Synapse role

2023-04-11 21:46:36 +03:00
commit ced8c2314c
50 changed files with 948 additions and 0 deletions
--- a/roles/synapse/templates/conf.d/autojoin.yaml.j2
+++ b/roles/synapse/templates/conf.d/autojoin.yaml.j2
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+auto_join_rooms:
+{% for room_id in matrix_auto_join_rooms %}
+  - "{{ room_id }}"
+{% endfor %}
--- a/roles/synapse/templates/conf.d/database.yaml.j2
+++ b/roles/synapse/templates/conf.d/database.yaml.j2
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+database:
+  name: "psycopg2"
+  args:
+    user: "{{ synapse_psql_user }}"
+    password: "{{ synapse_psql_pw }}"
+    database: {{ synapse_psql_db }}
+    host: {{ synapse_psql_host }}
+    cp_min: 2
+    cp_max: 3
+
--- a/roles/synapse/templates/conf.d/general.yaml.j2
+++ b/roles/synapse/templates/conf.d/general.yaml.j2
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+
+public_baseurl: '{{ matrix_external_url }}'
+admin_contact: '{{ synapse_admin_contact }}'
+max_upload_size: {{ matrix_max_upload_size_mb }}M
+enable_registration: false
+allow_public_rooms_over_federation: true
+registration_shared_secret: '{{ matrix_registration_shared_secret }}'
+enable_group_creation: true
+enable_metrics: {{ synapse_metrics }}
+use_presence: {{ synapse_presence }}
+enable_media_repo: {{ matrix_media_repo_server is not defined and 'media_repository' not in synapse_workers }}
+retention:
+  enabled: true
+experimental_features:
+  msc2716_enabled: true
--- a/roles/synapse/templates/conf.d/listeners.yaml.j2
+++ b/roles/synapse/templates/conf.d/listeners.yaml.j2
@@ -0,0 +1,33 @@
+# {{ ansible_managed }}
+
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    bind_addresses: ['::1', '127.0.0.1']
+    resources:
+      - names: [client, federation]
+        compress: false
+{% if matrix_extras is defined and synapse_workers is not defined %}
+  - port: 8009
+    tls: false
+    type: http
+    x_forwarded: false
+    bind_addresses: ['::1', '127.0.0.1']
+    resources:
+      - names: [client]
+        compress: false
+{% endif %}
+{% if synapse_metrics %}
+  - port: 9656
+    type: metrics
+    bind_addresses: ['0.0.0.0'] # Don't bind to multiple addresses
+{% endif %}
+{% if synapse_workers is defined %}
+  - port: 9093
+    bind_addresses: ['::1', '127.0.0.1']
+    type: http
+    resources:
+      - names: [replication]
+{% endif %}
--- a/roles/synapse/templates/conf.d/modules.yaml.j2
+++ b/roles/synapse/templates/conf.d/modules.yaml.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+modules:
+{% if synapse_shared_secret_auth is defined %}
+  - module: "shared_secret_authenticator.SharedSecretAuthProvider"
+    config:
+      shared_secret: "{{ synapse_shared_secret_auth }}"
+      m_login_password_support_enabled: true # Remove this once this isn't needed anymore
+      com_devture_shared_secret_auth_support_enabled: false # this works around https://github.com/vector-im/element-web/issues/19605
+{% endif %}
--- a/roles/synapse/templates/conf.d/password_providers.yaml.j2
+++ b/roles/synapse/templates/conf.d/password_providers.yaml.j2
@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+password_providers:
+{% if synapse_ldap_servers is defined %}
+  - module: "ldap_auth_provider.LdapAuthProvider"
+    config:
+      enabled: true
+      mode: "search"
+      uri:
+{% for synapse_ldap_server in synapse_ldap_servers %}
+        - {{ synapse_ldap_server }}
+{% endfor %}
+      start_tls: false
+      base: "{{ synapse_ldap_search_base }}"
+      attributes:
+        uid: "uid"
+        name: "{{ synapse_ldap_user_name }}"
+        mail: "mail"
+      filter: "(objectClass=posixAccount)"
+{% if synapse_ldap_bind_dn is defined %}
+      bind_dn: "{{ synapse_ldap_bind_dn }}"
+      bind_password: "{{ synapse_ldap_bind_pw }}"
+{% endif %}
+{% endif %}
+
--- a/roles/synapse/templates/conf.d/server_name.yaml.j2
+++ b/roles/synapse/templates/conf.d/server_name.yaml.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+server_name: {{ matrix_domain }}
--- a/roles/synapse/templates/conf.d/sso.yaml.j2
+++ b/roles/synapse/templates/conf.d/sso.yaml.j2
@@ -0,0 +1,74 @@
+# {{ ansible_managed }}
+
+password_config:
+  enabled: false
+
+{% if synapse_sso_client_whitelist is defined %}
+sso:
+  client_whitelist:
+{% for client in synapse_sso_client_whitelist %}
+    - {{ client }}
+{% endfor %}
+{% endif %}
+
+oidc_providers:
+{% for provider in matrix_openidc_providers %}
+  - idp_id: "{{ provider.idp_id }}"
+    idp_name: "{{ provider.idp_name }}"
+{% if provider.idp_icon is defined %}
+    idp_icon: "{{ provider.idp_icon }}"
+{% endif %}
+{% if provider.idp_brand is defined %}
+    idp_brand: "{{ provider.idp_brand }}"
+{% endif %}
+    discover: {{ provider.discover | default(true) | bool | lower }}
+    issuer: "{{ provider.issuer }}"
+    client_id: "{{ provider.client_id }}"
+{% if provider.client_secret is defined %}
+    client_secret: "{{ provider.client_secret }}"
+{% else %}
+    client_secret_jwt_key: "{{ provider.client_secret_jwt_key }}"
+{% endif %}
+    client_auth_method: "{{ provider.client_auth_method | default('client_secret_basic') }}"
+    scopes: {{ provider.scopes }}
+{% if provider.discover == false %}
+    authorization_endpoint: "{{ provider.authorization_endpoint }}"
+    token_endpoint: "{{ provider.token_endpoint }}"
+{% if provider.userinfo_endpoint is defined %}
+    userinfo_endpoint: "{{ provider.userinfo_endpoint }}"
+{% endif %}
+{% if provider.jwks_uri is defined %}
+    jwks_uri: "{{ provider.jwks_uri }}"
+{% endif %}
+{% endif %}
+{% if provider.skip_verification is defined %}
+    skip_verification: "{{ provider.skip_verification }}"
+{% endif %}
+    user_profile_method: "{{ provider.user_profile_method | default('auto') }}"
+    allow_existing_users: {{ provider.allow_existing_users | default(false) | bool | lower }}
+{% if provider.user_mapping_provider is defined %}
+    user_mapping_provider:
+{% for mapping_provider in provider.user_mapping_provider %}
+        "{{ mapping_provider }}":
+{% if provider.user_mapping_provider[mapping_provider].subject_claim is defined %}
+          subject_claim: "{{ provider.user_mapping_provider[mapping_provider].subject_claim }}"
+{% endif %}
+{% if provider.user_mapping_provider[mapping_provider].localpart_template is defined %}
+          localpart_template: "{{ provider.user_mapping_provider[mapping_provider].localpart_template }}"
+{% endif %}
+{% if provider.user_mapping_provider[mapping_provider].display_name_template is defined %}
+          display_name_template: "{{ provider.user_mapping_provider[mapping_provider].display_name_template }}"
+{% endif %}
+{% if provider.user_mapping_provider[mapping_provider].email_template is defined %}
+          email_template: "{{ provider.user_mapping_provider[mapping_provider].email_template }}"
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if provider.attribute_requirements is defined %}
+    attribute_requirements:
+{% for attribute in provider.attribute_requirements %}
+      - attribute: "{{ attribute }}"
+        value: "{{ attribute.value }}"
+{% endfor %}
+{% endif %}
+{% endfor %}
--- a/roles/synapse/templates/conf.d/turn.yaml.j2
+++ b/roles/synapse/templates/conf.d/turn.yaml.j2
@@ -0,0 +1,11 @@
+---
+
+turn_uris:
+  - "turns:{{ turn_domain }}:443?transport=udp"
+  - "turn:{{ turn_domain }}:443?transport=udp"
+  - "turns:{{ turn_domain }}:443?transport=tcp"
+  - "turn:{{ turn_domain }}:443?transport=tcp"
+turn_shared_secret: "{{ turn_secret }}"
+turn_user_lifetime: 1d
+turn_allow_guests: false
+
--- a/roles/synapse/templates/conf.d/url_preview.yaml.j2
+++ b/roles/synapse/templates/conf.d/url_preview.yaml.j2
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+
+url_preview_enabled: true
+url_preview_ip_range_blacklist:
+  - '127.0.0.0/8'
+  - '10.0.0.0/8'
+  - '172.16.0.0/12'
+  - '192.168.0.0/16'
+  - '100.64.0.0/10'
+  - '169.254.0.0/16'
+  - '::1/128'
+  - 'fe80::/64'
+  - 'fc00::/7'
--- a/roles/synapse/templates/conf.d/workers.yaml.j2
+++ b/roles/synapse/templates/conf.d/workers.yaml.j2
@@ -0,0 +1,90 @@
+---
+
+redis:
+  enabled: true
+{% if 'appservice' in synapse_workers %}
+notify_appservices_from_worker: appservice-0
+{% endif %}
+{% if 'pusher' in synapse_workers %}
+start_pushers: false
+{% endif %}
+{% if 'user_dir' in synapse_workers %}
+update_user_directory_from_worker: user_dir-0
+{% endif %}
+
+
+{% if 'event_persister' in synapse_workers or 'typing_persister' in synapse_workers or 'account_persister' in synapse_workers or 'device_persister' in synapse_workers or 'presence_persister' in synapse_workers or 'receipt_persister' in synapse_workers %}
