Synapse role

roles/synapse/templates/conf.d/autojoin.yaml.j2

@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+auto_join_rooms:
+{% for room_id in matrix_auto_join_rooms %}
+  - "{{ room_id }}"
+{% endfor %}

roles/synapse/templates/conf.d/database.yaml.j2

@@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+
+database:
+  name: "psycopg2"
+  args:
+    user: "{{ synapse_psql_user }}"
+    password: "{{ synapse_psql_pw }}"
+    database: {{ synapse_psql_db }}
+    host: {{ synapse_psql_host }}
+    cp_min: 2
+    cp_max: 3
+

roles/synapse/templates/conf.d/general.yaml.j2

@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+
+public_baseurl: '{{ matrix_external_url }}'
+admin_contact: '{{ synapse_admin_contact }}'
+max_upload_size: {{ matrix_max_upload_size_mb }}M
+enable_registration: false
+allow_public_rooms_over_federation: true
+registration_shared_secret: '{{ matrix_registration_shared_secret }}'
+enable_group_creation: true
+enable_metrics: {{ synapse_metrics }}
+use_presence: {{ synapse_presence }}
+enable_media_repo: {{ matrix_media_repo_server is not defined and 'media_repository' not in synapse_workers }}
+retention:
+  enabled: true
+experimental_features:
+  msc2716_enabled: true

roles/synapse/templates/conf.d/listeners.yaml.j2

@@ -0,0 +1,33 @@
+# {{ ansible_managed }}
+
+listeners:
+  - port: 8008
+    tls: false
+    type: http
+    x_forwarded: true
+    bind_addresses: ['::1', '127.0.0.1']
+    resources:
+      - names: [client, federation]
+        compress: false
+{% if matrix_extras is defined and synapse_workers is not defined %}
+  - port: 8009
+    tls: false
+    type: http
+    x_forwarded: false
+    bind_addresses: ['::1', '127.0.0.1']
+    resources:
+      - names: [client]
+        compress: false
+{% endif %}
+{% if synapse_metrics %}
+  - port: 9656
+    type: metrics
+    bind_addresses: ['0.0.0.0'] # Don't bind to multiple addresses
+{% endif %}
+{% if synapse_workers is defined %}
+  - port: 9093
+    bind_addresses: ['::1', '127.0.0.1']
+    type: http
+    resources:
+      - names: [replication]
+{% endif %}

roles/synapse/templates/conf.d/modules.yaml.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+modules:
+{% if synapse_shared_secret_auth is defined %}
+  - module: "shared_secret_authenticator.SharedSecretAuthProvider"
+    config:
+      shared_secret: "{{ synapse_shared_secret_auth }}"
+      m_login_password_support_enabled: true # Remove this once this isn't needed anymore
+      com_devture_shared_secret_auth_support_enabled: false # this works around https://github.com/vector-im/element-web/issues/19605
+{% endif %}

roles/synapse/templates/conf.d/password_providers.yaml.j2

@@ -0,0 +1,25 @@
+# {{ ansible_managed }}
+
+password_providers:
+{% if synapse_ldap_servers is defined %}
+  - module: "ldap_auth_provider.LdapAuthProvider"
+    config:
+      enabled: true
+      mode: "search"
+      uri:
+{% for synapse_ldap_server in synapse_ldap_servers %}
+        - {{ synapse_ldap_server }}
+{% endfor %}
+      start_tls: false
+      base: "{{ synapse_ldap_search_base }}"
+      attributes:
+        uid: "uid"
+        name: "{{ synapse_ldap_user_name }}"
+        mail: "mail"
+      filter: "(objectClass=posixAccount)"
+{% if synapse_ldap_bind_dn is defined %}
+      bind_dn: "{{ synapse_ldap_bind_dn }}"
+      bind_password: "{{ synapse_ldap_bind_pw }}"
+{% endif %}
+{% endif %}
+

roles/synapse/templates/conf.d/server_name.yaml.j2

@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+
+server_name: {{ matrix_domain }}

