Add synapse role

This commit is contained in:
uumas
2024-11-19 20:14:05 +02:00
parent d7c806bf19
commit b74b49d6e9
7 changed files with 274 additions and 0 deletions

2
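--- a/roles/synapse/README.md
+++ b/roles/synapse/README.md
@@ -0,0 +1,2 @@
+Sets up a matrix synapse podman container.
+See https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html for info on configuration options where descriptions are not provided in this documentation.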


@@ -0,0 +1,18 @@
---
synapse_postgres_tag: 16-alpine
synapse_trusted_key_servers:
- matrix.org
synapse_room_complexity_limit: 0
synapse_room_complexity_error: ""
synapse_turn_uris: []
synapse_max_upload_size: 50M
synapse_allow_public_rooms_over_federation: false
synapse_auto_accept_invites:
enabled: false
synapse_auto_join_rooms: []
synapse_smtp_server: ""


@@ -0,0 +1,87 @@
---
argument_specs:
main:
description:
- Sets up a matrix synapse podman container.
- >-
See https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html for info on configuration options where descriptions are
not provided in this documentation.
options:
synapse_server_name:
description: Matrix server name. This can not be changed without a full reset and database wipe. This will be visible to users.
type: str
required: true
synapse_public_base_domain:
description:
- The public-facing domain that clients use to access synapse, without https://. e.g. matrix.domain.tld
- This is used to set the public_baseurl option for synapse (with https:// and trailing / added)
type: str
required: true
synapse_signing_key:
description: The homeserver signing key
type: str
required: true
synapse_trusted_key_servers:
type: list
required: false
default:
- matrix.org
elements: str
synapse_remote_room_complexity_limit:
description: Sets limit_remote_rooms.complexity value
type: float
required: false
default: 0
synapse_room_complexity_error:
description: Sets limit_remote_rooms.copmlexity_error value. Required if synapse_remote_room_complexity_level is set.
type: str
default: ""
synapse_turn_uris:
type: list
required: false
default: []
elements: str
synapse_turn_shared_secret:
description: Required if synapse_turn_uris is not empty
type: str
synapse_email_smtp_server:
description: email.smtp_host, set this to enable sending emails
type: str
required: false
default: ""
synapse_email_smtp_user:
description: Required if synapse_email_smtp_server is set
type: str
synapse_email_smtp_password:
description: Required if synapse_email_smtp_server is set
type: str
synapse_email_from:
description: Required if synapse_email_smtp_server is set
type: str
synapse_email_app_name:
description: Required if synapse_email_smtp_server is set
type: str
synapse_max_upload_size:
type: str
required: false
default: 50M
synapse_allow_public_rooms_over_federation:
type: bool
required: false
default: false
synapse_auto_accept_invites:
type: dict
required: false
default:
enabled: false
synapse_auto_join_rooms:
type: list
required: false
default: []
elements: str
synapse_postgres_tag:
description: Postgres tag to use for synapse postgres container
type: str
required: false
default: 16-alpine
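Review bot: The option names in this spec do not match the variables the role actually reads: the spec documents `synapse_remote_room_complexity_limit`, while the defaults file and the tasks' assert use `synapse_room_complexity_limit`, and it documents `synapse_email_smtp_server`/`synapse_email_smtp_user`/`synapse_email_smtp_password`, while the homeserver template reads `synapse_smtp_server`/`synapse_smtp_user`/`synapse_smtp_password`. A consumer who configures SMTP as documented here gets email silently left disabled, because the template's guard checks `synapse_smtp_server`, which defaults to an empty string; one who sets `synapse_smtp_server` directly instead hits an undefined `synapse_smtp_user` at render time. Rename the spec entries to `synapse_room_complexity_limit:`, `synapse_smtp_server:`, `synapse_smtp_user:` and `synapse_smtp_password:` (or rename the other files, but keep one name per variable). The complexity error description also contains typos — `copmlexity_error` and `synapse_remote_room_complexity_level` — which should read `complexity_error` and the limit variable's real name.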


@@ -0,0 +1,42 @@
---
- name: Assert complexity error is set if complexity limit is
ansible.builtin.assert:
that: synapse_room_complexity_limit == 0 or synapse_room_complexity_error | length > 0
fail_msg: "synapse_room_complexity_error must be set when synapse_room_complexity_limit is"
quiet: true
- name: Assert turn shared secret is set if turn uris is
ansible.builtin.assert:
that: synapse_turn_uris | length == 0 or synapse_turn_shared_secret | length > 0
fail_msg: "synapse_turn_shared_secret must be set when synapse_turn_uris is"
quiet: true
- name: Synapse container
ansible.builtin.include_role:
name: service
vars:
service_name: synapse
service_container_image: "{{ _synapse_image_name }}"
service_database_type: postgres
service_postgres_tag: "{{ synapse_postgres_tag }}"
service_container_mounts:
- type: template
source: homeserver.yaml.j2
destination: /data/homeserver.yaml
- type: template
source: log.yaml.j2
destination: /data/log.yaml
- type: volume
source: media
destination: /data/media
user: "991"
group: "991"
service_container_secrets:
- name: signing-key
value: "{{ synapse_signing_key }}"
service_container_env:
SYNAPSE_SERVER_NAME: "{{ synapse_server_name }}"
SYNAPSE_REPORT_STATS: "no"
UID: 991
GID: 991
service_container_http_port: 8008
service_domains: "{{ [synapse_public_base_domain] }}"
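Review bot: The second assert applies `| length` to `synapse_turn_shared_secret`, which has no default, so when it is unset Jinja raises an undefined-variable error rather than reaching the assert's fail_msg; guard it with `that: synapse_turn_uris | length == 0 or synapse_turn_shared_secret | default('') | length > 0`. The SMTP values the homeserver template renders (`synapse_smtp_user`, `synapse_smtp_password`, `synapse_email_from`, `synapse_email_app_name`) get no such check at all, even though the argument spec describes them as required once an SMTP server is set, so a missing one only surfaces as a template failure deep inside the `service` role. A third assert in the same shape makes the requirement explicit while keeping the values themselves out of the failure output.

```yaml
- name: Assert email settings are set if smtp server is
  ansible.builtin.assert:
    that:
      - synapse_smtp_server | length == 0 or synapse_smtp_user | default('') | length > 0
      - synapse_smtp_server | length == 0 or synapse_smtp_password | default('') | length > 0
      - synapse_smtp_server | length == 0 or synapse_email_from | default('') | length > 0
      - synapse_smtp_server | length == 0 or synapse_email_app_name | default('') | length > 0
    fail_msg: "synapse_smtp_user, synapse_smtp_password, synapse_email_from and synapse_email_app_name must be set when synapse_smtp_server is"
    quiet: true
# … unchanged: Synapse container include_role …
```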


@@ -0,0 +1,99 @@
---
# vim:ft=yaml
# {{ ansible_managed }}
signing_key_path: /run/secrets/synapse-signing-key
media_store_path: /data/media
log_config: /data/log.yaml
server_name: {{ synapse_server_name }}
public_baseurl: https://{{ synapse_public_base_domain }}/
report_stats: false
listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
resources:
- names: [client, federation]
database:
name: psycopg2
args:
host: synapse-postgres
user: synapse
password: "{{ _service_database_password }}"
dbname: synapse
caches:
global_factor: 1.0
enable_registration: false
enable_3pid_changes: false
ui_auth:
session_timeout: 5m
trusted_key_servers:
{% for server in synapse_trusted_key_servers %}
- server_name: {{ server }}
{% endfor %}
suppress_key_server_warning: true
max_upload_sixe: "{{ synapse_max_upload_size }}"
{% if synapse_room_complexity_limit > 0 %}
limit_remote_rooms:
enabled: true
complexity: {{ synapse_room_complexity_limit }}
complexity_error: "{{ synapse_room_complexity_error }}"
{% endif %}
url_preview_enabled: true
url_preview_ip_range_blacklist:
- '127.0.0.0/8'
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/16'
- '100.64.0.0/10'
- '192.0.0.0/24'
- '169.254.0.0/16'
- '192.88.99.0/24'
- '198.18.0.0/15'
- '192.0.2.0/24'
- '198.51.100.0/24'
- '203.0.113.0/24'
- '224.0.0.0/4'
- '::1/128'
- 'fe80::/10'
- 'fc00::/7'
- '2001:db8::/32'
- 'ff00::/8'
- 'fec0::/10'
turn_uris: {{ synapse_turn_uris }}
{% if synapse_turn_uris | length > 0 %}
turn_shared_secret: {{ synapse_turn_shared_secret }}
{% endif %}
turn_user_lifetime: 1d
turn_allow_guests: false
{% if synapse_smtp_server | length > 0 %}
email:
smtp_host: {{ synapse_smtp_server }}
smtp_port: 587
smtp_user: {{ synapse_smtp_user }}
smtp_pass: {{ synapse_smtp_password }}
require_transport_security: true
notif_from: "{{ synapse_email_from }}"
app_name: "{{ synapse_email_app_name }}"
enable_notifs: true
notif_for_new_users: false
notif_delay_before_mail: 1h
{% endif %}
allow_public_rooms_over_federation: {{ synapse_allow_public_rooms_over_federation }}
auto_accept_invites: {{ synapse_auto_accept_invites }}
auto_join_rooms: {{ synapse_auto_join_rooms }}
autocreate_auto_join_rooms: false
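Review bot: `max_upload_sixe` is a misspelling of Synapse's `max_upload_size` key, so `synapse_max_upload_size` presumably never takes effect and the server stays on its built-in limit; change the line to `max_upload_size: "{{ synapse_max_upload_size }}"`. The TURN and SMTP secrets are also interpolated unquoted (`turn_shared_secret: {{ synapse_turn_shared_secret }}`, `smtp_user`, `smtp_pass`) while the database password further up is quoted, so a secret containing `#`, `: `, a leading YAML indicator, or only digits is truncated, retyped or breaks the file; render them as `turn_shared_secret: {{ synapse_turn_shared_secret | to_json }}` and `smtp_pass: {{ synapse_smtp_password | to_json }}`. The same applies to the list and dict values dropped in via Python repr (`turn_uris`, `auto_accept_invites`, `auto_join_rooms`), which `| to_json` turns into well-defined YAML flow collections. Note that `trusted_key_servers` entries other than matrix.org are written without `verify_keys`, so their keys are presumably trusted on the strength of TLS alone — worth a comment in the template if that is intended.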


@@ -0,0 +1,24 @@
# {{ ansible_managed }}
version: 1
formatters:
precise:
format: '%(asctime)s - %(name)s - %(lineno)d - %(levelname)s - %(request)s - %(message)s'
handlers:
console:
class: logging.StreamHandler
formatter: precise
loggers:
synapse:
level: WARNING
synapse.storage.SQL:
level: WARNING
root:
level: WARNING
handlers: [console]
disable_existing_loggers: false
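Review bot: With both the `synapse` logger and `root` set to `WARNING`, Synapse's per-request access logging — emitted at INFO in the upstream sample log config — is presumably dropped, leaving no record of client IP, user and endpoint for incident response or abuse investigations. Consider `synapse:` `level: INFO` (or a dedicated `synapse.access` logger at INFO with the rest left at WARNING) so the container's journal retains a request trail; the verbosity cost on a console handler under podman is modest. Whichever level is chosen, a comment such as `# WARNING drops request/access logs; raise to INFO if an audit trail is needed` would make the trade-off visible to the next operator.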


@@ -0,0 +1,2 @@
---
_synapse_image_name: ghcr.io/element-hq/synapse:latest
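Review bot: `ghcr.io/element-hq/synapse:latest` is a mutable tag, so each run of the role may pull a different, unreviewed image and a deployment cannot be reproduced or rolled back, while the Postgres side is already parameterised through `synapse_postgres_tag`. Pin to a release tag or, better, an `@sha256:` digest, and expose it the same way, e.g. `_synapse_image_name: "ghcr.io/element-hq/synapse:{{ synapse_image_tag }}"` with a versioned `synapse_image_tag` default in the role's defaults. A digest pin also gives any image-signature or provenance check in the `service` role, if one exists there, something stable to verify against.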