+instance_map:
+
+{% for persister_type in persister_workers %}
+
+{% if persister_type in synapse_workers %}
+{% for port in synapse_workers[persister_type] %}
+  {{ persister_type }}-{{ loop.index0 }}:
+    host: localhost
+    port: {{ port }}
+{% endfor %}
+{% endif %}
+
+{% endfor %}
+
+stream_writers:
+{% if 'event_persister' in synapse_workers %}
+  events:
+{% for port in synapse_workers.event_persister %}
+    - event_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'typing_persister' in synapse_workers %}
+  typing:
+{% for port in synapse_workers.typing_persister %}
+    - typing_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'account_persister' in synapse_workers %}
+  account_data:
+{% for port in synapse_workers.account_persister %}
+    - account_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'device_persister' in synapse_workers %}
+  to_device:
+{% for port in synapse_workers.device_persister %}
+    - device_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'presence_persister' in synapse_workers %}
+  presence:
+{% for port in synapse_workers.presence_persister %}
+    - presence_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'receipt_persister' in synapse_workers %}
+  receipts:
+{% for port in synapse_workers.receipt_persister %}
+    - receipt_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% endif %}
+
+{% if 'background_tasks' in synapse_workers %}
+run_background_tasks_on: background_tasks-0
+{% endif %}
+
+{% if 'federation_sender' in synapse_workers %}
+send_federation: false
+
+{% if synapse_workers.federation_sender|length > 1 %}
+federation_sender_instances:
+{% for port in synapse_workers.federation_sender %}
+  - federation_sender-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% endif %}
--- a/roles/synapse/templates/log.yaml.j2
+++ b/roles/synapse/templates/log.yaml.j2
@@ -0,0 +1,69 @@
+# {{ ansible_managed }}
+# Log configuration for Synapse {{ worker }} worker.
+#
+# This is a YAML file containing a standard Python logging configuration
+# dictionary. See [1] for details on the valid settings.
+#
+# [1]: https://docs.python.org/3.7/library/logging.config.html#configuration-dictionary-schema
+
+version: 1
+
+formatters:
+    precise:
+        format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+    file:
+        class: logging.handlers.TimedRotatingFileHandler
+        formatter: precise
+        filename: /var/log/matrix-synapse/{{ worker }}.log
+        when: midnight
+        backupCount: 3
+        encoding: utf8
+
+    # Default to buffering writes to log file for efficiency. This means that
+    # will be a delay for INFO/DEBUG logs to get written, but WARNING/ERROR
+    # logs will still be flushed immediately.
+    buffer:
+        class: logging.handlers.MemoryHandler
+        target: file
+        # The capacity is the number of log lines that are buffered before
+        # being written to disk. Increasing this will lead to better
+        # performance, at the expensive of it taking longer for log lines to
+        # be written to disk.
+        capacity: 10
+        flushLevel: 30  # Flush for WARNING logs as well
+
+    # A handler that writes logs to stderr. Unused by default, but can be used
+    # instead of "buffer" and "file" in the logger handlers.
+    console:
+        class: logging.StreamHandler
+        formatter: precise
+
+loggers:
+    synapse.storage.SQL:
+        # beware: increasing this to DEBUG will make synapse log sensitive
+        # information such as access tokens.
+        level: INFO
+
+    twisted:
+        # We send the twisted logging directly to the file handler,
+        # to work around https://github.com/matrix-org/synapse/issues/3471
+        # when using "buffer" logger. Use "console" to log to stderr instead.
+        handlers: [file]
+        propagate: false
+
+root:
+    level: WARNING
+
+    # Write logs to the `buffer` handler, which will buffer them together in memory,
+    # then write them to a file.
+    #
+    # Replace "buffer" with "console" to log to stderr instead. (Note that you'll
+    # also need to update the configuation for the `twisted` logger above, in
+    # this case.)