roles/synapse/templates/conf.d/sso.yaml.j2

@@ -0,0 +1,74 @@
+# {{ ansible_managed }}
+
+password_config:
+  enabled: false
+
+{% if synapse_sso_client_whitelist is defined %}
+sso:
+  client_whitelist:
+{% for client in synapse_sso_client_whitelist %}
+    - {{ client }}
+{% endfor %}
+{% endif %}
+
+oidc_providers:
+{% for provider in matrix_openidc_providers %}
+  - idp_id: "{{ provider.idp_id }}"
+    idp_name: "{{ provider.idp_name }}"
+{% if provider.idp_icon is defined %}
+    idp_icon: "{{ provider.idp_icon }}"
+{% endif %}
+{% if provider.idp_brand is defined %}
+    idp_brand: "{{ provider.idp_brand }}"
+{% endif %}
+    discover: {{ provider.discover | default(true) | bool | lower }}
+    issuer: "{{ provider.issuer }}"
+    client_id: "{{ provider.client_id }}"
+{% if provider.client_secret is defined %}
+    client_secret: "{{ provider.client_secret }}"
+{% else %}
+    client_secret_jwt_key: "{{ provider.client_secret_jwt_key }}"
+{% endif %}
+    client_auth_method: "{{ provider.client_auth_method | default('client_secret_basic') }}"
+    scopes: {{ provider.scopes }}
+{% if provider.discover == false %}
+    authorization_endpoint: "{{ provider.authorization_endpoint }}"
+    token_endpoint: "{{ provider.token_endpoint }}"
+{% if provider.userinfo_endpoint is defined %}
+    userinfo_endpoint: "{{ provider.userinfo_endpoint }}"
+{% endif %}
+{% if provider.jwks_uri is defined %}
+    jwks_uri: "{{ provider.jwks_uri }}"
+{% endif %}
+{% endif %}
+{% if provider.skip_verification is defined %}
+    skip_verification: "{{ provider.skip_verification }}"
+{% endif %}
+    user_profile_method: "{{ provider.user_profile_method | default('auto') }}"
+    allow_existing_users: {{ provider.allow_existing_users | default(false) | bool | lower }}
+{% if provider.user_mapping_provider is defined %}
+    user_mapping_provider:
+{% for mapping_provider in provider.user_mapping_provider %}
+        "{{ mapping_provider }}":
+{% if provider.user_mapping_provider[mapping_provider].subject_claim is defined %}
+          subject_claim: "{{ provider.user_mapping_provider[mapping_provider].subject_claim }}"
+{% endif %}
+{% if provider.user_mapping_provider[mapping_provider].localpart_template is defined %}
+          localpart_template: "{{ provider.user_mapping_provider[mapping_provider].localpart_template }}"
+{% endif %}
+{% if provider.user_mapping_provider[mapping_provider].display_name_template is defined %}
+          display_name_template: "{{ provider.user_mapping_provider[mapping_provider].display_name_template }}"
+{% endif %}
+{% if provider.user_mapping_provider[mapping_provider].email_template is defined %}
+          email_template: "{{ provider.user_mapping_provider[mapping_provider].email_template }}"
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if provider.attribute_requirements is defined %}
+    attribute_requirements:
+{% for attribute in provider.attribute_requirements %}
+      - attribute: "{{ attribute }}"
+        value: "{{ attribute.value }}"
+{% endfor %}
+{% endif %}
+{% endfor %}

roles/synapse/templates/conf.d/turn.yaml.j2

@@ -0,0 +1,11 @@
+---
+
+turn_uris:
+  - "turns:{{ turn_domain }}:443?transport=udp"
+  - "turn:{{ turn_domain }}:443?transport=udp"
+  - "turns:{{ turn_domain }}:443?transport=tcp"
+  - "turn:{{ turn_domain }}:443?transport=tcp"
+turn_shared_secret: "{{ turn_secret }}"
+turn_user_lifetime: 1d
+turn_allow_guests: false
+

roles/synapse/templates/conf.d/url_preview.yaml.j2

@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+
+url_preview_enabled: true
+url_preview_ip_range_blacklist:
+  - '127.0.0.0/8'
+  - '10.0.0.0/8'
+  - '172.16.0.0/12'
+  - '192.168.0.0/16'
+  - '100.64.0.0/10'
+  - '169.254.0.0/16'
+  - '::1/128'
+  - 'fe80::/64'
+  - 'fc00::/7'

roles/synapse/templates/conf.d/workers.yaml.j2

@@ -0,0 +1,90 @@
+---
+
+redis:
+  enabled: true
+{% if 'appservice' in synapse_workers %}
+notify_appservices_from_worker: appservice-0
+{% endif %}
+{% if 'pusher' in synapse_workers %}
+start_pushers: false
+{% endif %}
+{% if 'user_dir' in synapse_workers %}
+update_user_directory_from_worker: user_dir-0
+{% endif %}
+
+
+{% if 'event_persister' in synapse_workers or 'typing_persister' in synapse_workers or 'account_persister' in synapse_workers or 'device_persister' in synapse_workers or 'presence_persister' in synapse_workers or 'receipt_persister' in synapse_workers %}
+instance_map:
+
+{% for persister_type in persister_workers %}
+
+{% if persister_type in synapse_workers %}
+{% for port in synapse_workers[persister_type] %}
+  {{ persister_type }}-{{ loop.index0 }}:
+    host: localhost
+    port: {{ port }}
+{% endfor %}
+{% endif %}
+
+{% endfor %}
+
+stream_writers:
+{% if 'event_persister' in synapse_workers %}
+  events:
+{% for port in synapse_workers.event_persister %}
+    - event_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'typing_persister' in synapse_workers %}
+  typing:
+{% for port in synapse_workers.typing_persister %}
+    - typing_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'account_persister' in synapse_workers %}
+  account_data:
+{% for port in synapse_workers.account_persister %}
+    - account_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'device_persister' in synapse_workers %}
+  to_device:
+{% for port in synapse_workers.device_persister %}
+    - device_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'presence_persister' in synapse_workers %}
+  presence:
+{% for port in synapse_workers.presence_persister %}
+    - presence_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% if 'receipt_persister' in synapse_workers %}
+  receipts:
+{% for port in synapse_workers.receipt_persister %}
+    - receipt_persister-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% endif %}
+
+{% if 'background_tasks' in synapse_workers %}
+run_background_tasks_on: background_tasks-0
+{% endif %}
+
+{% if 'federation_sender' in synapse_workers %}
+send_federation: false
+
+{% if synapse_workers.federation_sender|length > 1 %}
+federation_sender_instances:
+{% for port in synapse_workers.federation_sender %}
+  - federation_sender-{{ loop.index0 }}
+{% endfor %}
+{% endif %}
+
+{% endif %}