Add host "matrix-media-repo.fedihub.com"

2020-10-24 13:50:58 +05:00 · 2020-10-24 13:50:58 +05:00 · 2961cd194d
parent dd8305c9cc
commit 2961cd194d
20 changed files with 347 additions and 178 deletions
--- a/host_vars/matrix-media-repo.fedihub.com.yml
+++ b/host_vars/matrix-media-repo.fedihub.com.yml
@ -0,0 +1,75 @@
+---
+ansible_become_pass_for:
+  kotovalexarian: !vault |
+    $ANSIBLE_VAULT;1.2;AES256;matrix
+    63326633306530326139353961383364663139396163623235366464356664613462653638633039
+    3939653732613839623434326665303762653265353161610a623461323166626535373833366464
+    61636234666533393433663239356562393232303966663665666231303338323935333163326566
+    3938656465353539640a656363333132626433393239643762666539623839306663646362353030
+    64613464653538613139383461623562613631303766633634393563303861626662306435626434
+    3634366165623565393230343831383430313166346439653766
+
+ansible_become_pass: "{{ ansible_become_pass_for[admin] }}"
+
+common__certbot__cert_name: 'matrix-media-repo.fedihub.com'
+common__certbot__cert_domains:
+  - 'matrix-media-repo.fedihub.com'
+common__certbot__post_hook: 'systemctl is-active nginx.service || systemctl start nginx.service'
+common__certbot__pre_hook: 'systemctl is-active nginx.service && systemctl stop nginx.service || true'
+
+common__nginx__state: install
+common__nginx__remove_default: true
+
+matrix_media_repo__site_host: 'fedihub.com'
+matrix_media_repo__media_host: 'matrix-media-repo.fedihub.com'
+matrix_media_repo__base_url: 'https://matrix.fedihub.com'
+matrix_media_repo__admin_user: '@kotovalexarian:fedihub.com'
+
+matrix_media_repo__ssl_cert: '/etc/letsencrypt/live/matrix-media-repo.fedihub.com/fullchain.pem'
+matrix_media_repo__ssl_key:  '/etc/letsencrypt/live/matrix-media-repo.fedihub.com/privkey.pem'
+
+matrix_media_repo__postgres: !vault |
+  $ANSIBLE_VAULT;1.2;AES256;matrix
+  62356433313435383239316430666234386234626335346239313264346532613232303064333731
+  3833633035363237346537623633303135383162636465300a366637666535353463616665653237
+  34346636333061303033633362356232643334393133363033646635313134366164306461663364
+  3935396239343630340a396463623534613630323833333330633861393063323332613532373565
+  32626463313965323635633034316237663835616464333261626331396136316335636132636265
+  62343935316666656466336438633565316338363665366161643739616534353933373861343938
+  38323533383362623835633230623363666662643264393534306362663535666531326534303636
+  66303133626239633436663137633438326632366234613033396230393262326234356362396336
+  64386664613064323034303039623038633339353362376238633065343364646266633862663232
+  6637313330656465623437393764353466666230666633366238
+
+matrix_media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com'
+matrix_media_repo__s3_bucket: 'fedihub-matrix-media-repo'
+
+matrix_media_repo__s3_access_key: !vault |
+  $ANSIBLE_VAULT;1.2;AES256;matrix
+  35326162306233313937646565623563636538376464643739313462323535393366363262323565
+  3465623639303935623461336230646439663839343331320a663635343239366366623062346630
+  37626332323965383738366532313665383564366132383530613762643836333831393735666438
+  6132393437343464390a336339383439326338646137356634333534636236326438646433353965
+  63376165363038326337346139303961373565346265393836396439656131633263
+
+matrix_media_repo__s3_access_secret: !vault |
+  $ANSIBLE_VAULT;1.2;AES256;matrix
+  36316562306261323138663361353762393736343765346435633631353734663765343638383265
+  3132383663393161306464386336396265363962313764320a653862343933666461666134383434
+  38623661326462303962376535373862303235353131363361633736336231336536633338643233
+  3539663031633038360a316433343432663865393738366633376235653839326232663134303931
+  65363837313464616536333934353062353962363365353831623234363939636333616634323832
+  3466656664353839333966643333336432303435663232646664
+
+common__iptables__drop_by_default: true
+
+common__iptables__v4_filter: |
+  # Allow incoming HTTP, HTTPS.
+  -A INPUT  -p tcp -m multiport --dport 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+  -A OUTPUT -p tcp -m multiport --sport 80,443 -m conntrack --ctstate ESTABLISHED     -j ACCEPT
+
+  # Deny other HTTP, HTTPS.
+  -A INPUT  -p tcp -m multiport --dport 80,443 -j REJECT
+  -A OUTPUT -p tcp -m multiport --sport 80,443 -j REJECT
+
+common__iptables__v6_filter: '{{ common__iptables__v4_filter }}'
--- a/host_vars/matrix.fedihub.com.yml
+++ b/host_vars/matrix.fedihub.com.yml
@ -28,9 +28,10 @@ common__certbot__pre_hook: 'systemctl is-active nginx.service && systemctl stop
 common__nginx__state: install
 common__nginx__remove_default: true

