Add host "matrix-media-repo.fedihub.com"
This commit is contained in:
parent
dd8305c9cc
commit
2961cd194d
20 changed files with 347 additions and 178 deletions
75
host_vars/matrix-media-repo.fedihub.com.yml
Normal file
75
host_vars/matrix-media-repo.fedihub.com.yml
Normal file
|
@ -0,0 +1,75 @@
|
||||||
|
---
|
||||||
|
ansible_become_pass_for:
|
||||||
|
kotovalexarian: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.2;AES256;matrix
|
||||||
|
63326633306530326139353961383364663139396163623235366464356664613462653638633039
|
||||||
|
3939653732613839623434326665303762653265353161610a623461323166626535373833366464
|
||||||
|
61636234666533393433663239356562393232303966663665666231303338323935333163326566
|
||||||
|
3938656465353539640a656363333132626433393239643762666539623839306663646362353030
|
||||||
|
64613464653538613139383461623562613631303766633634393563303861626662306435626434
|
||||||
|
3634366165623565393230343831383430313166346439653766
|
||||||
|
|
||||||
|
ansible_become_pass: "{{ ansible_become_pass_for[admin] }}"
|
||||||
|
|
||||||
|
common__certbot__cert_name: 'matrix-media-repo.fedihub.com'
|
||||||
|
common__certbot__cert_domains:
|
||||||
|
- 'matrix-media-repo.fedihub.com'
|
||||||
|
common__certbot__post_hook: 'systemctl is-active nginx.service || systemctl start nginx.service'
|
||||||
|
common__certbot__pre_hook: 'systemctl is-active nginx.service && systemctl stop nginx.service || true'
|
||||||
|
|
||||||
|
common__nginx__state: install
|
||||||
|
common__nginx__remove_default: true
|
||||||
|
|
||||||
|
matrix_media_repo__site_host: 'fedihub.com'
|
||||||
|
matrix_media_repo__media_host: 'matrix-media-repo.fedihub.com'
|
||||||
|
matrix_media_repo__base_url: 'https://matrix.fedihub.com'
|
||||||
|
matrix_media_repo__admin_user: '@kotovalexarian:fedihub.com'
|
||||||
|
|
||||||
|
matrix_media_repo__ssl_cert: '/etc/letsencrypt/live/matrix-media-repo.fedihub.com/fullchain.pem'
|
||||||
|
matrix_media_repo__ssl_key: '/etc/letsencrypt/live/matrix-media-repo.fedihub.com/privkey.pem'
|
||||||
|
|
||||||
|
matrix_media_repo__postgres: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.2;AES256;matrix
|
||||||
|
62356433313435383239316430666234386234626335346239313264346532613232303064333731
|
||||||
|
3833633035363237346537623633303135383162636465300a366637666535353463616665653237
|
||||||
|
34346636333061303033633362356232643334393133363033646635313134366164306461663364
|
||||||
|
3935396239343630340a396463623534613630323833333330633861393063323332613532373565
|
||||||
|
32626463313965323635633034316237663835616464333261626331396136316335636132636265
|
||||||
|
62343935316666656466336438633565316338363665366161643739616534353933373861343938
|
||||||
|
38323533383362623835633230623363666662643264393534306362663535666531326534303636
|
||||||
|
66303133626239633436663137633438326632366234613033396230393262326234356362396336
|
||||||
|
64386664613064323034303039623038633339353362376238633065343364646266633862663232
|
||||||
|
6637313330656465623437393764353466666230666633366238
|
||||||
|
|
||||||
|
matrix_media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com'
|
||||||
|
matrix_media_repo__s3_bucket: 'fedihub-matrix-media-repo'
|
||||||
|
|
||||||
|
matrix_media_repo__s3_access_key: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.2;AES256;matrix
|
||||||
|
35326162306233313937646565623563636538376464643739313462323535393366363262323565
|
||||||
|
3465623639303935623461336230646439663839343331320a663635343239366366623062346630
|
||||||
|
37626332323965383738366532313665383564366132383530613762643836333831393735666438
|
||||||
|
6132393437343464390a336339383439326338646137356634333534636236326438646433353965
|
||||||
|
63376165363038326337346139303961373565346265393836396439656131633263
|
||||||
|
|
||||||
|
matrix_media_repo__s3_access_secret: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.2;AES256;matrix
|
||||||
|
36316562306261323138663361353762393736343765346435633631353734663765343638383265
|
||||||
|
3132383663393161306464386336396265363962313764320a653862343933666461666134383434
|
||||||
|
38623661326462303962376535373862303235353131363361633736336231336536633338643233
|
||||||
|
3539663031633038360a316433343432663865393738366633376235653839326232663134303931
|
||||||
|
65363837313464616536333934353062353962363365353831623234363939636333616634323832
|
||||||
|
3466656664353839333966643333336432303435663232646664
|
||||||
|
|
||||||
|
common__iptables__drop_by_default: true
|
||||||
|
|
||||||
|
common__iptables__v4_filter: |
|
||||||
|
# Allow incoming HTTP, HTTPS.
|
||||||
|
-A INPUT -p tcp -m multiport --dport 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -p tcp -m multiport --sport 80,443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
|
||||||
|
# Deny other HTTP, HTTPS.
|
||||||
|
-A INPUT -p tcp -m multiport --dport 80,443 -j REJECT
|
||||||
|
-A OUTPUT -p tcp -m multiport --sport 80,443 -j REJECT
|
||||||
|
|
||||||
|
common__iptables__v6_filter: '{{ common__iptables__v4_filter }}'
|
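Review bot: The certbot hooks `common__certbot__pre_hook` / `common__certbot__post_hook` stop nginx for the whole of every renewal, which takes the public media endpoint (and the port-80 redirect) offline each time; that looks like a standalone-authenticator setup, though the common role that consumes these hooks is not visible on this page. Since nginx already listens on port 80 for this host, a webroot challenge served from the existing server block would avoid the outage and the hooks could shrink to a post-hook of `systemctl reload nginx.service`. Also worth confirming: with `common__iptables__drop_by_default: true` the only explicit ACCEPT rules here are inbound 80/443 and their replies, so outbound connections to PostgreSQL (5432), S3 and the homeserver must be permitted somewhere in the common role or the deploy will fail at first use.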
|
@ -30,6 +30,7 @@ common__nginx__remove_default: true
|
||||||
|
|
||||||
matrix__site_host: 'fedihub.com'
|
matrix__site_host: 'fedihub.com'
|
||||||
matrix__base_host: 'matrix.fedihub.com'
|
matrix__base_host: 'matrix.fedihub.com'
|
||||||
|
matrix__media_host: 'matrix-media-repo.fedihub.com'
|
||||||
matrix__web_host: 'element.fedihub.com'
|
matrix__web_host: 'element.fedihub.com'
|
||||||
|
|
||||||
matrix__site_url: 'https://fedihub.com'
|
matrix__site_url: 'https://fedihub.com'
|
||||||
|
@ -107,39 +108,6 @@ matrix__synapse__recaptcha_private_key: !vault |
|
||||||
64353465313836306238653531383662366637616538666661663063366462323962373337666165
|
64353465313836306238653531383662366637616538666661663063366462323962373337666165
|
||||||
3231306636303736653330333037393530643931366136326634
|
3231306636303736653330333037393530643931366136326634
|
||||||
|
|
||||||
matrix__media_repo__postgres: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.2;AES256;matrix
|
|
||||||
62356433313435383239316430666234386234626335346239313264346532613232303064333731
|
|
||||||
3833633035363237346537623633303135383162636465300a366637666535353463616665653237
|
|
||||||
34346636333061303033633362356232643334393133363033646635313134366164306461663364
|
|
||||||
3935396239343630340a396463623534613630323833333330633861393063323332613532373565
|
|
||||||
32626463313965323635633034316237663835616464333261626331396136316335636132636265
|
|
||||||
62343935316666656466336438633565316338363665366161643739616534353933373861343938
|
|
||||||
38323533383362623835633230623363666662643264393534306362663535666531326534303636
|
|
||||||
66303133626239633436663137633438326632366234613033396230393262326234356362396336
|
|
||||||
64386664613064323034303039623038633339353362376238633065343364646266633862663232
|
|
||||||
6637313330656465623437393764353466666230666633366238
|
|
||||||
|
|
||||||
matrix__media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com'
|
|
||||||
matrix__media_repo__s3_bucket: 'fedihub-matrix-media-repo'
|
|
||||||
|
|
||||||
matrix__media_repo__s3_access_key: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.2;AES256;matrix
|
|
||||||
35326162306233313937646565623563636538376464643739313462323535393366363262323565
|
|
||||||
3465623639303935623461336230646439663839343331320a663635343239366366623062346630
|
|
||||||
37626332323965383738366532313665383564366132383530613762643836333831393735666438
|
|
||||||
6132393437343464390a336339383439326338646137356634333534636236326438646433353965
|
|
||||||
63376165363038326337346139303961373565346265393836396439656131633263
|
|
||||||
|
|
||||||
matrix__media_repo__s3_access_secret: !vault |
|
|
||||||
$ANSIBLE_VAULT;1.2;AES256;matrix
|
|
||||||
36316562306261323138663361353762393736343765346435633631353734663765343638383265
|
|
||||||
3132383663393161306464386336396265363962313764320a653862343933666461666134383434
|
|
||||||
38623661326462303962376535373862303235353131363361633736336231336536633338643233
|
|
||||||
3539663031633038360a316433343432663865393738366633376235653839326232663134303931
|
|
||||||
65363837313464616536333934353062353962363365353831623234363939636333616634323832
|
|
||||||
3466656664353839333966643333336432303435663232646664
|
|
||||||
|
|
||||||
matrix__static__user_id: '@1:fedihub.com'
|
matrix__static__user_id: '@1:fedihub.com'
|
||||||
|
|
||||||
matrix__static__access_token: !vault |
|
matrix__static__access_token: !vault |
|
||||||
|
|
|
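Review bot: Dropping the `matrix__media_repo__*` vault values here, together with deleting the media_repo tasks from the matrix role, does not decommission the media repo that earlier runs deployed on matrix.fedihub.com: its systemd unit stays enabled and its config file still holds the PostgreSQL password and S3 keys, whose vault blobs are byte-identical to the ones added for the new host, so the secrets were moved rather than rotated. The rewritten pg_hba entries stop the old host from reaching the database, but the S3 credentials remain usable from it. I would add a one-off cleanup (stop/disable the old unit, remove its config and source tree) or rotate the S3 access key after cutover, and record which was done in the commit message.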
@ -32,7 +32,6 @@ postgresql_users:
|
||||||
3633343834336333650a663062393934663663646561616162386161336364326430346239396361
|
3633343834336333650a663062393934663663646561616162386161336364326430346239396361
|
||||||
36393735656637636165646261643166383464656231393361656634636565643434353163353738
|
36393735656637636165646261643166383464656231393361656634636565643434353163353738
|
||||||
6134383131623635343166343165633164363766336334386365
|
6134383131623635343166343165633164363766336334386365
|
||||||
|
|
||||||
- name: matrix_synapse
|
- name: matrix_synapse
|
||||||
password: !vault |
|
password: !vault |
|
||||||
$ANSIBLE_VAULT;1.2;AES256;postgres
|
$ANSIBLE_VAULT;1.2;AES256;postgres
|
||||||
|
@ -123,19 +122,19 @@ postgresql_hba_entries:
|
||||||
- type: hostssl
|
- type: hostssl
|
||||||
database: matrix_media_repo
|
database: matrix_media_repo
|
||||||
user: matrix_media_repo
|
user: matrix_media_repo
|
||||||
address: '188.166.85.61/32'
|
address: '167.172.46.255/32'
|
||||||
auth_method: md5
|
auth_method: md5
|
||||||
|
|
||||||
- type: hostssl
|
- type: hostssl
|
||||||
database: matrix_media_repo
|
database: matrix_media_repo
|
||||||
user: matrix_media_repo
|
user: matrix_media_repo
|
||||||
address: '2a03:b0c0:2:d0::ca1:e001/128'
|
address: '2a03:b0c0:2:f0::187:5001/128'
|
||||||
auth_method: md5
|
auth_method: md5
|
||||||
|
|
||||||
- type: hostssl
|
- type: hostssl
|
||||||
database: matrix_media_repo
|
database: matrix_media_repo
|
||||||
user: matrix_media_repo
|
user: matrix_media_repo
|
||||||
address: '10.110.0.4/32'
|
address: '10.110.0.5/32'
|
||||||
auth_method: md5
|
auth_method: md5
|
||||||
|
|
||||||
- type: host
|
- type: host
|
||||||
|
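Review bot: The rewritten `address` values grant the `matrix_media_repo` role access from the new host's public IPv4/IPv6 (`167.172.46.255/32`, `2a03:b0c0:2:f0::187:5001/128`) as well as its private address `10.110.0.5/32`, and the iptables hunks below open 5432 on the public interface to match. If the vaulted DSN in host_vars points at the private address, the two public entries (and the matching `-s 167.172.46.255/32` / `-s 2a03:b0c0:2:f0::187:5001/128` rules) are unnecessary exposure of PostgreSQL on the public interface and can be dropped; if it uses the public address, the private entries are the dead ones. Either way only one path should be kept — the DSN is vault-encrypted so I cannot tell which from this page.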
@ -172,6 +171,12 @@ common__iptables__v4_filter: |
|
||||||
# matrix.fedihub.com (private)
|
# matrix.fedihub.com (private)
|
||||||
-A INPUT -p tcp --dport 5432 -s 10.110.0.4/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
-A INPUT -p tcp --dport 5432 -s 10.110.0.4/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
-A OUTPUT -p tcp --sport 5432 -d 10.110.0.4/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
-A OUTPUT -p tcp --sport 5432 -d 10.110.0.4/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
# matrix-media-repo.fedihub.com (public)
|
||||||
|
-A INPUT -p tcp --dport 5432 -s 167.172.46.255/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -p tcp --sport 5432 -d 167.172.46.255/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
# matrix-media-repo.fedihub.com (private)
|
||||||
|
-A INPUT -p tcp --dport 5432 -s 10.110.0.5/32 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -p tcp --sport 5432 -d 10.110.0.5/32 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
|
||||||
# Deny other PostgreSQL.
|
# Deny other PostgreSQL.
|
||||||
-A INPUT -p tcp --dport 5432 -j REJECT
|
-A INPUT -p tcp --dport 5432 -j REJECT
|
||||||
|
@ -193,6 +198,9 @@ common__iptables__v6_filter: |
|
||||||
# matrix.fedihub.com
|
# matrix.fedihub.com
|
||||||
-A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:d0::ca1:e001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
-A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:d0::ca1:e001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
-A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:d0::ca1:e001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
-A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:d0::ca1:e001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
# matrix-media-repo.fedihub.com
|
||||||
|
-A INPUT -p tcp --dport 5432 -s 2a03:b0c0:2:f0::187:5001/128 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
|
||||||
|
-A OUTPUT -p tcp --sport 5432 -d 2a03:b0c0:2:f0::187:5001/128 -m conntrack --ctstate ESTABLISHED -j ACCEPT
|
||||||
|
|
||||||
# Deny other PostgreSQL.
|
# Deny other PostgreSQL.
|
||||||
-A INPUT -p tcp --dport 5432 -j REJECT
|
-A INPUT -p tcp --dport 5432 -j REJECT
|
||||||
|
|
1
hosts
1
hosts
|
@ -1,4 +1,5 @@
|
||||||
matrix.fedihub.com
|
matrix.fedihub.com
|
||||||
|
matrix-media-repo.fedihub.com
|
||||||
postgres.fedihub.com
|
postgres.fedihub.com
|
||||||
website.fedihub.com
|
website.fedihub.com
|
||||||
|
|
||||||
|
|
11
playbooks/deploy/matrix-media-repo.yml
Normal file
11
playbooks/deploy/matrix-media-repo.yml
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
---
|
||||||
|
- hosts: matrix-media-repo.fedihub.com
|
||||||
|
module_defaults:
|
||||||
|
apt:
|
||||||
|
force_apt_get: true
|
||||||
|
update_cache: true
|
||||||
|
cache_valid_time: 86400
|
||||||
|
roles:
|
||||||
|
- name: kotovalexarian.common
|
||||||
|
tags: common
|
||||||
|
- ../../roles/matrix-media-repo
|
|
@ -2,3 +2,4 @@
|
||||||
- import_playbook: postgres.yml
|
- import_playbook: postgres.yml
|
||||||
- import_playbook: website.yml
|
- import_playbook: website.yml
|
||||||
- import_playbook: matrix.yml
|
- import_playbook: matrix.yml
|
||||||
|
- import_playbook: matrix-media-repo.yml
|
||||||
|
|
14
roles/matrix-media-repo/defaults/main.yml
Normal file
14
roles/matrix-media-repo/defaults/main.yml
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
---
|
||||||
|
matrix_media_repo__site_host: 'example.com'
|
||||||
|
matrix_media_repo__media_host: 'matrix-media-repo.example.com'
|
||||||
|
matrix_media_repo__base_url: 'https://matrix.example.com'
|
||||||
|
matrix_media_repo__admin_user: '@user:example.com'
|
||||||
|
|
||||||
|
matrix_media_repo__ssl_cert: '/etc/letsencrypt/live/matrix.example.com/fullchain.pem'
|
||||||
|
matrix_media_repo__ssl_key: '/etc/letsencrypt/live/matrix.example.com/privkey.pem'
|
||||||
|
|
||||||
|
matrix_media_repo__postgres: 'postgres://user:pass@example.com/dbname?sslmode=require'
|
||||||
|
matrix_media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com'
|
||||||
|
matrix_media_repo__s3_access_key: ''
|
||||||
|
matrix_media_repo__s3_access_secret: ''
|
||||||
|
matrix_media_repo__s3_bucket: 'example-matrix-media-repo'
|
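Review bot: The `matrix_media_repo__postgres` default uses `sslmode=require`, which encrypts the connection but does not verify the server's certificate, so a connection that crosses the public interface (which the pg_hba entries in this commit allow) is open to an on-path impostor; the role default should document `sslmode=verify-full` with `sslrootcert=`, e.g. `matrix_media_repo__postgres: 'postgres://user:pass@example.com/dbname?sslmode=verify-full&sslrootcert=/etc/ssl/certs/ca-certificates.crt'` (`verify-ca` if the real DSN uses a bare IP with no matching SAN). The same applies to the vaulted host value, which I cannot inspect. Separately, `user:pass@example.com` and the empty S3 key/secret defaults are placeholders that a missing host var would silently deploy; an `assert` on these in tasks (or `{{ ... | mandatory }}` in the template) would fail early instead.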
12
roles/matrix-media-repo/handlers/main.yml
Normal file
12
roles/matrix-media-repo/handlers/main.yml
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
---
|
||||||
|
- name: Restart Nginx
|
||||||
|
systemd:
|
||||||
|
name: nginx
|
||||||
|
state: restarted
|
||||||
|
|
||||||
|
- name: Load, enable and restart Matrix Media Repo
|
||||||
|
systemd:
|
||||||
|
name: '{{ matrix_media_repo__service }}'
|
||||||
|
daemon_reload: true
|
||||||
|
enabled: true
|
||||||
|
state: restarted
|
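Review bot: The `Restart Nginx` handler uses `state: restarted`, which drops in-flight client connections every time the site template or its symlink changes; a configuration change only needs `state: reloaded`, so I would change that one line. The service handler's `daemon_reload: true` together with `enabled: true` and `state: restarted` is appropriate, since the unit file and binary can change.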
98
roles/matrix-media-repo/tasks/main.yml
Normal file
98
roles/matrix-media-repo/tasks/main.yml
Normal file
|
@ -0,0 +1,98 @@
|
||||||
|
---
|
||||||
|
- name: Install system packages for Matrix Media Repo
|
||||||
|
apt:
|
||||||
|
name:
|
||||||
|
- golang
|
||||||
|
- nginx
|
||||||
|
notify: Load, enable and restart Matrix Media Repo
|
||||||
|
|
||||||
|
- name: Create Nginx server configuration
|
||||||
|
template:
|
||||||
|
src: '../templates/matrix-media-repo.conf'
|
||||||
|
dest: '/etc/nginx/sites-available/matrix-media-repo.conf'
|
||||||
|
mode: 'u=rw,g=rw,o=r'
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
notify: Restart Nginx
|
||||||
|
|
||||||
|
- name: Enable Nginx server configuration
|
||||||
|
file:
|
||||||
|
state: link
|
||||||
|
src: '/etc/nginx/sites-available/matrix-media-repo.conf'
|
||||||
|
dest: '/etc/nginx/sites-enabled/matrix-media-repo.conf'
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
notify: Restart Nginx
|
||||||
|
|
||||||
|
- name: Create Matrix Media Repo system group
|
||||||
|
group:
|
||||||
|
name: '{{ matrix_media_repo__group }}'
|
||||||
|
system: true
|
||||||
|
notify: Load, enable and restart Matrix Media Repo
|
||||||
|
|
||||||
|
- name: Create Matrix Media Repo system user
|
||||||
|
user:
|
||||||
|
name: '{{ matrix_media_repo__user }}'
|
||||||
|
group: '{{ matrix_media_repo__group }}'
|
||||||
|
system: true
|
||||||
|
create_home: true
|
||||||
|
home: '{{ matrix_media_repo__lib_dir }}'
|
||||||
|
notify: Load, enable and restart Matrix Media Repo
|
||||||
|
|
||||||
|
- name: Create Matrix directories
|
||||||
|
file:
|
||||||
|
state: directory
|
||||||
|
path: '{{ item }}'
|
||||||
|
mode: 'u=rwx,g=rwx,o=rx'
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
with_items:
|
||||||
|
- '{{ matrix__conf_dir }}'
|
||||||
|
- '{{ matrix__opt_dir }}'
|
||||||
|
notify: Load, enable and restart Matrix Media Repo
|
||||||
|
|
||||||
|
- name: Create Matrix Media Repo directories
|
||||||
|
file:
|
||||||
|
state: directory
|
||||||
|
path: '{{ item }}'
|
||||||
|
mode: 'u=rwx,g=rwx,o=rx'
|
||||||
|
owner: '{{ matrix_media_repo__user }}'
|
||||||
|
group: '{{ matrix_media_repo__group }}'
|
||||||
|
with_items:
|
||||||
|
- '{{ matrix_media_repo__conf_dir }}'
|
||||||
|
- '{{ matrix_media_repo__opt_dir }}'
|
||||||
|
- '{{ matrix_media_repo__src_dir }}'
|
||||||
|
notify: Load, enable and restart Matrix Media Repo
|
||||||
|
|
||||||
|
- name: Create Matrix Media Repo config
|
||||||
|
template:
|
||||||
|
src: '../templates/config.yaml'
|
||||||
|
dest: '{{ matrix_media_repo__conf_file }}'
|
||||||
|
mode: 'u=rw,g=rw,o='
|
||||||
|
owner: '{{ matrix_media_repo__user }}'
|
||||||
|
group: '{{ matrix_media_repo__group }}'
|
||||||
|
notify: Load, enable and restart Matrix Media Repo
|
||||||
|
|
||||||
|
- name: Create Matrix Media Repo systemd service
|
||||||
|
template:
|
||||||
|
src: '../templates/matrix-media-repo.service'
|
||||||
|
dest: '{{ matrix_media_repo__service_file }}'
|
||||||
|
mode: 'u=rw,g=rw,o=r'
|
||||||
|
owner: root
|
||||||
|
group: root
|
||||||
|
notify: Load, enable and restart Matrix Media Repo
|
||||||
|
|
||||||
|
- name: Get Matrix Media Repo source code
|
||||||
|
become_user: '{{ matrix_media_repo__user }}'
|
||||||
|
git:
|
||||||
|
repo: 'https://github.com/turt2live/matrix-media-repo.git'
|
||||||
|
dest: '{{ matrix_media_repo__src_dir }}'
|
||||||
|
version: 'b73a0082dd22e9ff447950b18e9ca49c73a6d912'
|
||||||
|
|
||||||
|
- name: Build Matrix Media Repo source code
|
||||||
|
become_user: '{{ matrix_media_repo__user }}'
|
||||||
|
command:
|
||||||
|
chdir: '{{ matrix_media_repo__src_dir }}'
|
||||||
|
creates: '{{ matrix_media_repo__src_dir }}/bin/media_repo'
|
||||||
|
cmd: '/bin/bash {{ matrix_media_repo__src_dir }}/build.sh'
|
||||||
|
notify: Load, enable and restart Matrix Media Repo
|
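Review bot: The build task's `creates: '{{ matrix_media_repo__src_dir }}/bin/media_repo'` means that once a binary exists the build never runs again, so bumping `version:` in the git task checks out new source but leaves the old binary in place — the pinned commit (good for supply-chain reasons) silently stops being what runs. Register the git task and rebuild when it reports a change or the binary is missing, as below. Two least-privilege points on the same tasks: the service user owns both the source tree the binary is built in and the config file holding the database password and S3 secret (`mode: 'u=rw,g=rw,o='` owned by that user), so a compromised process can rewrite its own binary and configuration; building as a separate user (or installing the binary to a root-owned path) and making the config `root:{{ matrix_media_repo__group }}` with `mode: 'u=rw,g=r,o='` closes both. The root-owned nginx config and `/etc/matrix` directories are also group-writable (`g=rw` / `g=rwx`) for no apparent reason; `u=rw,g=r,o=r` and `u=rwx,g=rx,o=rx` are the conventional modes.
```yaml
# … unchanged: package, nginx, user/group, directory, config and service tasks …

- name: Get Matrix Media Repo source code
  become_user: '{{ matrix_media_repo__user }}'
  git:
    repo: 'https://github.com/turt2live/matrix-media-repo.git'
    dest: '{{ matrix_media_repo__src_dir }}'
    version: 'b73a0082dd22e9ff447950b18e9ca49c73a6d912'
  register: matrix_media_repo__git

- name: Check for an existing Matrix Media Repo binary
  stat:
    path: '{{ matrix_media_repo__src_dir }}/bin/media_repo'
  register: matrix_media_repo__bin

- name: Build Matrix Media Repo source code
  become_user: '{{ matrix_media_repo__user }}'
  command:
    chdir: '{{ matrix_media_repo__src_dir }}'
    cmd: '/bin/bash {{ matrix_media_repo__src_dir }}/build.sh'
  when: matrix_media_repo__git is changed or not matrix_media_repo__bin.stat.exists
  notify: Load, enable and restart Matrix Media Repo
```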
|
@ -1,7 +1,7 @@
|
||||||
# General repo configuration
|
# General repo configuration
|
||||||
repo:
|
repo:
|
||||||
bindAddress: '127.0.0.1'
|
bindAddress: '127.0.0.1'
|
||||||
port: {{ matrix__media_repo__port }}
|
port: {{ matrix_media_repo__port }}
|
||||||
|
|
||||||
# Where to store the logs, relative to where the repo is started from. Logs will be automatically
|
# Where to store the logs, relative to where the repo is started from. Logs will be automatically
|
||||||
# rotated every day and held for 14 days. To disable the repo logging to files, set this to
|
# rotated every day and held for 14 days. To disable the repo logging to files, set this to
|
||||||
|
@ -33,7 +33,7 @@ federation:
|
||||||
# user instead. Using the same server is fine, just not the same username and database.
|
# user instead. Using the same server is fine, just not the same username and database.
|
||||||
database:
|
database:
|
||||||
# Currently only "postgres" is supported.
|
# Currently only "postgres" is supported.
|
||||||
postgres: "{{ matrix__media_repo__postgres }}"
|
postgres: "{{ matrix_media_repo__postgres }}"
|
||||||
|
|
||||||
# The database pooling options
|
# The database pooling options
|
||||||
pool:
|
pool:
|
||||||
|
@ -51,10 +51,10 @@ homeservers:
|
||||||
-
|
-
|
||||||
# This should match the server_name of your homeserver, and the Host header
|
# This should match the server_name of your homeserver, and the Host header
|
||||||
# provided to the media repo.
|
# provided to the media repo.
|
||||||
name: "{{ matrix__site_host }}"
|
name: "{{ matrix_media_repo__site_host }}"
|
||||||
|
|
||||||
# The base URL to where the homeserver can actually be reached
|
# The base URL to where the homeserver can actually be reached
|
||||||
csApi: "{{ matrix__base_url }}"
|
csApi: "{{ matrix_media_repo__base_url }}"
|
||||||
|
|
||||||
# The number of consecutive failures in calling this homeserver before the
|
# The number of consecutive failures in calling this homeserver before the
|
||||||
# media repository will start backing off. This defaults to 10 if not given.
|
# media repository will start backing off. This defaults to 10 if not given.
|
||||||
|
@ -118,7 +118,7 @@ accessTokens:
|
||||||
# See docs/admin.md for information on what these people can do. They must belong to one of the
|
# See docs/admin.md for information on what these people can do. They must belong to one of the
|
||||||
# configured homeservers above.
|
# configured homeservers above.
|
||||||
admins:
|
admins:
|
||||||
- "{{ matrix__admin_user }}"
|
- "{{ matrix_media_repo__admin_user }}"
|
||||||
|
|
||||||
# Shared secret auth is useful for applications building on top of the media repository, such
|
# Shared secret auth is useful for applications building on top of the media repository, such
|
||||||
# as a management interface. The `token` provided here is treated as a repository administrator
|
# as a management interface. The `token` provided here is treated as a repository administrator
|
||||||
|
@ -170,11 +170,11 @@ datastores:
|
||||||
# before being uploaded to s3 (then the file is deleted). If you aren't concerned about
|
# before being uploaded to s3 (then the file is deleted). If you aren't concerned about
|
||||||
# memory usage, set this to an empty string.
|
# memory usage, set this to an empty string.
|
||||||
tempPath: ''
|
tempPath: ''
|
||||||
endpoint: "{{ matrix__media_repo__s3_endpoint }}"
|
endpoint: "{{ matrix_media_repo__s3_endpoint }}"
|
||||||
accessKeyId: "{{ matrix__media_repo__s3_access_key }}"
|
accessKeyId: "{{ matrix_media_repo__s3_access_key }}"
|
||||||
accessSecret: "{{ matrix__media_repo__s3_access_secret }}"
|
accessSecret: "{{ matrix_media_repo__s3_access_secret }}"
|
||||||
ssl: true
|
ssl: true
|
||||||
bucketName: "{{ matrix__media_repo__s3_bucket }}"
|
bucketName: "{{ matrix_media_repo__s3_bucket }}"
|
||||||
# An optional region for where this S3 endpoint is located. Typically not needed, though
|
# An optional region for where this S3 endpoint is located. Typically not needed, though
|
||||||
# some providers will need this (like Scaleway). Uncomment to use.
|
# some providers will need this (like Scaleway). Uncomment to use.
|
||||||
#region: 'sfo2'
|
#region: 'sfo2'
|
56
roles/matrix-media-repo/templates/matrix-media-repo.conf
Normal file
56
roles/matrix-media-repo/templates/matrix-media-repo.conf
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
listen [::]:80;
|
||||||
|
|
||||||
|
server_name {{ matrix_media_repo__media_host }};
|
||||||
|
|
||||||
|
set $CSP "";
|
||||||
|
set $CSP "${CSP}object-src 'none';";
|
||||||
|
set $CSP "${CSP}frame-src 'none';";
|
||||||
|
set $CSP "${CSP}connect-src 'none';";
|
||||||
|
set $CSP "${CSP}form-action 'none';";
|
||||||
|
|
||||||
|
add_header Content-Security-Policy $CSP always;
|
||||||
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||||
|
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl;
|
||||||
|
listen [::]:443 ssl;
|
||||||
|
|
||||||
|
server_name {{ matrix_media_repo__media_host }};
|
||||||
|
|
||||||
|
ssl_certificate {{ matrix_media_repo__ssl_cert }};
|
||||||
|
ssl_certificate_key {{ matrix_media_repo__ssl_key }};
|
||||||
|
|
||||||
|
set $CSP "";
|
||||||
|
set $CSP "${CSP}object-src 'none';";
|
||||||
|
set $CSP "${CSP}frame-src 'none';";
|
||||||
|
set $CSP "${CSP}connect-src 'none';";
|
||||||
|
set $CSP "${CSP}form-action 'none';";
|
||||||
|
|
||||||
|
add_header Content-Security-Policy $CSP always;
|
||||||
|
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
|
||||||
|
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
|
||||||
|
add_header X-Content-Type-Options "nosniff" always;
|
||||||
|
add_header X-Frame-Options "SAMEORIGIN" always;
|
||||||
|
|
||||||
|
client_max_body_size 100M;
|
||||||
|
|
||||||
|
location /_matrix/media {
|
||||||
|
proxy_read_timeout 60s;
|
||||||
|
proxy_set_header Host {{ matrix_media_repo__site_host }};
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
proxy_pass http://localhost:{{ matrix_media_repo__port }};
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 404;
|
||||||
|
}
|
||||||
|
}
|
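Review bot: The port-80 server block redirects with `return 301 https://$host$request_uri;`, and if `common__nginx__remove_default: true` in host_vars removes the distribution default site, this becomes the only (hence default) server on :80, so a request carrying an arbitrary `Host:` header is bounced to that attacker-chosen host — an open redirect; use `return 301 https://$server_name$request_uri;` (or add a catch-all `server` that returns 444). Also `proxy_pass http://localhost:{{ matrix_media_repo__port }};` resolves `localhost` to both `::1` and `127.0.0.1` while the config template binds `127.0.0.1` only, so nginx may try IPv6 first and log connection failures before falling back; `proxy_pass http://127.0.0.1:{{ matrix_media_repo__port }};` avoids that. The `add_header` lines live at server level with no `add_header` inside `location /_matrix/media`, so they are inherited there; that is correct today but fragile, because any future `add_header` in the location silently discards all of them — a one-line comment above the headers saying so would help.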
18
roles/matrix-media-repo/templates/matrix-media-repo.service
Normal file
18
roles/matrix-media-repo/templates/matrix-media-repo.service
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
[Unit]
|
||||||
|
After=network.target
|
||||||
|
Description=Matrix Media Repo
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
ExecStart={{ matrix_media_repo__src_dir }}/bin/media_repo -config {{ matrix_media_repo__conf_file }}
|
||||||
|
Group={{ matrix_media_repo__group }}
|
||||||
|
Restart=always
|
||||||
|
RestartSec=1
|
||||||
|
StandardOutput=syslog
|
||||||
|
StandardError=syslog
|
||||||
|
SyslogIdentifier={{ matrix_media_repo__service }}
|
||||||
|
Type=simple
|
||||||
|
User={{ matrix_media_repo__user }}
|
||||||
|
WorkingDirectory={{ matrix_media_repo__opt_dir }}
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
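Review bot: The unit runs as a dedicated user but applies none of systemd's sandboxing, so the process keeps read access to the whole filesystem, can gain privileges through setuid binaries and shares /tmp; for a network-facing service that handles untrusted uploads I would add the directives below. `ReadWritePaths` must cover whatever the repo writes — the config template's comment says logs are relative to where it is started (`WorkingDirectory={{ matrix_media_repo__opt_dir }}`) and `tempPath` is empty, so that directory is presumably sufficient, but confirm before turning on `ProtectSystem=strict`. `StandardOutput=syslog` / `StandardError=syslog` are deprecated on current systemd in favour of `journal`; `SyslogIdentifier` keeps working with either.
```ini
[Service]
# … unchanged: ExecStart, User, Group, WorkingDirectory, Restart, RestartSec, Type, SyslogIdentifier …
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
ReadWritePaths={{ matrix_media_repo__opt_dir }}
ProtectKernelTunables=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
StandardOutput=journal
StandardError=journal
```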
20
roles/matrix-media-repo/vars/main.yml
Normal file
20
roles/matrix-media-repo/vars/main.yml
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
---
|
||||||
|
matrix_media_repo__user: 'matrix-media-repo'
|
||||||
|
matrix_media_repo__group: 'matrix-media-repo'
|
||||||
|
matrix_media_repo__service: 'matrix-media-repo'
|
||||||
|
|
||||||
|
matrix_media_repo__port: 8000
|
||||||
|
|
||||||
|
matrix__conf_dir: '/etc/matrix'
|
||||||
|
matrix__opt_dir: '/opt/matrix'
|
||||||
|
matrix__lib_dir: '/var/lib/matrix'
|
||||||
|
|
||||||
|
matrix_media_repo__conf_dir: '{{ matrix__conf_dir }}/media_repo'
|
||||||
|
matrix_media_repo__opt_dir: '{{ matrix__opt_dir }}/media_repo'
|
||||||
|
matrix_media_repo__lib_dir: '{{ matrix__lib_dir }}/media_repo'
|
||||||
|
|
||||||
|
matrix_media_repo__conf_file: '{{ matrix_media_repo__conf_dir }}/config.yaml'
|
||||||
|
matrix_media_repo__archive_file: '{{ matrix_media_repo__opt_dir }}/src.tar.gz'
|
||||||
|
matrix_media_repo__src_dir: '{{ matrix_media_repo__opt_dir }}/src'
|
||||||
|
|
||||||
|
matrix_media_repo__service_file: '/etc/systemd/system/{{ matrix_media_repo__service }}.service'
|
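Review bot: `matrix_media_repo__archive_file` (`src.tar.gz`) is defined but nothing in the role reads it — the tasks clone the pinned commit with `git` — so it is a leftover from a tarball-based install and should be removed rather than suggest a second install path. The `matrix__conf_dir` / `matrix__opt_dir` / `matrix__lib_dir` values reuse the `matrix__` namespace of the other role (whose vars file is cut off at the end of this page, so I cannot confirm it defines the same names); if both roles ever run on one host, `vars/` precedence makes whichever loads last win, so `matrix_media_repo__`-prefixed names or a shared group var would be safer.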
|
@ -1,6 +1,7 @@
|
||||||
---
|
---
|
||||||
matrix__site_host: 'example.com'
|
matrix__site_host: 'example.com'
|
||||||
matrix__base_host: 'matrix.example.com'
|
matrix__base_host: 'matrix.example.com'
|
||||||
|
matrix__media_host: 'matrix-media-repo.example.com'
|
||||||
matrix__web_host: 'element.example.com'
|
matrix__web_host: 'element.example.com'
|
||||||
|
|
||||||
matrix__site_url: 'https://example.com'
|
matrix__site_url: 'https://example.com'
|
||||||
|
@ -31,11 +32,5 @@ matrix__synapse__form_secret: ''
|
||||||
matrix__synapse__recaptcha_public_key: ''
|
matrix__synapse__recaptcha_public_key: ''
|
||||||
matrix__synapse__recaptcha_private_key: ''
|
matrix__synapse__recaptcha_private_key: ''
|
||||||
|
|
||||||
matrix__media_repo__postgres: 'postgres://user:pass@example.com/dbname?sslmode=require'
|
|
||||||
matrix__media_repo__s3_endpoint: 's3.eu-central-1.amazonaws.com'
|
|
||||||
matrix__media_repo__s3_access_key: ''
|
|
||||||
matrix__media_repo__s3_access_secret: ''
|
|
||||||
matrix__media_repo__s3_bucket: 'example-matrix-media-repo'
|
|
||||||
|
|
||||||
matrix__static__user_id: ''
|
matrix__static__user_id: ''
|
||||||
matrix__static__access_token: ''
|
matrix__static__access_token: ''
|
||||||
|
|
|
@ -11,13 +11,6 @@
|
||||||
enabled: true
|
enabled: true
|
||||||
state: restarted
|
state: restarted
|
||||||
|
|
||||||
- name: Load, enable and restart Matrix Media Repo
|
|
||||||
systemd:
|
|
||||||
name: '{{ matrix__media_repo__service }}'
|
|
||||||
daemon_reload: true
|
|
||||||
enabled: true
|
|
||||||
state: restarted
|
|
||||||
|
|
||||||
- name: Load, enable and restart Matrix Static
|
- name: Load, enable and restart Matrix Static
|
||||||
systemd:
|
systemd:
|
||||||
name: '{{ matrix__static__service }}'
|
name: '{{ matrix__static__service }}'
|
||||||
|
|
|
@ -8,9 +8,6 @@
|
||||||
- include_tasks: synapse.yml
|
- include_tasks: synapse.yml
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
||||||
- include_tasks: media_repo.yml
|
|
||||||
- meta: flush_handlers
|
|
||||||
|
|
||||||
- include_tasks: static.yml
|
- include_tasks: static.yml
|
||||||
- meta: flush_handlers
|
- meta: flush_handlers
|
||||||
|
|
||||||
|
|
|
@ -1,66 +0,0 @@
|
||||||
---
|
|
||||||
- name: Install system packages for Matrix Media Repo
|
|
||||||
apt:
|
|
||||||
name: golang
|
|
||||||
notify: Load, enable and restart Matrix Media Repo
|
|
||||||
|
|
||||||
- name: Create Matrix Media Repo system group
|
|
||||||
group:
|
|
||||||
name: '{{ matrix__media_repo__group }}'
|
|
||||||
system: true
|
|
||||||
notify: Load, enable and restart Matrix Media Repo
|
|
||||||
|
|
||||||
- name: Create Matrix Media Repo system user
|
|
||||||
user:
|
|
||||||
name: '{{ matrix__media_repo__user }}'
|
|
||||||
group: '{{ matrix__media_repo__group }}'
|
|
||||||
system: true
|
|
||||||
create_home: true
|
|
||||||
home: '{{ matrix__media_repo__lib_dir }}'
|
|
||||||
notify: Load, enable and restart Matrix Media Repo
|
|
||||||
|
|
||||||
- name: Create Matrix Media Repo directories
|
|
||||||
file:
|
|
||||||
state: directory
|
|
||||||
path: '{{ item }}'
|
|
||||||
mode: 'u=rwx,g=rwx,o=rx'
|
|
||||||
owner: '{{ matrix__media_repo__user }}'
|
|
||||||
group: '{{ matrix__media_repo__group }}'
|
|
||||||
with_items:
|
|
||||||
- '{{ matrix__media_repo__conf_dir }}'
|
|
||||||
- '{{ matrix__media_repo__opt_dir }}'
|
|
||||||
- '{{ matrix__media_repo__src_dir }}'
|
|
||||||
notify: Load, enable and restart Matrix Media Repo
|
|
||||||
|
|
||||||
- name: Create Matrix Media Repo config
|
|
||||||
template:
|
|
||||||
src: '../templates/media_repo/config.yaml'
|
|
||||||
dest: '{{ matrix__media_repo__conf_file }}'
|
|
||||||
mode: 'u=rw,g=rw,o='
|
|
||||||
owner: '{{ matrix__media_repo__user }}'
|
|
||||||
group: '{{ matrix__media_repo__group }}'
|
|
||||||
notify: Load, enable and restart Matrix Media Repo
|
|
||||||
|
|
||||||
- name: Create Matrix Media Repo systemd service
|
|
||||||
template:
|
|
||||||
src: '../templates/media_repo/matrix-media-repo.service'
|
|
||||||
dest: '{{ matrix__media_repo__service_file }}'
|
|
||||||
mode: 'u=rw,g=rw,o=r'
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
notify: Load, enable and restart Matrix Media Repo
|
|
||||||
|
|
||||||
- name: Get Matrix Media Repo source code
|
|
||||||
become_user: '{{ matrix__media_repo__user }}'
|
|
||||||
git:
|
|
||||||
repo: 'https://github.com/turt2live/matrix-media-repo.git'
|
|
||||||
dest: '{{ matrix__media_repo__src_dir }}'
|
|
||||||
version: 'b73a0082dd22e9ff447950b18e9ca49c73a6d912'
|
|
||||||
|
|
||||||
- name: Build Matrix Media Repo source code
|
|
||||||
become_user: '{{ matrix__media_repo__user }}'
|
|
||||||
command:
|
|
||||||
chdir: '{{ matrix__media_repo__src_dir }}'
|
|
||||||
creates: '{{ matrix__media_repo__src_dir }}/bin/media_repo'
|
|
||||||
cmd: '/bin/bash {{ matrix__media_repo__src_dir }}/build.sh'
|
|
||||||
notify: Load, enable and restart Matrix Media Repo
|
|
|
@ -1,18 +0,0 @@
|
||||||
[Unit]
|
|
||||||
After=network.target
|
|
||||||
Description=Matrix Media Repo
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
ExecStart={{ matrix__media_repo__src_dir }}/bin/media_repo -config {{ matrix__media_repo__conf_file }}
|
|
||||||
Group={{ matrix__media_repo__group }}
|
|
||||||
Restart=always
|
|
||||||
RestartSec=1
|
|
||||||
StandardOutput=syslog
|
|
||||||
StandardError=syslog
|
|
||||||
SyslogIdentifier={{ matrix__media_repo__service }}
|
|
||||||
Type=simple
|
|
||||||
User={{ matrix__media_repo__user }}
|
|
||||||
WorkingDirectory={{ matrix__media_repo__opt_dir }}
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
|
@ -82,7 +82,7 @@ server {
|
||||||
proxy_set_header Host {{ matrix__site_host }};
|
proxy_set_header Host {{ matrix__site_host }};
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
proxy_pass http://localhost:{{ matrix__media_repo__port }};
|
proxy_pass https://{{ matrix__media_host }};
|
||||||
}
|
}
|
||||||
|
|
||||||
location /_matrix {
|
location /_matrix {
|
||||||
|
@ -128,7 +128,7 @@ server {
|
||||||
proxy_set_header Host {{ matrix__site_host }};
|
proxy_set_header Host {{ matrix__site_host }};
|
||||||
proxy_set_header X-Real-IP $remote_addr;
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
proxy_pass http://localhost:{{ matrix__media_repo__port }};
|
proxy_pass https://{{ matrix__media_host }};
|
||||||
}
|
}
|
||||||
|
|
||||||
location / {
|
location / {
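Review bot: The new `proxy_pass https://{{ matrix__media_host }};` in the `@ -82,7 +82,7 @@` hunk sends media traffic to a separate host over TLS, but nginx neither verifies the upstream certificate nor sends SNI by default (`proxy_ssl_verify` and `proxy_ssl_server_name` are both off), so this gives encryption without authenticating the peer and the upstream will pick its default server rather than the vhost the new host_vars provisions a certificate for. The unchanged `proxy_set_header Host {{ matrix__site_host }};` above it compounds this, because the upstream now also selects by a Host header that names the site rather than the media host. Consider adding beside the proxy_pass `proxy_ssl_server_name on;`, `proxy_ssl_name {{ matrix__media_host }};` and `proxy_ssl_verify on;`, together with a `proxy_ssl_trusted_certificate` pointing at the system CA bundle, and check whether the Host header should follow the media host for this location. The `@ -128,7 +128,7 @@` hunk below makes the identical change and needs the same treatment. The enclosing location blocks start before each hunk.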
|
||||||
|
|
|
@ -3,16 +3,11 @@ matrix__synapse__user: 'matrix-synapse'
|
||||||
matrix__synapse__group: 'matrix-synapse'
|
matrix__synapse__group: 'matrix-synapse'
|
||||||
matrix__synapse__service: 'matrix-synapse'
|
matrix__synapse__service: 'matrix-synapse'
|
||||||
|
|
||||||
matrix__media_repo__user: 'matrix-media-repo'
|
|
||||||
matrix__media_repo__group: 'matrix-media-repo'
|
|
||||||
matrix__media_repo__service: 'matrix-media-repo'
|
|
||||||
|
|
||||||
matrix__static__user: 'matrix-static'
|
matrix__static__user: 'matrix-static'
|
||||||
matrix__static__group: 'matrix-static'
|
matrix__static__group: 'matrix-static'
|
||||||
matrix__static__service: 'matrix-static'
|
matrix__static__service: 'matrix-static'
|
||||||
|
|
||||||
matrix__synapse__port: 8001
|
matrix__synapse__port: 8001
|
||||||
matrix__media_repo__port: 8002
|
|
||||||
matrix__static__port: 8003
|
matrix__static__port: 8003
|
||||||
|
|
||||||
matrix__conf_dir: '/etc/matrix'
|
matrix__conf_dir: '/etc/matrix'
|
||||||
|
@ -25,10 +20,6 @@ matrix__synapse__opt_dir: '{{ matrix__opt_dir }}/synapse'
|
||||||
matrix__synapse__lib_dir: '{{ matrix__lib_dir }}/synapse'
|
matrix__synapse__lib_dir: '{{ matrix__lib_dir }}/synapse'
|
||||||
matrix__synapse__run_dir: '{{ matrix__run_dir }}/synapse'
|
matrix__synapse__run_dir: '{{ matrix__run_dir }}/synapse'
|
||||||
|
|
||||||
matrix__media_repo__conf_dir: '{{ matrix__conf_dir }}/media_repo'
|
|
||||||
matrix__media_repo__opt_dir: '{{ matrix__opt_dir }}/media_repo'
|
|
||||||
matrix__media_repo__lib_dir: '{{ matrix__lib_dir }}/media_repo'
|
|
||||||
|
|
||||||
matrix__static__conf_dir: '{{ matrix__conf_dir }}/static'
|
matrix__static__conf_dir: '{{ matrix__conf_dir }}/static'
|
||||||
matrix__static__opt_dir: '{{ matrix__opt_dir }}/static'
|
matrix__static__opt_dir: '{{ matrix__opt_dir }}/static'
|
||||||
|
|
||||||
|
@ -42,10 +33,6 @@ matrix__synapse__media_dir: '{{ matrix__synapse__lib_dir }}/media_store'
|
||||||
matrix__synapse__db_file: '{{ matrix__synapse__lib_dir }}/homeserver.db'
|
matrix__synapse__db_file: '{{ matrix__synapse__lib_dir }}/homeserver.db'
|
||||||
matrix__synapse__pid_file: '{{ matrix__synapse__run_dir }}/homeserver.pid'
|
matrix__synapse__pid_file: '{{ matrix__synapse__run_dir }}/homeserver.pid'
|
||||||
|
|
||||||
matrix__media_repo__conf_file: '{{ matrix__media_repo__conf_dir }}/config.yaml'
|
|
||||||
matrix__media_repo__archive_file: '{{ matrix__media_repo__opt_dir }}/src.tar.gz'
|
|
||||||
matrix__media_repo__src_dir: '{{ matrix__media_repo__opt_dir }}/src'
|
|
||||||
|
|
||||||
matrix__static__conf_file: '{{ matrix__static__conf_dir }}/config.json'
|
matrix__static__conf_file: '{{ matrix__static__conf_dir }}/config.json'
|
||||||
matrix__static__archive_file: '{{ matrix__static__opt_dir }}/src.tar.gz'
|
matrix__static__archive_file: '{{ matrix__static__opt_dir }}/src.tar.gz'
|
||||||
matrix__static__src_dir: '{{ matrix__static__opt_dir }}/src'
|
matrix__static__src_dir: '{{ matrix__static__opt_dir }}/src'
|
||||||
|
@ -56,7 +43,6 @@ matrix__element__src_dir: '{{ matrix__element__opt_dir }}/src'
|
||||||
matrix__element__conf_file: '{{ matrix__element__src_dir }}/config.json'
|
matrix__element__conf_file: '{{ matrix__element__src_dir }}/config.json'
|
||||||
|
|
||||||
matrix__synapse__service_file: '/etc/systemd/system/{{ matrix__synapse__service }}.service'
|
matrix__synapse__service_file: '/etc/systemd/system/{{ matrix__synapse__service }}.service'
|
||||||
matrix__media_repo__service_file: '/etc/systemd/system/{{ matrix__media_repo__service }}.service'
|
|
||||||
matrix__static__service_file: '/etc/systemd/system/{{ matrix__static__service }}.service'
|
matrix__static__service_file: '/etc/systemd/system/{{ matrix__static__service }}.service'
|
||||||
|
|
||||||
matrix__static__url: 'https://github.com/matrix-org/matrix-static/archive/0.3.0.tar.gz'
|
matrix__static__url: 'https://github.com/matrix-org/matrix-static/archive/0.3.0.tar.gz'
|
||||||
|
|