From b74b49d6e99332421e8347716c2a6d5194f52335 Mon Sep 17 00:00:00 2001
From: uumas
Date: Tue, 19 Nov 2024 20:14:05 +0200
Subject: [PATCH] Add synapse role

---
 roles/synapse/README.md | 2 +
 roles/synapse/defaults/main.yaml | 18 ++++
 roles/synapse/meta/argument_specs.yaml | 87 +++++++++++++++++++
 roles/synapse/tasks/main.yaml | 42 +++++++++
 roles/synapse/templates/homeserver.yaml.j2 | 99 ++++++++++++++++++++++
 roles/synapse/templates/log.yaml.j2 | 24 ++++++
 roles/synapse/vars/main.yaml | 2 +
 7 files changed, 274 insertions(+)
 create mode 100644 roles/synapse/README.md
 create mode 100644 roles/synapse/defaults/main.yaml
 create mode 100644 roles/synapse/meta/argument_specs.yaml
 create mode 100644 roles/synapse/tasks/main.yaml
 create mode 100644 roles/synapse/templates/homeserver.yaml.j2
 create mode 100644 roles/synapse/templates/log.yaml.j2
 create mode 100644 roles/synapse/vars/main.yaml

diff --git a/roles/synapse/README.md b/roles/synapse/README.md
new file mode 100644
index 0000000..f593857
--- /dev/null
+++ b/roles/synapse/README.md
@@ -0,0 +1,2 @@
+Sets up a matrix synapse podman container.
+See https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html for info on configuration options where descriptions are not provided in this documentation.
diff --git a/roles/synapse/defaults/main.yaml b/roles/synapse/defaults/main.yaml
new file mode 100644
index 0000000..9b295fb
--- /dev/null
+++ b/roles/synapse/defaults/main.yaml
@@ -0,0 +1,18 @@
+---
+synapse_postgres_tag: 16-alpine
+
+synapse_trusted_key_servers:
+ - matrix.org
+
+synapse_room_complexity_limit: 0
+synapse_room_complexity_error: ""
+
+synapse_turn_uris: []
+
+synapse_max_upload_size: 50M
+synapse_allow_public_rooms_over_federation: false
+synapse_auto_accept_invites:
+ enabled: false
+synapse_auto_join_rooms: []
+
+synapse_smtp_server: ""
diff --git a/roles/synapse/meta/argument_specs.yaml b/roles/synapse/meta/argument_specs.yaml
new file mode 100644
index 0000000..03bd673
--- /dev/null
+++ b/roles/synapse/meta/argument_specs.yaml
@@ -0,0 +1,87 @@
+---
+argument_specs:
+ main:
+ description:
+ - Sets up a matrix synapse podman container.
+ - >-
+ See https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html for info on configuration options where descriptions are
+ not provided in this documentation.
+ options:
+ synapse_server_name:
+ description: Matrix server name. This can not be changed without a full reset and database wipe. This will be visible to users.
+ type: str
+ required: true
+ synapse_public_base_domain:
+ description:
+ - The public-facing domain that clients use to access synapse, without https://. e.g. matrix.domain.tld
+ - This is used to set the public_baseurl option for synapse (with https:// and trailing / added)
+ type: str
+ required: true
+ synapse_signing_key:
+ description: The homeserver signing key
+ type: str
+ required: true
+ synapse_trusted_key_servers:
+ type: list
+ required: false
+ default:
+ - matrix.org
+ elements: str
+ synapse_remote_room_complexity_limit:
+ description: Sets limit_remote_rooms.complexity value
+ type: float
+ required: false
+ default: 0
+ synapse_room_complexity_error:
+ description: Sets limit_remote_rooms.copmlexity_error value. Required if synapse_remote_room_complexity_level is set.
+ type: str
+ default: ""
+ synapse_turn_uris:
+ type: list
+ required: false
+ default: []
+ elements: str
+ synapse_turn_shared_secret:
+ description: Required if synapse_turn_uris is not empty
+ type: str
+ synapse_email_smtp_server:
+ description: email.smtp_host, set this to enable sending emails
+ type: str
+ required: false
+ default: ""
+ synapse_email_smtp_user:
+ description: Required if synapse_email_smtp_server is set
+ type: str
+ synapse_email_smtp_password:
+ description: Required if synapse_email_smtp_server is set
+ type: str
+ synapse_email_from:
+ description: Required if synapse_email_smtp_server is set
+ type: str
+ synapse_email_app_name:
+ description: Required if synapse_email_smtp_server is set
+ type: str
+ synapse_max_upload_size:
+ type: str
+ required: false
+ default: 50M
+ synapse_allow_public_rooms_over_federation:
+ type: bool
+ required: false
+ default: false
+ synapse_auto_accept_invites:
+ type: dict
+ required: false
+ default:
+ enabled: false
+ synapse_auto_join_rooms:
+ type: list
+ required: false
+ default: []
+ elements: str
+
+ synapse_postgres_tag:
+ description: Postgres tag to use for synapse postgres container
+ type: str
+ required: false
+ default: 16-alpine
diff --git a/roles/synapse/tasks/main.yaml b/roles/synapse/tasks/main.yaml
new file mode 100644
index 0000000..c895b9e
--- /dev/null
+++ b/roles/synapse/tasks/main.yaml
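Review bot: The option keys in this spec do not match the variables the role actually reads: `synapse_remote_room_complexity_limit`, `synapse_email_smtp_server`, `synapse_email_smtp_user` and `synapse_email_smtp_password` are declared here, while defaults/main.yaml, tasks/main.yaml and homeserver.yaml.j2 use `synapse_room_complexity_limit`, `synapse_smtp_server`, `synapse_smtp_user` and `synapse_smtp_password`. As written, the spec validates and documents variables nothing consumes, and the variables that drive the template are undeclared; rename one side so all four files agree. The `synapse_room_complexity_error` description also misspells `complexity_error` as `copmlexity_error` and refers to a `synapse_remote_room_complexity_level` that does not exist anywhere in the role; suggested text: `Sets limit_remote_rooms.complexity_error. Required if synapse_room_complexity_limit is greater than 0.`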
@@ -0,0 +1,42 @@
+---
+- name: Assert complexity error is set if complexity limit is
+ ansible.builtin.assert:
+ that: synapse_room_complexity_limit == 0 or synapse_room_complexity_error | length > 0
+ fail_msg: "synapse_room_complexity_error must be set when synapse_room_complexity_limit is"
+ quiet: true
+- name: Assert turn shared secret is set if turn uris is
+ ansible.builtin.assert:
+ that: synapse_turn_uris | length == 0 or synapse_turn_shared_secret | length > 0
+ fail_msg: "synapse_turn_shared_secret must be set when synapse_turn_uris is"
+ quiet: true
+
+- name: Synapse container
+ ansible.builtin.include_role:
+ name: service
+ vars:
+ service_name: synapse
+ service_container_image: "{{ _synapse_image_name }}"
+ service_database_type: postgres
+ service_postgres_tag: "{{ synapse_postgres_tag }}"
+ service_container_mounts:
+ - type: template
+ source: homeserver.yaml.j2
+ destination: /data/homeserver.yaml
+ - type: template
+ source: log.yaml.j2
+ destination: /data/log.yaml
+ - type: volume
+ source: media
+ destination: /data/media
+ user: "991"
+ group: "991"
+ service_container_secrets:
+ - name: signing-key
+ value: "{{ synapse_signing_key }}"
+ service_container_env:
+ SYNAPSE_SERVER_NAME: "{{ synapse_server_name }}"
+ SYNAPSE_REPORT_STATS: "no"
+ UID: 991
+ GID: 991
+ service_container_http_port: 8008
+ service_domains: "{{ [synapse_public_base_domain] }}"
diff --git a/roles/synapse/templates/homeserver.yaml.j2 b/roles/synapse/templates/homeserver.yaml.j2
new file mode 100644
index 0000000..da7ebeb
--- /dev/null
+++ b/roles/synapse/templates/homeserver.yaml.j2
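Review bot: In the second assert, `synapse_turn_shared_secret | length > 0` fails with an undefined-variable error rather than the intended fail_msg when the secret is simply not defined, because `length` is applied before any default; `that: synapse_turn_uris | length == 0 or synapse_turn_shared_secret | default('') | length > 0` keeps the message meaningful. The email settings have the same conditional dependency (argument_specs marks the SMTP user, password, from-address and app name as required once a server is set) but nothing asserts it, so a half-configured `synapse_smtp_server` only surfaces as an undefined-variable error while rendering homeserver.yaml.j2; a third assert in the same shape closes that gap. Separately, `UID: 991` and `GID: 991` are integers while the sibling env and mount values are strings (`user: "991"`, `SYNAPSE_REPORT_STATS: "no"`); environment values should be strings throughout, `UID: "991"` and `GID: "991"`.

```yaml
- name: Assert smtp credentials are set if smtp server is
  ansible.builtin.assert:
    that:
      - synapse_smtp_server | length == 0 or synapse_smtp_user | default('') | length > 0
      - synapse_smtp_server | length == 0 or synapse_smtp_password | default('') | length > 0
      - synapse_smtp_server | length == 0 or synapse_email_from | default('') | length > 0
      - synapse_smtp_server | length == 0 or synapse_email_app_name | default('') | length > 0
    fail_msg: "synapse_smtp_user, synapse_smtp_password, synapse_email_from and synapse_email_app_name must be set when synapse_smtp_server is"
    quiet: true
# … unchanged: Synapse container include_role task …
```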
@@ -0,0 +1,99 @@
+---
+# vim:ft=yaml
+# {{ ansible_managed }}
+
+signing_key_path: /run/secrets/synapse-signing-key
+media_store_path: /data/media
+log_config: /data/log.yaml
+
+server_name: {{ synapse_server_name }}
+public_baseurl: https://{{ synapse_public_base_domain }}/
+report_stats: false
+
+listeners:
+ - port: 8008
+ tls: false
+ type: http
+ x_forwarded: true
+ resources:
+ - names: [client, federation]
+
+database:
+ name: psycopg2
+ args:
+ host: synapse-postgres
+ user: synapse
+ password: "{{ _service_database_password }}"
+ dbname: synapse
+
+caches:
+ global_factor: 1.0
+
+enable_registration: false
+enable_3pid_changes: false
+ui_auth:
+ session_timeout: 5m
+
+trusted_key_servers:
+{% for server in synapse_trusted_key_servers %}
+ - server_name: {{ server }}
+{% endfor %}
+suppress_key_server_warning: true
+
+max_upload_sixe: "{{ synapse_max_upload_size }}"
+
+{% if synapse_room_complexity_limit > 0 %}
+limit_remote_rooms:
+ enabled: true
+ complexity: {{ synapse_room_complexity_limit }}
+ complexity_error: "{{ synapse_room_complexity_error }}"
+{% endif %}
+
+url_preview_enabled: true
+url_preview_ip_range_blacklist:
+ - '127.0.0.0/8'
+ - '10.0.0.0/8'
+ - '172.16.0.0/12'
+ - '192.168.0.0/16'
+ - '100.64.0.0/10'
+ - '192.0.0.0/24'
+ - '169.254.0.0/16'
+ - '192.88.99.0/24'
+ - '198.18.0.0/15'
+ - '192.0.2.0/24'
+ - '198.51.100.0/24'
+ - '203.0.113.0/24'
+ - '224.0.0.0/4'
+ - '::1/128'
+ - 'fe80::/10'
+ - 'fc00::/7'
+ - '2001:db8::/32'
+ - 'ff00::/8'
+ - 'fec0::/10'
+
+turn_uris: {{ synapse_turn_uris }}
+{% if synapse_turn_uris | length > 0 %}
+turn_shared_secret: {{ synapse_turn_shared_secret }}
+{% endif %}
+turn_user_lifetime: 1d
+turn_allow_guests: false
+
+{% if synapse_smtp_server | length > 0 %}
+email:
+ smtp_host: {{ synapse_smtp_server }}
+ smtp_port: 587
+ smtp_user: {{ synapse_smtp_user }}
+ smtp_pass: {{ synapse_smtp_password }}
+ require_transport_security: true
+
+ notif_from: "{{ synapse_email_from }}"
+ app_name: "{{ synapse_email_app_name }}"
+ enable_notifs: true
+ notif_for_new_users: false
+ notif_delay_before_mail: 1h
+{% endif %}
+
+allow_public_rooms_over_federation: {{ synapse_allow_public_rooms_over_federation }}
+auto_accept_invites: {{ synapse_auto_accept_invites }}
+auto_join_rooms: {{ synapse_auto_join_rooms }}
+autocreate_auto_join_rooms: false
diff --git a/roles/synapse/templates/log.yaml.j2 b/roles/synapse/templates/log.yaml.j2
new file mode 100644
index 0000000..2ef56ee
--- /dev/null
+++ b/roles/synapse/templates/log.yaml.j2
@@ -0,0 +1,24 @@
+# {{ ansible_managed }}
+
+version: 1
+
+formatters:
+ precise:
+ format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
+
+handlers:
+ console:
+ class: logging.StreamHandler
+ formatter: precise
+
+loggers:
+ synapse:
+ level: WARNING
+ synapse.storage.SQL:
+ level: WARNING
+
+root:
+ level: WARNING
+ handlers: [console]
+
+disable_existing_loggers: false
diff --git a/roles/synapse/vars/main.yaml b/roles/synapse/vars/main.yaml
new file mode 100644
index 0000000..0f4511d
--- /dev/null
+++ b/roles/synapse/vars/main.yaml
@@ -0,0 +1,2 @@
+---
+_synapse_image_name: ghcr.io/element-hq/synapse:latest
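Review bot: `max_upload_sixe` is a typo of the Synapse option `max_upload_size`, so the configured limit is never read and the server keeps its built-in default; the line should be `max_upload_size: "{{ synapse_max_upload_size }}"`. Several secrets and operator-supplied scalars are also rendered unquoted (`server_name`, `turn_shared_secret`, `smtp_host`, `smtp_user`, `smtp_pass`), so a value containing `#`, `: ` or a leading YAML indicator is truncated or breaks the parse of the whole homeserver.yaml; `turn_shared_secret: {{ synapse_turn_shared_secret | to_json }}` (and the same filter on the other four) emits a correctly quoted scalar regardless of content. The list and dict variables (`turn_uris`, `auto_accept_invites`, `auto_join_rooms`) are interpolated as Python reprs, which YAML happens to accept for simple values but not for strings containing quotes; `| to_json` is the robust form there as well.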
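Review bot: `_synapse_image_name` references `ghcr.io/element-hq/synapse:latest`, so each run of the role may pull a different Synapse release without any change in the repository, which makes a regression or a bad upstream tag hard to attribute and roll back, and contrasts with `synapse_postgres_tag`, which is exposed as a pinned, overridable default. Add a matching default, `synapse_tag: "<pinned release or @sha256 digest — placeholder>"`, and derive the image from it, `_synapse_image_name: "ghcr.io/element-hq/synapse:{{ synapse_tag }}"`, declaring `synapse_tag` in argument_specs alongside `synapse_postgres_tag`.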