-matrix__site_host: 'fedihub.com'
-matrix__base_host: 'matrix.fedihub.com'
-matrix__web_host:  'element.fedihub.com'
+matrix__site_host:  'fedihub.com'
+matrix__base_host:  'matrix.fedihub.com'
+matrix__media_host: 'matrix-media-repo.fedihub.com'
+matrix__web_host:   'element.fedihub.com'

 matrix__site_url: 'https://fedihub.com'
 matrix__base_url: 'https://matrix.fedihub.com'
@ -107,39 +108,6 @@ matrix__synapse__recaptcha_private_key: !vault |
  64353465313836306238653531383662366637616538666661663063366462323962373337666165
  3231306636303736653330333037393530643931366136326634

-matrix__media_repo__postgres: !vault |
-  $ANSIBLE_VAULT;1.2;AES256;matrix
-  62356433313435383239316430666234386234626335346239313264346532613232303064333731
-  3833633035363237346537623633303135383162636465300a366637666535353463616665653237
-  34346636333061303033633362356232643334393133363033646635313134366164306461663364
-  3935396239343630340a396463623534613630323833333330633861393063323332613532373565
-  32626463313965323635633034316237663835616464333261626331396136316335636132636265
-  62343935316666656466336438633565316338363665366161643739616534353933373861343938
-  38323533383362623835633230623363666662643264393534306362663535666531326534303636
-  66303133626239633436663137633438326632366234613033396230393262326234356362396336
-  64386664613064323034303039623038633339353362376238633065343364646266633862663232
-  6637313330656465623437393764353466666230666633366238
-
-matrix__media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com'
-matrix__media_repo__s3_bucket: 'fedihub-matrix-media-repo'
-
-matrix__media_repo__s3_access_key: !vault |
-  $ANSIBLE_VAULT;1.2;AES256;matrix
-  35326162306233313937646565623563636538376464643739313462323535393366363262323565
-  3465623639303935623461336230646439663839343331320a663635343239366366623062346630
-  37626332323965383738366532313665383564366132383530613762643836333831393735666438
-  6132393437343464390a336339383439326338646137356634333534636236326438646433353965
-  63376165363038326337346139303961373565346265393836396439656131633263
-
-matrix__media_repo__s3_access_secret: !vault |
-  $ANSIBLE_VAULT;1.2;AES256;matrix
-  36316562306261323138663361353762393736343765346435633631353734663765343638383265
-  3132383663393161306464386336396265363962313764320a653862343933666461666134383434
-  38623661326462303962376535373862303235353131363361633736336231336536633338643233
-  3539663031633038360a316433343432663865393738366633376235653839326232663134303931
-  65363837313464616536333934353062353962363365353831623234363939636333616634323832
-  3466656664353839333966643333336432303435663232646664
-
 matrix__static__user_id: '@1:fedihub.com'

 matrix__static__access_token: !vault |
--- a/host_vars/postgres.fedihub.com.yml
+++ b/host_vars/postgres.fedihub.com.yml
@ -32,7 +32,6 @@ postgresql_users:
      3633343834336333650a663062393934663663646561616162386161336364326430346239396361
      36393735656637636165646261643166383464656231393361656634636565643434353163353738
      6134383131623635343166343165633164363766336334386365
-
  - name: matrix_synapse
    password: !vault |
      $ANSIBLE_VAULT;1.2;AES256;postgres
@ -123,19 +122,19 @@ postgresql_hba_entries:
  - type: hostssl
    database: matrix_media_repo
    user: matrix_media_repo
-    address: '188.166.85.61/32'
+    address: '167.172.46.255/32'
    auth_method: md5

  - type: hostssl
    database: matrix_media_repo
    user: matrix_media_repo
-    address: '2a03:b0c0:2:d0::ca1:e001/128'
+    address: '2a03:b0c0:2:f0::187:5001/128'
    auth_method: md5

