    src: "matrix-synchrotron-config.yaml.j2"
+    dest: "/opt/matrix-synchrotron/{{ item }}/config.yaml.ansibled"
+  notify: config synapse service
+  register: config
+- name: Put matrix-synchrotron-{{ item }} config in final destination
+  copy:
+    src: "/opt/matrix-synchrotron/{{ item }}/config.yaml.ansibled"
+    dest: "/opt/matrix-synchrotron/{{ item }}/config.yaml"
+    remote_src: yes
+  when: config.changed
diff --git a/roles/synapse/tasks/matrix-synchrotrons.yml b/roles/synapse/tasks/matrix-synchrotrons.yml
new file mode 100644
index 0000000..d2c13ac
--- /dev/null
+++ b/roles/synapse/tasks/matrix-synchrotrons.yml
@@ -0,0 +1,65 @@
+---
+
+- block:
+  - name: Add backports
+    apt_repository:
+      repo: "deb http://deb.debian.org/debian/ buster-backports main"
+      filename: backports
+      mode: '644'
+  - name: Install go from backports
+    apt:
+      name: golang
+      default_release: buster-backports
+  when: ansible_distribution_release == 'buster'
+
+- name: Install git and golang
+  apt:
+    name:
+      - git
+      - golang
+
+- name: Create matrix-synchrotron user
+  user:
+    name: matrix-synchrotron
+    system: yes
+    home: /opt/matrix-synchrotron
+    shell: /bin/false
+
+- block:
+  - name: Clone matrix-synchrotron git repo
+    git:
+      repo: 'https://github.com/Sorunome/matrix-synchrotron-balancer.git'
+      dest: /opt/matrix-synchrotron/src
+      force: yes
+    register: install
+
+  - name: Build matrix-synchrotron
+    command: go build
+    args:
+      chdir: /opt/matrix-synchrotron/src
+    when: install.changed
+    notify: config synapse service
+
+  - name: Configure matrix-synchrotron(s)
+    include_tasks: matrix-synchrotron.yml
+    loop: "{{ synapse_synchrotrons }}"
+    loop_control:
+      extended: yes
+
+  become_user: matrix-synchrotron
+
+- name: Put systemd matrix-synchrotron unit in place
+  template:
+    src: 'systemd/matrix-synchrotron@.service.j2'
+    dest: "/etc/systemd/system/matrix-synchrotron@.service"
+    mode: '644'
+  register: systemd_unit
+
+- name: Enable systemd matrix-synchrotron-{{ item }} unit
+  systemd:
+    daemon_reload: yes
+    name: "matrix-synchrotron@{{ item }}.service"
+    enabled: yes
+    state: restarted
+  when: systemd_unit.changed
+  loop: "{{ synapse_synchrotrons }}"
diff --git a/roles/synapse/tasks/worker_instance.yml b/roles/synapse/tasks/worker_instance.yml
new file mode 100644
index 0000000..c5e7b40
--- /dev/null
+++ b/roles/synapse/tasks/worker_instance.yml
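Review bot: The `git:` clone of matrix-synchrotron-balancer has no `version:`, so `force: yes` followed by `go build` rebuilds and deploys whatever upstream HEAD happens to be on each run, with no way to reproduce a given deployment or to notice an unexpected upstream change. Pin the checkout, `version: '<pinned-tag-or-commit>'`, and bump it deliberately. The build runs as the unprivileged `matrix-synchrotron` user, which is right, but the binary stays in `/opt/matrix-synchrotron/src`, owned by the same user the unit runs it as, so the service can overwrite its own executable; copying the built binary to a root-owned path and pointing `ExecStart=` there separates build from run.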
@@ -0,0 +1,23 @@
+---
+
+- name: Set worker var
+  set_fact:
+    worker: "{{ worker_type }}-{{ worker_index|default('0') }}"
+
+- name: Put {{ worker }} config in place
+  template:
+    src: "worker.yaml.j2"
+    dest: "/etc/matrix-synapse/workers/{{ worker }}.yaml"
+    mode: '644'
+  notify: config worker services
+
+- name: Put {{ worker }} logging config in place
+  template:
+    src: "log.yaml.j2"
+    dest: "/etc/matrix-synapse/worker-logs/{{ worker }}-log.yaml"
+    mode: '644'
+  notify: config worker services
+
+- name: Add {{ worker }} to synapse_worker_services
+  set_fact:
+    synapse_worker_services: "{{ synapse_worker_services + [ worker ] }}"
diff --git a/roles/synapse/tasks/worker_type.yml b/roles/synapse/tasks/worker_type.yml
new file mode 100644
index 0000000..8329599
--- /dev/null
+++ b/roles/synapse/tasks/worker_type.yml
@@ -0,0 +1,41 @@
+---
+
+- name: Set worker type to {{ synapse_worker.key }}
+  set_fact:
+    worker_type: "{{ synapse_worker.key }}"
+
+- name: Include default variables
+  include_vars: defaults.yml
+
+- name: Include {{ worker_type }} variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - files:
+        - "{{ worker_type }}.yml"
+      skip: yes
+
+- name: Reset worker_ports
+  set_fact:
+    worker_ports: []
+
+- name: Set worker_ports
+  set_fact:
+    worker_ports: "{{ synapse_worker.value }}"
+  when: synapse_worker.value is iterable
+
+- name: "Setup {{ worker_type }}(s) if they have listeners"
+  include_tasks: worker_instance.yml
+  loop: "{{ worker_ports }}"
+  loop_control:
+    loop_var: worker_port
+    index_var: worker_index
+  when: worker_ports|length != 0
+
+- name: "Setup {{ worker_type }}(s) if they don't have listeners"
+  include_tasks: worker_instance.yml
+  when: worker_ports|length == 0
+
+- name: Append synchrotron var
+  set_fact:
+    synapse_synchrotrons: "{{ synapse_synchrotrons + [ synchrotron_type ] }}"
+  when: synchrotron_type is defined and synchrotron_type not in synapse_synchrotrons
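Review bot: `when: synapse_worker.value is iterable` on `Set worker_ports` also matches strings, because a string is iterable in Jinja2; a type written as `pusher: "8085"` in the inventory would loop over the four characters and set up one worker per digit. Tighten it to `when: synapse_worker.value is iterable and synapse_worker.value is not string`. Separately, `synchrotron_type` arrives through the per-type `include_vars`, and a value set by one worker type stays defined into the next loop iteration unless defaults.yml (not in this patch) resets it; a comment on `Include default variables` stating that it clears `synchrotron_type` would make the reliance explicit.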
diff --git a/roles/synapse/tasks/workers.yml b/roles/synapse/tasks/workers.yml
new file mode 100644
index 0000000..fcf4bf0
--- /dev/null
+++ b/roles/synapse/tasks/workers.yml
@@ -0,0 +1,49 @@
+---
+
+- name: synapse-wide worker config
+  template:
+    src: 'conf.d/workers.yaml.j2'
+    dest: '/etc/matrix-synapse/conf.d/workers.yaml'
+
+- name: Put worker systemd unit in place
+  template:
+    src: "systemd/matrix-synapse-worker@.service.j2"
+    dest: '/etc/systemd/system/matrix-synapse-worker@.service'
+    mode: '644'
+  notify: config worker services
+
+- name: Create workers config directories
+  file:
+    path: /etc/matrix-synapse/{{ item }}
+    state: directory
+  loop:
+    - workers
+    - worker-logs
+
+- name: Initialize synapse worker vars
+  set_fact:
+    synapse_worker_services: []
+    synapse_synchrotrons: []
+
+- name: 'Create worker pidfile dir in /run'
+  file:
+    path: /run/matrix-synapse/
+    state: directory
+    owner: matrix-synapse
+    group: nogroup
+
+- name: Create tmpfiles config for pidfile dir in run
+  template:
+    src: 'tmpfiles-matrix-synapse.conf.j2'
+    dest: '/etc/tmpfiles.d/matrix-synapse.conf'
+    mode: '644'
+
+- name: Configure workers
+  include_tasks: worker_type.yml
+  loop: "{{ synapse_workers | dict2items }}"
+  loop_control:
+    loop_var: synapse_worker
+
+- name: Configure synchrotron balancer
+  include_tasks: matrix-synchrotrons.yml
+  when: synapse_synchrotrons | length != 0
diff --git a/roles/synapse/templates/conf.d/autojoin.yaml.j2 b/roles/synapse/templates/conf.d/autojoin.yaml.j2
new file mode 100644
index 0000000..346a22f
--- /dev/null
+++ b/roles/synapse/templates/conf.d/autojoin.yaml.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+auto_join_rooms:
+{% for room_id in matrix_auto_join_rooms %}
+  - "{{ room_id }}"
+{% endfor %}
diff --git a/roles/synapse/templates/conf.d/database.yaml.j2 b/roles/synapse/templates/conf.d/database.yaml.j2
new file mode 100644
index 0000000..cbb891f
--- /dev/null
+++ b/roles/synapse/templates/conf.d/database.yaml.j2
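Review bot: The `synapse-wide worker config` template has neither `notify:` nor `mode:`, unlike every other conf.d template in config.yml, so a change to `instance_map`/`stream_writers` is written to disk but nothing restarts Synapse, and the file gets whatever the umask yields. Add `mode: '0640'` and `notify: config matrix target` to that task. `Create workers config directories` and the `/run/matrix-synapse/` task also leave `mode` implicit; stating it (the tmpfiles line already says `0755` for the pid dir) keeps the two in agreement.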
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+database:
+  name: "psycopg2"
+  args:
+    user: "{{ synapse_psql_user }}"
+    password: "{{ synapse_psql_pw }}"
+    database: {{ synapse_psql_db }}
+    host: {{ synapse_psql_host }}
+    cp_min: 2
+    cp_max: 3
+
diff --git a/roles/synapse/templates/conf.d/general.yaml.j2 b/roles/synapse/templates/conf.d/general.yaml.j2
new file mode 100644
index 0000000..dbde0cf
--- /dev/null
+++ b/roles/synapse/templates/conf.d/general.yaml.j2
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+
+public_baseurl: '{{ matrix_external_url }}'
+admin_contact: '{{ synapse_admin_contact }}'
+max_upload_size: {{ matrix_max_upload_size_mb }}M
+enable_registration: false
+allow_public_rooms_over_federation: true
+registration_shared_secret: '{{ matrix_registration_shared_secret }}'
+enable_group_creation: true
+enable_metrics: {{ synapse_metrics }}
+use_presence: {{ synapse_presence }}
+enable_media_repo: {{ matrix_media_repo_server is not defined and 'media_repository' not in synapse_workers }}
+retention:
+  enabled: true
+experimental_features:
+  msc2716_enabled: true
diff --git a/roles/synapse/templates/conf.d/listeners.yaml.j2 b/roles/synapse/templates/conf.d/listeners.yaml.j2
new file mode 100644
index 0000000..44fed2a
--- /dev/null
+++ b/roles/synapse/templates/conf.d/listeners.yaml.j2
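Review bot: `password: "{{ synapse_psql_pw }}"` drops a secret into hand-written double quotes, so a password containing `"` or `\` yields invalid YAML (and the deploy fails, or worse, a truncated value is used); let Jinja produce a correctly escaped scalar instead: `password: {{ synapse_psql_pw | to_json }}`, and the same for `user`. The identical pattern appears in general.yaml.j2 (`registration_shared_secret`, single-quoted), modules.yaml.j2 (`shared_secret`), password_providers.yaml.j2 (`bind_password`), sso.yaml.j2 (`client_secret`) and turn.yaml.j2 (`turn_shared_secret`). `database:` and `host:` are emitted unquoted here; `| to_json` on those too avoids a value such as `yes` or `1e3` being read as a non-string.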
@@ -0,0 +1,33 @@
+# {{ ansible_managed }}
+
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    bind_addresses: ['::1', '127.0.0.1']
+    resources:
+      - names: [client, federation]
+        compress: false
+{% if matrix_extras is defined and synapse_workers is not defined %}
+  - port: 8009
+    tls: false
+    type: http
+    x_forwarded: false
+    bind_addresses: ['::1', '127.0.0.1']
+    resources:
+      - names: [client]
+        compress: false
+{% endif %}
+{% if synapse_metrics %}
+  - port: 9656
+    type: metrics
+    bind_addresses: ['0.0.0.0'] # Don't bind to multiple addresses
+{% endif %}
+{% if synapse_workers is defined %}
+  - port: 9093
+    bind_addresses: ['::1', '127.0.0.1']
+    type: http
+    resources:
+      - names: [replication]
+{% endif %}
diff --git a/roles/synapse/templates/conf.d/modules.yaml.j2 b/roles/synapse/templates/conf.d/modules.yaml.j2
new file mode 100644
index 0000000..658c96b
--- /dev/null
+++ b/roles/synapse/templates/conf.d/modules.yaml.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+modules:
+{% if synapse_shared_secret_auth is defined %}
+  - module: "shared_secret_authenticator.SharedSecretAuthProvider"
+    config:
+      shared_secret: "{{ synapse_shared_secret_auth }}"
+      m_login_password_support_enabled: true # Remove this once this isn't needed anymore
+      com_devture_shared_secret_auth_support_enabled: false # this works around https://github.com/vector-im/element-web/issues/19605
+{% endif %}
diff --git a/roles/synapse/templates/conf.d/password_providers.yaml.j2 b/roles/synapse/templates/conf.d/password_providers.yaml.j2
new file mode 100644
index 0000000..6ec14f9
--- /dev/null
+++ b/roles/synapse/templates/conf.d/password_providers.yaml.j2
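Review bot: The metrics listener binds `0.0.0.0` with no TLS and no authentication, so whenever `synapse_metrics` is on the Prometheus endpoint is reachable from every interface, while every other listener in this file stays on loopback; the inline comment explains why a second address is not listed, not why the listener is world-bound. Make the address a role variable that defaults to loopback, e.g. `bind_addresses: ['{{ synapse_metrics_bind_address | default("127.0.0.1") }}']` (new variable), or document the firewall rule the role relies on next to the listener. The 8009 listener sets `x_forwarded: false` where 8008 sets `true`; if both are fronted by the same proxy, rate limiting and logging on 8009 will see the proxy's address rather than the client's.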
@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+password_providers:
+{% if synapse_ldap_servers is defined %}
+  - module: "ldap_auth_provider.LdapAuthProvider"
+    config:
+      enabled: true
+      mode: "search"
+      uri:
+{% for synapse_ldap_server in synapse_ldap_servers %}
+        - {{ synapse_ldap_server }}
+{% endfor %}
+      start_tls: false
+      base: "{{ synapse_ldap_search_base }}"
+      attributes:
+        uid: "uid"
+        name: "{{ synapse_ldap_user_name }}"
+        mail: "mail"
+      filter: "(objectClass=posixAccount)"
+{% if synapse_ldap_bind_dn is defined %}
+      bind_dn: "{{ synapse_ldap_bind_dn }}"
+      bind_password: "{{ synapse_ldap_bind_pw }}"
+{% endif %}
+{% endif %}
+
diff --git a/roles/synapse/templates/conf.d/server_name.yaml.j2 b/roles/synapse/templates/conf.d/server_name.yaml.j2
new file mode 100644
index 0000000..5bb49c3
--- /dev/null
+++ b/roles/synapse/templates/conf.d/server_name.yaml.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+server_name: {{ matrix_domain }}
diff --git a/roles/synapse/templates/conf.d/sso.yaml.j2 b/roles/synapse/templates/conf.d/sso.yaml.j2
new file mode 100644
index 0000000..5e2dcf9
--- /dev/null
+++ b/roles/synapse/templates/conf.d/sso.yaml.j2
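Review bot: `start_tls: false` is hard-coded, so unless every entry in `synapse_ldap_servers` is an `ldaps://` URI the bind password and each user's login password cross the network in cleartext. Make it configurable with a safe default, `start_tls: {{ synapse_ldap_start_tls | default(true) | bool | lower }}` (new variable), or add an `assert:` in config.yml that the URIs start with `ldaps://`. `password_providers:` is also the legacy configuration key; recent Synapse releases load ldap_auth_provider through `modules:` the way modules.yaml.j2 already does for the shared-secret module, so confirm against the version the matrix.org repository installs and add `# legacy key, see modules.yaml.j2` if it is kept on purpose.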
@@ -0,0 +1,74 @@
+# {{ ansible_managed }}
+
+password_config:
+  enabled: false
+
+{% if synapse_sso_client_whitelist is defined %}
+sso:
+  client_whitelist:
+{% for client in synapse_sso_client_whitelist %}
+    - {{ client }}
+{% endfor %}
+{% endif %}
+
+oidc_providers:
+{% for provider in matrix_openidc_providers %}
+  - idp_id: "{{ provider.idp_id }}"
+    idp_name: "{{ provider.idp_name }}"
+{% if provider.idp_icon is defined %}
+    idp_icon: "{{ provider.idp_icon }}"
+{% endif %}
+{% if provider.idp_brand is defined %}
+    idp_brand: "{{ provider.idp_brand }}"
+{% endif %}
+    discover: {{ provider.discover | default(true) | bool | lower }}
+    issuer: "{{ provider.issuer }}"
+    client_id: "{{ provider.client_id }}"
+{% if provider.client_secret is defined %}
+    client_secret: "{{ provider.client_secret }}"
+{% else %}
+    client_secret_jwt_key: "{{ provider.client_secret_jwt_key }}"
+{% endif %}
+    client_auth_method: "{{ provider.client_auth_method | default('client_secret_basic') }}"
+    scopes: {{ provider.scopes }}
+{% if provider.discover == false %}
+    authorization_endpoint: "{{ provider.authorization_endpoint }}"
+    token_endpoint: "{{ provider.token_endpoint }}"
+{% if provider.userinfo_endpoint is defined %}
+    userinfo_endpoint: "{{ provider.userinfo_endpoint }}"
+{% endif %}
+{% if provider.jwks_uri is defined %}
+    jwks_uri: "{{ provider.jwks_uri }}"
+{% endif %}
+{% endif %}
+{% if provider.skip_verification is defined %}
+    skip_verification: "{{ provider.skip_verification }}"
+{% endif %}
+    user_profile_method: "{{ provider.user_profile_method | default('auto') }}"
+    allow_existing_users: {{ provider.allow_existing_users | default(false) | bool | lower }}
+{% if provider.user_mapping_provider is defined %}
+    user_mapping_provider:
+{% for mapping_provider in provider.user_mapping_provider %}
+      "{{ mapping_provider }}":
+{% if provider.user_mapping_provider[mapping_provider].subject_claim is defined %}
+        subject_claim: "{{ provider.user_mapping_provider[mapping_provider].subject_claim }}"
+{% endif %}
+{% if provider.user_mapping_provider[mapping_provider].localpart_template is defined %}
+        localpart_template: "{{ provider.user_mapping_provider[mapping_provider].localpart_template }}"
+{% endif %}
+{% if provider.user_mapping_provider[mapping_provider].display_name_template is defined %}
+        display_name_template: "{{ provider.user_mapping_provider[mapping_provider].display_name_template }}"
+{% endif %}
+{% if provider.user_mapping_provider[mapping_provider].email_template is defined %}
+        email_template: "{{ provider.user_mapping_provider[mapping_provider].email_template }}"
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if provider.attribute_requirements is defined %}
+    attribute_requirements:
+{% for attribute in provider.attribute_requirements %}
+      - attribute: "{{ attribute }}"
+        value: "{{ attribute.value }}"
+{% endfor %}
+{% endif %}
+{% endfor %}
diff --git a/roles/synapse/templates/conf.d/turn.yaml.j2 b/roles/synapse/templates/conf.d/turn.yaml.j2
new file mode 100644
index 0000000..662f3ec
--- /dev/null
+++ b/roles/synapse/templates/conf.d/turn.yaml.j2
@@ -0,0 +1,11 @@
+---
+
+turn_uris:
+  - "turns:{{ turn_domain }}:443?transport=udp"
+  - "turn:{{ turn_domain }}:443?transport=udp"
+  - "turns:{{ turn_domain }}:443?transport=tcp"
+  - "turn:{{ turn_domain }}:443?transport=tcp"
+turn_shared_secret: "{{ turn_secret }}"
+turn_user_lifetime: 1d
+turn_allow_guests: false
+
diff --git a/roles/synapse/templates/conf.d/url_preview.yaml.j2 b/roles/synapse/templates/conf.d/url_preview.yaml.j2
new file mode 100644
index 0000000..04af4b6
--- /dev/null
+++ b/roles/synapse/templates/conf.d/url_preview.yaml.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+
+url_preview_enabled: true
+url_preview_ip_range_blacklist:
+  - '127.0.0.0/8'
+  - '10.0.0.0/8'
+  - '172.16.0.0/12'
+  - '192.168.0.0/16'
+  - '100.64.0.0/10'
+  - '169.254.0.0/16'
+  - '::1/128'
+  - 'fe80::/64'
+  - 'fc00::/7'
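Review bot: `skip_verification: "{{ provider.skip_verification }}"` wraps the value in quotes, so Synapse is handed the string `"False"` rather than a boolean; if that option is consumed as a plain truthy value, an inventory that sets `skip_verification: false` would still disable issuer verification for that provider. Render it the way `discover` and `allow_existing_users` already are: `skip_verification: {{ provider.skip_verification | bool | lower }}`. In the `attribute_requirements` loop, `- attribute: "{{ attribute }}"` emits the whole loop item while the next line reads `attribute.value` from it, so one of the two is wrong — presumably the first should be `attribute.attribute` — and as written every requirement would serialise a dict into the attribute name.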
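Review bot: `url_preview_ip_range_blacklist` is the SSRF guard for the preview fetcher and the list here is shorter than the one Synapse's own documentation gives as a starting point: `fe80::/64` covers only part of the link-local range `fe80::/10`, and multicast (`224.0.0.0/4`, `ff00::/8`), `192.0.0.0/24` and the benchmarking range `198.18.0.0/15` are absent, so previews can be coaxed into fetching from addresses the deployment probably considers internal. Extend the list to at least those ranges and mark its purpose so the next editor does not trim it: `# SSRF guard: must cover every internal, link-local and multicast range reachable from this host`. If the role is meant to support hosts with other internal ranges, a `synapse_url_preview_extra_blacklist` variable (new) appended to the list keeps the baseline intact.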
diff --git a/roles/synapse/templates/conf.d/workers.yaml.j2 b/roles/synapse/templates/conf.d/workers.yaml.j2
new file mode 100644
index 0000000..d635896
--- /dev/null
+++ b/roles/synapse/templates/conf.d/workers.yaml.j2
@@ -0,0 +1,90 @@
+---
+
+redis:
+  enabled: true
+{% if 'appservice' in synapse_workers %}
+notify_appservices_from_worker: appservice-0
+{% endif %}
+{% if 'pusher' in synapse_workers %}
+start_pushers: false
+{% endif %}
+{% if 'user_dir' in synapse_workers %}
+update_user_directory_from_worker: user_dir-0
+{% endif %}
+
+
+{% if 'event_persister' in synapse_workers or 'typing_persister' in synapse_workers or 'account_persister' in synapse_workers or 'device_persister' in synapse_workers or 'presence_persister' in synapse_workers or 'receipt_persister' in synapse_workers %}
+instance_map:
+
+{% for persister_type in persister_workers %}
+
+{% if persister_type in synapse_workers %}
+{% for port in synapse_workers[persister_type] %}
+  {{ persister_type }}-{{ loop.index0 }}:
+    host: localhost
+    port: {{ port }}
+{% endfor %}
+{% endif %}
+
+{% endfor %}
+
+stream_writers:
+{% if 'event_persister' in synapse_workers %}
+  events:
+{% for port in synapse_workers.event_persister %}
+    - event_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'typing_persister' in synapse_workers %}
+  typing:
+{% for port in synapse_workers.typing_persister %}
+    - typing_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'account_persister' in synapse_workers %}
+  account_data:
+{% for port in synapse_workers.account_persister %}
+    - account_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'device_persister' in synapse_workers %}
+  to_device:
+{% for port in synapse_workers.device_persister %}
+    - device_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'presence_persister' in synapse_workers %}
+  presence:
+{% for port in synapse_workers.presence_persister %}
+    - presence_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'receipt_persister' in synapse_workers %}
+  receipts:
+{% for port in synapse_workers.receipt_persister %}
+    - receipt_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% endif %}
+
+{% if 'background_tasks' in synapse_workers %}
+run_background_tasks_on: background_tasks-0
+{% endif %}
+
+{% if 'federation_sender' in synapse_workers %}
+send_federation: false
+
+{% if synapse_workers.federation_sender|length > 1 %}
+federation_sender_instances:
+{% for port in synapse_workers.federation_sender %}
+    - federation_sender-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% endif %}
diff --git a/roles/synapse/templates/log.yaml.j2 b/roles/synapse/templates/log.yaml.j2
new file mode 100644
index 0000000..35d157a
--- /dev/null
+++ b/roles/synapse/templates/log.yaml.j2
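Review bot: `redis: enabled: true` and the `instance_map` entries set up replication without any shared secret, so any local process that can reach the replication listener on 9093 (loopback, per listeners.yaml.j2) or the Redis port can take part in replication as if it were a worker; Synapse supports `worker_replication_secret` for the HTTP side and `redis.password` for Redis, and this file is the right place since conf.d is passed to the main process and to every worker unit alike. Suggest `worker_replication_secret: {{ synapse_worker_replication_secret | to_json }}` (new variable) here plus the matching `requirepass` in the redis-server install. The six-way `{% if 'event_persister' in synapse_workers or ... %}` guard around `instance_map` duplicates `persister_workers` from defaults; `{% if persister_workers | intersect(synapse_workers) %}` keeps the two lists from drifting apart.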
@@ -0,0 +1,69 @@
+# {{ ansible_managed }}
+# Log configuration for Synapse {{ worker }} worker.
+#
+# This is a YAML file containing a standard Python logging configuration
+# dictionary. See [1] for details on the valid settings.
+#
+# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
+
+version: 1
+
+formatters:
+  precise:
+    format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+  file:
+    class: logging.handlers.TimedRotatingFileHandler
+    formatter: precise
+    filename: /var/log/matrix-synapse/{{ worker }}.log
+    when: midnight
+    backupCount: 3
+    encoding: utf8
+
+  # Default to buffering writes to log file for efficiency. This means that
+  # will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
+  # logs will still be flushed immediately.
+  buffer:
+    class: logging.handlers.MemoryHandler
+    target: file
+    # The capacity is the number of log lines that are buffered before
+    # being written to disk. Increasing this will lead to better
+    # performance, at the expensive of it taking longer for log lines to
+    # be written to disk.
+    capacity: 10
+    flushLevel: 30 # Flush for WARNING logs as well
+
+  # A handler that writes logs to stderr. Unused by default, but can be used
+  # instead of "buffer" and "file" in the logger handlers.
+  console:
+    class: logging.StreamHandler
+    formatter: precise
+
+loggers:
+  synapse.storage.SQL:
+    # beware: increasing this to DEBUG will make synapse log sensitive
+    # information such as access tokens.
+    level: INFO
+
+  twisted:
+    # We send the twisted logging directly to the file handler,
+    # to work around https://github.com/matrix-org/synapse/issues/3471
+    # when using "buffer" logger. Use "console" to log to stderr instead.
+    handlers: [file]
+    propagate: false
+
+root:
+  level: WARNING
+
+  # Write logs to the `buffer` handler, which will buffer them together in memory,
+  # then write them to a file.
+  #
+  # Replace "buffer" with "console" to log to stderr instead. (Note that you'll
+  # also need to update the configuation for the `twisted` logger above, in
+  # this case.)
+  #
+  handlers: [buffer]
+
+disable_existing_loggers: false
+
diff --git a/roles/synapse/templates/matrix-synchrotron-config.yaml.j2 b/roles/synapse/templates/matrix-synchrotron-config.yaml.j2
new file mode 100644
index 0000000..7b00c0d
--- /dev/null
+++ b/roles/synapse/templates/matrix-synchrotron-config.yaml.j2
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+homeserver_url: http://localhost:8008 # homeserver URL for the whoami request
+listener: localhost:{{ 8183 + ansible_loop.index0 }} # host:port to listen to
+
+synchrotrons:
+{% for port in synapse_workers[synchrotron_workers[item]] %}
+  - address: 127.0.0.1:{{ port }}
+    pid_file: /run/matrix-synapse/{{ synchrotron_workers[item] }}-{{ loop.index0 }}.pid
+{% endfor %}
+
+balancer:
+  interval: 2
diff --git a/roles/synapse/templates/systemd/matrix-synapse-worker@.service.j2 b/roles/synapse/templates/systemd/matrix-synapse-worker@.service.j2
new file mode 100644
index 0000000..fa9b740
--- /dev/null
+++ b/roles/synapse/templates/systemd/matrix-synapse-worker@.service.j2
@@ -0,0 +1,24 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Synapse %i
+AssertPathExists=/etc/matrix-synapse/workers/%i.yaml
+PartOf=matrix-synapse.service
+After=matrix-synapse.service
+
+[Service]
+Type=notify
+PIDFile=/run/matrix-synapse/%i.pid
+NotifyAccess=main
+User=matrix-synapse
+WorkingDirectory=/var/lib/matrix-synapse
+EnvironmentFile=/etc/default/matrix-synapse
+ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml
+ExecStartPost=/bin/sh -c "echo $MAINPID > /run/matrix-synapse/%i.pid"
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+SyslogIdentifier=matrix-synapse-%i
+
+[Install]
+WantedBy=matrix-synapse.service
diff --git a/roles/synapse/templates/systemd/matrix-synapse.service.j2 b/roles/synapse/templates/systemd/matrix-synapse.service.j2
new file mode 100644
index 0000000..2943897
--- /dev/null
+++ b/roles/synapse/templates/systemd/matrix-synapse.service.j2
@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Synapse Matrix homeserver
+PartOf=matrix.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+User=matrix-synapse
+WorkingDirectory=/var/lib/matrix-synapse
+EnvironmentFile=/etc/default/matrix-synapse
+ExecStartPre=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --generate-keys
+ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+SyslogIdentifier=matrix-synapse
+
+[Install]
+WantedBy=matrix.target
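Review bot: The `[Service]` section of the worker unit carries no systemd sandboxing, so a Synapse worker that is compromised through a request it handles runs with the full filesystem view and kernel surface of the `matrix-synapse` user; matrix-synapse.service.j2 in the next hunk and matrix-synchrotron@.service.j2 in the following one have the same gap. Directives such as `NoNewPrivileges=true`, `ProtectSystem=strict` with an explicit `ReadWritePaths=`, `ProtectHome=true` and `PrivateTmp=true` would limit what such a process can touch. The writable set below is inferred from the paths visible in these units (state dir, log dir, pid dir) and needs confirming against the media store and any paths configured in conf.d, which are outside this hunk; for the homeserver unit, the `--generate-keys` step in `ExecStartPre` must also be able to write the signing key, so its location has to be writable or the key generated out of band.
```ini
[Service]
# … unchanged: Type, PIDFile, NotifyAccess, User, WorkingDirectory, EnvironmentFile …
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/var/lib/matrix-synapse /var/log/matrix-synapse /run/matrix-synapse
ProtectHome=true
PrivateTmp=true
# … unchanged: ExecStart, ExecStartPost, ExecReload, Restart, RestartSec, SyslogIdentifier …
```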
diff --git a/roles/synapse/templates/systemd/matrix-synchrotron@.service.j2 b/roles/synapse/templates/systemd/matrix-synchrotron@.service.j2
new file mode 100644
index 0000000..72bc0f4
--- /dev/null
+++ b/roles/synapse/templates/systemd/matrix-synchrotron@.service.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Matrix Synchrotron %i
+After=matrix-synapse.service
+PartOf=matrix-synapse.service
+
+[Service]
+Type=simple
+User=matrix-synchrotron
+WorkingDirectory=/opt/matrix-synchrotron/%i
+ExecStart=/opt/matrix-synchrotron/src/matrix-synchrotron-balancer
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=matrix-synapse.service
diff --git a/roles/synapse/templates/systemd/matrix.target.j2 b/roles/synapse/templates/systemd/matrix.target.j2
new file mode 100644
index 0000000..484e11a
--- /dev/null
+++ b/roles/synapse/templates/systemd/matrix.target.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Contains matrix services like synapse, bridges and bots
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/synapse/templates/tmpfiles-matrix-synapse.conf.j2 b/roles/synapse/templates/tmpfiles-matrix-synapse.conf.j2
new file mode 100644
index 0000000..a24b743
--- /dev/null
+++ b/roles/synapse/templates/tmpfiles-matrix-synapse.conf.j2
@@ -0,0 +1 @@
+d /run/matrix-synapse 0755 matrix-synapse nogroup - -
diff --git a/roles/synapse/templates/worker.yaml.j2 b/roles/synapse/templates/worker.yaml.j2
new file mode 100644
index 0000000..6c01ee1
--- /dev/null
+++ b/roles/synapse/templates/worker.yaml.j2
@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+worker_app: synapse.app.{{ worker_app }}
+worker_name: {{ worker }}
+
+# The replication listener on the synapse to talk to.
+worker_replication_host: 127.0.0.1
+worker_replication_http_port: 9093
+
+worker_log_config: /etc/matrix-synapse/worker-logs/{{ worker }}-log.yaml
+{% if worker_port is defined and worker_listeners|length !=0 or synapse_metrics %}
+worker_listeners:
+{% if worker_listeners|length != 0 %}
+ - type: http
+ port: {{ worker_port }}
+ x_forwarded: true
+ bind_addresses: ['::1', '127.0.0.1']
+ resources:
+ - names: {{ worker_listeners }}
+{% endif %}
+
+{% if synapse_metrics %}
+ - type: metrics
+ port: {{ worker_port + 1000 }}
+ bind_addresses: ['0.0.0.0'] # Don't bind to multiple addresses
+{% endif %}
+{% endif %}
+{% if worker_app == 'frontend_proxy' %}
+worker_main_http_uri: http://localhost:8008
+{% endif %}
diff --git a/roles/synapse/vars/account_persister.yml b/roles/synapse/vars/account_persister.yml
new file mode 100644
index 0000000..b0d9af3
--- /dev/null
+++ b/roles/synapse/vars/account_persister.yml
@@ -0,0 +1,5 @@
+---
+
+worker_listeners:
+ - replication
+ - client
diff --git a/roles/synapse/vars/appservice.yml b/roles/synapse/vars/appservice.yml
new file mode 100644
index 0000000..14ed09c
--- /dev/null
+++ b/roles/synapse/vars/appservice.yml
@@ -0,0 +1,3 @@
+---
+
+worker_listeners: []
diff --git a/roles/synapse/vars/background_tasks.yml b/roles/synapse/vars/background_tasks.yml
new file mode 100644
index 0000000..c04953e
--- /dev/null
+++ b/roles/synapse/vars/background_tasks.yml
@@ -0,0 +1,4 @@
+---
+
+worker_listeners:
+ - replication
diff --git a/roles/synapse/vars/defaults.yml b/roles/synapse/vars/defaults.yml
new file mode 100644
index 0000000..dbd00b1
--- /dev/null
+++ b/roles/synapse/vars/defaults.yml
@@ -0,0 +1,5 @@
+---
+
+worker_app: generic_worker
+worker_listeners:
+ - client
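Review bot: The metrics listener is bound to `['0.0.0.0']`, which exposes every worker's unauthenticated Prometheus endpoint on all IPv4 interfaces, while the http listener in the same template is deliberately limited to `['::1', '127.0.0.1']`. Unless a host firewall is managed elsewhere in the role, bind it the same way (`bind_addresses: ['127.0.0.1']`) or make the address a role variable with a loopback default so the scrape interface is an explicit decision. Separately, the outer guard `worker_port is defined and worker_listeners|length !=0 or synapse_metrics` parses as `(A and B) or C`, so a worker that has `synapse_metrics` set but no `worker_port` still reaches `{{ worker_port + 1000 }}` and fails to render; whether every worker receives a port is decided in worker_instance.yml, outside this hunk, so either parenthesise the condition or document the invariant above it.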
diff --git a/roles/synapse/vars/device_persister.yml b/roles/synapse/vars/device_persister.yml
new file mode 100644
index 0000000..b0d9af3
--- /dev/null
+++ b/roles/synapse/vars/device_persister.yml
@@ -0,0 +1,5 @@
+---
+
+worker_listeners:
+ - replication
+ - client
diff --git a/roles/synapse/vars/event_persister.yml b/roles/synapse/vars/event_persister.yml
new file mode 100644
index 0000000..c04953e
--- /dev/null
+++ b/roles/synapse/vars/event_persister.yml
@@ -0,0 +1,4 @@
+---
+
+worker_listeners:
+ - replication
diff --git a/roles/synapse/vars/federation_sender.yml b/roles/synapse/vars/federation_sender.yml
new file mode 100644
index 0000000..9395643
--- /dev/null
+++ b/roles/synapse/vars/federation_sender.yml
@@ -0,0 +1,4 @@
+---
+
+worker_app: federation_sender
+worker_listeners: []
diff --git a/roles/synapse/vars/frontend_proxy.yml b/roles/synapse/vars/frontend_proxy.yml
new file mode 100644
index 0000000..1f733a0
--- /dev/null
+++ b/roles/synapse/vars/frontend_proxy.yml
@@ -0,0 +1,3 @@
+---
+
+worker_app: frontend_proxy
diff --git a/roles/synapse/vars/generic_federation.yml b/roles/synapse/vars/generic_federation.yml
new file mode 100644
index 0000000..af84101
--- /dev/null
+++ b/roles/synapse/vars/generic_federation.yml
@@ -0,0 +1,4 @@
+---
+
+worker_listeners:
+ - federation
diff --git a/roles/synapse/vars/generic_federation_send.yml b/roles/synapse/vars/generic_federation_send.yml
new file mode 100644
index 0000000..af84101
--- /dev/null
+++ b/roles/synapse/vars/generic_federation_send.yml
@@ -0,0 +1,4 @@
+---
+
+worker_listeners:
+ - federation
diff --git a/roles/synapse/vars/generic_init_sync.yml b/roles/synapse/vars/generic_init_sync.yml
new file mode 100644
index 0000000..27ba224
--- /dev/null
+++ b/roles/synapse/vars/generic_init_sync.yml
@@ -0,0 +1,3 @@
+---
+
+synchrotron_type: init
diff --git a/roles/synapse/vars/generic_sync.yml b/roles/synapse/vars/generic_sync.yml
new file mode 100644
index 0000000..9768363
--- /dev/null
+++ b/roles/synapse/vars/generic_sync.yml
@@ -0,0 +1,3 @@
+---
+
+synchrotron_type: balancer
diff --git a/roles/synapse/vars/media_repository.yml b/roles/synapse/vars/media_repository.yml
new file mode 100644
index 0000000..e44fa14
--- /dev/null
+++ b/roles/synapse/vars/media_repository.yml
@@ -0,0 +1,5 @@
+---
+
+worker_app: media_repository
+worker_listeners:
+ - media
diff --git a/roles/synapse/vars/presence_persister.yml b/roles/synapse/vars/presence_persister.yml
new file mode 100644
index 0000000..b0d9af3
--- /dev/null
+++ b/roles/synapse/vars/presence_persister.yml
@@ -0,0 +1,5 @@
+---
+
+worker_listeners:
+ - replication
+ - client
diff --git a/roles/synapse/vars/pusher.yml b/roles/synapse/vars/pusher.yml
new file mode 100644
index 0000000..2e743a4
--- /dev/null
+++ b/roles/synapse/vars/pusher.yml
@@ -0,0 +1,4 @@
+---
+
+worker_app: pusher
+worker_listeners: []
diff --git a/roles/synapse/vars/receipt_persister.yml b/roles/synapse/vars/receipt_persister.yml
new file mode 100644
index 0000000..b0d9af3
--- /dev/null
+++ b/roles/synapse/vars/receipt_persister.yml
@@ -0,0 +1,5 @@
+---
+
+worker_listeners:
+ - replication
+ - client
diff --git a/roles/synapse/vars/typing_persister.yml b/roles/synapse/vars/typing_persister.yml
new file mode 100644
index 0000000..b0d9af3
--- /dev/null
+++ b/roles/synapse/vars/typing_persister.yml
@@ -0,0 +1,5 @@
+---
+
+worker_listeners:
+ - replication
+ - client