diff --git a/host_vars/matrix-media-repo.fedihub.com.yml b/host_vars/matrix-media-repo.fedihub.com.yml new file mode 100644 index 0000000..ddce463 --- /dev/null +++ b/host_vars/matrix-media-repo.fedihub.com.yml 
@@ -0,0 +1,75 @@ +--- +ansible_become_pass_for: + kotovalexarian: !vault | + $ANSIBLE_VAULT;1.2;AES256;matrix + 63326633306530326139353961383364663139396163623235366464356664613462653638633039 + 3939653732613839623434326665303762653265353161610a623461323166626535373833366464 + 61636234666533393433663239356562393232303966663665666231303338323935333163326566 + 3938656465353539640a656363333132626433393239643762666539623839306663646362353030 + 64613464653538613139383461623562613631303766633634393563303861626662306435626434 + 3634366165623565393230343831383430313166346439653766 + +ansible_become_pass: "{{ ansible_become_pass_for[admin] }}" + +common__certbot__cert_name: 'matrix-media-repo.fedihub.com' +common__certbot__cert_domains: + - 'matrix-media-repo.fedihub.com' +common__certbot__post_hook: 'systemctl is-active nginx.service || systemctl start nginx.service' +common__certbot__pre_hook: 'systemctl is-active nginx.service && systemctl stop nginx.service || true' + +common__nginx__state: install +common__nginx__remove_default: true + +matrix_media_repo__site_host: 'fedihub.com' +matrix_media_repo__media_host: 'matrix-media-repo.fedihub.com' +matrix_media_repo__base_url: 'https://matrix.fedihub.com' +matrix_media_repo__admin_user: '@kotovalexarian:fedihub.com' + +matrix_media_repo__ssl_cert: '/etc/letsencrypt/live/matrix-media-repo.fedihub.com/fullchain.pem' +matrix_media_repo__ssl_key: '/etc/letsencrypt/live/matrix-media-repo.fedihub.com/privkey.pem' + +matrix_media_repo__postgres: !vault | + $ANSIBLE_VAULT;1.2;AES256;matrix + 62356433313435383239316430666234386234626335346239313264346532613232303064333731 + 3833633035363237346537623633303135383162636465300a366637666535353463616665653237 + 34346636333061303033633362356232643334393133363033646635313134366164306461663364 + 3935396239343630340a396463623534613630323833333330633861393063323332613532373565 + 32626463313965323635633034316237663835616464333261626331396136316335636132636265 + 
62343935316666656466336438633565316338363665366161643739616534353933373861343938 + 38323533383362623835633230623363666662643264393534306362663535666531326534303636 + 66303133626239633436663137633438326632366234613033396230393262326234356362396336 + 64386664613064323034303039623038633339353362376238633065343364646266633862663232 + 6637313330656465623437393764353466666230666633366238 + +matrix_media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com' +matrix_media_repo__s3_bucket: 'fedihub-matrix-media-repo' + +matrix_media_repo__s3_access_key: !vault | + $ANSIBLE_VAULT;1.2;AES256;matrix + 35326162306233313937646565623563636538376464643739313462323535393366363262323565 + 3465623639303935623461336230646439663839343331320a663635343239366366623062346630 + 37626332323965383738366532313665383564366132383530613762643836333831393735666438 + 6132393437343464390a336339383439326338646137356634333534636236326438646433353965 + 63376165363038326337346139303961373565346265393836396439656131633263 + +matrix_media_repo__s3_access_secret: !vault | + $ANSIBLE_VAULT;1.2;AES256;matrix + 36316562306261323138663361353762393736343765346435633631353734663765343638383265 + 3132383663393161306464386336396265363962313764320a653862343933666461666134383434 + 38623661326462303962376535373862303235353131363361633736336231336536633338643233 + 3539663031633038360a316433343432663865393738366633376235653839326232663134303931 + 65363837313464616536333934353062353962363365353831623234363939636333616634323832 + 3466656664353839333966643333336432303435663232646664 + +common__iptables__drop_by_default: true + +common__iptables__v4_filter: | + # Allow incoming HTTP, HTTPS. + -A INPUT -p tcp -m multiport --dport 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + -A OUTPUT -p tcp -m multiport --sport 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT + + # Deny other HTTP, HTTPS. 
+ -A INPUT -p tcp -m multiport --dport 80,443 -j REJECT + -A OUTPUT -p tcp -m multiport --sport 80,443 -j REJECT + +common__iptables__v6_filter: '{{ common__iptables__v4_filter }}' diff --git a/host_vars/matrix.fedihub.com.yml b/host_vars/matrix.fedihub.com.yml index 8521aea..95f4ed0 100644 --- a/host_vars/matrix.fedihub.com.yml +++ b/host_vars/matrix.fedihub.com.yml @@ -28,9 +28,10 @@ common__certbot__pre_hook: 'systemctl is-active nginx.service && systemctl stop common__nginx__state: install common__nginx__remove_default: true -matrix__site_host: 'fedihub.com' -matrix__base_host: 'matrix.fedihub.com' -matrix__web_host: 'element.fedihub.com' +matrix__site_host: 'fedihub.com' +matrix__base_host: 'matrix.fedihub.com' +matrix__media_host: 'matrix-media-repo.fedihub.com' +matrix__web_host: 'element.fedihub.com' matrix__site_url: 'https://fedihub.com' matrix__base_url: 'https://matrix.fedihub.com' 
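Review bot: The `matrix_media_repo__postgres`, `matrix_media_repo__s3_access_key` and `matrix_media_repo__s3_access_secret` vault blobs in this new host file are byte-identical to the ones removed from host_vars/matrix.fedihub.com.yml, so the same database password and S3 key pair are being handed to a second host instead of rotated. The old host rendered those values in cleartext into `/etc/matrix/media_repo/config.yaml` (per the deleted role tasks) and nothing in this commit removes that file, so the credentials now live on a machine that the pg_hba/iptables changes no longer authorise. Rotate the `matrix_media_repo` PostgreSQL password and the S3 access key as part of this move and re-vault the new values. The DSN is encrypted so I cannot confirm it, but since the connection now crosses hosts it should carry `sslmode=verify-full` (the role default only has `sslmode=require`, which does not authenticate the server).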
@@ -107,39 +108,6 @@ matrix__synapse__recaptcha_private_key: !vault | 64353465313836306238653531383662366637616538666661663063366462323962373337666165 3231306636303736653330333037393530643931366136326634 -matrix__media_repo__postgres: !vault | - $ANSIBLE_VAULT;1.2;AES256;matrix - 62356433313435383239316430666234386234626335346239313264346532613232303064333731 - 3833633035363237346537623633303135383162636465300a366637666535353463616665653237 - 34346636333061303033633362356232643334393133363033646635313134366164306461663364 - 3935396239343630340a396463623534613630323833333330633861393063323332613532373565 - 32626463313965323635633034316237663835616464333261626331396136316335636132636265 - 62343935316666656466336438633565316338363665366161643739616534353933373861343938 - 38323533383362623835633230623363666662643264393534306362663535666531326534303636 - 66303133626239633436663137633438326632366234613033396230393262326234356362396336 - 64386664613064323034303039623038633339353362376238633065343364646266633862663232 - 6637313330656465623437393764353466666230666633366238 - -matrix__media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com' -matrix__media_repo__s3_bucket: 'fedihub-matrix-media-repo' - -matrix__media_repo__s3_access_key: !vault | - $ANSIBLE_VAULT;1.2;AES256;matrix - 35326162306233313937646565623563636538376464643739313462323535393366363262323565 - 3465623639303935623461336230646439663839343331320a663635343239366366623062346630 - 37626332323965383738366532313665383564366132383530613762643836333831393735666438 - 6132393437343464390a336339383439326338646137356634333534636236326438646433353965 - 63376165363038326337346139303961373565346265393836396439656131633263 - -matrix__media_repo__s3_access_secret: !vault | - $ANSIBLE_VAULT;1.2;AES256;matrix - 36316562306261323138663361353762393736343765346435633631353734663765343638383265 - 3132383663393161306464386336396265363962313764320a653862343933666461666134383434 - 
38623661326462303962376535373862303235353131363361633736336231336536633338643233 - 3539663031633038360a316433343432663865393738366633376235653839326232663134303931 - 65363837313464616536333934353062353962363365353831623234363939636333616634323832 - 3466656664353839333966643333336432303435663232646664 - matrix__static__user_id: '@1:fedihub.com' matrix__static__access_token: !vault | diff --git a/host_vars/postgres.fedihub.com.yml b/host_vars/postgres.fedihub.com.yml index 0465cbd..9285a8f 100644 --- a/host_vars/postgres.fedihub.com.yml +++ b/host_vars/postgres.fedihub.com.yml @@ -32,7 +32,6 @@ postgresql_users: 3633343834336333650a663062393934663663646561616162386161336364326430346239396361 36393735656637636165646261643166383464656231393361656634636565643434353163353738 6134383131623635343166343165633164363766336334386365 - - name: matrix_synapse password: !vault | $ANSIBLE_VAULT;1.2;AES256;postgres @@ -123,19 +122,19 @@ postgresql_hba_entries: - type: hostssl database: matrix_media_repo user: matrix_media_repo - address: '188.166.85.61/32' + address: '167.172.46.255/32' auth_method: md5 - type: hostssl database: matrix_media_repo user: matrix_media_repo - address: '2a03:b0c0:2:d0::ca1:e001/128' + address: '2a03:b0c0:2:f0::187:5001/128' auth_method: md5 - type: hostssl database: matrix_media_repo user: matrix_media_repo - address: '10.110.0.4/32' + address: '10.110.0.5/32' auth_method: md5 - type: host 
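Review bot: The three `matrix_media_repo` pg_hba entries keep `auth_method: md5` and only swap the address; since the role password has to be reissued to a new host anyway, this is the cheap moment to switch them to `auth_method: scram-sha-256`, which needs `password_encryption = scram-sha-256` on the server and a fresh `ALTER ROLE matrix_media_repo PASSWORD ...` so the stored verifier is SCRAM. PostgreSQL's md5 scheme stores `md5(password || username)`, which is password-equivalent if `pg_authid` ever leaks. I am assuming the Go PostgreSQL driver used by the pinned matrix-media-repo commit supports SCRAM (lib/pq and pgx have for years); verify before flipping. `hostssl` is already required here, which is good, but it only forces TLS on the wire — the client's DSN still needs `sslmode=verify-full` to authenticate the server across the public 167.172.46.255 path.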
@@ -161,17 +160,23 @@ common__iptables__v4_filter: | # Allow incoming PostgreSQL from specific hosts. # website.fedihub.com (public) - -A INPUT -p tcp --dport 5432 -s 167.71.69.105/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT - -A OUTPUT -p tcp --sport 5432 -d 167.71.69.105/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT + -A INPUT -p tcp --dport 5432 -s 167.71.69.105/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + -A OUTPUT -p tcp --sport 5432 -d 167.71.69.105/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT # website.fedihub.com (private) - -A INPUT -p tcp --dport 5432 -s 10.110.0.3/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT - -A OUTPUT -p tcp --sport 5432 -d 10.110.0.3/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT + -A INPUT -p tcp --dport 5432 -s 10.110.0.3/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + -A OUTPUT -p tcp --sport 5432 -d 10.110.0.3/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT # matrix.fedihub.com (public) - -A INPUT -p tcp --dport 5432 -s 188.166.85.61/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT - -A OUTPUT -p tcp --sport 5432 -d 188.166.85.61/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT + -A INPUT -p tcp --dport 5432 -s 188.166.85.61/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + -A OUTPUT -p tcp --sport 5432 -d 188.166.85.61/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT # matrix.fedihub.com (private) - -A INPUT -p tcp --dport 5432 -s 10.110.0.4/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT - -A OUTPUT -p tcp --sport 5432 -d 10.110.0.4/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT + -A INPUT -p tcp --dport 5432 -s 10.110.0.4/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + -A OUTPUT -p tcp --sport 5432 -d 10.110.0.4/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT + # matrix-media-repo.fedihub.com (public) + -A INPUT -p tcp --dport 5432 -s 167.172.46.255/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + -A OUTPUT -p tcp --sport 5432 -d 167.172.46.255/32 -m conntrack --ctstate 
ESTABLISHED -j ACCEPT + # matrix-media-repo.fedihub.com (private) + -A INPUT -p tcp --dport 5432 -s 10.110.0.5/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + -A OUTPUT -p tcp --sport 5432 -d 10.110.0.5/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT # Deny other PostgreSQL. -A INPUT -p tcp --dport 5432 -j REJECT @@ -193,6 +198,9 @@ common__iptables__v6_filter: | # matrix.fedihub.com -A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:d0::ca1:e001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT -A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:d0::ca1:e001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT + # matrix-media-repo.fedihub.com + -A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:f0::187:5001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT + -A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:f0::187:5001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT # Deny other PostgreSQL. -A INPUT -p tcp --dport 5432 -j REJECT diff --git a/hosts b/hosts index d8f57eb..2e6463a 100644 --- a/hosts +++ b/hosts @@ -1,4 +1,5 @@ matrix.fedihub.com +matrix-media-repo.fedihub.com postgres.fedihub.com website.fedihub.com diff --git a/playbooks/deploy/matrix-media-repo.yml b/playbooks/deploy/matrix-media-repo.yml new file mode 100644 index 0000000..2e05ec0 --- /dev/null +++ b/playbooks/deploy/matrix-media-repo.yml @@ -0,0 +1,11 @@ +--- +- hosts: matrix-media-repo.fedihub.com + module_defaults: + apt: + force_apt_get: true + update_cache: true + cache_valid_time: 86400 + roles: + - name: kotovalexarian.common + tags: common + - ../../roles/matrix-media-repo diff --git a/playbooks/deploy/site.yml b/playbooks/deploy/site.yml index 0f74324..0a46d8c 100644 --- a/playbooks/deploy/site.yml +++ b/playbooks/deploy/site.yml @@ -2,3 +2,4 @@ - import_playbook: postgres.yml - import_playbook: website.yml - import_playbook: matrix.yml +- import_playbook: matrix-media-repo.yml 
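Review bot: The new matrix-media-repo rules open 5432 from both the public address `167.172.46.255/32` and the private `10.110.0.5/32`, mirroring the existing pattern; with a private network available, consider keeping only the private rule (and the matching pg_hba entry) so database traffic never has a public path — `hostssl` protects confidentiality, but a publicly reachable listener still exposes the auth exchange to whoever spoofs or later inherits that address. The same IP literals are now repeated in pg_hba, the v4 filter and the v6 filter with no shared variable, so a future address change must be made in three places; a host_vars list such as `matrix_media_repo__db_client_addresses` referenced from all three would stop them drifting. The filter blocks continue outside the visible hunk lines.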
diff --git a/roles/matrix-media-repo/defaults/main.yml b/roles/matrix-media-repo/defaults/main.yml
new file mode 100644
index 0000000..8dbd029
--- /dev/null
+++ b/roles/matrix-media-repo/defaults/main.yml
@@ -0,0 +1,14 @@
+---
+matrix_media_repo__site_host: 'example.com'
+matrix_media_repo__media_host: 'matrix-media-repo.example.com'
+matrix_media_repo__base_url: 'https://matrix.example.com'
+matrix_media_repo__admin_user: '@user:example.com'
+
+matrix_media_repo__ssl_cert: '/etc/letsencrypt/live/matrix.example.com/fullchain.pem'
+matrix_media_repo__ssl_key: '/etc/letsencrypt/live/matrix.example.com/privkey.pem'
+
+matrix_media_repo__postgres: 'postgres://user:pass@example.com/dbname?sslmode=require'
+matrix_media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com'
+matrix_media_repo__s3_access_key: ''
+matrix_media_repo__s3_access_secret: ''
+matrix_media_repo__s3_bucket: 'example-matrix-media-repo'
diff --git a/roles/matrix-media-repo/handlers/main.yml b/roles/matrix-media-repo/handlers/main.yml
new file mode 100644
index 0000000..849f96d
--- /dev/null
+++ b/roles/matrix-media-repo/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+- name: Restart Nginx
+ systemd:
+ name: nginx
+ state: restarted
+
+- name: Load, enable and restart Matrix Media Repo
+ systemd:
+ name: '{{ matrix_media_repo__service }}'
+ daemon_reload: true
+ enabled: true
+ state: restarted
diff --git a/roles/matrix-media-repo/tasks/main.yml b/roles/matrix-media-repo/tasks/main.yml
new file mode 100644
index 0000000..bba60f8
--- /dev/null
+++ b/roles/matrix-media-repo/tasks/main.yml
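Review bot: The defaults are internally inconsistent: `matrix_media_repo__media_host` defaults to `matrix-media-repo.example.com` while `matrix_media_repo__ssl_cert` and `__ssl_key` default to `/etc/letsencrypt/live/matrix.example.com/...`, so an operator who overrides only the host gets a vhost that presents the wrong certificate or fails to start. Derive them from the host instead: `matrix_media_repo__ssl_cert: '/etc/letsencrypt/live/{{ matrix_media_repo__media_host }}/fullchain.pem'` and likewise for the key. The placeholder DSN `postgres://user:pass@example.com/dbname?sslmode=require` is a valid-looking connection string that would be rendered straight into config.yaml if the host_vars override is missing; an empty default plus an `assert` in tasks (`that: matrix_media_repo__postgres != ''`, and the same for the S3 key pair) fails early and loudly instead.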
@@ -0,0 +1,98 @@ +--- +- name: Install system packages for Matrix Media Repo + apt: + name: + - golang + - nginx + notify: Load, enable and restart Matrix Media Repo + +- name: Create Nginx server configuration + template: + src: '../templates/matrix-media-repo.conf' + dest: '/etc/nginx/sites-available/matrix-media-repo.conf' + mode: 'u=rw,g=rw,o=r' + owner: root + group: root + notify: Restart Nginx + +- name: Enable Nginx server configuration + file: + state: link + src: '/etc/nginx/sites-available/matrix-media-repo.conf' + dest: '/etc/nginx/sites-enabled/matrix-media-repo.conf' + owner: root + group: root + notify: Restart Nginx + +- name: Create Matrix Media Repo system group + group: + name: '{{ matrix_media_repo__group }}' + system: true + notify: Load, enable and restart Matrix Media Repo + +- name: Create Matrix Media Repo system user + user: + name: '{{ matrix_media_repo__user }}' + group: '{{ matrix_media_repo__group }}' + system: true + create_home: true + home: '{{ matrix_media_repo__lib_dir }}' + notify: Load, enable and restart Matrix Media Repo + +- name: Create Matrix directories + file: + state: directory + path: '{{ item }}' + mode: 'u=rwx,g=rwx,o=rx' + owner: root + group: root + with_items: + - '{{ matrix__conf_dir }}' + - '{{ matrix__opt_dir }}' + notify: Load, enable and restart Matrix Media Repo + +- name: Create Matrix Media Repo directories + file: + state: directory + path: '{{ item }}' + mode: 'u=rwx,g=rwx,o=rx' + owner: '{{ matrix_media_repo__user }}' + group: '{{ matrix_media_repo__group }}' + with_items: + - '{{ matrix_media_repo__conf_dir }}' + - '{{ matrix_media_repo__opt_dir }}' + - '{{ matrix_media_repo__src_dir }}' + notify: Load, enable and restart Matrix Media Repo + +- name: Create Matrix Media Repo config + template: + src: '../templates/config.yaml' + dest: '{{ matrix_media_repo__conf_file }}' + mode: 'u=rw,g=rw,o=' + owner: '{{ matrix_media_repo__user }}' + group: '{{ matrix_media_repo__group }}' + notify: Load, enable and 
restart Matrix Media Repo + +- name: Create Matrix Media Repo systemd service + template: + src: '../templates/matrix-media-repo.service' + dest: '{{ matrix_media_repo__service_file }}' + mode: 'u=rw,g=rw,o=r' + owner: root + group: root + notify: Load, enable and restart Matrix Media Repo + +- name: Get Matrix Media Repo source code + become_user: '{{ matrix_media_repo__user }}' + git: + repo: 'https://github.com/turt2live/matrix-media-repo.git' + dest: '{{ matrix_media_repo__src_dir }}' + version: 'b73a0082dd22e9ff447950b18e9ca49c73a6d912' + +- name: Build Matrix Media Repo source code + become_user: '{{ matrix_media_repo__user }}' + command: + chdir: '{{ matrix_media_repo__src_dir }}' + creates: '{{ matrix_media_repo__src_dir }}/bin/media_repo' + cmd: '/bin/bash {{ matrix_media_repo__src_dir }}/build.sh' + notify: Load, enable and restart Matrix Media Repo diff --git a/roles/matrix/templates/media_repo/config.yaml b/roles/matrix-media-repo/templates/config.yaml similarity index 98% rename from roles/matrix/templates/media_repo/config.yaml rename to roles/matrix-media-repo/templates/config.yaml index 19e01af..c39f350 100644 --- a/roles/matrix/templates/media_repo/config.yaml +++ b/roles/matrix-media-repo/templates/config.yaml @@ -1,7 +1,7 @@ # General repo configuration repo: bindAddress: '127.0.0.1' - port: {{ matrix__media_repo__port }} + port: {{ matrix_media_repo__port }} # Where to store the logs, relative to where the repo is started from. Logs will be automatically # rotated every day and held for 14 days. To disable the repo logging to files, set this to @@ -33,7 +33,7 @@ federation: # user instead. Using the same server is fine, just not the same username and database. database: # Currently only "postgres" is supported. - postgres: "{{ matrix__media_repo__postgres }}" + postgres: "{{ matrix_media_repo__postgres }}" # The database pooling options pool: 
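Review bot: The runtime account owns its own source tree, binary and secrets: `Create Matrix Media Repo directories` gives `matrix_media_repo__src_dir` to `{{ matrix_media_repo__user }}`, the clone and `build.sh` run as that user, and `Create Matrix Media Repo config` makes config.yaml (DB password, S3 secret) owner-writable by the same account the systemd unit runs as, so a compromised media_repo process can rewrite `bin/media_repo` or its own config and persist across restarts. Make the config `owner: root`, `group: '{{ matrix_media_repo__group }}'`, `mode: 'u=rw,g=r,o='`, and do the clone/build under a separate build account (or root) with the tree left read-only to the service user, which then only needs write access under its lib dir. Separately, `creates: '{{ matrix_media_repo__src_dir }}/bin/media_repo'` means a bump of the pinned `version` updates the checkout but skips the rebuild, leaving the stale binary running; `register: mmr_src` on the git task and `when: mmr_src.changed` on the build (dropping `creates`) keeps the binary in step with the pin. Pinning to a full commit SHA rather than a branch is the right call and should stay.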
@@ -51,10 +51,10 @@ homeservers: - # This should match the server_name of your homeserver, and the Host header # provided to the media repo. - name: "{{ matrix__site_host }}" + name: "{{ matrix_media_repo__site_host }}" # The base URL to where the homeserver can actually be reached - csApi: "{{ matrix__base_url }}" + csApi: "{{ matrix_media_repo__base_url }}" # The number of consecutive failures in calling this homeserver before the # media repository will start backing off. This defaults to 10 if not given. @@ -118,7 +118,7 @@ accessTokens: # See docs/admin.md for information on what these people can do. They must belong to one of the # configured homeservers above. admins: - - "{{ matrix__admin_user }}" + - "{{ matrix_media_repo__admin_user }}" # Shared secret auth is useful for applications building on top of the media repository, such # as a management interface. The `token` provided here is treated as a repository administrator @@ -170,11 +170,11 @@ datastores: # before being uploaded to s3 (then the file is deleted). If you aren't concerned about # memory usage, set this to an empty string. tempPath: '' - endpoint: "{{ matrix__media_repo__s3_endpoint }}" - accessKeyId: "{{ matrix__media_repo__s3_access_key }}" - accessSecret: "{{ matrix__media_repo__s3_access_secret }}" + endpoint: "{{ matrix_media_repo__s3_endpoint }}" + accessKeyId: "{{ matrix_media_repo__s3_access_key }}" + accessSecret: "{{ matrix_media_repo__s3_access_secret }}" ssl: true - bucketName: "{{ matrix__media_repo__s3_bucket }}" + bucketName: "{{ matrix_media_repo__s3_bucket }}" # An optional region for where this S3 endpoint is located. Typically not needed, though # some providers will need this (like Scaleway). Uncomment to use. #region: 'sfo2' diff --git a/roles/matrix-media-repo/templates/matrix-media-repo.conf b/roles/matrix-media-repo/templates/matrix-media-repo.conf new file mode 100644 index 0000000..cff416c --- /dev/null +++ b/roles/matrix-media-repo/templates/matrix-media-repo.conf 
@@ -0,0 +1,56 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ matrix_media_repo__media_host }};
+
+ set $CSP "";
+ set $CSP "${CSP}object-src 'none';";
+ set $CSP "${CSP}frame-src 'none';";
+ set $CSP "${CSP}connect-src 'none';";
+ set $CSP "${CSP}form-action 'none';";
+
+ add_header Content-Security-Policy $CSP always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+
+ server_name {{ matrix_media_repo__media_host }};
+
+ ssl_certificate {{ matrix_media_repo__ssl_cert }};
+ ssl_certificate_key {{ matrix_media_repo__ssl_key }};
+
+ set $CSP "";
+ set $CSP "${CSP}object-src 'none';";
+ set $CSP "${CSP}frame-src 'none';";
+ set $CSP "${CSP}connect-src 'none';";
+ set $CSP "${CSP}form-action 'none';";
+
+ add_header Content-Security-Policy $CSP always;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+
+ client_max_body_size 100M;
+
+ location /_matrix/media {
+ proxy_read_timeout 60s;
+ proxy_set_header Host {{ matrix_media_repo__site_host }};
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_pass http://localhost:{{ matrix_media_repo__port }};
+ }
+
+ location / {
+ return 404;
+ }
+}
diff --git a/roles/matrix-media-repo/templates/matrix-media-repo.service b/roles/matrix-media-repo/templates/matrix-media-repo.service
new file mode 100644
index 0000000..3e25194
--- /dev/null
+++ b/roles/matrix-media-repo/templates/matrix-media-repo.service
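Review bot: `proxy_set_header X-Forwarded-For $remote_addr;` in the `/_matrix/media` location discards any forwarded chain, and after this commit every request reaches this host through matrix.fedihub.com's nginx (`proxy_pass https://{{ matrix__media_host }}`), so the media repo will see 188.166.85.61 as the client for all uploads and downloads and anything keyed on client IP (logs, rate limits, abuse handling) collapses to one address. Use `$proxy_add_x_forwarded_for` here and, on this host, trust only the known front end with `set_real_ip_from 188.166.85.61;` / `set_real_ip_from 2a03:b0c0:2:d0::ca1:e001;` plus `real_ip_header X-Forwarded-For;` so direct hits cannot spoof the header. The 443 block has no `ssl_protocols`/`ssl_ciphers`, presumably inherited from the common role's nginx.conf — worth confirming since this vhost carries user media. The upstream `Host` arrives as `fedihub.com` while `server_name` is `matrix-media-repo.fedihub.com`; it works only because `common__nginx__remove_default: true` makes this the implicit default server, which deserves a comment above `server_name`.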
@@ -0,0 +1,18 @@
+[Unit]
+After=network.target
+Description=Matrix Media Repo
+
+[Service]
+ExecStart={{ matrix_media_repo__src_dir }}/bin/media_repo -config {{ matrix_media_repo__conf_file }}
+Group={{ matrix_media_repo__group }}
+Restart=always
+RestartSec=1
+StandardOutput=syslog
+StandardError=syslog
+SyslogIdentifier={{ matrix_media_repo__service }}
+Type=simple
+User={{ matrix_media_repo__user }}
+WorkingDirectory={{ matrix_media_repo__opt_dir }}
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/matrix-media-repo/vars/main.yml b/roles/matrix-media-repo/vars/main.yml
new file mode 100644
index 0000000..101e84b
--- /dev/null
+++ b/roles/matrix-media-repo/vars/main.yml
@@ -0,0 +1,20 @@
+---
+matrix_media_repo__user: 'matrix-media-repo'
+matrix_media_repo__group: 'matrix-media-repo'
+matrix_media_repo__service: 'matrix-media-repo'
+
+matrix_media_repo__port: 8000
+
+matrix__conf_dir: '/etc/matrix'
+matrix__opt_dir: '/opt/matrix'
+matrix__lib_dir: '/var/lib/matrix'
+
+matrix_media_repo__conf_dir: '{{ matrix__conf_dir }}/media_repo'
+matrix_media_repo__opt_dir: '{{ matrix__opt_dir }}/media_repo'
+matrix_media_repo__lib_dir: '{{ matrix__lib_dir }}/media_repo'
+
+matrix_media_repo__conf_file: '{{ matrix_media_repo__conf_dir }}/config.yaml'
+matrix_media_repo__archive_file: '{{ matrix_media_repo__opt_dir }}/src.tar.gz'
+matrix_media_repo__src_dir: '{{ matrix_media_repo__opt_dir }}/src'
+
+matrix_media_repo__service_file: '/etc/systemd/system/{{ matrix_media_repo__service }}.service'
diff --git a/roles/matrix/defaults/main.yml b/roles/matrix/defaults/main.yml
index 5adefde..a99ffd2 100644
--- a/roles/matrix/defaults/main.yml
+++ b/roles/matrix/defaults/main.yml
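Review bot: The unit runs a network-facing Go binary with no sandboxing directives at all, and `ExecStart` points at `{{ matrix_media_repo__src_dir }}/bin/media_repo`, a file the same `User=` account owns per the role tasks; at minimum add `NoNewPrivileges=`, `ProtectSystem=strict`, `ProtectHome=`, `PrivateTmp=` and an explicit `ReadWritePaths=` so a compromise cannot write outside its data and log directories. `StandardOutput=syslog`/`StandardError=syslog` are deprecated in favour of `journal`, and since the process talks to PostgreSQL and S3 at start `After=network.target` should become `After=network-online.target` with `Wants=network-online.target`. I cannot see the config's log directory or whether a local datastore is configured, so the `ReadWritePaths=` line below is a starting point to confirm against config.yaml (the config comment says logs default to a path relative to `WorkingDirectory`).
```ini
[Service]
ExecStart={{ matrix_media_repo__src_dir }}/bin/media_repo -config {{ matrix_media_repo__conf_file }}
# … unchanged: Group, Restart, RestartSec, SyslogIdentifier, Type, User, WorkingDirectory …
StandardOutput=journal
StandardError=journal
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# TODO(review): confirm against config.yaml — log dir and any local datastore must be listed here.
ReadWritePaths={{ matrix_media_repo__lib_dir }} {{ matrix_media_repo__opt_dir }}
```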
@@ -1,7 +1,8 @@ --- -matrix__site_host: 'example.com' -matrix__base_host: 'matrix.example.com' -matrix__web_host: 'element.example.com' +matrix__site_host: 'example.com' +matrix__base_host: 'matrix.example.com' +matrix__media_host: 'matrix-media-repo.example.com' +matrix__web_host: 'element.example.com' matrix__site_url: 'https://example.com' matrix__base_url: 'https://matrix.example.com' @@ -31,11 +32,5 @@ matrix__synapse__form_secret: '' matrix__synapse__recaptcha_public_key: '' matrix__synapse__recaptcha_private_key: '' -matrix__media_repo__postgres: 'postgres://user:pass@example.com/dbname?sslmode=require' -matrix__media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com' -matrix__media_repo__s3_access_key: '' -matrix__media_repo__s3_access_secret: '' -matrix__media_repo__s3_bucket: 'example-matrix-media-repo' - matrix__static__user_id: '' matrix__static__access_token: '' diff --git a/roles/matrix/handlers/main.yml b/roles/matrix/handlers/main.yml index ec9755c..32e6940 100644 --- a/roles/matrix/handlers/main.yml +++ b/roles/matrix/handlers/main.yml @@ -11,13 +11,6 @@ enabled: true state: restarted -- name: Load, enable and restart Matrix Media Repo - systemd: - name: '{{ matrix__media_repo__service }}' - daemon_reload: true - enabled: true - state: restarted - - name: Load, enable and restart Matrix Static systemd: name: '{{ matrix__static__service }}' diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml index 3f7754c..566211b 100644 --- a/roles/matrix/tasks/main.yml +++ b/roles/matrix/tasks/main.yml @@ -8,9 +8,6 @@ - include_tasks: synapse.yml - meta: flush_handlers -- include_tasks: media_repo.yml -- meta: flush_handlers - - include_tasks: static.yml - meta: flush_handlers diff --git a/roles/matrix/tasks/media_repo.yml b/roles/matrix/tasks/media_repo.yml deleted file mode 100644 index 95cc4f8..0000000 --- a/roles/matrix/tasks/media_repo.yml +++ /dev/null 
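Review bot: Dropping `- include_tasks: media_repo.yml` from roles/matrix/tasks/main.yml stops managing the old media repo on matrix.fedihub.com but leaves it installed: the deleted tasks had created and enabled `matrix-media-repo.service`, the `matrix-media-repo` user, and `/etc/matrix/media_repo/config.yaml` holding the DB password and S3 keys in cleartext, and nothing in this commit stops that service or removes those files. The old process will keep running on 127.0.0.1:8002 with credentials that are now meant to belong to another host. Add a one-off cleanup task block (`systemd: state: stopped, enabled: false`, `file: state: absent` on the config, opt and lib dirs, `user: state: absent`) or do it by hand and say so in the commit message, and rotate the credentials either way. The task list continues past the visible hunk lines.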
@@ -1,66 +0,0 @@ ---- -- name: Install system packages for Matrix Media Repo - apt: - name: golang - notify: Load, enable and restart Matrix Media Repo - -- name: Create Matrix Media Repo system group - group: - name: '{{ matrix__media_repo__group }}' - system: true - notify: Load, enable and restart Matrix Media Repo - -- name: Create Matrix Media Repo system user - user: - name: '{{ matrix__media_repo__user }}' - group: '{{ matrix__media_repo__group }}' - system: true - create_home: true - home: '{{ matrix__media_repo__lib_dir }}' - notify: Load, enable and restart Matrix Media Repo - -- name: Create Matrix Media Repo directories - file: - state: directory - path: '{{ item }}' - mode: 'u=rwx,g=rwx,o=rx' - owner: '{{ matrix__media_repo__user }}' - group: '{{ matrix__media_repo__group }}' - with_items: - - '{{ matrix__media_repo__conf_dir }}' - - '{{ matrix__media_repo__opt_dir }}' - - '{{ matrix__media_repo__src_dir }}' - notify: Load, enable and restart Matrix Media Repo - -- name: Create Matrix Media Repo config - template: - src: '../templates/media_repo/config.yaml' - dest: '{{ matrix__media_repo__conf_file }}' - mode: 'u=rw,g=rw,o=' - owner: '{{ matrix__media_repo__user }}' - group: '{{ matrix__media_repo__group }}' - notify: Load, enable and restart Matrix Media Repo - -- name: Create Matrix Media Repo systemd service - template: - src: '../templates/media_repo/matrix-media-repo.service' - dest: '{{ matrix__media_repo__service_file }}' - mode: 'u=rw,g=rw,o=r' - owner: root - group: root - notify: Load, enable and restart Matrix Media Repo - -- name: Get Matrix Media Repo source code - become_user: '{{ matrix__media_repo__user }}' - git: - repo: 'https://github.com/turt2live/matrix-media-repo.git' - dest: '{{ matrix__media_repo__src_dir }}' - version: 'b73a0082dd22e9ff447950b18e9ca49c73a6d912' - -- name: Build Matrix Media Repo source code - become_user: '{{ matrix__media_repo__user }}' - command: - chdir: '{{ matrix__media_repo__src_dir }}' - creates: '{{ 
matrix__media_repo__src_dir }}/bin/media_repo' - cmd: '/bin/bash {{ matrix__media_repo__src_dir }}/build.sh' - notify: Load, enable and restart Matrix Media Repo diff --git a/roles/matrix/templates/media_repo/matrix-media-repo.service b/roles/matrix/templates/media_repo/matrix-media-repo.service deleted file mode 100644 index bc3c8c5..0000000 --- a/roles/matrix/templates/media_repo/matrix-media-repo.service +++ /dev/null @@ -1,18 +0,0 @@ -[Unit] -After=network.target -Description=Matrix Media Repo - -[Service] -ExecStart={{ matrix__media_repo__src_dir }}/bin/media_repo -config {{ matrix__media_repo__conf_file }} -Group={{ matrix__media_repo__group }} -Restart=always -RestartSec=1 -StandardOutput=syslog -StandardError=syslog -SyslogIdentifier={{ matrix__media_repo__service }} -Type=simple -User={{ matrix__media_repo__user }} -WorkingDirectory={{ matrix__media_repo__opt_dir }} - -[Install] -WantedBy=multi-user.target diff --git a/roles/matrix/templates/nginx/matrix.conf b/roles/matrix/templates/nginx/matrix.conf index 1d54acb..9a54a02 100644 --- a/roles/matrix/templates/nginx/matrix.conf +++ b/roles/matrix/templates/nginx/matrix.conf @@ -82,7 +82,7 @@ server { proxy_set_header Host {{ matrix__site_host }}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; - proxy_pass http://localhost:{{ matrix__media_repo__port }}; + proxy_pass https://{{ matrix__media_host }}; } location /_matrix { @@ -128,7 +128,7 @@ server { proxy_set_header Host {{ matrix__site_host }}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; - proxy_pass http://localhost:{{ matrix__media_repo__port }}; + proxy_pass https://{{ matrix__media_host }}; } location / { diff --git a/roles/matrix/vars/main.yml b/roles/matrix/vars/main.yml index a101650..9e194e6 100644 --- a/roles/matrix/vars/main.yml +++ b/roles/matrix/vars/main.yml 
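Review bot: `proxy_pass https://{{ matrix__media_host }};` in both hunks now sends media traffic to another host over the public internet, but nginx does not verify upstream certificates unless told to (`proxy_ssl_verify` defaults to off) and does not send SNI by default, so the hop is encrypted but unauthenticated and anyone who can answer for 167.172.46.255 is accepted. Add to both `location` blocks `proxy_ssl_verify on;`, `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` and `proxy_ssl_server_name on;` (`proxy_ssl_name` defaults to the `proxy_pass` host, so the rewritten `Host` header does not interfere). The carried-over `proxy_set_header X-Forwarded-For $remote_addr;` now hides the real client IP from the media repo behind this second proxy; `$proxy_add_x_forwarded_for` preserves it. Both `location` blocks extend beyond the hunk, so I cannot see whether other upstream settings already cover this.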
@@ -3,16 +3,11 @@ matrix__synapse__user: 'matrix-synapse' matrix__synapse__group: 'matrix-synapse' matrix__synapse__service: 'matrix-synapse' -matrix__media_repo__user: 'matrix-media-repo' -matrix__media_repo__group: 'matrix-media-repo' -matrix__media_repo__service: 'matrix-media-repo' - matrix__static__user: 'matrix-static' matrix__static__group: 'matrix-static' matrix__static__service: 'matrix-static' matrix__synapse__port: 8001 -matrix__media_repo__port: 8002 matrix__static__port: 8003 matrix__conf_dir: '/etc/matrix' @@ -25,10 +20,6 @@ matrix__synapse__opt_dir: '{{ matrix__opt_dir }}/synapse' matrix__synapse__lib_dir: '{{ matrix__lib_dir }}/synapse' matrix__synapse__run_dir: '{{ matrix__run_dir }}/synapse' -matrix__media_repo__conf_dir: '{{ matrix__conf_dir }}/media_repo' -matrix__media_repo__opt_dir: '{{ matrix__opt_dir }}/media_repo' -matrix__media_repo__lib_dir: '{{ matrix__lib_dir }}/media_repo' - matrix__static__conf_dir: '{{ matrix__conf_dir }}/static' matrix__static__opt_dir: '{{ matrix__opt_dir }}/static' @@ -42,10 +33,6 @@ matrix__synapse__media_dir: '{{ matrix__synapse__lib_dir }}/media_store' matrix__synapse__db_file: '{{ matrix__synapse__lib_dir }}/homeserver.db' matrix__synapse__pid_file: '{{ matrix__synapse__run_dir }}/homeserver.pid' -matrix__media_repo__conf_file: '{{ matrix__media_repo__conf_dir }}/config.yaml' -matrix__media_repo__archive_file: '{{ matrix__media_repo__opt_dir }}/src.tar.gz' -matrix__media_repo__src_dir: '{{ matrix__media_repo__opt_dir }}/src' - matrix__static__conf_file: '{{ matrix__static__conf_dir }}/config.json' matrix__static__archive_file: '{{ matrix__static__opt_dir }}/src.tar.gz' matrix__static__src_dir: '{{ matrix__static__opt_dir }}/src' 
@@ -55,9 +42,8 @@ matrix__element__archive_file: '{{ matrix__element__opt_dir }}/src.tar.gz' matrix__element__src_dir: '{{ matrix__element__opt_dir }}/src' matrix__element__conf_file: '{{ matrix__element__src_dir }}/config.json' -matrix__synapse__service_file: '/etc/systemd/system/{{ matrix__synapse__service }}.service' -matrix__media_repo__service_file: '/etc/systemd/system/{{ matrix__media_repo__service }}.service' -matrix__static__service_file: '/etc/systemd/system/{{ matrix__static__service }}.service' +matrix__synapse__service_file: '/etc/systemd/system/{{ matrix__synapse__service }}.service' +matrix__static__service_file: '/etc/systemd/system/{{ matrix__static__service }}.service' matrix__static__url: 'https://github.com/matrix-org/matrix-static/archive/0.3.0.tar.gz' matrix__element__url: 'https://github.com/vector-im/riot-web/releases/download/v1.7.1/riot-v1.7.1.tar.gz'