  - type: hostssl
    database: matrix_media_repo
    user: matrix_media_repo
-    address: '10.110.0.4/32'
+    address: '10.110.0.5/32'
    auth_method: md5

  - type: host
@ -161,17 +160,23 @@ common__iptables__v4_filter: |

  # Allow incoming PostgreSQL from specific hosts.
  # website.fedihub.com (public)
-  -A INPUT  -p tcp --dport 5432 -s 167.71.69.105/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-  -A OUTPUT -p tcp --sport 5432 -d 167.71.69.105/32 -m conntrack --ctstate ESTABLISHED     -j ACCEPT
+  -A INPUT  -p tcp --dport 5432 -s 167.71.69.105/32  -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+  -A OUTPUT -p tcp --sport 5432 -d 167.71.69.105/32  -m conntrack --ctstate ESTABLISHED     -j ACCEPT
  # website.fedihub.com (private)
-  -A INPUT  -p tcp --dport 5432 -s 10.110.0.3/32    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-  -A OUTPUT -p tcp --sport 5432 -d 10.110.0.3/32    -m conntrack --ctstate ESTABLISHED     -j ACCEPT
+  -A INPUT  -p tcp --dport 5432 -s 10.110.0.3/32     -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+  -A OUTPUT -p tcp --sport 5432 -d 10.110.0.3/32     -m conntrack --ctstate ESTABLISHED     -j ACCEPT
  # matrix.fedihub.com (public)
-  -A INPUT  -p tcp --dport 5432 -s 188.166.85.61/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-  -A OUTPUT -p tcp --sport 5432 -d 188.166.85.61/32 -m conntrack --ctstate ESTABLISHED     -j ACCEPT
+  -A INPUT  -p tcp --dport 5432 -s 188.166.85.61/32  -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+  -A OUTPUT -p tcp --sport 5432 -d 188.166.85.61/32  -m conntrack --ctstate ESTABLISHED     -j ACCEPT
  # matrix.fedihub.com (private)
-  -A INPUT  -p tcp --dport 5432 -s 10.110.0.4/32    -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-  -A OUTPUT -p tcp --sport 5432 -d 10.110.0.4/32    -m conntrack --ctstate ESTABLISHED     -j ACCEPT
+  -A INPUT  -p tcp --dport 5432 -s 10.110.0.4/32     -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+  -A OUTPUT -p tcp --sport 5432 -d 10.110.0.4/32     -m conntrack --ctstate ESTABLISHED     -j ACCEPT
+  # matrix-media-repo.fedihub.com (public)
+  -A INPUT  -p tcp --dport 5432 -s 167.172.46.255/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+  -A OUTPUT -p tcp --sport 5432 -d 167.172.46.255/32 -m conntrack --ctstate ESTABLISHED     -j ACCEPT
+  # matrix-media-repo.fedihub.com (private)
+  -A INPUT  -p tcp --dport 5432 -s 10.110.0.5/32     -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+  -A OUTPUT -p tcp --sport 5432 -d 10.110.0.5/32     -m conntrack --ctstate ESTABLISHED     -j ACCEPT

  # Deny other PostgreSQL.
  -A INPUT  -p tcp --dport 5432 -j REJECT
@ -193,6 +198,9 @@ common__iptables__v6_filter: |
  # matrix.fedihub.com
  -A INPUT  -p tcp --dport 5432 -s 2a03:b0c0:2:d0::ca1:e001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  -A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:d0::ca1:e001/128 -m conntrack --ctstate ESTABLISHED     -j ACCEPT
+  # matrix-media-repo.fedihub.com
+  -A INPUT  -p tcp --dport 5432 -s 2a03:b0c0:2:f0::187:5001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
+  -A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:f0::187:5001/128 -m conntrack --ctstate ESTABLISHED     -j ACCEPT

  # Deny other PostgreSQL.
  -A INPUT  -p tcp --dport 5432 -j REJECT
--- a/1
+++ b/1
@ -1,4 +1,5 @@
 matrix.fedihub.com
+matrix-media-repo.fedihub.com
 postgres.fedihub.com
 website.fedihub.com