+    #
+    handlers: [buffer]
+
+disable_existing_loggers: false
+
--- a/roles/synapse/templates/matrix-synchrotron-config.yaml.j2
+++ b/roles/synapse/templates/matrix-synchrotron-config.yaml.j2
@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+homeserver_url: http://localhost:8008 # homeserver URL for the whoami request
+listener: localhost:{{ 8183 + ansible_loop.index0 }} # host:port to listen to
+
+synchrotrons:
+{% for port in synapse_workers[synchrotron_workers[item]] %}
+  - address: 127.0.0.1:{{ port }}
+    pid_file: /run/matrix-synapse/{{ synchrotron_workers[item] }}-{{ loop.index0 }}.pid
+{% endfor %}
+
+balancer:
+  interval: 2
--- a/roles/synapse/templates/systemd/matrix-synapse-worker@.service.j2
+++ b/roles/synapse/templates/systemd/matrix-synapse-worker@.service.j2
@@ -0,0 +1,24 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Synapse %i
+AssertPathExists=/etc/matrix-synapse/workers/%i.yaml
+PartOf=matrix-synapse.service
+After=matrix-synapse.service
+
+[Service]
+Type=notify
+PIDFile=/run/matrix-synapse/%i.pid
+NotifyAccess=main
+User=matrix-synapse
+WorkingDirectory=/var/lib/matrix-synapse
+EnvironmentFile=/etc/default/matrix-synapse
+ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.generic_worker --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --config-path=/etc/matrix-synapse/workers/%i.yaml
+ExecStartPost=/bin/sh -c "echo $MAINPID > /run/matrix-synapse/%i.pid"
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+SyslogIdentifier=matrix-synapse-%i
+
+[Install]
+WantedBy=matrix-synapse.service
--- a/roles/synapse/templates/systemd/matrix-synapse.service.j2
+++ b/roles/synapse/templates/systemd/matrix-synapse.service.j2
@@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Synapse Matrix homeserver
+PartOf=matrix.target
+
+[Service]
+Type=notify
+NotifyAccess=main
+User=matrix-synapse
+WorkingDirectory=/var/lib/matrix-synapse
+EnvironmentFile=/etc/default/matrix-synapse
+ExecStartPre=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/ --generate-keys
+ExecStart=/opt/venvs/matrix-synapse/bin/python -m synapse.app.homeserver --config-path=/etc/matrix-synapse/homeserver.yaml --config-path=/etc/matrix-synapse/conf.d/
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+RestartSec=3
+SyslogIdentifier=matrix-synapse
+
+[Install]
+WantedBy=matrix.target
--- a/roles/synapse/templates/systemd/matrix-synchrotron@.service.j2
+++ b/roles/synapse/templates/systemd/matrix-synchrotron@.service.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Matrix Synchrotron %i
+After=matrix-synapse.service
+PartOf=matrix-synapse.service
+
+[Service]
+Type=simple
+User=matrix-synchrotron
+WorkingDirectory=/opt/matrix-synchrotron/%i
+ExecStart=/opt/matrix-synchrotron/src/matrix-synchrotron-balancer
+Restart=always
+RestartSec=3
+
+[Install]
+WantedBy=matrix-synapse.service
--- a/roles/synapse/templates/systemd/matrix.target.j2
+++ b/roles/synapse/templates/systemd/matrix.target.j2
@@ -0,0 +1,8 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Contains matrix services like synapse, bridges and bots
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/synapse/templates/tmpfiles-matrix-synapse.conf.j2
+++ b/roles/synapse/templates/tmpfiles-matrix-synapse.conf.j2
@@ -0,0 +1 @@
+d /run/matrix-synapse 0755 matrix-synapse nogroup - -
--- a/roles/synapse/templates/worker.yaml.j2
+++ b/roles/synapse/templates/worker.yaml.j2
@@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+worker_app: synapse.app.{{ worker_app }}
+worker_name: {{ worker }}
+
+# The replication listener on the synapse to talk to.
+worker_replication_host: 127.0.0.1
+worker_replication_http_port: 9093
+
+worker_log_config: /etc/matrix-synapse/worker-logs/{{ worker }}-log.yaml
+{% if worker_port is defined and worker_listeners|length !=0 or synapse_metrics %}
+worker_listeners:
+{% if worker_listeners|length != 0 %}
+  - type: http
+    port: {{ worker_port }}
+    x_forwarded: true
+    bind_addresses: ['::1', '127.0.0.1']
+    resources:
+      - names: {{ worker_listeners }}
+{% endif %}
+
+{% if synapse_metrics %}
+  - type: metrics
+    port: {{ worker_port + 1000 }}
+    bind_addresses: ['0.0.0.0'] # Don't bind to multiple addresses
+{% endif %}
+{% endif %}
+{% if worker_app == 'frontend_proxy' %}
+worker_main_http_uri: http://localhost:8008
+{% endif %}
				`@@ -0,0 +1 @@`
				`d /run/matrix-synapse 0755 matrix-synapse nogroup - -`