--- a/playbooks/deploy/matrix-media-repo.yml
+++ b/playbooks/deploy/matrix-media-repo.yml
@ -0,0 +1,11 @@
+---
+- hosts: matrix-media-repo.fedihub.com
+  module_defaults:
+    apt:
+      force_apt_get: true
+      update_cache: true
+      cache_valid_time: 86400
+  roles:
+    - name: kotovalexarian.common
+      tags: common
+    - ../../roles/matrix-media-repo
--- a/playbooks/deploy/site.yml
+++ b/playbooks/deploy/site.yml
@ -2,3 +2,4 @@
 - import_playbook: postgres.yml
 - import_playbook: website.yml
 - import_playbook: matrix.yml
+- import_playbook: matrix-media-repo.yml
--- a/roles/matrix-media-repo/defaults/main.yml
+++ b/roles/matrix-media-repo/defaults/main.yml
@ -0,0 +1,14 @@
+---
+matrix_media_repo__site_host: 'example.com'
+matrix_media_repo__media_host: 'matrix-media-repo.example.com'
+matrix_media_repo__base_url: 'https://matrix.example.com'
+matrix_media_repo__admin_user: '@user:example.com'
+
+matrix_media_repo__ssl_cert: '/etc/letsencrypt/live/matrix.example.com/fullchain.pem'
+matrix_media_repo__ssl_key:  '/etc/letsencrypt/live/matrix.example.com/privkey.pem'
+
+matrix_media_repo__postgres: 'postgres://user:pass@example.com/dbname?sslmode=require'
+matrix_media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com'
+matrix_media_repo__s3_access_key: ''
+matrix_media_repo__s3_access_secret: ''
+matrix_media_repo__s3_bucket: 'example-matrix-media-repo'
--- a/roles/matrix-media-repo/handlers/main.yml
+++ b/roles/matrix-media-repo/handlers/main.yml
@ -0,0 +1,12 @@
+---
+- name: Restart Nginx
+  systemd:
+    name: nginx
+    state: restarted
+
+- name: Load, enable and restart Matrix Media Repo
+  systemd:
+    name: '{{ matrix_media_repo__service }}'
+    daemon_reload: true
+    enabled: true
+    state: restarted
--- a/roles/matrix-media-repo/tasks/main.yml
+++ b/roles/matrix-media-repo/tasks/main.yml
@ -0,0 +1,98 @@
+---
+- name: Install system packages for Matrix Media Repo
+  apt:
+    name:
+      - golang
+      - nginx
+  notify: Load, enable and restart Matrix Media Repo
+
+- name: Create Nginx server configuration
+  template:
+    src: '../templates/matrix-media-repo.conf'
+    dest: '/etc/nginx/sites-available/matrix-media-repo.conf'
+    mode: 'u=rw,g=rw,o=r'
+    owner: root
+    group: root
+  notify: Restart Nginx
+
+- name: Enable Nginx server configuration
+  file:
+    state: link
+    src: '/etc/nginx/sites-available/matrix-media-repo.conf'
+    dest: '/etc/nginx/sites-enabled/matrix-media-repo.conf'
+    owner: root
+    group: root
+  notify: Restart Nginx
+
+- name: Create Matrix Media Repo system group
+  group:
+    name: '{{ matrix_media_repo__group }}'
+    system: true
+  notify: Load, enable and restart Matrix Media Repo
+
+- name: Create Matrix Media Repo system user
+  user:
+    name: '{{ matrix_media_repo__user }}'
+    group: '{{ matrix_media_repo__group }}'
+    system: true
+    create_home: true
+    home: '{{ matrix_media_repo__lib_dir }}'
+  notify: Load, enable and restart Matrix Media Repo
+
+- name: Create Matrix directories
+  file:
+    state: directory
+    path: '{{ item }}'
+    mode: 'u=rwx,g=rwx,o=rx'
+    owner: root
+    group: root
+  with_items:
+    - '{{ matrix__conf_dir }}'
+    - '{{ matrix__opt_dir }}'
+  notify: Load, enable and restart Matrix Media Repo
+
+- name: Create Matrix Media Repo directories
+  file:
+    state: directory
+    path: '{{ item }}'
+    mode: 'u=rwx,g=rwx,o=rx'
+    owner: '{{ matrix_media_repo__user }}'
+    group: '{{ matrix_media_repo__group }}'
+  with_items:
+    - '{{ matrix_media_repo__conf_dir }}'
+    - '{{ matrix_media_repo__opt_dir }}'
+    - '{{ matrix_media_repo__src_dir }}'
+  notify: Load, enable and restart Matrix Media Repo
+
+- name: Create Matrix Media Repo config
+  template:
+    src: '../templates/config.yaml'
+    dest: '{{ matrix_media_repo__conf_file }}'
+    mode: 'u=rw,g=rw,o='
+    owner: '{{ matrix_media_repo__user }}'
+    group: '{{ matrix_media_repo__group }}'
+  notify: Load, enable and restart Matrix Media Repo
+
+- name: Create Matrix Media Repo systemd service
+  template:
+    src: '../templates/matrix-media-repo.service'
+    dest: '{{ matrix_media_repo__service_file }}'
+    mode: 'u=rw,g=rw,o=r'
+    owner: root
+    group: root
+  notify: Load, enable and restart Matrix Media Repo
+
+- name: Get Matrix Media Repo source code
+  become_user: '{{ matrix_media_repo__user }}'
+  git:
+    repo: 'https://github.com/turt2live/matrix-media-repo.git'
+    dest: '{{ matrix_media_repo__src_dir }}'
+    version: 'b73a0082dd22e9ff447950b18e9ca49c73a6d912'
+
+- name: Build Matrix Media Repo source code
+  become_user: '{{ matrix_media_repo__user }}'
+  command:
+    chdir: '{{ matrix_media_repo__src_dir }}'
+    creates: '{{ matrix_media_repo__src_dir }}/bin/media_repo'
+    cmd: '/bin/bash {{ matrix_media_repo__src_dir }}/build.sh'
+  notify: Load, enable and restart Matrix Media Repo
--- a/roles/matrix-media-repo/templates/config.yaml
+++ b/roles/matrix-media-repo/templates/config.yaml
@ -1,7 +1,7 @@
 # General repo configuration
 repo:
  bindAddress: '127.0.0.1'
-  port: {{ matrix__media_repo__port }}
+  port: {{ matrix_media_repo__port }}

  # Where to store the logs, relative to where the repo is started from. Logs will be automatically
  # rotated every day and held for 14 days. To disable the repo logging to files, set this to
@ -33,7 +33,7 @@ federation:
 # user instead. Using the same server is fine, just not the same username and database.
 database:
  # Currently only "postgres" is supported.
-  postgres: "{{ matrix__media_repo__postgres }}"
+  postgres: "{{ matrix_media_repo__postgres }}"

  # The database pooling options
  pool:
@ -51,10 +51,10 @@ homeservers:
  -
    # This should match the server_name of your homeserver, and the Host header
    # provided to the media repo.
-    name: "{{ matrix__site_host }}"
+    name: "{{ matrix_media_repo__site_host }}"

    # The base URL to where the homeserver can actually be reached
-    csApi: "{{ matrix__base_url }}"
+    csApi: "{{ matrix_media_repo__base_url }}"

    # The number of consecutive failures in calling this homeserver before the
    # media repository will start backing off. This defaults to 10 if not given.
@ -118,7 +118,7 @@ accessTokens:
 # See docs/admin.md for information on what these people can do. They must belong to one of the
 # configured homeservers above.
 admins:
-  - "{{ matrix__admin_user }}"
+  - "{{ matrix_media_repo__admin_user }}"

 # Shared secret auth is useful for applications building on top of the media repository, such
 # as a management interface. The `token` provided here is treated as a repository administrator
@ -170,11 +170,11 @@ datastores:
      # before being uploaded to s3 (then the file is deleted). If you aren't concerned about
      # memory usage, set this to an empty string.
      tempPath: ''
-      endpoint: "{{ matrix__media_repo__s3_endpoint }}"
-      accessKeyId: "{{ matrix__media_repo__s3_access_key }}"
-      accessSecret: "{{ matrix__media_repo__s3_access_secret }}"
+      endpoint: "{{ matrix_media_repo__s3_endpoint }}"
+      accessKeyId: "{{ matrix_media_repo__s3_access_key }}"
+      accessSecret: "{{ matrix_media_repo__s3_access_secret }}"
      ssl: true
-      bucketName: "{{ matrix__media_repo__s3_bucket }}"
+      bucketName: "{{ matrix_media_repo__s3_bucket }}"
      # An optional region for where this S3 endpoint is located. Typically not needed, though
      # some providers will need this (like Scaleway). Uncomment to use.
      #region: 'sfo2'
--- a/roles/matrix-media-repo/templates/matrix-media-repo.conf
+++ b/roles/matrix-media-repo/templates/matrix-media-repo.conf
@ -0,0 +1,56 @@
+server {
+  listen 80;
+  listen [::]:80;
+
+  server_name {{ matrix_media_repo__media_host }};
+
+  set $CSP "";
+  set $CSP "${CSP}object-src 'none';";
+  set $CSP "${CSP}frame-src 'none';";
+  set $CSP "${CSP}connect-src 'none';";
+  set $CSP "${CSP}form-action 'none';";
+
+  add_header Content-Security-Policy $CSP always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  add_header X-Content-Type-Options "nosniff" always;
+  add_header X-Frame-Options "SAMEORIGIN" always;
+
+  return 301 https://$host$request_uri;
+}
+
+server {
+  listen 443      ssl;
+  listen [::]:443 ssl;
+
+  server_name {{ matrix_media_repo__media_host }};
+
+  ssl_certificate     {{ matrix_media_repo__ssl_cert }};
+  ssl_certificate_key {{ matrix_media_repo__ssl_key }};
+
+  set $CSP "";
+  set $CSP "${CSP}object-src 'none';";
+  set $CSP "${CSP}frame-src 'none';";
+  set $CSP "${CSP}connect-src 'none';";
+  set $CSP "${CSP}form-action 'none';";
+
+  add_header Content-Security-Policy $CSP always;
+  add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+  add_header X-Content-Type-Options "nosniff" always;
+  add_header X-Frame-Options "SAMEORIGIN" always;
+
+  client_max_body_size 100M;
+
+  location /_matrix/media {
+    proxy_read_timeout 60s;
+    proxy_set_header Host {{ matrix_media_repo__site_host }};
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_pass http://localhost:{{ matrix_media_repo__port }};
+  }
+
+  location / {
+    return 404;
+  }
+}
--- a/roles/matrix-media-repo/templates/matrix-media-repo.service
+++ b/roles/matrix-media-repo/templates/matrix-media-repo.service
@ -0,0 +1,18 @@
+[Unit]
+After=network.target
+Description=Matrix Media Repo
+
+[Service]
+ExecStart={{ matrix_media_repo__src_dir }}/bin/media_repo -config {{ matrix_media_repo__conf_file }}
+Group={{ matrix_media_repo__group }}
+Restart=always
+RestartSec=1
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier={{ matrix_media_repo__service }}
+Type=simple
+User={{ matrix_media_repo__user }}
+WorkingDirectory={{ matrix_media_repo__opt_dir }}
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/matrix-media-repo/vars/main.yml
+++ b/roles/matrix-media-repo/vars/main.yml
@ -0,0 +1,20 @@
+---
+matrix_media_repo__user:    'matrix-media-repo'
+matrix_media_repo__group:   'matrix-media-repo'
+matrix_media_repo__service: 'matrix-media-repo'
+
+matrix_media_repo__port: 8000
+
+matrix__conf_dir: '/etc/matrix'
+matrix__opt_dir:  '/opt/matrix'
+matrix__lib_dir:  '/var/lib/matrix'
+
+matrix_media_repo__conf_dir: '{{ matrix__conf_dir }}/media_repo'
+matrix_media_repo__opt_dir:  '{{ matrix__opt_dir  }}/media_repo'
+matrix_media_repo__lib_dir:  '{{ matrix__lib_dir  }}/media_repo'
+
+matrix_media_repo__conf_file:    '{{ matrix_media_repo__conf_dir }}/config.yaml'
+matrix_media_repo__archive_file: '{{ matrix_media_repo__opt_dir  }}/src.tar.gz'
+matrix_media_repo__src_dir:      '{{ matrix_media_repo__opt_dir  }}/src'
+
+matrix_media_repo__service_file: '/etc/systemd/system/{{ matrix_media_repo__service }}.service'
--- a/roles/matrix/defaults/main.yml
+++ b/roles/matrix/defaults/main.yml
@ -1,7 +1,8 @@
 ---
-matrix__site_host: 'example.com'
-matrix__base_host: 'matrix.example.com'
-matrix__web_host:  'element.example.com'
+matrix__site_host:  'example.com'
+matrix__base_host:  'matrix.example.com'
+matrix__media_host: 'matrix-media-repo.example.com'
+matrix__web_host:   'element.example.com'

 matrix__site_url: 'https://example.com'
 matrix__base_url: 'https://matrix.example.com'
@ -31,11 +32,5 @@ matrix__synapse__form_secret:     ''
 matrix__synapse__recaptcha_public_key:  ''
 matrix__synapse__recaptcha_private_key: ''

-matrix__media_repo__postgres: 'postgres://user:pass@example.com/dbname?sslmode=require'
-matrix__media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com'
-matrix__media_repo__s3_access_key: ''
-matrix__media_repo__s3_access_secret: ''
-matrix__media_repo__s3_bucket: 'example-matrix-media-repo'
-
 matrix__static__user_id: ''
 matrix__static__access_token: ''
--- a/roles/matrix/handlers/main.yml
+++ b/roles/matrix/handlers/main.yml
@ -11,13 +11,6 @@
    enabled: true
    state: restarted

- name: Load, enable and restart Matrix Media Repo
-  systemd:
-    name: '{{ matrix__media_repo__service }}'
-    daemon_reload: true
-    enabled: true
-    state: restarted
-
 - name: Load, enable and restart Matrix Static
  systemd:
    name: '{{ matrix__static__service }}'
--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
@ -8,9 +8,6 @@
 - include_tasks: synapse.yml
 - meta: flush_handlers

- include_tasks: media_repo.yml
- meta: flush_handlers
-
 - include_tasks: static.yml
 - meta: flush_handlers

--- a/roles/matrix/tasks/media_repo.yml
+++ b/roles/matrix/tasks/media_repo.yml
@ -1,66 +0,0 @@
---
- name: Install system packages for Matrix Media Repo
-  apt:
-    name: golang
-  notify: Load, enable and restart Matrix Media Repo
-
- name: Create Matrix Media Repo system group
-  group:
-    name: '{{ matrix__media_repo__group }}'
-    system: true
-  notify: Load, enable and restart Matrix Media Repo
-
- name: Create Matrix Media Repo system user
-  user:
-    name: '{{ matrix__media_repo__user }}'
-    group: '{{ matrix__media_repo__group }}'
-    system: true
-    create_home: true
-    home: '{{ matrix__media_repo__lib_dir }}'
-  notify: Load, enable and restart Matrix Media Repo
-
- name: Create Matrix Media Repo directories
-  file:
-    state: directory
-    path: '{{ item }}'
-    mode: 'u=rwx,g=rwx,o=rx'
-    owner: '{{ matrix__media_repo__user }}'
-    group: '{{ matrix__media_repo__group }}'
-  with_items:
-    - '{{ matrix__media_repo__conf_dir }}'
-    - '{{ matrix__media_repo__opt_dir }}'
-    - '{{ matrix__media_repo__src_dir }}'
-  notify: Load, enable and restart Matrix Media Repo
-
- name: Create Matrix Media Repo config
-  template:
-    src: '../templates/media_repo/config.yaml'
-    dest: '{{ matrix__media_repo__conf_file }}'
-    mode: 'u=rw,g=rw,o='
-    owner: '{{ matrix__media_repo__user }}'
-    group: '{{ matrix__media_repo__group }}'
-  notify: Load, enable and restart Matrix Media Repo
-
- name: Create Matrix Media Repo systemd service
-  template:
-    src: '../templates/media_repo/matrix-media-repo.service'
-    dest: '{{ matrix__media_repo__service_file }}'
-    mode: 'u=rw,g=rw,o=r'
-    owner: root
-    group: root
-  notify: Load, enable and restart Matrix Media Repo
-
- name: Get Matrix Media Repo source code
-  become_user: '{{ matrix__media_repo__user }}'
-  git:
-    repo: 'https://github.com/turt2live/matrix-media-repo.git'
-    dest: '{{ matrix__media_repo__src_dir }}'
-    version: 'b73a0082dd22e9ff447950b18e9ca49c73a6d912'
-
- name: Build Matrix Media Repo source code
-  become_user: '{{ matrix__media_repo__user }}'
-  command:
-    chdir: '{{ matrix__media_repo__src_dir }}'
-    creates: '{{ matrix__media_repo__src_dir }}/bin/media_repo'
-    cmd: '/bin/bash {{ matrix__media_repo__src_dir }}/build.sh'
-  notify: Load, enable and restart Matrix Media Repo
--- a/roles/matrix/templates/media_repo/matrix-media-repo.service
+++ b/roles/matrix/templates/media_repo/matrix-media-repo.service
@ -1,18 +0,0 @@
-[Unit]
-After=network.target
-Description=Matrix Media Repo
-
-[Service]
-ExecStart={{ matrix__media_repo__src_dir }}/bin/media_repo -config {{ matrix__media_repo__conf_file }}
-Group={{ matrix__media_repo__group }}
-Restart=always
-RestartSec=1
-StandardOutput=syslog
-StandardError=syslog
-SyslogIdentifier={{ matrix__media_repo__service }}
-Type=simple
-User={{ matrix__media_repo__user }}
-WorkingDirectory={{ matrix__media_repo__opt_dir }}
-
-[Install]
-WantedBy=multi-user.target
--- a/roles/matrix/templates/nginx/matrix.conf
+++ b/roles/matrix/templates/nginx/matrix.conf
@ -82,7 +82,7 @@ server {
    proxy_set_header Host {{ matrix__site_host }};
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_pass http://localhost:{{ matrix__media_repo__port }};
+    proxy_pass https://{{ matrix__media_host }};
  }

  location /_matrix {
@ -128,7 +128,7 @@ server {
    proxy_set_header Host {{ matrix__site_host }};
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
-    proxy_pass http://localhost:{{ matrix__media_repo__port }};
+    proxy_pass https://{{ matrix__media_host }};
  }

  location / {
--- a/roles/matrix/vars/main.yml
+++ b/roles/matrix/vars/main.yml
@ -3,16 +3,11 @@ matrix__synapse__user:    'matrix-synapse'
 matrix__synapse__group:   'matrix-synapse'
 matrix__synapse__service: 'matrix-synapse'

-matrix__media_repo__user:    'matrix-media-repo'
-matrix__media_repo__group:   'matrix-media-repo'
-matrix__media_repo__service: 'matrix-media-repo'
-
 matrix__static__user:    'matrix-static'
 matrix__static__group:   'matrix-static'
 matrix__static__service: 'matrix-static'

 matrix__synapse__port:    8001
-matrix__media_repo__port: 8002
 matrix__static__port:     8003

 matrix__conf_dir: '/etc/matrix'
@ -25,10 +20,6 @@ matrix__synapse__opt_dir:  '{{ matrix__opt_dir  }}/synapse'
 matrix__synapse__lib_dir:  '{{ matrix__lib_dir  }}/synapse'
 matrix__synapse__run_dir:  '{{ matrix__run_dir  }}/synapse'

-matrix__media_repo__conf_dir: '{{ matrix__conf_dir }}/media_repo'
-matrix__media_repo__opt_dir:  '{{ matrix__opt_dir  }}/media_repo'
-matrix__media_repo__lib_dir:  '{{ matrix__lib_dir  }}/media_repo'
-
 matrix__static__conf_dir: '{{ matrix__conf_dir }}/static'
 matrix__static__opt_dir:  '{{ matrix__opt_dir  }}/static'

@ -42,10 +33,6 @@ matrix__synapse__media_dir:     '{{ matrix__synapse__lib_dir  }}/media_store'
 matrix__synapse__db_file:       '{{ matrix__synapse__lib_dir  }}/homeserver.db'
 matrix__synapse__pid_file:      '{{ matrix__synapse__run_dir  }}/homeserver.pid'

-matrix__media_repo__conf_file:    '{{ matrix__media_repo__conf_dir }}/config.yaml'
-matrix__media_repo__archive_file: '{{ matrix__media_repo__opt_dir  }}/src.tar.gz'
-matrix__media_repo__src_dir:      '{{ matrix__media_repo__opt_dir  }}/src'
-
 matrix__static__conf_file:    '{{ matrix__static__conf_dir }}/config.json'
 matrix__static__archive_file: '{{ matrix__static__opt_dir  }}/src.tar.gz'
 matrix__static__src_dir:      '{{ matrix__static__opt_dir  }}/src'
@ -55,9 +42,8 @@ matrix__element__archive_file: '{{ matrix__element__opt_dir }}/src.tar.gz'
 matrix__element__src_dir:      '{{ matrix__element__opt_dir }}/src'
 matrix__element__conf_file:    '{{ matrix__element__src_dir }}/config.json'

-matrix__synapse__service_file:    '/etc/systemd/system/{{ matrix__synapse__service    }}.service'
-matrix__media_repo__service_file: '/etc/systemd/system/{{ matrix__media_repo__service }}.service'
-matrix__static__service_file:     '/etc/systemd/system/{{ matrix__static__service     }}.service'
+matrix__synapse__service_file: '/etc/systemd/system/{{ matrix__synapse__service    }}.service'
+matrix__static__service_file:  '/etc/systemd/system/{{ matrix__static__service     }}.service'

 matrix__static__url:  'https://github.com/matrix-org/matrix-static/archive/0.3.0.tar.gz'
 matrix__element__url: 'https://github.com/vector-im/riot-web/releases/download/v1.7.1/riot-v1.7.1.tar.gz'